Copy docs into Zeek repo directly

This is based on commit 2731def9159247e6da8a3191783c89683363689c from the
zeek-docs repo.
Tim Wojtulewicz 2025-09-15 15:52:18 -07:00
parent 83f1e74643
commit ded98cd373
1074 changed files with 169319 additions and 0 deletions

@ -0,0 +1,14 @@
:tocdepth: 3
base/frameworks/netcontrol/__load__.zeek
========================================
:Imports: :doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`, :doc:`base/frameworks/netcontrol/drop.zeek </scripts/base/frameworks/netcontrol/drop.zeek>`, :doc:`base/frameworks/netcontrol/main.zeek </scripts/base/frameworks/netcontrol/main.zeek>`, :doc:`base/frameworks/netcontrol/non-cluster.zeek </scripts/base/frameworks/netcontrol/non-cluster.zeek>`, :doc:`base/frameworks/netcontrol/plugins </scripts/base/frameworks/netcontrol/plugins/index>`, :doc:`base/frameworks/netcontrol/shunt.zeek </scripts/base/frameworks/netcontrol/shunt.zeek>`, :doc:`base/frameworks/netcontrol/types.zeek </scripts/base/frameworks/netcontrol/types.zeek>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -0,0 +1,171 @@
:tocdepth: 3
base/frameworks/netcontrol/drop.zeek
====================================
.. zeek:namespace:: NetControl
Implementation of the drop functionality for NetControl.
:Namespace: NetControl
:Imports: :doc:`base/frameworks/netcontrol/main.zeek </scripts/base/frameworks/netcontrol/main.zeek>`
Summary
~~~~~~~
Types
#####
====================================================== =
:zeek:type:`NetControl::DropInfo`: :zeek:type:`record`
====================================================== =
Redefinitions
#############
======================================= ===================================
:zeek:type:`Log::ID`: :zeek:type:`enum`
* :zeek:enum:`NetControl::DROP_LOG`
======================================= ===================================
Events
######
============================================================== ==========================================================================
:zeek:id:`NetControl::log_netcontrol_drop`: :zeek:type:`event` Event that can be handled to access the :zeek:type:`NetControl::ShuntInfo`
record as it is sent on to the logging framework.
============================================================== ==========================================================================
Hooks
#####
==================================================================== =======================================================================
:zeek:id:`NetControl::drop_rule_policy`: :zeek:type:`hook` Hook that allows the modification of rules passed to drop_* before they
are passed on.
:zeek:id:`NetControl::log_policy_drop`: :zeek:type:`Log::PolicyHook`
==================================================================== =======================================================================
Functions
#########
============================================================= ======================================================================
:zeek:id:`NetControl::drop_address`: :zeek:type:`function` Stops all packets involving an IP address from being forwarded.
:zeek:id:`NetControl::drop_connection`: :zeek:type:`function` Stops all packets involving a connection address from being forwarded.
============================================================= ======================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. zeek:type:: NetControl::DropInfo
:source-code: base/frameworks/netcontrol/drop.zeek 34 47
:Type: :zeek:type:`record`
.. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
Time at which the recorded activity occurred.
.. zeek:field:: rule_id :zeek:type:`string` :zeek:attr:`&log`
ID of the rule; unique during each Zeek run.
.. zeek:field:: orig_h :zeek:type:`addr` :zeek:attr:`&log`
The originator's IP address.
.. zeek:field:: orig_p :zeek:type:`port` :zeek:attr:`&log` :zeek:attr:`&optional`
The originator's port number.
.. zeek:field:: resp_h :zeek:type:`addr` :zeek:attr:`&log` :zeek:attr:`&optional`
The responder's IP address.
.. zeek:field:: resp_p :zeek:type:`port` :zeek:attr:`&log` :zeek:attr:`&optional`
The responder's port number.
.. zeek:field:: expire :zeek:type:`interval` :zeek:attr:`&log`
Expiry time of the shunt.
.. zeek:field:: location :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Location where the underlying action was triggered.
Events
######
.. zeek:id:: NetControl::log_netcontrol_drop
:source-code: base/frameworks/netcontrol/drop.zeek 57 57
:Type: :zeek:type:`event` (rec: :zeek:type:`NetControl::DropInfo`)
Event that can be handled to access the :zeek:type:`NetControl::ShuntInfo`
record as it is sent on to the logging framework.
Hooks
#####
.. zeek:id:: NetControl::drop_rule_policy
:source-code: base/frameworks/netcontrol/drop.zeek 53 53
:Type: :zeek:type:`hook` (r: :zeek:type:`NetControl::Rule`) : :zeek:type:`bool`
Hook that allows the modification of rules passed to drop_* before they
are passed on. If one of the hooks uses break, the rule is ignored.
:param r: The rule to be added.
.. zeek:id:: NetControl::log_policy_drop
:source-code: base/frameworks/netcontrol/drop.zeek 10 10
:Type: :zeek:type:`Log::PolicyHook`
Functions
#########
.. zeek:id:: NetControl::drop_address
:source-code: base/frameworks/netcontrol/drop.zeek 89 111
:Type: :zeek:type:`function` (a: :zeek:type:`addr`, t: :zeek:type:`interval`, location: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`) : :zeek:type:`string`
Stops all packets involving an IP address from being forwarded.
:param a: The address to be dropped.
:param t: How long to drop it, with 0 being indefinitely.
:param location: An optional string describing where the drop was triggered.
:returns: The id of the inserted rule on success and zero on failure.
.. zeek:id:: NetControl::drop_connection
:source-code: base/frameworks/netcontrol/drop.zeek 65 87
:Type: :zeek:type:`function` (c: :zeek:type:`conn_id`, t: :zeek:type:`interval`, location: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`) : :zeek:type:`string`
Stops all packets involving a connection address from being forwarded.
:param c: The connection to be dropped.
:param t: How long to drop it, with 0 being indefinitely.
:param location: An optional string describing where the drop was triggered.
:returns: The id of the inserted rule on success and zero on failure.
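
Review bot: The description of NetControl::log_netcontrol_drop names NetControl::ShuntInfo in both the summary table and the detailed entry, but the event signature is (rec: NetControl::DropInfo); this looks copied from the shunt documentation and should name DropInfo. The same applies to the DropInfo expire field, documented as "Expiry time of the shunt." Separately, drop_address and drop_connection are typed as returning string while their :returns: lines say "zero on failure"; state the actual failure value (NetControl::add_rule in this commit documents an empty string) so callers know what to compare against before assuming a drop was installed. NetControl::log_policy_drop has no description at all, and "a connection address" in drop_connection would read better as "a connection".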

@ -0,0 +1,77 @@
:orphan:
Package: base/frameworks/netcontrol
===================================
The NetControl framework provides a way for Zeek to interact with networking
hard- and software, e.g. for dropping and shunting IP addresses/connections,
etc.
:doc:`/scripts/base/frameworks/netcontrol/__load__.zeek`
:doc:`/scripts/base/frameworks/netcontrol/types.zeek`
This file defines the types that are used by the NetControl framework.
The most important type defined in this file is :zeek:see:`NetControl::Rule`,
which is used to describe all rules that can be expressed by the NetControl framework.
:doc:`/scripts/base/frameworks/netcontrol/main.zeek`
Zeek's NetControl framework.
This plugin-based framework allows to control the traffic that Zeek monitors
as well as, if having access to the forwarding path, the traffic the network
forwards. By default, the framework lets everything through, to both Zeek
itself as well as on the network. Scripts can then add rules to impose
restrictions on entities, such as specific connections or IP addresses.
This framework has two APIs: a high-level and low-level. The high-level API
provides convenience functions for a set of common operations. The
low-level API provides full flexibility.
:doc:`/scripts/base/frameworks/netcontrol/plugin.zeek`
This file defines the plugin interface for NetControl.
:doc:`/scripts/base/frameworks/netcontrol/plugins/__load__.zeek`
:doc:`/scripts/base/frameworks/netcontrol/plugins/debug.zeek`
Debugging plugin for the NetControl framework, providing insight into
executed operations.
:doc:`/scripts/base/frameworks/netcontrol/plugins/openflow.zeek`
OpenFlow plugin for the NetControl framework.
:doc:`/scripts/base/frameworks/netcontrol/plugins/packetfilter.zeek`
NetControl plugin for the process-level PacketFilter that comes with
Zeek. Since the PacketFilter in Zeek is quite limited in scope
and can only add/remove filters for addresses, this is quite
limited in scope at the moment.
:doc:`/scripts/base/frameworks/netcontrol/plugins/broker.zeek`
Broker plugin for the NetControl framework. Sends the raw data structures
used in NetControl on to Broker to allow for easy handling, e.g., of
command-line scripts.
:doc:`/scripts/base/frameworks/netcontrol/plugins/acld.zeek`
Acld plugin for the netcontrol framework.
:doc:`/scripts/base/frameworks/netcontrol/drop.zeek`
Implementation of the drop functionality for NetControl.
:doc:`/scripts/base/frameworks/netcontrol/shunt.zeek`
Implementation of the shunt functionality for NetControl.
:doc:`/scripts/base/frameworks/netcontrol/non-cluster.zeek`
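
Review bot: The last entry in the package index, non-cluster.zeek, has no description, and neither do the two __load__.zeek entries; a one-line summary for each would make the index usable on its own. Two smaller wording points: the packetfilter.zeek description says "quite limited in scope" twice in one sentence, and the acld.zeek entry writes "netcontrol framework" in lowercase where every other entry uses "NetControl".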

@ -0,0 +1,649 @@
:tocdepth: 3
base/frameworks/netcontrol/main.zeek
====================================
.. zeek:namespace:: NetControl
Zeek's NetControl framework.
This plugin-based framework allows to control the traffic that Zeek monitors
as well as, if having access to the forwarding path, the traffic the network
forwards. By default, the framework lets everything through, to both Zeek
itself as well as on the network. Scripts can then add rules to impose
restrictions on entities, such as specific connections or IP addresses.
This framework has two APIs: a high-level and low-level. The high-level API
provides convenience functions for a set of common operations. The
low-level API provides full flexibility.
:Namespace: NetControl
:Imports: :doc:`base/frameworks/netcontrol/plugin.zeek </scripts/base/frameworks/netcontrol/plugin.zeek>`, :doc:`base/frameworks/netcontrol/types.zeek </scripts/base/frameworks/netcontrol/types.zeek>`
Summary
~~~~~~~
Types
#####
======================================================== =================================================================
:zeek:type:`NetControl::Info`: :zeek:type:`record` The record type defining the column fields of the NetControl log.
:zeek:type:`NetControl::InfoCategory`: :zeek:type:`enum` Type of an entry in the NetControl log.
:zeek:type:`NetControl::InfoState`: :zeek:type:`enum` State of an entry in the NetControl log.
======================================================== =================================================================
Redefinitions
#############
================================================== ===================================================================================================================
:zeek:type:`Log::ID`: :zeek:type:`enum` The framework's logging stream identifier.
* :zeek:enum:`NetControl::LOG`
:zeek:type:`NetControl::Rule`: :zeek:type:`record`
:New Fields: :zeek:type:`NetControl::Rule`
_plugin_ids: :zeek:type:`set` [:zeek:type:`count`] :zeek:attr:`&default` = ``{ }`` :zeek:attr:`&optional`
Internally set to the plugins handling the rule.
_active_plugin_ids: :zeek:type:`set` [:zeek:type:`count`] :zeek:attr:`&default` = ``{ }`` :zeek:attr:`&optional`
Internally set to the plugins on which the rule is currently active.
_no_expire_plugins: :zeek:type:`set` [:zeek:type:`count`] :zeek:attr:`&default` = ``{ }`` :zeek:attr:`&optional`
Internally set to plugins where the rule should not be removed upon timeout.
_added: :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
Track if the rule was added successfully by all responsible plugins.
================================================== ===================================================================================================================
Events
######
========================================================= ===========================================================================
:zeek:id:`NetControl::init`: :zeek:type:`event` Event that is used to initialize plugins.
:zeek:id:`NetControl::init_done`: :zeek:type:`event` Event that is raised once all plugins activated in ``NetControl::init``
have finished their initialization.
:zeek:id:`NetControl::log_netcontrol`: :zeek:type:`event` Event that can be handled to access the :zeek:type:`NetControl::Info`
record as it is sent on to the logging framework.
:zeek:id:`NetControl::rule_added`: :zeek:type:`event` Confirms that a rule was put in place by a plugin.
:zeek:id:`NetControl::rule_destroyed`: :zeek:type:`event` This event is raised when a rule is deleted from the NetControl framework,
because it is no longer in use.
:zeek:id:`NetControl::rule_error`: :zeek:type:`event` Reports an error when operating on a rule.
:zeek:id:`NetControl::rule_exists`: :zeek:type:`event` Signals that a rule that was supposed to be put in place was already
existing at the specified plugin.
:zeek:id:`NetControl::rule_new`: :zeek:type:`event` This event is raised when a new rule is created by the NetControl framework
due to a call to add_rule.
:zeek:id:`NetControl::rule_removed`: :zeek:type:`event` Reports that a plugin reports a rule was removed due to a
remove_rule function call.
:zeek:id:`NetControl::rule_timeout`: :zeek:type:`event` Reports that a rule was removed from a plugin due to a timeout.
========================================================= ===========================================================================
Hooks
#####
=============================================================== =============================================================================
:zeek:id:`NetControl::log_policy`: :zeek:type:`Log::PolicyHook` A default logging policy hook for the stream.
:zeek:id:`NetControl::rule_added_policy`: :zeek:type:`hook` Hook that allows the modification of rule states after they are returned from
the plugins and have been added to the rules database.
:zeek:id:`NetControl::rule_policy`: :zeek:type:`hook` Hook that allows the modification of rules passed to add_rule before they
are passed on to the plugins.
=============================================================== =============================================================================
Functions
#########
=============================================================== ===============================================================================================
:zeek:id:`NetControl::activate`: :zeek:type:`function` Activates a plugin.
:zeek:id:`NetControl::add_rule`: :zeek:type:`function` Installs a rule.
:zeek:id:`NetControl::clear`: :zeek:type:`function` Flushes all state by calling :zeek:see:`NetControl::remove_rule` on all currently active rules.
:zeek:id:`NetControl::delete_rule`: :zeek:type:`function` Deletes a rule without removing it from the backends to which it has been
added before.
:zeek:id:`NetControl::find_rules_addr`: :zeek:type:`function` Searches all rules affecting a certain IP address.
:zeek:id:`NetControl::find_rules_subnet`: :zeek:type:`function` Searches all rules affecting a certain subnet.
:zeek:id:`NetControl::plugin_activated`: :zeek:type:`function` Function called by plugins once they finished their activation.
:zeek:id:`NetControl::quarantine_host`: :zeek:type:`function` Quarantines a host.
:zeek:id:`NetControl::redirect_flow`: :zeek:type:`function` Redirects a uni-directional flow to another port.
:zeek:id:`NetControl::remove_rule`: :zeek:type:`function` Removes a rule.
:zeek:id:`NetControl::whitelist_address`: :zeek:type:`function` Allows all traffic involving a specific IP address to be forwarded.
:zeek:id:`NetControl::whitelist_subnet`: :zeek:type:`function` Allows all traffic involving a specific IP subnet to be forwarded.
=============================================================== ===============================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. zeek:type:: NetControl::Info
:source-code: base/frameworks/netcontrol/main.zeek 308 339
:Type: :zeek:type:`record`
.. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
Time at which the recorded activity occurred.
.. zeek:field:: rule_id :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
ID of the rule; unique during each Zeek run.
.. zeek:field:: category :zeek:type:`NetControl::InfoCategory` :zeek:attr:`&log` :zeek:attr:`&optional`
Type of the log entry.
.. zeek:field:: cmd :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
The command the log entry is about.
.. zeek:field:: state :zeek:type:`NetControl::InfoState` :zeek:attr:`&log` :zeek:attr:`&optional`
State the log entry reflects.
.. zeek:field:: action :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
String describing an action the entry is about.
.. zeek:field:: target :zeek:type:`NetControl::TargetType` :zeek:attr:`&log` :zeek:attr:`&optional`
The target type of the action.
.. zeek:field:: entity_type :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Type of the entity the log entry is about.
.. zeek:field:: entity :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
String describing the entity the log entry is about.
.. zeek:field:: mod :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
String describing the optional modification of the entry (e.h. redirect)
.. zeek:field:: msg :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
String with an additional message.
.. zeek:field:: priority :zeek:type:`int` :zeek:attr:`&log` :zeek:attr:`&optional`
Number describing the priority of the log entry.
.. zeek:field:: expire :zeek:type:`interval` :zeek:attr:`&log` :zeek:attr:`&optional`
Expiry time of the log entry.
.. zeek:field:: location :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Location where the underlying action was triggered.
.. zeek:field:: plugin :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Plugin triggering the log entry.
The record type defining the column fields of the NetControl log.
.. zeek:type:: NetControl::InfoCategory
:source-code: base/frameworks/netcontrol/main.zeek 288 296
:Type: :zeek:type:`enum`
.. zeek:enum:: NetControl::MESSAGE NetControl::InfoCategory
A log entry reflecting a framework message.
.. zeek:enum:: NetControl::ERROR NetControl::InfoCategory
A log entry reflecting a framework message.
.. zeek:enum:: NetControl::RULE NetControl::InfoCategory
A log entry about a rule.
Type of an entry in the NetControl log.
.. zeek:type:: NetControl::InfoState
:source-code: base/frameworks/netcontrol/main.zeek 298 306
:Type: :zeek:type:`enum`
.. zeek:enum:: NetControl::REQUESTED NetControl::InfoState
The request to add/remove a rule was sent to the respective backend.
.. zeek:enum:: NetControl::SUCCEEDED NetControl::InfoState
A rule was successfully added by a backend.
.. zeek:enum:: NetControl::EXISTS NetControl::InfoState
A backend reported that a rule was already existing.
.. zeek:enum:: NetControl::FAILED NetControl::InfoState
A rule addition failed.
.. zeek:enum:: NetControl::REMOVED NetControl::InfoState
A rule was successfully removed by a backend.
.. zeek:enum:: NetControl::TIMEOUT NetControl::InfoState
A rule timeout was triggered by the NetControl framework or a backend.
State of an entry in the NetControl log.
Events
######
.. zeek:id:: NetControl::init
:source-code: base/frameworks/netcontrol/main.zeek 642 650
:Type: :zeek:type:`event` ()
Event that is used to initialize plugins. Place all plugin initialization
related functionality in this event.
.. zeek:id:: NetControl::init_done
:source-code: base/frameworks/netcontrol/main.zeek 43 43
:Type: :zeek:type:`event` ()
Event that is raised once all plugins activated in ``NetControl::init``
have finished their initialization.
.. zeek:id:: NetControl::log_netcontrol
:source-code: base/frameworks/netcontrol/main.zeek 343 343
:Type: :zeek:type:`event` (rec: :zeek:type:`NetControl::Info`)
Event that can be handled to access the :zeek:type:`NetControl::Info`
record as it is sent on to the logging framework.
.. zeek:id:: NetControl::rule_added
:source-code: base/frameworks/netcontrol/main.zeek 191 191
:Type: :zeek:type:`event` (r: :zeek:type:`NetControl::Rule`, p: :zeek:type:`NetControl::PluginState`, msg: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`)
Confirms that a rule was put in place by a plugin.
:param r: The rule now in place.
:param p: The state for the plugin that put it into place.
:param msg: An optional informational message by the plugin.
.. zeek:id:: NetControl::rule_destroyed
:source-code: base/frameworks/netcontrol/main.zeek 256 256
:Type: :zeek:type:`event` (r: :zeek:type:`NetControl::Rule`)
This event is raised when a rule is deleted from the NetControl framework,
because it is no longer in use. This can be caused by the fact that a rule
was removed by all plugins to which it was added, by the fact that it timed out
or due to rule errors.
To get the cause of a rule remove, catch the rule_removed, rule_timeout and
rule_error events.
.. zeek:id:: NetControl::rule_error
:source-code: base/frameworks/netcontrol/main.zeek 236 236
:Type: :zeek:type:`event` (r: :zeek:type:`NetControl::Rule`, p: :zeek:type:`NetControl::PluginState`, msg: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`)
Reports an error when operating on a rule.
:param r: The rule that encountered an error.
:param p: The state for the plugin that reported the error.
:param msg: An optional informational message by the plugin.
.. zeek:id:: NetControl::rule_exists
:source-code: base/frameworks/netcontrol/main.zeek 204 204
:Type: :zeek:type:`event` (r: :zeek:type:`NetControl::Rule`, p: :zeek:type:`NetControl::PluginState`, msg: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`)
Signals that a rule that was supposed to be put in place was already
existing at the specified plugin. Rules that already have been existing
continue to be tracked like normal, but no timeout calls will be sent
to the specified plugins. Removal of the rule from the hardware can
still be forced by manually issuing a remove_rule call.
:param r: The rule that was already in place.
:param p: The plugin that reported that the rule already was in place.
:param msg: An optional informational message by the plugin.
.. zeek:id:: NetControl::rule_new
:source-code: base/frameworks/netcontrol/main.zeek 247 247
:Type: :zeek:type:`event` (r: :zeek:type:`NetControl::Rule`)
This event is raised when a new rule is created by the NetControl framework
due to a call to add_rule. From this moment, until the rule_destroyed event
is raised, the rule is tracked internally by the NetControl framework.
Note that this event does not mean that a rule was successfully added by
any backend; it just means that the rule has been accepted and addition
to the specified backend is queued. To get information when rules are actually
installed by the hardware, use the rule_added, rule_exists, rule_removed, rule_timeout
and rule_error events.
.. zeek:id:: NetControl::rule_removed
:source-code: base/frameworks/netcontrol/non-cluster.zeek 47 50
:Type: :zeek:type:`event` (r: :zeek:type:`NetControl::Rule`, p: :zeek:type:`NetControl::PluginState`, msg: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`)
Reports that a plugin reports a rule was removed due to a
remove_rule function call.
:param r: The rule now removed.
:param p: The state for the plugin that had the rule in place and now
removed it.
:param msg: An optional informational message by the plugin.
.. zeek:id:: NetControl::rule_timeout
:source-code: base/frameworks/netcontrol/main.zeek 227 227
:Type: :zeek:type:`event` (r: :zeek:type:`NetControl::Rule`, i: :zeek:type:`NetControl::FlowInfo`, p: :zeek:type:`NetControl::PluginState`)
Reports that a rule was removed from a plugin due to a timeout.
:param r: The rule now removed.
:param i: Additional flow information, if supported by the protocol.
:param p: The state for the plugin that had the rule in place and now
removed it.
:param msg: An optional informational message by the plugin.
Hooks
#####
.. zeek:id:: NetControl::log_policy
:source-code: base/frameworks/netcontrol/main.zeek 23 23
:Type: :zeek:type:`Log::PolicyHook`
A default logging policy hook for the stream.
.. zeek:id:: NetControl::rule_added_policy
:source-code: base/frameworks/netcontrol/main.zeek 277 277
:Type: :zeek:type:`hook` (r: :zeek:type:`NetControl::Rule`, p: :zeek:type:`NetControl::PluginState`, exists: :zeek:type:`bool`, msg: :zeek:type:`string`) : :zeek:type:`bool`
Hook that allows the modification of rule states after they are returned from
the plugins and have been added to the rules database. This allows low-level
modification of the handling of rules like, e.g., changing rule expiration depending
on context.
:param r: The rule now in place.
:param p: The state for the plugin that put it into place.
:param exists: If the adding plugin flagged the rule as already existing.
:param msg: An optional informational message by the plugin.
.. zeek:id:: NetControl::rule_policy
:source-code: base/frameworks/netcontrol/main.zeek 263 263
:Type: :zeek:type:`hook` (r: :zeek:type:`NetControl::Rule`) : :zeek:type:`bool`
Hook that allows the modification of rules passed to add_rule before they
are passed on to the plugins. If one of the hooks uses break, the rule is
ignored and not passed on to any plugin.
:param r: The rule to be added.
Functions
#########
.. zeek:id:: NetControl::activate
:source-code: base/frameworks/netcontrol/non-cluster.zeek 6 9
:Type: :zeek:type:`function` (p: :zeek:type:`NetControl::PluginState`, priority: :zeek:type:`int`) : :zeek:type:`void`
Activates a plugin.
:param p: The plugin to activate.
:param priority: The higher the priority, the earlier this plugin will be checked
whether it supports an operation, relative to other plugins.
.. zeek:id:: NetControl::add_rule
:source-code: base/frameworks/netcontrol/non-cluster.zeek 11 14
:Type: :zeek:type:`function` (r: :zeek:type:`NetControl::Rule`) : :zeek:type:`string`
Installs a rule.
:param r: The rule to install.
:returns: If successful, returns an ID string unique to the rule that can
later be used to refer to it. If unsuccessful, returns an empty
string. The ID is also assigned to ``r$id``. Note that
"successful" means "a plugin knew how to handle the rule", it
doesn't necessarily mean that it was indeed successfully put in
place, because that might happen asynchronously and thus fail
only later.
.. zeek:id:: NetControl::clear
:source-code: base/frameworks/netcontrol/main.zeek 1075 1079
:Type: :zeek:type:`function` () : :zeek:type:`void`
Flushes all state by calling :zeek:see:`NetControl::remove_rule` on all currently active rules.
.. zeek:id:: NetControl::delete_rule
:source-code: base/frameworks/netcontrol/non-cluster.zeek 16 19
:Type: :zeek:type:`function` (id: :zeek:type:`string`, reason: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`) : :zeek:type:`bool`
Deletes a rule without removing it from the backends to which it has been
added before. This means that no messages will be sent to the switches to which
the rule has been added; if it is not removed from them by a separate mechanism,
it will stay installed and not be removed later.
:param id: The rule to delete, specified as the ID returned by :zeek:see:`NetControl::add_rule`.
:param reason: Optional string argument giving information on why the rule was deleted.
:returns: True if removal is successful, or sent to manager.
False if the rule could not be found.
.. zeek:id:: NetControl::find_rules_addr
:source-code: base/frameworks/netcontrol/main.zeek 763 766
:Type: :zeek:type:`function` (ip: :zeek:type:`addr`) : :zeek:type:`vector` of :zeek:type:`NetControl::Rule`
Searches all rules affecting a certain IP address.
This function works on both the manager and workers of a cluster. Note that on
the worker, the internal rule variables (starting with _) will not reflect the
current state.
:param ip: The ip address to search for.
:returns: vector of all rules affecting the IP address.
.. zeek:id:: NetControl::find_rules_subnet
:source-code: base/frameworks/netcontrol/main.zeek 741 761
:Type: :zeek:type:`function` (sn: :zeek:type:`subnet`) : :zeek:type:`vector` of :zeek:type:`NetControl::Rule`
Searches all rules affecting a certain subnet.
A rule affects a subnet, if it covers the whole subnet. Note especially that
this function will not reveal all rules that are covered by a subnet.
For example, a search for 192.168.17.0/8 will reveal a rule that exists for
192.168.0.0/16, since this rule affects the subnet. However, it will not reveal
a more specific rule for 192.168.17.1/32, which does not directly affect the whole
subnet.
This function works on both the manager and workers of a cluster. Note that on
the worker, the internal rule variables (starting with _) will not reflect the
current state.
:param sn: The subnet to search for.
:returns: vector of all rules affecting the subnet.
.. zeek:id:: NetControl::plugin_activated
:source-code: base/frameworks/netcontrol/main.zeek 617 635
:Type: :zeek:type:`function` (p: :zeek:type:`NetControl::PluginState`) : :zeek:type:`void`
Function called by plugins once they finished their activation. After all
plugins defined in zeek_init finished to activate, rules will start to be sent
to the plugins. Rules that scripts try to set before the backends are ready
will be discarded.
.. zeek:id:: NetControl::quarantine_host
:source-code: base/frameworks/netcontrol/main.zeek 570 590
:Type: :zeek:type:`function` (infected: :zeek:type:`addr`, dns: :zeek:type:`addr`, quarantine: :zeek:type:`addr`, t: :zeek:type:`interval`, location: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`) : :zeek:type:`vector` of :zeek:type:`string`
Quarantines a host. This requires a special quarantine server, which runs a HTTP server explaining
the quarantine and a DNS server which resolves all requests to the quarantine server. DNS queries
from the host to the network DNS server will be rewritten and will be sent to the quarantine server
instead. Only http communication infected to quarantinehost is allowed. All other network communication
is blocked.
:param infected: the host to quarantine.
:param dns: the network dns server.
:param quarantine: the quarantine server running a dns and a web server.
:param t: how long to leave the quarantine in place.
:returns: Vector of inserted rules on success, empty list on failure.
.. zeek:id:: NetControl::redirect_flow
:source-code: base/frameworks/netcontrol/main.zeek 556 568
:Type: :zeek:type:`function` (f: :zeek:type:`flow_id`, out_port: :zeek:type:`count`, t: :zeek:type:`interval`, location: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`) : :zeek:type:`string`
Redirects a uni-directional flow to another port.
:param f: The flow to redirect.
:param out_port: Port to redirect the flow to.
:param t: How long to leave the redirect in place, with 0 being indefinitely.
:param location: An optional string describing where the redirect was triggered.
:returns: The id of the inserted rule on success and zero on failure.
.. zeek:id:: NetControl::remove_rule
:source-code: base/frameworks/netcontrol/non-cluster.zeek 21 24
:Type: :zeek:type:`function` (id: :zeek:type:`string`, reason: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`) : :zeek:type:`bool`
Removes a rule.
:param id: The rule to remove, specified as the ID returned by :zeek:see:`NetControl::add_rule`.
:param reason: Optional string argument giving information on why the rule was removed.
:returns: True if successful, the relevant plugin indicated that it knew
how to handle the removal. Note that again "success" means the
plugin accepted the removal. It might still fail to put it
into effect, as that might happen asynchronously and thus go
wrong at that point.
.. zeek:id:: NetControl::whitelist_address
:source-code: base/frameworks/netcontrol/main.zeek 539 545
:Type: :zeek:type:`function` (a: :zeek:type:`addr`, t: :zeek:type:`interval`, location: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`) : :zeek:type:`string`
Allows all traffic involving a specific IP address to be forwarded.
:param a: The address to be whitelisted.
:param t: How long to whitelist it, with 0 being indefinitely.
:param location: An optional string describing whitelist was triggered.
:returns: The id of the inserted rule on success and zero on failure.
.. zeek:id:: NetControl::whitelist_subnet
:source-code: base/frameworks/netcontrol/main.zeek 547 553
:Type: :zeek:type:`function` (s: :zeek:type:`subnet`, t: :zeek:type:`interval`, location: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`) : :zeek:type:`string`
Allows all traffic involving a specific IP subnet to be forwarded.
:param s: The subnet to be whitelisted.
:param t: How long to whitelist it, with 0 being indefinitely.
:param location: An optional string describing whitelist was triggered.
:returns: The id of the inserted rule on success and zero on failure.
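Review bot: The `:returns:` lines for `redirect_flow`, `whitelist_address` and `whitelist_subnet` say "zero on failure", but all three are declared as returning `string`, so a caller cannot tell from this text what value to test for. State the actual failure value (an empty string, if that is what the implementation returns), and in the quarantine function at the top of this hunk change "empty list on failure" to "empty vector" to match "Vector of inserted rules". Two wording problems in the same hunk: "Only http communication infected to quarantinehost is allowed" does not parse, and `:param location:` on both whitelist functions is missing "where" ("describing where the whitelist was triggered").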

View file

@ -0,0 +1,16 @@
:tocdepth: 3
base/frameworks/netcontrol/non-cluster.zeek
===========================================
.. zeek:namespace:: NetControl
:Namespace: NetControl
:Imports: :doc:`base/frameworks/netcontrol/main.zeek </scripts/base/frameworks/netcontrol/main.zeek>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~
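Review bot: The page for `non-cluster.zeek` has no description and both "Summary" and "Detailed Interface" are empty, yet the `remove_rule` entry earlier in this patch cites `non-cluster.zeek 21 24` as its source. A reader landing here gets no hint of what the script contributes; add a script-level doc comment in the source saying what it implements so that the generated page is not blank.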

View file

@ -0,0 +1,179 @@
:tocdepth: 3
base/frameworks/netcontrol/plugin.zeek
======================================
.. zeek:namespace:: NetControl
This file defines the plugin interface for NetControl.
:Namespace: NetControl
:Imports: :doc:`base/frameworks/netcontrol/types.zeek </scripts/base/frameworks/netcontrol/types.zeek>`
Summary
~~~~~~~
Types
#####
========================================================= =====================================================
:zeek:type:`NetControl::Plugin`: :zeek:type:`record` Definition of a plugin.
:zeek:type:`NetControl::PluginState`: :zeek:type:`record` This record keeps the per instance state of a plugin.
========================================================= =====================================================
Redefinitions
#############
========================================================= ========================================================================
:zeek:type:`NetControl::PluginState`: :zeek:type:`record` Table for a plugin to store instance-specific configuration information.
:New Fields: :zeek:type:`NetControl::PluginState`
plugin: :zeek:type:`NetControl::Plugin` :zeek:attr:`&optional`
The plugin that the state belongs to.
========================================================= ========================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. zeek:type:: NetControl::Plugin
:source-code: base/frameworks/netcontrol/plugin.zeek 38 72
:Type: :zeek:type:`record`
.. zeek:field:: name :zeek:type:`function` (state: :zeek:type:`NetControl::PluginState`) : :zeek:type:`string`
Returns a descriptive name of the plugin instance, suitable for use in logging
messages. Note that this function is not optional.
.. zeek:field:: can_expire :zeek:type:`bool`
If true, plugin can expire rules itself. If false, the NetControl
framework will manage rule expiration.
.. zeek:field:: init :zeek:type:`function` (state: :zeek:type:`NetControl::PluginState`) : :zeek:type:`void` :zeek:attr:`&optional`
One-time initialization function called when plugin gets registered, and
before any other methods are called.
If this function is provided, NetControl assumes that the plugin has to
perform, potentially lengthy, initialization before the plugin will become
active. In this case, the plugin has to call ``NetControl::plugin_activated``,
once initialization finishes.
.. zeek:field:: done :zeek:type:`function` (state: :zeek:type:`NetControl::PluginState`) : :zeek:type:`void` :zeek:attr:`&optional`
One-time finalization function called when a plugin is shutdown; no further
functions will be called afterwards.
.. zeek:field:: add_rule :zeek:type:`function` (state: :zeek:type:`NetControl::PluginState`, r: :zeek:type:`NetControl::Rule`) : :zeek:type:`bool` :zeek:attr:`&optional`
Implements the add_rule() operation. If the plugin accepts the rule,
it returns true, false otherwise. The rule will already have its
``id`` field set, which the plugin may use for identification
purposes.
.. zeek:field:: remove_rule :zeek:type:`function` (state: :zeek:type:`NetControl::PluginState`, r: :zeek:type:`NetControl::Rule`, reason: :zeek:type:`string`) : :zeek:type:`bool` :zeek:attr:`&optional`
Implements the remove_rule() operation. This will only be called for
rules that the plugin has previously accepted with add_rule(). The
``id`` field will match that of the add_rule() call. Generally,
a plugin that accepts an add_rule() should also accept the
remove_rule().
Definition of a plugin.
Generally a plugin needs to implement only what it can support. By
returning failure, it indicates that it can't support something and
the framework will then try another plugin, if available; or inform the
that the operation failed. If a function isn't implemented by a plugin,
that's considered an implicit failure to support the operation.
If plugin accepts a rule operation, it *must* generate one of the reporting
events ``rule_{added,remove,error}`` to signal if it indeed worked out;
this is separate from accepting the operation because often a plugin
will only know later (i.e., asynchronously) if that was an error for
something it thought it could handle.
.. zeek:type:: NetControl::PluginState
:source-code: base/frameworks/netcontrol/plugin.zeek 11 23
:Type: :zeek:type:`record`
.. zeek:field:: config :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`string` :zeek:attr:`&default` = ``{ }`` :zeek:attr:`&optional`
Table for a plugin to store custom, instance-specific state.
.. zeek:field:: _id :zeek:type:`count` :zeek:attr:`&optional`
Unique plugin identifier -- used for backlookup of plugins from Rules. Set internally.
.. zeek:field:: _priority :zeek:type:`int` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
Set internally.
.. zeek:field:: _activated :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
Set internally. Signifies if the plugin has returned that it has activated successfully.
.. zeek:field:: plugin :zeek:type:`NetControl::Plugin` :zeek:attr:`&optional`
The plugin that the state belongs to. (Defined separately
because of cyclic type dependency.)
.. zeek:field:: of_controller :zeek:type:`OpenFlow::Controller` :zeek:attr:`&optional`
(present if :doc:`/scripts/base/frameworks/netcontrol/plugins/openflow.zeek` is loaded)
OpenFlow controller for NetControl OpenFlow plugin.
.. zeek:field:: of_config :zeek:type:`NetControl::OfConfig` :zeek:attr:`&optional`
(present if :doc:`/scripts/base/frameworks/netcontrol/plugins/openflow.zeek` is loaded)
OpenFlow configuration record that is passed on initialization.
.. zeek:field:: broker_config :zeek:type:`NetControl::BrokerConfig` :zeek:attr:`&optional`
(present if :doc:`/scripts/base/frameworks/netcontrol/plugins/broker.zeek` is loaded)
OpenFlow controller for NetControl Broker plugin.
.. zeek:field:: broker_id :zeek:type:`count` :zeek:attr:`&optional`
(present if :doc:`/scripts/base/frameworks/netcontrol/plugins/broker.zeek` is loaded)
The ID of this broker instance - for the mapping to PluginStates.
.. zeek:field:: acld_config :zeek:type:`NetControl::AcldConfig` :zeek:attr:`&optional`
(present if :doc:`/scripts/base/frameworks/netcontrol/plugins/acld.zeek` is loaded)
.. zeek:field:: acld_id :zeek:type:`count` :zeek:attr:`&optional`
(present if :doc:`/scripts/base/frameworks/netcontrol/plugins/acld.zeek` is loaded)
The ID of this acld instance - for the mapping to PluginStates.
This record keeps the per instance state of a plugin.
Individual plugins commonly extend this record to suit their needs.
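Review bot: In the "Definition of a plugin" text for `NetControl::Plugin`, the reporting events are written as `rule_{added,remove,error}`; the plugin events documented elsewhere in this patch use "removed" (`acld_rule_removed`, `broker_rule_removed`), so this reads as a typo for `removed`. Because the sentence states a *must* for plugin authors, spell the event names out in full. The preceding paragraph also drops a word ("or inform the that the operation failed"), and it should say who is informed. In the Redefinitions table, `PluginState` is summarised as "Table for a plugin to store instance-specific configuration information", which describes the `config` field rather than the record, and `acld_config` has no description at all.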

View file

@ -0,0 +1,14 @@
:tocdepth: 3
base/frameworks/netcontrol/plugins/__load__.zeek
================================================
:Imports: :doc:`base/frameworks/netcontrol/plugins/acld.zeek </scripts/base/frameworks/netcontrol/plugins/acld.zeek>`, :doc:`base/frameworks/netcontrol/plugins/broker.zeek </scripts/base/frameworks/netcontrol/plugins/broker.zeek>`, :doc:`base/frameworks/netcontrol/plugins/debug.zeek </scripts/base/frameworks/netcontrol/plugins/debug.zeek>`, :doc:`base/frameworks/netcontrol/plugins/openflow.zeek </scripts/base/frameworks/netcontrol/plugins/openflow.zeek>`, :doc:`base/frameworks/netcontrol/plugins/packetfilter.zeek </scripts/base/frameworks/netcontrol/plugins/packetfilter.zeek>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

View file

@ -0,0 +1,197 @@
:tocdepth: 3
base/frameworks/netcontrol/plugins/acld.zeek
============================================
.. zeek:namespace:: NetControl
Acld plugin for the netcontrol framework.
:Namespace: NetControl
:Imports: :doc:`base/frameworks/broker </scripts/base/frameworks/broker/index>`, :doc:`base/frameworks/netcontrol/main.zeek </scripts/base/frameworks/netcontrol/main.zeek>`, :doc:`base/frameworks/netcontrol/plugin.zeek </scripts/base/frameworks/netcontrol/plugin.zeek>`
Summary
~~~~~~~
Types
#####
======================================================== =
:zeek:type:`NetControl::AclRule`: :zeek:type:`record`
:zeek:type:`NetControl::AcldConfig`: :zeek:type:`record`
======================================================== =
Redefinitions
#############
========================================================= =========================================================================
:zeek:type:`NetControl::PluginState`: :zeek:type:`record`
:New Fields: :zeek:type:`NetControl::PluginState`
acld_config: :zeek:type:`NetControl::AcldConfig` :zeek:attr:`&optional`
acld_id: :zeek:type:`count` :zeek:attr:`&optional`
The ID of this acld instance - for the mapping to PluginStates.
========================================================= =========================================================================
Events
######
============================================================ =======================================
:zeek:id:`NetControl::acld_add_rule`: :zeek:type:`event` Events that are sent from us to Broker.
:zeek:id:`NetControl::acld_remove_rule`: :zeek:type:`event`
:zeek:id:`NetControl::acld_rule_added`: :zeek:type:`event` Events that are sent from Broker to us.
:zeek:id:`NetControl::acld_rule_error`: :zeek:type:`event`
:zeek:id:`NetControl::acld_rule_exists`: :zeek:type:`event`
:zeek:id:`NetControl::acld_rule_removed`: :zeek:type:`event`
============================================================ =======================================
Hooks
#####
========================================================== ==============================================================
:zeek:id:`NetControl::acld_rule_policy`: :zeek:type:`hook` Hook that is called after a rule is converted to an acld rule.
========================================================== ==============================================================
Functions
#########
========================================================= =============================
:zeek:id:`NetControl::create_acld`: :zeek:type:`function` Instantiates the acld plugin.
========================================================= =============================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. zeek:type:: NetControl::AclRule
:source-code: base/frameworks/netcontrol/plugins/acld.zeek 10 15
:Type: :zeek:type:`record`
.. zeek:field:: command :zeek:type:`string`
.. zeek:field:: cookie :zeek:type:`count`
.. zeek:field:: arg :zeek:type:`string`
.. zeek:field:: comment :zeek:type:`string` :zeek:attr:`&optional`
.. zeek:type:: NetControl::AcldConfig
:source-code: base/frameworks/netcontrol/plugins/acld.zeek 17 37
:Type: :zeek:type:`record`
.. zeek:field:: acld_topic :zeek:type:`string`
The acld topic to send events to.
.. zeek:field:: acld_host :zeek:type:`addr`
Broker host to connect to.
.. zeek:field:: acld_port :zeek:type:`port`
Broker port to connect to.
.. zeek:field:: monitor :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
Do we accept rules for the monitor path? Default false.
.. zeek:field:: forward :zeek:type:`bool` :zeek:attr:`&default` = ``T`` :zeek:attr:`&optional`
Do we accept rules for the forward path? Default true.
.. zeek:field:: check_pred :zeek:type:`function` (p: :zeek:type:`NetControl::PluginState`, r: :zeek:type:`NetControl::Rule`) : :zeek:type:`bool` :zeek:attr:`&optional`
Predicate that is called on rule insertion or removal.
:param p: Current plugin state.
:param r: The rule to be inserted or removed.
:returns: T if the rule can be handled by the current backend, F otherwise.
Events
######
.. zeek:id:: NetControl::acld_add_rule
:source-code: base/frameworks/netcontrol/plugins/acld.zeek 61 61
:Type: :zeek:type:`event` (id: :zeek:type:`count`, r: :zeek:type:`NetControl::Rule`, ar: :zeek:type:`NetControl::AclRule`)
Events that are sent from us to Broker.
.. zeek:id:: NetControl::acld_remove_rule
:source-code: base/frameworks/netcontrol/plugins/acld.zeek 62 62
:Type: :zeek:type:`event` (id: :zeek:type:`count`, r: :zeek:type:`NetControl::Rule`, ar: :zeek:type:`NetControl::AclRule`)
.. zeek:id:: NetControl::acld_rule_added
:source-code: base/frameworks/netcontrol/plugins/acld.zeek 90 101
:Type: :zeek:type:`event` (id: :zeek:type:`count`, r: :zeek:type:`NetControl::Rule`, msg: :zeek:type:`string`)
Events that are sent from Broker to us.
.. zeek:id:: NetControl::acld_rule_error
:source-code: base/frameworks/netcontrol/plugins/acld.zeek 129 140
:Type: :zeek:type:`event` (id: :zeek:type:`count`, r: :zeek:type:`NetControl::Rule`, msg: :zeek:type:`string`)
.. zeek:id:: NetControl::acld_rule_exists
:source-code: base/frameworks/netcontrol/plugins/acld.zeek 103 114
:Type: :zeek:type:`event` (id: :zeek:type:`count`, r: :zeek:type:`NetControl::Rule`, msg: :zeek:type:`string`)
.. zeek:id:: NetControl::acld_rule_removed
:source-code: base/frameworks/netcontrol/plugins/acld.zeek 116 127
:Type: :zeek:type:`event` (id: :zeek:type:`count`, r: :zeek:type:`NetControl::Rule`, msg: :zeek:type:`string`)
Hooks
#####
.. zeek:id:: NetControl::acld_rule_policy
:source-code: base/frameworks/netcontrol/plugins/acld.zeek 58 58
:Type: :zeek:type:`hook` (p: :zeek:type:`NetControl::PluginState`, r: :zeek:type:`NetControl::Rule`, ar: :zeek:type:`NetControl::AclRule`) : :zeek:type:`bool`
Hook that is called after a rule is converted to an acld rule.
The hook may modify the rule before it is sent to acld.
Setting the acld command to F will cause the rule to be rejected
by the plugin.
:param p: Current plugin state.
:param r: The rule to be inserted or removed.
:param ar: The acld rule to be inserted or removed.
Functions
#########
.. zeek:id:: NetControl::create_acld
:source-code: base/frameworks/netcontrol/plugins/acld.zeek 298 317
:Type: :zeek:type:`function` (config: :zeek:type:`NetControl::AcldConfig`) : :zeek:type:`NetControl::PluginState`
Instantiates the acld plugin.
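Review bot: The `acld_rule_policy` text says "Setting the acld command to F will cause the rule to be rejected", but `AclRule.command` is declared as `string` and the hook itself is typed as returning `bool`, so it is unclear whether rejection is signalled by the hook's outcome or by a particular value of `command`. Say which, because this hook is the policy gate for what gets sent to acld. `AclRule` and `AcldConfig` have no record description, and `command`, `cookie`, `arg`, `comment` and `acld_config` are undocumented. The direction comments ("sent from us to Broker", "sent from Broker to us") appear only on the first event of each group, leaving `acld_remove_rule`, `acld_rule_error`, `acld_rule_exists` and `acld_rule_removed` with no text.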

View file

@ -0,0 +1,159 @@
:tocdepth: 3
base/frameworks/netcontrol/plugins/broker.zeek
==============================================
.. zeek:namespace:: NetControl
Broker plugin for the NetControl framework. Sends the raw data structures
used in NetControl on to Broker to allow for easy handling, e.g., of
command-line scripts.
:Namespace: NetControl
:Imports: :doc:`base/frameworks/broker </scripts/base/frameworks/broker/index>`, :doc:`base/frameworks/netcontrol/main.zeek </scripts/base/frameworks/netcontrol/main.zeek>`, :doc:`base/frameworks/netcontrol/plugin.zeek </scripts/base/frameworks/netcontrol/plugin.zeek>`
Summary
~~~~~~~
Types
#####
========================================================== ================================================================================================
:zeek:type:`NetControl::BrokerConfig`: :zeek:type:`record` This record specifies the configuration that is passed to :zeek:see:`NetControl::create_broker`.
========================================================== ================================================================================================
Redefinitions
#############
========================================================= =============================================================================
:zeek:type:`NetControl::PluginState`: :zeek:type:`record`
:New Fields: :zeek:type:`NetControl::PluginState`
broker_config: :zeek:type:`NetControl::BrokerConfig` :zeek:attr:`&optional`
OpenFlow controller for NetControl Broker plugin.
broker_id: :zeek:type:`count` :zeek:attr:`&optional`
The ID of this broker instance - for the mapping to PluginStates.
========================================================= =============================================================================
Events
######
============================================================== =
:zeek:id:`NetControl::broker_add_rule`: :zeek:type:`event`
:zeek:id:`NetControl::broker_remove_rule`: :zeek:type:`event`
:zeek:id:`NetControl::broker_rule_added`: :zeek:type:`event`
:zeek:id:`NetControl::broker_rule_error`: :zeek:type:`event`
:zeek:id:`NetControl::broker_rule_exists`: :zeek:type:`event`
:zeek:id:`NetControl::broker_rule_removed`: :zeek:type:`event`
:zeek:id:`NetControl::broker_rule_timeout`: :zeek:type:`event`
============================================================== =
Functions
#########
=========================================================== ===============================
:zeek:id:`NetControl::create_broker`: :zeek:type:`function` Instantiates the broker plugin.
=========================================================== ===============================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. zeek:type:: NetControl::BrokerConfig
:source-code: base/frameworks/netcontrol/plugins/broker.zeek 13 34
:Type: :zeek:type:`record`
.. zeek:field:: topic :zeek:type:`string` :zeek:attr:`&optional`
The broker topic to send events to.
.. zeek:field:: host :zeek:type:`addr` :zeek:attr:`&optional`
Broker host to connect to.
.. zeek:field:: bport :zeek:type:`port` :zeek:attr:`&optional`
Broker port to connect to.
.. zeek:field:: monitor :zeek:type:`bool` :zeek:attr:`&default` = ``T`` :zeek:attr:`&optional`
Do we accept rules for the monitor path? Default true.
.. zeek:field:: forward :zeek:type:`bool` :zeek:attr:`&default` = ``T`` :zeek:attr:`&optional`
Do we accept rules for the forward path? Default true.
.. zeek:field:: check_pred :zeek:type:`function` (p: :zeek:type:`NetControl::PluginState`, r: :zeek:type:`NetControl::Rule`) : :zeek:type:`bool` :zeek:attr:`&optional`
Predicate that is called on rule insertion or removal.
:param p: Current plugin state.
:param r: The rule to be inserted or removed.
:returns: T if the rule can be handled by the current backend, F otherwise.
This record specifies the configuration that is passed to :zeek:see:`NetControl::create_broker`.
Events
######
.. zeek:id:: NetControl::broker_add_rule
:source-code: base/frameworks/netcontrol/plugins/broker.zeek 46 46
:Type: :zeek:type:`event` (id: :zeek:type:`count`, r: :zeek:type:`NetControl::Rule`)
.. zeek:id:: NetControl::broker_remove_rule
:source-code: base/frameworks/netcontrol/plugins/broker.zeek 47 47
:Type: :zeek:type:`event` (id: :zeek:type:`count`, r: :zeek:type:`NetControl::Rule`, reason: :zeek:type:`string`)
.. zeek:id:: NetControl::broker_rule_added
:source-code: base/frameworks/netcontrol/plugins/broker.zeek 61 72
:Type: :zeek:type:`event` (id: :zeek:type:`count`, r: :zeek:type:`NetControl::Rule`, msg: :zeek:type:`string`)
.. zeek:id:: NetControl::broker_rule_error
:source-code: base/frameworks/netcontrol/plugins/broker.zeek 100 111
:Type: :zeek:type:`event` (id: :zeek:type:`count`, r: :zeek:type:`NetControl::Rule`, msg: :zeek:type:`string`)
.. zeek:id:: NetControl::broker_rule_exists
:source-code: base/frameworks/netcontrol/plugins/broker.zeek 74 85
:Type: :zeek:type:`event` (id: :zeek:type:`count`, r: :zeek:type:`NetControl::Rule`, msg: :zeek:type:`string`)
.. zeek:id:: NetControl::broker_rule_removed
:source-code: base/frameworks/netcontrol/plugins/broker.zeek 87 98
:Type: :zeek:type:`event` (id: :zeek:type:`count`, r: :zeek:type:`NetControl::Rule`, msg: :zeek:type:`string`)
.. zeek:id:: NetControl::broker_rule_timeout
:source-code: base/frameworks/netcontrol/plugins/broker.zeek 113 124
:Type: :zeek:type:`event` (id: :zeek:type:`count`, r: :zeek:type:`NetControl::Rule`, i: :zeek:type:`NetControl::FlowInfo`)
Functions
#########
.. zeek:id:: NetControl::create_broker
:source-code: base/frameworks/netcontrol/plugins/broker.zeek 198 220
:Type: :zeek:type:`function` (config: :zeek:type:`NetControl::BrokerConfig`, can_expire: :zeek:type:`bool`) : :zeek:type:`NetControl::PluginState`
Instantiates the broker plugin.
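Review bot: `broker_config` is described as "OpenFlow controller for NetControl Broker plugin." in the Redefinitions table, which looks copied from `of_controller`; its type is `NetControl::BrokerConfig`, so the text should describe the Broker plugin's configuration record. None of the seven `broker_*` events has a description, unlike the acld page, which at least states which events are sent to Broker and which are received from it. `topic`, `host` and `bport` are all `&optional` in `BrokerConfig` with no word on what the plugin does when they are unset, and the `can_expire` parameter of `create_broker` is not documented.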

View file

@ -0,0 +1,65 @@
:tocdepth: 3
base/frameworks/netcontrol/plugins/debug.zeek
=============================================
.. zeek:namespace:: NetControl
Debugging plugin for the NetControl framework, providing insight into
executed operations.
:Namespace: NetControl
:Imports: :doc:`base/frameworks/netcontrol/main.zeek </scripts/base/frameworks/netcontrol/main.zeek>`, :doc:`base/frameworks/netcontrol/plugin.zeek </scripts/base/frameworks/netcontrol/plugin.zeek>`
Summary
~~~~~~~
Functions
#########
================================================================= =========================================================
:zeek:id:`NetControl::create_debug`: :zeek:type:`function` Instantiates a debug plugin for the NetControl framework.
:zeek:id:`NetControl::create_debug_error`: :zeek:type:`function` Instantiates a debug plugin for the NetControl framework.
:zeek:id:`NetControl::create_debug_exists`: :zeek:type:`function` Instantiates a debug plugin for the NetControl framework.
================================================================= =========================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: NetControl::create_debug
:source-code: base/frameworks/netcontrol/plugins/debug.zeek 118 131
:Type: :zeek:type:`function` (do_something: :zeek:type:`bool`, name: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`) : :zeek:type:`NetControl::PluginState`
Instantiates a debug plugin for the NetControl framework. The debug
plugin simply logs the operations it receives.
:param do_something: If true, the plugin will claim it supports all operations; if
false, it will indicate it doesn't support any.
:param name: Optional name that for the plugin.
.. zeek:id:: NetControl::create_debug_error
:source-code: base/frameworks/netcontrol/plugins/debug.zeek 133 140
:Type: :zeek:type:`function` (name: :zeek:type:`string`) : :zeek:type:`NetControl::PluginState`
Instantiates a debug plugin for the NetControl framework. This variation
of the plugin will return "error" to any rule operations.
:param name: Name of this plugin.
.. zeek:id:: NetControl::create_debug_exists
:source-code: base/frameworks/netcontrol/plugins/debug.zeek 142 149
:Type: :zeek:type:`function` (name: :zeek:type:`string`) : :zeek:type:`NetControl::PluginState`
Instantiates a debug plugin for the NetControl framework. This variation
of the plugin will return "exists" to any rule operations.
:param name: Name of this plugin.
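Review bot: The three rows of the Functions summary table are identical ("Instantiates a debug plugin for the NetControl framework."), so the summary cannot distinguish `create_debug` from `create_debug_error` and `create_debug_exists`. Move the distinguishing behaviour (logs only, always returns "error", always returns "exists") into the first sentence of each doc comment, since that sentence is what the summary shows. `:param name:` on `create_debug` reads "Optional name that for the plugin"; drop "that".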

View file

@ -0,0 +1,36 @@
:orphan:
Package: base/frameworks/netcontrol/plugins
===========================================
Plugins for the NetControl framework.
:doc:`/scripts/base/frameworks/netcontrol/plugins/__load__.zeek`
:doc:`/scripts/base/frameworks/netcontrol/plugins/debug.zeek`
Debugging plugin for the NetControl framework, providing insight into
executed operations.
:doc:`/scripts/base/frameworks/netcontrol/plugins/openflow.zeek`
OpenFlow plugin for the NetControl framework.
:doc:`/scripts/base/frameworks/netcontrol/plugins/packetfilter.zeek`
NetControl plugin for the process-level PacketFilter that comes with
Zeek. Since the PacketFilter in Zeek is quite limited in scope
and can only add/remove filters for addresses, this is quite
limited in scope at the moment.
:doc:`/scripts/base/frameworks/netcontrol/plugins/broker.zeek`
Broker plugin for the NetControl framework. Sends the raw data structures
used in NetControl on to Broker to allow for easy handling, e.g., of
command-line scripts.
:doc:`/scripts/base/frameworks/netcontrol/plugins/acld.zeek`
Acld plugin for the netcontrol framework.

View file

@ -0,0 +1,195 @@
:tocdepth: 3
base/frameworks/netcontrol/plugins/openflow.zeek
================================================
.. zeek:namespace:: NetControl
OpenFlow plugin for the NetControl framework.
:Namespace: NetControl
:Imports: :doc:`base/frameworks/netcontrol/main.zeek </scripts/base/frameworks/netcontrol/main.zeek>`, :doc:`base/frameworks/netcontrol/plugin.zeek </scripts/base/frameworks/netcontrol/plugin.zeek>`, :doc:`base/frameworks/openflow </scripts/base/frameworks/openflow/index>`
Summary
~~~~~~~
Redefinable Options
###################
========================================================================================== ===============================================================================
:zeek:id:`NetControl::openflow_flow_timeout`: :zeek:type:`interval` :zeek:attr:`&redef` The time interval after we consider a flow timed out.
:zeek:id:`NetControl::openflow_message_timeout`: :zeek:type:`interval` :zeek:attr:`&redef` The time interval after which an openflow message is considered to be timed out
and we delete it from our internal tracking.
========================================================================================== ===============================================================================
Types
#####
====================================================== ==================================================================================================
:zeek:type:`NetControl::OfConfig`: :zeek:type:`record` This record specifies the configuration that is passed to :zeek:see:`NetControl::create_openflow`.
:zeek:type:`NetControl::OfTable`: :zeek:type:`record`
====================================================== ==================================================================================================
Redefinitions
#############
========================================================= =========================================================================
:zeek:type:`NetControl::PluginState`: :zeek:type:`record`
:New Fields: :zeek:type:`NetControl::PluginState`
of_controller: :zeek:type:`OpenFlow::Controller` :zeek:attr:`&optional`
OpenFlow controller for NetControl OpenFlow plugin.
of_config: :zeek:type:`NetControl::OfConfig` :zeek:attr:`&optional`
OpenFlow configuration record that is passed on initialization.
========================================================= =========================================================================
Functions
#########
============================================================= =============================================================
:zeek:id:`NetControl::create_openflow`: :zeek:type:`function` Instantiates an openflow plugin for the NetControl framework.
============================================================= =============================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Redefinable Options
###################
.. zeek:id:: NetControl::openflow_flow_timeout
:source-code: base/frameworks/netcontrol/plugins/openflow.zeek 76 76
:Type: :zeek:type:`interval`
:Attributes: :zeek:attr:`&redef`
:Default: ``1.0 day``
The time interval after we consider a flow timed out. This should be fairly high (or
even disabled) if you expect a lot of long flows. However, one also will have state
buildup for quite a while if keeping this around...
.. zeek:id:: NetControl::openflow_message_timeout
:source-code: base/frameworks/netcontrol/plugins/openflow.zeek 71 71
:Type: :zeek:type:`interval`
:Attributes: :zeek:attr:`&redef`
:Default: ``20.0 secs``
The time interval after which an openflow message is considered to be timed out
and we delete it from our internal tracking.
Types
#####
.. zeek:type:: NetControl::OfConfig
:source-code: base/frameworks/netcontrol/plugins/openflow.zeek 11 51
:Type: :zeek:type:`record`
.. zeek:field:: monitor :zeek:type:`bool` :zeek:attr:`&default` = ``T`` :zeek:attr:`&optional`
Accept rules that target the monitor path.
.. zeek:field:: forward :zeek:type:`bool` :zeek:attr:`&default` = ``T`` :zeek:attr:`&optional`
Accept rules that target the forward path.
.. zeek:field:: idle_timeout :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
Default OpenFlow idle timeout.
.. zeek:field:: table_id :zeek:type:`count` :zeek:attr:`&optional`
Default OpenFlow table ID.
.. zeek:field:: priority_offset :zeek:type:`int` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
Add this to all rule priorities. Can be useful if you want the openflow priorities be offset from the netcontrol priorities without having to write a filter function.
.. zeek:field:: check_pred :zeek:type:`function` (p: :zeek:type:`NetControl::PluginState`, r: :zeek:type:`NetControl::Rule`) : :zeek:type:`bool` :zeek:attr:`&optional`
Predicate that is called on rule insertion or removal.
:param p: Current plugin state.
:param r: The rule to be inserted or removed.
:returns: T if the rule can be handled by the current backend, F otherwise.
.. zeek:field:: match_pred :zeek:type:`function` (p: :zeek:type:`NetControl::PluginState`, e: :zeek:type:`NetControl::Entity`, m: :zeek:type:`vector` of :zeek:type:`OpenFlow::ofp_match`) : :zeek:type:`vector` of :zeek:type:`OpenFlow::ofp_match` :zeek:attr:`&optional`
This predicate is called each time an OpenFlow match record is created.
The predicate can modify the match structure before it is sent on to the
device.
:param p: Current plugin state.
:param r: The rule to be inserted or removed.
:param m: The openflow match structures that were generated for this rules.
:returns: The modified OpenFlow match structures that will be used in place of the structures passed in m.
.. zeek:field:: flow_mod_pred :zeek:type:`function` (p: :zeek:type:`NetControl::PluginState`, r: :zeek:type:`NetControl::Rule`, m: :zeek:type:`OpenFlow::ofp_flow_mod`) : :zeek:type:`OpenFlow::ofp_flow_mod` :zeek:attr:`&optional`
This predicate is called before a FlowMod message is sent to the OpenFlow
device. It can modify the FlowMod message before it is passed on.
:param p: Current plugin state.
:param r: The rule to be inserted or removed.
:param m: The OpenFlow FlowMod message.
:returns: The modified FlowMod message that is used in lieu of m.
This record specifies the configuration that is passed to :zeek:see:`NetControl::create_openflow`.
.. zeek:type:: NetControl::OfTable
:source-code: base/frameworks/netcontrol/plugins/openflow.zeek 60 67
:Type: :zeek:type:`record`
.. zeek:field:: p :zeek:type:`NetControl::PluginState`
.. zeek:field:: r :zeek:type:`NetControl::Rule`
.. zeek:field:: c :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
.. zeek:field:: packet_count :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
.. zeek:field:: byte_count :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
.. zeek:field:: duration_sec :zeek:type:`double` :zeek:attr:`&default` = ``0.0`` :zeek:attr:`&optional`
Functions
#########
.. zeek:id:: NetControl::create_openflow
:source-code: base/frameworks/netcontrol/plugins/openflow.zeek 448 453
:Type: :zeek:type:`function` (controller: :zeek:type:`OpenFlow::Controller`, config: :zeek:type:`NetControl::OfConfig` :zeek:attr:`&default` = ``[]`` :zeek:attr:`&optional`) : :zeek:type:`NetControl::PluginState`
Instantiates an openflow plugin for the NetControl framework.
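Review bot: `match_pred` in `OfConfig` is declared with `e: NetControl::Entity` as its second parameter, but its parameter list documents `:param r: The rule to be inserted or removed.`, apparently copied from `check_pred`; it should document `e` instead. `openflow_flow_timeout` says the value can be "even disabled" without saying how, and its summary line is missing "which" ("The time interval after we consider a flow timed out"). `OfTable` and its six fields are undocumented, and `create_openflow` does not describe `controller` or `config`.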

View file

@ -0,0 +1,35 @@
:tocdepth: 3
base/frameworks/netcontrol/plugins/packetfilter.zeek
====================================================
.. zeek:namespace:: NetControl
NetControl plugin for the process-level PacketFilter that comes with
Zeek. Since the PacketFilter in Zeek is quite limited in scope
and can only add/remove filters for addresses, this is quite
limited in scope at the moment.
:Namespace: NetControl
:Imports: :doc:`base/frameworks/netcontrol/plugin.zeek </scripts/base/frameworks/netcontrol/plugin.zeek>`
Summary
~~~~~~~
Functions
#########
================================================================= =====================================
:zeek:id:`NetControl::create_packetfilter`: :zeek:type:`function` Instantiates the packetfilter plugin.
================================================================= =====================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: NetControl::create_packetfilter
:source-code: base/frameworks/netcontrol/plugins/packetfilter.zeek 107 112
:Type: :zeek:type:`function` () : :zeek:type:`NetControl::PluginState`
Instantiates the packetfilter plugin.
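
Review bot: the module description says "quite limited in scope" twice in one sentence and still does not say what the plugin accepts beyond "add/remove filters for addresses". Suggest replacing the repeated phrase with one sentence that names the rule and entity types the plugin handles, so someone choosing a backend knows in advance which rules it will not take.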

View file

@ -0,0 +1,123 @@
:tocdepth: 3
base/frameworks/netcontrol/shunt.zeek
=====================================
.. zeek:namespace:: NetControl
Implementation of the shunt functionality for NetControl.
:Namespace: NetControl
:Imports: :doc:`base/frameworks/netcontrol/main.zeek </scripts/base/frameworks/netcontrol/main.zeek>`
Summary
~~~~~~~
Types
#####
======================================================= =
:zeek:type:`NetControl::ShuntInfo`: :zeek:type:`record`
======================================================= =
Redefinitions
#############
======================================= ================================
:zeek:type:`Log::ID`: :zeek:type:`enum`
* :zeek:enum:`NetControl::SHUNT`
======================================= ================================
Events
######
=============================================================== ==========================================================================
:zeek:id:`NetControl::log_netcontrol_shunt`: :zeek:type:`event` Event that can be handled to access the :zeek:type:`NetControl::ShuntInfo`
record as it is sent on to the logging framework.
=============================================================== ==========================================================================
Hooks
#####
===================================================================== =
:zeek:id:`NetControl::log_policy_shunt`: :zeek:type:`Log::PolicyHook`
===================================================================== =
Functions
#########
======================================================== ==========================================================
:zeek:id:`NetControl::shunt_flow`: :zeek:type:`function` Stops forwarding a uni-directional flow's packets to Zeek.
======================================================== ==========================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. zeek:type:: NetControl::ShuntInfo
:source-code: base/frameworks/netcontrol/shunt.zeek 23 34
:Type: :zeek:type:`record`
.. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
Time at which the recorded activity occurred.
.. zeek:field:: rule_id :zeek:type:`string` :zeek:attr:`&log`
ID of the rule; unique during each Zeek run.
.. zeek:field:: f :zeek:type:`flow_id` :zeek:attr:`&log`
Flow ID of the shunted flow.
.. zeek:field:: expire :zeek:type:`interval` :zeek:attr:`&log`
Expiry time of the shunt.
.. zeek:field:: location :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Location where the underlying action was triggered.
Events
######
.. zeek:id:: NetControl::log_netcontrol_shunt
:source-code: base/frameworks/netcontrol/shunt.zeek 38 38
:Type: :zeek:type:`event` (rec: :zeek:type:`NetControl::ShuntInfo`)
Event that can be handled to access the :zeek:type:`NetControl::ShuntInfo`
record as it is sent on to the logging framework.
Hooks
#####
.. zeek:id:: NetControl::log_policy_shunt
:source-code: base/frameworks/netcontrol/shunt.zeek 10 10
:Type: :zeek:type:`Log::PolicyHook`
Functions
#########
.. zeek:id:: NetControl::shunt_flow
:source-code: base/frameworks/netcontrol/shunt.zeek 46 70
:Type: :zeek:type:`function` (f: :zeek:type:`flow_id`, t: :zeek:type:`interval`, location: :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`) : :zeek:type:`string`
Stops forwarding a uni-directional flow's packets to Zeek.
:param f: The flow to shunt.
:param t: How long to leave the shunt in place, with 0 being indefinitely.
:param location: An optional string describing where the shunt was triggered.
:returns: The id of the inserted rule on success and zero on failure.
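
Review bot: the ``:returns:`` line of ``NetControl::shunt_flow`` promises "zero on failure", but the signature returns a ``string``, so there is no zero for a caller to compare against. State the actual failure value; a caller that tests the result the wrong way will misjudge whether the shunt was installed. In the same hunk, ``:param t:`` takes an ``interval``, so "with 0 being indefinitely" would read better with the unit spelled out, and ``NetControl::log_policy_shunt`` and ``NetControl::ShuntInfo`` both have empty description cells in the summary tables.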

View file

@ -0,0 +1,380 @@
:tocdepth: 3
base/frameworks/netcontrol/types.zeek
=====================================
.. zeek:namespace:: NetControl
This file defines the types that are used by the NetControl framework.
The most important type defined in this file is :zeek:see:`NetControl::Rule`,
which is used to describe all rules that can be expressed by the NetControl framework.
:Namespace: NetControl
Summary
~~~~~~~
Runtime Options
###############
============================================================================= ======================================================
:zeek:id:`NetControl::default_priority`: :zeek:type:`int` :zeek:attr:`&redef` The default priority that is used when creating rules.
============================================================================= ======================================================
Redefinable Options
###################
=============================================================================== =====================================================================================
:zeek:id:`NetControl::whitelist_priority`: :zeek:type:`int` :zeek:attr:`&redef` The default priority that is used when using the high-level functions to
push whitelist entries to the backends (:zeek:see:`NetControl::whitelist_address` and
:zeek:see:`NetControl::whitelist_subnet`).
=============================================================================== =====================================================================================
Types
#####
====================================================== ======================================================================================================
:zeek:type:`NetControl::Entity`: :zeek:type:`record` Type defining the entity a rule is operating on.
:zeek:type:`NetControl::EntityType`: :zeek:type:`enum` Type defining the entity that a rule applies to.
:zeek:type:`NetControl::Flow`: :zeek:type:`record` Flow is used in :zeek:type:`NetControl::Entity` together with :zeek:enum:`NetControl::FLOW` to specify
a uni-directional flow that a rule applies to.
:zeek:type:`NetControl::FlowInfo`: :zeek:type:`record` Information of a flow that can be provided by switches when the flow times out.
:zeek:type:`NetControl::FlowMod`: :zeek:type:`record` Type for defining a flow modification action.
:zeek:type:`NetControl::Rule`: :zeek:type:`record` A rule for the framework to put in place.
:zeek:type:`NetControl::RuleType`: :zeek:type:`enum` Type of rules that the framework supports.
:zeek:type:`NetControl::TargetType`: :zeek:type:`enum` Type defining the target of a rule.
====================================================== ======================================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: NetControl::default_priority
:source-code: base/frameworks/netcontrol/types.zeek 10 10
:Type: :zeek:type:`int`
:Attributes: :zeek:attr:`&redef`
:Default: ``0``
The default priority that is used when creating rules.
Redefinable Options
###################
.. zeek:id:: NetControl::whitelist_priority
:source-code: base/frameworks/netcontrol/types.zeek 18 18
:Type: :zeek:type:`int`
:Attributes: :zeek:attr:`&redef`
:Default: ``5``
The default priority that is used when using the high-level functions to
push whitelist entries to the backends (:zeek:see:`NetControl::whitelist_address` and
:zeek:see:`NetControl::whitelist_subnet`).
Note that this priority is not automatically used when manually creating rules
that have a :zeek:see:`NetControl::RuleType` of :zeek:enum:`NetControl::WHITELIST`.
Types
#####
.. zeek:type:: NetControl::Entity
:source-code: base/frameworks/netcontrol/types.zeek 42 48
:Type: :zeek:type:`record`
.. zeek:field:: ty :zeek:type:`NetControl::EntityType`
Type of entity.
.. zeek:field:: conn :zeek:type:`conn_id` :zeek:attr:`&optional`
Used with :zeek:enum:`NetControl::CONNECTION`.
.. zeek:field:: flow :zeek:type:`NetControl::Flow` :zeek:attr:`&optional`
Used with :zeek:enum:`NetControl::FLOW`.
.. zeek:field:: ip :zeek:type:`subnet` :zeek:attr:`&optional`
Used with :zeek:enum:`NetControl::ADDRESS` to specify a CIDR subnet.
.. zeek:field:: mac :zeek:type:`string` :zeek:attr:`&optional`
Used with :zeek:enum:`NetControl::MAC`.
Type defining the entity a rule is operating on.
.. zeek:type:: NetControl::EntityType
:source-code: base/frameworks/netcontrol/types.zeek 21 27
:Type: :zeek:type:`enum`
.. zeek:enum:: NetControl::ADDRESS NetControl::EntityType
Activity involving a specific IP address.
.. zeek:enum:: NetControl::CONNECTION NetControl::EntityType
Activity involving all of a bi-directional connection's activity.
.. zeek:enum:: NetControl::FLOW NetControl::EntityType
Activity involving a uni-directional flow's activity. Can contain wildcards.
.. zeek:enum:: NetControl::MAC NetControl::EntityType
Activity involving a MAC address.
Type defining the entity that a rule applies to.
.. zeek:type:: NetControl::Flow
:source-code: base/frameworks/netcontrol/types.zeek 32 39
:Type: :zeek:type:`record`
.. zeek:field:: src_h :zeek:type:`subnet` :zeek:attr:`&optional`
The source IP address/subnet.
.. zeek:field:: src_p :zeek:type:`port` :zeek:attr:`&optional`
The source port number.
.. zeek:field:: dst_h :zeek:type:`subnet` :zeek:attr:`&optional`
The destination IP address/subnet.
.. zeek:field:: dst_p :zeek:type:`port` :zeek:attr:`&optional`
The destination port number.
.. zeek:field:: src_m :zeek:type:`string` :zeek:attr:`&optional`
The source MAC address.
.. zeek:field:: dst_m :zeek:type:`string` :zeek:attr:`&optional`
The destination MAC address.
Flow is used in :zeek:type:`NetControl::Entity` together with :zeek:enum:`NetControl::FLOW` to specify
a uni-directional flow that a rule applies to.
If optional fields are not set, they are interpreted as wildcarded.
.. zeek:type:: NetControl::FlowInfo
:source-code: base/frameworks/netcontrol/types.zeek 122 126
:Type: :zeek:type:`record`
.. zeek:field:: duration :zeek:type:`interval` :zeek:attr:`&optional`
Total duration of the rule.
.. zeek:field:: packet_count :zeek:type:`count` :zeek:attr:`&optional`
Number of packets exchanged over connections matched by the rule.
.. zeek:field:: byte_count :zeek:type:`count` :zeek:attr:`&optional`
Total bytes exchanged over connections matched by the rule.
Information of a flow that can be provided by switches when the flow times out.
Currently this is heavily influenced by the data that OpenFlow returns by default.
That being said - their design makes sense and this is probably the data one
can expect to be available.
.. zeek:type:: NetControl::FlowMod
:source-code: base/frameworks/netcontrol/types.zeek 90 98
:Type: :zeek:type:`record`
.. zeek:field:: src_h :zeek:type:`addr` :zeek:attr:`&optional`
The source IP address.
.. zeek:field:: src_p :zeek:type:`count` :zeek:attr:`&optional`
The source port number.
.. zeek:field:: dst_h :zeek:type:`addr` :zeek:attr:`&optional`
The destination IP address.
.. zeek:field:: dst_p :zeek:type:`count` :zeek:attr:`&optional`
The destination port number.
.. zeek:field:: src_m :zeek:type:`string` :zeek:attr:`&optional`
The source MAC address.
.. zeek:field:: dst_m :zeek:type:`string` :zeek:attr:`&optional`
The destination MAC address.
.. zeek:field:: redirect_port :zeek:type:`count` :zeek:attr:`&optional`
Type for defining a flow modification action.
.. zeek:type:: NetControl::Rule
:source-code: base/frameworks/netcontrol/types.zeek 103 116
:Type: :zeek:type:`record`
.. zeek:field:: ty :zeek:type:`NetControl::RuleType`
Type of rule.
.. zeek:field:: target :zeek:type:`NetControl::TargetType`
Where to apply rule.
.. zeek:field:: entity :zeek:type:`NetControl::Entity`
Entity to apply rule to.
.. zeek:field:: expire :zeek:type:`interval` :zeek:attr:`&optional`
Timeout after which to expire the rule.
.. zeek:field:: priority :zeek:type:`int` :zeek:attr:`&default` = :zeek:see:`NetControl::default_priority` :zeek:attr:`&optional`
Priority if multiple rules match an entity (larger value is higher priority).
.. zeek:field:: location :zeek:type:`string` :zeek:attr:`&optional`
Optional string describing where/what installed the rule.
.. zeek:field:: out_port :zeek:type:`count` :zeek:attr:`&optional`
Argument for :zeek:enum:`NetControl::REDIRECT` rules.
.. zeek:field:: mod :zeek:type:`NetControl::FlowMod` :zeek:attr:`&optional`
Argument for :zeek:enum:`NetControl::MODIFY` rules.
.. zeek:field:: id :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`
Internally determined unique ID for this rule. Will be set when added.
.. zeek:field:: cid :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
Internally determined unique numeric ID for this rule. Set when added.
.. zeek:field:: _plugin_ids :zeek:type:`set` [:zeek:type:`count`] :zeek:attr:`&default` = ``{ }`` :zeek:attr:`&optional`
(present if :doc:`/scripts/base/frameworks/netcontrol/main.zeek` is loaded)
Internally set to the plugins handling the rule.
.. zeek:field:: _active_plugin_ids :zeek:type:`set` [:zeek:type:`count`] :zeek:attr:`&default` = ``{ }`` :zeek:attr:`&optional`
(present if :doc:`/scripts/base/frameworks/netcontrol/main.zeek` is loaded)
Internally set to the plugins on which the rule is currently active.
.. zeek:field:: _no_expire_plugins :zeek:type:`set` [:zeek:type:`count`] :zeek:attr:`&default` = ``{ }`` :zeek:attr:`&optional`
(present if :doc:`/scripts/base/frameworks/netcontrol/main.zeek` is loaded)
Internally set to plugins where the rule should not be removed upon timeout.
.. zeek:field:: _added :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
(present if :doc:`/scripts/base/frameworks/netcontrol/main.zeek` is loaded)
Track if the rule was added successfully by all responsible plugins.
A rule for the framework to put in place. Of all rules currently in
place, the first match will be taken, sorted by priority. All
further rules will be ignored.
.. zeek:type:: NetControl::RuleType
:source-code: base/frameworks/netcontrol/types.zeek 65 88
:Type: :zeek:type:`enum`
.. zeek:enum:: NetControl::DROP NetControl::RuleType
Stop forwarding all packets matching the entity.
No additional arguments.
.. zeek:enum:: NetControl::MODIFY NetControl::RuleType
Modify all packets matching entity. The packets
will be modified according to the `mod` entry of
the rule.
.. zeek:enum:: NetControl::REDIRECT NetControl::RuleType
Redirect all packets matching entity to a different switch port,
given in the `out_port` argument of the rule.
.. zeek:enum:: NetControl::WHITELIST NetControl::RuleType
Whitelists all packets of an entity, meaning no restrictions will be applied.
While whitelisting is the default if no rule matches, this type can be
used to override lower-priority rules that would otherwise take effect for the
entity.
Type of rules that the framework supports. Each type lists the extra
:zeek:type:`NetControl::Rule` fields it uses, if any.
Plugins may extend this type to define their own.
.. zeek:type:: NetControl::TargetType
:source-code: base/frameworks/netcontrol/types.zeek 56 60
:Type: :zeek:type:`enum`
.. zeek:enum:: NetControl::FORWARD NetControl::TargetType
.. zeek:enum:: NetControl::MONITOR NetControl::TargetType
Type defining the target of a rule.
Rules can either be applied to the forward path, affecting all network traffic, or
on the monitor path, only affecting the traffic that is sent to Zeek. The second
is mostly used for shunting, which allows Zeek to tell the networking hardware that
it wants to no longer see traffic that it identified as benign.
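
Review bot: the ``NetControl::Rule`` description ("the first match will be taken, sorted by priority") does not say which rule wins when two matching rules share a priority, and that case is easy to hit: ``priority`` defaults to ``NetControl::default_priority`` (``0``), and the ``NetControl::whitelist_priority`` text notes that manually created ``NetControl::WHITELIST`` rules do not pick up the value ``5``. Document the tie behaviour, or tell readers to set ``priority`` explicitly on a manual whitelist rule that is meant to override a drop. Also undocumented in this hunk: ``redirect_port`` in ``NetControl::FlowMod`` (and how it relates to ``out_port`` on the rule), and the ``NetControl::FORWARD`` and ``NetControl::MONITOR`` enum values, which are explained only in the type's closing paragraph.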