
This commit revamps the handling of analyzer violations that happen
before an analyzer confirms the protocol.
The current state is that an analyzer is disabled after 5 violations, if
it has not been confirmed. If it has been confirmed, it is disabled
after a single violation.
The reason for this is a historic mistake. In Zeek up to version 1.5,
analyzers were unconditionally removed when they raised the first
protocol violation.
When this script was ported to the new layout for Zeek 2.0 in
b4b990cfb5, a logic error was introduced
that caused analyzers to no longer be disabled if they were not
confirmed.
This was the state for ~8 years, until the DPD::max_violations option
was added, which instates the current approach of disabling unconfirmed
analyzers after 5 violations. Sadly, there is not much discussion about
this change - from my hazy memory, I think this was discovered during
performance tests and the new behavior was added without checking into
the history of previous changes.
This commit reinstates the originally intended behavior of DPD. When an
analyzer that has not been confirmed raises a protocol violation, it is
immediately removed from the connection. This also makes a lot of sense
- this allows the analyzer to be in a "tasting" phase at the beginning
of the connection, and to error out quickly once it realizes that it was
attached to a connection not containing the desired protocol.
This change also removes the DPD::max_violations option, as it no longer
serves any purpose after this change. (In practice, the option remains
with an &deprecated warning, but it is no longer used for anything).
There are relatively minimal test-baseline changes due to this; they are
mostly triggered by the removal of the data structure and by less
analyzer errors being thrown, as unconfirmed analyzers are disabled
after the first error.
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
|
[zeek, <...>/record-fields.zeek]
|
|
connection {
|
|
* conn: record Conn::Info, log=F, optional=T
|
|
Conn::Info {
|
|
* conn_state: string, log=T, optional=T
|
|
* duration: interval, log=T, optional=T
|
|
* history: string, log=T, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id {
|
|
* orig_h: addr, log=T, optional=F
|
|
* orig_p: port, log=T, optional=F
|
|
* proto: count, log=F, optional=T
|
|
* resp_h: addr, log=T, optional=F
|
|
* resp_p: port, log=T, optional=F
|
|
}
|
|
* ip_proto: count, log=T, optional=T
|
|
* local_orig: bool, log=T, optional=T
|
|
* local_resp: bool, log=T, optional=T
|
|
* missed_bytes: count, log=T, optional=T
|
|
* orig_bytes: count, log=T, optional=T
|
|
* orig_ip_bytes: count, log=T, optional=T
|
|
* orig_pkts: count, log=T, optional=T
|
|
* proto: enum transport_proto, log=T, optional=F
|
|
* resp_bytes: count, log=T, optional=T
|
|
* resp_ip_bytes: count, log=T, optional=T
|
|
* resp_pkts: count, log=T, optional=T
|
|
* service: string, log=T, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* tunnel_parents: set[string], log=T, optional=T
|
|
* uid: string, log=T, optional=F
|
|
}
|
|
* dce_rpc: record DCE_RPC::Info, log=F, optional=T
|
|
DCE_RPC::Info {
|
|
* endpoint: string, log=T, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* named_pipe: string, log=T, optional=T
|
|
* operation: string, log=T, optional=T
|
|
* rtt: interval, log=T, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
}
|
|
* dce_rpc_backing: table[count] of record DCE_RPC::BackingState, log=F, optional=T
|
|
DCE_RPC::BackingState {
|
|
* info: record DCE_RPC::Info, log=F, optional=F
|
|
DCE_RPC::Info { ... }
|
|
* state: record DCE_RPC::State, log=F, optional=F
|
|
DCE_RPC::State {
|
|
* ctx_to_uuid: table[count] of string, log=F, optional=T
|
|
* named_pipe: string, log=F, optional=T
|
|
* uuid: string, log=F, optional=T
|
|
}
|
|
}
|
|
* dce_rpc_state: record DCE_RPC::State, log=F, optional=T
|
|
DCE_RPC::State { ... }
|
|
* dhcp: record DHCP::Info, log=F, optional=T
|
|
DHCP::Info {
|
|
* assigned_addr: addr, log=T, optional=T
|
|
* client_addr: addr, log=T, optional=T
|
|
* client_chaddr: string, log=F, optional=T
|
|
* client_fqdn: string, log=T, optional=T
|
|
* client_message: string, log=T, optional=T
|
|
* client_port: port, log=F, optional=T
|
|
* domain: string, log=T, optional=T
|
|
* duration: interval, log=T, optional=T
|
|
* host_name: string, log=T, optional=T
|
|
* last_message_ts: time, log=F, optional=T
|
|
* lease_time: interval, log=T, optional=T
|
|
* mac: string, log=T, optional=T
|
|
* msg_types: vector of string, log=T, optional=T
|
|
* requested_addr: addr, log=T, optional=T
|
|
* server_addr: addr, log=T, optional=T
|
|
* server_message: string, log=T, optional=T
|
|
* server_port: port, log=F, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* uids: set[string], log=T, optional=F
|
|
}
|
|
* dnp3: record DNP3::Info, log=F, optional=T
|
|
DNP3::Info {
|
|
* fc_reply: string, log=T, optional=T
|
|
* fc_request: string, log=T, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* iin: count, log=T, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
}
|
|
* dns: record DNS::Info, log=F, optional=T
|
|
DNS::Info {
|
|
* AA: bool, log=T, optional=T
|
|
* RA: bool, log=T, optional=T
|
|
* RD: bool, log=T, optional=T
|
|
* TC: bool, log=T, optional=T
|
|
* TTLs: vector of interval, log=T, optional=T
|
|
* Z: count, log=T, optional=T
|
|
* answers: vector of string, log=T, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* proto: enum transport_proto, log=T, optional=F
|
|
* qclass: count, log=T, optional=T
|
|
* qclass_name: string, log=T, optional=T
|
|
* qtype: count, log=T, optional=T
|
|
* qtype_name: string, log=T, optional=T
|
|
* query: string, log=T, optional=T
|
|
* rcode: count, log=T, optional=T
|
|
* rcode_name: string, log=T, optional=T
|
|
* rejected: bool, log=T, optional=T
|
|
* rtt: interval, log=T, optional=T
|
|
* saw_query: bool, log=F, optional=T
|
|
* saw_reply: bool, log=F, optional=T
|
|
* total_answers: count, log=F, optional=T
|
|
* total_replies: count, log=F, optional=T
|
|
* trans_id: count, log=T, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
}
|
|
* dns_state: record DNS::State, log=F, optional=T
|
|
DNS::State {
|
|
* pending_queries: table[count] of record Queue::Queue, log=F, optional=T
|
|
Queue::Queue {
|
|
* bottom: count, log=F, optional=T
|
|
* initialized: bool, log=F, optional=T
|
|
* settings: record Queue::Settings, log=F, optional=T
|
|
Queue::Settings {
|
|
* max_len: count, log=F, optional=T
|
|
}
|
|
* size: count, log=F, optional=T
|
|
* top: count, log=F, optional=T
|
|
* vals: table[count] of any, log=F, optional=T
|
|
}
|
|
* pending_query: record DNS::Info, log=F, optional=T
|
|
DNS::Info { ... }
|
|
* pending_replies: table[count] of record Queue::Queue, log=F, optional=T
|
|
Queue::Queue { ... }
|
|
}
|
|
* dpd: record DPD::Info, log=F, optional=T
|
|
DPD::Info {
|
|
* analyzer: string, log=T, optional=F
|
|
* failure_reason: string, log=T, optional=F
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* proto: enum transport_proto, log=T, optional=F
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
}
|
|
* duration: interval, log=F, optional=F
|
|
* extract_orig: bool, log=F, optional=T
|
|
* extract_resp: bool, log=F, optional=T
|
|
* ftp: record FTP::Info, log=F, optional=T
|
|
FTP::Info {
|
|
* arg: string, log=T, optional=T
|
|
* capture_password: bool, log=F, optional=T
|
|
* cmdarg: record FTP::CmdArg, log=F, optional=T
|
|
FTP::CmdArg {
|
|
* arg: string, log=F, optional=T
|
|
* cmd: string, log=F, optional=T
|
|
* cwd_consumed: bool, log=F, optional=T
|
|
* seq: count, log=F, optional=T
|
|
* ts: time, log=F, optional=F
|
|
}
|
|
* command: string, log=T, optional=T
|
|
* command_seq: count, log=F, optional=T
|
|
* cwd: string, log=F, optional=T
|
|
* data_channel: record FTP::ExpectedDataChannel, log=T, optional=T
|
|
FTP::ExpectedDataChannel {
|
|
* orig_h: addr, log=T, optional=F
|
|
* passive: bool, log=T, optional=F
|
|
* resp_h: addr, log=T, optional=F
|
|
* resp_p: port, log=T, optional=F
|
|
}
|
|
* file_size: count, log=T, optional=T
|
|
* fuid: string, log=T, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* last_auth_requested: string, log=F, optional=T
|
|
* mime_type: string, log=T, optional=T
|
|
* passive: bool, log=F, optional=T
|
|
* password: string, log=T, optional=T
|
|
* pending_commands: table[count] of record FTP::CmdArg, log=F, optional=F
|
|
FTP::CmdArg { ... }
|
|
* reply_code: count, log=T, optional=T
|
|
* reply_msg: string, log=T, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
* user: string, log=T, optional=T
|
|
}
|
|
* ftp_data_reuse: bool, log=F, optional=T
|
|
* history: string, log=F, optional=F
|
|
* http: record HTTP::Info, log=F, optional=T
|
|
HTTP::Info {
|
|
* capture_password: bool, log=F, optional=T
|
|
* current_entity: record HTTP::Entity, log=F, optional=T
|
|
HTTP::Entity {
|
|
* filename: string, log=F, optional=T
|
|
}
|
|
* host: string, log=T, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* info_code: count, log=T, optional=T
|
|
* info_msg: string, log=T, optional=T
|
|
* method: string, log=T, optional=T
|
|
* orig_filenames: vector of string, log=T, optional=T
|
|
* orig_fuids: vector of string, log=T, optional=T
|
|
* orig_mime_depth: count, log=F, optional=T
|
|
* orig_mime_types: vector of string, log=T, optional=T
|
|
* origin: string, log=T, optional=T
|
|
* password: string, log=T, optional=T
|
|
* proxied: set[string], log=T, optional=T
|
|
* range_request: bool, log=F, optional=T
|
|
* referrer: string, log=T, optional=T
|
|
* request_body_len: count, log=T, optional=T
|
|
* resp_filenames: vector of string, log=T, optional=T
|
|
* resp_fuids: vector of string, log=T, optional=T
|
|
* resp_mime_depth: count, log=F, optional=T
|
|
* resp_mime_types: vector of string, log=T, optional=T
|
|
* response_body_len: count, log=T, optional=T
|
|
* status_code: count, log=T, optional=T
|
|
* status_msg: string, log=T, optional=T
|
|
* tags: set[enum HTTP::Tags], log=T, optional=F
|
|
* trans_depth: count, log=T, optional=F
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
* uri: string, log=T, optional=T
|
|
* user_agent: string, log=T, optional=T
|
|
* username: string, log=T, optional=T
|
|
* version: string, log=T, optional=T
|
|
}
|
|
* http_state: record HTTP::State, log=F, optional=T
|
|
HTTP::State {
|
|
* current_request: count, log=F, optional=T
|
|
* current_response: count, log=F, optional=T
|
|
* pending: table[count] of record HTTP::Info, log=F, optional=F
|
|
HTTP::Info { ... }
|
|
* trans_depth: count, log=F, optional=T
|
|
}
|
|
* id: record conn_id, log=F, optional=F
|
|
conn_id { ... }
|
|
* inner_vlan: int, log=F, optional=T
|
|
* irc: record IRC::Info, log=F, optional=T
|
|
IRC::Info {
|
|
* addl: string, log=T, optional=T
|
|
* command: string, log=T, optional=T
|
|
* dcc_file_name: string, log=T, optional=T
|
|
* dcc_file_size: count, log=T, optional=T
|
|
* dcc_mime_type: string, log=T, optional=T
|
|
* fuid: string, log=T, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* nick: string, log=T, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
* user: string, log=T, optional=T
|
|
* value: string, log=T, optional=T
|
|
}
|
|
* krb: record KRB::Info, log=F, optional=T
|
|
KRB::Info {
|
|
* cipher: string, log=T, optional=T
|
|
* client: string, log=T, optional=T
|
|
* client_cert: record Files::Info, log=F, optional=T
|
|
Files::Info {
|
|
* analyzers: set[string], log=T, optional=T
|
|
* depth: count, log=T, optional=T
|
|
* duration: interval, log=T, optional=T
|
|
* extracted: string, log=T, optional=T
|
|
* extracted_cutoff: bool, log=T, optional=T
|
|
* extracted_size: count, log=T, optional=T
|
|
* filename: string, log=T, optional=T
|
|
* fuid: string, log=T, optional=F
|
|
* id: record conn_id, log=T, optional=T
|
|
conn_id { ... }
|
|
* is_orig: bool, log=T, optional=T
|
|
* local_orig: bool, log=T, optional=T
|
|
* md5: string, log=T, optional=T
|
|
* mime_type: string, log=T, optional=T
|
|
* missing_bytes: count, log=T, optional=T
|
|
* overflow_bytes: count, log=T, optional=T
|
|
* parent_fuid: string, log=T, optional=T
|
|
* seen_bytes: count, log=T, optional=T
|
|
* sha1: string, log=T, optional=T
|
|
* sha256: string, log=T, optional=T
|
|
* source: string, log=T, optional=T
|
|
* timedout: bool, log=T, optional=T
|
|
* total_bytes: count, log=T, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=T
|
|
* x509: record X509::Info, log=F, optional=T
|
|
X509::Info {
|
|
* basic_constraints: record X509::BasicConstraints, log=T, optional=T
|
|
X509::BasicConstraints {
|
|
* ca: bool, log=T, optional=F
|
|
* path_len: count, log=T, optional=T
|
|
}
|
|
* certificate: record X509::Certificate, log=T, optional=F
|
|
X509::Certificate {
|
|
* cn: string, log=F, optional=T
|
|
* curve: string, log=T, optional=T
|
|
* exponent: string, log=T, optional=T
|
|
* issuer: string, log=T, optional=F
|
|
* key_alg: string, log=T, optional=F
|
|
* key_length: count, log=T, optional=T
|
|
* key_type: string, log=T, optional=T
|
|
* not_valid_after: time, log=T, optional=F
|
|
* not_valid_before: time, log=T, optional=F
|
|
* serial: string, log=T, optional=F
|
|
* sig_alg: string, log=T, optional=F
|
|
* subject: string, log=T, optional=F
|
|
* tbs_sig_alg: string, log=F, optional=F
|
|
* version: count, log=T, optional=F
|
|
}
|
|
* client_cert: bool, log=T, optional=T
|
|
* deduplication_index: record X509::LogCertHash, log=F, optional=T
|
|
X509::LogCertHash {
|
|
* client_cert: bool, log=F, optional=F
|
|
* fingerprint: string, log=F, optional=F
|
|
* host_cert: bool, log=F, optional=F
|
|
}
|
|
* extensions: vector of record X509::Extension, log=F, optional=T
|
|
X509::Extension {
|
|
* critical: bool, log=F, optional=F
|
|
* name: string, log=F, optional=F
|
|
* oid: string, log=F, optional=F
|
|
* short_name: string, log=F, optional=T
|
|
* value: string, log=F, optional=F
|
|
}
|
|
* extensions_cache: vector of any, log=F, optional=T
|
|
* fingerprint: string, log=T, optional=F
|
|
* handle: opaque, log=F, optional=F
|
|
* host_cert: bool, log=T, optional=T
|
|
* san: record X509::SubjectAlternativeName, log=T, optional=T
|
|
X509::SubjectAlternativeName {
|
|
* dns: vector of string, log=T, optional=T
|
|
* email: vector of string, log=T, optional=T
|
|
* ip: vector of addr, log=T, optional=T
|
|
* other_fields: bool, log=F, optional=F
|
|
* uri: vector of string, log=T, optional=T
|
|
}
|
|
* ts: time, log=T, optional=F
|
|
}
|
|
}
|
|
* client_cert_fuid: string, log=T, optional=T
|
|
* client_cert_subject: string, log=T, optional=T
|
|
* error_code: count, log=F, optional=T
|
|
* error_msg: string, log=T, optional=T
|
|
* forwardable: bool, log=T, optional=T
|
|
* from: time, log=T, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* logged: bool, log=F, optional=T
|
|
* renewable: bool, log=T, optional=T
|
|
* request_type: string, log=T, optional=T
|
|
* server_cert: record Files::Info, log=F, optional=T
|
|
Files::Info { ... }
|
|
* server_cert_fuid: string, log=T, optional=T
|
|
* server_cert_subject: string, log=T, optional=T
|
|
* service: string, log=T, optional=T
|
|
* success: bool, log=T, optional=T
|
|
* till: time, log=T, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
}
|
|
* ldap: record LDAP::State, log=F, optional=T
|
|
LDAP::State {
|
|
* messages: table[int] of record LDAP::MessageInfo, log=F, optional=T
|
|
LDAP::MessageInfo {
|
|
* argument: string, log=T, optional=T
|
|
* diagnostic_message: string, log=T, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* message_id: int, log=T, optional=T
|
|
* object: string, log=T, optional=T
|
|
* opcode: string, log=T, optional=T
|
|
* result: string, log=T, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
* version: int, log=T, optional=T
|
|
}
|
|
* searches: table[int] of record LDAP::SearchInfo, log=F, optional=T
|
|
LDAP::SearchInfo {
|
|
* attributes: vector of string, log=T, optional=T
|
|
* base_object: string, log=T, optional=T
|
|
* deref_aliases: string, log=T, optional=T
|
|
* diagnostic_message: string, log=T, optional=T
|
|
* filter: string, log=T, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* message_id: int, log=T, optional=T
|
|
* result: string, log=T, optional=T
|
|
* result_count: count, log=T, optional=T
|
|
* scope: string, log=T, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
}
|
|
}
|
|
* modbus: record Modbus::Info, log=F, optional=T
|
|
Modbus::Info {
|
|
* exception: string, log=T, optional=T
|
|
* func: string, log=T, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* pdu_type: string, log=T, optional=T
|
|
* tid: count, log=T, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
* unit: count, log=T, optional=T
|
|
}
|
|
* mqtt: record MQTT::ConnectInfo, log=F, optional=T
|
|
MQTT::ConnectInfo {
|
|
* client_id: string, log=T, optional=T
|
|
* connect_status: string, log=T, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* proto_name: string, log=T, optional=T
|
|
* proto_version: string, log=T, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
* will_payload: string, log=T, optional=T
|
|
* will_topic: string, log=T, optional=T
|
|
}
|
|
* mqtt_state: record MQTT::State, log=F, optional=T
|
|
MQTT::State {
|
|
* publish: table[count] of record MQTT::PublishInfo, log=F, optional=T
|
|
MQTT::PublishInfo {
|
|
* ack: bool, log=F, optional=T
|
|
* comp: bool, log=F, optional=T
|
|
* from_client: bool, log=T, optional=F
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* payload: string, log=T, optional=F
|
|
* payload_len: count, log=T, optional=F
|
|
* qos: string, log=T, optional=F
|
|
* qos_level: count, log=F, optional=T
|
|
* rec: bool, log=F, optional=T
|
|
* rel: bool, log=F, optional=T
|
|
* retain: bool, log=T, optional=F
|
|
* status: string, log=T, optional=T
|
|
* topic: string, log=T, optional=F
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
}
|
|
* subscribe: table[count] of record MQTT::SubscribeInfo, log=F, optional=T
|
|
MQTT::SubscribeInfo {
|
|
* ack: bool, log=T, optional=T
|
|
* action: enum MQTT::SubUnsub, log=T, optional=F
|
|
* granted_qos_level: count, log=T, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* qos_levels: vector of count, log=T, optional=T
|
|
* topics: vector of string, log=T, optional=F
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
}
|
|
}
|
|
* mysql: record MySQL::Info, log=F, optional=T
|
|
MySQL::Info {
|
|
* arg: string, log=T, optional=F
|
|
* cmd: string, log=T, optional=F
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* response: string, log=T, optional=T
|
|
* rows: count, log=T, optional=T
|
|
* success: bool, log=T, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
}
|
|
* ntlm: record NTLM::Info, log=F, optional=T
|
|
NTLM::Info {
|
|
* domainname: string, log=T, optional=T
|
|
* done: bool, log=F, optional=T
|
|
* hostname: string, log=T, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* server_dns_computer_name: string, log=T, optional=T
|
|
* server_nb_computer_name: string, log=T, optional=T
|
|
* server_tree_name: string, log=T, optional=T
|
|
* success: bool, log=T, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
* username: string, log=T, optional=T
|
|
}
|
|
* ntp: record NTP::Info, log=F, optional=T
|
|
NTP::Info {
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* mode: count, log=T, optional=F
|
|
* num_exts: count, log=T, optional=T
|
|
* org_time: time, log=T, optional=F
|
|
* poll: interval, log=T, optional=F
|
|
* precision: interval, log=T, optional=F
|
|
* rec_time: time, log=T, optional=F
|
|
* ref_id: string, log=T, optional=F
|
|
* ref_time: time, log=T, optional=F
|
|
* root_delay: interval, log=T, optional=F
|
|
* root_disp: interval, log=T, optional=F
|
|
* stratum: count, log=T, optional=F
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
* version: count, log=T, optional=F
|
|
* xmt_time: time, log=T, optional=F
|
|
}
|
|
* orig: record endpoint, log=F, optional=F
|
|
endpoint {
|
|
* flow_label: count, log=F, optional=F
|
|
* l2_addr: string, log=F, optional=T
|
|
* num_bytes_ip: count, log=F, optional=T
|
|
* num_pkts: count, log=F, optional=T
|
|
* size: count, log=F, optional=F
|
|
* state: count, log=F, optional=F
|
|
}
|
|
* postgresql: record PostgreSQL::Info, log=F, optional=T
|
|
PostgreSQL::Info {
|
|
* application_name: string, log=T, optional=T
|
|
* backend: string, log=T, optional=T
|
|
* backend_arg: string, log=T, optional=T
|
|
* database: string, log=T, optional=T
|
|
* frontend: string, log=T, optional=T
|
|
* frontend_arg: string, log=T, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* rows: count, log=T, optional=T
|
|
* success: bool, log=T, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
* user: string, log=T, optional=T
|
|
}
|
|
* postgresql_state: record PostgreSQL::State, log=F, optional=T
|
|
PostgreSQL::State {
|
|
* application_name: string, log=F, optional=T
|
|
* database: string, log=F, optional=T
|
|
* errors: vector of string, log=F, optional=F
|
|
* rows: count, log=F, optional=T
|
|
* user: string, log=F, optional=T
|
|
* version: record PostgreSQL::Version, log=F, optional=T
|
|
PostgreSQL::Version {
|
|
* major: count, log=F, optional=F
|
|
* minor: count, log=F, optional=F
|
|
}
|
|
}
|
|
* quic: record QUIC::Info, log=F, optional=T
|
|
QUIC::Info {
|
|
* client_initial_dcid: string, log=T, optional=T
|
|
* client_protocol: string, log=T, optional=T
|
|
* client_scid: string, log=T, optional=T
|
|
* history: string, log=T, optional=T
|
|
* history_state: vector of string, log=F, optional=F
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* logged: bool, log=F, optional=T
|
|
* server_name: string, log=T, optional=T
|
|
* server_scid: string, log=T, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
* version: string, log=T, optional=F
|
|
}
|
|
* radius: record RADIUS::Info, log=F, optional=T
|
|
RADIUS::Info {
|
|
* connect_info: string, log=T, optional=T
|
|
* framed_addr: addr, log=T, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* logged: bool, log=F, optional=T
|
|
* mac: string, log=T, optional=T
|
|
* reply_msg: string, log=T, optional=T
|
|
* result: string, log=T, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* ttl: interval, log=T, optional=T
|
|
* tunnel_client: string, log=T, optional=T
|
|
* uid: string, log=T, optional=F
|
|
* username: string, log=T, optional=T
|
|
}
|
|
* rdp: record RDP::Info, log=F, optional=T
|
|
RDP::Info {
|
|
* analyzer_id: count, log=F, optional=T
|
|
* cert_count: count, log=T, optional=T
|
|
* cert_permanent: bool, log=T, optional=T
|
|
* cert_type: string, log=T, optional=T
|
|
* client_build: string, log=T, optional=T
|
|
* client_channels: vector of string, log=T, optional=T
|
|
* client_dig_product_id: string, log=T, optional=T
|
|
* client_name: string, log=T, optional=T
|
|
* cookie: string, log=T, optional=T
|
|
* desktop_height: count, log=T, optional=T
|
|
* desktop_width: count, log=T, optional=T
|
|
* done: bool, log=F, optional=T
|
|
* encryption_level: string, log=T, optional=T
|
|
* encryption_method: string, log=T, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* keyboard_layout: string, log=T, optional=T
|
|
* requested_color_depth: string, log=T, optional=T
|
|
* result: string, log=T, optional=T
|
|
* security_protocol: string, log=T, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
}
|
|
* removal_hooks: set[func], log=F, optional=T
|
|
* resp: record endpoint, log=F, optional=F
|
|
endpoint { ... }
|
|
* rfb: record RFB::Info, log=F, optional=T
|
|
RFB::Info {
|
|
* auth: bool, log=T, optional=T
|
|
* authentication_method: string, log=T, optional=T
|
|
* client_major_version: string, log=T, optional=T
|
|
* client_minor_version: string, log=T, optional=T
|
|
* desktop_name: string, log=T, optional=T
|
|
* done: bool, log=F, optional=T
|
|
* height: count, log=T, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* server_major_version: string, log=T, optional=T
|
|
* server_minor_version: string, log=T, optional=T
|
|
* share_flag: bool, log=T, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
* width: count, log=T, optional=T
|
|
}
|
|
* service: set[string], log=F, optional=F
|
|
* service_violation: set[string], log=F, optional=T
|
|
* sip: record SIP::Info, log=F, optional=T
|
|
SIP::Info {
|
|
* call_id: string, log=T, optional=T
|
|
* content_type: string, log=T, optional=T
|
|
* date: string, log=T, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* method: string, log=T, optional=T
|
|
* reply_to: string, log=T, optional=T
|
|
* request_body_len: count, log=T, optional=T
|
|
* request_from: string, log=T, optional=T
|
|
* request_path: vector of string, log=T, optional=T
|
|
* request_to: string, log=T, optional=T
|
|
* response_body_len: count, log=T, optional=T
|
|
* response_from: string, log=T, optional=T
|
|
* response_path: vector of string, log=T, optional=T
|
|
* response_to: string, log=T, optional=T
|
|
* seq: string, log=T, optional=T
|
|
* status_code: count, log=T, optional=T
|
|
* status_msg: string, log=T, optional=T
|
|
* subject: string, log=T, optional=T
|
|
* trans_depth: count, log=T, optional=F
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
* uri: string, log=T, optional=T
|
|
* user_agent: string, log=T, optional=T
|
|
* warning: string, log=T, optional=T
|
|
}
|
|
* sip_state: record SIP::State, log=F, optional=T
|
|
SIP::State {
|
|
* current_request: count, log=F, optional=T
|
|
* current_response: count, log=F, optional=T
|
|
* pending: table[count] of record SIP::Info, log=F, optional=F
|
|
SIP::Info { ... }
|
|
}
|
|
* smb_state: record SMB::State, log=F, optional=T
|
|
SMB::State {
|
|
* current_cmd: record SMB::CmdInfo, log=F, optional=T
|
|
SMB::CmdInfo {
|
|
* argument: string, log=T, optional=T
|
|
* command: string, log=T, optional=F
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* referenced_file: record SMB::FileInfo, log=T, optional=T
|
|
SMB::FileInfo {
|
|
* action: enum SMB::Action, log=T, optional=T
|
|
* fid: count, log=F, optional=T
|
|
* fuid: string, log=T, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* name: string, log=T, optional=T
|
|
* path: string, log=T, optional=T
|
|
* prev_name: string, log=T, optional=T
|
|
* size: count, log=T, optional=T
|
|
* times: record SMB::MACTimes, log=T, optional=T
|
|
SMB::MACTimes {
|
|
* accessed: time, log=T, optional=F
|
|
* accessed_raw: count, log=F, optional=F
|
|
* changed: time, log=T, optional=F
|
|
* changed_raw: count, log=F, optional=F
|
|
* created: time, log=T, optional=F
|
|
* created_raw: count, log=F, optional=F
|
|
* modified: time, log=T, optional=F
|
|
* modified_raw: count, log=F, optional=F
|
|
}
|
|
* ts: time, log=T, optional=T
|
|
* uid: string, log=T, optional=F
|
|
* uuid: string, log=F, optional=T
|
|
}
|
|
* referenced_tree: record SMB::TreeInfo, log=F, optional=T
|
|
SMB::TreeInfo {
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* native_file_system: string, log=T, optional=T
|
|
* path: string, log=T, optional=T
|
|
* service: string, log=T, optional=T
|
|
* share_type: string, log=T, optional=T
|
|
* ts: time, log=T, optional=T
|
|
* uid: string, log=T, optional=F
|
|
}
|
|
* rtt: interval, log=T, optional=T
|
|
* smb1_offered_dialects: vector of string, log=F, optional=T
|
|
* smb2_create_options: count, log=F, optional=T
|
|
* smb2_offered_dialects: vector of count, log=F, optional=T
|
|
* status: string, log=T, optional=T
|
|
* sub_command: string, log=T, optional=T
|
|
* tree: string, log=T, optional=T
|
|
* tree_service: string, log=T, optional=T
|
|
* ts: time, log=T, optional=T
|
|
* uid: string, log=T, optional=F
|
|
* username: string, log=T, optional=T
|
|
* version: string, log=T, optional=F
|
|
}
|
|
* current_file: record SMB::FileInfo, log=F, optional=T
|
|
SMB::FileInfo { ... }
|
|
* current_tree: record SMB::TreeInfo, log=F, optional=T
|
|
SMB::TreeInfo { ... }
|
|
* fid_map: table[count] of record SMB::FileInfo, log=F, optional=T
|
|
SMB::FileInfo { ... }
|
|
* pending_cmds: table[count] of record SMB::CmdInfo, log=F, optional=T
|
|
SMB::CmdInfo { ... }
|
|
* pipe_map: table[count] of string, log=F, optional=T
|
|
* recent_files: set[string], log=F, optional=T
|
|
* tid_map: table[count] of record SMB::TreeInfo, log=F, optional=T
|
|
SMB::TreeInfo { ... }
|
|
}
|
|
* smtp: record SMTP::Info, log=F, optional=T
|
|
SMTP::Info {
|
|
* cc: set[string], log=T, optional=T
|
|
* date: string, log=T, optional=T
|
|
* entity: record SMTP::Entity, log=F, optional=T
|
|
SMTP::Entity {
|
|
* filename: string, log=F, optional=T
|
|
}
|
|
* entity_count: count, log=F, optional=T
|
|
* first_received: string, log=T, optional=T
|
|
* from: string, log=T, optional=T
|
|
* fuids: vector of string, log=T, optional=T
|
|
* has_client_activity: bool, log=F, optional=T
|
|
* helo: string, log=T, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* in_reply_to: string, log=T, optional=T
|
|
* last_reply: string, log=T, optional=T
|
|
* mailfrom: string, log=T, optional=T
|
|
* msg_id: string, log=T, optional=T
|
|
* path: vector of addr, log=T, optional=T
|
|
* process_received_from: bool, log=F, optional=T
|
|
* process_smtp_headers: bool, log=F, optional=T
|
|
* rcptto: set[string], log=T, optional=T
|
|
* reply_to: string, log=T, optional=T
|
|
* second_received: string, log=T, optional=T
|
|
* subject: string, log=T, optional=T
|
|
* tls: bool, log=T, optional=T
|
|
* to: set[string], log=T, optional=T
|
|
* trans_depth: count, log=T, optional=F
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
* user_agent: string, log=T, optional=T
|
|
* x_originating_ip: addr, log=T, optional=T
|
|
}
|
|
* smtp_state: record SMTP::State, log=F, optional=T
|
|
SMTP::State {
|
|
* analyzer_id: count, log=F, optional=T
|
|
* helo: string, log=F, optional=T
|
|
* invalid_transactions: count, log=F, optional=T
|
|
* messages_transferred: count, log=F, optional=T
|
|
* mime_depth: count, log=F, optional=T
|
|
* pending_messages: set[record SMTP::Info], log=F, optional=T
|
|
SMTP::Info] {
|
|
}
|
|
* trans_mail_from_seen: bool, log=F, optional=T
|
|
* trans_rcpt_to_seen: bool, log=F, optional=T
|
|
}
|
|
* snmp: record SNMP::Info, log=F, optional=T
|
|
SNMP::Info {
|
|
* community: string, log=T, optional=T
|
|
* display_string: string, log=T, optional=T
|
|
* duration: interval, log=T, optional=T
|
|
* get_bulk_requests: count, log=T, optional=T
|
|
* get_requests: count, log=T, optional=T
|
|
* get_responses: count, log=T, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* set_requests: count, log=T, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
* up_since: time, log=T, optional=T
|
|
* version: string, log=T, optional=F
|
|
}
|
|
* socks: record SOCKS::Info, log=F, optional=T
|
|
SOCKS::Info {
|
|
* bound: record SOCKS::Address, log=T, optional=T
|
|
SOCKS::Address {
|
|
* host: addr, log=T, optional=T
|
|
* name: string, log=T, optional=T
|
|
}
|
|
* bound_p: port, log=T, optional=T
|
|
* capture_password: bool, log=F, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* password: string, log=T, optional=T
|
|
* request: record SOCKS::Address, log=T, optional=T
|
|
SOCKS::Address { ... }
|
|
* request_p: port, log=T, optional=T
|
|
* status: string, log=T, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
* user: string, log=T, optional=T
|
|
* version: count, log=T, optional=F
|
|
}
|
|
* ssh: record SSH::Info, log=F, optional=T
|
|
SSH::Info {
|
|
* analyzer_id: count, log=F, optional=T
|
|
* auth_attempts: count, log=T, optional=T
|
|
* auth_success: bool, log=T, optional=T
|
|
* capabilities: record SSH::Capabilities, log=F, optional=T
|
|
SSH::Capabilities {
|
|
* compression_algorithms: record SSH::Algorithm_Prefs, log=F, optional=F
|
|
SSH::Algorithm_Prefs {
|
|
* client_to_server: vector of string, log=F, optional=T
|
|
* server_to_client: vector of string, log=F, optional=T
|
|
}
|
|
* encryption_algorithms: record SSH::Algorithm_Prefs, log=F, optional=F
|
|
SSH::Algorithm_Prefs { ... }
|
|
* is_server: bool, log=F, optional=F
|
|
* kex_algorithms: vector of string, log=F, optional=F
|
|
* languages: record SSH::Algorithm_Prefs, log=F, optional=T
|
|
SSH::Algorithm_Prefs { ... }
|
|
* mac_algorithms: record SSH::Algorithm_Prefs, log=F, optional=F
|
|
SSH::Algorithm_Prefs { ... }
|
|
* server_host_key_algorithms: vector of string, log=F, optional=F
|
|
}
|
|
* cipher_alg: string, log=T, optional=T
|
|
* client: string, log=T, optional=T
|
|
* compression_alg: string, log=T, optional=T
|
|
* direction: enum Direction, log=T, optional=T
|
|
* host_key: string, log=T, optional=T
|
|
* host_key_alg: string, log=T, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* kex_alg: string, log=T, optional=T
|
|
* logged: bool, log=F, optional=T
|
|
* mac_alg: string, log=T, optional=T
|
|
* server: string, log=T, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
* version: count, log=T, optional=T
|
|
}
|
|
* ssl: record SSL::Info, log=F, optional=T
|
|
SSL::Info {
|
|
* analyzer_id: count, log=F, optional=T
|
|
* cert_chain: vector of record Files::Info, log=F, optional=T
|
|
Files::Info { ... }
|
|
* cert_chain_fps: vector of string, log=T, optional=T
|
|
* cipher: string, log=T, optional=T
|
|
* client_cert_chain: vector of record Files::Info, log=F, optional=T
|
|
Files::Info { ... }
|
|
* client_cert_chain_fps: vector of string, log=T, optional=T
|
|
* client_depth: count, log=F, optional=T
|
|
* client_issuer: string, log=T, optional=T
|
|
* client_key_exchange_seen: bool, log=F, optional=T
|
|
* client_psk_seen: bool, log=F, optional=T
|
|
* client_subject: string, log=T, optional=T
|
|
* client_ticket_empty_session_seen: bool, log=F, optional=T
|
|
* curve: string, log=T, optional=T
|
|
* delay_tokens: set[string], log=F, optional=T
|
|
* established: bool, log=T, optional=T
|
|
* hrr_seen: bool, log=F, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* issuer: string, log=T, optional=T
|
|
* last_alert: string, log=T, optional=T
|
|
* logged: bool, log=F, optional=T
|
|
* next_protocol: string, log=T, optional=T
|
|
* resumed: bool, log=T, optional=T
|
|
* server_depth: count, log=F, optional=T
|
|
* server_name: string, log=T, optional=T
|
|
* session_id: string, log=F, optional=T
|
|
* sni_matches_cert: bool, log=T, optional=T
|
|
* ssl_history: string, log=T, optional=T
|
|
* subject: string, log=T, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
* version: string, log=T, optional=T
|
|
* version_num: count, log=F, optional=T
|
|
}
|
|
* start_time: time, log=F, optional=F
|
|
* syslog: record Syslog::Info, log=F, optional=T
|
|
Syslog::Info {
|
|
* facility: string, log=T, optional=F
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* message: string, log=T, optional=F
|
|
* proto: enum transport_proto, log=T, optional=F
|
|
* severity: string, log=T, optional=F
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
}
|
|
* thresholds: record ConnThreshold::Thresholds, log=F, optional=T
|
|
ConnThreshold::Thresholds {
|
|
* duration: set[interval], log=F, optional=T
|
|
* orig_byte: set[count], log=F, optional=T
|
|
* orig_packet: set[count], log=F, optional=T
|
|
* resp_byte: set[count], log=F, optional=T
|
|
* resp_packet: set[count], log=F, optional=T
|
|
}
|
|
* tunnel: vector of record Tunnel::EncapsulatingConn, log=F, optional=T
|
|
Tunnel::EncapsulatingConn {
|
|
* cid: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* tunnel_type: enum Tunnel::Type, log=T, optional=F
|
|
* uid: string, log=T, optional=T
|
|
}
|
|
* uid: string, log=F, optional=F
|
|
* vlan: int, log=F, optional=T
|
|
* websocket: record WebSocket::Info, log=F, optional=T
|
|
WebSocket::Info {
|
|
* client_extensions: vector of string, log=T, optional=T
|
|
* client_key: string, log=F, optional=T
|
|
* client_protocols: vector of string, log=T, optional=T
|
|
* host: string, log=T, optional=T
|
|
* id: record conn_id, log=T, optional=F
|
|
conn_id { ... }
|
|
* server_accept: string, log=F, optional=T
|
|
* server_extensions: vector of string, log=T, optional=T
|
|
* subprotocol: string, log=T, optional=T
|
|
* ts: time, log=T, optional=F
|
|
* uid: string, log=T, optional=F
|
|
* uri: string, log=T, optional=T
|
|
* user_agent: string, log=T, optional=T
|
|
}
|
|
}
|