mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
5f3af9e9eb
This option indicates that the Teredo analyzer should wait until it sees both sides of a connection using a valid Teredo encapsulation before issuing a protocol_confirmation. Previous behavior confirmed on the first instance of a valid encapsulation, which could result in more false positives (and e.g. bogus entries in known-services.log). Addresses #890.
2808 lines
97 KiB
Text
2808 lines
97 KiB
Text
@load base/const.bif
|
|
@load base/types.bif
|
|
|
|
# Type declarations
|
|
|
|
## An ordered array of strings. The entries are indexed by succesive numbers. Note
|
|
## that it depends on the usage whether the first index is zero or one.
|
|
##
|
|
## .. todo:: We need this type definition only for declaring builtin functions via
|
|
## ``bifcl``. We should extend ``bifcl`` to understand composite types directly and
|
|
## then remove this alias.
|
|
type string_array: table[count] of string;
|
|
|
|
## A set of strings.
|
|
##
|
|
## .. todo:: We need this type definition only for declaring builtin functions via
|
|
## ``bifcl``. We should extend ``bifcl`` to understand composite types directly and
|
|
## then remove this alias.
|
|
type string_set: set[string];
|
|
|
|
## A set of addresses.
|
|
##
|
|
## .. todo:: We need this type definition only for declaring builtin functions via
|
|
## ``bifcl``. We should extend ``bifcl`` to understand composite types directly and
|
|
## then remove this alias.
|
|
type addr_set: set[addr];
|
|
|
|
## A set of counts.
|
|
##
|
|
## .. todo:: We need this type definition only for declaring builtin functions via
|
|
## ``bifcl``. We should extend ``bifcl`` to understand composite types directly and
|
|
## then remove this alias.
|
|
type count_set: set[count];
|
|
|
|
## A vector of counts, used by some builtin functions to store a list of indices.
|
|
##
|
|
## .. todo:: We need this type definition only for declaring builtin functions via
|
|
## ``bifcl``. We should extend ``bifcl`` to understand composite types directly and
|
|
## then remove this alias.
|
|
type index_vec: vector of count;
|
|
|
|
## A vector of strings.
|
|
##
|
|
## .. todo:: We need this type definition only for declaring builtin functions via
|
|
## ``bifcl``. We should extend ``bifcl`` to understand composite types directly and
|
|
## then remove this alias.
|
|
type string_vec: vector of string;
|
|
|
|
## A vector of addresses.
|
|
##
|
|
## .. todo:: We need this type definition only for declaring builtin functions via
|
|
## ``bifcl``. We should extend ``bifcl`` to understand composite types directly and
|
|
## then remove this alias.
|
|
type addr_vec: vector of addr;
|
|
|
|
## A table of strings indexed by strings.
|
|
##
|
|
## .. todo:: We need this type definition only for declaring builtin functions via
|
|
## ``bifcl``. We should extend ``bifcl`` to understand composite types directly and
|
|
## then remove this alias.
|
|
type table_string_of_string: table[string] of string;
|
|
|
|
## A connection's transport-layer protocol. Note that Bro uses the term
|
|
## "connection" broadly, using flow semantics for ICMP and UDP.
|
|
type transport_proto: enum {
|
|
unknown_transport, ##< An unknown transport-layer protocol.
|
|
tcp, ##< TCP.
|
|
udp, ##< UDP.
|
|
icmp ##< ICMP.
|
|
};
|
|
|
|
## A connection's identifying 4-tuple of endpoints and ports.
|
|
##
|
|
## .. note:: It's actually a 5-tuple: the transport-layer protocol is stored as
|
|
## part of the port values, `orig_p` and `resp_p`, and can be extracted from them
|
|
## with :bro:id:`get_port_transport_proto`.
|
|
type conn_id: record {
|
|
orig_h: addr; ##< The originator's IP address.
|
|
orig_p: port; ##< The originator's port number.
|
|
resp_h: addr; ##< The responder's IP address.
|
|
resp_p: port; ##< The responder's port number.
|
|
} &log;
|
|
|
|
## Specifics about an ICMP conversation. ICMP events typically pass this in
|
|
## addition to :bro:type:`conn_id`.
|
|
##
|
|
## .. bro:see:: icmp_echo_reply icmp_echo_request icmp_redirect icmp_sent
|
|
## icmp_time_exceeded icmp_unreachable
|
|
type icmp_conn: record {
|
|
orig_h: addr; ##< The originator's IP address.
|
|
resp_h: addr; ##< The responder's IP address.
|
|
itype: count; ##< The ICMP type of the packet that triggered the instantiation of the record.
|
|
icode: count; ##< The ICMP code of the packet that triggered the instantiation of the record.
|
|
len: count; ##< The length of the ICMP payload of the packet that triggered the instantiation of the record.
|
|
hlim: count; ##< The encapsulating IP header's Hop Limit value.
|
|
v6: bool; ##< True if it's an ICMPv6 packet.
|
|
};
|
|
|
|
## Packet context part of an ICMP message. The fields of this record reflect the
|
|
## packet that is described by the context.
|
|
##
|
|
## .. bro:see:: icmp_time_exceeded icmp_unreachable
|
|
type icmp_context: record {
|
|
id: conn_id; ##< The packet's 4-tuple.
|
|
len: count; ##< The length of the IP packet (headers + payload).
|
|
proto: count; ##< The packet's transport-layer protocol.
|
|
frag_offset: count; ##< The packet's fragementation offset.
|
|
## True if the packet's IP header is not fully included in the context
|
|
## or if there is not enough of the transport header to determine source
|
|
## and destination ports. If that is the cast, the appropriate fields
|
|
## of this record will be set to null values.
|
|
bad_hdr_len: bool;
|
|
bad_checksum: bool; ##< True if the packet's IP checksum is not correct.
|
|
MF: bool; ##< True if the packets *more fragements* flag is set.
|
|
DF: bool; ##< True if the packets *don't fragment* flag is set.
|
|
};
|
|
|
|
## Values extracted from a Prefix Information option in an ICMPv6 neighbor
|
|
## discovery message as specified by :rfc:`4861`.
|
|
##
|
|
## .. bro:see:: icmp6_nd_option
|
|
type icmp6_nd_prefix_info: record {
|
|
## Number of leading bits of the *prefix* that are valid.
|
|
prefix_len: count;
|
|
## Flag indicating the prefix can be used for on-link determination.
|
|
L_flag: bool;
|
|
## Autonomous address-configuration flag.
|
|
A_flag: bool;
|
|
## Length of time in seconds that the prefix is valid for purpose of
|
|
## on-link determination (0xffffffff represents infinity).
|
|
valid_lifetime: interval;
|
|
## Length of time in seconds that the addresses generated from the prefix
|
|
## via stateless address autoconfiguration remain preferred
|
|
## (0xffffffff represents infinity).
|
|
preferred_lifetime: interval;
|
|
## An IP address or prefix of an IP address. Use the *prefix_len* field
|
|
## to convert this into a :bro:type:`subnet`.
|
|
prefix: addr;
|
|
};
|
|
|
|
## Options extracted from ICMPv6 neighbor discovery messages as specified
|
|
## by :rfc:`4861`.
|
|
##
|
|
## .. bro:see:: icmp_router_solicitation icmp_router_advertisement
|
|
## icmp_neighbor_advertisement icmp_neighbor_solicitation icmp_redirect
|
|
## icmp6_nd_options
|
|
type icmp6_nd_option: record {
|
|
## 8-bit identifier of the type of option.
|
|
otype: count;
|
|
## 8-bit integer representing the length of the option (including the type
|
|
## and length fields) in units of 8 octets.
|
|
len: count;
|
|
## Source Link-Layer Address (Type 1) or Target Link-Layer Address (Type 2).
|
|
## Byte ordering of this is dependent on the actual link-layer.
|
|
link_address: string &optional;
|
|
## Prefix Information (Type 3).
|
|
prefix: icmp6_nd_prefix_info &optional;
|
|
## Redirected header (Type 4). This field contains the context of the
|
|
## original, redirected packet.
|
|
redirect: icmp_context &optional;
|
|
## Recommended MTU for the link (Type 5).
|
|
mtu: count &optional;
|
|
## The raw data of the option (everything after type & length fields),
|
|
## useful for unknown option types or when the full option payload is
|
|
## truncated in the captured packet. In those cases, option fields
|
|
## won't be pre-extracted into the fields above.
|
|
payload: string &optional;
|
|
};
|
|
|
|
## A type alias for a vector of ICMPv6 neighbor discovery message options.
|
|
type icmp6_nd_options: vector of icmp6_nd_option;
|
|
|
|
# A DNS mapping between IP address and hostname resolved by Bro's internal
|
|
# resolver.
|
|
#
|
|
# .. bro:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
|
|
# dns_mapping_unverified dns_mapping_valid
|
|
type dns_mapping: record {
|
|
## The time when the mapping was created, which corresponds to the when the DNS
|
|
## query was sent out.
|
|
creation_time: time;
|
|
## If the mapping is the result of a name lookup, the queried host name; otherwise
|
|
## empty.
|
|
req_host: string;
|
|
## If the mapping is the result of a pointer lookup, the queried address; otherwise
|
|
## null.
|
|
req_addr: addr;
|
|
## True if the lookup returned success. Only then, the result ields are valid.
|
|
valid: bool;
|
|
## If the mapping is the result of a pointer lookup, the resolved hostname;
|
|
## otherwise empty.
|
|
hostname: string;
|
|
## If the mapping is the result of an address lookup, the resolved address(es);
|
|
## otherwise empty.
|
|
addrs: addr_set;
|
|
};
|
|
|
|
## A parsed host/port combination describing server endpoint for an upcoming
|
|
## data transfert.
|
|
##
|
|
## .. bro:see:: fmt_ftp_port parse_eftp_port parse_ftp_epsv parse_ftp_pasv
|
|
## parse_ftp_port
|
|
type ftp_port: record {
|
|
h: addr; ##< The host's address.
|
|
p: port; ##< The host's port.
|
|
valid: bool; ##< True if format was right. Only then, *h* and *p* are valid.
|
|
};
|
|
|
|
## Statistics about what a TCP endpoint sent.
|
|
##
|
|
## .. bro:see:: conn_stats
|
|
type endpoint_stats: record {
|
|
num_pkts: count; ##< Number of packets.
|
|
num_rxmit: count; ##< Number of retransmission.
|
|
num_rxmit_bytes: count; ##< Number of retransmitted bytes.
|
|
num_in_order: count; ##< Number of in-order packets.
|
|
num_OO: count; ##< Number out-of-order packets.
|
|
num_repl: count; ##< Number of replicated packets (last packet was sent again).
|
|
## Endian type used by the endpoint, if it it could be determined from the sequence
|
|
## numbers used. This is one of :bro:see:`ENDIAN_UNKNOWN`, :bro:see:`ENDIAN_BIG`,
|
|
## :bro:see:`ENDIAN_LITTLE`, and :bro:see:`ENDIAN_CONFUSED`.
|
|
endian_type: count;
|
|
};
|
|
|
|
## A unique analyzer instance ID. Each time instantiates a protocol analyzers
|
|
## for a connection, it assigns it a unique ID that can be used to reference
|
|
## that instance.
|
|
##
|
|
## .. bro:see:: analyzer_name disable_analyzer protocol_confirmation
|
|
## protocol_violation
|
|
##
|
|
## .. todo::While we declare an alias for the type here, the events/functions still
|
|
## use ``count``. That should be changed.
|
|
type AnalyzerID: count;
|
|
|
|
module Tunnel;
|
|
export {
|
|
## Records the identity of an encapsulating parent of a tunneled connection.
|
|
type EncapsulatingConn: record {
|
|
## The 4-tuple of the encapsulating "connection". In case of an IP-in-IP
|
|
## tunnel the ports will be set to 0. The direction (i.e., orig and
|
|
## resp) are set according to the first tunneled packet seen
|
|
## and not according to the side that established the tunnel.
|
|
cid: conn_id;
|
|
## The type of tunnel.
|
|
tunnel_type: Tunnel::Type;
|
|
## A globally unique identifier that, for non-IP-in-IP tunnels,
|
|
## cross-references the *uid* field of :bro:type:`connection`.
|
|
uid: string &optional;
|
|
} &log;
|
|
} # end export
|
|
module GLOBAL;
|
|
|
|
## A type alias for a vector of encapsulating "connections", i.e for when
|
|
## there are tunnels within tunnels.
|
|
##
|
|
## .. todo:: We need this type definition only for declaring builtin functions
|
|
## via ``bifcl``. We should extend ``bifcl`` to understand composite types
|
|
## directly and then remove this alias.
|
|
type EncapsulatingConnVector: vector of Tunnel::EncapsulatingConn;
|
|
|
|
## Statistics about a :bro:type:`connection` endpoint.
|
|
##
|
|
## .. bro:see:: connection
|
|
type endpoint: record {
|
|
size: count; ##< Logical size of data sent (for TCP: derived from sequence numbers).
|
|
## Endpoint state. For TCP connection, one of the constants:
|
|
## :bro:see:`TCP_INACTIVE` :bro:see:`TCP_SYN_SENT` :bro:see:`TCP_SYN_ACK_SENT`
|
|
## :bro:see:`TCP_PARTIAL` :bro:see:`TCP_ESTABLISHED` :bro:see:`TCP_CLOSED`
|
|
## :bro:see:`TCP_RESET`. For UDP, one of :bro:see:`UDP_ACTIVE` and
|
|
## :bro:see:`UDP_INACTIVE`.
|
|
state: count;
|
|
## Number of packets sent. Only set if :bro:id:`use_conn_size_analyzer` is true.
|
|
num_pkts: count &optional;
|
|
## Number of IP-level bytes sent. Only set if :bro:id:`use_conn_size_analyzer` is
|
|
## true.
|
|
num_bytes_ip: count &optional;
|
|
## The current IPv6 flow label that the connection endpoint is using.
|
|
## Always 0 if the connection is over IPv4.
|
|
flow_label: count;
|
|
};
|
|
|
|
## A connection. This is Bro's basic connection type describing IP- and
|
|
## transport-layer information about the conversation. Note that Bro uses a
|
|
## liberal interpreation of "connection" and associates instances of this type
|
|
## also with UDP and ICMP flows.
|
|
type connection: record {
|
|
id: conn_id; ##< The connection's identifying 4-tuple.
|
|
orig: endpoint; ##< Statistics about originator side.
|
|
resp: endpoint; ##< Statistics about responder side.
|
|
start_time: time; ##< The timestamp of the connection's first packet.
|
|
## The duration of the conversation. Roughly speaking, this is the interval between
|
|
## first and last data packet (low-level TCP details may adjust it somewhat in
|
|
## ambigious cases).
|
|
duration: interval;
|
|
## The set of services the connection is using as determined by Bro's dynamic
|
|
## protocol detection. Each entry is the label of an analyzer that confirmed that
|
|
## it could parse the connection payload. While typically, there will be at
|
|
## most one entry for each connection, in principle it is possible that more than
|
|
## one protocol analyzer is able to parse the same data. If so, all will
|
|
## be recorded. Also note that the recorced services are independent of any
|
|
## transport-level protocols.
|
|
service: set[string];
|
|
addl: string; ##< Deprecated.
|
|
hot: count; ##< Deprecated.
|
|
history: string; ##< State history of connections. See *history* in :bro:see:`Conn::Info`.
|
|
## A globally unique connection identifier. For each connection, Bro creates an ID
|
|
## that is very likely unique across independent Bro runs. These IDs can thus be
|
|
## used to tag and locate information associated with that connection.
|
|
uid: string;
|
|
## If the connection is tunneled, this field contains information about
|
|
## the encapsulating "connection(s)" with the outermost one starting
|
|
## at index zero. It's also always the first such enapsulation seen
|
|
## for the connection unless the :bro:id:`tunnel_changed` event is handled
|
|
## and re-assigns this field to the new encapsulation.
|
|
tunnel: EncapsulatingConnVector &optional;
|
|
};
|
|
|
|
## Fields of a SYN packet.
|
|
##
|
|
## .. bro:see:: connection_SYN_packet
|
|
type SYN_packet: record {
|
|
is_orig: bool; ##< True if the packet was sent the connection's originator.
|
|
DF: bool; ##< True if the *don't fragment* is set in the IP header.
|
|
ttl: count; ##< The IP header's time-to-live.
|
|
size: count; ##< The size of the packet's payload as specified in the IP header.
|
|
win_size: count; ##< The window size from the TCP header.
|
|
win_scale: int; ##< The window scale option if present, or -1 if not.
|
|
MSS: count; ##< The maximum segement size if present, or 0 if not.
|
|
SACK_OK: bool; ##< True if the *SACK* option is present.
|
|
};
|
|
|
|
## Packet capture statistics. All counts are cumulative.
|
|
##
|
|
## .. bro:see:: net_stats
|
|
type NetStats: record {
|
|
pkts_recvd: count &default=0; ##< Packets received by Bro.
|
|
pkts_dropped: count &default=0; ##< Packets reported dropped by the system.
|
|
## Packets seen on the link. Note that this may differ
|
|
## from *pkts_recvd* because of a potential capture_filter. See
|
|
## :doc:`/scripts/base/frameworks/packet-filter/main`. Depending on the packet
|
|
## capture system, this value may not be available and will then be always set to
|
|
## zero.
|
|
pkts_link: count &default=0;
|
|
};
|
|
|
|
## Statistics about Bro's resource consumption.
|
|
##
|
|
## .. bro:see:: resource_usage
|
|
##
|
|
## .. note:: All process-level values refer to Bro's main process only, not to
|
|
## the child process it spawns for doing communication.
|
|
type bro_resources: record {
|
|
version: string; ##< Bro version string.
|
|
debug: bool; ##< True if compiled with --enable-debug.
|
|
start_time: time; ##< Start time of process.
|
|
real_time: interval; ##< Elapsed real time since Bro started running.
|
|
user_time: interval; ##< User CPU seconds.
|
|
system_time: interval; ##< System CPU seconds.
|
|
mem: count; ##< Maximum memory consumed, in KB.
|
|
minor_faults: count; ##< Page faults not requiring actual I/O.
|
|
major_faults: count; ##< Page faults requiring actual I/O.
|
|
num_swap: count; ##< Times swapped out.
|
|
blocking_input: count; ##< Blocking input operations.
|
|
blocking_output: count; ##< Blocking output operations.
|
|
num_context: count; ##< Number of involuntary context switches.
|
|
|
|
num_TCP_conns: count; ##< Current number of TCP connections in memory.
|
|
num_UDP_conns: count; ##< Current number of UDP flows in memory.
|
|
num_ICMP_conns: count; ##< Current number of ICMP flows in memory.
|
|
num_fragments: count; ##< Current number of fragments pending reassembly.
|
|
num_packets: count; ##< Total number packets processed to date.
|
|
num_timers: count; ##< Current number of pending timers.
|
|
num_events_queued: count; ##< Total number of events queued so far.
|
|
num_events_dispatched: count; ##< Total number of events dispatched so far.
|
|
|
|
max_TCP_conns: count; ##< Maximum number of concurrent TCP connections so far.
|
|
max_UDP_conns: count; ##< Maximum number of concurrent UDP connections so far.
|
|
max_ICMP_conns: count; ##< Maximum number of concurrent ICMP connections so far.
|
|
max_fragments: count; ##< Maximum number of concurrently buffered fragements so far.
|
|
max_timers: count; ##< Maximum number of concurrent timers pending so far.
|
|
};
|
|
|
|
## Summary statistics of all regular expression matchers.
|
|
##
|
|
## .. bro:see:: get_matcher_stats
|
|
type matcher_stats: record {
|
|
matchers: count; ##< Number of distinct RE matchers.
|
|
dfa_states: count; ##< Number of DFA states across all matchers.
|
|
computed: count; ##< Number of computed DFA state transitions.
|
|
mem: count; ##< Number of bytes used by DFA states.
|
|
hits: count; ##< Number of cache hits.
|
|
misses: count; ##< Number of cache misses.
|
|
avg_nfa_states: count; ##< Average number of NFA states across all matchers.
|
|
};
|
|
|
|
## Statistics about number of gaps in TCP connections.
|
|
##
|
|
## .. bro:see:: gap_report get_gap_summary
|
|
type gap_info: record {
|
|
ack_events: count; ##< How many ack events *could* have had gaps.
|
|
ack_bytes: count; ##< How many bytes those covered.
|
|
gap_events: count; ##< How many *did* have gaps.
|
|
gap_bytes: count; ##< How many bytes were missing in the gaps.
|
|
};
|
|
|
|
## Deprecated.
|
|
##
|
|
## .. todo:: Remove. It's still declared internally but doesn't seem used anywhere
|
|
## else.
|
|
type packet: record {
|
|
conn: connection;
|
|
is_orig: bool;
|
|
seq: count; ##< seq=k => it is the kth *packet* of the connection
|
|
timestamp: time;
|
|
};
|
|
|
|
## Table type used to map variable names to their memory allocation.
|
|
##
|
|
## .. bro:see:: global_sizes
|
|
##
|
|
## .. todo:: We need this type definition only for declaring builtin functions via
|
|
## ``bifcl``. We should extend ``bifcl`` to understand composite types directly and
|
|
## then remove this alias.
|
|
type var_sizes: table[string] of count;
|
|
|
|
## Meta-information about a script-level identifier.
|
|
##
|
|
## .. bro:see:: global_ids id_table
|
|
type script_id: record {
|
|
type_name: string; ##< The name of the identifier's type.
|
|
exported: bool; ##< True if the identifier is exported.
|
|
constant: bool; ##< True if the identifier is a constant.
|
|
enum_constant: bool; ##< True if the identifier is an enum value.
|
|
redefinable: bool; ##< True if the identifier is declared with the :bro:attr:`&redef` attribute.
|
|
value: any &optional; ##< The current value of the identifier.
|
|
};
|
|
|
|
## Table type used to map script-level identifiers to meta-information
|
|
## describing them.
|
|
##
|
|
## .. bro:see:: global_ids script_id
|
|
##
|
|
## .. todo:: We need this type definition only for declaring builtin functions via
|
|
## ``bifcl``. We should extend ``bifcl`` to understand composite types directly and
|
|
## then remove this alias.
|
|
type id_table: table[string] of script_id;
|
|
|
|
## Meta-information about a record-field.
|
|
##
|
|
## .. bro:see:: record_fields record_field_table
|
|
type record_field: record {
|
|
type_name: string; ##< The name of the field's type.
|
|
log: bool; ##< True of the field is declared with :bro:attr:`&log` attribute.
|
|
## The current value of the field in the record instance passed into
|
|
## :bro:see:`record_fields` (if it has one).
|
|
value: any &optional;
|
|
default_val: any &optional; ##< The value of the :bro:attr:`&default` attribute if defined.
|
|
};
|
|
|
|
## Table type used to map record field declarations to meta-information describing
|
|
## them.
|
|
##
|
|
## .. bro:see:: record_fields record_field
|
|
##
|
|
## .. todo:: We need this type definition only for declaring builtin functions via
|
|
## ``bifcl``. We should extend ``bifcl`` to understand composite types directly and
|
|
## then remove this alias.
|
|
type record_field_table: table[string] of record_field;
|
|
|
|
# todo::Do we still needs these here? Can they move into the packet filter
|
|
# framework?
|
|
#
|
|
# The following two variables are defined here until the core is not
|
|
# dependent on the names remaining as they are now.
|
|
|
|
## Set of BPF capture filters to use for capturing, indexed by a user-definable
|
|
## ID (which must be unique). If Bro is *not* configured to examine
|
|
## :bro:id:`PacketFilter::all_packets`, all packets matching at least
|
|
## one of the filters in this table (and all in :bro:id:`restrict_filters`)
|
|
## will be analyzed.
|
|
##
|
|
## .. bro:see:: PacketFilter PacketFilter::all_packets
|
|
## PacketFilter::unrestricted_filter restrict_filters
|
|
global capture_filters: table[string] of string &redef;
|
|
|
|
## Set of BPF filters to restrict capturing, indexed by a user-definable ID (which
|
|
## must be unique). If Bro is *not* configured to examine
|
|
## :bro:id:`PacketFilter::all_packets`, only packets matching *all* of the
|
|
## filters in this table (and any in :bro:id:`capture_filters`) will be
|
|
## analyzed.
|
|
##
|
|
## .. bro:see:: PacketFilter PacketFilter::all_packets
|
|
## PacketFilter::unrestricted_filter capture_filters
|
|
global restrict_filters: table[string] of string &redef;
|
|
|
|
## Enum type identifying dynamic BPF filters. These are used by
|
|
## :bro:see:`precompile_pcap_filter` and :bro:see:`precompile_pcap_filter`.
|
|
type PcapFilterID: enum { None };
|
|
|
|
## Deprecated.
|
|
##
|
|
## .. bro:see:: anonymize_addr
|
|
type IPAddrAnonymization: enum {
|
|
KEEP_ORIG_ADDR,
|
|
SEQUENTIALLY_NUMBERED,
|
|
RANDOM_MD5,
|
|
PREFIX_PRESERVING_A50,
|
|
PREFIX_PRESERVING_MD5,
|
|
};
|
|
|
|
## Deprecated.
|
|
##
|
|
## .. bro:see:: anonymize_addr
|
|
type IPAddrAnonymizationClass: enum {
|
|
ORIG_ADDR,
|
|
RESP_ADDR,
|
|
OTHER_ADDR,
|
|
};
|
|
|
|
## A locally unique ID identifying a communication peer. The ID is returned by
|
|
## :bro:id:`connect`.
|
|
##
|
|
## .. bro:see:: connect Communication
|
|
type peer_id: count;
|
|
|
|
## A communication peer.
|
|
##
|
|
## .. bro:see:: complete_handshake disconnect finished_send_state
|
|
## get_event_peer get_local_event_peer remote_capture_filter
|
|
## remote_connection_closed remote_connection_error
|
|
## remote_connection_established remote_connection_handshake_done
|
|
## remote_event_registered remote_log_peer remote_pong
|
|
## request_remote_events request_remote_logs request_remote_sync
|
|
## send_capture_filter send_current_packet send_id send_ping send_state
|
|
## set_accept_state set_compression_level
|
|
##
|
|
## .. todo::The type's name is to narrow these days, should rename.
|
|
type event_peer: record {
|
|
id: peer_id; ##< Locally unique ID of peer (returned by :bro:id:`connect`).
|
|
host: addr; ##< The IP address of the peer.
|
|
## Either the port we connected to at the peer; or our port the peer
|
|
## connected to if the session is remotely initiated.
|
|
p: port;
|
|
is_local: bool; ##< True if this record describes the local process.
|
|
descr: string; ##< The peer's :bro:see:`peer_description`.
|
|
class: string &optional; ##< The self-assigned *class* of the peer. See :bro:see:`Communication::Node`.
|
|
};
|
|
|
|
## Deprecated.
|
|
##
|
|
## .. bro:see:: rotate_file rotate_file_by_name rotate_interval
|
|
type rotate_info: record {
|
|
old_name: string; ##< Original filename.
|
|
new_name: string; ##< File name after rotation.
|
|
open: time; ##< Time when opened.
|
|
close: time; ##< Time when closed.
|
|
};
|
|
|
|
### The following aren't presently used, though they should be.
|
|
# # Structures needed for subsequence computations (str_smith_waterman):
|
|
# #
|
|
# type sw_variant: enum {
|
|
# SW_SINGLE,
|
|
# SW_MULTIPLE,
|
|
# };
|
|
|
|
## Paramerts for the Smith-Waterman algorithm.
|
|
##
|
|
## .. bro:see:: str_smith_waterman
|
|
type sw_params: record {
|
|
## Minimum size of a substring, minimum "granularity".
|
|
min_strlen: count &default = 3;
|
|
|
|
## Smith-Waterman flavor to use.
|
|
sw_variant: count &default = 0;
|
|
};
|
|
|
|
## Helper type for return value of Smith-Waterman algorithm.
|
|
##
|
|
## .. bro:see:: str_smith_waterman sw_substring_vec sw_substring sw_align_vec sw_params
|
|
type sw_align: record {
|
|
str: string; ##< String a substring is part of.
|
|
index: count; ##< Offset substring is located.
|
|
};
|
|
|
|
## Helper type for return value of Smith-Waterman algorithm.
|
|
##
|
|
## .. bro:see:: str_smith_waterman sw_substring_vec sw_substring sw_align sw_params
|
|
type sw_align_vec: vector of sw_align;
|
|
|
|
## Helper type for return value of Smith-Waterman algorithm.
|
|
##
|
|
## .. bro:see:: str_smith_waterman sw_substring_vec sw_align_vec sw_align sw_params
|
|
##
|
|
type sw_substring: record {
|
|
str: string; ##< A substring.
|
|
aligns: sw_align_vec; ##< All strings of which it's a substring.
|
|
new: bool; ##< True if start of new alignment.
|
|
};
|
|
|
|
## Return type for Smith-Waterman algorithm.
|
|
##
|
|
## .. bro:see:: str_smith_waterman sw_substring sw_align_vec sw_align sw_params
|
|
##
|
|
## .. todo:: We need this type definition only for declaring builtin functions via
|
|
## ``bifcl``. We should extend ``bifcl`` to understand composite types directly and
|
|
## then remove this alias.
|
|
type sw_substring_vec: vector of sw_substring;
|
|
|
|
## Policy-level representation of a packet passed on by libpcap. The data includes
|
|
## the complete packet as returned by libpcap, including the link-layer header.
|
|
##
|
|
## .. bro:see:: dump_packet get_current_packet
|
|
type pcap_packet: record {
|
|
ts_sec: count; ##< The non-fractional part of the packet's timestamp (i.e., full seconds since the epoch).
|
|
ts_usec: count; ##< The fractional part of the packet's timestamp.
|
|
caplen: count; ##< The number of bytes captured (<= *len*).
|
|
len: count; ##< The length of the packet in bytes, including <link-level header.
|
|
data: string; ##< The payload of the packet, including link-level header.
|
|
};
|
|
|
|
## GeoIP location information.
|
|
##
|
|
## .. bro:see:: lookup_location
|
|
type geo_location: record {
|
|
country_code: string &optional; ##< The country code.
|
|
region: string &optional; ##< The region.
|
|
city: string &optional; ##< The city.
|
|
latitude: double &optional; ##< Latitude.
|
|
longitude: double &optional; ##< Longitude.
|
|
} &log;
|
|
|
|
## Computed entropy values. The record captures a number of measures that are
|
|
## computed in parallel. See `A Pseudorandom Number Sequence Test Program
|
|
## <http://www.fourmilab.ch/random>`_ for more information, Bro uses the same
|
|
## code.
|
|
##
|
|
## .. bro:see:: entropy_test_add entropy_test_finish entropy_test_init find_entropy
|
|
type entropy_test_result: record {
|
|
entropy: double; ##< Information density.
|
|
chi_square: double; ##< Chi-Square value.
|
|
mean: double; ##< Arithmetic Mean.
|
|
monte_carlo_pi: double; ##< Monte-carlo value for pi.
|
|
serial_correlation: double; ##< Serial correlation coefficient.
|
|
};
|
|
|
|
# Prototypes of Bro built-in functions.
|
|
@load base/strings.bif
|
|
@load base/bro.bif
|
|
@load base/reporter.bif
|
|
|
|
## Deprecated. This is superseded by the new logging framework.
|
|
global log_file_name: function(tag: string): string &redef;
|
|
|
|
## Deprecated. This is superseded by the new logging framework.
|
|
global open_log_file: function(tag: string): file &redef;
|
|
|
|
## Specifies a directory for Bro store its persistent state. All globals can
|
|
## be declared persistent via the :bro:attr:`&persistent` attribute.
|
|
const state_dir = ".state" &redef;
|
|
|
|
## Length of the delays inserted when storing state incrementally. To avoid
|
|
## dropping packets when serializing larger volumes of persistent state to
|
|
## disk, Bro interleaves the operation with continued packet processing.
|
|
const state_write_delay = 0.01 secs &redef;
|
|
|
|
global done_with_network = F;
|
|
event net_done(t: time) { done_with_network = T; }
|
|
|
|
function log_file_name(tag: string): string
|
|
{
|
|
local suffix = getenv("BRO_LOG_SUFFIX") == "" ? "log" : getenv("BRO_LOG_SUFFIX");
|
|
return fmt("%s.%s", tag, suffix);
|
|
}
|
|
|
|
function open_log_file(tag: string): file
|
|
{
|
|
return open(log_file_name(tag));
|
|
}
|
|
|
|
## Internal function.
|
|
function add_interface(iold: string, inew: string): string
|
|
{
|
|
if ( iold == "" )
|
|
return inew;
|
|
else
|
|
return fmt("%s %s", iold, inew);
|
|
}
|
|
|
|
## Network interfaces to listen on. Use ``redef interfaces += "eth0"`` to
|
|
## extend.
|
|
global interfaces = "" &add_func = add_interface;
|
|
|
|
## Internal function.
|
|
function add_signature_file(sold: string, snew: string): string
|
|
{
|
|
if ( sold == "" )
|
|
return snew;
|
|
else
|
|
return cat(sold, " ", snew);
|
|
}
|
|
|
|
## Signature files to read. Use ``redef signature_files += "foo.sig"`` to
|
|
## extend. Signature files added this way will be searched relative to
|
|
## ``BROPATH``. Using the ``@load-sigs`` directive instead is preferred
|
|
## since that can search paths relative to the current script.
|
|
global signature_files = "" &add_func = add_signature_file;
|
|
|
|
## ``p0f`` fingerprint file to use. Will be searched relative to ``BROPATH``.
|
|
const passive_fingerprint_file = "base/misc/p0f.fp" &redef;
|
|
|
|
# todo::testing to see if I can remove these without causing problems.
|
|
#const ftp = 21/tcp;
|
|
#const ssh = 22/tcp;
|
|
#const telnet = 23/tcp;
|
|
#const smtp = 25/tcp;
|
|
#const domain = 53/tcp; # note, doesn't include UDP version
|
|
#const gopher = 70/tcp;
|
|
#const finger = 79/tcp;
|
|
#const http = 80/tcp;
|
|
#const ident = 113/tcp;
|
|
#const bgp = 179/tcp;
|
|
#const rlogin = 513/tcp;
|
|
|
|
# TCP values for :bro:see:`endpoint` *state* field.
|
|
# todo::these should go into an enum to make them autodoc'able.
|
|
const TCP_INACTIVE = 0; ##< Endpoint is still inactive.
|
|
const TCP_SYN_SENT = 1; ##< Endpoint has sent SYN.
|
|
const TCP_SYN_ACK_SENT = 2; ##< Endpoint has sent SYN/ACK.
|
|
const TCP_PARTIAL = 3; ##< Endpoint has sent data but no initial SYN.
|
|
const TCP_ESTABLISHED = 4; ##< Endpoint has finished initial handshake regularly.
|
|
const TCP_CLOSED = 5; ##< Endpoint has closed connection.
|
|
const TCP_RESET = 6; ##< Endpoint has sent RST.
|
|
|
|
# UDP values for :bro:see:`endpoint` *state* field.
|
|
# todo::these should go into an enum to make them autodoc'able.
|
|
const UDP_INACTIVE = 0; ##< Endpoint is still inactive.
|
|
const UDP_ACTIVE = 1; ##< Endpoint has sent something.
|
|
|
|
## If true, don't verify checksums. Useful for running on altered trace
|
|
## files, and for saving a few cycles, but at the risk of analyzing invalid
|
|
## data. Note that the ``-C`` command-line option overrides the setting of this
|
|
## variable.
|
|
const ignore_checksums = F &redef;
|
|
|
|
## If true, instantiate connection state when a partial connection
|
|
## (one missing its initial establishment negotiation) is seen.
|
|
const partial_connection_ok = T &redef;
|
|
|
|
## If true, instantiate connection state when a SYN/ACK is seen but not the initial
|
|
## SYN (even if :bro:see:`partial_connection_ok` is false).
|
|
const tcp_SYN_ack_ok = T &redef;
|
|
|
|
## If true, pass any undelivered to the signature engine before flushing the state.
|
|
## If a connection state is removed, there may still be some data waiting in the
|
|
## reassembler.
|
|
const tcp_match_undelivered = T &redef;
|
|
|
|
## Check up on the result of an initial SYN after this much time.
|
|
const tcp_SYN_timeout = 5 secs &redef;
|
|
|
|
## After a connection has closed, wait this long for further activity
|
|
## before checking whether to time out its state.
|
|
const tcp_session_timer = 6 secs &redef;
|
|
|
|
## When checking a closed connection for further activity, consider it
|
|
## inactive if there hasn't been any for this long. Complain if the
|
|
## connection is reused before this much time has elapsed.
|
|
const tcp_connection_linger = 5 secs &redef;
|
|
|
|
## Wait this long upon seeing an initial SYN before timing out the
|
|
## connection attempt.
|
|
const tcp_attempt_delay = 5 secs &redef;
|
|
|
|
## Upon seeing a normal connection close, flush state after this much time.
|
|
const tcp_close_delay = 5 secs &redef;
|
|
|
|
## Upon seeing a RST, flush state after this much time.
|
|
const tcp_reset_delay = 5 secs &redef;
|
|
|
|
## Generate a :bro:id:`connection_partial_close` event this much time after one half
|
|
## of a partial connection closes, assuming there has been no subsequent
|
|
## activity.
|
|
const tcp_partial_close_delay = 3 secs &redef;
|
|
|
|
## If a connection belongs to an application that we don't analyze,
|
|
## time it out after this interval. If 0 secs, then don't time it out (but
|
|
## :bro:see:`tcp_inactivity_timeout`/:bro:see:`udp_inactivity_timeout`/:bro:see:`icmp_inactivity_timeout`
|
|
## still apply).
|
|
const non_analyzed_lifetime = 0 secs &redef;
|
|
|
|
## If a TCP connection is inactive, time it out after this interval. If 0 secs,
|
|
## then don't time it out.
|
|
##
|
|
## .. bro:see:: udp_inactivity_timeout icmp_inactivity_timeout set_inactivity_timeout
|
|
const tcp_inactivity_timeout = 5 min &redef;
|
|
|
|
## If a UDP flow is inactive, time it out after this interval. If 0 secs, then
|
|
## don't time it out.
|
|
##
|
|
## .. bro:see:: tcp_inactivity_timeout icmp_inactivity_timeout set_inactivity_timeout
|
|
const udp_inactivity_timeout = 1 min &redef;
|
|
|
|
## If an ICMP flow is inactive, time it out after this interval. If 0 secs, then
|
|
## don't time it out.
|
|
##
|
|
## .. bro:see:: tcp_inactivity_timeout udp_inactivity_timeout set_inactivity_timeout
|
|
const icmp_inactivity_timeout = 1 min &redef;
|
|
|
|
## Number of FINs/RSTs in a row that constitute a "storm". Storms are reported via
|
|
## as ``weird`` via the notice framework, and they must also come within
|
|
## intervals of at most :bro:see:`tcp_storm_interarrival_thresh`.
|
|
##
|
|
## .. bro:see:: tcp_storm_interarrival_thresh
|
|
const tcp_storm_thresh = 1000 &redef;
|
|
|
|
## FINs/RSTs must come with this much time or less between them to be
|
|
## considered a "storm".
|
|
##
|
|
## .. bro:see:: tcp_storm_thresh
|
|
const tcp_storm_interarrival_thresh = 1 sec &redef;
|
|
|
|
## Maximum amount of data that might plausibly be sent in an initial flight (prior
|
|
## to receiving any acks). Used to determine whether we must not be seeing our
|
|
## peer's ACKs. Set to zero to turn off this determination.
|
|
##
|
|
## .. bro:see:: tcp_max_above_hole_without_any_acks tcp_excessive_data_without_further_acks
|
|
const tcp_max_initial_window = 4096;
|
|
|
|
## If we're not seeing our peer's ACKs, the maximum volume of data above a sequence
|
|
## hole that we'll tolerate before assuming that there's been a packet drop and we
|
|
## should give up on tracking a connection. If set to zero, then we don't ever give
|
|
## up.
|
|
##
|
|
## .. bro:see:: tcp_max_initial_window tcp_excessive_data_without_further_acks
|
|
const tcp_max_above_hole_without_any_acks = 4096;
|
|
|
|
## If we've seen this much data without any of it being acked, we give up
|
|
## on that connection to avoid memory exhaustion due to buffering all that
|
|
## stuff. If set to zero, then we don't ever give up. Ideally, Bro would
|
|
## track the current window on a connection and use it to infer that data
|
|
## has in fact gone too far, but for now we just make this quite beefy.
|
|
##
|
|
## .. bro:see:: tcp_max_initial_window tcp_max_above_hole_without_any_acks
|
|
const tcp_excessive_data_without_further_acks = 10 * 1024 * 1024;
|
|
|
|
## For services without an a handler, these sets define originator-side ports that
|
|
## still trigger reassembly.
|
|
##
|
|
## .. :bro:see:: tcp_reassembler_ports_resp
|
|
const tcp_reassembler_ports_orig: set[port] = {} &redef;
|
|
|
|
## For services without an a handler, these sets define responder-side ports that
|
|
## still trigger reassembly.
|
|
##
|
|
## .. :bro:see:: tcp_reassembler_ports_orig
|
|
const tcp_reassembler_ports_resp: set[port] = {} &redef;
|
|
|
|
## Defines destination TCP ports for which the contents of the originator stream
|
|
## should be delivered via :bro:see:`tcp_contents`.
|
|
##
|
|
## .. bro:see:: tcp_content_delivery_ports_resp tcp_content_deliver_all_orig
|
|
## tcp_content_deliver_all_resp udp_content_delivery_ports_orig
|
|
## udp_content_delivery_ports_resp udp_content_deliver_all_orig
|
|
## udp_content_deliver_all_resp tcp_contents
|
|
const tcp_content_delivery_ports_orig: table[port] of bool = {} &redef;
|
|
|
|
## Defines destination TCP ports for which the contents of the responder stream should
|
|
## be delivered via :bro:see:`tcp_contents`.
|
|
##
|
|
## .. bro:see:: tcp_content_delivery_ports_orig tcp_content_deliver_all_orig
|
|
## tcp_content_deliver_all_resp udp_content_delivery_ports_orig
|
|
## udp_content_delivery_ports_resp udp_content_deliver_all_orig
|
|
## udp_content_deliver_all_resp tcp_contents
|
|
const tcp_content_delivery_ports_resp: table[port] of bool = {} &redef;
|
|
|
|
## If true, all TCP originator-side traffic is reported via
|
|
## :bro:see:`tcp_contents`.
|
|
##
|
|
## .. bro:see:: tcp_content_delivery_ports_orig tcp_content_delivery_ports_resp
|
|
## tcp_content_deliver_all_resp udp_content_delivery_ports_orig
|
|
## udp_content_delivery_ports_resp udp_content_deliver_all_orig
|
|
## udp_content_deliver_all_resp tcp_contents
|
|
const tcp_content_deliver_all_orig = F &redef;
|
|
|
|
## If true, all TCP responder-side traffic is reported via
|
|
## :bro:see:`tcp_contents`.
|
|
##
|
|
## .. bro:see:: tcp_content_delivery_ports_orig
|
|
## tcp_content_delivery_ports_resp
|
|
## tcp_content_deliver_all_orig udp_content_delivery_ports_orig
|
|
## udp_content_delivery_ports_resp udp_content_deliver_all_orig
|
|
## udp_content_deliver_all_resp tcp_contents
|
|
const tcp_content_deliver_all_resp = F &redef;
|
|
|
|
## Defines UDP destination ports for which the contents of the originator stream
|
|
## should be delivered via :bro:see:`udp_contents`.
|
|
##
|
|
## .. bro:see:: tcp_content_delivery_ports_orig
|
|
## tcp_content_delivery_ports_resp
|
|
## tcp_content_deliver_all_orig tcp_content_deliver_all_resp
|
|
## udp_content_delivery_ports_resp udp_content_deliver_all_orig
|
|
## udp_content_deliver_all_resp udp_contents
|
|
const udp_content_delivery_ports_orig: table[port] of bool = {} &redef;
|
|
|
|
## Defines UDP destination ports for which the contents of the originator stream
|
|
## should be delivered via :bro:see:`udp_contents`.
|
|
##
|
|
## .. bro:see:: tcp_content_delivery_ports_orig
|
|
## tcp_content_delivery_ports_resp tcp_content_deliver_all_orig
|
|
## tcp_content_deliver_all_resp udp_content_delivery_ports_orig
|
|
## udp_content_deliver_all_orig udp_content_deliver_all_resp udp_contents
|
|
const udp_content_delivery_ports_resp: table[port] of bool = {} &redef;
|
|
|
|
## If true, all UDP originator-side traffic is reported via
|
|
## :bro:see:`tcp_contents`.
|
|
##
|
|
## .. bro:see:: tcp_content_delivery_ports_orig
|
|
## tcp_content_delivery_ports_resp tcp_content_deliver_all_resp
|
|
## tcp_content_delivery_ports_orig udp_content_delivery_ports_orig
|
|
## udp_content_delivery_ports_resp udp_content_deliver_all_resp
|
|
## udp_contents
|
|
const udp_content_deliver_all_orig = F &redef;
|
|
|
|
## If true, all UDP responder-side traffic is reported via
|
|
## :bro:see:`tcp_contents`.
|
|
##
|
|
## .. bro:see:: tcp_content_delivery_ports_orig
|
|
## tcp_content_delivery_ports_resp tcp_content_deliver_all_resp
|
|
## tcp_content_delivery_ports_orig udp_content_delivery_ports_orig
|
|
## udp_content_delivery_ports_resp udp_content_deliver_all_orig
|
|
## udp_contents
|
|
const udp_content_deliver_all_resp = F &redef;
|
|
|
|
## Check for expired table entries after this amount of time.
|
|
##
|
|
## .. bro:see:: table_incremental_step table_expire_delay
|
|
const table_expire_interval = 10 secs &redef;
|
|
|
|
## When expiring/serializing table entries, don't work on more than this many table
|
|
## at a time.
|
|
##
|
|
## .. bro:see:: table_expire_interval table_expire_delay
|
|
const table_incremental_step = 5000 &redef;
|
|
|
|
## When expiring table entries, wait this amount of time before checking the next
|
|
## chunk of entries.
|
|
##
|
|
## .. :bro:see:: table_expire_interval table_incremental_step
|
|
const table_expire_delay = 0.01 secs &redef;
|
|
|
|
## Time to wait before timing out a DNS request.
|
|
const dns_session_timeout = 10 sec &redef;
|
|
|
|
## Time to wait before timing out an NTP request.
|
|
const ntp_session_timeout = 300 sec &redef;
|
|
|
|
## Time to wait before timing out an RPC request.
|
|
const rpc_timeout = 24 sec &redef;
|
|
|
|
## How long to hold onto fragments for possible reassembly. A value of 0.0 means
|
|
## "forever", which resists evasion, but can lead to state accrual.
|
|
const frag_timeout = 0.0 sec &redef;
|
|
|
|
## Time window for reordering packets. This is used for dealing with timestamp
|
|
## discrepency between multiple packet sources.
|
|
##
|
|
## .. note:: Setting this can have a major performance impact as now packets need
|
|
## to be potentially copied and buffered.
|
|
const packet_sort_window = 0 usecs &redef;
|
|
|
|
## If positive, indicates the encapsulation header size that should
|
|
## be skipped. This applies to all packets.
|
|
const encap_hdr_size = 0 &redef;
|
|
|
|
## Whether to use the ``ConnSize`` analyzer to count the number of packets and
|
|
## IP-level bytes transfered by each endpoint. If true, these values are returned
|
|
## in the connection's :bro:see:`endpoint` record value.
|
|
const use_conn_size_analyzer = T &redef;
|
|
|
|
# todo::these should go into an enum to make them autodoc'able.
|
|
const ENDIAN_UNKNOWN = 0; ##< Endian not yet determined.
|
|
const ENDIAN_LITTLE = 1; ##< Little endian.
|
|
const ENDIAN_BIG = 2; ##< Big endian.
|
|
const ENDIAN_CONFUSED = 3; ##< Tried to determine endian, but failed.
|
|
|
|
## Deprecated.
|
|
function append_addl(c: connection, addl: string)
|
|
{
|
|
if ( c$addl == "" )
|
|
c$addl= addl;
|
|
|
|
else if ( addl !in c$addl )
|
|
c$addl = fmt("%s %s", c$addl, addl);
|
|
}
|
|
|
|
## Deprecated.
|
|
function append_addl_marker(c: connection, addl: string, marker: string)
|
|
{
|
|
if ( c$addl == "" )
|
|
c$addl= addl;
|
|
|
|
else if ( addl !in c$addl )
|
|
c$addl = fmt("%s%s%s", c$addl, marker, addl);
|
|
}
|
|
|
|
|
|
# Values for :bro:see:`set_contents_file` *direction* argument.
|
|
# todo::these should go into an enum to make them autodoc'able
|
|
const CONTENTS_NONE = 0; ##< Turn off recording of contents.
|
|
const CONTENTS_ORIG = 1; ##< Record originator contents.
|
|
const CONTENTS_RESP = 2; ##< Record responder contents.
|
|
const CONTENTS_BOTH = 3; ##< Record both originator and responder contents.
|
|
|
|
# Values for code of ICMP *unreachable* messages. The list is not exhaustive.
|
|
# todo::these should go into an enum to make them autodoc'able
|
|
#
|
|
# .. bro:see:: :bro:see:`icmp_unreachable `
|
|
const ICMP_UNREACH_NET = 0; ##< Network unreachable.
|
|
const ICMP_UNREACH_HOST = 1; ##< Host unreachable.
|
|
const ICMP_UNREACH_PROTOCOL = 2; ##< Protocol unreachable.
|
|
const ICMP_UNREACH_PORT = 3; ##< Port unreachable.
|
|
const ICMP_UNREACH_NEEDFRAG = 4; ##< Fragement needed.
|
|
const ICMP_UNREACH_ADMIN_PROHIB = 13; ##< Adminstratively prohibited.
|
|
|
|
# Definitions for access to packet headers. Currently only used for
|
|
# discarders.
|
|
# todo::these should go into an enum to make them autodoc'able
|
|
const IPPROTO_IP = 0; ##< Dummy for IP.
|
|
const IPPROTO_ICMP = 1; ##< Control message protocol.
|
|
const IPPROTO_IGMP = 2; ##< Group management protocol.
|
|
const IPPROTO_IPIP = 4; ##< IP encapsulation in IP.
|
|
const IPPROTO_TCP = 6; ##< TCP.
|
|
const IPPROTO_UDP = 17; ##< User datagram protocol.
|
|
const IPPROTO_IPV6 = 41; ##< IPv6 header.
|
|
const IPPROTO_ICMPV6 = 58; ##< ICMP for IPv6.
|
|
const IPPROTO_RAW = 255; ##< Raw IP packet.
|
|
|
|
# Definitions for IPv6 extension headers.
|
|
const IPPROTO_HOPOPTS = 0; ##< IPv6 hop-by-hop-options header.
|
|
const IPPROTO_ROUTING = 43; ##< IPv6 routing header.
|
|
const IPPROTO_FRAGMENT = 44; ##< IPv6 fragment header.
|
|
const IPPROTO_ESP = 50; ##< IPv6 encapsulating security payload header.
|
|
const IPPROTO_AH = 51; ##< IPv6 authentication header.
|
|
const IPPROTO_NONE = 59; ##< IPv6 no next header.
|
|
const IPPROTO_DSTOPTS = 60; ##< IPv6 destination options header.
|
|
const IPPROTO_MOBILITY = 135; ##< IPv6 mobility header.
|
|
|
|
## Values extracted from an IPv6 extension header's (e.g. hop-by-hop or
|
|
## destination option headers) option field.
|
|
##
|
|
## .. bro:see:: ip6_hdr ip6_ext_hdr ip6_hopopts ip6_dstopts
|
|
type ip6_option: record {
|
|
otype: count; ##< Option type.
|
|
len: count; ##< Option data length.
|
|
data: string; ##< Option data.
|
|
};
|
|
|
|
## A type alias for a vector of IPv6 options.
|
|
type ip6_options: vector of ip6_option;
|
|
|
|
## Values extracted from an IPv6 Hop-by-Hop options extension header.
|
|
##
|
|
## .. bro:see:: pkt_hdr ip4_hdr ip6_hdr ip6_ext_hdr ip6_option
|
|
type ip6_hopopts: record {
|
|
## Protocol number of the next header (RFC 1700 et seq., IANA assigned
|
|
## number), e.g. :bro:id:`IPPROTO_ICMP`.
|
|
nxt: count;
|
|
## Length of header in 8-octet units, excluding first unit.
|
|
len: count;
|
|
## The TLV encoded options;
|
|
options: ip6_options;
|
|
};
|
|
|
|
## Values extracted from an IPv6 Destination options extension header.
|
|
##
|
|
## .. bro:see:: pkt_hdr ip4_hdr ip6_hdr ip6_ext_hdr ip6_option
|
|
type ip6_dstopts: record {
|
|
## Protocol number of the next header (RFC 1700 et seq., IANA assigned
|
|
## number), e.g. :bro:id:`IPPROTO_ICMP`.
|
|
nxt: count;
|
|
## Length of header in 8-octet units, excluding first unit.
|
|
len: count;
|
|
## The TLV encoded options;
|
|
options: ip6_options;
|
|
};
|
|
|
|
## Values extracted from an IPv6 Routing extension header.
|
|
##
|
|
## .. bro:see:: pkt_hdr ip4_hdr ip6_hdr ip6_ext_hdr
|
|
type ip6_routing: record {
|
|
## Protocol number of the next header (RFC 1700 et seq., IANA assigned
|
|
## number), e.g. :bro:id:`IPPROTO_ICMP`.
|
|
nxt: count;
|
|
## Length of header in 8-octet units, excluding first unit.
|
|
len: count;
|
|
## Routing type.
|
|
rtype: count;
|
|
## Segments left.
|
|
segleft: count;
|
|
## Type-specific data.
|
|
data: string;
|
|
};
|
|
|
|
## Values extracted from an IPv6 Fragment extension header.
|
|
##
|
|
## .. bro:see:: pkt_hdr ip4_hdr ip6_hdr ip6_ext_hdr
|
|
type ip6_fragment: record {
|
|
## Protocol number of the next header (RFC 1700 et seq., IANA assigned
|
|
## number), e.g. :bro:id:`IPPROTO_ICMP`.
|
|
nxt: count;
|
|
## 8-bit reserved field.
|
|
rsv1: count;
|
|
## Fragmentation offset.
|
|
offset: count;
|
|
## 2-bit reserved field.
|
|
rsv2: count;
|
|
## More fragments.
|
|
more: bool;
|
|
## Fragment identification.
|
|
id: count;
|
|
};
|
|
|
|
## Values extracted from an IPv6 Authentication extension header.
|
|
##
|
|
## .. bro:see:: pkt_hdr ip4_hdr ip6_hdr ip6_ext_hdr
|
|
type ip6_ah: record {
|
|
## Protocol number of the next header (RFC 1700 et seq., IANA assigned
|
|
## number), e.g. :bro:id:`IPPROTO_ICMP`.
|
|
nxt: count;
|
|
## Length of header in 4-octet units, excluding first two units.
|
|
len: count;
|
|
## Reserved field.
|
|
rsv: count;
|
|
## Security Parameter Index.
|
|
spi: count;
|
|
## Sequence number, unset in the case that *len* field is zero.
|
|
seq: count &optional;
|
|
## Authentication data, unset in the case that *len* field is zero.
|
|
data: string &optional;
|
|
};
|
|
|
|
## Values extracted from an IPv6 ESP extension header.
|
|
##
|
|
## .. bro:see:: pkt_hdr ip4_hdr ip6_hdr ip6_ext_hdr
|
|
type ip6_esp: record {
|
|
## Security Parameters Index.
|
|
spi: count;
|
|
## Sequence number.
|
|
seq: count;
|
|
};
|
|
|
|
## Values extracted from an IPv6 Mobility Binding Refresh Request message.
|
|
##
|
|
## .. bro:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr ip6_mobility_msg
|
|
type ip6_mobility_brr: record {
|
|
## Reserved.
|
|
rsv: count;
|
|
## Mobility Options.
|
|
options: vector of ip6_option;
|
|
};
|
|
|
|
## Values extracted from an IPv6 Mobility Home Test Init message.
|
|
##
|
|
## .. bro:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr ip6_mobility_msg
|
|
type ip6_mobility_hoti: record {
|
|
## Reserved.
|
|
rsv: count;
|
|
## Home Init Cookie.
|
|
cookie: count;
|
|
## Mobility Options.
|
|
options: vector of ip6_option;
|
|
};
|
|
|
|
## Values extracted from an IPv6 Mobility Care-of Test Init message.
|
|
##
|
|
## .. bro:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr ip6_mobility_msg
|
|
type ip6_mobility_coti: record {
|
|
## Reserved.
|
|
rsv: count;
|
|
## Care-of Init Cookie.
|
|
cookie: count;
|
|
## Mobility Options.
|
|
options: vector of ip6_option;
|
|
};
|
|
|
|
## Values extracted from an IPv6 Mobility Home Test message.
|
|
##
|
|
## .. bro:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr ip6_mobility_msg
|
|
type ip6_mobility_hot: record {
|
|
## Home Nonce Index.
|
|
nonce_idx: count;
|
|
## Home Init Cookie.
|
|
cookie: count;
|
|
## Home Keygen Token.
|
|
token: count;
|
|
## Mobility Options.
|
|
options: vector of ip6_option;
|
|
};
|
|
|
|
## Values extracted from an IPv6 Mobility Care-of Test message.
|
|
##
|
|
## .. bro:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr ip6_mobility_msg
|
|
type ip6_mobility_cot: record {
|
|
## Care-of Nonce Index.
|
|
nonce_idx: count;
|
|
## Care-of Init Cookie.
|
|
cookie: count;
|
|
## Care-of Keygen Token.
|
|
token: count;
|
|
## Mobility Options.
|
|
options: vector of ip6_option;
|
|
};
|
|
|
|
## Values extracted from an IPv6 Mobility Binding Update message.
|
|
##
|
|
## .. bro:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr ip6_mobility_msg
|
|
type ip6_mobility_bu: record {
|
|
## Sequence number.
|
|
seq: count;
|
|
## Acknowledge bit.
|
|
a: bool;
|
|
## Home Registration bit.
|
|
h: bool;
|
|
## Link-Local Address Compatibility bit.
|
|
l: bool;
|
|
## Key Management Mobility Capability bit.
|
|
k: bool;
|
|
## Lifetime.
|
|
life: count;
|
|
## Mobility Options.
|
|
options: vector of ip6_option;
|
|
};
|
|
|
|
## Values extracted from an IPv6 Mobility Binding Acknowledgement message.
|
|
##
|
|
## .. bro:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr ip6_mobility_msg
|
|
type ip6_mobility_back: record {
|
|
## Status.
|
|
status: count;
|
|
## Key Management Mobility Capability.
|
|
k: bool;
|
|
## Sequence number.
|
|
seq: count;
|
|
## Lifetime.
|
|
life: count;
|
|
## Mobility Options.
|
|
options: vector of ip6_option;
|
|
};
|
|
|
|
## Values extracted from an IPv6 Mobility Binding Error message.
|
|
##
|
|
## .. bro:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr ip6_mobility_msg
|
|
type ip6_mobility_be: record {
|
|
## Status.
|
|
status: count;
|
|
## Home Address.
|
|
hoa: addr;
|
|
## Mobility Options.
|
|
options: vector of ip6_option;
|
|
};
|
|
|
|
## Values extracted from an IPv6 Mobility header's message data.
|
|
##
|
|
## .. bro:see:: ip6_mobility_hdr ip6_hdr ip6_ext_hdr
|
|
type ip6_mobility_msg: record {
|
|
## The type of message from the header's MH Type field.
|
|
id: count;
|
|
## Binding Refresh Request.
|
|
brr: ip6_mobility_brr &optional;
|
|
## Home Test Init.
|
|
hoti: ip6_mobility_hoti &optional;
|
|
## Care-of Test Init.
|
|
coti: ip6_mobility_coti &optional;
|
|
## Home Test.
|
|
hot: ip6_mobility_hot &optional;
|
|
## Care-of Test.
|
|
cot: ip6_mobility_cot &optional;
|
|
## Binding Update.
|
|
bu: ip6_mobility_bu &optional;
|
|
## Binding Acknowledgement.
|
|
back: ip6_mobility_back &optional;
|
|
## Binding Error.
|
|
be: ip6_mobility_be &optional;
|
|
};
|
|
|
|
## Values extracted from an IPv6 Mobility header.
|
|
##
|
|
## .. bro:see:: pkt_hdr ip4_hdr ip6_hdr ip6_ext_hdr
|
|
type ip6_mobility_hdr: record {
|
|
## Protocol number of the next header (RFC 1700 et seq., IANA assigned
|
|
## number), e.g. :bro:id:`IPPROTO_ICMP`.
|
|
nxt: count;
|
|
## Length of header in 8-octet units, excluding first unit.
|
|
len: count;
|
|
## Mobility header type used to identify header's the message.
|
|
mh_type: count;
|
|
## Reserved field.
|
|
rsv: count;
|
|
## Mobility header checksum.
|
|
chksum: count;
|
|
## Mobility header message
|
|
msg: ip6_mobility_msg;
|
|
};
|
|
|
|
## A general container for a more specific IPv6 extension header.
|
|
##
|
|
## .. bro:see:: pkt_hdr ip4_hdr ip6_hopopts ip6_dstopts ip6_routing ip6_fragment
|
|
## ip6_ah ip6_esp
|
|
type ip6_ext_hdr: record {
|
|
## The RFC 1700 et seq. IANA assigned number identifying the type of
|
|
## the extension header.
|
|
id: count;
|
|
## Hop-by-hop option extension header.
|
|
hopopts: ip6_hopopts &optional;
|
|
## Destination option extension header.
|
|
dstopts: ip6_dstopts &optional;
|
|
## Routing extension header.
|
|
routing: ip6_routing &optional;
|
|
## Fragment header.
|
|
fragment: ip6_fragment &optional;
|
|
## Authentication extension header.
|
|
ah: ip6_ah &optional;
|
|
## Encapsulating security payload header.
|
|
esp: ip6_esp &optional;
|
|
## Mobility header.
|
|
mobility: ip6_mobility_hdr &optional;
|
|
};
|
|
|
|
## A type alias for a vector of IPv6 extension headers.
|
|
type ip6_ext_hdr_chain: vector of ip6_ext_hdr;
|
|
|
|
## Values extracted from an IPv6 header.
|
|
##
|
|
## .. bro:see:: pkt_hdr ip4_hdr ip6_ext_hdr ip6_hopopts ip6_dstopts
|
|
## ip6_routing ip6_fragment ip6_ah ip6_esp
|
|
type ip6_hdr: record {
|
|
class: count; ##< Traffic class.
|
|
flow: count; ##< Flow label.
|
|
len: count; ##< Payload length.
|
|
nxt: count; ##< Protocol number of the next header
|
|
##< (RFC 1700 et seq., IANA assigned number)
|
|
##< e.g. :bro:id:`IPPROTO_ICMP`.
|
|
hlim: count; ##< Hop limit.
|
|
src: addr; ##< Source address.
|
|
dst: addr; ##< Destination address.
|
|
exts: ip6_ext_hdr_chain; ##< Extension header chain.
|
|
};
|
|
|
|
## Values extracted from an IPv4 header.
|
|
##
|
|
## .. bro:see:: pkt_hdr ip6_hdr discarder_check_ip
|
|
type ip4_hdr: record {
|
|
hl: count; ##< Header length in bytes.
|
|
tos: count; ##< Type of service.
|
|
len: count; ##< Total length.
|
|
id: count; ##< Identification.
|
|
ttl: count; ##< Time to live.
|
|
p: count; ##< Protocol.
|
|
src: addr; ##< Source address.
|
|
dst: addr; ##< Destination address.
|
|
};
|
|
|
|
# TCP flags.
|
|
#
|
|
# todo::these should go into an enum to make them autodoc'able
|
|
const TH_FIN = 1; ##< FIN.
|
|
const TH_SYN = 2; ##< SYN.
|
|
const TH_RST = 4; ##< RST.
|
|
const TH_PUSH = 8; ##< PUSH.
|
|
const TH_ACK = 16; ##< ACK.
|
|
const TH_URG = 32; ##< URG.
|
|
const TH_FLAGS = 63; ##< Mask combining all flags.
|
|
|
|
## Values extracted from a TCP header.
|
|
##
|
|
## .. bro:see:: pkt_hdr discarder_check_tcp
|
|
type tcp_hdr: record {
|
|
sport: port; ##< source port.
|
|
dport: port; ##< destination port
|
|
seq: count; ##< sequence number
|
|
ack: count; ##< acknowledgement number
|
|
hl: count; ##< header length (in bytes)
|
|
dl: count; ##< data length (xxx: not in original tcphdr!)
|
|
flags: count; ##< flags
|
|
win: count; ##< window
|
|
};
|
|
|
|
## Values extracted from a UDP header.
|
|
##
|
|
## .. bro:see:: pkt_hdr discarder_check_udp
|
|
type udp_hdr: record {
|
|
sport: port; ##< source port
|
|
dport: port; ##< destination port
|
|
ulen: count; ##< udp length
|
|
};
|
|
|
|
## Values extracted from an ICMP header.
|
|
##
|
|
## .. bro:see:: pkt_hdr discarder_check_icmp
|
|
type icmp_hdr: record {
|
|
icmp_type: count; ##< type of message
|
|
};
|
|
|
|
## A packet header, consisting of an IP header and transport-layer header.
|
|
##
|
|
## .. bro:see:: new_packet
|
|
type pkt_hdr: record {
|
|
ip: ip4_hdr &optional; ##< The IPv4 header if an IPv4 packet.
|
|
ip6: ip6_hdr &optional; ##< The IPv6 header if an IPv6 packet.
|
|
tcp: tcp_hdr &optional; ##< The TCP header if a TCP packet.
|
|
udp: udp_hdr &optional; ##< The UDP header if a UDP packet.
|
|
icmp: icmp_hdr &optional; ##< The ICMP header if an ICMP packet.
|
|
};
|
|
|
|
## A Teredo origin indication header. See :rfc:`4380` for more information
|
|
## about the Teredo protocol.
|
|
##
|
|
## .. bro:see:: teredo_bubble teredo_origin_indication teredo_authentication
|
|
## teredo_hdr
|
|
type teredo_auth: record {
|
|
id: string; ##< Teredo client identifier.
|
|
value: string; ##< HMAC-SHA1 over shared secret key between client and
|
|
##< server, nonce, confirmation byte, origin indication
|
|
##< (if present), and the IPv6 packet.
|
|
nonce: count; ##< Nonce chosen by Teredo client to be repeated by
|
|
##< Teredo server.
|
|
confirm: count; ##< Confirmation byte to be set to 0 by Teredo client
|
|
##< and non-zero by server if client needs new key.
|
|
};
|
|
|
|
## A Teredo authentication header. See :rfc:`4380` for more information
|
|
## about the Teredo protocol.
|
|
##
|
|
## .. bro:see:: teredo_bubble teredo_origin_indication teredo_authentication
|
|
## teredo_hdr
|
|
type teredo_origin: record {
|
|
p: port; ##< Unobfuscated UDP port of Teredo client.
|
|
a: addr; ##< Unobfuscated IPv4 address of Teredo client.
|
|
};
|
|
|
|
## A Teredo packet header. See :rfc:`4380` for more information about the
|
|
## Teredo protocol.
|
|
##
|
|
## .. bro:see:: teredo_bubble teredo_origin_indication teredo_authentication
|
|
type teredo_hdr: record {
|
|
auth: teredo_auth &optional; ##< Teredo authentication header.
|
|
origin: teredo_origin &optional; ##< Teredo origin indication header.
|
|
hdr: pkt_hdr; ##< IPv6 and transport protocol headers.
|
|
};
|
|
|
|
## Definition of "secondary filters". A secondary filter is a BPF filter given as
|
|
## index in this table. For each such filter, the corresponding event is raised for
|
|
## all matching packets.
|
|
global secondary_filters: table[string] of event(filter: string, pkt: pkt_hdr)
|
|
&redef;
|
|
|
|
## Maximum length of payload passed to discarder functions.
|
|
##
|
|
## .. :bro:see:: discarder_check_tcp discarder_check_udp discarder_check_icmp
|
|
## discarder_check_ip
|
|
global discarder_maxlen = 128 &redef;
|
|
|
|
## Function for skipping packets based on their IP header. If defined, this
|
|
## function will be called for all IP packets before Bro performs any further
|
|
## analysis. If the function signals to discard a packet, no further processing
|
|
## will be performed on it.
|
|
##
|
|
## p: The IP header of the considered packet.
|
|
##
|
|
## Returns: True if the packet should not be analyzed any further.
|
|
##
|
|
## .. :bro:see:: discarder_check_tcp discarder_check_udp discarder_check_icmp
|
|
## discarder_maxlen
|
|
##
|
|
## .. note:: This is very low-level functionality and potentially expensive.
|
|
## Avoid using it.
|
|
global discarder_check_ip: function(p: pkt_hdr): bool;
|
|
|
|
## Function for skipping packets based on their TCP header. If defined, this
|
|
## function will be called for all TCP packets before Bro performs any further
|
|
## analysis. If the function signals to discard a packet, no further processing
|
|
## will be performed on it.
|
|
##
|
|
## p: The IP and TCP headers of the considered packet.
|
|
##
|
|
## d: Up to :bro:see:`discarder_maxlen` bytes of the TCP payload.
|
|
##
|
|
## Returns: True if the packet should not be analyzed any further.
|
|
##
|
|
## .. :bro:see:: discarder_check_ip discarder_check_udp discarder_check_icmp
|
|
## discarder_maxlen
|
|
##
|
|
## .. note:: This is very low-level functionality and potentially expensive.
|
|
## Avoid using it.
|
|
global discarder_check_tcp: function(p: pkt_hdr, d: string): bool;
|
|
|
|
## Function for skipping packets based on their UDP header. If defined, this
|
|
## function will be called for all UDP packets before Bro performs any further
|
|
## analysis. If the function signals to discard a packet, no further processing
|
|
## will be performed on it.
|
|
##
|
|
## p: The IP and UDP headers of the considered packet.
|
|
##
|
|
## d: Up to :bro:see:`discarder_maxlen` bytes of the UDP payload.
|
|
##
|
|
## Returns: True if the packet should not be analyzed any further.
|
|
##
|
|
## .. :bro:see:: discarder_check_ip discarder_check_tcp discarder_check_icmp
|
|
## discarder_maxlen
|
|
##
|
|
## .. note:: This is very low-level functionality and potentially expensive.
|
|
## Avoid using it.
|
|
global discarder_check_udp: function(p: pkt_hdr, d: string): bool;
|
|
|
|
## Function for skipping packets based on their ICMP header. If defined, this
|
|
## function will be called for all ICMP packets before Bro performs any further
|
|
## analysis. If the function signals to discard a packet, no further processing
|
|
## will be performed on it.
|
|
##
|
|
## p: The IP and ICMP headers of the considered packet.
|
|
##
|
|
## Returns: True if the packet should not be analyzed any further.
|
|
##
|
|
## .. :bro:see:: discarder_check_ip discarder_check_tcp discarder_check_udp
|
|
## discarder_maxlen
|
|
##
|
|
## .. note:: This is very low-level functionality and potentially expensive.
|
|
## Avoid using it.
|
|
global discarder_check_icmp: function(p: pkt_hdr): bool;
|
|
|
|
## Bro's watchdog interval.
|
|
const watchdog_interval = 10 sec &redef;
|
|
|
|
## The maximum number of timers to expire after processing each new
|
|
## packet. The value trades off spreading out the timer expiration load
|
|
## with possibly having to hold state longer. A value of 0 means
|
|
## "process all expired timers with each new packet".
|
|
const max_timer_expires = 300 &redef;
|
|
|
|
## With a similar trade-off, this gives the number of remote events
|
|
## to process in a batch before interleaving other activity.
|
|
const max_remote_events_processed = 10 &redef;
|
|
|
|
# These need to match the definitions in Login.h.
|
|
#
|
|
# .. bro:see:: get_login_state
|
|
#
|
|
# todo::use enum to make them autodoc'able
|
|
const LOGIN_STATE_AUTHENTICATE = 0; # Trying to authenticate.
|
|
const LOGIN_STATE_LOGGED_IN = 1; # Successful authentication.
|
|
const LOGIN_STATE_SKIP = 2; # Skip any further processing.
|
|
const LOGIN_STATE_CONFUSED = 3; # We're confused.
|
|
|
|
# It would be nice to replace these function definitions with some
|
|
# form of parameterized types.
|
|
|
|
## Returns minimum of two ``double`` values.
|
|
##
|
|
## a: First value.
|
|
## b: Second value.
|
|
##
|
|
## Returns: The minimum of *a* and *b*.
|
|
function min_double(a: double, b: double): double { return a < b ? a : b; }
|
|
|
|
## Returns maximum of two ``double`` values.
|
|
##
|
|
## a: First value.
|
|
## b: Second value.
|
|
##
|
|
## Returns: The maximum of *a* and *b*.
|
|
function max_double(a: double, b: double): double { return a > b ? a : b; }
|
|
|
|
## Returns minimum of two ``interval`` values.
|
|
##
|
|
## a: First value.
|
|
## b: Second value.
|
|
##
|
|
## Returns: The minimum of *a* and *b*.
|
|
function min_interval(a: interval, b: interval): interval { return a < b ? a : b; }
|
|
|
|
## Returns maximum of two ``interval`` values.
|
|
##
|
|
## a: First value.
|
|
## b: Second value.
|
|
##
|
|
## Returns: The maximum of *a* and *b*.
|
|
function max_interval(a: interval, b: interval): interval { return a > b ? a : b; }
|
|
|
|
## Returns minimum of two ``count`` values.
|
|
##
|
|
## a: First value.
|
|
## b: Second value.
|
|
##
|
|
## Returns: The minimum of *a* and *b*.
|
|
function min_count(a: count, b: count): count { return a < b ? a : b; }
|
|
|
|
## Returns maximum of two ``count`` values.
|
|
##
|
|
## a: First value.
|
|
## b: Second value.
|
|
##
|
|
## Returns: The maximum of *a* and *b*.
|
|
function max_count(a: count, b: count): count { return a > b ? a : b; }
|
|
|
|
## TODO.
|
|
global skip_authentication: set[string] &redef;
|
|
|
|
## TODO.
|
|
global direct_login_prompts: set[string] &redef;
|
|
|
|
## TODO.
|
|
global login_prompts: set[string] &redef;
|
|
|
|
## TODO.
|
|
global login_non_failure_msgs: set[string] &redef;
|
|
|
|
## TODO.
|
|
global login_failure_msgs: set[string] &redef;
|
|
|
|
## TODO.
|
|
global login_success_msgs: set[string] &redef;
|
|
|
|
## TODO.
|
|
global login_timeouts: set[string] &redef;
|
|
|
|
## A MIME header key/value pair.
|
|
##
|
|
## .. bro:see:: mime_header_list http_all_headers mime_all_headers mime_one_header
|
|
type mime_header_rec: record {
|
|
name: string; ##< The header name.
|
|
value: string; ##< The header value.
|
|
};
|
|
|
|
## A list of MIME headers.
|
|
##
|
|
## .. bro:see:: mime_header_rec http_all_headers mime_all_headers
|
|
type mime_header_list: table[count] of mime_header_rec;
|
|
|
|
## The length of MIME data segments delivered to handlers of
|
|
## :bro:see:`mime_segment_data`.
|
|
##
|
|
## .. bro:see:: mime_segment_data mime_segment_overlap_length
|
|
global mime_segment_length = 1024 &redef;
|
|
|
|
## The number of bytes of overlap between successive segments passed to
|
|
## :bro:see:`mime_segment_data`.
|
|
global mime_segment_overlap_length = 0 &redef;
|
|
|
|
## An RPC portmapper mapping.
|
|
##
|
|
## .. bro:see:: pm_mappings
|
|
type pm_mapping: record {
|
|
program: count; ##< The RPC program.
|
|
version: count; ##< The program version.
|
|
p: port; ##< The port.
|
|
};
|
|
|
|
## Table of RPC portmapper mappings.
|
|
##
|
|
## .. bro:see:: pm_request_dump
|
|
type pm_mappings: table[count] of pm_mapping;
|
|
|
|
## An RPC portmapper request.
|
|
##
|
|
## .. bro:see:: pm_attempt_getport pm_request_getport
|
|
type pm_port_request: record {
|
|
program: count; ##< The RPC program.
|
|
version: count; ##< The program version.
|
|
is_tcp: bool; ##< True if using TCP.
|
|
};
|
|
|
|
## An RPC portmapper *callit* request.
|
|
##
|
|
## .. bro:see:: pm_attempt_callit pm_request_callit
|
|
type pm_callit_request: record {
|
|
program: count; ##< The RPC program.
|
|
version: count; ##< The program version.
|
|
proc: count; ##< The procedure being called.
|
|
arg_size: count; ##< The size of the argument.
|
|
};
|
|
|
|
# See const.bif
|
|
# const RPC_SUCCESS = 0;
|
|
# const RPC_PROG_UNAVAIL = 1;
|
|
# const RPC_PROG_MISMATCH = 2;
|
|
# const RPC_PROC_UNAVAIL = 3;
|
|
# const RPC_GARBAGE_ARGS = 4;
|
|
# const RPC_SYSTEM_ERR = 5;
|
|
# const RPC_TIMEOUT = 6;
|
|
# const RPC_AUTH_ERROR = 7;
|
|
# const RPC_UNKNOWN_ERROR = 8;
|
|
|
|
## Mapping of numerical RPC status codes to readable messages.
|
|
##
|
|
## .. bro:see:: pm_attempt_callit pm_attempt_dump pm_attempt_getport
|
|
## pm_attempt_null pm_attempt_set pm_attempt_unset rpc_dialogue rpc_reply
|
|
const RPC_status = {
|
|
[RPC_SUCCESS] = "ok",
|
|
[RPC_PROG_UNAVAIL] = "prog unavail",
|
|
[RPC_PROG_MISMATCH] = "mismatch",
|
|
[RPC_PROC_UNAVAIL] = "proc unavail",
|
|
[RPC_GARBAGE_ARGS] = "garbage args",
|
|
[RPC_SYSTEM_ERR] = "system err",
|
|
[RPC_TIMEOUT] = "timeout",
|
|
[RPC_AUTH_ERROR] = "auth error",
|
|
[RPC_UNKNOWN_ERROR] = "unknown"
|
|
};
|
|
|
|
module NFS3;
|
|
|
|
export {
|
|
## If true, :bro:see:`nfs_proc_read` and :bro:see:`nfs_proc_write` events return
|
|
## the file data that has been read/written.
|
|
##
|
|
## .. .. bro:see:: return_data_max return_data_first_only
|
|
const return_data = F &redef;
|
|
|
|
## If bro:id:`NFS3::return_data` is true, how much data should be returned at
|
|
## most.
|
|
const return_data_max = 512 &redef;
|
|
|
|
## If bro:id:`NFS3::return_data` is true, whether to *only* return data if the read
|
|
## or write offset is 0, i.e., only return data for the beginning of the file.
|
|
const return_data_first_only = T &redef;
|
|
|
|
## Record summarizing the general results and status of NFSv3 request/reply pairs.
|
|
##
|
|
## Note that when *rpc_stats* or *nfs_stats* indicates not successful, the reply
|
|
## record passed to the correpsonding event will be empty and contain uninitialized
|
|
## fields, so don't use it. Also note that time and duration values might not be
|
|
## fully accurate. For TCP, we record times when the corresponding chunk of data
|
|
## is delivered to the analyzer. Depending on the reassembler, this might be well
|
|
## after the first packet of the request was received.
|
|
##
|
|
## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup
|
|
## nfs_proc_mkdir nfs_proc_not_implemented nfs_proc_null
|
|
## nfs_proc_read nfs_proc_readdir nfs_proc_readlink nfs_proc_remove
|
|
## nfs_proc_rmdir nfs_proc_write nfs_reply_status
|
|
type info_t: record {
|
|
## The RPC status.
|
|
rpc_stat: rpc_status;
|
|
## The NFS status.
|
|
nfs_stat: status_t;
|
|
## The start time of the request.
|
|
req_start: time;
|
|
## The duration of the request.
|
|
req_dur: interval;
|
|
## The length in bytes of the request.
|
|
req_len: count;
|
|
## The start time of the reply.
|
|
rep_start: time;
|
|
## The duration of the reply.
|
|
rep_dur: interval;
|
|
## The length in bytes of the reply.
|
|
rep_len: count;
|
|
};
|
|
|
|
## NFS file attributes. Field names are based on RFC 1813.
|
|
##
|
|
## .. bro:see:: nfs_proc_getattr
|
|
type fattr_t: record {
|
|
ftype: file_type_t; ##< File type.
|
|
mode: count; ##< Mode
|
|
nlink: count; ##< Number of links.
|
|
uid: count; ##< User ID.
|
|
gid: count; ##< Group ID.
|
|
size: count; ##< Size.
|
|
used: count; ##< TODO.
|
|
rdev1: count; ##< TODO.
|
|
rdev2: count; ##< TODO.
|
|
fsid: count; ##< TODO.
|
|
fileid: count; ##< TODO.
|
|
atime: time; ##< Time of last access.
|
|
mtime: time; ##< Time of last modification.
|
|
ctime: time; ##< Time of creation.
|
|
};
|
|
|
|
## NFS *readdir* arguments.
|
|
##
|
|
## .. bro:see:: nfs_proc_readdir
|
|
type diropargs_t : record {
|
|
dirfh: string; ##< The file handle of the directory.
|
|
fname: string; ##< The name of the file we are interested in.
|
|
};
|
|
|
|
## NFS lookup reply. If the lookup failed, *dir_attr* may be set. If the lookup
|
|
## succeeded, *fh* is always set and *obj_attr* and *dir_attr* may be set.
|
|
##
|
|
## .. bro:see:: nfs_proc_lookup
|
|
type lookup_reply_t: record {
|
|
fh: string &optional; ##< File handle of object looked up.
|
|
obj_attr: fattr_t &optional; ##< Optional attributes associated w/ file
|
|
dir_attr: fattr_t &optional; ##< Optional attributes associated w/ dir.
|
|
};
|
|
|
|
## NFS *read* arguments.
|
|
##
|
|
## .. bro:see:: nfs_proc_read
|
|
type readargs_t: record {
|
|
fh: string; ##< File handle to read from.
|
|
offset: count; ##< Offset in file.
|
|
size: count; ##< Number of bytes to read.
|
|
};
|
|
|
|
## NFS *read* reply. If the lookup fails, *attr* may be set. If the lookup succeeds,
|
|
## *attr* may be set and all other fields are set.
|
|
type read_reply_t: record {
|
|
attr: fattr_t &optional; ##< Attributes.
|
|
size: count &optional; ##< Number of bytes read.
|
|
eof: bool &optional; ##< Sid the read end at EOF.
|
|
data: string &optional; ##< The actual data; not yet implemented.
|
|
};
|
|
|
|
## NFS *readline* reply. If the request fails, *attr* may be set. If the request
|
|
## succeeds, *attr* may be set and all other fields are set.
|
|
##
|
|
## .. bro:see:: nfs_proc_readlink
|
|
type readlink_reply_t: record {
|
|
attr: fattr_t &optional; ##< Attributes.
|
|
nfspath: string &optional; ##< Contents of the symlink; in general a pathname as text.
|
|
};
|
|
|
|
## NFS *write* arguments.
|
|
##
|
|
## .. bro:see:: nfs_proc_write
|
|
type writeargs_t: record {
|
|
fh: string; ##< File handle to write to.
|
|
offset: count; ##< Offset in file.
|
|
size: count; ##< Number of bytes to write.
|
|
stable: stable_how_t; ##< How and when data is commited.
|
|
data: string &optional; ##< The actual data; not implemented yet.
|
|
};
|
|
|
|
## NFS *wcc* attributes.
|
|
##
|
|
## .. bro:see:: NFS3::write_reply_t
|
|
type wcc_attr_t: record {
|
|
size: count; ##< The dize.
|
|
atime: time; ##< Access time.
|
|
mtime: time; ##< Modification time.
|
|
};
|
|
|
|
## NFS *write* reply. If the request fails, *pre|post* attr may be set. If the
|
|
## request succeeds, *pre|post* attr may be set and all other fields are set.
|
|
##
|
|
## .. bro:see:: nfs_proc_write
|
|
type write_reply_t: record {
|
|
preattr: wcc_attr_t &optional; ##< Pre operation attributes.
|
|
postattr: fattr_t &optional; ##< Post operation attributes.
|
|
size: count &optional; ##< Size.
|
|
commited: stable_how_t &optional; ##< TODO.
|
|
verf: count &optional; ##< Write verifier cookie.
|
|
};
|
|
|
|
## NFS reply for *create*, *mkdir*, and *symlink*. If the proc
|
|
## failed, *dir_\*_attr* may be set. If the proc succeeded, *fh* and the *attr*'s
|
|
## may be set. Note: no guarantee that *fh* is set after success.
|
|
##
|
|
## .. bro:see:: nfs_proc_create nfs_proc_mkdir
|
|
type newobj_reply_t: record {
|
|
fh: string &optional; ##< File handle of object created.
|
|
obj_attr: fattr_t &optional; ##< Optional attributes associated w/ new object.
|
|
dir_pre_attr: wcc_attr_t &optional; ##< Optional attributes associated w/ dir.
|
|
dir_post_attr: fattr_t &optional; ##< Optional attributes associated w/ dir.
|
|
};
|
|
|
|
## NFS reply for *remove*, *rmdir*. Corresponds to *wcc_data* in the spec.
|
|
##
|
|
## .. bro:see:: nfs_proc_remove nfs_proc_rmdir
|
|
type delobj_reply_t: record {
|
|
dir_pre_attr: wcc_attr_t &optional; ##< Optional attributes associated w/ dir.
|
|
dir_post_attr: fattr_t &optional; ##< Optional attributes associated w/ dir.
|
|
};
|
|
|
|
## NFS *readdir* arguments. Used for both *readdir* and *readdirplus*.
|
|
##
|
|
## .. bro:see:: nfs_proc_readdir
|
|
type readdirargs_t: record {
|
|
isplus: bool; ##< Is this a readdirplus request?
|
|
dirfh: string; ##< The directory filehandle.
|
|
cookie: count; ##< Cookie / pos in dir; 0 for first call.
|
|
cookieverf: count; ##< The cookie verifier.
|
|
dircount: count; ##< "count" field for readdir; maxcount otherwise (in bytes).
|
|
maxcount: count &optional; ##< Only used for readdirplus. in bytes.
|
|
};
|
|
|
|
## NFS *direntry*. *fh* and *attr* are used for *readdirplus*. However, even
|
|
## for *readdirplus* they may not be filled out.
|
|
##
|
|
## .. bro:see:: NFS3::direntry_vec_t NFS3::readdir_reply_t
|
|
type direntry_t: record {
|
|
fileid: count; ##< E.g., inode number.
|
|
fname: string; ##< Filename.
|
|
cookie: count; ##< Cookie value.
|
|
attr: fattr_t &optional; ##< *readdirplus*: the *fh* attributes for the entry.
|
|
fh: string &optional; ##< *readdirplus*: the *fh* for the entry
|
|
};
|
|
|
|
## Vector of NFS *direntry*.
|
|
##
|
|
## .. bro:see:: NFS3::readdir_reply_t
|
|
type direntry_vec_t: vector of direntry_t;
|
|
|
|
## NFS *readdir* reply. Used for *readdir* and *readdirplus*. If an is
|
|
## returned, *dir_attr* might be set. On success, *dir_attr* may be set, all others
|
|
## must be set.
|
|
type readdir_reply_t: record {
|
|
isplus: bool; ##< True if the reply for a *readdirplus* request.
|
|
dir_attr: fattr_t &optional; ##< Directory attributes.
|
|
cookieverf: count &optional; ##< TODO.
|
|
entries: direntry_vec_t &optional; ##< Returned directory entries.
|
|
eof: bool; ##< If true, no more entries in directory.
|
|
};
|
|
|
|
## NFS *fsstat*.
|
|
type fsstat_t: record {
|
|
attrs: fattr_t &optional; ##< Attributes.
|
|
tbytes: double; ##< TODO.
|
|
fbytes: double; ##< TODO.
|
|
abytes: double; ##< TODO.
|
|
tfiles: double; ##< TODO.
|
|
ffiles: double; ##< TODO.
|
|
afiles: double; ##< TODO.
|
|
invarsec: interval; ##< TODO.
|
|
};
|
|
} # end export
|
|
|
|
module Threading;
|
|
|
|
export {
|
|
## The heartbeat interval used by the threading framework.
|
|
## Changing this should usually not be neccessary and will break several tests.
|
|
const heartbeat_interval = 1.0 secs &redef;
|
|
}
|
|
|
|
module GLOBAL;
|
|
|
|
## An NTP message.
|
|
##
|
|
## .. bro:see:: ntp_message
|
|
type ntp_msg: record {
|
|
id: count; ##< Message ID.
|
|
code: count; ##< Message code.
|
|
stratum: count; ##< Stratum.
|
|
poll: count; ##< Poll.
|
|
precision: int; ##< Precision.
|
|
distance: interval; ##< Distance.
|
|
dispersion: interval; ##< Dispersion.
|
|
ref_t: time; ##< Reference time.
|
|
originate_t: time; ##< Originating time.
|
|
receive_t: time; ##< Receive time.
|
|
xmit_t: time; ##< Send time.
|
|
};
|
|
|
|
|
|
## Maps SMB command numbers to descriptive names.
|
|
global samba_cmds: table[count] of string &redef
|
|
&default = function(c: count): string
|
|
{ return fmt("samba-unknown-%d", c); };
|
|
|
|
## An SMB command header.
|
|
##
|
|
## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
|
|
## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
|
|
## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
|
|
## smb_com_trans_pipe smb_com_trans_rap smb_com_transaction
|
|
## smb_com_transaction2 smb_com_tree_connect_andx smb_com_tree_disconnect
|
|
## smb_com_write_andx smb_error smb_get_dfs_referral smb_message
|
|
type smb_hdr : record {
|
|
command: count; ##< The command number (see :bro:see:`samba_cmds` ).
|
|
status: count; ##< The status code.
|
|
flags: count; ##< Flag set 1.
|
|
flags2: count; ##< Flag set 2.
|
|
tid: count; ##< TODO.
|
|
pid: count; ##< Process ID.
|
|
uid: count; ##< User ID.
|
|
mid: count; ##< TODO.
|
|
};
|
|
|
|
## An SMB transaction.
|
|
##
|
|
## .. bro:see:: smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
|
|
## smb_com_transaction smb_com_transaction2
|
|
type smb_trans : record {
|
|
word_count: count; ##< TODO.
|
|
total_param_count: count; ##< TODO.
|
|
total_data_count: count; ##< TODO.
|
|
max_param_count: count; ##< TODO.
|
|
max_data_count: count; ##< TODO.
|
|
max_setup_count: count; ##< TODO.
|
|
# flags: count;
|
|
# timeout: count;
|
|
param_count: count; ##< TODO.
|
|
param_offset: count; ##< TODO.
|
|
data_count: count; ##< TODO.
|
|
data_offset: count; ##< TODO.
|
|
setup_count: count; ##< TODO.
|
|
setup0: count; ##< TODO.
|
|
setup1: count; ##< TODO.
|
|
setup2: count; ##< TODO.
|
|
setup3: count; ##< TODO.
|
|
byte_count: count; ##< TODO.
|
|
parameters: string; ##< TODO.
|
|
};
|
|
|
|
|
|
## SMB transaction data.
|
|
##
|
|
## .. bro:see:: smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
|
|
## smb_com_transaction smb_com_transaction2
|
|
##
|
|
## .. todo:: Should this really be a record type?
|
|
type smb_trans_data : record {
|
|
data : string; ##< The transaction's data.
|
|
};
|
|
|
|
## Deprecated.
|
|
##
|
|
## .. todo:: Remove. It's still declared internally but doesn't seem used anywhere
|
|
## else.
|
|
type smb_tree_connect : record {
|
|
flags: count;
|
|
password: string;
|
|
path: string;
|
|
service: string;
|
|
};
|
|
|
|
## Deprecated.
|
|
##
|
|
## .. todo:: Remove. It's still declared internally but doesn't seem used anywhere
|
|
## else.
|
|
type smb_negotiate : table[count] of string;
|
|
|
|
## A list of router addresses offered by a DHCP server.
|
|
##
|
|
## .. bro:see:: dhcp_ack dhcp_offer
|
|
type dhcp_router_list: table[count] of addr;
|
|
|
|
## A DHCP message.
|
|
##
|
|
## .. bro:see:: dhcp_ack dhcp_decline dhcp_discover dhcp_inform dhcp_nak
|
|
## dhcp_offer dhcp_release dhcp_request
|
|
type dhcp_msg: record {
|
|
op: count; ##< Message OP code. 1 = BOOTREQUEST, 2 = BOOTREPLY
|
|
m_type: count; ##< The type of DHCP message.
|
|
xid: count; ##< Transaction ID of a DHCP session.
|
|
h_addr: string; ##< Hardware address of the client.
|
|
ciaddr: addr; ##< Original IP address of the client.
|
|
yiaddr: addr; ##< IP address assigned to the client.
|
|
};
|
|
|
|
## A DNS message.
|
|
##
|
|
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
|
|
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
|
|
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_message
|
|
## dns_query_reply dns_rejected dns_request
|
|
type dns_msg: record {
|
|
id: count; ##< Transaction ID.
|
|
|
|
opcode: count; ##< Operation code.
|
|
rcode: count; ##< Return code.
|
|
|
|
QR: bool; ##< Query response flag.
|
|
AA: bool; ##< Authoritative answer flag.
|
|
TC: bool; ##< Truncated packet flag.
|
|
RD: bool; ##< Recursion desired flag.
|
|
RA: bool; ##< Recursion available flag.
|
|
Z: count; ##< TODO.
|
|
|
|
num_queries: count; ##< Number of query records.
|
|
num_answers: count; ##< Number of answer records.
|
|
num_auth: count; ##< Number of authoritative records.
|
|
num_addl: count; ##< Number of additional records.
|
|
};
|
|
|
|
## A DNS SOA record.
|
|
##
|
|
## .. bro:see:: dns_SOA_reply
|
|
type dns_soa: record {
|
|
mname: string; ##< Primary source of data for zone.
|
|
rname: string; ##< Mailbox for responsible person.
|
|
serial: count; ##< Version number of zone.
|
|
refresh: interval; ##< Seconds before refreshing.
|
|
retry: interval; ##< How long before retrying failed refresh.
|
|
expire: interval; ##< When zone no longer authoritative.
|
|
minimum: interval; ##< Minimum TTL to use when exporting.
|
|
};
|
|
|
|
## An additional DNS EDNS record.
|
|
##
|
|
## .. bro:see:: dns_EDNS_addl
|
|
type dns_edns_additional: record {
|
|
query: string; ##< Query.
|
|
qtype: count; ##< Query type.
|
|
t: count; ##< TODO.
|
|
payload_size: count; ##< TODO.
|
|
extended_rcode: count; ##< Extended return code.
|
|
version: count; ##< Version.
|
|
z_field: count; ##< TODO.
|
|
TTL: interval; ##< Time-to-live.
|
|
is_query: count; ##< TODO.
|
|
};
|
|
|
|
## An additional DNS TSIG record.
|
|
##
|
|
## bro:see:: dns_TSIG_addl
|
|
type dns_tsig_additional: record {
|
|
query: string; ##< Query.
|
|
qtype: count; ##< Query type.
|
|
alg_name: string; ##< Algorithm name.
|
|
sig: string; ##< Signature.
|
|
time_signed: time; ##< Time when signed.
|
|
fudge: time; ##< TODO.
|
|
orig_id: count; ##< TODO.
|
|
rr_error: count; ##< TODO.
|
|
is_query: count; ##< TODO.
|
|
};
|
|
|
|
# DNS answer types.
|
|
#
|
|
# .. .. bro:see:: dns_answerr
|
|
#
|
|
# todo::use enum to make them autodoc'able
|
|
const DNS_QUERY = 0; ##< A query. This shouldn't occur, just for completeness.
|
|
const DNS_ANS = 1; ##< An answer record.
|
|
const DNS_AUTH = 2; ##< An authorative record.
|
|
const DNS_ADDL = 3; ##< An additional record.
|
|
|
|
## The general part of a DNS reply.
|
|
##
|
|
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply
|
|
## dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply
|
|
## dns_TXT_reply dns_WKS_reply
|
|
type dns_answer: record {
|
|
## Answer type. One of :bro:see:`DNS_QUERY`, :bro:see:`DNS_ANS`,
|
|
## :bro:see:`DNS_AUTH` and :bro:see:`DNS_ADDL`.
|
|
answer_type: count;
|
|
query: string; ##< Query.
|
|
qtype: count; ##< Query type.
|
|
qclass: count; ##< Query class.
|
|
TTL: interval; ##< Time-to-live.
|
|
};
|
|
|
|
## For DNS servers in these sets, omit processing the AUTH records they include in
|
|
## their replies.
|
|
##
|
|
## .. bro:see:: dns_skip_all_auth dns_skip_addl
|
|
global dns_skip_auth: set[addr] &redef;
|
|
|
|
## For DNS servers in these sets, omit processing the ADDL records they include in
|
|
## their replies.
|
|
##
|
|
## .. bro:see:: dns_skip_all_addl dns_skip_auth
|
|
global dns_skip_addl: set[addr] &redef;
|
|
|
|
## If true, all DNS AUTH records are skipped.
|
|
##
|
|
## .. bro:see:: dns_skip_all_addl dns_skip_auth
|
|
global dns_skip_all_auth = T &redef;
|
|
|
|
## If true, all DNS ADDL records are skipped.
|
|
##
|
|
## .. bro:see:: dns_skip_all_auth dns_skip_addl
|
|
global dns_skip_all_addl = T &redef;
|
|
|
|
## If a DNS request includes more than this many queries, assume it's non-DNS
|
|
## traffic and do not process it. Set to 0 to turn off this functionality.
|
|
global dns_max_queries = 5;
|
|
|
|
## An X509 certificate.
|
|
##
|
|
## .. bro:see:: x509_certificate
|
|
type X509: record {
|
|
version: count; ##< Version number.
|
|
serial: string; ##< Serial number.
|
|
subject: string; ##< Subject.
|
|
issuer: string; ##< Issuer.
|
|
not_valid_before: time; ##< Timestamp before when certificate is not valid.
|
|
not_valid_after: time; ##< Timestamp after when certificate is not valid.
|
|
};
|
|
|
|
## HTTP session statistics.
|
|
##
|
|
## .. bro:see:: http_stats
|
|
type http_stats_rec: record {
|
|
num_requests: count; ##< Number of requests.
|
|
num_replies: count; ##< Number of replies.
|
|
request_version: double; ##< HTTP version of the requests.
|
|
reply_version: double; ##< HTTP Version of the replies.
|
|
};
|
|
|
|
## HTTP message statistics.
|
|
##
|
|
## .. bro:see:: http_message_done
|
|
type http_message_stat: record {
|
|
## When the request/reply line was complete.
|
|
start: time;
|
|
## Whether the message was interrupted.
|
|
interrupted: bool;
|
|
## Reason phrase if interrupted.
|
|
finish_msg: string;
|
|
## Length of body processed (before finished/interrupted).
|
|
body_length: count;
|
|
## Total length of gaps within body_length.
|
|
content_gap_length: count;
|
|
## Length of headers (including the req/reply line, but not CR/LF's).
|
|
header_length: count;
|
|
};
|
|
|
|
## Maximum number of HTTP entity data delivered to events. The amount of data
|
|
## can be limited for better performance, zero disables truncation.
|
|
##
|
|
## .. bro:see:: http_entity_data skip_http_entity_data skip_http_data
|
|
global http_entity_data_delivery_size = 1500 &redef;
|
|
|
|
## Skip HTTP data for performance considerations. The skipped
|
|
## portion will not go through TCP reassembly.
|
|
##
|
|
## .. bro:see:: http_entity_data skip_http_entity_data http_entity_data_delivery_size
|
|
const skip_http_data = F &redef;
|
|
|
|
## Maximum length of HTTP URIs passed to events. Longer ones will be truncated
|
|
## to prevent over-long URIs (usually sent by worms) from slowing down event
|
|
## processing. A value of -1 means "do not truncate".
|
|
##
|
|
## .. bro:see:: http_request
|
|
const truncate_http_URI = -1 &redef;
|
|
|
|
## IRC join information.
|
|
##
|
|
## .. bro:see:: irc_join_list
|
|
type irc_join_info: record {
|
|
nick: string;
|
|
channel: string;
|
|
password: string;
|
|
usermode: string;
|
|
};
|
|
|
|
## Set of IRC join information.
|
|
##
|
|
## .. bro:see:: irc_join_message
|
|
type irc_join_list: set[irc_join_info];
|
|
|
|
## Deprecated.
|
|
##
|
|
## .. todo:: Remove. It's still declared internally but doesn't seem used anywhere
|
|
## else.
|
|
global irc_servers : set[addr] &redef;
|
|
|
|
## Internal to the stepping stone detector.
|
|
const stp_delta: interval &redef;
|
|
|
|
## Internal to the stepping stone detector.
|
|
const stp_idle_min: interval &redef;
|
|
|
|
## Internal to the stepping stone detector.
|
|
global stp_skip_src: set[addr] &redef;
|
|
|
|
## Deprecated.
|
|
const interconn_min_interarrival: interval &redef;
|
|
|
|
## Deprecated.
|
|
const interconn_max_interarrival: interval &redef;
|
|
|
|
## Deprecated.
|
|
const interconn_max_keystroke_pkt_size: count &redef;
|
|
|
|
## Deprecated.
|
|
const interconn_default_pkt_size: count &redef;
|
|
|
|
## Deprecated.
|
|
const interconn_stat_period: interval &redef;
|
|
|
|
## Deprecated.
|
|
const interconn_stat_backoff: double &redef;
|
|
|
|
## Deprecated.
|
|
type interconn_endp_stats: record {
|
|
num_pkts: count;
|
|
num_keystrokes_two_in_row: count;
|
|
num_normal_interarrivals: count;
|
|
num_8k0_pkts: count;
|
|
num_8k4_pkts: count;
|
|
is_partial: bool;
|
|
num_bytes: count;
|
|
num_7bit_ascii: count;
|
|
num_lines: count;
|
|
num_normal_lines: count;
|
|
};
|
|
|
|
## Deprecated.
|
|
const backdoor_stat_period: interval &redef;
|
|
|
|
## Deprecated.
|
|
const backdoor_stat_backoff: double &redef;
|
|
|
|
## Deprecated.
|
|
type backdoor_endp_stats: record {
|
|
is_partial: bool;
|
|
num_pkts: count;
|
|
num_8k0_pkts: count;
|
|
num_8k4_pkts: count;
|
|
num_lines: count;
|
|
num_normal_lines: count;
|
|
num_bytes: count;
|
|
num_7bit_ascii: count;
|
|
};
|
|
|
|
## Description of a signature match.
|
|
##
|
|
## .. bro:see:: signature_match
|
|
type signature_state: record {
|
|
sig_id: string; ##< ID of the matching signature.
|
|
conn: connection; ##< Matching connection.
|
|
is_orig: bool; ##< True if matching endpoint is originator.
|
|
payload_size: count; ##< Payload size of the first matching packet of current endpoint.
|
|
};
|
|
|
|
# Deprecated.
|
|
#
|
|
# .. todo:: This type is no longer used. Remove any reference of this from the
|
|
# core.
|
|
type software_version: record {
|
|
major: int;
|
|
minor: int;
|
|
minor2: int;
|
|
addl: string;
|
|
};
|
|
|
|
# Deprecated.
|
|
#
|
|
# .. todo:: This type is no longer used. Remove any reference of this from the
|
|
# core.
|
|
type software: record {
|
|
name: string;
|
|
version: software_version;
|
|
};
|
|
|
|
## Quality of passive fingerprinting matches.
|
|
##
|
|
## .. .. bro:see:: OS_version
|
|
type OS_version_inference: enum {
|
|
direct_inference, ##< TODO.
|
|
generic_inference, ##< TODO.
|
|
fuzzy_inference, ##< TODO.
|
|
};
|
|
|
|
## Passive fingerprinting match.
|
|
##
|
|
## .. bro:see:: OS_version_found
|
|
type OS_version: record {
|
|
genre: string; ##< Linux, Windows, AIX, ...
|
|
detail: string; ##< Lernel version or such.
|
|
dist: count; ##< How far is the host away from the sensor (TTL)?.
|
|
match_type: OS_version_inference; ##< Quality of the match.
|
|
};
|
|
|
|
## Defines for which subnets we should do passive fingerprinting.
|
|
##
|
|
## .. bro:see:: OS_version_found
|
|
global generate_OS_version_event: set[subnet] &redef;
|
|
|
|
# Type used to report load samples via :bro:see:`load_sample`. For now, it's a
|
|
# set of names (event names, source file names, and perhaps ``<source file, line
|
|
# number>``, which were seen during the sample.
|
|
type load_sample_info: set[string];
|
|
|
|
## ID for NetFlow header. This is primarily a means to sort together NetFlow
|
|
## headers and flow records at the script level.
|
|
type nfheader_id: record {
|
|
## Name of the NetFlow file (e.g., ``netflow.dat``) or the receiving socket address
|
|
## (e.g., ``127.0.0.1:5555``), or an explicit name if specified to
|
|
## ``-y`` or ``-Y``.
|
|
rcvr_id: string;
|
|
## A serial number, ignoring any overflows.
|
|
pdu_id: count;
|
|
};
|
|
|
|
## A NetFlow v5 header.
|
|
##
|
|
## .. bro:see:: netflow_v5_header
|
|
type nf_v5_header: record {
|
|
h_id: nfheader_id; ##< ID for sorting.
|
|
cnt: count; ##< TODO.
|
|
sysuptime: interval; ##< Router's uptime.
|
|
exporttime: time; ##< When the data was exported.
|
|
flow_seq: count; ##< Sequence number.
|
|
eng_type: count; ##< Engine type.
|
|
eng_id: count; ##< Engine ID.
|
|
sample_int: count; ##< Sampling interval.
|
|
exporter: addr; ##< Exporter address.
|
|
};
|
|
|
|
## A NetFlow v5 record.
|
|
##
|
|
## .. bro:see:: netflow_v5_record
|
|
type nf_v5_record: record {
|
|
h_id: nfheader_id; ##< ID for sorting.
|
|
id: conn_id; ##< Connection ID.
|
|
nexthop: addr; ##< Address of next hop.
|
|
input: count; ##< Input interface.
|
|
output: count; ##< Output interface.
|
|
pkts: count; ##< Number of packets.
|
|
octets: count; ##< Number of bytes.
|
|
first: time; ##< Timestamp of first packet.
|
|
last: time; ##< Timestamp of last packet.
|
|
tcpflag_fin: bool; ##< FIN flag for TCP flows.
|
|
tcpflag_syn: bool; ##< SYN flag for TCP flows.
|
|
tcpflag_rst: bool; ##< RST flag for TCP flows.
|
|
tcpflag_psh: bool; ##< PSH flag for TCP flows.
|
|
tcpflag_ack: bool; ##< ACK flag for TCP flows.
|
|
tcpflag_urg: bool; ##< URG flag for TCP flows.
|
|
proto: count; ##< IP protocol.
|
|
tos: count; ##< Type of service.
|
|
src_as: count; ##< Source AS.
|
|
dst_as: count; ##< Destination AS.
|
|
src_mask: count; ##< Source mask.
|
|
dst_mask: count; ##< Destination mask.
|
|
};
|
|
|
|
|
|
## A BitTorrent peer.
|
|
##
|
|
## .. bro:see:: bittorrent_peer_set
|
|
type bittorrent_peer: record {
|
|
h: addr; ##< The peer's address.
|
|
p: port; ##< The peer's port.
|
|
};
|
|
|
|
## A set of BitTorrent peers.
|
|
##
|
|
## .. bro:see:: bt_tracker_response
|
|
type bittorrent_peer_set: set[bittorrent_peer];
|
|
|
|
## BitTorrent "benc" value. Note that "benc" = Bencode ("Bee-Encode"), per
|
|
## http://en.wikipedia.org/wiki/Bencode.
|
|
##
|
|
## .. bro:see:: bittorrent_benc_dir
|
|
type bittorrent_benc_value: record {
|
|
i: int &optional; ##< TODO.
|
|
s: string &optional; ##< TODO.
|
|
d: string &optional; ##< TODO.
|
|
l: string &optional; ##< TODO.
|
|
};
|
|
|
|
## A table of BitTorrent "benc" values.
|
|
##
|
|
## .. bro:see:: bt_tracker_response
|
|
type bittorrent_benc_dir: table[string] of bittorrent_benc_value;
|
|
|
|
## Header table type used by BitTorrent analyzer.
|
|
##
|
|
## .. bro:see:: bt_tracker_request bt_tracker_response
|
|
## bt_tracker_response_not_ok
|
|
type bt_tracker_headers: table[string] of string;
|
|
|
|
module SOCKS;
|
|
export {
|
|
## This record is for a SOCKS client or server to provide either a
|
|
## name or an address to represent a desired or established connection.
|
|
type Address: record {
|
|
host: addr &optional;
|
|
name: string &optional;
|
|
} &log;
|
|
}
|
|
module GLOBAL;
|
|
|
|
@load base/event.bif
|
|
|
|
## BPF filter the user has set via the -f command line options. Empty if none.
|
|
const cmd_line_bpf_filter = "" &redef;
|
|
|
|
## The maximum number of open files to keep cached at a given time.
|
|
## If set to zero, this is automatically determined by inspecting
|
|
## the current/maximum limit on open files for the process.
|
|
const max_files_in_cache = 0 &redef;
|
|
|
|
## Deprecated.
|
|
const log_rotate_interval = 0 sec &redef;
|
|
|
|
## Deprecated.
|
|
const log_rotate_base_time = "0:00" &redef;
|
|
|
|
## Deprecated.
|
|
const log_max_size = 0.0 &redef;
|
|
|
|
## Deprecated.
|
|
const log_encryption_key = "<undefined>" &redef;
|
|
|
|
## Write profiling info into this file in regular intervals. The easiest way to
|
|
## activate profiling is loading :doc:`/scripts/policy/misc/profiling`.
|
|
##
|
|
## .. bro:see:: profiling_interval expensive_profiling_multiple segment_profiling
|
|
global profiling_file: file &redef;
|
|
|
|
## Update interval for profiling (0 disables). The easiest way to activate
|
|
## profiling is loading :doc:`/scripts/policy/misc/profiling`.
|
|
##
|
|
## .. bro:see:: profiling_file expensive_profiling_multiple segment_profiling
|
|
const profiling_interval = 0 secs &redef;
|
|
|
|
## Multiples of profiling_interval at which (more expensive) memory profiling is
|
|
## done (0 disables).
|
|
##
|
|
## .. bro:see:: profiling_interval profiling_file segment_profiling
|
|
const expensive_profiling_multiple = 0 &redef;
|
|
|
|
## If true, then write segment profiling information (very high volume!)
|
|
## in addition to profiling statistics.
|
|
##
|
|
## .. bro:see:: profiling_interval expensive_profiling_multiple profiling_file
|
|
const segment_profiling = F &redef;
|
|
|
|
## Output modes for packet profiling information.
|
|
##
|
|
## .. bro:see:: pkt_profile_mode pkt_profile_freq pkt_profile_mode pkt_profile_file
|
|
type pkt_profile_modes: enum {
|
|
PKT_PROFILE_MODE_NONE, ##< No output.
|
|
PKT_PROFILE_MODE_SECS, ##< Output every :bro:see:`pkt_profile_freq` seconds.
|
|
PKT_PROFILE_MODE_PKTS, ##< Output every :bro:see:`pkt_profile_freq` packets.
|
|
PKT_PROFILE_MODE_BYTES, ##< Output every :bro:see:`pkt_profile_freq` bytes.
|
|
};
|
|
|
|
## Output modes for packet profiling information.
|
|
##
|
|
## .. bro:see:: pkt_profile_modes pkt_profile_freq pkt_profile_mode pkt_profile_file
|
|
const pkt_profile_mode = PKT_PROFILE_MODE_NONE &redef;
|
|
|
|
## Frequency associated with packet profiling.
|
|
##
|
|
## .. bro:see:: pkt_profile_modes pkt_profile_mode pkt_profile_mode pkt_profile_file
|
|
const pkt_profile_freq = 0.0 &redef;
|
|
|
|
## File where packet profiles are logged.
|
|
##
|
|
## .. bro:see:: pkt_profile_modes pkt_profile_freq pkt_profile_mode pkt_profile_mode
|
|
global pkt_profile_file: file &redef;
|
|
|
|
## Rate at which to generate :bro:see:`load_sample` events. As all
|
|
## events, the event is only generated if you've also defined a
|
|
## :bro:see:`load_sample` handler. Units are inverse number of packets; e.g., a
|
|
## value of 20 means "roughly one in every 20 packets".
|
|
##
|
|
## .. bro:see:: load_sample
|
|
global load_sample_freq = 20 &redef;
|
|
|
|
## Rate at which to generate :bro:see:`gap_report` events assessing to what degree
|
|
## the measurement process appears to exhibit loss.
|
|
##
|
|
## .. bro:see:: gap_report
|
|
const gap_report_freq = 1.0 sec &redef;
|
|
|
|
## Whether we want :bro:see:`content_gap` and :bro:see:`gap_report` for partial
|
|
## connections. A connection is partial if it is missing a full handshake. Note
|
|
## that gap reports for partial connections might not be reliable.
|
|
##
|
|
## .. bro:see:: content_gap gap_report partial_connection
|
|
const report_gaps_for_partial = F &redef;
|
|
|
|
## The CA certificate file to authorize remote Bros/Broccolis.
|
|
##
|
|
## .. bro:see:: ssl_private_key ssl_passphrase
|
|
const ssl_ca_certificate = "<undefined>" &redef;
|
|
|
|
## File containing our private key and our certificate.
|
|
##
|
|
## .. bro:see:: ssl_ca_certificate ssl_passphrase
|
|
const ssl_private_key = "<undefined>" &redef;
|
|
|
|
## The passphrase for our private key. Keeping this undefined
|
|
## causes Bro to prompt for the passphrase.
|
|
##
|
|
## .. bro:see:: ssl_private_key ssl_ca_certificate
|
|
const ssl_passphrase = "<undefined>" &redef;
|
|
|
|
## Default mode for Bro's user-space dynamic packet filter. If true, packets that
|
|
## aren't explicitly allowed through, are dropped from any further processing.
|
|
##
|
|
## .. note:: This is not the BPF packet filter but an additional dynamic filter
|
|
## that Bro optionally applies just before normal processing starts.
|
|
##
|
|
## .. bro:see:: install_dst_addr_filter install_dst_net_filter
|
|
## install_src_addr_filter install_src_net_filter uninstall_dst_addr_filter
|
|
## uninstall_dst_net_filter uninstall_src_addr_filter uninstall_src_net_filter
|
|
const packet_filter_default = F &redef;
|
|
|
|
## Maximum size of regular expression groups for signature matching.
|
|
const sig_max_group_size = 50 &redef;
|
|
|
|
## Deprecated. No longer functional.
|
|
const enable_syslog = F &redef;
|
|
|
|
## Description transmitted to remote communication peers for identification.
|
|
const peer_description = "bro" &redef;
|
|
|
|
## If true, broadcast events received from one peer to all other peers.
|
|
##
|
|
## .. bro:see:: forward_remote_state_changes
|
|
##
|
|
## .. note:: This option is only temporary and will disappear once we get a more
|
|
## sophisticated script-level communication framework.
|
|
const forward_remote_events = F &redef;
|
|
|
|
## If true, broadcast state updates received from one peer to all other peers.
|
|
##
|
|
## .. bro:see:: forward_remote_events
|
|
##
|
|
## .. note:: This option is only temporary and will disappear once we get a more
|
|
## sophisticated script-level communication framework.
|
|
const forward_remote_state_changes = F &redef;
|
|
|
|
## Place-holder constant indicating "no peer".
|
|
const PEER_ID_NONE = 0;
|
|
|
|
# Signature payload pattern types.
|
|
# todo::use enum to help autodoc
|
|
# todo::Still used?
|
|
#const SIG_PATTERN_PAYLOAD = 0;
|
|
#const SIG_PATTERN_HTTP = 1;
|
|
#const SIG_PATTERN_FTP = 2;
|
|
#const SIG_PATTERN_FINGER = 3;
|
|
|
|
# Deprecated.
|
|
# todo::Should use the new logging framework directly.
|
|
const REMOTE_LOG_INFO = 1; ##< Deprecated.
|
|
const REMOTE_LOG_ERROR = 2; ##< Deprecated.
|
|
|
|
# Source of logging messages from the communication framework.
|
|
# todo::these should go into an enum to make them autodoc'able.
|
|
const REMOTE_SRC_CHILD = 1; ##< Message from the child process.
|
|
const REMOTE_SRC_PARENT = 2; ##< Message from the parent process.
|
|
const REMOTE_SRC_SCRIPT = 3; ##< Message from a policy script.
|
|
|
|
## Synchronize trace processing at a regular basis in pseudo-realtime mode.
|
|
##
|
|
## .. bro:see:: remote_trace_sync_peers
|
|
const remote_trace_sync_interval = 0 secs &redef;
|
|
|
|
## Number of peers across which to synchronize trace processing in
|
|
## pseudo-realtime mode.
|
|
##
|
|
## .. bro:see:: remote_trace_sync_interval
|
|
const remote_trace_sync_peers = 0 &redef;
|
|
|
|
## Whether for :bro:attr:`&synchronized` state to send the old value as a
|
|
## consistency check.
|
|
const remote_check_sync_consistency = F &redef;
|
|
|
|
## Analyzer tags. The core automatically defines constants
|
|
## ``ANALYZER_<analyzer-name>*``, e.g., ``ANALYZER_HTTP``.
|
|
##
|
|
## .. bro:see:: dpd_config
|
|
##
|
|
## .. todo::We should autodoc these automaticallty generated constants.
|
|
type AnalyzerTag: count;
|
|
|
|
## Set of ports activating a particular protocol analysis.
|
|
##
|
|
## .. bro:see:: dpd_config
|
|
type dpd_protocol_config: record {
|
|
ports: set[port] &optional; ##< Set of ports.
|
|
};
|
|
|
|
## Port configuration for Bro's "dynamic protocol detection". Protocol
|
|
## analyzers can be activated via either well-known ports or content analysis.
|
|
## This table defines the ports.
|
|
##
|
|
## .. bro:see:: dpd_reassemble_first_packets dpd_buffer_size
|
|
## dpd_match_only_beginning dpd_ignore_ports
|
|
const dpd_config: table[AnalyzerTag] of dpd_protocol_config = {} &redef;
|
|
|
|
## Reassemble the beginning of all TCP connections before doing
|
|
## signature-matching. Enabling this provides more accurate matching at the
|
|
## expensive of CPU cycles.
|
|
##
|
|
## .. bro:see:: dpd_config dpd_buffer_size
|
|
## dpd_match_only_beginning dpd_ignore_ports
|
|
##
|
|
## .. note:: Despite the name, this option affects *all* signature matching, not
|
|
## only signatures used for dynamic protocol detection.
|
|
const dpd_reassemble_first_packets = T &redef;
|
|
|
|
## Size of per-connection buffer used for dynamic protocol detection. For each
|
|
## connection, Bro buffers this initial amount of payload in memory so that
|
|
## complete protocol analysis can start even after the initial packets have
|
|
## already passed through (i.e., when a DPD signature matches only later).
|
|
## However, once the buffer is full, data is deleted and lost to analyzers that are
|
|
## activated afterwards. Then only analyzers that can deal with partial
|
|
## connections will be able to analyze the session.
|
|
##
|
|
## .. bro:see:: dpd_reassemble_first_packets dpd_config dpd_match_only_beginning
|
|
## dpd_ignore_ports
|
|
const dpd_buffer_size = 1024 &redef;
|
|
|
|
## If true, stops signature matching if dpd_buffer_size has been reached.
|
|
##
|
|
## .. bro:see:: dpd_reassemble_first_packets dpd_buffer_size
|
|
## dpd_config dpd_ignore_ports
|
|
##
|
|
## .. note:: Despite the name, this option affects *all* signature matching, not
|
|
## only signatures used for dynamic protocol detection.
|
|
const dpd_match_only_beginning = T &redef;
|
|
|
|
## If true, don't consider any ports for deciding which protocol analyzer to
|
|
## use. If so, the value of :bro:see:`dpd_config` is ignored.
|
|
##
|
|
## .. bro:see:: dpd_reassemble_first_packets dpd_buffer_size
|
|
## dpd_match_only_beginning dpd_config
|
|
const dpd_ignore_ports = F &redef;
|
|
|
|
## Ports which the core considers being likely used by servers. For ports in
|
|
## this set, is may heuristically decide to flip the direction of the
|
|
## connection if it misses the initial handshake.
|
|
const likely_server_ports: set[port] &redef;
|
|
|
|
## Deprated. Set of all ports for which we know an analyzer, built by
|
|
## :doc:`/scripts/base/frameworks/dpd/main`.
|
|
##
|
|
## .. todo::This should be defined by :doc:`/scripts/base/frameworks/dpd/main`
|
|
## itself we still need it.
|
|
global dpd_analyzer_ports: table[port] of set[AnalyzerTag];
|
|
|
|
## Per-incident timer managers are drained after this amount of inactivity.
|
|
const timer_mgr_inactivity_timeout = 1 min &redef;
|
|
|
|
## If true, output profiling for time-machine queries.
|
|
const time_machine_profiling = F &redef;
|
|
|
|
## If true, warns about unused event handlers at startup.
|
|
const check_for_unused_event_handlers = F &redef;
|
|
|
|
# If true, dumps all invoked event handlers at startup.
|
|
# todo::Still used?
|
|
# const dump_used_event_handlers = F &redef;
|
|
|
|
## Deprecated.
|
|
const suppress_local_output = F &redef;
|
|
|
|
## Holds the filename of the trace file given with -w (empty if none).
|
|
##
|
|
## .. bro:see:: record_all_packets
|
|
const trace_output_file = "";
|
|
|
|
## If a trace file is given with ``-w``, dump *all* packets seen by Bro into it. By
|
|
## default, Bro applies (very few) heuristics to reduce the volume. A side effect
|
|
## of setting this to true is that we can write the packets out before we actually
|
|
## process them, which can be helpful for debugging in case the analysis triggers a
|
|
## crash.
|
|
##
|
|
## .. bro:see:: trace_output_file
|
|
const record_all_packets = F &redef;
|
|
|
|
## Ignore certain TCP retransmissions for :bro:see:`conn_stats`. Some connections
|
|
## (e.g., SSH) retransmit the acknowledged last byte to keep the connection alive.
|
|
## If *ignore_keep_alive_rexmit* is set to true, such retransmissions will be
|
|
## excluded in the rexmit counter in :bro:see:`conn_stats`.
|
|
##
|
|
## .. bro:see:: conn_stats
|
|
const ignore_keep_alive_rexmit = F &redef;
|
|
|
|
module Tunnel;
|
|
export {
|
|
## The maximum depth of a tunnel to decapsulate until giving up.
|
|
## Setting this to zero will disable all types of tunnel decapsulation.
|
|
const max_depth: count = 2 &redef;
|
|
|
|
## Toggle whether to do IPv{4,6}-in-IPv{4,6} decapsulation.
|
|
const enable_ip = T &redef;
|
|
|
|
## Toggle whether to do IPv{4,6}-in-AYIYA decapsulation.
|
|
const enable_ayiya = T &redef;
|
|
|
|
## Toggle whether to do IPv6-in-Teredo decapsulation.
|
|
const enable_teredo = T &redef;
|
|
|
|
## With this option set, the Teredo analysis will first check to see if
|
|
## other protocol analyzers have confirmed that they think they're
|
|
## parsing the right protocol and only continue with Teredo tunnel
|
|
## decapsulation if nothing else has yet confirmed. This can help
|
|
## reduce false positives of UDP traffic (e.g. DNS) that also happens
|
|
## to have a valid Teredo encapsulation.
|
|
const yielding_teredo_decapsulation = T &redef;
|
|
|
|
## With this set, the Teredo analyzer waits until it sees both sides
|
|
## of a connection using a valid Teredo encapsulation before issuing
|
|
## a :bro:see:`protocol_confirmation`. If it's false, the first
|
|
## occurence of a packet with valid Teredo encapsulation causes a
|
|
## confirmation. Both cases are still subject to effects of
|
|
## :bro:see:`Tunnel::yielding_teredo_decapsulation`.
|
|
const delay_teredo_confirmation = T &redef;
|
|
|
|
## How often to cleanup internal state for inactive IP tunnels.
|
|
const ip_tunnel_timeout = 24hrs &redef;
|
|
} # end export
|
|
module GLOBAL;
|
|
|
|
## Number of bytes per packet to capture from live interfaces.
|
|
const snaplen = 8192 &redef;
|
|
|
|
# Load the logging framework here because it uses fairly deep integration with
|
|
# BiFs and script-land defined types.
|
|
@load base/frameworks/logging
|
|
|
|
@load base/frameworks/input
|
|
|