Copy docs into Zeek repo directly

This is based on commit 2731def9159247e6da8a3191783c89683363689c from the
zeek-docs repo.
Tim Wojtulewicz 2025-09-15 15:52:18 -07:00
parent 83f1e74643
commit ded98cd373
1074 changed files with 169319 additions and 0 deletions

@ -0,0 +1,14 @@
:tocdepth: 3
base/protocols/ftp/__load__.zeek
================================
:Imports: :doc:`base/protocols/ftp/files.zeek </scripts/base/protocols/ftp/files.zeek>`, :doc:`base/protocols/ftp/gridftp.zeek </scripts/base/protocols/ftp/gridftp.zeek>`, :doc:`base/protocols/ftp/info.zeek </scripts/base/protocols/ftp/info.zeek>`, :doc:`base/protocols/ftp/main.zeek </scripts/base/protocols/ftp/main.zeek>`, :doc:`base/protocols/ftp/utils-commands.zeek </scripts/base/protocols/ftp/utils-commands.zeek>`, :doc:`base/protocols/ftp/utils.zeek </scripts/base/protocols/ftp/utils.zeek>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -0,0 +1,49 @@
:tocdepth: 3
base/protocols/ftp/files.zeek
=============================
.. zeek:namespace:: FTP
:Namespace: FTP
:Imports: :doc:`base/frameworks/files </scripts/base/frameworks/files/index>`, :doc:`base/protocols/ftp/info.zeek </scripts/base/protocols/ftp/info.zeek>`, :doc:`base/protocols/ftp/main.zeek </scripts/base/protocols/ftp/main.zeek>`, :doc:`base/protocols/ftp/utils.zeek </scripts/base/protocols/ftp/utils.zeek>`, :doc:`base/utils/conn-ids.zeek </scripts/base/utils/conn-ids.zeek>`
Summary
~~~~~~~
Redefinitions
#############
============================================================= ====================================================
:zeek:type:`fa_file`: :zeek:type:`record` :zeek:attr:`&redef`
:New Fields: :zeek:type:`fa_file`
ftp: :zeek:type:`FTP::Info` :zeek:attr:`&optional`
============================================================= ====================================================
Functions
#########
====================================================== =====================================
:zeek:id:`FTP::describe_file`: :zeek:type:`function` Describe the file being transferred.
:zeek:id:`FTP::get_file_handle`: :zeek:type:`function` Default file handle provider for FTP.
====================================================== =====================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: FTP::describe_file
:source-code: base/protocols/ftp/files.zeek 29 41
:Type: :zeek:type:`function` (f: :zeek:type:`fa_file`) : :zeek:type:`string`
Describe the file being transferred.
.. zeek:id:: FTP::get_file_handle
:source-code: base/protocols/ftp/files.zeek 21 27
:Type: :zeek:type:`function` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`) : :zeek:type:`string`
Default file handle provider for FTP.
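Review bot: FTP::describe_file and FTP::get_file_handle in the Detailed Interface carry only a one-line description, with no :param: or :returns: text, so a reader cannot tell what string either function returns or what is_orig selects. These pages are generated from the script comments, so add the parameter and return documentation in base/protocols/ftp/files.zeek and regenerate. The fa_file redefinition row in the Summary also has an empty description column for the new ftp field.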

@ -0,0 +1,138 @@
:tocdepth: 3
base/protocols/ftp/gridftp.zeek
===============================
.. zeek:namespace:: GridFTP
A detection script for GridFTP data and control channels.
GridFTP control channels are identified by FTP control channels
that successfully negotiate the GSSAPI method of an AUTH request
and for which the exchange involved an encoded TLS/SSL handshake,
indicating the GSI mechanism for GSSAPI was used. This analysis
is all supported internally, this script simply adds the "gridftp"
label to the *service* field of the control channel's
:zeek:type:`connection` record.
GridFTP data channels are identified by a heuristic that relies on
the fact that default settings for GridFTP clients typically
mutually authenticate the data channel with TLS/SSL and negotiate a
NULL bulk cipher (no encryption). Connections with those attributes
are marked as GridFTP if the data transfer within the first two minutes
is big enough to indicate a GripFTP data channel that would be
undesirable to analyze further (e.g. stop TCP reassembly). A side
effect is that true connection sizes are not logged, but at the benefit
of saving CPU cycles that would otherwise go to analyzing the large
(and likely benign) connections.
:Namespace: GridFTP
:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/protocols/conn </scripts/base/protocols/conn/index>`, :doc:`base/protocols/ftp/info.zeek </scripts/base/protocols/ftp/info.zeek>`, :doc:`base/protocols/ftp/main.zeek </scripts/base/protocols/ftp/main.zeek>`, :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`
Summary
~~~~~~~
Runtime Options
###############
========================================================================== ===================================================================
:zeek:id:`GridFTP::max_time`: :zeek:type:`interval` :zeek:attr:`&redef` Time during which we check whether a connection's size exceeds the
:zeek:see:`GridFTP::size_threshold`.
:zeek:id:`GridFTP::size_threshold`: :zeek:type:`count` :zeek:attr:`&redef` Number of bytes transferred before guessing a connection is a
GridFTP data channel.
:zeek:id:`GridFTP::skip_data`: :zeek:type:`bool` :zeek:attr:`&redef` Whether to skip further processing of the GridFTP data channel once
detected, which may help performance.
========================================================================== ===================================================================
Redefinitions
#############
=========================================== =================================================================
:zeek:type:`FTP::Info`: :zeek:type:`record`
:New Fields: :zeek:type:`FTP::Info`
last_auth_requested: :zeek:type:`string` :zeek:attr:`&optional`
=========================================== =================================================================
Events
######
============================================================= ===============================================
:zeek:id:`GridFTP::data_channel_detected`: :zeek:type:`event` Raised when a GridFTP data channel is detected.
============================================================= ===============================================
Functions
#########
============================================================================================ ==================================================================
:zeek:id:`GridFTP::data_channel_initial_criteria`: :zeek:type:`function` :zeek:attr:`&redef` The initial criteria used to determine whether to start polling
the connection for the :zeek:see:`GridFTP::size_threshold` to have
been exceeded.
============================================================================================ ==================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: GridFTP::max_time
:source-code: base/protocols/ftp/gridftp.zeek 37 37
:Type: :zeek:type:`interval`
:Attributes: :zeek:attr:`&redef`
:Default: ``2.0 mins``
Time during which we check whether a connection's size exceeds the
:zeek:see:`GridFTP::size_threshold`.
.. zeek:id:: GridFTP::size_threshold
:source-code: base/protocols/ftp/gridftp.zeek 33 33
:Type: :zeek:type:`count`
:Attributes: :zeek:attr:`&redef`
:Default: ``1073741824``
Number of bytes transferred before guessing a connection is a
GridFTP data channel.
.. zeek:id:: GridFTP::skip_data
:source-code: base/protocols/ftp/gridftp.zeek 41 41
:Type: :zeek:type:`bool`
:Attributes: :zeek:attr:`&redef`
:Default: ``T``
Whether to skip further processing of the GridFTP data channel once
detected, which may help performance.
Events
######
.. zeek:id:: GridFTP::data_channel_detected
:source-code: base/protocols/ftp/gridftp.zeek 46 46
:Type: :zeek:type:`event` (c: :zeek:type:`connection`)
Raised when a GridFTP data channel is detected.
:param c: The connection pertaining to the GridFTP data channel.
Functions
#########
.. zeek:id:: GridFTP::data_channel_initial_criteria
:source-code: base/protocols/ftp/gridftp.zeek 108 113
:Type: :zeek:type:`function` (c: :zeek:type:`connection`) : :zeek:type:`bool`
:Attributes: :zeek:attr:`&redef`
The initial criteria used to determine whether to start polling
the connection for the :zeek:see:`GridFTP::size_threshold` to have
been exceeded. This is called in a :zeek:see:`ssl_established` event
handler and by default looks for both a client and server certificate
and for a NULL bulk cipher. One way in which this function could be
redefined is to make it also consider client/server certificate
issuer subjects.
:param c: The connection which may possibly be a GridFTP data channel.
:returns: true if the connection should be further polled for an
exceeded :zeek:see:`GridFTP::size_threshold`, else false.
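Review bot: "GripFTP" in the module description ("big enough to indicate a GripFTP data channel") is a typo for GridFTP, and "This analysis is all supported internally, this script simply adds ..." is a comma splice; both come from the script header, so fix them in base/protocols/ftp/gridftp.zeek rather than in the generated page. The monitoring trade-off should also be stated next to GridFTP::skip_data itself: with the default ``T``, a connection that passes data_channel_initial_criteria and exceeds size_threshold within max_time is no longer analyzed and its true size is not logged. Consider giving the size_threshold default a unit (1073741824 is 1 GiB) and pointing readers at GridFTP::data_channel_detected as the hook for recording which connections were skipped.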

@ -0,0 +1,54 @@
:orphan:
Package: base/protocols/ftp
===========================
Support for File Transfer Protocol (FTP) analysis.
:doc:`/scripts/base/protocols/ftp/__load__.zeek`
:doc:`/scripts/base/protocols/ftp/utils-commands.zeek`
:doc:`/scripts/base/protocols/ftp/info.zeek`
Defines data structures for tracking and logging FTP sessions.
:doc:`/scripts/base/protocols/ftp/main.zeek`
The logging this script does is primarily focused on logging FTP commands
along with metadata. For example, if files are transferred, the argument
will take on the full path that the client is at along with the requested
file name.
:doc:`/scripts/base/protocols/ftp/utils.zeek`
Utilities specific for FTP processing.
:doc:`/scripts/base/protocols/ftp/files.zeek`
:doc:`/scripts/base/protocols/ftp/gridftp.zeek`
A detection script for GridFTP data and control channels.
GridFTP control channels are identified by FTP control channels
that successfully negotiate the GSSAPI method of an AUTH request
and for which the exchange involved an encoded TLS/SSL handshake,
indicating the GSI mechanism for GSSAPI was used. This analysis
is all supported internally, this script simply adds the "gridftp"
label to the *service* field of the control channel's
:zeek:type:`connection` record.
GridFTP data channels are identified by a heuristic that relies on
the fact that default settings for GridFTP clients typically
mutually authenticate the data channel with TLS/SSL and negotiate a
NULL bulk cipher (no encryption). Connections with those attributes
are marked as GridFTP if the data transfer within the first two minutes
is big enough to indicate a GripFTP data channel that would be
undesirable to analyze further (e.g. stop TCP reassembly). A side
effect is that true connection sizes are not logged, but at the benefit
of saving CPU cycles that would otherwise go to analyzing the large
(and likely benign) connections.
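Review bot: The gridftp.zeek entry at the end of this index repeats the "GripFTP" typo and the comma splice ("supported internally, this script simply adds"), so correcting the script header once fixes both generated pages. The entries for __load__.zeek, utils-commands.zeek and files.zeek have no summary line at all, which leaves the index uneven; a one-line header comment in each script would fill them.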

@ -0,0 +1,185 @@
:tocdepth: 3
base/protocols/ftp/info.zeek
============================
.. zeek:namespace:: FTP
Defines data structures for tracking and logging FTP sessions.
:Namespace: FTP
:Imports: :doc:`base/protocols/ftp/utils-commands.zeek </scripts/base/protocols/ftp/utils-commands.zeek>`
Summary
~~~~~~~
Runtime Options
###############
=============================================================================== ==========================================================
:zeek:id:`FTP::default_capture_password`: :zeek:type:`bool` :zeek:attr:`&redef` This setting changes if passwords used in FTP sessions are
captured or not.
=============================================================================== ==========================================================
Types
#####
========================================================== ==============================================
:zeek:type:`FTP::ExpectedDataChannel`: :zeek:type:`record` The expected endpoints of an FTP data channel.
:zeek:type:`FTP::Info`: :zeek:type:`record`
========================================================== ==============================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: FTP::default_capture_password
:source-code: base/protocols/ftp/info.zeek 11 11
:Type: :zeek:type:`bool`
:Attributes: :zeek:attr:`&redef`
:Default: ``F``
This setting changes if passwords used in FTP sessions are
captured or not.
Types
#####
.. zeek:type:: FTP::ExpectedDataChannel
:source-code: base/protocols/ftp/info.zeek 14 24
:Type: :zeek:type:`record`
.. zeek:field:: passive :zeek:type:`bool` :zeek:attr:`&log`
Whether PASV mode is toggled for control channel.
.. zeek:field:: orig_h :zeek:type:`addr` :zeek:attr:`&log`
The host that will be initiating the data connection.
.. zeek:field:: resp_h :zeek:type:`addr` :zeek:attr:`&log`
The host that will be accepting the data connection.
.. zeek:field:: resp_p :zeek:type:`port` :zeek:attr:`&log`
The port at which the acceptor is listening for the data
connection.
The expected endpoints of an FTP data channel.
.. zeek:type:: FTP::Info
:source-code: base/protocols/ftp/info.zeek 26 78
:Type: :zeek:type:`record`
.. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
Time when the command was sent.
.. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
Unique ID for the connection.
.. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
The connection's 4-tuple of endpoint addresses/ports.
.. zeek:field:: user :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&default` = ``"<unknown>"`` :zeek:attr:`&optional`
User name for the current FTP session.
.. zeek:field:: password :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Password for the current FTP session if captured.
.. zeek:field:: command :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Command given by the client.
.. zeek:field:: arg :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Argument for the command if one is given.
.. zeek:field:: mime_type :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Sniffed mime type of file.
.. zeek:field:: file_size :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
Size of the file if the command indicates a file transfer.
.. zeek:field:: reply_code :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
Reply code from the server in response to the command.
.. zeek:field:: reply_msg :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Reply message from the server in response to the command.
.. zeek:field:: data_channel :zeek:type:`FTP::ExpectedDataChannel` :zeek:attr:`&log` :zeek:attr:`&optional`
Expected FTP data channel.
.. zeek:field:: cwd :zeek:type:`string` :zeek:attr:`&default` = ``"."`` :zeek:attr:`&optional`
Current working directory that this session is in. By making
the default value '.', we can indicate that unless something
more concrete is discovered that the existing but unknown
directory is ok to use.
.. zeek:field:: cmdarg :zeek:type:`FTP::CmdArg` :zeek:attr:`&optional`
Command that is currently waiting for a response.
.. zeek:field:: pending_commands :zeek:type:`FTP::PendingCmds`
Queue for commands that have been sent but not yet responded
to are tracked here.
.. zeek:field:: command_seq :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
Sequence number of previous command.
.. zeek:field:: passive :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
Indicates if the session is in active or passive mode.
.. zeek:field:: capture_password :zeek:type:`bool` :zeek:attr:`&default` = :zeek:see:`FTP::default_capture_password` :zeek:attr:`&optional`
Determines if the password will be captured for this request.
.. zeek:field:: fuid :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
File unique ID.
.. zeek:field:: last_auth_requested :zeek:type:`string` :zeek:attr:`&optional`
(present if :doc:`/scripts/base/protocols/ftp/gridftp.zeek` is loaded)
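Review bot: The description of FTP::default_capture_password ("This setting changes if passwords used in FTP sessions are captured or not.") does not say what the default ``F`` means or what enabling the option does. The password field of FTP::Info is marked &log, so the text should state plainly that setting this to ``T`` puts session passwords into the FTP log, and that capture_password on the Info record takes its default from this option. Smaller points in the same file: FTP::Info has an empty description in the Types summary table, last_auth_requested has no description beyond the "present if" note, and the pending_commands text ("Queue for commands that have been sent but not yet responded to are tracked here.") needs rewording.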

@ -0,0 +1,244 @@
:tocdepth: 3
base/protocols/ftp/main.zeek
============================
.. zeek:namespace:: FTP
The logging this script does is primarily focused on logging FTP commands
along with metadata. For example, if files are transferred, the argument
will take on the full path that the client is at along with the requested
file name.
:Namespace: FTP
:Imports: :doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`, :doc:`base/frameworks/notice/weird.zeek </scripts/base/frameworks/notice/weird.zeek>`, :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`, :doc:`base/protocols/ftp/info.zeek </scripts/base/protocols/ftp/info.zeek>`, :doc:`base/protocols/ftp/utils-commands.zeek </scripts/base/protocols/ftp/utils-commands.zeek>`, :doc:`base/protocols/ftp/utils.zeek </scripts/base/protocols/ftp/utils.zeek>`, :doc:`base/utils/addrs.zeek </scripts/base/utils/addrs.zeek>`, :doc:`base/utils/numbers.zeek </scripts/base/utils/numbers.zeek>`, :doc:`base/utils/paths.zeek </scripts/base/utils/paths.zeek>`
Summary
~~~~~~~
Runtime Options
###############
============================================================================ ======================================================================
:zeek:id:`FTP::guest_ids`: :zeek:type:`set` :zeek:attr:`&redef` User IDs that can be considered "anonymous".
:zeek:id:`FTP::logged_commands`: :zeek:type:`set` :zeek:attr:`&redef` List of commands that should have their command/response pairs logged.
:zeek:id:`FTP::max_arg_length`: :zeek:type:`count` :zeek:attr:`&redef` Truncate the arg field in the log to that many bytes to avoid
excessive logging volume.
:zeek:id:`FTP::max_password_length`: :zeek:type:`count` :zeek:attr:`&redef` Truncate the password field in the log to that many bytes to avoid
excessive logging volume as this values is replicated in each
of the entries related to an FTP session.
:zeek:id:`FTP::max_pending_commands`: :zeek:type:`count` :zeek:attr:`&redef` Allow a client to send this many commands before the server
sends a reply.
:zeek:id:`FTP::max_reply_msg_length`: :zeek:type:`count` :zeek:attr:`&redef` Truncate the reply_msg field in the log to that many bytes to avoid
excessive logging volume.
:zeek:id:`FTP::max_user_length`: :zeek:type:`count` :zeek:attr:`&redef` Truncate the user field in the log to that many bytes to avoid
excessive logging volume as this values is replicated in each
of the entries related to an FTP session.
============================================================================ ======================================================================
Types
#####
================================================ ===============================================
:zeek:type:`FTP::ReplyCode`: :zeek:type:`record` This record is to hold a parsed FTP reply code.
================================================ ===============================================
Redefinitions
#############
==================================================================== ========================================================================================
:zeek:type:`Log::ID`: :zeek:type:`enum` The FTP protocol logging stream identifier.
* :zeek:enum:`FTP::LOG`
:zeek:type:`connection`: :zeek:type:`record`
:New Fields: :zeek:type:`connection`
ftp: :zeek:type:`FTP::Info` :zeek:attr:`&optional`
ftp_data_reuse: :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef`
==================================================================== ========================================================================================
Events
######
=========================================== ==============================================================
:zeek:id:`FTP::log_ftp`: :zeek:type:`event` Event that can be handled to access the :zeek:type:`FTP::Info`
record as it is sent on to the logging framework.
=========================================== ==============================================================
Hooks
#####
============================================================ =============================================
:zeek:id:`FTP::finalize_ftp`: :zeek:type:`Conn::RemovalHook` FTP finalization hook.
:zeek:id:`FTP::finalize_ftp_data`: :zeek:type:`hook` FTP data finalization hook.
:zeek:id:`FTP::log_policy`: :zeek:type:`Log::PolicyHook` A default logging policy hook for the stream.
============================================================ =============================================
Functions
#########
=========================================================== =====================================================================
:zeek:id:`FTP::parse_ftp_reply_code`: :zeek:type:`function` Parse FTP reply codes into the three constituent single digit values.
=========================================================== =====================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: FTP::guest_ids
:source-code: base/protocols/ftp/main.zeek 32 32
:Type: :zeek:type:`set` [:zeek:type:`string`]
:Attributes: :zeek:attr:`&redef`
:Default:
::
{
"guest",
"anonymous",
"ftpuser",
"ftp"
}
User IDs that can be considered "anonymous".
.. zeek:id:: FTP::logged_commands
:source-code: base/protocols/ftp/main.zeek 26 26
:Type: :zeek:type:`set` [:zeek:type:`string`]
:Attributes: :zeek:attr:`&redef`
:Default:
::
{
"ACCT",
"DELE",
"APPE",
"RETR",
"PORT",
"STOR",
"EPRT",
"PASV",
"STOU",
"EPSV"
}
List of commands that should have their command/response pairs logged.
.. zeek:id:: FTP::max_arg_length
:source-code: base/protocols/ftp/main.zeek 73 73
:Type: :zeek:type:`count`
:Attributes: :zeek:attr:`&redef`
:Default: ``4096``
Truncate the arg field in the log to that many bytes to avoid
excessive logging volume.
.. zeek:id:: FTP::max_password_length
:source-code: base/protocols/ftp/main.zeek 69 69
:Type: :zeek:type:`count`
:Attributes: :zeek:attr:`&redef`
:Default: ``128``
Truncate the password field in the log to that many bytes to avoid
excessive logging volume as this values is replicated in each
of the entries related to an FTP session.
.. zeek:id:: FTP::max_pending_commands
:source-code: base/protocols/ftp/main.zeek 59 59
:Type: :zeek:type:`count`
:Attributes: :zeek:attr:`&redef`
:Default: ``20``
Allow a client to send this many commands before the server
sends a reply. If this value is exceeded a weird named
FTP_too_many_pending_commands is logged for the connection.
.. zeek:id:: FTP::max_reply_msg_length
:source-code: base/protocols/ftp/main.zeek 77 77
:Type: :zeek:type:`count`
:Attributes: :zeek:attr:`&redef`
:Default: ``4096``
Truncate the reply_msg field in the log to that many bytes to avoid
excessive logging volume.
.. zeek:id:: FTP::max_user_length
:source-code: base/protocols/ftp/main.zeek 64 64
:Type: :zeek:type:`count`
:Attributes: :zeek:attr:`&redef`
:Default: ``128``
Truncate the user field in the log to that many bytes to avoid
excessive logging volume as this values is replicated in each
of the entries related to an FTP session.
Types
#####
.. zeek:type:: FTP::ReplyCode
:source-code: base/protocols/ftp/main.zeek 36 40
:Type: :zeek:type:`record`
.. zeek:field:: x :zeek:type:`count`
.. zeek:field:: y :zeek:type:`count`
.. zeek:field:: z :zeek:type:`count`
This record is to hold a parsed FTP reply code. For example, for the
201 status code, the digits would be parsed as: x->2, y->0, z->1.
Events
######
.. zeek:id:: FTP::log_ftp
:source-code: base/protocols/ftp/main.zeek 47 47
:Type: :zeek:type:`event` (rec: :zeek:type:`FTP::Info`)
Event that can be handled to access the :zeek:type:`FTP::Info`
record as it is sent on to the logging framework.
Hooks
#####
.. zeek:id:: FTP::finalize_ftp
:source-code: base/protocols/ftp/main.zeek 479 488
:Type: :zeek:type:`Conn::RemovalHook`
FTP finalization hook. Remaining FTP info may get logged when it's called.
.. zeek:id:: FTP::finalize_ftp_data
:source-code: base/protocols/ftp/main.zeek 466 476
:Type: :zeek:type:`hook` (c: :zeek:type:`connection`) : :zeek:type:`bool`
FTP data finalization hook. Expected FTP data channel state may
get purged when called.
.. zeek:id:: FTP::log_policy
:source-code: base/protocols/ftp/main.zeek 23 23
:Type: :zeek:type:`Log::PolicyHook`
A default logging policy hook for the stream.
Functions
#########
.. zeek:id:: FTP::parse_ftp_reply_code
:source-code: base/protocols/ftp/main.zeek 141 154
:Type: :zeek:type:`function` (code: :zeek:type:`count`) : :zeek:type:`FTP::ReplyCode`
Parse FTP reply codes into the three constituent single digit values.
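Review bot: "as this values is replicated" in the FTP::max_password_length and FTP::max_user_length descriptions (summary table and detailed entries) should read "as this value is replicated". The summary row for FTP::max_pending_commands stops at "sends a reply." and omits the FTP_too_many_pending_commands weird named in the detailed entry, which is the string an analyst would search for. The x, y and z fields of FTP::ReplyCode and the likely_server_ports redefinition have no description, and the four max_*_length options do not say whether a truncated value is marked as such in the log; stating that would help anyone matching on arg or reply_msg.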

@ -0,0 +1,416 @@
:tocdepth: 3
base/protocols/ftp/utils-commands.zeek
======================================
.. zeek:namespace:: FTP
:Namespace: FTP
Summary
~~~~~~~
Runtime Options
###############
==================================================================== ===========================================================
:zeek:id:`FTP::cmd_reply_code`: :zeek:type:`set` :zeek:attr:`&redef` Possible response codes for a wide variety of FTP commands.
==================================================================== ===========================================================
Types
#####
================================================= ====================================================================
:zeek:type:`FTP::CmdArg`: :zeek:type:`record`
:zeek:type:`FTP::PendingCmds`: :zeek:type:`table` Structure for tracking pending commands in the event that the client
sends a large number of commands before the server has a chance to
reply.
================================================= ====================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: FTP::cmd_reply_code
:source-code: base/protocols/ftp/utils-commands.zeek 24 24
:Type: :zeek:type:`set` [:zeek:type:`string`, :zeek:type:`count`]
:Attributes: :zeek:attr:`&redef`
:Default:
::
{
["ABOR", 226] ,
["REIN", 120] ,
["STOU", 553] ,
["MLSD", 150] ,
["RNTO", 503] ,
["CDUP", 530] ,
["CDUP", 501] ,
["APPE", 425] ,
["SYST", 530] ,
["PORT", 421] ,
["TYPE", 501] ,
["LIST", 125] ,
["RNTO", 530] ,
["PWD", 501] ,
["STOR", 125] ,
["CDUP", 200] ,
["MLSD", 250] ,
["SITE", 500] ,
["CWD", 550] ,
["CDUP", 550] ,
["QUIT", 500] ,
["MKD", 257] ,
["ALLO", 500] ,
["LIST", 425] ,
["CLNT", 200] ,
["<init>", 0] ,
["ABOR", 501] ,
["FEAT", 502] ,
["MLST", 150] ,
["APPE", 150] ,
["STOU", 550] ,
["USER", 332] ,
["PASV", 227] ,
["SYST", 421] ,
["STRU", 530] ,
["EPRT", 501] ,
["PASV", 530] ,
["USER", 530] ,
["APPE", 125] ,
["CDUP", 421] ,
["STOU", 451] ,
["HELP", 214] ,
["NLST", 426] ,
["RNFR", 450] ,
["LPRT", 521] ,
["ALLO", 530] ,
["STAT", 501] ,
["MACB", 550] ,
["PASS", 332] ,
["SITE", 502] ,
["SIZE", 550] ,
["LIST", 451] ,
["LIST", 426] ,
["APPE", 426] ,
["SMNT", 530] ,
["MLST", 250] ,
["TYPE", 530] ,
["HELP", 500] ,
["RNTO", 553] ,
["STOR", 530] ,
["NLST", 150] ,
["NLST", 451] ,
["SMNT", 501] ,
["ACCT", 230] ,
["MDTM", 550] ,
["APPE", 452] ,
["LIST", 450] ,
["NLST", 250] ,
["MDTM", 500] ,
["RETR", 450] ,
["NLST", 502] ,
["TYPE", 504] ,
["MLSD", 550] ,
["MODE", 421] ,
["OPTS", 451] ,
["RETR", 426] ,
["APPE", 530] ,
["STRU", 504] ,
["STAT", 502] ,
["RETR", 125] ,
["EPRT", 200] ,
["ALLO", 202] ,
["MKD", 502] ,
["STOU", 501] ,
["SYST", 502] ,
["REIN", 220] ,
["MLSD", 501] ,
["DELE", 530] ,
["USER", 421] ,
["NLST", 530] ,
["TYPE", 200] ,
["RMD", 250] ,
["DELE", 421] ,
["FEAT", 211] ,
["APPE", 500] ,
["RETR", 501] ,
["ABOR", 225] ,
["CWD", 250] ,
["STOU", 110] ,
["ALLO", 504] ,
["RNTO", 532] ,
["PWD", 500] ,
["STOR", 110] ,
["MODE", 502] ,
["PORT", 200] ,
["NLST", 125] ,
["RETR", 110] ,
["ACCT", 503] ,
["RMD", 502] ,
["REST", 200] ,
["RETR", 226] ,
["PASV", 500] ,
["STRU", 501] ,
["LIST", 502] ,
["STAT", 530] ,
["RETR", 500] ,
["PASS", 501] ,
["STOR", 553] ,
["APPE", 550] ,
["SMNT", 550] ,
["PASV", 501] ,
["SYST", 501] ,
["MKD", 550] ,
["PASV", 502] ,
["MODE", 530] ,
["STAT", 450] ,
["APPE", 226] ,
["MACB", 500] ,
["PASS", 230] ,
["STAT", 212] ,
["PASV", 421] ,
["STOU", 530] ,
["PASS", 530] ,
["SITE", 202] ,
["PASS", 500] ,
["APPE", 450] ,
["STOR", 450] ,
["LIST", 250] ,
["NLST", 500] ,
["PWD", 502] ,
["RNFR", 500] ,
["STOR", 501] ,
["DELE", 500] ,
["HELP", 421] ,
["NLST", 425] ,
["NLST", 550] ,
["STOR", 451] ,
["SYST", 215] ,
["RETR", 425] ,
["APPE", 532] ,
["LIST", 150] ,
["CWD", 500] ,
["USER", 331] ,
["OPTS", 501] ,
["PASS", 503] ,
["STOU", 532] ,
["STOU", 150] ,
["QUIT", 221] ,
["ACCT", 202] ,
["STOR", 425] ,
["MKD", 421] ,
["TYPE", 500] ,
["STOU", 125] ,
["SYST", 500] ,
["CDUP", 502] ,
["RETR", 451] ,
["RNFR", 502] ,
["TYPE", 421] ,
["STOR", 500] ,
["SIZE", 500] ,
["HELP", 211] ,
["RNTO", 250] ,
["REIN", 502] ,
["STRU", 200] ,
["RMD", 421] ,
["<init>", 421] ,
["STAT", 211] ,
["<init>", 120] ,
["LIST", 550] ,
["ABOR", 500] ,
["NOOP", 200] ,
["REIN", 421] ,
["STOR", 150] ,
["SMNT", 502] ,
["CDUP", 250] ,
["PORT", 501] ,
["MODE", 504] ,
["STAT", 421] ,
["MODE", 501] ,
["MDTM", 213] ,
["MKD", 501] ,
["LIST", 421] ,
["MLST", 226] ,
["STOR", 226] ,
["NOOP", 421] ,
["PWD", 421] ,
["FEAT", 500] ,
["APPE", 250] ,
["CLNT", 500] ,
["LIST", 501] ,
["STOU", 425] ,
["LIST", 530] ,
["SITE", 530] ,
["STOU", 250] ,
["RETR", 150] ,
["RNTO", 500] ,
["MLST", 501] ,
["REST", 501] ,
["MKD", 530] ,
["RNFR", 530] ,
["ALLO", 200] ,
["STRU", 500] ,
["MLSD", 500] ,
["STOU", 426] ,
["STAT", 213] ,
["RNFR", 421] ,
["ALLO", 501] ,
["RETR", 421] ,
["APPE", 421] ,
["USER", 501] ,
["QUIT", 0] ,
["USER", 230] ,
["RNFR", 350] ,
["STOU", 551] ,
["MODE", 500] ,
["STOR", 426] ,
["REST", 530] ,
["SMNT", 421] ,
["ABOR", 502] ,
["ACCT", 421] ,
["APPE", 502] ,
["SITE", 214] ,
["CWD", 421] ,
["NLST", 450] ,
["STOU", 226] ,
["EPRT", 522] ,
["REST", 500] ,
["RMD", 550] ,
["LPRT", 501] ,
["EPSV", 501] ,
["HELP", 501] ,
["DELE", 450] ,
["NLST", 501] ,
["EPSV", 500] ,
["APPE", 552] ,
["EPRT", 500] ,
["PWD", 257] ,
["MODE", 200] ,
["NLST", 226] ,
["RMD", 500] ,
["CWD", 530] ,
["APPE", 501] ,
["RMD", 530] ,
["STOR", 452] ,
["<missing>", 0] ,
["RETR", 530] ,
["NOOP", 500] ,
["REIN", 500] ,
["STOR", 532] ,
["ABOR", 421] ,
["APPE", 551] ,
["SMNT", 500] ,
["STOR", 550] ,
["RNFR", 501] ,
["USER", 500] ,
["ALLO", 421] ,
["ACCT", 500] ,
["RNTO", 502] ,
["MKD", 500] ,
["PASS", 421] ,
["STOU", 552] ,
["STOU", 452] ,
["CWD", 501] ,
["PORT", 500] ,
["MLST", 500] ,
["STOU", 450] ,
["STOU", 421] ,
["ACCT", 530] ,
["STRU", 421] ,
["STOU", 500] ,
["SIZE", 501] ,
["MDTM", 501] ,
["ACCT", 501] ,
["REST", 502] ,
["STOR", 421] ,
["RNTO", 421] ,
["RETR", 250] ,
["MLSD", 226] ,
["LIST", 500] ,
["DELE", 502] ,
["SMNT", 250] ,
["OPTS", 200] ,
["SITE", 501] ,
["APPE", 553] ,
["PASS", 202] ,
["SIZE", 213] ,
["STOR", 250] ,
["DELE", 250] ,
["STOR", 551] ,
["PWD", 550] ,
["STAT", 500] ,
["RMD", 501] ,
["RNTO", 501] ,
["HELP", 200] ,
["MACB", 200] ,
["DELE", 501] ,
["LPRT", 500] ,
["LIST", 226] ,
["REST", 350] ,
["CDUP", 500] ,
["APPE", 451] ,
["EPSV", 229] ,
["RETR", 550] ,
["DELE", 550] ,
["PORT", 530] ,
["CWD", 502] ,
["STOR", 552] ,
["NLST", 421] ,
["HELP", 502] ,
["SITE", 200] ,
["<init>", 220] ,
["SMNT", 202] ,
["RNFR", 550] ,
["MLST", 550] ,
["REST", 421]
}
Possible response codes for a wide variety of FTP commands.
Types
#####
.. zeek:type:: FTP::CmdArg
:source-code: base/protocols/ftp/utils-commands.zeek 4 16
:Type: :zeek:type:`record`
.. zeek:field:: ts :zeek:type:`time`
Time when the command was sent.
.. zeek:field:: cmd :zeek:type:`string` :zeek:attr:`&default` = ``"<unknown>"`` :zeek:attr:`&optional`
Command.
.. zeek:field:: arg :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`
Argument for the command if one was given.
.. zeek:field:: seq :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
Counter to track how many commands have been executed.
.. zeek:field:: cwd_consumed :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
Flag indicating if the arg of this CmdArg has been used
to update cwd of c$ftp.
.. zeek:type:: FTP::PendingCmds
:source-code: base/protocols/ftp/utils-commands.zeek 21 21
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`FTP::CmdArg`
Structure for tracking pending commands in the event that the client
sends a large number of commands before the server has a chance to
reply.
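Review bot: The :Default: block for FTP::cmd_reply_code lists every pair in no evident order (["ABOR", 226], ["REIN", 120], ["STOU", 553], ...), which makes the page hard to scan and would produce noisy diffs in this file if the order changes between documentation builds. Emit the default sorted by command and code, or elide it and refer to the source line. The pseudo-commands "<init>" and "<missing>" and the code 0 appear in the set with no explanation, and FTP::CmdArg has an empty description in the Types summary table; both deserve a sentence in the script comments.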

@ -0,0 +1,60 @@
:tocdepth: 3
base/protocols/ftp/utils.zeek
=============================
.. zeek:namespace:: FTP
Utilities specific for FTP processing.
:Namespace: FTP
:Imports: :doc:`base/protocols/ftp/info.zeek </scripts/base/protocols/ftp/info.zeek>`, :doc:`base/utils/addrs.zeek </scripts/base/utils/addrs.zeek>`, :doc:`base/utils/paths.zeek </scripts/base/utils/paths.zeek>`
Summary
~~~~~~~
Functions
#########
==================================================== ===========================================================
:zeek:id:`FTP::build_url`: :zeek:type:`function` Creates a URL from an :zeek:type:`FTP::Info` record.
:zeek:id:`FTP::build_url_ftp`: :zeek:type:`function` Creates a URL from an :zeek:type:`FTP::Info` record.
:zeek:id:`FTP::describe`: :zeek:type:`function` Create an extremely shortened representation of a log line.
==================================================== ===========================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: FTP::build_url
:source-code: base/protocols/ftp/utils.zeek 28 38
:Type: :zeek:type:`function` (rec: :zeek:type:`FTP::Info`) : :zeek:type:`string`
Creates a URL from an :zeek:type:`FTP::Info` record.
:param rec: An :zeek:type:`FTP::Info` record.
:returns: A URL, not prefixed by ``"ftp://"``.
.. zeek:id:: FTP::build_url_ftp
:source-code: base/protocols/ftp/utils.zeek 40 43
:Type: :zeek:type:`function` (rec: :zeek:type:`FTP::Info`) : :zeek:type:`string`
Creates a URL from an :zeek:type:`FTP::Info` record.
:param rec: An :zeek:type:`FTP::Info` record.
:returns: A URL prefixed with ``"ftp://"``.
.. zeek:id:: FTP::describe
:source-code: base/protocols/ftp/utils.zeek 45 48
:Type: :zeek:type:`function` (rec: :zeek:type:`FTP::Info`) : :zeek:type:`string`
Create an extremely shortened representation of a log line.
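Review bot: FTP::build_url and FTP::build_url_ftp have the identical summary line "Creates a URL from an :zeek:type:`FTP::Info` record.", so the Functions table cannot tell them apart; the difference only appears in :returns: (without and with the ``"ftp://"`` prefix). Put the prefix distinction in the first sentence of each script comment. FTP::describe has no :param: or :returns: text, unlike the other two functions.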