mirror of
https://github.com/zeek/zeek.git
synced 2025-10-03 15:18:20 +00:00

The configuration framework consists of three mostly distinct parts:

* option variables
* the config reader
* the script level framework

I will describe the three elements in the following.

Internally, this commit also performs a range of changes to the Input
manager; it marks a lot of functions as const and introduces a new
ValueToVal method (which could in theory replace the already existing
one - it is a bit more powerful). This also changes SerialTypes to have
a subtype for Values, just as Fields already have it; I think it was
mostly an oversight that this was not introduced from the beginning.
This should not necessitate any code changes for people already using
SerialTypes.

option variable
===============

The option keyword allows variables to be specified as run-time options.
Such variables cannot be changed using normal assignments. Instead, they
can be changed using Option::set. It is possible to "subscribe" to
options and be notified when an option value changes.

Change handlers can also change values before they are applied; this
gives them the opportunity to reject changes. Priorities can be
specified if there are several handlers for one option.

Example script:

    option testbool: bool = T;

    function option_changed(ID: string, new_value: bool): bool
        {
        print fmt("Value of %s changed from %s to %s", ID, testbool, new_value);
        return new_value;
        }

    event bro_init()
        {
        print "Old value", testbool;
        Option::set_change_handler("testbool", option_changed);
        Option::set("testbool", F);
        print "New value", testbool;
        }

config reader
=============

The config reader provides a way to read configuration files back into
Bro. Most importantly it automatically converts values to the correct
types. This is important because it is at least inconvenient (and
sometimes near impossible) to perform the necessary type conversions in
Bro scripts themselves. This is especially true for sets/vectors.

Configuration generally looks like this:

    [option name][tab/spaces][new variable value]

so, for example:

    testaddr 2607:f8b0:4005:801::200e
    testinterval 60
    testtime 1507321987
    test_set a b c d erdbeerschnitzel

The reader uses the option name to look up the type that variable has in
the Bro core and automatically converts the value to the correct type.

Example script use:

    type Idx: record {
        option_name: string;
    };

    type Val: record {
        option_val: string;
    };

    global currconfig: table[string] of string = table();

    event InputConfig::new_value(name: string, source: string, id: string, value: any)
        {
        print id, value;
        }

    event bro_init()
        {
        Input::add_table([$reader=Input::READER_CONFIG, $source="../configfile", $name="configuration", $idx=Idx, $val=Val, $destination=currconfig, $want_record=F]);
        }

Script-level config framework
=============================

The script-level framework ties these two features together and makes
them a bit more convenient to use. Configuration files can simply be
specified by placing them into Config::config_files. The framework also
creates a config.log that shows all value changes that took place.

Usage example:

    redef Config::config_files += {configfile};

    export {
        option testbool : bool = F;
    }

The file is now monitored for changes; when a change occurs the
respective option values are automatically updated and the value change
is written to config.log.
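As an added example (not code from the commit or from Zeek itself), the following script shows the rejection mechanism the commit describes: a change handler returns the value currently in effect instead of the proposed one, so the option stays unchanged, and a second, lower-priority handler audits only the changes that got through. The module name Detect, the option max_scan_rate, the bounds and the handler names are assumed for illustration; bro_init is the Bro-era event name used in the commit (current Zeek spells it zeek_init).

```zeek
# Added example, not part of the original commit. Demonstrates a validating
# change handler (rejects by returning the current value) chained with an
# audit handler via priorities. Module, option and function names are
# assumed for illustration.

module Detect;

export {
    # Run-time option: distinct ports a host may probe per minute before it
    # is treated as a scanner. Changeable only via Option::set, or via a
    # file listed in Config::config_files (a line such as
    # "Detect::max_scan_rate<tab>200"), never by plain assignment.
    option max_scan_rate: count = 50;
}

# Validation handler, registered at priority 10 so it runs before the audit
# handler below. An out-of-range proposal is refused by returning the value
# currently in effect; anything else is passed through unchanged.
function reject_bad_rate(ID: string, new_value: count): count
    {
    if ( new_value == 0 || new_value > 10000 )
        {
        Reporter::warning(fmt("refusing to set %s to %d (allowed: 1..10000)",
                              ID, new_value));
        return max_scan_rate;
        }

    return new_value;
    }

# Audit handler (default priority 0). It receives whatever the validation
# handler returned, so it only reports proposals that were actually accepted.
function audit_rate_change(ID: string, new_value: count): count
    {
    if ( new_value != max_scan_rate )
        print fmt("%s changing from %d to %d", ID, max_scan_rate, new_value);

    return new_value;
    }

event bro_init()
    {
    Option::set_change_handler("Detect::max_scan_rate", reject_bad_rate, 10);
    Option::set_change_handler("Detect::max_scan_rate", audit_rate_change);

    Option::set("Detect::max_scan_rate", 200);   # in range: accepted
    Option::set("Detect::max_scan_rate", 0);     # out of range: refused
    print "Effective value", max_scan_rate;
    }
```

The same handlers apply to values arriving through a file in Config::config_files, so the validation cannot be bypassed by editing the file, and every accepted change still lands in config.log.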
191 lines
16 KiB
ReStructuredText
=========
Log Files
=========

Listed below are the log files generated by Bro, including a brief description
of the log file and links to descriptions of the fields for each log
type.

Network Protocols
-----------------

+----------------------------+---------------------------------------+---------------------------------+
| Log File                   | Description                           | Field Descriptions              |
+============================+=======================================+=================================+
| conn.log                   | TCP/UDP/ICMP connections              | :bro:type:`Conn::Info`          |
+----------------------------+---------------------------------------+---------------------------------+
| config.log                 | Configuration option changes          | :bro:type:`Config::Info`        |
+----------------------------+---------------------------------------+---------------------------------+
| dce_rpc.log                | Distributed Computing Environment/RPC | :bro:type:`DCE_RPC::Info`       |
+----------------------------+---------------------------------------+---------------------------------+
| dhcp.log                   | DHCP leases                           | :bro:type:`DHCP::Info`          |
+----------------------------+---------------------------------------+---------------------------------+
| dnp3.log                   | DNP3 requests and replies             | :bro:type:`DNP3::Info`          |
+----------------------------+---------------------------------------+---------------------------------+
| dns.log                    | DNS activity                          | :bro:type:`DNS::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| ftp.log                    | FTP activity                          | :bro:type:`FTP::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| http.log                   | HTTP requests and replies             | :bro:type:`HTTP::Info`          |
+----------------------------+---------------------------------------+---------------------------------+
| irc.log                    | IRC commands and responses            | :bro:type:`IRC::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| kerberos.log               | Kerberos                              | :bro:type:`KRB::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| modbus.log                 | Modbus commands and responses         | :bro:type:`Modbus::Info`        |
+----------------------------+---------------------------------------+---------------------------------+
| modbus_register_change.log | Tracks changes to Modbus holding      | :bro:type:`Modbus::MemmapInfo`  |
|                            | registers                             |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| mysql.log                  | MySQL                                 | :bro:type:`MySQL::Info`         |
+----------------------------+---------------------------------------+---------------------------------+
| ntlm.log                   | NT LAN Manager (NTLM)                 | :bro:type:`NTLM::Info`          |
+----------------------------+---------------------------------------+---------------------------------+
| radius.log                 | RADIUS authentication attempts        | :bro:type:`RADIUS::Info`        |
+----------------------------+---------------------------------------+---------------------------------+
| rdp.log                    | RDP                                   | :bro:type:`RDP::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| rfb.log                    | Remote Framebuffer (RFB)              | :bro:type:`RFB::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| sip.log                    | SIP                                   | :bro:type:`SIP::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| smb_cmd.log                | SMB commands                          | :bro:type:`SMB::CmdInfo`        |
+----------------------------+---------------------------------------+---------------------------------+
| smb_files.log              | SMB files                             | :bro:type:`SMB::FileInfo`       |
+----------------------------+---------------------------------------+---------------------------------+
| smb_mapping.log            | SMB trees                             | :bro:type:`SMB::TreeInfo`       |
+----------------------------+---------------------------------------+---------------------------------+
| smtp.log                   | SMTP transactions                     | :bro:type:`SMTP::Info`          |
+----------------------------+---------------------------------------+---------------------------------+
| snmp.log                   | SNMP messages                         | :bro:type:`SNMP::Info`          |
+----------------------------+---------------------------------------+---------------------------------+
| socks.log                  | SOCKS proxy requests                  | :bro:type:`SOCKS::Info`         |
+----------------------------+---------------------------------------+---------------------------------+
| ssh.log                    | SSH connections                       | :bro:type:`SSH::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| ssl.log                    | SSL/TLS handshake info                | :bro:type:`SSL::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| syslog.log                 | Syslog messages                       | :bro:type:`Syslog::Info`        |
+----------------------------+---------------------------------------+---------------------------------+
| tunnel.log                 | Tunneling protocol events             | :bro:type:`Tunnel::Info`        |
+----------------------------+---------------------------------------+---------------------------------+

Files
-----

+----------------------------+---------------------------------------+---------------------------------+
| Log File                   | Description                           | Field Descriptions              |
+============================+=======================================+=================================+
| files.log                  | File analysis results                 | :bro:type:`Files::Info`         |
+----------------------------+---------------------------------------+---------------------------------+
| ocsp.log                   | Online Certificate Status Protocol    | :bro:type:`OCSP::Info`          |
|                            | (OCSP). Only created if policy script |                                 |
|                            | is loaded.                            |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| pe.log                     | Portable Executable (PE)              | :bro:type:`PE::Info`            |
+----------------------------+---------------------------------------+---------------------------------+
| x509.log                   | X.509 certificate info                | :bro:type:`X509::Info`          |
+----------------------------+---------------------------------------+---------------------------------+

NetControl
----------

+------------------------------+---------------------------------------+------------------------------------------+
| Log File                     | Description                           | Field Descriptions                       |
+==============================+=======================================+==========================================+
| netcontrol.log               | NetControl actions                    | :bro:type:`NetControl::Info`             |
+------------------------------+---------------------------------------+------------------------------------------+
| netcontrol_drop.log          | NetControl drop actions               | :bro:type:`NetControl::DropInfo`         |
+------------------------------+---------------------------------------+------------------------------------------+
| netcontrol_shunt.log         | NetControl shunt actions              | :bro:type:`NetControl::ShuntInfo`        |
+------------------------------+---------------------------------------+------------------------------------------+
| netcontrol_catch_release.log | NetControl catch and release actions  | :bro:type:`NetControl::CatchReleaseInfo` |
+------------------------------+---------------------------------------+------------------------------------------+
| openflow.log                 | OpenFlow debug log                    | :bro:type:`OpenFlow::Info`               |
+------------------------------+---------------------------------------+------------------------------------------+

Detection
---------

+----------------------------+---------------------------------------+---------------------------------+
| Log File                   | Description                           | Field Descriptions              |
+============================+=======================================+=================================+
| intel.log                  | Intelligence data matches             | :bro:type:`Intel::Info`         |
+----------------------------+---------------------------------------+---------------------------------+
| notice.log                 | Bro notices                           | :bro:type:`Notice::Info`        |
+----------------------------+---------------------------------------+---------------------------------+
| notice_alarm.log           | The alarm stream                      | :bro:enum:`Notice::ACTION_ALARM`|
+----------------------------+---------------------------------------+---------------------------------+
| signatures.log             | Signature matches                     | :bro:type:`Signatures::Info`    |
+----------------------------+---------------------------------------+---------------------------------+
| traceroute.log             | Traceroute detection                  | :bro:type:`Traceroute::Info`    |
+----------------------------+---------------------------------------+---------------------------------+

Network Observations
--------------------

+----------------------------+---------------------------------------+---------------------------------+
| Log File                   | Description                           | Field Descriptions              |
+============================+=======================================+=================================+
| known_certs.log            | SSL certificates                      | :bro:type:`Known::CertsInfo`    |
+----------------------------+---------------------------------------+---------------------------------+
| known_devices.log          | MAC addresses of devices on the       | :bro:type:`Known::DevicesInfo`  |
|                            | network                               |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| known_hosts.log            | Hosts that have completed TCP         | :bro:type:`Known::HostsInfo`    |
|                            | handshakes                            |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| known_modbus.log           | Modbus masters and slaves             | :bro:type:`Known::ModbusInfo`   |
+----------------------------+---------------------------------------+---------------------------------+
| known_services.log         | Services running on hosts             | :bro:type:`Known::ServicesInfo` |
+----------------------------+---------------------------------------+---------------------------------+
| software.log               | Software being used on the network    | :bro:type:`Software::Info`      |
+----------------------------+---------------------------------------+---------------------------------+

Miscellaneous
-------------

+----------------------------+---------------------------------------+---------------------------------+
| Log File                   | Description                           | Field Descriptions              |
+============================+=======================================+=================================+
| barnyard2.log              | Alerts received from Barnyard2        | :bro:type:`Barnyard2::Info`     |
+----------------------------+---------------------------------------+---------------------------------+
| dpd.log                    | Dynamic protocol detection failures   | :bro:type:`DPD::Info`           |
+----------------------------+---------------------------------------+---------------------------------+
| unified2.log               | Interprets Snort's unified output     | :bro:type:`Unified2::Info`      |
+----------------------------+---------------------------------------+---------------------------------+
| weird.log                  | Unexpected network-level activity     | :bro:type:`Weird::Info`         |
+----------------------------+---------------------------------------+---------------------------------+

Bro Diagnostics
---------------

+----------------------------+---------------------------------------+---------------------------------+
| Log File                   | Description                           | Field Descriptions              |
+============================+=======================================+=================================+
| capture_loss.log           | Packet loss rate                      | :bro:type:`CaptureLoss::Info`   |
+----------------------------+---------------------------------------+---------------------------------+
| cluster.log                | Bro cluster messages                  | :bro:type:`Cluster::Info`       |
+----------------------------+---------------------------------------+---------------------------------+
| communication.log          | Communication events between Bro or   | :bro:type:`Communication::Info` |
|                            | Broccoli instances                    |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| loaded_scripts.log         | Shows all scripts loaded by Bro       | :bro:type:`LoadedScripts::Info` |
+----------------------------+---------------------------------------+---------------------------------+
| packet_filter.log          | Packet filters that were applied      | :bro:type:`PacketFilter::Info`  |
+----------------------------+---------------------------------------+---------------------------------+
| prof.log                   | Profiling statistics (to create this  | N/A                             |
|                            | log, load policy/misc/profiling.bro)  |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| reporter.log               | Internal error/warning/info messages  | :bro:type:`Reporter::Info`      |
+----------------------------+---------------------------------------+---------------------------------+
| stats.log                  | Memory/event/packet/lag statistics    | :bro:type:`Stats::Info`         |
+----------------------------+---------------------------------------+---------------------------------+
| stderr.log                 | Captures standard error when Bro is   | N/A                             |
|                            | started from BroControl               |                                 |
+----------------------------+---------------------------------------+---------------------------------+
| stdout.log                 | Captures standard output when Bro is  | N/A                             |
|                            | started from BroControl               |                                 |
+----------------------------+---------------------------------------+---------------------------------+