Copy docs into Zeek repo directly

This is based on commit 2731def9159247e6da8a3191783c89683363689c from the
zeek-docs repo.
Tim Wojtulewicz 2025-09-15 15:52:18 -07:00
parent 83f1e74643
commit ded98cd373
1074 changed files with 169319 additions and 0 deletions

@ -0,0 +1,14 @@
:tocdepth: 3
base/protocols/krb/__load__.zeek
================================
:Imports: :doc:`base/protocols/krb/files.zeek </scripts/base/protocols/krb/files.zeek>`, :doc:`base/protocols/krb/main.zeek </scripts/base/protocols/krb/main.zeek>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~
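Review bot: The `Summary` and `Detailed Interface` headings at the end of this page have nothing under them, so the rendered page for `__load__.zeek` closes with two empty sections. The only content here is the `:Imports:` line, so either skip empty sections when generating the page or add a one-line description stating that this script just loads `files.zeek` and `main.zeek`.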

@ -0,0 +1,140 @@
:tocdepth: 3
base/protocols/krb/consts.zeek
==============================
.. zeek:namespace:: KRB
:Namespace: KRB
Summary
~~~~~~~
Constants
#########
============================================================================================= =
:zeek:id:`KRB::cipher_name`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`
:zeek:id:`KRB::error_msg`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function`
============================================================================================= =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Constants
#########
.. zeek:id:: KRB::cipher_name
:source-code: base/protocols/krb/consts.zeek 76 76
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = :zeek:type:`function`
:Default:
::
{
[2] = "des-cbc-md4",
[25] = "camellia128-cts-cmac",
[14] = "rsaES-OAEP-ENV-OID",
[15] = "des-ede3-cbc-Env-OID",
[16] = "des3-cbc-sha1-kd",
[24] = "rc4-hmac-exp",
[23] = "rc4-hmac",
[9] = "dsaWithSHA1-CmsOID",
[1] = "des-cbc-crc",
[11] = "sha1WithRSAEncryption-CmsOID",
[7] = "des3-cbc-sha1",
[5] = "des3-cbc-md5",
[10] = "md5WithRSAEncryption-CmsOID",
[13] = "rsaEncryption-EnvOID",
[12] = "rc2CBC-EnvOID",
[26] = "camellia256-cts-cmac",
[65] = "subkey-keymaterial",
[18] = "aes256-cts-hmac-sha1-96",
[3] = "des-cbc-md5",
[17] = "aes128-cts-hmac-sha1-96"
}
.. zeek:id:: KRB::error_msg
:source-code: base/protocols/krb/consts.zeek 5 5
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = :zeek:type:`function`
:Default:
::
{
[19] = "KDC_ERR_SERVICE_REVOKED",
[20] = "KDC_ERR_TGT_REVOKED",
[33] = "KRB_AP_ERR_TKT_NYV",
[39] = "KRB_AP_ERR_BADVERSION",
[67] = "KRB_AP_ERR_NO_TGT",
[73] = "KDC_ERR_REVOCATION_STATUS_UNKNOWN",
[75] = "KDC_ERR_CLIENT_NAME_MISMATCH",
[46] = "KRB_AP_ERR_MUT_FAIL",
[15] = "KDC_ERR_SUMTYPE_NOSUPP",
[64] = "KDC_ERROR_INVALID_SIG",
[28] = "KDC_ERR_PATH_NOT_ACCEPTED",
[9] = "KDC_ERR_NULL_KEY",
[68] = "KDC_ERR_WRONG_REALM",
[71] = "KDC_ERR_INVALID_CERTIFICATE",
[52] = "KRB_ERR_RESPONSE_TOO_BIG",
[21] = "KDC_ERR_CLIENT_NOTYET",
[4] = "KDC_ERR_C_OLD_MAST_KVNO",
[12] = "KDC_ERR_POLICY",
[41] = "KRB_AP_ERR_MODIFIED",
[17] = "KDC_ERR_TRTYPE_NOSUPP",
[25] = "KDC_ERR_PREAUTH_REQUIRED",
[76] = "KDC_ERR_KDC_NAME_MISMATCH",
[29] = "KDC_ERR_SVC_UNAVAILABLE",
[16] = "KDC_ERR_PADATA_TYPE_NOSUPP",
[38] = "KRB_AP_ERR_BADADDR",
[63] = "KDC_ERROR_KDC_NOT_TRUSTED",
[42] = "KRB_AP_ERR_BADORDER",
[1] = "KDC_ERR_NAME_EXP",
[11] = "KDC_ERR_NEVER_VALID",
[35] = "KRB_AP_ERR_NOT_US",
[22] = "KDC_ERR_SERVICE_NOTYET",
[3] = "KDC_ERR_BAD_PVNO",
[44] = "KRB_AP_ERR_BADKEYVER",
[34] = "KRB_AP_ERR_REPEAT",
[45] = "KRB_AP_ERR_NOKEY",
[40] = "KRB_AP_ERR_MSG_TYPE",
[36] = "KRB_AP_ERR_BADMATCH",
[14] = "KDC_ERR_ETYPE_NOSUPP",
[6] = "KDC_ERR_C_PRINCIPAL_UNKNOWN",
[31] = "KRB_AP_ERR_BAD_INTEGRITY",
[8] = "KDC_ERR_PRINCIPAL_NOT_UNIQUE",
[23] = "KDC_ERR_KEY_EXPIRED",
[27] = "KDC_ERR_MUST_USE_USER2USER",
[7] = "KDC_ERR_S_PRINCIPAL_UNKNOWN",
[66] = "KDC_ERR_CERTIFICATE_MISMATCH",
[10] = "KDC_ERR_CANNOT_POSTDATE",
[32] = "KRB_AP_ERR_TKT_EXPIRED",
[13] = "KDC_ERR_BADOPTION",
[26] = "KDC_ERR_SERVER_NOMATCH",
[65] = "KDC_ERR_KEY_TOO_WEAK",
[62] = "KDC_ERROR_CLIENT_NOT_TRUSTED",
[74] = "KDC_ERR_REVOCATION_STATUS_UNAVAILABLE",
[47] = "KRB_AP_ERR_BADDIRECTION",
[70] = "KDC_ERR_CANT_VERIFY_CERTIFICATE",
[50] = "KRB_AP_ERR_INAPP_CKSUM",
[2] = "KDC_ERR_SERVICE_EXP",
[72] = "KDC_ERR_REVOKED_CERTIFICATE",
[48] = "KRB_AP_ERR_METHOD",
[24] = "KDC_ERR_PREAUTH_FAILED",
[69] = "KRB_AP_ERR_USER_TO_USER_REQUIRED",
[49] = "KRB_AP_ERR_BADSEQ",
[5] = "KDC_ERR_S_OLD_MAST_KVNO",
[61] = "KRB_ERR_FIELD_TOOLONG",
[60] = "KRB_ERR_GENERIC",
[51] = "KRB_AP_PATH_NOT_ACCEPTED",
[37] = "KRB_AP_ERR_SKEW",
[18] = "KDC_ERR_CLIENT_REVOKED",
[0] = "KDC_ERR_NONE"
}
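Review bot: Neither `KRB::cipher_name` nor `KRB::error_msg` carries a description: the second column of the summary table is empty and the detailed entries go straight from `:Default:` to the table dump. Both show `&default = function`, but nothing says what a lookup returns for a code that is not in the table, which matters to anyone matching on the `cipher` or `error_msg` log values. A doc comment on each constant in `consts.zeek` covering the key (Kerberos encryption type number, Kerberos error code) and the fallback value would fix this. The default tables are also printed in no particular key order (`[2]`, `[25]`, `[14]`, ...), which makes a lookup by number slow; sorting by key in the generated output would help.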

@ -0,0 +1,65 @@
:tocdepth: 3
base/protocols/krb/files.zeek
=============================
.. zeek:namespace:: KRB
:Namespace: KRB
:Imports: :doc:`base/files/x509 </scripts/base/files/x509/index>`, :doc:`base/frameworks/files </scripts/base/frameworks/files/index>`, :doc:`base/protocols/krb/main.zeek </scripts/base/protocols/krb/main.zeek>`, :doc:`base/utils/conn-ids.zeek </scripts/base/utils/conn-ids.zeek>`
Summary
~~~~~~~
Redefinitions
#############
=========================================== ===================================================================================
:zeek:type:`KRB::Info`: :zeek:type:`record`
:New Fields: :zeek:type:`KRB::Info`
client_cert: :zeek:type:`Files::Info` :zeek:attr:`&optional`
Client certificate
client_cert_subject: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Subject of client certificate, if any
client_cert_fuid: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
File unique ID of client cert, if any
server_cert: :zeek:type:`Files::Info` :zeek:attr:`&optional`
Server certificate
server_cert_subject: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Subject of server certificate, if any
server_cert_fuid: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
File unique ID of server cert, if any
=========================================== ===================================================================================
Functions
#########
====================================================== =====================================
:zeek:id:`KRB::describe_file`: :zeek:type:`function` Default file describer for KRB.
:zeek:id:`KRB::get_file_handle`: :zeek:type:`function` Default file handle provider for KRB.
====================================================== =====================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: KRB::describe_file
:source-code: base/protocols/krb/files.zeek 38 62
:Type: :zeek:type:`function` (f: :zeek:type:`fa_file`) : :zeek:type:`string`
Default file describer for KRB.
.. zeek:id:: KRB::get_file_handle
:source-code: base/protocols/krb/files.zeek 32 36
:Type: :zeek:type:`function` (c: :zeek:type:`connection`, is_orig: :zeek:type:`bool`) : :zeek:type:`string`
Default file handle provider for KRB.
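Review bot: The descriptions for `KRB::describe_file` and `KRB::get_file_handle` only restate the function names ("Default file describer for KRB.", "Default file handle provider for KRB.") and leave the parameters and return value undocumented. Both return a `string`; please state what that string contains, and for `get_file_handle` what `is_orig` selects, since the new `client_cert_*` and `server_cert_*` fields on `KRB::Info` suggest the direction decides which certificate a file is attributed to.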

@ -0,0 +1,21 @@
:orphan:
Package: base/protocols/krb
===========================
Support for Kerberos protocol analysis.
:doc:`/scripts/base/protocols/krb/__load__.zeek`
:doc:`/scripts/base/protocols/krb/main.zeek`
Implements base functionality for KRB analysis. Generates the kerberos.log
file.
:doc:`/scripts/base/protocols/krb/consts.zeek`
:doc:`/scripts/base/protocols/krb/files.zeek`
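Review bot: Only `main.zeek` has a description in this package index; `__load__.zeek`, `consts.zeek` and `files.zeek` are listed as bare links. A short summary for each (for example, that `consts.zeek` holds the cipher and error code name tables and `files.zeek` adds the certificate fields to `KRB::Info`) would let a reader pick the right page without opening all four.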

@ -0,0 +1,243 @@
:tocdepth: 3
base/protocols/krb/main.zeek
============================
.. zeek:namespace:: KRB
Implements base functionality for KRB analysis. Generates the kerberos.log
file.
:Namespace: KRB
:Imports: :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`, :doc:`base/protocols/krb/consts.zeek </scripts/base/protocols/krb/consts.zeek>`
Summary
~~~~~~~
Runtime Options
###############
==================================================================== =======================================================
:zeek:id:`KRB::ignored_errors`: :zeek:type:`set` :zeek:attr:`&redef` The server response error texts which are *not* logged.
==================================================================== =======================================================
Types
#####
=========================================== =
:zeek:type:`KRB::Info`: :zeek:type:`record`
=========================================== =
Redefinitions
#############
==================================================================== ====================================================
:zeek:type:`Log::ID`: :zeek:type:`enum`
* :zeek:enum:`KRB::LOG`
:zeek:type:`connection`: :zeek:type:`record`
:New Fields: :zeek:type:`connection`
krb: :zeek:type:`KRB::Info` :zeek:attr:`&optional`
:zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef`
==================================================================== ====================================================
Events
######
=========================================== ===================================================================
:zeek:id:`KRB::log_krb`: :zeek:type:`event` Event that can be handled to access the KRB record as it is sent on
to the logging framework.
=========================================== ===================================================================
Hooks
#####
============================================================ ===========================
:zeek:id:`KRB::finalize_krb`: :zeek:type:`Conn::RemovalHook` Kerberos finalization hook.
:zeek:id:`KRB::log_policy`: :zeek:type:`Log::PolicyHook`
============================================================ ===========================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: KRB::ignored_errors
:source-code: base/protocols/krb/main.zeek 54 54
:Type: :zeek:type:`set` [:zeek:type:`string`]
:Attributes: :zeek:attr:`&redef`
:Default:
::
{
"NEEDED_PREAUTH",
"Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ"
}
The server response error texts which are *not* logged.
Types
#####
.. zeek:type:: KRB::Info
:source-code: base/protocols/krb/main.zeek 14 51
:Type: :zeek:type:`record`
.. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
Timestamp for when the event happened.
.. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
Unique ID for the connection.
.. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
The connection's 4-tuple of endpoint addresses/ports.
.. zeek:field:: request_type :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Request type - Authentication Service ("AS") or
Ticket Granting Service ("TGS")
.. zeek:field:: client :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Client
.. zeek:field:: service :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Service
.. zeek:field:: success :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&optional`
Request result
.. zeek:field:: error_code :zeek:type:`count` :zeek:attr:`&optional`
Error code
.. zeek:field:: error_msg :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Error message
.. zeek:field:: from :zeek:type:`time` :zeek:attr:`&log` :zeek:attr:`&optional`
Ticket valid from
.. zeek:field:: till :zeek:type:`time` :zeek:attr:`&log` :zeek:attr:`&optional`
Ticket valid till
.. zeek:field:: cipher :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Ticket encryption type
.. zeek:field:: forwardable :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&optional`
Forwardable ticket requested
.. zeek:field:: renewable :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&optional`
Renewable ticket requested
.. zeek:field:: logged :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
We've already logged this
.. zeek:field:: client_cert :zeek:type:`Files::Info` :zeek:attr:`&optional`
(present if :doc:`/scripts/base/protocols/krb/files.zeek` is loaded)
Client certificate
.. zeek:field:: client_cert_subject :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/base/protocols/krb/files.zeek` is loaded)
Subject of client certificate, if any
.. zeek:field:: client_cert_fuid :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/base/protocols/krb/files.zeek` is loaded)
File unique ID of client cert, if any
.. zeek:field:: server_cert :zeek:type:`Files::Info` :zeek:attr:`&optional`
(present if :doc:`/scripts/base/protocols/krb/files.zeek` is loaded)
Server certificate
.. zeek:field:: server_cert_subject :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/base/protocols/krb/files.zeek` is loaded)
Subject of server certificate, if any
.. zeek:field:: server_cert_fuid :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/base/protocols/krb/files.zeek` is loaded)
File unique ID of server cert, if any
.. zeek:field:: auth_ticket :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/krb/ticket-logging.zeek` is loaded)
Hash of ticket used to authorize request/transaction
.. zeek:field:: new_ticket :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
(present if :doc:`/scripts/policy/protocols/krb/ticket-logging.zeek` is loaded)
Hash of ticket returned by the KDC
Events
######
.. zeek:id:: KRB::log_krb
:source-code: base/protocols/krb/main.zeek 68 68
:Type: :zeek:type:`event` (rec: :zeek:type:`KRB::Info`)
Event that can be handled to access the KRB record as it is sent on
to the logging framework.
Hooks
#####
.. zeek:id:: KRB::finalize_krb
:source-code: base/protocols/krb/main.zeek 71 71
:Type: :zeek:type:`Conn::RemovalHook`
Kerberos finalization hook. Remaining Kerberos info may get logged when it's called.
.. zeek:id:: KRB::log_policy
:source-code: base/protocols/krb/main.zeek 12 12
:Type: :zeek:type:`Log::PolicyHook`
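Review bot: The `KRB::ignored_errors` entry does not say which value its strings are compared against. The defaults are `"NEEDED_PREAUTH"` and `"Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ"`, and neither appears among the names in `KRB::error_msg` from `consts.zeek` in this same commit, where the pre-authentication case is `[25] = "KDC_ERR_PREAUTH_REQUIRED"`. Someone redefining this option to suppress another error cannot tell from the page whether to add a table name or the server's free-text message, so please spell that out in the description. Related gaps in the same file: `error_code` is declared without `&log` while `error_msg` is logged, which is worth a note so readers know the numeric code is absent from kerberos.log, and `KRB::log_policy` has no description at all.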