Copy docs into Zeek repo directly

This is based on commit 2731def9159247e6da8a3191783c89683363689c from the
zeek-docs repo.
Tim Wojtulewicz 2025-09-15 15:52:18 -07:00
parent 83f1e74643
commit ded98cd373
1074 changed files with 169319 additions and 0 deletions

@ -0,0 +1,82 @@
:tocdepth: 3
policy/protocols/ssh/detect-bruteforcing.zeek
=============================================
.. zeek:namespace:: SSH
Detect hosts which are doing password guessing attacks and/or password
bruteforcing over SSH.
:Namespace: SSH
:Imports: :doc:`base/frameworks/intel </scripts/base/frameworks/intel/index>`, :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/frameworks/sumstats </scripts/base/frameworks/sumstats/index>`, :doc:`base/protocols/ssh </scripts/base/protocols/ssh/index>`
Summary
~~~~~~~
Redefinable Options
###################
=============================================================================== =====================================================================
:zeek:id:`SSH::guessing_timeout`: :zeek:type:`interval` :zeek:attr:`&redef` The amount of time to remember presumed non-successful logins to
build a model of a password guesser.
:zeek:id:`SSH::ignore_guessers`: :zeek:type:`table` :zeek:attr:`&redef` This value can be used to exclude hosts or entire networks from being
tracked as potential "guessers".
:zeek:id:`SSH::password_guesses_limit`: :zeek:type:`double` :zeek:attr:`&redef` The number of failed SSH connections before a host is designated as
guessing passwords.
=============================================================================== =====================================================================
Redefinitions
#############
============================================ ============================================================
:zeek:type:`Intel::Where`: :zeek:type:`enum`
* :zeek:enum:`SSH::SUCCESSFUL_LOGIN`:
An indicator of the login for the intel framework.
:zeek:type:`Notice::Type`: :zeek:type:`enum`
* :zeek:enum:`SSH::Login_By_Password_Guesser`:
Indicates that a host previously identified as a "password
guesser" has now had a successful login
attempt.
* :zeek:enum:`SSH::Password_Guessing`:
Indicates that a host has been identified as crossing the
:zeek:id:`SSH::password_guesses_limit` threshold with
failed logins.
============================================ ============================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Redefinable Options
###################
.. zeek:id:: SSH::guessing_timeout
:source-code: policy/protocols/ssh/detect-bruteforcing.zeek 34 34
:Type: :zeek:type:`interval`
:Attributes: :zeek:attr:`&redef`
:Default: ``30.0 mins``
The amount of time to remember presumed non-successful logins to
build a model of a password guesser.
.. zeek:id:: SSH::ignore_guessers
:source-code: policy/protocols/ssh/detect-bruteforcing.zeek 39 39
:Type: :zeek:type:`table` [:zeek:type:`subnet`] of :zeek:type:`subnet`
:Attributes: :zeek:attr:`&redef`
:Default: ``{}``
This value can be used to exclude hosts or entire networks from being
tracked as potential "guessers". The index represents
client subnets and the yield value represents server subnets.
.. zeek:id:: SSH::password_guesses_limit
:source-code: policy/protocols/ssh/detect-bruteforcing.zeek 30 30
:Type: :zeek:type:`double`
:Attributes: :zeek:attr:`&redef`
:Default: ``30.0``
The number of failed SSH connections before a host is designated as
guessing passwords.
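Review bot: the Summary row for ``SSH::ignore_guessers`` loses the only sentence that tells an operator how to populate the table; the Summary carries "This value can be used to exclude hosts or entire networks from being tracked as potential "guessers"." while the index/yield semantics ("The index represents client subnets and the yield value represents server subnets.") only appear further down under Detailed Interface. Since the Summary table picks up the first sentence, the fix is in the doc comment of policy/protocols/ssh/detect-bruteforcing.zeek: fold the semantics into the first sentence, e.g. "Exclude client subnets (index) talking to server subnets (yield) from being tracked as potential guessers." and regenerate. A second, smaller point: the ``:source-code:`` references carry fixed line numbers (``34 34``, ``39 39``, ``30 30``); once these pages live in the Zeek repo rather than being generated on the docs side, any edit to the script leaves them stale unless regeneration is part of the build or a CI check compares the committed output against a fresh run.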

@ -0,0 +1,61 @@
:tocdepth: 3
policy/protocols/ssh/geo-data.zeek
==================================
.. zeek:namespace:: SSH
Geodata based detections for SSH analysis.
:Namespace: SSH
:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/protocols/ssh </scripts/base/protocols/ssh/index>`
Summary
~~~~~~~
Runtime Options
###############
======================================================================= ==================================================================
:zeek:id:`SSH::watched_countries`: :zeek:type:`set` :zeek:attr:`&redef` The set of countries for which you'd like to generate notices upon
successful login.
======================================================================= ==================================================================
Redefinitions
#############
============================================ =====================================================================================
:zeek:type:`Notice::Type`: :zeek:type:`enum`
* :zeek:enum:`SSH::Watched_Country_Login`:
If an SSH login is seen to or from a "watched" country based
on the :zeek:id:`SSH::watched_countries` variable then this
notice will be generated.
:zeek:type:`SSH::Info`: :zeek:type:`record`
:New Fields: :zeek:type:`SSH::Info`
remote_location: :zeek:type:`geo_location` :zeek:attr:`&log` :zeek:attr:`&optional`
Add geographic data related to the "remote" host of the
connection.
============================================ =====================================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: SSH::watched_countries
:source-code: policy/protocols/ssh/geo-data.zeek 24 24
:Type: :zeek:type:`set` [:zeek:type:`string`]
:Attributes: :zeek:attr:`&redef`
:Default:
::
{
"RO"
}
The set of countries for which you'd like to generate notices upon
successful login.
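Review bot: the ``remote_location`` field is documented as "geographic data related to the "remote" host of the connection" but nothing on the page defines which endpoint is the remote one, and ``SSH::Watched_Country_Login`` says it fires for logins "to or from" a watched country, so a reader of ssh.log cannot tell whether the logged location belongs to the originator, the responder, or whichever side is non-local. Suggest the source comment in policy/protocols/ssh/geo-data.zeek state the rule explicitly so the generated text inherits it. The ``:Default:`` block for ``SSH::watched_countries``, which renders as a literal ``{ "RO" }``, would also benefit from a sentence in the doc comment saying that a single hard-coded country is a starting value operators are expected to ``redef``; as rendered it reads like an accidental leftover.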

@ -0,0 +1,54 @@
:tocdepth: 3
policy/protocols/ssh/interesting-hostnames.zeek
===============================================
.. zeek:namespace:: SSH
This script will generate a notice if an apparent SSH login originates
or heads to a host with a reverse hostname that looks suspicious. By
default, the regular expression to match "interesting" hostnames includes
names that are typically used for infrastructure hosts like nameservers,
mail servers, web servers and ftp servers.
:Namespace: SSH
:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`
Summary
~~~~~~~
Runtime Options
###############
=============================================================================== ===============================================================
:zeek:id:`SSH::interesting_hostnames`: :zeek:type:`pattern` :zeek:attr:`&redef` Strange/bad host names to see successful SSH logins from or to.
=============================================================================== ===============================================================
Redefinitions
#############
============================================ ===============================================================
:zeek:type:`Notice::Type`: :zeek:type:`enum`
* :zeek:enum:`SSH::Interesting_Hostname_Login`:
Generated if a login originates or responds with a host where
the reverse hostname lookup resolves to a name matched by the
:zeek:id:`SSH::interesting_hostnames` regular expression.
============================================ ===============================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. zeek:id:: SSH::interesting_hostnames
:source-code: policy/protocols/ssh/interesting-hostnames.zeek 20 20
:Type: :zeek:type:`pattern`
:Attributes: :zeek:attr:`&redef`
:Default:
::
/^?((^?((^?((^?((^?((^?((^?(^d?ns[0-9]*\.)$?)|(^?(^smtp[0-9]*\.)$?))$?)|(^?(^mail[0-9]*\.)$?))$?)|(^?(^pop[0-9]*\.)$?))$?)|(^?(^imap[0-9]*\.)$?))$?)|(^?(^www[0-9]*\.)$?))$?)|(^?(^ftp[0-9]*\.)$?))$?/
Strange/bad host names to see successful SSH logins from or to.
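Review bot: the ``:Default:`` shown for ``SSH::interesting_hostnames`` is the expanded form Zeek produces when alternatives are combined, with a ``^?(...)$?`` wrapper around every branch, which obscures what the pattern actually matches: hostnames whose first label is ``dns``, ``ns``, ``smtp``, ``mail``, ``pop``, ``imap``, ``www`` or ``ftp``, optionally followed by digits and then a literal dot (``^d?ns[0-9]*\.``, ``^smtp[0-9]*\.``, ...). Because each branch is anchored with ``^`` and requires the ``.`` immediately after the digits, ``mail.example.org`` and ``www2.example.org`` match while ``mail-gw.example.org`` or ``host.mail.example.org`` do not. The module description ("nameservers, mail servers, web servers and ftp servers") would be more useful if it listed these literal prefixes and the anchoring, so operators know exactly what they are extending when they ``redef`` the pattern.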

@ -0,0 +1,30 @@
:tocdepth: 3
policy/protocols/ssh/software.zeek
==================================
.. zeek:namespace:: SSH
Extracts SSH client and server information from SSH
connections and forwards it to the software framework.
:Namespace: SSH
:Imports: :doc:`base/frameworks/software </scripts/base/frameworks/software/index>`
Summary
~~~~~~~
Redefinitions
#############
============================================== =======================================================
:zeek:type:`Software::Type`: :zeek:type:`enum`
* :zeek:enum:`SSH::CLIENT`:
Identifier for SSH servers in the software framework.
* :zeek:enum:`SSH::SERVER`:
Identifier for SSH clients in the software framework.
============================================== =======================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
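Review bot: the two ``Software::Type`` enum descriptions are swapped: ``SSH::CLIENT`` is documented as "Identifier for SSH servers in the software framework." and ``SSH::SERVER`` as "Identifier for SSH clients in the software framework.". Since this page is generated output, the correction belongs in the doc comments of policy/protocols/ssh/software.zeek (exchange the two sentences) followed by a regeneration; as it stands, anyone filtering software.log on ``SSH::SERVER`` and checking this reference is told the opposite of what the value means.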