Copy docs into Zeek repo directly

This is based on commit 2731def9159247e6da8a3191783c89683363689c from the zeek-docs repo.
2025-10-17 14:08:20 +00:00 · 2025-09-15 15:52:18 -07:00 · 2025-09-15 15:52:18 -07:00 · ded98cd373
commit ded98cd373
parent 83f1e74643
1074 changed files with 169319 additions and 0 deletions
--- a/doc/scripts/policy/frameworks/software/version-changes.zeek.rst
+++ b/doc/scripts/policy/frameworks/software/version-changes.zeek.rst
@ -0,0 +1,49 @@
+:tocdepth: 3
+
+policy/frameworks/software/version-changes.zeek
+===============================================
+.. zeek:namespace:: Software
+
+Provides the possibility to define software names that are interesting to
+watch for changes.  A notice is generated if software versions change on a
+host.
+
+:Namespace: Software
+:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/frameworks/software </scripts/base/frameworks/software/index>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+====================================================================================== ====================================================================
+:zeek:id:`Software::interesting_version_changes`: :zeek:type:`set` :zeek:attr:`&redef` Some software is more interesting when the version changes and this
+                                                                                       is a set of all software that should raise a notice when a different
+                                                                                       version is seen on a host.
+====================================================================================== ====================================================================
+
+Redefinitions
+#############
+============================================ ======================================================
+:zeek:type:`Notice::Type`: :zeek:type:`enum` 
+                                             
+                                             * :zeek:enum:`Software::Software_Version_Change`:
+                                               For certain software, a version changing may matter.
+============================================ ======================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: Software::interesting_version_changes
+   :source-code: policy/frameworks/software/version-changes.zeek 22 22
+
+   :Type: :zeek:type:`set` [:zeek:type:`string`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   Some software is more interesting when the version changes and this
+   is a set of all software that should raise a notice when a different
+   version is seen on a host.
+
+
--- a/doc/scripts/policy/frameworks/software/vulnerable.zeek.rst
+++ b/doc/scripts/policy/frameworks/software/vulnerable.zeek.rst
@ -0,0 +1,111 @@
+:tocdepth: 3
+
+policy/frameworks/software/vulnerable.zeek
+==========================================
+.. zeek:namespace:: Software
+
+Provides a variable to define vulnerable versions of software and if
+a version of that software is as old or older than the defined version a
+notice will be generated.
+
+:Namespace: Software
+:Imports: :doc:`base/frameworks/control </scripts/base/frameworks/control/index>`, :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/frameworks/software </scripts/base/frameworks/software/index>`
+
+Summary
+~~~~~~~
+Runtime Options
+###############
+=================================================================================================== =============================================================
+:zeek:id:`Software::vulnerable_versions_update_endpoint`: :zeek:type:`string` :zeek:attr:`&redef`   The DNS zone where runtime vulnerable software updates will
+                                                                                                    be loaded from.
+:zeek:id:`Software::vulnerable_versions_update_interval`: :zeek:type:`interval` :zeek:attr:`&redef` The interval at which vulnerable versions should grab updates
+                                                                                                    over DNS.
+=================================================================================================== =============================================================
+
+Redefinable Options
+###################
+================================================================================ ===============================================================
+:zeek:id:`Software::vulnerable_versions`: :zeek:type:`table` :zeek:attr:`&redef` This is a table of software versions indexed by the name of the
+                                                                                 software and a set of version ranges that are declared to be
+                                                                                 vulnerable for that software.
+================================================================================ ===============================================================
+
+Types
+#####
+================================================================== =
+:zeek:type:`Software::VulnerableVersionRange`: :zeek:type:`record` 
+================================================================== =
+
+Redefinitions
+#############
+============================================ ===============================================================
+:zeek:type:`Notice::Type`: :zeek:type:`enum` 
+                                             
+                                             * :zeek:enum:`Software::Vulnerable_Version`:
+                                               Indicates that a vulnerable version of software was detected.
+============================================ ===============================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Runtime Options
+###############
+.. zeek:id:: Software::vulnerable_versions_update_endpoint
+   :source-code: policy/frameworks/software/vulnerable.zeek 32 32
+
+   :Type: :zeek:type:`string`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``""``
+
+   The DNS zone where runtime vulnerable software updates will
+   be loaded from.
+
+.. zeek:id:: Software::vulnerable_versions_update_interval
+   :source-code: policy/frameworks/software/vulnerable.zeek 36 36
+
+   :Type: :zeek:type:`interval`
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``1.0 hr``
+
+   The interval at which vulnerable versions should grab updates
+   over DNS.
+
+Redefinable Options
+###################
+.. zeek:id:: Software::vulnerable_versions
+   :source-code: policy/frameworks/software/vulnerable.zeek 41 41
+
+   :Type: :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`set` [:zeek:type:`Software::VulnerableVersionRange`]
+   :Attributes: :zeek:attr:`&redef`
+   :Default: ``{}``
+
+   This is a table of software versions indexed by the name of the
+   software and a set of version ranges that are declared to be
+   vulnerable for that software.
+
+Types
+#####
+.. zeek:type:: Software::VulnerableVersionRange
+   :source-code: policy/frameworks/software/vulnerable.zeek 17 28
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: min :zeek:type:`Software::Version` :zeek:attr:`&optional`
+
+      The minimal version of a vulnerable version range.  This
+      field can be undefined if all previous versions of a piece
+      of software are vulnerable.
+
+
+   .. zeek:field:: max :zeek:type:`Software::Version`
+
+      The maximum vulnerable version.  This field is deliberately
+      not optional because a maximum vulnerable version must
+      always be defined.  This assumption may become incorrect
+      if all future versions of some software are to be considered
+      vulnerable. :)
+
+
+
+
--- a/doc/scripts/policy/frameworks/software/windows-version-detection.zeek.rst
+++ b/doc/scripts/policy/frameworks/software/windows-version-detection.zeek.rst
@ -0,0 +1,98 @@
+:tocdepth: 3
+
+policy/frameworks/software/windows-version-detection.zeek
+=========================================================
+.. zeek:namespace:: OS
+
+Windows systems access a Microsoft Certificate Revocation List (CRL) periodically. The
+user agent for these requests reveals which version of Crypt32.dll installed on the system,
+which can uniquely identify the version of Windows that's running.
+
+This script will log the version of Windows that was identified to the Software framework.
+
+:Namespace: OS
+:Imports: :doc:`base/frameworks/software </scripts/base/frameworks/software/index>`, :doc:`base/protocols/http </scripts/base/protocols/http/index>`
+
+Summary
+~~~~~~~
+Redefinable Options
+###################
+========================================================================= =
+:zeek:id:`OS::crypto_api_mapping`: :zeek:type:`table` :zeek:attr:`&redef` 
+========================================================================= =
+
+Types
+#####
+============================================================ =
+:zeek:type:`Software::name_and_version`: :zeek:type:`record` 
+============================================================ =
+
+Redefinitions
+#############
+============================================== ==================================================
+:zeek:type:`Software::Type`: :zeek:type:`enum` 
+                                               
+                                               * :zeek:enum:`OS::WINDOWS`:
+                                                 Identifier for Windows operating system versions
+============================================== ==================================================
+
+
+Detailed Interface
+~~~~~~~~~~~~~~~~~~
+Redefinable Options
+###################
+.. zeek:id:: OS::crypto_api_mapping
+   :source-code: policy/frameworks/software/windows-version-detection.zeek 23 23
+
+   :Type: :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`Software::name_and_version`
+   :Attributes: :zeek:attr:`&redef`
+   :Default:
+
+      ::
+
+         {
+            ["Microsoft-CryptoAPI/5.131.3790.1830"] = [name="Windows", version=[major=5, minor=131, minor2=3790, minor3=1830, addl="XP x64 or Server 2003 SP1"]],
+            ["Microsoft-CryptoAPI/5.131.2600.3249"] = [name="Windows", version=[major=5, minor=131, minor2=2600, minor3=3249, addl="XP SP3 RC Beta"]],
+            ["Microsoft-CryptoAPI/5.131.2600.5508"] = [name="Windows", version=[major=5, minor=131, minor2=2600, minor3=5508, addl="XP SP3 RC2 Update 2"]],
+            ["Microsoft-CryptoAPI/5.131.2600.3180"] = [name="Windows", version=[major=5, minor=131, minor2=2600, minor3=3180, addl="XP SP3 Beta 1"]],
+            ["Microsoft-CryptoAPI/5.131.2600.3264"] = [name="Windows", version=[major=5, minor=131, minor2=2600, minor3=3264, addl="XP SP3 RC1"]],
+            ["Microsoft-CryptoAPI/6.2"] = [name="Windows", version=[major=6, minor=2, minor2=<uninitialized>, minor3=<uninitialized>, addl="8 or Server 2012"]],
+            ["Microsoft-CryptoAPI/5.131.2600.3282"] = [name="Windows", version=[major=5, minor=131, minor2=2600, minor3=3282, addl="XP SP3 RC1 Update"]],
+            ["Microsoft-CryptoAPI/5.131.3790.5235"] = [name="Windows", version=[major=5, minor=131, minor2=3790, minor3=5235, addl="XP x64 or Server 2003 with MS13-095"]],
+            ["Microsoft-CryptoAPI/6.4"] = [name="Windows", version=[major=6, minor=4, minor2=<uninitialized>, minor3=<uninitialized>, addl="10 Technical Preview"]],
+            ["Microsoft-CryptoAPI/5.131.2600.0"] = [name="Windows", version=[major=5, minor=131, minor2=2600, minor3=0, addl="XP SP0"]],
+            ["Microsoft-CryptoAPI/5.131.2600.5512"] = [name="Windows", version=[major=5, minor=131, minor2=2600, minor3=5512, addl="XP SP3"]],
+            ["Microsoft-CryptoAPI/5.131.2195.6661"] = [name="Windows", version=[major=5, minor=131, minor2=2195, minor3=6661, addl="2000 SP4"]],
+            ["Microsoft-CryptoAPI/5.131.2195.6926"] = [name="Windows", version=[major=5, minor=131, minor2=2195, minor3=6926, addl="2000 with Hotfix 98830"]],
+            ["Microsoft-CryptoAPI/6.0"] = [name="Windows", version=[major=6, minor=0, minor2=<uninitialized>, minor3=<uninitialized>, addl="Vista or Server 2008"]],
+            ["Microsoft-CryptoAPI/5.131.3790.0"] = [name="Windows", version=[major=5, minor=131, minor2=3790, minor3=0, addl="XP x64 or Server 2003 SP0"]],
+            ["Microsoft-CryptoAPI/6.3"] = [name="Windows", version=[major=6, minor=3, minor2=<uninitialized>, minor3=<uninitialized>, addl="8.1 or Server 2012 R2"]],
+            ["Microsoft-CryptoAPI/5.131.2600.3205"] = [name="Windows", version=[major=5, minor=131, minor2=2600, minor3=3205, addl="XP SP3 Beta 2"]],
+            ["Microsoft-CryptoAPI/5.131.2600.1106"] = [name="Windows", version=[major=5, minor=131, minor2=2600, minor3=1106, addl="XP SP1"]],
+            ["Microsoft-CryptoAPI/5.131.2600.2180"] = [name="Windows", version=[major=5, minor=131, minor2=2600, minor3=2180, addl="XP SP2"]],
+            ["Microsoft-CryptoAPI/5.131.2195.6824"] = [name="Windows", version=[major=5, minor=131, minor2=2195, minor3=6824, addl="2000 with MS04-11"]],
+            ["Microsoft-CryptoAPI/5.131.2600.3300"] = [name="Windows", version=[major=5, minor=131, minor2=2600, minor3=3300, addl="XP SP3 RC2"]],
+            ["Microsoft-CryptoAPI/6.1"] = [name="Windows", version=[major=6, minor=1, minor2=<uninitialized>, minor3=<uninitialized>, addl="7 or Server 2008 R2"]],
+            ["Microsoft-CryptoAPI/10.0"] = [name="Windows", version=[major=10, minor=0, minor2=<uninitialized>, minor3=<uninitialized>, addl=<uninitialized>]],
+            ["Microsoft-CryptoAPI/5.131.2600.3311"] = [name="Windows", version=[major=5, minor=131, minor2=2600, minor3=3311, addl="XP SP3 RC2 Update"]],
+            ["Microsoft-CryptoAPI/5.131.3790.3959"] = [name="Windows", version=[major=5, minor=131, minor2=3790, minor3=3959, addl="XP x64 or Server 2003 SP2"]]
+         }
+
+
+
+Types
+#####
+.. zeek:type:: Software::name_and_version
+   :source-code: policy/frameworks/software/windows-version-detection.zeek 18 21
+
+   :Type: :zeek:type:`record`
+
+
+   .. zeek:field:: name :zeek:type:`string`
+
+
+   .. zeek:field:: version :zeek:type:`Software::Version`
+
+
+
+