Copy docs into Zeek repo directly

This is based on commit 2731def9159247e6da8a3191783c89683363689c from the
zeek-docs repo.
Tim Wojtulewicz 2025-09-15 15:52:18 -07:00
parent 83f1e74643
commit ded98cd373
1074 changed files with 169319 additions and 0 deletions


@ -0,0 +1,52 @@
:tocdepth: 3
policy/protocols/conn/community-id-logging.zeek
===============================================
.. zeek:namespace:: CommunityID
Adds community hash IDs to conn.log.
:Namespace: CommunityID
:Imports: :doc:`base/protocols/conn </scripts/base/protocols/conn/index>`
Summary
~~~~~~~
Runtime Options
###############
======================================================================== =
:zeek:id:`CommunityID::do_base64`: :zeek:type:`bool` :zeek:attr:`&redef`
:zeek:id:`CommunityID::seed`: :zeek:type:`count` :zeek:attr:`&redef`
======================================================================== =
Redefinitions
#############
============================================ ============================================================================
:zeek:type:`Conn::Info`: :zeek:type:`record`
:New Fields: :zeek:type:`Conn::Info`
community_id: :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
============================================ ============================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: CommunityID::do_base64
:source-code: policy/protocols/conn/community-id-logging.zeek 12 12
:Type: :zeek:type:`bool`
:Attributes: :zeek:attr:`&redef`
:Default: ``T``
.. zeek:id:: CommunityID::seed
:source-code: policy/protocols/conn/community-id-logging.zeek 8 8
:Type: :zeek:type:`count`
:Attributes: :zeek:attr:`&redef`
:Default: ``0``
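Review bot: `CommunityID::do_base64` and `CommunityID::seed` have no description anywhere on this page: the second column of the Runtime Options summary table is empty and the Detailed Interface entries stop at `:Default:`. Since these pages are generated from `##` doc comments, the fix belongs in `policy/protocols/conn/community-id-logging.zeek`: one sentence each stating what `seed` feeds into (and that sensors whose IDs need to be comparable must agree on it) and what `do_base64` changes about the `community_id` string written to conn.log. As it stands a reader cannot tell from the page what either option does.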


@ -0,0 +1,22 @@
:tocdepth: 3
policy/protocols/conn/disable-unknown-ip-proto-support.zeek
===========================================================
This script filters the ip_proto field out of the conn.log and disables
logging of connections with unknown IP protocols.
:Imports: :doc:`base/frameworks/analyzer/main.zeek </scripts/base/frameworks/analyzer/main.zeek>`, :doc:`base/protocols/conn </scripts/base/protocols/conn/index>`
Summary
~~~~~~~
Redefinitions
#############
============================================ =
:zeek:type:`Conn::Info`: :zeek:type:`record`
============================================ =
Detailed Interface
~~~~~~~~~~~~~~~~~~
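Review bot: the `Conn::Info` entry in the Redefinitions table has an empty description column and lists no fields, while the summary says the script filters `ip_proto` out of conn.log and disables logging of connections with unknown IP protocols; a reader cannot see from the table how either is done. A `##` comment on the redef in the script would populate the column. The summary should also say that this script should not be loaded together with `policy/protocols/conn/ip-proto-name-logging.zeek`: that file's docs in this same commit warn against the combination, and the warning is currently one-sided.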


@ -0,0 +1,32 @@
:tocdepth: 3
policy/protocols/conn/failed-service-logging.zeek
=================================================
.. zeek:namespace:: Conn
This script adds the new column ``failed_service`` to the connection log.
The column contains the list of protocols in a connection that raised protocol
violations causing the analyzer to be removed. Protocols are listed in order
that they were removed.
:Namespace: Conn
:Imports: :doc:`base/frameworks/analyzer/dpd.zeek </scripts/base/frameworks/analyzer/dpd.zeek>`, :doc:`base/protocols/conn </scripts/base/protocols/conn/index>`
Summary
~~~~~~~
Redefinitions
#############
============================================ =======================================================================================================================
:zeek:type:`Conn::Info`: :zeek:type:`record`
:New Fields: :zeek:type:`Conn::Info`
failed_service: :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&log` :zeek:attr:`&optional` :zeek:attr:`&ordered`
List of analyzers in a connection that raised violations
causing their removal.
============================================ =======================================================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
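Review bot: the two descriptions of `failed_service` disagree on terminology: the summary paragraph says the column holds "the list of protocols" while the field description in the table says "List of analyzers"; pick one, since an analyzer name and a protocol name are not always the same string. "Protocols are listed in order that they were removed" also reads better as "listed in the order in which they were removed", which is the property the `&ordered` attribute on the set provides.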


@ -0,0 +1,30 @@
:tocdepth: 3
policy/protocols/conn/ip-proto-name-logging.zeek
================================================
.. zeek:namespace:: Conn
This script adds a string version of the ip_proto field. It's not recommended
to load this policy and the ip_proto removal policy at the same time, as
conn.log will end up with useless information in the log from this field.
:Namespace: Conn
:Imports: :doc:`base/protocols/conn </scripts/base/protocols/conn/index>`
Summary
~~~~~~~
Redefinitions
#############
============================================ =============================================================================
:zeek:type:`Conn::Info`: :zeek:type:`record`
:New Fields: :zeek:type:`Conn::Info`
ip_proto_name: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
A string version of the ip_proto field
============================================ =============================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
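Review bot: "the ip_proto removal policy" in the summary is never named; cite `policy/protocols/conn/disable-unknown-ip-proto-support.zeek` with a :doc: link so readers can find the script this one conflicts with. It would also help to say what "useless information" means in practice (what value `ip_proto_name` ends up holding when the `ip_proto` field has been filtered out), since that is the symptom an operator will actually see.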


@ -0,0 +1,214 @@
:tocdepth: 3
policy/protocols/conn/known-hosts.zeek
======================================
.. zeek:namespace:: Known
This script logs hosts that Zeek determines have performed complete TCP
handshakes and logs the address once per day (by default). The log that
is output provides an easy way to determine a count of the IP addresses in
use on a network per day.
:Namespace: Known
:Imports: :doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`, :doc:`base/utils/directions-and-hosts.zeek </scripts/base/utils/directions-and-hosts.zeek>`
Summary
~~~~~~~
Runtime Options
###############
=============================================================================== =======================================================
:zeek:id:`Known::host_store_timeout`: :zeek:type:`interval` :zeek:attr:`&redef` The timeout interval to use for operations against
:zeek:see:`Known::host_store`.
:zeek:id:`Known::host_tracking`: :zeek:type:`Host` :zeek:attr:`&redef` The hosts whose existence should be logged and tracked.
=============================================================================== =======================================================
Redefinable Options
###################
============================================================================== ====================================================================
:zeek:id:`Known::host_store_expiry`: :zeek:type:`interval` :zeek:attr:`&redef` The expiry interval of new entries in :zeek:see:`Known::host_store`.
:zeek:id:`Known::host_store_name`: :zeek:type:`string` :zeek:attr:`&redef` The Broker topic name to use for :zeek:see:`Known::host_store`.
:zeek:id:`Known::use_host_store`: :zeek:type:`bool` :zeek:attr:`&redef` Toggles between different implementations of this script.
============================================================================== ====================================================================
State Variables
###############
======================================================================================================= ================================================================
:zeek:id:`Known::host_store`: :zeek:type:`Cluster::StoreInfo` Holds the set of all known hosts.
:zeek:id:`Known::hosts`: :zeek:type:`set` :zeek:attr:`&create_expire` = ``1.0 day`` :zeek:attr:`&redef` The set of all known addresses to store for preventing duplicate
logging of addresses.
======================================================================================================= ================================================================
Types
#####
================================================== ========================================================================
:zeek:type:`Known::HostsInfo`: :zeek:type:`record` The record type which contains the column fields of the known-hosts log.
================================================== ========================================================================
Redefinitions
#############
======================================= ==========================================
:zeek:type:`Log::ID`: :zeek:type:`enum` The known-hosts logging stream identifier.
* :zeek:enum:`Known::HOSTS_LOG`
======================================= ==========================================
Events
######
===================================================== ========================================================================
:zeek:id:`Known::log_known_hosts`: :zeek:type:`event` An event that can be handled to access the :zeek:type:`Known::HostsInfo`
record as it is sent on to the logging framework.
===================================================== ========================================================================
Hooks
#####
================================================================ =============================================
:zeek:id:`Known::log_policy_hosts`: :zeek:type:`Log::PolicyHook` A default logging policy hook for the stream.
================================================================ =============================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: Known::host_store_timeout
:source-code: policy/protocols/conn/known-hosts.zeek 50 50
:Type: :zeek:type:`interval`
:Attributes: :zeek:attr:`&redef`
:Default: ``15.0 secs``
The timeout interval to use for operations against
:zeek:see:`Known::host_store`.
.. zeek:id:: Known::host_tracking
:source-code: policy/protocols/conn/known-hosts.zeek 35 35
:Type: :zeek:type:`Host`
:Attributes: :zeek:attr:`&redef`
:Default: ``LOCAL_HOSTS``
:Redefinition: from :doc:`/scripts/policy/tuning/track-all-assets.zeek`
``=``::
ALL_HOSTS
The hosts whose existence should be logged and tracked.
See :zeek:type:`Host` for possible choices.
Redefinable Options
###################
.. zeek:id:: Known::host_store_expiry
:source-code: policy/protocols/conn/known-hosts.zeek 46 46
:Type: :zeek:type:`interval`
:Attributes: :zeek:attr:`&redef`
:Default: ``1.0 day``
The expiry interval of new entries in :zeek:see:`Known::host_store`.
This also changes the interval at which hosts get logged.
.. zeek:id:: Known::host_store_name
:source-code: policy/protocols/conn/known-hosts.zeek 42 42
:Type: :zeek:type:`string`
:Attributes: :zeek:attr:`&redef`
:Default: ``"zeek/known/hosts"``
The Broker topic name to use for :zeek:see:`Known::host_store`.
.. zeek:id:: Known::use_host_store
:source-code: policy/protocols/conn/known-hosts.zeek 31 31
:Type: :zeek:type:`bool`
:Attributes: :zeek:attr:`&redef`
:Default: ``F``
Toggles between different implementations of this script.
When true, use a Broker data store, else use a regular Zeek set
with keys uniformly distributed over proxy nodes in cluster
operation.
State Variables
###############
.. zeek:id:: Known::host_store
:source-code: policy/protocols/conn/known-hosts.zeek 39 39
:Type: :zeek:type:`Cluster::StoreInfo`
:Default:
::
{
name=<uninitialized>
store=<uninitialized>
master_node=""
master=F
backend=Broker::MEMORY
options=[sqlite=[path="", synchronous=<uninitialized>, journal_mode=<uninitialized>, failure_mode=Broker::SQLITE_FAILURE_MODE_FAIL, integrity_check=F]]
clone_resync_interval=10.0 secs
clone_stale_interval=5.0 mins
clone_mutation_buffer_interval=2.0 mins
}
Holds the set of all known hosts. Keys in the store are addresses
and their associated value will always be the "true" boolean.
.. zeek:id:: Known::hosts
:source-code: policy/protocols/conn/known-hosts.zeek 60 60
:Type: :zeek:type:`set` [:zeek:type:`addr`]
:Attributes: :zeek:attr:`&create_expire` = ``1.0 day`` :zeek:attr:`&redef`
:Default: ``{}``
The set of all known addresses to store for preventing duplicate
logging of addresses. It can also be used from other scripts to
inspect if an address has been seen in use.
Maintain the list of known hosts for 24 hours so that the existence
of each individual address is logged each day.
In cluster operation, this set is distributed uniformly across
proxy nodes.
Types
#####
.. zeek:type:: Known::HostsInfo
:source-code: policy/protocols/conn/known-hosts.zeek 19 25
:Type: :zeek:type:`record`
.. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
The timestamp at which the host was detected.
.. zeek:field:: host :zeek:type:`addr` :zeek:attr:`&log`
The address that was detected originating or responding to a
TCP connection.
The record type which contains the column fields of the known-hosts log.
Events
######
.. zeek:id:: Known::log_known_hosts
:source-code: policy/protocols/conn/known-hosts.zeek 64 64
:Type: :zeek:type:`event` (rec: :zeek:type:`Known::HostsInfo`)
An event that can be handled to access the :zeek:type:`Known::HostsInfo`
record as it is sent on to the logging framework.
Hooks
#####
.. zeek:id:: Known::log_policy_hosts
:source-code: policy/protocols/conn/known-hosts.zeek 16 16
:Type: :zeek:type:`Log::PolicyHook`
A default logging policy hook for the stream.
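Review bot: the expiry behaviour is split across two implementations and neither entry says which mode it applies to. `Known::host_store_expiry` ("also changes the interval at which hosts get logged") governs entries in `Known::host_store`, which is only used when `Known::use_host_store` is T; in the default configuration (`use_host_store` = F) the logging interval comes from the `&create_expire = 1.0 day` attribute on the `Known::hosts` set, not from `host_store_expiry`. An operator who redefs `host_store_expiry` under the default setup will see no change, so both doc comments should name the mode they apply to. The `:Default:` dump for `Known::host_store` (`name=<uninitialized>`, `store=<uninitialized>`) is generator output rather than documentation and is better suppressed.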


@ -0,0 +1,349 @@
:tocdepth: 3
policy/protocols/conn/known-services.zeek
=========================================
.. zeek:namespace:: Known
This script logs and tracks active services. For this script, an active
service is defined as an IP address and port of a server for which
a TCP handshake (SYN+ACK) is observed, assumed to have been done in the
past (started seeing packets mid-connection, but the server is actively
sending data), or sent at least one UDP packet.
If a protocol name is found/known for service, that will be logged,
but services whose names can't be determined are also still logged.
:Namespace: Known
:Imports: :doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`, :doc:`base/frameworks/storage/async.zeek </scripts/base/frameworks/storage/async.zeek>`, :doc:`base/frameworks/storage/sync.zeek </scripts/base/frameworks/storage/sync.zeek>`, :doc:`base/utils/directions-and-hosts.zeek </scripts/base/utils/directions-and-hosts.zeek>`, :doc:`policy/frameworks/storage/backend/sqlite </scripts/policy/frameworks/storage/backend/sqlite/index>`
Summary
~~~~~~~
Runtime Options
###############
====================================================================================== ========================================================================
:zeek:id:`Known::service_store_timeout`: :zeek:type:`interval` :zeek:attr:`&redef` The timeout interval to use for operations against
:zeek:see:`Known::service_broker_store` and
:zeek:see:`Known::service_store_backend`.
:zeek:id:`Known::service_tracking`: :zeek:type:`Host` :zeek:attr:`&redef` The hosts whose services should be tracked and logged.
:zeek:id:`Known::service_udp_requires_response`: :zeek:type:`bool` :zeek:attr:`&redef` Require UDP server to respond before considering it an "active service".
====================================================================================== ========================================================================
Redefinable Options
###################
========================================================================================================= =============================================================================
:zeek:id:`Known::service_store_backend_options`: :zeek:type:`Storage::BackendOptions` :zeek:attr:`&redef` The options for the service store.
:zeek:id:`Known::service_store_backend_type`: :zeek:type:`Storage::Backend` :zeek:attr:`&redef` The type of storage backend to open.
:zeek:id:`Known::service_store_expiry`: :zeek:type:`interval` :zeek:attr:`&redef` The expiry interval of new entries in :zeek:see:`Known::service_broker_store`
and :zeek:see:`Known::service_store_backend`.
:zeek:id:`Known::service_store_name`: :zeek:type:`string` :zeek:attr:`&redef` The Broker topic name to use for :zeek:see:`Known::service_broker_store`.
:zeek:id:`Known::service_store_prefix`: :zeek:type:`string` :zeek:attr:`&redef` The name to use for :zeek:see:`Known::service_store_backend`.
:zeek:id:`Known::use_service_store`: :zeek:type:`bool` :zeek:attr:`&redef` Toggles between different implementations of this script.
:zeek:id:`Known::use_storage_framework`: :zeek:type:`bool` :zeek:attr:`&redef` Switches to the version of this script that uses the storage
framework instead of Broker stores.
========================================================================================================= =============================================================================
State Variables
###############
======================================================================================== ========================================================================
:zeek:id:`Known::service_broker_store`: :zeek:type:`Cluster::StoreInfo` Storage configuration for Broker stores
Holds the set of all known services.
:zeek:id:`Known::service_store_backend`: :zeek:type:`opaque` Storage configuration for storage framework stores
This requires setting a configuration in local.zeek that sets the
Known::use_storage_framework boolean to T, and optionally sets different
values in the Known::service_store_backend_options record.
:zeek:id:`Known::services`: :zeek:type:`table` :zeek:attr:`&create_expire` = ``1.0 day`` Tracks the set of daily-detected services for preventing the logging
of duplicates, but can also be inspected by other scripts for
different purposes.
======================================================================================== ========================================================================
Types
#####
============================================================ ======================================================================
:zeek:type:`Known::AddrPortServTriplet`: :zeek:type:`record`
:zeek:type:`Known::ServicesInfo`: :zeek:type:`record` The record type which contains the column fields of the known-services
log.
============================================================ ======================================================================
Redefinitions
#############
============================================ =============================================================================================
:zeek:type:`Log::ID`: :zeek:type:`enum` The known-services logging stream identifier.
* :zeek:enum:`Known::SERVICES_LOG`
:zeek:type:`connection`: :zeek:type:`record`
:New Fields: :zeek:type:`connection`
known_services_done: :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
============================================ =============================================================================================
Events
######
======================================================== ========================================================================
:zeek:id:`Known::log_known_services`: :zeek:type:`event` Event that can be handled to access the :zeek:type:`Known::ServicesInfo`
record as it is sent on to the logging framework.
======================================================== ========================================================================
Hooks
#####
=================================================================== =============================================
:zeek:id:`Known::log_policy_services`: :zeek:type:`Log::PolicyHook` A default logging policy hook for the stream.
=================================================================== =============================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: Known::service_store_timeout
:source-code: policy/protocols/conn/known-services.zeek 104 104
:Type: :zeek:type:`interval`
:Attributes: :zeek:attr:`&redef`
:Default: ``15.0 secs``
The timeout interval to use for operations against
:zeek:see:`Known::service_broker_store` and
:zeek:see:`Known::service_store_backend`.
.. zeek:id:: Known::service_tracking
:source-code: policy/protocols/conn/known-services.zeek 56 56
:Type: :zeek:type:`Host`
:Attributes: :zeek:attr:`&redef`
:Default: ``LOCAL_HOSTS``
:Redefinition: from :doc:`/scripts/policy/tuning/track-all-assets.zeek`
``=``::
ALL_HOSTS
The hosts whose services should be tracked and logged.
See :zeek:type:`Host` for possible choices.
.. zeek:id:: Known::service_udp_requires_response
:source-code: policy/protocols/conn/known-services.zeek 52 52
:Type: :zeek:type:`bool`
:Attributes: :zeek:attr:`&redef`
:Default: ``T``
Require UDP server to respond before considering it an "active service".
Redefinable Options
###################
.. zeek:id:: Known::service_store_backend_options
:source-code: policy/protocols/conn/known-services.zeek 93 93
:Type: :zeek:type:`Storage::BackendOptions`
:Attributes: :zeek:attr:`&redef`
:Default:
::
{
serializer=Storage::STORAGE_SERIALIZER_JSON
forced_sync=F
redis=<uninitialized>
sqlite=[database_path=":memory:", table_name="zeek/known/services", busy_timeout=5.0 secs, pragma_commands={
["integrity_check"] = "",
["journal_mode"] = "WAL",
["synchronous"] = "normal",
["temp_store"] = "memory"
}, pragma_timeout=500.0 msecs, pragma_wait_on_busy=5.0 msecs]
}
The options for the service store. This should be redef'd in local.zeek to set
connection information for the backend. The options default to a memory store.
.. zeek:id:: Known::service_store_backend_type
:source-code: policy/protocols/conn/known-services.zeek 89 89
:Type: :zeek:type:`Storage::Backend`
:Attributes: :zeek:attr:`&redef`
:Default: ``Storage::STORAGE_BACKEND_SQLITE``
The type of storage backend to open.
.. zeek:id:: Known::service_store_expiry
:source-code: policy/protocols/conn/known-services.zeek 99 99
:Type: :zeek:type:`interval`
:Attributes: :zeek:attr:`&redef`
:Default: ``1.0 day``
The expiry interval of new entries in :zeek:see:`Known::service_broker_store`
and :zeek:see:`Known::service_store_backend`. This also changes the interval
at which services get logged.
.. zeek:id:: Known::service_store_name
:source-code: policy/protocols/conn/known-services.zeek 72 72
:Type: :zeek:type:`string`
:Attributes: :zeek:attr:`&redef`
:Default: ``"zeek/known/services"``
The Broker topic name to use for :zeek:see:`Known::service_broker_store`.
.. zeek:id:: Known::service_store_prefix
:source-code: policy/protocols/conn/known-services.zeek 86 86
:Type: :zeek:type:`string`
:Attributes: :zeek:attr:`&redef`
:Default: ``"zeekknownservices"``
The name to use for :zeek:see:`Known::service_store_backend`. This will be used
by the backends to differentiate tables/keys. This should be alphanumeric so
that it can be used as the table name for the storage framework.
.. zeek:id:: Known::use_service_store
:source-code: policy/protocols/conn/known-services.zeek 44 44
:Type: :zeek:type:`bool`
:Attributes: :zeek:attr:`&redef`
:Default: ``F``
Toggles between different implementations of this script.
When true, use a Broker data store, else use a regular Zeek set
with keys uniformly distributed over proxy nodes in cluster
operation.
.. zeek:id:: Known::use_storage_framework
:source-code: policy/protocols/conn/known-services.zeek 49 49
:Type: :zeek:type:`bool`
:Attributes: :zeek:attr:`&redef`
:Default: ``F``
Switches to the version of this script that uses the storage
framework instead of Broker stores. This will default to ``T``
in v8.1.
State Variables
###############
.. zeek:id:: Known::service_broker_store
:source-code: policy/protocols/conn/known-services.zeek 69 69
:Type: :zeek:type:`Cluster::StoreInfo`
:Default:
::
{
name=<uninitialized>
store=<uninitialized>
master_node=""
master=F
backend=Broker::MEMORY
options=[sqlite=[path="", synchronous=<uninitialized>, journal_mode=<uninitialized>, failure_mode=Broker::SQLITE_FAILURE_MODE_FAIL, integrity_check=F]]
clone_resync_interval=10.0 secs
clone_stale_interval=5.0 mins
clone_mutation_buffer_interval=2.0 mins
}
Storage configuration for Broker stores
Holds the set of all known services. Keys in the store are
:zeek:type:`Known::AddrPortServTriplet` and their associated value is
always the boolean value of "true".
.. zeek:id:: Known::service_store_backend
:source-code: policy/protocols/conn/known-services.zeek 81 81
:Type: :zeek:type:`opaque` of Storage::BackendHandle
Storage configuration for storage framework stores
This requires setting a configuration in local.zeek that sets the
Known::use_storage_framework boolean to T, and optionally sets different
values in the Known::service_store_backend_options record.
Backend to use for storing known services data using the storage framework.
.. zeek:id:: Known::services
:source-code: policy/protocols/conn/known-services.zeek 114 114
:Type: :zeek:type:`table` [:zeek:type:`addr`, :zeek:type:`port`] of :zeek:type:`set` [:zeek:type:`string`]
:Attributes: :zeek:attr:`&create_expire` = ``1.0 day``
:Default: ``{}``
Tracks the set of daily-detected services for preventing the logging
of duplicates, but can also be inspected by other scripts for
different purposes.
In cluster operation, this table is uniformly distributed across
proxy nodes.
This table is automatically populated and shouldn't be directly modified.
Types
#####
.. zeek:type:: Known::AddrPortServTriplet
:source-code: policy/protocols/conn/known-services.zeek 58 62
:Type: :zeek:type:`record`
.. zeek:field:: host :zeek:type:`addr`
.. zeek:field:: p :zeek:type:`port`
.. zeek:field:: serv :zeek:type:`string`
.. zeek:type:: Known::ServicesInfo
:source-code: policy/protocols/conn/known-services.zeek 27 38
:Type: :zeek:type:`record`
.. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
The time at which the service was detected.
.. zeek:field:: host :zeek:type:`addr` :zeek:attr:`&log`
The host address on which the service is running.
.. zeek:field:: port_num :zeek:type:`port` :zeek:attr:`&log`
The port number on which the service is running.
.. zeek:field:: port_proto :zeek:type:`transport_proto` :zeek:attr:`&log`
The transport-layer protocol which the service uses.
.. zeek:field:: service :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&log`
A set of protocols that match the service's connection payloads.
The record type which contains the column fields of the known-services
log.
Events
######
.. zeek:id:: Known::log_known_services
:source-code: policy/protocols/conn/known-services.zeek 118 118
:Type: :zeek:type:`event` (rec: :zeek:type:`Known::ServicesInfo`)
Event that can be handled to access the :zeek:type:`Known::ServicesInfo`
record as it is sent on to the logging framework.
Hooks
#####
.. zeek:id:: Known::log_policy_services
:source-code: policy/protocols/conn/known-services.zeek 23 23
:Type: :zeek:type:`Log::PolicyHook`
A default logging policy hook for the stream.
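Review bot: `Known::use_service_store` is documented as a two-way switch ("When true, use a Broker data store, else use a regular Zeek set"), but this file now has three implementations: the Broker store, the storage framework selected by `Known::use_storage_framework`, and the `Known::services` table (a `table`, not a set). Neither option's text says which one wins when both are T; spell out the precedence in the doc comments. Two operational points also belong on this page: the `Known::service_store_backend_options` default is an SQLite backend at `database_path=":memory:"`, so with the storage framework enabled and the defaults untouched nothing survives a restart and every service is re-logged afterwards; and since `use_storage_framework` is announced to default to T in v8.1, local.zeek overrides written now should set it explicitly either way so behaviour does not change silently on upgrade.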


@ -0,0 +1,31 @@
:tocdepth: 3
policy/protocols/conn/mac-logging.zeek
======================================
.. zeek:namespace:: Conn
This script adds link-layer address (MAC) information to the connection logs
:Namespace: Conn
:Imports: :doc:`base/protocols/conn </scripts/base/protocols/conn/index>`
Summary
~~~~~~~
Redefinitions
#############
============================================ ============================================================================
:zeek:type:`Conn::Info`: :zeek:type:`record`
:New Fields: :zeek:type:`Conn::Info`
orig_l2_addr: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Link-layer address of the originator, if available.
resp_l2_addr: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Link-layer address of the responder, if available.
============================================ ============================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
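Review bot: the summary sentence ("This script adds link-layer address (MAC) information to the connection logs") has no terminating period, and both field descriptions say "if available" without saying what availability depends on; one clause on when `orig_l2_addr` and `resp_l2_addr` stay unset would save a support question.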


@ -0,0 +1,28 @@
:tocdepth: 3
policy/protocols/conn/pppoe-session-id-logging.zeek
===================================================
.. zeek:namespace:: Conn
This script adds PPPoE session ID information to the connection log.
:Namespace: Conn
:Imports: :doc:`base/protocols/conn </scripts/base/protocols/conn/index>`
Summary
~~~~~~~
Redefinitions
#############
============================================ ===============================================================================
:zeek:type:`Conn::Info`: :zeek:type:`record`
:New Fields: :zeek:type:`Conn::Info`
pppoe_session_id: :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
The PPPoE session id, if applicable for this connection.
============================================ ===============================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
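Review bot: the summary writes "session ID" and the field description "session id"; use one spelling in the doc comments so the generated page is consistent with the other conn policy scripts in this commit.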


@ -0,0 +1,37 @@
:tocdepth: 3
policy/protocols/conn/speculative-service.zeek
==============================================
.. zeek:namespace:: Conn
This script adds information about matched DPD signatures to the connection
log.
:Namespace: Conn
:Imports: :doc:`base/protocols/conn </scripts/base/protocols/conn/index>`
Summary
~~~~~~~
Redefinitions
#############
========================================================================== =====================================================================================================================
:zeek:type:`Conn::Info`: :zeek:type:`record`
:New Fields: :zeek:type:`Conn::Info`
speculative_service: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Protocol that was determined by a matching signature after the beginning
of a connection.
:zeek:type:`connection`: :zeek:type:`record`
:New Fields: :zeek:type:`connection`
speculative_service: :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&default` = ``{ }`` :zeek:attr:`&optional`
:zeek:id:`dpd_late_match_stop`: :zeek:type:`bool` :zeek:attr:`&redef`
:zeek:id:`dpd_match_only_beginning`: :zeek:type:`bool` :zeek:attr:`&redef`
========================================================================== =====================================================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
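Review bot: `dpd_late_match_stop` and `dpd_match_only_beginning` are listed under Redefinitions with no value shown, unlike the `:Redefinition:` entries elsewhere in this commit (`Known::host_tracking`, for instance, shows `= ALL_HOSTS`); a reader cannot tell from this page what the script sets them to, and both control whether signatures keep matching after the start of a connection, which is the whole point of the script. Separately, `speculative_service` is a single `string` on `Conn::Info` but a `set[string]` on `connection`; the doc should say how a set with more than one element is reduced to the one logged string.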


@ -0,0 +1,31 @@
:tocdepth: 3
policy/protocols/conn/vlan-logging.zeek
=======================================
.. zeek:namespace:: Conn
This script adds VLAN information to the connection log.
:Namespace: Conn
:Imports: :doc:`base/protocols/conn </scripts/base/protocols/conn/index>`
Summary
~~~~~~~
Redefinitions
#############
============================================ =======================================================================
:zeek:type:`Conn::Info`: :zeek:type:`record`
:New Fields: :zeek:type:`Conn::Info`
vlan: :zeek:type:`int` :zeek:attr:`&log` :zeek:attr:`&optional`
The outer VLAN for this connection, if applicable.
inner_vlan: :zeek:type:`int` :zeek:attr:`&log` :zeek:attr:`&optional`
The inner VLAN for this connection, if applicable.
============================================ =======================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~


@ -0,0 +1,33 @@
:tocdepth: 3
policy/protocols/conn/weirds.zeek
=================================
.. zeek:namespace:: Conn
This script handles core generated connection related "weird" events to
push weird information about connections into the weird framework.
For live operational deployments, this can frequently cause load issues
due to large numbers of these events and quite possibly shouldn't be
loaded.
:Namespace: Conn
:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`
Summary
~~~~~~~
Redefinitions
#############
============================================ ===================================================
:zeek:type:`Notice::Type`: :zeek:type:`enum`
* :zeek:enum:`Conn::Content_Gap`:
Data has sequence hole; perhaps due to filtering.
* :zeek:enum:`Conn::Retransmission_Inconsistency`:
Possible evasion; usually just chud.
============================================ ===================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
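Review bot: the summary says the script pushes information "into the weird framework", but the only import is `base/frameworks/notice` and the only redefinition is of `Notice::Type` (`Conn::Content_Gap`, `Conn::Retransmission_Inconsistency`); the description should say it raises notices. "Possible evasion; usually just chud" is slang that readers of reference docs will not parse; replace it in the enum's doc comment with plain wording such as "usually benign retransmission noise". The load warning is the most useful sentence on the page and could be made concrete by noting that every content gap and retransmission inconsistency becomes a notice, which is why busy links suffer.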


@ -0,0 +1,32 @@
:tocdepth: 3
policy/protocols/dhcp/msg-orig.zeek
===================================
.. zeek:namespace:: DHCP
Add a field that logs the order of hosts sending messages
using the same DHCP transaction ID. This information is
occasionally needed on some networks to fully explain the
DHCP sequence.
:Namespace: DHCP
:Imports: :doc:`base/protocols/dhcp </scripts/base/protocols/dhcp/index>`
Summary
~~~~~~~
Redefinitions
#############
============================================ ============================================================================================================================
:zeek:type:`DHCP::Info`: :zeek:type:`record`
:New Fields: :zeek:type:`DHCP::Info`
msg_orig: :zeek:type:`vector` of :zeek:type:`addr` :zeek:attr:`&log` :zeek:attr:`&default` = ``[]`` :zeek:attr:`&optional`
The address that originated each message from the
`msg_types` field.
============================================ ============================================================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
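Review bot: in the msg_orig field description, `msg_types` is written with single backticks, which reStructuredText treats as the default interpreted-text role rather than a literal, so it will not render as a field name; use double backticks (``msg_types``) in the script's doc comment. The description should also say that the vector is parallel to msg_types (element i of msg_orig is the sender of element i of msg_types), since that is the only way the two fields are useful together.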


@ -0,0 +1,38 @@
:tocdepth: 3
policy/protocols/dhcp/software.zeek
===================================
.. zeek:namespace:: DHCP
Software identification and extraction for DHCP traffic.
:Namespace: DHCP
:Imports: :doc:`base/frameworks/software </scripts/base/frameworks/software/index>`, :doc:`base/protocols/dhcp </scripts/base/protocols/dhcp/index>`
Summary
~~~~~~~
Redefinitions
#############
============================================== ===============================================================================
:zeek:type:`DHCP::Info`: :zeek:type:`record`
:New Fields: :zeek:type:`DHCP::Info`
client_software: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Software reported by the client in the `vendor_class` option.
server_software: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Software reported by the server in the `vendor_class` option.
:zeek:type:`Software::Type`: :zeek:type:`enum`
* :zeek:enum:`DHCP::CLIENT`:
Identifier for web browsers in the software framework.
* :zeek:enum:`DHCP::SERVER`:
Identifier for web servers in the software framework.
============================================== ===============================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
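Review bot: the descriptions of DHCP::CLIENT ("Identifier for web browsers in the software framework") and DHCP::SERVER ("Identifier for web servers in the software framework") are copy-paste leftovers from the HTTP software script and are wrong for DHCP; fix them in policy/protocols/dhcp/software.zeek to "Identifier for DHCP clients in the software framework" and "Identifier for DHCP servers in the software framework". Same single-backtick issue as elsewhere with `vendor_class`: use ``vendor_class`` so it renders as a literal.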


@ -0,0 +1,38 @@
:tocdepth: 3
policy/protocols/dhcp/sub-opts.zeek
===================================
.. zeek:namespace:: DHCP
:Namespace: DHCP
:Imports: :doc:`base/protocols/dhcp </scripts/base/protocols/dhcp/index>`
Summary
~~~~~~~
Redefinitions
#############
============================================ ===============================================================================
:zeek:type:`DHCP::Info`: :zeek:type:`record`
:New Fields: :zeek:type:`DHCP::Info`
circuit_id: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Added by DHCP relay agents which terminate switched or
permanent circuits.
agent_remote_id: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
A globally unique identifier added by relay agents to identify
the remote host end of the circuit.
subscriber_id: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
The subscriber ID is a value independent of the physical
network configuration so that a customer's DHCP configuration
can be given to them correctly no matter where they are
physically connected.
============================================ ===============================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
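Review bot: this page has no summary line at all between the namespace directive and the :Namespace: field, meaning policy/protocols/dhcp/sub-opts.zeek lacks a module-level doc comment; add one such as "Adds the DHCP relay agent sub-options (circuit ID and remote ID from RFC 3046, subscriber ID from RFC 3993) to dhcp.log", which also tells a reader where the three field descriptions come from.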


@ -0,0 +1,36 @@
:tocdepth: 3
policy/protocols/dns/auth-addl.zeek
===================================
.. zeek:namespace:: DNS
This script adds authoritative and additional responses for the current
query to the DNS log. It can cause severe overhead due to the need
for all authoritative and additional responses to have events generated.
This script is not recommended for use on heavily loaded links.
:Namespace: DNS
:Imports: :doc:`base/protocols/dns/main.zeek </scripts/base/protocols/dns/main.zeek>`
Summary
~~~~~~~
Redefinitions
#############
=================================================================== =======================================================================================
:zeek:type:`DNS::Info`: :zeek:type:`record`
:New Fields: :zeek:type:`DNS::Info`
auth: :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&log` :zeek:attr:`&optional`
Authoritative responses for the query.
addl: :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&log` :zeek:attr:`&optional`
Additional responses for the query.
:zeek:id:`dns_skip_all_addl`: :zeek:type:`bool` :zeek:attr:`&redef`
:zeek:id:`dns_skip_all_auth`: :zeek:type:`bool` :zeek:attr:`&redef`
=================================================================== =======================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
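Review bot: the redefinitions table lists dns_skip_all_addl and dns_skip_all_auth but not the values the script sets them to, and the generator will not fill that in. Since the base default for both is T (which suppresses the authority and additional-section events), the summary comment in the script should state explicitly that this script redefines both to F, because that is exactly the change that produces the overhead the warning describes.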


@ -0,0 +1,55 @@
:tocdepth: 3
policy/protocols/dns/detect-external-names.zeek
===============================================
.. zeek:namespace:: DNS
This script detects names which are not within zones considered to be
local but resolving to addresses considered local.
The :zeek:id:`Site::local_zones` variable **must** be set appropriately for
this detection.
:Namespace: DNS
:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/utils/site.zeek </scripts/base/utils/site.zeek>`
Summary
~~~~~~~
Runtime Options
###############
=============================================================================== =====================================
:zeek:id:`DNS::skip_resp_host_port_pairs`: :zeek:type:`set` :zeek:attr:`&redef` Default is to ignore mDNS broadcasts.
=============================================================================== =====================================
Redefinitions
#############
============================================ ===========================================================
:zeek:type:`Notice::Type`: :zeek:type:`enum`
* :zeek:enum:`DNS::External_Name`:
Raised when a non-local name is found to be pointing at a
local host.
============================================ ===========================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: DNS::skip_resp_host_port_pairs
:source-code: policy/protocols/dns/detect-external-names.zeek 20 20
:Type: :zeek:type:`set` [:zeek:type:`addr`, :zeek:type:`port`]
:Attributes: :zeek:attr:`&redef`
:Default:
::
{
[224.0.0.251, 5353/udp] ,
[ff02::fb, 5353/udp]
}
Default is to ignore mDNS broadcasts.
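Review bot: "Default is to ignore mDNS broadcasts" is inaccurate: 224.0.0.251 and ff02::fb are the mDNS multicast groups, not broadcast addresses, so the doc comment on DNS::skip_resp_host_port_pairs should say "mDNS multicast responders". It would also help to say that the set is keyed on the responder address and port, since a deployer extending it needs to know which side of the connection to list.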


@ -0,0 +1,29 @@
:tocdepth: 3
policy/protocols/dns/log-original-query-case.zeek
=================================================
.. zeek:namespace:: DNS
This script adds the query with its original letter casing
to the DNS log.
:Namespace: DNS
:Imports: :doc:`base/protocols/dns/main.zeek </scripts/base/protocols/dns/main.zeek>`
Summary
~~~~~~~
Redefinitions
#############
=========================================== ==============================================================================
:zeek:type:`DNS::Info`: :zeek:type:`record`
:New Fields: :zeek:type:`DNS::Info`
original_query: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Query with original letter casing
=========================================== ==============================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~


@ -0,0 +1,59 @@
:tocdepth: 3
policy/protocols/ftp/detect-bruteforcing.zeek
=============================================
.. zeek:namespace:: FTP
FTP brute-forcing detector, triggering when too many rejected usernames or
failed passwords have occurred from a single address.
:Namespace: FTP
:Imports: :doc:`base/frameworks/sumstats </scripts/base/frameworks/sumstats/index>`, :doc:`base/protocols/ftp </scripts/base/protocols/ftp/index>`, :doc:`base/utils/time.zeek </scripts/base/utils/time.zeek>`
Summary
~~~~~~~
Redefinable Options
###################
========================================================================================== ==================================================================
:zeek:id:`FTP::bruteforce_measurement_interval`: :zeek:type:`interval` :zeek:attr:`&redef` The time period in which the threshold needs to be crossed before
being reset.
:zeek:id:`FTP::bruteforce_threshold`: :zeek:type:`double` :zeek:attr:`&redef` How many rejected usernames or passwords are required before being
considered to be bruteforcing.
========================================================================================== ==================================================================
Redefinitions
#############
============================================ ==============================================================
:zeek:type:`Notice::Type`: :zeek:type:`enum`
* :zeek:enum:`FTP::Bruteforcing`:
Indicates a host bruteforcing FTP logins by watching for too
many rejected usernames or failed passwords.
============================================ ==============================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Redefinable Options
###################
.. zeek:id:: FTP::bruteforce_measurement_interval
:source-code: policy/protocols/ftp/detect-bruteforcing.zeek 24 24
:Type: :zeek:type:`interval`
:Attributes: :zeek:attr:`&redef`
:Default: ``15.0 mins``
The time period in which the threshold needs to be crossed before
being reset.
.. zeek:id:: FTP::bruteforce_threshold
:source-code: policy/protocols/ftp/detect-bruteforcing.zeek 20 20
:Type: :zeek:type:`double`
:Attributes: :zeek:attr:`&redef`
:Default: ``20.0``
How many rejected usernames or passwords are required before being
considered to be bruteforcing.


@ -0,0 +1,27 @@
:tocdepth: 3
policy/protocols/ftp/detect.zeek
================================
.. zeek:namespace:: FTP
Detect various potentially bad FTP activities.
:Namespace: FTP
:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/protocols/ftp </scripts/base/protocols/ftp/index>`
Summary
~~~~~~~
Redefinitions
#############
============================================ =======================================================
:zeek:type:`Notice::Type`: :zeek:type:`enum`
* :zeek:enum:`FTP::Site_Exec_Success`:
Indicates that a successful response to a "SITE EXEC"
command/arg pair was seen.
============================================ =======================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~


@ -0,0 +1,29 @@
:tocdepth: 3
policy/protocols/ftp/software.zeek
==================================
.. zeek:namespace:: FTP
Software detection with the FTP protocol.
:Namespace: FTP
:Imports: :doc:`base/frameworks/software </scripts/base/frameworks/software/index>`
Summary
~~~~~~~
Redefinitions
#############
============================================== =======================================================
:zeek:type:`Software::Type`: :zeek:type:`enum`
* :zeek:enum:`FTP::CLIENT`:
Identifier for FTP clients in the software framework.
* :zeek:enum:`FTP::SERVER`:
Not currently implemented.
============================================== =======================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
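Review bot: FTP::SERVER is documented as "Not currently implemented", so users who see it in Software::Type will expect FTP server versions in software.log and get nothing. Either drop the unused enum value from policy/protocols/ftp/software.zeek or reword the comment to say it is reserved and no server detection populates it yet.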


@ -0,0 +1,111 @@
:tocdepth: 3
policy/protocols/http/detect-sql-injection.zeek
===============================================
.. zeek:namespace:: HTTP
SQL injection attack detection in HTTP.
The script annotates the notices it generates with an associated $uid
connection identifier; always provides an attacker IP address in the
$src field; and always provides a victim IP address in the $dst field.
:Namespace: HTTP
:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/frameworks/sumstats </scripts/base/frameworks/sumstats/index>`, :doc:`base/protocols/http </scripts/base/protocols/http/index>`
Summary
~~~~~~~
Redefinable Options
###################
================================================================================== ================================================================
:zeek:id:`HTTP::match_sql_injection_uri`: :zeek:type:`pattern` :zeek:attr:`&redef` Regular expression is used to match URI based SQL injections.
:zeek:id:`HTTP::sqli_requests_interval`: :zeek:type:`interval` :zeek:attr:`&redef` Interval at which to watch for the
:zeek:id:`HTTP::sqli_requests_threshold` variable to be crossed.
:zeek:id:`HTTP::sqli_requests_threshold`: :zeek:type:`double` :zeek:attr:`&redef` Defines the threshold that determines if an SQL injection attack
is ongoing based on the number of requests that appear to be SQL
injection attacks.
================================================================================== ================================================================
Redefinitions
#############
======================================================= ==============================================================
:zeek:type:`HTTP::Tags`: :zeek:type:`enum`
* :zeek:enum:`HTTP::URI_SQLI`:
Indicator of a URI based SQL injection attack.
:zeek:type:`Notice::Type`: :zeek:type:`enum`
* :zeek:enum:`HTTP::SQL_Injection_Attacker`:
Indicates that a host performing SQL injection attacks was
detected.
* :zeek:enum:`HTTP::SQL_Injection_Victim`:
Indicates that a host was seen to have SQL injection attacks
against it.
:zeek:type:`SumStats::Observation`: :zeek:type:`record`
:New Fields: :zeek:type:`SumStats::Observation`
uid: :zeek:type:`string` :zeek:attr:`&optional`
======================================================= ==============================================================
Hooks
#####
=============================================== =======================================================================
:zeek:id:`HTTP::sqli_policy`: :zeek:type:`hook` A hook that can be used to prevent specific requests from being counted
as an injection attempt.
=============================================== =======================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Redefinable Options
###################
.. zeek:id:: HTTP::match_sql_injection_uri
:source-code: policy/protocols/http/detect-sql-injection.zeek 41 41
:Type: :zeek:type:`pattern`
:Attributes: :zeek:attr:`&redef`
:Default:
::
/^?((^?((^?((^?((^?(((?i:^?([\?&][^[:blank:]\x00-\x1f\|\+]+?=[\-[:alnum:]%]+([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)*'?([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/|\)?;)+.*?(having|union|exec|select|delete|drop|declare|create|insert)([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)+)$?))|((?i:^?([\?&][^[:blank:]\x00-\x1f\|\+]+?=[\-0-9%]+([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)*'?([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/|\)?;)+(x?or|n?and)([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)+'?(([^a-zA-Z&]+)?=|exists))$?)))$?)|((?i:^?([\?&][^[:blank:]\x00-\x1f\+]+?=[\-0-9%]*([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)*'([[:blank:]\x00-\x1f]|\/\*.*?\*\/)*(-|=|\+|\|\|)([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)*([0-9]|\(?convert|cast))$?)))$?)|((?i:^?([\?&][^[:blank:]\x00-\x1f\|\+]+?=([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)*'([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/|;)*(x?or|n?and|having|union|exec|select|delete|drop|declare|create|regexp|insert)([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/|[\[(])+[a-zA-Z&]{2,})$?)))$?)|((?i:^?([\?&][^[:blank:]\x00-\x1f\+]+?=[^\.]*?(char|ascii|substring|truncate|version|length)\()$?)))$?)|(^?(\/\*![[:digit:]]{5}.*?\*\/)$?))$?/
Regular expression is used to match URI based SQL injections.
.. zeek:id:: HTTP::sqli_requests_interval
:source-code: policy/protocols/http/detect-sql-injection.zeek 38 38
:Type: :zeek:type:`interval`
:Attributes: :zeek:attr:`&redef`
:Default: ``5.0 mins``
Interval at which to watch for the
:zeek:id:`HTTP::sqli_requests_threshold` variable to be crossed.
At the end of each interval the counter is reset.
.. zeek:id:: HTTP::sqli_requests_threshold
:source-code: policy/protocols/http/detect-sql-injection.zeek 33 33
:Type: :zeek:type:`double`
:Attributes: :zeek:attr:`&redef`
:Default: ``50.0``
Defines the threshold that determines if an SQL injection attack
is ongoing based on the number of requests that appear to be SQL
injection attacks.
Hooks
#####
.. zeek:id:: HTTP::sqli_policy
:source-code: policy/protocols/http/detect-sql-injection.zeek 52 52
:Type: :zeek:type:`hook` (c: :zeek:type:`connection`, method: :zeek:type:`string`, unescaped_URI: :zeek:type:`string`) : :zeek:type:`bool`
A hook that can be used to prevent specific requests from being counted
as an injection attempt. Use a 'break' statement to exit the hook
early and ignore the request.
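Review bot: the doc comment for HTTP::match_sql_injection_uri reads "Regular expression is used to match URI based SQL injections"; it should be "Regular expression used to match URI-based SQL injection attempts". Given that HTTP::sqli_policy receives unescaped_URI, the option's comment should also state whether the pattern is matched against the unescaped URI, because that determines whether percent-encoded payloads are caught, and the rendered default (with the generator's ^?(...)$? wrappers) is too dense for a reader to work that out from the pattern itself.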


@ -0,0 +1,33 @@
:tocdepth: 3
policy/protocols/http/detect-webapps.zeek
=========================================
.. zeek:namespace:: HTTP
Detect and log web applications through the software framework.
:Namespace: HTTP
:Imports: :doc:`base/frameworks/signatures </scripts/base/frameworks/signatures/index>`, :doc:`base/frameworks/software </scripts/base/frameworks/software/index>`, :doc:`base/protocols/http </scripts/base/protocols/http/index>`
Summary
~~~~~~~
Redefinitions
#############
============================================================================ ===================================================================
:zeek:id:`Signatures::ignored_ids`: :zeek:type:`pattern` :zeek:attr:`&redef`
:zeek:type:`Software::Info`: :zeek:type:`record`
:New Fields: :zeek:type:`Software::Info`
url: :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
Most root URL where the software was discovered.
:zeek:type:`Software::Type`: :zeek:type:`enum`
* :zeek:enum:`HTTP::WEB_APPLICATION`:
Identifier for web applications in the software framework.
============================================================================ ===================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
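Review bot: "Most root URL where the software was discovered" is unclear; say "The URL closest to the site root at which the software was discovered" in the url field's doc comment. The Signatures::ignored_ids row in the table is blank, so the script's redef of it carries no doc comment; add one saying which signature IDs it suppresses and why.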


@ -0,0 +1,60 @@
:tocdepth: 3
policy/protocols/http/header-names.zeek
=======================================
.. zeek:namespace:: HTTP
Extract and include the header names used for each request in the HTTP
logging stream. The headers in the logging stream will be stored in the
same order which they were seen on the wire.
:Namespace: HTTP
:Imports: :doc:`base/protocols/http/main.zeek </scripts/base/protocols/http/main.zeek>`
Summary
~~~~~~~
Runtime Options
###############
=============================================================================== =====================================================================
:zeek:id:`HTTP::log_client_header_names`: :zeek:type:`bool` :zeek:attr:`&redef` A boolean value to determine if client header names are to be logged.
:zeek:id:`HTTP::log_server_header_names`: :zeek:type:`bool` :zeek:attr:`&redef` A boolean value to determine if server header names are to be logged.
=============================================================================== =====================================================================
Redefinitions
#############
============================================ ==========================================================================================================
:zeek:type:`HTTP::Info`: :zeek:type:`record`
:New Fields: :zeek:type:`HTTP::Info`
client_header_names: :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
The vector of HTTP header names sent by the client.
server_header_names: :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
The vector of HTTP header names sent by the server.
============================================ ==========================================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: HTTP::log_client_header_names
:source-code: policy/protocols/http/header-names.zeek 21 21
:Type: :zeek:type:`bool`
:Attributes: :zeek:attr:`&redef`
:Default: ``T``
A boolean value to determine if client header names are to be logged.
.. zeek:id:: HTTP::log_server_header_names
:source-code: policy/protocols/http/header-names.zeek 24 24
:Type: :zeek:type:`bool`
:Attributes: :zeek:attr:`&redef`
:Default: ``F``
A boolean value to determine if server header names are to be logged.
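Review bot: "same order which they were seen on the wire" should read "same order in which they were seen on the wire" in the script summary. Since header order is the point of this script (it is what makes the field useful for client fingerprinting), the summary should also say explicitly that only header names are logged, never values, so a reviewer of log retention does not have to read the source to confirm that.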


@ -0,0 +1,36 @@
:tocdepth: 3
policy/protocols/http/software-browser-plugins.zeek
===================================================
.. zeek:namespace:: HTTP
Detect browser plugins as they leak through requests to Omniture
advertising servers.
:Namespace: HTTP
:Imports: :doc:`base/frameworks/software </scripts/base/frameworks/software/index>`, :doc:`base/protocols/http </scripts/base/protocols/http/index>`
Summary
~~~~~~~
Redefinitions
#############
============================================== ==================================================================================
:zeek:type:`HTTP::Info`: :zeek:type:`record`
:New Fields: :zeek:type:`HTTP::Info`
omniture: :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
Indicates if the server is an omniture advertising server.
flash_version: :zeek:type:`string` :zeek:attr:`&optional`
The unparsed Flash version, if detected.
:zeek:type:`Software::Type`: :zeek:type:`enum`
* :zeek:enum:`HTTP::BROWSER_PLUGIN`:
Identifier for browser plugins in the software framework.
============================================== ==================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~


@ -0,0 +1,54 @@
:tocdepth: 3
policy/protocols/http/software.zeek
===================================
.. zeek:namespace:: HTTP
Software identification and extraction for HTTP traffic.
:Namespace: HTTP
:Imports: :doc:`base/frameworks/software </scripts/base/frameworks/software/index>`
Summary
~~~~~~~
Runtime Options
###############
============================================================================== ===============================================================
:zeek:id:`HTTP::ignored_user_agents`: :zeek:type:`pattern` :zeek:attr:`&redef` The pattern of HTTP User-Agents which you would like to ignore.
============================================================================== ===============================================================
Redefinitions
#############
============================================== ========================================================
:zeek:type:`Software::Type`: :zeek:type:`enum`
* :zeek:enum:`HTTP::APPSERVER`:
Identifier for app servers in the software framework.
* :zeek:enum:`HTTP::BROWSER`:
Identifier for web browsers in the software framework.
* :zeek:enum:`HTTP::SERVER`:
Identifier for web servers in the software framework.
============================================== ========================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: HTTP::ignored_user_agents
:source-code: policy/protocols/http/software.zeek 18 18
:Type: :zeek:type:`pattern`
:Attributes: :zeek:attr:`&redef`
:Default:
::
/^?(NO_DEFAULT)$?/
The pattern of HTTP User-Agents which you would like to ignore.
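Review bot: the default for HTTP::ignored_user_agents renders as /^?(NO_DEFAULT)$?/ with no explanation, so a reader cannot tell whether that is a bug or a sentinel. The doc comment in policy/protocols/http/software.zeek should say that NO_DEFAULT is a placeholder that matches no real User-Agent, meaning nothing is ignored until the pattern is redefined.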


@ -0,0 +1,28 @@
:tocdepth: 3
policy/protocols/http/var-extraction-cookies.zeek
=================================================
.. zeek:namespace:: HTTP
Extracts and logs variable names from cookies sent by clients.
:Namespace: HTTP
:Imports: :doc:`base/protocols/http/main.zeek </scripts/base/protocols/http/main.zeek>`, :doc:`base/protocols/http/utils.zeek </scripts/base/protocols/http/utils.zeek>`
Summary
~~~~~~~
Redefinitions
#############
============================================ ==================================================================================================
:zeek:type:`HTTP::Info`: :zeek:type:`record`
:New Fields: :zeek:type:`HTTP::Info`
cookie_vars: :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
Variable names extracted from all cookies.
============================================ ==================================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~


@ -0,0 +1,29 @@
:tocdepth: 3
policy/protocols/http/var-extraction-uri.zeek
=============================================
.. zeek:namespace:: HTTP
Extracts and logs variables from the requested URI in the default HTTP
logging stream.
:Namespace: HTTP
:Imports: :doc:`base/protocols/http </scripts/base/protocols/http/index>`
Summary
~~~~~~~
Redefinitions
#############
============================================ ===============================================================================================
:zeek:type:`HTTP::Info`: :zeek:type:`record`
:New Fields: :zeek:type:`HTTP::Info`
uri_vars: :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
Variable names from the URI.
============================================ ===============================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~


@ -0,0 +1,31 @@
:tocdepth: 3
policy/protocols/krb/ticket-logging.zeek
========================================
.. zeek:namespace:: KRB
Add Kerberos ticket hashes to the krb.log
:Namespace: KRB
:Imports: :doc:`base/protocols/krb </scripts/base/protocols/krb/index>`
Summary
~~~~~~~
Redefinitions
#############
=========================================== ===========================================================================
:zeek:type:`KRB::Info`: :zeek:type:`record`
:New Fields: :zeek:type:`KRB::Info`
auth_ticket: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Hash of ticket used to authorize request/transaction
new_ticket: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Hash of ticket returned by the KDC
=========================================== ===========================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
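Review bot: "Hash of ticket used to authorize request/transaction" and "Hash of ticket returned by the KDC" do not say which hash function is used or which bytes of the ticket are hashed. Analysts correlate these values across sensors and with other tooling, so the auth_ticket and new_ticket doc comments in policy/protocols/krb/ticket-logging.zeek should name the algorithm and the input (for example, whether it is the ticket's encrypted part only).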


@ -0,0 +1,118 @@
:tocdepth: 3
policy/protocols/modbus/known-masters-slaves.zeek
=================================================
.. zeek:namespace:: Known
Script for tracking known Modbus masters and slaves.
.. todo:: This script needs a lot of work. What might be more interesting
is to track master/slave relationships based on commands sent and
successful (non-exception) responses.
:Namespace: Known
:Imports: :doc:`base/protocols/modbus </scripts/base/protocols/modbus/index>`
Summary
~~~~~~~
State Variables
###############
============================================================================================================== ===============================
:zeek:id:`Known::modbus_nodes`: :zeek:type:`set` :zeek:attr:`&create_expire` = ``1.0 day`` :zeek:attr:`&redef` The Modbus nodes being tracked.
============================================================================================================== ===============================
Types
#####
======================================================= =
:zeek:type:`Known::ModbusDeviceType`: :zeek:type:`enum`
:zeek:type:`Known::ModbusInfo`: :zeek:type:`record`
======================================================= =
Redefinitions
#############
======================================= ================================
:zeek:type:`Log::ID`: :zeek:type:`enum`
* :zeek:enum:`Known::MODBUS_LOG`
======================================= ================================
Events
######
====================================================== =====================================================================
:zeek:id:`Known::log_known_modbus`: :zeek:type:`event` Event that can be handled to access the loggable record as it is sent
on to the logging framework.
====================================================== =====================================================================
Hooks
#####
================================================================= =
:zeek:id:`Known::log_policy_modbus`: :zeek:type:`Log::PolicyHook`
================================================================= =
Detailed Interface
~~~~~~~~~~~~~~~~~~
State Variables
###############
.. zeek:id:: Known::modbus_nodes
:source-code: policy/protocols/modbus/known-masters-slaves.zeek 31 31
:Type: :zeek:type:`set` [:zeek:type:`addr`, :zeek:type:`Known::ModbusDeviceType`]
:Attributes: :zeek:attr:`&create_expire` = ``1.0 day`` :zeek:attr:`&redef`
:Default: ``{}``
The Modbus nodes being tracked.
Types
#####
.. zeek:type:: Known::ModbusDeviceType
:source-code: policy/protocols/modbus/known-masters-slaves.zeek 16 20
:Type: :zeek:type:`enum`
.. zeek:enum:: Known::MODBUS_MASTER Known::ModbusDeviceType
.. zeek:enum:: Known::MODBUS_SLAVE Known::ModbusDeviceType
.. zeek:type:: Known::ModbusInfo
:source-code: policy/protocols/modbus/known-masters-slaves.zeek 21 28
:Type: :zeek:type:`record`
.. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
The time the device was discovered.
.. zeek:field:: host :zeek:type:`addr` :zeek:attr:`&log`
The IP address of the host.
.. zeek:field:: device_type :zeek:type:`Known::ModbusDeviceType` :zeek:attr:`&log`
The type of device being tracked.
Events
######
.. zeek:id:: Known::log_known_modbus
:source-code: policy/protocols/modbus/known-masters-slaves.zeek 35 35
:Type: :zeek:type:`event` (rec: :zeek:type:`Known::ModbusInfo`)
Event that can be handled to access the loggable record as it is sent
on to the logging framework.
Hooks
#####
.. zeek:id:: Known::log_policy_modbus
:source-code: policy/protocols/modbus/known-masters-slaves.zeek 14 14
:Type: :zeek:type:`Log::PolicyHook`
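Review bot: the script-level ".. todo::" note is rendered into the published page; either resolve it or move it to a non-doc comment in policy/protocols/modbus/known-masters-slaves.zeek. The Log::ID row for Known::MODBUS_LOG has no description, and the doc comment on Known::modbus_nodes should say what the &create_expire = 1.0 day attribute implies for the log, namely whether a node is written to the log again once its entry has expired.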


@ -0,0 +1,170 @@
:tocdepth: 3
policy/protocols/modbus/track-memmap.zeek
=========================================
.. zeek:namespace:: Modbus
This script tracks the memory map of holding (read/write) registers and logs
changes as they are discovered.
.. todo:: Not all register read and write functions are supported yet.
:Namespace: Modbus
:Imports: :doc:`base/protocols/modbus </scripts/base/protocols/modbus/index>`, :doc:`base/utils/directions-and-hosts.zeek </scripts/base/utils/directions-and-hosts.zeek>`
Summary
~~~~~~~
Runtime Options
###############
====================================================================== ==================================================
:zeek:id:`Modbus::track_memmap`: :zeek:type:`Host` :zeek:attr:`&redef` The hosts that should have memory mapping enabled.
====================================================================== ==================================================
State Variables
###############
======================================================= =======================================================
:zeek:id:`Modbus::device_registers`: :zeek:type:`table` The memory map of slaves is tracked with this variable.
======================================================= =======================================================
Types
#####
======================================================= =====================================================================
:zeek:type:`Modbus::MemmapInfo`: :zeek:type:`record`
:zeek:type:`Modbus::RegisterValue`: :zeek:type:`record`
:zeek:type:`Modbus::Registers`: :zeek:type:`table` Indexed on the device register value and yielding the register value.
======================================================= =====================================================================
Redefinitions
#############
============================================== ========================================================================================
:zeek:type:`Log::ID`: :zeek:type:`enum`
* :zeek:enum:`Modbus::REGISTER_CHANGE_LOG`
:zeek:type:`Modbus::Info`: :zeek:type:`record`
:New Fields: :zeek:type:`Modbus::Info`
track_address: :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
============================================== ========================================================================================
Events
######
======================================================= =====================================================================
:zeek:id:`Modbus::changed_register`: :zeek:type:`event` This event is generated every time a register is seen to be different
than it was previously seen to be.
======================================================= =====================================================================
Hooks
#####
=========================================================================== =
:zeek:id:`Modbus::log_policy_register_change`: :zeek:type:`Log::PolicyHook`
=========================================================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: Modbus::track_memmap
:source-code: policy/protocols/modbus/track-memmap.zeek 17 17
:Type: :zeek:type:`Host`
:Attributes: :zeek:attr:`&redef`
:Default: ``ALL_HOSTS``
The hosts that should have memory mapping enabled.
State Variables
###############
.. zeek:id:: Modbus::device_registers
:source-code: policy/protocols/modbus/track-memmap.zeek 46 46
:Type: :zeek:type:`table` [:zeek:type:`addr`] of :zeek:type:`Modbus::Registers`
:Default: ``{}``
The memory map of slaves is tracked with this variable.
Types
#####
.. zeek:type:: Modbus::MemmapInfo
:source-code: policy/protocols/modbus/track-memmap.zeek 19 35
:Type: :zeek:type:`record`
.. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
Timestamp for the detected register change.
.. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
Unique ID for the connection.
.. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
Connection ID.
.. zeek:field:: register :zeek:type:`count` :zeek:attr:`&log`
The device memory offset.
.. zeek:field:: old_val :zeek:type:`count` :zeek:attr:`&log`
The old value stored in the register.
.. zeek:field:: new_val :zeek:type:`count` :zeek:attr:`&log`
The new value stored in the register.
.. zeek:field:: delta :zeek:type:`interval` :zeek:attr:`&log`
The time delta between when the *old_val* and *new_val* were
seen.
.. zeek:type:: Modbus::RegisterValue
:source-code: policy/protocols/modbus/track-memmap.zeek 37 40
:Type: :zeek:type:`record`
.. zeek:field:: last_set :zeek:type:`time`
.. zeek:field:: value :zeek:type:`count`
.. zeek:type:: Modbus::Registers
:source-code: policy/protocols/modbus/track-memmap.zeek 43 43
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`Modbus::RegisterValue`
Indexed on the device register value and yielding the register value.
Events
######
.. zeek:id:: Modbus::changed_register
:source-code: policy/protocols/modbus/track-memmap.zeek 103 108
:Type: :zeek:type:`event` (c: :zeek:type:`connection`, register: :zeek:type:`count`, old_val: :zeek:type:`count`, new_val: :zeek:type:`count`, delta: :zeek:type:`interval`)
This event is generated every time a register is seen to be different
than it was previously seen to be.
Hooks
#####
.. zeek:id:: Modbus::log_policy_register_change
:source-code: policy/protocols/modbus/track-memmap.zeek 14 14
:Type: :zeek:type:`Log::PolicyHook`
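Review bot: the description of Modbus::Registers, "Indexed on the device register value and yielding the register value", is misleading, because the table's index is the register's address rather than its contents: the matching `register` field of Modbus::MemmapInfo in this same hunk is documented as "The device memory offset". Suggest "Indexed on the device register offset and yielding the register value" in the source `##` comment so both the summary table and the detailed entry regenerate correctly.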


@ -0,0 +1,26 @@
:tocdepth: 3
policy/protocols/mysql/software.zeek
====================================
.. zeek:namespace:: MySQL
Software identification and extraction for MySQL traffic.
:Namespace: MySQL
:Imports: :doc:`base/frameworks/software </scripts/base/frameworks/software/index>`
Summary
~~~~~~~
Redefinitions
#############
============================================== =========================================================
:zeek:type:`Software::Type`: :zeek:type:`enum`
* :zeek:enum:`MySQL::SERVER`:
Identifier for MySQL servers in the software framework.
============================================== =========================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~


@ -0,0 +1,29 @@
:tocdepth: 3
policy/protocols/rdp/indicate_ssl.zeek
======================================
.. zeek:namespace:: RDP
If an RDP session is "upgraded" to SSL, this will be indicated
with this script in a new field added to the RDP log.
:Namespace: RDP
:Imports: :doc:`base/protocols/rdp </scripts/base/protocols/rdp/index>`, :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`
Summary
~~~~~~~
Redefinitions
#############
=========================================== ===============================================================================================
:zeek:type:`RDP::Info`: :zeek:type:`record`
:New Fields: :zeek:type:`RDP::Info`
ssl: :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
Flag the connection if it was seen over SSL.
=========================================== ===============================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~


@ -0,0 +1,64 @@
:tocdepth: 3
policy/protocols/smb/log-cmds.zeek
==================================
.. zeek:namespace:: SMB
Load this script to generate an SMB command log, smb_cmd.log.
This is primarily useful for debugging.
:Namespace: SMB
:Imports: :doc:`base/protocols/smb </scripts/base/protocols/smb/index>`
Summary
~~~~~~~
Runtime Options
###############
============================================================================== ====================================================
:zeek:id:`SMB::ignored_command_statuses`: :zeek:type:`set` :zeek:attr:`&redef` The server response statuses which are *not* logged.
============================================================================== ====================================================
Redefinitions
#############
======================================= ===========================
:zeek:type:`Log::ID`: :zeek:type:`enum`
* :zeek:enum:`SMB::CMD_LOG`
======================================= ===========================
Hooks
#####
======================================================== =
:zeek:id:`SMB::log_policy`: :zeek:type:`Log::PolicyHook`
======================================================== =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: SMB::ignored_command_statuses
:source-code: policy/protocols/smb/log-cmds.zeek 16 16
:Type: :zeek:type:`set` [:zeek:type:`string`]
:Attributes: :zeek:attr:`&redef`
:Default:
::
{
"MORE_PROCESSING_REQUIRED"
}
The server response statuses which are *not* logged.
Hooks
#####
.. zeek:id:: SMB::log_policy
:source-code: policy/protocols/smb/log-cmds.zeek 13 13
:Type: :zeek:type:`Log::PolicyHook`


@ -0,0 +1,50 @@
:tocdepth: 3
policy/protocols/smtp/blocklists.zeek
=====================================
.. zeek:namespace:: SMTP
Watch for various SPAM blocklist URLs in SMTP error messages.
:Namespace: SMTP
:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/protocols/smtp </scripts/base/protocols/smtp/index>`
Summary
~~~~~~~
Runtime Options
###############
=================================================================================== =
:zeek:id:`SMTP::blocklist_error_messages`: :zeek:type:`pattern` :zeek:attr:`&redef`
=================================================================================== =
Redefinitions
#############
============================================ ===================================================================
:zeek:type:`Notice::Type`: :zeek:type:`enum`
* :zeek:enum:`SMTP::Blocklist_Blocked_Host`:
The originator's address is seen in the block list error message.
* :zeek:enum:`SMTP::Blocklist_Error_Message`:
An SMTP server sent a reply mentioning an SMTP block list.
============================================ ===================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: SMTP::blocklist_error_messages
:source-code: policy/protocols/smtp/blocklists.zeek 20 20
:Type: :zeek:type:`pattern`
:Attributes: :zeek:attr:`&redef`
:Default:
::
/^?((^?((^?((^?((^?((^?((^?((^?((^?((^?((^?((^?((^?((^?((^?(spamhaus\.org\/)$?)|(^?(sophos\.com\/security\/)$?))$?)|(^?(spamcop\.net\/bl)$?))$?)|(^?(cbl\.abuseat\.org\/)$?))$?)|(^?(sorbs\.net\/)$?))$?)|(^?(bsn\.borderware\.com\/)$?))$?)|(^?(mail-abuse\.com\/)$?))$?)|(^?(b\.barracudacentral\.com\/)$?))$?)|(^?(psbl\.surriel\.com\/)$?))$?)|(^?(antispam\.imp\.ch\/)$?))$?)|(^?(dyndns\.com\/.*spam)$?))$?)|(^?(rbl\.knology\.net\/)$?))$?)|(^?(intercept\.datapacket\.net\/)$?))$?)|(^?(uceprotect\.net\/)$?))$?)|(^?(hostkarma\.junkemailfilter\.com\/)$?))$?/
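Review bot: SMTP::blocklist_error_messages has no description in either the summary table or the detailed interface, although the module description ("Watch for various SPAM blocklist URLs in SMTP error messages") depends entirely on it, and the generated pattern default is too long to read as documentation. Suggest a one-line `##` comment in the source saying that it is the pattern of block list URLs matched against SMTP server error replies and that it is meant to be extended via `&redef`.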


@ -0,0 +1,53 @@
:tocdepth: 3
policy/protocols/smtp/detect-suspicious-orig.zeek
=================================================
.. zeek:namespace:: SMTP
:Namespace: SMTP
:Imports: :doc:`base/frameworks/notice/main.zeek </scripts/base/frameworks/notice/main.zeek>`, :doc:`base/protocols/smtp/main.zeek </scripts/base/protocols/smtp/main.zeek>`
Summary
~~~~~~~
Runtime Options
###############
======================================================================================= ===================================================================
:zeek:id:`SMTP::suspicious_origination_countries`: :zeek:type:`set` :zeek:attr:`&redef` Places where it's suspicious for mail to originate from represented
as all-capital, two character country codes (e.g., US).
:zeek:id:`SMTP::suspicious_origination_networks`: :zeek:type:`set` :zeek:attr:`&redef`
======================================================================================= ===================================================================
Redefinitions
#############
============================================ ===========================================
:zeek:type:`Notice::Type`: :zeek:type:`enum`
* :zeek:enum:`SMTP::Suspicious_Origination`
============================================ ===========================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: SMTP::suspicious_origination_countries
:source-code: policy/protocols/smtp/detect-suspicious-orig.zeek 14 14
:Type: :zeek:type:`set` [:zeek:type:`string`]
:Attributes: :zeek:attr:`&redef`
:Default: ``{}``
Places where it's suspicious for mail to originate from represented
as all-capital, two character country codes (e.g., US). It requires
Zeek to be built with GeoIP support.
.. zeek:id:: SMTP::suspicious_origination_networks
:source-code: policy/protocols/smtp/detect-suspicious-orig.zeek 15 15
:Type: :zeek:type:`set` [:zeek:type:`subnet`]
:Attributes: :zeek:attr:`&redef`
:Default: ``{}``
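Review bot: this file has no module description (every other file in the commit has a sentence after `.. zeek:namespace::`), and SMTP::suspicious_origination_networks has no description at all, unlike its sibling option; suggest a `##` comment in the source stating that it is the set of subnets from which mail origination is considered suspicious, plus a file-level comment describing when the SMTP::Suspicious_Origination notice fires. The GeoIP build requirement mentioned only in the detailed text for SMTP::suspicious_origination_countries also belongs in that module description, since it is a prerequisite for the whole script.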


@ -0,0 +1,49 @@
:tocdepth: 3
policy/protocols/smtp/entities-excerpt.zeek
===========================================
.. zeek:namespace:: SMTP
This script is for optionally adding a body excerpt to the SMTP
entities log.
:Namespace: SMTP
:Imports: :doc:`base/protocols/smtp/entities.zeek </scripts/base/protocols/smtp/entities.zeek>`
Summary
~~~~~~~
Runtime Options
###############
=================================================================================== ===================================================================
:zeek:id:`SMTP::default_entity_excerpt_len`: :zeek:type:`count` :zeek:attr:`&redef` This is the default value for how much of the entity body should be
included for all MIME entities.
=================================================================================== ===================================================================
Redefinitions
#############
============================================== ======================================================================================================
:zeek:type:`SMTP::Entity`: :zeek:type:`record`
:New Fields: :zeek:type:`SMTP::Entity`
excerpt: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&default` = ``""`` :zeek:attr:`&optional`
The entity body excerpt.
============================================== ======================================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: SMTP::default_entity_excerpt_len
:source-code: policy/protocols/smtp/entities-excerpt.zeek 17 17
:Type: :zeek:type:`count`
:Attributes: :zeek:attr:`&redef`
:Default: ``0``
This is the default value for how much of the entity body should be
included for all MIME entities. The lesser of this value and
:zeek:see:`default_file_bof_buffer_size` will be used.
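Review bot: with a default of 0 and the stated rule that the lesser of this value and default_file_bof_buffer_size is used, SMTP::default_entity_excerpt_len produces an empty excerpt until a user redefs it, so loading this script as-is only adds an always-empty `excerpt` column to the entities log. The doc should say that explicitly, e.g. "Defaults to 0, which disables the excerpt; redef to a positive byte count to enable it".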


@ -0,0 +1,86 @@
:tocdepth: 3
policy/protocols/smtp/software.zeek
===================================
.. zeek:namespace:: SMTP
This script feeds software detected through email into the software
framework. Mail clients and webmail interfaces are the only thing
currently detected.
TODO:
* Find some heuristic to determine if email was sent through
a MS Exchange webmail interface as opposed to a desktop client.
:Namespace: SMTP
:Imports: :doc:`base/frameworks/software/main.zeek </scripts/base/frameworks/software/main.zeek>`, :doc:`base/protocols/smtp/main.zeek </scripts/base/protocols/smtp/main.zeek>`
Summary
~~~~~~~
Runtime Options
###############
======================================================================================= ===================================================================
:zeek:id:`SMTP::detect_clients_in_messages_from`: :zeek:type:`Host` :zeek:attr:`&redef` Assuming that local mail servers are more trustworthy with the
headers they insert into message envelopes, this default makes Zeek
not attempt to detect software in inbound message bodies.
:zeek:id:`SMTP::webmail_user_agents`: :zeek:type:`pattern` :zeek:attr:`&redef` A regular expression to match USER-AGENT-like headers to find if a
message was sent with a webmail interface.
======================================================================================= ===================================================================
Redefinitions
#############
============================================== ======================================================================================================
:zeek:type:`SMTP::Info`: :zeek:type:`record`
:New Fields: :zeek:type:`SMTP::Info`
is_webmail: :zeek:type:`bool` :zeek:attr:`&log` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
Boolean indicator of if the message was sent through a
webmail interface.
:zeek:type:`Software::Type`: :zeek:type:`enum`
* :zeek:enum:`SMTP::MAIL_CLIENT`
* :zeek:enum:`SMTP::MAIL_SERVER`
* :zeek:enum:`SMTP::WEBMAIL_SERVER`
============================================== ======================================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: SMTP::detect_clients_in_messages_from
:source-code: policy/protocols/smtp/software.zeek 36 36
:Type: :zeek:type:`Host`
:Attributes: :zeek:attr:`&redef`
:Default: ``LOCAL_HOSTS``
Assuming that local mail servers are more trustworthy with the
headers they insert into message envelopes, this default makes Zeek
not attempt to detect software in inbound message bodies. If mail
coming in from external addresses gives incorrect data in
the Received headers, it could populate your SOFTWARE logging stream
with incorrect data. If you would like to detect mail clients for
incoming messages (network traffic originating from a non-local
address), set this variable to EXTERNAL_HOSTS or ALL_HOSTS.
.. zeek:id:: SMTP::webmail_user_agents
:source-code: policy/protocols/smtp/software.zeek 40 40
:Type: :zeek:type:`pattern`
:Attributes: :zeek:attr:`&redef`
:Default:
::
/^?((^?((^?((^?((^?((^?(^iPlanet Messenger)$?)|(^?(^Sun Java\(tm\) System Messenger Express)$?))$?)|(^?(\(IMP\))$?))$?)|(^?(^SquirrelMail)$?))$?)|(^?(^NeoMail)$?))$?)|(^?(ZimbraWebClient)$?))$?/
A regular expression to match USER-AGENT-like headers to find if a
message was sent with a webmail interface.
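Review bot: the module description says "Mail clients and webmail interfaces are the only thing currently detected", yet the Software::Type redefinition in the same hunk adds SMTP::MAIL_SERVER alongside MAIL_CLIENT and WEBMAIL_SERVER; either the description is stale or the enum value is unused, and the doc should state which. Separately, "your SOFTWARE logging stream" in the detect_clients_in_messages_from text should name the actual log (software.log), matching how the other files in this commit refer to conn.log, ssl.log and smb_cmd.log.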


@ -0,0 +1,82 @@
:tocdepth: 3
policy/protocols/ssh/detect-bruteforcing.zeek
=============================================
.. zeek:namespace:: SSH
Detect hosts which are doing password guessing attacks and/or password
bruteforcing over SSH.
:Namespace: SSH
:Imports: :doc:`base/frameworks/intel </scripts/base/frameworks/intel/index>`, :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/frameworks/sumstats </scripts/base/frameworks/sumstats/index>`, :doc:`base/protocols/ssh </scripts/base/protocols/ssh/index>`
Summary
~~~~~~~
Redefinable Options
###################
=============================================================================== =====================================================================
:zeek:id:`SSH::guessing_timeout`: :zeek:type:`interval` :zeek:attr:`&redef` The amount of time to remember presumed non-successful logins to
build a model of a password guesser.
:zeek:id:`SSH::ignore_guessers`: :zeek:type:`table` :zeek:attr:`&redef` This value can be used to exclude hosts or entire networks from being
tracked as potential "guessers".
:zeek:id:`SSH::password_guesses_limit`: :zeek:type:`double` :zeek:attr:`&redef` The number of failed SSH connections before a host is designated as
guessing passwords.
=============================================================================== =====================================================================
Redefinitions
#############
============================================ ============================================================
:zeek:type:`Intel::Where`: :zeek:type:`enum`
* :zeek:enum:`SSH::SUCCESSFUL_LOGIN`:
An indicator of the login for the intel framework.
:zeek:type:`Notice::Type`: :zeek:type:`enum`
* :zeek:enum:`SSH::Login_By_Password_Guesser`:
Indicates that a host previously identified as a "password
guesser" has now had a successful login
attempt.
* :zeek:enum:`SSH::Password_Guessing`:
Indicates that a host has been identified as crossing the
:zeek:id:`SSH::password_guesses_limit` threshold with
failed logins.
============================================ ============================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Redefinable Options
###################
.. zeek:id:: SSH::guessing_timeout
:source-code: policy/protocols/ssh/detect-bruteforcing.zeek 34 34
:Type: :zeek:type:`interval`
:Attributes: :zeek:attr:`&redef`
:Default: ``30.0 mins``
The amount of time to remember presumed non-successful logins to
build a model of a password guesser.
.. zeek:id:: SSH::ignore_guessers
:source-code: policy/protocols/ssh/detect-bruteforcing.zeek 39 39
:Type: :zeek:type:`table` [:zeek:type:`subnet`] of :zeek:type:`subnet`
:Attributes: :zeek:attr:`&redef`
:Default: ``{}``
This value can be used to exclude hosts or entire networks from being
tracked as potential "guessers". The index represents
client subnets and the yield value represents server subnets.
.. zeek:id:: SSH::password_guesses_limit
:source-code: policy/protocols/ssh/detect-bruteforcing.zeek 30 30
:Type: :zeek:type:`double`
:Attributes: :zeek:attr:`&redef`
:Default: ``30.0``
The number of failed SSH connections before a host is designated as
guessing passwords.
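Review bot: SSH::password_guesses_limit is described as "The number of failed SSH connections" but is typed double with a default of 30.0, which is surprising for a count of connections; a short clarifying sentence that the threshold is a double value (the script imports the sumstats framework, whose thresholds are doubles) would prevent readers from expecting a count. The SSH::ignore_guessers entry could likewise show a one-line example of the index/yield pairing it describes (client subnet mapped to server subnet), since the table-of-subnet-to-subnet shape is unusual among these options.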


@ -0,0 +1,61 @@
:tocdepth: 3
policy/protocols/ssh/geo-data.zeek
==================================
.. zeek:namespace:: SSH
Geodata based detections for SSH analysis.
:Namespace: SSH
:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/protocols/ssh </scripts/base/protocols/ssh/index>`
Summary
~~~~~~~
Runtime Options
###############
======================================================================= ==================================================================
:zeek:id:`SSH::watched_countries`: :zeek:type:`set` :zeek:attr:`&redef` The set of countries for which you'd like to generate notices upon
successful login.
======================================================================= ==================================================================
Redefinitions
#############
============================================ =====================================================================================
:zeek:type:`Notice::Type`: :zeek:type:`enum`
* :zeek:enum:`SSH::Watched_Country_Login`:
If an SSH login is seen to or from a "watched" country based
on the :zeek:id:`SSH::watched_countries` variable then this
notice will be generated.
:zeek:type:`SSH::Info`: :zeek:type:`record`
:New Fields: :zeek:type:`SSH::Info`
remote_location: :zeek:type:`geo_location` :zeek:attr:`&log` :zeek:attr:`&optional`
Add geographic data related to the "remote" host of the
connection.
============================================ =====================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: SSH::watched_countries
:source-code: policy/protocols/ssh/geo-data.zeek 24 24
:Type: :zeek:type:`set` [:zeek:type:`string`]
:Attributes: :zeek:attr:`&redef`
:Default:
::
{
"RO"
}
The set of countries for which you'd like to generate notices upon
successful login.
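Review bot: SSH::watched_countries defaults to one specific country, {"RO"}, and the description ("The set of countries for which you'd like to generate notices upon successful login") neither explains nor justifies that choice, so a site loading this policy script unmodified will get SSH::Watched_Country_Login notices for a single arbitrary country. Suggest an empty default with the doc telling users to redef the set, or at least a sentence explaining why "RO" is the shipped default.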


@ -0,0 +1,54 @@
:tocdepth: 3
policy/protocols/ssh/interesting-hostnames.zeek
===============================================
.. zeek:namespace:: SSH
This script will generate a notice if an apparent SSH login originates
or heads to a host with a reverse hostname that looks suspicious. By
default, the regular expression to match "interesting" hostnames includes
names that are typically used for infrastructure hosts like nameservers,
mail servers, web servers and ftp servers.
:Namespace: SSH
:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`
Summary
~~~~~~~
Runtime Options
###############
=============================================================================== ===============================================================
:zeek:id:`SSH::interesting_hostnames`: :zeek:type:`pattern` :zeek:attr:`&redef` Strange/bad host names to see successful SSH logins from or to.
=============================================================================== ===============================================================
Redefinitions
#############
============================================ ===============================================================
:zeek:type:`Notice::Type`: :zeek:type:`enum`
* :zeek:enum:`SSH::Interesting_Hostname_Login`:
Generated if a login originates or responds with a host where
the reverse hostname lookup resolves to a name matched by the
:zeek:id:`SSH::interesting_hostnames` regular expression.
============================================ ===============================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: SSH::interesting_hostnames
:source-code: policy/protocols/ssh/interesting-hostnames.zeek 20 20
:Type: :zeek:type:`pattern`
:Attributes: :zeek:attr:`&redef`
:Default:
::
/^?((^?((^?((^?((^?((^?((^?(^d?ns[0-9]*\.)$?)|(^?(^smtp[0-9]*\.)$?))$?)|(^?(^mail[0-9]*\.)$?))$?)|(^?(^pop[0-9]*\.)$?))$?)|(^?(^imap[0-9]*\.)$?))$?)|(^?(^www[0-9]*\.)$?))$?)|(^?(^ftp[0-9]*\.)$?))$?/
Strange/bad host names to see successful SSH logins from or to.


@ -0,0 +1,30 @@
:tocdepth: 3
policy/protocols/ssh/software.zeek
==================================
.. zeek:namespace:: SSH
Extracts SSH client and server information from SSH
connections and forwards it to the software framework.
:Namespace: SSH
:Imports: :doc:`base/frameworks/software </scripts/base/frameworks/software/index>`
Summary
~~~~~~~
Redefinitions
#############
============================================== =======================================================
:zeek:type:`Software::Type`: :zeek:type:`enum`
* :zeek:enum:`SSH::CLIENT`:
Identifier for SSH servers in the software framework.
* :zeek:enum:`SSH::SERVER`:
Identifier for SSH clients in the software framework.
============================================== =======================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
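Review bot: the descriptions of the two Software::Type values are swapped: SSH::CLIENT reads "Identifier for SSH servers in the software framework." and SSH::SERVER reads "Identifier for SSH clients in the software framework." Since this page is generated, the fix is to swap the two `##` comments above SERVER and CLIENT in policy/protocols/ssh/software.zeek and regenerate the docs.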


@ -0,0 +1,29 @@
:tocdepth: 3
policy/protocols/ssl/certificate-request-info.zeek
==================================================
.. zeek:namespace:: SSL
When the server requests a client certificate, it optionally may specify a list of CAs that
it accepts. If the server does this, this script adds this list to ssl.log.
:Namespace: SSL
:Imports: :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`
Summary
~~~~~~~
Redefinitions
#############
=========================================== ===============================================================================================================================
:zeek:type:`SSL::Info`: :zeek:type:`record`
:New Fields: :zeek:type:`SSL::Info`
requested_client_certificate_authorities: :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
List of client certificate CAs accepted by the server
=========================================== ===============================================================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~


@ -0,0 +1,98 @@
:tocdepth: 3
policy/protocols/ssl/decryption.zeek
====================================
.. zeek:namespace:: SSL
This script allows for the decryption of certain TLS 1.2 connections, if the user is in possession
of the private key material for the session. Key material can either be provided via a file (useful
for processing trace files) or via sending events via Broker (for live decoding).
Please note that this feature is experimental and can change without guarantees to our typical
deprecation timeline. Please also note that currently only TLS 1.2 connections that use the
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher suite are supported.
:Namespace: SSL
:Imports: :doc:`base/frameworks/input </scripts/base/frameworks/input/index>`, :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/protocols/conn </scripts/base/protocols/conn/index>`, :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`
Summary
~~~~~~~
Redefinable Options
###################
============================================================================ =====================================================================================================
:zeek:id:`SSL::keylog_file`: :zeek:type:`string` :zeek:attr:`&redef` This can be set to a file that contains the session secrets for decryption, when parsing a pcap file.
:zeek:id:`SSL::secret_expiration`: :zeek:type:`interval` :zeek:attr:`&redef` Secrets expire after this time of not being used.
============================================================================ =====================================================================================================
Redefinitions
#############
======================================================================================= ===========================================================
:zeek:type:`SSL::Info`: :zeek:type:`record`
:New Fields: :zeek:type:`SSL::Info`
client_random: :zeek:type:`string` :zeek:attr:`&optional`
:zeek:id:`SSL::disable_analyzer_after_detection`: :zeek:type:`bool` :zeek:attr:`&redef`
======================================================================================= ===========================================================
Events
######
============================================== ==============================================================================================
:zeek:id:`SSL::add_keys`: :zeek:type:`event` This event can be triggered, e.g., via Broker to add known keys to the TLS key database.
:zeek:id:`SSL::add_secret`: :zeek:type:`event` This event can be triggered, e.g., via Broker to add known secrets to the TLS secret database.
============================================== ==============================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Redefinable Options
###################
.. zeek:id:: SSL::keylog_file
:source-code: policy/protocols/ssl/decryption.zeek 24 24
:Type: :zeek:type:`string`
:Attributes: :zeek:attr:`&redef`
:Default: ``""``
This can be set to a file that contains the session secrets for decryption, when parsing a pcap file.
Please note that, when using this feature, you probably want to pause processing of data till this
file has been read.
.. zeek:id:: SSL::secret_expiration
:source-code: policy/protocols/ssl/decryption.zeek 27 27
:Type: :zeek:type:`interval`
:Attributes: :zeek:attr:`&redef`
:Default: ``5.0 mins``
Secrets expire after this time of not being used.
Events
######
.. zeek:id:: SSL::add_keys
:source-code: policy/protocols/ssl/decryption.zeek 82 85
:Type: :zeek:type:`event` (client_random: :zeek:type:`string`, keys: :zeek:type:`string`)
This event can be triggered, e.g., via Broker to add known keys to the TLS key database.
:param client_random: client random for which the key is set
:param keys: key material
.. zeek:id:: SSL::add_secret
:source-code: policy/protocols/ssl/decryption.zeek 87 90
:Type: :zeek:type:`event` (client_random: :zeek:type:`string`, secrets: :zeek:type:`string`)
This event can be triggered, e.g., via Broker to add known secrets to the TLS secret database.
:param client_random: client random for which the secret is set
:param secrets: derived TLS secrets material
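Review bot: the SSL::keylog_file doc says "you probably want to pause processing of data till this file has been read" but gives no mechanism; since the script imports the input framework, it should say how that is done, or whether the script handles it itself. The SSL::add_keys and SSL::add_secret events also document their parameters only as "key material" and "derived TLS secrets material" without stating the expected encoding of `keys`, `secrets` or `client_random` (raw bytes vs. hex), which anyone feeding them over Broker needs to know, and the restriction to TLS 1.2 with TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 from the module description should be repeated or referenced there.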


@ -0,0 +1,71 @@
:tocdepth: 3
policy/protocols/ssl/expiring-certs.zeek
========================================
.. zeek:namespace:: SSL
Generate notices when X.509 certificates over SSL/TLS are expired or
going to expire soon based on the date and time values stored within the
certificate.
:Namespace: SSL
:Imports: :doc:`base/files/x509 </scripts/base/files/x509/index>`, :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`, :doc:`base/utils/directions-and-hosts.zeek </scripts/base/utils/directions-and-hosts.zeek>`
Summary
~~~~~~~
Runtime Options
###############
======================================================================================= ======================================================================
:zeek:id:`SSL::notify_certs_expiration`: :zeek:type:`Host` :zeek:attr:`&redef` The category of hosts you would like to be notified about which have
certificates that are going to be expiring soon.
:zeek:id:`SSL::notify_when_cert_expiring_in`: :zeek:type:`interval` :zeek:attr:`&redef` The time before a certificate is going to expire that you would like
to start receiving :zeek:enum:`SSL::Certificate_Expires_Soon` notices.
======================================================================================= ======================================================================
Redefinitions
#############
============================================ ==============================================================
:zeek:type:`Notice::Type`: :zeek:type:`enum`
* :zeek:enum:`SSL::Certificate_Expired`:
Indicates that a certificate's NotValidAfter date has lapsed
and the certificate is now invalid.
* :zeek:enum:`SSL::Certificate_Expires_Soon`:
Indicates that a certificate is going to expire within
:zeek:id:`SSL::notify_when_cert_expiring_in`.
* :zeek:enum:`SSL::Certificate_Not_Valid_Yet`:
Indicates that a certificate's NotValidBefore date is future
dated.
============================================ ==============================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: SSL::notify_certs_expiration
:source-code: policy/protocols/ssl/expiring-certs.zeek 30 30
:Type: :zeek:type:`Host`
:Attributes: :zeek:attr:`&redef`
:Default: ``LOCAL_HOSTS``
The category of hosts you would like to be notified about which have
certificates that are going to be expiring soon. By default, these
notices will be suppressed by the notice framework for 1 day after
a particular certificate has had a notice generated.
Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS
.. zeek:id:: SSL::notify_when_cert_expiring_in
:source-code: policy/protocols/ssl/expiring-certs.zeek 34 34
:Type: :zeek:type:`interval`
:Attributes: :zeek:attr:`&redef`
:Default: ``30.0 days``
The time before a certificate is going to expire that you would like
to start receiving :zeek:enum:`SSL::Certificate_Expires_Soon` notices.


@ -0,0 +1,53 @@
:tocdepth: 3
policy/protocols/ssl/heartbleed.zeek
====================================
.. zeek:namespace:: Heartbleed
Detect the TLS heartbleed attack. See http://heartbleed.com for more.
:Namespace: Heartbleed
:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`
Summary
~~~~~~~
Redefinitions
#############
======================================================================================= ================================================================================================
:zeek:type:`Notice::Type`: :zeek:type:`enum`
* :zeek:enum:`Heartbleed::SSL_Heartbeat_Attack`:
Indicates that a host performed a heartbleed attack or scan.
* :zeek:enum:`Heartbleed::SSL_Heartbeat_Attack_Success`:
Indicates that a host performing a heartbleed attack was probably successful.
* :zeek:enum:`Heartbleed::SSL_Heartbeat_Many_Requests`:
Indicates we saw many heartbeat requests without a reply.
* :zeek:enum:`Heartbleed::SSL_Heartbeat_Odd_Length`:
Indicates we saw heartbeat requests with odd length.
:zeek:type:`SSL::Info`: :zeek:type:`record`
:New Fields: :zeek:type:`SSL::Info`
last_originator_heartbeat_request_size: :zeek:type:`count` :zeek:attr:`&optional`
last_responder_heartbeat_request_size: :zeek:type:`count` :zeek:attr:`&optional`
originator_heartbeats: :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
responder_heartbeats: :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
heartbleed_detected: :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
enc_appdata_packages: :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
enc_appdata_bytes: :zeek:type:`count` :zeek:attr:`&default` = ``0`` :zeek:attr:`&optional`
:zeek:id:`SSL::disable_analyzer_after_detection`: :zeek:type:`bool` :zeek:attr:`&redef`
======================================================================================= ================================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
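Review bot: the enum docstrings for Heartbleed::SSL_Heartbeat_Odd_Length and Heartbleed::SSL_Heartbeat_Attack_Success are ambiguous: "heartbeat requests with odd length" does not say whether "odd" means a length that disagrees with the declared payload (the heartbleed condition itself) or merely an unusual size, and "probably successful" does not say what observation the script treats as evidence of success. Both lines come from the comments in policy/protocols/ssl/heartbleed.zeek and should be tightened there. The Redefinitions table also lists SSL::disable_analyzer_after_detection as redefined without the new value, and the Detailed Interface section is empty, so the new SSL::Info fields (last_originator_heartbeat_request_size, heartbleed_detected, enc_appdata_bytes and the rest) carry no per-field description anywhere on the page.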

@ -0,0 +1,244 @@
:tocdepth: 3
policy/protocols/ssl/known-certs.zeek
=====================================
.. zeek:namespace:: Known
Log information about certificates while attempting to avoid duplicate
logging.
:Namespace: Known
:Imports: :doc:`base/files/x509 </scripts/base/files/x509/index>`, :doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`, :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`, :doc:`base/utils/directions-and-hosts.zeek </scripts/base/utils/directions-and-hosts.zeek>`
Summary
~~~~~~~
Runtime Options
###############
=============================================================================== ====================================================================
:zeek:id:`Known::cert_store_expiry`: :zeek:type:`interval` :zeek:attr:`&redef` The expiry interval of new entries in :zeek:see:`Known::cert_store`.
:zeek:id:`Known::cert_store_timeout`: :zeek:type:`interval` :zeek:attr:`&redef` The timeout interval to use for operations against
:zeek:see:`Known::cert_store`.
:zeek:id:`Known::cert_tracking`: :zeek:type:`Host` :zeek:attr:`&redef` The certificates whose existence should be logged and tracked.
=============================================================================== ====================================================================
Redefinable Options
###################
========================================================================== ===============================================================
:zeek:id:`Known::cert_store_name`: :zeek:type:`string` :zeek:attr:`&redef` The Broker topic name to use for :zeek:see:`Known::cert_store`.
:zeek:id:`Known::use_cert_store`: :zeek:type:`bool` :zeek:attr:`&redef` Toggles between different implementations of this script.
========================================================================== ===============================================================
State Variables
###############
======================================================================================================= ===================================================================
:zeek:id:`Known::cert_store`: :zeek:type:`Cluster::StoreInfo` Holds the set of all known certificates.
:zeek:id:`Known::certs`: :zeek:type:`set` :zeek:attr:`&create_expire` = ``1.0 day`` :zeek:attr:`&redef` The set of all known certificates to store for preventing duplicate
logging.
======================================================================================================= ===================================================================
Types
#####
========================================================= =
:zeek:type:`Known::AddrCertHashPair`: :zeek:type:`record`
:zeek:type:`Known::CertsInfo`: :zeek:type:`record`
========================================================= =
Redefinitions
#############
======================================= ===============================
:zeek:type:`Log::ID`: :zeek:type:`enum`
* :zeek:enum:`Known::CERTS_LOG`
======================================= ===============================
Events
######
===================================================== =====================================================================
:zeek:id:`Known::log_known_certs`: :zeek:type:`event` Event that can be handled to access the loggable record as it is sent
on to the logging framework.
===================================================== =====================================================================
Hooks
#####
================================================================ =
:zeek:id:`Known::log_policy_certs`: :zeek:type:`Log::PolicyHook`
================================================================ =
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: Known::cert_store_expiry
:source-code: policy/protocols/ssl/known-certs.zeek 57 57
:Type: :zeek:type:`interval`
:Attributes: :zeek:attr:`&redef`
:Default: ``1.0 day``
The expiry interval of new entries in :zeek:see:`Known::cert_store`.
This also changes the interval at which certs get logged.
.. zeek:id:: Known::cert_store_timeout
:source-code: policy/protocols/ssl/known-certs.zeek 61 61
:Type: :zeek:type:`interval`
:Attributes: :zeek:attr:`&redef`
:Default: ``15.0 secs``
The timeout interval to use for operations against
:zeek:see:`Known::cert_store`.
.. zeek:id:: Known::cert_tracking
:source-code: policy/protocols/ssl/known-certs.zeek 34 34
:Type: :zeek:type:`Host`
:Attributes: :zeek:attr:`&redef`
:Default: ``LOCAL_HOSTS``
:Redefinition: from :doc:`/scripts/policy/tuning/track-all-assets.zeek`
``=``::
ALL_HOSTS
The certificates whose existence should be logged and tracked.
Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS.
Redefinable Options
###################
.. zeek:id:: Known::cert_store_name
:source-code: policy/protocols/ssl/known-certs.zeek 53 53
:Type: :zeek:type:`string`
:Attributes: :zeek:attr:`&redef`
:Default: ``"zeek/known/certs"``
The Broker topic name to use for :zeek:see:`Known::cert_store`.
.. zeek:id:: Known::use_cert_store
:source-code: policy/protocols/ssl/known-certs.zeek 40 40
:Type: :zeek:type:`bool`
:Attributes: :zeek:attr:`&redef`
:Default: ``F``
Toggles between different implementations of this script.
When true, use a Broker data store, else use a regular Zeek set
with keys uniformly distributed over proxy nodes in cluster
operation.
State Variables
###############
.. zeek:id:: Known::cert_store
:source-code: policy/protocols/ssl/known-certs.zeek 50 50
:Type: :zeek:type:`Cluster::StoreInfo`
:Default:
::
{
name=<uninitialized>
store=<uninitialized>
master_node=""
master=F
backend=Broker::MEMORY
options=[sqlite=[path="", synchronous=<uninitialized>, journal_mode=<uninitialized>, failure_mode=Broker::SQLITE_FAILURE_MODE_FAIL, integrity_check=F]]
clone_resync_interval=10.0 secs
clone_stale_interval=5.0 mins
clone_mutation_buffer_interval=2.0 mins
}
Holds the set of all known certificates. Keys in the store are of
type :zeek:type:`Known::AddrCertHashPair` and their associated value is
always the boolean value of "true".
.. zeek:id:: Known::certs
:source-code: policy/protocols/ssl/known-certs.zeek 70 70
:Type: :zeek:type:`set` [:zeek:type:`addr`, :zeek:type:`string`]
:Attributes: :zeek:attr:`&create_expire` = ``1.0 day`` :zeek:attr:`&redef`
:Default: ``{}``
The set of all known certificates to store for preventing duplicate
logging. It can also be used from other scripts to
inspect if a certificate has been seen in use. The string value
in the set is for storing the DER formatted certificate' SHA1 hash.
In cluster operation, this set is uniformly distributed across
proxy nodes.
Types
#####
.. zeek:type:: Known::AddrCertHashPair
:source-code: policy/protocols/ssl/known-certs.zeek 42 45
:Type: :zeek:type:`record`
.. zeek:field:: host :zeek:type:`addr`
.. zeek:field:: hash :zeek:type:`string`
.. zeek:type:: Known::CertsInfo
:source-code: policy/protocols/ssl/known-certs.zeek 16 30
:Type: :zeek:type:`record`
.. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
The timestamp when the certificate was detected.
.. zeek:field:: host :zeek:type:`addr` :zeek:attr:`&log`
The address that offered the certificate.
.. zeek:field:: port_num :zeek:type:`port` :zeek:attr:`&log` :zeek:attr:`&optional`
If the certificate was handed out by a server, this is the
port that the server was listening on.
.. zeek:field:: subject :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Certificate subject.
.. zeek:field:: issuer_subject :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Certificate issuer subject.
.. zeek:field:: serial :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Serial number for the certificate.
Events
######
.. zeek:id:: Known::log_known_certs
:source-code: policy/protocols/ssl/known-certs.zeek 74 74
:Type: :zeek:type:`event` (rec: :zeek:type:`Known::CertsInfo`)
Event that can be handled to access the loggable record as it is sent
on to the logging framework.
Hooks
#####
.. zeek:id:: Known::log_policy_certs
:source-code: policy/protocols/ssl/known-certs.zeek 14 14
:Type: :zeek:type:`Log::PolicyHook`
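Review bot: under Known::certs, "the DER formatted certificate' SHA1 hash" has a misplaced apostrophe (certificate's), and the docstring should state the encoding of the stored hash (for example whether it is the hex string form) so that the "other scripts" it invites to inspect the set build their lookup key the same way. The two expiry mechanisms are also documented in isolation: Known::cert_store_expiry says "This also changes the interval at which certs get logged", while Known::certs carries its own ``&create_expire = 1.0 day``. The text should say that cert_store_expiry governs logging only when Known::use_cert_store is ``T`` and the set's &create_expire governs it otherwise, so an operator tuning one does not expect it to affect the other. Minor: the rendered :Default: block for Known::cert_store dumps the internal Cluster::StoreInfo with ``<uninitialized>`` members, which is noise to a reader and suggests the doc generator should skip defaults for that type.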

@ -0,0 +1,29 @@
:tocdepth: 3
policy/protocols/ssl/log-certs-base64.zeek
==========================================
This script is used to extract certificates seen on the wire to Zeek log files.
The certificates are base64-encoded and written to ssl.log, to the newly added cert
field.
:Imports: :doc:`base/files/x509 </scripts/base/files/x509/index>`, :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`
Summary
~~~~~~~
Redefinitions
#############
======================================================================================= ==========================================================================
:zeek:type:`X509::Info`: :zeek:type:`record`
:New Fields: :zeek:type:`X509::Info`
cert: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Base64 encoded X.509 certificate.
:zeek:id:`X509::default_max_field_string_bytes`: :zeek:type:`count` :zeek:attr:`&redef` Certificates can be large and we don't want to risk truncating the output.
======================================================================================= ==========================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
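Review bot: the description says the base64 certificates are "written to ssl.log, to the newly added cert field", but the Redefinitions table shows the field being added to X509::Info, which feeds x509.log, not ssl.log; one of the two is wrong, and since the description is lifted from the script header, policy/protocols/ssl/log-certs-base64.zeek should be corrected to match the record actually extended. The X509::default_max_field_string_bytes redef is listed with its rationale ("we don't want to risk truncating the output") but without the new value, and the Detailed Interface is empty, so a reader cannot tell from this page how large a certificate the log will hold intact without opening the source.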

@ -0,0 +1,18 @@
:tocdepth: 3
policy/protocols/ssl/log-hostcerts-only.zeek
============================================
.. zeek:namespace:: X509
When this script is loaded, only the host certificates (client and server)
will be logged to x509.log. Logging of all other certificates will be suppressed.
:Namespace: X509
:Imports: :doc:`base/files/x509 </scripts/base/files/x509/index>`, :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

@ -0,0 +1,85 @@
:tocdepth: 3
policy/protocols/ssl/ssl-log-ext.zeek
=====================================
.. zeek:namespace:: SSL
This file adds a lot of additional information to the SSL log
It is not loaded by default since the information significantly expands
the log and is probably not interesting for a majority of people.
:Namespace: SSL
:Imports: :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`
Summary
~~~~~~~
Redefinitions
#############
=========================================== ===============================================================================================================
:zeek:type:`SSL::Info`: :zeek:type:`record`
:New Fields: :zeek:type:`SSL::Info`
server_version: :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
Numeric version of the server in the server hello
client_version: :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
Numeric version of the client in the client hello
client_ciphers: :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
Ciphers that were offered by the client for the connection
ssl_client_exts: :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
SSL Client extensions
ssl_server_exts: :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
SSL server extensions
ticket_lifetime_hint: :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
Suggested ticket lifetime sent in the session ticket handshake
by the server.
dh_param_size: :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
The diffie helman parameter size, when using DH.
point_formats: :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
supported elliptic curve point formats
client_curves: :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
The curves supported by the client.
orig_alpn: :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Application layer protocol negotiation extension sent by the client.
client_supported_versions: :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
TLS 1.3 supported versions
server_supported_version: :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
TLS 1.3 supported versions
psk_key_exchange_modes: :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
TLS 1.3 Pre-shared key exchange modes
client_key_share_groups: :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
Key share groups from client hello
server_key_share_group: :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
Selected key share group from server hello
client_comp_methods: :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
Client supported compression methods
comp_method: :zeek:type:`count` :zeek:attr:`&optional`
Server chosen compression method
sigalgs: :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
Client supported signature algorithms
hashalgs: :zeek:type:`vector` of :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
Client supported hash algorithms
=========================================== ===============================================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
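Review bot: several docstrings in the SSL::Info redefinition need fixing at the source (policy/protocols/ssl/ssl-log-ext.zeek): the opening sentence "This file adds a lot of additional information to the SSL log" is missing its period; "The diffie helman parameter size" should read "Diffie-Hellman"; server_supported_version is described as "TLS 1.3 supported versions", copied from client_supported_versions, although it is a single count, i.e. the version the server selected; and "supported elliptic curve point formats" should be capitalised like the other entries. comp_method is also the only new field without ``&log`` while client_comp_methods is logged; if leaving the server's chosen compression method out of ssl.log is intentional the docstring should say so, otherwise add ``&log``.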

@ -0,0 +1,127 @@
:tocdepth: 3
policy/protocols/ssl/validate-certs.zeek
========================================
.. zeek:namespace:: SSL
Perform full certificate chain validation for SSL certificates.
:Namespace: SSL
:Imports: :doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`, :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`
Summary
~~~~~~~
State Variables
###############
========================================================================================================================= ==================================================================
:zeek:id:`SSL::recently_validated_certs`: :zeek:type:`table` :zeek:attr:`&read_expire` = ``5.0 mins`` :zeek:attr:`&redef` Result values for recently validated chains along with the
validation status are kept in this table to avoid constant
validation every time the same certificate chain is seen.
:zeek:id:`SSL::ssl_cache_intermediate_ca`: :zeek:type:`bool` :zeek:attr:`&redef` Use intermediate CA certificate caching when trying to validate
certificates.
:zeek:id:`SSL::ssl_store_valid_chain`: :zeek:type:`bool` :zeek:attr:`&redef` Store the valid chain in c$ssl$valid_chain if validation succeeds.
========================================================================================================================= ==================================================================
Redefinitions
#############
============================================ ========================================================================================
:zeek:type:`Notice::Type`: :zeek:type:`enum`
* :zeek:enum:`SSL::Invalid_Server_Cert`:
This notice indicates that the result of validating the
certificate along with its full certificate chain was
invalid.
:zeek:type:`SSL::Info`: :zeek:type:`record`
:New Fields: :zeek:type:`SSL::Info`
validation_status: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Result of certificate validation for this connection.
validation_code: :zeek:type:`int` :zeek:attr:`&optional`
Result of certificate validation for this connection, given
as OpenSSL validation code.
valid_chain: :zeek:type:`vector` of :zeek:type:`opaque` of x509 :zeek:attr:`&optional`
Ordered chain of validated certificate, if validation succeeded.
============================================ ========================================================================================
Events
######
==================================================== ===============================================================
:zeek:id:`SSL::intermediate_add`: :zeek:type:`event` Event from a manager to workers when encountering a new, valid
intermediate.
:zeek:id:`SSL::new_intermediate`: :zeek:type:`event` Event from workers to the manager when a new intermediate chain
is to be added.
==================================================== ===============================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
State Variables
###############
.. zeek:id:: SSL::recently_validated_certs
:source-code: policy/protocols/ssl/validate-certs.zeek 33 33
:Type: :zeek:type:`table` [:zeek:type:`string`] of :zeek:type:`X509::Result`
:Attributes: :zeek:attr:`&read_expire` = ``5.0 mins`` :zeek:attr:`&redef`
:Default: ``{}``
Result values for recently validated chains along with the
validation status are kept in this table to avoid constant
validation every time the same certificate chain is seen.
.. zeek:id:: SSL::ssl_cache_intermediate_ca
:source-code: policy/protocols/ssl/validate-certs.zeek 46 46
:Type: :zeek:type:`bool`
:Attributes: :zeek:attr:`&redef`
:Default: ``T``
Use intermediate CA certificate caching when trying to validate
certificates. When this is enabled, Zeek keeps track of all valid
intermediate CA certificates that it has seen in the past. When
encountering a host certificate that cannot be validated because
of missing intermediate CA certificate, the cached list is used
to try to validate the cert. This is similar to how Firefox is
doing certificate validation.
Disabling this will usually greatly increase the number of validation warnings
that you encounter. Only disable if you want to find misconfigured servers.
.. zeek:id:: SSL::ssl_store_valid_chain
:source-code: policy/protocols/ssl/validate-certs.zeek 51 51
:Type: :zeek:type:`bool`
:Attributes: :zeek:attr:`&redef`
:Default: ``F``
:Redefinition: from :doc:`/scripts/policy/protocols/ssl/validate-sct.zeek`
``=``::
T
Store the valid chain in c$ssl$valid_chain if validation succeeds.
This has a potentially high memory impact, depending on the local environment
and is thus disabled by default.
Events
######
.. zeek:id:: SSL::intermediate_add
:source-code: policy/protocols/ssl/validate-certs.zeek 72 75
:Type: :zeek:type:`event` (key: :zeek:type:`string`, value: :zeek:type:`vector` of :zeek:type:`opaque` of x509)
Event from a manager to workers when encountering a new, valid
intermediate.
.. zeek:id:: SSL::new_intermediate
:source-code: policy/protocols/ssl/validate-certs.zeek 77 84
:Type: :zeek:type:`event` (key: :zeek:type:`string`, value: :zeek:type:`vector` of :zeek:type:`opaque` of x509)
Event from workers to the manager when a new intermediate chain
is to be added.
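Review bot: the docstring for SSL::ssl_store_valid_chain says the option "has a potentially high memory impact ... and is thus disabled by default", yet the same entry shows it redefined to ``T`` by policy/protocols/ssl/validate-sct.zeek; the text should warn that loading validate-sct.zeek turns chain storage on, so the memory caveat applies to anyone who enables SCT validation. Minor wording, both from the script comments: "Ordered chain of validated certificate" under valid_chain should be "certificates", and "because of missing intermediate CA certificate" under ssl_cache_intermediate_ca should be "because of a missing intermediate CA certificate".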

@ -0,0 +1,36 @@
:tocdepth: 3
policy/protocols/ssl/validate-ocsp.zeek
=======================================
.. zeek:namespace:: SSL
Perform validation of stapled OCSP responses.
:Namespace: SSL
:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`
Summary
~~~~~~~
Redefinitions
#############
============================================ ===========================================================================
:zeek:type:`Notice::Type`: :zeek:type:`enum`
* :zeek:enum:`SSL::Invalid_Ocsp_Response`:
This indicates that the OCSP response was not deemed
to be valid.
:zeek:type:`SSL::Info`: :zeek:type:`record`
:New Fields: :zeek:type:`SSL::Info`
ocsp_status: :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
Result of ocsp validation for this connection.
ocsp_response: :zeek:type:`string` :zeek:attr:`&optional`
ocsp response as string.
============================================ ===========================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
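Review bot: the two SSL::Info field docstrings write "ocsp" in lowercase ("Result of ocsp validation", "ocsp response as string") where the rest of the file writes OCSP; fix in the script comments. With the Detailed Interface empty, the page nowhere states under which conditions SSL::Invalid_Ocsp_Response fires beyond "not deemed to be valid"; the enum comment in policy/protocols/ssl/validate-ocsp.zeek should name the checks that are performed so an analyst can interpret the notice.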

@ -0,0 +1,129 @@
:tocdepth: 3
policy/protocols/ssl/validate-sct.zeek
======================================
.. zeek:namespace:: SSL
Perform validation of Signed Certificate Timestamps, as used
for Certificate Transparency. See RFC6962 for more details.
:Namespace: SSL
:Imports: :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`, :doc:`policy/protocols/ssl/validate-certs.zeek </scripts/policy/protocols/ssl/validate-certs.zeek>`
Summary
~~~~~~~
Types
#####
============================================== ================================================================
:zeek:type:`SSL::SctInfo`: :zeek:type:`record` This record is used to store information about the SCTs that are
encountered in a SSL connection.
:zeek:type:`SSL::SctSource`: :zeek:type:`enum` List of the different sources for Signed Certificate Timestamp
============================================== ================================================================
Redefinitions
#############
============================================================================ ===================================================================================================================
:zeek:type:`SSL::Info`: :zeek:type:`record`
:New Fields: :zeek:type:`SSL::Info`
valid_scts: :zeek:type:`count` :zeek:attr:`&optional`
Number of valid SCTs that were encountered in the connection.
invalid_scts: :zeek:type:`count` :zeek:attr:`&optional`
Number of SCTs that could not be validated that were encountered in the connection.
valid_ct_logs: :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
Number of different Logs for which valid SCTs were encountered in the connection.
valid_ct_operators: :zeek:type:`count` :zeek:attr:`&log` :zeek:attr:`&optional`
Number of different Log operators of which valid SCTs were encountered in the connection.
valid_ct_operators_list: :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&optional`
List of operators for which valid SCTs were encountered in the connection.
ct_proofs: :zeek:type:`vector` of :zeek:type:`SSL::SctInfo` :zeek:attr:`&default` = ``[]`` :zeek:attr:`&optional`
Information about all SCTs that were encountered in the connection.
:zeek:id:`SSL::ssl_store_valid_chain`: :zeek:type:`bool` :zeek:attr:`&redef`
============================================================================ ===================================================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Types
#####
.. zeek:type:: SSL::SctInfo
:source-code: policy/protocols/ssl/validate-sct.zeek 30 50
:Type: :zeek:type:`record`
.. zeek:field:: version :zeek:type:`count`
The version of the encountered SCT (should always be 0 for v1).
.. zeek:field:: logid :zeek:type:`string`
The ID of the log issuing this SCT.
.. zeek:field:: timestamp :zeek:type:`count`
The timestamp at which this SCT was issued measured since the
epoch (January 1, 1970, 00:00), ignoring leap seconds, in
milliseconds. Not converted to a Zeek timestamp because we need
the exact value for validation.
.. zeek:field:: sig_alg :zeek:type:`count`
The signature algorithm used for this sct.
.. zeek:field:: hash_alg :zeek:type:`count`
The hash algorithm used for this sct.
.. zeek:field:: signature :zeek:type:`string`
The signature of this SCT.
.. zeek:field:: source :zeek:type:`SSL::SctSource`
Source of this SCT.
.. zeek:field:: valid :zeek:type:`bool` :zeek:attr:`&optional`
Validation result of this SCT.
This record is used to store information about the SCTs that are
encountered in a SSL connection.
.. zeek:type:: SSL::SctSource
:source-code: policy/protocols/ssl/validate-sct.zeek 16 27
:Type: :zeek:type:`enum`
.. zeek:enum:: SSL::SCT_X509_EXT SSL::SctSource
Signed Certificate Timestamp was encountered in the extension of
an X.509 certificate.
.. zeek:enum:: SSL::SCT_TLS_EXT SSL::SctSource
Signed Certificate Timestamp was encountered in an TLS session
extension.
.. zeek:enum:: SSL::SCT_OCSP_EXT SSL::SctSource
Signed Certificate Timestamp was encountered in the extension of
an stapled OCSP reply.
List of the different sources for Signed Certificate Timestamp
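Review bot: article and capitalisation errors in the generated docstrings, all originating in policy/protocols/ssl/validate-sct.zeek: "encountered in a SSL connection" (an SSL), "in an TLS session extension" (a TLS), "an stapled OCSP reply" (a stapled), "used for this sct" twice (SCT), and the SSL::SctSource description "List of the different sources for Signed Certificate Timestamp" lacks both the plural and the period; "RFC6962" is conventionally written "RFC 6962". Also, valid_scts and invalid_scts are ``&optional`` without ``&log`` while valid_ct_logs and valid_ct_operators are logged; if the raw SCT counts are deliberately kept out of ssl.log the docstrings should say so, since a reader of the Redefinitions table would expect the validation result counts to be the logged fields.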

@ -0,0 +1,109 @@
:tocdepth: 3
policy/protocols/ssl/weak-keys.zeek
===================================
.. zeek:namespace:: SSL
Generate notices when SSL/TLS connections use certificates, DH parameters,
or cipher suites that are deemed to be insecure.
:Namespace: SSL
:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`, :doc:`base/utils/directions-and-hosts.zeek </scripts/base/utils/directions-and-hosts.zeek>`
Summary
~~~~~~~
Runtime Options
###############
=========================================================================================== ==============================================================================
:zeek:id:`SSL::notify_dh_length_shorter_cert_length`: :zeek:type:`bool` :zeek:attr:`&redef` Warn if the DH key length is smaller than the certificate key length.
:zeek:id:`SSL::notify_minimal_key_length`: :zeek:type:`count` :zeek:attr:`&redef` The minimal key length in bits that is considered to be safe.
:zeek:id:`SSL::notify_weak_keys`: :zeek:type:`Host` :zeek:attr:`&redef` The category of hosts you would like to be notified about which are using weak
keys/ciphers/protocol_versions.
:zeek:id:`SSL::tls_minimum_version`: :zeek:type:`count` :zeek:attr:`&redef` Warn if a server negotiates a SSL session with a protocol version smaller than
the specified version.
:zeek:id:`SSL::unsafe_ciphers_regex`: :zeek:type:`pattern` :zeek:attr:`&redef` Warn if a server negotiates an unsafe cipher suite.
=========================================================================================== ==============================================================================
Redefinitions
#############
============================================ ===============================================================
:zeek:type:`Notice::Type`: :zeek:type:`enum`
* :zeek:enum:`SSL::Old_Version`:
Indicates that a server is using a potentially unsafe version
* :zeek:enum:`SSL::Weak_Cipher`:
Indicates that a server is using a potentially unsafe cipher
* :zeek:enum:`SSL::Weak_Key`:
Indicates that a server is using a potentially unsafe key.
============================================ ===============================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: SSL::notify_dh_length_shorter_cert_length
:source-code: policy/protocols/ssl/weak-keys.zeek 34 34
:Type: :zeek:type:`bool`
:Attributes: :zeek:attr:`&redef`
:Default: ``T``
Warn if the DH key length is smaller than the certificate key length. This is
potentially unsafe because it gives a wrong impression of safety due to the
certificate key length. However, it is very common and cannot be avoided in some
settings (e.g. with old java clients).
.. zeek:id:: SSL::notify_minimal_key_length
:source-code: policy/protocols/ssl/weak-keys.zeek 28 28
:Type: :zeek:type:`count`
:Attributes: :zeek:attr:`&redef`
:Default: ``2048``
The minimal key length in bits that is considered to be safe. Any shorter
(non-EC) key lengths will trigger a notice.
.. zeek:id:: SSL::notify_weak_keys
:source-code: policy/protocols/ssl/weak-keys.zeek 24 24
:Type: :zeek:type:`Host`
:Attributes: :zeek:attr:`&redef`
:Default: ``LOCAL_HOSTS``
The category of hosts you would like to be notified about which are using weak
keys/ciphers/protocol_versions. By default, these notices will be suppressed
by the notice framework for 1 day after a particular host has had a notice
generated. Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS
.. zeek:id:: SSL::tls_minimum_version
:source-code: policy/protocols/ssl/weak-keys.zeek 41 41
:Type: :zeek:type:`count`
:Attributes: :zeek:attr:`&redef`
:Default: ``769``
Warn if a server negotiates a SSL session with a protocol version smaller than
the specified version. By default, the minimal version is TLSv10 because SSLv2
and v3 have serious security issued.
See https://tools.ietf.org/html/draft-thomson-sslv3-diediedie-00
To disable, set to SSLv20
.. zeek:id:: SSL::unsafe_ciphers_regex
:source-code: policy/protocols/ssl/weak-keys.zeek 45 45
:Type: :zeek:type:`pattern`
:Attributes: :zeek:attr:`&redef`
:Default:
::
/^?((_EXPORT_)|(_RC4_))$?/
Warn if a server negotiates an unsafe cipher suite. By default, we only warn when
encountering old export cipher suites, or RC4 (see RFC7465).
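Review bot: under SSL::tls_minimum_version, "SSLv2 and v3 have serious security issued" should be "issues", and the default ``769`` should be explained as 0x0301, the TLS 1.0 protocol version number, so readers can relate it to the TLSv10 and SSLv20 names used in the same paragraph (those names could also be cross-referenced with :zeek:see:). The cited draft-thomson-sslv3-diediedie was later published as RFC 7568, which is the more stable reference. Under SSL::unsafe_ciphers_regex, the rendered default ``/^?((_EXPORT_)|(_RC4_))$?/`` has optional anchors, i.e. it matches anywhere in the cipher suite name; the docstring should say so, so that operators extending the pattern to other weak suites know that no anchoring is needed. "old java clients" under SSL::notify_dh_length_shorter_cert_length should read "Java".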