// See the file "COPYING" in the main distribution directory for copyright.
#pragma once
#include "zeek/Val.h"
#include "zeek/EventRegistry.h"
#include "zeek/Stats.h"
// Engine-wide tunables. These are declarations only (extern, no initializer);
// the definitions live in another translation unit.
//
// Every variable here is a mutable global with external linkage: any file that
// includes this header can read or write it, and no synchronization is visible
// from this header.
// NOTE(review): defaults, units and the code that assigns each value are not
// shown here. The group labels below are read off the identifiers only —
// confirm them against the definitions before relying on them.
namespace zeek::detail {

extern int watchdog_interval;

extern int max_timer_expires;

// Packet / connection acceptance switches (typed int, not bool).
// NOTE(review): for a network monitor these look security-relevant — e.g.
// ignore_checksums presumably turns checksum validation off, which would let
// packets an end host discards reach the analyzers. Confirm the semantics of
// zero / non-zero in the defining file and document the default.
extern int ignore_checksums;
extern int partial_connection_ok;
extern int tcp_SYN_ack_ok;
extern int tcp_match_undelivered;

extern double frag_timeout;

// TCP timers, stored as double (unit not stated in this header).
extern double tcp_SYN_timeout;
extern double tcp_session_timer;
extern double tcp_connection_linger;
extern double tcp_attempt_delay;
extern double tcp_close_delay;
extern double tcp_partial_close_delay;
extern double tcp_reset_delay;

// TCP reassembly limits.
// NOTE(review): these are signed int, so a negative value is representable.
// If any of them is later used as a byte count or buffer bound, the consumer
// should validate it first — check the call sites.
extern int tcp_max_initial_window;
extern int tcp_max_above_hole_without_any_acks;
extern int tcp_excessive_data_without_further_acks;
extern int tcp_max_old_segments;

// Per-protocol inactivity / lifetime values (double).
extern double non_analyzed_lifetime;
extern double tcp_inactivity_timeout;
extern double udp_inactivity_timeout;
extern double icmp_inactivity_timeout;

extern int tcp_storm_thresh;
extern double tcp_storm_interarrival_thresh;
extern bool tcp_content_deliver_all_orig;
extern bool tcp_content_deliver_all_resp;

extern bool udp_content_deliver_all_orig;
extern bool udp_content_deliver_all_resp;
extern bool udp_content_delivery_ports_use_resp;

extern double dns_session_timeout;
extern double rpc_timeout;

// NOTE(review): signed lengths/sizes (this group and the HTTP group below) —
// same validation concern as the TCP limits above.
extern int mime_segment_length;
extern int mime_segment_overlap_length;

extern int http_entity_data_delivery_size;
extern int truncate_http_URI;

extern int dns_skip_all_auth;
extern int dns_skip_all_addl;
extern int dns_max_queries;

extern double stp_delta;
extern double stp_idle_min;
extern double table_expire_interval;
extern double table_expire_delay;
extern int table_incremental_step;

// Address-anonymization selectors, one declaration per line.
// NOTE(review): the meaning of each int value is not visible here; presumably
// an enumerated anonymization method — confirm. A wrong value here would be a
// privacy issue rather than a crash, so it deserves an explicit default.
extern int orig_addr_anonymization;
extern int resp_addr_anonymization;
extern int other_addr_anonymization;

extern double connection_status_update_interval;

extern double profiling_interval;
extern int expensive_profiling_multiple;

extern int segment_profiling;
extern int pkt_profile_mode;
extern double pkt_profile_freq;
extern int load_sample_freq;

extern int packet_filter_default;

extern int sig_max_group_size;

// Dynamic-protocol-detection knobs (prefix dpd_), all int.
// NOTE(review): dpd_buffer_size is a signed size — validate before use as a
// bound; see the call sites.
extern int dpd_reassemble_first_packets;
extern int dpd_buffer_size;
extern int dpd_match_only_beginning;
extern int dpd_late_match_stop;
extern int dpd_ignore_ports;

extern int check_for_unused_event_handlers;

extern double timer_mgr_inactivity_timeout;

extern int record_all_packets;

extern bro_uint_t bits_per_uid;

// Sets up the globals that are unrelated to network/event analysis.
void init_general_global_var();

// Remaining initializers. All take no arguments and return nothing.
// NOTE(review): which variables each one populates, and the required call
// order, are not visible in this header — confirm in the implementation.
void init_event_handlers();
void init_net_var();
void init_builtin_types();

} // namespace zeek::detail
// Deprecated global-namespace aliases for three zeek::detail initializers.
// Each alias is a constexpr pointer to the namespaced function of the same
// name, so legacy unqualified calls still compile but raise a deprecation
// diagnostic. The attribute text names the replacement and the release in
// which the alias is to be removed (v4.1).
[[deprecated("Remove in v4.1. Use zeek::detail::init_general_global_var.")]] constexpr auto init_general_global_var = zeek::detail::init_general_global_var;
[[deprecated("Remove in v4.1. Use zeek::detail::init_event_handlers.")]] constexpr auto init_event_handlers = zeek::detail::init_event_handlers;
[[deprecated("Remove in v4.1. Use zeek::detail::init_net_var.")]] constexpr auto init_net_var = zeek::detail::init_net_var;
// Deprecated global-namespace names for the zeek::detail tunables.
//
// Each one is declared as a reference (int&, double&, bool&, bro_uint_t&) with
// the same identifier as its zeek::detail counterpart; the deprecation message
// names that counterpart and the planned removal release (v4.1).
// NOTE(review): the binding of each reference is in the defining translation
// unit, not here — presumably each refers to the namespaced variable, which
// would make a write through the old name change the live setting. Confirm.
[[deprecated("Remove in v4.1. Use zeek::detail::watchdog_interval.")]] extern int& watchdog_interval;
[[deprecated("Remove in v4.1. Use zeek::detail::max_timer_expires.")]] extern int& max_timer_expires;
[[deprecated("Remove in v4.1. Use zeek::detail::ignore_checksums.")]] extern int& ignore_checksums;
[[deprecated("Remove in v4.1. Use zeek::detail::partial_connection_ok.")]] extern int& partial_connection_ok;
[[deprecated("Remove in v4.1. Use zeek::detail::tcp_SYN_ack_ok.")]] extern int& tcp_SYN_ack_ok;
[[deprecated("Remove in v4.1. Use zeek::detail::tcp_match_undelivered.")]] extern int& tcp_match_undelivered;
[[deprecated("Remove in v4.1. Use zeek::detail::frag_timeout.")]] extern double& frag_timeout;
[[deprecated("Remove in v4.1. Use zeek::detail::tcp_SYN_timeout.")]] extern double& tcp_SYN_timeout;
[[deprecated("Remove in v4.1. Use zeek::detail::tcp_session_timer.")]] extern double& tcp_session_timer;
[[deprecated("Remove in v4.1. Use zeek::detail::tcp_connection_linger.")]] extern double& tcp_connection_linger;
[[deprecated("Remove in v4.1. Use zeek::detail::tcp_attempt_delay.")]] extern double& tcp_attempt_delay;
[[deprecated("Remove in v4.1. Use zeek::detail::tcp_close_delay.")]] extern double& tcp_close_delay;
[[deprecated("Remove in v4.1. Use zeek::detail::tcp_partial_close_delay.")]] extern double& tcp_partial_close_delay;
[[deprecated("Remove in v4.1. Use zeek::detail::tcp_reset_delay.")]] extern double& tcp_reset_delay;
[[deprecated("Remove in v4.1. Use zeek::detail::tcp_max_initial_window.")]] extern int& tcp_max_initial_window;
[[deprecated("Remove in v4.1. Use zeek::detail::tcp_max_above_hole_without_any_acks.")]] extern int& tcp_max_above_hole_without_any_acks;
[[deprecated("Remove in v4.1. Use zeek::detail::tcp_excessive_data_without_further_acks.")]] extern int& tcp_excessive_data_without_further_acks;
[[deprecated("Remove in v4.1. Use zeek::detail::tcp_max_old_segments.")]] extern int& tcp_max_old_segments;
[[deprecated("Remove in v4.1. Use zeek::detail::non_analyzed_lifetime.")]] extern double& non_analyzed_lifetime;
[[deprecated("Remove in v4.1. Use zeek::detail::tcp_inactivity_timeout.")]] extern double& tcp_inactivity_timeout;
[[deprecated("Remove in v4.1. Use zeek::detail::udp_inactivity_timeout.")]] extern double& udp_inactivity_timeout;
[[deprecated("Remove in v4.1. Use zeek::detail::icmp_inactivity_timeout.")]] extern double& icmp_inactivity_timeout;
[[deprecated("Remove in v4.1. Use zeek::detail::tcp_storm_thresh.")]] extern int& tcp_storm_thresh;
[[deprecated("Remove in v4.1. Use zeek::detail::tcp_storm_interarrival_thresh.")]] extern double& tcp_storm_interarrival_thresh;
[[deprecated("Remove in v4.1. Use zeek::detail::tcp_content_deliver_all_orig.")]] extern bool& tcp_content_deliver_all_orig;
[[deprecated("Remove in v4.1. Use zeek::detail::tcp_content_deliver_all_resp.")]] extern bool& tcp_content_deliver_all_resp;
[[deprecated("Remove in v4.1. Use zeek::detail::udp_content_deliver_all_orig.")]] extern bool& udp_content_deliver_all_orig;
[[deprecated("Remove in v4.1. Use zeek::detail::udp_content_deliver_all_resp.")]] extern bool& udp_content_deliver_all_resp;
[[deprecated("Remove in v4.1. Use zeek::detail::udp_content_delivery_ports_use_resp.")]] extern bool& udp_content_delivery_ports_use_resp;
[[deprecated("Remove in v4.1. Use zeek::detail::dns_session_timeout.")]] extern double& dns_session_timeout;
[[deprecated("Remove in v4.1. Use zeek::detail::rpc_timeout.")]] extern double& rpc_timeout;
[[deprecated("Remove in v4.1. Use zeek::detail::mime_segment_length.")]] extern int& mime_segment_length;
[[deprecated("Remove in v4.1. Use zeek::detail::mime_segment_overlap_length.")]] extern int& mime_segment_overlap_length;
[[deprecated("Remove in v4.1. Use zeek::detail::http_entity_data_delivery_size.")]] extern int& http_entity_data_delivery_size;
[[deprecated("Remove in v4.1. Use zeek::detail::truncate_http_URI.")]] extern int& truncate_http_URI;
[[deprecated("Remove in v4.1. Use zeek::detail::dns_skip_all_auth.")]] extern int& dns_skip_all_auth;
[[deprecated("Remove in v4.1. Use zeek::detail::dns_skip_all_addl.")]] extern int& dns_skip_all_addl;
[[deprecated("Remove in v4.1. Use zeek::detail::dns_max_queries.")]] extern int& dns_max_queries;
[[deprecated("Remove in v4.1. Use zeek::detail::stp_delta.")]] extern double& stp_delta;
[[deprecated("Remove in v4.1. Use zeek::detail::stp_idle_min.")]] extern double& stp_idle_min;
[[deprecated("Remove in v4.1. Use zeek::detail::table_expire_interval.")]] extern double& table_expire_interval;
[[deprecated("Remove in v4.1. Use zeek::detail::table_expire_delay.")]] extern double& table_expire_delay;
[[deprecated("Remove in v4.1. Use zeek::detail::table_incremental_step.")]] extern int& table_incremental_step;
[[deprecated("Remove in v4.1. Use zeek::detail::orig_addr_anonymization.")]] extern int& orig_addr_anonymization;
[[deprecated("Remove in v4.1. Use zeek::detail::resp_addr_anonymization.")]] extern int& resp_addr_anonymization;
[[deprecated("Remove in v4.1. Use zeek::detail::other_addr_anonymization.")]] extern int& other_addr_anonymization;
[[deprecated("Remove in v4.1. Use zeek::detail::connection_status_update_interval.")]] extern double& connection_status_update_interval;
[[deprecated("Remove in v4.1. Use zeek::detail::profiling_interval.")]] extern double& profiling_interval;
[[deprecated("Remove in v4.1. Use zeek::detail::expensive_profiling_multiple.")]] extern int& expensive_profiling_multiple;
[[deprecated("Remove in v4.1. Use zeek::detail::segment_profiling.")]] extern int& segment_profiling;
[[deprecated("Remove in v4.1. Use zeek::detail::pkt_profile_mode.")]] extern int& pkt_profile_mode;
[[deprecated("Remove in v4.1. Use zeek::detail::pkt_profile_freq.")]] extern double& pkt_profile_freq;
[[deprecated("Remove in v4.1. Use zeek::detail::load_sample_freq.")]] extern int& load_sample_freq;
[[deprecated("Remove in v4.1. Use zeek::detail::packet_filter_default.")]] extern int& packet_filter_default;
[[deprecated("Remove in v4.1. Use zeek::detail::sig_max_group_size.")]] extern int& sig_max_group_size;
[[deprecated("Remove in v4.1. Use zeek::detail::dpd_reassemble_first_packets.")]] extern int& dpd_reassemble_first_packets;
[[deprecated("Remove in v4.1. Use zeek::detail::dpd_buffer_size.")]] extern int& dpd_buffer_size;
[[deprecated("Remove in v4.1. Use zeek::detail::dpd_match_only_beginning.")]] extern int& dpd_match_only_beginning;
[[deprecated("Remove in v4.1. Use zeek::detail::dpd_late_match_stop.")]] extern int& dpd_late_match_stop;
[[deprecated("Remove in v4.1. Use zeek::detail::dpd_ignore_ports.")]] extern int& dpd_ignore_ports;
[[deprecated("Remove in v4.1. Use zeek::detail::check_for_unused_event_handlers.")]] extern int& check_for_unused_event_handlers;
[[deprecated("Remove in v4.1. Use zeek::detail::timer_mgr_inactivity_timeout.")]] extern double& timer_mgr_inactivity_timeout;
[[deprecated("Remove in v4.1. Use zeek::detail::record_all_packets.")]] extern int& record_all_packets;
[[deprecated("Remove in v4.1. Use zeek::detail::bits_per_uid.")]] extern bro_uint_t& bits_per_uid;
// Deprecated global pointers to script-layer types (RecordType, EnumType,
// TableType, VectorType) and values (TableVal, StringVal, Val).
//
// All are scheduled for removal in v4.1. Where the message names a
// zeek::id:: replacement, use it; the others tell the caller to perform its
// own lookup.
// NOTE(review): these are raw pointers declared extern; ownership, lifetime
// and the point at which they become non-null are not visible in this header
// (presumably assigned by one of the init_* functions — confirm). Callers
// should not dereference them before initialization has run.

// Connection, file-analysis and packet-header record types.
[[deprecated("Remove in v4.1. Use zeek::id::conn_id.")]] extern zeek::RecordType* conn_id;
[[deprecated("Remove in v4.1. Use zeek::id::endpoint.")]] extern zeek::RecordType* endpoint;
[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::RecordType* endpoint_stats;
[[deprecated("Remove in v4.1. Use zeek::id::connection.")]] extern zeek::RecordType* connection_type;
[[deprecated("Remove in v4.1. Use zeek::id::fa_file.")]] extern zeek::RecordType* fa_file_type;
[[deprecated("Remove in v4.1. Use zeek::id::fa_metadata.")]] extern zeek::RecordType* fa_metadata_type;
[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::RecordType* icmp_conn;
[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::RecordType* icmp_context;
[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::RecordType* signature_state;
[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::RecordType* SYN_packet;
[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::RecordType* pcap_packet;
[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::RecordType* raw_pkt_hdr_type;
[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::RecordType* l2_hdr_type;
// Generic enum / container types.
[[deprecated("Remove in v4.1. Use zeek::id::transport_proto.")]] extern zeek::EnumType* transport_proto;
[[deprecated("Remove in v4.1. Use zeek::id::string_set.")]] extern zeek::TableType* string_set;
[[deprecated("Remove in v4.1. Use zeek::id::string_array.")]] extern zeek::TableType* string_array;
[[deprecated("Remove in v4.1. Use zeek::id::count_set.")]] extern zeek::TableType* count_set;
[[deprecated("Remove in v4.1. Use zeek::id::string_vec.")]] extern zeek::VectorType* string_vec;
[[deprecated("Remove in v4.1. Use zeek::id::index_vec.")]] extern zeek::VectorType* index_vec;
[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::VectorType* mime_matches;
[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::RecordType* mime_match;

[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::RecordType* socks_address;

// Port tables for TCP reassembly and TCP/UDP content delivery.
[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::TableVal* tcp_reassembler_ports_orig;
[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::TableVal* tcp_reassembler_ports_resp;

[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::TableVal* tcp_content_delivery_ports_orig;
[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::TableVal* tcp_content_delivery_ports_resp;

[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::TableVal* udp_content_delivery_ports_orig;
[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::TableVal* udp_content_delivery_ports_resp;
[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::TableVal* udp_content_ports;
[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::RecordType* mime_header_rec;
[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::TableType* mime_header_list;

[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::RecordType* http_stats_rec;
[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::RecordType* http_message_stat;

[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::RecordType* pm_mapping;
[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::TableType* pm_mappings;
[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::RecordType* pm_port_request;
[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::RecordType* pm_callit_request;

[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::RecordType* geo_location;

[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::RecordType* entropy_test_result;

// DNS record types and skip tables.
[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::RecordType* dns_msg;
[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::RecordType* dns_answer;
[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::RecordType* dns_soa;
[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::RecordType* dns_edns_additional;
[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::RecordType* dns_edns_ecs;
[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::RecordType* dns_tsig_additional;
[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::RecordType* dns_rrsig_rr;
[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::RecordType* dns_dnskey_rr;
[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::RecordType* dns_nsec3_rr;
[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::RecordType* dns_ds_rr;
[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::TableVal* dns_skip_auth;
[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::TableVal* dns_skip_addl;

[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::TableVal* stp_skip_src;

// NOTE(review): by name these tables exempt addresses from anonymization;
// confirm, and treat their contents as privacy-relevant configuration.
[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::TableVal* preserve_orig_addr;
[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::TableVal* preserve_resp_addr;
[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::TableVal* preserve_other_addr;

[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::RecordType* rotate_info;
[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::StringVal* log_rotate_base_time;

[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::StringVal* peer_description;

[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::Val* profiling_file;

[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::Val* pkt_profile_file;

[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::TableType* irc_join_list;
[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::RecordType* irc_join_info;

[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::TableVal* likely_server_ports;

[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::StringVal* trace_output_file;

// Script-introspection types.
[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::RecordType* script_id;
[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::TableType* id_table;
[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::RecordType* record_field;
[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::TableType* record_field_table;
[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::RecordType* call_argument;
[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::VectorType* call_argument_vector;

[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::StringVal* cmd_line_bpf_filter;

// NOTE(review): exposed as a writable global pointer. If this value seeds
// keyed hashing (the name suggests so — confirm), treat it as sensitive:
// keep it out of logs and restrict who can overwrite it.
[[deprecated("Remove in v4.1. Perform your own lookup.")]] extern zeek::StringVal* global_hash_seed;
#include "const.bif.netvar_h"
#include "types.bif.netvar_h"
#include "event.bif.netvar_h"
#include "reporter.bif.netvar_h"
#include "supervisor.bif.netvar_h"
#include "packet_analysis.bif.netvar_h"