Copy docs into Zeek repo directly

This is based on commit 2731def9159247e6da8a3191783c89683363689c from the
zeek-docs repo.
Tim Wojtulewicz 2025-09-15 15:52:18 -07:00
parent 83f1e74643
commit ded98cd373
1074 changed files with 169319 additions and 0 deletions


@ -0,0 +1,14 @@
:tocdepth: 3
base/protocols/conn/__load__.zeek
=================================
:Imports: :doc:`base/protocols/conn/contents.zeek </scripts/base/protocols/conn/contents.zeek>`, :doc:`base/protocols/conn/inactivity.zeek </scripts/base/protocols/conn/inactivity.zeek>`, :doc:`base/protocols/conn/main.zeek </scripts/base/protocols/conn/main.zeek>`, :doc:`base/protocols/conn/polling.zeek </scripts/base/protocols/conn/polling.zeek>`, :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`, :doc:`base/protocols/conn/thresholds.zeek </scripts/base/protocols/conn/thresholds.zeek>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~


@ -0,0 +1,71 @@
:tocdepth: 3
base/protocols/conn/contents.zeek
=================================
.. zeek:namespace:: Conn
This script can be used to extract either the originator's data or the
responders data or both. By default nothing is extracted, and in order
to actually extract data the ``c$extract_orig`` and/or the
``c$extract_resp`` variable must be set to ``T``. One way to achieve this
would be to handle the :zeek:id:`connection_established` event elsewhere
and set the ``extract_orig`` and ``extract_resp`` options there.
However, there may be trouble with the timing due to event queue delay.
.. note::
This script does not work well in a cluster context unless it has a
remotely mounted disk to write the content files to.
:Namespace: Conn
:Imports: :doc:`base/utils/files.zeek </scripts/base/utils/files.zeek>`
Summary
~~~~~~~
Runtime Options
###############
=========================================================================== ==================================================================
:zeek:id:`Conn::default_extract`: :zeek:type:`bool` :zeek:attr:`&redef` If this variable is set to ``T``, then all contents of all
connections will be extracted.
:zeek:id:`Conn::extraction_prefix`: :zeek:type:`string` :zeek:attr:`&redef` The prefix given to files containing extracted connections as they
are opened on disk.
=========================================================================== ==================================================================
Redefinitions
#############
============================================ ==================================================================================================================
:zeek:type:`connection`: :zeek:type:`record`
:New Fields: :zeek:type:`connection`
extract_orig: :zeek:type:`bool` :zeek:attr:`&default` = :zeek:see:`Conn::default_extract` :zeek:attr:`&optional`
extract_resp: :zeek:type:`bool` :zeek:attr:`&default` = :zeek:see:`Conn::default_extract` :zeek:attr:`&optional`
============================================ ==================================================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: Conn::default_extract
:source-code: base/protocols/conn/contents.zeek 25 25
:Type: :zeek:type:`bool`
:Attributes: :zeek:attr:`&redef`
:Default: ``F``
If this variable is set to ``T``, then all contents of all
connections will be extracted.
.. zeek:id:: Conn::extraction_prefix
:source-code: base/protocols/conn/contents.zeek 21 21
:Type: :zeek:type:`string`
:Attributes: :zeek:attr:`&redef`
:Default: ``"contents"``
The prefix given to files containing extracted connections as they
are opened on disk.
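Review bot: "responders data" in the module description near the top of this file should be "responder's data"; since this .rst is generated from the doc comments in base/protocols/conn/contents.zeek, the fix belongs in that script's comment rather than in this file, or the next regeneration will reintroduce the typo.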


@ -0,0 +1,64 @@
:tocdepth: 3
base/protocols/conn/inactivity.zeek
===================================
.. zeek:namespace:: Conn
Adjust the inactivity timeouts for interactive services which could
very possibly have long delays between packets.
:Namespace: Conn
Summary
~~~~~~~
Runtime Options
###############
===================================================================================== ==================================================================
:zeek:id:`Conn::analyzer_inactivity_timeouts`: :zeek:type:`table` :zeek:attr:`&redef` Define inactivity timeouts by the service detected being used over
the connection.
:zeek:id:`Conn::port_inactivity_timeouts`: :zeek:type:`table` :zeek:attr:`&redef` Define inactivity timeouts based on common protocol ports.
===================================================================================== ==================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: Conn::analyzer_inactivity_timeouts
:source-code: base/protocols/conn/inactivity.zeek 9 9
:Type: :zeek:type:`table` [:zeek:type:`AllAnalyzers::Tag`] of :zeek:type:`interval`
:Attributes: :zeek:attr:`&redef`
:Default:
::
{
[AllAnalyzers::ANALYZER_ANALYZER_FTP] = 1.0 hr,
[AllAnalyzers::ANALYZER_ANALYZER_SSH] = 1.0 hr
}
Define inactivity timeouts by the service detected being used over
the connection.
.. zeek:id:: Conn::port_inactivity_timeouts
:source-code: base/protocols/conn/inactivity.zeek 15 15
:Type: :zeek:type:`table` [:zeek:type:`port`] of :zeek:type:`interval`
:Attributes: :zeek:attr:`&redef`
:Default:
::
{
[513/tcp] = 1.0 hr,
[21/tcp] = 1.0 hr,
[23/tcp] = 1.0 hr,
[22/tcp] = 1.0 hr
}
Define inactivity timeouts based on common protocol ports.


@ -0,0 +1,62 @@
:orphan:
Package: base/protocols/conn
============================
Support for connection (TCP, UDP, or ICMP) analysis.
:doc:`/scripts/base/protocols/conn/removal-hooks.zeek`
Adds a framework for registering "connection removal hooks".
All registered hooks for a given connection get run within the
:zeek:see:`connection_state_remove` event for that connection.
This functionality is useful from a performance/scaling concern:
if every new protocol-analysis script uses
:zeek:see:`connection_state_remove` to implement its finalization/cleanup
logic, then all connections take the performance hit of dispatching that
event, even if they aren't related to that specific protocol.
:doc:`/scripts/base/protocols/conn/__load__.zeek`
:doc:`/scripts/base/protocols/conn/main.zeek`
This script manages the tracking/logging of general information regarding
TCP, UDP, and ICMP traffic. For UDP and ICMP, "connections" are to
be interpreted using flow semantics (sequence of packets from a source
host/port to a destination host/port). Further, ICMP "ports" are to
be interpreted as the source port meaning the ICMP message type and
the destination port being the ICMP message code.
:doc:`/scripts/base/protocols/conn/contents.zeek`
This script can be used to extract either the originator's data or the
responders data or both. By default nothing is extracted, and in order
to actually extract data the ``c$extract_orig`` and/or the
``c$extract_resp`` variable must be set to ``T``. One way to achieve this
would be to handle the :zeek:id:`connection_established` event elsewhere
and set the ``extract_orig`` and ``extract_resp`` options there.
However, there may be trouble with the timing due to event queue delay.
.. note::
This script does not work well in a cluster context unless it has a
remotely mounted disk to write the content files to.
:doc:`/scripts/base/protocols/conn/inactivity.zeek`
Adjust the inactivity timeouts for interactive services which could
very possibly have long delays between packets.
:doc:`/scripts/base/protocols/conn/polling.zeek`
Implements a generic way to poll connections looking for certain features
(e.g. monitor bytes transferred). The specific feature of a connection
to look for, the polling interval, and the code to execute if the feature
is found are all controlled by user-defined callback functions.
:doc:`/scripts/base/protocols/conn/thresholds.zeek`
Implements a generic API to throw events when a connection crosses a
fixed threshold of bytes or packets.
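Review bot: the contents.zeek entry in this package index carries the same "responders data" typo as the contents.zeek module page; both are pulled from the same script comment, so a single fix in base/protocols/conn/contents.zeek corrects both files on regeneration.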


@ -0,0 +1,346 @@
:tocdepth: 3
base/protocols/conn/main.zeek
=============================
.. zeek:namespace:: Conn
This script manages the tracking/logging of general information regarding
TCP, UDP, and ICMP traffic. For UDP and ICMP, "connections" are to
be interpreted using flow semantics (sequence of packets from a source
host/port to a destination host/port). Further, ICMP "ports" are to
be interpreted as the source port meaning the ICMP message type and
the destination port being the ICMP message code.
:Namespace: Conn
:Imports: :doc:`base/utils/site.zeek </scripts/base/utils/site.zeek>`, :doc:`base/utils/strings.zeek </scripts/base/utils/strings.zeek>`
Summary
~~~~~~~
Types
#####
============================================ ===================================================================
:zeek:type:`Conn::Info`: :zeek:type:`record` The record type which contains column fields of the connection log.
============================================ ===================================================================
Redefinitions
#############
============================================ ======================================================
:zeek:type:`Log::ID`: :zeek:type:`enum` The connection logging stream identifier.
* :zeek:enum:`Conn::LOG`
:zeek:type:`connection`: :zeek:type:`record`
:New Fields: :zeek:type:`connection`
conn: :zeek:type:`Conn::Info` :zeek:attr:`&optional`
============================================ ======================================================
Events
######
============================================= ===============================================================
:zeek:id:`Conn::log_conn`: :zeek:type:`event` Event that can be handled to access the :zeek:type:`Conn::Info`
record as it is sent on to the logging framework.
============================================= ===============================================================
Hooks
#####
========================================================= =============================================
:zeek:id:`Conn::log_policy`: :zeek:type:`Log::PolicyHook` A default logging policy hook for the stream.
========================================================= =============================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. zeek:type:: Conn::Info
:source-code: base/protocols/conn/main.zeek 21 168
:Type: :zeek:type:`record`
.. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
This is the time of the first packet.
.. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
A unique identifier of the connection.
.. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
The connection's 4-tuple of endpoint addresses/ports.
.. zeek:field:: proto :zeek:type:`transport_proto` :zeek:attr:`&log`
The transport layer protocol of the connection.
.. zeek:field:: service :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
A comma-separated list of confirmed protocol(s).
With :zeek:see:DPD::track_removed_services_in_connection, the list
includes the same protocols prefixed with "-" to record that Zeek
dropped them due to parsing violations."
.. zeek:field:: duration :zeek:type:`interval` :zeek:attr:`&log` :zeek:attr:`&optional`
How long the connection lasted.
.. note:: The duration doesn't cover trailing "non-productive"
TCP packets (i.e., ones not contributing new stream payload)
once a direction is closed. For example, for regular
3-way/4-way connection tear-downs it doesn't include the
final ACK. The reason is largely historic: this approach
allows more accurate computation of connection data rates.
Zeek does however reflect such trailing packets in the
connection history.
.. zeek:field:: orig_bytes :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
The number of payload bytes the originator sent. For TCP
this is taken from sequence numbers and might be inaccurate
(e.g., due to large connections).
.. zeek:field:: resp_bytes :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
The number of payload bytes the responder sent. See
*orig_bytes*.
.. zeek:field:: conn_state :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Possible *conn_state* values:
* S0: Connection attempt seen, no reply.
* S1: Connection established, not terminated.
* SF: Normal establishment and termination.
Note that this is the same symbol as for state S1.
You can tell the two apart because for S1 there will not be any
byte counts in the summary, while for SF there will be.
* REJ: Connection attempt rejected.
* S2: Connection established and close attempt by originator seen
(but no reply from responder).
* S3: Connection established and close attempt by responder seen
(but no reply from originator).
* RSTO: Connection established, originator aborted (sent a RST).
* RSTR: Responder sent a RST.
* RSTOS0: Originator sent a SYN followed by a RST, we never saw a
SYN-ACK from the responder.
* RSTRH: Responder sent a SYN ACK followed by a RST, we never saw a
SYN from the (purported) originator.
* SH: Originator sent a SYN followed by a FIN, we never saw a
SYN ACK from the responder (hence the connection was "half" open).
* SHR: Responder sent a SYN ACK followed by a FIN, we never saw a
SYN from the originator.
* OTH: No SYN seen, just midstream traffic (one example of this
is a "partial connection" that was not later closed).
.. zeek:field:: local_orig :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&optional`
If the connection is originated locally, this value will be T.
If it was originated remotely it will be F. In the case that
the :zeek:id:`Site::local_nets` variable is undefined, this
field will be left empty at all times.
.. zeek:field:: local_resp :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&optional`
If the connection is responded to locally, this value will be T.
If it was responded to remotely it will be F. In the case that
the :zeek:id:`Site::local_nets` variable is undefined, this
field will be left empty at all times.
.. zeek:field:: missed_bytes :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
Indicates the number of bytes missed in content gaps, which
is representative of packet loss. A value other than zero
will normally cause protocol analysis to fail but some
analysis may have been completed prior to the packet loss.
.. zeek:field:: history :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Records the state history of connections as a string of
letters. The meaning of those letters is:
====== ====================================================
Letter Meaning
====== ====================================================
s a SYN w/o the ACK bit set
h a SYN+ACK ("handshake")
a a pure ACK
d packet with payload ("data")
f packet with FIN bit set
r packet with RST bit set
c packet with a bad checksum (applies to UDP too)
g a content gap
t packet with retransmitted payload
w packet with a zero window advertisement
i inconsistent packet (e.g. FIN+RST bits set)
q multi-flag packet (SYN+FIN or SYN+RST bits set)
^ connection direction was flipped by Zeek's heuristic
x connection analysis partial (e.g. limits exceeded)
====== ====================================================
If the event comes from the originator, the letter is in
upper-case; if it comes from the responder, it's in
lower-case. The 'a', 'd', 'i' and 'q' flags are
recorded a maximum of one time in either direction regardless
of how many are actually seen. 'f', 'h', 'r' and
's' can be recorded multiple times for either direction
if the associated sequence number differs from the
last-seen packet of the same flag type.
'c', 'g', 't' and 'w' are recorded in a logarithmic fashion:
the second instance represents that the event was seen
(at least) 10 times; the third instance, 100 times; etc.
.. zeek:field:: orig_pkts :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
Number of packets that the originator sent.
Only set if :zeek:id:`use_conn_size_analyzer` = T.
.. zeek:field:: orig_ip_bytes :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
Number of IP level bytes that the originator sent (as seen on
the wire, taken from the IP total_length header field).
Only set if :zeek:id:`use_conn_size_analyzer` = T.
.. zeek:field:: resp_pkts :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
Number of packets that the responder sent.
Only set if :zeek:id:`use_conn_size_analyzer` = T.
.. zeek:field:: resp_ip_bytes :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
Number of IP level bytes that the responder sent (as seen on
the wire, taken from the IP total_length header field).
Only set if :zeek:id:`use_conn_size_analyzer` = T.
.. zeek:field:: tunnel_parents :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&log` :zeek:attr:`&optional`
If this connection was over a tunnel, indicate the
*uid* values for any encapsulating parent connections
used over the lifetime of this inner connection.
.. zeek:field:: ip_proto :zeek:type:`count` :zeek:attr:`&optional`
For IP-based connections, this contains the protocol
identifier passed in the IP header. This is different
from the *proto* field in that this value comes
directly from the header.
.. zeek:field:: community_id :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
(present if :doc:`/scripts/policy/protocols/conn/community-id-logging.zeek` is loaded)
.. zeek:field:: failed_service :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&log` :zeek:attr:`&optional` :zeek:attr:`&ordered`
(present if :doc:`/scripts/policy/protocols/conn/failed-service-logging.zeek` is loaded)
List of analyzers in a connection that raised violations
causing their removal.
Analyzers are listed in order that they were removed.
.. zeek:field:: ip_proto_name :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/conn/ip-proto-name-logging.zeek` is loaded)
A string version of the ip_proto field
.. zeek:field:: orig_l2_addr :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/conn/mac-logging.zeek` is loaded)
Link-layer address of the originator, if available.
.. zeek:field:: resp_l2_addr :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/conn/mac-logging.zeek` is loaded)
Link-layer address of the responder, if available.
.. zeek:field:: vlan :zeek:type:`int` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/conn/vlan-logging.zeek` is loaded)
The outer VLAN for this connection, if applicable.
.. zeek:field:: inner_vlan :zeek:type:`int` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/conn/vlan-logging.zeek` is loaded)
The inner VLAN for this connection, if applicable.
.. zeek:field:: pppoe_session_id :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/conn/pppoe-session-id-logging.zeek` is loaded)
The PPPoE session id, if applicable for this connection.
.. zeek:field:: speculative_service :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/conn/speculative-service.zeek` is loaded)
Protocol that was determined by a matching signature after the beginning
of a connection. In this situation no analyzer can be attached and hence
the data cannot be analyzed nor the protocol can be confirmed.
The record type which contains column fields of the connection log.
Events
######
.. zeek:id:: Conn::log_conn
:source-code: base/protocols/conn/main.zeek 172 172
:Type: :zeek:type:`event` (rec: :zeek:type:`Conn::Info`)
Event that can be handled to access the :zeek:type:`Conn::Info`
record as it is sent on to the logging framework.
Hooks
#####
.. zeek:id:: Conn::log_policy
:source-code: base/protocols/conn/main.zeek 18 18
:Type: :zeek:type:`Log::PolicyHook`
A default logging policy hook for the stream.
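Review bot: two markup defects in the `service` field description of `Conn::Info`: the cross-reference is written as `:zeek:see:DPD::track_removed_services_in_connection` without the backticks a role needs, so Sphinx will not resolve it (it should read :zeek:see:`DPD::track_removed_services_in_connection`), and the sentence ends with a stray double quote after "parsing violations." Both come from the doc comment in base/protocols/conn/main.zeek, so fix them there so the generated page stays in sync.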


@ -0,0 +1,52 @@
:tocdepth: 3
base/protocols/conn/polling.zeek
================================
.. zeek:namespace:: ConnPolling
Implements a generic way to poll connections looking for certain features
(e.g. monitor bytes transferred). The specific feature of a connection
to look for, the polling interval, and the code to execute if the feature
is found are all controlled by user-defined callback functions.
:Namespace: ConnPolling
Summary
~~~~~~~
Functions
#########
==================================================== =====================================
:zeek:id:`ConnPolling::watch`: :zeek:type:`function` Starts monitoring a given connection.
==================================================== =====================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: ConnPolling::watch
:source-code: base/protocols/conn/polling.zeek 47 51
:Type: :zeek:type:`function` (c: :zeek:type:`connection`, callback: :zeek:type:`function` (c: :zeek:type:`connection`, cnt: :zeek:type:`count`) : :zeek:type:`interval`, cnt: :zeek:type:`count`, i: :zeek:type:`interval`) : :zeek:type:`void`
Starts monitoring a given connection.
:param c: The connection to watch.
:param callback: A callback function that takes as arguments the monitored
*connection*, and counter *cnt* that increments each time
the callback is called. It returns an interval indicating
how long in the future to schedule an event which will call
the callback. A negative return interval causes polling
to stop.
:param cnt: The initial value of a counter which gets passed to *callback*.
:param i: The initial interval at which to schedule the next callback.
May be ``0secs`` to poll right away.


@ -0,0 +1,101 @@
:tocdepth: 3
base/protocols/conn/removal-hooks.zeek
======================================
.. zeek:namespace:: Conn
Adds a framework for registering "connection removal hooks".
All registered hooks for a given connection get run within the
:zeek:see:`connection_state_remove` event for that connection.
This functionality is useful from a performance/scaling concern:
if every new protocol-analysis script uses
:zeek:see:`connection_state_remove` to implement its finalization/cleanup
logic, then all connections take the performance hit of dispatching that
event, even if they aren't related to that specific protocol.
:Namespace: Conn
Summary
~~~~~~~
Types
#####
================================================= ===========================================================================
:zeek:type:`Conn::RemovalHook`: :zeek:type:`hook` A hook function for use with either :zeek:see:`Conn::register_removal_hook`
or :zeek:see:`Conn::unregister_removal_hook`.
================================================= ===========================================================================
Redefinitions
#############
============================================ =========================================================================================
:zeek:type:`connection`: :zeek:type:`record`
:New Fields: :zeek:type:`connection`
removal_hooks: :zeek:type:`set` [:zeek:type:`Conn::RemovalHook`] :zeek:attr:`&optional`
============================================ =========================================================================================
Functions
#########
=============================================================== =====================================================================
:zeek:id:`Conn::register_removal_hook`: :zeek:type:`function` Register a hook that will later be called during a connection's
:zeek:see:`connection_state_remove` event.
:zeek:id:`Conn::unregister_removal_hook`: :zeek:type:`function` Unregister a hook that would have been called during a connection's
:zeek:see:`connection_state_remove` event such that it will no longer
be called.
=============================================================== =====================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. zeek:type:: Conn::RemovalHook
:source-code: base/protocols/conn/removal-hooks.zeek 17 17
:Type: :zeek:type:`hook` (c: :zeek:type:`connection`) : :zeek:type:`bool`
A hook function for use with either :zeek:see:`Conn::register_removal_hook`
or :zeek:see:`Conn::unregister_removal_hook`. The :zeek:see:`connection`
argument refers to the connection currently being removed within a
:zeek:see:`connection_state_remove` event.
Functions
#########
.. zeek:id:: Conn::register_removal_hook
:source-code: base/protocols/conn/removal-hooks.zeek 47 60
:Type: :zeek:type:`function` (c: :zeek:type:`connection`, hk: :zeek:type:`Conn::RemovalHook`) : :zeek:type:`bool`
Register a hook that will later be called during a connection's
:zeek:see:`connection_state_remove` event.
:param c: The associated connection whose :zeek:see:`connection_state_remove`
event should trigger a callback to *hk*.
:param hk: The hook function to use as a callback.
:returns: false if the provided hook was previously registered, else true.
.. zeek:id:: Conn::unregister_removal_hook
:source-code: base/protocols/conn/removal-hooks.zeek 62 72
:Type: :zeek:type:`function` (c: :zeek:type:`connection`, hk: :zeek:type:`Conn::RemovalHook`) : :zeek:type:`bool`
Unregister a hook that would have been called during a connection's
:zeek:see:`connection_state_remove` event such that it will no longer
be called.
:param c: The associated connection whose :zeek:see:`connection_state_remove`
event could have triggered a callback to *hk*.
:param hk: The hook function that would have been used as a callback.
:returns: true if the provided hook was previously registered, else false.


@ -0,0 +1,252 @@
:tocdepth: 3
base/protocols/conn/thresholds.zeek
===================================
.. zeek:namespace:: ConnThreshold
Implements a generic API to throw events when a connection crosses a
fixed threshold of bytes or packets.
:Namespace: ConnThreshold
Summary
~~~~~~~
Types
#####
=========================================================== =
:zeek:type:`ConnThreshold::Thresholds`: :zeek:type:`record`
=========================================================== =
Redefinitions
#############
============================================ ===========================================================================
:zeek:type:`connection`: :zeek:type:`record`
:New Fields: :zeek:type:`connection`
thresholds: :zeek:type:`ConnThreshold::Thresholds` :zeek:attr:`&optional`
============================================ ===========================================================================
Events
######
======================================================================== =================================================================
:zeek:id:`ConnThreshold::bytes_threshold_crossed`: :zeek:type:`event` Generated for a connection that crossed a set byte threshold
:zeek:id:`ConnThreshold::duration_threshold_crossed`: :zeek:type:`event` Generated for a connection that crossed a set duration threshold.
:zeek:id:`ConnThreshold::packets_threshold_crossed`: :zeek:type:`event` Generated for a connection that crossed a set byte threshold
======================================================================== =================================================================
Functions
#########
========================================================================== ===================================================================================================
:zeek:id:`ConnThreshold::delete_bytes_threshold`: :zeek:type:`function` Deletes a byte threshold for connection sizes.
:zeek:id:`ConnThreshold::delete_duration_threshold`: :zeek:type:`function` Deletes a duration threshold for a connection.
:zeek:id:`ConnThreshold::delete_packets_threshold`: :zeek:type:`function` Deletes a packet threshold for connection sizes.
:zeek:id:`ConnThreshold::set_bytes_threshold`: :zeek:type:`function` Sets a byte threshold for connection sizes, adding it to potentially already existing thresholds.
:zeek:id:`ConnThreshold::set_duration_threshold`: :zeek:type:`function` Sets a duration threshold for a connection, adding it to potentially already existing thresholds.
:zeek:id:`ConnThreshold::set_packets_threshold`: :zeek:type:`function` Sets a packet threshold for connection sizes, adding it to potentially already existing thresholds.
========================================================================== ===================================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. zeek:type:: ConnThreshold::Thresholds
:source-code: base/protocols/conn/thresholds.zeek 8 14
:Type: :zeek:type:`record`
.. zeek:field:: orig_byte :zeek:type:`set` [:zeek:type:`count`] :zeek:attr:`&default` = ``{ }`` :zeek:attr:`&optional`
current originator byte thresholds we watch for
.. zeek:field:: resp_byte :zeek:type:`set` [:zeek:type:`count`] :zeek:attr:`&default` = ``{ }`` :zeek:attr:`&optional`
current responder byte thresholds we watch for
.. zeek:field:: orig_packet :zeek:type:`set` [:zeek:type:`count`] :zeek:attr:`&default` = ``{ }`` :zeek:attr:`&optional`
current originator packet thresholds we watch for
.. zeek:field:: resp_packet :zeek:type:`set` [:zeek:type:`count`] :zeek:attr:`&default` = ``{ }`` :zeek:attr:`&optional`
current responder packet thresholds we watch for
.. zeek:field:: duration :zeek:type:`set` [:zeek:type:`interval`] :zeek:attr:`&default` = ``{ }`` :zeek:attr:`&optional`
current duration thresholds we watch for
Events
######
.. zeek:id:: ConnThreshold::bytes_threshold_crossed
:source-code: base/protocols/ftp/gridftp.zeek 73 86
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, threshold: :zeek:type:`count`, is_orig: :zeek:type:`bool`)
Generated for a connection that crossed a set byte threshold
:param c: the connection
:param threshold: the threshold that was set
:param is_orig: True if the threshold was crossed by the originator of the connection
.. zeek:id:: ConnThreshold::duration_threshold_crossed
:source-code: base/protocols/conn/thresholds.zeek 109 109
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, threshold: :zeek:type:`interval`, is_orig: :zeek:type:`bool`)
Generated for a connection that crossed a set duration threshold. Note that this event is
not raised at the exact moment that a duration threshold is crossed; instead it is raised
when the next packet is seen after the threshold has been crossed. On a connection that is
idle, this can be raised significantly later.
:param c: the connection
:param threshold: the threshold that was set
:param is_orig: True if the threshold was crossed by the originator of the connection
.. zeek:id:: ConnThreshold::packets_threshold_crossed
:source-code: base/protocols/conn/thresholds.zeek 97 97
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, threshold: :zeek:type:`count`, is_orig: :zeek:type:`bool`)
Generated for a connection that crossed a set byte threshold
:param c: the connection
:param threshold: the threshold that was set
:param is_orig: True if the threshold was crossed by the originator of the connection
Functions
#########
.. zeek:id:: ConnThreshold::delete_bytes_threshold
:source-code: base/protocols/conn/thresholds.zeek 266 284
:Type: :zeek:type:`function` (c: :zeek:type:`connection`, threshold: :zeek:type:`count`, is_orig: :zeek:type:`bool`) : :zeek:type:`bool`
Deletes a byte threshold for connection sizes.
:param cid: The connection id.
:param threshold: Threshold in bytes to remove.
:param is_orig: If true, threshold is removed for packets from originator, otherwise for packets from responder.
:returns: T on success, F on failure.
.. zeek:id:: ConnThreshold::delete_duration_threshold
:source-code: base/protocols/conn/thresholds.zeek 306 318
:Type: :zeek:type:`function` (c: :zeek:type:`connection`, threshold: :zeek:type:`interval`) : :zeek:type:`bool`
Deletes a duration threshold for a connection.
:param cid: The connection id.
:param threshold: Threshold in packets.
:returns: T on success, F on failure.
.. zeek:id:: ConnThreshold::delete_packets_threshold
:source-code: base/protocols/conn/thresholds.zeek 286 304
:Type: :zeek:type:`function` (c: :zeek:type:`connection`, threshold: :zeek:type:`count`, is_orig: :zeek:type:`bool`) : :zeek:type:`bool`
Deletes a packet threshold for connection sizes.
:param cid: The connection id.
:param threshold: Threshold in packets.
:param is_orig: If true, threshold is removed for packets from originator, otherwise for packets from responder.
:returns: T on success, F on failure.
.. zeek:id:: ConnThreshold::set_bytes_threshold
:source-code: base/protocols/conn/thresholds.zeek 224 237
:Type: :zeek:type:`function` (c: :zeek:type:`connection`, threshold: :zeek:type:`count`, is_orig: :zeek:type:`bool`) : :zeek:type:`bool`
Sets a byte threshold for connection sizes, adding it to potentially already existing thresholds.
conn_bytes_threshold_crossed will be raised for each set threshold.
:param cid: The connection id.
:param threshold: Threshold in bytes.
:param is_orig: If true, threshold is set for bytes from originator, otherwise for bytes from responder.
:returns: T on success, F on failure.
.. zeek:id:: ConnThreshold::set_duration_threshold
:source-code: base/protocols/conn/thresholds.zeek 254 264
:Type: :zeek:type:`function` (c: :zeek:type:`connection`, threshold: :zeek:type:`interval`) : :zeek:type:`bool`
Sets a duration threshold for a connection, adding it to potentially already existing thresholds.
conn_duration_threshold_crossed will be raised for each set threshold.
:param cid: The connection id.
:param threshold: Threshold in seconds.
:returns: T on success, F on failure.
.. zeek:id:: ConnThreshold::set_packets_threshold
:source-code: base/protocols/conn/thresholds.zeek 239 252
:Type: :zeek:type:`function` (c: :zeek:type:`connection`, threshold: :zeek:type:`count`, is_orig: :zeek:type:`bool`) : :zeek:type:`bool`
Sets a packet threshold for connection sizes, adding it to potentially already existing thresholds.
conn_packets_threshold_crossed will be raised for each set threshold.
:param cid: The connection id.
:param threshold: Threshold in packets.
:param is_orig: If true, threshold is set for packets from originator, otherwise for packets from responder.
:returns: T on success, F on failure.
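Review bot: several docstrings in this hunk contradict the signatures they sit next to, and because this .rst is generated, the fix belongs in the zeekygen comments of base/protocols/conn/thresholds.zeek rather than in the copied output. `ConnThreshold::packets_threshold_crossed` is documented as "Generated for a connection that crossed a set byte threshold" although its `threshold` parameter is a packet `count`; `ConnThreshold::delete_duration_threshold` takes `threshold: interval` but says "Threshold in packets."; and all six functions take `c: connection` while their docstrings describe `:param cid: The connection id.`, so the rendered parameter names never match. Suggest "Generated for a connection that crossed a set packet threshold.", "Threshold duration to remove.", and `:param c: The connection.` respectively. Minor: the bare references to conn_bytes_threshold_crossed, conn_duration_threshold_crossed and conn_packets_threshold_crossed could use :zeek:see: so they cross-link like the rest of the page.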

@ -0,0 +1,14 @@
:tocdepth: 3
base/protocols/dce-rpc/__load__.zeek
====================================
:Imports: :doc:`base/protocols/dce-rpc/consts.zeek </scripts/base/protocols/dce-rpc/consts.zeek>`, :doc:`base/protocols/dce-rpc/main.zeek </scripts/base/protocols/dce-rpc/main.zeek>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

File diff suppressed because it is too large.
@ -0,0 +1,17 @@
:orphan:
Package: base/protocols/dce-rpc
===============================
Support for DCE/RPC (Distributed Computing Environment/Remote Procedure
Calls) protocol analysis.
:doc:`/scripts/base/protocols/dce-rpc/__load__.zeek`
:doc:`/scripts/base/protocols/dce-rpc/consts.zeek`
:doc:`/scripts/base/protocols/dce-rpc/main.zeek`

@ -0,0 +1,194 @@
:tocdepth: 3
base/protocols/dce-rpc/main.zeek
================================
.. zeek:namespace:: DCE_RPC
:Namespace: DCE_RPC
:Imports: :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`, :doc:`base/protocols/dce-rpc/consts.zeek </scripts/base/protocols/dce-rpc/consts.zeek>`
Summary
~~~~~~~
Runtime Options
###############
============================================================================== ===============================================================
:zeek:id:`DCE_RPC::ignored_operations`: :zeek:type:`table` :zeek:attr:`&redef` These are DCE-RPC operations that are ignored, typically due to
the operations being noisy and low value on most networks.
============================================================================== ===============================================================
Types
#####
======================================================= =
:zeek:type:`DCE_RPC::BackingState`: :zeek:type:`record`
:zeek:type:`DCE_RPC::Info`: :zeek:type:`record`
:zeek:type:`DCE_RPC::State`: :zeek:type:`record`
======================================================= =
Redefinitions
#############
======================================================================= =======================================================================================================================
:zeek:id:`DPD::ignore_violations`: :zeek:type:`set` :zeek:attr:`&redef`
:zeek:type:`Log::ID`: :zeek:type:`enum`
* :zeek:enum:`DCE_RPC::LOG`
:zeek:type:`connection`: :zeek:type:`record`
:New Fields: :zeek:type:`connection`
dce_rpc: :zeek:type:`DCE_RPC::Info` :zeek:attr:`&optional`
dce_rpc_state: :zeek:type:`DCE_RPC::State` :zeek:attr:`&optional`
dce_rpc_backing: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`DCE_RPC::BackingState` :zeek:attr:`&optional`
:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef`
======================================================================= =======================================================================================================================
Hooks
#####
==================================================================== ==========================
:zeek:id:`DCE_RPC::finalize_dce_rpc`: :zeek:type:`Conn::RemovalHook` DCE_RPC finalization hook.
:zeek:id:`DCE_RPC::log_policy`: :zeek:type:`Log::PolicyHook`
==================================================================== ==========================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: DCE_RPC::ignored_operations
:source-code: base/protocols/dce-rpc/main.zeek 45 45
:Type: :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`set` [:zeek:type:`string`]
:Attributes: :zeek:attr:`&redef`
:Default:
::
{
["spoolss"] = {
"RpcSplOpenPrinter",
"RpcClosePrinter"
},
["wkssvc"] = {
"NetrWkstaGetInfo"
},
["winreg"] = {
"BaseRegCloseKey",
"BaseRegGetVersion",
"BaseRegOpenKey",
"BaseRegDeleteKeyEx",
"BaseRegEnumKey",
"OpenLocalMachine",
"BaseRegQueryValue",
"OpenClassesRoot"
}
}
These are DCE-RPC operations that are ignored, typically due to
the operations being noisy and low value on most networks.
Types
#####
.. zeek:type:: DCE_RPC::BackingState
:source-code: base/protocols/dce-rpc/main.zeek 59 62
:Type: :zeek:type:`record`
.. zeek:field:: info :zeek:type:`DCE_RPC::Info`
.. zeek:field:: state :zeek:type:`DCE_RPC::State`
.. zeek:type:: DCE_RPC::Info
:source-code: base/protocols/dce-rpc/main.zeek 11 41
:Type: :zeek:type:`record`
.. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
Timestamp for when the event happened.
.. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
Unique ID for the connection.
.. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
The connection's 4-tuple of endpoint addresses/ports.
.. zeek:field:: rtt :zeek:type:`interval` :zeek:attr:`&log` :zeek:attr:`&optional`
Round trip time from the request to the response.
If either the request or response wasn't seen,
this will be null.
.. zeek:field:: named_pipe :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Remote pipe name.
Note that this value is from the "sec_addr" field in the
protocol. Zeek uses the "named_pipe" name for historical reasons,
but it may also contain local port numbers rather than named pipes.
If you prefer to use the "secondary address" name, consider
using :zeek:see:`Log::default_field_name_map`, a ``Log::Filter``'s
:zeek:field:`Log::Filter$field_name_map` field, or removing
the :zeek:attr:`&log` attribute from this field, adding a
new :zeek:field:`sec_addr` field and populating it in a custom
:zeek:see:`dce_rpc_bind_ack` event handler based on the
:zeek:field:`named_pipe` value.
.. zeek:field:: endpoint :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Endpoint name looked up from the uuid.
.. zeek:field:: operation :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Operation seen in the call.
.. zeek:type:: DCE_RPC::State
:source-code: base/protocols/dce-rpc/main.zeek 51 55
:Type: :zeek:type:`record`
.. zeek:field:: uuid :zeek:type:`string` :zeek:attr:`&optional`
.. zeek:field:: named_pipe :zeek:type:`string` :zeek:attr:`&optional`
.. zeek:field:: ctx_to_uuid :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string` :zeek:attr:`&optional`
Hooks
#####
.. zeek:id:: DCE_RPC::finalize_dce_rpc
:source-code: base/protocols/dce-rpc/main.zeek 248 280
:Type: :zeek:type:`Conn::RemovalHook`
DCE_RPC finalization hook. Remaining DCE_RPC info may get logged when it's called.
.. zeek:id:: DCE_RPC::log_policy
:source-code: base/protocols/dce-rpc/main.zeek 9 9
:Type: :zeek:type:`Log::PolicyHook`
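Review bot: `DCE_RPC::ignored_operations` (the Runtime Options entry) is a security-relevant default that the docstring under-explains: it should say what "ignored" means in practice (whether matching calls are dropped from the DCE_RPC log entirely) and point out that the table carries &redef, so sites that want every winreg, spoolss or wkssvc call recorded, e.g. for registry-access monitoring, can clear or narrow it. Also missing text: `DCE_RPC::log_policy`, the `uuid`, `named_pipe` and `ctx_to_uuid` fields of `DCE_RPC::State`, and both fields of `DCE_RPC::BackingState` render with no description; a one-liner each (for `ctx_to_uuid`, presumably "maps a bind context id to its interface UUID") would make the Types tables usable. Wording: the `rtt` field says "this will be null", but the field is &optional, so "unset" is the accurate term.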

@ -0,0 +1,14 @@
:tocdepth: 3
base/protocols/dhcp/__load__.zeek
=================================
:Imports: :doc:`base/protocols/dhcp/consts.zeek </scripts/base/protocols/dhcp/consts.zeek>`, :doc:`base/protocols/dhcp/main.zeek </scripts/base/protocols/dhcp/main.zeek>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -0,0 +1,231 @@
:tocdepth: 3
base/protocols/dhcp/consts.zeek
===============================
.. zeek:namespace:: DHCP
Types, errors, and fields for analyzing DHCP data. A helper file
for DHCP analysis scripts.
:Namespace: DHCP
Summary
~~~~~~~
Constants
#########
================================================================================================ ===================================
:zeek:id:`DHCP::message_types`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` Types of DHCP messages.
:zeek:id:`DHCP::option_types`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` Option types mapped to their names.
================================================================================================ ===================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Constants
#########
.. zeek:id:: DHCP::message_types
:source-code: base/protocols/dhcp/consts.zeek 9 9
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = :zeek:type:`function`
:Default:
::
{
[2] = "OFFER",
[14] = "BULKLEASEQUERY",
[6] = "NAK",
[15] = "LEASEQUERYDONE",
[16] = "ACTIVELEASEQUERY",
[8] = "INFORM",
[9] = "FORCERENEW",
[1] = "DISCOVER",
[11] = "LEASEUNASSIGNED",
[7] = "RELEASE",
[5] = "ACK",
[10] = "LEASEQUERY",
[4] = "DECLINE",
[12] = "LEASEUNKNOWN",
[13] = "LEASEACTIVE",
[18] = "TLS",
[3] = "REQUEST",
[17] = "LEASEQUERYSTATUS"
}
Types of DHCP messages. See :rfc:`1533`, :rfc:`3203`,
:rfc:`4388`, :rfc:`6926`, and :rfc:`7724`.
.. zeek:id:: DHCP::option_types
:source-code: base/protocols/dhcp/consts.zeek 31 31
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = :zeek:type:`function`
:Default:
::
{
[39] = "Keepalive Data",
[73] = "Finger-Server",
[46] = "NETBIOS Node Type",
[28] = "Broadcast Address",
[212] = "OPTION_6RD",
[9] = "LPR Server",
[68] = "Home-Agent-Addrs",
[53] = "DHCP Msg Type",
[71] = "NNTP-Server",
[52] = "Overload",
[41] = "NIS Servers",
[17] = "Root Path",
[119] = "Domain Search",
[81] = "Client FQDN",
[88] = "BCMCS Controller Domain Name list",
[29] = "Mask Discovery",
[133] = "IEEE 802.1D/p Layer 2 Priority",
[176] = "IP Telephone (Tentatively Assigned - 2005-06-23)",
[213] = "OPTION_V4_ACCESS_DOMAIN",
[54] = "DHCP Server Id",
[95] = "LDAP",
[90] = "Authentication",
[252] = "auto-proxy-config",
[146] = "RDNSS Selection",
[86] = "NDS Tree Name",
[1] = "Subnet Mask",
[116] = "Auto-Config",
[158] = "OPTION_V4_PCP_SERVER",
[35] = "ARP Timeout",
[135] = "HTTP Proxy for phone-specific applications",
[3] = "Router",
[114] = "URL",
[140] = "OPTION-IPv4_FQDN-MoS",
[44] = "NETBIOS Name Srv",
[129] = "PXE - undefined (vendor specific)",
[34] = "Trailers",
[45] = "NETBIOS Dist Srv",
[14] = "Merit Dump File",
[31] = "Router Discovery",
[82] = "Relay Agent Information",
[56] = "DHCP Message",
[7] = "Log Server",
[66] = "Server-Name",
[26] = "MTU Interface",
[128] = "PXE - undefined (vendor specific)",
[175] = "Etherboot (Tentatively Assigned - 2005-06-23)",
[47] = "NETBIOS Scope",
[70] = "POP3-Server",
[93] = "Client System",
[2] = "Time Offset",
[132] = "IEEE 802.1Q VLAN ID",
[72] = "WWW-Server",
[24] = "MTU Timeout",
[69] = "SMTP-Server",
[99] = "GEOCONF_CIVIC",
[161] = "OPTION_MUD_URL_V4 (TEMPORARY - registered 2016-11-17)",
[61] = "Client Id",
[60] = "Class Id",
[51] = "Address Time",
[37] = "Default TCP TTL",
[18] = "Extension File",
[157] = "data-source",
[0] = "Pad",
[220] = "Subnet Allocation Option",
[137] = "OPTION_V4_LOST",
[94] = "Client NDI",
[19] = "Forward On/Off",
[20] = "SrcRte On/Off",
[33] = "Static Route",
[75] = "StreetTalk-Server",
[67] = "Bootfile-Name",
[30] = "Mask Supplier",
[15] = "Domain Name",
[77] = "User-Class",
[64] = "NIS-Domain-Name",
[211] = "Reboot Time",
[91] = "client-last-transaction-time option",
[156] = "dhcp-state",
[177] = "PacketCable and CableHome (replaced by 122)",
[97] = "UUID/GUID",
[55] = "Parameter List",
[21] = "Policy Filter",
[221] = "Virtual Subnet Selection (VSS) Option",
[4] = "Time Server",
[124] = "V-I Vendor Class",
[130] = "PXE - undefined (vendor specific)",
[12] = "Hostname",
[155] = "query-end-time",
[58] = "Renewal Time",
[134] = "Diffserv Code Point (DSCP) for VoIP signalling and media streams",
[80] = "Rapid Commit",
[150] = "TFTP server address",
[76] = "STDA-Server",
[25] = "MTU Plateau",
[142] = "OPTION-IPv4_Address-ANDSF",
[16] = "Swap Server",
[255] = "End",
[59] = "Rebinding Time",
[210] = "Path Prefix",
[38] = "Keepalive Time",
[154] = "query-start-time",
[63] = "NetWare/IP Option",
[42] = "NTP Servers",
[57] = "DHCP Max Msg Size",
[78] = "Directory Agent",
[98] = "User-Auth",
[113] = "Netinfo Tag",
[11] = "RLP Server",
[22] = "Max DG Assembly",
[43] = "Vendor Specific",
[136] = "OPTION_PANA_AGENT",
[144] = "GeoLoc",
[40] = "NIS Domain",
[151] = "status-code",
[208] = "PXELINUX Magic",
[36] = "Ethernet",
[6] = "Domain Server",
[141] = "SIP UA Configuration Service Domains",
[125] = "V-I Vendor-Specific Information",
[8] = "Quotes Server",
[23] = "Default IP TTL",
[27] = "MTU Subnet",
[145] = "FORCERENEW_NONCE_CAPABLE",
[83] = "iSNS",
[122] = "CCC",
[159] = "OPTION_V4_PORTPARAMS",
[92] = "associated-ip option",
[10] = "Impress Server",
[65] = "NIS-Server-Addr",
[13] = "Boot File Size",
[32] = "Router Request",
[74] = "IRC-Server",
[62] = "NetWare/IP Domain",
[101] = "TCode",
[89] = "BCMCS Controller IPv4 address option",
[118] = "Subnet Selection Option",
[138] = "OPTION_CAPWAP_AC_V4",
[160] = "DHCP Captive-Portal",
[139] = "OPTION-IPv4_Address-MoS",
[120] = "SIP Servers DHCP Option",
[152] = "base-time",
[50] = "Address Request",
[79] = "Service Scope",
[121] = "Classless Static Route Option",
[48] = "X Window Font",
[85] = "NDS Servers",
[49] = "X Window Manager",
[209] = "Configuration File",
[112] = "Netinfo Address",
[5] = "Name Server",
[100] = "PCode",
[117] = "Name Service Search",
[123] = "GeoConf Option",
[131] = "PXE - undefined (vendor specific)",
[87] = "NDS Context",
[153] = "start-time-of-state"
}
Option types mapped to their names.
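Review bot: several names in `DHCP::option_types` embed IANA registry status notes ("Tentatively Assigned - 2005-06-23", "TEMPORARY - registered 2016-11-17", "PXE - undefined (vendor specific)") that go stale and are carried verbatim into whatever consumes the names; suggest trimming them to the bare option name and, where several codes share one placeholder (128 to 131), keeping the code number in the string so the entries stay distinguishable. Also, both :Default: dumps appear in hash order rather than numeric order, which makes a missing or duplicated code hard to spot; if the generator cannot sort table dumps, a pointer in the docstring to the IANA registry these names were taken from would be the next best thing.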

@ -0,0 +1,23 @@
:orphan:
Package: base/protocols/dhcp
============================
Support for Dynamic Host Configuration Protocol (DHCP) analysis.
:doc:`/scripts/base/protocols/dhcp/__load__.zeek`
:doc:`/scripts/base/protocols/dhcp/consts.zeek`
Types, errors, and fields for analyzing DHCP data. A helper file
for DHCP analysis scripts.
:doc:`/scripts/base/protocols/dhcp/main.zeek`
Analyze DHCP traffic and provide a log that is organized around
the idea of a DHCP "conversation" defined by messages exchanged within
a relatively short period of time using the same transaction ID.
The log will have information from clients and servers to give a more
complete picture of what happened.

@ -0,0 +1,360 @@
:tocdepth: 3
base/protocols/dhcp/main.zeek
=============================
.. zeek:namespace:: DHCP
Analyze DHCP traffic and provide a log that is organized around
the idea of a DHCP "conversation" defined by messages exchanged within
a relatively short period of time using the same transaction ID.
The log will have information from clients and servers to give a more
complete picture of what happened.
:Namespace: DHCP
:Imports: :doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`, :doc:`base/protocols/dhcp/consts.zeek </scripts/base/protocols/dhcp/consts.zeek>`
Summary
~~~~~~~
Runtime Options
###############
==================================================================================== ================================================================
:zeek:id:`DHCP::max_msg_types_per_log_entry`: :zeek:type:`count` :zeek:attr:`&redef` The maximum number of msg_types allowed in a single log entry.
:zeek:id:`DHCP::max_txid_watch_time`: :zeek:type:`interval` :zeek:attr:`&redef` The maximum amount of time that a transaction ID will be watched
for to try and tie messages together into a single DHCP
transaction narrative.
:zeek:id:`DHCP::max_uids_per_log_entry`: :zeek:type:`count` :zeek:attr:`&redef` The maximum number of uids allowed in a single log entry.
==================================================================================== ================================================================
State Variables
###############
================================================== ========================================================
:zeek:id:`DHCP::log_info`: :zeek:type:`DHCP::Info` This is a global variable that is only to be used in the
:zeek:see:`DHCP::aggregate_msgs` event.
================================================== ========================================================
Types
#####
============================================ =================================================================
:zeek:type:`DHCP::Info`: :zeek:type:`record` The record type which contains the column fields of the DHCP log.
============================================ =================================================================
Redefinitions
#############
==================================================================== ===========================================================
:zeek:type:`DHCP::Info`: :zeek:type:`record`
:New Fields: :zeek:type:`DHCP::Info`
last_message_ts: :zeek:type:`time` :zeek:attr:`&optional`
:zeek:type:`Log::ID`: :zeek:type:`enum`
* :zeek:enum:`DHCP::LOG`
:zeek:type:`connection`: :zeek:type:`record`
:New Fields: :zeek:type:`connection`
dhcp: :zeek:type:`DHCP::Info` :zeek:attr:`&optional`
:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef`
==================================================================== ===========================================================
Events
######
=================================================== ================================================================
:zeek:id:`DHCP::aggregate_msgs`: :zeek:type:`event` This event is used internally to distribute data around clusters
since DHCP doesn't follow the normal "connection" model used by
most protocols.
:zeek:id:`DHCP::log_dhcp`: :zeek:type:`event` Event that can be handled to access the DHCP
record as it is sent on to the logging framework.
=================================================== ================================================================
Hooks
#####
========================================================= =
:zeek:id:`DHCP::log_policy`: :zeek:type:`Log::PolicyHook`
========================================================= =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: DHCP::max_msg_types_per_log_entry
:source-code: base/protocols/dhcp/main.zeek 98 98
:Type: :zeek:type:`count`
:Attributes: :zeek:attr:`&redef`
:Default: ``50``
The maximum number of msg_types allowed in a single log entry.
.. zeek:id:: DHCP::max_txid_watch_time
:source-code: base/protocols/dhcp/main.zeek 92 92
:Type: :zeek:type:`interval`
:Attributes: :zeek:attr:`&redef`
:Default: ``30.0 secs``
The maximum amount of time that a transaction ID will be watched
for to try and tie messages together into a single DHCP
transaction narrative.
.. zeek:id:: DHCP::max_uids_per_log_entry
:source-code: base/protocols/dhcp/main.zeek 95 95
:Type: :zeek:type:`count`
:Attributes: :zeek:attr:`&redef`
:Default: ``10``
The maximum number of uids allowed in a single log entry.
State Variables
###############
.. zeek:id:: DHCP::log_info
:source-code: base/protocols/dhcp/main.zeek 110 110
:Type: :zeek:type:`DHCP::Info`
:Default:
::
{
ts=<uninitialized>
uids={
}
client_addr=<uninitialized>
server_addr=<uninitialized>
client_port=<uninitialized>
server_port=<uninitialized>
mac=<uninitialized>
host_name=<uninitialized>
client_fqdn=<uninitialized>
domain=<uninitialized>
requested_addr=<uninitialized>
assigned_addr=<uninitialized>
lease_time=<uninitialized>
client_message=<uninitialized>
server_message=<uninitialized>
msg_types=[]
duration=0 secs
client_chaddr=<uninitialized>
last_message_ts=<uninitialized>
msg_orig=[]
client_software=<uninitialized>
server_software=<uninitialized>
circuit_id=<uninitialized>
agent_remote_id=<uninitialized>
subscriber_id=<uninitialized>
}
This is a global variable that is only to be used in the
:zeek:see:`DHCP::aggregate_msgs` event. It can be used to avoid
looking up the info record for a transaction ID in every event handler
for :zeek:see:`DHCP::aggregate_msgs`.
Types
#####
.. zeek:type:: DHCP::Info
:source-code: base/protocols/dhcp/main.zeek 18 87
:Type: :zeek:type:`record`
.. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
The earliest time at which a DHCP message over the
associated connection is observed.
.. zeek:field:: uids :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&log`
A series of unique identifiers of the connections over which
DHCP is occurring. This behavior with multiple connections is
unique to DHCP because of the way it uses broadcast packets
on local networks.
.. zeek:field:: client_addr :zeek:type:`addr` :zeek:attr:`&log` :zeek:attr:`&optional`
IP address of the client. If a transaction
is only a client sending INFORM messages then
there is no lease information exchanged so this
is helpful to know who sent the messages.
Getting an address in this field does require
that the client sources at least one DHCP message
using a non-broadcast address.
.. zeek:field:: server_addr :zeek:type:`addr` :zeek:attr:`&log` :zeek:attr:`&optional`
IP address of the server involved in actually
handing out the lease. There could be other
servers replying with OFFER messages which won't
be represented here. Getting an address in this
field also requires that the server handing out
the lease also sources packets from a non-broadcast
IP address.
.. zeek:field:: client_port :zeek:type:`port` :zeek:attr:`&optional`
Client port number seen at time of server handing out IP (expected
as 68/udp).
.. zeek:field:: server_port :zeek:type:`port` :zeek:attr:`&optional`
Server port number seen at time of server handing out IP (expected
as 67/udp).
.. zeek:field:: mac :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Client's hardware address.
.. zeek:field:: host_name :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Name given by client in Hostname option 12.
.. zeek:field:: client_fqdn :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
FQDN given by client in Client FQDN option 81.
.. zeek:field:: domain :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Domain given by the server in option 15.
.. zeek:field:: requested_addr :zeek:type:`addr` :zeek:attr:`&log` :zeek:attr:`&optional`
IP address requested by the client.
.. zeek:field:: assigned_addr :zeek:type:`addr` :zeek:attr:`&log` :zeek:attr:`&optional`
IP address assigned by the server.
.. zeek:field:: lease_time :zeek:type:`interval` :zeek:attr:`&log` :zeek:attr:`&optional`
IP address lease interval.
.. zeek:field:: client_message :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Message typically accompanied with a DHCP_DECLINE
so the client can tell the server why it rejected
an address.
.. zeek:field:: server_message :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Message typically accompanied with a DHCP_NAK to let
the client know why it rejected the request.
.. zeek:field:: msg_types :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&default` = ``[]`` :zeek:attr:`&optional`
The DHCP message types seen by this DHCP transaction
.. zeek:field:: duration :zeek:type:`interval` :zeek:attr:`&log` :zeek:attr:`&default` = ``0 secs`` :zeek:attr:`&optional`
Duration of the DHCP "session" representing the
time from the first message to the last.
.. zeek:field:: client_chaddr :zeek:type:`string` :zeek:attr:`&optional`
The CHADDR field sent by the client.
.. zeek:field:: last_message_ts :zeek:type:`time` :zeek:attr:`&optional`
.. zeek:field:: msg_orig :zeek:type:`vector` of :zeek:type:`addr` :zeek:attr:`&log` :zeek:attr:`&default` = ``[]`` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/dhcp/msg-orig.zeek` is loaded)
The address that originated each message from the
`msg_types` field.
.. zeek:field:: client_software :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/dhcp/software.zeek` is loaded)
Software reported by the client in the `vendor_class` option.
.. zeek:field:: server_software :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/dhcp/software.zeek` is loaded)
Software reported by the server in the `vendor_class` option.
.. zeek:field:: circuit_id :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/dhcp/sub-opts.zeek` is loaded)
Added by DHCP relay agents which terminate switched or
permanent circuits. It encodes an agent-local identifier
of the circuit from which a DHCP client-to-server packet was
received. Typically it should represent a router or switch
interface number.
.. zeek:field:: agent_remote_id :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/dhcp/sub-opts.zeek` is loaded)
A globally unique identifier added by relay agents to identify
the remote host end of the circuit.
.. zeek:field:: subscriber_id :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/dhcp/sub-opts.zeek` is loaded)
The subscriber ID is a value independent of the physical
network configuration so that a customer's DHCP configuration
can be given to them correctly no matter where they are
physically connected.
The record type which contains the column fields of the DHCP log.
Events
######
.. zeek:id:: DHCP::aggregate_msgs
:source-code: base/protocols/dhcp/main.zeek 104 104
:Type: :zeek:type:`event` (ts: :zeek:type:`time`, id: :zeek:type:`conn_id`, uid: :zeek:type:`string`, is_orig: :zeek:type:`bool`, msg: :zeek:type:`DHCP::Msg`, options: :zeek:type:`DHCP::Options`)
This event is used internally to distribute data around clusters
since DHCP doesn't follow the normal "connection" model used by
most protocols. It can also be handled to extend the DHCP log.
:zeek:see:`DHCP::log_info`.
.. zeek:id:: DHCP::log_dhcp
:source-code: policy/protocols/dhcp/software.zeek 40 65
:Type: :zeek:type:`event` (rec: :zeek:type:`DHCP::Info`)
Event that can be handled to access the DHCP
record as it is sent on to the logging framework.
Hooks
#####
.. zeek:id:: DHCP::log_policy
:source-code: base/protocols/dhcp/main.zeek 15 15
:Type: :zeek:type:`Log::PolicyHook`
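Review bot: the :source-code: link for `DHCP::log_dhcp` points at policy/protocols/dhcp/software.zeek 40 65, i.e. a handler in a policy script, while every other item on this page links to its declaration in base/protocols/dhcp/main.zeek; readers clicking through will land in an unrelated handler, so this looks like a generator quirk worth checking before the docs are frozen in-tree. Missing text: the `last_message_ts` field of `DHCP::Info` (also listed under Redefinitions) and `DHCP::log_policy` have no description. The caveat on `uids` is good; it would help to state for `max_uids_per_log_entry` and `max_msg_types_per_log_entry` what happens when the cap is hit (are further uids or message types silently dropped, or is a second log entry written?), since that decides whether an analyst can treat a dhcp.log entry as complete.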

@ -0,0 +1,14 @@
:tocdepth: 3
base/protocols/dnp3/__load__.zeek
=================================
:Imports: :doc:`base/protocols/dnp3/main.zeek </scripts/base/protocols/dnp3/main.zeek>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -0,0 +1,75 @@
:tocdepth: 3
base/protocols/dnp3/consts.zeek
===============================
.. zeek:namespace:: DNP3
:Namespace: DNP3
Summary
~~~~~~~
Redefinable Options
###################
===================================================================================================================== =======================================
:zeek:id:`DNP3::function_codes`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` :zeek:attr:`&redef` Standard defined Modbus function codes.
===================================================================================================================== =======================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Redefinable Options
###################
.. zeek:id:: DNP3::function_codes
:source-code: base/protocols/dnp3/consts.zeek 6 6
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = :zeek:type:`function` :zeek:attr:`&redef`
:Default:
::
{
[19] = "SAVE_CONFIG",
[20] = "ENABLE_UNSOLICITED",
[33] = "AUTHENTICATE_REQ_NR",
[14] = "WARM_RESTART",
[15] = "INITIALIZE_DATA",
[6] = "DIRECT_OPERATE_NR",
[30] = "ABORT_FILE",
[31] = "ACTIVATE_CONFIG",
[28] = "GET_FILE_INFO",
[23] = "DELAY_MEASURE",
[8] = "IMMED_FREEZE_NR",
[27] = "DELETE_FILE",
[9] = "FREEZE_CLEAR",
[7] = "IMMED_FREEZE",
[10] = "FREEZE_CLEAR_NR",
[21] = "DISABLE_UNSOLICITED",
[4] = "OPERATE",
[26] = "CLOSE_FILE",
[13] = "COLD_RESTART",
[12] = "FREEZE_AT_TIME_NR",
[32] = "AUTHENTICATE_REQ",
[130] = "UNSOLICITED_RESPONSE",
[17] = "START_APPL",
[25] = "OPEN_FILE",
[2] = "WRITE",
[29] = "AUTHENTICATE_FILE",
[16] = "INITIALIZE_APPL",
[24] = "RECORD_CURRENT_TIME",
[1] = "READ",
[11] = "FREEZE_AT_TIME",
[5] = "DIRECT_OPERATE",
[22] = "ASSIGN_CLASS",
[18] = "STOP_APPL",
[3] = "SELECT",
[0] = "CONFIRM",
[131] = "AUTHENTICATE_RESP",
[129] = "RESPONSE"
}
Standard defined Modbus function codes.
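Review bot: `DNP3::function_codes` is described as "Standard defined Modbus function codes." in both the summary table and the detailed entry; the table is a DNP3 one (READ, WRITE, SELECT, OPERATE, UNSOLICITED_RESPONSE, ...), so the description was evidently copied from the Modbus constants and should read "Standard defined DNP3 function codes." Fix it in the zeekygen comment of base/protocols/dnp3/consts.zeek, not in the generated .rst, or it will be overwritten next time the docs are regenerated.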

@ -0,0 +1,17 @@
:orphan:
Package: base/protocols/dnp3
============================
Support for Distributed Network Protocol (DNP3) analysis.
:doc:`/scripts/base/protocols/dnp3/__load__.zeek`
:doc:`/scripts/base/protocols/dnp3/main.zeek`
A very basic DNP3 analysis script that just logs requests and replies.
:doc:`/scripts/base/protocols/dnp3/consts.zeek`

@ -0,0 +1,115 @@
:tocdepth: 3
base/protocols/dnp3/main.zeek
=============================
.. zeek:namespace:: DNP3
A very basic DNP3 analysis script that just logs requests and replies.
:Namespace: DNP3
:Imports: :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`, :doc:`base/protocols/dnp3/consts.zeek </scripts/base/protocols/dnp3/consts.zeek>`
Summary
~~~~~~~
Types
#####
============================================ =
:zeek:type:`DNP3::Info`: :zeek:type:`record`
============================================ =
Redefinitions
#############
==================================================================== ======================================================
:zeek:type:`Log::ID`: :zeek:type:`enum`
* :zeek:enum:`DNP3::LOG`
:zeek:type:`connection`: :zeek:type:`record`
:New Fields: :zeek:type:`connection`
dnp3: :zeek:type:`DNP3::Info` :zeek:attr:`&optional`
:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef`
==================================================================== ======================================================
Events
######
============================================= ====================================================================
:zeek:id:`DNP3::log_dnp3`: :zeek:type:`event` Event that can be handled to access the DNP3 record as it is sent on
to the logging framework.
============================================= ====================================================================
Hooks
#####
============================================================== =======================
:zeek:id:`DNP3::finalize_dnp3`: :zeek:type:`Conn::RemovalHook` DNP3 finalization hook.
:zeek:id:`DNP3::log_policy`: :zeek:type:`Log::PolicyHook`
============================================================== =======================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. zeek:type:: DNP3::Info
:source-code: base/protocols/dnp3/main.zeek 13 26
:Type: :zeek:type:`record`
.. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
Time of the request.
.. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
Unique identifier for the connection.
.. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
Identifier for the connection.
.. zeek:field:: fc_request :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
The name of the function message in the request.
.. zeek:field:: fc_reply :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
The name of the function message in the reply.
.. zeek:field:: iin :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
The response's "internal indication number".
Events
######
.. zeek:id:: DNP3::log_dnp3
:source-code: base/protocols/dnp3/main.zeek 30 30
:Type: :zeek:type:`event` (rec: :zeek:type:`DNP3::Info`)
Event that can be handled to access the DNP3 record as it is sent on
to the logging framework.
Hooks
#####
.. zeek:id:: DNP3::finalize_dnp3
:source-code: base/protocols/dnp3/main.zeek 78 85
:Type: :zeek:type:`Conn::RemovalHook`
DNP3 finalization hook. Remaining DNP3 info may get logged when it's called.
.. zeek:id:: DNP3::log_policy
:source-code: base/protocols/dnp3/main.zeek 11 11
:Type: :zeek:type:`Log::PolicyHook`
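Review bot: the `iin` field description under `DNP3::Info` ("The response's "internal indication number"") mislabels the value: in DNP3 the IIN is the Internal Indications field, a 16-bit set of flags carried in every response (device restart, need time, unsupported function code, and so on), not a single number, so anyone consuming `iin` from dnp3.log should treat it as a bitmask rather than an enumeration. Because this page is Zeekygen output, the wording has to change in the `##` comment in base/protocols/dnp3/main.zeek and the docs regenerated rather than patched here; while there, `DNP3::Info` has no record-level description at all (the Summary table shows an empty description column), unlike `DNS::Info` later in this same commit.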

View file

@ -0,0 +1,14 @@
:tocdepth: 3
base/protocols/dns/__load__.zeek
================================
:Imports: :doc:`base/protocols/dns/check-event-handlers.zeek </scripts/base/protocols/dns/check-event-handlers.zeek>`, :doc:`base/protocols/dns/consts.zeek </scripts/base/protocols/dns/consts.zeek>`, :doc:`base/protocols/dns/main.zeek </scripts/base/protocols/dns/main.zeek>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

View file

@ -0,0 +1,17 @@
:tocdepth: 3
base/protocols/dns/check-event-handlers.zeek
============================================
.. zeek:namespace:: DNS
This script checks if DNS event handlers that will not be raised
are used and raises a warning in those cases.
:Namespace: DNS
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

View file

@ -0,0 +1,325 @@
:tocdepth: 3
base/protocols/dns/consts.zeek
==============================
.. zeek:namespace:: DNS
Types, errors, and fields for analyzing DNS data. A helper file
for DNS analysis scripts.
:Namespace: DNS
Summary
~~~~~~~
Constants
#########
=============================================================================================== ======================================================================
:zeek:id:`DNS::ANY`: :zeek:type:`count` A QTYPE value describing a request for all records.
:zeek:id:`DNS::EDNS`: :zeek:type:`count` An OPT RR TYPE value described by EDNS.
:zeek:id:`DNS::PTR`: :zeek:type:`count` RR TYPE value for a domain name pointer.
:zeek:id:`DNS::algorithms`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` Possible values of the algorithms used in DNSKEY, DS and RRSIG records
:zeek:id:`DNS::base_errors`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` Errors used for non-TSIG/EDNS types.
:zeek:id:`DNS::classes`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` Possible values of the CLASS field in resource records or QCLASS
field in query messages.
:zeek:id:`DNS::digests`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` Possible digest types used in DNSSEC.
:zeek:id:`DNS::edns_zfield`: :zeek:type:`table` :zeek:attr:`&default` = ``"?"`` This deciphers EDNS Z field values.
:zeek:id:`DNS::query_types`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` Mapping of DNS query type codes to human readable string
representation.
:zeek:id:`DNS::svcparam_keys`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` SVCB/HTTPS SvcParam keys as defined in
https://datatracker.ietf.org/doc/html/rfc9460#name-initial-contents
Keep in sync with src/analyzer/protocol/dns/DNS.h SVCPARAM_Key.
=============================================================================================== ======================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Constants
#########
.. zeek:id:: DNS::ANY
:source-code: base/protocols/dns/consts.zeek 9 9
:Type: :zeek:type:`count`
:Default: ``255``
A QTYPE value describing a request for all records.
.. zeek:id:: DNS::EDNS
:source-code: base/protocols/dns/consts.zeek 8 8
:Type: :zeek:type:`count`
:Default: ``41``
An OPT RR TYPE value described by EDNS.
.. zeek:id:: DNS::PTR
:source-code: base/protocols/dns/consts.zeek 7 7
:Type: :zeek:type:`count`
:Default: ``12``
RR TYPE value for a domain name pointer.
.. zeek:id:: DNS::algorithms
:source-code: base/protocols/dns/consts.zeek 154 154
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = :zeek:type:`function`
:Default:
::
{
[254] = "PrivateOID",
[2] = "Diffie_Hellman",
[15] = "Ed25519",
[6] = "DSA_NSEC3_SHA1",
[14] = "ECDSA_curveP384withSHA384",
[16] = "Ed448",
[255] = "reserved255",
[8] = "RSA_SHA256",
[252] = "Indirect",
[253] = "PrivateDNS",
[1] = "RSA_MD5",
[5] = "RSA_SHA1",
[7] = "RSA_SHA1_NSEC3_SHA1",
[10] = "RSA_SHA512",
[4] = "Elliptic_Curve",
[12] = "GOST_R_34_10_2001",
[13] = "ECDSA_curveP256withSHA256",
[3] = "DSA_SHA1",
[0] = "reserved0"
}
Possible values of the algorithms used in DNSKEY, DS and RRSIG records
.. zeek:id:: DNS::base_errors
:source-code: base/protocols/dns/consts.zeek 107 107
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = :zeek:type:`function`
:Default:
::
{
[19] = "BADMODE",
[3842] = "BADSIG",
[20] = "BADNAME",
[2] = "SERVFAIL",
[14] = "unassigned-14",
[15] = "unassigned-15",
[6] = "YXDOMAIN",
[16] = "BADVERS",
[8] = "NXRRSet",
[23] = "BADCOOKIE",
[9] = "NOTAUTH",
[1] = "FORMERR",
[11] = "unassigned-11",
[7] = "YXRRSET",
[5] = "REFUSED",
[10] = "NOTZONE",
[21] = "BADALG",
[4] = "NOTIMP",
[22] = "BADTRUNC",
[13] = "unassigned-13",
[12] = "unassigned-12",
[18] = "BADTIME",
[17] = "BADKEY",
[3] = "NXDOMAIN",
[0] = "NOERROR"
}
Errors used for non-TSIG/EDNS types.
.. zeek:id:: DNS::classes
:source-code: base/protocols/dns/consts.zeek 144 144
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = :zeek:type:`function`
:Default:
::
{
[254] = "C_NONE",
[2] = "C_CSNET",
[3] = "C_CHAOS",
[255] = "C_ANY",
[4] = "C_HESIOD",
[1] = "C_INTERNET"
}
Possible values of the CLASS field in resource records or QCLASS
field in query messages.
.. zeek:id:: DNS::digests
:source-code: base/protocols/dns/consts.zeek 177 177
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = :zeek:type:`function`
:Default:
::
{
[0] = "reserved0",
[2] = "SHA256",
[4] = "SHA384",
[1] = "SHA1",
[3] = "GOST_R_34_11_94"
}
Possible digest types used in DNSSEC.
.. zeek:id:: DNS::edns_zfield
:source-code: base/protocols/dns/consts.zeek 137 137
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = ``"?"``
:Default:
::
{
[0] = "NOVALUE",
[32768] = "DNS_SEC_OK"
}
This deciphers EDNS Z field values.
.. zeek:id:: DNS::query_types
:source-code: base/protocols/dns/consts.zeek 13 13
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = :zeek:type:`function`
:Default:
::
{
[19] = "X25",
[20] = "ISDN",
[33] = "SRV",
[39] = "DNAME",
[30] = "NXT",
[46] = "RRSIG",
[15] = "MX",
[65422] = "XPF",
[28] = "AAAA",
[64] = "SVCB",
[106] = "L64",
[9] = "MR",
[253] = "MAILB",
[107] = "LP",
[53] = "SMIMEA",
[55] = "HIP",
[52] = "TLSA",
[251] = "IXFR",
[21] = "RT",
[4] = "MF",
[12] = "PTR",
[41] = "OPT",
[58] = "TALINK",
[17] = "RP",
[105] = "L32",
[254] = "MAILA",
[32768] = "TA",
[25] = "KEY",
[32769] = "DLV",
[65281] = "WINS",
[29] = "LOC",
[16] = "TXT",
[255] = "*",
[59] = "CDS",
[38] = "A6",
[252] = "AXFR",
[63] = "ZONEMD",
[42] = "APL",
[57] = "RKEY",
[1] = "A",
[11] = "WKS",
[35] = "NAPTR",
[108] = "EUI48",
[22] = "NSAP",
[256] = "URI",
[43] = "DS",
[102] = "GID",
[257] = "CAA",
[65521] = "INTEGRITY",
[3] = "MD",
[44] = "SSHFP",
[34] = "ATMA",
[45] = "IPSECKEY",
[40] = "SINK",
[36] = "KX",
[250] = "TSIG",
[14] = "MINFO",
[6] = "SOA",
[31] = "EID",
[23] = "NSAP-PTR",
[8] = "MG",
[27] = "GPOS",
[56] = "NINFO",
[7] = "MB",
[10] = "NULL",
[32] = "NIMLOC",
[13] = "HINFO",
[26] = "PX",
[65] = "HTTPS",
[62] = "CSYNC",
[101] = "UID",
[47] = "NSEC",
[50] = "NSEC3",
[2] = "NS",
[65282] = "WINS-R",
[48] = "DNSKEY",
[24] = "SIG",
[99] = "SPF",
[49] = "DHCID",
[109] = "EUI64",
[249] = "TKEY",
[103] = "UNSPEC",
[5] = "CNAME",
[104] = "NID",
[61] = "OPENPGPKEY",
[60] = "CDNSKEY",
[100] = "UINFO",
[51] = "NSEC3PARAM",
[37] = "CERT",
[18] = "AFSDB"
}
Mapping of DNS query type codes to human readable string
representation.
.. zeek:id:: DNS::svcparam_keys
:source-code: base/protocols/dns/consts.zeek 188 188
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = :zeek:type:`function`
:Default:
::
{
[2] = "no-default-alpn",
[3] = "port",
[5] = "ech",
[0] = "mandatory",
[6] = "ipv6hint",
[4] = "ipv4hint",
[1] = "alpn"
}
SVCB/HTTPS SvcParam keys as defined in
https://datatracker.ietf.org/doc/html/rfc9460#name-initial-contents
Keep in sync with src/analyzer/protocol/dns/DNS.h SVCPARAM_Key.
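Review bot: the description of `DNS::base_errors` ("Errors used for non-TSIG/EDNS types.") contradicts the table it documents: codes 16 through 23 (BADVERS, BADKEY, BADTIME, BADMODE, BADNAME, BADALG, BADTRUNC, BADCOOKIE) are exactly the TSIG/TKEY and EDNS extended RCODEs, and `[3842] = "BADSIG"` is not an on-the-wire RCODE value at all (BADSIG shares value 16 with BADVERS in the IANA registry; 3842 looks like a script-local key chosen to avoid that collision). Either describe the table as covering the base RCODEs plus the extended TSIG/EDNS codes, or move the extended codes out; and the 3842 entry deserves a comment in the script explaining the synthetic key, since a user looking up `rcode` values from dns.log will never see 3842. As with the rest of this commit the fix belongs in the `##` comments of base/protocols/dns/consts.zeek, followed by a regeneration.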

View file

@ -0,0 +1,25 @@
:orphan:
Package: base/protocols/dns
===========================
Support for Domain Name System (DNS) protocol analysis.
:doc:`/scripts/base/protocols/dns/__load__.zeek`
:doc:`/scripts/base/protocols/dns/consts.zeek`
Types, errors, and fields for analyzing DNS data. A helper file
for DNS analysis scripts.
:doc:`/scripts/base/protocols/dns/main.zeek`
Base DNS analysis script which tracks and logs DNS queries along with
their responses.
:doc:`/scripts/base/protocols/dns/check-event-handlers.zeek`
This script checks if DNS event handlers that will not be raised
are used and raises a warning in those cases.

View file

@ -0,0 +1,377 @@
:tocdepth: 3
base/protocols/dns/main.zeek
============================
.. zeek:namespace:: DNS
Base DNS analysis script which tracks and logs DNS queries along with
their responses.
:Namespace: DNS
:Imports: :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`, :doc:`base/protocols/dns/consts.zeek </scripts/base/protocols/dns/consts.zeek>`, :doc:`base/utils/queue.zeek </scripts/base/utils/queue.zeek>`
Summary
~~~~~~~
Runtime Options
###############
============================================================================= =======================================================================
:zeek:id:`DNS::max_pending_msgs`: :zeek:type:`count` :zeek:attr:`&redef` Give up trying to match pending DNS queries or replies for a given
query/transaction ID once this number of unmatched queries or replies
is reached (this shouldn't happen unless either the DNS server/resolver
is broken, Zeek is not seeing all the DNS traffic, or an AXFR query
response is ongoing).
:zeek:id:`DNS::max_pending_query_ids`: :zeek:type:`count` :zeek:attr:`&redef` Give up trying to match pending DNS queries or replies across all
query/transaction IDs once there is at least one unmatched query or
reply across this number of different query IDs.
============================================================================= =======================================================================
Types
#####
===================================================== ================================================================
:zeek:type:`DNS::Info`: :zeek:type:`record` The record type which contains the column fields of the DNS log.
:zeek:type:`DNS::PendingMessages`: :zeek:type:`table` Yields a queue of :zeek:see:`DNS::Info` objects for a given
DNS message query/transaction ID.
:zeek:type:`DNS::State`: :zeek:type:`record` A record type which tracks the status of DNS queries for a given
:zeek:type:`connection`.
===================================================== ================================================================
Redefinitions
#############
==================================================================== ===========================================================
:zeek:type:`Log::ID`: :zeek:type:`enum` The DNS logging stream identifier.
* :zeek:enum:`DNS::LOG`
:zeek:type:`connection`: :zeek:type:`record`
:New Fields: :zeek:type:`connection`
dns: :zeek:type:`DNS::Info` :zeek:attr:`&optional`
dns_state: :zeek:type:`DNS::State` :zeek:attr:`&optional`
:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef`
==================================================================== ===========================================================
Events
######
=========================================== =================================================================
:zeek:id:`DNS::log_dns`: :zeek:type:`event` An event that can be handled to access the :zeek:type:`DNS::Info`
record as it is sent to the logging framework.
=========================================== =================================================================
Hooks
#####
============================================================ =================================================================
:zeek:id:`DNS::do_reply`: :zeek:type:`hook` This is called by the specific dns_*_reply events with a "reply"
which may not represent the full data available from the resource
record, but it's generally considered a summarization of the
responses.
:zeek:id:`DNS::finalize_dns`: :zeek:type:`Conn::RemovalHook` DNS finalization hook.
:zeek:id:`DNS::log_policy`: :zeek:type:`Log::PolicyHook` A default logging policy hook for the stream.
:zeek:id:`DNS::set_session`: :zeek:type:`hook` A hook that is called whenever a session is being set.
============================================================ =================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: DNS::max_pending_msgs
:source-code: base/protocols/dns/main.zeek 126 126
:Type: :zeek:type:`count`
:Attributes: :zeek:attr:`&redef`
:Default: ``50``
Give up trying to match pending DNS queries or replies for a given
query/transaction ID once this number of unmatched queries or replies
is reached (this shouldn't happen unless either the DNS server/resolver
is broken, Zeek is not seeing all the DNS traffic, or an AXFR query
response is ongoing).
.. zeek:id:: DNS::max_pending_query_ids
:source-code: base/protocols/dns/main.zeek 131 131
:Type: :zeek:type:`count`
:Attributes: :zeek:attr:`&redef`
:Default: ``50``
Give up trying to match pending DNS queries or replies across all
query/transaction IDs once there is at least one unmatched query or
reply across this number of different query IDs.
Types
#####
.. zeek:type:: DNS::Info
:source-code: base/protocols/dns/main.zeek 18 86
:Type: :zeek:type:`record`
.. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
The earliest time at which a DNS protocol message over the
associated connection is observed.
.. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
A unique identifier of the connection over which DNS messages
are being transferred.
.. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
The connection's 4-tuple of endpoint addresses/ports.
.. zeek:field:: proto :zeek:type:`transport_proto` :zeek:attr:`&log`
The transport layer protocol of the connection.
.. zeek:field:: trans_id :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
A 16-bit identifier assigned by the program that generated
the DNS query. Also used in responses to match up replies to
outstanding queries.
.. zeek:field:: rtt :zeek:type:`interval` :zeek:attr:`&log` :zeek:attr:`&optional`
Round trip time for the query and response. This indicates
the delay between when the request was seen until the
answer started.
.. zeek:field:: query :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
The domain name that is the subject of the DNS query.
.. zeek:field:: qclass :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
The QCLASS value specifying the class of the query.
.. zeek:field:: qclass_name :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
A descriptive name for the class of the query.
.. zeek:field:: qtype :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
A QTYPE value specifying the type of the query.
.. zeek:field:: qtype_name :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
A descriptive name for the type of the query.
.. zeek:field:: rcode :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
The response code value in DNS response messages.
.. zeek:field:: rcode_name :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
A descriptive name for the response code value.
.. zeek:field:: AA :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
The Authoritative Answer bit for response messages specifies
that the responding name server is an authority for the
domain name in the question section.
.. zeek:field:: TC :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
The Truncation bit specifies that the message was truncated.
.. zeek:field:: RD :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
The Recursion Desired bit in a request message indicates that
the client wants recursive service for this query.
.. zeek:field:: RA :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
The Recursion Available bit in a response message indicates
that the name server supports recursive queries.
.. zeek:field:: Z :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
A reserved field that is zero in queries and responses unless
using DNSSEC. This field represents the 3-bit Z field using
the specification from RFC 1035.
.. zeek:field:: answers :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
The set of resource descriptions in the query answer.
.. zeek:field:: TTLs :zeek:type:`vector` of :zeek:type:`interval` :zeek:attr:`&log` :zeek:attr:`&optional`
The caching intervals of the associated RRs described by the
*answers* field.
.. zeek:field:: rejected :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
The DNS query was rejected by the server.
.. zeek:field:: total_answers :zeek:type:`count` :zeek:attr:`&optional`
The total number of resource records in a reply message's
answer section.
.. zeek:field:: total_replies :zeek:type:`count` :zeek:attr:`&optional`
The total number of resource records in a reply message's
answer, authority, and additional sections.
.. zeek:field:: saw_query :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
Whether the full DNS query has been seen.
.. zeek:field:: saw_reply :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
Whether the full DNS reply has been seen.
.. zeek:field:: auth :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/dns/auth-addl.zeek` is loaded)
Authoritative responses for the query.
.. zeek:field:: addl :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/dns/auth-addl.zeek` is loaded)
Additional responses for the query.
.. zeek:field:: original_query :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/dns/log-original-query-case.zeek` is loaded)
Query with original letter casing
The record type which contains the column fields of the DNS log.
.. zeek:type:: DNS::PendingMessages
:source-code: base/protocols/dns/main.zeek 119 119
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`Queue::Queue`
Yields a queue of :zeek:see:`DNS::Info` objects for a given
DNS message query/transaction ID.
.. zeek:type:: DNS::State
:source-code: base/protocols/dns/main.zeek 135 150
:Type: :zeek:type:`record`
.. zeek:field:: pending_query :zeek:type:`DNS::Info` :zeek:attr:`&optional`
A single query that hasn't been matched with a response yet.
Note this is maintained separate from the *pending_queries*
field solely for performance reasons -- it's possible that
*pending_queries* contains further queries for which a response
has not yet been seen, even for the same transaction ID.
.. zeek:field:: pending_queries :zeek:type:`DNS::PendingMessages` :zeek:attr:`&optional`
Indexed by query id, returns Info record corresponding to
queries that haven't been matched with a response yet.
.. zeek:field:: pending_replies :zeek:type:`DNS::PendingMessages` :zeek:attr:`&optional`
Indexed by query id, returns Info record corresponding to
replies that haven't been matched with a query yet.
A record type which tracks the status of DNS queries for a given
:zeek:type:`connection`.
Events
######
.. zeek:id:: DNS::log_dns
:source-code: base/protocols/dns/main.zeek 90 90
:Type: :zeek:type:`event` (rec: :zeek:type:`DNS::Info`)
An event that can be handled to access the :zeek:type:`DNS::Info`
record as it is sent to the logging framework.
Hooks
#####
.. zeek:id:: DNS::do_reply
:source-code: base/protocols/dns/main.zeek 104 104
:Type: :zeek:type:`hook` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, ans: :zeek:type:`dns_answer`, reply: :zeek:type:`string`) : :zeek:type:`bool`
This is called by the specific dns_*_reply events with a "reply"
which may not represent the full data available from the resource
record, but it's generally considered a summarization of the
responses.
:param c: The connection record for which to fill in DNS reply data.
:param msg: The DNS message header information for the response.
:param ans: The general information of a RR response.
:param reply: The specific response information according to RR type/class.
.. zeek:id:: DNS::finalize_dns
:source-code: base/protocols/dns/main.zeek 643 658
:Type: :zeek:type:`Conn::RemovalHook`
DNS finalization hook. Remaining DNS info may get logged when it's called.
.. zeek:id:: DNS::log_policy
:source-code: base/protocols/dns/main.zeek 15 15
:Type: :zeek:type:`Log::PolicyHook`
A default logging policy hook for the stream.
.. zeek:id:: DNS::set_session
:source-code: base/protocols/dns/main.zeek 238 346
:Type: :zeek:type:`hook` (c: :zeek:type:`connection`, msg: :zeek:type:`dns_msg`, is_query: :zeek:type:`bool`) : :zeek:type:`bool`
A hook that is called whenever a session is being set.
This can be used if additional initialization logic needs to happen
when creating a new session value.
:param c: The connection involved in the new session.
:param msg: The DNS message header information.
:param is_query: Indicator for if this is being called for a query or a response.
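Review bot: the `DNS::max_pending_msgs` and `DNS::max_pending_query_ids` descriptions say Zeek will "give up trying to match" once the limit is reached but not what happens to the records already queued in `pending_queries` and `pending_replies` (logged unmatched, or dropped), which is exactly what an operator tuning these knobs for a busy resolver or an AXFR-heavy zone needs to know; please state the outcome explicitly. The same text could also say that the defaults of 50 bound this state per connection, since `DNS::State` is documented as tracking queries "for a given connection" and both limits are counted within it. Minor: the `Z` field text "zero in queries and responses unless using DNSSEC" is loose; the AD and CD bits that DNSSEC uses were carved out of the RFC 1035 Z field, and saying so directly would explain why the logged value can be nonzero.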

View file

@ -0,0 +1,14 @@
:tocdepth: 3
base/protocols/finger/__load__.zeek
===================================
:Imports: :doc:`base/protocols/finger/main.zeek </scripts/base/protocols/finger/main.zeek>`, :doc:`base/protocols/finger/spicy-events.zeek </scripts/base/protocols/finger/spicy-events.zeek>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

View file

@ -0,0 +1,18 @@
:orphan:
Package: base/protocols/finger
==============================
:doc:`/scripts/base/protocols/finger/__load__.zeek`
:doc:`/scripts/base/protocols/finger/spicy-events.zeek`
Events generated by the Finger analyzer.
:doc:`/scripts/base/protocols/finger/main.zeek`
Implements base functionality for Finger analysis. We currently do not generate
a log file, but just configure the analyzer.

View file

@ -0,0 +1,45 @@
:tocdepth: 3
base/protocols/finger/main.zeek
===============================
.. zeek:namespace:: Finger
Implements base functionality for Finger analysis. We currently do not generate
a log file, but just configure the analyzer.
:Namespace: Finger
Summary
~~~~~~~
Constants
#########
========================================== =
:zeek:id:`Finger::ports`: :zeek:type:`set`
========================================== =
Redefinitions
#############
==================================================================== =
:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef`
==================================================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Constants
#########
.. zeek:id:: Finger::ports
:source-code: base/protocols/finger/main.zeek 7 7
:Type: :zeek:type:`set` [:zeek:type:`port`]
:Default:
::
{
79/tcp
}

View file

@ -0,0 +1,65 @@
:tocdepth: 3
base/protocols/finger/spicy-events.zeek
=======================================
Events generated by the Finger analyzer.
Summary
~~~~~~~
Events
######
============================================= ==============================
:zeek:id:`finger_reply`: :zeek:type:`event` Generated for Finger replies.
:zeek:id:`finger_request`: :zeek:type:`event` Generated for Finger requests.
============================================= ==============================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: finger_reply
:source-code: base/protocols/finger/spicy-events.zeek 31 31
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, reply_line: :zeek:type:`string`)
Generated for Finger replies.
See `Wikipedia <http://en.wikipedia.org/wiki/Finger_protocol>`__ for more
information about the Finger protocol.
:param c: The connection.
:param reply_line: The reply as returned by the server
.. zeek:see:: finger_request
.. zeek:id:: finger_request
:source-code: base/protocols/finger/spicy-events.zeek 19 19
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, full: :zeek:type:`bool`, username: :zeek:type:`string`, hostname: :zeek:type:`string`)
Generated for Finger requests.
See `Wikipedia <http://en.wikipedia.org/wiki/Finger_protocol>`__ for more
information about the Finger protocol.
:param c: The connection.
:param full: True if verbose information is requested (``/W`` switch).
:param username: The request's user name.
:param hostname: The request's host name.
.. zeek:see:: finger_reply

View file

@ -0,0 +1,14 @@
:tocdepth: 3
base/protocols/ftp/__load__.zeek
================================
:Imports: :doc:`base/protocols/ftp/files.zeek </scripts/base/protocols/ftp/files.zeek>`, :doc:`base/protocols/ftp/gridftp.zeek </scripts/base/protocols/ftp/gridftp.zeek>`, :doc:`base/protocols/ftp/info.zeek </scripts/base/protocols/ftp/info.zeek>`, :doc:`base/protocols/ftp/main.zeek </scripts/base/protocols/ftp/main.zeek>`, :doc:`base/protocols/ftp/utils-commands.zeek </scripts/base/protocols/ftp/utils-commands.zeek>`, :doc:`base/protocols/ftp/utils.zeek </scripts/base/protocols/ftp/utils.zeek>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

View file

@ -0,0 +1,49 @@
:tocdepth: 3
base/protocols/ftp/files.zeek
=============================
.. zeek:namespace:: FTP
:Namespace: FTP
:Imports: :doc:`base/frameworks/files </scripts/base/frameworks/files/index>`, :doc:`base/protocols/ftp/info.zeek </scripts/base/protocols/ftp/info.zeek>`, :doc:`base/protocols/ftp/main.zeek </scripts/base/protocols/ftp/main.zeek>`, :doc:`base/protocols/ftp/utils.zeek </scripts/base/protocols/ftp/utils.zeek>`, :doc:`base/utils/conn-ids.zeek </scripts/base/utils/conn-ids.zeek>`
Summary
~~~~~~~
Redefinitions
#############
============================================================= ====================================================
:zeek:type:`fa_file`: :zeek:type:`record` :zeek:attr:`&redef`
:New Fields: :zeek:type:`fa_file`
ftp: :zeek:type:`FTP::Info` :zeek:attr:`&optional`
============================================================= ====================================================
Functions
#########
====================================================== =====================================
:zeek:id:`FTP::describe_file`: :zeek:type:`function` Describe the file being transferred.
:zeek:id:`FTP::get_file_handle`: :zeek:type:`function` Default file handle provider for FTP.
====================================================== =====================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: FTP::describe_file
:source-code: base/protocols/ftp/files.zeek 29 41
:Type: :zeek:type:`function` (f: :zeek:type:`fa_file`) : :zeek:type:`string`
Describe the file being transferred.
.. zeek:id:: FTP::get_file_handle
:source-code: base/protocols/ftp/files.zeek 21 27
:Type: :zeek:type:`function` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`) : :zeek:type:`string`
Default file handle provider for FTP.

View file

@ -0,0 +1,138 @@
:tocdepth: 3
base/protocols/ftp/gridftp.zeek
===============================
.. zeek:namespace:: GridFTP
A detection script for GridFTP data and control channels.
GridFTP control channels are identified by FTP control channels
that successfully negotiate the GSSAPI method of an AUTH request
and for which the exchange involved an encoded TLS/SSL handshake,
indicating the GSI mechanism for GSSAPI was used. This analysis
is all supported internally, this script simply adds the "gridftp"
label to the *service* field of the control channel's
:zeek:type:`connection` record.
GridFTP data channels are identified by a heuristic that relies on
the fact that default settings for GridFTP clients typically
mutually authenticate the data channel with TLS/SSL and negotiate a
NULL bulk cipher (no encryption). Connections with those attributes
are marked as GridFTP if the data transfer within the first two minutes
is big enough to indicate a GripFTP data channel that would be
undesirable to analyze further (e.g. stop TCP reassembly). A side
effect is that true connection sizes are not logged, but at the benefit
of saving CPU cycles that would otherwise go to analyzing the large
(and likely benign) connections.
:Namespace: GridFTP
:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/protocols/conn </scripts/base/protocols/conn/index>`, :doc:`base/protocols/ftp/info.zeek </scripts/base/protocols/ftp/info.zeek>`, :doc:`base/protocols/ftp/main.zeek </scripts/base/protocols/ftp/main.zeek>`, :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`
Summary
~~~~~~~
Runtime Options
###############
========================================================================== ===================================================================
:zeek:id:`GridFTP::max_time`: :zeek:type:`interval` :zeek:attr:`&redef` Time during which we check whether a connection's size exceeds the
:zeek:see:`GridFTP::size_threshold`.
:zeek:id:`GridFTP::size_threshold`: :zeek:type:`count` :zeek:attr:`&redef` Number of bytes transferred before guessing a connection is a
GridFTP data channel.
:zeek:id:`GridFTP::skip_data`: :zeek:type:`bool` :zeek:attr:`&redef` Whether to skip further processing of the GridFTP data channel once
detected, which may help performance.
========================================================================== ===================================================================
Redefinitions
#############
=========================================== =================================================================
:zeek:type:`FTP::Info`: :zeek:type:`record`
:New Fields: :zeek:type:`FTP::Info`
last_auth_requested: :zeek:type:`string` :zeek:attr:`&optional`
=========================================== =================================================================
Events
######
============================================================= ===============================================
:zeek:id:`GridFTP::data_channel_detected`: :zeek:type:`event` Raised when a GridFTP data channel is detected.
============================================================= ===============================================
Functions
#########
============================================================================================ ==================================================================
:zeek:id:`GridFTP::data_channel_initial_criteria`: :zeek:type:`function` :zeek:attr:`&redef` The initial criteria used to determine whether to start polling
the connection for the :zeek:see:`GridFTP::size_threshold` to have
been exceeded.
============================================================================================ ==================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: GridFTP::max_time
:source-code: base/protocols/ftp/gridftp.zeek 37 37
:Type: :zeek:type:`interval`
:Attributes: :zeek:attr:`&redef`
:Default: ``2.0 mins``
Time during which we check whether a connection's size exceeds the
:zeek:see:`GridFTP::size_threshold`.
.. zeek:id:: GridFTP::size_threshold
:source-code: base/protocols/ftp/gridftp.zeek 33 33
:Type: :zeek:type:`count`
:Attributes: :zeek:attr:`&redef`
:Default: ``1073741824``
Number of bytes transferred before guessing a connection is a
GridFTP data channel.
.. zeek:id:: GridFTP::skip_data
:source-code: base/protocols/ftp/gridftp.zeek 41 41
:Type: :zeek:type:`bool`
:Attributes: :zeek:attr:`&redef`
:Default: ``T``
Whether to skip further processing of the GridFTP data channel once
detected, which may help performance.
Events
######
.. zeek:id:: GridFTP::data_channel_detected
:source-code: base/protocols/ftp/gridftp.zeek 46 46
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
Raised when a GridFTP data channel is detected.
:param c: The connection pertaining to the GridFTP data channel.
Functions
#########
.. zeek:id:: GridFTP::data_channel_initial_criteria
:source-code: base/protocols/ftp/gridftp.zeek 108 113
:Type: :zeek:type:`function` (c: :zeek:type:`connection`) : :zeek:type:`bool`
:Attributes: :zeek:attr:`&redef`
The initial criteria used to determine whether to start polling
the connection for the :zeek:see:`GridFTP::size_threshold` to have
been exceeded. This is called in a :zeek:see:`ssl_established` event
handler and by default looks for both a client and server certificate
and for a NULL bulk cipher. One way in which this function could be
redefined is to make it also consider client/server certificate
issuer subjects.
:param c: The connection which may possibly be a GridFTP data channel.
:returns: true if the connection should be further polled for an
exceeded :zeek:see:`GridFTP::size_threshold`, else false.
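Review bot: The `GridFTP::skip_data` description ("Whether to skip further processing of the GridFTP data channel once detected, which may help performance.") states only the benefit and not the cost; since the default is ``T``, the option's own entry should say what stops being recorded once analysis is skipped, namely that the true size of the connection is no longer logged (the package summary for this script says this, but the option entry is where an operator deciding whether to ``redef`` it will look). Minor readability point: ``:Default: ``1073741824``` for `GridFTP::size_threshold` would be easier to read if the description added "(1 GiB)".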


@ -0,0 +1,54 @@
:orphan:
Package: base/protocols/ftp
===========================
Support for File Transfer Protocol (FTP) analysis.
:doc:`/scripts/base/protocols/ftp/__load__.zeek`
:doc:`/scripts/base/protocols/ftp/utils-commands.zeek`
:doc:`/scripts/base/protocols/ftp/info.zeek`
Defines data structures for tracking and logging FTP sessions.
:doc:`/scripts/base/protocols/ftp/main.zeek`
The logging this script does is primarily focused on logging FTP commands
along with metadata. For example, if files are transferred, the argument
will take on the full path that the client is at along with the requested
file name.
:doc:`/scripts/base/protocols/ftp/utils.zeek`
Utilities specific for FTP processing.
:doc:`/scripts/base/protocols/ftp/files.zeek`
:doc:`/scripts/base/protocols/ftp/gridftp.zeek`
A detection script for GridFTP data and control channels.
GridFTP control channels are identified by FTP control channels
that successfully negotiate the GSSAPI method of an AUTH request
and for which the exchange involved an encoded TLS/SSL handshake,
indicating the GSI mechanism for GSSAPI was used. This analysis
is all supported internally, this script simply adds the "gridftp"
label to the *service* field of the control channel's
:zeek:type:`connection` record.
GridFTP data channels are identified by a heuristic that relies on
the fact that default settings for GridFTP clients typically
mutually authenticate the data channel with TLS/SSL and negotiate a
NULL bulk cipher (no encryption). Connections with those attributes
are marked as GridFTP if the data transfer within the first two minutes
is big enough to indicate a GripFTP data channel that would be
undesirable to analyze further (e.g. stop TCP reassembly). A side
effect is that true connection sizes are not logged, but at the benefit
of saving CPU cycles that would otherwise go to analyzing the large
(and likely benign) connections.
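Review bot: Typo in the gridftp.zeek summary: "is big enough to indicate a GripFTP data channel" should read "GridFTP data channel". In the same paragraph, "This analysis is all supported internally, this script simply adds the "gridftp" label" is a comma splice; suggest "This analysis is all supported internally; this script simply adds ...". This index text duplicates the script's own description, so the fix should be applied at the source docstring as well, or it will reappear on the next regeneration.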


@ -0,0 +1,185 @@
:tocdepth: 3
base/protocols/ftp/info.zeek
============================
.. zeek:namespace:: FTP
Defines data structures for tracking and logging FTP sessions.
:Namespace: FTP
:Imports: :doc:`base/protocols/ftp/utils-commands.zeek </scripts/base/protocols/ftp/utils-commands.zeek>`
Summary
~~~~~~~
Runtime Options
###############
=============================================================================== ==========================================================
:zeek:id:`FTP::default_capture_password`: :zeek:type:`bool` :zeek:attr:`&redef` This setting changes if passwords used in FTP sessions are
captured or not.
=============================================================================== ==========================================================
Types
#####
========================================================== ==============================================
:zeek:type:`FTP::ExpectedDataChannel`: :zeek:type:`record` The expected endpoints of an FTP data channel.
:zeek:type:`FTP::Info`: :zeek:type:`record`
========================================================== ==============================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: FTP::default_capture_password
:source-code: base/protocols/ftp/info.zeek 11 11
:Type: :zeek:type:`bool`
:Attributes: :zeek:attr:`&redef`
:Default: ``F``
This setting changes if passwords used in FTP sessions are
captured or not.
Types
#####
.. zeek:type:: FTP::ExpectedDataChannel
:source-code: base/protocols/ftp/info.zeek 14 24
:Type: :zeek:type:`record`
.. zeek:field:: passive :zeek:type:`bool` :zeek:attr:`&log`
Whether PASV mode is toggled for control channel.
.. zeek:field:: orig_h :zeek:type:`addr` :zeek:attr:`&log`
The host that will be initiating the data connection.
.. zeek:field:: resp_h :zeek:type:`addr` :zeek:attr:`&log`
The host that will be accepting the data connection.
.. zeek:field:: resp_p :zeek:type:`port` :zeek:attr:`&log`
The port at which the acceptor is listening for the data
connection.
The expected endpoints of an FTP data channel.
.. zeek:type:: FTP::Info
:source-code: base/protocols/ftp/info.zeek 26 78
:Type: :zeek:type:`record`
.. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
Time when the command was sent.
.. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
Unique ID for the connection.
.. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
The connection's 4-tuple of endpoint addresses/ports.
.. zeek:field:: user :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&default` = ``"<unknown>"`` :zeek:attr:`&optional`
User name for the current FTP session.
.. zeek:field:: password :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Password for the current FTP session if captured.
.. zeek:field:: command :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Command given by the client.
.. zeek:field:: arg :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Argument for the command if one is given.
.. zeek:field:: mime_type :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Sniffed mime type of file.
.. zeek:field:: file_size :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
Size of the file if the command indicates a file transfer.
.. zeek:field:: reply_code :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
Reply code from the server in response to the command.
.. zeek:field:: reply_msg :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Reply message from the server in response to the command.
.. zeek:field:: data_channel :zeek:type:`FTP::ExpectedDataChannel` :zeek:attr:`&log` :zeek:attr:`&optional`
Expected FTP data channel.
.. zeek:field:: cwd :zeek:type:`string` :zeek:attr:`&default` = ``"."`` :zeek:attr:`&optional`
Current working directory that this session is in. By making
the default value '.', we can indicate that unless something
more concrete is discovered that the existing but unknown
directory is ok to use.
.. zeek:field:: cmdarg :zeek:type:`FTP::CmdArg` :zeek:attr:`&optional`
Command that is currently waiting for a response.
.. zeek:field:: pending_commands :zeek:type:`FTP::PendingCmds`
Queue for commands that have been sent but not yet responded
to are tracked here.
.. zeek:field:: command_seq :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
Sequence number of previous command.
.. zeek:field:: passive :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
Indicates if the session is in active or passive mode.
.. zeek:field:: capture_password :zeek:type:`bool` :zeek:attr:`&default` = :zeek:see:`FTP::default_capture_password` :zeek:attr:`&optional`
Determines if the password will be captured for this request.
.. zeek:field:: fuid :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
File unique ID.
.. zeek:field:: last_auth_requested :zeek:type:`string` :zeek:attr:`&optional`
(present if :doc:`/scripts/base/protocols/ftp/gridftp.zeek` is loaded)
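Review bot: The `FTP::default_capture_password` description ("This setting changes if passwords used in FTP sessions are captured or not.") does not say where a captured password ends up; since `FTP::Info$password` is marked `&log`, redefining this option to ``T`` writes cleartext credentials into the FTP log, and the entry should state that plainly, e.g. "Whether passwords used in FTP sessions are captured and written to the log (default ``F``)." Minor grammar in the record fields: "Whether PASV mode is toggled for control channel" is missing "the", and "Queue for commands that have been sent but not yet responded to are tracked here." runs two sentences together; "Queue of commands that have been sent but not yet responded to." suffices.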


@ -0,0 +1,244 @@
:tocdepth: 3
base/protocols/ftp/main.zeek
============================
.. zeek:namespace:: FTP
The logging this script does is primarily focused on logging FTP commands
along with metadata. For example, if files are transferred, the argument
will take on the full path that the client is at along with the requested
file name.
:Namespace: FTP
:Imports: :doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`, :doc:`base/frameworks/notice/weird.zeek </scripts/base/frameworks/notice/weird.zeek>`, :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`, :doc:`base/protocols/ftp/info.zeek </scripts/base/protocols/ftp/info.zeek>`, :doc:`base/protocols/ftp/utils-commands.zeek </scripts/base/protocols/ftp/utils-commands.zeek>`, :doc:`base/protocols/ftp/utils.zeek </scripts/base/protocols/ftp/utils.zeek>`, :doc:`base/utils/addrs.zeek </scripts/base/utils/addrs.zeek>`, :doc:`base/utils/numbers.zeek </scripts/base/utils/numbers.zeek>`, :doc:`base/utils/paths.zeek </scripts/base/utils/paths.zeek>`
Summary
~~~~~~~
Runtime Options
###############
============================================================================ ======================================================================
:zeek:id:`FTP::guest_ids`: :zeek:type:`set` :zeek:attr:`&redef` User IDs that can be considered "anonymous".
:zeek:id:`FTP::logged_commands`: :zeek:type:`set` :zeek:attr:`&redef` List of commands that should have their command/response pairs logged.
:zeek:id:`FTP::max_arg_length`: :zeek:type:`count` :zeek:attr:`&redef` Truncate the arg field in the log to that many bytes to avoid
excessive logging volume.
:zeek:id:`FTP::max_password_length`: :zeek:type:`count` :zeek:attr:`&redef` Truncate the password field in the log to that many bytes to avoid
excessive logging volume as this values is replicated in each
of the entries related to an FTP session.
:zeek:id:`FTP::max_pending_commands`: :zeek:type:`count` :zeek:attr:`&redef` Allow a client to send this many commands before the server
sends a reply.
:zeek:id:`FTP::max_reply_msg_length`: :zeek:type:`count` :zeek:attr:`&redef` Truncate the reply_msg field in the log to that many bytes to avoid
excessive logging volume.
:zeek:id:`FTP::max_user_length`: :zeek:type:`count` :zeek:attr:`&redef` Truncate the user field in the log to that many bytes to avoid
excessive logging volume as this values is replicated in each
of the entries related to an FTP session.
============================================================================ ======================================================================
Types
#####
================================================ ===============================================
:zeek:type:`FTP::ReplyCode`: :zeek:type:`record` This record is to hold a parsed FTP reply code.
================================================ ===============================================
Redefinitions
#############
==================================================================== ========================================================================================
:zeek:type:`Log::ID`: :zeek:type:`enum` The FTP protocol logging stream identifier.
* :zeek:enum:`FTP::LOG`
:zeek:type:`connection`: :zeek:type:`record`
:New Fields: :zeek:type:`connection`
ftp: :zeek:type:`FTP::Info` :zeek:attr:`&optional`
ftp_data_reuse: :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef`
==================================================================== ========================================================================================
Events
######
=========================================== ==============================================================
:zeek:id:`FTP::log_ftp`: :zeek:type:`event` Event that can be handled to access the :zeek:type:`FTP::Info`
record as it is sent on to the logging framework.
=========================================== ==============================================================
Hooks
#####
============================================================ =============================================
:zeek:id:`FTP::finalize_ftp`: :zeek:type:`Conn::RemovalHook` FTP finalization hook.
:zeek:id:`FTP::finalize_ftp_data`: :zeek:type:`hook` FTP data finalization hook.
:zeek:id:`FTP::log_policy`: :zeek:type:`Log::PolicyHook` A default logging policy hook for the stream.
============================================================ =============================================
Functions
#########
=========================================================== =====================================================================
:zeek:id:`FTP::parse_ftp_reply_code`: :zeek:type:`function` Parse FTP reply codes into the three constituent single digit values.
=========================================================== =====================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: FTP::guest_ids
:source-code: base/protocols/ftp/main.zeek 32 32
:Type: :zeek:type:`set` [:zeek:type:`string`]
:Attributes: :zeek:attr:`&redef`
:Default:
::
{
"guest",
"anonymous",
"ftpuser",
"ftp"
}
User IDs that can be considered "anonymous".
.. zeek:id:: FTP::logged_commands
:source-code: base/protocols/ftp/main.zeek 26 26
:Type: :zeek:type:`set` [:zeek:type:`string`]
:Attributes: :zeek:attr:`&redef`
:Default:
::
{
"ACCT",
"DELE",
"APPE",
"RETR",
"PORT",
"STOR",
"EPRT",
"PASV",
"STOU",
"EPSV"
}
List of commands that should have their command/response pairs logged.
.. zeek:id:: FTP::max_arg_length
:source-code: base/protocols/ftp/main.zeek 73 73
:Type: :zeek:type:`count`
:Attributes: :zeek:attr:`&redef`
:Default: ``4096``
Truncate the arg field in the log to that many bytes to avoid
excessive logging volume.
.. zeek:id:: FTP::max_password_length
:source-code: base/protocols/ftp/main.zeek 69 69
:Type: :zeek:type:`count`
:Attributes: :zeek:attr:`&redef`
:Default: ``128``
Truncate the password field in the log to that many bytes to avoid
excessive logging volume as this values is replicated in each
of the entries related to an FTP session.
.. zeek:id:: FTP::max_pending_commands
:source-code: base/protocols/ftp/main.zeek 59 59
:Type: :zeek:type:`count`
:Attributes: :zeek:attr:`&redef`
:Default: ``20``
Allow a client to send this many commands before the server
sends a reply. If this value is exceeded a weird named
FTP_too_many_pending_commands is logged for the connection.
.. zeek:id:: FTP::max_reply_msg_length
:source-code: base/protocols/ftp/main.zeek 77 77
:Type: :zeek:type:`count`
:Attributes: :zeek:attr:`&redef`
:Default: ``4096``
Truncate the reply_msg field in the log to that many bytes to avoid
excessive logging volume.
.. zeek:id:: FTP::max_user_length
:source-code: base/protocols/ftp/main.zeek 64 64
:Type: :zeek:type:`count`
:Attributes: :zeek:attr:`&redef`
:Default: ``128``
Truncate the user field in the log to that many bytes to avoid
excessive logging volume as this values is replicated in each
of the entries related to an FTP session.
Types
#####
.. zeek:type:: FTP::ReplyCode
:source-code: base/protocols/ftp/main.zeek 36 40
:Type: :zeek:type:`record`
.. zeek:field:: x :zeek:type:`count`
.. zeek:field:: y :zeek:type:`count`
.. zeek:field:: z :zeek:type:`count`
This record is to hold a parsed FTP reply code. For example, for the
201 status code, the digits would be parsed as: x->2, y->0, z->1.
Events
######
.. zeek:id:: FTP::log_ftp
:source-code: base/protocols/ftp/main.zeek 47 47
:Type: :zeek:type:`event` (rec: :zeek:type:`FTP::Info`)
Event that can be handled to access the :zeek:type:`FTP::Info`
record as it is sent on to the logging framework.
Hooks
#####
.. zeek:id:: FTP::finalize_ftp
:source-code: base/protocols/ftp/main.zeek 479 488
:Type: :zeek:type:`Conn::RemovalHook`
FTP finalization hook. Remaining FTP info may get logged when it's called.
.. zeek:id:: FTP::finalize_ftp_data
:source-code: base/protocols/ftp/main.zeek 466 476
:Type: :zeek:type:`hook` (c: :zeek:type:`connection`) : :zeek:type:`bool`
FTP data finalization hook. Expected FTP data channel state may
get purged when called.
.. zeek:id:: FTP::log_policy
:source-code: base/protocols/ftp/main.zeek 23 23
:Type: :zeek:type:`Log::PolicyHook`
A default logging policy hook for the stream.
Functions
#########
.. zeek:id:: FTP::parse_ftp_reply_code
:source-code: base/protocols/ftp/main.zeek 141 154
:Type: :zeek:type:`function` (code: :zeek:type:`count`) : :zeek:type:`FTP::ReplyCode`
Parse FTP reply codes into the three constituent single digit values.
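Review bot: Grammar in the `FTP::max_password_length` and `FTP::max_user_length` descriptions: "as this values is replicated in each of the entries related to an FTP session" should be "as this value is replicated ...", in both the summary table and the detailed entries. Also, the `FTP::ReplyCode` fields ``x``, ``y`` and ``z`` carry no per-field documentation; the record description explains them ("for the 201 status code, the digits would be parsed as: x->2, y->0, z->1"), but a one-line comment on each field (hundreds, tens and units digit) would render in the field list where readers look first.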


@ -0,0 +1,416 @@
:tocdepth: 3
base/protocols/ftp/utils-commands.zeek
======================================
.. zeek:namespace:: FTP
:Namespace: FTP
Summary
~~~~~~~
Runtime Options
###############
==================================================================== ===========================================================
:zeek:id:`FTP::cmd_reply_code`: :zeek:type:`set` :zeek:attr:`&redef` Possible response codes for a wide variety of FTP commands.
==================================================================== ===========================================================
Types
#####
================================================= ====================================================================
:zeek:type:`FTP::CmdArg`: :zeek:type:`record`
:zeek:type:`FTP::PendingCmds`: :zeek:type:`table` Structure for tracking pending commands in the event that the client
sends a large number of commands before the server has a chance to
reply.
================================================= ====================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: FTP::cmd_reply_code
:source-code: base/protocols/ftp/utils-commands.zeek 24 24
:Type: :zeek:type:`set` [:zeek:type:`string`, :zeek:type:`count`]
:Attributes: :zeek:attr:`&redef`
:Default:
::
{
["ABOR", 226] ,
["REIN", 120] ,
["STOU", 553] ,
["MLSD", 150] ,
["RNTO", 503] ,
["CDUP", 530] ,
["CDUP", 501] ,
["APPE", 425] ,
["SYST", 530] ,
["PORT", 421] ,
["TYPE", 501] ,
["LIST", 125] ,
["RNTO", 530] ,
["PWD", 501] ,
["STOR", 125] ,
["CDUP", 200] ,
["MLSD", 250] ,
["SITE", 500] ,
["CWD", 550] ,
["CDUP", 550] ,
["QUIT", 500] ,
["MKD", 257] ,
["ALLO", 500] ,
["LIST", 425] ,
["CLNT", 200] ,
["<init>", 0] ,
["ABOR", 501] ,
["FEAT", 502] ,
["MLST", 150] ,
["APPE", 150] ,
["STOU", 550] ,
["USER", 332] ,
["PASV", 227] ,
["SYST", 421] ,
["STRU", 530] ,
["EPRT", 501] ,
["PASV", 530] ,
["USER", 530] ,
["APPE", 125] ,
["CDUP", 421] ,
["STOU", 451] ,
["HELP", 214] ,
["NLST", 426] ,
["RNFR", 450] ,
["LPRT", 521] ,
["ALLO", 530] ,
["STAT", 501] ,
["MACB", 550] ,
["PASS", 332] ,
["SITE", 502] ,
["SIZE", 550] ,
["LIST", 451] ,
["LIST", 426] ,
["APPE", 426] ,
["SMNT", 530] ,
["MLST", 250] ,
["TYPE", 530] ,
["HELP", 500] ,
["RNTO", 553] ,
["STOR", 530] ,
["NLST", 150] ,
["NLST", 451] ,
["SMNT", 501] ,
["ACCT", 230] ,
["MDTM", 550] ,
["APPE", 452] ,
["LIST", 450] ,
["NLST", 250] ,
["MDTM", 500] ,
["RETR", 450] ,
["NLST", 502] ,
["TYPE", 504] ,
["MLSD", 550] ,
["MODE", 421] ,
["OPTS", 451] ,
["RETR", 426] ,
["APPE", 530] ,
["STRU", 504] ,
["STAT", 502] ,
["RETR", 125] ,
["EPRT", 200] ,
["ALLO", 202] ,
["MKD", 502] ,
["STOU", 501] ,
["SYST", 502] ,
["REIN", 220] ,
["MLSD", 501] ,
["DELE", 530] ,
["USER", 421] ,
["NLST", 530] ,
["TYPE", 200] ,
["RMD", 250] ,
["DELE", 421] ,
["FEAT", 211] ,
["APPE", 500] ,
["RETR", 501] ,
["ABOR", 225] ,
["CWD", 250] ,
["STOU", 110] ,
["ALLO", 504] ,
["RNTO", 532] ,
["PWD", 500] ,
["STOR", 110] ,
["MODE", 502] ,
["PORT", 200] ,
["NLST", 125] ,
["RETR", 110] ,
["ACCT", 503] ,
["RMD", 502] ,
["REST", 200] ,
["RETR", 226] ,
["PASV", 500] ,
["STRU", 501] ,
["LIST", 502] ,
["STAT", 530] ,
["RETR", 500] ,
["PASS", 501] ,
["STOR", 553] ,
["APPE", 550] ,
["SMNT", 550] ,
["PASV", 501] ,
["SYST", 501] ,
["MKD", 550] ,
["PASV", 502] ,
["MODE", 530] ,
["STAT", 450] ,
["APPE", 226] ,
["MACB", 500] ,
["PASS", 230] ,
["STAT", 212] ,
["PASV", 421] ,
["STOU", 530] ,
["PASS", 530] ,
["SITE", 202] ,
["PASS", 500] ,
["APPE", 450] ,
["STOR", 450] ,
["LIST", 250] ,
["NLST", 500] ,
["PWD", 502] ,
["RNFR", 500] ,
["STOR", 501] ,
["DELE", 500] ,
["HELP", 421] ,
["NLST", 425] ,
["NLST", 550] ,
["STOR", 451] ,
["SYST", 215] ,
["RETR", 425] ,
["APPE", 532] ,
["LIST", 150] ,
["CWD", 500] ,
["USER", 331] ,
["OPTS", 501] ,
["PASS", 503] ,
["STOU", 532] ,
["STOU", 150] ,
["QUIT", 221] ,
["ACCT", 202] ,
["STOR", 425] ,
["MKD", 421] ,
["TYPE", 500] ,
["STOU", 125] ,
["SYST", 500] ,
["CDUP", 502] ,
["RETR", 451] ,
["RNFR", 502] ,
["TYPE", 421] ,
["STOR", 500] ,
["SIZE", 500] ,
["HELP", 211] ,
["RNTO", 250] ,
["REIN", 502] ,
["STRU", 200] ,
["RMD", 421] ,
["<init>", 421] ,
["STAT", 211] ,
["<init>", 120] ,
["LIST", 550] ,
["ABOR", 500] ,
["NOOP", 200] ,
["REIN", 421] ,
["STOR", 150] ,
["SMNT", 502] ,
["CDUP", 250] ,
["PORT", 501] ,
["MODE", 504] ,
["STAT", 421] ,
["MODE", 501] ,
["MDTM", 213] ,
["MKD", 501] ,
["LIST", 421] ,
["MLST", 226] ,
["STOR", 226] ,
["NOOP", 421] ,
["PWD", 421] ,
["FEAT", 500] ,
["APPE", 250] ,
["CLNT", 500] ,
["LIST", 501] ,
["STOU", 425] ,
["LIST", 530] ,
["SITE", 530] ,
["STOU", 250] ,
["RETR", 150] ,
["RNTO", 500] ,
["MLST", 501] ,
["REST", 501] ,
["MKD", 530] ,
["RNFR", 530] ,
["ALLO", 200] ,
["STRU", 500] ,
["MLSD", 500] ,
["STOU", 426] ,
["STAT", 213] ,
["RNFR", 421] ,
["ALLO", 501] ,
["RETR", 421] ,
["APPE", 421] ,
["USER", 501] ,
["QUIT", 0] ,
["USER", 230] ,
["RNFR", 350] ,
["STOU", 551] ,
["MODE", 500] ,
["STOR", 426] ,
["REST", 530] ,
["SMNT", 421] ,
["ABOR", 502] ,
["ACCT", 421] ,
["APPE", 502] ,
["SITE", 214] ,
["CWD", 421] ,
["NLST", 450] ,
["STOU", 226] ,
["EPRT", 522] ,
["REST", 500] ,
["RMD", 550] ,
["LPRT", 501] ,
["EPSV", 501] ,
["HELP", 501] ,
["DELE", 450] ,
["NLST", 501] ,
["EPSV", 500] ,
["APPE", 552] ,
["EPRT", 500] ,
["PWD", 257] ,
["MODE", 200] ,
["NLST", 226] ,
["RMD", 500] ,
["CWD", 530] ,
["APPE", 501] ,
["RMD", 530] ,
["STOR", 452] ,
["<missing>", 0] ,
["RETR", 530] ,
["NOOP", 500] ,
["REIN", 500] ,
["STOR", 532] ,
["ABOR", 421] ,
["APPE", 551] ,
["SMNT", 500] ,
["STOR", 550] ,
["RNFR", 501] ,
["USER", 500] ,
["ALLO", 421] ,
["ACCT", 500] ,
["RNTO", 502] ,
["MKD", 500] ,
["PASS", 421] ,
["STOU", 552] ,
["STOU", 452] ,
["CWD", 501] ,
["PORT", 500] ,
["MLST", 500] ,
["STOU", 450] ,
["STOU", 421] ,
["ACCT", 530] ,
["STRU", 421] ,
["STOU", 500] ,
["SIZE", 501] ,
["MDTM", 501] ,
["ACCT", 501] ,
["REST", 502] ,
["STOR", 421] ,
["RNTO", 421] ,
["RETR", 250] ,
["MLSD", 226] ,
["LIST", 500] ,
["DELE", 502] ,
["SMNT", 250] ,
["OPTS", 200] ,
["SITE", 501] ,
["APPE", 553] ,
["PASS", 202] ,
["SIZE", 213] ,
["STOR", 250] ,
["DELE", 250] ,
["STOR", 551] ,
["PWD", 550] ,
["STAT", 500] ,
["RMD", 501] ,
["RNTO", 501] ,
["HELP", 200] ,
["MACB", 200] ,
["DELE", 501] ,
["LPRT", 500] ,
["LIST", 226] ,
["REST", 350] ,
["CDUP", 500] ,
["APPE", 451] ,
["EPSV", 229] ,
["RETR", 550] ,
["DELE", 550] ,
["PORT", 530] ,
["CWD", 502] ,
["STOR", 552] ,
["NLST", 421] ,
["HELP", 502] ,
["SITE", 200] ,
["<init>", 220] ,
["SMNT", 202] ,
["RNFR", 550] ,
["MLST", 550] ,
["REST", 421]
}
Possible response codes for a wide variety of FTP commands.
Types
#####
.. zeek:type:: FTP::CmdArg
:source-code: base/protocols/ftp/utils-commands.zeek 4 16
:Type: :zeek:type:`record`
.. zeek:field:: ts :zeek:type:`time`
Time when the command was sent.
.. zeek:field:: cmd :zeek:type:`string` :zeek:attr:`&default` = ``"<unknown>"`` :zeek:attr:`&optional`
Command.
.. zeek:field:: arg :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`
Argument for the command if one was given.
.. zeek:field:: seq :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
Counter to track how many commands have been executed.
.. zeek:field:: cwd_consumed :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
Flag indicating if the arg of this CmdArg has been used
to update cwd of c$ftp.
.. zeek:type:: FTP::PendingCmds
:source-code: base/protocols/ftp/utils-commands.zeek 21 21
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`FTP::CmdArg`
Structure for tracking pending commands in the event that the client
sends a large number of commands before the server has a chance to
reply.
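Review bot: The rendered default for `FTP::cmd_reply_code` is unsorted (``["ABOR", 226]``, ``["REIN", 120]``, ``["STOU", 553]``, ...), which makes this roughly 300-line table impossible to review or to diff across regenerations; sorting set members by command and then code before rendering would fix that. The pseudo-commands ``"<init>"`` and ``"<missing>"`` that appear in the set are not explained anywhere in the description ("Possible response codes for a wide variety of FTP commands."); one sentence stating what they denote would help. Lastly, `FTP::CmdArg` has an empty cell in the Types summary table because the record has no docstring.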


@ -0,0 +1,60 @@
:tocdepth: 3
base/protocols/ftp/utils.zeek
=============================
.. zeek:namespace:: FTP
Utilities specific for FTP processing.
:Namespace: FTP
:Imports: :doc:`base/protocols/ftp/info.zeek </scripts/base/protocols/ftp/info.zeek>`, :doc:`base/utils/addrs.zeek </scripts/base/utils/addrs.zeek>`, :doc:`base/utils/paths.zeek </scripts/base/utils/paths.zeek>`
Summary
~~~~~~~
Functions
#########
==================================================== ===========================================================
:zeek:id:`FTP::build_url`: :zeek:type:`function` Creates a URL from an :zeek:type:`FTP::Info` record.
:zeek:id:`FTP::build_url_ftp`: :zeek:type:`function` Creates a URL from an :zeek:type:`FTP::Info` record.
:zeek:id:`FTP::describe`: :zeek:type:`function` Create an extremely shortened representation of a log line.
==================================================== ===========================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: FTP::build_url
:source-code: base/protocols/ftp/utils.zeek 28 38
:Type: :zeek:type:`function` (rec: :zeek:type:`FTP::Info`) : :zeek:type:`string`
Creates a URL from an :zeek:type:`FTP::Info` record.
:param rec: An :zeek:type:`FTP::Info` record.
:returns: A URL, not prefixed by ``"ftp://"``.
.. zeek:id:: FTP::build_url_ftp
:source-code: base/protocols/ftp/utils.zeek 40 43
:Type: :zeek:type:`function` (rec: :zeek:type:`FTP::Info`) : :zeek:type:`string`
Creates a URL from an :zeek:type:`FTP::Info` record.
:param rec: An :zeek:type:`FTP::Info` record.
:returns: A URL prefixed with ``"ftp://"``.
.. zeek:id:: FTP::describe
:source-code: base/protocols/ftp/utils.zeek 45 48
:Type: :zeek:type:`function` (rec: :zeek:type:`FTP::Info`) : :zeek:type:`string`
Create an extremely shortened representation of a log line.
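Review bot: `FTP::build_url` and `FTP::build_url_ftp` have identical summaries ("Creates a URL from an :zeek:type:`FTP::Info` record."), so the Functions table gives no way to tell them apart; the distinction lives only in the `:returns:` lines ("A URL, not prefixed by ``"ftp://"``" versus "A URL prefixed with ``"ftp://"``"). Suggest folding that into the first sentence of each, e.g. "Creates a URL, without the ``ftp://`` scheme, from an :zeek:type:`FTP::Info` record." `FTP::describe` also lacks the `:param rec:` and `:returns:` lines the other two functions have.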


@ -0,0 +1,14 @@
:tocdepth: 3
base/protocols/http/__load__.zeek
=================================
:Imports: :doc:`base/protocols/http/entities.zeek </scripts/base/protocols/http/entities.zeek>`, :doc:`base/protocols/http/files.zeek </scripts/base/protocols/http/files.zeek>`, :doc:`base/protocols/http/main.zeek </scripts/base/protocols/http/main.zeek>`, :doc:`base/protocols/http/utils.zeek </scripts/base/protocols/http/utils.zeek>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~


@ -0,0 +1,130 @@
:tocdepth: 3
base/protocols/http/entities.zeek
=================================
.. zeek:namespace:: HTTP
Analysis and logging for MIME entities found in HTTP sessions.
:Namespace: HTTP
:Imports: :doc:`base/frameworks/files </scripts/base/frameworks/files/index>`, :doc:`base/frameworks/notice/weird.zeek </scripts/base/frameworks/notice/weird.zeek>`, :doc:`base/protocols/http/main.zeek </scripts/base/protocols/http/main.zeek>`, :doc:`base/utils/files.zeek </scripts/base/utils/files.zeek>`, :doc:`base/utils/strings.zeek </scripts/base/utils/strings.zeek>`
Summary
~~~~~~~
Runtime Options
###############
======================================================================= ==========================================
:zeek:id:`HTTP::max_files_orig`: :zeek:type:`count` :zeek:attr:`&redef` Maximum number of originator files to log.
:zeek:id:`HTTP::max_files_resp`: :zeek:type:`count` :zeek:attr:`&redef` Maximum number of responder files to log.
======================================================================= ==========================================
Types
#####
============================================== =
:zeek:type:`HTTP::Entity`: :zeek:type:`record`
============================================== =
Redefinitions
#############
============================================================= ======================================================================================================
:zeek:type:`HTTP::Info`: :zeek:type:`record`
:New Fields: :zeek:type:`HTTP::Info`
orig_fuids: :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
An ordered vector of file unique IDs.
orig_filenames: :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
An ordered vector of filenames from the client.
orig_mime_types: :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
An ordered vector of mime types.
resp_fuids: :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
An ordered vector of file unique IDs.
resp_filenames: :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
An ordered vector of filenames from the server.
resp_mime_types: :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
An ordered vector of mime types.
current_entity: :zeek:type:`HTTP::Entity` :zeek:attr:`&optional`
The current entity.
orig_mime_depth: :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
Current number of MIME entities in the HTTP request message
body.
resp_mime_depth: :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
Current number of MIME entities in the HTTP response message
body.
:zeek:type:`fa_file`: :zeek:type:`record` :zeek:attr:`&redef`
:New Fields: :zeek:type:`fa_file`
http: :zeek:type:`HTTP::Info` :zeek:attr:`&optional`
============================================================= ======================================================================================================
Hooks
#####
==================================================== ================================================================
:zeek:id:`HTTP::max_files_policy`: :zeek:type:`hook` Called when reaching the max number of files across a given HTTP
connection according to :zeek:see:`HTTP::max_files_orig`
or :zeek:see:`HTTP::max_files_resp`.
==================================================== ================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: HTTP::max_files_orig
:source-code: base/protocols/http/entities.zeek 20 20
:Type: :zeek:type:`count`
:Attributes: :zeek:attr:`&redef`
:Default: ``15``
Maximum number of originator files to log.
:zeek:see:`HTTP::max_files_policy` even is called once this
limit is reached to determine if it's enforced.
.. zeek:id:: HTTP::max_files_resp
:source-code: base/protocols/http/entities.zeek 25 25
:Type: :zeek:type:`count`
:Attributes: :zeek:attr:`&redef`
:Default: ``15``
Maximum number of responder files to log.
:zeek:see:`HTTP::max_files_policy` even is called once this
limit is reached to determine if it's enforced.
Types
#####
.. zeek:type:: HTTP::Entity
:source-code: base/protocols/http/entities.zeek 12 15
:Type: :zeek:type:`record`
.. zeek:field:: filename :zeek:type:`string` :zeek:attr:`&optional`
Filename for the entity if discovered from a header.
Hooks
#####
.. zeek:id:: HTTP::max_files_policy
:source-code: base/protocols/http/entities.zeek 31 31
:Type: :zeek:type:`hook` (f: :zeek:type:`fa_file`, is_orig: :zeek:type:`bool`) : :zeek:type:`bool`
Called when reaching the max number of files across a given HTTP
connection according to :zeek:see:`HTTP::max_files_orig`
or :zeek:see:`HTTP::max_files_resp`. Break from the hook
early to signal that the file limit should not be applied.
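Review bot: the descriptions of HTTP::max_files_orig and HTTP::max_files_resp both read ":zeek:see:`HTTP::max_files_policy` even is called once this limit is reached"; "even" is a typo, and since HTTP::max_files_policy is declared in this same file as a hook (":Type: hook (f: fa_file, is_orig: bool) : bool"), "hook is called" is the accurate wording, e.g. "The :zeek:see:`HTTP::max_files_policy` hook is called once this limit is reached to decide whether it is enforced." The typo appears in both detailed entries, so the fix belongs in the source comments at base/protocols/http/entities.zeek lines 20 and 25 referenced by :source-code:, not in the generated .rst. It would also help operators sizing the limits (default 15 each) to state here, as the hook entry already does, that breaking from the hook disables the cap for that connection, since that is the only way the two options interact.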

@ -0,0 +1,39 @@
:tocdepth: 3
base/protocols/http/files.zeek
==============================
.. zeek:namespace:: HTTP
:Namespace: HTTP
:Imports: :doc:`base/frameworks/files </scripts/base/frameworks/files/index>`, :doc:`base/protocols/http/entities.zeek </scripts/base/protocols/http/entities.zeek>`, :doc:`base/protocols/http/main.zeek </scripts/base/protocols/http/main.zeek>`, :doc:`base/protocols/http/utils.zeek </scripts/base/protocols/http/utils.zeek>`, :doc:`base/utils/conn-ids.zeek </scripts/base/utils/conn-ids.zeek>`
Summary
~~~~~~~
Functions
#########
======================================================= ======================================
:zeek:id:`HTTP::describe_file`: :zeek:type:`function` Default file describer for HTTP.
:zeek:id:`HTTP::get_file_handle`: :zeek:type:`function` Default file handle provider for HTTP.
======================================================= ======================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: HTTP::describe_file
:source-code: base/protocols/http/files.zeek 37 49
:Type: :zeek:type:`function` (f: :zeek:type:`fa_file`) : :zeek:type:`string`
Default file describer for HTTP.
.. zeek:id:: HTTP::get_file_handle
:source-code: base/protocols/http/files.zeek 17 35
:Type: :zeek:type:`function` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`) : :zeek:type:`string`
Default file handle provider for HTTP.

@ -0,0 +1,27 @@
:orphan:
Package: base/protocols/http
============================
Support for Hypertext Transfer Protocol (HTTP) analysis.
:doc:`/scripts/base/protocols/http/__load__.zeek`
:doc:`/scripts/base/protocols/http/main.zeek`
Implements base functionality for HTTP analysis. The logging model is
to log request/response pairs and all relevant metadata together in
a single record.
:doc:`/scripts/base/protocols/http/entities.zeek`
Analysis and logging for MIME entities found in HTTP sessions.
:doc:`/scripts/base/protocols/http/utils.zeek`
Utilities specific for HTTP processing.
:doc:`/scripts/base/protocols/http/files.zeek`
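Review bot: the files.zeek entry at the end of this package list has no summary line, while main.zeek, entities.zeek and utils.zeek each carry one. The generator takes these from the script's module docstring, and the files.zeek page in this same commit has none either, so a one-line docstring in base/protocols/http/files.zeek (its two functions are documented as "Default file handle provider for HTTP" and "Default file describer for HTTP", which is the summary) would fix both places at once.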

@ -0,0 +1,498 @@
:tocdepth: 3
base/protocols/http/main.zeek
=============================
.. zeek:namespace:: HTTP
Implements base functionality for HTTP analysis. The logging model is
to log request/response pairs and all relevant metadata together in
a single record.
:Namespace: HTTP
:Imports: :doc:`base/frameworks/tunnels </scripts/base/frameworks/tunnels/index>`, :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`, :doc:`base/utils/files.zeek </scripts/base/utils/files.zeek>`, :doc:`base/utils/numbers.zeek </scripts/base/utils/numbers.zeek>`
Summary
~~~~~~~
Runtime Options
###############
================================================================================ ====================================================================
:zeek:id:`HTTP::default_capture_password`: :zeek:type:`bool` :zeek:attr:`&redef` This setting changes if passwords used in Basic-Auth are captured or
not.
:zeek:id:`HTTP::http_methods`: :zeek:type:`set` :zeek:attr:`&redef` A list of HTTP methods.
:zeek:id:`HTTP::max_pending_requests`: :zeek:type:`count` :zeek:attr:`&redef` Only allow that many pending requests on a single connection.
:zeek:id:`HTTP::proxy_headers`: :zeek:type:`set` :zeek:attr:`&redef` A list of HTTP headers typically used to indicate proxied requests.
================================================================================ ====================================================================
Redefinable Options
###################
======================================================================================= =======================================================================
:zeek:id:`HTTP::default_max_field_string_bytes`: :zeek:type:`count` :zeek:attr:`&redef` The maximum number of bytes that a single string field can contain when
logging.
======================================================================================= =======================================================================
Types
#####
============================================= ===================================================================
:zeek:type:`HTTP::Info`: :zeek:type:`record` The record type which contains the fields of the HTTP log.
:zeek:type:`HTTP::State`: :zeek:type:`record` Structure to maintain state for an HTTP connection with multiple
requests and responses.
:zeek:type:`HTTP::Tags`: :zeek:type:`enum` Indicate a type of attack or compromise in the record to be logged.
============================================= ===================================================================
Redefinitions
#############
==================================================================== =============================================================
:zeek:type:`Log::ID`: :zeek:type:`enum`
* :zeek:enum:`HTTP::LOG`
:zeek:type:`connection`: :zeek:type:`record`
:New Fields: :zeek:type:`connection`
http: :zeek:type:`HTTP::Info` :zeek:attr:`&optional`
http_state: :zeek:type:`HTTP::State` :zeek:attr:`&optional`
:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef`
==================================================================== =============================================================
Events
######
============================================= ====================================================================
:zeek:id:`HTTP::log_http`: :zeek:type:`event` Event that can be handled to access the HTTP record as it is sent on
to the logging framework.
============================================= ====================================================================
Hooks
#####
============================================================== =======================
:zeek:id:`HTTP::finalize_http`: :zeek:type:`Conn::RemovalHook` HTTP finalization hook.
:zeek:id:`HTTP::log_policy`: :zeek:type:`Log::PolicyHook`
============================================================== =======================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: HTTP::default_capture_password
:source-code: base/protocols/http/main.zeek 25 25
:Type: :zeek:type:`bool`
:Attributes: :zeek:attr:`&redef`
:Default: ``F``
This setting changes if passwords used in Basic-Auth are captured or
not.
.. zeek:id:: HTTP::http_methods
:source-code: base/protocols/http/main.zeek 120 120
:Type: :zeek:type:`set` [:zeek:type:`string`]
:Attributes: :zeek:attr:`&redef`
:Default:
::
{
"POST",
"PUT",
"CONNECT",
"BMOVE",
"SEARCH",
"TRACE",
"LOCK",
"PROPPATCH",
"HEAD",
"OPTIONS",
"POLL",
"REPORT",
"SUBSCRIBE",
"MOVE",
"GET",
"UNLOCK",
"DELETE",
"COPY",
"MKCOL",
"PROPFIND"
}
A list of HTTP methods. Other methods will generate a weird. Note
that the HTTP analyzer will only accept methods consisting solely
of letters ``[A-Za-z]``.
.. zeek:id:: HTTP::max_pending_requests
:source-code: base/protocols/http/main.zeek 141 141
:Type: :zeek:type:`count`
:Attributes: :zeek:attr:`&redef`
:Default: ``100``
Only allow that many pending requests on a single connection.
If this number is exceeded, all pending requests are flushed
out and request/response tracking reset to prevent unbounded
state growth.
.. zeek:id:: HTTP::proxy_headers
:source-code: base/protocols/http/main.zeek 107 107
:Type: :zeek:type:`set` [:zeek:type:`string`]
:Attributes: :zeek:attr:`&redef`
:Default:
::
{
"CLIENT-IP",
"X-FORWARDED-FROM",
"VIA",
"XROXY-CONNECTION",
"PROXY-CONNECTION",
"X-FORWARDED-FOR",
"FORWARDED"
}
A list of HTTP headers typically used to indicate proxied requests.
Redefinable Options
###################
.. zeek:id:: HTTP::default_max_field_string_bytes
:source-code: base/protocols/http/main.zeek 149 149
:Type: :zeek:type:`count`
:Attributes: :zeek:attr:`&redef`
:Default: ``0``
The maximum number of bytes that a single string field can contain when
logging. If a string reaches this limit, the log output for the field will be
truncated. Setting this to zero disables the limiting. HTTP has no maximum
length for various fields such as the URI, so this is set to zero by default.
.. zeek:see:: Log::default_max_field_string_bytes
Types
#####
.. zeek:type:: HTTP::Info
:source-code: base/protocols/http/main.zeek 28 89
:Type: :zeek:type:`record`
.. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
Timestamp for when the request happened.
.. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
Unique ID for the connection.
.. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
The connection's 4-tuple of endpoint addresses/ports.
.. zeek:field:: trans_depth :zeek:type:`count` :zeek:attr:`&log`
Represents the pipelined depth into the connection of this
request/response transaction.
.. zeek:field:: method :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Verb used in the HTTP request (GET, POST, HEAD, etc.).
.. zeek:field:: host :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Value of the HOST header.
.. zeek:field:: uri :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
URI used in the request.
.. zeek:field:: referrer :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Value of the "referer" header. The comment is deliberately
misspelled like the standard declares, but the name used here
is "referrer", spelled correctly.
.. zeek:field:: version :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Value of the version portion of the reply. If you require
message-level detail, consider the :zeek:see:`http_request` and
:zeek:see:`http_reply` events, which report each message's
version string.
.. zeek:field:: user_agent :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Value of the User-Agent header from the client.
.. zeek:field:: origin :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Value of the Origin header from the client.
.. zeek:field:: request_body_len :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
Actual uncompressed content size of the data transferred from
the client.
.. zeek:field:: response_body_len :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
Actual uncompressed content size of the data transferred from
the server.
.. zeek:field:: status_code :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
Status code returned by the server.
.. zeek:field:: status_msg :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Status message returned by the server.
.. zeek:field:: info_code :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
Last seen 1xx informational reply code returned by the server.
.. zeek:field:: info_msg :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Last seen 1xx informational reply message returned by the server.
.. zeek:field:: tags :zeek:type:`set` [:zeek:type:`HTTP::Tags`] :zeek:attr:`&log`
A set of indicators of various attributes discovered and
related to a particular request/response pair.
.. zeek:field:: username :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Username if basic-auth is performed for the request.
.. zeek:field:: password :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Password if basic-auth is performed for the request.
.. zeek:field:: capture_password :zeek:type:`bool` :zeek:attr:`&default` = :zeek:see:`HTTP::default_capture_password` :zeek:attr:`&optional`
Determines if the password will be captured for this request.
.. zeek:field:: proxied :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&log` :zeek:attr:`&optional`
All of the headers that may indicate if the request was proxied.
.. zeek:field:: range_request :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
Indicates if this request can assume 206 partial content in
response.
.. zeek:field:: orig_fuids :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/base/protocols/http/entities.zeek` is loaded)
An ordered vector of file unique IDs.
Limited to :zeek:see:`HTTP::max_files_orig` entries.
.. zeek:field:: orig_filenames :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/base/protocols/http/entities.zeek` is loaded)
An ordered vector of filenames from the client.
Limited to :zeek:see:`HTTP::max_files_orig` entries.
.. zeek:field:: orig_mime_types :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/base/protocols/http/entities.zeek` is loaded)
An ordered vector of mime types.
Limited to :zeek:see:`HTTP::max_files_orig` entries.
.. zeek:field:: resp_fuids :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/base/protocols/http/entities.zeek` is loaded)
An ordered vector of file unique IDs.
Limited to :zeek:see:`HTTP::max_files_resp` entries.
.. zeek:field:: resp_filenames :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/base/protocols/http/entities.zeek` is loaded)
An ordered vector of filenames from the server.
Limited to :zeek:see:`HTTP::max_files_resp` entries.
.. zeek:field:: resp_mime_types :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/base/protocols/http/entities.zeek` is loaded)
An ordered vector of mime types.
Limited to :zeek:see:`HTTP::max_files_resp` entries.
.. zeek:field:: current_entity :zeek:type:`HTTP::Entity` :zeek:attr:`&optional`
(present if :doc:`/scripts/base/protocols/http/entities.zeek` is loaded)
The current entity.
.. zeek:field:: orig_mime_depth :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
(present if :doc:`/scripts/base/protocols/http/entities.zeek` is loaded)
Current number of MIME entities in the HTTP request message
body.
.. zeek:field:: resp_mime_depth :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
(present if :doc:`/scripts/base/protocols/http/entities.zeek` is loaded)
Current number of MIME entities in the HTTP response message
body.
.. zeek:field:: client_header_names :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/http/header-names.zeek` is loaded)
The vector of HTTP header names sent by the client. No
header values are included here, just the header names.
.. zeek:field:: server_header_names :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/http/header-names.zeek` is loaded)
The vector of HTTP header names sent by the server. No
header values are included here, just the header names.
.. zeek:field:: omniture :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/http/software-browser-plugins.zeek` is loaded)
Indicates if the server is an omniture advertising server.
.. zeek:field:: flash_version :zeek:type:`string` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/http/software-browser-plugins.zeek` is loaded)
The unparsed Flash version, if detected.
.. zeek:field:: cookie_vars :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
(present if :doc:`/scripts/policy/protocols/http/var-extraction-cookies.zeek` is loaded)
Variable names extracted from all cookies.
.. zeek:field:: uri_vars :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
(present if :doc:`/scripts/policy/protocols/http/var-extraction-uri.zeek` is loaded)
Variable names from the URI.
The record type which contains the fields of the HTTP log.
.. zeek:type:: HTTP::State
:source-code: base/protocols/http/main.zeek 93 104
:Type: :zeek:type:`record`
.. zeek:field:: pending :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`HTTP::Info`
Pending requests.
.. zeek:field:: current_request :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
Current request in the pending queue.
.. zeek:field:: current_response :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
Current response in the pending queue.
.. zeek:field:: trans_depth :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
Track the current deepest transaction.
This is meant to cope with missing requests
and responses.
Structure to maintain state for an HTTP connection with multiple
requests and responses.
.. zeek:type:: HTTP::Tags
:source-code: base/protocols/http/main.zeek 18 22
:Type: :zeek:type:`enum`
.. zeek:enum:: HTTP::EMPTY HTTP::Tags
Placeholder.
.. zeek:enum:: HTTP::URI_SQLI HTTP::Tags
(present if :doc:`/scripts/policy/protocols/http/detect-sql-injection.zeek` is loaded)
Indicator of a URI based SQL injection attack.
Indicate a type of attack or compromise in the record to be logged.
Events
######
.. zeek:id:: HTTP::log_http
:source-code: base/protocols/http/main.zeek 132 132
:Type: :zeek:type:`event` (rec: :zeek:type:`HTTP::Info`)
Event that can be handled to access the HTTP record as it is sent on
to the logging framework.
Hooks
#####
.. zeek:id:: HTTP::finalize_http
:source-code: base/protocols/http/main.zeek 393 405
:Type: :zeek:type:`Conn::RemovalHook`
HTTP finalization hook. Remaining HTTP info may get logged when it's called.
.. zeek:id:: HTTP::log_policy
:source-code: base/protocols/http/main.zeek 15 15
:Type: :zeek:type:`Log::PolicyHook`
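Review bot: the description of HTTP::default_capture_password ("This setting changes if passwords used in Basic-Auth are captured or not.") should spell out the consequence: with the option redefined to T, or with HTTP::Info$capture_password set for a request, the cleartext Basic-Auth password is written to the &log `password` field declared later in HTTP::Info, so http.log then carries credentials and needs the same handling as the traffic it was taken from. The default of F is the right one; the doc should say that this is why. Two smaller points in the same hunk: HTTP::log_policy has no description (empty cell in the Hooks summary and nothing under the detailed entry) while HTTP::finalize_http does, so a one-liner naming it as the policy hook for the HTTP::LOG stream would fill the gap; and the http_methods text "Other methods will generate a weird" would read better as "Other methods generate a weird (see the weird.log stream)", since "a weird" is Zeek jargon a first-time reader will not know.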

@ -0,0 +1,82 @@
:tocdepth: 3
base/protocols/http/utils.zeek
==============================
.. zeek:namespace:: HTTP
Utilities specific for HTTP processing.
:Namespace: HTTP
:Imports: :doc:`base/protocols/http/main.zeek </scripts/base/protocols/http/main.zeek>`, :doc:`base/utils/addrs.zeek </scripts/base/utils/addrs.zeek>`
Summary
~~~~~~~
Functions
#########
====================================================== ====================================================================
:zeek:id:`HTTP::build_url`: :zeek:type:`function` Creates a URL from an :zeek:type:`HTTP::Info` record.
:zeek:id:`HTTP::build_url_http`: :zeek:type:`function` Creates a URL from an :zeek:type:`HTTP::Info` record.
:zeek:id:`HTTP::describe`: :zeek:type:`function` Create an extremely shortened representation of a log line.
:zeek:id:`HTTP::extract_keys`: :zeek:type:`function` Given a string containing a series of key-value pairs separated
by "=", this function can be used to parse out all of the key names.
====================================================== ====================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: HTTP::build_url
:source-code: base/protocols/http/utils.zeek 55 66
:Type: :zeek:type:`function` (rec: :zeek:type:`HTTP::Info`) : :zeek:type:`string`
Creates a URL from an :zeek:type:`HTTP::Info` record. This should
handle edge cases such as proxied requests appropriately.
:param rec: An :zeek:type:`HTTP::Info` record.
:returns: A URL, not prefixed by ``"http://"``.
.. zeek:id:: HTTP::build_url_http
:source-code: base/protocols/http/utils.zeek 68 71
:Type: :zeek:type:`function` (rec: :zeek:type:`HTTP::Info`) : :zeek:type:`string`
Creates a URL from an :zeek:type:`HTTP::Info` record. This should
handle edge cases such as proxied requests appropriately.
:param rec: An :zeek:type:`HTTP::Info` record.
:returns: A URL prefixed with ``"http://"``.
.. zeek:id:: HTTP::describe
:source-code: base/protocols/http/utils.zeek 73 76
:Type: :zeek:type:`function` (rec: :zeek:type:`HTTP::Info`) : :zeek:type:`string`
Create an extremely shortened representation of a log line.
.. zeek:id:: HTTP::extract_keys
:source-code: base/protocols/http/utils.zeek 41 53
:Type: :zeek:type:`function` (data: :zeek:type:`string`, kv_splitter: :zeek:type:`pattern`) : :zeek:type:`string_vec`
Given a string containing a series of key-value pairs separated
by "=", this function can be used to parse out all of the key names.
:param data: The raw data, such as a URL or cookie value.
:param kv_splitter: A regular expression representing the separator between
key-value pairs.
:returns: A vector of strings containing the keys.
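Review bot: HTTP::build_url and HTTP::build_url_http share the hedged sentence "This should handle edge cases such as proxied requests appropriately"; reference documentation should state what the function does, not what it should do, and name which HTTP::Info fields (host, uri, and the proxied set) feed the result. Worth adding to both :returns: entries that the URL is assembled from client-supplied values (host is documented in main.zeek as "Value of the HOST header"), so it is a string for logging and correlation, not a validated URL that anything should dereference. Also, ":returns: A URL, not prefixed by ``"http://"``" for build_url reads oddly next to build_url_http; "A URL without a scheme prefix" is clearer.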

@ -0,0 +1,14 @@
:tocdepth: 3
base/protocols/imap/__load__.zeek
=================================
:Imports: :doc:`base/protocols/imap/main.zeek </scripts/base/protocols/imap/main.zeek>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -0,0 +1,17 @@
:orphan:
Package: base/protocols/imap
============================
Support for the Internet Message Access Protocol (IMAP).
Note that currently the IMAP analyzer only supports analyzing IMAP sessions
until they do or do not switch to TLS using StartTLS. Hence, we do not get
mails from IMAP sessions, only X509 certificates.
:doc:`/scripts/base/protocols/imap/__load__.zeek`
:doc:`/scripts/base/protocols/imap/main.zeek`
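Review bot: "only supports analyzing IMAP sessions until they do or do not switch to TLS using StartTLS" is ambiguous; the point is that analysis stops at the STARTTLS decision point regardless of the outcome, so "analyzes an IMAP session only up to the point where a STARTTLS upgrade would occur, whether or not it happens" says it plainly. "X509" should be "X.509", and since this text is the only description the IMAP package has (main.zeek in this same commit carries none), the consequence for operators belongs here too: no mail content or attachments are extracted from IMAP, only certificates from sessions that do upgrade.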

@ -0,0 +1,21 @@
:tocdepth: 3
base/protocols/imap/main.zeek
=============================
.. zeek:namespace:: IMAP
:Namespace: IMAP
Summary
~~~~~~~
Redefinitions
#############
==================================================================== =
:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef`
==================================================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -0,0 +1,14 @@
:tocdepth: 3
base/protocols/irc/__load__.zeek
================================
:Imports: :doc:`base/protocols/irc/dcc-send.zeek </scripts/base/protocols/irc/dcc-send.zeek>`, :doc:`base/protocols/irc/files.zeek </scripts/base/protocols/irc/files.zeek>`, :doc:`base/protocols/irc/main.zeek </scripts/base/protocols/irc/main.zeek>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -0,0 +1,56 @@
:tocdepth: 3
base/protocols/irc/dcc-send.zeek
================================
.. zeek:namespace:: IRC
File extraction and introspection for DCC transfers over IRC.
There is a major problem with this script in the cluster context because
we might see A send B a message that a DCC connection is to be expected,
but that connection will actually be between B and C which could be
analyzed on a different worker.
:Namespace: IRC
:Imports: :doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`, :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`, :doc:`base/protocols/irc/main.zeek </scripts/base/protocols/irc/main.zeek>`, :doc:`base/utils/files.zeek </scripts/base/utils/files.zeek>`
Summary
~~~~~~~
Redefinitions
#############
=========================================== =============================================================================
:zeek:type:`IRC::Info`: :zeek:type:`record`
:New Fields: :zeek:type:`IRC::Info`
dcc_file_name: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
DCC filename requested.
dcc_file_size: :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
Size of the DCC transfer as indicated by the sender.
dcc_mime_type: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Sniffed mime type of the file.
=========================================== =============================================================================
Hooks
#####
================================================================= ===============================
:zeek:id:`IRC::finalize_irc_data`: :zeek:type:`Conn::RemovalHook` IRC DCC data finalization hook.
================================================================= ===============================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Hooks
#####
.. zeek:id:: IRC::finalize_irc_data
:source-code: base/protocols/irc/dcc-send.zeek 135 146
:Type: :zeek:type:`Conn::RemovalHook`
IRC DCC data finalization hook. Remaining expected IRC DCC state may be
purged when it's called.
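Review bot: the module docstring names the cluster limitation ("that connection will actually be between B and C which could be analyzed on a different worker") but not its visible effect. Operators reading irc.log need to know what to expect, so add a sentence stating that in that case the expected-connection state registered on the worker that saw the DCC offer is never matched, the dcc_file_name, dcc_file_size and dcc_mime_type fields added by this script stay unset, and no file is extracted for that transfer. It would also help to say that IRC::finalize_irc_data is what eventually purges that unmatched state, since the hook entry below already says it may purge "remaining expected IRC DCC state".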

@ -0,0 +1,47 @@
:tocdepth: 3
base/protocols/irc/files.zeek
=============================
.. zeek:namespace:: IRC
:Namespace: IRC
:Imports: :doc:`base/frameworks/files </scripts/base/frameworks/files/index>`, :doc:`base/protocols/irc/dcc-send.zeek </scripts/base/protocols/irc/dcc-send.zeek>`, :doc:`base/utils/conn-ids.zeek </scripts/base/utils/conn-ids.zeek>`
Summary
~~~~~~~
Redefinitions
#############
============================================================= ====================================================================
:zeek:type:`IRC::Info`: :zeek:type:`record`
:New Fields: :zeek:type:`IRC::Info`
fuid: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
File unique ID.
:zeek:type:`fa_file`: :zeek:type:`record` :zeek:attr:`&redef`
:New Fields: :zeek:type:`fa_file`
irc: :zeek:type:`IRC::Info` :zeek:attr:`&optional`
============================================================= ====================================================================
Functions
#########
====================================================== =====================================
:zeek:id:`IRC::get_file_handle`: :zeek:type:`function` Default file handle provider for IRC.
====================================================== =====================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: IRC::get_file_handle
:source-code: base/protocols/irc/files.zeek 21 24
:Type: :zeek:type:`function` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`) : :zeek:type:`string`
Default file handle provider for IRC.

@ -0,0 +1,29 @@
:orphan:
Package: base/protocols/irc
===========================
Support for Internet Relay Chat (IRC) protocol analysis.
:doc:`/scripts/base/protocols/irc/__load__.zeek`
:doc:`/scripts/base/protocols/irc/main.zeek`
Implements the core IRC analysis support. The logging model is to log
IRC commands along with the associated response and some additional
metadata about the connection if it's available.
:doc:`/scripts/base/protocols/irc/dcc-send.zeek`
File extraction and introspection for DCC transfers over IRC.
There is a major problem with this script in the cluster context because
we might see A send B a message that a DCC connection is to be expected,
but that connection will actually be between B and C which could be
analyzed on a different worker.
:doc:`/scripts/base/protocols/irc/files.zeek`

@ -0,0 +1,147 @@
:tocdepth: 3
base/protocols/irc/main.zeek
============================
.. zeek:namespace:: IRC
Implements the core IRC analysis support. The logging model is to log
IRC commands along with the associated response and some additional
metadata about the connection if it's available.
:Namespace: IRC
Summary
~~~~~~~
Types
#####
=========================================== =
:zeek:type:`IRC::Info`: :zeek:type:`record`
=========================================== =
Redefinitions
#############
==================================================================== ====================================================
:zeek:type:`Log::ID`: :zeek:type:`enum`
* :zeek:enum:`IRC::LOG`
:zeek:type:`connection`: :zeek:type:`record`
:New Fields: :zeek:type:`connection`
irc: :zeek:type:`IRC::Info` :zeek:attr:`&optional`
IRC session information.
:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef`
==================================================================== ====================================================
Events
######
=========================================== ===================================================================
:zeek:id:`IRC::irc_log`: :zeek:type:`event` Event that can be handled to access the IRC record as it is sent on
to the logging framework.
=========================================== ===================================================================
Hooks
#####
======================================================== =
:zeek:id:`IRC::log_policy`: :zeek:type:`Log::PolicyHook`
======================================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. zeek:type:: IRC::Info
:source-code: base/protocols/irc/main.zeek 13 31
:Type: :zeek:type:`record`
.. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
Timestamp when the command was seen.
.. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
Unique ID for the connection.
.. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
The connection's 4-tuple of endpoint addresses/ports.
.. zeek:field:: nick :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Nickname given for the connection.
.. zeek:field:: user :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Username given for the connection.
.. zeek:field:: command :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Command given by the client.
.. zeek:field:: value :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Value for the command given by the client.
.. zeek:field:: addl :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Any additional data for the command.
.. zeek:field:: dcc_file_name :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/base/protocols/irc/dcc-send.zeek` is loaded)
DCC filename requested.
.. zeek:field:: dcc_file_size :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/base/protocols/irc/dcc-send.zeek` is loaded)
Size of the DCC transfer as indicated by the sender.
.. zeek:field:: dcc_mime_type :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/base/protocols/irc/dcc-send.zeek` is loaded)
Sniffed mime type of the file.
.. zeek:field:: fuid :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/base/protocols/irc/files.zeek` is loaded)
File unique ID.
Events
######
.. zeek:id:: IRC::irc_log
:source-code: base/protocols/irc/main.zeek 35 35
:Type: :zeek:type:`event` (rec: :zeek:type:`IRC::Info`)
Event that can be handled to access the IRC record as it is sent on
to the logging framework.
Hooks
#####
.. zeek:id:: IRC::log_policy
:source-code: base/protocols/irc/main.zeek 11 11
:Type: :zeek:type:`Log::PolicyHook`
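Review bot: IRC::Info has no description (the Types summary cell is empty and nothing follows the field list), unlike HTTP::Info in this same commit, whose entry ends with "The record type which contains the fields of the HTTP log." The module docstring already has the right sentence ("IRC commands along with the associated response and some additional metadata about the connection"), so attaching it to the record declaration at base/protocols/irc/main.zeek lines 13 to 31 fills the gap. IRC::log_policy is likewise undocumented; a one-liner naming it as the policy hook for the IRC::LOG stream is all that is needed.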

@ -0,0 +1,14 @@
:tocdepth: 3
base/protocols/krb/__load__.zeek
================================
:Imports: :doc:`base/protocols/krb/files.zeek </scripts/base/protocols/krb/files.zeek>`, :doc:`base/protocols/krb/main.zeek </scripts/base/protocols/krb/main.zeek>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -0,0 +1,140 @@
:tocdepth: 3
base/protocols/krb/consts.zeek
==============================
.. zeek:namespace:: KRB
:Namespace: KRB
Summary
~~~~~~~
Constants
#########
============================================================================================= =
:zeek:id:`KRB::cipher_name`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`
:zeek:id:`KRB::error_msg`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`
============================================================================================= =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Constants
#########
.. zeek:id:: KRB::cipher_name
:source-code: base/protocols/krb/consts.zeek 76 76
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = :zeek:type:`function`
:Default:
::
{
[2] = "des-cbc-md4",
[25] = "camellia128-cts-cmac",
[14] = "rsaES-OAEP-ENV-OID",
[15] = "des-ede3-cbc-Env-OID",
[16] = "des3-cbc-sha1-kd",
[24] = "rc4-hmac-exp",
[23] = "rc4-hmac",
[9] = "dsaWithSHA1-CmsOID",
[1] = "des-cbc-crc",
[11] = "sha1WithRSAEncryption-CmsOID",
[7] = "des3-cbc-sha1",
[5] = "des3-cbc-md5",
[10] = "md5WithRSAEncryption-CmsOID",
[13] = "rsaEncryption-EnvOID",
[12] = "rc2CBC-EnvOID",
[26] = "camellia256-cts-cmac",
[65] = "subkey-keymaterial",
[18] = "aes256-cts-hmac-sha1-96",
[3] = "des-cbc-md5",
[17] = "aes128-cts-hmac-sha1-96"
}
.. zeek:id:: KRB::error_msg
:source-code: base/protocols/krb/consts.zeek 5 5
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = :zeek:type:`function`
:Default:
::
{
[19] = "KDC_ERR_SERVICE_REVOKED",
[20] = "KDC_ERR_TGT_REVOKED",
[33] = "KRB_AP_ERR_TKT_NYV",
[39] = "KRB_AP_ERR_BADVERSION",
[67] = "KRB_AP_ERR_NO_TGT",
[73] = "KDC_ERR_REVOCATION_STATUS_UNKNOWN",
[75] = "KDC_ERR_CLIENT_NAME_MISMATCH",
[46] = "KRB_AP_ERR_MUT_FAIL",
[15] = "KDC_ERR_SUMTYPE_NOSUPP",
[64] = "KDC_ERROR_INVALID_SIG",
[28] = "KDC_ERR_PATH_NOT_ACCEPTED",
[9] = "KDC_ERR_NULL_KEY",
[68] = "KDC_ERR_WRONG_REALM",
[71] = "KDC_ERR_INVALID_CERTIFICATE",
[52] = "KRB_ERR_RESPONSE_TOO_BIG",
[21] = "KDC_ERR_CLIENT_NOTYET",
[4] = "KDC_ERR_C_OLD_MAST_KVNO",
[12] = "KDC_ERR_POLICY",
[41] = "KRB_AP_ERR_MODIFIED",
[17] = "KDC_ERR_TRTYPE_NOSUPP",
[25] = "KDC_ERR_PREAUTH_REQUIRED",
[76] = "KDC_ERR_KDC_NAME_MISMATCH",
[29] = "KDC_ERR_SVC_UNAVAILABLE",
[16] = "KDC_ERR_PADATA_TYPE_NOSUPP",
[38] = "KRB_AP_ERR_BADADDR",
[63] = "KDC_ERROR_KDC_NOT_TRUSTED",
[42] = "KRB_AP_ERR_BADORDER",
[1] = "KDC_ERR_NAME_EXP",
[11] = "KDC_ERR_NEVER_VALID",
[35] = "KRB_AP_ERR_NOT_US",
[22] = "KDC_ERR_SERVICE_NOTYET",
[3] = "KDC_ERR_BAD_PVNO",
[44] = "KRB_AP_ERR_BADKEYVER",
[34] = "KRB_AP_ERR_REPEAT",
[45] = "KRB_AP_ERR_NOKEY",
[40] = "KRB_AP_ERR_MSG_TYPE",
[36] = "KRB_AP_ERR_BADMATCH",
[14] = "KDC_ERR_ETYPE_NOSUPP",
[6] = "KDC_ERR_C_PRINCIPAL_UNKNOWN",
[31] = "KRB_AP_ERR_BAD_INTEGRITY",
[8] = "KDC_ERR_PRINCIPAL_NOT_UNIQUE",
[23] = "KDC_ERR_KEY_EXPIRED",
[27] = "KDC_ERR_MUST_USE_USER2USER",
[7] = "KDC_ERR_S_PRINCIPAL_UNKNOWN",
[66] = "KDC_ERR_CERTIFICATE_MISMATCH",
[10] = "KDC_ERR_CANNOT_POSTDATE",
[32] = "KRB_AP_ERR_TKT_EXPIRED",
[13] = "KDC_ERR_BADOPTION",
[26] = "KDC_ERR_SERVER_NOMATCH",
[65] = "KDC_ERR_KEY_TOO_WEAK",
[62] = "KDC_ERROR_CLIENT_NOT_TRUSTED",
[74] = "KDC_ERR_REVOCATION_STATUS_UNAVAILABLE",
[47] = "KRB_AP_ERR_BADDIRECTION",
[70] = "KDC_ERR_CANT_VERIFY_CERTIFICATE",
[50] = "KRB_AP_ERR_INAPP_CKSUM",
[2] = "KDC_ERR_SERVICE_EXP",
[72] = "KDC_ERR_REVOKED_CERTIFICATE",
[48] = "KRB_AP_ERR_METHOD",
[24] = "KDC_ERR_PREAUTH_FAILED",
[69] = "KRB_AP_ERR_USER_TO_USER_REQUIRED",
[49] = "KRB_AP_ERR_BADSEQ",
[5] = "KDC_ERR_S_OLD_MAST_KVNO",
[61] = "KRB_ERR_FIELD_TOOLONG",
[60] = "KRB_ERR_GENERIC",
[51] = "KRB_AP_PATH_NOT_ACCEPTED",
[37] = "KRB_AP_ERR_SKEW",
[18] = "KDC_ERR_CLIENT_REVOKED",
[0] = "KDC_ERR_NONE"
}

@ -0,0 +1,65 @@
:tocdepth: 3
base/protocols/krb/files.zeek
=============================
.. zeek:namespace:: KRB
:Namespace: KRB
:Imports: :doc:`base/files/x509 </scripts/base/files/x509/index>`, :doc:`base/frameworks/files </scripts/base/frameworks/files/index>`, :doc:`base/protocols/krb/main.zeek </scripts/base/protocols/krb/main.zeek>`, :doc:`base/utils/conn-ids.zeek </scripts/base/utils/conn-ids.zeek>`
Summary
~~~~~~~
Redefinitions
#############
=========================================== ===================================================================================
:zeek:type:`KRB::Info`: :zeek:type:`record`
:New Fields: :zeek:type:`KRB::Info`
client_cert: :zeek:type:`Files::Info` :zeek:attr:`&optional`
Client certificate
client_cert_subject: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Subject of client certificate, if any
client_cert_fuid: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
File unique ID of client cert, if any
server_cert: :zeek:type:`Files::Info` :zeek:attr:`&optional`
Server certificate
server_cert_subject: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Subject of server certificate, if any
server_cert_fuid: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
File unique ID of server cert, if any
=========================================== ===================================================================================
Functions
#########
====================================================== =====================================
:zeek:id:`KRB::describe_file`: :zeek:type:`function` Default file describer for KRB.
:zeek:id:`KRB::get_file_handle`: :zeek:type:`function` Default file handle provider for KRB.
====================================================== =====================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: KRB::describe_file
:source-code: base/protocols/krb/files.zeek 38 62
:Type: :zeek:type:`function` (f: :zeek:type:`fa_file`) : :zeek:type:`string`
Default file describer for KRB.
.. zeek:id:: KRB::get_file_handle
:source-code: base/protocols/krb/files.zeek 32 36
:Type: :zeek:type:`function` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`) : :zeek:type:`string`
Default file handle provider for KRB.

@ -0,0 +1,21 @@
:orphan:
Package: base/protocols/krb
===========================
Support for Kerberos protocol analysis.
:doc:`/scripts/base/protocols/krb/__load__.zeek`
:doc:`/scripts/base/protocols/krb/main.zeek`
Implements base functionality for KRB analysis. Generates the kerberos.log
file.
:doc:`/scripts/base/protocols/krb/consts.zeek`
:doc:`/scripts/base/protocols/krb/files.zeek`

@ -0,0 +1,243 @@
:tocdepth: 3
base/protocols/krb/main.zeek
============================
.. zeek:namespace:: KRB
Implements base functionality for KRB analysis. Generates the kerberos.log
file.
:Namespace: KRB
:Imports: :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`, :doc:`base/protocols/krb/consts.zeek </scripts/base/protocols/krb/consts.zeek>`
Summary
~~~~~~~
Runtime Options
###############
==================================================================== =======================================================
:zeek:id:`KRB::ignored_errors`: :zeek:type:`set` :zeek:attr:`&redef` The server response error texts which are *not* logged.
==================================================================== =======================================================
Types
#####
=========================================== =
:zeek:type:`KRB::Info`: :zeek:type:`record`
=========================================== =
Redefinitions
#############
==================================================================== ====================================================
:zeek:type:`Log::ID`: :zeek:type:`enum`
* :zeek:enum:`KRB::LOG`
:zeek:type:`connection`: :zeek:type:`record`
:New Fields: :zeek:type:`connection`
krb: :zeek:type:`KRB::Info` :zeek:attr:`&optional`
:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef`
==================================================================== ====================================================
Events
######
=========================================== ===================================================================
:zeek:id:`KRB::log_krb`: :zeek:type:`event` Event that can be handled to access the KRB record as it is sent on
to the logging framework.
=========================================== ===================================================================
Hooks
#####
============================================================ ===========================
:zeek:id:`KRB::finalize_krb`: :zeek:type:`Conn::RemovalHook` Kerberos finalization hook.
:zeek:id:`KRB::log_policy`: :zeek:type:`Log::PolicyHook`
============================================================ ===========================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: KRB::ignored_errors
:source-code: base/protocols/krb/main.zeek 54 54
:Type: :zeek:type:`set` [:zeek:type:`string`]
:Attributes: :zeek:attr:`&redef`
:Default:
::
{
"NEEDED_PREAUTH",
"Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ"
}
The server response error texts which are *not* logged.
Types
#####
.. zeek:type:: KRB::Info
:source-code: base/protocols/krb/main.zeek 14 51
:Type: :zeek:type:`record`
.. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
Timestamp for when the event happened.
.. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
Unique ID for the connection.
.. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
The connection's 4-tuple of endpoint addresses/ports.
.. zeek:field:: request_type :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Request type - Authentication Service ("AS") or
Ticket Granting Service ("TGS")
.. zeek:field:: client :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Client
.. zeek:field:: service :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Service
.. zeek:field:: success :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&optional`
Request result
.. zeek:field:: error_code :zeek:type:`count` :zeek:attr:`&optional`
Error code
.. zeek:field:: error_msg :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Error message
.. zeek:field:: from :zeek:type:`time` :zeek:attr:`&log` :zeek:attr:`&optional`
Ticket valid from
.. zeek:field:: till :zeek:type:`time` :zeek:attr:`&log` :zeek:attr:`&optional`
Ticket valid till
.. zeek:field:: cipher :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Ticket encryption type
.. zeek:field:: forwardable :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&optional`
Forwardable ticket requested
.. zeek:field:: renewable :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&optional`
Renewable ticket requested
.. zeek:field:: logged :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
We've already logged this
.. zeek:field:: client_cert :zeek:type:`Files::Info` :zeek:attr:`&optional`
(present if :doc:`/scripts/base/protocols/krb/files.zeek` is loaded)
Client certificate
.. zeek:field:: client_cert_subject :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/base/protocols/krb/files.zeek` is loaded)
Subject of client certificate, if any
.. zeek:field:: client_cert_fuid :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/base/protocols/krb/files.zeek` is loaded)
File unique ID of client cert, if any
.. zeek:field:: server_cert :zeek:type:`Files::Info` :zeek:attr:`&optional`
(present if :doc:`/scripts/base/protocols/krb/files.zeek` is loaded)
Server certificate
.. zeek:field:: server_cert_subject :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/base/protocols/krb/files.zeek` is loaded)
Subject of server certificate, if any
.. zeek:field:: server_cert_fuid :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/base/protocols/krb/files.zeek` is loaded)
File unique ID of server cert, if any
.. zeek:field:: auth_ticket :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/krb/ticket-logging.zeek` is loaded)
Hash of ticket used to authorize request/transaction
.. zeek:field:: new_ticket :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/krb/ticket-logging.zeek` is loaded)
Hash of ticket returned by the KDC
Events
######
.. zeek:id:: KRB::log_krb
:source-code: base/protocols/krb/main.zeek 68 68
:Type: :zeek:type:`event` (rec: :zeek:type:`KRB::Info`)
Event that can be handled to access the KRB record as it is sent on
to the logging framework.
Hooks
#####
.. zeek:id:: KRB::finalize_krb
:source-code: base/protocols/krb/main.zeek 71 71
:Type: :zeek:type:`Conn::RemovalHook`
Kerberos finalization hook. Remaining Kerberos info may get logged when it's called.
.. zeek:id:: KRB::log_policy
:source-code: base/protocols/krb/main.zeek 12 12
:Type: :zeek:type:`Log::PolicyHook`

@ -0,0 +1,14 @@
:tocdepth: 3
base/protocols/ldap/__load__.zeek
=================================
:Imports: :doc:`base/protocols/ldap/consts.zeek </scripts/base/protocols/ldap/consts.zeek>`, :doc:`base/protocols/ldap/main.zeek </scripts/base/protocols/ldap/main.zeek>`, :doc:`base/protocols/ldap/spicy-events.zeek </scripts/base/protocols/ldap/spicy-events.zeek>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -0,0 +1,241 @@
:tocdepth: 3
base/protocols/ldap/consts.zeek
===============================
.. zeek:namespace:: LDAP
:Namespace: LDAP
Summary
~~~~~~~
Redefinable Options
###################
================================================================================================================ =
:zeek:id:`LDAP::EXTENDED_REQUESTS`: :zeek:type:`table` :zeek:attr:`&default` = ``"unknown"`` :zeek:attr:`&redef`
================================================================================================================ =
Constants
#########
=============================================================================================== =
:zeek:id:`LDAP::BIND_SASL`: :zeek:type:`string`
:zeek:id:`LDAP::BIND_SICILY_NEGOTIATE`: :zeek:type:`string`
:zeek:id:`LDAP::BIND_SICILY_RESPONSE`: :zeek:type:`string`
:zeek:id:`LDAP::BIND_SIMPLE`: :zeek:type:`string`
:zeek:id:`LDAP::PROTOCOL_OPCODES`: :zeek:type:`table` :zeek:attr:`&default` = ``"unknown"``
:zeek:id:`LDAP::RESULT_CODES`: :zeek:type:`table` :zeek:attr:`&default` = ``"unknown"``
:zeek:id:`LDAP::SEARCH_DEREF_ALIASES`: :zeek:type:`table` :zeek:attr:`&default` = ``"unknown"``
:zeek:id:`LDAP::SEARCH_SCOPES`: :zeek:type:`table` :zeek:attr:`&default` = ``"unknown"``
=============================================================================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Redefinable Options
###################
.. zeek:id:: LDAP::EXTENDED_REQUESTS
:source-code: base/protocols/ldap/consts.zeek 126 126
:Type: :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = ``"unknown"`` :zeek:attr:`&redef`
:Default:
::
{
["1.3.6.1.4.1.1466.20037"] = "StartTLS",
["1.3.6.1.4.1.4203.1.11.3"] = "whoami"
}
Constants
#########
.. zeek:id:: LDAP::BIND_SASL
:source-code: base/protocols/ldap/consts.zeek 28 28
:Type: :zeek:type:`string`
:Default: ``"bind SASL"``
.. zeek:id:: LDAP::BIND_SICILY_NEGOTIATE
:source-code: base/protocols/ldap/consts.zeek 29 29
:Type: :zeek:type:`string`
:Default: ``"sicily_negotiate"``
.. zeek:id:: LDAP::BIND_SICILY_RESPONSE
:source-code: base/protocols/ldap/consts.zeek 30 30
:Type: :zeek:type:`string`
:Default: ``"sicily_response"``
.. zeek:id:: LDAP::BIND_SIMPLE
:source-code: base/protocols/ldap/consts.zeek 27 27
:Type: :zeek:type:`string`
:Default: ``"bind simple"``
.. zeek:id:: LDAP::PROTOCOL_OPCODES
:source-code: base/protocols/ldap/consts.zeek 4 4
:Type: :zeek:type:`table` [:zeek:type:`LDAP::ProtocolOpcode`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = ``"unknown"``
:Default:
::
{
[LDAP::ProtocolOpcode_SEARCH_RESULT_REFERENCE] = "search",
[LDAP::ProtocolOpcode_UNBIND_REQUEST] = "unbind",
[LDAP::ProtocolOpcode_INTERMEDIATE_RESPONSE] = "intermediate",
[LDAP::ProtocolOpcode_COMPARE_REQUEST] = "compare",
[LDAP::ProtocolOpcode_COMPARE_RESPONSE] = "compare",
[LDAP::ProtocolOpcode_MODIFY_REQUEST] = "modify",
[LDAP::ProtocolOpcode_ABANDON_REQUEST] = "abandon",
[LDAP::ProtocolOpcode_EXTENDED_RESPONSE] = "extended",
[LDAP::ProtocolOpcode_ADD_REQUEST] = "add",
[LDAP::ProtocolOpcode_EXTENDED_REQUEST] = "extended",
[LDAP::ProtocolOpcode_ADD_RESPONSE] = "add",
[LDAP::ProtocolOpcode_BIND_RESPONSE] = "bind",
[LDAP::ProtocolOpcode_DEL_RESPONSE] = "delete",
[LDAP::ProtocolOpcode_MODIFY_RESPONSE] = "modify",
[LDAP::ProtocolOpcode_SEARCH_RESULT_DONE] = "search",
[LDAP::ProtocolOpcode_DEL_REQUEST] = "delete",
[LDAP::ProtocolOpcode_SEARCH_RESULT_ENTRY] = "search",
[LDAP::ProtocolOpcode_MOD_DN_RESPONSE] = "modify",
[LDAP::ProtocolOpcode_MOD_DN_REQUEST] = "modify",
[LDAP::ProtocolOpcode_SEARCH_REQUEST] = "search",
[LDAP::ProtocolOpcode_BIND_REQUEST] = "bind"
}
.. zeek:id:: LDAP::RESULT_CODES
:source-code: base/protocols/ldap/consts.zeek 32 32
:Type: :zeek:type:`table` [:zeek:type:`LDAP::ResultCode`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = ``"unknown"``
:Default:
::
{
[LDAP::ResultCode_NO_RESULTS_RETURNED] = "no results returned",
[LDAP::ResultCode_CONSTRAINT_VIOLATION] = "constraint violation",
[LDAP::ResultCode_ATTRIBUTE_OR_VALUE_EXISTS] = "attribute or value exists",
[LDAP::ResultCode_ALIAS_PROBLEM] = "alias problem",
[LDAP::ResultCode_CLIENT_LOOP] = "client loop",
[LDAP::ResultCode_NOT_ALLOWED_ON_RDN] = "not allowed on RDN",
[LDAP::ResultCode_NAMING_VIOLATION] = "naming violation",
[LDAP::ResultCode_CONNECT_ERROR] = "connect error",
[LDAP::ResultCode_PARTIAL_RESULTS] = "partial results",
[LDAP::ResultCode_ENTRY_ALREADY_EXISTS] = "entry already exists",
[LDAP::ResultCode_REFERRAL_LIMIT_EXCEEDED] = "referral limit exceeded",
[LDAP::ResultCode_UNWILLING_TO_PERFORM] = "unwilling to perform",
[LDAP::ResultCode_AFFECTS_MULTIPLE_DSAS] = "affects multiple DSAs",
[LDAP::ResultCode_UNAVAILABLE] = "unavailable",
[LDAP::ResultCode_INVALID_ATTRIBUTE_SYNTAX] = "invalid attribute syntax",
[LDAP::ResultCode_SIZE_LIMIT_EXCEEDED] = "size limit exceeded",
[LDAP::ResultCode_UNAVAILABLE_CRITICAL_EXTENSION] = "unavailable critical extension",
[LDAP::ResultCode_UNDEFINED_ATTRIBUTE_TYPE] = "undefined attribute type",
[LDAP::ResultCode_NO_SUCH_OPERATION] = "no such operation",
[LDAP::ResultCode_OTHER] = "other",
[LDAP::ResultCode_SERVER_DOWN] = "server down",
[LDAP::ResultCode_USER_CANCELED] = "user canceled",
[LDAP::ResultCode_CONTROL_ERROR] = "control error",
[LDAP::ResultCode_NO_SUCH_ATTRIBUTE] = "no such attribute",
[LDAP::ResultCode_LCUP_INVALID_DATA] = "LCUP invalid data",
[LDAP::ResultCode_LOOP_DETECT] = "loop detect",
[LDAP::ResultCode_MORE_RESULTS_TO_RETURN] = "more results to return",
[LDAP::ResultCode_NO_MEMORY] = "no memory",
[LDAP::ResultCode_OPERATIONS_ERROR] = "operations error",
[LDAP::ResultCode_AUTH_UNKNOWN] = "auth unknown",
[LDAP::ResultCode_LCUP_UNSUPPORTED_SCHEME] = "LCUP unsupported scheme",
[LDAP::ResultCode_ADMIN_LIMIT_EXCEEDED] = "admin limit exceeded",
[LDAP::ResultCode_INTERMEDIATE_RESPONSE] = "intermediate response",
[LDAP::ResultCode_TIME_LIMIT_EXCEEDED] = "time limit exceeded",
[LDAP::ResultCode_UNKNOWN_TYPE] = "unknown type",
[LDAP::ResultCode_INVALID_DNSYNTAX] = "invalid DN syntax",
[LDAP::ResultCode_ALIAS_DEREFERENCING_PROBLEM] = "alias dereferencing problem",
[LDAP::ResultCode_COMPARE_TRUE] = "compare true",
[LDAP::ResultCode_SASL_BIND_IN_PROGRESS] = "SASL bind in progress",
[LDAP::ResultCode_STRONGER_AUTH_REQUIRED] = "stronger auth required",
[LDAP::ResultCode_ENCODING_ERROR] = "encoding error",
[LDAP::ResultCode_LOCAL_ERROR] = "local error",
[LDAP::ResultCode_ASSERTION_FAILED] = "assertion failed",
[LDAP::ResultCode_AUTH_METHOD_NOT_SUPPORTED] = "auth method not supported",
[LDAP::ResultCode_NOT_ALLOWED_ON_NON_LEAF] = "not allowed on non-leaf",
[LDAP::ResultCode_NOT_SUPPORTED] = "not supported",
[LDAP::ResultCode_REFERRAL] = "referral",
[LDAP::ResultCode_OBJECT_CLASS_VIOLATION] = "object class violation",
[LDAP::ResultCode_NO_SUCH_OBJECT] = "no such object",
[LDAP::ResultCode_CONFIDENTIALITY_REQUIRED] = "confidentiality required",
[LDAP::ResultCode_AMBIGUOUS_RESPONSE] = "ambiguous response",
[LDAP::ResultCode_PARAM_ERROR] = "param error",
[LDAP::ResultCode_CANCELED] = "canceled",
[LDAP::ResultCode_RESULTS_TOO_LARGE] = "results too large",
[LDAP::ResultCode_CONTROL_NOT_FOUND] = "control not found",
[LDAP::ResultCode_INSUFFICIENT_ACCESS_RIGHTS] = "insufficient access rights",
[LDAP::ResultCode_TOO_LATE] = "too late",
[LDAP::ResultCode_PROTOCOL_ERROR] = "protocol error",
[LDAP::ResultCode_CANNOT_CANCEL] = "cannot cancel",
[LDAP::ResultCode_INAPPROPRIATE_AUTHENTICATION] = "inappropriate authentication",
[LDAP::ResultCode_OBJECT_CLASS_MODS_PROHIBITED] = "object class mods prohibited",
[LDAP::ResultCode_TIMEOUT] = "timeout",
[LDAP::ResultCode_INVALID_CREDENTIALS] = "invalid credentials",
[LDAP::ResultCode_COMPARE_FALSE] = "compare false",
[LDAP::ResultCode_TLS_NOT_SUPPORTED] = "TLS not supported",
[LDAP::ResultCode_OFFSET_RANGE_ERROR] = "offset range error",
[LDAP::ResultCode_SORT_CONTROL_MISSING] = "sort control missing",
[LDAP::ResultCode_INVALID_RESPONSE] = "invalid response",
[LDAP::ResultCode_BUSY] = "busy",
[LDAP::ResultCode_INAPPROPRIATE_MATCHING] = "inappropriate matching",
[LDAP::ResultCode_LCUP_RELOAD_REQUIRED] = "LCUP reload required",
[LDAP::ResultCode_SUCCESS] = "success",
[LDAP::ResultCode_AUTHORIZATION_DENIED] = "authorization denied",
[LDAP::ResultCode_FILTER_ERROR] = "filter error",
[LDAP::ResultCode_DECODING_ERROR] = "decoding error"
}
.. zeek:id:: LDAP::SEARCH_DEREF_ALIASES
:source-code: base/protocols/ldap/consts.zeek 120 120
:Type: :zeek:type:`table` [:zeek:type:`LDAP::SearchDerefAlias`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = ``"unknown"``
:Default:
::
{
[LDAP::SearchDerefAlias_DEREF_NEVER] = "never",
[LDAP::SearchDerefAlias_DEREF_FINDING_BASE] = "finding",
[LDAP::SearchDerefAlias_DEREF_ALWAYS] = "always",
[LDAP::SearchDerefAlias_DEREF_IN_SEARCHING] = "searching"
}
.. zeek:id:: LDAP::SEARCH_SCOPES
:source-code: base/protocols/ldap/consts.zeek 116 116
:Type: :zeek:type:`table` [:zeek:type:`LDAP::SearchScope`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = ``"unknown"``
:Default:
::
{
[LDAP::SearchScope_SEARCH_BASE] = "base",
[LDAP::SearchScope_SEARCH_TREE] = "tree",
[LDAP::SearchScope_SEARCH_SINGLE] = "single"
}

@ -0,0 +1,21 @@
:orphan:
Package: base/protocols/ldap
============================
:doc:`/scripts/base/protocols/ldap/__load__.zeek`
:doc:`/scripts/base/protocols/ldap/spicy-events.zeek`
Events generated by the LDAP analyzer.
See See `RFC4511 <https://tools.ietf.org/html/rfc4511>`__.
:doc:`/scripts/base/protocols/ldap/consts.zeek`
:doc:`/scripts/base/protocols/ldap/main.zeek`
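Review bot: the description under the spicy-events.zeek entry has a doubled word, "See See `RFC4511 <https://tools.ietf.org/html/rfc4511>`__". Because these pages are generated from the script docstrings, the fix belongs in the header comment of base/protocols/ldap/spicy-events.zeek rather than in this copied output; the generated spicy-events.zeek page in this same commit carries the identical "See See" text, so correcting only one place would leave the other and the typo would return on the next regeneration. Suggested text for that line: See `RFC4511 <https://tools.ietf.org/html/rfc4511>`__.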

@ -0,0 +1,256 @@
:tocdepth: 3
base/protocols/ldap/main.zeek
=============================
.. zeek:namespace:: LDAP
:Namespace: LDAP
:Imports: :doc:`base/frameworks/reporter </scripts/base/frameworks/reporter/index>`, :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`, :doc:`base/protocols/ldap/consts.zeek </scripts/base/protocols/ldap/consts.zeek>`
Summary
~~~~~~~
Runtime Options
###############
===================================================================================== =================================================
:zeek:id:`LDAP::default_capture_password`: :zeek:type:`bool` :zeek:attr:`&redef` Whether clear text passwords are captured or not.
:zeek:id:`LDAP::default_log_search_attributes`: :zeek:type:`bool` :zeek:attr:`&redef` Whether to log LDAP search attributes or not.
===================================================================================== =================================================
Redefinable Options
###################
================================================================ ==================================================
:zeek:id:`LDAP::ports_tcp`: :zeek:type:`set` :zeek:attr:`&redef` TCP ports which should be considered for analysis.
:zeek:id:`LDAP::ports_udp`: :zeek:type:`set` :zeek:attr:`&redef` UDP ports which should be considered for analysis.
================================================================ ==================================================
Types
#####
=================================================== =
:zeek:type:`LDAP::MessageInfo`: :zeek:type:`record`
:zeek:type:`LDAP::SearchInfo`: :zeek:type:`record`
:zeek:type:`LDAP::State`: :zeek:type:`record`
=================================================== =
Redefinitions
#############
==================================================================== =======================================================
:zeek:type:`Log::ID`: :zeek:type:`enum`
* :zeek:enum:`LDAP::LDAP_LOG`
* :zeek:enum:`LDAP::LDAP_SEARCH_LOG`
:zeek:type:`connection`: :zeek:type:`record`
:New Fields: :zeek:type:`connection`
ldap: :zeek:type:`LDAP::State` :zeek:attr:`&optional`
:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef`
==================================================================== =======================================================
Events
######
==================================================== =
:zeek:id:`LDAP::log_ldap`: :zeek:type:`event`
:zeek:id:`LDAP::log_ldap_search`: :zeek:type:`event`
==================================================== =
Hooks
#####
================================================================ ================================================
:zeek:id:`LDAP::finalize_ldap`: :zeek:type:`Conn::RemovalHook` LDAP finalization hook.
:zeek:id:`LDAP::log_policy`: :zeek:type:`Log::PolicyHook` Default logging policy hook for LDAP_LOG.
:zeek:id:`LDAP::log_policy_search`: :zeek:type:`Log::PolicyHook` Default logging policy hook for LDAP_SEARCH_LOG.
================================================================ ================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: LDAP::default_capture_password
:source-code: base/protocols/ldap/main.zeek 20 20
:Type: :zeek:type:`bool`
:Attributes: :zeek:attr:`&redef`
:Default: ``F``
Whether clear text passwords are captured or not.
.. zeek:id:: LDAP::default_log_search_attributes
:source-code: base/protocols/ldap/main.zeek 23 23
:Type: :zeek:type:`bool`
:Attributes: :zeek:attr:`&redef`
:Default: ``F``
Whether to log LDAP search attributes or not.
Redefinable Options
###################
.. zeek:id:: LDAP::ports_tcp
:source-code: base/protocols/ldap/main.zeek 14 14
:Type: :zeek:type:`set` [:zeek:type:`port`]
:Attributes: :zeek:attr:`&redef`
:Default:
::
{
3268/tcp,
389/tcp
}
TCP ports which should be considered for analysis.
.. zeek:id:: LDAP::ports_udp
:source-code: base/protocols/ldap/main.zeek 17 17
:Type: :zeek:type:`set` [:zeek:type:`port`]
:Attributes: :zeek:attr:`&redef`
:Default:
::
{
389/udp
}
UDP ports which should be considered for analysis.
Types
#####
.. zeek:type:: LDAP::MessageInfo
:source-code: base/protocols/ldap/main.zeek 37 67
:Type: :zeek:type:`record`
.. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
.. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
.. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
.. zeek:field:: message_id :zeek:type:`int` :zeek:attr:`&log` :zeek:attr:`&optional`
.. zeek:field:: version :zeek:type:`int` :zeek:attr:`&log` :zeek:attr:`&optional`
.. zeek:field:: opcode :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
.. zeek:field:: result :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
.. zeek:field:: diagnostic_message :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
.. zeek:field:: object :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
.. zeek:field:: argument :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
.. zeek:type:: LDAP::SearchInfo
:source-code: base/protocols/ldap/main.zeek 72 106
:Type: :zeek:type:`record`
.. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
.. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
.. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
.. zeek:field:: message_id :zeek:type:`int` :zeek:attr:`&log` :zeek:attr:`&optional`
.. zeek:field:: scope :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
.. zeek:field:: deref_aliases :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
.. zeek:field:: base_object :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
.. zeek:field:: result_count :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
.. zeek:field:: result :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
.. zeek:field:: diagnostic_message :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
.. zeek:field:: filter :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
.. zeek:field:: attributes :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
.. zeek:type:: LDAP::State
:source-code: base/protocols/ldap/main.zeek 108 111
:Type: :zeek:type:`record`
.. zeek:field:: messages :zeek:type:`table` [:zeek:type:`int`] of :zeek:type:`LDAP::MessageInfo` :zeek:attr:`&optional`
.. zeek:field:: searches :zeek:type:`table` [:zeek:type:`int`] of :zeek:type:`LDAP::SearchInfo` :zeek:attr:`&optional`
Events
######
.. zeek:id:: LDAP::log_ldap
:source-code: base/protocols/ldap/main.zeek 115 115
:Type: :zeek:type:`event` (rec: :zeek:type:`LDAP::MessageInfo`)
.. zeek:id:: LDAP::log_ldap_search
:source-code: base/protocols/ldap/main.zeek 116 116
:Type: :zeek:type:`event` (rec: :zeek:type:`LDAP::SearchInfo`)
Hooks
#####
.. zeek:id:: LDAP::finalize_ldap
:source-code: base/protocols/ldap/main.zeek 400 419
:Type: :zeek:type:`Conn::RemovalHook`
LDAP finalization hook.
.. zeek:id:: LDAP::log_policy
:source-code: base/protocols/ldap/main.zeek 26 26
:Type: :zeek:type:`Log::PolicyHook`
Default logging policy hook for LDAP_LOG.
.. zeek:id:: LDAP::log_policy_search
:source-code: base/protocols/ldap/main.zeek 29 29
:Type: :zeek:type:`Log::PolicyHook`
Default logging policy hook for LDAP_SEARCH_LOG.
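Review bot: the LDAP::default_capture_password entry documents only "Whether clear text passwords are captured or not." with a default of F, which leaves an operator unable to judge what flipping it to T exposes: the description should state which log field receives the captured credential and for which bind type it applies, since a redef of this option decides whether plaintext credentials end up in a log that is typically shipped off-host. The :source-code: line points at base/protocols/ldap/main.zeek 20, so the wording fix belongs in that docstring so it survives regeneration. The neighbouring LDAP::default_log_search_attributes entry has the same gap: it does not say that it controls population of the SearchInfo attributes field listed further down this page.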

@ -0,0 +1,191 @@
:tocdepth: 3
base/protocols/ldap/spicy-events.zeek
=====================================
Events generated by the LDAP analyzer.
See See `RFC4511 <https://tools.ietf.org/html/rfc4511>`__.
Summary
~~~~~~~
Events
######
======================================================== =================================================================
:zeek:id:`LDAP::bind_request`: :zeek:type:`event` Event generated for each LDAPMessage containing a BindRequest.
:zeek:id:`LDAP::extended_request`: :zeek:type:`event` Event generated for each ExtendedRequest in LDAP messages.
:zeek:id:`LDAP::extended_response`: :zeek:type:`event` Event generated for each ExtendedResponse in LDAP messages.
:zeek:id:`LDAP::message`: :zeek:type:`event` Event generated for each LDAPMessage (either direction).
:zeek:id:`LDAP::search_request`: :zeek:type:`event` Event generated for each LDAPMessage containing a SearchRequest.
:zeek:id:`LDAP::search_result_entry`: :zeek:type:`event` Event generated for each SearchResultEntry in LDAP messages.
:zeek:id:`LDAP::starttls`: :zeek:type:`event` Event generated when a plaintext LDAP connection switched to TLS.
======================================================== =================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: LDAP::bind_request
:source-code: base/protocols/ldap/main.zeek 366 397
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, message_id: :zeek:type:`int`, version: :zeek:type:`int`, name: :zeek:type:`string`, auth_type: :zeek:type:`LDAP::BindAuthType`, auth_info: :zeek:type:`string`)
Event generated for each LDAPMessage containing a BindRequest.
:param c: The connection.
:param message_id: The messageID element.
:param version: The version field in the BindRequest.
:param name: The name field in the BindRequest.
:param auth_type: The auth type field in the BindRequest.
:param auth_info: Additional information related to the used auth type.
.. zeek:id:: LDAP::extended_request
:source-code: base/protocols/ldap/spicy-events.zeek 111 111
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, message_id: :zeek:type:`int`, request_name: :zeek:type:`string`, request_value: :zeek:type:`string`)
Event generated for each ExtendedRequest in LDAP messages.
:param c: The connection.
:param message_id: The messageID element.
:param request_name: The name of the extended request.
:param request_value: The value of the extended request (empty if missing).
.. zeek:id:: LDAP::extended_response
:source-code: base/protocols/ldap/spicy-events.zeek 129 129
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, message_id: :zeek:type:`int`, result: :zeek:type:`LDAP::ResultCode`, response_name: :zeek:type:`string`, response_value: :zeek:type:`string`)
Event generated for each ExtendedResponse in LDAP messages.
:param c: The connection.
:param message_id: The messageID element.
:param result: The result code of the response.
:param response_name: The name of the extended response (empty if missing).
:param response_value: The value of the extended response (empty if missing).
.. zeek:id:: LDAP::message
:source-code: base/protocols/ldap/main.zeek 188 287
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, message_id: :zeek:type:`int`, opcode: :zeek:type:`LDAP::ProtocolOpcode`, result: :zeek:type:`LDAP::ResultCode`, matched_dn: :zeek:type:`string`, diagnostic_message: :zeek:type:`string`, object: :zeek:type:`string`, argument: :zeek:type:`string`)
Event generated for each LDAPMessage (either direction).
:param c: The connection.
:param message_id: The messageID element.
:param opcode: The protocolOp field in the message.
:param result: The result code if the message contains a result.
:param matched_dn: The DN if the message contains a result.
:param diagnostic_message: Diagnostic message if the LDAP message contains a result.
:param object: The object name this message refers to.
:param argument: Additional arguments this message includes.
.. zeek:id:: LDAP::search_request
:source-code: base/protocols/ldap/main.zeek 299 348
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, message_id: :zeek:type:`int`, base_object: :zeek:type:`string`, scope: :zeek:type:`LDAP::SearchScope`, deref: :zeek:type:`LDAP::SearchDerefAlias`, size_limit: :zeek:type:`int`, time_limit: :zeek:type:`int`, types_only: :zeek:type:`bool`, filter: :zeek:type:`string`, attributes: :zeek:type:`vector` of :zeek:type:`string`)
Event generated for each LDAPMessage containing a SearchRequest.
:param c: The connection.
:param message_id: The messageID element.
:param base_object: The baseObject field in the SearchRequest.
:param scope: The scope field in the SearchRequest.
:param deref_alias: The derefAlias field in the SearchRequest
:param size_limit: The sizeLimit field in the SearchRequest.
:param time_limit: The timeLimit field in the SearchRequest.
:param types_only: The typesOnly field in the SearchRequest.
:param filter: The string representation of the filter field in the SearchRequest.
:param attributes: Additional attributes of the SearchRequest.
.. zeek:id:: LDAP::search_result_entry
:source-code: base/protocols/ldap/main.zeek 353 358
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, message_id: :zeek:type:`int`, object_name: :zeek:type:`string`)
Event generated for each SearchResultEntry in LDAP messages.
:param c: The connection.
:param message_id: The messageID element.
:param object_name: The object name in the SearchResultEntry.
.. zeek:id:: LDAP::starttls
:source-code: base/protocols/ldap/spicy-events.zeek 141 141
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
Event generated when a plaintext LDAP connection switched to TLS.
:param c: The connection.
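Review bot: in the `LDAP::search_request` docstring the parameter is documented as `:param deref_alias:` while the event signature declares it as `deref: LDAP::SearchDerefAlias`, so the generated parameter list no longer matches the signature; rename the entry to `:param deref:` and add the missing trailing period ("The derefAlias field in the SearchRequest."). As these pages are generated from the script doc comments, the fix belongs in the script rather than in this rendered file. Minor: "connection switched to TLS" under `LDAP::starttls` reads better as "switches to TLS".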


@ -0,0 +1,14 @@
:tocdepth: 3
base/protocols/modbus/__load__.zeek
===================================
:Imports: :doc:`base/protocols/modbus/consts.zeek </scripts/base/protocols/modbus/consts.zeek>`, :doc:`base/protocols/modbus/main.zeek </scripts/base/protocols/modbus/main.zeek>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~


@ -0,0 +1,94 @@
:tocdepth: 3
base/protocols/modbus/consts.zeek
=================================
.. zeek:namespace:: Modbus
:Namespace: Modbus
Summary
~~~~~~~
Redefinable Options
###################
======================================================================================================================== =======================================
:zeek:id:`Modbus::exception_codes`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` :zeek:attr:`&redef`
:zeek:id:`Modbus::function_codes`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` :zeek:attr:`&redef` Standard defined Modbus function codes.
======================================================================================================================== =======================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Redefinable Options
###################
.. zeek:id:: Modbus::exception_codes
:source-code: base/protocols/modbus/consts.zeek 43 43
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = :zeek:type:`function` :zeek:attr:`&redef`
:Default:
::
{
[2] = "ILLEGAL_DATA_ADDRESS",
[8] = "MEMORY_PARITY_ERROR",
[11] = "GATEWAY_TARGET_DEVICE_FAILED_TO_RESPOND",
[5] = "ACKNOWLEDGE",
[3] = "ILLEGAL_DATA_VALUE",
[10] = "GATEWAY_PATH_UNAVAILABLE",
[6] = "SLAVE_DEVICE_BUSY",
[4] = "SLAVE_DEVICE_FAILURE",
[1] = "ILLEGAL_FUNCTION"
}
.. zeek:id:: Modbus::function_codes
:source-code: base/protocols/modbus/consts.zeek 6 6
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = :zeek:type:`function` :zeek:attr:`&redef`
:Default:
::
{
[40] = "PROGRAM_CONCEPT",
[19] = "RESET_COMM_LINK_884_U84",
[20] = "READ_FILE_RECORD",
[15] = "WRITE_MULTIPLE_COILS",
[6] = "WRITE_SINGLE_REGISTER",
[14] = "POLL_584_984",
[125] = "FIRMWARE_REPLACEMENT",
[8] = "DIAGNOSTICS",
[23] = "READ_WRITE_MULTIPLE_REGISTERS",
[91] = "OBJECT_MESSAGING",
[9] = "PROGRAM_484",
[7] = "READ_EXCEPTION_STATUS",
[127] = "REPORT_LOCAL_ADDRESS",
[21] = "WRITE_FILE_RECORD",
[10] = "POLL_484",
[4] = "READ_INPUT_REGISTERS",
[13] = "PROGRAM_584_984",
[12] = "GET_COMM_EVENT_LOG",
[41] = "MULTIPLE_FUNCTION_CODES",
[17] = "REPORT_SLAVE_ID",
[2] = "READ_DISCRETE_INPUTS",
[16] = "WRITE_MULTIPLE_REGISTERS",
[24] = "READ_FIFO_QUEUE",
[90] = "PROGRAM_UNITY",
[1] = "READ_COILS",
[11] = "GET_COMM_EVENT_COUNTER",
[5] = "WRITE_SINGLE_COIL",
[126] = "PROGRAM_584_984_2",
[22] = "MASK_WRITE_REGISTER",
[43] = "ENCAP_INTERFACE_TRANSPORT",
[18] = "PROGRAM_884_U84",
[3] = "READ_HOLDING_REGISTERS"
}
Standard defined Modbus function codes.
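Review bot: `Modbus::exception_codes` carries no description at all (the summary cell in the table above is empty and nothing follows its `:Default:` block), while `Modbus::function_codes` gets "Standard defined Modbus function codes."; add a matching doc comment, e.g. "Standard defined Modbus exception codes.", so readers know the table maps exception-response codes to names. Both defaults are also emitted in hash order rather than by key, which makes them hard to scan; sorting keys in the generator would help.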


@ -0,0 +1,17 @@
:orphan:
Package: base/protocols/modbus
==============================
Support for Modbus protocol analysis.
:doc:`/scripts/base/protocols/modbus/__load__.zeek`
:doc:`/scripts/base/protocols/modbus/consts.zeek`
:doc:`/scripts/base/protocols/modbus/main.zeek`
Base Modbus analysis script.
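Review bot: the `consts.zeek` entry has no description line beneath it, unlike `main.zeek` ("Base Modbus analysis script."); the consts page above likewise shows no module-level summary, so a one-line module doc comment in consts.zeek (e.g. "Constants for Modbus protocol analysis.") would populate both places.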


@ -0,0 +1,122 @@
:tocdepth: 3
base/protocols/modbus/main.zeek
===============================
.. zeek:namespace:: Modbus
Base Modbus analysis script.
:Namespace: Modbus
:Imports: :doc:`base/protocols/modbus/consts.zeek </scripts/base/protocols/modbus/consts.zeek>`
Summary
~~~~~~~
Types
#####
============================================== =
:zeek:type:`Modbus::Info`: :zeek:type:`record`
============================================== =
Redefinitions
#############
==================================================================== ==========================================================
:zeek:type:`Log::ID`: :zeek:type:`enum`
* :zeek:enum:`Modbus::LOG`
:zeek:type:`connection`: :zeek:type:`record`
:New Fields: :zeek:type:`connection`
modbus: :zeek:type:`Modbus::Info` :zeek:attr:`&optional`
:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef`
==================================================================== ==========================================================
Events
######
================================================= ===================================================================
:zeek:id:`Modbus::log_modbus`: :zeek:type:`event` Event that can be handled to access the Modbus record as it is sent
on to the logging framework.
================================================= ===================================================================
Hooks
#####
=========================================================== =
:zeek:id:`Modbus::log_policy`: :zeek:type:`Log::PolicyHook`
=========================================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. zeek:type:: Modbus::Info
:source-code: base/protocols/modbus/main.zeek 12 29
:Type: :zeek:type:`record`
.. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
Time of the request.
.. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
Unique identifier for the connection.
.. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
Identifier for the connection.
.. zeek:field:: tid :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
Modbus transaction ID
.. zeek:field:: unit :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
The terminal unit identifier for the message
.. zeek:field:: func :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
The name of the function message that was sent.
.. zeek:field:: pdu_type :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Whether this PDU was a response ("RESP") or request ("REQ")
.. zeek:field:: exception :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
The exception if the response was a failure.
.. zeek:field:: track_address :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/modbus/track-memmap.zeek` is loaded)
Events
######
.. zeek:id:: Modbus::log_modbus
:source-code: base/protocols/modbus/main.zeek 33 33
:Type: :zeek:type:`event` (rec: :zeek:type:`Modbus::Info`)
Event that can be handled to access the Modbus record as it is sent
on to the logging framework.
Hooks
#####
.. zeek:id:: Modbus::log_policy
:source-code: base/protocols/modbus/main.zeek 10 10
:Type: :zeek:type:`Log::PolicyHook`
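Review bot: the `track_address` field of `Modbus::Info` has only the "(present if .../track-memmap.zeek is loaded)" marker and no description of what it holds or how its `&default = 0` is used; a doc comment on that field in track-memmap.zeek would close the gap. Minor: the `tid`, `unit` and `pdu_type` descriptions lack the trailing period the other fields use.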


@ -0,0 +1,14 @@
:tocdepth: 3
base/protocols/mqtt/__load__.zeek
=================================
:Imports: :doc:`base/protocols/mqtt/consts.zeek </scripts/base/protocols/mqtt/consts.zeek>`, :doc:`base/protocols/mqtt/main.zeek </scripts/base/protocols/mqtt/main.zeek>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~


@ -0,0 +1,109 @@
:tocdepth: 3
base/protocols/mqtt/consts.zeek
===============================
.. zeek:namespace:: MQTT
Constants definitions for MQTT.
:Namespace: MQTT
Summary
~~~~~~~
Constants
#########
=============================================================================================== =
:zeek:id:`MQTT::msg_types`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`
:zeek:id:`MQTT::qos_levels`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`
:zeek:id:`MQTT::return_codes`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`
:zeek:id:`MQTT::versions`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`
=============================================================================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Constants
#########
.. zeek:id:: MQTT::msg_types
:source-code: base/protocols/mqtt/consts.zeek 6 6
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = :zeek:type:`function`
:Default:
::
{
[2] = "connack",
[11] = "unsuback",
[5] = "pubrec",
[7] = "pubcomp",
[6] = "pubrel",
[10] = "unsubscribe",
[14] = "disconnect",
[4] = "puback",
[13] = "pingresp",
[12] = "pingreq",
[8] = "subscribe",
[3] = "publish",
[9] = "suback",
[1] = "connect"
}
.. zeek:id:: MQTT::qos_levels
:source-code: base/protocols/mqtt/consts.zeek 29 29
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = :zeek:type:`function`
:Default:
::
{
[0] = "at most once",
[2] = "exactly once",
[1] = "at least once"
}
.. zeek:id:: MQTT::return_codes
:source-code: base/protocols/mqtt/consts.zeek 35 35
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = :zeek:type:`function`
:Default:
::
{
[2] = "Refused: identifier rejected",
[3] = "Refused: server unavailable",
[5] = "Refused: not authorized",
[0] = "Connection Accepted",
[4] = "Refused: bad user name or password",
[1] = "Refused: unacceptable protocol version"
}
.. zeek:id:: MQTT::versions
:source-code: base/protocols/mqtt/consts.zeek 23 23
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = :zeek:type:`function`
:Default:
::
{
[4] = "3.1.1",
[3] = "3.1",
[5] = "5.0"
}
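Review bot: none of the four tables (`MQTT::msg_types`, `MQTT::qos_levels`, `MQTT::return_codes`, `MQTT::versions`) has a description, so the summary table shows empty cells and the detailed entries are bare defaults; a one-line doc comment per table would help, e.g. that `return_codes` are the CONNACK return codes and that `versions` is keyed by the protocol-level value carried in CONNECT (3 = 3.1, 4 = 3.1.1, 5 = 5.0). Note also that, unlike `Modbus::function_codes`, these tables are not `&redef`, so sites cannot extend them; if that is intended it is worth stating.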


@ -0,0 +1,19 @@
:orphan:
Package: base/protocols/mqtt
============================
Support for MQTT protocol analysis.
:doc:`/scripts/base/protocols/mqtt/__load__.zeek`
:doc:`/scripts/base/protocols/mqtt/consts.zeek`
Constants definitions for MQTT.
:doc:`/scripts/base/protocols/mqtt/main.zeek`
Implements base functionality for MQTT (v3.1.1) analysis.
Generates the mqtt.log file.


@ -0,0 +1,338 @@
:tocdepth: 3
base/protocols/mqtt/main.zeek
=============================
.. zeek:namespace:: MQTT
Implements base functionality for MQTT (v3.1.1) analysis.
Generates the mqtt.log file.
:Namespace: MQTT
:Imports: :doc:`base/protocols/mqtt/consts.zeek </scripts/base/protocols/mqtt/consts.zeek>`
Summary
~~~~~~~
Types
#####
================================================================== ======================================================================
:zeek:type:`MQTT::ConnectInfo`: :zeek:type:`record`
:zeek:type:`MQTT::PublishInfo`: :zeek:type:`record`
:zeek:type:`MQTT::State`: :zeek:type:`record` Data structure to track pub/sub messaging state of a given connection.
:zeek:type:`MQTT::SubUnsub`: :zeek:type:`enum` :zeek:attr:`&redef`
:zeek:type:`MQTT::SubscribeInfo`: :zeek:type:`record`
================================================================== ======================================================================
Redefinitions
#############
==================================================================== =============================================================
:zeek:type:`Log::ID`: :zeek:type:`enum`
* :zeek:enum:`MQTT::CONNECT_LOG`
* :zeek:enum:`MQTT::PUBLISH_LOG`
* :zeek:enum:`MQTT::SUBSCRIBE_LOG`
:zeek:type:`connection`: :zeek:type:`record`
:New Fields: :zeek:type:`connection`
mqtt: :zeek:type:`MQTT::ConnectInfo` :zeek:attr:`&optional`
mqtt_state: :zeek:type:`MQTT::State` :zeek:attr:`&optional`
:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef`
==================================================================== =============================================================
Events
######
============================================= ====================================================================
:zeek:id:`MQTT::log_mqtt`: :zeek:type:`event` Event that can be handled to access the MQTT record as it is sent on
to the logging framework.
============================================= ====================================================================
Hooks
#####
=================================================================== =
:zeek:id:`MQTT::log_policy_connect`: :zeek:type:`Log::PolicyHook`
:zeek:id:`MQTT::log_policy_publish`: :zeek:type:`Log::PolicyHook`
:zeek:id:`MQTT::log_policy_subscribe`: :zeek:type:`Log::PolicyHook`
=================================================================== =
Functions
#########
======================================================== ==========================================================================
:zeek:id:`MQTT::publish_expire`: :zeek:type:`function` The expiration function for published messages that haven't been logged
yet simply causes the message to be logged.
:zeek:id:`MQTT::subscribe_expire`: :zeek:type:`function` The expiration function for subscription messages that haven't been logged
yet simply causes the message to be logged.
======================================================== ==========================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. zeek:type:: MQTT::ConnectInfo
:source-code: base/protocols/mqtt/main.zeek 24 45
:Type: :zeek:type:`record`
.. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
Timestamp for when the event happened
.. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
Unique ID for the connection
.. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
The connection's 4-tuple of endpoint addresses/ports
.. zeek:field:: proto_name :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Indicates the protocol name
.. zeek:field:: proto_version :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
The version of the protocol in use
.. zeek:field:: client_id :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Unique identifier for the client
.. zeek:field:: connect_status :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Status message from the server in response to the connect request
.. zeek:field:: will_topic :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Topic to publish a "last will and testament" message to
.. zeek:field:: will_payload :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Payload to publish as a "last will and testament"
.. zeek:type:: MQTT::PublishInfo
:source-code: base/protocols/mqtt/main.zeek 67 107
:Type: :zeek:type:`record`
.. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
Timestamp for when the publish message started
.. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
UID for the connection
.. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
ID fields for the connection
.. zeek:field:: from_client :zeek:type:`bool` :zeek:attr:`&log`
Indicates if the message was published by the client of
this connection or published to the client.
.. zeek:field:: retain :zeek:type:`bool` :zeek:attr:`&log`
Indicates if the message was to be retained by the server
.. zeek:field:: qos :zeek:type:`string` :zeek:attr:`&log`
QoS level set for the message
.. zeek:field:: status :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&default` = ``"incomplete_qos"`` :zeek:attr:`&optional`
Status of the published message. This will be set to "incomplete_qos"
if the full back and forth for the requested level of QoS was not seen.
Otherwise if it's successful the field will be "ok".
.. zeek:field:: topic :zeek:type:`string` :zeek:attr:`&log`
Topic the message was published to
.. zeek:field:: payload :zeek:type:`string` :zeek:attr:`&log`
Payload of the message
.. zeek:field:: payload_len :zeek:type:`count` :zeek:attr:`&log`
The actual length of the payload in the case the *payload*
field's contents were truncated according to
:zeek:see:`MQTT::max_payload_size`.
.. zeek:field:: ack :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
Track if the message was acked
.. zeek:field:: rec :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
Indicates if the server sent the RECEIVED qos message
.. zeek:field:: rel :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
Indicates if the client sent the RELEASE qos message
.. zeek:field:: comp :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
Indicates if the server sent the COMPLETE qos message
.. zeek:field:: qos_level :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
Internally used for comparing numeric qos level
.. zeek:type:: MQTT::State
:source-code: base/protocols/mqtt/main.zeek 122 128
:Type: :zeek:type:`record`
.. zeek:field:: publish :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`MQTT::PublishInfo` :zeek:attr:`&optional` :zeek:attr:`&write_expire` = ``5.0 secs`` :zeek:attr:`&expire_func` = :zeek:see:`MQTT::publish_expire`
Published messages that haven't been logged yet.
.. zeek:field:: subscribe :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`MQTT::SubscribeInfo` :zeek:attr:`&optional` :zeek:attr:`&write_expire` = ``5.0 secs`` :zeek:attr:`&expire_func` = :zeek:see:`MQTT::subscribe_expire`
Subscription/unsubscription messages that haven't been ACK'd or
logged yet.
Data structure to track pub/sub messaging state of a given connection.
.. zeek:type:: MQTT::SubUnsub
:source-code: base/protocols/mqtt/main.zeek 19 23
:Type: :zeek:type:`enum`
.. zeek:enum:: MQTT::SUBSCRIBE MQTT::SubUnsub
.. zeek:enum:: MQTT::UNSUBSCRIBE MQTT::SubUnsub
:Attributes: :zeek:attr:`&redef`
.. zeek:type:: MQTT::SubscribeInfo
:source-code: base/protocols/mqtt/main.zeek 47 65
:Type: :zeek:type:`record`
.. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
Timestamp for when the subscribe or unsubscribe request started
.. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
UID for the connection
.. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
ID fields for the connection
.. zeek:field:: action :zeek:type:`MQTT::SubUnsub` :zeek:attr:`&log`
Indicates if a subscribe or unsubscribe action is taking place
.. zeek:field:: topics :zeek:type:`string_vec` :zeek:attr:`&log`
The topics (or topic patterns) being subscribed to
.. zeek:field:: qos_levels :zeek:type:`index_vec` :zeek:attr:`&log` :zeek:attr:`&optional`
QoS levels requested for messages from subscribed topics
.. zeek:field:: granted_qos_level :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
QoS level the server granted
.. zeek:field:: ack :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
Indicates if the request was acked by the server
Events
######
.. zeek:id:: MQTT::log_mqtt
:source-code: base/protocols/mqtt/main.zeek 111 111
:Type: :zeek:type:`event` (rec: :zeek:type:`MQTT::ConnectInfo`)
Event that can be handled to access the MQTT record as it is sent on
to the logging framework.
Hooks
#####
.. zeek:id:: MQTT::log_policy_connect
:source-code: base/protocols/mqtt/main.zeek 15 15
:Type: :zeek:type:`Log::PolicyHook`
.. zeek:id:: MQTT::log_policy_publish
:source-code: base/protocols/mqtt/main.zeek 17 17
:Type: :zeek:type:`Log::PolicyHook`
.. zeek:id:: MQTT::log_policy_subscribe
:source-code: base/protocols/mqtt/main.zeek 16 16
:Type: :zeek:type:`Log::PolicyHook`
Functions
#########
.. zeek:id:: MQTT::publish_expire
:source-code: base/protocols/mqtt/main.zeek 131 135
:Type: :zeek:type:`function` (tbl: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`MQTT::PublishInfo`, idx: :zeek:type:`count`) : :zeek:type:`interval`
The expiration function for published messages that haven't been logged
yet simply causes the message to be logged.
.. zeek:id:: MQTT::subscribe_expire
:source-code: base/protocols/mqtt/main.zeek 137 141
:Type: :zeek:type:`function` (tbl: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`MQTT::SubscribeInfo`, idx: :zeek:type:`count`) : :zeek:type:`interval`
The expiration function for subscription messages that haven't been logged
yet simply causes the message to be logged.
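Review bot: `MQTT::log_mqtt` is typed `(rec: MQTT::ConnectInfo)` and described as giving access to "the MQTT record", but this script defines three log streams (CONNECT_LOG, PUBLISH_LOG, SUBSCRIBE_LOG) and only the connect record has an event; either state explicitly that `log_mqtt` covers CONNECT_LOG only and that `log_policy_publish` / `log_policy_subscribe` are the hooks for the other two streams, or add matching events for `PublishInfo` and `SubscribeInfo`. Minor: the `ConnectInfo` field descriptions consistently omit trailing periods while `PublishInfo` fields such as `status` and `payload_len` use full sentences.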


@ -0,0 +1,14 @@
:tocdepth: 3
base/protocols/mysql/__load__.zeek
==================================
:Imports: :doc:`base/protocols/mysql/main.zeek </scripts/base/protocols/mysql/main.zeek>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~


@ -0,0 +1,69 @@
:tocdepth: 3
base/protocols/mysql/consts.zeek
================================
.. zeek:namespace:: MySQL
:Namespace: MySQL
Summary
~~~~~~~
Constants
#########
============================================================================================ =
:zeek:id:`MySQL::commands`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`
============================================================================================ =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Constants
#########
.. zeek:id:: MySQL::commands
:source-code: base/protocols/mysql/consts.zeek 4 4
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = :zeek:type:`function`
:Default:
::
{
[19] = "table_dump",
[20] = "connect_out",
[14] = "ping",
[15] = "time",
[6] = "drop_db",
[30] = "binlog_dump_gtid",
[31] = "reset_connection",
[28] = "stmt_fetch",
[23] = "stmt_execute",
[8] = "shutdown",
[27] = "set_option",
[9] = "statistics",
[7] = "refresh",
[10] = "process_info",
[21] = "register_slave",
[4] = "field_list",
[26] = "stmt_reset",
[13] = "debug",
[12] = "process_kill",
[17] = "change_user",
[25] = "stmt_close",
[2] = "init_db",
[29] = "daemon",
[16] = "delayed_insert",
[24] = "stmt_send_long_data",
[1] = "quit",
[11] = "connect",
[5] = "create_db",
[22] = "stmt_prepare",
[18] = "binlog_dump",
[3] = "query",
[0] = "sleep"
}
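Review bot: `MySQL::commands` has no description and consts.zeek has no module-level summary, so both this page and the package index show it as a bare table; document it as the mapping from the MySQL client command byte (COM_SLEEP = 0, COM_QUIT = 1, COM_QUERY = 3, ...) to a short name, which is what the defaults show.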


@ -0,0 +1,17 @@
:orphan:
Package: base/protocols/mysql
=============================
Support for MySQL protocol analysis.
:doc:`/scripts/base/protocols/mysql/__load__.zeek`
:doc:`/scripts/base/protocols/mysql/main.zeek`
Implements base functionality for MySQL analysis. Generates the mysql.log file.
:doc:`/scripts/base/protocols/mysql/consts.zeek`


@ -0,0 +1,124 @@
:tocdepth: 3
base/protocols/mysql/main.zeek
==============================
.. zeek:namespace:: MySQL
Implements base functionality for MySQL analysis. Generates the mysql.log file.
:Namespace: MySQL
:Imports: :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`, :doc:`base/protocols/mysql/consts.zeek </scripts/base/protocols/mysql/consts.zeek>`
Summary
~~~~~~~
Types
#####
============================================= =
:zeek:type:`MySQL::Info`: :zeek:type:`record`
============================================= =
Redefinitions
#############
============================================ ========================================================
:zeek:type:`Log::ID`: :zeek:type:`enum`
* :zeek:enum:`mysql::LOG`
:zeek:type:`connection`: :zeek:type:`record`
:New Fields: :zeek:type:`connection`
mysql: :zeek:type:`MySQL::Info` :zeek:attr:`&optional`
============================================ ========================================================
Events
######
=============================================== =====================================================================
:zeek:id:`MySQL::log_mysql`: :zeek:type:`event` Event that can be handled to access the MySQL record as it is sent on
to the logging framework.
=============================================== =====================================================================
Hooks
#####
================================================================ ========================
:zeek:id:`MySQL::finalize_mysql`: :zeek:type:`Conn::RemovalHook` MySQL finalization hook.
:zeek:id:`MySQL::log_policy`: :zeek:type:`Log::PolicyHook`
================================================================ ========================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. zeek:type:: MySQL::Info
:source-code: base/protocols/mysql/main.zeek 13 30
:Type: :zeek:type:`record`
.. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
Timestamp for when the event happened.
.. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
Unique ID for the connection.
.. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
The connection's 4-tuple of endpoint addresses/ports.
.. zeek:field:: cmd :zeek:type:`string` :zeek:attr:`&log`
The command that was issued
.. zeek:field:: arg :zeek:type:`string` :zeek:attr:`&log`
The argument issued to the command
.. zeek:field:: success :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&optional`
Did the server tell us that the command succeeded?
.. zeek:field:: rows :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
The number of affected rows, if any
.. zeek:field:: response :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Server message, if any
Events
######
.. zeek:id:: MySQL::log_mysql
:source-code: base/protocols/mysql/main.zeek 34 34
:Type: :zeek:type:`event` (rec: :zeek:type:`MySQL::Info`)
Event that can be handled to access the MySQL record as it is sent on
to the logging framework.
Hooks
#####
.. zeek:id:: MySQL::finalize_mysql
:source-code: base/protocols/mysql/main.zeek 157 164
:Type: :zeek:type:`Conn::RemovalHook`
MySQL finalization hook. Remaining MySQL info may get logged when it's called.
.. zeek:id:: MySQL::log_policy
:source-code: base/protocols/mysql/main.zeek 11 11
:Type: :zeek:type:`Log::PolicyHook`
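Review bot: the log stream enum is `mysql::LOG` (lowercase namespace) while every other identifier on this page, and the `LOG` enums of the neighbouring Modbus, NTLM and NTP scripts, use the capitalised module name; if the lowercase spelling is kept for compatibility, a sentence saying so in the module description would save readers from writing `MySQL::LOG`. Minor: the `cmd`, `arg`, `rows` and `response` field descriptions lack trailing periods.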


@ -0,0 +1,14 @@
:tocdepth: 3
base/protocols/ntlm/__load__.zeek
=================================
:Imports: :doc:`base/protocols/ntlm/main.zeek </scripts/base/protocols/ntlm/main.zeek>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~


@ -0,0 +1,13 @@
:orphan:
Package: base/protocols/ntlm
============================
Support for NT LAN Manager (NTLM) protocol analysis.
:doc:`/scripts/base/protocols/ntlm/__load__.zeek`
:doc:`/scripts/base/protocols/ntlm/main.zeek`


@ -0,0 +1,123 @@
:tocdepth: 3
base/protocols/ntlm/main.zeek
=============================
.. zeek:namespace:: NTLM
:Namespace: NTLM
:Imports: :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`
Summary
~~~~~~~
Types
#####
============================================ =
:zeek:type:`NTLM::Info`: :zeek:type:`record`
============================================ =
Redefinitions
#############
======================================================================= ======================================================
:zeek:id:`DPD::ignore_violations`: :zeek:type:`set` :zeek:attr:`&redef`
:zeek:type:`Log::ID`: :zeek:type:`enum`
* :zeek:enum:`NTLM::LOG`
:zeek:type:`connection`: :zeek:type:`record`
:New Fields: :zeek:type:`connection`
ntlm: :zeek:type:`NTLM::Info` :zeek:attr:`&optional`
======================================================================= ======================================================
Hooks
#####
============================================================== =======================
:zeek:id:`NTLM::finalize_ntlm`: :zeek:type:`Conn::RemovalHook` NTLM finalization hook.
:zeek:id:`NTLM::log_policy`: :zeek:type:`Log::PolicyHook`
============================================================== =======================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. zeek:type:: NTLM::Info
:source-code: base/protocols/ntlm/main.zeek 10 38
:Type: :zeek:type:`record`
.. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
Timestamp for when the event happened.
.. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
Unique ID for the connection.
.. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
The connection's 4-tuple of endpoint addresses/ports.
.. zeek:field:: username :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Username given by the client.
.. zeek:field:: hostname :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Hostname given by the client.
.. zeek:field:: domainname :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Domainname given by the client.
.. zeek:field:: server_nb_computer_name :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
NetBIOS name given by the server in a CHALLENGE.
.. zeek:field:: server_dns_computer_name :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
DNS name given by the server in a CHALLENGE.
.. zeek:field:: server_tree_name :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Tree name given by the server in a CHALLENGE.
.. zeek:field:: success :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&optional`
Indicate whether or not the authentication was successful.
.. zeek:field:: done :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
Internally used field to indicate if the login attempt
has already been logged.
Hooks
#####
.. zeek:id:: NTLM::finalize_ntlm
:source-code: base/protocols/ntlm/main.zeek 117 123
:Type: :zeek:type:`Conn::RemovalHook`
NTLM finalization hook. Remaining NTLM info may get logged when it's called.
.. zeek:id:: NTLM::log_policy
:source-code: base/protocols/ntlm/main.zeek 8 8
:Type: :zeek:type:`Log::PolicyHook`
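Review bot: this script has no module-level description (compare "Implements base functionality for MySQL analysis. Generates the mysql.log file."), so both this page and the package index show nothing, and the `DPD::ignore_violations` redefinition listed under Redefinitions is left unexplained; a short module doc comment stating which log the script generates and why the analyzer is added to `DPD::ignore_violations` would fill both gaps.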


@ -0,0 +1,14 @@
:tocdepth: 3
base/protocols/ntp/__load__.zeek
================================
:Imports: :doc:`base/protocols/ntp/consts.zeek </scripts/base/protocols/ntp/consts.zeek>`, :doc:`base/protocols/ntp/main.zeek </scripts/base/protocols/ntp/main.zeek>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~


@ -0,0 +1,47 @@
:tocdepth: 3
base/protocols/ntp/consts.zeek
==============================
.. zeek:namespace:: NTP
:Namespace: NTP
Summary
~~~~~~~
Redefinable Options
###################
=========================================================================================================== ====================================================
:zeek:id:`NTP::modes`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` :zeek:attr:`&redef` The descriptions of the NTP mode value, as described
in :rfc:`5905`, Figure 1
=========================================================================================================== ====================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Redefinable Options
###################
.. zeek:id:: NTP::modes
:source-code: base/protocols/ntp/consts.zeek 6 6
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = :zeek:type:`function` :zeek:attr:`&redef`
:Default:
::
{
[2] = "symmetric passive",
[5] = "broadcast server",
[3] = "client",
[7] = "reserved",
[6] = "broadcast client",
[4] = "server",
[1] = "symmetric active"
}
The descriptions of the NTP mode value, as described
in :rfc:`5905`, Figure 1
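Review bot: the ``NTP::modes`` default table has entries for 1 through 7 but none for 0, so a packet whose mode field is 0 (reserved in RFC 5905) is resolved by the ``&default`` function, and the description should say what string that function returns. The labels also mix two tables from the RFC: "broadcast server" and "broadcast client" for 5 and 6 come from the association-mode table in Figure 1 that the comment cites, whereas the value this table is looked up with is the packet-header mode field, where RFC 5905 Section 7.3 (Figure 10) defines 6 as "NTP control message" and 7 as "reserved for private use". Suggest either relabeling 6 accordingly or changing the comment to say these are association-mode names rather than wire-mode names.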

@ -0,0 +1,15 @@
:orphan:
Package: base/protocols/ntp
===========================
:doc:`/scripts/base/protocols/ntp/__load__.zeek`
:doc:`/scripts/base/protocols/ntp/main.zeek`
:doc:`/scripts/base/protocols/ntp/consts.zeek`

@ -0,0 +1,161 @@
:tocdepth: 3
base/protocols/ntp/main.zeek
============================
.. zeek:namespace:: NTP
:Namespace: NTP
Summary
~~~~~~~
Types
#####
=========================================== =
:zeek:type:`NTP::Info`: :zeek:type:`record`
=========================================== =
Redefinitions
#############
==================================================================== ====================================================
:zeek:type:`Log::ID`: :zeek:type:`enum`
* :zeek:enum:`NTP::LOG`
:zeek:type:`connection`: :zeek:type:`record`
:New Fields: :zeek:type:`connection`
ntp: :zeek:type:`NTP::Info` :zeek:attr:`&optional`
:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef`
==================================================================== ====================================================
Events
######
=========================================== ===================================================================
:zeek:id:`NTP::log_ntp`: :zeek:type:`event` Event that can be handled to access the NTP record as it is sent on
to the logging framework.
=========================================== ===================================================================
Hooks
#####
======================================================== =
:zeek:id:`NTP::log_policy`: :zeek:type:`Log::PolicyHook`
======================================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. zeek:type:: NTP::Info
:source-code: base/protocols/ntp/main.zeek 8 47
:Type: :zeek:type:`record`
.. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
Timestamp for when the event happened.
.. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
Unique ID for the connection.
.. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
The connection's 4-tuple of endpoint addresses/ports.
.. zeek:field:: version :zeek:type:`count` :zeek:attr:`&log`
The NTP version number (1, 2, 3, 4).
.. zeek:field:: mode :zeek:type:`count` :zeek:attr:`&log`
The NTP mode being used.
.. zeek:field:: stratum :zeek:type:`count` :zeek:attr:`&log`
The stratum (primary server, secondary server, etc.).
.. zeek:field:: poll :zeek:type:`interval` :zeek:attr:`&log`
The maximum interval between successive messages.
.. zeek:field:: precision :zeek:type:`interval` :zeek:attr:`&log`
The precision of the system clock.
.. zeek:field:: root_delay :zeek:type:`interval` :zeek:attr:`&log`
Total round-trip delay to the reference clock.
.. zeek:field:: root_disp :zeek:type:`interval` :zeek:attr:`&log`
Total dispersion to the reference clock.
.. zeek:field:: ref_id :zeek:type:`string` :zeek:attr:`&log`
For stratum 0, 4 character string used for debugging.
For stratum 1, ID assigned to the reference clock by IANA.
Above stratum 1, when using IPv4, the IP address of the reference
clock. Note that the NTP protocol did not originally specify a
large enough field to represent IPv6 addresses, so they use
the first four bytes of the MD5 hash of the reference clock's
IPv6 address (i.e. an IPv4 address here is not necessarily IPv4).
.. zeek:field:: ref_time :zeek:type:`time` :zeek:attr:`&log`
Time when the system clock was last set or correct.
.. zeek:field:: org_time :zeek:type:`time` :zeek:attr:`&log`
Time at the client when the request departed for the NTP server.
.. zeek:field:: rec_time :zeek:type:`time` :zeek:attr:`&log`
Time at the server when the request arrived from the NTP client.
.. zeek:field:: xmt_time :zeek:type:`time` :zeek:attr:`&log`
Time at the server when the response departed for the NTP client.
.. zeek:field:: num_exts :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional` :zeek:attr:`&log`
Number of extension fields (which are not currently parsed).
Events
######
.. zeek:id:: NTP::log_ntp
:source-code: base/protocols/ntp/main.zeek 51 51
:Type: :zeek:type:`event` (rec: :zeek:type:`NTP::Info`)
Event that can be handled to access the NTP record as it is sent on
to the logging framework.
Hooks
#####
.. zeek:id:: NTP::log_policy
:source-code: base/protocols/ntp/main.zeek 6 6
:Type: :zeek:type:`Log::PolicyHook`
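Review bot: typo in the ``ref_time`` description: "Time when the system clock was last set or correct" should read "last set or corrected". Two smaller points in the same record: the closing sentence of ``ref_id`` ("i.e. an IPv4 address here is not necessarily IPv4") is confusing and would read better as "so a value that looks like an IPv4 address here may actually be the truncated hash of an IPv6 address", and ``NTP::Info`` and ``NTP::log_policy`` carry no doc comment at all, which is why the Types and Hooks summary tables above have an empty description column.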

@ -0,0 +1,13 @@
:tocdepth: 3
base/protocols/pop3/__load__.zeek
=================================
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -0,0 +1,10 @@
:orphan:
Package: base/protocols/pop3
============================
Support for POP3 (Post Office Protocol) protocol analysis.
:doc:`/scripts/base/protocols/pop3/__load__.zeek`

@ -0,0 +1,14 @@
:tocdepth: 3
base/protocols/postgresql/__load__.zeek
=======================================
:Imports: :doc:`base/protocols/postgresql/consts.zeek </scripts/base/protocols/postgresql/consts.zeek>`, :doc:`base/protocols/postgresql/main.zeek </scripts/base/protocols/postgresql/main.zeek>`, :doc:`base/protocols/postgresql/spicy-events.zeek </scripts/base/protocols/postgresql/spicy-events.zeek>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -0,0 +1,79 @@
:tocdepth: 3
base/protocols/postgresql/consts.zeek
=====================================
.. zeek:namespace:: PostgreSQL
:Namespace: PostgreSQL
Summary
~~~~~~~
State Variables
###############
====================================================================================================================== =
:zeek:id:`PostgreSQL::auth_ids`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` :zeek:attr:`&redef`
:zeek:id:`PostgreSQL::error_ids`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` :zeek:attr:`&redef`
====================================================================================================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~
State Variables
###############
.. zeek:id:: PostgreSQL::auth_ids
:source-code: base/protocols/postgresql/consts.zeek 26 26
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = :zeek:type:`function` :zeek:attr:`&redef`
:Default:
::
{
[2] = "KerberosV5",
[8] = "GSSAPIContinue",
[11] = "SASLContinue",
[3] = "CleartextPassword",
[7] = "GSSAPI",
[5] = "MD5Password",
[9] = "SSPI",
[10] = "SASL",
[12] = "SASLFinal"
}
.. zeek:id:: PostgreSQL::error_ids
:source-code: base/protocols/postgresql/consts.zeek 5 5
:Type: :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = :zeek:type:`function` :zeek:attr:`&redef`
:Default:
::
{
["R"] = "Routine",
["H"] = "Hint",
["D"] = "Detail",
["S"] = "SeverityLocalized",
["d"] = "Data",
["p"] = "InternalPosition",
["W"] = "Where",
["M"] = "Message",
["n"] = "Constraint",
["c"] = "Column",
["V"] = "Severity",
["t"] = "Table",
["C"] = "Code",
["F"] = "File",
["P"] = "Position",
["s"] = "Schema",
["q"] = "InternalQuery",
["L"] = "Line"
}
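Review bot: ``PostgreSQL::auth_ids`` and ``PostgreSQL::error_ids`` have no doc comment (the summary table's description column is empty) and are declared as ``global`` rather than ``const``, which is why zeekygen files them under State Variables instead of Redefinable Options, unlike ``NTP::modes`` in the sibling hunk. Suggest declaring both ``const ... &redef`` and documenting what they key on: ``auth_ids`` maps the authentication-request type code to a name, and ``error_ids`` maps the single-byte field type of ErrorResponse and NoticeResponse messages to a name (the same codes that ``PostgreSQL::error_response_identified_field`` later passes as ``code``). Also worth stating that ``auth_ids`` deliberately has no entry for 0, because the successful case is surfaced through the separate ``PostgreSQL::authentication_ok`` event, so a lookup of 0 falls through to the ``&default`` function.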

@ -0,0 +1,20 @@
:orphan:
Package: base/protocols/postgresql
==================================
:doc:`/scripts/base/protocols/postgresql/__load__.zeek`
:doc:`/scripts/base/protocols/postgresql/consts.zeek`
:doc:`/scripts/base/protocols/postgresql/spicy-events.zeek`
Events generated by the PostgreSQL analyzer.
:doc:`/scripts/base/protocols/postgresql/main.zeek`
Implements base functionality for PostgreSQL analysis.

@ -0,0 +1,189 @@
:tocdepth: 3
base/protocols/postgresql/main.zeek
===================================
.. zeek:namespace:: PostgreSQL
Implements base functionality for PostgreSQL analysis.
:Namespace: PostgreSQL
:Imports: :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`, :doc:`base/protocols/postgresql/consts.zeek </scripts/base/protocols/postgresql/consts.zeek>`, :doc:`base/protocols/postgresql/spicy-events.zeek </scripts/base/protocols/postgresql/spicy-events.zeek>`
Summary
~~~~~~~
State Variables
###############
================================================================== =
:zeek:id:`PostgreSQL::ports`: :zeek:type:`set` :zeek:attr:`&redef`
================================================================== =
Types
#####
===================================================== ===============================================================
:zeek:type:`PostgreSQL::Info`: :zeek:type:`record` Record type containing the column fields of the PostgreSQL log.
:zeek:type:`PostgreSQL::State`: :zeek:type:`record`
:zeek:type:`PostgreSQL::Version`: :zeek:type:`record`
===================================================== ===============================================================
Redefinitions
#############
==================================================================== =========================================================================
:zeek:type:`Log::ID`: :zeek:type:`enum` Log stream identifier.
* :zeek:enum:`PostgreSQL::LOG`
:zeek:type:`connection`: :zeek:type:`record`
:New Fields: :zeek:type:`connection`
postgresql: :zeek:type:`PostgreSQL::Info` :zeek:attr:`&optional`
postgresql_state: :zeek:type:`PostgreSQL::State` :zeek:attr:`&optional`
:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef`
==================================================================== =========================================================================
Events
######
========================================================= =====================================
:zeek:id:`PostgreSQL::log_postgresql`: :zeek:type:`event` Default hook into PostgreSQL logging.
========================================================= =====================================
Hooks
#####
========================================================================== =
:zeek:id:`PostgreSQL::finalize_postgresql`: :zeek:type:`Conn::RemovalHook`
========================================================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~
State Variables
###############
.. zeek:id:: PostgreSQL::ports
:source-code: base/protocols/postgresql/main.zeek 65 65
:Type: :zeek:type:`set` [:zeek:type:`port`]
:Attributes: :zeek:attr:`&redef`
:Default:
::
{
5432/tcp
}
Types
#####
.. zeek:type:: PostgreSQL::Info
:source-code: base/protocols/postgresql/main.zeek 20 49
:Type: :zeek:type:`record`
.. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
Timestamp for when the activity happened.
.. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
Unique ID for the connection.
.. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
The connection's 4-tuple of endpoint addresses/ports.
.. zeek:field:: user :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
The user as found in the StartupMessage.
.. zeek:field:: database :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
The database as found in the StartupMessage.
.. zeek:field:: application_name :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
The application name as found in the StartupMessage.
.. zeek:field:: frontend :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
.. zeek:field:: frontend_arg :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
.. zeek:field:: backend :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
.. zeek:field:: backend_arg :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
.. zeek:field:: success :zeek:type:`bool` :zeek:attr:`&optional` :zeek:attr:`&log`
.. zeek:field:: rows :zeek:type:`count` :zeek:attr:`&optional` :zeek:attr:`&log`
Record type containing the column fields of the PostgreSQL log.
.. zeek:type:: PostgreSQL::State
:source-code: base/protocols/postgresql/main.zeek 51 58
:Type: :zeek:type:`record`
.. zeek:field:: version :zeek:type:`PostgreSQL::Version` :zeek:attr:`&optional`
.. zeek:field:: user :zeek:type:`string` :zeek:attr:`&optional`
.. zeek:field:: database :zeek:type:`string` :zeek:attr:`&optional`
.. zeek:field:: application_name :zeek:type:`string` :zeek:attr:`&optional`
.. zeek:field:: rows :zeek:type:`count` :zeek:attr:`&optional`
.. zeek:field:: errors :zeek:type:`vector` of :zeek:type:`string`
.. zeek:type:: PostgreSQL::Version
:source-code: base/protocols/postgresql/main.zeek 14 17
:Type: :zeek:type:`record`
.. zeek:field:: major :zeek:type:`count`
.. zeek:field:: minor :zeek:type:`count`
Events
######
.. zeek:id:: PostgreSQL::log_postgresql
:source-code: base/protocols/postgresql/main.zeek 61 61
:Type: :zeek:type:`event` (rec: :zeek:type:`PostgreSQL::Info`)
Default hook into PostgreSQL logging.
Hooks
#####
.. zeek:id:: PostgreSQL::finalize_postgresql
:source-code: base/protocols/postgresql/main.zeek 248 250
:Type: :zeek:type:`Conn::RemovalHook`
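Review bot: six logged fields of ``PostgreSQL::Info`` have no description (``frontend``, ``frontend_arg``, ``backend``, ``backend_arg``, ``success``, ``rows``), and neither do ``PostgreSQL::State``, ``PostgreSQL::Version``, ``PostgreSQL::ports`` or ``PostgreSQL::finalize_postgresql``. For an analyzer that logs ``user`` and ``database``, these are exactly the columns an analyst will key on, so each needs a doc comment: ``success`` in particular should say which messages set it (the ``authentication_ok`` and ``error_response`` handlers at main.zeek 195-200 and 160-179 per the spicy-events hunk) and what an absent value means, ``rows`` should say it is the DataRow count accumulated in ``State$rows``, and ``ports`` should note that it is also merged into ``likely_server_ports`` as the Redefinitions table shows.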

@ -0,0 +1,293 @@
:tocdepth: 3
base/protocols/postgresql/spicy-events.zeek
===========================================
Events generated by the PostgreSQL analyzer.
Summary
~~~~~~~
Events
######
=========================================================================== =========================================================================
:zeek:id:`PostgreSQL::authentication_ok`: :zeek:type:`event` Event generated for backend authentication requests indicating successful
authentication.
:zeek:id:`PostgreSQL::authentication_request`: :zeek:type:`event` Event generated for backend authentication requests.
:zeek:id:`PostgreSQL::authentication_response`: :zeek:type:`event` Event generated for frontend authentication responses.
:zeek:id:`PostgreSQL::backend_key_data`: :zeek:type:`event` Generated for a BackendKeyData message for cancellation.
:zeek:id:`PostgreSQL::data_row`: :zeek:type:`event` Event generated for every backend DataRow message.
:zeek:id:`PostgreSQL::error_response`: :zeek:type:`event` Event generated for a ErrorResponse.
:zeek:id:`PostgreSQL::error_response_identified_field`: :zeek:type:`event` Event generated for identified field within an ErrorResponse.
:zeek:id:`PostgreSQL::not_implemented`: :zeek:type:`event` Event generated for not implemented messages.
:zeek:id:`PostgreSQL::notice_response`: :zeek:type:`event` Event generated for a NoticeResponse.
:zeek:id:`PostgreSQL::notice_response_identified_field`: :zeek:type:`event` Event generated for identified field within a NoticeResponse.
:zeek:id:`PostgreSQL::parameter_status`: :zeek:type:`event` Event generated for backend runtime parameter status reports.
:zeek:id:`PostgreSQL::ready_for_query`: :zeek:type:`event` Event generated for every backed ReadyForQuery message.
:zeek:id:`PostgreSQL::simple_query`: :zeek:type:`event` Event generated for every frontend SimpleQuery message.
:zeek:id:`PostgreSQL::ssl_reply`: :zeek:type:`event` Event generated for backend SSL reply.
:zeek:id:`PostgreSQL::ssl_request`: :zeek:type:`event` Event generated for frontend SSLRequest messages.
:zeek:id:`PostgreSQL::startup_message`: :zeek:type:`event` Event generated for a StartupMessage.
:zeek:id:`PostgreSQL::startup_parameter`: :zeek:type:`event` Event generated for every parameter in a StartupMessage.
:zeek:id:`PostgreSQL::terminate`: :zeek:type:`event` Event generated For a frontend Terminate message.
=========================================================================== =========================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: PostgreSQL::authentication_ok
:source-code: base/protocols/postgresql/main.zeek 195 200
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
Event generated for backend authentication requests indicating successful
authentication.
:param c: The connection.
.. zeek:see:: PostgreSQL::authentication_request
.. zeek:see:: PostgreSQL::authentication_response
.. zeek:id:: PostgreSQL::authentication_request
:source-code: base/protocols/postgresql/main.zeek 181 193
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, identifier: :zeek:type:`count`, data: :zeek:type:`string`)
Event generated for backend authentication requests.
:param c: The connection.
:param identifier: The identifier in the request.
:param data: The request data, if any.
.. zeek:see:: PostgreSQL::authentication_response
.. zeek:see:: PostgreSQL::authentication_ok
.. zeek:id:: PostgreSQL::authentication_response
:source-code: base/protocols/postgresql/spicy-events.zeek 44 44
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, data: :zeek:type:`string`)
Event generated for frontend authentication responses.
:param c: The connection.
:param data: The response data, if any.
.. zeek:see:: PostgreSQL::authentication_request
.. zeek:see:: PostgreSQL::authentication_ok
.. zeek:id:: PostgreSQL::backend_key_data
:source-code: base/protocols/postgresql/spicy-events.zeek 139 139
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, process_id: :zeek:type:`count`, secret_key: :zeek:type:`count`)
Generated for a BackendKeyData message for cancellation.
:param c: The connection.
:param process_id: The process ID of the backend.
:param secret_key: The secret key of the backend.
.. zeek:id:: PostgreSQL::data_row
:source-code: base/protocols/postgresql/main.zeek 222 229
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, column_values: :zeek:type:`count`)
Event generated for every backend DataRow message.
:param c: The connection.
:param column_values: The number of columns in this row.
.. zeek:id:: PostgreSQL::error_response
:source-code: base/protocols/postgresql/main.zeek 160 179
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
Event generated for a ErrorResponse.
:param c: The connection.
.. zeek:see:: PostgreSQL::error_response_identified_field
.. zeek:id:: PostgreSQL::error_response_identified_field
:source-code: base/protocols/postgresql/main.zeek 143 148
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, code: :zeek:type:`string`, value: :zeek:type:`string`)
Event generated for identified field within an ErrorResponse.
:param c: The connection.
:param code: The code (https://www.postgresql.org/docs/current/protocol-error-fields.html)
:param value: The field value.
.. zeek:see:: PostgreSQL::error_response
.. zeek:id:: PostgreSQL::not_implemented
:source-code: base/protocols/postgresql/spicy-events.zeek 147 147
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, typ: :zeek:type:`string`, chunk: :zeek:type:`string`)
Event generated for not implemented messages.
.. zeek:id:: PostgreSQL::notice_response
:source-code: base/protocols/postgresql/spicy-events.zeek 113 113
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
Event generated for a NoticeResponse.
:param c: The connection.
.. zeek:see:: PostgreSQL::notice_response_identified_field
.. zeek:id:: PostgreSQL::notice_response_identified_field
:source-code: base/protocols/postgresql/main.zeek 150 158
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, code: :zeek:type:`string`, value: :zeek:type:`string`)
Event generated for identified field within a NoticeResponse.
:param c: The connection.
:param code: The code (https://www.postgresql.org/docs/current/protocol-error-fields.html)
:param value: The field value.
.. zeek:see:: PostgreSQL::notice_response
.. zeek:id:: PostgreSQL::parameter_status
:source-code: base/protocols/postgresql/spicy-events.zeek 130 130
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, name: :zeek:type:`string`, value: :zeek:type:`string`)
Event generated for backend runtime parameter status reports.
:param c: The connection.
:param name: The name of the runtime parameter.
:param value: The current value of the parameter.
.. zeek:id:: PostgreSQL::ready_for_query
:source-code: base/protocols/postgresql/main.zeek 231 246
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, transaction_status: :zeek:type:`string`)
Event generated for every backed ReadyForQuery message.
:param c: The connection.
:param transaction_status: I (idle), T (in transaction block), E (error).
.. zeek:id:: PostgreSQL::simple_query
:source-code: base/protocols/postgresql/main.zeek 211 220
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, query: :zeek:type:`string`)
Event generated for every frontend SimpleQuery message.
:param c: The connection.
:param query: The query string.
.. zeek:id:: PostgreSQL::ssl_reply
:source-code: base/protocols/postgresql/main.zeek 114 122
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, data: :zeek:type:`string`)
Event generated for backend SSL reply.
:param c: The connection.
:param data: The server's reply: S for secure, N for unencrypted.
.. zeek:id:: PostgreSQL::ssl_request
:source-code: base/protocols/postgresql/main.zeek 108 112
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
Event generated for frontend SSLRequest messages.
:param c: The connection.
.. zeek:id:: PostgreSQL::startup_message
:source-code: base/protocols/postgresql/main.zeek 136 141
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, major: :zeek:type:`count`, minor: :zeek:type:`count`)
Event generated for a StartupMessage.
:param c: The connection.
:param major: The major protocol version.
:param minor: The minor protocol version.
.. zeek:id:: PostgreSQL::startup_parameter
:source-code: base/protocols/postgresql/main.zeek 124 134
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, name: :zeek:type:`string`, value: :zeek:type:`string`)
Event generated for every parameter in a StartupMessage.
:param c: The connection.
:param name: The name of the parameter.
:param value: The value of the parameter.
.. zeek:id:: PostgreSQL::terminate
:source-code: base/protocols/postgresql/main.zeek 202 209
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
Event generated For a frontend Terminate message.
:param c: The connection.
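Review bot: three wording slips in the event descriptions: ``error_response`` says "a ErrorResponse" in both the summary and the detail (should be "an ErrorResponse"), ``ready_for_query`` says "every backed ReadyForQuery message" ("backend"), and ``terminate`` says "Event generated For a frontend Terminate message" (lower-case "for"). ``PostgreSQL::not_implemented`` is also the only event here without ``:param`` entries; ``is_orig``, ``typ`` and ``chunk`` need the same treatment as the others, and the doc should say whether ``chunk`` is the complete raw message, since that determines whether a handler can log or hash unparsed traffic from it.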

@ -0,0 +1,14 @@
:tocdepth: 3
base/protocols/quic/__load__.zeek
=================================
:Imports: :doc:`base/protocols/quic/consts.zeek </scripts/base/protocols/quic/consts.zeek>`, :doc:`base/protocols/quic/main.zeek </scripts/base/protocols/quic/main.zeek>`, :doc:`base/protocols/quic/spicy-events.zeek </scripts/base/protocols/quic/spicy-events.zeek>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -0,0 +1,61 @@
:tocdepth: 3
base/protocols/quic/consts.zeek
===============================
.. zeek:namespace:: QUIC
:Namespace: QUIC
Summary
~~~~~~~
Constants
#########
================================================================================================== ==============================================================
:zeek:id:`QUIC::version_strings`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` A mapping from QUIC's raw version numbers to readable strings.
================================================================================================== ==============================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Constants
#########
.. zeek:id:: QUIC::version_strings
:source-code: base/protocols/quic/consts.zeek 7 7
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = :zeek:type:`function`
:Default:
::
{
[4207849486] = "mvfst (faceb00e)",
[4278190112] = "draft-32",
[4278190110] = "draft-30",
[4278190111] = "draft-30",
[4278190114] = "draft-34",
[4207849474] = "mvfst (faceb002)",
[4278190108] = "draft-28",
[4278190113] = "draft-33",
[4278190104] = "draft-24",
[4278190105] = "draft-25",
[1] = "1",
[1798521807] = "quicv2",
[4207849491] = "mvfst (faceb013)",
[4207849489] = "mvfst (faceb011)",
[4278190106] = "draft-26",
[4207849490] = "mvfst (faceb012)",
[4278190107] = "draft-27",
[4278190103] = "draft-23",
[4278190102] = "draft-22",
[4278190109] = "draft-29",
[4207849473] = "mvfst (faceb001)"
}
A mapping from QUIC's raw version numbers to readable strings.
Unexpected versions become "unknown-<hex>", with a hexadecimal
rendering of the version number.
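Review bot: one label in ``QUIC::version_strings`` is wrong. The draft versions are 0xff000000 plus the draft number, so 4278190110 (0xff00001e) is draft-30 and 4278190111 (0xff00001f) is draft-31, yet the table maps both keys to "draft-30"; the second should read "draft-31". Every other entry checks out against this rule (4278190102 = draft-22 through 4278190114 = draft-34, with 1 = v1 and 1798521807 = 0x6b3343cf = v2). Since this page is generated, the fix belongs in base/protocols/quic/consts.zeek, after which the doc regenerates.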

@ -0,0 +1,22 @@
:orphan:
Package: base/protocols/quic
============================
:doc:`/scripts/base/protocols/quic/__load__.zeek`
:doc:`/scripts/base/protocols/quic/spicy-events.zeek`
Events generated by the QUIC analyzer.
See See `RFC9000 <https://tools.ietf.org/html/rfc9000>`__.
:doc:`/scripts/base/protocols/quic/consts.zeek`
:doc:`/scripts/base/protocols/quic/main.zeek`
Implements base functionality for QUIC analysis. Generates quic.log.
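Review bot: duplicated word in the package summary: "See See `RFC9000 ...`" should be a single "See". The text is pulled from the module docstring of base/protocols/quic/spicy-events.zeek (the same sentence appears verbatim in that file's hunk), so fixing it once at the source corrects both places.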

@ -0,0 +1,176 @@
:tocdepth: 3
base/protocols/quic/main.zeek
=============================
.. zeek:namespace:: QUIC
Implements base functionality for QUIC analysis. Generates quic.log.
:Namespace: QUIC
:Imports: :doc:`base/frameworks/notice/weird.zeek </scripts/base/frameworks/notice/weird.zeek>`, :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`, :doc:`base/protocols/quic/consts.zeek </scripts/base/protocols/quic/consts.zeek>`
Summary
~~~~~~~
Runtime Options
###############
=========================================================================== ========================================
:zeek:id:`QUIC::max_history_length`: :zeek:type:`count` :zeek:attr:`&redef` The maximum length of the history field.
=========================================================================== ========================================
Types
#####
============================================ =
:zeek:type:`QUIC::Info`: :zeek:type:`record`
============================================ =
Redefinitions
#############
============================================ ======================================================
:zeek:type:`Log::ID`: :zeek:type:`enum`
* :zeek:enum:`QUIC::LOG`
:zeek:type:`connection`: :zeek:type:`record`
:New Fields: :zeek:type:`connection`
quic: :zeek:type:`QUIC::Info` :zeek:attr:`&optional`
============================================ ======================================================
Events
######
============================================= =
:zeek:id:`QUIC::log_quic`: :zeek:type:`event`
============================================= =
Hooks
#####
============================================================== =
:zeek:id:`QUIC::finalize_quic`: :zeek:type:`Conn::RemovalHook`
:zeek:id:`QUIC::log_policy`: :zeek:type:`Log::PolicyHook`
============================================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: QUIC::max_history_length
:source-code: base/protocols/quic/main.zeek 79 79
:Type: :zeek:type:`count`
:Attributes: :zeek:attr:`&redef`
:Default: ``100``
The maximum length of the history field.
Types
#####
.. zeek:type:: QUIC::Info
:source-code: base/protocols/quic/main.zeek 13 70
:Type: :zeek:type:`record`
.. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
Timestamp of first QUIC packet for this entry.
.. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
Unique ID for the connection.
.. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
The connection's 4-tuple of endpoint addresses/ports.
.. zeek:field:: version :zeek:type:`string` :zeek:attr:`&log`
QUIC version as found in the first INITIAL packet from
the client. This will often be "1" or "quicv2", but see
the :zeek:see:`QUIC::version_strings` table for details.
.. zeek:field:: client_initial_dcid :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
First Destination Connection ID used by client. This is
random and unpredictable, but used for packet protection
by client and server.
.. zeek:field:: client_scid :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Client's Source Connection ID from the first INITIAL packet.
.. zeek:field:: server_scid :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Server chosen Connection ID usually from server's first
INITIAL packet. This is to be used by the client in
subsequent packets.
.. zeek:field:: server_name :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Server name extracted from SNI extension in ClientHello
packet if available.
.. zeek:field:: client_protocol :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
First protocol extracted from ALPN extension in ClientHello
packet if available.
.. zeek:field:: history :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`
QUIC history.
Letters have the following meaning with client-sent
letters being capitalized:
====== ====================================================
Letter Meaning
====== ====================================================
I INIT packet
H HANDSHAKE packet
Z 0RTT packet
R RETRY packet
C CONNECTION_CLOSE packet
S SSL Client/Server Hello
U Unfamiliar QUIC version
====== ====================================================
.. zeek:field:: history_state :zeek:type:`vector` of :zeek:type:`string`
.. zeek:field:: logged :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
Events
######
.. zeek:id:: QUIC::log_quic
:source-code: base/protocols/quic/main.zeek 72 72
:Type: :zeek:type:`event` (rec: :zeek:type:`QUIC::Info`)
Hooks
#####
.. zeek:id:: QUIC::finalize_quic
:source-code: base/protocols/quic/main.zeek 229 235
:Type: :zeek:type:`Conn::RemovalHook`
.. zeek:id:: QUIC::log_policy
:source-code: base/protocols/quic/main.zeek 74 74
:Type: :zeek:type:`Log::PolicyHook`
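Review bot: ``history_state``, ``logged``, ``QUIC::log_quic`` and ``QUIC::finalize_quic`` have no doc comment, which leaves the Events and Hooks summary tables with an empty description column. ``max_history_length`` should also say what happens once the limit is reached (further letters dropped, or the field truncated), since anyone alerting on the ``history`` string needs to know it may be incomplete on long connections. Minor: the history legend says "INIT packet" while the events in spicy-events.zeek call it an Initial packet; using the RFC 9000 name in both places avoids confusion.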

@ -0,0 +1,176 @@
:tocdepth: 3
base/protocols/quic/spicy-events.zeek
=====================================
Events generated by the QUIC analyzer.
See See `RFC9000 <https://tools.ietf.org/html/rfc9000>`__.
Summary
~~~~~~~
Events
######
=========================================================== ============================================
:zeek:id:`QUIC::connection_close_frame`: :zeek:type:`event` Generated for a QUIC CONNECTION_CLOSE frame.
:zeek:id:`QUIC::handshake_packet`: :zeek:type:`event` Generated for a QUIC Handshake packet.
:zeek:id:`QUIC::initial_packet`: :zeek:type:`event` Generated for a QUIC Initial packet.
:zeek:id:`QUIC::retry_packet`: :zeek:type:`event` Generated for a QUIC Retry packet.
:zeek:id:`QUIC::unhandled_version`: :zeek:type:`event` Generated for an unrecognized QUIC version.
:zeek:id:`QUIC::zero_rtt_packet`: :zeek:type:`event` Generated for a QUIC 0-RTT packet.
=========================================================== ============================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. zeek:id:: QUIC::connection_close_frame
:source-code: base/protocols/quic/main.zeek 182 192
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, version: :zeek:type:`count`, dcid: :zeek:type:`string`, scid: :zeek:type:`string`, error_code: :zeek:type:`count`, reason_phrase: :zeek:type:`string`)
Generated for a QUIC CONNECTION_CLOSE frame.
:param c: The connection.
:param is_orig: True if the packet is from the the connection's originator.
:param version: The Version field.
:param dcid: The Destination Connection ID field.
:param scid: The Source Connection ID field.
:param error_code: Count indicating the reason for closing this connection.
:param reason_phrase: Additional diagnostic information for the closure.
.. note:: Packets with CONNECTION_CLOSE frames are usually encrypted after connection establishment and not visible to Zeek.
.. zeek:id:: QUIC::handshake_packet
:source-code: base/protocols/quic/main.zeek 142 146
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, version: :zeek:type:`count`, dcid: :zeek:type:`string`, scid: :zeek:type:`string`)
Generated for a QUIC Handshake packet.
:param c: The connection.
:param is_orig: True if the packet is from the the connection's originator.
:param version: The Version field.
:param dcid: The Destination Connection ID field.
:param scid: The Source Connection ID field.
.. zeek:id:: QUIC::initial_packet
:source-code: base/protocols/quic/main.zeek 136 140
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, version: :zeek:type:`count`, dcid: :zeek:type:`string`, scid: :zeek:type:`string`)
Generated for a QUIC Initial packet.
:param c: The connection.
:param is_orig: True if the packet is from the the connection's originator.
:param version: The Version field.
:param dcid: The Destination Connection ID field.
:param scid: The Source Connection ID field.
.. zeek:id:: QUIC::retry_packet
:source-code: base/protocols/quic/main.zeek 155 165
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, version: :zeek:type:`count`, dcid: :zeek:type:`string`, scid: :zeek:type:`string`, retry_token: :zeek:type:`string`, retry_integrity_tag: :zeek:type:`string`)
Generated for a QUIC Retry packet.
:param c: The connection.
:param is_orig: True if the packet is from the the connection's originator.
:param version: The Version field.
:param dcid: The Destination Connection ID field.
:param scid: The Source Connection ID field.
:param retry_token: The Retry Token field.
:param integrity_tag: The Retry Integrity Tag field.
.. zeek:id:: QUIC::unhandled_version
:source-code: base/protocols/quic/main.zeek 168 178
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, version: :zeek:type:`count`, dcid: :zeek:type:`string`, scid: :zeek:type:`string`)
Generated for an unrecognized QUIC version.
:param c: The connection.
:param is_orig: True if the packet is from the the connection's originator.
:param version: The Version field.
:param dcid: The Destination Connection ID field.
:param scid: The Source Connection ID field.
.. zeek:id:: QUIC::zero_rtt_packet
:source-code: base/protocols/quic/main.zeek 148 152
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`, version: :zeek:type:`count`, dcid: :zeek:type:`string`, scid: :zeek:type:`string`)
Generated for a QUIC 0-RTT packet.
:param c: The connection.
:param is_orig: True if the packet is from the the connection's originator.
:param version: The Version field.
:param dcid: The Destination Connection ID field.
:param scid: The Source Connection ID field.
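Review bot: the QUIC event docs carry typos that will come back on every regeneration unless they are fixed in the doc comments of base/protocols/quic/main.zeek rather than in this generated file: "See See `RFC9000`" doubles the word, all six events say "from the the connection's originator", and QUIC::retry_packet documents `:param integrity_tag:` while its signature names the argument `retry_integrity_tag`, so the parameter description does not match the event. Suggest correcting the source comments and regenerating.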


@ -0,0 +1,14 @@
:tocdepth: 3
base/protocols/radius/__load__.zeek
===================================
:Imports: :doc:`base/protocols/radius/main.zeek </scripts/base/protocols/radius/main.zeek>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~


@ -0,0 +1,15 @@
:tocdepth: 3
base/protocols/radius/consts.zeek
=================================
.. zeek:namespace:: RADIUS
:Namespace: RADIUS
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~


@ -0,0 +1,17 @@
:orphan:
Package: base/protocols/radius
==============================
Support for RADIUS protocol analysis.
:doc:`/scripts/base/protocols/radius/__load__.zeek`
:doc:`/scripts/base/protocols/radius/main.zeek`
Implements base functionality for RADIUS analysis. Generates the radius.log file.
:doc:`/scripts/base/protocols/radius/consts.zeek`


@ -0,0 +1,154 @@
:tocdepth: 3
base/protocols/radius/main.zeek
===============================
.. zeek:namespace:: RADIUS
Implements base functionality for RADIUS analysis. Generates the radius.log file.
:Namespace: RADIUS
:Imports: :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`, :doc:`base/protocols/radius/consts.zeek </scripts/base/protocols/radius/consts.zeek>`, :doc:`base/utils/addrs.zeek </scripts/base/utils/addrs.zeek>`
Summary
~~~~~~~
Types
#####
============================================== =
:zeek:type:`RADIUS::Info`: :zeek:type:`record`
============================================== =
Redefinitions
#############
==================================================================== ==========================================================
:zeek:type:`Log::ID`: :zeek:type:`enum`
* :zeek:enum:`RADIUS::LOG`
:zeek:type:`connection`: :zeek:type:`record`
:New Fields: :zeek:type:`connection`
radius: :zeek:type:`RADIUS::Info` :zeek:attr:`&optional`
:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef`
==================================================================== ==========================================================
Events
######
================================================= ======================================================================
:zeek:id:`RADIUS::log_radius`: :zeek:type:`event` Event that can be handled to access the RADIUS record as it is sent on
to the logging framework.
================================================= ======================================================================
Hooks
#####
================================================================== =========================
:zeek:id:`RADIUS::finalize_radius`: :zeek:type:`Conn::RemovalHook` RADIUS finalization hook.
:zeek:id:`RADIUS::log_policy`: :zeek:type:`Log::PolicyHook`
================================================================== =========================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. zeek:type:: RADIUS::Info
:source-code: base/protocols/radius/main.zeek 14 49
:Type: :zeek:type:`record`
.. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
Timestamp for when the event happened.
.. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
Unique ID for the connection.
.. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
The connection's 4-tuple of endpoint addresses/ports.
.. zeek:field:: username :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
The username, if present.
.. zeek:field:: mac :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
MAC address, if present.
.. zeek:field:: framed_addr :zeek:type:`addr` :zeek:attr:`&log` :zeek:attr:`&optional`
The address given to the network access server, if
present. This is only a hint from the RADIUS server
and the network access server is not required to honor
the address.
.. zeek:field:: tunnel_client :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Address (IPv4, IPv6, or FQDN) of the initiator end of the tunnel,
if present. This is collected from the Tunnel-Client-Endpoint
attribute.
.. zeek:field:: connect_info :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Connect info, if present.
.. zeek:field:: reply_msg :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Reply message from the server challenge. This is
frequently shown to the user authenticating.
.. zeek:field:: result :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Successful or failed authentication.
.. zeek:field:: ttl :zeek:type:`interval` :zeek:attr:`&log` :zeek:attr:`&optional`
The duration between the first request and
either the "Access-Accept" message or an error.
If the field is empty, it means that either
the request or response was not seen.
.. zeek:field:: logged :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
Whether this has already been logged and can be ignored.
Events
######
.. zeek:id:: RADIUS::log_radius
:source-code: base/protocols/radius/main.zeek 53 53
:Type: :zeek:type:`event` (rec: :zeek:type:`RADIUS::Info`)
Event that can be handled to access the RADIUS record as it is sent on
to the logging framework.
Hooks
#####
.. zeek:id:: RADIUS::finalize_radius
:source-code: base/protocols/radius/main.zeek 148 155
:Type: :zeek:type:`Conn::RemovalHook`
RADIUS finalization hook. Remaining RADIUS info may get logged when it's called.
.. zeek:id:: RADIUS::log_policy
:source-code: base/protocols/radius/main.zeek 12 12
:Type: :zeek:type:`Log::PolicyHook`


@ -0,0 +1,14 @@
:tocdepth: 3
base/protocols/rdp/__load__.zeek
================================
:Imports: :doc:`base/protocols/rdp/consts.zeek </scripts/base/protocols/rdp/consts.zeek>`, :doc:`base/protocols/rdp/main.zeek </scripts/base/protocols/rdp/main.zeek>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~


@ -0,0 +1,567 @@
:tocdepth: 3
base/protocols/rdp/consts.zeek
==============================
.. zeek:namespace:: RDP
:Namespace: RDP
Summary
~~~~~~~
Constants
#########
==================================================================================================== =
:zeek:id:`RDP::builds`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`
:zeek:id:`RDP::cert_types`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`
:zeek:id:`RDP::color_depths`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`
:zeek:id:`RDP::encryption_levels`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`
:zeek:id:`RDP::encryption_methods`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`
:zeek:id:`RDP::failure_codes`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`
:zeek:id:`RDP::high_color_depths`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`
:zeek:id:`RDP::languages`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`
:zeek:id:`RDP::results`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`
:zeek:id:`RDP::security_protocols`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`
==================================================================================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Constants
#########
.. zeek:id:: RDP::builds
:source-code: base/protocols/rdp/consts.zeek 5 5
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = :zeek:type:`function`
:Default:
::
{
[2195] = "RDP 5.0",
[7601] = "RDP 7.1",
[6001] = "RDP 6.1",
[6000] = "RDP 6.0",
[419] = "RDP 4.0",
[25282] = "RDP 8.0 (Mac)",
[3790] = "RDP 5.2",
[2600] = "RDP 5.1",
[6002] = "RDP 6.2",
[2221] = "RDP 5.0",
[7600] = "RDP 7.0",
[9600] = "RDP 8.1",
[25189] = "RDP 8.0 (Mac)",
[9200] = "RDP 8.0"
}
.. zeek:id:: RDP::cert_types
:source-code: base/protocols/rdp/consts.zeek 38 38
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = :zeek:type:`function`
:Default:
::
{
[2] = "X.509",
[1] = "RSA"
}
.. zeek:id:: RDP::color_depths
:source-code: base/protocols/rdp/consts.zeek 67 67
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = :zeek:type:`function`
:Default:
::
{
[8] = "32bit",
[4] = "15bit",
[2] = "16bit",
[1] = "24bit"
}
.. zeek:id:: RDP::encryption_levels
:source-code: base/protocols/rdp/consts.zeek 51 51
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = :zeek:type:`function`
:Default:
::
{
[0] = "None",
[2] = "Client compatible",
[4] = "FIPS",
[1] = "Low",
[3] = "High"
}
.. zeek:id:: RDP::encryption_methods
:source-code: base/protocols/rdp/consts.zeek 43 43
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = :zeek:type:`function`
:Default:
::
{
[0] = "None",
[10] = "FIPS",
[8] = "56bit",
[2] = "128bit",
[1] = "40bit"
}
.. zeek:id:: RDP::failure_codes
:source-code: base/protocols/rdp/consts.zeek 29 29
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = :zeek:type:`function`
:Default:
::
{
[2] = "SSL_NOT_ALLOWED_BY_SERVER",
[5] = "HYBRID_REQUIRED_BY_SERVER",
[3] = "SSL_CERT_NOT_ON_SERVER",
[6] = "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
[4] = "INCONSISTENT_FLAGS",
[1] = "SSL_REQUIRED_BY_SERVER"
}
.. zeek:id:: RDP::high_color_depths
:source-code: base/protocols/rdp/consts.zeek 59 59
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = :zeek:type:`function`
:Default:
::
{
[15] = "15bit",
[16] = "16bit",
[8] = "8bit",
[4] = "4bit",
[24] = "24bit"
}
.. zeek:id:: RDP::languages
:source-code: base/protocols/rdp/consts.zeek 84 84
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = :zeek:type:`function`
:Default:
::
{
[1154] = "Occitan",
[66628] = "Tatar",
[6153] = "English - Ireland",
[658432] = "Phags-pa",
[1080] = "Faroese",
[67596] = "Belgian (Comma)",
[11273] = "English - Trinidad",
[71689] = "Scottish Gaelic",
[263177] = "English - United States (Dvorak for right hand)",
[1117184] = "Javanese",
[1153] = "Maori - New Zealand",
[1155] = "Corsican",
[14337] = "Arabic - U.A.E.",
[1140] = "Guarani - Paraguay",
[66652] = "Cherokee Nation Phonetic",
[1033] = "English - United States",
[1129] = "Ibibio - Nigeria",
[1053] = "Swedish",
[12314] = "Serbian (Cyrillic) - Montenegro",
[1134] = "Luxembourgish",
[12297] = "English - Zimbabwe",
[3079] = "German - Austria",
[2070] = "Portuguese - Portugal",
[66569] = "English - United States (Dvorak)",
[5124] = "Chinese - Macao SAR",
[68608] = "Myanmar",
[1070] = "Sorbian",
[1079] = "Georgian",
[9226] = "Spanish - Colombia",
[1089] = "Swahili",
[66650] = "Syriac Phonetic",
[1105] = "Tibetan - People's Republic of China",
[17417] = "English - Malaysia",
[1164] = "Dari",
[9242] = "Serbian (Latin) - Serbia",
[1064] = "Tajik",
[14346] = "Spanish - Uruguay",
[66604] = "Azerbaijani (Standard)",
[1109] = "Burmese",
[1158] = "K'iche",
[1075] = "Venda",
[4122] = "Croatian (Bosnia/Herzegovina)",
[1128] = "Hausa - Nigeria",
[1137] = "Kanuri - Nigeria",
[66606] = "Sorbian Extended",
[986112] = "Old Italic",
[2141] = "Inuktitut (Latin) - Canada",
[10249] = "English - Belize",
[66565] = "Czech (QWERTY)",
[11265] = "Arabic - Jordan",
[197634] = "Bulgarian",
[1081] = "Hindi",
[1036] = "French - France",
[1093] = "Bengali (India)",
[132139] = "Armenian Phonetic",
[4097] = "Arabic - Libya",
[1133] = "Bashkir",
[7227] = "Sami (Southern) - Sweden",
[1039] = "Icelandic",
[5146] = "Bosnian (Bosnia/Herzegovina)",
[1059] = "Belarusian",
[1088] = "Kyrgyz (Cyrillic)",
[17418] = "Spanish - El Salvador",
[22538] = "Spanish - Latin America",
[6156] = "French - Monaco",
[66568] = "Uyghur",
[66641] = "Tibetan (PRC - Standard)",
[132105] = "English - United States (International)",
[66562] = "Bulgarian (Latin)",
[1091] = "Uzbek (Latin)",
[2128] = "Mongolian (Mongolian)",
[66590] = "Thai Pattachote",
[1043] = "Dutch - Netherlands",
[132098] = "Bulgarian (phonetic layout)",
[1052] = "Albanian - Albania",
[1029] = "Czech",
[2145] = "Nepali - India",
[6154] = "Spanish - Panama",
[197662] = "Thai Pattachote (non-ShiftLock)",
[1115] = "Sinhalese - Sri Lanka",
[328745] = "Persian (Standard)",
[132134] = "Latvian (Standard)",
[1135] = "Greenlandic",
[9228] = "French - Democratic Rep. of Congo",
[4155] = "Sami (Lule) - Norway",
[66619] = "Sami Extended Norway",
[1090] = "Turkmen",
[66615] = "Georgian (QWERTY)",
[199680] = "Tai Le",
[1152] = "Uighur - China",
[1065] = "Farsi",
[10266] = "Serbian (Cyrillic) - Serbia",
[3098] = "Serbian (Cyrillic)",
[132151] = "Georgian (Ergonomic)",
[2144] = "Kashmiri",
[10241] = "Arabic - Syria",
[2064] = "Italian - Switzerland",
[1047] = "Rhaeto-Romanic",
[1160] = "Wolof",
[66688] = "Uyghur",
[3076] = "Chinese - Hong Kong SAR",
[2067] = "Dutch - Belgium",
[13313] = "Arabic - Kuwait",
[132165] = "Bangla (India)",
[132142] = "Sorbian Standard",
[2049] = "Arabic - Iraq",
[132130] = "Ukrainian (Enhanced)",
[3073] = "Arabic - Egypt",
[1030] = "Danish",
[15370] = "Spanish - Paraguay",
[1131] = "Quecha - Bolivia",
[1077] = "Zulu",
[16394] = "Spanish - Bolivia",
[132135] = "Lithuanian Standard",
[1026] = "Bulgarian",
[2055] = "German - Switzerland",
[1082] = "Maltese",
[8204] = "French - Reunion",
[1071] = "FYRO Macedonian",
[8218] = "Bosnian (Cyrillic) - Bosnia and Herzegovina",
[12300] = "French - Cote d'Ivoire",
[461824] = "Lisu (Basic)",
[13321] = "English - Philippines",
[1121] = "Nepali",
[20490] = "Spanish - Puerto Rico",
[3084] = "French - Canada",
[69641] = "Canadian Multilingual Standard",
[2155] = "Quecha - Ecuador",
[1114] = "Syriac",
[1066] = "Vietnamese",
[1092] = "Tatar",
[5132] = "French - Luxembourg",
[1132] = "Sepedi",
[263176] = "Greek (319) Latin",
[14348] = "French - Morocco",
[2074] = "Serbian (Latin)",
[1098] = "Telugu",
[1156] = "Alsatian",
[1055] = "Turkish",
[7178] = "Spanish - Dominican Republic",
[9275] = "Sami (Inari) - Finland",
[1083] = "Sami (Lappish)",
[4106] = "Spanish - Guatemala",
[3081] = "English - Australia",
[5129] = "English - New Zealand",
[1146] = "Mapudungun",
[1037] = "Hebrew",
[66598] = "Latvian (Legacy)",
[1182720] = "Futhark",
[1159] = "Kinyarwanda",
[2057] = "English - United Kingdom",
[2108] = "Irish",
[1032] = "Greek",
[1049] = "Russian",
[2058] = "Spanish - Mexico",
[132101] = "Czech Programmers",
[132097] = "Arabic (102) AZERTY",
[1067] = "Armenian - Armenia",
[1054] = "Thai",
[1143] = "Somali",
[1031] = "German - Germany",
[4108] = "French - Switzerland",
[1103] = "Sanskrit",
[15369] = "English - Hong Kong SAR",
[133200] = "Mongolian (Mongolian Script - Standard)",
[66585] = "Russian (Typewriter)",
[197675] = "Armenian Typewriter",
[9225] = "English - Caribbean",
[2151] = "Pular - Senegal",
[66561] = "Arabic (102)",
[330752] = "Tifinagh (Basic)",
[3153] = "Dzongkha",
[66607] = "Macedonia (FYROM) - Standard",
[1097] = "Tamil",
[8201] = "English - Jamaica",
[15361] = "Arabic - Bahrain",
[4191] = "Central Atlas Tamazight (Tifinagh) - Morocco",
[2115] = "Uzbek (Cyrillic)",
[1062] = "Latvian",
[4105] = "English - Canada",
[1120] = "Kashmiri (Arabic)",
[7169] = "Arabic - Tunisia",
[2143] = "Tamazight (Latin)",
[2118] = "Punjabi (Pakistan)",
[13324] = "French - Mali",
[66599] = "Lithuanian",
[3082] = "Spanish - Spain (Modern Sort)",
[8202] = "Spanish - Venezuela",
[12289] = "Arabic - Lebanon",
[7180] = "French - West Indies",
[66629] = "Bangla (India - Legacy)",
[67643] = "Finnish with Sami",
[1142] = "Latin",
[1074] = "Tswana",
[1058] = "Ukrainian",
[5130] = "Spanish - Costa Rica",
[66603] = "Armenian Western",
[1141] = "Hawaiian - United States",
[1042] = "Korean",
[8193] = "Arabic - Oman",
[1086] = "Malay - Malaysia",
[1106] = "Welsh",
[197641] = "English - United States (Dvorak for left hand)",
[66643] = "Khmer (NIDA)",
[1122] = "French - West Indies",
[1095] = "Gujarati",
[18442] = "Spanish - Honduras",
[1099] = "Kannada",
[1087] = "Kazakh",
[1094] = "Punjabi",
[1035] = "Finnish",
[66581] = "Polish (214)",
[11274] = "Spanish - Argentina",
[1069] = "Basque",
[1111] = "Konkani",
[1126] = "Edo",
[3131] = "Sami (Northern) - Finland",
[10252] = "French - Senegal",
[1078] = "Afrikaans - South Africa",
[1068] = "Azeri (Latin)",
[592896] = "N'ko",
[1124] = "Filipino",
[2080] = "Urdu - India",
[2052] = "Chinese - People's Republic of China",
[1044] = "Norwegian (Bokmal)",
[2068] = "Norwegian (Nynorsk)",
[7177] = "English - South Africa",
[1051648] = "Sora",
[1034] = "Spanish - Spain (Traditional Sort)",
[1028] = "Chinese - Taiwan",
[66587] = "Slovak (QWERTY)",
[133179] = "Sami Extended Finland-Sweden",
[11290] = "Serbian (Latin) - Montenegro",
[1084] = "Scottish Gaelic",
[13322] = "Spanish - Chile",
[132126] = "Thai Kedmanee (non-ShiftLock)",
[6170] = "Serbian (Latin) - Bosnia and Herzegovina",
[66584] = "Romanian (Standard)",
[1051] = "Slovak",
[66618] = "Maltese 48-key",
[1096] = "Oriya",
[2110] = "Malay - Brunei Darussalam",
[31748] = "Chinese - Traditional",
[328712] = "Greek Latin",
[1116] = "Cherokee - United States",
[396288] = "Tifinagh (Full)",
[66567] = "German (IBM)",
[58380] = "French - North Africa",
[1038] = "Hungarian",
[1061] = "Estonian",
[16385] = "Arabic - Qatar",
[527360] = "Lisu (Standard)",
[1112] = "Manipuri",
[789504] = "Gothic",
[2060] = "French - Belgium",
[16393] = "English - India",
[132120] = "Romanian (Programmers)",
[1025] = "Arabic - Saudi Arabia",
[1119] = "Tamazight (Arabic)",
[1104] = "Mongolian (Cyrillic)",
[2129] = "Tibetan - Bhutan",
[15372] = "French - Haiti",
[1073] = "Tsonga",
[66617] = "Hindi Traditional",
[6203] = "Sami (Southern) - Norway",
[19466] = "Spanish - Nicaragua",
[5179] = "Sami (Lule) - Sweden",
[6145] = "Arabic - Morocco",
[1117] = "Inuktitut",
[1138] = "Oromo",
[197687] = "Georgian Ministry of Education and Science Schools",
[263170] = "Bulgarian (phonetic traditional)",
[920576] = "Osmanya",
[10250] = "Spanish - Peru",
[1041] = "Japanese",
[4100] = "Chinese - Singapore",
[21514] = "Spanish - United States",
[1056] = "Urdu",
[2121] = "Tamil - Sri Lanka",
[1100] = "Malayalam",
[1102] = "Marathi",
[1125] = "Divehi",
[1101] = "Assamese",
[132121] = "Russian - Mnemonic",
[2137] = "Sindhi - Pakistan",
[2072] = "Romanian - Moldava",
[2092] = "Azeri (Cyrillic)",
[1130] = "Yoruba",
[1127] = "Fulfulde - Nigeria",
[1148] = "Mohawk",
[66576] = "Italian (142)",
[1139] = "Tigrigna - Ethiopia",
[1048] = "Romanian",
[12298] = "Spanish - Ecuador",
[66570] = "Spanish Variation",
[1110] = "Galician",
[5121] = "Arabic - Algeria",
[18441] = "English - Singapore",
[2077] = "Swedish - Finland",
[1076] = "Xhosa",
[66582] = "Portuguese (Brazilian ABNT2)",
[1108] = "Lao",
[2073] = "Russian - Moldava",
[263223] = "Georgian (Old Alphabets)",
[1136] = "Igbo - Nigeria",
[197640] = "Greek (220) Latin",
[1150] = "Breton",
[1113] = "Sindhi - India",
[1050] = "Croatian",
[1157] = "Yakut",
[4103] = "German - Luxembourg",
[394248] = "Greek Polytonic",
[132104] = "Greek (319)",
[1123] = "Pashto",
[66651] = "Sinhala - wij 9",
[8251] = "Sami (Skolt) - Finland",
[1057] = "Indonesian",
[2163] = "Tigrigna - Eritrea",
[11276] = "French - Cameroon",
[9217] = "Arabic - Yemen",
[1107] = "Khmer",
[2117] = "Bengali (Bangladesh)",
[1063] = "Lithuanian",
[1085] = "Yiddish",
[14345] = "English - Indonesia",
[855040] = "Ol Chiki",
[1279] = "HID (Human Interface Device)",
[1072] = "Sutu",
[2107] = "Sami (Northern) - Sweden",
[3179] = "Quecha - Peru\x09CB",
[1145] = "Papiamentu",
[5127] = "German - Liechtenstein",
[66574] = "Hungarian 101-key",
[1144] = "Yi",
[66653] = "Inuktitut - Naqittaut",
[1027] = "Catalan",
[1060] = "Slovenian",
[1046] = "Portuguese - Brazil",
[1118] = "Amharic - Ethiopia",
[723968] = "Buginese",
[1040] = "Italian - Italy",
[66661] = "Divehi Typewriter",
[134144] = "New Tai Lue",
[66591] = "Turkish F",
[1045] = "Polish"
}
.. zeek:id:: RDP::results
:source-code: base/protocols/rdp/consts.zeek 74 74
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = :zeek:type:`function`
:Default:
::
{
[0] = "Success",
[2] = "Resources not available",
[4] = "Locked conference",
[1] = "User rejected",
[3] = "Rejected for symmetry breaking"
}
.. zeek:id:: RDP::security_protocols
:source-code: base/protocols/rdp/consts.zeek 22 22
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = :zeek:type:`function`
:Default:
::
{
[0] = "RDP",
[8] = "HYBRID_EX",
[2] = "HYBRID",
[1] = "SSL"
}
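Review bot: in RDP::encryption_methods the key for "FIPS" looks wrong: the other keys (1, 2, 8) are the MS-RDPBCGR encryptionMethods bit flags, and MS-RDPBCGR defines ENCRYPTION_METHOD_FIPS as 0x00000010, i.e. 16, not 10; as keyed, a session that negotiates FIPS would fall through to the table's &default function instead of logging "FIPS", so check whether this was meant to be hex. Separately, in RDP::languages the entry `[3179] = "Quecha - Peru\x09CB"` carries an embedded tab and a stray "CB" suffix, and "Quecha" (three entries) and "Moldava" (two entries) are misspellings of Quechua and Moldova. These are data in base/protocols/rdp/consts.zeek and should be fixed there and regenerated rather than patched in this output.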


@ -0,0 +1,17 @@
:orphan:
Package: base/protocols/rdp
===========================
Support for Remote Desktop Protocol (RDP) analysis.
:doc:`/scripts/base/protocols/rdp/__load__.zeek`
:doc:`/scripts/base/protocols/rdp/consts.zeek`
:doc:`/scripts/base/protocols/rdp/main.zeek`
Implements base functionality for RDP analysis. Generates the rdp.log file.


@ -0,0 +1,249 @@
:tocdepth: 3
base/protocols/rdp/main.zeek
============================
.. zeek:namespace:: RDP
Implements base functionality for RDP analysis. Generates the rdp.log file.
:Namespace: RDP
:Imports: :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`, :doc:`base/protocols/rdp/consts.zeek </scripts/base/protocols/rdp/consts.zeek>`
Summary
~~~~~~~
Runtime Options
###############
======================================================================================= ==================================================================
:zeek:id:`RDP::disable_analyzer_after_detection`: :zeek:type:`bool` :zeek:attr:`&redef` If true, detach the RDP analyzer from the connection to prevent
continuing to process encrypted traffic.
:zeek:id:`RDP::rdp_check_interval`: :zeek:type:`interval` :zeek:attr:`&redef` The amount of time to monitor an RDP session from when it is first
identified.
======================================================================================= ==================================================================
Types
#####
=========================================== =
:zeek:type:`RDP::Info`: :zeek:type:`record`
=========================================== =
Redefinitions
#############
==================================================================== ==============================================================================
:zeek:type:`Log::ID`: :zeek:type:`enum`
* :zeek:enum:`RDP::LOG`
:zeek:type:`RDP::Info`: :zeek:type:`record`
:New Fields: :zeek:type:`RDP::Info`
analyzer_id: :zeek:type:`count` :zeek:attr:`&optional`
The analyzer ID used for the analyzer instance attached
to each connection.
done: :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
Track status of logging RDP connections.
:zeek:type:`connection`: :zeek:type:`record`
:New Fields: :zeek:type:`connection`
rdp: :zeek:type:`RDP::Info` :zeek:attr:`&optional`
:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef`
==================================================================== ==============================================================================
Events
######
=========================================== ===================================================================
:zeek:id:`RDP::log_rdp`: :zeek:type:`event` Event that can be handled to access the rdp record as it is sent on
to the logging framework.
=========================================== ===================================================================
Hooks
#####
============================================================ ======================
:zeek:id:`RDP::finalize_rdp`: :zeek:type:`Conn::RemovalHook` RDP finalization hook.
:zeek:id:`RDP::log_policy`: :zeek:type:`Log::PolicyHook`
============================================================ ======================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: RDP::disable_analyzer_after_detection
:source-code: base/protocols/rdp/main.zeek 67 67
:Type: :zeek:type:`bool`
:Attributes: :zeek:attr:`&redef`
:Default: ``F``
If true, detach the RDP analyzer from the connection to prevent
continuing to process encrypted traffic.
.. zeek:id:: RDP::rdp_check_interval
:source-code: base/protocols/rdp/main.zeek 71 71
:Type: :zeek:type:`interval`
:Attributes: :zeek:attr:`&redef`
:Default: ``10.0 secs``
The amount of time to monitor an RDP session from when it is first
identified. When this interval is reached, the session is logged.
Types
#####
.. zeek:type:: RDP::Info
:source-code: base/protocols/rdp/main.zeek 13 63
:Type: :zeek:type:`record`
.. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
Timestamp for when the event happened.
.. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
Unique ID for the connection.
.. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
The connection's 4-tuple of endpoint addresses/ports.
.. zeek:field:: cookie :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Cookie value used by the client machine.
This is typically a username, but note that it will often
be truncated on the wire, to a maximum of 9 characters.
.. zeek:field:: result :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Status result for the connection. It's a mix between
RDP negotiation failure messages and GCC server create
response messages.
.. zeek:field:: security_protocol :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Security protocol chosen by the server.
.. zeek:field:: client_channels :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
The channels requested by the client
.. zeek:field:: keyboard_layout :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Keyboard layout (language) of the client machine.
.. zeek:field:: client_build :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
RDP client version used by the client machine.
.. zeek:field:: client_name :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Name of the client machine.
.. zeek:field:: client_dig_product_id :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Product ID of the client machine.
.. zeek:field:: desktop_width :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
Desktop width of the client machine.
.. zeek:field:: desktop_height :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
Desktop height of the client machine.
.. zeek:field:: requested_color_depth :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
The color depth requested by the client in
the high_color_depth field.
.. zeek:field:: cert_type :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
If the connection is being encrypted with native
RDP encryption, this is the type of cert
being used.
.. zeek:field:: cert_count :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
The number of certs seen. X.509 can transfer an
entire certificate chain.
.. zeek:field:: cert_permanent :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&optional`
Indicates if the provided certificate or certificate
chain is permanent or temporary.
.. zeek:field:: encryption_level :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Encryption level of the connection.
.. zeek:field:: encryption_method :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Encryption method of the connection.
.. zeek:field:: analyzer_id :zeek:type:`count` :zeek:attr:`&optional`
The analyzer ID used for the analyzer instance attached
to each connection. It is not used for logging since it's a
meaningless arbitrary number.
.. zeek:field:: done :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
Track status of logging RDP connections.
.. zeek:field:: ssl :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/rdp/indicate_ssl.zeek` is loaded)
Flag the connection if it was seen over SSL.
Events
######
.. zeek:id:: RDP::log_rdp
:source-code: base/protocols/rdp/main.zeek 75 75
:Type: :zeek:type:`event` (rec: :zeek:type:`RDP::Info`)
Event that can be handled to access the rdp record as it is sent on
to the logging framework.
Hooks
#####
.. zeek:id:: RDP::finalize_rdp
:source-code: base/protocols/rdp/main.zeek 296 303
:Type: :zeek:type:`Conn::RemovalHook`
RDP finalization hook. Remaining RDP info may get logged when it's called.
.. zeek:id:: RDP::log_policy
:source-code: base/protocols/rdp/main.zeek 11 11
:Type: :zeek:type:`Log::PolicyHook`

Some files were not shown because too many files have changed in this diff.