Copy docs into Zeek repo directly

This is based on commit 2731def9159247e6da8a3191783c89683363689c from the
zeek-docs repo.
Tim Wojtulewicz 2025-09-15 15:52:18 -07:00
parent 83f1e74643
commit ded98cd373
1074 changed files with 169319 additions and 0 deletions


@ -0,0 +1,141 @@
:tocdepth: 3
base/utils/active-http.zeek
===========================
.. zeek:namespace:: ActiveHTTP
A module for performing active HTTP requests and
getting the reply at runtime.
:Namespace: ActiveHTTP
:Imports: :doc:`base/utils/exec.zeek </scripts/base/utils/exec.zeek>`
Summary
~~~~~~~
Runtime Options
###############
================================================================================== =================================================
:zeek:id:`ActiveHTTP::default_max_time`: :zeek:type:`interval` :zeek:attr:`&redef` The default timeout for HTTP requests.
:zeek:id:`ActiveHTTP::default_method`: :zeek:type:`string` :zeek:attr:`&redef` The default HTTP method/verb to use for requests.
================================================================================== =================================================
Types
#####
====================================================== =
:zeek:type:`ActiveHTTP::Request`: :zeek:type:`record`
:zeek:type:`ActiveHTTP::Response`: :zeek:type:`record`
====================================================== =
Functions
#########
===================================================== ========================================
:zeek:id:`ActiveHTTP::request`: :zeek:type:`function` Perform an HTTP request according to the
:zeek:type:`ActiveHTTP::Request` record.
===================================================== ========================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: ActiveHTTP::default_max_time
:source-code: base/utils/active-http.zeek 10 10
:Type: :zeek:type:`interval`
:Attributes: :zeek:attr:`&redef`
:Default: ``1.0 min``
The default timeout for HTTP requests.
.. zeek:id:: ActiveHTTP::default_method
:source-code: base/utils/active-http.zeek 13 13
:Type: :zeek:type:`string`
:Attributes: :zeek:attr:`&redef`
:Default: ``"GET"``
The default HTTP method/verb to use for requests.
Types
#####
.. zeek:type:: ActiveHTTP::Request
:source-code: base/utils/active-http.zeek 26 46
:Type: :zeek:type:`record`
.. zeek:field:: url :zeek:type:`string`
The URL being requested.
.. zeek:field:: method :zeek:type:`string` :zeek:attr:`&default` = :zeek:see:`ActiveHTTP::default_method` :zeek:attr:`&optional`
The HTTP method/verb to use for the request.
.. zeek:field:: client_data :zeek:type:`string` :zeek:attr:`&optional`
Data to send to the server in the client body. Keep in
mind that you will probably need to set the *method* field
to "POST" or "PUT".
.. zeek:field:: max_time :zeek:type:`interval` :zeek:attr:`&default` = :zeek:see:`ActiveHTTP::default_max_time` :zeek:attr:`&optional`
Timeout for the request.
.. zeek:field:: addl_curl_args :zeek:type:`string` :zeek:attr:`&optional`
Additional curl command line arguments. Be very careful
with this option since shell injection could take place
if careful handling of untrusted data is not applied.
.. zeek:type:: ActiveHTTP::Response
:source-code: base/utils/active-http.zeek 15 24
:Type: :zeek:type:`record`
.. zeek:field:: code :zeek:type:`count`
Numeric response code from the server.
.. zeek:field:: msg :zeek:type:`string`
String response message from the server.
.. zeek:field:: body :zeek:type:`string` :zeek:attr:`&optional`
Full body of the response.
.. zeek:field:: headers :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`string` :zeek:attr:`&optional`
All headers returned by the server.
Functions
#########
.. zeek:id:: ActiveHTTP::request
:source-code: base/utils/active-http.zeek 79 135
:Type: :zeek:type:`function` (req: :zeek:type:`ActiveHTTP::Request`) : :zeek:type:`ActiveHTTP::Response`
Perform an HTTP request according to the
:zeek:type:`ActiveHTTP::Request` record. This is an asynchronous
function and must be called within a "when" statement.
:param req: A record instance representing all options for an HTTP request.
:returns: A record with the full response message.
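
Review bot: in the ActiveHTTP::Request field docs, only addl_curl_args carries a shell-injection warning, while the text for url, method and client_data says nothing about how those strings are handled, even though the module imports base/utils/exec.zeek. Please state for each of those fields whether the value is escaped or quoted before it reaches the curl command line, or extend the warning to cover them. The Types summary table also has an empty description column for Request and Response, so a one-line doc comment on each record would help.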


@ -0,0 +1,392 @@
:tocdepth: 3
base/utils/addrs.zeek
=====================
Functions for parsing and manipulating IP and MAC addresses.
Summary
~~~~~~~
Constants
#########
======================================================================= =
:zeek:id:`ip_addr_regex`: :zeek:type:`pattern`
:zeek:id:`ipv4_addr_regex`: :zeek:type:`pattern`
:zeek:id:`ipv4_decim`: :zeek:type:`pattern`
:zeek:id:`ipv6_8hex_regex`: :zeek:type:`pattern`
:zeek:id:`ipv6_addr_regex`: :zeek:type:`pattern`
:zeek:id:`ipv6_compressed_hex4dec_regex`: :zeek:type:`pattern`
:zeek:id:`ipv6_compressed_hex_regex`: :zeek:type:`pattern`
:zeek:id:`ipv6_compressed_hext4dec_lead_hextets0`: :zeek:type:`pattern`
:zeek:id:`ipv6_compressed_hext4dec_lead_hextets1`: :zeek:type:`pattern`
:zeek:id:`ipv6_compressed_hext4dec_lead_hextets2`: :zeek:type:`pattern`
:zeek:id:`ipv6_compressed_hext4dec_lead_hextets3`: :zeek:type:`pattern`
:zeek:id:`ipv6_compressed_hext4dec_lead_hextets4`: :zeek:type:`pattern`
:zeek:id:`ipv6_compressed_hext4dec_lead_hextets5`: :zeek:type:`pattern`
:zeek:id:`ipv6_compressed_lead_hextets0`: :zeek:type:`pattern`
:zeek:id:`ipv6_compressed_lead_hextets1`: :zeek:type:`pattern`
:zeek:id:`ipv6_compressed_lead_hextets2`: :zeek:type:`pattern`
:zeek:id:`ipv6_compressed_lead_hextets3`: :zeek:type:`pattern`
:zeek:id:`ipv6_compressed_lead_hextets4`: :zeek:type:`pattern`
:zeek:id:`ipv6_compressed_lead_hextets5`: :zeek:type:`pattern`
:zeek:id:`ipv6_compressed_lead_hextets6`: :zeek:type:`pattern`
:zeek:id:`ipv6_compressed_lead_hextets7`: :zeek:type:`pattern`
:zeek:id:`ipv6_hex4dec_regex`: :zeek:type:`pattern`
:zeek:id:`ipv6_hextet`: :zeek:type:`pattern`
======================================================================= =
Functions
#########
====================================================== =========================================================================
:zeek:id:`addr_to_uri`: :zeek:type:`function` Returns the string representation of an IP address suitable for inclusion
in a URI.
:zeek:id:`extract_ip_addresses`: :zeek:type:`function` Extracts all IP (v4 or v6) address strings from a given string.
:zeek:id:`has_valid_octets`: :zeek:type:`function` Checks if all elements of a string array are a valid octet value.
:zeek:id:`normalize_mac`: :zeek:type:`function` Given a string, extracts the hex digits and returns a MAC address in
the format: 00:a0:32:d7:81:8f.
====================================================== =========================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Constants
#########
.. zeek:id:: ip_addr_regex
:source-code: base/utils/addrs.zeek 64 64
:Type: :zeek:type:`pattern`
:Default:
::
/^?((^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)|(^?((^?((^?((^?((^?(([0-9A-Fa-f]{1,4}:){7})$?)(^?([0-9A-Fa-f]{1,4})$?))$?)|(^?((^?((^?((^?((^?((^?((^?((^?(::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,6})?)$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,5})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){1}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,4})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){2}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,3})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){3}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,2})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){4}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,1})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){5}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,0})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){6}::)$?))$?))$?)|(^?((^?(([0-9A-Fa-f]{1,4}:){6})$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?)|(^?((^?((^?((^?((^?((^?((^?(::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,4})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?)|(^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0}::([0-9A-Fa-f]{1,4}(
:[0-9A-Fa-f]{1,4}){0,3})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?)|(^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){1}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,2})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?)|(^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){2}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,1})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?)|(^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){3}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,0})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?)|(^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){4}::)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5
])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?))$?))$?/
.. zeek:id:: ipv4_addr_regex
:source-code: base/utils/addrs.zeek 7 7
:Type: :zeek:type:`pattern`
:Default:
::
/^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?/
.. zeek:id:: ipv4_decim
:source-code: base/utils/addrs.zeek 5 5
:Type: :zeek:type:`pattern`
:Default:
::
/^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?/
.. zeek:id:: ipv6_8hex_regex
:source-code: base/utils/addrs.zeek 11 11
:Type: :zeek:type:`pattern`
:Default:
::
/^?((^?(([0-9A-Fa-f]{1,4}:){7})$?)(^?([0-9A-Fa-f]{1,4})$?))$?/
.. zeek:id:: ipv6_addr_regex
:source-code: base/utils/addrs.zeek 59 59
:Type: :zeek:type:`pattern`
:Default:
::
/^?((^?((^?((^?((^?(([0-9A-Fa-f]{1,4}:){7})$?)(^?([0-9A-Fa-f]{1,4})$?))$?)|(^?((^?((^?((^?((^?((^?((^?((^?(::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,6})?)$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,5})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){1}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,4})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){2}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,3})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){3}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,2})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){4}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,1})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){5}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,0})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){6}::)$?))$?))$?)|(^?((^?(([0-9A-Fa-f]{1,4}:){6})$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?)|(^?((^?((^?((^?((^?((^?((^?(::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,4})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?)|(^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,3})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0
-4][0-9]|25[0-5])$?))$?))$?))$?)|(^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){1}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,2})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?)|(^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){2}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,1})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?)|(^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){3}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,0})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?)|(^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){4}::)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?))$?/
.. zeek:id:: ipv6_compressed_hex4dec_regex
:source-code: base/utils/addrs.zeek 52 52
:Type: :zeek:type:`pattern`
:Default:
::
/^?((^?((^?((^?((^?((^?((^?(::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,4})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?)|(^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,3})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?)|(^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){1}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,2})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?)|(^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){2}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,1})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?)|(^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){3}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,0})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25
[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?)|(^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){4}::)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?/
.. zeek:id:: ipv6_compressed_hex_regex
:source-code: base/utils/addrs.zeek 31 31
:Type: :zeek:type:`pattern`
:Default:
::
/^?((^?((^?((^?((^?((^?((^?((^?(::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,6})?)$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,5})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){1}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,4})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){2}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,3})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){3}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,2})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){4}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,1})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){5}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,0})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){6}::)$?))$?/
.. zeek:id:: ipv6_compressed_hext4dec_lead_hextets0
:source-code: base/utils/addrs.zeek 40 40
:Type: :zeek:type:`pattern`
:Default:
::
/^?((^?(::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,4})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?/
.. zeek:id:: ipv6_compressed_hext4dec_lead_hextets1
:source-code: base/utils/addrs.zeek 42 42
:Type: :zeek:type:`pattern`
:Default:
::
/^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,3})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?/
.. zeek:id:: ipv6_compressed_hext4dec_lead_hextets2
:source-code: base/utils/addrs.zeek 44 44
:Type: :zeek:type:`pattern`
:Default:
::
/^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){1}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,2})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?/
.. zeek:id:: ipv6_compressed_hext4dec_lead_hextets3
:source-code: base/utils/addrs.zeek 46 46
:Type: :zeek:type:`pattern`
:Default:
::
/^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){2}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,1})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?/
.. zeek:id:: ipv6_compressed_hext4dec_lead_hextets4
:source-code: base/utils/addrs.zeek 48 48
:Type: :zeek:type:`pattern`
:Default:
::
/^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){3}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,0})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?/
.. zeek:id:: ipv6_compressed_hext4dec_lead_hextets5
:source-code: base/utils/addrs.zeek 50 50
:Type: :zeek:type:`pattern`
:Default:
::
/^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){4}::)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?/
.. zeek:id:: ipv6_compressed_lead_hextets0
:source-code: base/utils/addrs.zeek 15 15
:Type: :zeek:type:`pattern`
:Default:
::
/^?(::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,6})?)$?/
.. zeek:id:: ipv6_compressed_lead_hextets1
:source-code: base/utils/addrs.zeek 17 17
:Type: :zeek:type:`pattern`
:Default:
::
/^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,5})?)$?/
.. zeek:id:: ipv6_compressed_lead_hextets2
:source-code: base/utils/addrs.zeek 19 19
:Type: :zeek:type:`pattern`
:Default:
::
/^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){1}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,4})?)$?/
.. zeek:id:: ipv6_compressed_lead_hextets3
:source-code: base/utils/addrs.zeek 21 21
:Type: :zeek:type:`pattern`
:Default:
::
/^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){2}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,3})?)$?/
.. zeek:id:: ipv6_compressed_lead_hextets4
:source-code: base/utils/addrs.zeek 23 23
:Type: :zeek:type:`pattern`
:Default:
::
/^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){3}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,2})?)$?/
.. zeek:id:: ipv6_compressed_lead_hextets5
:source-code: base/utils/addrs.zeek 25 25
:Type: :zeek:type:`pattern`
:Default:
::
/^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){4}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,1})?)$?/
.. zeek:id:: ipv6_compressed_lead_hextets6
:source-code: base/utils/addrs.zeek 27 27
:Type: :zeek:type:`pattern`
:Default:
::
/^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){5}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,0})?)$?/
.. zeek:id:: ipv6_compressed_lead_hextets7
:source-code: base/utils/addrs.zeek 29 29
:Type: :zeek:type:`pattern`
:Default:
::
/^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){6}::)$?/
.. zeek:id:: ipv6_hex4dec_regex
:source-code: base/utils/addrs.zeek 13 13
:Type: :zeek:type:`pattern`
:Default:
::
/^?((^?(([0-9A-Fa-f]{1,4}:){6})$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?/
.. zeek:id:: ipv6_hextet
:source-code: base/utils/addrs.zeek 9 9
:Type: :zeek:type:`pattern`
:Default:
::
/^?([0-9A-Fa-f]{1,4})$?/
Functions
#########
.. zeek:id:: addr_to_uri
:source-code: base/utils/addrs.zeek 126 132
:Type: :zeek:type:`function` (a: :zeek:type:`addr`) : :zeek:type:`string`
Returns the string representation of an IP address suitable for inclusion
in a URI. For IPv4, this does no special formatting, but for IPv6, the
address is included in square brackets.
:param a: the address to make suitable for URI inclusion.
:returns: the string representation of the address suitable for URI inclusion.
.. zeek:id:: extract_ip_addresses
:source-code: base/utils/addrs.zeek 89 117
:Type: :zeek:type:`function` (input: :zeek:type:`string`, check_wrapping: :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`) : :zeek:type:`string_vec`
Extracts all IP (v4 or v6) address strings from a given string.
:param input: a string that may contain an IP address anywhere within it.
:param check_wrapping: if true, will only return IP addresses that are wrapped in matching pairs of spaces, square brackets, curly braces, or parens. This can be used to avoid extracting strings that look like IPs from innocuous strings, such as SMTP headers.
:returns: an array containing all valid IP address strings found in *input*.
.. zeek:id:: has_valid_octets
:source-code: base/utils/addrs.zeek 71 80
:Type: :zeek:type:`function` (octets: :zeek:type:`string_vec`) : :zeek:type:`bool`
Checks if all elements of a string array are a valid octet value.
:param octets: an array of strings to check for valid octet values.
:returns: T if every element is between 0 and 255, inclusive, else F.
.. zeek:id:: normalize_mac
:source-code: base/utils/addrs.zeek 141 159
:Type: :zeek:type:`function` (a: :zeek:type:`string`) : :zeek:type:`string`
Given a string, extracts the hex digits and returns a MAC address in
the format: 00:a0:32:d7:81:8f. If the string doesn't contain 12 or 16 hex
digits, an empty string is returned.
:param a: the string to normalize.
:returns: a normalized MAC address, or an empty string in the case of an error.
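
Review bot: the normalize_mac description gives the output format only for the 12-digit case (00:a0:32:d7:81:8f), while the next sentence accepts 12 or 16 hex digits; please document what the 16-digit result looks like. Separately, none of the 23 pattern constants has a description and the summary table's second column is empty, so a one-line comment per constant saying what it is meant to match would let readers use the page without decoding the expanded defaults.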


@ -0,0 +1,46 @@
:tocdepth: 3
base/utils/backtrace.zeek
=========================
Summary
~~~~~~~
Functions
#########
================================================= ==================================
:zeek:id:`print_backtrace`: :zeek:type:`function` Prints a Zeek function call stack.
================================================= ==================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: print_backtrace
:source-code: base/utils/backtrace.zeek 19 78
:Type: :zeek:type:`function` (show_args: :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`, one_line: :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`, one_line_delim: :zeek:type:`string` :zeek:attr:`&default` = ``"|"`` :zeek:attr:`&optional`, skip: :zeek:type:`count` :zeek:attr:`&default` = ``1`` :zeek:attr:`&optional`, to_file: :zeek:type:`file` :zeek:attr:`&default` = ``file "/dev/stdout" of string`` :zeek:attr:`&optional`) : :zeek:type:`void`
Prints a Zeek function call stack.
:param show_args: whether to print function argument names/types/values.
:param one_line: whether to print the stack in a single line or multiple.
:param one_line_delim: delimiter between stack elements if printing to one line.
:param skip: the number of call stack elements to skip past, starting from zero,
with that being the call to this function.
:param to_file: the file to which the call stack will be printed.
.. zeek:see:: backtrace
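
Review bot: the skip parameter text ("starting from zero, with that being the call to this function") is hard to parse and does not connect to the default of 1 shown in the signature. Suggest saying directly that element 0 is the print_backtrace call itself, so the default skips only that element.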


@ -0,0 +1,57 @@
:tocdepth: 3
base/utils/conn-ids.zeek
========================
.. zeek:namespace:: GLOBAL
Simple functions for generating ASCII strings from connection IDs.
:Namespace: GLOBAL
Summary
~~~~~~~
Functions
#########
==================================================== ===================================================================
:zeek:id:`directed_id_string`: :zeek:type:`function` Calls :zeek:id:`id_string` or :zeek:id:`reverse_id_string` if the
second argument is T or F, respectively.
:zeek:id:`id_string`: :zeek:type:`function` Takes a conn_id record and returns a string representation with the
general data flow appearing to be from the connection originator
on the left to the responder on the right.
:zeek:id:`reverse_id_string`: :zeek:type:`function` Takes a conn_id record and returns a string representation with the
general data flow appearing to be from the connection responder
on the right to the originator on the left.
==================================================== ===================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: directed_id_string
:source-code: base/utils/conn-ids.zeek 39 42
:Type: :zeek:type:`function` (id: :zeek:type:`conn_id`, is_orig: :zeek:type:`bool`) : :zeek:type:`string`
Calls :zeek:id:`id_string` or :zeek:id:`reverse_id_string` if the
second argument is T or F, respectively.
.. zeek:id:: id_string
:source-code: base/utils/conn-ids.zeek 25 30
:Type: :zeek:type:`function` (id: :zeek:type:`conn_id`) : :zeek:type:`string`
Takes a conn_id record and returns a string representation with the
general data flow appearing to be from the connection originator
on the left to the responder on the right.
.. zeek:id:: reverse_id_string
:source-code: base/utils/conn-ids.zeek 32 37
:Type: :zeek:type:`function` (id: :zeek:type:`conn_id`) : :zeek:type:`string`
Takes a conn_id record and returns a string representation with the
general data flow appearing to be from the connection responder
on the right to the originator on the left.
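
Review bot: the reverse_id_string description ("from the connection responder on the right to the originator on the left") leaves it unclear which endpoint is printed on which side and how the result differs from id_string. Suggest stating the order of the fields in the returned string directly and adding one example output to each of id_string and reverse_id_string. directed_id_string would also benefit from :param: and :returns: entries for id and is_orig.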


@ -0,0 +1,64 @@
:tocdepth: 3
base/utils/dir.zeek
===================
.. zeek:namespace:: Dir
:Namespace: Dir
:Imports: :doc:`base/frameworks/reporter </scripts/base/frameworks/reporter/index>`, :doc:`base/utils/exec.zeek </scripts/base/utils/exec.zeek>`, :doc:`base/utils/paths.zeek </scripts/base/utils/paths.zeek>`
Summary
~~~~~~~
Runtime Options
###############
=========================================================================== =====================================================================
:zeek:id:`Dir::polling_interval`: :zeek:type:`interval` :zeek:attr:`&redef` The default interval this module checks for files in directories when
using the :zeek:see:`Dir::monitor` function.
=========================================================================== =====================================================================
Functions
#########
============================================== ==============================================================
:zeek:id:`Dir::monitor`: :zeek:type:`function` Register a directory to monitor with a callback that is called
every time a previously unseen file is seen.
============================================== ==============================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: Dir::polling_interval
:source-code: base/utils/dir.zeek 10 10
:Type: :zeek:type:`interval`
:Attributes: :zeek:attr:`&redef`
:Default: ``30.0 secs``
The default interval this module checks for files in directories when
using the :zeek:see:`Dir::monitor` function.
Functions
#########
.. zeek:id:: Dir::monitor
:source-code: base/utils/dir.zeek 60 63
:Type: :zeek:type:`function` (dir: :zeek:type:`string`, callback: :zeek:type:`function` (fname: :zeek:type:`string`) : :zeek:type:`void`, poll_interval: :zeek:type:`interval` :zeek:attr:`&default` = :zeek:see:`Dir::polling_interval` :zeek:attr:`&optional`) : :zeek:type:`void`
Register a directory to monitor with a callback that is called
every time a previously unseen file is seen. If a file is deleted
and seen to be gone, then the file is available for being seen again
in the future.
:param dir: The directory to monitor for files.
:param callback: Callback that gets executed with each file name
that is found. Filenames are provided with the full path.
:param poll_interval: An interval at which to check for new files.
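Review bot: The Dir::monitor description does not say how the dir argument is handled, even though this file lists base/utils/exec.zeek among its imports. If the directory name ends up on a command line, the text should say that it is quoted, or that callers must pass a trusted path, in the same way the Exec::Command cmd field points to safe_shell_quote. It would also help to state whether monitoring is recursive and what happens when dir does not exist.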

@ -0,0 +1,113 @@
:tocdepth: 3
base/utils/directions-and-hosts.zeek
====================================
:Imports: :doc:`base/utils/site.zeek </scripts/base/utils/site.zeek>`
Summary
~~~~~~~
Types
#####
========================================= =
:zeek:type:`Direction`: :zeek:type:`enum`
:zeek:type:`Host`: :zeek:type:`enum`
========================================= =
Functions
#########
====================================================== ======================================================================
:zeek:id:`addr_matches_host`: :zeek:type:`function` Checks whether a given host (IP address) matches a given host type.
:zeek:id:`id_matches_direction`: :zeek:type:`function` Checks whether a given connection is of a given direction with respect
to the locally-monitored network.
====================================================== ======================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. zeek:type:: Direction
:source-code: base/utils/directions-and-hosts.zeek 3 16
:Type: :zeek:type:`enum`
.. zeek:enum:: INBOUND Direction
The connection originator is not within the locally-monitored
network, but the other endpoint is.
.. zeek:enum:: OUTBOUND Direction
The connection originator is within the locally-monitored network,
but the other endpoint is not.
.. zeek:enum:: BIDIRECTIONAL Direction
Only one endpoint is within the locally-monitored network, meaning
the connection is either outbound or inbound.
.. zeek:enum:: NO_DIRECTION Direction
This value doesn't match any connection.
.. zeek:type:: Host
:source-code: base/utils/directions-and-hosts.zeek 40 50
:Type: :zeek:type:`enum`
.. zeek:enum:: LOCAL_HOSTS Host
A host within the locally-monitored network.
.. zeek:enum:: REMOTE_HOSTS Host
A host not within the locally-monitored network.
.. zeek:enum:: ALL_HOSTS Host
Any host.
.. zeek:enum:: NO_HOSTS Host
This value doesn't match any host.
Functions
#########
.. zeek:id:: addr_matches_host
:source-code: base/utils/directions-and-hosts.zeek 58 65
:Type: :zeek:type:`function` (ip: :zeek:type:`addr`, h: :zeek:type:`Host`) : :zeek:type:`bool`
Checks whether a given host (IP address) matches a given host type.
:param ip: address of a host.
:param h: a host type.
:returns: T if the given host matches the given type, else F.
.. zeek:id:: id_matches_direction
:source-code: base/utils/directions-and-hosts.zeek 25 38
:Type: :zeek:type:`function` (id: :zeek:type:`conn_id`, d: :zeek:type:`Direction`) : :zeek:type:`bool`
Checks whether a given connection is of a given direction with respect
to the locally-monitored network.
:param id: a connection record containing the originator/responder hosts.
:param d: a direction with respect to the locally-monitored network.
:returns: T if the two connection endpoints match the given direction, else F.
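Review bot: In id_matches_direction, ":param id:" calls the argument "a connection record" while the signature types it as conn_id; say "a conn_id record" so readers do not pass a connection. The Direction values also leave the both-local and both-remote cases undocumented: by these descriptions INBOUND, OUTBOUND and BIDIRECTIONAL each require exactly one endpoint inside the locally-monitored network, so the text should state that such connections match none of them. The Direction and Host rows in the summary table have no description.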

@ -0,0 +1,82 @@
:tocdepth: 3
base/utils/email.zeek
=====================
Summary
~~~~~~~
Functions
#########
============================================================ ===========================================================================
:zeek:id:`extract_email_addrs_set`: :zeek:type:`function` Extract mail addresses out of address specifications conforming to RFC5322.
:zeek:id:`extract_email_addrs_vec`: :zeek:type:`function` Extract mail addresses out of address specifications conforming to RFC5322.
:zeek:id:`extract_first_email_addr`: :zeek:type:`function` Extract the first email address from a string.
:zeek:id:`split_mime_email_addresses`: :zeek:type:`function` Split email addresses from MIME headers.
============================================================ ===========================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: extract_email_addrs_set
:source-code: base/utils/email.zeek 24 33
:Type: :zeek:type:`function` (str: :zeek:type:`string`) : :zeek:type:`set` [:zeek:type:`string`]
Extract mail addresses out of address specifications conforming to RFC5322.
:param str: A string potentially containing email addresses.
:returns: A set of extracted email addresses. An empty set is returned
if no email addresses are discovered.
.. zeek:id:: extract_email_addrs_vec
:source-code: base/utils/email.zeek 7 16
:Type: :zeek:type:`function` (str: :zeek:type:`string`) : :zeek:type:`string_vec`
Extract mail addresses out of address specifications conforming to RFC5322.
:param str: A string potentially containing email addresses.
:returns: A vector of extracted email addresses. An empty vector is returned
if no email addresses are discovered.
.. zeek:id:: extract_first_email_addr
:source-code: base/utils/email.zeek 40 47
:Type: :zeek:type:`function` (str: :zeek:type:`string`) : :zeek:type:`string`
Extract the first email address from a string.
:param str: A string potentially containing email addresses.
:returns: An email address or empty string if none found.
.. zeek:id:: split_mime_email_addresses
:source-code: base/utils/email.zeek 58 67
:Type: :zeek:type:`function` (line: :zeek:type:`string`) : :zeek:type:`set` [:zeek:type:`string`]
Split email addresses from MIME headers. The email addresses will
include the display name and email address as it was given by the mail
mail client. Note that this currently does not account for MIME group
addresses and won't handle them correctly. The group name will show up
as part of an email address.
:param str: The argument from a MIME header.
:returns: A set of addresses or empty string if none found.
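Review bot: split_mime_email_addresses documents its argument as ":param str:" while the signature names it line, and its ":returns:" promises "empty string if none found" for a function typed to return set[string]; rename the entry to line and say an empty set is returned. The description also repeats a word ("by the mail mail client"). Since the text admits that MIME group addresses are mishandled and the group name ends up inside an address, add a sentence that callers should not treat the results as validated addresses.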

@ -0,0 +1,114 @@
:tocdepth: 3
base/utils/exec.zeek
====================
.. zeek:namespace:: Exec
A module for executing external command line programs.
:Namespace: Exec
:Imports: :doc:`base/frameworks/input </scripts/base/frameworks/input/index>`
Summary
~~~~~~~
Types
#####
=============================================== =
:zeek:type:`Exec::Command`: :zeek:type:`record`
:zeek:type:`Exec::Result`: :zeek:type:`record`
=============================================== =
Functions
#########
=========================================== ======================================================
:zeek:id:`Exec::run`: :zeek:type:`function` Function for running command line programs and getting
output.
=========================================== ======================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. zeek:type:: Exec::Command
:source-code: base/utils/exec.zeek 8 20
:Type: :zeek:type:`record`
.. zeek:field:: cmd :zeek:type:`string`
The command line to execute. Use care to avoid injection
attacks (i.e., if the command uses untrusted/variable data,
sanitize it with :zeek:see:`safe_shell_quote`).
.. zeek:field:: stdin :zeek:type:`string` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`
Provide standard input to the program as a string.
.. zeek:field:: read_files :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&optional`
If additional files are required to be read in as part of the
output of the command they can be defined here.
.. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&default` = ``Chd8EgFWk2j`` :zeek:attr:`&optional`
The unique id for tracking executors.
.. zeek:type:: Exec::Result
:source-code: base/utils/exec.zeek 22 34
:Type: :zeek:type:`record`
.. zeek:field:: exit_code :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
Exit code from the program.
.. zeek:field:: signal_exit :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
True if the command was terminated with a signal.
.. zeek:field:: stdout :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&optional`
Each line of standard output.
.. zeek:field:: stderr :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&optional`
Each line of standard error.
.. zeek:field:: files :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`string_vec` :zeek:attr:`&optional`
If additional files were requested to be read in
the content of the files will be available here.
Functions
#########
.. zeek:id:: Exec::run
:source-code: base/utils/exec.zeek 153 187
:Type: :zeek:type:`function` (cmd: :zeek:type:`Exec::Command`) : :zeek:type:`Exec::Result`
Function for running command line programs and getting
output. This is an asynchronous function which is meant
to be run with the ``when`` statement.
:param cmd: The command to run. Use care to avoid injection attacks!
:returns: A record representing the full results from the
external program execution.
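Review bot: On Exec::run, ":param cmd:" warns about injection attacks without naming the remedy; repeat the pointer to safe_shell_quote that the Exec::Command cmd field already gives, so the warning is actionable where the function is documented. The uid field shows a default of Chd8EgFWk2j, which looks like an identifier generated when the docs were built rather than a fixed default; describing it as a generated unique ID would keep the value from changing on every rebuild and from being copied by readers. The Exec::Command and Exec::Result summary rows have no description.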

@ -0,0 +1,41 @@
:tocdepth: 3
base/utils/files.zeek
=====================
:Imports: :doc:`base/utils/addrs.zeek </scripts/base/utils/addrs.zeek>`
Summary
~~~~~~~
Functions
#########
=========================================================================== ======================================================================
:zeek:id:`extract_filename_from_content_disposition`: :zeek:type:`function` For CONTENT-DISPOSITION headers, this function can be used to extract
the filename.
:zeek:id:`generate_extraction_filename`: :zeek:type:`function` This function can be used to generate a consistent filename for when
contents of a file, stream, or connection are being extracted to disk.
=========================================================================== ======================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: extract_filename_from_content_disposition
:source-code: base/utils/files.zeek 20 33
:Type: :zeek:type:`function` (data: :zeek:type:`string`) : :zeek:type:`string`
For CONTENT-DISPOSITION headers, this function can be used to extract
the filename.
.. zeek:id:: generate_extraction_filename
:source-code: base/utils/files.zeek 5 16
:Type: :zeek:type:`function` (prefix: :zeek:type:`string`, c: :zeek:type:`connection`, suffix: :zeek:type:`string`) : :zeek:type:`string`
This function can be used to generate a consistent filename for when
contents of a file, stream, or connection are being extracted to disk.
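Review bot: Neither function in this file has :param: or :returns: entries. For extract_filename_from_content_disposition the data argument is a header value supplied by the remote peer, so the docs should state what is returned when no filename is present and whether the result can contain path separators or "..", because callers are likely to use it when naming extracted files. generate_extraction_filename should describe how prefix, c and suffix are combined into the name.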

@ -0,0 +1,43 @@
:tocdepth: 3
base/utils/geoip-distance.zeek
==============================
Functions to calculate distance between two locations, based on GeoIP data.
Summary
~~~~~~~
Functions
#########
======================================================= ==========================================================================
:zeek:id:`haversine_distance_ip`: :zeek:type:`function` Returns the distance between two IP addresses using the haversine formula,
based on GeoIP database locations.
======================================================= ==========================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: haversine_distance_ip
:source-code: base/utils/geoip-distance.zeek 14 26
:Type: :zeek:type:`function` (a1: :zeek:type:`addr`, a2: :zeek:type:`addr`) : :zeek:type:`double`
Returns the distance between two IP addresses using the haversine formula,
based on GeoIP database locations. Requires Zeek to be built with GeoIP.
:param a1: First IP address.
:param a2: Second IP address.
:returns: The distance between *a1* and *a2* in miles, or -1.0 if GeoIP data
is not available for either of the IP addresses.
.. zeek:see:: haversine_distance lookup_location
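Review bot: The ":returns:" text for haversine_distance_ip says -1.0 is returned "if GeoIP data is not available for either of the IP addresses", which can be read as one or both; word it as "if GeoIP data is missing for a1 or a2". The description says Zeek must be built with GeoIP but not what the function returns when it is not; say whether that case also yields -1.0, so callers comparing the result against a distance threshold know to check for the sentinel first.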

@ -0,0 +1,105 @@
:tocdepth: 3
base/utils/hash_hrw.zeek
========================
.. zeek:namespace:: HashHRW
An implementation of highest random weight (HRW) hashing, also called
rendezvous hashing. See
`<https://en.wikipedia.org/wiki/Rendezvous_hashing>`_.
:Namespace: HashHRW
Summary
~~~~~~~
Types
#####
=================================================== ===================================================================
:zeek:type:`HashHRW::Pool`: :zeek:type:`record` A collection of sites to distribute keys across.
:zeek:type:`HashHRW::Site`: :zeek:type:`record` A site/node is a unique location to which you want a subset of keys
to be distributed.
:zeek:type:`HashHRW::SiteTable`: :zeek:type:`table` A table of sites, indexed by their id.
=================================================== ===================================================================
Functions
#########
=================================================== ========================================
:zeek:id:`HashHRW::add_site`: :zeek:type:`function` Add a site to a pool.
:zeek:id:`HashHRW::get_site`: :zeek:type:`function` Returns: the site to which the key maps.
:zeek:id:`HashHRW::rem_site`: :zeek:type:`function` Remove a site from a pool.
=================================================== ========================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. zeek:type:: HashHRW::Pool
:source-code: base/utils/hash_hrw.zeek 22 24
:Type: :zeek:type:`record`
.. zeek:field:: sites :zeek:type:`HashHRW::SiteTable` :zeek:attr:`&default` = ``{ }`` :zeek:attr:`&optional`
A collection of sites to distribute keys across.
.. zeek:type:: HashHRW::Site
:source-code: base/utils/hash_hrw.zeek 10 16
:Type: :zeek:type:`record`
.. zeek:field:: id :zeek:type:`count`
A unique identifier for the site, should not exceed what
can be contained in a 32-bit integer.
.. zeek:field:: user_data :zeek:type:`any` :zeek:attr:`&optional`
Other data to associate with the site.
A site/node is a unique location to which you want a subset of keys
to be distributed.
.. zeek:type:: HashHRW::SiteTable
:source-code: base/utils/hash_hrw.zeek 19 19
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`HashHRW::Site`
A table of sites, indexed by their id.
Functions
#########
.. zeek:id:: HashHRW::add_site
:source-code: base/utils/hash_hrw.zeek 40 47
:Type: :zeek:type:`function` (pool: :zeek:type:`HashHRW::Pool`, site: :zeek:type:`HashHRW::Site`) : :zeek:type:`bool`
Add a site to a pool.
:returns: F is the site is already in the pool, else T.
.. zeek:id:: HashHRW::get_site
:source-code: base/utils/hash_hrw.zeek 58 76
:Type: :zeek:type:`function` (pool: :zeek:type:`HashHRW::Pool`, key: :zeek:type:`any`) : :zeek:type:`HashHRW::Site`
:returns: the site to which the key maps.
.. zeek:id:: HashHRW::rem_site
:source-code: base/utils/hash_hrw.zeek 49 56
:Type: :zeek:type:`function` (pool: :zeek:type:`HashHRW::Pool`, site: :zeek:type:`HashHRW::Site`) : :zeek:type:`bool`
Remove a site from a pool.
:returns: F if the site is not in the pool, else T.

@ -0,0 +1,38 @@
:tocdepth: 3
base/utils/numbers.zeek
=======================
Summary
~~~~~~~
Functions
#########
=============================================== =================================
:zeek:id:`extract_count`: :zeek:type:`function` Extract an integer from a string.
=============================================== =================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: extract_count
:source-code: base/utils/numbers.zeek 9 25
:Type: :zeek:type:`function` (s: :zeek:type:`string`, get_first: :zeek:type:`bool` :zeek:attr:`&default` = ``T`` :zeek:attr:`&optional`) : :zeek:type:`count`
Extract an integer from a string.
:param s: The string to search for a number.
:param get_first: Provide ``F`` if you would like the last number found.
:returns: The request integer from the given string or ``0`` if
no integer was found.
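Review bot: extract_count is documented to return 0 when no integer is found, which a caller cannot tell apart from a string that contains the number 0; the ":returns:" text should say so and advise callers who need the distinction to test the string for digits first. "The request integer" should read "The requested integer".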

@ -0,0 +1,41 @@
:tocdepth: 3
base/utils/packages.zeek
========================
Rudimentary functions for helping with Zeek packages.
Summary
~~~~~~~
Functions
#########
========================================== ==================================================
:zeek:id:`can_load`: :zeek:type:`function` Checks whether @load of a given package name could
be successful.
========================================== ==================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: can_load
:source-code: base/utils/packages.zeek 13 16
:Type: :zeek:type:`function` (p: :zeek:type:`string`) : :zeek:type:`bool`
Checks whether @load of a given package name could
be successful.
This tests for the existence of corresponding script files
in ZEEKPATH. It does not attempt to parse and validate
any actual Zeek script code.
:param path: The filename, package or path to test.
:returns: T if the given filename, package or path may load.
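Review bot: can_load documents ":param path:" while the signature names the argument p; rename the entry to p so the parameter docs match the signature. The ":returns:" line says the target "may load"; tie that to the earlier statement that only file existence in ZEEKPATH is tested, so a T result is not read as a guarantee that the script parses.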

@ -0,0 +1,86 @@
:tocdepth: 3
base/utils/paths.zeek
=====================
Functions to parse and manipulate UNIX style paths and directories.
Summary
~~~~~~~
Constants
#########
================================================== =
:zeek:id:`absolute_path_pat`: :zeek:type:`pattern`
================================================== =
Functions
#########
======================================================= ======================================================================
:zeek:id:`build_path`: :zeek:type:`function` Constructs a path to a file given a directory and a file name.
:zeek:id:`build_path_compressed`: :zeek:type:`function` Returns a compressed path to a file given a directory and file name.
:zeek:id:`extract_path`: :zeek:type:`function` Given an arbitrary string, extracts a single, absolute path (directory
with filename).
======================================================= ======================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Constants
#########
.. zeek:id:: absolute_path_pat
:source-code: base/utils/paths.zeek 3 3
:Type: :zeek:type:`pattern`
:Default:
::
/^?((\/|[A-Za-z]:[\\\/]).*)$?/
Functions
#########
.. zeek:id:: build_path
:source-code: base/utils/paths.zeek 32 38
:Type: :zeek:type:`function` (dir: :zeek:type:`string`, file_name: :zeek:type:`string`) : :zeek:type:`string`
Constructs a path to a file given a directory and a file name.
:param dir: the directory in which the file lives.
:param file_name: the name of the file.
:returns: the concatenation of the directory path and file name, or just
the file name if it's already an absolute path or dir is empty.
.. zeek:id:: build_path_compressed
:source-code: base/utils/paths.zeek 42 45
:Type: :zeek:type:`function` (dir: :zeek:type:`string`, file_name: :zeek:type:`string`) : :zeek:type:`string`
Returns a compressed path to a file given a directory and file name.
See :zeek:id:`build_path` and :zeek:id:`compress_path`.
.. zeek:id:: extract_path
:source-code: base/utils/paths.zeek 13 22
:Type: :zeek:type:`function` (input: :zeek:type:`string`) : :zeek:type:`string`
Given an arbitrary string, extracts a single, absolute path (directory
with filename).
.. todo:: Make this work on Window's style directories.
:param input: a string that may contain an absolute path.
:returns: the first absolute path found in input string, else an empty string.
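Review bot: build_path is documented to return just the file name when it is already an absolute path, so a caller joining an untrusted name onto a base directory gets a path outside that directory; the description should say this outright and tell callers to test the name against absolute_path_pat, or reject it, before calling. absolute_path_pat itself has no description, and its default accepts drive-letter paths ([A-Za-z]:[\\\/]) while the file summary says UNIX style paths and the extract_path todo says Windows directories are not handled; the three should agree. "Window's style" should read "Windows-style".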

@ -0,0 +1,106 @@
:tocdepth: 3
base/utils/patterns.zeek
========================
.. zeek:namespace:: GLOBAL
Functions for creating and working with patterns.
:Namespace: GLOBAL
Summary
~~~~~~~
Types
#####
==================================================== =
:zeek:type:`PatternMatchResult`: :zeek:type:`record`
==================================================== =
Functions
#########
=============================================== =========================================================================
:zeek:id:`match_pattern`: :zeek:type:`function` Matches the given pattern against the given string, returning
a :zeek:type:`PatternMatchResult` record.
:zeek:id:`set_to_regex`: :zeek:type:`function` Given a pattern as a string with two tildes (~~) contained in it, it will
return a pattern with string set's elements OR'd together where the
double-tilde was given.
=============================================== =========================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. zeek:type:: PatternMatchResult
:source-code: base/utils/patterns.zeek 37 44
:Type: :zeek:type:`record`
.. zeek:field:: matched :zeek:type:`bool`
T if a match was found, F otherwise.
.. zeek:field:: str :zeek:type:`string`
Portion of string that first matched.
.. zeek:field:: off :zeek:type:`count`
1-based offset where match starts.
Functions
#########
.. zeek:id:: match_pattern
:source-code: base/utils/patterns.zeek 58 67
:Type: :zeek:type:`function` (s: :zeek:type:`string`, p: :zeek:type:`pattern`) : :zeek:type:`PatternMatchResult`
Matches the given pattern against the given string, returning
a :zeek:type:`PatternMatchResult` record.
For example: ``match_pattern("foobar", /o*[a-k]/)`` returns
``[matched=T, str=f, off=1]``, because the *first* match is for
zero o's followed by an [a-k], but ``match_pattern("foobar", /o+[a-k]/)``
returns ``[matched=T, str=oob, off=2]``.
:param s: a string to match against.
:param p: a pattern to match.
:returns: a record indicating the match status.
.. zeek:id:: set_to_regex
:source-code: base/utils/patterns.zeek 23 35
:Type: :zeek:type:`function` (ss: :zeek:type:`set` [:zeek:type:`string`], pat: :zeek:type:`string`) : :zeek:type:`pattern`
Given a pattern as a string with two tildes (~~) contained in it, it will
return a pattern with string set's elements OR'd together where the
double-tilde was given. Examples:
.. code-block:: zeek
global r1 = set_to_regex(set("a", "b", "c"), "~~");
# r1 = /^?(a|b|c)$?/
global r2 = set_to_regex(set("a.com", "b.com", "c.com"), "\\.(~~)");
# r2 = /^?(\.(a\.com|b\.com|c\.com))$?/
:param ss: a set of strings to OR together.
:param pat: the pattern containing a "~~" in it. If a literal backslash is
included, it needs to be escaped with another backslash due to Zeek's
string parsing reducing it to a single backslash upon rendering.
:returns: the input pattern with "~~" replaced by OR'd elements of input set.
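Review bot: set_to_regex does not say how the elements of ss are treated, although the r2 example shows "a.com" becoming a\.com in the result; state explicitly that elements are escaped and matched literally while pat is taken as regex syntax, because that is what decides whether strings from untrusted sources are safe to put in ss. PatternMatchResult should document what str and off contain when matched is F, and its summary row has no description.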

@ -0,0 +1,197 @@
:tocdepth: 3
base/utils/queue.zeek
=====================
.. zeek:namespace:: Queue
A FIFO queue.
:Namespace: Queue
Summary
~~~~~~~
Types
#####
================================================= ==========================================
:zeek:type:`Queue::Queue`: :zeek:type:`record` The internal data structure for the queue.
:zeek:type:`Queue::Settings`: :zeek:type:`record` Settings for initializing the queue.
================================================= ==========================================
Redefinitions
#############
============================================== ==========================================================================================
:zeek:type:`Queue::Queue`: :zeek:type:`record`
:New Fields: :zeek:type:`Queue::Queue`
initialized: :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
vals: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`any` :zeek:attr:`&optional`
settings: :zeek:type:`Queue::Settings` :zeek:attr:`&optional`
top: :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
bottom: :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
size: :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
============================================== ==========================================================================================
Functions
#########
=================================================== ==============================================================
:zeek:id:`Queue::get`: :zeek:type:`function` Get a value from the end of a queue.
:zeek:id:`Queue::get_vector`: :zeek:type:`function` Get the contents of the queue as a vector.
:zeek:id:`Queue::init`: :zeek:type:`function` Initialize a queue record structure.
:zeek:id:`Queue::len`: :zeek:type:`function` Get the number of items in a queue.
:zeek:id:`Queue::merge`: :zeek:type:`function` Merge two queues together.
:zeek:id:`Queue::peek`: :zeek:type:`function` Peek at the value at the end of the queue without removing it.
:zeek:id:`Queue::put`: :zeek:type:`function` Put a value onto the beginning of a queue.
=================================================== ==============================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. zeek:type:: Queue::Queue
:source-code: base/utils/queue.zeek 15 16
:Type: :zeek:type:`record`
.. zeek:field:: initialized :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
.. zeek:field:: vals :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`any` :zeek:attr:`&optional`
.. zeek:field:: settings :zeek:type:`Queue::Settings` :zeek:attr:`&optional`
.. zeek:field:: top :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
.. zeek:field:: bottom :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
.. zeek:field:: size :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
The internal data structure for the queue.
.. zeek:type:: Queue::Settings
:source-code: base/utils/queue.zeek 7 12
:Type: :zeek:type:`record`
.. zeek:field:: max_len :zeek:type:`count` :zeek:attr:`&optional`
If a maximum length is set for the queue
it will maintain itself at that
maximum length automatically.
Settings for initializing the queue.
Functions
#########
.. zeek:id:: Queue::get
:source-code: base/utils/queue.zeek 105 111
:Type: :zeek:type:`function` (q: :zeek:type:`Queue::Queue`) : :zeek:type:`any`
Get a value from the end of a queue.
:param q: The queue to get the value from.
:returns: The value gotten from the queue.
.. zeek:id:: Queue::get_vector
:source-code: base/utils/queue.zeek 140 155
:Type: :zeek:type:`function` (q: :zeek:type:`Queue::Queue`, ret: :zeek:type:`vector` of :zeek:type:`any`) : :zeek:type:`void`
Get the contents of the queue as a vector.
:param q: The queue.
:param ret: A vector containing the current contents of the queue
as the type of ret.
.. zeek:id:: Queue::init
:source-code: base/utils/queue.zeek 88 95
:Type: :zeek:type:`function` (s: :zeek:type:`Queue::Settings` :zeek:attr:`&default` = ``[]`` :zeek:attr:`&optional`) : :zeek:type:`Queue::Queue`
Initialize a queue record structure.
:param s: A record which configures the queue.
:returns: An opaque queue record.
.. zeek:id:: Queue::len
:source-code: base/utils/queue.zeek 135 138
:Type: :zeek:type:`function` (q: :zeek:type:`Queue::Queue`) : :zeek:type:`count`
Get the number of items in a queue.
:param q: The queue.
:returns: The length of the queue.
.. zeek:id:: Queue::merge
:source-code: base/utils/queue.zeek 118 133
:Type: :zeek:type:`function` (q1: :zeek:type:`Queue::Queue`, q2: :zeek:type:`Queue::Queue`) : :zeek:type:`Queue::Queue`
Merge two queues together. If any settings are applied
to the queues, the settings from *q1* are used for the new
merged queue.
:param q1: The first queue. Settings are taken from here.
:param q2: The second queue.
:returns: A new queue from merging the other two together.
.. zeek:id:: Queue::peek
:source-code: base/utils/queue.zeek 113 116
:Type: :zeek:type:`function` (q: :zeek:type:`Queue::Queue`) : :zeek:type:`any`
Peek at the value at the end of the queue without removing it.
:param q: The queue to get the value from.
:returns: The value at the end of the queue.
.. zeek:id:: Queue::put
:source-code: base/utils/queue.zeek 97 103
:Type: :zeek:type:`function` (q: :zeek:type:`Queue::Queue`, val: :zeek:type:`any`) : :zeek:type:`void`
Put a value onto the beginning of a queue.
:param q: The queue to put the value into.
:param val: The value to insert into the queue.
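Review bot: Queue::get_vector is typed to return void, yet ":param ret:" is worded like a return value ("A vector containing the current contents of the queue"); say that ret is an output argument filled in by the call and what element type it must have. Queue::get and Queue::peek do not say what happens on an empty queue, and max_len says the queue will "maintain itself at that maximum length automatically" without saying which element is dropped when it is full. The Redefinitions table repeats the six fields already listed under Queue::Queue.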

@ -0,0 +1,266 @@
:tocdepth: 3
base/utils/site.zeek
====================
.. zeek:namespace:: Site
Definitions describing a site - which networks and DNS zones are "local"
and "neighbors", and servers running particular services.
:Namespace: Site
:Imports: :doc:`base/utils/patterns.zeek </scripts/base/utils/patterns.zeek>`
Summary
~~~~~~~
Runtime Options
###############
============================================================================ ======================================================================
:zeek:id:`Site::local_admins`: :zeek:type:`table` :zeek:attr:`&redef` If local network administrators are known and they have responsibility
for defined address space, then a mapping can be defined here between
networks for which they have responsibility and a set of email
addresses.
:zeek:id:`Site::local_nets`: :zeek:type:`set` :zeek:attr:`&redef` Networks that are considered "local".
:zeek:id:`Site::local_zones`: :zeek:type:`set` :zeek:attr:`&redef` DNS zones that are considered "local".
:zeek:id:`Site::neighbor_nets`: :zeek:type:`set` :zeek:attr:`&redef` Networks that are considered "neighbors".
:zeek:id:`Site::neighbor_zones`: :zeek:type:`set` :zeek:attr:`&redef` DNS zones that are considered "neighbors".
:zeek:id:`Site::private_address_space`: :zeek:type:`set` :zeek:attr:`&redef` A list of subnets that are considered private address space.
============================================================================ ======================================================================
Redefinable Options
###################
====================================================================================== =================================================================
:zeek:id:`Site::private_address_space_is_local`: :zeek:type:`bool` :zeek:attr:`&redef` Whether Zeek should automatically consider private address ranges
"local".
====================================================================================== =================================================================
State Variables
###############
===================================================== =====================================================================
:zeek:id:`Site::local_nets_table`: :zeek:type:`table` This is used for retrieving the subnet when using multiple entries in
:zeek:id:`Site::local_nets`.
===================================================== =====================================================================
Functions
#########
======================================================== =================================================================
:zeek:id:`Site::get_emails`: :zeek:type:`function` Function that returns a comma-separated list of email addresses
that are considered administrators for the IP address provided as
an argument.
:zeek:id:`Site::is_local_addr`: :zeek:type:`function` Function that returns true if an address corresponds to one of
the local networks, false if not.
:zeek:id:`Site::is_local_name`: :zeek:type:`function` Function that returns true if a host name is within a local
DNS zone.
:zeek:id:`Site::is_neighbor_addr`: :zeek:type:`function` Function that returns true if an address corresponds to one of
the neighbor networks, false if not.
:zeek:id:`Site::is_neighbor_name`: :zeek:type:`function` Function that returns true if a host name is within a neighbor
DNS zone.
:zeek:id:`Site::is_private_addr`: :zeek:type:`function` Function that returns true if an address corresponds to one of
the private/unrouted networks, false if not.
======================================================== =================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: Site::local_admins
:source-code: base/utils/site.zeek 146 146
:Type: :zeek:type:`table` [:zeek:type:`subnet`] of :zeek:type:`set` [:zeek:type:`string`]
:Attributes: :zeek:attr:`&redef`
:Default: ``{}``
If local network administrators are known and they have responsibility
for defined address space, then a mapping can be defined here between
networks for which they have responsibility and a set of email
addresses.
.. zeek:id:: Site::local_nets
:source-code: base/utils/site.zeek 124 124
:Type: :zeek:type:`set` [:zeek:type:`subnet`]
:Attributes: :zeek:attr:`&redef`
:Default: ``{}``
Networks that are considered "local". Note that ZeekControl sets
this automatically.
.. zeek:id:: Site::local_zones
:source-code: base/utils/site.zeek 149 149
:Type: :zeek:type:`set` [:zeek:type:`string`]
:Attributes: :zeek:attr:`&redef`
:Default: ``{}``
DNS zones that are considered "local".
.. zeek:id:: Site::neighbor_nets
:source-code: base/utils/site.zeek 140 140
:Type: :zeek:type:`set` [:zeek:type:`subnet`]
:Attributes: :zeek:attr:`&redef`
:Default: ``{}``
Networks that are considered "neighbors".
.. zeek:id:: Site::neighbor_zones
:source-code: base/utils/site.zeek 152 152
:Type: :zeek:type:`set` [:zeek:type:`string`]
:Attributes: :zeek:attr:`&redef`
:Default: ``{}``
DNS zones that are considered "neighbors".
.. zeek:id:: Site::private_address_space
:source-code: base/utils/site.zeek 18 18
:Type: :zeek:type:`set` [:zeek:type:`subnet`]
:Attributes: :zeek:attr:`&redef`
:Default:
::
{
64:ff9b:1::/48,
198.18.0.0/15,
fc00::/7,
100.64.0.0/10,
::/128,
2002:ffff:ffff::/48,
::1/128,
fec0::/10,
2002:cb00:7100::/40,
2002:c633:6400::/40,
240.0.0.0/4,
2002:a00::/24,
100::/64,
255.255.255.255/32,
192.0.0.0/24,
0.0.0.0/8,
239.0.0.0/8,
2001:2::/48,
172.16.0.0/12,
2002:c000:200::/40,
2002:f000::/20,
2002:7f00::/24,
2001::/23,
2002:6440::/26,
2002:c000::/40,
10.0.0.0/8,
127.0.0.0/8,
224.0.0.0/24,
192.0.2.0/24,
192.168.0.0/16,
2002:ac10::/28,
2002:a9fe::/32,
169.254.0.0/16,
2002:c612::/31,
2002::/24,
fe80::/10,
2001:db8::/32,
2002:ef00::/24,
203.0.113.0/24,
2002:e000::/40,
2002:c0a8::/32,
198.51.100.0/24
}
A list of subnets that are considered private address space.
By default, it has address blocks defined by IANA as not being
routable over the Internet. Some address blocks are reserved for
purposes inconsistent with the address architecture (such as
5f00::/16), making them neither clearly private nor routable. We do
not include such blocks in this list.
See the `IPv4 Special-Purpose Address Registry <https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml>`_
and the `IPv6 Special-Purpose Address Registry <https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml>`_
Redefinable Options
###################
.. zeek:id:: Site::private_address_space_is_local
:source-code: base/utils/site.zeek 130 130
:Type: :zeek:type:`bool`
:Attributes: :zeek:attr:`&redef`
:Default: ``T``
Whether Zeek should automatically consider private address ranges
"local". On by default, this setting ensures that the initial value
of :zeek:id:`Site::private_address_space` as well as any later
updates to it get copied over into :zeek:id:`Site::local_nets`.
State Variables
###############
.. zeek:id:: Site::local_nets_table
:source-code: base/utils/site.zeek 137 137
:Type: :zeek:type:`table` [:zeek:type:`subnet`] of :zeek:type:`subnet`
:Default: ``{}``
This is used for retrieving the subnet when using multiple entries in
:zeek:id:`Site::local_nets`. It's populated automatically from there.
A membership query can be done with an
:zeek:type:`addr` and the table will yield the subnet it was found
within.
Functions
#########
.. zeek:id:: Site::get_emails
:source-code: base/utils/site.zeek 257 260
:Type: :zeek:type:`function` (a: :zeek:type:`addr`) : :zeek:type:`string`
Function that returns a comma-separated list of email addresses
that are considered administrators for the IP address provided as
an argument.
The function inspects :zeek:id:`Site::local_admins`.
.. zeek:id:: Site::is_local_addr
:source-code: base/utils/site.zeek 194 197
:Type: :zeek:type:`function` (a: :zeek:type:`addr`) : :zeek:type:`bool`
Function that returns true if an address corresponds to one of
the local networks, false if not.
The function inspects :zeek:id:`Site::local_nets`.
.. zeek:id:: Site::is_local_name
:source-code: base/utils/site.zeek 209 212
:Type: :zeek:type:`function` (name: :zeek:type:`string`) : :zeek:type:`bool`
Function that returns true if a host name is within a local
DNS zone.
The function inspects :zeek:id:`Site::local_zones`.
.. zeek:id:: Site::is_neighbor_addr
:source-code: base/utils/site.zeek 199 202
:Type: :zeek:type:`function` (a: :zeek:type:`addr`) : :zeek:type:`bool`
Function that returns true if an address corresponds to one of
the neighbor networks, false if not.
The function inspects :zeek:id:`Site::neighbor_nets`.
.. zeek:id:: Site::is_neighbor_name
:source-code: base/utils/site.zeek 214 217
:Type: :zeek:type:`function` (name: :zeek:type:`string`) : :zeek:type:`bool`
Function that returns true if a host name is within a neighbor
DNS zone.
The function inspects :zeek:id:`Site::neighbor_zones`.
.. zeek:id:: Site::is_private_addr
:source-code: base/utils/site.zeek 204 207
:Type: :zeek:type:`function` (a: :zeek:type:`addr`) : :zeek:type:`bool`
Function that returns true if an address corresponds to one of
the private/unrouted networks, false if not.
The function inspects :zeek:id:`Site::private_address_space`.
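Review bot: The entries for Site::is_local_addr and Site::local_nets do not mention that, with Site::private_address_space_is_local at its default of ``T``, every block in Site::private_address_space is copied into Site::local_nets. As documented, is_local_addr therefore also returns true for the multicast, broadcast and documentation ranges in that default list (for example 224.0.0.0/24, 255.255.255.255/32 and 192.0.2.0/24), which a reader of the is_local_addr entry alone would not expect. Suggest a cross-reference to Site::private_address_space_is_local in both entries. Separately, the sentence that links the two IANA registries under Site::private_address_space ends without a period.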

View file

@ -0,0 +1,68 @@
:tocdepth: 3
base/utils/strings.zeek
=======================
Functions to assist with small string analysis and manipulation that can
be implemented as Zeek functions and don't need to be implemented as built-in
functions.
Summary
~~~~~~~
Functions
#########
================================================== ==================================================================
:zeek:id:`cut_tail`: :zeek:type:`function` Cut a number of characters from the end of the given string.
:zeek:id:`is_string_binary`: :zeek:type:`function` Returns true if the given string is at least 25% composed of 8-bit
characters.
:zeek:id:`string_escape`: :zeek:type:`function` Given a string, returns an escaped version.
================================================== ==================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. zeek:id:: cut_tail
:source-code: base/utils/strings.zeek 35 40
:Type: :zeek:type:`function` (s: :zeek:type:`string`, tail_len: :zeek:type:`count`) : :zeek:type:`string`
Cut a number of characters from the end of the given string.
:param s: a string to trim.
:param tail_len: the number of characters to remove from the end of the string.
:returns: the given string with *tail_len* characters removed from the end.
.. zeek:id:: is_string_binary
:source-code: base/utils/strings.zeek 7 10
:Type: :zeek:type:`function` (s: :zeek:type:`string`) : :zeek:type:`bool`
Returns true if the given string is at least 25% composed of 8-bit
characters.
.. zeek:id:: string_escape
:source-code: base/utils/strings.zeek 20 26
:Type: :zeek:type:`function` (s: :zeek:type:`string`, chars: :zeek:type:`string`) : :zeek:type:`string`
Given a string, returns an escaped version.
:param s: a string to escape.
:param chars: a string containing all the characters that need to be escaped.
:returns: a string with all occurrences of any character in *chars* escaped
using ``\``, and any literal ``\`` characters likewise escaped.
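Review bot: is_string_binary is the only function in this file documented without ``:param:`` or ``:returns:`` fields, and its description leaves "8-bit characters" undefined. Suggest stating whether that means bytes with the high bit set, and what the function returns for an empty string, since callers use the result to decide how to treat untrusted payload data. The cut_tail entry likewise does not say what is returned when *tail_len* exceeds the length of *s*.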

View file

@ -0,0 +1,118 @@
:tocdepth: 3
base/utils/thresholds.zeek
==========================
.. zeek:namespace:: GLOBAL
Functions for using multiple thresholds with a counting tracker. For
example, you may want to generate a notice when something happens 10 times
and again when it happens 100 times but nothing in between. You can use
the :zeek:id:`check_threshold` function to define your threshold points
and the :zeek:type:`TrackCount` variable where you are keeping track of your
counter.
:Namespace: GLOBAL
Summary
~~~~~~~
Redefinable Options
###################
============================================================================= =========================================================
:zeek:id:`default_notice_thresholds`: :zeek:type:`vector` :zeek:attr:`&redef` The thresholds you would like to use as defaults with the
:zeek:id:`default_check_threshold` function.
============================================================================= =========================================================
Types
#####
============================================ =
:zeek:type:`TrackCount`: :zeek:type:`record`
============================================ =
Functions
#########
========================================================= =====================================================================
:zeek:id:`check_threshold`: :zeek:type:`function` This will check if a :zeek:type:`TrackCount` variable has crossed any
thresholds in a given set.
:zeek:id:`default_check_threshold`: :zeek:type:`function` This will use the :zeek:id:`default_notice_thresholds` variable to
check a :zeek:type:`TrackCount` variable to see if it has crossed
another threshold.
:zeek:id:`new_track_count`: :zeek:type:`function`
========================================================= =====================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Redefinable Options
###################
.. zeek:id:: default_notice_thresholds
:source-code: base/utils/thresholds.zeek 22 22
:Type: :zeek:type:`vector` of :zeek:type:`count`
:Attributes: :zeek:attr:`&redef`
:Default:
::
[30, 100, 1000, 10000, 100000, 1000000, 10000000]
The thresholds you would like to use as defaults with the
:zeek:id:`default_check_threshold` function.
Types
#####
.. zeek:type:: TrackCount
:source-code: base/utils/thresholds.zeek 11 18
:Type: :zeek:type:`record`
.. zeek:field:: n :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
The counter for the number of times something has happened.
.. zeek:field:: index :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
The index of the vector where the counter currently is. This
is used to track which threshold is currently being watched
for.
Functions
#########
.. zeek:id:: check_threshold
:source-code: base/utils/thresholds.zeek 49 57
:Type: :zeek:type:`function` (v: :zeek:type:`vector` of :zeek:type:`count`, tracker: :zeek:type:`TrackCount`) : :zeek:type:`bool`
This will check if a :zeek:type:`TrackCount` variable has crossed any
thresholds in a given set.
:param v: a vector holding counts that represent thresholds.
:param tracker: the record being used to track event counter and currently
monitored threshold value.
:returns: T if a threshold has been crossed, else F.
.. zeek:id:: default_check_threshold
:source-code: base/utils/thresholds.zeek 59 62
:Type: :zeek:type:`function` (tracker: :zeek:type:`TrackCount`) : :zeek:type:`bool`
This will use the :zeek:id:`default_notice_thresholds` variable to
check a :zeek:type:`TrackCount` variable to see if it has crossed
another threshold.
.. zeek:id:: new_track_count
:source-code: base/utils/thresholds.zeek 43 47
:Type: :zeek:type:`function` () : :zeek:type:`TrackCount`
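Review bot: new_track_count has no description in either the summary table or its detailed entry, so the page never says that it is the way to obtain an initialised TrackCount (if that is its purpose). The check_threshold entry should also state whether a call advances the tracker's ``index`` field, because the module overview promises a notice at each threshold "but nothing in between" and that only holds if the record is updated on each crossing. Both TrackCount fields are shown with ``&default`` and ``&optional`` together; if the source really declares both, one of them is redundant.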

View file

@ -0,0 +1,57 @@
:tocdepth: 3
base/utils/time.zeek
====================
Time-related functions.
Summary
~~~~~~~
Constants
#########
===================================== ========================================
:zeek:id:`null_ts`: :zeek:type:`time` Time value representing the 0 timestamp.
===================================== ========================================
Functions
#########
======================================================= ========================================================================
:zeek:id:`duration_to_mins_secs`: :zeek:type:`function` Given an interval, returns a string representing the minutes and seconds
in the interval (for example, "3m34s").
:zeek:id:`get_packet_lag`: :zeek:type:`function` Calculate the packet lag, i.e.
======================================================= ========================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Constants
#########
.. zeek:id:: null_ts
:source-code: base/utils/time.zeek 12 12
:Type: :zeek:type:`time`
:Default: ``0.0``
Time value representing the 0 timestamp.
Functions
#########
.. zeek:id:: duration_to_mins_secs
:source-code: base/utils/time.zeek 5 9
:Type: :zeek:type:`function` (dur: :zeek:type:`interval`) : :zeek:type:`string`
Given an interval, returns a string representing the minutes and seconds
in the interval (for example, "3m34s").
.. zeek:id:: get_packet_lag
:source-code: base/utils/time.zeek 17 28
:Type: :zeek:type:`function` () : :zeek:type:`interval`
Calculate the packet lag, i.e. the difference between wall clock and the
timestamp of the currently processed packet. If Zeek is not processing a
packet, the function returns a 0 interval value.
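Review bot: The summary-table row for get_packet_lag is cut off at "Calculate the packet lag, i.e.", apparently because the summary takes the description up to its first period and that period falls inside the abbreviation. Rewording the comment in base/utils/time.zeek so the first sentence has no internal period (for example "that is" in place of "i.e.") would give the table a complete sentence. The detailed entry could also name the unit of the returned interval's reference clock more precisely, since "wall clock" versus packet timestamp matters when reading traces offline.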

View file

@ -0,0 +1,129 @@
:tocdepth: 3
base/utils/urls.zeek
====================
Functions for URL handling.
Summary
~~~~~~~
Redefinable Options
###################
============================================================== ======================================================
:zeek:id:`url_regex`: :zeek:type:`pattern` :zeek:attr:`&redef` A regular expression for matching and extracting URLs.
============================================================== ======================================================
Types
#####
===================================== =============================================
:zeek:type:`URI`: :zeek:type:`record` A URI, as parsed by :zeek:id:`decompose_uri`.
===================================== =============================================
Functions
#########
============================================================== ==================================================
:zeek:id:`decompose_uri`: :zeek:type:`function`
:zeek:id:`find_all_urls`: :zeek:type:`function` Extracts URLs discovered in arbitrary text.
:zeek:id:`find_all_urls_without_scheme`: :zeek:type:`function` Extracts URLs discovered in arbitrary text without
the URL scheme included.
============================================================== ==================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Redefinable Options
###################
.. zeek:id:: url_regex
:source-code: base/utils/urls.zeek 7 7
:Type: :zeek:type:`pattern`
:Attributes: :zeek:attr:`&redef`
:Default:
::
/^?(^([a-zA-Z\-]{3,5}):\/\/(-\.)?([^[:blank:]\/?\.#-]+\.?)+(\/[^[:blank:]]*)?)$?/
A regular expression for matching and extracting URLs.
This is the @imme_emosol regex from https://mathiasbynens.be/demo/url-regex, adapted for Zeek. It's
not perfect for all of their test cases, but it's one of the shorter ones that covers most of the
test cases.
Types
#####
.. zeek:type:: URI
:source-code: base/utils/urls.zeek 10 29
:Type: :zeek:type:`record`
.. zeek:field:: scheme :zeek:type:`string` :zeek:attr:`&optional`
The URL's scheme..
.. zeek:field:: netlocation :zeek:type:`string`
The location, which could be a domain name or an IP address. Left empty if not
specified.
.. zeek:field:: portnum :zeek:type:`count` :zeek:attr:`&optional`
Port number, if included in URI.
.. zeek:field:: path :zeek:type:`string`
Full including the file name. Will be '/' if there's not path given.
.. zeek:field:: file_name :zeek:type:`string` :zeek:attr:`&optional`
Full file name, including extension, if there is a file name.
.. zeek:field:: file_base :zeek:type:`string` :zeek:attr:`&optional`
The base filename, without extension, if there is a file name.
.. zeek:field:: file_ext :zeek:type:`string` :zeek:attr:`&optional`
The filename's extension, if there is a file name.
.. zeek:field:: params :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`string` :zeek:attr:`&optional`
A table of all query parameters, mapping their keys to values, if there's a
query.
A URI, as parsed by :zeek:id:`decompose_uri`.
Functions
#########
.. zeek:id:: decompose_uri
:source-code: base/utils/urls.zeek 52 135
:Type: :zeek:type:`function` (uri: :zeek:type:`string`) : :zeek:type:`URI`
.. zeek:id:: find_all_urls
:source-code: base/utils/urls.zeek 32 35
:Type: :zeek:type:`function` (s: :zeek:type:`string`) : :zeek:type:`string_set`
Extracts URLs discovered in arbitrary text.
.. zeek:id:: find_all_urls_without_scheme
:source-code: base/utils/urls.zeek 39 50
:Type: :zeek:type:`function` (s: :zeek:type:`string`) : :zeek:type:`string_set`
Extracts URLs discovered in arbitrary text without
the URL scheme included.
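Review bot: decompose_uri is listed with a type signature only, in both the summary table and the detailed entry, even though the URI record points readers to it. Suggest a description that says what input forms it accepts and which ``&optional`` fields are left unset when a component is missing, since scripts that read ``portnum`` or ``params`` without checking will otherwise fail at runtime. In the URI fields, "The URL's scheme.." has a doubled period, and the ``path`` text should read "Full path including the file name. Will be '/' if there's no path given."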