Copy docs into Zeek repo directly

This is based on commit 2731def9159247e6da8a3191783c89683363689c from the
zeek-docs repo.
Tim Wojtulewicz 2025-09-15 15:52:18 -07:00
parent 83f1e74643
commit ded98cd373
1074 changed files with 169319 additions and 0 deletions

@ -0,0 +1,111 @@
:tocdepth: 3
policy/protocols/http/detect-sql-injection.zeek
===============================================
.. zeek:namespace:: HTTP
SQL injection attack detection in HTTP.
The script annotates the notices it generates with an associated $uid
connection identifier; always provides an attacker IP address in the
$src field; and always provides a victim IP address in the $dst field.
:Namespace: HTTP
:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/frameworks/sumstats </scripts/base/frameworks/sumstats/index>`, :doc:`base/protocols/http </scripts/base/protocols/http/index>`
Summary
~~~~~~~
Redefinable Options
###################
================================================================================== ================================================================
:zeek:id:`HTTP::match_sql_injection_uri`: :zeek:type:`pattern` :zeek:attr:`&redef` Regular expression is used to match URI based SQL injections.
:zeek:id:`HTTP::sqli_requests_interval`: :zeek:type:`interval` :zeek:attr:`&redef` Interval at which to watch for the
:zeek:id:`HTTP::sqli_requests_threshold` variable to be crossed.
:zeek:id:`HTTP::sqli_requests_threshold`: :zeek:type:`double` :zeek:attr:`&redef` Defines the threshold that determines if an SQL injection attack
is ongoing based on the number of requests that appear to be SQL
injection attacks.
================================================================================== ================================================================
Redefinitions
#############
======================================================= ==============================================================
:zeek:type:`HTTP::Tags`: :zeek:type:`enum`
* :zeek:enum:`HTTP::URI_SQLI`:
Indicator of a URI based SQL injection attack.
:zeek:type:`Notice::Type`: :zeek:type:`enum`
* :zeek:enum:`HTTP::SQL_Injection_Attacker`:
Indicates that a host performing SQL injection attacks was
detected.
* :zeek:enum:`HTTP::SQL_Injection_Victim`:
Indicates that a host was seen to have SQL injection attacks
against it.
:zeek:type:`SumStats::Observation`: :zeek:type:`record`
:New Fields: :zeek:type:`SumStats::Observation`
uid: :zeek:type:`string` :zeek:attr:`&optional`
======================================================= ==============================================================
Hooks
#####
=============================================== =======================================================================
:zeek:id:`HTTP::sqli_policy`: :zeek:type:`hook` A hook that can be used to prevent specific requests from being counted
as an injection attempt.
=============================================== =======================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Redefinable Options
###################
.. zeek:id:: HTTP::match_sql_injection_uri
:source-code: policy/protocols/http/detect-sql-injection.zeek 41 41
:Type: :zeek:type:`pattern`
:Attributes: :zeek:attr:`&redef`
:Default:
::
/^?((^?((^?((^?((^?(((?i:^?([\?&][^[:blank:]\x00-\x1f\|\+]+?=[\-[:alnum:]%]+([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)*'?([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/|\)?;)+.*?(having|union|exec|select|delete|drop|declare|create|insert)([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)+)$?))|((?i:^?([\?&][^[:blank:]\x00-\x1f\|\+]+?=[\-0-9%]+([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)*'?([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/|\)?;)+(x?or|n?and)([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)+'?(([^a-zA-Z&]+)?=|exists))$?)))$?)|((?i:^?([\?&][^[:blank:]\x00-\x1f\+]+?=[\-0-9%]*([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)*'([[:blank:]\x00-\x1f]|\/\*.*?\*\/)*(-|=|\+|\|\|)([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)*([0-9]|\(?convert|cast))$?)))$?)|((?i:^?([\?&][^[:blank:]\x00-\x1f\|\+]+?=([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)*'([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/|;)*(x?or|n?and|having|union|exec|select|delete|drop|declare|create|regexp|insert)([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/|[\[(])+[a-zA-Z&]{2,})$?)))$?)|((?i:^?([\?&][^[:blank:]\x00-\x1f\+]+?=[^\.]*?(char|ascii|substring|truncate|version|length)\()$?)))$?)|(^?(\/\*![[:digit:]]{5}.*?\*\/)$?))$?/
Regular expression is used to match URI based SQL injections.
.. zeek:id:: HTTP::sqli_requests_interval
:source-code: policy/protocols/http/detect-sql-injection.zeek 38 38
:Type: :zeek:type:`interval`
:Attributes: :zeek:attr:`&redef`
:Default: ``5.0 mins``
Interval at which to watch for the
:zeek:id:`HTTP::sqli_requests_threshold` variable to be crossed.
At the end of each interval the counter is reset.
.. zeek:id:: HTTP::sqli_requests_threshold
:source-code: policy/protocols/http/detect-sql-injection.zeek 33 33
:Type: :zeek:type:`double`
:Attributes: :zeek:attr:`&redef`
:Default: ``50.0``
Defines the threshold that determines if an SQL injection attack
is ongoing based on the number of requests that appear to be SQL
injection attacks.
Hooks
#####
.. zeek:id:: HTTP::sqli_policy
:source-code: policy/protocols/http/detect-sql-injection.zeek 52 52
:Type: :zeek:type:`hook` (c: :zeek:type:`connection`, method: :zeek:type:`string`, unescaped_URI: :zeek:type:`string`) : :zeek:type:`bool`
A hook that can be used to prevent specific requests from being counted
as an injection attempt. Use a 'break' statement to exit the hook
early and ignore the request.
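Review bot: the `:source-code:` directives in the Detailed Interface (`detect-sql-injection.zeek 41 41`, `38 38`, `33 33`, `52 52`) hard-code line ranges into the script, and now that these generated pages are checked into the Zeek repo they will drift the first time someone edits the script without re-running Zeekygen; this commit should come with a CI step or make target that regenerates the pages and fails on a diff. A secondary documentation point in the same hunk: `HTTP::sqli_requests_threshold` is described as "the number of requests that appear to be SQL injection attacks" but is typed `double` with default `50.0`; the docstring should say why a fractional type is used for what reads as a request count, otherwise operators will reasonably expect a `count`.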

@ -0,0 +1,33 @@
:tocdepth: 3
policy/protocols/http/detect-webapps.zeek
=========================================
.. zeek:namespace:: HTTP
Detect and log web applications through the software framework.
:Namespace: HTTP
:Imports: :doc:`base/frameworks/signatures </scripts/base/frameworks/signatures/index>`, :doc:`base/frameworks/software </scripts/base/frameworks/software/index>`, :doc:`base/protocols/http </scripts/base/protocols/http/index>`
Summary
~~~~~~~
Redefinitions
#############
============================================================================ ===================================================================
:zeek:id:`Signatures::ignored_ids`: :zeek:type:`pattern` :zeek:attr:`&redef`
:zeek:type:`Software::Info`: :zeek:type:`record`
:New Fields: :zeek:type:`Software::Info`
url: :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
Most root URL where the software was discovered.
:zeek:type:`Software::Type`: :zeek:type:`enum`
* :zeek:enum:`HTTP::WEB_APPLICATION`:
Identifier for web applications in the software framework.
============================================================================ ===================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
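Review bot: the `Signatures::ignored_ids` row at the top of the Redefinitions table has no description, and the Detailed Interface section at the end of the page is empty, so the page never says which signature IDs this script suppresses or why. A comment on the `redef Signatures::ignored_ids` in the script would make Zeekygen emit that text here, and it matters for anyone auditing which detections are being silenced by loading this policy.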

@ -0,0 +1,60 @@
:tocdepth: 3
policy/protocols/http/header-names.zeek
=======================================
.. zeek:namespace:: HTTP
Extract and include the header names used for each request in the HTTP
logging stream. The headers in the logging stream will be stored in the
same order which they were seen on the wire.
:Namespace: HTTP
:Imports: :doc:`base/protocols/http/main.zeek </scripts/base/protocols/http/main.zeek>`
Summary
~~~~~~~
Runtime Options
###############
=============================================================================== =====================================================================
:zeek:id:`HTTP::log_client_header_names`: :zeek:type:`bool` :zeek:attr:`&redef` A boolean value to determine if client header names are to be logged.
:zeek:id:`HTTP::log_server_header_names`: :zeek:type:`bool` :zeek:attr:`&redef` A boolean value to determine if server header names are to be logged.
=============================================================================== =====================================================================
Redefinitions
#############
============================================ ==========================================================================================================
:zeek:type:`HTTP::Info`: :zeek:type:`record`
:New Fields: :zeek:type:`HTTP::Info`
client_header_names: :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
The vector of HTTP header names sent by the client.
server_header_names: :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
The vector of HTTP header names sent by the server.
============================================ ==========================================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: HTTP::log_client_header_names
:source-code: policy/protocols/http/header-names.zeek 21 21
:Type: :zeek:type:`bool`
:Attributes: :zeek:attr:`&redef`
:Default: ``T``
A boolean value to determine if client header names are to be logged.
.. zeek:id:: HTTP::log_server_header_names
:source-code: policy/protocols/http/header-names.zeek 24 24
:Type: :zeek:type:`bool`
:Attributes: :zeek:attr:`&redef`
:Default: ``F``
A boolean value to determine if server header names are to be logged.
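Review bot: the two runtime options are documented identically apart from client/server, yet their defaults differ (`log_client_header_names` is `T`, `log_server_header_names` is `F`) and neither the module docstring nor the option descriptions mention the asymmetry; state the default in each description so an operator reading only the Summary table knows server header names are off unless redef'd. Minor wording in the module docstring: "the same order which they were seen on the wire" should read "the same order in which they were seen on the wire".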

@ -0,0 +1,36 @@
:tocdepth: 3
policy/protocols/http/software-browser-plugins.zeek
===================================================
.. zeek:namespace:: HTTP
Detect browser plugins as they leak through requests to Omniture
advertising servers.
:Namespace: HTTP
:Imports: :doc:`base/frameworks/software </scripts/base/frameworks/software/index>`, :doc:`base/protocols/http </scripts/base/protocols/http/index>`
Summary
~~~~~~~
Redefinitions
#############
============================================== ==================================================================================
:zeek:type:`HTTP::Info`: :zeek:type:`record`
:New Fields: :zeek:type:`HTTP::Info`
omniture: :zeek:type:`bool` :zeek:attr:`&default` = ``F`` :zeek:attr:`&optional`
Indicates if the server is an omniture advertising server.
flash_version: :zeek:type:`string` :zeek:attr:`&optional`
The unparsed Flash version, if detected.
:zeek:type:`Software::Type`: :zeek:type:`enum`
* :zeek:enum:`HTTP::BROWSER_PLUGIN`:
Identifier for browser plugins in the software framework.
============================================== ==================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
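Review bot: the `omniture` field added to `HTTP::Info` is declared `&default = F &optional`; once a record field has `&default` it always reads as a value, so the `&optional` is redundant and should be dropped in the script. Also worth stating in the docstring: neither `omniture` nor `flash_version` carries `&log`, so the detected Flash version is only visible through the software framework, not in http.log. Capitalisation is inconsistent between "Omniture" in the module docstring and "omniture advertising server" in the field description.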

@ -0,0 +1,54 @@
:tocdepth: 3
policy/protocols/http/software.zeek
===================================
.. zeek:namespace:: HTTP
Software identification and extraction for HTTP traffic.
:Namespace: HTTP
:Imports: :doc:`base/frameworks/software </scripts/base/frameworks/software/index>`
Summary
~~~~~~~
Runtime Options
###############
============================================================================== ===============================================================
:zeek:id:`HTTP::ignored_user_agents`: :zeek:type:`pattern` :zeek:attr:`&redef` The pattern of HTTP User-Agents which you would like to ignore.
============================================================================== ===============================================================
Redefinitions
#############
============================================== ========================================================
:zeek:type:`Software::Type`: :zeek:type:`enum`
* :zeek:enum:`HTTP::APPSERVER`:
Identifier for app servers in the software framework.
* :zeek:enum:`HTTP::BROWSER`:
Identifier for web browsers in the software framework.
* :zeek:enum:`HTTP::SERVER`:
Identifier for web servers in the software framework.
============================================== ========================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: HTTP::ignored_user_agents
:source-code: policy/protocols/http/software.zeek 18 18
:Type: :zeek:type:`pattern`
:Attributes: :zeek:attr:`&redef`
:Default:
::
/^?(NO_DEFAULT)$?/
The pattern of HTTP User-Agents which you would like to ignore.
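Review bot: the rendered default for `HTTP::ignored_user_agents`, `/^?(NO_DEFAULT)$?/`, is a sentinel rather than a real pattern, and the description "The pattern of HTTP User-Agents which you would like to ignore" neither says that the placeholder is meant to match nothing in practice nor shows how to override it; add a sentence to the docstring with a `redef HTTP::ignored_user_agents = /.../;` example so the generated page is self-explanatory. The `^?(...)$?` wrapping is Zeek's printed form of pattern values, not part of what the script author wrote, and readers of this page (and of the much longer `match_sql_injection_uri` default in the detect-sql-injection page) may take it for part of the default.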

@ -0,0 +1,28 @@
:tocdepth: 3
policy/protocols/http/var-extraction-cookies.zeek
=================================================
.. zeek:namespace:: HTTP
Extracts and logs variable names from cookies sent by clients.
:Namespace: HTTP
:Imports: :doc:`base/protocols/http/main.zeek </scripts/base/protocols/http/main.zeek>`, :doc:`base/protocols/http/utils.zeek </scripts/base/protocols/http/utils.zeek>`
Summary
~~~~~~~
Redefinitions
#############
============================================ ==================================================================================================
:zeek:type:`HTTP::Info`: :zeek:type:`record`
:New Fields: :zeek:type:`HTTP::Info`
cookie_vars: :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
Variable names extracted from all cookies.
============================================ ==================================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
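Review bot: "Variable names extracted from all cookies" leaves the key property implicit: only cookie names, never cookie values, are written to http.log. Since cookie values are typically session tokens, the docstring should say that explicitly so an operator evaluating this script in a privacy or PII review does not have to read the source to confirm it. Attribute order on `cookie_vars` is `&optional &log` here versus `&log &optional` in header-names.zeek; cosmetic, but worth aligning in the scripts because it shows up in every generated table.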

@ -0,0 +1,29 @@
:tocdepth: 3
policy/protocols/http/var-extraction-uri.zeek
=============================================
.. zeek:namespace:: HTTP
Extracts and logs variables from the requested URI in the default HTTP
logging stream.
:Namespace: HTTP
:Imports: :doc:`base/protocols/http </scripts/base/protocols/http/index>`
Summary
~~~~~~~
Redefinitions
#############
============================================ ===============================================================================================
:zeek:type:`HTTP::Info`: :zeek:type:`record`
:New Fields: :zeek:type:`HTTP::Info`
uri_vars: :zeek:type:`vector` of :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
Variable names from the URI.
============================================ ===============================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
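Review bot: the module docstring says the script "Extracts and logs variables from the requested URI" while the field description says `uri_vars` holds "Variable names from the URI"; the two disagree on whether parameter values reach the log. Make the docstring match the field (names only) and, as with the cookie-extraction page, state explicitly that query-string values are not written to http.log, since that is exactly what a reviewer checking for credential or token leakage wants to know. The Detailed Interface section at the end is empty again; consider suppressing empty sections in the generator output rather than shipping headings with nothing under them.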