Zeek Documentation

Important

Make sure to read the appropriate documentation version.

The purpose of this document is to assist the Zeek community with implementing Zeek in their environments. The document includes material on Zeek’s unique capabilities, how to install it, how to interpret the default logs that Zeek generates, and how to modify Zeek to fit your needs. The document is the result of a volunteer community effort. If you would like to contribute, or want more information, please visit the Zeek web page for details on how to connect with the community.

About Zeek

What Is Zeek?

Zeek is a passive, open-source network traffic analyzer. Many operators use Zeek as a network security monitor (NSM) to support investigations of suspicious or malicious activity. Zeek also supports a wide range of traffic analysis tasks beyond the security domain, including performance measurement and troubleshooting.

The first benefit a new user derives from Zeek is the extensive set of logs describing network activity. These logs include not only a comprehensive record of every connection seen on the wire, but also application-layer transcripts. These include all HTTP sessions with their requested URIs, key headers, MIME types, and server responses; DNS requests with replies; SSL certificates; key content of SMTP sessions; and much more. By default, Zeek writes all this information into well-structured tab-separated or JSON log files suitable for post-processing with external software. Users can also choose to have external databases or SIEM products consume, store, process, and present the data for querying.

In addition to the logs, Zeek comes with built-in functionality for a range of analysis and detection tasks, including extracting files from HTTP sessions, detecting malware by interfacing to external registries, reporting vulnerable versions of software seen on the network, identifying popular web applications, detecting SSH brute-forcing, validating SSL certificate chains, and much more.

In addition to shipping such powerful functionality “out of the box,” Zeek is a fully customizable and extensible platform for traffic analysis. Zeek provides users a domain-specific, Turing-complete scripting language for expressing arbitrary analysis tasks. Think of the Zeek language as a “domain-specific Python” (or Perl): just like Python, the system comes with a large set of pre-built functionality (the “standard library”), yet users can also put Zeek to use in novel ways by writing custom code. Indeed, all of Zeek’s default analyses, including logging, are done via scripts; no specific analysis is hard-coded into the core of the system.

Zeek runs on commodity hardware and hence provides a low-cost alternative to expensive proprietary solutions. In many ways Zeek exceeds the capabilities of other network monitoring tools, which typically remain limited to a small set of hard-coded analysis tasks. Zeek is not a classic signature-based intrusion detection system (IDS); while it supports such standard functionality as well, Zeek’s scripting language facilitates a much broader spectrum of very different approaches to finding malicious activity. These include semantic misuse detection, anomaly detection, and behavioral analysis.

A large variety of sites deploy Zeek to protect their infrastructure, including many universities, research labs, supercomputing centers, open-science communities, major corporations, and government agencies. Zeek specifically targets high-speed, high-volume network monitoring, and an increasing number of sites are now using the system to monitor their 10GE networks, with some already moving on to 100GE links.

Zeek accommodates high-performance settings by supporting scalable load-balancing. Large sites typically run “Zeek Clusters” in which a high-speed front end load balancer distributes the traffic across an appropriate number of back end PCs, all running dedicated Zeek instances on their individual traffic slices. A central manager system coordinates the process, synchronizing state across the back ends and providing the operators with a central management interface for configuration and access to aggregated logs. Zeek’s integrated management framework, ZeekControl, supports such cluster setups out-of-the-box.

Zeek’s cluster features support single-system and multi-system setups. That’s part of Zeek’s scalability advantages. For example, administrators can scale Zeek within one system for as long as possible, and then transparently add more systems when necessary.

In brief, Zeek is optimized for interpreting network traffic and generating logs based on that traffic. It is not optimized for byte matching, and users seeking signature detection approaches would be better served by trying intrusion detection systems such as Suricata. Zeek is also not a protocol analyzer in the sense of Wireshark, seeking to depict every element of network traffic at the frame level, or a system for storing traffic in packet capture (PCAP) form. Rather, Zeek sits at the “happy medium” representing compact yet high fidelity network logs, generating better understanding of network traffic and usage.

Why Zeek?

Zeek offers many advantages for security and network teams who want to better understand how their infrastructure is being used.

Security teams generally depend upon four sorts of data sources when trying to detect and respond to suspicious and malicious activity. These include third party sources such as law enforcement, peers, and commercial or nonprofit threat intelligence organizations; network data; infrastructure and application data, including logs from cloud environments; and endpoint data. Zeek is primarily a platform for collecting and analyzing the second form of data – network data. All four are important elements of any security team’s program, however.

When looking at data derived from the network, there are four types of data available to analysts. As defined by the network security monitoring paradigm, these four data types are full content, transaction data, extracted content, and alert data. Using these data types, one can record traffic, summarize traffic, extract traffic (or perhaps more accurately, extract content in the form of files), and judge traffic, respectively.

It’s critical to collect and analyze the four types of network security monitoring data. The question becomes one of determining the best way to accomplish this goal. Thankfully, Zeek as an NSM platform enables collection of at least two, and in some ways three, of these data forms, namely transaction data, extracted content, and alert data.

Zeek is best known for its transaction data. By default, when run and told to watch a network interface, Zeek will generate a compact, high-fidelity, richly annotated set of transaction logs. These logs describe the protocols and activity seen on the wire, in a judgement-free, policy-neutral manner. This documentation will spend a considerable amount of time describing the most common Zeek log files so that readers become comfortable with the format and learn to apply them to their environment.

Zeek can also easily carve files from network traffic, thanks to its file extraction capabilities. Analysts can then send those files to execution sandboxes or other file examination tools for additional investigation. Zeek has some capability to perform classical byte-centric intrusion detection, but that job is best suited for packages like the open source Snort or Suricata engines. Zeek has other capabilities however that are capable of providing judgements in the form of alerts, through its notice mechanism.

Zeek is not optimized for writing traffic to disk in the spirit of a full content data collection, and that task is best handled by software written to fulfill that requirement.

Beyond the forms of network data that Zeek can natively collect and generate, Zeek has advantages that appeared in the What Is Zeek? section. These include its built-in functionality for a range of analysis and detection tasks, and its status as a fully customizable and extensible platform for traffic analysis. Zeek is also attractive because of its ability to run on commodity hardware, giving users of all types the ability to at least try Zeek in a low-cost manner.

History

Zeek has a rich history stretching back to the 1990s. Vern Paxson designed and implemented the initial version in 1995 as a researcher at the Lawrence Berkeley National Laboratory (LBNL). The original software was called “Bro,” as an “Orwellian reminder that monitoring comes hand in hand with the potential for privacy violations”.

LBNL first deployed Zeek in 1996, and the USENIX Security Symposium published Vern’s original paper on Zeek in 1998 and awarded it the Best Paper Award that year. He published a refined version of the paper in 1999 as Bro: A System for Detecting Network Intruders in Real-Time.

In 2003, the National Science Foundation (NSF) began supporting research and advanced development on Bro at the International Computer Science Institute (ICSI). (Vern still leads the ICSI Networking and Security group.)

Over the years, a growing team of ICSI researchers and students kept adding novel functions to Zeek, while LBNL continued its support with funding from the Department of Energy (DOE). Much of Zeek’s capabilities originate in academic research projects, with results often published at top-tier conferences. A key to Zeek’s success was the project’s ability to bridge the gap between academia and operations. This relationship helped ground research on Zeek in real-world challenges.

With a growing operational user community, the research-centric development model eventually became a bottleneck to the system’s evolution. Research grants did not support the more mundane parts of software development and maintenance. However, those elements were crucial for the end-user experience. As a result, deploying Zeek required overcoming a steep learning curve.

In 2010, NSF sought to address this challenge by awarding ICSI a grant from its Software Development for Cyberinfrastructure fund. The National Center for Supercomputing Applications (NCSA) joined the team as a core partner, and the Zeek project began to overhaul many of the user-visible parts of the system for the 2.0 release in 2012.

After Zeek 2.0, the project enjoyed tremendous growth in new deployments across a diverse range of settings, and the ongoing collaboration between ICSI (co-PI Robin Sommer) and NCSA (co-PI Adam Slagell) brought a number of important features. In 2012, Zeek added native IPv6 support, long before many enterprise networking monitoring tools. In 2013, NSF renewed its support with a second grant that established the Bro Center of Expertise at ICSI and NCSA, promoting Zeek as a comprehensive, low-cost security capability for research and education communities. To facilitate both debugging and education, try.zeek.org (formerly try.bro.org) was launched in 2014. This provided an interactive way for users to test a script with their own packet captures against a variety of Zeek versions and easily share sample code with others. For Zeek clusters and external communication, the Broker communication framework was added. Last, but not least, the Zeek package manager was created in 2016, funded by an additional grant from the Mozilla Foundation.

In the fall of 2018, the project leadership team decided to change the name of the software from Bro to Zeek. The leadership team desired a name that better reflected the values of the community while avoiding the negative connotations of so-called “bro culture” outside the computing world. The project released version 3.0 in the fall of 2019, the first release bearing the name Zeek. The year 2020 saw a renewed focus on community and growing the Zeek community, with increased interaction via social media, webinars, Slack channels, and related outreach efforts.

For a history of the project from 1995 to 2015, see Vern Paxson’s talk from BroCon 2015, Reflecting on Twenty Years of Bro.

For background on the decision to rename Bro to Zeek, see Vern Paxson’s talk from BroCon 2018, Renaming Bro.

Architecture

At a very high level, Zeek is architecturally layered into two major components. Its event engine (or core) reduces the incoming packet stream into a series of higher-level events. These events reflect network activity in policy-neutral terms, i.e., they describe what has been seen, but not why, or whether it is significant.

For example, every HTTP request on the wire turns into a corresponding http_request event that carries with it the involved IP addresses and ports, the URI being requested, and the HTTP version in use. The event however does not convey any further interpretation, such as whether that URI corresponds to a known malware site.

The event engine component comprises a number of subcomponents, including in particular the packet processing pipeline consisting of: input sources, packet analysis, session analysis, and file analysis. Input sources ingest incoming network traffic from network interfaces. Packet analysis processes lower-level protocols, starting all the way down at the link layer. Session analysis handles application-layer protocols, such as HTTP, FTP, etc. File analysis dissects the content of files transferred over sessions. The event engine provides a plugin architecture for adding any of these from outside of the core Zeek code base, allowing Zeek’s capabilities to be expanded as needed.

Semantics related to the events are derived by Zeek’s second main component, the script interpreter, which executes a set of event handlers written in Zeek’s custom scripting language. These scripts can express a site’s security policy, such as what actions to take when the monitor detects different types of activity.

More generally, scripts can derive any desired properties and statistics from the input traffic. In fact, all of Zeek’s default output comes from scripts included in the distribution. Zeek’s language comes with extensive domain-specific types and support functionality. Crucially, Zeek’s language allows scripts to maintain state over time, enabling them to track and correlate the evolution of what they observe across connection and host boundaries. Zeek scripts can generate real-time alerts and also execute arbitrary external programs on demand. One might use this functionality to trigger an active response to an attack.

Monitoring With Zeek

Detection and Response Workflow

As noted in the previous sections, Zeek is optimized, more or less “out of the box,” to provide two of the four types of network security monitoring data. Without any major configuration, Zeek offers transaction data and extracted content data, in the form of logs summarizing protocols and files seen traversing the wire. Zeek can also provide some degree of alert data in the form of notices, and analysts can modify Zeek to create custom alerts if desired. A dedicated intrusion detection engine like Suricata or Snort might be more appropriate, however. Finally, Zeek does not collect full content data in pcap format, although other open source projects do provide that functionality.

Broadly speaking, incident detection and response begins with the collection of security data, followed by its analysis. In the analysis phase, in the absence of an explicit alert of malicious activity, investigators can work two broad investigative categories: “matching” and “hunting.” Matching means querying and reviewing security data for signs of known indicators of compromise. Hunting means working without indicators of compromise, relying instead on creating a hypothesis of how adversary activity might manifest in security data. Matching is the sort of activity that can be easily automated. Hunting is an activity that is difficult to automate because it relies upon the creation of a cyber security “experiment” to yield results and often a little bit of human intuition.

In the common vernacular, some security teams believe hunting involves querying data for indicators of compromise. That is really just a search function, i.e., looking for matches of “expected bad” in collected data. True hunting involves more of a scientific method that requires formulating a hypothesis, testing the hypothesis in sample and production data, and then refining the process until it yields results or is disproved. Zeek data plays a role in both matching and hunting operations. Analysts may query a store of Zeek transaction logs for indicators of compromise, and begin a security investigation when they see a match on an IP address, a username, an HTTP user-agent string, or any one or combination of the hundreds of elements Zeek derives from network traffic. Analysts can also pose a hypothesis of how certain adversary behavior may appear in Zeek data, and then query that data for signs that prove or disprove their hypothesis.

Beyond the matching and hunting paradigms, analysts can use Zeek within an “incident detection alert” workflow. In this scenario, an IDS creates an alert that catches the attention of a security team member. Because IDS alerts are often light on details, analysts require corroborating data to decide if the alert represents normal, suspicious, or malicious activity. Analysts can “pivot” from the IDS alert to a variety of logs generated by Zeek. If the IDS alert provides the community identification (community ID) supported by Zeek, the analyst can easily tie the IDS alert to specific Zeek logs. Based on the data provided by Zeek, analysts may be able to resolve the incident. At the very least, the analyst can accelerate the alert validation and verification process by having access to data beyond the initial IDS notification.

Finally, analysts can use Zeek data to improve the validation process when prompted by any other external stimulus. For example, an analyst might notice an odd process running on a system, as reported by their endpoint detection and response (EDR) or anti-virus agent. Alternatively, an analyst might receive a report from a user or a peer involving suspicious activity on an Internet-facing Web server. In either case, the analyst with access to Zeek data can seek to learn all they can about the systems in question, simply by querying the repository storing their Zeek logs. This security design pattern has immense benefits, as it does not affect the end state of the suspicious asset. Not touching a system that may be compromised has two benefits. First, an intruder who has compromised the asset remains unaware that the security team is investigating it. Second, the forensic integrity of the asset remains intact, as the analyst is working with logs stored off-device.

Instrumentation and Collection

Zeek is designed to watch live network traffic. Although Zeek can process packet captures saved in PCAP format, most users deploy Zeek to gain near-real-time insights into network usage patterns. Administrators run Zeek by telling it to “sniff” one or more network interfaces, generating transaction logs, insights, and extracted file contents, based on the network traffic seen on those network interfaces.

Some users may choose to run Zeek on a single computer used for general computing purposes, watching network traffic to and from that single computer. That system might be an office laptop used for business purposes, chosen for experimentation with Zeek. This is a simple way to become familiar with the logs that Zeek creates. This approach is similar to running Tcpdump or Wireshark on one’s computer for the same educational purposes.

Most users, however, run Zeek on a computer selected solely for the purpose of network security monitoring. Security personnel call that computer a “sensor” and they select, configure, and deploy it specifically to watch network traffic. They select a location in an environment that offers visibility to multiple computers, and deploy the sensor with Zeek to instrument that network segment.

When choosing a place to deploy a sensor, users will likely prioritize a requirement like the following:

Identify a single location in the network to instrument with a network tap or switch span port that provides the maximum visibility. This means seeing traffic from all devices on the network, with a strong preference for identifying devices by observing them with their original source IP address.

Users new to Zeek may choose to try Zeek in their home or in a small office environment. Figure 1 depicts the standard SOHO network architecture. Letters A-D are possible monitoring locations, to be discussed below.

Figure 1: Standard SOHO Architecture

Most home users and many small office environments are connected to the Internet via customer premise equipment (CPE) provided by their Internet service provider (ISP). This box may or may not be available or visible to the customer. In the context of a system like Verizon FIOS, for example, the ISP CPE is the box attached to the outside of a residence, with a warning that only Verizon technicians should open it. For fiber connectivity, the ISP might call this device an Optical Network Terminal or ONT.

The ISP also provides a gateway device that provides routing and wireless access point (WAP) functionality. This is the piece of equipment familiar to most home and small office users. It typically has a gigabit copper Ethernet connection that connects to the ISP CPE, on its wide area network (WAN) side, and four gigabit copper Ethernet ports for devices on its local area network (LAN) side. Customer devices gain network access via WiFi to the ISP WAP or via copper Ethernet cables to the embedded switch on the same device.

On the WAN side of the router, the device usually has a public IP address provided by the ISP. This may not necessarily be the case, however. On the LAN side of the router, the device provides RFC 1918 private addresses, often in the 192.168.0.0/16 subnet. The router acts as a gateway, using network address translation (NAT), or for the more strictly minded, network port address translation (NPAT), so that client devices share a single IP address provided by the ISP. (Note that in some situations, multiple residences even share the same public IP address, and differentiate between each other via the port range. That is not considered in this document as it is extraneous to the discussion.)

Where does one monitor, given this architecture?

Location A is off limits to the customer. It is likely a cable exiting the ISP CPE and entering the ground.

Location B is a possibility, assuming the cable between the ISP CPE and router is a copper Ethernet cable. One could insert a reliable network tap (typically outside the home user’s budget) or a decent small managed switch with a span port (like a Netgear GS30Xe model).

However, and this is crucial: because of the NAT done by the router, all traffic will appear to originate from a single IP address. Whether the customer has 100 devices or 1 device, they will all share the single IP address. This reality makes it much more difficult for a security analyst to track down the originator of suspicious or malicious network traffic.

Location C is essentially not possible. Yes, there are various penetration testing tools and wireless network troubleshooting tools that can try to access WiFi traffic. However, they do not expose the traffic in a form usable to security analysts, assuming that the WiFi protocols in use are at all modern.

Location D is a possibility, assuming that the user installs a network tap or switch span port as in location B. However, monitoring only at location D would ignore WiFi traffic.

In other words, the standard SOHO network architecture is not well-suited for network security monitoring, because there isn’t a good place, by default, to see the originating IP addresses, which are generally needed to investigate suspicious and malicious activity.

In contrast, the Visible Network Architecture shown in Figure 2 depicts the sort of setup one needs if visibility is designed into the architecture, rather than added as an afterthought.

Figure 2: Visible Network Architecture

The major changes include the following:

The ISP router is no longer also acting as a WAP. The WiFi capability is disabled. No other changes are required on the router. Strictly speaking, WiFi need not be disabled, so long as no one uses it.

The customer has purchased her own router. That device may or may not also provide NAT.

The customer explicitly owns a switch, to which wired devices may connect. That switch has a span port.

The customer explicitly owns her own wireless access point, acting as a bridge, and not offering NAT.

Don’t be fooled into thinking that one need only buy a new combination router/WAP. It’s essential to split these functions. Consumer-grade customer routers do not offer span ports, which cheap consumer-grade network switches do. This architecture takes advantage of that fact in order to provide suitable monitoring locations.

Let’s review the options.

Location A is still off-limits.

Location B is still a bad idea.

Location C is a good option, if one places a network tap here, or another small switch with a span port, and neither the customer router nor customer WAP is doing NAT.

Location D is a better option. Now one need only ensure that the customer WAP is not doing NAT. In fact, one need not introduce another switch or tap here, assuming one can span the uplink port on the customer switch.

Location E would only see wired devices, and is not a good option because it ignores WiFi devices.

Location F would only see WiFi devices, and is not a good option because it ignores wired devices.

Location G is essentially impossible, as with Figure 1.

The bottom line is that location D is the best monitoring location, assuming that the customer WAP is not doing NAT. If the customer WAP is acting as a router with NAT, then all of the wireless devices will have the same source IP address as seen at location D.

In an architecture designed for visibility, introducing a network tap, or simply spanning the uplink from the network switch, at point D, satisfies the visibility requirement.

It is possible to simplify the architecture shown in Figure 2 to that which follows:

Figure 3: Simplified Visible Network Architecture

The customer router between monitoring points C and D is gone, as one can rely upon the ISP router if so desired.

In summary, one could deploy a Zeek sensor at location D, or C, if the simplified architecture is in place, as C and D are logically similar. Going forward, this document will discuss monitoring at location D.

Gaining access to traffic at point D requires either a span port to be enabled on the customer switch, or a network tap to be deployed at location D. Professional Zeek users prefer high-quality, powered network taps wherever possible, for a variety of reasons. When they are not available, as in the case of a SOHO or test environment, then a span port on a managed switch is an acceptable alternative.

Once the network tap or span port is providing network traffic to the Zeek sensor, one can turn to matters beyond instrumentation and collection.

Storage and Review

As Zeek ingests network traffic, either by monitoring one or more live network interfaces or by processing stored traffic in a capture file, it creates a variety of logs and other artifacts. By default Zeek writes that data to a storage location designated via its configuration files. Zeek possesses the capability to write the logs in several formats and perform certain log management processes like compression and archiving.

Analysts make use of Zeek data by reviewing the logs it generates. Review methods can be as simple as using text processing tools packaged with the underlying operating system. Depending on the format of the logs, users may apply more specialized processing tools, some of which are available with Zeek. In many cases, Zeek administrators ship logs to specialized storage and review applications. These are usually referred to collectively as Security and Information Event Management (SIEM) platforms. Some of these log management and SIEM platforms are available as open source offerings, while others are commercially available.
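The following is an added example, not code from the Zeek project, tying together the two workflows described above: reviewing Zeek’s default tab-separated logs with plain text-processing code, and the “matching” and IDS-alert “pivot” steps from the Detection and Response Workflow section. It parses the conn.log header format Zeek writes by default (#separator, #fields, #unset_field), runs an indicator-of-compromise match over the records, and computes Community ID v1 (the Corelight specification: SHA-1 over seed, ordered addresses, protocol, padding and ordered ports, base64-encoded with a “1:” prefix) for an IDS alert’s 5-tuple so the alert can be tied to the conn.log record carrying the same flow. The conn.log content, the uids, the addresses and the EVE-style alert are all constructed; only TCP, UDP and SCTP flows are handled (ICMP’s type/code mapping from the specification is left out by assumption).

```python
"""Reviewing Zeek TSV logs with plain Python (added example, not Zeek project code).

Parses the tab-separated conn.log format Zeek writes by default, runs an
indicator-of-compromise "match" over the records, and computes Community ID v1
for an IDS alert's 5-tuple so the alert can be pivoted to the conn.log entry
carrying the same flow. Only TCP/UDP/SCTP are handled (assumption: ICMP's
type/code mapping from the Community ID spec is left out).
"""
import base64
import hashlib
import ipaddress
import struct

# Constructed sample conn.log (abbreviated field set, made-up addresses and uids).
# Zeek emits the separator line with an escaped tab and then separates the
# remaining header lines with the separator itself.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\n"
    "1591367999.305988\tCMdzit1AMNsmfAIiQc\t192.168.4.76\t36844\t192.168.4.1\t53\tudp\tdns\t0.066852\n"
    "1591367999.430166\tC5bLoe2Mvxqhawzqqd\t192.168.4.76\t46378\t203.0.113.5\t80\ttcp\thttp\t0.254309\n"
    "1591368000.120000\tCxWv6p3arKYeMETxOg\t192.168.4.142\t50322\t198.51.100.23\t443\ttcp\tssl\t-\n"
    "#close\t2020-06-05-16-00-00\n"
)

# Constructed alert in the shape of a Suricata EVE record. It is logged in the
# server-to-client direction, the reverse of Zeek's originator/responder view,
# which is exactly the case Community ID's endpoint ordering takes care of.
SAMPLE_ALERT = {"src_ip": "203.0.113.5", "src_port": 80,
                "dest_ip": "192.168.4.76", "dest_port": 46378, "proto": "TCP"}

PROTO = {"tcp": 6, "udp": 17, "sctp": 132}  # IANA protocol numbers


def parse_zeek_tsv(text):
    """Yield one dict per record. Lines starting with '#' are headers: #fields
    names the columns, #unset_field gives the marker (default '-') mapped to None."""
    sep, fields, unset = "\t", None, "-"
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # The value is written escaped (e.g. \x09); decode it to the real character.
                sep = line[len("#separator "):].encode("ascii").decode("unicode_escape")
            else:
                key, _, value = line[1:].partition(sep)
                if key == "fields":
                    fields = value.split(sep)
                elif key == "unset_field":
                    unset = value
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        yield {f: (None if v == unset else v) for f, v in zip(fields, values)}


def community_id_v1(saddr, sport, daddr, dport, proto, seed=0):
    """Community ID v1: '1:' + base64(sha1(seed | addr1 | addr2 | proto | 0 | port1 | port2)).
    Endpoints are put in canonical order first, so both directions of a flow hash the same."""
    a, b = ipaddress.ip_address(saddr), ipaddress.ip_address(daddr)
    if a.version != b.version:
        raise ValueError("address families differ")
    if not (a.packed < b.packed or (a.packed == b.packed and sport < dport)):
        a, b, sport, dport = b, a, dport, sport
    data = struct.pack("!H", seed) + a.packed + b.packed + struct.pack("!BBHH", proto, 0, sport, dport)
    return "1:" + base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def match_iocs(records, ioc_addrs):
    """'Matching': records whose originator or responder is a known-bad address."""
    return [r for r in records if r["id.orig_h"] in ioc_addrs or r["id.resp_h"] in ioc_addrs]


def pivot_alert(records, alert):
    """'Pivoting': uids of conn.log records whose Community ID equals the alert's."""
    target = community_id_v1(alert["src_ip"], alert["src_port"], alert["dest_ip"],
                             alert["dest_port"], PROTO[alert["proto"].lower()])
    hits = []
    for r in records:
        if r["proto"] not in PROTO:
            continue
        cid = community_id_v1(r["id.orig_h"], int(r["id.orig_p"]),
                              r["id.resp_h"], int(r["id.resp_p"]), PROTO[r["proto"]])
        if cid == target:
            hits.append(r["uid"])
    return hits


if __name__ == "__main__":
    recs = list(parse_zeek_tsv(SAMPLE_CONN_LOG))
    print("IoC matches:", [r["uid"] for r in match_iocs(recs, {"203.0.113.5"})])
    print("alert pivots to:", pivot_alert(recs, SAMPLE_ALERT))
```

Because the Community ID is recomputed from each record’s 5-tuple, the same pivot works on logs written before Zeek’s own community_id field was enabled; with the field present, comparing it directly to the alert’s value is the cheaper path.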

Get Started

Installing Zeek

Prerequisites

Before installing Zeek, you’ll need to ensure that some dependencies are in place.

Required Dependencies

Zeek requires the following libraries and tools to be installed before you begin:

To build Zeek from source, the following additional dependencies are required:

To install the required dependencies, you can use:

  • RPM/RedHat-based Linux:

    sudo yum install cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel python3 python3-devel swig zlib-devel
    

    Additionally, on RHEL/CentOS 7, you can install and activate a devtoolset to get access to recent GCC versions. You will also have to install and activate CMake 3. For example:

    sudo yum install cmake3 devtoolset-7
    scl enable devtoolset-7 bash
    
  • DEB/Debian-based Linux:

    sudo apt-get install cmake make gcc g++ flex libfl-dev bison libpcap-dev libssl-dev python3 python3-dev swig zlib1g-dev
    
  • FreeBSD:

    Most required dependencies should come with a minimal FreeBSD install except for the following.

    sudo pkg install -y bash git cmake swig bison python3 base64
    pyver=`python3 -c 'import sys; print(f"py{sys.version_info[0]}{sys.version_info[1]}")'`
    sudo pkg install -y $pyver-sqlite3
    
  • macOS:

    Compiling source code on Macs requires first installing either Xcode or the “Command Line Tools” (which is a much smaller download). To check if either is installed, run the xcode-select -p command. If you see an error message, then neither is installed and you can then run xcode-select --install which will prompt you to either get Xcode (by clicking “Get Xcode”) or to install the command line tools (by clicking “Install”).

    macOS comes with all required dependencies except for CMake, SWIG, Bison, and OpenSSL (OpenSSL headers were removed in macOS 10.11, therefore OpenSSL must be installed manually for macOS versions 10.11 or newer).

    Distributions of these dependencies can likely be obtained from your preferred macOS package management system (e.g. Homebrew, MacPorts, or Fink). Specifically for Homebrew, the cmake, swig, openssl, and bison packages provide the required dependencies. For MacPorts, the cmake, swig, swig-python, openssl, and bison packages provide the required dependencies.

Optional Dependencies

Zeek can make use of some optional libraries and tools if they are found at build time:

Geolocation is probably the most interesting and can be installed on most platforms by following the instructions for installing the GeoIP library and database.

The zkg package manager, included in the Zeek installation, requires two external Python modules, GitPython and semantic-version.

These install easily via pip (pip3 install GitPython semantic-version) and also ship with some distributions:

  • RPM/RedHat-based Linux:

    sudo yum install python3-GitPython python3-semantic_version
    
  • DEB/Debian-based Linux:

    sudo apt-get install python3-git python3-semantic-version
    

zkg also requires a git installation, which the above system packages pull in as a dependency. If you install via pip, remember that you also need git itself.

Installing Zeek

Zeek can be downloaded as either pre-built binary packages for Linux, or in source code form. On many platforms, Zeek also comes already integrated into package management systems (e.g., Homebrew on macOS). Note, however, that such external packages may not always be fully up to date.

Using Pre-Built Binary Release Packages for Linux

We provide prebuilt binary packages for a variety of Linux distributions. See the Binary-Packages wiki for the latest updates on binary releases and for more information.

You can download the packages for the latest feature release build here for all the supported distributions. Please follow the instructions on that link to add rpm/deb repositories for the corresponding OS; grabbing the binary files directly does not give you all dependencies. The package source files are available here.

As an example, for CentOS:

For CentOS 8 run the following as root:

cd /etc/yum.repos.d/
wget https://download.opensuse.org/repositories/security:/zeek/CentOS_8_Stream/security:zeek.repo
yum install zeek

For CentOS 7 run the following as root:

cd /etc/yum.repos.d/
wget https://download.opensuse.org/repositories/security:/zeek/CentOS_7/security:zeek.repo
yum install zeek

Furthermore, you can download the packages for the latest LTS release build here and nightly builds are also available here for all the supported operating systems. Please follow the instructions on the links to add rpm/deb repositories for the corresponding OS; grabbing the binary files directly does not give you all dependencies. The source files for LTS builds are available here and for nightly builds source files are here.

For example, if you prefer to use the most recent LTS release, use yum install zeek-lts, and for the nightly builds use yum install zeek-nightly instead.

The install prefix for binary packages is /opt/zeek; packages from before the project was renamed from Bro to Zeek used /opt/bro.

Installing from Source

Zeek releases are bundled into source packages for convenience and are available on the downloads page. Download the .tar.gz archive from there to the target system and unpack it before building.

If you plan to contribute to Zeek or just want to try out the latest features under development, you should obtain Zeek’s source code through its Git repositories hosted at https://github.com/zeek:

git clone --recursive https://github.com/zeek/zeek

Note

If you choose to clone the zeek repository non-recursively for a “minimal Zeek experience”, be aware that compiling it depends on several of the other submodules as well, so you’ll likely have to build/install those independently first.

The typical way to build and install from source is (for more options, run ./configure --help):

./configure
make
make install

If the configure script fails, it is most likely because it either couldn’t find a required dependency or found only a version of it that is too old. Assuming that you have already installed all required dependencies, you may need to pass one of the --with-* options to the configure script to help it locate the dependency; ./configure --help lists all of the options.

The default installation path is /usr/local/zeek, which would typically require root privileges when doing the make install. A different installation path can be chosen by specifying the configure script --prefix option. Note that /usr, /opt/bro/, and /opt/zeek are the standard prefixes for binary Zeek packages to be installed, so those are typically not good choices unless you are creating such a package.

OpenBSD users, please see our FAQ if you are having problems installing Zeek.

Depending on the Zeek package you downloaded, there may be auxiliary tools and libraries available in the auxil/ directory. Some of them will be automatically built and installed along with Zeek. There are --disable-* options that can be given to the configure script to turn off unwanted auxiliary projects that would otherwise be installed automatically. Finally, use make install-aux to install some of the other programs that are in the auxil/zeek-aux directory.

Finally, if you want to build the Zeek documentation (not required, because all of the documentation for the latest Zeek release is available at https://docs.zeek.org), there are instructions in doc/README in the source distribution.

Cross Compiling
Prerequisites

You need three things on the host system:

  1. The Zeek source tree.

  2. A cross-compilation toolchain, such as one built via crosstool-NG.

  3. Pre-built Zeek dependencies from the target system. This usually includes libpcap, zlib, OpenSSL, and Python development headers and libraries.

Configuration and Compiling

You first need to compile a few build tools native to the host system for use during the later cross-compile build. In the root of your Zeek source tree:

./configure --builddir=../zeek-buildtools
( cd ../zeek-buildtools && make binpac bifcl )

Next configure Zeek to use your cross-compilation toolchain (this example uses a Raspberry Pi as the target system):

./configure --toolchain=/home/jon/x-tools/RaspberryPi-toolchain.cmake --with-binpac=$(pwd)/../zeek-buildtools/auxil/binpac/src/binpac --with-bifcl=$(pwd)/../zeek-buildtools/src/bifcl

Here, the RaspberryPi-toolchain.cmake file specifies a CMake toolchain. In the toolchain file, you need to point CMake at the cross-compiler and its sysroot. It might look something like the following:

# Operating system that CMake is targeting.
set(CMAKE_SYSTEM_NAME Linux)

# The CMAKE_STAGING_PREFIX option may not work.
# Given that Zeek is configured:
#
#   `./configure --prefix=<dir>`
#
# The options are:
#
#   (1) `make install` and then copy over the --prefix dir from host to
#       target system.
#
#   (2) `DESTDIR=<staging_dir> make install` and then copy over the
#       contents of that staging directory.

set(toolchain /home/jon/x-tools/arm-rpi-linux-gnueabihf)
set(CMAKE_C_COMPILER   ${toolchain}/bin/arm-rpi-linux-gnueabihf-gcc)
set(CMAKE_CXX_COMPILER ${toolchain}/bin/arm-rpi-linux-gnueabihf-g++)

# The cross-compiler/linker will use these paths to locate dependencies.
set(CMAKE_FIND_ROOT_PATH
    /home/jon/x-tools/zeek-rpi-deps
    ${toolchain}/arm-rpi-linux-gnueabihf/sysroot
)

set(CMAKE_FIND_ROOT_PATH_MODE_PROGRAM NEVER)
set(CMAKE_FIND_ROOT_PATH_MODE_LIBRARY ONLY)
set(CMAKE_FIND_ROOT_PATH_MODE_INCLUDE ONLY)

If that configuration succeeds you are ready to build:

make

And if that works, install on your host system:

make install

Once installed, you can copy/move the files from the installation prefix on the host system to the target system and start running Zeek as usual.

Configure the Run-Time Environment

You may want to adjust your PATH environment variable according to the platform/shell/package you’re using, since neither /usr/local/zeek/bin/ nor /opt/zeek/bin/ is in the default PATH. For example:

Bourne-Shell Syntax:

export PATH=/usr/local/zeek/bin:$PATH

C-Shell Syntax:

setenv PATH /usr/local/zeek/bin:$PATH

Or substitute /opt/zeek/bin instead if you installed from a binary package.

Quick Start Guide

Zeek works on most modern Unix-based systems and requires no custom hardware. It can be downloaded in either pre-built binary package or source code forms. See Installing Zeek for instructions on how to install Zeek.

In the examples below, $PREFIX is used to reference the Zeek installation root directory, which by default is /usr/local/zeek if you install from source and /opt/zeek if you install from the pre-built binary packages.

Managing Zeek with ZeekControl

ZeekControl is an interactive shell for easily operating/managing Zeek installations on a single system or even across multiple systems in a traffic-monitoring cluster. This section explains how to use ZeekControl to manage a stand-alone Zeek installation. For a complete reference on ZeekControl, see the ZeekControl documentation. For instructions on how to configure a Zeek cluster, see the Zeek Cluster Setup documentation.

Note

Using the standalone / single process mode of Zeek is not suitable for setups with significant amounts of traffic. In these cases one will almost certainly want to make use of a Zeek cluster, even on a single system.

A Minimal Starting Configuration

These are the basic configuration changes to make for a minimal ZeekControl installation that will manage a single (standalone) Zeek instance on the localhost:

  1. [Required]: In $PREFIX/etc/node.cfg, set the right interface to monitor.

    For example:

    vi $PREFIX/etc/node.cfg
    
    [zeek]
    type=standalone
    host=localhost
    interface=eth0   # change this according to your listening interface in ifconfig
    
  2. [Optional but recommended]: In $PREFIX/etc/networks.cfg, comment out the default settings and add the networks that Zeek will consider local to the monitored environment.

  3. [Optional]: In $PREFIX/etc/zeekctl.cfg, change the MailTo email address to a desired recipient and the LogRotationInterval to a desired log archival frequency.

Now start the ZeekControl shell like:

zeekctl

Since this is the first-time use of the shell, perform an initial installation of the ZeekControl configuration:

[ZeekControl] > install

Then start up a Zeek instance:

[ZeekControl] > start

There is another ZeekControl command, deploy, that combines the above two steps and can be run after any changes to Zeek policy scripts or the ZeekControl configuration. Note that the check command is available to validate a modified configuration before installing it.

[ZeekControl] > deploy

If there are errors while trying to start the Zeek instance, you can view the details with the diag command. If started successfully, the Zeek instance will begin analyzing traffic according to a default policy and write the results to the $PREFIX/logs/current directory.

Note

The user starting ZeekControl needs permission to capture network traffic. If you are not root, you may need to grant further privileges to the account you’re using; see the FAQ. Also, if it looks like Zeek is not seeing any traffic, check out the FAQ entry on checksum offloading.

You can leave it running for now, but to stop this Zeek instance you would do:

[ZeekControl] > stop

Once Zeek is stopped, the log files in the $PREFIX/logs/current directory are compressed and moved into a directory named after the current day inside $PREFIX/logs.

Browsing Log Files

By default, logs are written out in human-readable (ASCII) format and data is organized into columns (tab-delimited). Logs that are part of the current rotation interval are accumulated in $PREFIX/logs/current/ (if Zeek is not running, the directory will be empty). For example, the http.log contains the results of Zeek HTTP protocol analysis. Here are the first few columns of http.log:

# ts          uid          orig_h        orig_p  resp_h         resp_p
1311627961.8  HSH4uV8KVJg  192.168.1.100 52303   192.150.187.43 80

Logs that deal with analysis of a network protocol will often start like this: a timestamp, a unique connection identifier (UID), and a connection 4-tuple (originator host/port and responder host/port). The UID can be used to identify and correlate all logged activity (possibly across multiple log files) associated with a given connection 4-tuple over its lifetime.

The remaining columns of protocol-specific logs then detail the protocol-dependent activity that’s occurring. E.g. http.log’s next few columns (shortened for brevity) show a request to the root of the Zeek website:

# method   host         uri  referrer  user_agent
GET        zeek.org  /    -         <...>Chrome/12.0.742.122<...>
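As an added example (not Zeek’s own code; Zeek ships zeek-cut for column extraction), here is a small Python parser for the tab-separated format described above. It reads the #fields and #types header lines that every Zeek log carries, types each column accordingly (counts and ports to int, time and interval to float, addr to ipaddress objects, set/vector to lists, the unset marker to None) and then joins http.log records to their conn.log entries by uid, which is exactly the correlation the UID exists for. CONN_LOG and HTTP_LOG are constructed excerpts shortened to a handful of the real columns; a record whose conn.log entry lives in a different rotation file is kept and flagged rather than dropped.

```python
"""Parse Zeek's default tab-separated logs and correlate records by uid.

Added example, not Zeek's own code. CONN_LOG and HTTP_LOG are constructed,
shortened excerpts of real conn.log / http.log output.
"""
import ipaddress
from typing import Dict, Iterator, List

# The header Zeek writes at the top of every ASCII log (default separators).
HEADER = "#separator \\x09\n#set_separator\t,\n#empty_field\t(empty)\n#unset_field\t-\n"

CONN_LOG = HEADER + (
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tservice\tduration\torig_bytes\tresp_bytes\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring"
    "\tinterval\tcount\tcount\n"
    "1311627961.8\tHSH4uV8KVJg\t192.168.1.100\t52303\t192.150.187.43\t80"
    "\ttcp\thttp\t0.2\t300\t1500\n"
    "1311627962.1\tCq3Kxx2aVcd\t192.168.1.100\t51234\t8.8.8.8\t53"
    "\tudp\tdns\t-\t40\t-\n"
    "#close\t2021-01-01-00-00-00\n"
)

HTTP_LOG = HEADER + (
    "#path\thttp\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod"
    "\thost\turi\treferrer\tuser_agent\tstatus_code\tresp_mime_types\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring"
    "\tstring\tstring\tcount\tvector[string]\n"
    "1311627961.8\tHSH4uV8KVJg\t192.168.1.100\t52303\t192.150.187.43\t80"
    "\tGET\tzeek.org\t/\t-\tMozilla/5.0 Chrome/12.0.742.122\t200\ttext/html\n"
    "1311627961.9\tHSH4uV8KVJg\t192.168.1.100\t52303\t192.150.187.43\t80"
    "\tGET\tzeek.org\t/favicon.ico\thttp://zeek.org/\tMozilla/5.0 Chrome/12.0.742.122"
    "\t404\t(empty)\n"
)


def _convert(raw: str, typ: str, unset: str, empty: str, set_sep: str):
    """One column to a Python value, following its #types entry."""
    if raw == unset:
        return None
    if typ.startswith(("set[", "vector[")):
        inner = typ[typ.index("[") + 1:-1]
        return [] if raw == empty else [_convert(v, inner, unset, empty, set_sep)
                                        for v in raw.split(set_sep)]
    if typ in ("count", "int", "port"):
        return int(raw)
    if typ in ("time", "interval", "double"):
        return float(raw)
    if typ == "addr":
        return ipaddress.ip_address(raw)
    if typ == "bool":
        return raw == "T"
    return raw  # string, enum, subnet and anything else stay as text


def parse_zeek_log(text: str) -> Iterator[Dict[str, object]]:
    """Yield one dict per record, typed according to the log's own header.

    Assumes the default tab separator; #set_separator, #empty_field and
    #unset_field are taken from the header rather than hard-coded.
    """
    fields: List[str] = []
    types: List[str] = []
    unset, empty, set_sep = "-", "(empty)", ","
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition("\t")
            if key == "fields":
                fields = value.split("\t")
            elif key == "types":
                types = value.split("\t")
            elif key == "unset_field":
                unset = value
            elif key == "empty_field":
                empty = value
            elif key == "set_separator":
                set_sep = value
            continue  # #separator, #path, #open and #close carry no records
        cols = line.split("\t")
        if len(cols) != len(fields) or len(types) != len(fields):
            raise ValueError(f"record has {len(cols)} columns, header declares {len(fields)}")
        yield {name: _convert(raw, typ, unset, empty, set_sep)
               for name, typ, raw in zip(fields, types, cols)}


def join_on_uid(conn_text: str, proto_text: str) -> List[Dict[str, object]]:
    """Attach the conn.log record to every protocol-log record with the same uid.

    Protocol-level fields win on name clashes (e.g. ts); conn-only fields
    such as service, duration and byte counts are carried over. A uid with
    no conn.log entry (it may sit in another rotation file) is kept and
    marked with conn_found=False instead of being discarded.
    """
    conns = {rec["uid"]: rec for rec in parse_zeek_log(conn_text)}
    joined = []
    for rec in parse_zeek_log(proto_text):
        conn = conns.get(rec["uid"])
        merged = {**(conn or {}), **rec}
        merged["conn_found"] = conn is not None
        joined.append(merged)
    return joined


if __name__ == "__main__":
    for row in join_on_uid(CONN_LOG, HTTP_LOG):
        print(row["uid"], row["id.orig_h"], "->", row["id.resp_h"], row["method"],
              row["host"] + row["uri"], row["status_code"], row["service"], row["resp_bytes"])
```

The same parser works for any Zeek ASCII log, since the column names and types come from the file itself; the one thing to keep in mind when joining across files is that a uid’s conn.log line is written when the connection ends, so it can land in a later rotation interval than the protocol records for the same connection.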

Apart from the conventional network protocol specific log files, Zeek also generates other important log files based on the network traffic statistics, interesting activity captured in the traffic, and detection focused log files. Some logs that are worth explicit mention:

  • conn.log

    Contains an entry for every connection seen on the wire, with basic properties such as time and duration, originator and responder IP addresses, services and ports, payload size, and much more. This log provides a comprehensive record of the network’s activity.

  • notice.log

    Identifies specific activity that Zeek recognizes as potentially interesting, odd, or bad. In Zeek-speak, such activity is called a “notice”.

  • known_services.log

    Lists the services detected on the local network, i.e. those that clients on the network are observed to use. It helps in enumerating which services are present on the local network and whether they are all intentional and known to the network administrator.

  • weird.log

    Contains unusual or exceptional activity that can indicate malformed connections, traffic that doesn’t conform to a particular protocol, malfunctioning or misconfigured hardware/services, or even an attacker attempting to avoid/confuse a sensor.

By default, ZeekControl regularly takes all the logs from $PREFIX/logs/current and archives/compresses them to a directory named by date, e.g. $PREFIX/logs/2021-01-01. The frequency at which this is done can be configured via the LogRotationInterval option in $PREFIX/etc/zeekctl.cfg. The default is every hour.

Filesystem Walkthrough

When Zeek is installed on a system, it creates various directories under the default installation path /usr/local/zeek/ or /opt/zeek/. It is useful to know the basic filesystem layout and which directories contain what information. Below is the basic Zeek filesystem layout:

$PREFIX/ (e.g. /opt/zeek/ or /usr/local/zeek/)
|_ bin/
|_ etc/
|_ include/
|_ lib/
|_ logs/
|_ share/
|_ spool/

Some subdirectories worth more explanation are:

  • $PREFIX/bin/

    This directory contains all the binaries that get installed as part of a Zeek installation. A few important ones you should know about are:

    • zeek

      Binary to use when running Zeek as a command line utility. More information on using the binary follows in the next section.

    • zeek-cut

      Extracts columns from zeek logs (non-JSON), comes handy for log analysis, and also converts Unix epoch time to human readable format.

    • zeekctl

      Mainly used as a Zeek cluster management tool, it’s an interactive shell to easily operate/manage Zeek installations.

  • $PREFIX/etc/

    This directory contains the important configuration files that need to be modified for the minimal starting configuration as well as for configuring an advanced Zeek cluster installation. This is one of the important directories from the user perspective, and one should be familiar with the files it contains:

    • networks.cfg

      Define your local networks here. Zeek analytics are network aware and it is recommended to use this file to define your local networks for efficient and correct analysis of the network traffic.

    • node.cfg

      Configure a stand-alone node or a Zeek cluster configuration by defining various node types and their corresponding settings. It has examples defined for both stand-alone and clustered configurations for the user to use.

    • zeekctl.cfg

      Configuration file for ZeekControl management. It contains the settings of default logs directory, log rotation time interval and email configuration.

  • $PREFIX/logs/

    As the name suggests it is the default logs directory where Zeek stores the rotated logs from the current directory:

    • current

      It is a symlink to the spool directory that is defined in the zeekctl.cfg configuration file. It contains the active log files that Zeek currently writes to when running via ZeekControl.

  • $PREFIX/share/

    This is the directory containing all the Zeek scripts that are shipped with Zeek, which are highly customizable to support traffic analysis for your specific environment. For the people who are interested in learning more about Zeek scripts and different frameworks, this is a great place to start. The important sub-directories under share are:

    • zeek/base/

      It contains base scripts that are always loaded by Zeek (unless the -b command line option is supplied). These files should never be edited directly as changes will be lost when upgrading to newer versions of Zeek. Base scripts deal either with collecting basic/useful state about network activities or providing frameworks/utilities that extend Zeek’s functionality without any performance cost.

    • zeek/policy/

      Additional policy scripts that zeek ships with. Scripts under the policy/ directory may be more situational or costly, and so users must explicitly choose if they want to load them. By default, Zeek loads a few of the most useful policy scripts, as enabled via the local.zeek file in the site directory. These scripts should likewise never be modified.

    • zeek/site/

      It is the directory where local site-specific files/scripts can be put without fear of being clobbered later (with Zeek upgrades). The main entry point for the default analysis configuration of a Zeek instance managed by ZeekControl is the $PREFIX/share/zeek/site/local.zeek script, which can be used to load additional custom or policy scripts.

Zeek as a Command-Line Utility

If you prefer not to use ZeekControl (e.g., you don’t need its automation and management features), here’s how to directly control Zeek for your analysis activities from the command line for both live traffic and offline working from traces.

Monitoring Live Traffic

Analyzing live traffic from an interface is simple:

zeek -i en0 <list of scripts to load>

en0 should be replaced by the interface on which you want to monitor the traffic. The standard base scripts will be loaded and enabled by default. A list of additional scripts can be provided in the command as indicated above by <list of scripts to load>. Any such scripts supplied as space-separated files or paths will be loaded by Zeek in addition to the standard base scripts.

Zeek will output log files into the current working directory.

Note

The FAQ entries about capturing as an unprivileged user and checksum offloading are particularly relevant at this point.

Reading Packet Capture (pcap) Files

Zeek is also a handy tool for offline analysis of already captured pcap files: it produces the same logs as for live traffic and so gives a high-level, holistic view of the traffic in the capture.

If you want to capture packets from an interface and write them to a file to later analyze it with Zeek, then it can be done like this:

sudo tcpdump -i en0 -s 0 -w mypackets.trace

Where en0 should be replaced by the correct interface for your system, for example as shown by the ifconfig command. (The -s 0 argument tells it to capture whole packets; in cases where it’s not supported use -s 65535 instead).

After capturing traffic for a while, kill the tcpdump (with ctrl-c), and tell Zeek to perform all the default analysis on the capture:

zeek -r mypackets.trace

Zeek will output log files into the current working directory. If you want them written into a directory see below.

If no logs are generated for a pcap, try to run the pcap with -C to tell Zeek to ignore invalid IP Checksums:

zeek -C -r mypackets.trace

If you are interested in more detection, you can load the local.zeek script that is included as a suggested configuration:

zeek -r mypackets.trace local

If you want to run a custom or an extra script (assuming it’s in the default search path, more on this in the next section) to detect any particular behavior in the pcap, run Zeek with following command:

zeek -r mypackets.trace my-script.zeek

For example, set the LogAscii::logdir option on the command line to write the logs into a directory:

mkdir output_directory ; zeek -r mypackets.trace LogAscii::logdir=output_directory

Tracing Events

Zeek provides a mechanism for recording the events that occur during an execution run (on live traffic, or from a pcap) in a manner that you can then later replay to get the same effect but without the traffic source. You can also edit the recording to introduce differences between the original, such as introducing corner-cases to aid in testing, or anonymizing sensitive information.

You create a trace using:

zeek --event-trace=mytrace.zeek <traffic-option> <other-options> <scripts...>

or, equivalently:

zeek -E mytrace.zeek <traffic-option> <other-options> <scripts...>

Here, the traffic-option would be -i or -r to arrange for a source of network traffic. The trace will be written to the file mytrace.zeek which, as the extension suggests, is itself a Zeek script. You can then replay the events using:

zeek <other-options> <scripts...> mytrace.zeek

The generated script aims to ensure that event values that were related during the original run stay related when replayed; re-execution should proceed in a manner identical to how it did originally. There are however several considerations:

  • Zeek is unable to trace events that include values that cannot be faithfully recreated in a Zeek script, namely those having types of opaque, file, or any. Rather than produce an incomplete trace, it reports these as errors and refrains from generating any output.

  • Zeek only traces events that reflect traffic processing, i.e., those occurring after network_time is set.

  • The trace does not include events generated by scripts, only those generated by the “event engine”.

  • The trace is generated upon Zeek cleanly exiting, so if Zeek crashes, no trace will be produced. Stopping Zeek via ctrl-c does trigger a clean exit.

  • A subtle issue arises regarding any changes that the scripts in the original execution made to values present in subsequent events. If you re-run using the event trace script as well as those scripts, the changes the scripts make during the re-run will be discarded and instead replaced with the changes made during the original execution. This generally won’t matter if you’re using the exact same scripts for replay as originally, but if you’ve made changes to those scripts, then it could. If you need the replay script to “respond” to changes made during the re-execution, you can delete from the replay script every line marked with the comment # from script.

Note

It’s possible that some timers will behave differently upon replay than originally. If you encounter this and it creates a problem, we would be interested to hear about it so we can consider whether the problem can be remedied.

Telling Zeek Which Scripts to Load

A command-line invocation of Zeek typically looks like:

zeek <options> <scripts...>

Where the last arguments are the specific policy scripts that this Zeek instance will load. These arguments don’t have to include the .zeek file extension, and if the corresponding script resides in the default search path, then it requires no path qualification. The following directories are included in the default search path for Zeek scripts:

./
<prefix>/share/zeek/
<prefix>/share/zeek/policy/
<prefix>/share/zeek/site/

These prefix paths can be used to load scripts like this:

zeek -r mypackets.trace frameworks/files/extract-all-files

This will load the $PREFIX/share/zeek/policy/frameworks/files/extract-all-files.zeek script which will cause Zeek to extract all of the files it discovers in the pcap.

Note

If one wants Zeek to be able to load scripts that live outside the default directories in Zeek’s installation root, the full path to the file(s) must be provided. See the default search path by running zeek --help and looking at ZEEKPATH. You can also extend the search path by setting the environment variable ZEEKPATH to additional directories (note that you will need to repeat the original path when setting ZEEKPATH, as otherwise Zeek will not find its standard scripts).

If you take a look inside a Zeek script, you might notice the @load directive in the Zeek language to declare dependence on other scripts. This directive is similar to the #include of C/C++, except the semantics are, “load this script if it hasn’t already been loaded.”

Further, a directory of scripts can also be specified as an argument to be loaded as a “package” if the directory contains a __load__.zeek script that defines the scripts that are part of the package (note the double underscore (_) characters on each end).

For example:

zeek -r mypackets.trace misc/detect-traceroute

This will load the package in the directory $PREFIX/share/zeek/policy/misc/detect-traceroute, whose __load__.zeek script tells Zeek which scripts under that directory to load and run against the pcap. The misc/ prefix is needed because only policy/ itself, not its subdirectories, is on the default search path.
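As an added example (not Zeek’s own resolver, which lives inside the zeek binary), the following Python applies the rules just described: an argument may omit the .zeek extension, each search-path entry is tried in order, and a directory that holds a __load__.zeek is loadable as a package. It builds a throwaway $PREFIX with the scripts mentioned above in a temporary directory; that layout is constructed, and the candidate order is a simplification of Zeek’s. It also shows the caveat from the note: a ZEEKPATH that omits the default entries makes even local.zeek unresolvable, and a bare detect-traceroute finds nothing because policy/misc is not itself on the path.

```python
"""Resolve a command-line script argument against a Zeek-style search path.

Added example, not Zeek's resolver. The fake installation prefix built in
a temporary directory is constructed for this illustration.
"""
import os
import shutil
import tempfile
from typing import Dict, List, Optional


def default_search_path(prefix: str) -> List[str]:
    """The default ZEEKPATH entries for an installation prefix."""
    share = os.path.join(prefix, "share", "zeek")
    return [".", share, os.path.join(share, "policy"), os.path.join(share, "site")]


def search_path_from_env(prefix: str, env: Dict[str, str]) -> List[str]:
    """Honour ZEEKPATH if set; it replaces the defaults rather than extending them."""
    raw = env.get("ZEEKPATH")
    if not raw:
        return default_search_path(prefix)
    return [p for p in raw.split(os.pathsep) if p]


def resolve_script(arg: str, search_path: List[str]) -> Optional[str]:
    """Return the file that would be loaded for ``arg``, or None if nothing matches.

    For each search-path entry (or just the argument itself if absolute) try
    the literal name, the name with .zeek appended, and a package directory
    of that name containing __load__.zeek.
    """
    bases = [arg] if os.path.isabs(arg) else [os.path.join(d, arg) for d in search_path]
    for base in bases:
        for candidate in (base, base + ".zeek", os.path.join(base, "__load__.zeek")):
            if os.path.isfile(candidate):
                return os.path.normpath(candidate)
    return None


def build_fake_prefix() -> str:
    """Create a throwaway $PREFIX holding the scripts this section refers to."""
    prefix = tempfile.mkdtemp(prefix="zeek-prefix-")
    files = {
        "share/zeek/policy/frameworks/files/extract-all-files.zeek": "",
        "share/zeek/policy/misc/detect-traceroute/__load__.zeek": "@load ./main\n",
        "share/zeek/policy/misc/detect-traceroute/main.zeek": "",
        "share/zeek/site/local.zeek": "",
    }
    for rel, body in files.items():
        path = os.path.join(prefix, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return prefix


def demo() -> Dict[str, Optional[str]]:
    """Resolve the arguments used in this section against the fake prefix."""
    prefix = build_fake_prefix()
    try:
        path = default_search_path(prefix)
        results = {arg: resolve_script(arg, path) for arg in (
            "frameworks/files/extract-all-files", "misc/detect-traceroute",
            "local", "detect-traceroute")}
        # A ZEEKPATH that forgot the defaults loses the standard scripts too.
        broken = search_path_from_env(prefix, {"ZEEKPATH": "/nonexistent"})
        results["local with ZEEKPATH=/nonexistent"] = resolve_script("local", broken)
        return results
    finally:
        shutil.rmtree(prefix, ignore_errors=True)


if __name__ == "__main__":
    for arg, hit in demo().items():
        print(f"{arg:40s} -> {hit}")
```

Note the leading "." entry: a script in the current working directory shadows one of the same name under $PREFIX, which is convenient for development but worth remembering when a sensor behaves differently depending on where zeek was started.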

Local Site Customization

There is one script that is installed which is considered “local site customization” and is not overwritten when upgrades take place. To use the site-specific local.zeek script, just add it to the command-line (can also be loaded through scripts with @load; ZeekControl loads it automatically):

zeek -i en0 local

With a fresh installation, this causes Zeek to load a script that prints a warning that the Site::local_nets variable has not been configured. You can supply this information in the local.zeek file or at the command line like this (supply your “local” subnets in place of the example subnets):

zeek -r mypackets.trace local -e "Site::local_nets += { 1.2.3.0/24, 5.6.7.0/24 }"

When running with ZeekControl, this value is set by configuring the networks.cfg file. Note the example also shows how you can execute script code without it being in a .zeek file.
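As an added example (not ZeekControl’s own code), here is how the networks.cfg-to-Site::local_nets step can be reproduced in Python: each non-comment line of networks.cfg contributes one CIDR prefix, and an address is "local" when it falls inside any of them. That lets you apply the identical local/remote split to addresses in exported logs, and generate the -e fragment shown above rather than typing it. The networks.cfg text is constructed; 2001:db8::/32 stands in for a real IPv6 allocation.

```python
"""Reproduce the Site::local_nets decision from networks.cfg outside Zeek.

Added example, not ZeekControl's code. NETWORKS_CFG is constructed.
"""
import ipaddress
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

NETWORKS_CFG = """\
# List of local networks in CIDR notation, optionally followed by a
# descriptive tag.
10.0.0.0/8          Private IP space
172.16.0.0/12       Private IP space
192.168.0.0/16      Private IP space
2001:db8::/32       Our IPv6 range (documentation prefix, constructed)
"""


def parse_networks_cfg(text: str) -> List[Network]:
    """One network per non-comment line; the rest of the line is a free-text tag."""
    nets: List[Network] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cidr = line.split()[0]
        try:
            nets.append(ipaddress.ip_network(cidr, strict=False))
        except ValueError as exc:
            raise ValueError(f"networks.cfg line {lineno}: {exc}") from exc
    return nets


def is_local(addr: str, nets: List[Network]) -> bool:
    """True if addr lies inside any configured local network of the same IP version."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets if net.version == ip.version)


def direction(orig: str, resp: str, nets: List[Network]) -> str:
    """Label a connection the way conn.log's local_orig/local_resp flags would."""
    def side(addr: str) -> str:
        return "local" if is_local(addr, nets) else "remote"
    return f"{side(orig)}->{side(resp)}"


def local_nets_redef(nets: List[Network]) -> str:
    """The script fragment equivalent to this networks.cfg, usable with zeek -e."""
    return "Site::local_nets += { " + ", ".join(str(n) for n in nets) + " }"


if __name__ == "__main__":
    local = parse_networks_cfg(NETWORKS_CFG)
    print(local_nets_redef(local))
    print(direction("192.168.1.100", "192.150.187.43", local))
```

A malformed prefix raises with its line number instead of being silently skipped; a networks.cfg that loses a line is the usual reason a sensor suddenly treats an internal range as remote.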

Running Zeek Without Installing

Developers who wish to run Zeek directly from the build/ directory (i.e., without performing make install) first have to adjust ZEEKPATH to look for scripts and additional files inside the build directory. Sourcing either build/zeek-path-dev.sh or build/zeek-path-dev.csh, as appropriate for the current shell, accomplishes this and also augments your PATH so you can use the Zeek binary directly:

./configure
make
source build/zeek-path-dev.sh
zeek <options>

Next Steps

By this point, we’ve covered how to set up the most basic Zeek instance, browse log files, and find your way around the basic filesystem layout. Here are some suggestions on what to explore next:

  • Simply continue reading further into this documentation to find out more about the contents of Zeek log files and how to write custom Zeek scripts.

  • Look at the scripts in $PREFIX/share/zeek/policy for further ones you may want to load; you can browse their documentation at the overview of script packages.

  • Reading the code of scripts that ship with Zeek is also a great way to gain further understanding of the language and how scripts tend to be structured.

  • Review the FAQ.

  • Join the Zeek community Slack channel for interacting with the fellow Zeekers and Zeek core developers.

  • Track Zeek code releases by reading the “Release Notes” for each release. The “Get Zeek” web page points to this file for each new version of Zeek. These notes appear as the file NEWS, which summarizes the most important changes in the new version. These same notes are attached to the release page on GitHub for each release. For details on each change, see the separate CHANGES file, also accompanying each release.

Zeek Cluster Setup

A Zeek Cluster is a set of systems jointly analyzing the traffic of a network link in a coordinated fashion. You can operate such a setup from a central manager system easily using ZeekControl because it hides much of the complexity of the multi-machine installation.

Cluster Architecture

Zeek is not multithreaded, so once the limitations of a single processor core are reached the only option currently is to spread the workload across many cores, or even many physical computers. The cluster deployment scenario for Zeek is the current solution to build these larger systems. The tools and scripts that accompany Zeek provide the structure to easily manage many Zeek processes examining packets and doing correlation activities but acting as a singular, cohesive entity. This document describes the Zeek cluster architecture. For information on how to configure a Zeek cluster, see the documentation for ZeekControl.

Architecture

The figure below illustrates the main components of a Zeek cluster.

_images/deployment.png

For more specific information on the way Zeek processes are connected, how they function, and how they communicate with each other, see the Broker Framework Documentation.

Tap

The tap is a mechanism that splits the packet stream in order to make a copy available for inspection. Examples include the monitoring port on a switch and an optical splitter on fiber networks.

Frontend

The frontend is a discrete hardware device or on-host technique that splits traffic into many streams or flows. The Zeek binary does not do this job. There are numerous ways to accomplish this task, some of which are described below in Frontend Options.

Manager

The manager is a Zeek process that has two primary jobs. It receives log messages and notices from the rest of the nodes in the cluster using the Zeek communications protocol (note that if you use a separate logger node, then the logger receives all logs instead of the manager). The result is a single log instead of many discrete logs that you have to combine in some manner with post-processing. The manager also supports other functionality and analysis which requires a centralized, global view of events or data.

Logger

A logger is an optional Zeek process that receives log messages from the rest of the nodes in the cluster using the Zeek communications protocol. The purpose of having a logger receive logs instead of the manager is to reduce the load on the manager. If no logger is needed, then the manager will receive logs instead.

Proxy

A proxy is a Zeek process that may be used to offload data storage or any arbitrary workload. A cluster may contain multiple proxy nodes. The default scripts that come with Zeek make minimal use of proxies, so a single one may be sufficient, but customized use of them to partition data or workloads provides greater cluster scalability potential than just doing similar tasks on a single, centralized Manager node.

Zeek processes acting as proxies don’t tend to be extremely hard on CPU or memory and users frequently run proxy processes on the same physical host as the manager.

Worker

The worker is the Zeek process that sniffs network traffic and does protocol analysis on the reassembled traffic streams. Most of the work of an active cluster takes place on the workers and as such, the workers typically represent the bulk of the Zeek processes that are running in a cluster. The fastest memory and CPU core speed you can afford is recommended since all of the protocol parsing and most analysis will take place here. There are no particular requirements for the disks in workers since almost all logging is done remotely to the manager, and normally very little is written to disk.

Frontend Options

There are many options for setting up a frontend flow distributor. In many cases it is beneficial to do multiple stages of flow distribution on the network and on the host.

Discrete hardware flow balancers
cPacket

If you are monitoring one or more 10G physical interfaces, the recommended solution is to use either a cFlow or cVu device from cPacket because they are used successfully at a number of sites. These devices will perform layer-2 load balancing by rewriting the destination Ethernet MAC address to cause each packet associated with a particular flow to have the same destination MAC. The packets can then be passed directly to a monitoring host where each worker has a BPF filter to limit its visibility to only that stream of flows, or onward to a commodity switch to split the traffic out to multiple 1G interfaces for the workers. This greatly reduces costs since workers can use relatively inexpensive 1G interfaces.

OpenFlow Switches

We are currently exploring the use of OpenFlow based switches to do flow-based load balancing directly on the switch, which greatly reduces frontend costs for many users. This document will be updated when we have more information.

On host flow balancing

PF_RING

The PF_RING software for Linux has a “clustering” feature which will do flow-based load balancing across a number of processes that are sniffing the same interface. This allows you to easily take advantage of multiple cores in a single physical host because Zeek’s main event loop is single threaded and can’t natively utilize all of the cores. If you want to use PF_RING, see the documentation on how to configure Zeek with PF_RING.

Netmap

FreeBSD has an in-progress project named Netmap which will enable flow-based load balancing as well. When it becomes viable for real world use, this document will be updated.

Click! Software Router

Click! can be used for flow based load balancing with a simple configuration. This solution is not recommended on Linux due to Zeek’s PF_RING support and only as a last resort on other operating systems since it causes a lot of overhead due to context switching back and forth between kernel and userland several times per packet.

Cluster Configuration

A Zeek Cluster is a set of systems jointly analyzing the traffic of a network link in a coordinated fashion. You can operate such a setup from a central manager system easily using ZeekControl because it hides much of the complexity of the multi-machine installation.

This section gives examples of how to set up common cluster configurations using ZeekControl. For a full reference on ZeekControl, see the ZeekControl documentation.

Preparing to Set Up a Cluster

In this document we refer to the user account used to set up the cluster as the “Zeek user”. When setting up a cluster the Zeek user must be set up on all hosts, and this user must have ssh access from the manager to all machines in the cluster, and it must work without being prompted for a password/passphrase (for example, using ssh public key authentication). Also, on the worker nodes this user must have access to the target network interface in promiscuous mode.

Additional storage must be available on all hosts under the same path, which we will call the cluster’s prefix path. We refer to this directory as <prefix>. If you build Zeek from source, then <prefix> is the directory specified with the --prefix configure option, or /usr/local/zeek by default. The Zeek user must be able to either create this directory or, where it already exists, must have write permission inside this directory on all hosts.

When trying to decide how to configure the Zeek nodes, keep in mind that there can be multiple Zeek instances running on the same host. For example, it’s possible to run a proxy and the manager on the same host. However, it is recommended to run workers on a different machine than the manager because workers can consume a lot of CPU resources. The maximum recommended number of workers to run on a machine should be one or two less than the number of CPU cores available on that machine. Using a load-balancing method (such as PF_RING) along with CPU pinning can decrease the load on the worker machines. Also, in order to reduce the load on the manager process, it is recommended to have a logger in your configuration. If a logger is defined in your cluster configuration, then it will receive logs instead of the manager process.

Basic Cluster Configuration

With all prerequisites in place, perform the following steps to set up a Zeek cluster (do this as the Zeek user on the manager host only):

  • Edit the ZeekControl configuration file, <prefix>/etc/zeekctl.cfg, and change the value of any options to be more suitable for your environment. You will most likely want to change the value of the MailTo and LogRotationInterval options. A complete reference of all ZeekControl options can be found in the ZeekControl documentation.

  • Edit the ZeekControl node configuration file, <prefix>/etc/node.cfg, to define where the logger, manager, proxies, and workers are to run. For a cluster configuration, you must comment out (or remove) the standalone node in that file, and either uncomment or add node entries for each node in your cluster (logger, manager, proxy, and workers). For example, if you wanted to run five Zeek nodes (two workers, one proxy, a logger, and a manager) on a cluster consisting of three machines, your cluster configuration would look like this:

    [logger]
    type=logger
    host=10.0.0.10
    
    [manager]
    type=manager
    host=10.0.0.10
    
    [proxy-1]
    type=proxy
    host=10.0.0.10
    
    [worker-1]
    type=worker
    host=10.0.0.11
    interface=eth0
    
    [worker-2]
    type=worker
    host=10.0.0.12
    interface=eth0
    

    For a complete reference of all options that are allowed in the node.cfg file, see the ZeekControl documentation.

  • Edit the network configuration file <prefix>/etc/networks.cfg. This file lists all of the networks which the cluster should consider as local to the monitored environment.

  • Install Zeek on all machines in the cluster using ZeekControl:

    > zeekctl install
    
  • See the ZeekControl documentation for information on setting up a cron job on the manager host that can monitor the cluster.

PF_RING Cluster Configuration

PF_RING allows speeding up the packet capture process by installing a new type of socket in Linux systems. It supports 10Gbit hardware packet filtering using standard network adapters, and user-space DNA (Direct NIC Access) for fast packet capture/transmission.

Installing PF_RING

  1. Download and install PF_RING for your system following the instructions here. The following commands will install the PF_RING libraries and kernel module (replace the version number 5.6.2 in this example with the version that you downloaded):

    cd /usr/src
    tar xvzf PF_RING-5.6.2.tar.gz
    cd PF_RING-5.6.2/userland/lib
    ./configure --prefix=/opt/pfring
    make install
    
    cd ../libpcap
    ./configure --prefix=/opt/pfring
    make install
    
    cd ../tcpdump-4.1.1
    ./configure --prefix=/opt/pfring
    make install
    
    cd ../../kernel
    make
    make install
    
    modprobe pf_ring enable_tx_capture=0 min_num_slots=32768
    

    Refer to the documentation for your Linux distribution on how to load the pf_ring module at boot time. You will need to install the PF_RING library files and kernel module on all of the workers in your cluster.

  2. Download the Zeek source code.

  3. Configure and install Zeek using the following commands:

    ./configure --with-pcap=/opt/pfring
    make
    make install
    
  4. Make sure Zeek is correctly linked to the PF_RING libpcap libraries:

    ldd /usr/local/zeek/bin/zeek | grep pcap
          libpcap.so.1 => /opt/pfring/lib/libpcap.so.1 (0x00007fa6d7d24000)
    
  5. Configure ZeekControl to use PF_RING (explained below).

  6. Run “zeekctl install” on the manager. This command will install Zeek and required scripts to all machines in your cluster.

Using PF_RING

In order to use PF_RING, you need to specify the correct configuration options for your worker nodes in ZeekControl’s node configuration file. Edit the node.cfg file and specify lb_method=pf_ring for each of your worker nodes. Next, use the lb_procs node option to specify how many Zeek processes you’d like that worker node to run, and optionally pin those processes to certain CPU cores with the pin_cpus option (CPU numbering starts at zero). The correct pin_cpus setting to use is dependent on your CPU architecture (Intel and AMD systems enumerate processors in different ways). Using the wrong pin_cpus setting can cause poor performance. Here is what a worker node entry should look like when using PF_RING and CPU pinning:

[worker-1]
type=worker
host=10.0.0.50
interface=eth0
lb_method=pf_ring
lb_procs=10
pin_cpus=2,3,4,5,6,7,8,9,10,11

Using PF_RING+DNA with symmetric RSS

You must have a PF_RING+DNA license in order to do this. You can sniff each packet only once.

  1. Load the DNA NIC driver (e.g., ixgbe) on each worker host.

  2. Run “ethtool -L dna0 combined 10” (this will establish 10 RSS queues on your NIC) on each worker host. You must make sure that you set the number of RSS queues to the same as the number you specify for the lb_procs option in the node.cfg file.

  3. On the manager, configure your worker(s) in node.cfg:

    [worker-1]
    type=worker
    host=10.0.0.50
    interface=dna0
    lb_method=pf_ring
    lb_procs=10
    
Using PF_RING+DNA with pfdnacluster_master

You must have a PF_RING+DNA license and a libzero license in order to do this. You can load balance between multiple applications and sniff the same packets multiple times with different tools.

  1. Load the DNA NIC driver (e.g., ixgbe) on each worker host.

  2. Run “ethtool -L dna0 1” (this will establish 1 RSS queue on your NIC) on each worker host.

  3. Run the pfdnacluster_master command on each worker host. For example:

    pfdnacluster_master -c 21 -i dna0 -n 10
    

    Make sure that your cluster ID (21 in this example) matches the interface name you specify in the node.cfg file. Also make sure that the number of processes you’re balancing across (10 in this example) matches the lb_procs option in the node.cfg file.

  4. If you are load balancing to other processes, you can use the pfringfirstappinstance variable in zeekctl.cfg to set the first application instance that Zeek should use. For example, if you are running pfdnacluster_master with “-n 10,4” you would set pfringfirstappinstance=4. Unfortunately that’s still a global setting in zeekctl.cfg at the moment but we may change that to something you can set in node.cfg eventually.

  5. On the manager, configure your worker(s) in node.cfg:

    [worker-1]
    type=worker
    host=10.0.0.50
    interface=dnacluster:21
    lb_method=pf_ring
    lb_procs=10
    
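Several of the rules above are easy to get wrong by hand: a worker that shares a host with the manager, a pf_ring worker without lb_procs, or a pin_cpus list whose length does not match lb_procs (the RSS queue count must match lb_procs as well, but that lives on the NIC, not in node.cfg). The following is an added example, not part of ZeekControl, that parses a node.cfg and reports such mismatches. The sample configuration is constructed for this example, and treating a pin_cpus/lb_procs length mismatch as a finding is this example's own policy, not a check ZeekControl is documented to perform.

```python
import configparser

# Constructed sample node.cfg, not taken from a live cluster. worker-2 shares a
# host with the manager and pins fewer cores than it has processes, on purpose,
# so the checks below have something to report.
SAMPLE_NODE_CFG = """\
[logger]
type=logger
host=10.0.0.10

[manager]
type=manager
host=10.0.0.10

[proxy-1]
type=proxy
host=10.0.0.10

[worker-1]
type=worker
host=10.0.0.11
interface=eth0
lb_method=pf_ring
lb_procs=10
pin_cpus=2,3,4,5,6,7,8,9,10,11

[worker-2]
type=worker
host=10.0.0.10
interface=eth0
lb_method=pf_ring
lb_procs=4
pin_cpus=2,3
"""


def parse_node_cfg(text):
    """Parse a ZeekControl node.cfg (INI syntax) into {section: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {name: dict(cp.items(name)) for name in cp.sections()}


def check_node_cfg(nodes):
    """Return a list of (section, message) findings for the worker entries.

    Rules: every worker needs an interface; workers should not share a host
    with the manager; lb_method=pf_ring needs a positive lb_procs; pin_cpus
    must be distinct core numbers and (this example's policy) one per process.
    """
    findings = []
    manager_hosts = {n.get("host") for n in nodes.values() if n.get("type") == "manager"}
    for name, node in nodes.items():
        if node.get("type") != "worker":
            continue
        if "interface" not in node:
            findings.append((name, "worker has no interface"))
        host = node.get("host")
        if host in manager_hosts:
            findings.append((name, f"worker shares host {host} with the manager"))
        if node.get("lb_method") == "pf_ring":
            try:
                procs = int(node.get("lb_procs", ""))
            except ValueError:
                procs = 0
            if procs < 1:
                findings.append((name, "lb_method=pf_ring needs a positive lb_procs"))
            if "pin_cpus" in node:
                cpus = [c.strip() for c in node["pin_cpus"].split(",") if c.strip()]
                if not all(c.isdigit() for c in cpus):
                    findings.append((name, "pin_cpus must be a comma-separated list of core numbers"))
                elif len(set(cpus)) != len(cpus):
                    findings.append((name, "pin_cpus lists a core more than once"))
                elif procs and len(cpus) != procs:
                    findings.append((name, f"pin_cpus lists {len(cpus)} cores but lb_procs={procs}"))
    return findings


if __name__ == "__main__":
    for section, message in check_node_cfg(parse_node_cfg(SAMPLE_NODE_CFG)):
        print(f"{section}: {message}")
```

Run it against <prefix>/etc/node.cfg before “zeekctl install”; on the sample above it reports both problems with worker-2 and nothing for worker-1.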

Zeek Log Formats and Inspection

Zeek creates a variety of logs when run in its default configuration. This data can be intimidating for a first-time user. In this section, we will process a sample packet trace with Zeek, and take a brief look at the sorts of logs Zeek creates. We will look at logs created in the traditional format, as well as logs in JSON format. We will also introduce a few command-line tools to examine Zeek logs.

Working with a Sample Trace

For the examples that follow, we will use Zeek on a Linux system to process network traffic captured and stored to disk. We saved this trace file earlier in packet capture (PCAP) format as tm1t.pcap. The command line protocol analyzer Tcpdump, which ships with most Unix-like distributions, summarizes the contents of this file.

zeek@zeek:~/zeek-test$ tcpdump -n -r tm1t.pcap
reading from file tm1t.pcap, link-type EN10MB (Ethernet)
14:39:59.305988 IP 192.168.4.76.36844 > 192.168.4.1.53: 19671+ A? testmyids.com. (31)
14:39:59.306059 IP 192.168.4.76.36844 > 192.168.4.1.53: 8555+ AAAA? testmyids.com. (31)
14:39:59.354577 IP 192.168.4.1.53 > 192.168.4.76.36844: 8555 0/1/0 (94)
14:39:59.372840 IP 192.168.4.1.53 > 192.168.4.76.36844: 19671 1/0/0 A 31.3.245.133 (47)
14:39:59.430166 IP 192.168.4.76.46378 > 31.3.245.133.80: Flags [S], seq 3723031366, win 65535, options [mss 1460,sackOK,TS val 3137978796 ecr 0,nop,wscale 11], length 0
14:39:59.512232 IP 31.3.245.133.80 > 192.168.4.76.46378: Flags [S.], seq 2993782376, ack 3723031367, win 28960, options [mss 1460,sackOK,TS val 346747623 ecr 3137978796,nop,wscale 7], length 0
14:39:59.512284 IP 192.168.4.76.46378 > 31.3.245.133.80: Flags [.], ack 1, win 32, options [nop,nop,TS val 3137978878 ecr 346747623], length 0
14:39:59.512593 IP 192.168.4.76.46378 > 31.3.245.133.80: Flags [P.], seq 1:78, ack 1, win 32, options [nop,nop,TS val 3137978878 ecr 346747623], length 77: HTTP: GET / HTTP/1.1
14:39:59.600488 IP 31.3.245.133.80 > 192.168.4.76.46378: Flags [.], ack 78, win 227, options [nop,nop,TS val 346747711 ecr 3137978878], length 0
14:39:59.604000 IP 31.3.245.133.80 > 192.168.4.76.46378: Flags [P.], seq 1:296, ack 78, win 227, options [nop,nop,TS val 346747713 ecr 3137978878], length 295: HTTP: HTTP/1.1 200 OK
14:39:59.604020 IP 192.168.4.76.46378 > 31.3.245.133.80: Flags [.], ack 296, win 33, options [nop,nop,TS val 3137978970 ecr 346747713], length 0
14:39:59.604493 IP 192.168.4.76.46378 > 31.3.245.133.80: Flags [F.], seq 78, ack 296, win 33, options [nop,nop,TS val 3137978970 ecr 346747713], length 0
14:39:59.684281 IP 31.3.245.133.80 > 192.168.4.76.46378: Flags [F.], seq 296, ack 79, win 227, options [nop,nop,TS val 346747796 ecr 3137978970], length 0
14:39:59.684346 IP 192.168.4.76.46378 > 31.3.245.133.80: Flags [.], ack 297, win 33, options [nop,nop,TS val 3137979050 ecr 346747796], length 0

This is a simple exchange involving domain name system (DNS) traffic followed by HyperText Transfer Protocol (HTTP) traffic.

Rather than run Zeek against a live interface, we will ask Zeek to digest this trace. This process allows us to vary Zeek’s run-time operation, keeping the traffic constant.

First we make two directories to store the log files that Zeek will produce. Then we will move into the “default” directory.

zeek@zeek:~/zeek-test$ mkdir default
zeek@zeek:~/zeek-test$ mkdir json
zeek@zeek:~/zeek-test$ cd default/

Zeek TSV Format Logs

From this location on disk, we tell Zeek to digest the tm1t.pcap file.

zeek@zeek:~/zeek-test/default$ zeek -C -r ../tm1t.pcap

The -r flag tells Zeek where to find the trace of interest.

The -C flag tells Zeek to ignore any TCP checksum errors. This happens on many systems due to a feature called “checksum offloading,” but it does not affect our analysis.

Zeek completes its task without reporting anything to the command line. This is standard Unix-like behavior. Using the ls command we see what files Zeek created when processing the trace.

zeek@zeek:~/zeek-test/default$ ls -al
total 28
drwxrwxr-x 2 zeek zeek 4096 Jun  5 14:48 .
drwxrwxr-x 4 zeek zeek 4096 Jun  5 14:43 ..
-rw-rw-r-- 1 zeek zeek  737 Jun  5 14:48 conn.log
-rw-rw-r-- 1 zeek zeek  778 Jun  5 14:48 dns.log
-rw-rw-r-- 1 zeek zeek  712 Jun  5 14:48 files.log
-rw-rw-r-- 1 zeek zeek  883 Jun  5 14:48 http.log
-rw-rw-r-- 1 zeek zeek  254 Jun  5 14:48 packet_filter.log

Zeek created five files. We will look at the contents of Zeek log data in detail in later sections. For now, we will take a quick look at each file, beginning with the conn.log.

We use the cat command to show the contents of each log.

zeek@zeek:~/zeek-test/default$ cat conn.log
#separator \x09
#set_separator  ,
#empty_field    (empty)
#unset_field    -
#path   conn
#open   2020-06-05-14-48-32
#fields ts      uid     id.orig_h       id.orig_p       id.resp_h       id.resp_p       proto   service duration        orig_bytes      resp_bytes      conn_state    local_orig      local_resp      missed_bytes    history orig_pkts       orig_ip_bytes   resp_pkts       resp_ip_bytes   tunnel_parents
#types  time    string  addr    port    addr    port    enum    string  interval        count   count   string  bool    bool    count   string  count   count count    count   set[string]
1591367999.305988       CazOhH2qDUiJTWMCY       192.168.4.76    36844   192.168.4.1     53      udp     dns     0.066852        62      141     SF      -       -       0       Dd      2       118     2       197     -
1591367999.430166       CLqEx41jYPOdfHF586      192.168.4.76    46378   31.3.245.133    80      tcp     http    0.254115        77      295     SF      -       -       0       ShADadFf        6       397     4       511     -
#close  2020-06-05-14-48-32

Next we look at Zeek’s dns.log.

zeek@zeek:~/zeek-test/default$ cat dns.log
#separator \x09
#set_separator  ,
#empty_field    (empty)
#unset_field    -
#path   dns
#open   2020-06-05-14-48-32
#fields ts      uid     id.orig_h       id.orig_p       id.resp_h       id.resp_p       proto   trans_id        rtt     query   qclass  qclass_name     qtype   qtype_name      rcode   rcode_name      AA      TC      RD      RA      Z       answers TTLs    rejected
#types  time    string  addr    port    addr    port    enum    count   interval        string  count   string  count   string  count   string  bool    bool bool     bool    count   vector[string]  vector[interval]        bool
1591367999.306059       CazOhH2qDUiJTWMCY       192.168.4.76    36844   192.168.4.1     53      udp     8555    -       testmyids.com   1       C_INTERNET   28       AAAA    0       NOERROR F       F       T       F       0       -       -       F
1591367999.305988       CazOhH2qDUiJTWMCY       192.168.4.76    36844   192.168.4.1     53      udp     19671   0.066852        testmyids.com   1       C_INTERNET    1       A       0       NOERROR F       F       T       T       0       31.3.245.133    3600.000000     F
#close  2020-06-05-14-48-32

Next we look at Zeek’s files.log.

zeek@zeek:~/zeek-test/default$ cat files.log
#separator \x09
#set_separator  ,
#empty_field    (empty)
#unset_field    -
#path   files
#open   2020-06-05-14-48-32
#fields ts      fuid    tx_hosts        rx_hosts        conn_uids       source  depth   analyzers       mime_type       filename        duration        local_orig    is_orig seen_bytes      total_bytes     missing_bytes   overflow_bytes  timedout        parent_fuid     md5     sha1    sha256  extracted       extracted_cutoff      extracted_size
#types  time    string  set[addr]       set[addr]       set[string]     string  count   set[string]     string  string  interval        bool    bool    count   count   count   count   bool    string  string  string  string  string  bool    count
1591367999.604000       FEEsZS1w0Z0VJIb5x4      31.3.245.133    192.168.4.76    CLqEx41jYPOdfHF586      HTTP    0       (empty) text/plain      -       0.000000      -       F       39      39      0       0       F       -       -       -       -       -       -       -
#close  2020-06-05-14-48-32

Next we look at Zeek’s http.log.

zeek@zeek:~/zeek-test/default$ cat http.log
#separator \x09
#set_separator  ,
#empty_field    (empty)
#unset_field    -
#path   http
#open   2020-06-05-14-48-32
#fields ts      uid     id.orig_h       id.orig_p       id.resp_h       id.resp_p       trans_depth     method  host    uri     referrer        version user_agent    origin  request_body_len        response_body_len       status_code     status_msg      info_code       info_msg        tags    username        password      proxied orig_fuids      orig_filenames  orig_mime_types resp_fuids      resp_filenames  resp_mime_types
#types  time    string  addr    port    addr    port    count   string  string  string  string  string  string  string  count   count   count   string  count   string  set[enum]       string  string  set[string]     vector[string]  vector[string]  vector[string]  vector[string]  vector[string]  vector[string]
1591367999.512593       CLqEx41jYPOdfHF586      192.168.4.76    46378   31.3.245.133    80      1       GET     testmyids.com   /       -       1.1     curl/7.47.0   -       0       39      200     OK      -       -       (empty) -       -       -       -       -       -       FEEsZS1w0Z0VJIb5x4      -       text/plain
#close  2020-06-05-14-48-32

Finally, we look at Zeek’s packet_filter.log. This log shows any filters that Zeek applied when processing the trace.

zeek@zeek:~/zeek-test/default$ cat packet_filter.log
#separator \x09
#set_separator  ,
#empty_field    (empty)
#unset_field    -
#path   packet_filter
#open   2020-06-05-14-48-32
#fields ts      node    filter  init    success
#types  time    string  string  bool    bool
1591368512.420771       zeek    ip or not ip    T       T
#close  2020-06-05-14-48-32

As we can see with each log file, there is a set of headers beginning with the hash character (#) followed by metadata about the trace. This format is the standard version of Zeek data, represented as tab separated values (TSV).

Interpreting this data as shown requires remembering which “column” applies to which “value.” For example, in the dns.log, the third field is id.orig_h, so when we see data in that field, such as 192.168.4.76, we know that 192.168.4.76 is id.orig_h.

One of the common use cases for interacting with Zeek log files requires analyzing specific fields. Investigators may not need to see all of the fields produced by Zeek when solving a certain problem. The following sections offer a few ways to address this concern when processing Zeek logs in text format.

Zeek TSV Format and awk

A very traditional way of interacting with Zeek logs involves using native Unix-like text processing tools like awk. Awk requires specifying the fields of interest as positions in the log file. Take a second look at the dns.log entry above, and consider the parameters necessary to view only the source IP address, the query, and the response. These values appear in the 3rd, 10th, and 22nd fields in the Zeek TSV log entries. Therefore, we could invoke awk using the following syntax:

zeek@zeek:~/zeek-test/default$ awk '/^[^#]/ {print $3, $10, $22}' dns.log
192.168.4.76 testmyids.com -
192.168.4.76 testmyids.com 31.3.245.133

Now we have a much more compact view, with just the fields we want. Unfortunately, this requires specifying fields by location. If we were to modify the log output, or if the Zeek project were to change the log output, any scripts we built using awk and field locations would require modification. For this reason, the Zeek project recommends alternatives like the following.

Zeek TSV Format and zeek-cut

The Zeek project provides a tool called zeek-cut to make it easier for analysts to interact with Zeek logs in TSV format. It parses the header in each file and allows the user to refer to the specific columnar data available. This is in contrast to tools like awk that require the user to refer to fields referenced by their position.

Consider the dns.log generated earlier. If we process it with zeek-cut, without any modifications, this is the result:

zeek@zeek:~/zeek-test/default$ cat dns.log | zeek-cut
1591367999.306059       CazOhH2qDUiJTWMCY       192.168.4.76    36844   192.168.4.1     53      udp     8555    -       testmyids.com   1       C_INTERNET   28       AAAA    0       NOERROR F       F       T       F       0       -       -       F
1591367999.305988       CazOhH2qDUiJTWMCY       192.168.4.76    36844   192.168.4.1     53      udp     19671   0.066852        testmyids.com   1       C_INTERNET    1       A       0       NOERROR F       F       T       T       0       31.3.245.133    3600.000000     F

That is the dns.log, minus the header fields shown earlier. Note we have to invoke the cat utility in a pipeline to process files with zeek-cut.

If we pass zeek-cut the fields we wish to see, the output looks like this:

zeek@zeek:~/zeek-test/default$ cat dns.log | zeek-cut id.orig_h query answers
192.168.4.76    testmyids.com   -
192.168.4.76    testmyids.com   31.3.245.133

The sequence of field names given to zeek-cut determines the output order. This means you can also use zeek-cut to reorder fields. For example:

zeek@zeek:~/zeek-test/default$ cat dns.log | zeek-cut query answers id.orig_h
testmyids.com   -               192.168.4.76
testmyids.com   31.3.245.133    192.168.4.76

This feature can be helpful when piping output into programs like sort.

zeek-cut reads its input from standard input, fed here through the cat command and the | operator. Whereas tools like awk accept the log file name as a command-line argument, zeek-cut only takes input through redirection such as | and <.

For example, instead of using cat and the pipe redirector, we could obtain the previous output with this syntax:

zeek@zeek:~/zeek-test/default$ zeek-cut id.orig_h query answers < dns.log
192.168.4.76    testmyids.com   -
192.168.4.76    testmyids.com   31.3.245.133

Note that in its default setup using ZeekControl (but not with a simple command-line invocation like zeek -i eth0), watching a live interface and writing logs to disk, Zeek will rotate log files on an hourly basis. Zeek will move the current log file into a directory named using the format YYYY-MM-DD. Zeek will use gzip to compress the file with a naming convention that includes the log file type and time range of the file.

When processing a compressed log file, use the zcat tool instead of cat to read the file. Consider working with the gzip-compressed file created in the following example. For demonstration purposes, we create a copy of the dns.log file as dns1.log, gzip it, and then read it with zcat instead of cat.

so16@so16:~/zeek-test/default$ cp dns.log dns1.log
so16@so16:~/zeek-test/default$ gzip dns1.log
so16@so16:~/zeek-test/default$ zcat dns1.log.gz
#separator \x09
#set_separator  ,
#empty_field    (empty)
#unset_field    -
#path   dns
#open   2020-06-05-14-48-32
#fields ts      uid     id.orig_h       id.orig_p       id.resp_h       id.resp_p       proto   trans_id        rtt     query   qclass  qclass_name     qtype   qtype_name      rcode   rcode_name      AA      TC      RD      RA      Z       answers TTLs    rejected
#types  time    string  addr    port    addr    port    enum    count   interval        string  count   string  count   string  count   string  bool    bool bool     bool    count   vector[string]  vector[interval]        bool
1591367999.306059       CazOhH2qDUiJTWMCY       192.168.4.76    36844   192.168.4.1     53      udp     8555    -       testmyids.com   1       C_INTERNET   28       AAAA    0       NOERROR F       F       T       F       0       -       -       F
1591367999.305988       CazOhH2qDUiJTWMCY       192.168.4.76    36844   192.168.4.1     53      udp     19671   0.066852        testmyids.com   1       C_INTERNET    1       A       0       NOERROR F       F       T       T       0       31.3.245.133    3600.000000     F
#close  2020-06-05-14-48-32

zeek-cut accepts the flag -d to convert the epoch time values in the log files to human-readable format. For example, observe the default timestamp value:

zeek@zeek:~/zeek-test/default$ zcat dns1.log.gz | zeek-cut ts id.orig_h query answers
1591367999.306059       192.168.4.76    testmyids.com   -
1591367999.305988       192.168.4.76    testmyids.com   31.3.245.133

Now see the effect of using the -d flag:

zeek@zeek:~/zeek-test/default$ cat dns.log | zeek-cut -d ts id.orig_h query answers
2020-06-05T14:39:59+0000        192.168.4.76    testmyids.com   -
2020-06-05T14:39:59+0000        192.168.4.76    testmyids.com   31.3.245.133

Converting the timestamp from a log file to UTC can be accomplished with the -u option.

The default time format when using -d or -u is the strftime format string %Y-%m-%dT%H:%M:%S%z, which results in a string with year, month, and day of month, followed by hours, minutes, seconds, and the timezone offset.

The default format can be altered by using the -D and -U flags, using the standard strftime syntax. For example, to format the timestamp in the US-typical “Middle Endian” you could use a format string of: %d-%m-%YT%H:%M:%S%z

zeek@zeek:~/zeek-test/default$ cat dns.log | zeek-cut -D %d-%m-%YT%H:%M:%S%z ts id.orig_h query answers
05-06-2020T14:39:59+0000        192.168.4.76    testmyids.com   -
05-06-2020T14:39:59+0000        192.168.4.76    testmyids.com   31.3.245.133
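The point of zeek-cut over awk is that it reads the #separator, #unset_field, #empty_field, #fields and #types headers and lets you name columns instead of counting them. The following added example (not Zeek's own code, and not a replacement for zeek-cut) does the same in Python: it parses a TSV log into dicts keyed by field name, turns unset fields into None and set/vector fields into lists, and offers a zeek-cut-style column selector with the -d/-D timestamp conversion described above. The dns.log fragment is constructed from the output shown earlier, with real tabs where the rendering above shows runs of spaces; the example renders -d timestamps in UTC, which is an assumption about the desired zone rather than zeek-cut's documented local-time default.

```python
import datetime as dt

# Constructed dns.log fragment laid out as Zeek's ASCII writer emits it
# (tab-separated; "#separator \x09" names the tab before any tab is used).
SAMPLE_DNS_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tdns",
    "#open\t2020-06-05-14-48-32",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\ttrans_id\trtt\tquery"
    "\tqclass\tqclass_name\tqtype\tqtype_name\trcode\trcode_name\tAA\tTC\tRD\tRA\tZ\tanswers\tTTLs\trejected",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tcount\tinterval\tstring"
    "\tcount\tstring\tcount\tstring\tcount\tstring\tbool\tbool\tbool\tbool\tcount\tvector[string]\tvector[interval]\tbool",
    "1591367999.306059\tCazOhH2qDUiJTWMCY\t192.168.4.76\t36844\t192.168.4.1\t53\tudp\t8555\t-\ttestmyids.com"
    "\t1\tC_INTERNET\t28\tAAAA\t0\tNOERROR\tF\tF\tT\tF\t0\t-\t-\tF",
    "1591367999.305988\tCazOhH2qDUiJTWMCY\t192.168.4.76\t36844\t192.168.4.1\t53\tudp\t19671\t0.066852\ttestmyids.com"
    "\t1\tC_INTERNET\t1\tA\t0\tNOERROR\tF\tF\tT\tT\t0\t31.3.245.133\t3600.000000\tF",
    "#close\t2020-06-05-14-48-32",
]) + "\n"


def parse_zeek_tsv(text):
    """Parse a Zeek TSV log into (fields, types, rows).

    Each row is a dict keyed by field name: unset fields become None, empty
    fields become "" (or [] for set/vector types), set/vector fields become
    lists split on the #set_separator. A row with the wrong column count
    raises, so a truncated or hand-edited log is noticed instead of misread.
    """
    sep, set_sep, empty, unset = "\t", ",", "(empty)", "-"
    fields, types, rows = [], [], []
    for line in text.splitlines():
        if line.startswith("#separator "):
            # The value is an escape sequence such as \x09; decode it to the real character.
            sep = bytes(line.split(" ", 1)[1], "ascii").decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, _, rest = line[1:].partition(sep)
            if key == "set_separator":
                set_sep = rest
            elif key == "empty_field":
                empty = rest
            elif key == "unset_field":
                unset = rest
            elif key == "fields":
                fields = rest.split(sep)
            elif key == "types":
                types = rest.split(sep)
            continue
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line[:40]}")
        row = {}
        for name, typ, raw in zip(fields, types, values):
            is_container = typ.startswith(("set[", "vector["))
            if raw == unset:
                row[name] = None
            elif raw == empty:
                row[name] = [] if is_container else ""
            elif is_container:
                row[name] = raw.split(set_sep)
            else:
                row[name] = raw
        rows.append(row)
    return fields, types, rows


def zeek_cut(text, *names, date=False, fmt="%Y-%m-%dT%H:%M:%S%z"):
    """Select columns by name in the order given, like zeek-cut.

    date=True mimics -d: columns of type 'time' are rendered with fmt
    (-D lets you change fmt). Unset values print as '-' and containers
    are re-joined with ',' so the output matches zeek-cut's.
    """
    fields, types, rows = parse_zeek_tsv(text)
    unknown = [n for n in names if n not in fields]
    if unknown:
        raise KeyError(f"unknown field(s): {unknown}")
    type_of = dict(zip(fields, types))
    out = []
    for row in rows:
        cells = []
        for n in names:
            v = row[n]
            if v is None:
                cells.append("-")
            elif isinstance(v, list):
                cells.append(",".join(v) if v else "(empty)")
            elif date and type_of[n] == "time":
                cells.append(dt.datetime.fromtimestamp(float(v), dt.timezone.utc).strftime(fmt))
            else:
                cells.append(v)
        out.append("\t".join(cells))
    return out


if __name__ == "__main__":
    print("\n".join(zeek_cut(SAMPLE_DNS_LOG, "ts", "id.orig_h", "query", "answers", date=True)))
```

Because columns are looked up by the names in the #fields header, a script built on this keeps working when a log's column order changes, which is exactly the fragility the awk approach above suffers from.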

Using awk and zeek-cut has been the traditional way of interacting with Zeek logs. In the next section we will look at the possibilities once we enable an alternative output format.

Zeek JSON Format Logs

During the last decade, the JavaScript Object Notation (JSON) format has become a standard way to label and store many types of data. Zeek offers support for this format. In the following example we will re-run the tm1t.pcap trace through Zeek, but request that it output logs in JSON format.

First we change into the json directory to avoid overwriting our existing log files.

zeek@zeek:~/zeek-test/default$ cd ../json/

Next we tell Zeek to output logs in JSON format using the command as shown.

zeek@zeek:~/zeek-test/json$ zeek -C -r ../tm1t.pcap LogAscii::use_json=T

When we look at the directory contents, we see the same five output files.

zeek@zeek:~/zeek-test/json$ ls -al
total 28
drwxrwxr-x 2 zeek zeek 4096 Jun  5 14:47 .
drwxrwxr-x 4 zeek zeek 4096 Jun  5 14:43 ..
-rw-rw-r-- 1 zeek zeek  708 Jun  5 14:47 conn.log
-rw-rw-r-- 1 zeek zeek  785 Jun  5 14:47 dns.log
-rw-rw-r-- 1 zeek zeek  325 Jun  5 14:47 files.log
-rw-rw-r-- 1 zeek zeek  405 Jun  5 14:47 http.log
-rw-rw-r-- 1 zeek zeek   90 Jun  5 14:47 packet_filter.log

However, if we look at the file contents, the format is much different.

First we look at packet_filter.log.

zeek@zeek:~/zeek-test/json$ cat packet_filter.log
{"ts":1591368442.854585,"node":"zeek","filter":"ip or not ip","init":true,"success":true}
zeek@zeek:~/zeek-test/json$ cat conn.log
{"ts":1591367999.305988,"uid":"CMdzit1AMNsmfAIiQc","id.orig_h":"192.168.4.76","id.orig_p":36844,"id.resp_h":"192.168.4.1","id.resp_p":53,"proto":"udp","service":"dns","duration":0.06685185432434082,"orig_bytes":62,"resp_bytes":141,"conn_state":"SF","missed_bytes":0,"history":"Dd","orig_pkts":2,"orig_ip_bytes":118,"resp_pkts":2,"resp_ip_bytes":197}
{"ts":1591367999.430166,"uid":"C5bLoe2Mvxqhawzqqd","id.orig_h":"192.168.4.76","id.orig_p":46378,"id.resp_h":"31.3.245.133","id.resp_p":80,"proto":"tcp","service":"http","duration":0.25411510467529297,"orig_bytes":77,"resp_bytes":295,"conn_state":"SF","missed_bytes":0,"history":"ShADadFf","orig_pkts":6,"orig_ip_bytes":397,"resp_pkts":4,"resp_ip_bytes":511}

Next we look at dns.log.

zeek@zeek:~/zeek-test/json$ cat dns.log
{"ts":1591367999.306059,"uid":"CMdzit1AMNsmfAIiQc","id.orig_h":"192.168.4.76","id.orig_p":36844,"id.resp_h":"192.168.4.1","id.resp_p":53,"proto":"udp","trans_id":8555,"query":"testmyids.com","qclass":1,"qclass_name":"C_INTERNET","qtype":28,"qtype_name":"AAAA","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":false,"Z":0,"rejected":false}
{"ts":1591367999.305988,"uid":"CMdzit1AMNsmfAIiQc","id.orig_h":"192.168.4.76","id.orig_p":36844,"id.resp_h":"192.168.4.1","id.resp_p":53,"proto":"udp","trans_id":19671,"rtt":0.06685185432434082,"query":"testmyids.com","qclass":1,"qclass_name":"C_INTERNET","qtype":1,"qtype_name":"A","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":true,"Z":0,"answers":["31.3.245.133"],"TTLs":[3600.0],"rejected":false}

Next we look at files.log.

zeek@zeek:~/zeek-test/json$ cat files.log
{"ts":1591367999.604,"fuid":"FEEsZS1w0Z0VJIb5x4","tx_hosts":["31.3.245.133"],"rx_hosts":["192.168.4.76"],"conn_uids":["C5bLoe2Mvxqhawzqqd"],"source":"HTTP","depth":0,"analyzers":[],"mime_type":"text/plain","duration":0.0,"is_orig":false,"seen_bytes":39,"total_bytes":39,"missing_bytes":0,"overflow_bytes":0,"timedout":false}

Next we look at the http.log.

zeek@zeek:~/zeek-test/json$ cat http.log
{"ts":1591367999.512593,"uid":"C5bLoe2Mvxqhawzqqd","id.orig_h":"192.168.4.76","id.orig_p":46378,"id.resp_h":"31.3.245.133","id.resp_p":80,"trans_depth":1,"method":"GET","host":"testmyids.com","uri":"/","version":"1.1","user_agent":"curl/7.47.0","request_body_len":0,"response_body_len":39,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["FEEsZS1w0Z0VJIb5x4"],"resp_mime_types":["text/plain"]}

Comparing the two log styles, we see strengths and weaknesses for each. For example, the TSV format shows the Zeek types associated with each entry, such as string, addr, port, and so on. The JSON format does not include that data. However, the JSON format associates each field “key” with a “value,” such as "id.orig_p":46378. While this necessarily increases the amount of disk space used to store the raw logs, it makes it easier for analysts and software to interpret the data, as the key is directly associated with the value that follows. For this reason, most developers and analysts have adopted the JSON output format for Zeek logs. That is the format we will use for the log analysis sections of the documentation.
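The practical payoff of the key/value form is that the uid that conn.log, dns.log and http.log share, and the conn_uids field that files.log carries, let software stitch the separate logs back into one view of a connection without knowing any column positions. The following added example (not Zeek's own tooling) reads the JSON logs as one object per line, groups dns and http records under their conn uid, attaches files.log entries via conn_uids, and prints a one-line summary per connection. The log lines are constructed from the output shown above; the summary format is this example's own choice.

```python
import json
from collections import defaultdict

# Constructed JSON log lines modelled on the conn.log, dns.log, http.log and
# files.log output above (one JSON object per line, as LogAscii::use_json=T writes them).
SAMPLE_LOGS = {
    "conn": [
        '{"ts":1591367999.305988,"uid":"CMdzit1AMNsmfAIiQc","id.orig_h":"192.168.4.76","id.orig_p":36844,"id.resp_h":"192.168.4.1","id.resp_p":53,"proto":"udp","service":"dns","duration":0.06685185432434082,"orig_bytes":62,"resp_bytes":141,"conn_state":"SF","missed_bytes":0,"history":"Dd","orig_pkts":2,"orig_ip_bytes":118,"resp_pkts":2,"resp_ip_bytes":197}',
        '{"ts":1591367999.430166,"uid":"C5bLoe2Mvxqhawzqqd","id.orig_h":"192.168.4.76","id.orig_p":46378,"id.resp_h":"31.3.245.133","id.resp_p":80,"proto":"tcp","service":"http","duration":0.25411510467529297,"orig_bytes":77,"resp_bytes":295,"conn_state":"SF","missed_bytes":0,"history":"ShADadFf","orig_pkts":6,"orig_ip_bytes":397,"resp_pkts":4,"resp_ip_bytes":511}',
    ],
    "dns": [
        '{"ts":1591367999.306059,"uid":"CMdzit1AMNsmfAIiQc","id.orig_h":"192.168.4.76","id.orig_p":36844,"id.resp_h":"192.168.4.1","id.resp_p":53,"proto":"udp","trans_id":8555,"query":"testmyids.com","qclass":1,"qclass_name":"C_INTERNET","qtype":28,"qtype_name":"AAAA","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":false,"Z":0,"rejected":false}',
        '{"ts":1591367999.305988,"uid":"CMdzit1AMNsmfAIiQc","id.orig_h":"192.168.4.76","id.orig_p":36844,"id.resp_h":"192.168.4.1","id.resp_p":53,"proto":"udp","trans_id":19671,"rtt":0.06685185432434082,"query":"testmyids.com","qclass":1,"qclass_name":"C_INTERNET","qtype":1,"qtype_name":"A","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":true,"Z":0,"answers":["31.3.245.133"],"TTLs":[3600.0],"rejected":false}',
    ],
    "http": [
        '{"ts":1591367999.512593,"uid":"C5bLoe2Mvxqhawzqqd","id.orig_h":"192.168.4.76","id.orig_p":46378,"id.resp_h":"31.3.245.133","id.resp_p":80,"trans_depth":1,"method":"GET","host":"testmyids.com","uri":"/","version":"1.1","user_agent":"curl/7.47.0","request_body_len":0,"response_body_len":39,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["FEEsZS1w0Z0VJIb5x4"],"resp_mime_types":["text/plain"]}',
    ],
    "files": [
        '{"ts":1591367999.604,"fuid":"FEEsZS1w0Z0VJIb5x4","tx_hosts":["31.3.245.133"],"rx_hosts":["192.168.4.76"],"conn_uids":["C5bLoe2Mvxqhawzqqd"],"source":"HTTP","depth":0,"analyzers":[],"mime_type":"text/plain","duration":0.0,"is_orig":false,"seen_bytes":39,"total_bytes":39,"missing_bytes":0,"overflow_bytes":0,"timedout":false}',
    ],
}


def load_json_log(lines):
    """Parse one JSON object per line. Blank lines are skipped; a malformed
    line raises with its line number so a truncated log is noticed."""
    records = []
    for lineno, line in enumerate(lines, 1):
        if not line.strip():
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
    return records


def correlate_by_uid(logs):
    """Group dns/http records under their conn uid; files.log entries are
    attached through their conn_uids list rather than a uid field."""
    by_uid = defaultdict(lambda: {"conn": None, "dns": [], "http": [], "files": []})
    for rec in load_json_log(logs.get("conn", [])):
        by_uid[rec["uid"]]["conn"] = rec
    for name in ("dns", "http"):
        for rec in load_json_log(logs.get(name, [])):
            by_uid[rec["uid"]][name].append(rec)
    for rec in load_json_log(logs.get("files", [])):
        for uid in rec.get("conn_uids", []):
            by_uid[uid]["files"].append(rec)
    return dict(by_uid)


def summarize(by_uid):
    """One line per connection, ordered by the connection's start time."""
    lines = []
    ordered = sorted(by_uid.items(), key=lambda kv: kv[1]["conn"]["ts"] if kv[1]["conn"] else 0.0)
    for uid, g in ordered:
        c = g["conn"]
        if c is None:
            lines.append(f"{uid} (no conn.log entry)")
            continue
        head = f"{uid} {c['id.orig_h']} -> {c['id.resp_h']}:{c['id.resp_p']} {c.get('service', '-')}"
        details = []
        for d in g["dns"]:
            details.append(f"dns {d['qtype_name']} {d['query']} -> {','.join(d.get('answers', [])) or '-'}")
        for h in g["http"]:
            details.append(f"http {h['method']} {h.get('host', '')}{h.get('uri', '')} -> {h.get('status_code', '-')}")
        for f in g["files"]:
            details.append(f"file {f['fuid']} {f.get('mime_type', '-')} {f.get('seen_bytes', 0)}B")
        lines.append(head + (": " + "; ".join(details) if details else ""))
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(correlate_by_uid(SAMPLE_LOGS))))
```

Two things to notice when doing this with other tools: field names such as id.orig_h contain a dot, so in jq they must be quoted (."id.orig_h"), and optional fields (rtt, answers, TTLs) are simply absent from a JSON record rather than written as “-”, which is why the code uses .get() with defaults.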

Zeek JSON Format and jq

Analysts sometimes choose to inspect JSON-formatted Zeek files using applications that recognize JSON format, such as jq, which is a JSON parser by Stephen Dolan, available on GitHub (https://stedolan.github.io/jq/). It may already be installed on your Unix-like system.

In the following example we process the dns.log file with the . filter, which tells jq to simply output what it finds in the file. By default jq outputs JSON formatted data in its “pretty-print” style, which puts one key:value pair on each line as shown.

so16@so16:~/zeek-test/json$ jq . dns.log
{
  "ts": 1591367999.306059,
  "uid": "CMdzit1AMNsmfAIiQc",
  "id.orig_h": "192.168.4.76",
  "id.orig_p": 36844,
  "id.resp_h": "192.168.4.1",
  "id.resp_p": 53,
  "proto": "udp",
  "trans_id": 8555,
  "query": "testmyids.com",
  "qclass": 1,
  "qclass_name": "C_INTERNET",
  "qtype": 28,
  "qtype_name": "AAAA",
  "rcode": 0,
  "rcode_name": "NOERROR",
  "AA": false,
  "TC": false,
  "RD": true,
  "RA": false,
  "Z": 0,
  "rejected": false
}
{
  "ts": 1591367999.305988,
  "uid": "CMdzit1AMNsmfAIiQc",
  "id.orig_h": "192.168.4.76",
  "id.orig_p": 36844,
  "id.resp_h": "192.168.4.1",
  "id.resp_p": 53,
  "proto": "udp",
  "trans_id": 19671,
  "rtt": 0.06685185432434082,
  "query": "testmyids.com",
  "qclass": 1,
  "qclass_name": "C_INTERNET",
  "qtype": 1,
  "qtype_name": "A",
  "rcode": 0,
  "rcode_name": "NOERROR",
  "AA": false,
  "TC": false,
  "RD": true,
  "RA": true,
  "Z": 0,
  "answers": [
    "31.3.245.133"
  ],
  "TTLs": [
    3600
  ],
  "rejected": false
}

We can tell jq to output what it sees in “compact” format using the -c switch.

so16@so16:~/zeek-test/json$ jq . -c dns.log
{"ts":1591367999.306059,"uid":"CMdzit1AMNsmfAIiQc","id.orig_h":"192.168.4.76","id.orig_p":36844,"id.resp_h":"192.168.4.1","id.resp_p":53,"proto":"udp","trans_id":8555,"query":"testmyids.com","qclass":1,"qclass_name":"C_INTERNET","qtype":28,"qtype_name":"AAAA","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":false,"Z":0,"rejected":false}
{"ts":1591367999.305988,"uid":"CMdzit1AMNsmfAIiQc","id.orig_h":"192.168.4.76","id.orig_p":36844,"id.resp_h":"192.168.4.1","id.resp_p":53,"proto":"udp","trans_id":19671,"rtt":0.06685185432434082,"query":"testmyids.com","qclass":1,"qclass_name":"C_INTERNET","qtype":1,"qtype_name":"A","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":true,"Z":0,"answers":["31.3.245.133"],"TTLs":[3600],"rejected":false}

The power of jq becomes evident when we decide we only want to see specific values. For example, the following tells jq to look at the dns.log and report the source IP of systems doing DNS queries, followed by the query, and any answer to the query.

so16@so16:~/zeek-test/json$ jq -c '[."id.orig_h", ."query", ."answers"]' dns.log
["192.168.4.76","testmyids.com",null]
["192.168.4.76","testmyids.com",["31.3.245.133"]]

For a more comprehensive description of the capabilities of jq, see the jq manual.

With this basic understanding of how to interact with Zeek logs, we can now turn to specific logs and interpret their values.

Conclusion

This section showed a sample of the sorts of logs that Zeek generates when processing a simple network trace. It explained the differences between logs in the traditional TSV format and the newer JSON format. It also demonstrated the use of a few simple command line tools to inspect Zeek logs in both formats.

Zeek Logs

conn.log

The connection log, or conn.log, is one of the most important logs Zeek creates. It may seem like the idea of a “connection” is most closely associated with stateful protocols like Transmission Control Protocol (TCP), unlike stateless protocols like User Datagram Protocol (UDP). Zeek’s conn.log, however, tracks both sorts of protocols. This section of the manual will explain key elements of the conn.log.

The Zeek script reference, derived from the Zeek code, completely explains the meaning of each field in the conn.log (and other logs). It would be duplicative to manually recreate that information in another format here. Therefore, this entry seeks to show how an analyst would make use of the information in the conn.log. Those interested in getting details on every element of the conn.log should reference Conn::Info. For additional explanation, including Zeek’s notions of originator and responder, see The Connection Record Data Type.

Throughout the sections that follow, we will inspect Zeek logs in JSON format.

Inspecting the conn.log

To inspect the conn.log, we will use the same techniques we learned in the last section of the manual. First, we have a JSON-formatted log file, either collected by Zeek watching a live interface, or by Zeek processing stored traffic. We use the jq utility to review the contents.

zeek@zeek:~zeek-test/json$ jq . -c conn.log
{"ts":1591367999.305988,"uid":"CMdzit1AMNsmfAIiQc","id.orig_h":"192.168.4.76","id.orig_p":36844,"id.resp_h":"192.168.4.1","id.resp_p":53,"proto":"udp","service":"dns","duration":0.06685185432434082,"orig_bytes":62,"resp_bytes":141,"conn_state":"SF","missed_bytes":0,"history":"Dd","orig_pkts":2,"orig_ip_bytes":118,"resp_pkts":2,"resp_ip_bytes":197}

{"ts":1591367999.430166,"uid":"C5bLoe2Mvxqhawzqqd","id.orig_h":"192.168.4.76","id.orig_p":46378,"id.resp_h":"31.3.245.133","id.resp_p":80,"proto":"tcp","service":"http","duration":0.25411510467529297,"orig_bytes":77,"resp_bytes":295,"conn_state":"SF","missed_bytes":0,"history":"ShADadFf","orig_pkts":6,"orig_ip_bytes":397,"resp_pkts":4,"resp_ip_bytes":511}

Alternatively, we could see each field printed on its own line:

zeek@zeek:~zeek-test/json$ jq . conn.log
{
  "ts": 1591367999.305988,
  "uid": "CMdzit1AMNsmfAIiQc",
  "id.orig_h": "192.168.4.76",
  "id.orig_p": 36844,
  "id.resp_h": "192.168.4.1",
  "id.resp_p": 53,
  "proto": "udp",
  "service": "dns",
  "duration": 0.06685185432434082,
  "orig_bytes": 62,
  "resp_bytes": 141,
  "conn_state": "SF",
  "missed_bytes": 0,
  "history": "Dd",
  "orig_pkts": 2,
  "orig_ip_bytes": 118,
  "resp_pkts": 2,
  "resp_ip_bytes": 197
}
{
  "ts": 1591367999.430166,
  "uid": "C5bLoe2Mvxqhawzqqd",
  "id.orig_h": "192.168.4.76",
  "id.orig_p": 46378,
  "id.resp_h": "31.3.245.133",
  "id.resp_p": 80,
  "proto": "tcp",
  "service": "http",
  "duration": 0.25411510467529297,
  "orig_bytes": 77,
  "resp_bytes": 295,
  "conn_state": "SF",
  "missed_bytes": 0,
  "history": "ShADadFf",
  "orig_pkts": 6,
  "orig_ip_bytes": 397,
  "resp_pkts": 4,
  "resp_ip_bytes": 511
}

What an analyst derives from any log is a function of the questions that he or she is trying to ask of it. The conn.log primarily captures so-called “layer 3” and “layer 4” elements of network activity. This is essentially who is talking to whom, when, for how long, and with what protocol.

Understanding the Second conn.log Entry

Let’s use this framework to parse the two log entries. We will start with the second entry; I will explain why shortly. For reference, that entry is the following:

{
  "ts": 1591367999.430166,
  "uid": "C5bLoe2Mvxqhawzqqd",
  "id.orig_h": "192.168.4.76",
  "id.orig_p": 46378,
  "id.resp_h": "31.3.245.133",
  "id.resp_p": 80,
  "proto": "tcp",
  "service": "http",
  "duration": 0.25411510467529297,
  "orig_bytes": 77,
  "resp_bytes": 295,
  "conn_state": "SF",
  "missed_bytes": 0,
  "history": "ShADadFf",
  "orig_pkts": 6,
  "orig_ip_bytes": 397,
  "resp_pkts": 4,
  "resp_ip_bytes": 511
}

For the second log entry, 192.168.4.76 talked to 31.3.245.133.

The log timestamp, indicated by the ts field, is 1591367999.430166, which translates as shown below, courtesy of the Unix date command:

zeek@zeek:~zeek-test/json$ date -d @"1591367999.430166"
Fri Jun  5 14:39:59 UTC 2020

The two systems’ conversation only lasted 0.25411510467529297 seconds. (The operating system provides this value.)

They spoke the HyperText Transfer Protocol (HTTP), identified by Zeek as HTTP over TCP using TCP port 80 listening on 31.3.245.133.

If we wanted to move beyond who talked with whom, when, for how long, and with what protocol, the second conn.log entry offers a few more items of interest. For example, we know that 192.168.4.76 sent 77 bytes of data in its application layer payload, and 397 bytes in its IP layer payload.

We can verify that 77-byte figure by decoding the HTTP traffic sent from 192.168.4.76 during this session. We use tshark, the command line version of Wireshark, to do so.

zeek@zeek:~zeek-test/json$ tshark -V -r ../../tmi1.pcap http and ip.src==192.168.4.76
Frame 21: 143 bytes on wire (1144 bits), 143 bytes captured (1144 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Jun  5, 2020 14:39:59.512593000 UTC
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1591367999.512593000 seconds
    [Time delta from previous captured frame: 0.000309000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 17.461008000 seconds]
    Frame Number: 21
    Frame Length: 143 bytes (1144 bits)
    Capture Length: 143 bytes (1144 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp:http]
Ethernet II, Src: 08:00:27:97:99:0d, Dst: fc:ec:da:49:e0:10
    Destination: fc:ec:da:49:e0:10
        Address: fc:ec:da:49:e0:10
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: 08:00:27:97:99:0d
        Address: 08:00:27:97:99:0d
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.4.76, Dst: 31.3.245.133
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 129
    Identification: 0xfdf1 (65009)
    Flags: 0x4000, Don't fragment
        0... .... .... .... = Reserved bit: Not set
        .1.. .... .... .... = Don't fragment: Set
        ..0. .... .... .... = More fragments: Not set
        ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 64
    Protocol: TCP (6)
    Header checksum: 0x6308 [validation disabled]
    [Header checksum status: Unverified]
    Source: 192.168.4.76
    Destination: 31.3.245.133
Transmission Control Protocol, Src Port: 46378, Dst Port: 80, Seq: 1, Ack: 1, Len: 77
    Source Port: 46378
    Destination Port: 80
    [Stream index: 0]
    [TCP Segment Len: 77]
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 78    (relative sequence number)]
    Acknowledgment number: 1    (relative ack number)
    1000 .... = Header Length: 32 bytes (8)
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ·······AP···]
    Window size value: 32
    [Calculated window size: 65536]
    [Window size scaling factor: 2048]
    Checksum: 0xd9f0 [unverified]
    [Checksum Status: Unverified]
    Urgent pointer: 0
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
        TCP Option - No-Operation (NOP)
            Kind: No-Operation (1)
        TCP Option - No-Operation (NOP)
            Kind: No-Operation (1)
        TCP Option - Timestamps: TSval 3137978878, TSecr 346747623
            Kind: Time Stamp Option (8)
            Length: 10
            Timestamp value: 3137978878
            Timestamp echo reply: 346747623
    [SEQ/ACK analysis]
        [iRTT: 0.082118000 seconds]
        [Bytes in flight: 77]
        [Bytes sent since last PSH flag: 77]
    [Timestamps]
        [Time since first frame in this TCP stream: 0.082427000 seconds]
        [Time since previous frame in this TCP stream: 0.000309000 seconds]
    TCP payload (77 bytes)
Hypertext Transfer Protocol
    GET / HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): GET / HTTP/1.1\r\n]
            [GET / HTTP/1.1\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Method: GET
        Request URI: /
        Request Version: HTTP/1.1
    Host: testmyids.com\r\n
    User-Agent: curl/7.47.0\r\n
    Accept: */*\r\n
    \r\n
    [Full request URI: http://testmyids.com/]
    [HTTP request 1/1]

In the output above, tshark reports 77 bytes of data carried by TCP from 192.168.4.76 (see the TCP Segment Len and TCP payload lines). The Hypertext Transfer Protocol section shows what that data was, beginning with a GET request.

Another way to look at this TCP segment is to dump the hex contents using a different tshark option, as shown below.

zeek@zeek:~zeek-test/json$ tshark -x -r ../../tmi1.pcap http and ip.src==192.168.4.76
0000  fc ec da 49 e0 10 08 00 27 97 99 0d 08 00 45 00   ...I....'.....E.
0010  00 81 fd f1 40 00 40 06 63 08 c0 a8 04 4c 1f 03   ....@.@.c....L..
0020  f5 85 b5 2a 00 50 dd e8 f3 47 b2 71 7e 69 80 18   ...*.P...G.q~i..
0030  00 20 d9 f0 00 00 01 01 08 0a bb 09 c1 fe 14 aa   . ..............
0040  f2 e7 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31   ..GET / HTTP/1.1
0050  0d 0a 48 6f 73 74 3a 20 74 65 73 74 6d 79 69 64   ..Host: testmyid
0060  73 2e 63 6f 6d 0d 0a 55 73 65 72 2d 41 67 65 6e   s.com..User-Agen
0070  74 3a 20 63 75 72 6c 2f 37 2e 34 37 2e 30 0d 0a   t: curl/7.47.0..
0080  41 63 63 65 70 74 3a 20 2a 2f 2a 0d 0a 0d 0a      Accept: */*....

The hexadecimal values appear on the left, and the ASCII decode appears on the right. If you count the hex values of the TCP payload, which begins with 47 45 54 (GET) at offset 0x42 and runs to the end of the dump, you will find 77 of them, hence the 77 bytes of application layer data carried by TCP.

The connection state field, conn_state, showed that the connection terminated normally, as depicted by the SF entry. This means that, for this TCP session, both sides adopted a “graceful close” mechanism. If you remember this trace from the last chapter, you’ll remember seeing that it opened with a TCP three-way handshake (SYN - SYN ACK - ACK) and terminated with a graceful close (FIN ACK - FIN ACK - ACK).

Finally, the history field contains the string ShADadFf. Remember that capitalized letters indicate an action by the connection originator. Lowercase letters indicate an action by the responder. This means that ShADadFf translates to the following:

S - The originator sent a SYN segment.
h - The responder sent a SYN ACK segment.
A - The originator sent an ACK segment.
D - The originator sent at least one segment with payload data. In this case, that was HTTP over TCP.
a - The responder replied with an ACK segment.
d - The responder replied with at least one segment with payload data.
F - The originator sent a FIN ACK segment.
f - The responder replied with a FIN ACK segment.

This log entry demonstrates how Zeek is able to pack so much information into a compact representation.
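The following added Python example (not Zeek project code) makes the history decoding above mechanical: it expands a conn.log history string using the letter meanings listed in this section and derives the handshake, data and close facts from it. The first two sample entries are the conn.log entries shown in this chapter; the third is a constructed half-open TCP attempt (history S only, conn_state S0) so the checks can be seen failing.

```python
import json

# History letters as explained in this section: an upper-case letter is an
# action by the originator, the lower-case letter the same action by the
# responder. Only the letters the chapter walks through are mapped; any other
# letter is reported as an unmapped flag rather than silently dropped.
HISTORY_MEANINGS = {
    "s": "a SYN segment",
    "h": "a SYN ACK segment",
    "a": "an ACK segment",
    "d": "at least one segment with payload data",
    "f": "a FIN ACK segment",
}

# The two conn.log entries from this chapter (trimmed to the fields used here),
# plus a constructed third entry: a SYN that never received a reply.
SAMPLE_CONN_LINES = [
    '{"ts":1591367999.305988,"uid":"CMdzit1AMNsmfAIiQc","id.orig_h":"192.168.4.76","id.orig_p":36844,"id.resp_h":"192.168.4.1","id.resp_p":53,"proto":"udp","service":"dns","conn_state":"SF","history":"Dd"}',
    '{"ts":1591367999.430166,"uid":"C5bLoe2Mvxqhawzqqd","id.orig_h":"192.168.4.76","id.orig_p":46378,"id.resp_h":"31.3.245.133","id.resp_p":80,"proto":"tcp","service":"http","conn_state":"SF","history":"ShADadFf"}',
    '{"ts":1591368000.0,"uid":"CONSTRUCTED0000001","id.orig_h":"192.168.4.76","id.orig_p":50000,"id.resp_h":"192.168.4.200","id.resp_p":8080,"proto":"tcp","conn_state":"S0","history":"S"}',
]


def decode_history(history):
    """Expand a conn.log history string into one sentence per letter."""
    events = []
    for letter in history:
        party = "originator" if letter.isupper() else "responder"
        meaning = HISTORY_MEANINGS.get(letter.lower())
        if meaning is None:
            events.append(f"{party}: unmapped history flag {letter!r}")
        else:
            events.append(f"{party} sent {meaning}")
    return events


def _in_order(history, letters):
    """True if every letter in `letters` occurs in `history`, in that order."""
    pos = 0
    for letter in letters:
        pos = history.find(letter, pos)
        if pos < 0:
            return False
        pos += 1
    return True


def summarize_conn(entry):
    """Derive the facts an analyst reads off history and conn_state."""
    history = entry.get("history", "")
    tcp = entry["proto"] == "tcp"
    return {
        "uid": entry["uid"],
        "proto": entry["proto"],
        "conn_state": entry["conn_state"],
        # A three-way handshake only makes sense for TCP: S, then h, then A.
        "handshake": _in_order(history, "ShA") if tcp else None,
        # Payload in both directions (the UDP DNS entry has just "Dd").
        "data_both_ways": "D" in history and "d" in history,
        # Graceful close means both sides sent FIN ACK, whichever went first.
        "graceful_close": ("F" in history and "f" in history) if tcp else None,
    }


def summarize_samples():
    """Run summarize_conn over the sample lines (used by the demo and tests)."""
    return [summarize_conn(json.loads(line)) for line in SAMPLE_CONN_LINES]


if __name__ == "__main__":
    for line in SAMPLE_CONN_LINES:
        entry = json.loads(line)
        print(entry["uid"], entry["history"], "->", summarize_conn(entry))
        for event in decode_history(entry["history"]):
            print("   ", event)
```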

Understanding the First conn.log Entry

Now let’s turn to the first conn.log entry, reproduced below for easy reference.

{
  "ts": 1591367999.305988,
  "uid": "CMdzit1AMNsmfAIiQc",
  "id.orig_h": "192.168.4.76",
  "id.orig_p": 36844,
  "id.resp_h": "192.168.4.1",
  "id.resp_p": 53,
  "proto": "udp",
  "service": "dns",
  "duration": 0.06685185432434082,
  "orig_bytes": 62,
  "resp_bytes": 141,
  "conn_state": "SF",
  "missed_bytes": 0,
  "history": "Dd",
  "orig_pkts": 2,
  "orig_ip_bytes": 118,
  "resp_pkts": 2,
  "resp_ip_bytes": 197
}

For the first entry, 192.168.4.76 talked to 192.168.4.1.

The log timestamp is 1591367999.305988, which translates as shown below, courtesy of the Unix date command:

zeek@zeek:~zeek-test/json$ date -d @"1591367999.305988"
Fri Jun  5 14:39:59 UTC 2020

The two systems’ “conversation” only lasted 0.06685185432434082 seconds. (Again, such precision!)

They spoke the Domain Name System (DNS) protocol, identified by Zeek as DNS over UDP using UDP port 53 listening on 192.168.4.1.

The connection state for this conversation is listed as SF, the same as the TCP version. However, UDP has no concept of state, leaving that duty to a higher-level protocol. In the context of UDP, SF means that Zeek assesses the conversation as “normal establishment and termination” of the “connection.”

Similarly, the history field is simply Dd, indicating that each party to the conversation sent data to the other.

The uid and Other Fields

Notice that both conn.log entries contain uid fields. These are unique identifiers assigned by Zeek that we will use to track related activity in other transaction logs.

There are other fields which may appear in the conn.log, depending on the protocol being summarized. For details on the meaning of those fields, see Conn::Info.

Conclusion

Zeek’s conn.log is a foundational log that offers a great deal of information on its own. However, it becomes even more useful when it acts as the starting point for investigating related Zeek logs. We turn to that capability in the following sections.

dns.log

The Domain Name System (DNS) log, or dns.log, is one of the most important data sources generated by Zeek. Although recent developments in domain name resolution have challenged traditional methods for collecting DNS data, dns.log remains a powerful tool for security and network administrators.

Those interested in getting details on every element of the dns.log should refer to DNS::Info.

Throughout the sections that follow, we will inspect Zeek logs in JSON format.

Inspecting the dns.log

To inspect the dns.log, we will use the same techniques we learned earlier in the manual. First, we have a JSON-formatted log file, either collected by Zeek watching a live interface, or by Zeek processing stored traffic. We use the jq utility to review the contents.

zeek@zeek:~/zeek-test/json$ jq . -c dns.log
{"ts":1591367999.306059,"uid":"CMdzit1AMNsmfAIiQc","id.orig_h":"192.168.4.76","id.orig_p":36844,"id.resp_h":"192.168.4.1","id.resp_p":53,"proto":"udp","trans_id":8555,"query":"testmyids.com","qclass":1,"qclass_name":"C_INTERNET","qtype":28,"qtype_name":"AAAA","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":false,"Z":0,"rejected":false}

{"ts":1591367999.305988,"uid":"CMdzit1AMNsmfAIiQc","id.orig_h":"192.168.4.76","id.orig_p":36844,"id.resp_h":"192.168.4.1","id.resp_p":53,"proto":"udp","trans_id":19671,"rtt":0.06685185432434082,"query":"testmyids.com","qclass":1,"qclass_name":"C_INTERNET","qtype":1,"qtype_name":"A","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":true,"Z":0,"answers":["31.3.245.133"],"TTLs":[3600],"rejected":false}

As before, we could see each field printed on its own line:

zeek@zeek:~/zeek-test/json$ jq . dns.log
{
  "ts": 1591367999.306059,
  "uid": "CMdzit1AMNsmfAIiQc",
  "id.orig_h": "192.168.4.76",
  "id.orig_p": 36844,
  "id.resp_h": "192.168.4.1",
  "id.resp_p": 53,
  "proto": "udp",
  "trans_id": 8555,
  "query": "testmyids.com",
  "qclass": 1,
  "qclass_name": "C_INTERNET",
  "qtype": 28,
  "qtype_name": "AAAA",
  "rcode": 0,
  "rcode_name": "NOERROR",
  "AA": false,
  "TC": false,
  "RD": true,
  "RA": false,
  "Z": 0,
  "rejected": false
}
{
  "ts": 1591367999.305988,
  "uid": "CMdzit1AMNsmfAIiQc",
  "id.orig_h": "192.168.4.76",
  "id.orig_p": 36844,
  "id.resp_h": "192.168.4.1",
  "id.resp_p": 53,
  "proto": "udp",
  "trans_id": 19671,
  "rtt": 0.06685185432434082,
  "query": "testmyids.com",
  "qclass": 1,
  "qclass_name": "C_INTERNET",
  "qtype": 1,
  "qtype_name": "A",
  "rcode": 0,
  "rcode_name": "NOERROR",
  "AA": false,
  "TC": false,
  "RD": true,
  "RA": true,
  "Z": 0,
  "answers": [
    "31.3.245.133"
  ],
  "TTLs": [
    3600
  ],
  "rejected": false
}

As emphasized in the conn.log material, what an analyst derives from any log is a function of the questions that he or she is trying to ask of it. The dns.log captures application-level name resolution activity, assuming that traffic is not encrypted, as it is with DNS over HTTPS (DoH) or DNS over TLS (DoT). Applications mainly use DNS to resolve names to IP addresses, IP addresses to names, and certain other functions. Intruders use DNS for the same purposes, but may also subvert the protocol to carry command-and-control traffic, obfuscated or encrypted payload data, or other unwanted functions. DNS is a suitable protocol for these nefarious activities because administrators tend to allow it throughout their purview, as it is necessary for normal network operation.

In brief, when looking at the dns.log, analysts will primarily want to know who is asking a question, what is the nature of the question, who answered the question, and how was the question answered.

Understanding the Second dns.log Entry

Let’s use this framework to parse the two log entries. We will start with the second entry. For reference, that entry is the following:

{
  "ts": 1591367999.305988,
  "uid": "CMdzit1AMNsmfAIiQc",
  "id.orig_h": "192.168.4.76",
  "id.orig_p": 36844,
  "id.resp_h": "192.168.4.1",
  "id.resp_p": 53,
  "proto": "udp",
  "trans_id": 19671,
  "rtt": 0.06685185432434082,
  "query": "testmyids.com",
  "qclass": 1,
  "qclass_name": "C_INTERNET",
  "qtype": 1,
  "qtype_name": "A",
  "rcode": 0,
  "rcode_name": "NOERROR",
  "AA": false,
  "TC": false,
  "RD": true,
  "RA": true,
  "Z": 0,
  "answers": [
    "31.3.245.133"
  ],
  "TTLs": [
    3600
  ],
  "rejected": false
}

According to this log entry, 192.168.4.76 asked 192.168.4.1 for the A record of the host testmyids.com, and received the answer 31.3.245.133. There are more details in the log, but those are the key elements an analyst should be able to extract.

Understanding the First dns.log Entry

Let’s take a look at the first dns.log entry. For reference, that entry is the following:

{
  "ts": 1591367999.306059,
  "uid": "CMdzit1AMNsmfAIiQc",
  "id.orig_h": "192.168.4.76",
  "id.orig_p": 36844,
  "id.resp_h": "192.168.4.1",
  "id.resp_p": 53,
  "proto": "udp",
  "trans_id": 8555,
  "query": "testmyids.com",
  "qclass": 1,
  "qclass_name": "C_INTERNET",
  "qtype": 28,
  "qtype_name": "AAAA",
  "rcode": 0,
  "rcode_name": "NOERROR",
  "AA": false,
  "TC": false,
  "RD": true,
  "RA": false,
  "Z": 0,
  "rejected": false
}

According to this log entry, 192.168.4.76 asked 192.168.4.1 for the AAAA record of the host testmyids.com, and did not receive an answer.

This is technically true, but it is not the whole story. If we augment stock Zeek with an additional script available from the project, we get a bit more information.

Specifically, we can enable a new script, policy/protocols/dns/auth-addl.zeek.

We can invoke the script using this syntax:

zeek@zeek:~/zeek-test/json2$ zeek -C LogAscii::use_json=T protocols/dns/auth-addl.zeek -r ../tm1t.pcap

The end result shows more information for the first dns.log entry:

zeek@zeek:~/zeek-test/json2$ cat dns.log | head -1
{"ts":1591367999.306059,"uid":"CQsafSKqmlOyqrgC6","id.orig_h":"192.168.4.76","id.orig_p":36844,"id.resp_h":"192.168.4.1","id.resp_p":53,"proto":"udp","trans_id":8555,"query":"testmyids.com","qclass":1,"qclass_name":"C_INTERNET","qtype":28,"qtype_name":"AAAA","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":false,"Z":0,"rejected":false,"auth":["ns59.1and1.co.uk"]}

The auth item at the end of the log entry shows that ns59.1and1.co.uk is the authoritative name server that is designated to answer questions about the AAAA record for testmyids.com.

There are more details in the log, but those are the key elements an analyst should be able to extract.

The uid and Other Fields

Note the uid field in both log entries is CMdzit1AMNsmfAIiQc. This is the same UID value that appeared in the conn.log entry for a DNS record. That means the DNS activity in the conn.log and the DNS activity in this dns.log entry are the same.

You could have used the UID from the conn.log entry to search for the corresponding records in the dns.log. For example:

zeek@zeek:~/zeek-test/json$ grep CMdzit1AMNsmfAIiQc dns.log
{"ts":1591367999.306059,"uid":"CMdzit1AMNsmfAIiQc","id.orig_h":"192.168.4.76","id.orig_p":36844,"id.resp_h":"192.168.4.1","id.resp_p":53,"proto":"udp","trans_id":8555,"query":"testmyids.com","qclass":1,"qclass_name":"C_INTERNET","qtype":28,"qtype_name":"AAAA","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":false,"Z":0,"rejected":false}

{"ts":1591367999.305988,"uid":"CMdzit1AMNsmfAIiQc","id.orig_h":"192.168.4.76","id.orig_p":36844,"id.resp_h":"192.168.4.1","id.resp_p":53,"proto":"udp","trans_id":19671,"rtt":0.06685185432434082,"query":"testmyids.com","qclass":1,"qclass_name":"C_INTERNET","qtype":1,"qtype_name":"A","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":true,"Z":0,"answers":["31.3.245.133"],"TTLs":[3600.0],"rejected":false}

Note the matching uid fields in the dns.log entries. In this simple example, these are the only two entries in the dns.log. Extrapolate this technique to logs with billions of records and you will appreciate the value!

Remember that a single conn.log entry summarized all of the DNS traffic associated with the “connection” bearing UID CMdzit1AMNsmfAIiQc. Zeek treated the four packets associated with this conversation as a connection because they shared the same source and destination IP addresses and ports, and occurred over the UDP protocol. The single conn.log entry had the timestamp 1591367999.305988, which is also the timestamp of the first dns.log entry.

Zeek’s DNS protocol analyzer created two log entries because it recognized two different DNS exchanges. The first involved a query and response for IPv6-related information, i.e., a AAAA record for testmyids.com. The second involved a query and response for IPv4-related information, i.e., an A record for testmyids.com. It is interesting to note that the DNS resolver on the 192.168.4.76 system requested IPv6 information first, and then IPv4.

Conclusion

Zeek’s dns.log is a critical log that offers a great deal of information on how systems are interacting with the Internet and each other. In the next section we will look at other core Internet protocols.

http.log

The HyperText Transfer Protocol (HTTP) log, or http.log, is another core data source generated by Zeek. With the transition from clear-text HTTP to encrypted HTTPS traffic, the http.log is less active in many environments. In some cases, however, organizations implement technologies or practices to expose HTTPS as HTTP. Whether you’re looking at legacy HTTP on the wire, or HTTPS that has been exposed as HTTP, Zeek’s http.log offers utility for examining normal, suspicious, and malicious activity.

The Zeek scripting manual, derived from the Zeek source code, completely explains the meaning of each field in the http.log (and other logs). It would be duplicative to manually recreate that information in another format here. Therefore, this entry seeks to show how an analyst would make use of the information in the http.log. Those interested in getting details on every element of the http.log should refer to HTTP::Info.

Throughout the sections that follow, we will inspect Zeek logs in JSON format.

Inspecting the http.log

To inspect the http.log, we will use the same techniques we learned earlier in the manual. First, we have a JSON-formatted log file, either collected by Zeek watching a live interface, or by Zeek processing stored traffic. We use the jq utility to review the contents.

zeek@zeek:~/zeek-test/json$ jq . -c http.log
{"ts":1591367999.512593,"uid":"C5bLoe2Mvxqhawzqqd","id.orig_h":"192.168.4.76","id.orig_p":46378,"id.resp_h":"31.3.245.133","id.resp_p":80,"trans_depth":1,"method":"GET","host":"testmyids.com","uri":"/","version":"1.1","user_agent":"curl/7.47.0","request_body_len":0,"response_body_len":39,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["FEEsZS1w0Z0VJIb5x4"],"resp_mime_types":["text/plain"]}

This is a very simple http.log: it contains only one entry. As before, we could see each field printed on its own line:

zeek@zeek:~/zeek-test/json$ jq . http.log
{
  "ts": 1591367999.512593,
  "uid": "C5bLoe2Mvxqhawzqqd",
  "id.orig_h": "192.168.4.76",
  "id.orig_p": 46378,
  "id.resp_h": "31.3.245.133",
  "id.resp_p": 80,
  "trans_depth": 1,
  "method": "GET",
  "host": "testmyids.com",
  "uri": "/",
  "version": "1.1",
  "user_agent": "curl/7.47.0",
  "request_body_len": 0,
  "response_body_len": 39,
  "status_code": 200,
  "status_msg": "OK",
  "tags": [],
  "resp_fuids": [
    "FEEsZS1w0Z0VJIb5x4"
  ],
  "resp_mime_types": [
    "text/plain"
  ]
}

HTTP is a protocol that was initially fairly simple. Over time it has become increasingly complicated. It’s not the purpose of this manual to describe how HTTP can be used and abused. Rather, we will take a brief look at the most important elements of this http.log entry, which is almost all of them.

Understanding the http.log Entry

Similar to the previous dns.log, the http.log is helpful because it combines elements from the conversation between the source and destination in one log entry. The most fundamental elements of the log answer questions concerning who made a request, who responded, and the nature of the request and response.

In this entry, we see that 192.168.4.76 made a request to 31.3.245.133. The originator made an HTTP version 1.1 GET request for the / or root of the site testmyids.com hosted by the responder, passing a user agent of curl/7.47.0.

The responder replied with a 200 OK message, with a MIME (Multipurpose Internet Mail Extensions) type of text/plain. Zeek provides us a file ID (or fuid) of FEEsZS1w0Z0VJIb5x4. If we had configured Zeek to log files of type text/plain, we could look at the content returned by the responder.

Finally, note the UID of C5bLoe2Mvxqhawzqqd. This is the same UID found in the conn.log for this TCP connection. This allows us to link the conn.log entry with this http.log entry.
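Linking logs by uid, as this paragraph and the dns.log “uid and Other Fields” section describe, is something analysts usually script rather than grep by hand. The following added Python example (not part of the Zeek project) indexes this chapter’s dns.log, http.log and files.log records by uid (files.log through its conn_uids field), joins them onto each conn.log entry, and renders ts in UTC as the date command did earlier; it also reports uids that appear in a transaction log but have no conn.log entry, which is what a missing or rotated conn.log looks like.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Log lines copied from this chapter's sample conn.log, dns.log, http.log and
# files.log output, embedded so the example runs without the pcap.
CONN_LOG = """\
{"ts":1591367999.305988,"uid":"CMdzit1AMNsmfAIiQc","id.orig_h":"192.168.4.76","id.orig_p":36844,"id.resp_h":"192.168.4.1","id.resp_p":53,"proto":"udp","service":"dns","duration":0.06685185432434082,"orig_bytes":62,"resp_bytes":141,"conn_state":"SF","missed_bytes":0,"history":"Dd","orig_pkts":2,"orig_ip_bytes":118,"resp_pkts":2,"resp_ip_bytes":197}
{"ts":1591367999.430166,"uid":"C5bLoe2Mvxqhawzqqd","id.orig_h":"192.168.4.76","id.orig_p":46378,"id.resp_h":"31.3.245.133","id.resp_p":80,"proto":"tcp","service":"http","duration":0.25411510467529297,"orig_bytes":77,"resp_bytes":295,"conn_state":"SF","missed_bytes":0,"history":"ShADadFf","orig_pkts":6,"orig_ip_bytes":397,"resp_pkts":4,"resp_ip_bytes":511}
"""
DNS_LOG = """\
{"ts":1591367999.306059,"uid":"CMdzit1AMNsmfAIiQc","id.orig_h":"192.168.4.76","id.orig_p":36844,"id.resp_h":"192.168.4.1","id.resp_p":53,"proto":"udp","trans_id":8555,"query":"testmyids.com","qclass":1,"qclass_name":"C_INTERNET","qtype":28,"qtype_name":"AAAA","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":false,"Z":0,"rejected":false}
{"ts":1591367999.305988,"uid":"CMdzit1AMNsmfAIiQc","id.orig_h":"192.168.4.76","id.orig_p":36844,"id.resp_h":"192.168.4.1","id.resp_p":53,"proto":"udp","trans_id":19671,"rtt":0.06685185432434082,"query":"testmyids.com","qclass":1,"qclass_name":"C_INTERNET","qtype":1,"qtype_name":"A","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":true,"Z":0,"answers":["31.3.245.133"],"TTLs":[3600.0],"rejected":false}
"""
HTTP_LOG = """\
{"ts":1591367999.512593,"uid":"C5bLoe2Mvxqhawzqqd","id.orig_h":"192.168.4.76","id.orig_p":46378,"id.resp_h":"31.3.245.133","id.resp_p":80,"trans_depth":1,"method":"GET","host":"testmyids.com","uri":"/","version":"1.1","user_agent":"curl/7.47.0","request_body_len":0,"response_body_len":39,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["FEEsZS1w0Z0VJIb5x4"],"resp_mime_types":["text/plain"]}
"""
FILES_LOG = """\
{"ts":1591367999.604,"fuid":"FEEsZS1w0Z0VJIb5x4","tx_hosts":["31.3.245.133"],"rx_hosts":["192.168.4.76"],"conn_uids":["C5bLoe2Mvxqhawzqqd"],"source":"HTTP","depth":0,"analyzers":[],"mime_type":"text/plain","duration":0.0,"is_orig":false,"seen_bytes":39,"total_bytes":39,"missing_bytes":0,"overflow_bytes":0,"timedout":false}
"""


def parse_log(text):
    """One JSON object per non-empty line, the layout LogAscii::use_json=T writes."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def index_by(records, key):
    """Map each value of `key` (a string, or a list such as conn_uids) to its records."""
    index = defaultdict(list)
    for record in records:
        values = record.get(key)
        if values is None:
            continue
        if not isinstance(values, list):
            values = [values]
        for value in values:
            index[value].append(record)
    return index


def ts_to_utc(ts):
    """Render a Zeek ts (Unix epoch seconds) in UTC, as `date -d @ts` did above."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def correlate(conn_text, dns_text, http_text, files_text):
    """Join dns, http and files records onto each conn.log entry via uid."""
    dns_by_uid = index_by(parse_log(dns_text), "uid")
    http_by_uid = index_by(parse_log(http_text), "uid")
    files_by_uid = index_by(parse_log(files_text), "conn_uids")
    summaries = []
    for conn in parse_log(conn_text):
        uid = conn["uid"]
        summaries.append({
            "uid": uid,
            "when": ts_to_utc(conn["ts"]),
            "who": "{}:{} -> {}:{}/{}".format(conn["id.orig_h"], conn["id.orig_p"],
                                              conn["id.resp_h"], conn["id.resp_p"],
                                              conn["proto"]),
            "service": conn.get("service"),
            "history": conn.get("history"),
            # A dns.log record without "answers" (the AAAA query) yields [].
            "dns": [(d["query"], d["qtype_name"], d.get("answers", []))
                    for d in dns_by_uid.get(uid, [])],
            "http": [(h["method"], h["host"], h["uri"], h["status_code"])
                     for h in http_by_uid.get(uid, [])],
            "files": [(f["fuid"], f["mime_type"], f["seen_bytes"])
                      for f in files_by_uid.get(uid, [])],
        })
    return summaries


def uids_without_conn(conn_text, *transaction_texts):
    """uids present in transaction logs but absent from conn.log (a sign of a gap)."""
    known = {c["uid"] for c in parse_log(conn_text)}
    seen = {r["uid"] for text in transaction_texts for r in parse_log(text)}
    return sorted(seen - known)


if __name__ == "__main__":
    for summary in correlate(CONN_LOG, DNS_LOG, HTTP_LOG, FILES_LOG):
        print(json.dumps(summary, indent=2))
    print("uids without a conn.log entry:", uids_without_conn(CONN_LOG, DNS_LOG, HTTP_LOG))
```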

Reviewing the Original Traffic

To better understand the original traffic, and how it relates to the Zeek http.log, let’s look at the contents manually. HTTP is a clear-text protocol. Assuming the contents are also clear text, and not obfuscated or encrypted, we can look at the contents. In the following example I use the venerable program tcpflow to create two files. One contains data from the originator to the responder, while the second contains data from the responder to the originator.

zeek@zeek:~/zeek-test$ tcpflow -r tm1t.pcap port 80

Let’s first look at the data from the originator to the responder.

zeek@zeek:~/zeek-test$ cat 192.168.004.076.46378-031.003.245.133.00080
GET / HTTP/1.1
Host: testmyids.com
User-Agent: curl/7.47.0
Accept: */*

Here is the data from the responder to the originator.

zeek@zeek:~/zeek-test$ cat 031.003.245.133.00080-192.168.004.076.46378
HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Fri, 05 Jun 2020 14:40:07 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 39
Connection: keep-alive
Last-Modified: Fri, 10 Jan 2020 21:36:02 GMT
ETag: "27-59bcfe9932c32"
Accept-Ranges: bytes

uid=0(root) gid=0(root) groups=0(root)

As you can see, there are elements, particularly in the response, that do not appear in the http.log. For example, the Server type of nginx/1.16.1 is not logged. If an analyst or administrator decided that he or she wished to include that data in his or her http.log, it is possible to make adjustments.

The data from the responder also shows the application payload it sent:

uid=0(root) gid=0(root) groups=0(root)

This is the output of a Unix uname -a command. It is hosted at the server testmyids.com to trigger a “GPL ATTACK_RESPONSE id check returned root” alert found in open source intrusion detection engine rule sets, such as that supported by Suricata. Analysts sometimes use this site to test if their intrusion detection engines are functioning properly. A more modern option with many different tests can be found at https://github.com/0xtf/testmynids.org.

Conclusion

Zeek’s http.log is another important log that offers a great deal of information on how systems are interacting with the Internet and each other. In the example in this section we looked at a very simple interaction between an originator and a responder. We could see the benefit of summarizing an HTTP request and response in a single log entry. In the next section we will look at other core Internet protocols.

files.log

One of Zeek’s powerful features is the ability to extract content from network traffic and write it to disk as a file. This is easiest to understand with a protocol like File Transfer Protocol (FTP), a classic means to exchange files over a channel separate from that used to exchange commands. Protocols like HTTP are slightly more complicated, as they include headers which must be interpreted and not included in any file content transferred by the protocol.

Zeek’s files.log is a record of files that Zeek observed while inspecting network traffic. The existence of an entry in files.log does not mean that Zeek necessarily extracted file content and wrote it to disk. Analysts must configure Zeek to extract files by type in order to have them written to disk.

In the following example, an analyst has configured Zeek to extract files of MIME type application/x-dosexec and write them to disk. To understand the chain of events that result in having a file on disk, we will start with the conn.log, progress to the http.log, and conclude with the files.log.

The Zeek scripting manual, derived from the Zeek source code, completely explains the meaning of each field in the files.log (and other logs). It would be duplicative to manually recreate that information in another format here. Therefore, this entry seeks to show how an analyst would make use of the information in the files.log. Those interested in getting details on every element of the files.log should refer to Files::Info.

Throughout the sections that follow, we will inspect Zeek logs in JSON format. As we have shown how to access logs like this previously using the command line, we will only show the log entries themselves.

Inspecting the conn.log

The log with which we begin our analysis for this case is the conn.log. It contains the following entry of interest.

{
  "ts": 1596820191.94147,
  "uid": "CzoFRWTQ6YIzfFXHk",
  "id.orig_h": "192.168.4.37",
  "id.orig_p": 58264,
  "id.resp_h": "23.195.64.241",
  "id.resp_p": 80,
  "proto": "tcp",
  "service": "http",
  "duration": 0.050640106201171875,
  "orig_bytes": 211,
  "resp_bytes": 179604,
  "conn_state": "SF",
  "missed_bytes": 0,
  "history": "ShADadtFf",
  "orig_pkts": 93,
  "orig_ip_bytes": 5091,
  "resp_pkts": 129,
  "resp_ip_bytes": 186320
}

We see that 192.168.4.37 contacted 23.195.64.241 via HTTP and connected to port 80 TCP. The responder sent 179604 bytes of data during the conversation.

Because this conversation appears to have taken place using HTTP, a clear text protocol, there is a good chance that we can directly inspect the HTTP headers and the payloads that were exchanged.

We will use the UID, CzoFRWTQ6YIzfFXHk, to find corresponding entries in other log sources to better understand what happened during this conversation.

Inspecting the http.log

We search our http.log files for samples containing the UID of interest and find the following entry:

{
  "ts": 1596820191.94812,
  "uid": "CzoFRWTQ6YIzfFXHk",
  "id.orig_h": "192.168.4.37",
  "id.orig_p": 58264,
  "id.resp_h": "23.195.64.241",
  "id.resp_p": 80,
  "trans_depth": 1,
  "method": "GET",
  "host": "download.microsoft.com",
  "uri": "/download/d/e/5/de5351d6-4463-4cc3-a27c-3e2274263c43/wfetch.exe",
  "version": "1.1",
  "user_agent": "Wget/1.19.4 (linux-gnu)",
  "request_body_len": 0,
  "response_body_len": 179272,
  "status_code": 200,
  "status_msg": "OK",
  "tags": [],
  "resp_fuids": [
    "FBbQxG1GXLXgmWhbk9"
  ],
  "resp_mime_types": [
    "application/x-dosexec"
  ]
}

The most interesting elements of this log entry include the following:

"method": "GET",
"host": "download.microsoft.com",
"uri": "/download/d/e/5/de5351d6-4463-4cc3-a27c-3e2274263c43/wfetch.exe",

This shows us what file the client was trying to retrieve, wfetch.exe, from what site, download.microsoft.com.

The following element shows us the client that made the request:

"user_agent": "Wget/1.19.4 (linux-gnu)",

According to this log entry, the user agent was not a Microsoft product, but was a Linux version of the wget utility. User agent fields can be manipulated, so we cannot trust that this was exactly what happened. It is probable however that wget was used in this case.

The following entry shows us that the Web server responded positively to the request:

"status_code": 200,
"status_msg": "OK",

Based on this entry and the number of bytes transferred, it is likely that the client received the file it requested.

The final two entries of interest tell us something more about the content that was transferred and how to locate it:

"resp_fuids": [
  "FBbQxG1GXLXgmWhbk9"
],
"resp_mime_types": [
  "application/x-dosexec"
]
The first entry provides a file identifier. This is similar to the connection identifier in the conn.log, except that we use the file identifier to locate specific file contents when written to disk.

The second entry shows that Zeek recognized the file content as application/x-dosexec, which likely means that the client retrieved a Windows executable file.

Inspecting the files.log

Armed with the file identifier value, we can search any of our files.log repositories for matching values. By searching for the FUID of FBbQxG1GXLXgmWhbk9 we find the following entry.

{
  "ts": 1596820191.969902,
  "fuid": "FBbQxG1GXLXgmWhbk9",
  "tx_hosts": [
    "23.195.64.241"
  ],
  "rx_hosts": [
    "192.168.4.37"
  ],
  "conn_uids": [
    "CzoFRWTQ6YIzfFXHk"
  ],
  "source": "HTTP",
  "depth": 0,
  "analyzers": [
    "EXTRACT",
    "PE"
  ],
  "mime_type": "application/x-dosexec",
  "duration": 0.015498876571655273,
  "is_orig": false,
  "seen_bytes": 179272,
  "total_bytes": 179272,
  "missing_bytes": 0,
  "overflow_bytes": 0,
  "timedout": false,
  "extracted": "HTTP-FBbQxG1GXLXgmWhbk9.exe",
  "extracted_cutoff": false
}

Note that this files.log entry also contains the UID we found in the conn.log, i.e., CzoFRWTQ6YIzfFXHk. Theoretically we could have just searched for that UID value and not bothered to locate the FUID in the http.log. However, I find that it makes sense to follow this sort of progression, as we cannot rely on this same analytical workflow for all cases.

In this files.log data, we see that the EXTRACT and PE file analyzers were attached to this file. Zeek saw 179272 bytes transferred and does not appear to have missed any bytes. Zeek extracted the file it saw as HTTP-FBbQxG1GXLXgmWhbk9.exe, which means we should be able to locate that file on disk.

Inspecting the Extracted File

The location for extracted files will vary depending on your Zeek configuration. In my example, Zeek wrote extracted files to a directory called extract_files/. Here is the file in question:

$ ls -al HTTP-FBbQxG1GXLXgmWhbk9.exe
-rw-rw-r-- 1 zeek zeek 179272 Aug  7 17:23 HTTP-FBbQxG1GXLXgmWhbk9.exe

Note the byte count, 179272, matches the value in the files.log.
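The pivot just walked by hand (conn.log uid to http.log fuid to files.log to the file on disk) can be scripted. The following is an added example, not code from the Zeek project: it follows the chain over constructed copies of the three log entries above (trimmed to the fields used), decides whether the extraction was complete from the files.log byte counters, and checks the extracted file's size on disk. The extract directory is a temporary directory holding a placeholder file of the logged size, since the real wfetch.exe is not part of this example.

```python
# Added example, not code from the Zeek project: pivot from a conn.log uid to
# the http.log and files.log entries, confirm the extraction was complete, and
# check the extracted file on disk. Log lines are constructed copies of the
# entries shown above, trimmed to the fields this code uses.
import hashlib
import json
import os
import tempfile
from typing import Dict, List, Optional

CONN_LOG = [
    '{"ts":1596820191.94147,"uid":"CzoFRWTQ6YIzfFXHk","id.orig_h":"192.168.4.37",'
    '"id.resp_h":"23.195.64.241","id.resp_p":80,"service":"http","resp_bytes":179604}',
]
HTTP_LOG = [
    '{"ts":1596820191.94812,"uid":"CzoFRWTQ6YIzfFXHk","method":"GET",'
    '"host":"download.microsoft.com",'
    '"uri":"/download/d/e/5/de5351d6-4463-4cc3-a27c-3e2274263c43/wfetch.exe",'
    '"status_code":200,"response_body_len":179272,'
    '"resp_fuids":["FBbQxG1GXLXgmWhbk9"],"resp_mime_types":["application/x-dosexec"]}',
]
FILES_LOG = [
    '{"ts":1596820191.969902,"fuid":"FBbQxG1GXLXgmWhbk9","conn_uids":["CzoFRWTQ6YIzfFXHk"],'
    '"source":"HTTP","analyzers":["EXTRACT","PE"],"mime_type":"application/x-dosexec",'
    '"seen_bytes":179272,"total_bytes":179272,"missing_bytes":0,"overflow_bytes":0,'
    '"timedout":false,"extracted":"HTTP-FBbQxG1GXLXgmWhbk9.exe","extracted_cutoff":false}',
]


def load(lines: List[str]) -> List[dict]:
    """Parse JSON-format Zeek log lines (one object per line)."""
    return [json.loads(line) for line in lines if line.strip()]


def pivot(uid: str, http_entries: List[dict], files_entries: List[dict]) -> Dict[str, list]:
    """Return the http.log entries for a uid, the fuids they reference, and the
    files.log entries for those fuids (also matched through conn_uids)."""
    http_hits = [e for e in http_entries if e.get("uid") == uid]
    fuids = {f for e in http_hits for f in e.get("resp_fuids", []) + e.get("orig_fuids", [])}
    files_hits = [
        e for e in files_entries
        if e.get("fuid") in fuids or uid in e.get("conn_uids", [])
    ]
    return {"http": http_hits, "fuids": sorted(fuids), "files": files_hits}


def extraction_complete(entry: dict) -> bool:
    """Complete extraction: the EXTRACT analyzer ran, Zeek saw every byte it
    expected, none were missing, analysis did not time out and the file
    written to disk was not cut off by an extraction size limit."""
    return (
        "EXTRACT" in entry.get("analyzers", [])
        and entry.get("seen_bytes") == entry.get("total_bytes")
        and entry.get("missing_bytes", 0) == 0
        and not entry.get("timedout", False)
        and not entry.get("extracted_cutoff", False)
        and bool(entry.get("extracted"))
    )


def verify_on_disk(entry: dict, extract_dir: str) -> Optional[str]:
    """Check that the extracted file exists with the logged size. Returns its
    MD5 (for comparison with an external lookup or a hash Zeek was configured
    to log), or None when the file is absent or the size disagrees."""
    path = os.path.join(extract_dir, entry["extracted"])
    if not os.path.isfile(path) or os.path.getsize(path) != entry["seen_bytes"]:
        return None
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_demo_extract_dir() -> str:
    """Create a temporary extract_files/ directory holding a placeholder file
    of the logged size (constructed zero bytes, not the real executable)."""
    extract_dir = tempfile.mkdtemp(prefix="extract_files_")
    with open(os.path.join(extract_dir, "HTTP-FBbQxG1GXLXgmWhbk9.exe"), "wb") as fh:
        fh.write(b"\0" * 179272)
    return extract_dir


if __name__ == "__main__":
    conn = load(CONN_LOG)[0]
    chain = pivot(conn["uid"], load(HTTP_LOG), load(FILES_LOG))
    extract_dir = build_demo_extract_dir()
    for f in chain["files"]:
        state = "complete" if extraction_complete(f) else "INCOMPLETE"
        print(f["fuid"], f["mime_type"], state, verify_on_disk(f, extract_dir))
```

The completeness test is the part worth keeping: a files.log entry with missing_bytes above zero, timedout true, or extracted_cutoff true describes a file that was only partially observed, and a hash computed over such a file will not match the hash of the original.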

Here is what the Linux file command thinks of this file.

$ file HTTP-FBbQxG1GXLXgmWhbk9.exe
HTTP-FBbQxG1GXLXgmWhbk9.exe: PE32 executable (GUI) Intel 80386, for MS Windows, MS CAB-Installer self-extracting archive

This looks like a Windows executable. You can use the md5sum utility to generate an MD5 hash of the file.

$ md5sum HTTP-FBbQxG1GXLXgmWhbk9.exe
6711727adf76599bf50c9426057a35fe  HTTP-FBbQxG1GXLXgmWhbk9.exe

We can search by the hash value on VirusTotal using the vt command line tool, provided we have registered and initialized vt with our free API key.

$ ./vt file 6711727adf76599bf50c9426057a35fe
- _id: "82f39086658ce80df4da6a49fef9d3062a00fd5795a4dd5042de32907bcb5b89"
  _type: "file"
  authentihash: "2a07d356273d32bf0c5aff83ea847351128fc3971b44052f92b6fb4f45c2272f"
  creation_date: 1030609542  # 2002-08-29 08:25:42 +0000 UTC
  first_submission_date: 1354191312  # 2012-11-29 12:15:12 +0000 UTC
  last_analysis_date: 1592215708  # 2020-06-15 10:08:28 +0000 UTC
  last_analysis_results:
    ALYac:
      category: "undetected"
      engine_name: "ALYac"
      engine_update: "20200615"
      engine_version: "1.1.1.5"
      method: "blacklist"
...edited...
  last_analysis_stats:
    confirmed-timeout: 0
    failure: 0
    harmless: 0
    malicious: 0
    suspicious: 0
    timeout: 0
    type-unsupported: 2
    undetected: 74
  last_modification_date: 1592220693  # 2020-06-15 11:31:33 +0000 UTC
  last_submission_date: 1539056691  # 2018-10-09 03:44:51 +0000 UTC
  magic: "PE32 executable for MS Windows (GUI) Intel 80386 32-bit"
  md5: "6711727adf76599bf50c9426057a35fe"
  meaningful_name: "WEXTRACT.EXE"
  names:
  - "Wextract"
  - "WEXTRACT.EXE"
  - "wfetch.exe"
  - "583526"
  packers:
    F-PROT: "CAB, ZIP"
    PEiD: "Microsoft Visual C++ v6.0 SPx"
  pe_info:
    entry_point: 23268
    imphash: "1494de9b53e05fc1f40cb92afbdd6ce4"
    import_list:
    - imported_functions:
      - "GetLastError"
      - "IsDBCSLeadByte"
      - "DosDateTimeToFileTime"
      - "ReadFile"
      - "GetStartupInfoA"
      - "GetSystemInfo"
      - "lstrlenA"
...edited...
  size: 179272
  ssdeep: "3072:BydJq5oyVzs+h0Jk5irDStDD5QOsP0CLRQq8ZZ3xlf/AQnFlFuKIUaKJH:UW2+AiDWOsPxQq8HHf/A07namH"
  tags:
  - "invalid-signature"
  - "peexe"
  - "signed"
  - "overlay"
  times_submitted: 33
  total_votes:
    harmless: 1
    malicious: 0
  trid:
  - file_type: "Microsoft Update - Self Extracting Cabinet"
    probability: 46.3
  - file_type: "Win32 MS Cabinet Self-Extractor (WExtract stub)"
    probability: 41.4
  - file_type: "Win32 Executable MS Visual C++ (generic)"
    probability: 4.2
  - file_type: "Win64 Executable (generic)"
    probability: 3.7
  - file_type: "Win16 NE executable (generic)"
    probability: 1.9
  type_description: "Win32 EXE"
  type_tag: "peexe"
  unique_sources: 24
  vhash: "0150366d1570e013z1004cmz1f03dz"

You can access the entire report via the Web here.

It appears this is a harmless Windows executable. However, by virtue of having it extracted from network traffic, analysts have many options for investigation when the file is not considered benign.

Conclusion

Zeek’s file extraction capabilities offer many advantages to analysts. Administrators can configure Zeek to compute MD5 hashes of files that Zeek sees in network traffic. Rather than computing a hash on a file written to disk, Zeek could simply compute the hash as part of its inspection process. The purpose of this document was to show some of the data in the files.log, how it relates to other Zeek logs, and how analysts might make use of it.

ftp.log

Zeek’s ftp.log summarizes activity using the File Transfer Protocol (FTP). Similar to the http.log, ftp.log captures the essential information an analyst would likely need to understand how a client and server interact using FTP.

FTP is an interesting protocol in the sense that it uses one TCP connection as a control channel and a second TCP connection as a file transfer channel. The control channel usually involves an FTP server listening on port 21 TCP. The file transfer channel, however, depends on the choices made by the client and server. With “passive FTP,” the server advertises a second TCP port to which the client should connect, and the client connects to that TCP port to initiate the file transfer. With “active FTP,” the server connects to a TCP port advertised by the client, using a source port of 20 TCP. It is more common to see passive FTP on the Internet today because middleboxes (such as firewalls or other filtering devices) interfere with active FTP connections inbound to clients.

For full details on each field in the ftp.log file, please refer to FTP::Info.

Finding the ftp.log

In the following example, an analyst knows to look for Zeek logs on a specific day bearing a specific UID. They search in the specified directory using the zgrep command and pipe the results to the Unix command sed, which removes the filename prefix (everything up to and including .gz:) that zgrep prepends to each match. This facilitates piping the results into the jq utility for easier viewing.

$ zgrep "CLkXf2CMo11hD8FQ5" 2020-08-16/* | sed 's/.*gz://' | jq .
{
  "_path": "conn",
  "_system_name": "ds61",
  "_write_ts": "2020-08-16T06:26:10.266225Z",
  "_node": "worker-01",
  "ts": "2020-08-16T06:26:01.485394Z",
  "uid": "CLkXf2CMo11hD8FQ5",
  "id.orig_h": "192.168.4.76",
  "id.orig_p": 53380,
  "id.resp_h": "196.216.2.24",
  "id.resp_p": 21,
  "proto": "tcp",
  "service": "ftp",
  "duration": 3.780829906463623,
  "orig_bytes": 184,
  "resp_bytes": 451,
  "conn_state": "SF",
  "local_orig": true,
  "local_resp": false,
  "missed_bytes": 0,
  "history": "ShAdDafF",
  "orig_pkts": 20,
  "orig_ip_bytes": 1232,
  "resp_pkts": 17,
  "resp_ip_bytes": 1343,
  "community_id": "1:lEESxqaSVYqFZvWNb4OccTa9sTs="
}
{
  "_path": "ftp",
  "_system_name": "ds61",
  "_write_ts": "2020-08-16T06:26:04.077276Z",
  "_node": "worker-01",
  "ts": "2020-08-16T06:26:03.553287Z",
  "uid": "CLkXf2CMo11hD8FQ5",
  "id.orig_h": "192.168.4.76",
  "id.orig_p": 53380,
  "id.resp_h": "196.216.2.24",
  "id.resp_p": 21,
  "user": "anonymous",
  "password": "ftp@example.com",
  "command": "EPSV",
  "reply_code": 229,
  "reply_msg": "Entering Extended Passive Mode (|||31746|).",
  "data_channel.passive": true,
  "data_channel.orig_h": "192.168.4.76",
  "data_channel.resp_h": "196.216.2.24",
  "data_channel.resp_p": 31746
}
{
  "_path": "ftp",
  "_system_name": "ds61",
  "_write_ts": "2020-08-16T06:26:05.117287Z",
  "_node": "worker-01",
  "ts": "2020-08-16T06:26:04.597290Z",
  "uid": "CLkXf2CMo11hD8FQ5",
  "id.orig_h": "192.168.4.76",
  "id.orig_p": 53380,
  "id.resp_h": "196.216.2.24",
  "id.resp_p": 21,
  "user": "anonymous",
  "password": "ftp@example.com",
  "command": "RETR",
  "arg": "ftp://196.216.2.24/pub/stats/afrinic/delegated-afrinic-extended-latest.md5",
  "file_size": 74,
  "reply_code": 226,
  "reply_msg": "Transfer complete.",
  "fuid": "FueF95uKPrUuDnMc4"
}

This output presents three log entries. The first is a conn.log entry for the FTP control channel connection involving port 21 TCP. The other two are ftp.log entries describing what happened on the FTP control channel.

Before looking at the details, let’s see a reconstruction of the FTP control channel.

Reconstructing the FTP Control Channel

In the following example, we use the tcpflow program introduced in the http.log section to reconstruct the FTP control channel. By using the -c option, we tell tcpflow to print the traffic sent by both sides of the conversation to the console, interleaved. I pass it the port 53380 parameter to be sure I reconstruct only traffic involving that connection, since 53380 was the source port of the FTP client. (If I had chosen something like 21 TCP instead, I could have reconstructed numerous FTP sessions beyond the one in question here.)

In this example, 196.216.2.24 is the FTP server, and 192.168.4.76 is the FTP client.

After the first two entries, I have manually edited the output for readability.

$ tcpflow -c -r snort.log.1597554100-196.216.2.24.pcap port 53380
196.216.002.024.00021-192.168.004.076.53380 [server to client]: 220 ::::: Welcome to the AFRINIC FTP service ::::::

192.168.004.076.53380-196.216.002.024.00021 [client to server]: USER anonymous

server: 331 Please specify the password.

client: PASS ftp@example.com

server: 230 Login successful.

client: PWD

server: 257 "/"

client: CWD pub

server: 250 Directory successfully changed.

client: CWD stats

server: 250 Directory successfully changed.

client: CWD afrinic

server: 250 Directory successfully changed.

client: EPSV

server: 229 Entering Extended Passive Mode (|||31746|).

client: TYPE I

server: 200 Switching to Binary mode.

client: SIZE delegated-afrinic-extended-latest.md5

server: 213 74

client: RETR delegated-afrinic-extended-latest.md5

server: 150 Opening BINARY mode data connection for delegated-afrinic-extended-latest.md5 (74 bytes).

server: 226 Transfer complete.

client: QUIT

server: 221 Goodbye.

Reading this transcript, some important items include the following:

  • This is an FTP server that allows anonymous access.

  • The data channel occurs using passive FTP.

  • The FTP server opens port 31746 TCP to accept the FTP connection over which it will transfer the requested file.

  • The file transferred is delegated-afrinic-extended-latest.md5, a 74 byte file.

With this understanding in place, let’s see how Zeek represents this activity.

Inspecting the ftp.log

Let’s take a second look at the two ftp.log entries.

{
  "_path": "ftp",
  "_system_name": "ds61",
  "_write_ts": "2020-08-16T06:26:04.077276Z",
  "_node": "worker-01",
  "ts": "2020-08-16T06:26:03.553287Z",
  "uid": "CLkXf2CMo11hD8FQ5",
  "id.orig_h": "192.168.4.76",
  "id.orig_p": 53380,
  "id.resp_h": "196.216.2.24",
  "id.resp_p": 21,
  "user": "anonymous",
  "password": "ftp@example.com",
  "command": "EPSV",
  "reply_code": 229,
  "reply_msg": "Entering Extended Passive Mode (|||31746|).",
  "data_channel.passive": true,
  "data_channel.orig_h": "192.168.4.76",
  "data_channel.resp_h": "196.216.2.24",
  "data_channel.resp_p": 31746
}

The first ftp.log entry shows us that the FTP client logged in as user ftp@example.com, requested a form of passive connection for its data channel, and the server offered port 31746 TCP for that connection.

{
  "_path": "ftp",
  "_system_name": "ds61",
  "_write_ts": "2020-08-16T06:26:05.117287Z",
  "_node": "worker-01",
  "ts": "2020-08-16T06:26:04.597290Z",
  "uid": "CLkXf2CMo11hD8FQ5",
  "id.orig_h": "192.168.4.76",
  "id.orig_p": 53380,
  "id.resp_h": "196.216.2.24",
  "id.resp_p": 21,
  "user": "anonymous",
  "password": "ftp@example.com",
  "command": "RETR",
  "arg": "ftp://196.216.2.24/pub/stats/afrinic/delegated-afrinic-extended-latest.md5",
  "file_size": 74,
  "reply_code": 226,
  "reply_msg": "Transfer complete.",
  "fuid": "FueF95uKPrUuDnMc4"
}

The second ftp.log entry gives details on the file retrieved from the FTP server, such as the path on the server, its name, and the fact that the file transfer completed. We also have a file identifier (FueF95uKPrUuDnMc4) that we could use to find the file on disk, if we configured Zeek to extract and save this sort of content.

Finding the Data Channel

For the sake of completeness, let’s take a look at the FTP data channel using port 31746 TCP as our guide. I grep for the port number and the TCP protocol to try to be more specific, although I could have added the source and destination IP addresses too.

$ zcat 2020-08-16/conn_20200816_06\:00\:00-07\:00\:00+0000.log.gz | grep 31746 | grep tcp | sed 's/.*gz://' | jq .
{
  "_path": "conn",
  "_system_name": "ds61",
  "_write_ts": "2020-08-16T06:26:09.771034Z",
  "_node": "worker-01",
  "ts": "2020-08-16T06:26:03.774520Z",
  "uid": "CzLMFA3Eh8KBlY4kS7",
  "id.orig_h": "192.168.4.76",
  "id.orig_p": 60474,
  "id.resp_h": "196.216.2.24",
  "id.resp_p": 31746,
  "proto": "tcp",
  "service": "ftp-data",
  "duration": 0.9965000152587891,
  "orig_bytes": 0,
  "resp_bytes": 74,
  "conn_state": "SF",
  "local_orig": true,
  "local_resp": false,
  "missed_bytes": 0,
  "history": "ShAdfFa",
  "orig_pkts": 4,
  "orig_ip_bytes": 216,
  "resp_pkts": 4,
  "resp_ip_bytes": 290,
  "community_id": "1:DNwvGR6Ots6pISvsdXBUIaG8y3Q="
}

Zeek notes that this is an ftp-data service, which gives us another way to find this connection.
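The step just taken, reading the advertised port out of the control channel and then finding the data connection in conn.log, can be done in code. The following is an added example, not code from the Zeek project. It parses the EPSV reply Zeek logged above and, going beyond the page as our own generalization, also handles the classic PASV reply and the client-side PORT/EPRT arguments of active FTP described at the start of this section. The log entries below are constructed copies of the ones shown above, trimmed to the fields used.

```python
# Added example, not code from the Zeek project: derive the expected FTP data
# channel from what the control channel said, then locate it in conn.log.
# Log lines are constructed copies of the entries above, trimmed to the
# fields used here.
import json
import re
from typing import List, Optional, Tuple

FTP_LOG = [
    '{"ts":"2020-08-16T06:26:03.553287Z","uid":"CLkXf2CMo11hD8FQ5","id.orig_h":"192.168.4.76",'
    '"id.orig_p":53380,"id.resp_h":"196.216.2.24","id.resp_p":21,"user":"anonymous",'
    '"command":"EPSV","reply_code":229,"reply_msg":"Entering Extended Passive Mode (|||31746|)."}',
]
CONN_LOG = [
    '{"ts":"2020-08-16T06:26:01.485394Z","uid":"CLkXf2CMo11hD8FQ5","id.orig_h":"192.168.4.76",'
    '"id.orig_p":53380,"id.resp_h":"196.216.2.24","id.resp_p":21,"proto":"tcp","service":"ftp"}',
    '{"ts":"2020-08-16T06:26:03.774520Z","uid":"CzLMFA3Eh8KBlY4kS7","id.orig_h":"192.168.4.76",'
    '"id.orig_p":60474,"id.resp_h":"196.216.2.24","id.resp_p":31746,"proto":"tcp",'
    '"service":"ftp-data","orig_bytes":0,"resp_bytes":74}',
]

# (originator host, responder host, responder port, passive?)
Endpoint = Tuple[str, str, int, bool]


def load(lines: List[str]) -> List[dict]:
    """Parse JSON-format Zeek log lines (one object per line)."""
    return [json.loads(line) for line in lines if line.strip()]


def parse_epsv(reply_msg: str) -> Optional[int]:
    """EPSV reply (RFC 2428): 'Entering Extended Passive Mode (|||31746|).' -> 31746."""
    m = re.search(r"\(\|\|\|(\d{1,5})\|\)", reply_msg)
    return int(m.group(1)) if m else None


def parse_hostport(text: str) -> Optional[Tuple[str, int]]:
    """PASV reply or PORT argument (RFC 959): 'h1,h2,h3,h4,p1,p2' -> (host, port),
    where the port is p1 * 256 + p2."""
    m = re.search(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})", text)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_eprt(arg: str) -> Optional[Tuple[str, int]]:
    """EPRT argument (RFC 2428): '|1|192.168.4.76|60474|' -> (host, port)."""
    m = re.fullmatch(r"\|[12]\|([^|]+)\|(\d{1,5})\|", arg.strip())
    return (m.group(1), int(m.group(2))) if m else None


def expected_data_channel(ftp_entry: dict) -> Optional[Endpoint]:
    """Derive the data-channel endpoints from one ftp.log entry.
    Passive (PASV/EPSV): the client connects to the port the server advertised.
    Active (PORT/EPRT): the server connects to the port the client advertised."""
    client, server = ftp_entry["id.orig_h"], ftp_entry["id.resp_h"]
    cmd = ftp_entry.get("command", "")
    if cmd == "EPSV":
        port = parse_epsv(ftp_entry.get("reply_msg", ""))
        return (client, server, port, True) if port else None
    if cmd == "PASV":
        hp = parse_hostport(ftp_entry.get("reply_msg", ""))
        # A server behind NAT may advertise a private address; use the server
        # we are already talking to rather than the advertised host.
        return (client, server, hp[1], True) if hp else None
    if cmd in ("PORT", "EPRT"):
        arg = ftp_entry.get("arg", "")
        hp = parse_hostport(arg) if cmd == "PORT" else parse_eprt(arg)
        return (server, hp[0], hp[1], False) if hp else None
    return None


def find_data_channel(conn_entries: List[dict], endpoint: Endpoint) -> List[dict]:
    """conn.log entries whose endpoints match the expected data channel."""
    orig_h, resp_h, resp_p, _ = endpoint
    return [
        c for c in conn_entries
        if c.get("proto") == "tcp"
        and c.get("id.orig_h") == orig_h
        and c.get("id.resp_h") == resp_h
        and c.get("id.resp_p") == resp_p
    ]


if __name__ == "__main__":
    endpoint = expected_data_channel(load(FTP_LOG)[0])
    for c in find_data_channel(load(CONN_LOG), endpoint):
        print(endpoint, c["uid"], c["service"], c["resp_bytes"], "bytes")
```

For the EPSV entry above this yields the endpoint (192.168.4.76, 196.216.2.24, 31746, passive) and matches only the ftp-data connection CzLMFA3Eh8KBlY4kS7, not the control channel on port 21. Note that the data_channel.* fields Zeek already writes into ftp.log give the same answer for passive transfers; the parsing here is useful when you only have the raw reply text, as in the tcpflow transcript.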

Conclusion

FTP is still in use, despite the fact that encrypted alternatives abound. Zeek’s ftp.log provides a compact way to summarize the salient features of an FTP control channel, pointing out details of the control activity and how to locate the data channel.

ssl.log

In the section discussing the http.log, we noted that most HTTP traffic is now encrypted and transmitted as HTTPS. Zeek does not create an https.log, because Zeek (or any other network inspection tool, for that matter) cannot natively recognize HTTP when it is encrypted as HTTPS.

HTTPS is most often encrypted using Transport Layer Security (TLS), which presents many variants in live traffic. Zeek parses TLS traffic and records its findings in the ssl.log. SSL refers to Secure Sockets Layer, an obsolete predecessor to TLS.

TLS is not restricted to encrypting HTTPS, however. Many other protocols use TLS to encrypt their contents, including Simple Mail Transfer Protocol (SMTP).

Remember that to see the meaning of each field in the ssl.log, check SSL::Info.

Reviewing TLS Versions Seen on the Network

To get an idea of the sorts of TLS traffic running in my network, I ran the following command to search hundreds of days of Zeek ssl.log entries:

$ for i in `find . -name 'ssl*.log.gz'`; do zcat $i; done | jq '[."version"]' | grep -v "\]" | grep -v "\[" | sort -n | uniq -c | sort -rn
11279341   "TLSv12"
2877117   "TLSv13"
 303084   "unknown-64282"
 198154   null
  23181   "TLSv10"
   5756   "TLSv11"
    348   "DTLSv12"
     78   "DTLSv10"

TLS 1.0 and 1.1 are obsolete. TLS 1.2 and 1.3 are common, with 1.3 gaining ground on 1.2. DTLS is a variant used to encrypt UDP traffic. unknown-64282 is apparently a Facebook-created variant of TLS 1.3. Almost 20,000 connections advertised no TLS version, but were recognized by Zeek as some form of TLS.

To try to see what protocols the TLS might be encrypting, I ran the following command to search 10 days of Zeek ssl.log entries:

$ for i in `find ./2020-08-1* -name 'ssl*.log.gz'`; do zcat $i; done | jq -c '[."version", ."next_protocol"]' | sort -n | uniq -c | sort -rn
246868 ["TLSv12",null]
144291 ["TLSv13",null]
 86708 ["TLSv12","http/1.1"]
 85082 ["TLSv12","h2"]
  8450 ["unknown-64282",null]
  1966 [null,null]
   722 ["TLSv12","apns-pack-v1:4096:4096"]
   504 ["TLSv10",null]
   234 ["TLSv10","http/1.1"]
   154 ["TLSv12","grpc-exp"]
    83 ["TLSv11",null]
    13 ["DTLSv12",null]

HTTP/1.1 is obviously HTTP. The h2 entry refers to the newer HTTP/2 protocol. The apns-pack-v1:4096:4096 entry appears to refer to Apple Push Notification Service, which utilizes Application Layer Protocol Negotiation (ALPN), a TLS extension. The grpc-exp entry appears to refer to another ALPN method that uses the gRPC remote procedure call (RPC) library.

Having taken this brief look at the types of TLS traffic one might find in a network, it’s time to look at a sample connection that generates an ssl.log entry.

Preparing to Inspect the ssl.log

To generate network traffic that uses TLS encryption, I retrieved the index page of https://www.taosecurity.com using curl.

After processing the traffic with Zeek, I had several log files to analyze. First let’s look at the conn.log. We will focus on the Web session itself, and not related traffic like any DNS lookups required to resolve the hostname to an IP address.

{
  "ts": 1598377391.716515,
  "uid": "CsukF91Bx9mrqdEaH9",
  "id.orig_h": "192.168.4.49",
  "id.orig_p": 56718,
  "id.resp_h": "13.32.202.10",
  "id.resp_p": 443,
  "proto": "tcp",
  "service": "ssl",
  "duration": 0.497269868850708,
  "orig_bytes": 929,
  "resp_bytes": 31113,
  "conn_state": "SF",
  "missed_bytes": 0,
  "history": "ShADadfF",
  "orig_pkts": 37,
  "orig_ip_bytes": 2861,
  "resp_pkts": 34,
  "resp_ip_bytes": 32889
}

We have a client, 192.168.4.49, interacting with a server, 13.32.202.10, offering an encrypted service on port 443 TCP. Zeek reports this as ssl, but that is a generic term that applies to TLS as well. We can use the connection identifier, CsukF91Bx9mrqdEaH9, to find associated Zeek logs.

Inspecting the ssl.log When TLS 1.2 Applies

Using the connection identifier, we find the associated ssl.log entry for this conversation.

{
  "ts": 1598377391.921726,
  "uid": "CsukF91Bx9mrqdEaH9",
  "id.orig_h": "192.168.4.49",
  "id.orig_p": 56718,
  "id.resp_h": "13.32.202.10",
  "id.resp_p": 443,
  "version": "TLSv12",
  "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
  "curve": "secp256r1",
  "server_name": "www.taosecurity.com",
  "resumed": false,
  "next_protocol": "h2",
  "established": true,
  "cert_chain_fuids": [
    "F2XEvj1CahhdhtfvT4",
    "FZ7ygD3ERPfEVVohG9",
    "F7vklpOKI4yX9wmvh",
    "FAnbnR32nIIr2j9XV"
  ],
  "client_cert_chain_fuids": [],
  "subject": "CN=www.taosecurity.com",
  "issuer": "CN=Amazon,OU=Server CA 1B,O=Amazon,C=US"
}

This is a rich log entry that tells us a lot about the connection. We see that the server and client agree to speak TLS 1.2, with the designated cipher suite and elliptic curve. The server name, www.taosecurity.com appears, which matches the subject of the certificate presented by the Web server. We can see that Amazon issued the certificate. The next protocol involved was HTTP/2, as the next_protocol field lists h2. Zeek provides file identifiers for the four certificates that the server presented to the client. The client did not present any certificates to the server.

We will use the certificate information when we look at the next log in our series, the x509.log.

Inspecting the ssl.log When TLS 1.3 Applies

The last section showed Zeek’s ssl.log when visiting a server that negotiated a TLS 1.2 connection. The following example shows how the situation changes when the parties use TLS 1.3.

To generate the traffic, I used curl with a switch to try TLS 1.3 encryption.

$ curl -v --tlsv1.3 https://www.taosecurity.com

curl provided the following, in addition to the content of the Web site:

* Connected to www.taosecurity.com (13.32.202.2) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: C:\ProgramData\chocolatey\lib\curl\tools\curl-7.72.0-win64-mingw\bin\curl-ca-bundle.crt
  CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [19 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [4880 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [36 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [36 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=www.taosecurity.com
*  start date: Jun  1 00:00:00 2020 GMT
*  expire date: Jul  1 12:00:00 2021 GMT
*  subjectAltName: host "www.taosecurity.com" matched cert's "www.taosecurity.com"
*  issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x1f9ff0c7600)
} [5 bytes data]
> GET / HTTP/2
> Host: www.taosecurity.com
> user-agent: curl/7.72.0
> accept: */*
>
{ [5 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
} [5 bytes data]
< HTTP/2 200
< content-type: text/html
< content-length: 28708
< date: Tue, 01 Sep 2020 18:07:59 GMT
< last-modified: Tue, 01 Sep 2020 14:36:01 GMT
< etag: "9a6a530f507d79ba54daa5872b3cad22"
< accept-ranges: bytes
< server: AmazonS3
< vary: Accept-Encoding
< x-cache: Miss from cloudfront
< via: 1.1 c09a013ad199e52fd50ddc5543a72f45.cloudfront.net (CloudFront)
< x-amz-cf-pop: IAD66-C1
< x-amz-cf-id: wXc1bcKla5qIePZ29LBk1fgATzgf1jLYiRvSmnyZcb7Q1eB_ZJSbaA==
<
{ [16032 bytes data]

Note that the certificate details are visible here, because we are looking from the perspective of the Web client, not a passive network observation system.

Here is the conn.log:

{
  "ts": 1598983678.546522,
  "uid": "CcJfBs3hXLJn7oHVu7",
  "id.orig_h": "192.168.4.142",
  "id.orig_p": 58802,
  "id.resp_h": "13.32.202.2",
  "id.resp_p": 443,
  "proto": "tcp",
  "service": "ssl",
  "duration": 0.13053107261657715,
  "orig_bytes": 831,
  "resp_bytes": 34650,
  "conn_state": "SF",
  "missed_bytes": 0,
  "history": "ShADadFf",
  "orig_pkts": 17,
  "orig_ip_bytes": 1523,
  "resp_pkts": 30,
  "resp_ip_bytes": 35862
}

Here is the ssl.log:

{
  "ts": 1598983678.585087,
  "uid": "CcJfBs3hXLJn7oHVu7",
  "id.orig_h": "192.168.4.142",
  "id.orig_p": 58802,
  "id.resp_h": "13.32.202.2",
  "id.resp_p": 443,
  "version": "TLSv13",
  "cipher": "TLS_AES_128_GCM_SHA256",
  "curve": "x25519",
  "server_name": "www.taosecurity.com",
  "resumed": true,
  "established": true
}

Note that there is no mention of certificates in the ssl.log. TLS 1.3 hides these from passive observation systems. We are able to see the server name, www.taosecurity.com, however, as well as some information about the encryption used. These include the TLS version, the cipher, and the elliptic curve.

Inspecting the ssl.log When ESNI/ECH Applies

There is one more concern for an analyst working with the ssl.log.

Encrypted Server Name Indication (ESNI) and Encrypted Client Hello (ECH) are methods by which the Server Name Indication (SNI) field is no longer sent as plain text. The mechanics of this process are less important than the effects on Zeek ssl.log entries.

To generate traffic for this example, I used a modern version of Firefox, configured to support ESNI, and visited a Web site, https://only.esni.defo.ie/, that only accepts connections from systems supporting ESNI.

After processing the traffic with Zeek, I had the following logs.

First, I had two conn.log entries:

{"ts":1598631659.652789,"uid":"Cg9oVc87cdxWf5Dla","id.orig_h":"192.168.4.142","id.orig_p":63213,"id.resp_h":"185.24.233.103","id.resp_p":443,"proto":"tcp","service":"ssl","duration":5.702061891555786,"orig_bytes":1467,"resp_bytes":3160,"conn_state":"SF","missed_bytes":0,"history":"ShADadTtFf","orig_pkts":11,"orig_ip_bytes":2347,"resp_pkts":8,"resp_ip_bytes":4645}

{"ts":1598631659.331871,"uid":"Cixuvq2LQrbqxU4Y17","id.orig_h":"192.168.4.142","id.orig_p":63210,"id.resp_h":"185.24.233.103","id.resp_p":443,"proto":"tcp","service":"ssl","duration":6.023154020309448,"orig_bytes":2193,"resp_bytes":45269,"conn_state":"SF","missed_bytes":0,"history":"ShADadFf","orig_pkts":14,"orig_ip_bytes":2765,"resp_pkts":37,"resp_ip_bytes":46761}

Second, I had two ssl.log entries:

{
  "ts": 1598631659.431907,
  "uid": "Cixuvq2LQrbqxU4Y17",
  "id.orig_h": "192.168.4.142",
  "id.orig_p": 63210,
  "id.resp_h": "185.24.233.103",
  "id.resp_p": 443,
  "version": "TLSv13",
  "cipher": "TLS_AES_256_GCM_SHA384",
  "curve": "x25519",
  "resumed": true,
  "established": true
}
{
  "ts": 1598631659.752715,
  "uid": "Cg9oVc87cdxWf5Dla",
  "id.orig_h": "192.168.4.142",
  "id.orig_p": 63213,
  "id.resp_h": "185.24.233.103",
  "id.resp_p": 443,
  "version": "TLSv13",
  "cipher": "TLS_AES_256_GCM_SHA384",
  "curve": "x25519",
  "resumed": true,
  "established": true
}

As you can see, there is no identifying information in the ssl.log here. There are no certificate identifier entries either, although we will talk about that log type in the next section. As the visit to https://only.esni.defo.ie/ also used DNS over HTTPS (DoH), there is no DNS record showing the identity of the remote server, as might be revealed in a conventional DNS request and response.

As you might expect, this situation concerns some network security monitoring practitioners because of the loss of visibility, and because of the opportunity it gives intruders to leverage ESNI-enabled servers and DoH-enabled clients to evade inspection.

Leveraging JA3 and JA3S

JA3 and JA3S are mechanisms to profile the TLS implementations on clients and servers, respectively. These are clever tools to tell analysts more about each end of a connection. To learn more, see the following project page:

https://github.com/salesforce/ja3

When running Zeek with the JA3 and JA3S packages, the scripts will append data to the ssl.log as follows.

In the first example, a Web client (curl) connects to the Google Web site using TLS 1.3. The ssl.log shows the following entry.

{
  "ts": "2020-09-16T14:01:26.194646Z",
  "uid": "CH3QeG4kCxFL8eZrs1",
  "id.orig_h": "192.168.4.37",
  "id.orig_p": 58842,
  "id.resp_h": "172.217.15.100",
  "id.resp_p": 443,
  "version": "TLSv13",
  "cipher": "TLS_AES_256_GCM_SHA384",
  "curve": "x25519",
  "server_name": "www.google.com",
  "resumed": true,
  "established": true,
  "ja3": "3830b2a4fbcea64e74db382e467f5b3b",
  "ja3s": "907bf3ecef1c987c889946b737b43de8"
}

Zeek computes the JA3 (client) and JA3S (server) hashes as shown.

In the second example, the same Web client connects to the Corelight Web site.

{
  "ts": "2020-09-16T13:58:21.878466Z",
  "uid": "CtbyI4sDwTIPROUv6",
  "id.orig_h": "192.168.4.37",
  "id.orig_p": 49572,
  "id.resp_h": "99.86.230.78",
  "id.resp_p": 443,
  "version": "TLSv13",
  "cipher": "TLS_AES_128_GCM_SHA256",
  "curve": "x25519",
  "server_name": "www.corelight.com",
  "resumed": true,
  "established": true,
  "ja3": "3830b2a4fbcea64e74db382e467f5b3b",
  "ja3s": "f4febc55ea12b31ae17cfb7e614afda8"
}

The JA3 (client) hash has stayed the same, but the JA3S (server) hash has changed.

In the third example, the same Web client connects to the TaoSecurity Web site.

{
  "ts": "2020-09-16T13:54:57.033503Z",
  "uid": "CXc63QyS40XspAmcd",
  "id.orig_h": "192.168.4.37",
  "id.orig_p": 41608,
  "id.resp_h": "99.84.222.6",
  "id.resp_p": 443,
  "version": "TLSv13",
  "cipher": "TLS_AES_128_GCM_SHA256",
  "curve": "x25519",
  "server_name": "www.taosecurity.com",
  "resumed": true,
  "established": true,
  "ja3": "0bae189478c11bed9d6259ae0ffc9493",
  "ja3s": "f4febc55ea12b31ae17cfb7e614afda8"
}

This is an odd result. The JA3 (client) hash has changed, but the JA3S (server) hash has stayed the same. I can explain the server hash staying the same by noting that both the Corelight and TaoSecurity Web sites appear to be hosted by Amazon, meaning the Web servers providing each site are offering the same TLS parameters.

However, I would have expected the JA3 (client) hash to have been the same as the previous two examples. I repeated the connection and got the same JA3 and JA3S hashes.
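To make the derivation concrete, here is an added Python example (not code from the Zeek documentation or from the ja3 package) that builds the JA3 and JA3S input strings from hello-message field values the way the published algorithm defines them and hashes them with MD5. The ClientHello and ServerHello values are constructed for illustration and are not taken from the curl sessions above; the GREASE table is from RFC 8701. The Zeek ja3 package builds the same strings from the ClientHello and ServerHello it parses.

```python
import hashlib

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ..., 0xfafa. Clients may insert random ones into
# their cipher, extension and group lists, so JA3 drops them before hashing; otherwise a
# browser would get a different fingerprint on every connection.
GREASE = {(b << 8) | b for b in range(0x0A, 0x100, 0x10)}


def _field(values):
    """Join one JA3 field with '-' after stripping GREASE values (empty list -> empty field)."""
    return "-".join(str(v) for v in values if v not in GREASE)


def ja3_string(version, ciphers, extensions, curves, point_formats):
    """JA3 input: SSLVersion,Cipher,SSLExtension,EllipticCurve,EllipticCurvePointFormat.

    Every value is the decimal form of the ClientHello wire value, in the order the client
    sent it. Point formats are one byte wide, so the GREASE filter never removes any of them.
    """
    return ",".join([str(version), _field(ciphers), _field(extensions),
                     _field(curves), _field(point_formats)])


def ja3s_string(version, cipher, extensions):
    """JA3S input: SSLVersion,Cipher,SSLExtension from the ServerHello (the one chosen cipher)."""
    return ",".join([str(version), str(cipher), _field(extensions)])


def fingerprint(s):
    """The JA3/JA3S hash is the MD5 of the ASCII input string; MD5 is an identifier here, not a security primitive."""
    return hashlib.md5(s.encode("ascii")).hexdigest()


# Constructed ClientHello values (decimal) with GREASE entries 0x1a1a, 0x0a0a and 0x2a2a mixed in.
CLIENT_HELLO = {
    "version": 771,                       # 0x0303: legacy_version TLS 1.2, also sent by TLS 1.3 clients
    "ciphers": [0x1A1A, 4865, 4866, 4867, 49195, 49199],
    "extensions": [0x0A0A, 0, 23, 65281, 10, 11, 35, 16, 5, 13, 51, 45, 43],
    "curves": [0x2A2A, 29, 23, 24],
    "point_formats": [0],
}

# Constructed ServerHello answering it: TLS 1.3 chosen (43 = supported_versions, 51 = key_share).
SERVER_HELLO = {"version": 771, "cipher": 4865, "extensions": [43, 51]}


def ja3(hello):
    return fingerprint(ja3_string(hello["version"], hello["ciphers"], hello["extensions"],
                                  hello["curves"], hello["point_formats"]))


def ja3s(hello):
    return fingerprint(ja3s_string(hello["version"], hello["cipher"], hello["extensions"]))


if __name__ == "__main__":
    print(ja3_string(**CLIENT_HELLO))
    print("ja3 ", ja3(CLIENT_HELLO))
    print("ja3s", ja3s(SERVER_HELLO))
```

Two hellos that differ only in their GREASE values hash identically, which is why the filter matters. Keep in mind that the fingerprint characterizes the TLS library and its configuration, not the application on top of it, and that two different tools built on the same library with the same settings will share a JA3.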

Conclusion

This section showed that the default ssl.log provides several details of interest to defenders, even when inspecting encrypted traffic. As administrators and intruders deploy newer encryption technologies, however, defenders will find it increasingly difficult to differentiate among normal, suspicious, and malicious traffic.

x509.log

In the last section we looked at Zeek’s ssl.log, a source which offered details on TLS connections. In this section we will look at an associated source, Zeek’s x509.log. The x509.log captures details on certificates exchanged during certain TLS negotiations. We will compare sessions using TLS 1.2 and TLS 1.3.

For details on all of the fields in the x509.log, please refer to X509::Info.

Inspecting the x509.log When TLS 1.2 Applies

In the following example, we return to the traffic generated by curl using TLS 1.2. For reference, here is the ssl.log entry for that activity.

{
  "ts": 1598377391.921726,
  "uid": "CsukF91Bx9mrqdEaH9",
  "id.orig_h": "192.168.4.49",
  "id.orig_p": 56718,
  "id.resp_h": "13.32.202.10",
  "id.resp_p": 443,
  "version": "TLSv12",
  "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
  "curve": "secp256r1",
  "server_name": "www.taosecurity.com",
  "resumed": false,
  "next_protocol": "h2",
  "established": true,
  "cert_chain_fuids": [
    "F2XEvj1CahhdhtfvT4",
    "FZ7ygD3ERPfEVVohG9",
    "F7vklpOKI4yX9wmvh",
    "FAnbnR32nIIr2j9XV"
  ],
  "client_cert_chain_fuids": [],
  "subject": "CN=www.taosecurity.com",
  "issuer": "CN=Amazon,OU=Server CA 1B,O=Amazon,C=US"
}

This ssl.log entry mentions four cert_chain_fuids, or certificate identifiers. We see each of them in the following entries in the corresponding x509.log data:

{
  "ts": 1598377391.938343,
  "id": "F2XEvj1CahhdhtfvT4",
  "certificate.version": 3,
  "certificate.serial": "0B58BC3898391F36592BA1BE1F6B03EF",
  "certificate.subject": "CN=www.taosecurity.com",
  "certificate.issuer": "CN=Amazon,OU=Server CA 1B,O=Amazon,C=US",
  "certificate.not_valid_before": 1590969600,
  "certificate.not_valid_after": 1625140800,
  "certificate.key_alg": "rsaEncryption",
  "certificate.sig_alg": "sha256WithRSAEncryption",
  "certificate.key_type": "rsa",
  "certificate.key_length": 2048,
  "certificate.exponent": "65537",
  "san.dns": [
    "www.taosecurity.com",
    "taosecurity.com",
    "*.taosecurity.com"
  ],
  "basic_constraints.ca": false
}
{
  "ts": 1598377391.938343,
  "id": "FZ7ygD3ERPfEVVohG9",
  "certificate.version": 3,
  "certificate.serial": "067F94578587E8AC77DEB253325BBC998B560D",
  "certificate.subject": "CN=Amazon,OU=Server CA 1B,O=Amazon,C=US",
  "certificate.issuer": "CN=Amazon Root CA 1,O=Amazon,C=US",
  "certificate.not_valid_before": 1445472000,
  "certificate.not_valid_after": 1760832000,
  "certificate.key_alg": "rsaEncryption",
  "certificate.sig_alg": "sha256WithRSAEncryption",
  "certificate.key_type": "rsa",
  "certificate.key_length": 2048,
  "certificate.exponent": "65537",
  "basic_constraints.ca": true,
  "basic_constraints.path_len": 0
}
{
  "ts": 1598377391.938343,
  "id": "F7vklpOKI4yX9wmvh",
  "certificate.version": 3,
  "certificate.serial": "067F944A2A27CDF3FAC2AE2B01F908EEB9C4C6",
  "certificate.subject": "CN=Amazon Root CA 1,O=Amazon,C=US",
  "certificate.issuer": "CN=Starfield Services Root Certificate Authority - G2,O=Starfield Technologies\\, Inc.,L=Scottsdale,ST=Arizona,C=US",
  "certificate.not_valid_before": 1432555200,
  "certificate.not_valid_after": 2145834000,
  "certificate.key_alg": "rsaEncryption",
  "certificate.sig_alg": "sha256WithRSAEncryption",
  "certificate.key_type": "rsa",
  "certificate.key_length": 2048,
  "certificate.exponent": "65537",
  "basic_constraints.ca": true
}
{
  "ts": 1598377391.938343,
  "id": "FAnbnR32nIIr2j9XV",
  "certificate.version": 3,
  "certificate.serial": "A70E4A4C3482B77F",
  "certificate.subject": "CN=Starfield Services Root Certificate Authority - G2,O=Starfield Technologies\\, Inc.,L=Scottsdale,ST=Arizona,C=US",
  "certificate.issuer": "OU=Starfield Class 2 Certification Authority,O=Starfield Technologies\\, Inc.,C=US",
  "certificate.not_valid_before": 1251849600,
  "certificate.not_valid_after": 2035129156,
  "certificate.key_alg": "rsaEncryption",
  "certificate.sig_alg": "sha256WithRSAEncryption",
  "certificate.key_type": "rsa",
  "certificate.key_length": 2048,
  "certificate.exponent": "65537",
  "basic_constraints.ca": true
}

These four certificates offer a lot of detail for defensive teams. Defenders can search their data repositories for values that appear in other certificates, perhaps identifying associations among intruder activity patterns.

Inspecting the x509.log When TLS 1.3 Applies

In the following example, we return to the traffic generated by curl using TLS 1.3. For reference, here is the ssl.log entry for that activity.

{
  "ts": 1598983678.585087,
  "uid": "CcJfBs3hXLJn7oHVu7",
  "id.orig_h": "192.168.4.142",
  "id.orig_p": 58802,
  "id.resp_h": "13.32.202.2",
  "id.resp_p": 443,
  "version": "TLSv13",
  "cipher": "TLS_AES_128_GCM_SHA256",
  "curve": "x25519",
  "server_name": "www.taosecurity.com",
  "resumed": true,
  "established": true
}

Notice that we see no reference to file identifiers for certificates, and consequently no subject or issuer. That means there are no x509.log entries for this TLS 1.3 session! (The section title was a bit of a trick question.) In TLS 1.3 the server sends its Certificate message after the key exchange, encrypted, so a passive observer never sees it; here the session was also resumed (resumed: true), in which case the server need not send a certificate at all.

Remember from the previous material that when ESNI or ECH are in play, the server name field in the ssl.log is also missing.
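The join between ssl.log and x509.log, and the two ways it can come up empty (no certificate chain under TLS 1.3, no server_name under ESNI), can be checked mechanically. The following is an added Python example, not part of the Zeek documentation, that reads trimmed copies of the ssl.log and x509.log entries from this section (plus the TLS 1.3 curl session and one of the ESNI sessions from the ssl.log section) as newline-delimited JSON, follows cert_chain_fuids into x509.log, and reports chain breaks, certificates outside their validity window, a leaf that does not cover the server_name, and sessions with no visible chain or no server_name. The checks and the wildcard rule are this example’s own simplifications of RFC 5280 and RFC 6125 behaviour, not Zeek’s validation logic, and it does not verify signatures, which the fields in x509.log alone cannot support.

```python
import json

# Trimmed copies of the ssl.log and x509.log entries shown in this section, plus the
# TLS 1.3 curl session and one ESNI session from the ssl.log section, as NDJSON.
SSL_LOG = r'''
{"ts":1598377391.921726,"uid":"CsukF91Bx9mrqdEaH9","version":"TLSv12","server_name":"www.taosecurity.com","resumed":false,"cert_chain_fuids":["F2XEvj1CahhdhtfvT4","FZ7ygD3ERPfEVVohG9","F7vklpOKI4yX9wmvh","FAnbnR32nIIr2j9XV"]}
{"ts":1598983678.585087,"uid":"CcJfBs3hXLJn7oHVu7","version":"TLSv13","server_name":"www.taosecurity.com","resumed":true}
{"ts":1598631659.431907,"uid":"Cixuvq2LQrbqxU4Y17","version":"TLSv13","resumed":true}
'''
X509_LOG = r'''
{"id":"F2XEvj1CahhdhtfvT4","certificate.subject":"CN=www.taosecurity.com","certificate.issuer":"CN=Amazon,OU=Server CA 1B,O=Amazon,C=US","certificate.not_valid_before":1590969600,"certificate.not_valid_after":1625140800,"san.dns":["www.taosecurity.com","taosecurity.com","*.taosecurity.com"],"basic_constraints.ca":false}
{"id":"FZ7ygD3ERPfEVVohG9","certificate.subject":"CN=Amazon,OU=Server CA 1B,O=Amazon,C=US","certificate.issuer":"CN=Amazon Root CA 1,O=Amazon,C=US","certificate.not_valid_before":1445472000,"certificate.not_valid_after":1760832000,"basic_constraints.ca":true,"basic_constraints.path_len":0}
{"id":"F7vklpOKI4yX9wmvh","certificate.subject":"CN=Amazon Root CA 1,O=Amazon,C=US","certificate.issuer":"CN=Starfield Services Root Certificate Authority - G2,O=Starfield Technologies\\, Inc.,L=Scottsdale,ST=Arizona,C=US","certificate.not_valid_before":1432555200,"certificate.not_valid_after":2145834000,"basic_constraints.ca":true}
{"id":"FAnbnR32nIIr2j9XV","certificate.subject":"CN=Starfield Services Root Certificate Authority - G2,O=Starfield Technologies\\, Inc.,L=Scottsdale,ST=Arizona,C=US","certificate.issuer":"OU=Starfield Class 2 Certification Authority,O=Starfield Technologies\\, Inc.,C=US","certificate.not_valid_before":1251849600,"certificate.not_valid_after":2035129156,"basic_constraints.ca":true}
'''


def load_ndjson(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def san_matches(name, san_list):
    """Does server_name fall under one of the leaf's SAN dNSNames?

    A leading wildcard covers exactly one label: www.example.com matches *.example.com,
    while example.com and a.b.example.com do not (this example's reading of RFC 6125).
    """
    name = name.lower()
    for san in san_list:
        san = san.lower()
        if san.startswith("*."):
            if name.endswith(san[1:]) and name.count(".") == san.count("."):
                return True
        elif san == name:
            return True
    return False


def check_session(ssl_rec, x509_by_id):
    """Findings for one ssl.log record after joining its cert_chain_fuids into x509.log."""
    findings = []
    fuids = ssl_rec.get("cert_chain_fuids", [])
    if not fuids:
        # TLS 1.3 encrypts the Certificate message and a resumed session may carry none
        # at all, so there is nothing to join; record the lost visibility instead.
        findings.append("no certificate chain visible (version=%s, resumed=%s)"
                        % (ssl_rec.get("version"), ssl_rec.get("resumed")))
    if "server_name" not in ssl_rec:
        findings.append("no server_name in ClientHello (ESNI/ECH, or no SNI sent)")
    chain = [x509_by_id[f] for f in fuids if f in x509_by_id]
    if len(chain) != len(fuids):
        findings.append("x509.log is missing %d of %d certificates" % (len(fuids) - len(chain), len(fuids)))
    ts = ssl_rec["ts"]
    for i, cert in enumerate(chain):
        subject = cert["certificate.subject"]
        if not cert["certificate.not_valid_before"] <= ts <= cert["certificate.not_valid_after"]:
            findings.append("certificate outside its validity window: %s" % subject)
        is_ca = cert.get("basic_constraints.ca", False)
        if i == 0 and is_ca:
            findings.append("leaf certificate is marked as a CA: %s" % subject)
        if i > 0 and not is_ca:
            findings.append("non-CA certificate used as an issuer: %s" % subject)
        if i + 1 < len(chain) and cert["certificate.issuer"] != chain[i + 1]["certificate.subject"]:
            findings.append("chain break: %s is not issued by %s" % (subject, chain[i + 1]["certificate.subject"]))
    if chain and "server_name" in ssl_rec and not san_matches(ssl_rec["server_name"], chain[0].get("san.dns", [])):
        findings.append("server_name %s is not covered by the leaf SAN" % ssl_rec["server_name"])
    return findings


def triage(ssl_text, x509_text):
    x509_by_id = {r["id"]: r for r in load_ndjson(x509_text)}
    return {r["uid"]: check_session(r, x509_by_id) for r in load_ndjson(ssl_text)}


if __name__ == "__main__":
    for uid, findings in triage(SSL_LOG, X509_LOG).items():
        print(uid, findings or ["ok"])
```

Run against the entries above, the TLS 1.2 session passes every structural check, the TLS 1.3 curl session is flagged only for its missing chain, and the ESNI session is flagged for both the missing chain and the missing server_name, which is the visibility gap the previous sections describe.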

Conclusion

This section showed that the default x509.log provides several details of interest to defenders, even when inspecting encrypted traffic. As administrators and intruders deploy newer encryption technologies, however, defenders will find it increasingly difficult to differentiate among normal, suspicious, and malicious traffic.

smtp.log

In the section discussing the http.log, we noted that most HTTP traffic is now encrypted and transmitted as HTTPS. We face a similar situation with Simple Mail Transfer Protocol (SMTP). For a protocol with “simple” in its name, modern instantiations of SMTP are surprisingly complex.

For the purpose of this article, it’s sufficient to recognize that a mail user agent (MUA) seeking to submit email via SMTP will contact a mail submission agent (MSA). Modern implementations use port 587 TCP, where the session starts in clear text and the client upgrades it to TLS with the STARTTLS command, or port 465 TCP, where TLS is negotiated immediately (implicit TLS). Port 25 TCP is the traditional server-to-server relay port; sessions there are clear text unless STARTTLS is negotiated.

Because SMTP traffic on ports 587 and 465 TCP is encrypted, we will not see individual emails when observing traffic on those ports. This section will demonstrate how Zeek reports on email traffic using ports 25, 465, and 587 TCP.

Remember that to see the meaning of each field in the smtp.log, check SMTP::Info.

Inspecting SMTP Traffic

The following is a capture of an SMTP session retrieved from an online packet capture database. I have reconstructed the session using tcpflow and edited it to remove material not necessary to make my point.

SMTP server: 220-xc90.websitewelcome.com ESMTP Exim 4.69 #1 Mon, 05 Oct 2009 01:05:54 -0500
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.

SMTP client: EHLO GP

SMTP server: 250-xc90.websitewelcome.com Hello GP [122.162.143.157]
250-SIZE 52428800
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP

SMTP client: AUTH LOGIN

SMTP server: 334 VXNlcm5hbWU6

SMTP client: Z3VycGFydGFwQHBhdHJpb3RzLmlu

SMTP server: 334 UGFzc3dvcmQ6

SMTP client: cHVuamFiQDEyMw==

SMTP server: 235 Authentication succeeded

SMTP client: MAIL FROM: <gurpartap@patriots.in>

SMTP server: 250 OK

SMTP client: RCPT TO: <raj_deol2002in@yahoo.co.in>

SMTP server: 250 Accepted

SMTP client: DATA

SMTP server: 354 Enter message, ending with "." on a line by itself

SMTP client: From: "Gurpartap Singh" <gurpartap@patriots.in>
To: <raj_deol2002in@yahoo.co.in>
Subject: SMTP
Date: Mon, 5 Oct 2009 11:36:07 +0530
Message-ID: <000301ca4581$ef9e57f0$cedb07d0$@in>
MIME-Version: 1.0
Content-Type: multipart/mixed;
.boundary="----=_NextPart_000_0004_01CA45B0.095693F0"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcpFgem9BvjjZEDeR1Kh8i+hUyVo0A==
Content-Language: en-us
x-cr-hashedpuzzle: SeA= AAR2 ADaH BpiO C4G1 D1gW FNB1 FPkR Fn+W HFCP HnYJ JO7s Kum6 KytW LFcI LjUt;1;cgBhAGoAXwBkAGUAbwBsADIAMAAwADIAaQBuAEAAeQBhAGgAbwBvAC4AYwBvAC4AaQBuAA==;Sosha1_v1;7;{CAA37F59-1850-45C7-8540-AA27696B5398};ZwB1AHIAcABhAHIAdABhAHAAQABwAGEAdAByAGkAbwB0AHMALgBpAG4A;Mon, 05 Oct 2009 06:06:01 GMT;UwBNAFQAUAA=
x-cr-puzzleid: {CAA37F59-1850-45C7-8540-AA27696B5398}

This is a multipart message in MIME format.

------=_NextPart_000_0004_01CA45B0.095693F0
Content-Type: multipart/alternative;
.boundary="----=_NextPart_001_0005_01CA45B0.095693F0"


------=_NextPart_001_0005_01CA45B0.095693F0
Content-Type: text/plain;
.charset="us-ascii"
Content-Transfer-Encoding: 7bit

Hello



I send u smtp pcap file

Find the attachment



GPS


------=_NextPart_001_0005_01CA45B0.095693F0
Content-Type: text/html;
.charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microso
SMTP client: ft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" =
xmlns=3D"http://www.w3.org/TR/REC-html40">

<head>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">
<meta name=3DGenerator content=3D"Microsoft Word 12 (filtered medium)">
<style>
<!--
 /* Font Definitions */
 @font-face
...edited...
  <o:idmap v:ext=3D"edit" data=3D"1" />
 </o:shapelayout></xml><![endif]-->
</head>

<body lang=3DEN-US link=3Dblue vlink=3Dpurple>

<div class=3DSection1>
SMTP client:

<p class=3DMsoNormal>Hello<o:p></o:p></p>

<p class=3DMsoNormal><o:p>&nbsp;</o:p></p>

<p class=3DMsoNormal>I send u smtp pcap file <o:p></o:p></p>

<p class=3DMsoNormal>Find the attachment<o:p></o:p></p>

<p class=3DMsoNormal><o:p>&nbsp;</o:p></p>

<p class=3DMsoNormal>GPS<o:p></o:p></p>

</div>

</body>

</html>

------=_NextPart_001_0005_01CA45B0.095693F0--

------=_NextPart_000_0004_01CA45B0.095693F0
Content-Type: text/plain;
.name="NEWS.txt"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
.filename="NEWS.txt"

Version 4.9.9.1
* Many bug fixes
* Improved editor
...edited...
SMTP client: From: "Gurpartap Singh" <gurpartap@patriots.in>
To: <raj_deol2002in@yahoo.co.in>
Subject: SMTP
Date: Mon, 5 Oct 2009 11:36:07 +0530
Message-ID: <000301ca4581$ef9e57f0$cedb07d0$@in>
MIME-Version: 1.0
Content-Type: multipart/mixed;
.boundary="----=_NextPart_000_0004_01CA45B0.095693F0"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcpFgem9BvjjZEDeR1Kh8i+hUyVo0A==
Content-Language: en-us
x-cr-hashedpuzzle: SeA= AAR2 ADaH BpiO C4G1 D1gW FNB1 FPkR Fn+W HFCP HnYJ JO7s Kum6 KytW LFcI LjUt;1;cgBhAGoAXwBkAGUAbwBsADIAMAAwADIAaQBuAEAAeQBhAGgAbwBvAC4AYwBvAC4AaQBuAA==;Sosha1_v1;7;{CAA37F59-1850-45C7-8540-AA27696B5398};ZwB1AHIAcABhAHIAdABhAHAAQABwAGEAdAByAGkAbwB0AHMALgBpAG4A;Mon, 05 Oct 2009 06:06:01 GMT;UwBNAFQAUAA=
x-cr-puzzleid: {CAA37F59-1850-45C7-8540-AA27696B5398}

This is a multipart message in MIME format.

------=_NextPart_000_0004_01CA45B0.095693F0
Content-Type: multipart/alternative;
.boundary="----=_NextPart_001_0005_01CA45B0.095693F0"


------=_NextPart_001_0005_01CA45B0.095693F0
Content-Type: text/plain;
.charset="us-ascii"
Content-Transfer-Encoding: 7bit

Hello



I send u smtp pcap file

Find the attachment



GPS


------=_NextPart_001_0005_01CA45B0.095693F0
Content-Type: text/html;
.charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas
SMTP client: -microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" =
xmlns=3D"http://www.w3.org/TR/REC-html40">

<head>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">
<meta name=3DGenerator content=3D"Microsoft Word 12 (filtered medium)">
<style>
...edited...
  <o:idmap v:ext=3D"edit" data=3D"1" />
 </o:shapelayout></xml><![endif]-->
</head>

<body lang=3DEN-US link=3Dblue vlink=3Dpurple>

<div cl
SMTP client: ass=3DSection1>

<p class=3DMsoNormal>Hello<o:p></o:p></p>

<p class=3DMsoNormal><o:p>&nbsp;</o:p></p>

<p class=3DMsoNormal>I send u smtp pcap file <o:p></o:p></p>

<p class=3DMsoNormal>Find the attachment<o:p></o:p></p>

<p class=3DMsoNormal><o:p>&nbsp;</o:p></p>

<p class=3DMsoNormal>GPS<o:p></o:p></p>

</div>

</body>

</html>

------=_NextPart_001_0005_01CA45B0.095693F0--

------=_NextPart_000_0004_01CA45B0.095693F0
Content-Type: text/plain;
.name="NEWS.txt"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
.filename="NEWS.txt"

Version 4.9.9.1
* Many bug fixes
* Improved editor
...edited...
* Allow user to specify an alternate configuration file in Environment =
Options=20
...edited...
Version 4.9.4.1 (5.0 beta 4.1):

* back to gcc 2.95.3
* Profiling support
* new update/packages checker (vUpdate)
* Lots of bugfixes

------=_NextPart_000_00
SMTP client: 04_01CA45B0.095693F0--

.

SMTP server: 250 OK id=1Mugho-0003Dg-Un

SMTP client: QUIT

SMTP server: 221 xc90.websitewelcome.com closing connection

Looking at this transcript, it appears that a single message, in both text and HTML formats and with Message-ID <000301ca4581$ef9e57f0$cedb07d0$@in>, was transmitted. It included an attachment that looks like the release notes for a piece of software. Let’s see what Zeek can make of this.

Inspecting the smtp.log

One of the best aspects of Zeek is making sense of all of the information present in a protocol that Zeek understands. Here is the entry from the smtp.log for the email shown above.

{
  "ts": 1254722768.219663,
  "uid": "C1qe8w3QHRF2N5tVV5",
  "id.orig_h": "10.10.1.4",
  "id.orig_p": 1470,
  "id.resp_h": "74.53.140.153",
  "id.resp_p": 25,
  "trans_depth": 1,
  "helo": "GP",
  "mailfrom": "gurpartap@patriots.in",
  "rcptto": [
    "raj_deol2002in@yahoo.co.in"
  ],
  "date": "Mon, 5 Oct 2009 11:36:07 +0530",
  "from": "\"Gurpartap Singh\" <gurpartap@patriots.in>",
  "to": [
    "<raj_deol2002in@yahoo.co.in>"
  ],
  "msg_id": "<000301ca4581$ef9e57f0$cedb07d0$@in>",
  "subject": "SMTP",
  "last_reply": "250 OK id=1Mugho-0003Dg-Un",
  "path": [
    "74.53.140.153",
    "10.10.1.4"
  ],
  "user_agent": "Microsoft Office Outlook 12.0",
  "tls": false,
  "fuids": [
    "Fel9gs4OtNEV6gUJZ5",
    "Ft4M3f2yMvLlmwtbq9",
    "FL9Y0d45OI4LpS6fmh"
  ]
}

The mailfrom, rcptto, from, and to fields are easy to see in this log output, as are the user_agent, the IP addresses involved in the transmission (path), and the msg_id. Note what is not here: the AUTH LOGIN exchange visible in the transcript carried the username and password base64-encoded, not encrypted, and those values do not appear in the smtp.log entry, so anyone hunting for credentials sent in the clear needs the packet capture or a custom script. Finally, Zeek provides three file identifiers that we can use to find associated extracted files, if any are present.
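What Zeek’s SMTP analyzer did with this exchange can be approximated in a few dozen lines. The following is an added Python example, not code from the Zeek project, that parses an abridged, hand-constructed form of the transcript above (server lines prefixed S:, client lines C:, the MIME body cut down to one line) into the same fields the smtp.log entry above carries, and additionally decodes the AUTH LOGIN exchange, which is base64 rather than encryption. The credentials it recovers are exactly the ones in the capture; a production detector would hash or redact them rather than store them.

```python
import base64
import re

# Abridged, hand-constructed transcript of the session shown above: server lines are
# prefixed "S:", client lines "C:"; the MIME body is reduced to a single line.
TRANSCRIPT = """\
S: 220 xc90.websitewelcome.com ESMTP Exim 4.69 #1 Mon, 05 Oct 2009 01:05:54 -0500
C: EHLO GP
S: 250-xc90.websitewelcome.com Hello GP [122.162.143.157]
S: 250-AUTH PLAIN LOGIN
S: 250-STARTTLS
S: 250 HELP
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: Z3VycGFydGFwQHBhdHJpb3RzLmlu
S: 334 UGFzc3dvcmQ6
C: cHVuamFiQDEyMw==
S: 235 Authentication succeeded
C: MAIL FROM: <gurpartap@patriots.in>
S: 250 OK
C: RCPT TO: <raj_deol2002in@yahoo.co.in>
S: 250 Accepted
C: DATA
S: 354 Enter message, ending with "." on a line by itself
C: From: "Gurpartap Singh" <gurpartap@patriots.in>
C: To: <raj_deol2002in@yahoo.co.in>
C: Subject: SMTP
C: Date: Mon, 5 Oct 2009 11:36:07 +0530
C: Message-ID: <000301ca4581$ef9e57f0$cedb07d0$@in>
C: X-Mailer: Microsoft Office Outlook 12.0
C:
C: Hello
C: .
S: 250 OK id=1Mugho-0003Dg-Un
C: QUIT
S: 221 xc90.websitewelcome.com closing connection
"""

# Message headers that map onto smtp.log columns (Zeek's column name on the right).
HEADER_FIELDS = {"from": "from", "to": "to", "subject": "subject", "date": "date",
                 "message-id": "msg_id", "x-mailer": "user_agent"}
ADDR = re.compile(r"<([^>]+)>")


def _addr(cmd):
    """Address from 'MAIL FROM: <a@b>' / 'RCPT TO: <a@b>' (falls back to the last token)."""
    m = ADDR.search(cmd)
    return m.group(1) if m else cmd.split()[-1]


def _b64(s):
    return base64.b64decode(s).decode("utf-8", "replace")


def parse_session(transcript):
    rec = {"helo": None, "mailfrom": None, "rcptto": [], "to": [], "tls": False,
           "last_reply": None, "credentials": None}
    state = "command"            # command | auth_user | auth_pass | headers | body
    user = last_key = None
    starttls_sent = quit_sent = False
    for raw in transcript.splitlines():
        side, sep, text = raw.partition(":")
        if not sep or side not in ("S", "C"):
            continue
        text = text[1:] if text.startswith(" ") else text   # drop the single separator space
        if side == "S":
            if not quit_sent:
                rec["last_reply"] = text          # Zeek keeps the last reply of the transaction
            if starttls_sent and text.startswith("220"):
                rec["tls"] = True                 # everything after this is encrypted; stop here
                break
            continue
        if state == "auth_user":
            user, state = _b64(text), "auth_pass"
        elif state == "auth_pass":
            rec["credentials"], state = (user, _b64(text)), "command"
        elif state == "headers":
            if text == "":
                state = "body"
            elif text[:1] in " \t":               # folded header continuation line
                if last_key == "to" and rec["to"]:
                    rec["to"][-1] += " " + text.strip()
                elif last_key:
                    rec[last_key] += " " + text.strip()
            else:
                name, _, value = text.partition(":")
                last_key = HEADER_FIELDS.get(name.strip().lower())
                if last_key == "to":
                    rec["to"].append(value.strip())
                elif last_key:
                    rec[last_key] = value.strip()
        elif state == "body":
            if text == ".":
                state = "command"
        else:
            cmd = text.strip()
            verb = cmd.split(" ", 1)[0].upper()
            if verb in ("EHLO", "HELO"):
                rec["helo"] = cmd.split(" ", 1)[1]
            elif cmd.upper().startswith("MAIL FROM"):
                rec["mailfrom"] = _addr(cmd)
            elif cmd.upper().startswith("RCPT TO"):
                rec["rcptto"].append(_addr(cmd))
            elif verb == "AUTH" and "LOGIN" in cmd.upper():
                parts = cmd.split()
                if len(parts) > 2:                # "AUTH LOGIN <base64 user>" initial-response form
                    user, state = _b64(parts[2]), "auth_pass"
                else:
                    state = "auth_user"
            elif verb == "DATA":
                state = "headers"
            elif verb == "STARTTLS":
                starttls_sent = True
            elif verb == "QUIT":
                quit_sent = True
    return rec


if __name__ == "__main__":
    print(parse_session(TRANSCRIPT))
```

The parser stops as soon as a server answers STARTTLS with 220, which is exactly where Zeek’s view of a port 587 session ends and why its smtp.log entry for such a session (shown later in this section) carries tls true and little else.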

Inspecting Extracted Files

A look into the extract_files/ directory yields the following entries:

$ file extract_files/*
extract_files/SMTP-Fel9gs4OtNEV6gUJZ5.txt: ASCII text, with CRLF line terminators
extract_files/SMTP-FL9Y0d45OI4LpS6fmh.txt: ASCII text, with CRLF line terminators

We see two files here, both in ASCII text format. They carry two of the three file identifiers seen in the smtp.log entry. The third, which corresponds to the text/html version of the message body in the transcript, is likely not present because this instance of Zeek was configured to extract only plain text files.

Let’s look at the two files using the head application, which by default only provides the first 10 lines.

$ head extract_files/SMTP-Fel9gs4OtNEV6gUJZ5.txt
Hello



I send u smtp pcap file

Find the attachment
$ head extract_files/SMTP-FL9Y0d45OI4LpS6fmh.txt
Version 4.9.9.1
* Many bug fixes
* Improved editor

Version 4.9.9.0
* Support for latest Mingw compiler system builds
* Bug fixes

Version 4.9.8.9
* New code tooltip display

The first file is the content of the email message. The second file is the beginning of the attachment.

Inspecting Zeek Logs for Traffic to Port 465 TCP

Analysts are more likely to find encrypted SMTP traffic in modern environments. Encrypted SMTP traffic will likely use either port 465 TCP or 587 TCP. In this example, we will look at Zeek logs for SMTP traffic using port 465 TCP.

You may see port 465 TCP described as “SMTPS,” meaning “SMTP Secure.” This began as a de facto standard rather than an IANA assignment: IANA had assigned port 465 TCP to the “URL Rendezvous Directory for SSM,” where SSM means Source-Specific Multicast. However, IANA’s Service Name and Transport Protocol Port Number Registry now also lists “Message Submission over TLS” (service name submissions, registered by RFC 8314) for port 465 TCP, the implicit-TLS counterpart of the port 587 TCP submission service.

http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt

In any case, for a sample SMTPS connection to port 465 TCP, Zeek produced the following logs.

First is a conn.log entry, where SSL is seen as the service:

{
  "ts": "2020-08-15T13:14:33.101858Z",
  "uid": "CZ4iBM3vh98hH5GmV",
  "id.orig_h": "192.168.4.43",
  "id.orig_p": 61329,
  "id.resp_h": "74.125.192.108",
  "id.resp_p": 465,
  "proto": "tcp",
  "service": "ssl",
  "duration": 0.08411312103271484,
  "orig_bytes": 348,
  "resp_bytes": 3257,
  "conn_state": "SF",
  "local_orig": true,
  "local_resp": false,
  "missed_bytes": 0,
  "history": "ShADdafF",
  "orig_pkts": 11,
  "orig_ip_bytes": 800,
  "resp_pkts": 10,
  "resp_ip_bytes": 3669,
  "community_id": "1:NArgsDn5hgq6xjy6xTiMPZCgDKE="
}

Zeek created two files.log entries for observed x509 certificates:

{
  "ts": "2020-08-15T13:14:33.157292Z",
  "fuid": "F2cHKgS8RS2OyLdI4",
  "tx_hosts": [
    "74.125.192.108"
  ],
  "rx_hosts": [
    "192.168.4.43"
  ],
  "conn_uids": [
    "CZ4iBM3vh98hH5GmV"
  ],
  "source": "SSL",
  "depth": 0,
  "analyzers": [
    "X509",
    "MD5",
    "SHA1"
  ],
  "mime_type": "application/x-x509-user-cert",
  "duration": 0,
  "local_orig": false,
  "is_orig": false,
  "seen_bytes": 1228,
  "missing_bytes": 0,
  "overflow_bytes": 0,
  "timedout": false,
  "md5": "772f22ceaa7d6e285a9068718e8251af",
  "sha1": "5849d577c3f434125724459e3b32025247fda56d"
}

{
  "ts": "2020-08-15T13:14:33.157292Z",
  "fuid": "Fl9EEK26t5qzDVW3vf",
  "tx_hosts": [
    "74.125.192.108"
  ],
  "rx_hosts": [
    "192.168.4.43"
  ],
  "conn_uids": [
    "CZ4iBM3vh98hH5GmV"
  ],
  "source": "SSL",
  "depth": 0,
  "analyzers": [
    "X509",
    "MD5",
    "SHA1"
  ],
  "mime_type": "application/x-x509-ca-cert",
  "duration": 0,
  "local_orig": false,
  "is_orig": false,
  "seen_bytes": 1102,
  "missing_bytes": 0,
  "overflow_bytes": 0,
  "timedout": false,
  "md5": "dbb23c939236012e71d5f44dbc2acea0",
  "sha1": "dfe2070c79e7ff36a925ffa327ffe3deecf8f9c2"
}

Finally Zeek created a ssl.log entry with a server_name field that helps us see that the encrypted traffic was probably SMTP:

{
  "ts": "2020-08-15T13:14:33.157292Z",
  "uid": "CZ4iBM3vh98hH5GmV",
  "id.orig_h": "192.168.4.43",
  "id.orig_p": 61329,
  "id.resp_h": "74.125.192.108",
  "id.resp_p": 465,
  "version": "TLSv12",
  "cipher": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
  "curve": "x25519",
  "server_name": "smtp.gmail.com",
  "resumed": false,
  "established": true,
  "cert_chain_fuids": [
    "F2cHKgS8RS2OyLdI4",
    "Fl9EEK26t5qzDVW3vf"
  ],
  "client_cert_chain_fuids": [],
  "validation_status": "ok"
}

Inspecting Zeek Logs for Traffic to Port 587 TCP

The default server port for SMTP message submission is port 587 TCP. A session on this port starts in clear text, and the client upgrades it to TLS with the STARTTLS command.

For a sample submission connection to port 587 TCP, Zeek produced the following logs.

First is a conn.log entry, where SSL and SMTP are seen as the services:

{
  "ts": "2020-08-09T23:31:46.626484Z",
  "uid": "CCqmLfIrqQeWvXol4",
  "id.orig_h": "192.168.4.41",
  "id.orig_p": 49334,
  "id.resp_h": "17.42.251.41",
  "id.resp_p": 587,
  "proto": "tcp",
  "service": "ssl,smtp",
  "duration": 61.12906002998352,
  "orig_bytes": 1659,
  "resp_bytes": 7198,
  "conn_state": "SF",
  "local_orig": true,
  "local_resp": false,
  "missed_bytes": 0,
  "history": "ShAdDafFr",
  "orig_pkts": 29,
  "orig_ip_bytes": 3179,
  "resp_pkts": 26,
  "resp_ip_bytes": 8534,
  "community_id": "1:wM+UdwdNy9VK/LEhFBTcQCtAqo8="
}

Note that this is different from the port 465 TCP session, where only SSL was noted: the clear-text EHLO exchange before STARTTLS let Zeek identify SMTP as well.

Next are three files.log entries for x509 certificates.

{
  "ts": "2020-08-09T23:31:46.800843Z",
  "fuid": "FmLTdUtlSHFynFf4j",
  "tx_hosts": [
    "17.42.251.41"
  ],
  "rx_hosts": [
    "192.168.4.41"
  ],
  "conn_uids": [
    "CCqmLfIrqQeWvXol4"
  ],
  "source": "SSL",
  "depth": 0,
  "analyzers": [
    "X509",
    "SHA1",
    "MD5"
  ],
  "mime_type": "application/x-x509-user-cert",
  "duration": 0,
  "local_orig": false,
  "is_orig": false,
  "seen_bytes": 3939,
  "missing_bytes": 0,
  "overflow_bytes": 0,
  "timedout": false,
  "md5": "484d47f1b847d67981eade5b2b1f5618",
  "sha1": "c262f01e83d6ce0c361e8b049e5be8fe6e55806b"
}
{
  "ts": "2020-08-09T23:31:46.800843Z",
  "fuid": "F5ITBU2e5kcvYpOZJd",
  "tx_hosts": [
    "17.42.251.41"
  ],
  "rx_hosts": [
    "192.168.4.41"
  ],
  "conn_uids": [
    "CCqmLfIrqQeWvXol4"
  ],
  "source": "SSL",
  "depth": 0,
  "analyzers": [
    "X509",
    "SHA1",
    "MD5"
  ],
  "mime_type": "application/x-x509-ca-cert",
  "duration": 0,
  "local_orig": false,
  "is_orig": false,
  "seen_bytes": 1092,
  "missing_bytes": 0,
  "overflow_bytes": 0,
  "timedout": false,
  "md5": "48f0e38385112eeca5fc9ffd402eaecd",
  "sha1": "8e8321ca08b08e3726fe1d82996884eeb5f0d655"
}
{
  "ts": "2020-08-09T23:31:46.800843Z",
  "fuid": "F453Xk1oZcMiI6X3a7",
  "tx_hosts": [
    "17.42.251.41"
  ],
  "rx_hosts": [
    "192.168.4.41"
  ],
  "conn_uids": [
    "CCqmLfIrqQeWvXol4"
  ],
  "source": "SSL",
  "depth": 0,
  "analyzers": [
    "X509",
    "SHA1",
    "MD5"
  ],
  "mime_type": "application/x-x509-ca-cert",
  "duration": 0,
  "local_orig": false,
  "is_orig": false,
  "seen_bytes": 856,
  "missing_bytes": 0,
  "overflow_bytes": 0,
  "timedout": false,
  "md5": "f775ab29fb514eb7775eff053c998ef5",
  "sha1": "de28f4a4ffe5b92fa3c503d1a349a7f9962a8212"
}

Next we have a smtp.log entry that shows the clear text fields Zeek could extract prior to the negotiation of encryption:

{
  "ts": "2020-08-09T23:31:46.696892Z",
  "uid": "CCqmLfIrqQeWvXol4",
  "id.orig_h": "192.168.4.41",
  "id.orig_p": 49334,
  "id.resp_h": "17.42.251.41",
  "id.resp_p": 587,
  "trans_depth": 1,
  "helo": "[192.168.4.41]",
  "last_reply": "220 2.0.0 Ready to start TLS",
  "path": [
    "17.42.251.41",
    "192.168.4.41"
  ],
  "tls": true,
  "fuids": [],
  "is_webmail": false
}

Finally we have an ssl.log entry with a helpful server_name implying that this is SMTP traffic.

{
  "ts": "2020-08-09T23:31:46.800843Z",
  "uid": "CCqmLfIrqQeWvXol4",
  "id.orig_h": "192.168.4.41",
  "id.orig_p": 49334,
  "id.resp_h": "17.42.251.41",
  "id.resp_p": 587,
  "version": "TLSv12",
  "cipher": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
  "curve": "secp256r1",
  "server_name": "p71-smtp.mail.me.com",
  "resumed": false,
  "established": true,
  "cert_chain_fuids": [
    "FmLTdUtlSHFynFf4j",
    "F5ITBU2e5kcvYpOZJd",
    "F453Xk1oZcMiI6X3a7"
  ],
  "client_cert_chain_fuids": [],
  "validation_status": "ok"
}

It is helpful that the more standardized port 587 TCP submission service yields more SMTP-related coverage, despite being encrypted. Because the session begins in clear text, Zeek sees the EHLO and STARTTLS exchange and records it in the smtp.log with tls set to true, whereas a port 465 TCP session is encrypted from the first byte.

Other Email Protocols: IMAP over TLS

Before finishing this section, it might be helpful to look at two other email protocols and what Zeek makes of them.

Internet Message Access Protocol (IMAP) is a protocol that clients use to retrieve email from mail servers. The server for the clear-text variant listens on port 143 TCP. The encrypted variant, IMAP over TLS (also called IMAP over SSL, or IMAPS), listens on port 993 TCP.

There is currently no imap.log created by Zeek for the unencrypted or encrypted variants.

The following example shows what Zeek sees when IMAP over TLS is active on port 993 TCP.

Zeek creates a conn.log entry, as per usual, with the service identified as SSL:

{
  "ts": "2020-08-17T03:01:16.752745Z",
  "uid": "CZzvVe1KOD9D1TewCk",
  "id.orig_h": "192.168.4.23",
  "id.orig_p": 61579,
  "id.resp_h": "172.253.122.108",
  "id.resp_p": 993,
  "proto": "tcp",
  "service": "ssl",
  "duration": 0.8354301452636719,
  "orig_bytes": 1582,
  "resp_bytes": 2499,
  "conn_state": "SF",
  "local_orig": true,
  "local_resp": false,
  "missed_bytes": 0,
  "history": "ShADadFfR",
  "orig_pkts": 37,
  "orig_ip_bytes": 3482,
  "resp_pkts": 35,
  "resp_ip_bytes": 4327,
  "community_id": "1:Ug0SOBN+9zdqsSiesc5zQf9mr+I="
}

The server_name in the ssl.log entry indicates that this is an IMAP session.

{
  "ts": "2020-08-17T03:01:16.865252Z",
  "uid": "CZzvVe1KOD9D1TewCk",
  "id.orig_h": "192.168.4.23",
  "id.orig_p": 61579,
  "id.resp_h": "172.253.122.108",
  "id.resp_p": 993,
  "version": "TLSv13",
  "cipher": "TLS_AES_128_GCM_SHA256",
  "curve": "x25519",
  "server_name": "imap.gmail.com",
  "resumed": true,
  "established": true
}

Note the use of TLS 1.3. Because TLS 1.3 encrypts the server’s certificate, and this session was also resumed, we do not have certificate details, i.e., there are no files.log or x509.log entries.

Other Email Protocols: POP over TLS

A protocol similar to IMAP, using different ports, is Post Office Protocol (POP). The traditional unencrypted server listens on port 110 TCP. The encrypted variant listens on port 995 TCP. As before, here are two entries.

There is currently no pop.log created by Zeek for the unencrypted or encrypted variants.

The following example shows what Zeek sees when POP over TLS is active on port 995 TCP.

Zeek creates a conn.log entry, as per usual, with the service identified as SSL:

{
  "ts": "2020-07-02T21:19:34.048427Z",
  "uid": "CzhwYd95h2GWh9bD8",
  "id.orig_h": "192.168.4.42",
  "id.orig_p": 50938,
  "id.resp_h": "142.250.31.109",
  "id.resp_p": 995,
  "proto": "tcp",
  "service": "ssl",
  "duration": 11.121870994567871,
  "orig_bytes": 2056,
  "resp_bytes": 1034478,
  "conn_state": "SF",
  "local_orig": true,
  "local_resp": false,
  "missed_bytes": 0,
  "history": "ShADadtfFr",
  "orig_pkts": 226,
  "orig_ip_bytes": 11156,
  "resp_pkts": 865,
  "resp_ip_bytes": 1075618,
  "community_id": "1:41G4TR4OvkRdEhCPft5bqJWyJVc="
}

The server_name in the ssl.log entry indicates that this is a POP session.

{
  "ts": "2020-07-02T21:19:34.067004Z",
  "uid": "CzhwYd95h2GWh9bD8",
  "id.orig_h": "192.168.4.42",
  "id.orig_p": 50938,
  "id.resp_h": "142.250.31.109",
  "id.resp_p": 995,
  "version": "TLSv13",
  "cipher": "TLS_AES_128_GCM_SHA256",
  "curve": "x25519",
  "server_name": "pop.gmail.com",
  "resumed": true,
  "established": true
}

Again note the use of TLS 1.3. As with the IMAP session, the certificate exchange is encrypted and the session was resumed, so we do not have certificate details, i.e., there are no files.log or x509.log entries.
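The port 25, 465, 587, 993 and 995 sessions in this section differ in which logs carry the evidence, so an inventory of mail traffic has to join conn.log, ssl.log and smtp.log by uid. The following is an added Python example, not part of the Zeek documentation, that reads trimmed copies of the entries shown above as newline-delimited JSON and labels each connection with the protocol its port implies, whether it was encrypted, whether STARTTLS was used, whether certificates were visible, and whether a message was handed over in the clear. The port table and the SNI heuristic for non-standard ports are this example’s own assumptions.

```python
import json

# Trimmed copies of the conn.log, ssl.log and smtp.log entries shown in this section
# (ports 25, 465, 587, 993, 995) as NDJSON; nothing is constructed beyond trimming fields.
CONN_LOG = r'''
{"uid":"C1qe8w3QHRF2N5tVV5","id.orig_h":"10.10.1.4","id.resp_h":"74.53.140.153","id.resp_p":25,"service":"smtp"}
{"uid":"CZ4iBM3vh98hH5GmV","id.orig_h":"192.168.4.43","id.resp_h":"74.125.192.108","id.resp_p":465,"service":"ssl"}
{"uid":"CCqmLfIrqQeWvXol4","id.orig_h":"192.168.4.41","id.resp_h":"17.42.251.41","id.resp_p":587,"service":"ssl,smtp"}
{"uid":"CZzvVe1KOD9D1TewCk","id.orig_h":"192.168.4.23","id.resp_h":"172.253.122.108","id.resp_p":993,"service":"ssl"}
{"uid":"CzhwYd95h2GWh9bD8","id.orig_h":"192.168.4.42","id.resp_h":"142.250.31.109","id.resp_p":995,"service":"ssl"}
'''
SSL_LOG = r'''
{"uid":"CZ4iBM3vh98hH5GmV","version":"TLSv12","server_name":"smtp.gmail.com","cert_chain_fuids":["F2cHKgS8RS2OyLdI4","Fl9EEK26t5qzDVW3vf"]}
{"uid":"CCqmLfIrqQeWvXol4","version":"TLSv12","server_name":"p71-smtp.mail.me.com","cert_chain_fuids":["FmLTdUtlSHFynFf4j","F5ITBU2e5kcvYpOZJd","F453Xk1oZcMiI6X3a7"]}
{"uid":"CZzvVe1KOD9D1TewCk","version":"TLSv13","server_name":"imap.gmail.com"}
{"uid":"CzhwYd95h2GWh9bD8","version":"TLSv13","server_name":"pop.gmail.com"}
'''
SMTP_LOG = r'''
{"uid":"C1qe8w3QHRF2N5tVV5","helo":"GP","mailfrom":"gurpartap@patriots.in","last_reply":"250 OK id=1Mugho-0003Dg-Un","tls":false}
{"uid":"CCqmLfIrqQeWvXol4","helo":"[192.168.4.41]","last_reply":"220 2.0.0 Ready to start TLS","tls":true}
'''

# What each well-known mail port should look like: (protocol, how TLS is applied there).
MAIL_PORTS = {
    25: ("smtp", "starttls"), 587: ("submission", "starttls"), 465: ("submissions", "implicit-tls"),
    143: ("imap", "starttls"), 993: ("imaps", "implicit-tls"),
    110: ("pop3", "starttls"), 995: ("pop3s", "implicit-tls"),
}
# SNI label prefixes that suggest mail even on a non-standard port (heuristic chosen for this example).
SNI_HINTS = ("smtp", "mail", "imap", "pop")


def load_ndjson(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def classify(conn, ssl_rec, smtp_rec):
    """One inventory row for a connection, or None if it does not look like mail."""
    port = conn["id.resp_p"]
    proto, mode = MAIL_PORTS.get(port, (None, None))
    sni = (ssl_rec or {}).get("server_name", "")
    if proto is None and sni and sni.split(".")[0].startswith(SNI_HINTS):
        proto, mode = "mail (by SNI)", "unknown"
    if proto is None:
        return None
    encrypted = ssl_rec is not None or "ssl" in conn.get("service", "").split(",")
    return {
        "uid": conn["uid"], "port": port, "protocol": proto, "expected": mode,
        "encrypted": encrypted,
        "starttls": bool(smtp_rec and smtp_rec.get("tls")),
        "server_name": sni or None,
        "tls_version": (ssl_rec or {}).get("version"),
        "certs_visible": bool((ssl_rec or {}).get("cert_chain_fuids")),
        # a message handed over in the clear: smtp.log saw MAIL FROM and never saw STARTTLS
        "cleartext_message": bool(smtp_rec and not smtp_rec.get("tls") and smtp_rec.get("mailfrom")),
    }


def inventory(conn_text, ssl_text, smtp_text):
    ssl_by_uid = {r["uid"]: r for r in load_ndjson(ssl_text)}
    smtp_by_uid = {r["uid"]: r for r in load_ndjson(smtp_text)}
    rows = {}
    for conn in load_ndjson(conn_text):
        row = classify(conn, ssl_by_uid.get(conn["uid"]), smtp_by_uid.get(conn["uid"]))
        if row:
            rows[conn["uid"]] = row
    return rows


if __name__ == "__main__":
    for row in inventory(CONN_LOG, SSL_LOG, SMTP_LOG).values():
        print(row)
```

Run periodically over real logs, the cleartext_message rows are the ones worth acting on first, and the certs_visible column shows how much of the mail estate has already moved to TLS 1.3, where the x509 evidence discussed earlier disappears.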

Conclusion

This section showed how Zeek renders logs for SMTP traffic, whether using the older clear-text form or a modern encrypted version. It is helpful to query Zeek logs periodically to determine what sorts of SMTP traffic are present in your environment.

ssh.log

Secure Shell (SSH) is one of the fundamental protocols of the Internet age. System administrators use SSH to securely access systems, typically running on port 22 TCP. SSH has always been encrypted, so security analysts have never examined its contents as they may have done with Telnet or other clear-text system administration protocols.

Zeek seeks to provide a variety of details about SSH sessions.

For more detail on each field, please see SSH::Info.

Lateral Movement

In the first example we will look at lateral movement. This term refers to a connection between two systems on the same subnet, or at least within the same network or organization.

{
  "ts": "2020-09-16T13:39:18.425492Z",
  "uid": "C72qTo2v3FBhwysEIc",
  "id.orig_h": "192.168.4.142",
  "id.orig_p": 54161,
  "id.resp_h": "192.168.4.1",
  "id.resp_p": 22,
  "version": 2,
  "auth_success": true,
  "auth_attempts": 1,
  "client": "SSH-2.0-SecureBlackbox",
  "server": "SSH-2.0-OpenSSH_6.6.1p1 Debian-4~bpo70+1",
  "cipher_alg": "aes128-ctr",
  "mac_alg": "umac-64@openssh.com",
  "compression_alg": "none",
  "kex_alg": "diffie-hellman-group1-sha1",
  "host_key_alg": "ssh-rsa",
  "host_key": "f9:1f:45:88:dd:da:82:c5:7c:9d:75:c3:ac:e6:f4:f6",
  "hasshVersion": "1.0",
  "hassh": "3f0109679e469fced2c82384f0fa3917",
  "hasshServer": "b003da101c8caf37ce9e3ca3cd9d049b",
  "cshka": "ssh-rsa,ssh-dss",
  "hasshAlgorithms": "diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1;aes128-ctr,aes192-ctr,aes256-ctr;umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,umac-128@openssh.com,hmac-md5,hmac-md5-96,hmac-sha1,hmac-sha1-96,hmac-ripemd160@openssh.com,hmac-ripemd160;none,zlib,zlib@openssh.com",
  "sshka": "ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519",
  "hasshServerAlgorithms": "curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1;chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com;hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96;none,zlib@openssh.com"
}

There’s a lot to this log. The central elements, and probably the most immediately actionable ones, are the id.orig_h, id.resp_h, and auth_success fields. They indicate that a client (192.168.4.142) successfully logged into an SSH server (192.168.4.1).

The rest of the data generally profiles the nature of the client and server and the encryption they used for the session. For example, the various hassh fields come from the HASSH Zeek package and are similar to the JA3 and JA3S packages mentioned in the ssl.log chapter.

The hassh field provides a hash characterizing the encryption offered by the SSH client. The hasshServer field characterizes the encryption offered by the SSH server.

Failed Lateral Movement

In the following example, I created failed logins to generate Zeek logs. Here I entered a wrong password, then hit the return key twice.

$ ssh me@192.168.4.1
Welcome to MyServer

me@192.168.4.1's password: **[wrong password entered]**
me@192.168.4.1's password: **[no password, return]**
me@192.168.4.1's password: **[no password, return]**
Permission denied (publickey,password).

Zeek produced the following log:

{
  "ts": "2020-09-16T14:23:41.005323Z",
  "uid": "COfRkd4UVXYwu1GTqh",
  "id.orig_h": "192.168.4.142",
  "id.orig_p": 57442,
  "id.resp_h": "192.168.4.1",
  "id.resp_p": 22,
  "version": 2,
  "auth_attempts": 0,
  "client": "SSH-2.0-OpenSSH_7.5",
  "server": "SSH-2.0-OpenSSH_6.6.1p1 Debian-4~bpo70+1",
  "cipher_alg": "aes128-ctr",
  "mac_alg": "hmac-md5",
  "compression_alg": "zlib@openssh.com",
  "kex_alg": "curve25519-sha256@libssh.org",
  "host_key_alg": "ssh-rsa",
  "host_key": "f9:1f:45:88:dd:da:82:c5:7c:9d:75:c3:ac:e6:f4:f6",
  "hasshVersion": "1.0",
  "hassh": "0d7f08c427fb41f68ec40fbe8fb7b5cb",
  "hasshServer": "b003da101c8caf37ce9e3ca3cd9d049b",
  "cshka": "ssh-rsa-cert-v01@openssh.com,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-dss,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519",
  "hasshAlgorithms": "curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c;aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,arcfour,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se;hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-sha1-96,hmac-md5-96,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-ripemd160@openssh.com;zlib@openssh.com,zlib,none",
  "sshka": "ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519",
  "hasshServerAlgorithms": "curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1;chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com;hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96;none,zlib@openssh.com"
}

Notice there is no entry like this from the successful login:

"auth_success": true,

That is helpful. However, there is the following entry, which is odd:

"auth_attempts": 0,

There was definitely at least one authentication attempt. I cannot explain this result.

Outbound Movement

One aspect of Zeek’s ssh.log that I find useful is its determination of whether the SSH login was “inbound” or “outbound”. In the following example, we see a login from the enterprise, which uses the 192.168.4.0/24 network, to a host on the Internet:

{
  "ts": "2020-09-16T13:08:58.933098Z",
  "uid": "Cjmfpo49s3lei7CBla",
  "id.orig_h": "192.168.4.49",
  "id.orig_p": 39550,
  "id.resp_h": "205.166.94.16",
  "id.resp_p": 22,
  "version": 2,
  "auth_success": true,
  "auth_attempts": 2,
  "direction": "OUTBOUND",
  "client": "SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u7",
  "server": "SSH-2.0-OpenSSH_8.0",
  "cipher_alg": "chacha20-poly1305@openssh.com",
  "mac_alg": "umac-64-etm@openssh.com",
  "compression_alg": "none",
  "kex_alg": "curve25519-sha256",
  "host_key_alg": "ssh-ed25519",
  "host_key": "e4:ff:65:d7:be:5d:c8:44:1d:89:6b:50:f5:50:a0:ce",
  "hasshVersion": "1.0",
  "hassh": "0df0d56bb50c6b2426d8d40234bf1826",
  "hasshServer": "b12d2871a1189eff20364cf5333619ee",
  "cshka": "ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa",
  "hasshAlgorithms": "curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c;chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc;umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1;none,zlib@openssh.com,zlib",
  "sshka": "ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-ed25519",
  "hasshServerAlgorithms": "curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1;chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com;umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1;none,zlib@openssh.com"
}

Analysts can use this sort of log entry to identify when systems for which they are responsible are connecting to SSH servers outside their organization.

Inbound Movement

In the following example, Zeek notices an inbound SSH connection:

{
  "ts": "2020-09-16T13:29:23.245216Z",
  "uid": "CzEmsljW9ooL0WnBd",
  "id.orig_h": "35.196.195.158",
  "id.orig_p": 53160,
  "id.resp_h": "192.168.4.37",
  "id.resp_p": 22,
  "version": 2,
  "auth_success": true,
  "auth_attempts": 1,
  "direction": "INBOUND",
  "client": "SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2",
  "server": "SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3",
  "cipher_alg": "chacha20-poly1305@openssh.com",
  "mac_alg": "umac-64-etm@openssh.com",
  "compression_alg": "none",
  "kex_alg": "curve25519-sha256",
  "host_key_alg": "ecdsa-sha2-nistp256",
  "host_key": "a3:41:03:32:1f:8c:8e:82:92:9f:62:8c:38:82:d3:74",
  "hasshVersion": "1.0",
  "hassh": "ec7378c1a92f5a8dde7e8b7a1ddf33d1",
  "hasshServer": "b12d2871a1189eff20364cf5333619ee",
  "cshka": "ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa",
  "hasshAlgorithms": "curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c;chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com;umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1;none,zlib@openssh.com,zlib",
  "sshka": "ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519",
  "hasshServerAlgorithms": "curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1;chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com;umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1;none,zlib@openssh.com"
}

If an analyst does not expect this sort of activity, then it could indicate a problem.

Failed Movement

In the following example, we see something a bit different:

{
  "ts": "2020-09-16T13:29:08.560780Z",
  "uid": "CFb8DZ1DLzStfZaERb",
  "id.orig_h": "205.166.94.9",
  "id.orig_p": 55699,
  "id.resp_h": "192.168.4.37",
  "id.resp_p": 22,
  "auth_attempts": 0,
  "direction": "INBOUND",
  "server": "SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3"
}

Notice that there is no successful authentication message. There is also no client identification string. We only see the server’s message. I generated this activity using Netcat. I connected to port 22 TCP and did not send any data.
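As an added example (not part of the Zeek documentation), the following Python applies these readings of ssh.log to records abbreviated from the entries in this section: successful logins by direction, a banner exchange with no recorded success, a connection with no client string at all, and a legacy key-exchange algorithm. The LATERAL label, the legacy key-exchange list and the finding names are this example's own conventions, not Zeek fields.

```python
"""Triage Zeek ssh.log records (JSON, one object per line).

Added example, not part of the Zeek documentation. The records below are
constructed, abbreviated copies of the entries shown in this section.
"""
import ipaddress
import json

# Local address space; the examples in this section use 192.168.4.0/24.
LOCAL_NETS = [ipaddress.ip_network("192.168.4.0/24")]

# Key-exchange algorithms a modern client should no longer offer. This list
# is an assumption for the example; extend it to match local policy.
LEGACY_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1"}

SAMPLE_SSH_LOG = """\
{"ts":"2020-09-16T13:39:18.425492Z","uid":"C72qTo2v3FBhwysEIc","id.orig_h":"192.168.4.142","id.orig_p":54161,"id.resp_h":"192.168.4.1","id.resp_p":22,"auth_success":true,"auth_attempts":1,"client":"SSH-2.0-SecureBlackbox","server":"SSH-2.0-OpenSSH_6.6.1p1 Debian-4~bpo70+1","kex_alg":"diffie-hellman-group1-sha1"}
{"ts":"2020-09-16T14:23:41.005323Z","uid":"COfRkd4UVXYwu1GTqh","id.orig_h":"192.168.4.142","id.orig_p":57442,"id.resp_h":"192.168.4.1","id.resp_p":22,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_7.5","server":"SSH-2.0-OpenSSH_6.6.1p1 Debian-4~bpo70+1","kex_alg":"curve25519-sha256@libssh.org"}
{"ts":"2020-09-16T13:08:58.933098Z","uid":"Cjmfpo49s3lei7CBla","id.orig_h":"192.168.4.49","id.orig_p":39550,"id.resp_h":"205.166.94.16","id.resp_p":22,"auth_success":true,"auth_attempts":2,"direction":"OUTBOUND","client":"SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u7","server":"SSH-2.0-OpenSSH_8.0","kex_alg":"curve25519-sha256"}
{"ts":"2020-09-16T13:29:23.245216Z","uid":"CzEmsljW9ooL0WnBd","id.orig_h":"35.196.195.158","id.orig_p":53160,"id.resp_h":"192.168.4.37","id.resp_p":22,"auth_success":true,"auth_attempts":1,"direction":"INBOUND","client":"SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2","server":"SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3","kex_alg":"curve25519-sha256"}
{"ts":"2020-09-16T13:29:08.560780Z","uid":"CFb8DZ1DLzStfZaERb","id.orig_h":"205.166.94.9","id.orig_p":55699,"id.resp_h":"192.168.4.37","id.resp_p":22,"auth_attempts":0,"direction":"INBOUND","server":"SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3"}
"""


def is_local(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def classify_direction(rec):
    """Use Zeek's direction field when present. The lateral examples in this
    section carry no direction field; this example labels that case LATERAL
    itself (its own convention, not a Zeek value)."""
    if "direction" in rec:
        return rec["direction"]
    orig_local = is_local(rec["id.orig_h"])
    resp_local = is_local(rec["id.resp_h"])
    if orig_local and resp_local:
        return "LATERAL"
    if orig_local:
        return "OUTBOUND"
    if resp_local:
        return "INBOUND"
    return "EXTERNAL"


def triage(rec):
    """Return the list of findings for one ssh.log record."""
    findings = []
    direction = classify_direction(rec)
    # auth_success is absent when Zeek did not record a successful login.
    success = rec.get("auth_success")
    if success is True:
        findings.append(direction.lower() + "-success")
    elif "client" in rec:
        # Banners were exchanged but no success was recorded: a failed or
        # undetermined login, like the wrong-password example above.
        findings.append("no-success-recorded")
    else:
        # No client string at all: a TCP connection that never spoke SSH.
        findings.append("no-client-banner")
    if rec.get("kex_alg") in LEGACY_KEX:
        findings.append("legacy-kex")
    return findings


def triage_log(text):
    """Map each uid in a JSON ssh.log to its findings."""
    results = {}
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            results[rec["uid"]] = triage(rec)
    return results


if __name__ == "__main__":
    for uid, findings in triage_log(SAMPLE_SSH_LOG).items():
        print(uid, ", ".join(findings))
```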

Conclusion

This section has provided some details on the elements of the ssh.log that could be of use to analysts.

pe.log

Earlier we looked at the data provided by Zeek’s files.log. In this section we will take a step further for one type of log – Zeek’s pe.log. In this instance, “pe” stands for portable executable, a format associated with Microsoft binaries.

For more details on the specifics of the format, please refer to PE::Info.

Starting with conn.log

This example starts with the conn.log. That is not strictly necessary to explain the pe.log, but I wanted to include a very recent example of a modern application conducting activities via HTTP.

{
  "ts": "2020-09-23T00:24:31.210053Z",
  "uid": "Cq2b9jR12c4lqZafg",
  "id.orig_h": "192.168.4.152",
  "id.orig_p": 59125,
  "id.resp_h": "63.88.73.83",
  "id.resp_p": 80,
  "proto": "tcp",
  "service": "http",
  "duration": 25.614583015441895,
  "orig_bytes": 5753,
  "resp_bytes": 1975717,
  "conn_state": "SF",
  "local_orig": true,
  "local_resp": false,
  "missed_bytes": 0,
  "history": "ShADadttFf",
  "orig_pkts": 521,
  "orig_ip_bytes": 29041,
  "resp_pkts": 1367,
  "resp_ip_bytes": 2030409
}

This example shows a host, 192.168.4.152, conducting an HTTP session with 63.88.73.83 over port 80 TCP. The server sends about 2 MB of content (1975717 resp_bytes) to the client.

Continuing with http.log

The http.log entries associated with UID Cq2b9jR12c4lqZafg are fascinating. There are multiple entries. I have reproduced a sample of them below.

{
  "ts": "2020-09-23T00:24:31.235201Z",
  "uid": "Cq2b9jR12c4lqZafg",
  "id.orig_h": "192.168.4.152",
  "id.orig_p": 59125,
  "id.resp_h": "63.88.73.83",
  "id.resp_p": 80,
  "trans_depth": 1,
  "method": "HEAD",
  "host": "r8---sn-8xgp1vo-p5ql.gvt1.com",
  "uri": "/edgedl/release2/chrome/SAWXCyZhLAbPfxC5kv_Fkw_85.0.4183.121/85.0.4183.121_85.0.4183.102_chrome_updater.exe?cms_redirect=yes&mh=t-&mip=-public-ip-edited-&mm=28&mn=sn-8xgp1vo-p5ql&ms=nvh&mt=1600820539&mv=m&mvi=8&pl=19&shardbypass=yes",
  "version": "1.1",
  "user_agent": "Microsoft BITS/7.8",
  "request_body_len": 0,
  "response_body_len": 0,
  "status_code": 200,
  "status_msg": "OK",
  "tags": []
}

The first entry shown above provides details on a HEAD request for a binary titled 85.0.4183.121_85.0.4183.102_chrome_updater.exe. The user agent is the Microsoft Background Intelligent Transfer Service (BITS). The server responds with a successful message, 200 OK. Note that I have inserted -public-ip-edited- in the URI rather than expose the public IP address of the system requesting this file.

The fact that the BITS client provides the public IP address in the URI indicates that either the server is sending this information to the client, or that the client is requesting this information from an Internet-residing system. There is no native way for this client to know its public IP address when it is sitting behind a network address (port) translation device.

This aspect of the URI could help administrators better understand their networks, as it can sometimes be difficult to map private IP addresses (like 192.168.4.152) to their public representations (here -public-ip-edited-).

Also note the value for the host field showing r8---sn-8xgp1vo-p5ql.gvt1.com. I resolved the odd name to see the following:

$ host r8---sn-8xgp1vo-p5ql.gvt1.com
r8---sn-8xgp1vo-p5ql.gvt1.com is an alias for r8.sn-8xgp1vo-p5ql.gvt1.com.
r8.sn-8xgp1vo-p5ql.gvt1.com has address 63.88.73.83
r8.sn-8xgp1vo-p5ql.gvt1.com has IPv6 address 2600:803:f00:1::13

Let’s look at the next http.log entry.

{
  "ts": "2020-09-23T00:24:31.334435Z",
  "uid": "Cq2b9jR12c4lqZafg",
  "id.orig_h": "192.168.4.152",
  "id.orig_p": 59125,
  "id.resp_h": "63.88.73.83",
  "id.resp_p": 80,
  "trans_depth": 2,
  "method": "GET",
  "host": "r8---sn-8xgp1vo-p5ql.gvt1.com",
  "uri": "/edgedl/release2/chrome/SAWXCyZhLAbPfxC5kv_Fkw_85.0.4183.121/85.0.4183.121_85.0.4183.102_chrome_updater.exe?cms_redirect=yes&mh=t-&mip=-public-ip-edited-&mm=28&mn=sn-8xgp1vo-p5ql&ms=nvh&mt=1600820539&mv=m&mvi=8&pl=19&shardbypass=yes",
  "version": "1.1",
  "user_agent": "Microsoft BITS/7.8",
  "request_body_len": 0,
  "response_body_len": 1392,
  "status_code": 206,
  "status_msg": "Partial Content",
  "tags": [],
  "resp_fuids": [
    "FGYKX64SkXc4OcvlFf"
  ]
}

In the previous http.log entry we see that the BITS client has made a GET request for the same file. The server is providing it via “partial content”, represented by the 206 status code.

Also note we now have a file UID present in the http.log: FGYKX64SkXc4OcvlFf.

The next http.log entry is similar, although the amount of data sent is different.

{
  "ts": "2020-09-23T00:24:35.247333Z",
  "uid": "Cq2b9jR12c4lqZafg",
  "id.orig_h": "192.168.4.152",
  "id.orig_p": 59125,
  "id.resp_h": "63.88.73.83",
  "id.resp_p": 80,
  "trans_depth": 3,
  "method": "GET",
  "host": "r8---sn-8xgp1vo-p5ql.gvt1.com",
  "uri": "/edgedl/release2/chrome/SAWXCyZhLAbPfxC5kv_Fkw_85.0.4183.121/85.0.4183.121_85.0.4183.102_chrome_updater.exe?cms_redirect=yes&mh=t-&mip=-public-ip-edited-&mm=28&mn=sn-8xgp1vo-p5ql&ms=nvh&mt=1600820539&mv=m&mvi=8&pl=19&shardbypass=yes",
  "version": "1.1",
  "user_agent": "Microsoft BITS/7.8",
  "request_body_len": 0,
  "response_body_len": 1995,
  "status_code": 206,
  "status_msg": "Partial Content",
  "tags": []
}

I have removed the half a dozen or so intervening messages as they are very similar to the preceding entries. I include the last one for reference. It is similar to the previous entries, although the response body length shows much more data was sent.

{
  "ts": "2020-09-23T00:24:46.547359Z",
  "uid": "Cq2b9jR12c4lqZafg",
  "id.orig_h": "192.168.4.152",
  "id.orig_p": 59125,
  "id.resp_h": "63.88.73.83",
  "id.resp_p": 80,
  "trans_depth": 12,
  "method": "GET",
  "host": "r8---sn-8xgp1vo-p5ql.gvt1.com",
  "uri": "/edgedl/release2/chrome/SAWXCyZhLAbPfxC5kv_Fkw_85.0.4183.121/85.0.4183.121_85.0.4183.102_chrome_updater.exe?cms_redirect=yes&mh=t-&mip=-public-ip-edited-&mm=28&mn=sn-8xgp1vo-p5ql&ms=nvh&mt=1600820539&mv=m&mvi=8&pl=19&shardbypass=yes",
  "version": "1.1",
  "user_agent": "Microsoft BITS/7.8",
  "request_body_len": 0,
  "response_body_len": 652148,
  "status_code": 206,
  "status_msg": "Partial Content",
  "tags": []
}

That concludes the relevant http.log entries. Using the file UID we can search the files.log next.

Continuing with files.log

The relevant files.log entry contains the following:

{
  "ts": "2020-09-23T00:24:31.334435Z",
  "fuid": "FGYKX64SkXc4OcvlFf",
  "tx_hosts": [
    "63.88.73.83"
  ],
  "rx_hosts": [
    "192.168.4.152"
  ],
  "conn_uids": [
    "Cq2b9jR12c4lqZafg"
  ],
  "source": "HTTP",
  "depth": 0,
  "analyzers": [
    "MD5",
    "PE",
    "SHA1",
    "EXTRACT"
  ],
  "mime_type": "application/x-dosexec",
  "duration": 15.468528032302856,
  "local_orig": false,
  "is_orig": false,
  "seen_bytes": 1967360,
  "total_bytes": 1967360,
  "missing_bytes": 0,
  "overflow_bytes": 0,
  "timedout": false,
  "md5": "a5843bd951f148e99b7265e5bd159fb7",
  "sha1": "fc8b8deb5b34fec1f3f094e579667b2bddee0b21",
  "extracted": "/nsm/zeek/extracted/HTTP-FGYKX64SkXc4OcvlFf.exe",
  "extracted_cutoff": false
}

This files.log entry shows that the content returned by the BITS server included a Windows executable. Zeek calculates MD5 and SHA1 hashes, and also shows the location on disk for the extracted file.

Do you remember a similar entry from the Zeek documentation on files.log?

"analyzers": [
    "EXTRACT",
    "PE"
  ],

In that example, the EXTRACT and PE analyzers were active.

In the current files.log, we have additional analyzers present:

"analyzers": [
  "MD5",
  "PE",
  "SHA1",
  "EXTRACT"
],

Thanks to these analyzers, we have the MD5 and SHA1 hashes, along with a pe.log entry and an extracted file.

Continuing with pe.log

Finally we come to the pe.log. We are able to connect it with the appropriate activity using the file UID FGYKX64SkXc4OcvlFf.

{
  "ts": "2020-09-23T00:24:36.395445Z",
  "id": "FGYKX64SkXc4OcvlFf",
  "machine": "AMD64",
  "compile_ts": "2020-09-19T00:10:08.000000Z",
  "os": "Windows XP x64 or Server 2003",
  "subsystem": "WINDOWS_GUI",
  "is_exe": true,
  "is_64bit": true,
  "uses_aslr": true,
  "uses_dep": true,
  "uses_code_integrity": false,
  "uses_seh": true,
  "has_import_table": true,
  "has_export_table": false,
  "has_cert_table": true,
  "has_debug_data": true,
  "section_names": [
    ".text",
    ".rdata",
    ".data",
    ".pdata",
    ".00cfg",
    ".rsrc",
    ".reloc"
  ]
}

The compile time is one of the more interesting details for analysts. The compile_ts of 2020-09-19 is only four days before the ts of 2020-09-23, when Zeek saw the file: this is a freshly compiled Windows executable.

Reviewing the Extracted Binary

As we did in the files.log documentation, we can analyze our extracted file using the command line version of VirusTotal.

Here is the extracted file on disk. Notice the filename includes the file UID calculated by Zeek, i.e., FGYKX64SkXc4OcvlFf.

$ file /nsm/zeek/extracted/HTTP-FGYKX64SkXc4OcvlFf.exe
/nsm/zeek/extracted/HTTP-FGYKX64SkXc4OcvlFf.exe: PE32+ executable (GUI) x86-64, for MS Windows

We use the Linux md5sum utility to calculate the MD5 hash.

$ md5sum /nsm/zeek/extracted/HTTP-FGYKX64SkXc4OcvlFf.exe
a5843bd951f148e99b7265e5bd159fb7  /nsm/zeek/extracted/HTTP-FGYKX64SkXc4OcvlFf.exe

Note the MD5 hash matches the one provided by Zeek in the files.log entry.
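The pivot from conn.log through http.log and files.log to pe.log, together with the MD5 check just performed with md5sum, as an added Python example that is not part of the Zeek documentation. The abbreviated log records are constructed from the entries shown above, and the seven-day "freshly compiled" window is this example's own assumption.

```python
"""Pivot from a conn.log UID to http.log, files.log and pe.log.

Added example, not from the Zeek documentation. It performs the joins this
section walks through by hand (conn uid -> http resp_fuids -> files fuid ->
pe id), recomputes the extracted file's MD5 as md5sum did above, and flags
executables compiled shortly before Zeek saw them. The records below are
constructed, abbreviated copies of this section's log entries.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

HTTP_LOG = """\
{"ts":"2020-09-23T00:24:31.235201Z","uid":"Cq2b9jR12c4lqZafg","trans_depth":1,"method":"HEAD","host":"r8---sn-8xgp1vo-p5ql.gvt1.com","status_code":200}
{"ts":"2020-09-23T00:24:31.334435Z","uid":"Cq2b9jR12c4lqZafg","trans_depth":2,"method":"GET","host":"r8---sn-8xgp1vo-p5ql.gvt1.com","status_code":206,"resp_fuids":["FGYKX64SkXc4OcvlFf"]}
{"ts":"2020-09-23T00:24:35.247333Z","uid":"Cq2b9jR12c4lqZafg","trans_depth":3,"method":"GET","host":"r8---sn-8xgp1vo-p5ql.gvt1.com","status_code":206}
"""
FILES_LOG = """\
{"ts":"2020-09-23T00:24:31.334435Z","fuid":"FGYKX64SkXc4OcvlFf","conn_uids":["Cq2b9jR12c4lqZafg"],"source":"HTTP","mime_type":"application/x-dosexec","md5":"a5843bd951f148e99b7265e5bd159fb7","extracted":"/nsm/zeek/extracted/HTTP-FGYKX64SkXc4OcvlFf.exe"}
"""
PE_LOG = """\
{"ts":"2020-09-23T00:24:36.395445Z","id":"FGYKX64SkXc4OcvlFf","machine":"AMD64","compile_ts":"2020-09-19T00:10:08.000000Z","is_exe":true,"is_64bit":true}
"""


def load(text):
    """Parse a JSON-format Zeek log, one record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_ts(value):
    """Zeek's JSON timestamps look like 2020-09-23T00:24:36.395445Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def pivot(conn_uid, http, files, pe):
    """Return {fuid: {"http": [...], "file": rec or None, "pe": rec or None}}
    for every file Zeek saw in the responses of one connection."""
    chain = {}
    for h in http:
        if h["uid"] != conn_uid:
            continue
        for fuid in h.get("resp_fuids", []):
            entry = chain.setdefault(fuid, {"http": [], "file": None, "pe": None})
            entry["http"].append(h)
    for f in files:
        if f["fuid"] in chain:
            chain[f["fuid"]]["file"] = f
    for p in pe:
        if p["id"] in chain:
            chain[p["id"]]["pe"] = p
    return chain


def fresh_executables(chain, max_age=timedelta(days=7)):
    """(fuid, age) for executables whose PE compile timestamp lies within
    max_age before the time Zeek first saw the file. A compile time in the
    future (negative age) is reported too, since it is just as unusual."""
    hits = []
    for fuid, parts in chain.items():
        f, p = parts["file"], parts["pe"]
        if f is None or p is None or not p.get("is_exe"):
            continue
        age = parse_ts(f["ts"]) - parse_ts(p["compile_ts"])
        if age <= max_age:
            hits.append((fuid, age))
    return hits


def extracted_md5_matches(file_rec, data=None):
    """Recompute the MD5 of the extracted file (or of the bytes passed in)
    and compare it with the md5 Zeek wrote to files.log."""
    if data is None:
        with open(file_rec["extracted"], "rb") as fh:
            data = fh.read()
    return hashlib.md5(data).hexdigest() == file_rec["md5"]


if __name__ == "__main__":
    chain = pivot("Cq2b9jR12c4lqZafg", load(HTTP_LOG), load(FILES_LOG), load(PE_LOG))
    for fuid, age in fresh_executables(chain):
        print(fuid, "was compiled", age, "before Zeek saw it")
```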

Next we submit the hash, not the binary, to VirusTotal for analysis. Whenever possible, submit hashes to cloud file analysis engines. This preserves the confidentiality of your sample.

The output is edited for readability.

$ vt file a5843bd951f148e99b7265e5bd159fb7
- _id: "14a1b9947b77174244a6f6bfd2cd7e1b1c860a09b3b5d74f07b81e45b5548de4"
  _type: "file"
  authentihash: "a4a6a1011bb3e33af37a1dce19bd41b72d5360dc4175d570ec7260d1d9815747"
  creation_date: 1600474208  # 2020-09-19 00:10:08 +0000 UTC
  first_submission_date: 1600711798  # 2020-09-21 18:09:58 +0000 UTC
  last_analysis_date: 1600840562  # 2020-09-23 05:56:02 +0000 UTC
  last_analysis_results:
    ALYac:
      category: "undetected"
      engine_name: "ALYac"
      engine_update: "20200923"
      engine_version: "1.1.1.5"
      method: "blacklist"
   ...edited...
    eGambit:
      category: "undetected"
      engine_name: "eGambit"
      engine_update: "20200923"
      method: "blacklist"
  last_analysis_stats:
    confirmed-timeout: 0
    failure: 0
    harmless: 0
    malicious: 0
    suspicious: 0
    timeout: 0
    type-unsupported: 4
    undetected: 69
  last_modification_date: 1600878930  # 2020-09-23 16:35:30 +0000 UTC
  last_submission_date: 1600830769  # 2020-09-23 03:12:49 +0000 UTC
  magic: "PE32+ executable for MS Windows (GUI) Mono/.Net assembly"
  md5: "a5843bd951f148e99b7265e5bd159fb7"
  meaningful_name: "mini_installer"
  names:
  - "85.0.4183.121_85.0.4183.102_chrome_updater.exe"
  - "mini_installer"
  - "HTTP-FjcOYuaXbbQFV1cJj.exe"
  pe_info:
    entry_point: 4096
    imphash: "ec06ab323a50409817b4a6a54b98f157"
    import_list:
    - imported_functions:
      - "CommandLineToArgvW"
      library_name: "SHELL32.dll"
    - imported_functions:
      - "GetLastError"
      - "GetVolumePathNameW"
   ...edited...
      - "GetEnvironmentVariableW"
      library_name: "KERNEL32.dll"
    machine_type: 34404
    overlay:
      chi2: 1124223.375
      entropy: 4.492208003997803
      filetype: "binary Computer Graphics Metafile"
      md5: "ddc7adbbc3760a81d8510e57fedbe055"
      offset: 1951232
      size: 16128
    resource_details:
    - chi2: 286.0988464355469
      entropy: 7.999892711639404
      filetype: "Data"
      lang: "ENGLISH US"
      sha256: "133ccfebc6cebb05333ed1677bb419716a8ad00b39417f2f4fa6ee45bdbb92df"
      type: "B7"
  ...edited...
    timestamp: 1600474208
  reputation: 0
  sha1: "fc8b8deb5b34fec1f3f094e579667b2bddee0b21"
  sha256: "14a1b9947b77174244a6f6bfd2cd7e1b1c860a09b3b5d74f07b81e45b5548de4"
  signature_info:
    copyright: "Copyright 2020 Google LLC. All rights reserved."
    counter signers: "TIMESTAMP-SHA256-2019-10-15; DigiCert SHA2 Assured ID Timestamping CA; DigiCert"
    counter signers details:
    - algorithm: "sha256RSA"
      cert issuer: "DigiCert SHA2 Assured ID Timestamping CA"
      name: "TIMESTAMP-SHA256-2019-10-15"
      serial number: "04 CD 3F 85 68 AE 76 C6 1B B0 FE 71 60 CC A7 6D"
      status: "Valid"
      thumbprint: "0325BD505EDA96302DC22F4FA01E4C28BE2834C5"
      valid from: "12:00 AM 10/01/2019"
      valid to: "12:00 AM 10/17/2030"
      valid usage: "Timestamp Signing"
    - algorithm: "sha256RSA"
      cert issuer: "DigiCert Assured ID Root CA"
      name: "DigiCert SHA2 Assured ID Timestamping CA"
      serial number: "0A A1 25 D6 D6 32 1B 7E 41 E4 05 DA 36 97 C2 15"
      status: "Valid"
      thumbprint: "3BA63A6E4841355772DEBEF9CDCF4D5AF353A297"
      valid from: "12:00 PM 01/07/2016"
      valid to: "12:00 PM 01/07/2031"
      valid usage: "Timestamp Signing"
    - algorithm: "sha1RSA"
      cert issuer: "DigiCert Assured ID Root CA"
      name: "DigiCert"
      serial number: "0C E7 E0 E5 17 D8 46 FE 8F E5 60 FC 1B F0 30 39"
      status: "Valid"
      thumbprint: "0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43"
      valid from: "12:00 AM 11/10/2006"
      valid to: "12:00 AM 11/10/2031"
      valid usage: "Client Auth, Code Signing, Email Protection, Server Auth, Timestamp Signing"
    description: "Google Chrome Installer"
    file version: "85.0.4183.121"
    internal name: "mini_installer"
    product: "Google Chrome Installer"
    signers: "Google LLC; DigiCert SHA2 Assured ID Code Signing CA; DigiCert"
    signers details:
    - algorithm: "sha256RSA"
      cert issuer: "DigiCert SHA2 Assured ID Code Signing CA"
      name: "Google LLC"
      serial number: "0C 15 BE 4A 15 BB 09 03 C9 01 B1 D6 C2 65 30 2F"
      status: "Valid"
      thumbprint: "CB7E84887F3C6015FE7EDFB4F8F36DF7DC10590E"
      valid from: "12:00 AM 11/07/2018"
      valid to: "12:00 PM 11/17/2021"
      valid usage: "Code Signing"
    ...edited...
  ssdeep: "49152:zS2WLLoAgkZlbpkJDy5KrwM4wN9UT90hZv6AFV56vt9IWA:m2WvgSbpkFAKrwMpTZJV5kgW"
  tags:
  - "peexe"
  - "assembly"
  - "overlay"
  - "runtime-modules"
  - "signed"
  - "64bits"
  - "trusted"
  times_submitted: 2
  total_votes:
    harmless: 0
    malicious: 0
  trid:
  - file_type: "OS/2 Executable (generic)"
    probability: 33.6
  - file_type: "Generic Win/DOS Executable"
    probability: 33.1
  - file_type: "DOS Executable Generic"
    probability: 33.1
  trusted_verdict:
    filename: "85.0.4183.121_85.0.4183.102_chrome_updater.exe"
    link: "https://dl.google.com/dl/release2/chrome/SAWXCyZhLAbPfxC5kv_Fkw_85.0.4183.121/85.0.4183.121_85.0.4183.102_chrome_updater.exe"
    organization: "Google"
    verdict: "goodware"
  type_description: "Win32 EXE"
  type_tag: "peexe"
  unique_sources: 2
  vhash: "016076651d151515751az36hz1lz"

This file appears to be a component of the Google Chrome Installer. It is not malicious software.

Conclusion

Although the pe.log was only part of this section, I wanted to show an integrated set of Zeek logs for this example, beginning with the conn.log, continuing with the http.log and files.log, and concluding with the pe.log. This is recent activity and shows that modern software still uses HTTP in some cases!

dhcp.log

Dynamic Host Configuration Protocol is a core protocol found in Internet Protocol (IP) networks. Using the protocol, DHCP servers provide clients with IP addresses and other key information needed to make use of the network. This entry will describe some aspects of Zeek’s dhcp.log that may be of use to network and security personnel.

As with all entries in this document, for full explanation of each field in the log, see DHCP::Info.

DORA via Tcpdump

The method by which a client requests and receives an IP address and other parameters from a DHCP server is represented by the acronym DORA. DORA stands for Discover - Offer - Request - Acknowledge. The following tcpdump output of a complete DORA exchange demonstrates this protocol in action.

$ tcpdump -n -r snort.log.1601610971.bootp.pcap
reading from file snort.log.1601610971.bootp.pcap, link-type EN10MB (Ethernet)

04:14:39.119370 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 3c:58:c2:2f:91:21, length 302
04:14:39.120138 IP 192.168.4.1.67 > 192.168.4.152.68: BOOTP/DHCP, Reply, length 302
04:14:39.158211 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 3c:58:c2:2f:91:21, length 337
04:14:39.456915 IP 192.168.4.1.67 > 192.168.4.152.68: BOOTP/DHCP, Reply, length 302

The default output for tcpdump doesn’t say much, other than showing the IP addresses (or lack thereof, in the case of the 0.0.0.0 source IP addresses). It is helpful to see this “simplified” output, however, before delving into the details. The “Request” and “Reply” labels are slightly deceptive: strictly speaking these are the more specific DORA messages, as the verbose output will show.

DORA via Tcpdump Verbose Mode

We can add the -vvv flag to tcpdump to provide more verbose output, as shown in the examples that follow.

The first datagram shows that a host that does not have an IP address set (i.e., it’s using 0.0.0.0) sends a broadcast to 255.255.255.255 on port 67 UDP. This client has had an IP address before as shown by its request for 192.168.4.152. Note the hostname and the presence of a Microsoft 5.0 vendor class.

This is a DHCP Discover message from a client to any DHCP server listening on the local network:

04:14:39.119370 IP (tos 0x0, ttl 128, id 44414, offset 0, flags [none], proto UDP (17), length 330)
    0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from 3c:58:c2:2f:91:21, length 302, xid 0xfd9859a7, Flags [none] (0x0000)
          Client-Ethernet-Address 3c:58:c2:2f:91:21
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message Option 53, length 1: Discover
            Client-ID Option 61, length 7: ether 3c:58:c2:2f:91:21
            Requested-IP Option 50, length 4: 192.168.4.152
            Hostname Option 12, length 15: "3071N0098017422"
            Vendor-Class Option 60, length 8: "MSFT 5.0"
            Parameter-Request Option 55, length 14:
              Subnet-Mask, Default-Gateway, Domain-Name-Server, Domain-Name
              Router-Discovery, Static-Route, Vendor-Option, Netbios-Name-Server
              Netbios-Node, Netbios-Scope, Option 119, Classless-Static-Route
              Classless-Static-Route-Microsoft, Option 252
            END Option 255, length 0

The second datagram is a reply from the local DHCP server running on 192.168.4.1. The server replies directly to 192.168.4.152, which in this case will end up at the system using MAC address 3c:58:c2:2f:91:21, so the destination IP address is probably not relevant here. Remember that if the client at MAC address 3c:58:c2:2f:91:21 had no IP address to begin with, it would only receive the DHCP offer by virtue of the offer datagram being addressed to its MAC address. The server does not offer a domain name other than “localdomain.”

This is a DHCP Offer message, from the DHCP server to the client:

04:14:39.120138 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 330)
    192.168.4.1.67 > 192.168.4.152.68: [udp sum ok] BOOTP/DHCP, Reply, length 302, xid 0xfd9859a7, Flags [none] (0x0000)
          Your-IP 192.168.4.152
          Client-Ethernet-Address 3c:58:c2:2f:91:21
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message Option 53, length 1: Offer
            Server-ID Option 54, length 4: 192.168.4.1
            Lease-Time Option 51, length 4: 86400
            Subnet-Mask Option 1, length 4: 255.255.255.0
            Default-Gateway Option 3, length 4: 192.168.4.1
            Domain-Name-Server Option 6, length 4: 192.168.4.1
            Domain-Name Option 15, length 11: "localdomain"
            T119 Option 119, length 13: 11.108.111.99.97.108.100.111.109.97.105.110.0
            END Option 255, length 0

The third datagram is a reply to the server’s reply. Here the client requests the IP address 192.168.4.152. We also see it provide a fully qualified domain name (FQDN) for itself, belonging to the FCPS educational domain. Again note the client does not include an IP address for itself in the layer 3 header. It uses 0.0.0.0 as in the initial Discover message.

This is a DHCP Request message from the client to the DHCP server:

04:14:39.158211 IP (tos 0x0, ttl 128, id 44415, offset 0, flags [none], proto UDP (17), length 365)
    0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from 3c:58:c2:2f:91:21, length 337, xid 0xfd9859a7, Flags [none] (0x0000)
          Client-Ethernet-Address 3c:58:c2:2f:91:21
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message Option 53, length 1: Request
            Client-ID Option 61, length 7: ether 3c:58:c2:2f:91:21
            Requested-IP Option 50, length 4: 192.168.4.152
            Server-ID Option 54, length 4: 192.168.4.1
            Hostname Option 12, length 15: "3071N0098017422"
            FQDN Option 81, length 27: "3071N0098017422.fcps.edu"
            Vendor-Class Option 60, length 8: "MSFT 5.0"
            Parameter-Request Option 55, length 14:
              Subnet-Mask, Default-Gateway, Domain-Name-Server, Domain-Name
              Router-Discovery, Static-Route, Vendor-Option, Netbios-Name-Server
              Netbios-Node, Netbios-Scope, Option 119, Classless-Static-Route
              Classless-Static-Route-Microsoft, Option 252
            END Option 255, length 0

Finally the server sends its last message, essentially confirming the information sent in the DHCP Offer message. Note that tcpdump is unable to make sense of what it renders as T119 Option 119. We will return to that shortly.

This is a DHCP Acknowledgement message, sent from the DHCP server to the client:

04:14:39.456915 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 330)
    192.168.4.1.67 > 192.168.4.152.68: [udp sum ok] BOOTP/DHCP, Reply, length 302, xid 0xfd9859a7, Flags [none] (0x0000)
          Your-IP 192.168.4.152
          Client-Ethernet-Address 3c:58:c2:2f:91:21
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message Option 53, length 1: ACK
            Server-ID Option 54, length 4: 192.168.4.1
            Lease-Time Option 51, length 4: 86400
            Subnet-Mask Option 1, length 4: 255.255.255.0
            Default-Gateway Option 3, length 4: 192.168.4.1
            Domain-Name-Server Option 6, length 4: 192.168.4.1
            Domain-Name Option 15, length 11: "localdomain"
            T119 Option 119, length 13: 11.108.111.99.97.108.100.111.109.97.105.110.0
            END Option 255, length 0

Acknowledgement via tshark

We could look at the entire trace using tshark (the command line version of Wireshark), but it would largely be redundant. Rather, I would like to look at the Acknowledgment message to explain the T119 Option that tcpdump could not decode.

To find the datagram of interest, I tell tshark to read the packet capture of interest. I tell it to look for the “bootp” transaction identifier associated with the DORA exchange of interest. (BOOTP refers to Bootstrap, a precursor protocol that Tshark still uses for DHCP filters.) I also tell tshark to look for the specific BOOTP (DHCP) option value (5) associated with the ACK message.

$ tshark -V -n -r snort.log.1601610971.bootp.pcap bootp.id == 0xfd9859a7 and bootp.option.dhcp == 5
Frame 4: 344 bytes on wire (2752 bits), 344 bytes captured (2752 bits) on interface 0
    Interface id: 0 (unknown)
        Interface name: unknown
    Encapsulation type: Ethernet (1)
    Arrival Time: Oct  2, 2020 04:14:39.456915000 UTC
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1601612079.456915000 seconds
    [Time delta from previous captured frame: 0.298704000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.337545000 seconds]
    Frame Number: 4
    Frame Length: 344 bytes (2752 bits)
    Capture Length: 344 bytes (2752 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:udp:bootp]
Ethernet II, Src: fc:ec:da:49:e0:10, Dst: 3c:58:c2:2f:91:21
    Destination: 3c:58:c2:2f:91:21
        Address: 3c:58:c2:2f:91:21
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: fc:ec:da:49:e0:10
        Address: fc:ec:da:49:e0:10
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.4.1, Dst: 192.168.4.152
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x10 (DSCP: Unknown, ECN: Not-ECT)
        0001 00.. = Differentiated Services Codepoint: Unknown (4)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 330
    Identification: 0x0000 (0)
    Flags: 0x0000
        0... .... .... .... = Reserved bit: Not set
        .0.. .... .... .... = Don't fragment: Not set
        ..0. .... .... .... = More fragments: Not set
        ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 128
    Protocol: UDP (17)
    Header checksum: 0xafa9 [validation disabled]
    [Header checksum status: Unverified]
    Source: 192.168.4.1
    Destination: 192.168.4.152
User Datagram Protocol, Src Port: 67, Dst Port: 68
    Source Port: 67
    Destination Port: 68
    Length: 310
    Checksum: 0x92db [unverified]
    [Checksum Status: Unverified]
    [Stream index: 1]
Bootstrap Protocol (ACK)
    Message type: Boot Reply (2)
    Hardware type: Ethernet (0x01)
    Hardware address length: 6
    Hops: 0
    Transaction ID: 0xfd9859a7
    Seconds elapsed: 0
    Bootp flags: 0x0000 (Unicast)
        0... .... .... .... = Broadcast flag: Unicast
        .000 0000 0000 0000 = Reserved flags: 0x0000
    Client IP address: 0.0.0.0
    Your (client) IP address: 192.168.4.152
    Next server IP address: 0.0.0.0
    Relay agent IP address: 0.0.0.0
    Client MAC address: 3c:58:c2:2f:91:21
    Client hardware address padding: 00000000000000000000
    Server host name not given
    Boot file name not given
    Magic cookie: DHCP
    Option: (53) DHCP Message Type (ACK)
        Length: 1
        DHCP: ACK (5)
    Option: (54) DHCP Server Identifier
        Length: 4
        DHCP Server Identifier: 192.168.4.1
    Option: (51) IP Address Lease Time
        Length: 4
        IP Address Lease Time: (86400s) 1 day
    Option: (1) Subnet Mask
        Length: 4
        Subnet Mask: 255.255.255.0
    Option: (3) Router
        Length: 4
        Router: 192.168.4.1
    Option: (6) Domain Name Server
        Length: 4
        Domain Name Server: 192.168.4.1
    Option: (15) Domain Name
        Length: 11
        Domain Name: localdomain
    Option: (119) Domain Search
        Length: 13
        FQDN: localdomain
    Option: (255) End
        Option End: 255

This output looks similar to what tcpdump reported, except here we can see the decode for Option 119. It looks like the DHCP server is providing the FQDN of “localdomain.”
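The byte string tcpdump printed for Option 119 (11.108.111.99…) is the DNS-style label encoding of RFC 3397: a length byte, the label bytes, and a zero terminator. The following decoder is an added example, not code from the Zeek documentation or project; it parses that rendering and, going beyond the single-domain case on the page, also handles the RFC 1035 compression pointers the option may contain (the two-domain sample is constructed).

```python
from __future__ import annotations

# Added example, not from the Zeek documentation or the Zeek project.
# PAGE_RENDERING is the Option 119 value tcpdump printed above as decimal
# bytes; COMPRESSED_SAMPLE (two search domains sharing a suffix through an
# RFC 1035 compression pointer) is constructed for this example.
PAGE_RENDERING = "11.108.111.99.97.108.100.111.109.97.105.110.0"
COMPRESSED_SAMPLE = b"\x04fcps\x03edu\x00" + b"\x03eng\xc0\x00"  # constructed


def tcpdump_decimal_to_bytes(rendered: str) -> bytes:
    """tcpdump prints an option it cannot decode as dot-separated decimal bytes."""
    return bytes(int(token) for token in rendered.split("."))


def decode_domain_search(option: bytes) -> list[str]:
    """Return the search domains carried in a DHCP Option 119 value.

    RFC 3397 reuses the DNS name encoding of RFC 1035: each name is a run of
    length-prefixed labels ending in a zero byte, and a label byte with its two
    top bits set (0xC0) is a 14-bit pointer back to an earlier offset, so that a
    shared suffix is stored only once. Malformed input raises ValueError rather
    than looping or reading past the end of the option.
    """
    domains: list[str] = []
    pos = 0
    while pos < len(option):
        labels: list[str] = []
        cursor = pos
        jumped = False
        hops = 0
        while True:
            if cursor >= len(option):
                raise ValueError("truncated domain name")
            length = option[cursor]
            if length == 0:                          # end of this name
                cursor += 1
                break
            if length & 0xC0 == 0xC0:                # compression pointer
                if cursor + 1 >= len(option):
                    raise ValueError("truncated compression pointer")
                target = ((length & 0x3F) << 8) | option[cursor + 1]
                if target >= cursor:                 # pointers must point backwards
                    raise ValueError("pointer does not point to earlier data")
                hops += 1
                if hops > 64:
                    raise ValueError("too many compression pointers")
                if not jumped:
                    pos = cursor + 2                 # next name follows the pointer
                    jumped = True
                cursor = target
                continue
            if length & 0xC0:
                raise ValueError(f"reserved label type 0x{length:02x}")
            label = option[cursor + 1 : cursor + 1 + length]
            if len(label) != length:
                raise ValueError("truncated label")
            labels.append(label.decode("ascii"))
            cursor += 1 + length
        if not jumped:
            pos = cursor
        domains.append(".".join(labels))
    return domains


def is_malformed(option: bytes) -> bool:
    """True when the option cannot be decoded safely."""
    try:
        decode_domain_search(option)
    except (ValueError, UnicodeDecodeError):
        return True
    return False


if __name__ == "__main__":
    print(decode_domain_search(tcpdump_decimal_to_bytes(PAGE_RENDERING)))  # ['localdomain']
    print(decode_domain_search(COMPRESSED_SAMPLE))  # ['fcps.edu', 'eng.fcps.edu']
```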

Zeek’s Rendition of DORA

With this background, let’s look at Zeek’s depiction of this DHCP exchange.

{
  "ts": "2020-10-02T04:14:39.135304Z",
  "uids": [
    "COoA8M1gbTowuPlVT",
    "CapFoX32zVg3R6TATc"
  ],
  "client_addr": "192.168.4.152",
  "server_addr": "192.168.4.1",
  "mac": "3c:58:c2:2f:91:21",
  "host_name": "3071N0098017422",
  "client_fqdn": "3071N0098017422.fcps.edu",
  "domain": "localdomain",
  "requested_addr": "192.168.4.152",
  "assigned_addr": "192.168.4.152",
  "lease_time": 86400,
  "msg_types": [
    "DISCOVER",
    "OFFER",
    "REQUEST",
    "ACK"
  ],
  "duration": 0.416348934173584
}

As you can see, Zeek has taken the important elements from all four DORA messages and produced a single log entry. Every field is interesting, so I did not highlight them all.

Two UIDs

You might be wondering why there are two UID fields for this single DHCP exchange. Let’s look at the two corresponding conn.log entries.

The first one shows a “conversation” between 0.0.0.0 and 255.255.255.255. This represents the DHCP Discover message: a client that does not yet know its own IP address broadcasts its search for a DHCP server to the local network.

{
  "ts": "2020-10-02T04:14:14.443346Z",
  "uid": "COoA8M1gbTowuPlVT",
  "id.orig_h": "0.0.0.0",
  "id.orig_p": 68,
  "id.resp_h": "255.255.255.255",
  "id.resp_p": 67,
  "proto": "udp",
  "service": "dhcp",
  "duration": 63.16645097732544,
  "orig_bytes": 1211,
  "resp_bytes": 0,
  "conn_state": "S0",
  "local_orig": false,
  "local_resp": false,
  "missed_bytes": 0,
  "history": "D",
  "orig_pkts": 4,
  "orig_ip_bytes": 1323,
  "resp_pkts": 0,
  "resp_ip_bytes": 0,
  "sensorname": "so16-enp0s8"
}

Notice that Zeek has tracked 4 “orig packets” here, which does not strictly correspond to the 2 datagrams from 0.0.0.0 to 255.255.255.255. Remember the DORA via tcpdump output?

It’s possible Zeek included other packets involving 0.0.0.0 and 255.255.255.255 when it created this log entry. This is broadcast traffic, and Zeek generally may have trouble with it because it doesn’t fit the “connection” abstraction.

The second message shows a conversation between 192.168.4.152, the DHCP client, and 192.168.4.1, the DHCP server.

{
  "ts": "2020-10-02T04:14:39.120138Z",
  "uid": "CapFoX32zVg3R6TATc",
  "id.orig_h": "192.168.4.152",
  "id.orig_p": 68,
  "id.resp_h": "192.168.4.1",
  "id.resp_p": 67,
  "proto": "udp",
  "service": "dhcp",
  "duration": 0.3367769718170166,
  "orig_bytes": 0,
  "resp_bytes": 604,
  "conn_state": "SHR",
  "local_orig": true,
  "local_resp": true,
  "missed_bytes": 0,
  "history": "^d",
  "orig_pkts": 0,
  "orig_ip_bytes": 0,
  "resp_pkts": 2,
  "resp_ip_bytes": 660,
  "sensorname": "so16-enp0s8"
}

Here the count of 2 resp_pkts is correct.

Enumerating DHCP Servers

Analysts can use Zeek’s dhcp.log to enumerate systems providing DHCP services. Consider the output of the following query.

$ find . -name "dhcp**.gz" | while read -r file; do zcat -f "$file"; done | jq -c '[."server_addr"]' | sort | uniq -c | sort -nr | head -10
1337 [null]
 119 ["192.168.4.1"]

Here we see that 192.168.4.1 is providing DHCP services on this network. The null entries refer to DHCP log entries that do not have a server_addr field. One example is Zeek’s log for this DHCP Discover message:

{
  "ts": "2020-10-06T23:59:48.577749Z",
  "uids": [
    "CctZMx18mIK1qj9Vci"
  ],
  "mac": "80:ee:73:52:eb:59",
  "host_name": "ds61",
  "msg_types": [
    "DISCOVER"
  ],
  "duration": 0
}

This log entry does not have a server_addr field, so the query above returns a null result.

Conclusion

DHCP is crucial to the proper operation of any IP network. DHCP logs help analysts map IP addresses to MAC addresses, and may also reveal hostnames. When investigating suspicious or malicious activity, analysts need to know which system held which IP address at a given time, because DHCP leases expire and addresses can be reassigned. However, depending on the network, systems may retain specific IP addresses for a long time, as they may request an old address, as was seen in this example. Of course, administrators who have configured DHCP to provide fixed IP addresses based on MAC address will ensure that these machines receive the same IP address, despite relying on the “dynamic” nature of DHCP.

ntp.log

Network Time Protocol (NTP) is another core protocol found in IP networks. NTP is a mechanism by which clients can adjust their local clocks to more closely match those of NTP servers. Many devices ship with NTP clients already configured to contact public NTP servers. Administrators can use Zeek logs to identify NTP clients and servers, and determine if they are operating as expected.

As with all entries in this document, for full explanation of each field in the log, see NTP::Info.

NTP via tcpdump

NTP is a request-response protocol, as demonstrated by the following exchange decoded by tcpdump:

00:29:07.927672 IP 192.168.4.49.38461 > 208.79.89.249.123: NTPv4, Client, length 48
00:29:07.995844 IP 208.79.89.249.123 > 192.168.4.49.38461: NTPv4, Server, length 48

Using the verbose feature, we see the following details:

00:29:07.927672 IP (tos 0x10, ttl 64, id 3186, offset 0, flags [DF], proto UDP (17), length 76)
    192.168.4.49.38461 > 208.79.89.249.123: [udp sum ok] NTPv4, length 48
        Client, Leap indicator:  (0), Stratum 0 (unspecified), poll 0 (1s), precision 0
        Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec)
          Reference Timestamp:  0.000000000
          Originator Timestamp: 0.000000000
          Receive Timestamp:    0.000000000
          Transmit Timestamp:   3811105747.215585991 (2020/10/08 00:29:07)
            Originator - Receive Timestamp:  0.000000000
            Originator - Transmit Timestamp: 3811105747.215585991 (2020/10/08 00:29:07)

00:29:07.995844 IP (tos 0x0, ttl 56, id 18045, offset 0, flags [DF], proto UDP (17), length 76)
    208.79.89.249.123 > 192.168.4.49.38461: [udp sum ok] NTPv4, length 48
        Server, Leap indicator:  (0), Stratum 2 (secondary reference), poll 3 (8s), precision -24
        Root Delay: 0.009216, Root dispersion: 0.021224, Reference-ID: 127.67.113.92
          Reference Timestamp:  3811105455.942204197 (2020/10/08 00:24:15)
          Originator Timestamp: 3811105747.215585991 (2020/10/08 00:29:07)
          Receive Timestamp:    3811105747.964280626 (2020/10/08 00:29:07)
          Transmit Timestamp:   3811105747.964314032 (2020/10/08 00:29:07)
            Originator - Receive Timestamp:  +0.748694635
            Originator - Transmit Timestamp: +0.748728040

A look at RFC 5905, explaining NTPv4, helps us understand the timestamps shown in the decoded output:

LI Leap Indicator (leap): 2-bit integer warning of an impending leap second
to be inserted or deleted in the last minute of the current month with values
defined in Figure 9.

           +-------+----------------------------------------+
           | Value | Meaning                                |
           +-------+----------------------------------------+
           | 0     | no warning                             |
           | 1     | last minute of the day has 61 seconds  |
           | 2     | last minute of the day has 59 seconds  |
           | 3     | unknown (clock unsynchronized)         |
           +-------+----------------------------------------+

                         Figure 9: Leap Indicator

VN Version Number (version): 3-bit integer representing the NTP version
number, currently 4.

Mode (mode): 3-bit integer representing the mode, with values defined in
Figure 10.

                      +-------+--------------------------+
                      | Value | Meaning                  |
                      +-------+--------------------------+
                      | 0     | reserved                 |
                      | 1     | symmetric active         |
                      | 2     | symmetric passive        |
                      | 3     | client                   |
                      | 4     | server                   |
                      | 5     | broadcast                |
                      | 6     | NTP control message      |
                      | 7     | reserved for private use |
                      +-------+--------------------------+

                       Figure 10: Association Modes

Stratum (stratum): 8-bit integer representing the stratum, with values
defined in Figure 11.

        +--------+-----------------------------------------------------+
        | Value  | Meaning                                             |
        +--------+-----------------------------------------------------+
        | 0      | unspecified or invalid                              |
        | 1      | primary server (e.g., equipped with a GPS receiver) |
        | 2-15   | secondary server (via NTP)                          |
        | 16     | unsynchronized                                      |
        | 17-255 | reserved                                            |
        +--------+-----------------------------------------------------+

                         Figure 11: Packet Stratum

Poll: 8-bit signed integer representing the maximum interval between
successive messages, in log2 seconds.

Precision: 8-bit signed integer representing the precision of the system
clock, in log2 seconds. For instance, a value of -18 corresponds to a
precision of about one microsecond.

Root Delay (rootdelay): Total round-trip delay to the reference clock, in NTP
short format.

Root Dispersion (rootdisp): Total dispersion to the reference clock, in NTP
short format.

Reference ID (refid): 32-bit code identifying the particular server or
reference clock.

Reference Timestamp: Time when the system clock was last set or corrected, in
NTP timestamp format.

Origin Timestamp (org): Time at the client when the request departed for the
server, in NTP timestamp format.

Receive Timestamp (rec): Time at the server when the request arrived from the
client, in NTP timestamp format.

Transmit Timestamp (xmt): Time at the server when the response left for the
client, in NTP timestamp format.

Destination Timestamp (dst): Time at the client when the reply arrived from
the server, in NTP timestamp format.

It makes sense that the reference, originator, and receive timestamps would be zero in the client request, but non-zero in the server reply.

NTP via tcpdump and tshark

Let’s look at tshark’s decode for the NTP-specific data, to see if tcpdump missed anything:

Client to server:

Network Time Protocol (NTP Version 4, client)
    Flags: 0x23, Leap Indicator: no warning, Version number: NTP Version 4, Mode: client
        00.. .... = Leap Indicator: no warning (0)
        ..10 0... = Version number: NTP Version 4 (4)
        .... .011 = Mode: client (3)
    Peer Clock Stratum: unspecified or invalid (0)
    Peer Polling Interval: invalid (0)
    Peer Clock Precision: 1.000000 sec
    Root Delay: 0 seconds
    Root Dispersion: 0 seconds
    Reference ID: NULL
    Reference Timestamp: Jan  1, 1970 00:00:00.000000000 UTC
    Origin Timestamp: Jan  1, 1970 00:00:00.000000000 UTC
    Receive Timestamp: Jan  1, 1970 00:00:00.000000000 UTC
    Transmit Timestamp: Oct  8, 2020 00:29:07.215585991 UTC

Server to client:

Network Time Protocol (NTP Version 4, server)
    Flags: 0x24, Leap Indicator: no warning, Version number: NTP Version 4, Mode: server
        00.. .... = Leap Indicator: no warning (0)
        ..10 0... = Version number: NTP Version 4 (4)
        .... .100 = Mode: server (4)
    Peer Clock Stratum: secondary reference (2)
    Peer Polling Interval: invalid (3)
    Peer Clock Precision: 0.000000 sec
    Root Delay: 0.00921630859375 seconds
    Root Dispersion: 0.0212249755859375 seconds
    Reference ID: 127.67.113.92
    Reference Timestamp: Oct  8, 2020 00:24:15.942204197 UTC
    Origin Timestamp: Oct  8, 2020 00:29:07.215585991 UTC
    Receive Timestamp: Oct  8, 2020 00:29:07.964280626 UTC
    Transmit Timestamp: Oct  8, 2020 00:29:07.964314032 UTC

It does not appear that tshark reveals any details that tcpdump did not. One difference is that for the client reference, origin, and receive timestamps, Tshark renders the 0 values as the Unix epoch, i.e., Jan  1, 1970 00:00:00.000000000 UTC.

NTP via Zeek

Here is how Zeek summarizes this NTP activity:

{
  "ts": "2020-10-08T00:29:07.977170Z",
  "uid": "CqlPpF1AQVLMPgGiL5",
  "id.orig_h": "192.168.4.49",
  "id.orig_p": 38461,
  "id.resp_h": "208.79.89.249",
  "id.resp_p": 123,
  "version": 4,
  "mode": 3,
  "stratum": 0,
  "poll": 1,
  "precision": 1,
  "root_delay": 0,
  "root_disp": 0,
  "ref_id": "\\x00\\x00\\x00\\x00",
  "ref_time": "1970-01-01T00:00:00.000000Z",
  "org_time": "1970-01-01T00:00:00.000000Z",
  "rec_time": "1970-01-01T00:00:00.000000Z",
  "xmt_time": "2020-10-08T00:29:07.215586Z",
  "num_exts": 0
}

{
  "ts": "2020-10-08T00:29:08.081209Z",
  "uid": "CqlPpF1AQVLMPgGiL5",
  "id.orig_h": "192.168.4.49",
  "id.orig_p": 38461,
  "id.resp_h": "208.79.89.249",
  "id.resp_p": 123,
  "version": 4,
  "mode": 4,
  "stratum": 2,
  "poll": 8,
  "precision": 5.960464477539063e-08,
  "root_delay": 0.00921630859375,
  "root_disp": 0.0212249755859375,
  "ref_id": "127.67.113.92",
  "ref_time": "2020-10-08T00:24:15.942204Z",
  "org_time": "2020-10-08T00:29:07.215586Z",
  "rec_time": "2020-10-08T00:29:07.964281Z",
  "xmt_time": "2020-10-08T00:29:07.964314Z",
  "num_exts": 0
}

By looking at the mode field in each log, we see that the first entry is an NTP client request (mode 3), and the second is the server’s reply (mode 4).

These log entries make an interesting comparison with those for DHCP. Zeek’s DHCP logs seek to summarize potentially up to four individual datagrams (for the DORA exchange) into one log entry. In contrast, Zeek’s NTP logs create an entry for each NTP message.
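To tie the RFC 5905 field definitions quoted above to the values in Zeek’s two ntp.log entries, the following parser is an added example (not code from the Zeek documentation or project). It rebuilds the 48-byte client request and server reply from the field values tcpdump and tshark decoded, then converts them the way Zeek logs them: poll and precision from log2 seconds to seconds (poll 3 becomes 8, precision -24 becomes 5.96e-08), root delay and dispersion from NTP short format, and the 64-bit timestamps to UTC.

```python
import struct
from datetime import datetime, timedelta, timezone

# Added example, not from the Zeek documentation or the Zeek project. The two
# packets are rebuilt here from the field values tcpdump and tshark decoded
# above; nothing is read from a live capture.

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
# RFC 5905 header: LI/VN/mode byte, stratum, poll, precision, root delay,
# root dispersion, reference ID, then four 64-bit timestamps (48 bytes total).
HEADER = struct.Struct("!BBbbII4sQQQQ")


def ntp_ts(seconds: int, fraction: float) -> int:
    """Build a 64-bit NTP timestamp: 32-bit seconds since 1900, 32-bit fraction."""
    return (seconds << 32) | round(fraction * (1 << 32))


def ntp_timestamp(raw: int) -> str:
    """Render a 64-bit NTP timestamp as Zeek does: ISO 8601 UTC with microseconds.

    A zero timestamp means "not set"; Zeek logs it as the Unix epoch, as the
    client-request entry above shows, so the same convention is used here."""
    if raw == 0:
        return "1970-01-01T00:00:00.000000Z"
    seconds, fraction = raw >> 32, raw & 0xFFFFFFFF
    micros = (fraction * 1_000_000 + (1 << 31)) >> 32   # round to nearest microsecond
    when = NTP_EPOCH + timedelta(seconds=seconds, microseconds=micros)
    return when.strftime("%Y-%m-%dT%H:%M:%S.%fZ")


def ntp_short(raw: int) -> float:
    """NTP short format: 16-bit seconds plus 16-bit fraction."""
    return raw / 65536


def reference_id(stratum: int, raw: bytes) -> str:
    """Stratum 0 and 1 carry a four-character code (kiss code or clock driver),
    which Zeek escapes byte by byte; stratum 2 and above carry the IPv4 address
    of the upstream server (127.67.113.92 in the reply above)."""
    if stratum >= 2:
        return ".".join(str(b) for b in raw)
    return "".join(chr(b) if 32 <= b < 127 else f"\\x{b:02x}" for b in raw)


def parse_ntp(packet: bytes) -> dict:
    """Decode the fixed header into the fields Zeek's ntp.log reports."""
    if len(packet) < HEADER.size:
        raise ValueError(f"NTP packet is {len(packet)} bytes; header needs {HEADER.size}")
    flags, stratum, poll, precision, rdelay, rdisp, refid, ref, org, rec, xmt = HEADER.unpack_from(packet)
    return {
        "leap": flags >> 6,                  # Figure 9 of RFC 5905
        "version": (flags >> 3) & 0x7,
        "mode": flags & 0x7,                 # Figure 10: 3 = client, 4 = server
        "stratum": stratum,                  # Figure 11
        "poll": 2.0 ** poll,                 # log2 seconds -> seconds (3 -> 8)
        "precision": 2.0 ** precision,       # log2 seconds -> seconds (-24 -> 5.96e-08)
        "root_delay": ntp_short(rdelay),
        "root_disp": ntp_short(rdisp),
        "ref_id": reference_id(stratum, refid),
        "ref_time": ntp_timestamp(ref),
        "org_time": ntp_timestamp(org),
        "rec_time": ntp_timestamp(rec),
        "xmt_time": ntp_timestamp(xmt),
    }


# Client request: flags 0x23 (LI 0, VN 4, mode 3); everything zero except xmt.
CLIENT_REQUEST = HEADER.pack(0x23, 0, 0, 0, 0, 0, b"\x00\x00\x00\x00",
                             0, 0, 0, ntp_ts(3811105747, 0.215585991))
# Server reply: flags 0x24 (mode 4), stratum 2, poll 3, precision -24,
# root delay 604/65536 s and root dispersion 1391/65536 s.
SERVER_REPLY = HEADER.pack(0x24, 2, 3, -24, 604, 1391, bytes([127, 67, 113, 92]),
                           ntp_ts(3811105455, 0.942204197), ntp_ts(3811105747, 0.215585991),
                           ntp_ts(3811105747, 0.964280626), ntp_ts(3811105747, 0.964314032))

if __name__ == "__main__":
    for pkt in (CLIENT_REQUEST, SERVER_REPLY):
        print(parse_ntp(pkt))
```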

Identifying NTP Servers

As with DHCP servers, Zeek can help identify NTP servers used by clients. The following query shows a subset of systems and the NTP servers they have queried:

$ find . -name "ntp**.gz" | while read -r file; do zcat -f "$file"; done | jq -c '[."id.orig_h", ."id.resp_h"]' | sort | uniq -c | sort -nr | head -10
570 ["192.168.4.48","193.0.0.229"]
271 ["192.168.4.76","91.189.91.157"]
271 ["192.168.4.76","216.229.0.50"]
270 ["192.168.4.76","74.6.168.73"]
270 ["192.168.4.76","72.30.35.88"]
270 ["192.168.4.76","38.229.71.1"]
216 ["192.168.4.149","84.16.73.33"]
206 ["192.168.4.48","50.205.244.21"]
164 ["192.168.4.57","216.239.35.12"]
162 ["192.168.4.57","216.239.35.8"]

The following query summarizes only the NTP servers seen by Zeek:

$ find . -name "ntp**.gz" | while read -r file; do zcat -f "$file"; done | jq -c '[."id.resp_h"]' | sort | uniq -c | sort -nr | head -10
570 ["193.0.0.229"]
470 ["17.253.20.253"]
468 ["17.253.20.125"]
357 ["91.189.91.157"]
287 ["216.229.0.50"]
286 ["74.6.168.73"]
276 ["72.30.35.88"]
270 ["38.229.71.1"]
221 ["84.16.73.33"]
206 ["50.205.244.21"]

Security and network administrators can use queries like this to identify systems that are polling unauthorized NTP servers.

Conclusion

NTP is an important protocol for modern network administration. Without accurate clocks, many systems will not be able to complete cryptographic exchanges. Be sure systems are kept up to date using the NTP servers you expect them to query.

SMB Logs (plus DCE-RPC, Kerberos, NTLM)

Server Message Block (SMB) is a protocol most commonly associated with Microsoft Windows enterprise administration. While there are implementations for other operating systems, such as Linux, Mac OS, FreeBSD, and the like, many security and network analysts seek information on SMB due to its use in Windows environments.

Introduction

For the most part, the log analysis sections of this document address a single Zeek log, such as conn.log or dns.log. When Zeek encounters SMB protocol usage, it usually creates multiple logs of varying types. In addition to the ubiquitous conn.log, Zeek may generate dce_rpc.log, kerberos.log, ntlm.log, smb_cmd.log, smb_files.log, smb_mapping.log, pe.log, and even notice.log entries.

This section will build upon a paper by Nate Marx published December 20, 2017 titled “An Introduction to SMB for Network Security Analysts.” The paper analyzes a set of packet captures that contain activity in a simulated compromised Windows environment.

The paper is available here:

https://401trg.github.io/pages/an-introduction-to-smb-for-network-security-analysts.html

The packet captures are available here:

https://github.com/401trg/detections/tree/master/pcaps

Thorough documentation of several versions of SMB is available online thanks to Microsoft.

SMB version 1 is posted here:

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb/f210069c-7086-4dc2-885e-861d837df688

SMB versions 2 and 3 are posted here:

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/5606ad47-5ee0-437a-817e-70c366052962

For information on the individual field values in these SMB-affiliated logs, please refer to DCE_RPC::Info, KRB::Info, NTLM::Info, SMB::CmdInfo, SMB::FileInfo, and SMB::TreeInfo.

When presenting information in this section, my general convention is to bold commands and items of interest in the resulting output.

Leveraging BZAR

Before looking at individual logs associated with SMB, it’s helpful to first consider adding the BZAR package to your repertoire.

BZAR stands for Bro/Zeek ATT&CK-based Analytics and Reporting. Mark Fernandez and others from MITRE and the Zeek community wrote BZAR to generate notice.log entries when certain patterns of activity appear in some SMB logs.

You can learn more about BZAR at https://github.com/mitre-attack/bzar and install it via the zkg package manager by saying

zkg install bzar

I suggest using BZAR when one first begins looking at SMB logs. Without BZAR, it could be difficult to know what might be worth investigating and what might be normal. However, even with BZAR, it is no easy feat to differentiate among normal, suspicious, and malicious SMB activity. Still, leveraging the BZAR policy script for Zeek will give analysts a place to begin their investigations.

Running the net user Command

Let’s start our investigation of SMB logs with the case labelled “RPC” in Nate Marx’s paper. The relevant packet capture file is titled 20171220_smb_net_user.pcap.

If we process the packet capture with Zeek and BZAR, the following files appear:

  • conn.log

  • dce_rpc.log

  • kerberos.log

  • notice.log

  • packet_filter.log

  • smb_mapping.log

Let’s look at the conn.log first to get a general overview of the traffic.

{
  "ts": 1507562478.10937,
  "uid": "CzgIrZ31Lh5vCHioWi",
  "id.orig_h": "192.168.10.31",
  "id.orig_p": 49282,
  "id.resp_h": "192.168.10.10",
  "id.resp_p": 445,
  "proto": "tcp",
  "service": "gssapi,smb,dce_rpc,krb",
  "duration": 0.22932004928588867,
  "orig_bytes": 16271,
  "resp_bytes": 13720,
  "conn_state": "S1",
  "missed_bytes": 0,
  "history": "ShADda",
  "orig_pkts": 78,
  "orig_ip_bytes": 19403,
  "resp_pkts": 77,
  "resp_ip_bytes": 16812
}

We see that 192.168.10.31 initiated a connection to 192.168.10.10. The destination port is 445 TCP, which is associated with SMB activity. Note that Zeek observed the services on this connection as gssapi,smb,dce_rpc,krb, which represents Generic Security Service Application Programming Interface, Server Message Block, Distributed Computing Environment Remote Procedure Call, and Kerberos.

The GSS-API reference likely relates to authentication, as noted in the Windows protocol guide for SMB versions 2 and 3. It does not produce any logs named gssapi. SMB is expected as we are looking for it in this case, and will create smb-named logs. DCE-RPC is a protocol associated with Windows networking and command execution between machines, and will likely create a dce_rpc.log entry. Kerberos is an authentication protocol that will likely create a kerberos.log entry.

notice.log

Let’s see what the notice.log has to say about this activity.

{
  "ts": 1507562478.117387,
  "note": "ATTACK::Discovery",
  "msg": "Detected activity from host 192.168.10.31, total attempts 5 within timeframe 5.0 mins",
  "actions": [
    "Notice::ACTION_LOG"
  ],
  "suppress_for": 3600
}
{
  "ts": 1507562478.124176,
  "note": "ATTACK::Discovery",
  "msg": "Detected activity from host 192.168.10.31, total attempts 10 within timeframe 5.0 mins",
  "actions": [
    "Notice::ACTION_LOG"
  ],
  "suppress_for": 3600
}
{
  "ts": 1507562478.138992,
  "note": "ATTACK::Discovery",
  "msg": "Detected activity from host 192.168.10.31, total attempts 15 within timeframe 5.0 mins",
  "actions": [
    "Notice::ACTION_LOG"
  ],
  "suppress_for": 3600
}

These three entries all indicate the same sort of activity: 192.168.10.31 is doing some sort of “discovery” action. We do not know the nature of the reconnaissance nor do we know the target. However, when combined with the conn.log we saw previously, we can assume that 192.168.10.10 is the target.

dce_rpc.log

The notice.log alerted us to suspicious or malicious activity from 192.168.10.31. Perhaps the dce_rpc.log can help us understand what is happening?

Let’s look at the first entry in dce_rpc.log.

{
  "ts": 1507562478.112879,
  "uid": "CzgIrZ31Lh5vCHioWi",
  "id.orig_h": "192.168.10.31",
  "id.orig_p": 49282,
  "id.resp_h": "192.168.10.10",
  "id.resp_p": 445,
  "rtt": 0.0003020763397216797,
  "named_pipe": "\\pipe\\lsass",
  "endpoint": "samr",
  "operation": "SamrConnect5"
}

This entry shows that 192.168.10.31 connected to 192.168.10.10 via a named pipe titled lsass. Microsoft’s documentation says “a pipe is a section of shared memory that processes use for communication. The process that creates a pipe is the pipe server. A process that connects to a pipe is a pipe client… Named pipes can be used to provide communication between processes on the same computer or between processes on different computers across a network.”

Ref: https://docs.microsoft.com/en-us/windows/win32/ipc/pipes

The lsass named pipe refers to the Local Security Authority Subsystem Service (LSASS). The endpoint, samr, refers to the Security Accounts Manager. Microsoft’s documentation says “the SamrConnect5 method obtains a handle to a server object.”

Ref: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/c842a897-0a42-4ca5-a607-2afd05271dae

Even if you do not fully understand all of these details (and who does!), it appears that 192.168.10.31 is trying to remotely access 192.168.10.10 in a way that requires security authentication on the client, via DCE-RPC over SMB.

All of the entries in the dce_rpc.log have the same source and destination addresses and ports, so we can summarize them by extracting only the relevant fields with jq.

If we look at every one of the 46 entries in the dce_rpc.log, we will see repeats of some commands. These do not add to our general understanding of what is happening. To show a reduced set of commands, I invoke jq and pipe the output through uniq, which collapses consecutive duplicate lines (a command that recurs later in the sequence still appears again):

$ jq -c '[."named_pipe", ."endpoint", ."operation"]' dce_rpc.log | uniq
["\\pipe\\lsass","samr","SamrConnect5"]
["\\pipe\\lsass","samr","SamrEnumerateDomainsInSamServer"]
["\\pipe\\lsass","samr","SamrLookupDomainInSamServer"]
["\\pipe\\lsass","samr","SamrOpenDomain"]
["\\pipe\\lsass","samr","SamrLookupNamesInDomain"]
["\\pipe\\lsass","samr","SamrOpenUser"]
["\\pipe\\lsass","samr","SamrQueryInformationUser"]
["\\pipe\\lsass","samr","SamrQuerySecurityObject"]
["\\pipe\\lsass","samr","SamrGetGroupsForUser"]
["\\pipe\\lsass","samr","SamrGetAliasMembership"]
["\\pipe\\lsass","samr","SamrCloseHandle"]
["\\pipe\\lsass","samr","SamrConnect5"]
["\\pipe\\lsass","samr","SamrEnumerateDomainsInSamServer"]
["\\pipe\\lsass","samr","SamrLookupDomainInSamServer"]
["\\pipe\\lsass","samr","SamrOpenDomain"]
["\\pipe\\lsass","samr","SamrQueryInformationDomain"]
["\\pipe\\lsass","samr","SamrCloseHandle"]
["\\pipe\\lsass","lsarpc","LsarOpenPolicy2"]
["\\pipe\\lsass","lsarpc","LsarQueryInformationPolicy"]
["\\pipe\\lsass","samr","SamrConnect5"]
["\\pipe\\lsass","samr","SamrOpenDomain"]
["\\pipe\\lsass","samr","SamrCloseHandle"]
["\\pipe\\lsass","lsarpc","LsarLookupNames3"]
["\\pipe\\lsass","samr","SamrGetAliasMembership"]
["\\pipe\\lsass","samr","SamrCloseHandle"]
["\\pipe\\lsass","lsarpc","LsarClose"]
["\\pipe\\lsass","samr","SamrConnect5"]
["\\pipe\\lsass","samr","SamrEnumerateDomainsInSamServer"]
["\\pipe\\lsass","samr","SamrLookupDomainInSamServer"]
["\\pipe\\lsass","samr","SamrOpenDomain"]
["\\pipe\\lsass","samr","SamrLookupNamesInDomain"]
["\\pipe\\lsass","samr","SamrOpenUser"]
["\\pipe\\lsass","samr","SamrGetGroupsForUser"]
["\\pipe\\lsass","samr","SamrLookupIdsInDomain"]
["\\pipe\\lsass","samr","SamrCloseHandle"]

The bolded entries indicate that 192.168.10.31 is performing some sort of user enumeration against 192.168.10.10. Again, we don’t necessarily know exactly what all of this means, but if there is no reason for 192.168.10.31 to be performing this action, then it’s worth investigating!
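The jq | uniq pipeline above only collapses adjacent repeats, and the notice.log entries earlier show BZAR counting “attempts” per host within a time window. The following added example (not code from the Zeek documentation, the Zeek project or BZAR) reads dce_rpc.log JSON lines, counts every distinct named pipe/endpoint/operation tuple, and emits notices in the shape of the ATTACK::Discovery messages when one host’s account-enumeration operations cross a threshold within a window. The operation set and the sample log lines (replaying the sequence shown, with made-up timestamps) are constructed for the example; the windowing is a simplified stand-in, not BZAR’s actual logic.

```python
import json
from collections import Counter, defaultdict, deque

# Added example, not from the Zeek documentation, the Zeek project or BZAR.
# SAMPLE_LOG is constructed from the first dce_rpc.log entry above, replaying
# the operation sequence shown by the jq pipeline with made-up timestamps.

# SAMR and LSARPC operations that enumerate accounts, groups and domains. This
# is an illustrative subset chosen for the example, not BZAR's signature list.
DISCOVERY_OPS = {
    ("samr", "SamrEnumerateDomainsInSamServer"),
    ("samr", "SamrLookupNamesInDomain"),
    ("samr", "SamrQueryInformationUser"),
    ("samr", "SamrGetGroupsForUser"),
    ("samr", "SamrGetAliasMembership"),
    ("samr", "SamrLookupIdsInDomain"),
    ("lsarpc", "LsarLookupNames3"),
    ("lsarpc", "LsarQueryInformationPolicy"),
}


def _entry(ts: float, operation: str, endpoint: str = "samr") -> str:
    """One JSON dce_rpc.log line in the shape Zeek writes (values from the page)."""
    return json.dumps({
        "ts": ts, "uid": "CzgIrZ31Lh5vCHioWi",
        "id.orig_h": "192.168.10.31", "id.orig_p": 49282,
        "id.resp_h": "192.168.10.10", "id.resp_p": 445,
        "named_pipe": "\\pipe\\lsass", "endpoint": endpoint, "operation": operation,
    })


_OPS = ["SamrConnect5", "SamrEnumerateDomainsInSamServer", "SamrLookupDomainInSamServer",
        "SamrOpenDomain", "SamrLookupNamesInDomain", "SamrOpenUser", "SamrQueryInformationUser",
        "SamrQuerySecurityObject", "SamrGetGroupsForUser", "SamrGetAliasMembership",
        "SamrCloseHandle", "SamrConnect5"]
SAMPLE_LOG = [_entry(1507562478.112879 + i * 0.0003, op) for i, op in enumerate(_OPS)]


def summarize(lines):
    """Count every distinct (named_pipe, endpoint, operation) tuple.

    `uniq` only collapses adjacent repeats, which is why SamrConnect5 shows up
    several times in the pipeline output above; a Counter gives one row per tuple."""
    counts = Counter()
    for line in lines:
        if line.strip():
            rec = json.loads(line)
            counts[(rec["named_pipe"], rec["endpoint"], rec["operation"])] += 1
    return counts


def discovery_notices(lines, threshold=5, window=300.0):
    """Emit a notice each time a source host's count of discovery operations
    within `window` seconds reaches a multiple of `threshold`.

    Mirrors the shape of the ATTACK::Discovery notices above ("total attempts
    5/10/15 within timeframe 5.0 mins"); simplified stand-in, not BZAR's logic."""
    recent = defaultdict(deque)   # orig_h -> timestamps of recent discovery ops
    notices = []
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        if (rec["endpoint"], rec["operation"]) not in DISCOVERY_OPS:
            continue
        seen = recent[rec["id.orig_h"]]
        seen.append(rec["ts"])
        while rec["ts"] - seen[0] > window:       # drop ops that fell out of the window
            seen.popleft()
        if len(seen) % threshold == 0:
            notices.append({
                "ts": rec["ts"], "note": "ATTACK::Discovery",
                "msg": f"Detected activity from host {rec['id.orig_h']}, "
                       f"total attempts {len(seen)} within timeframe {window / 60:.1f} mins",
            })
    return notices


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, key)
    print(discovery_notices(SAMPLE_LOG))
```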

kerberos.log and smb_mapping.log

Let’s see if the kerberos.log has anything new to add to our investigation.

{
  "ts": 1507562478.110863,
  "uid": "CzgIrZ31Lh5vCHioWi",
  "id.orig_h": "192.168.10.31",
  "id.orig_p": 49282,
  "id.resp_h": "192.168.10.10",
  "id.resp_p": 445
}

This entry repeats details we already found in the conn.log, but it confirms that Zeek identified Kerberos authentication in use.

The smb_mapping.log offers one entry as well:

{
  "ts": 1507562478.111677,
  "uid": "CzgIrZ31Lh5vCHioWi",
  "id.orig_h": "192.168.10.31",
  "id.orig_p": 49282,
  "id.resp_h": "192.168.10.10",
  "id.resp_p": 445,
  "path": "\\\\DC1.contoso.local\\IPC$",
  "share_type": "PIPE"
}

Here we see the first mention of the IPC$ share. As noted in Mr. Marx’s paper, Windows uses the IPC$ share as a means to enable remote procedure calls. We knew this was the case when we reviewed the dce_rpc.log. It’s possible that the DC1 in the path value for this log means that 192.168.10.10 is a domain controller. It’s likely that there is user reconnaissance occurring.

If we look at the explanation for this activity noted in Mr. Marx’s paper, he says that a simulated intruder on 192.168.10.31 executed the net user command against 192.168.10.10. The intruder took this action to enumerate the user list on the target.

In the next two cases we will see what it looks like when simulated intruders move files from one system to another.

Connecting to a SMB Share and Uploading a File

We continue our exploration of SMB logs by reviewing the first case discussed in Mr. Marx’s paper. The relevant packet capture file is titled 20171220_smb_mimikatz_copy.pcap. Mr. Marx’s discussion appears in the section “The Basics” in his paper.

If we process the packet capture with Zeek and BZAR, the following files appear:

  • conn.log

  • extract_files/

  • files.log

  • kerberos.log

  • notice.log

  • packet_filter.log

  • pe.log

  • smb_files.log

  • smb_mapping.log

Let’s look at the conn.log first to get a general overview of the traffic.

conn.log

The conn.log has two entries:

{
  "ts": 1507565438.203425,
  "uid": "CR7Vww4LuLkMzi4jMd",
  "id.orig_h": "192.168.10.31",
  "id.orig_p": 49238,
  "id.resp_h": "192.168.10.30",
  "id.resp_p": 445,
  "proto": "tcp",
  "service": "krb,smb,gssapi",
  "duration": 1.1398930549621582,
  "orig_bytes": 814051,
  "resp_bytes": 11657,
  "conn_state": "S1",
  "missed_bytes": 0,
  "history": "ShADda",
  "orig_pkts": 66,
  "orig_ip_bytes": 816703,
  "resp_pkts": 91,
  "resp_ip_bytes": 15309
}
{
  "ts": 1507565425.183882,
  "uid": "CyeWAg1QrRKQL0HHMi",
  "id.orig_h": "192.168.10.30",
  "id.orig_p": 138,
  "id.resp_h": "192.168.10.255",
  "id.resp_p": 138,
  "proto": "udp",
  "conn_state": "S0",
  "missed_bytes": 0,
  "history": "D",
  "orig_pkts": 1,
  "orig_ip_bytes": 207,
  "resp_pkts": 0,
  "resp_ip_bytes": 0
}

The first entry shows a connection initiated by 192.168.10.31 to 192.168.10.30.

The second entry is likely an SMB-related Windows broadcast, as seen by the destination IP address of 192.168.10.255. According to a Wireshark decode of that datagram, it’s a Windows Browser Protocol message, namely a “Become backup browser” command with the “browser to promote” being “VICTIM-PC”. “Browser” in this case does not refer to a Web browser; it’s about accessing resources on the local network.

Let’s next turn to the notice.log.

notice.log

I have selected examples of the two unique log types appearing in notice.log.

{
  "ts": 1507565439.130425,
  "uid": "CR7Vww4LuLkMzi4jMd",
  "id.orig_h": "192.168.10.31",
  "id.orig_p": 49238,
  "id.resp_h": "192.168.10.30",
  "id.resp_p": 445,
  "proto": "tcp",
  "note": "ATTACK::Lateral_Movement",
  "msg": "Detected SMB::FILE_WRITE to admin file share '\\\\admin-pc\\c$temp\\mimikatz.exe'",
  "sub": "T1021.002 Remote Services: SMB/Windows Admin Shares + T1570 Lateral Tool Transfer",
  "src": "192.168.10.31",
  "dst": "192.168.10.30",
  "p": 445,
  "actions": [
    "Notice::ACTION_LOG"
  ],
  "suppress_for": 3600
}

{
  "ts": 1507565439.343318,
  "uid": "CR7Vww4LuLkMzi4jMd",
  "id.orig_h": "192.168.10.31",
  "id.orig_p": 49238,
  "id.resp_h": "192.168.10.30",
  "id.resp_p": 445,
  "fuid": "FwVZpk12AKBjE11UNg",
  "file_mime_type": "application/x-dosexec",
  "file_desc": "temp",
  "proto": "tcp",
  "note": "ATTACK::Lateral_Movement_Extracted_File",
  "msg": "Saved a copy of the file written to SMB admin file share",
  "sub": "CR7Vww4LuLkMzi4jMd_FwVZpk12AKBjE11UNg__admin-pc_c$temp_mimikatz.exe",
  "src": "192.168.10.31",
  "dst": "192.168.10.30",
  "p": 445,
  "actions": [
    "Notice::ACTION_LOG"
  ],
  "suppress_for": 3600
}

My processing of the packet capture produced 13 of the first entry and 1 of the second entry.

These two entries in the notice.log tell us a lot, but also provide material for additional investigation.

First, the note, msg, and sub entries of each log provide useful information.

Both notes relate to “lateral movement.” If a new analyst is not familiar with that term, the sub field in the first log entry provides a reference to “T1570 Lateral Tool Transfer.” T1570 refers to the MITRE ATT&CK technique number 1570, which is described here:

https://attack.mitre.org/techniques/T1570/

The ATT&CK Web site explains Lateral Tool Transfer thus:

“Adversaries may transfer tools or other files between systems in a compromised environment. Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Adversaries may copy files laterally between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over SMB to connected network shares or with authenticated connections with SMB/Windows Admin Shares or Remote Desktop Protocol. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.” (emphasis added)

With this understanding, the msg from the first log makes more sense:

Detected SMB::FILE_WRITE to admin file share '\\\\admin-pc\\c$temp\\mimikatz.exe'

Zeek is trying to tell us that the BZAR script detected a transfer of a file called mimikatz.exe.

The details from the second log tell us what actions Zeek took when it noticed this activity:

"msg": "Saved a copy of the file written to SMB admin file share",
"sub": "CR7Vww4LuLkMzi4jMd_FwVZpk12AKBjE11UNg__admin-pc_c$temp_mimikatz.exe",

This means we should be able to look in a directory associated with our run of Zeek to find an extracted copy of this file.

Finally, as with many Zeek logs, we have an id (in this case, CR7Vww4LuLkMzi4jMd), and IP addresses which we can use to pivot through other Zeek data. Note the src and dst entries in both logs indicate that 192.168.10.31 copied a file to 192.168.10.30.

extract_files/, files.log, pe.log, and VirusTotal

Next, let’s look for the extracted file. We can use the Linux file command to get some details:

$ file extract_files/CR7Vww4LuLkMzi4jMd_FwVZpk12AKBjE11UNg__admin-pc_c\$temp_mimikatz.exe
extract_files/CR7Vww4LuLkMzi4jMd_FwVZpk12AKBjE11UNg__admin-pc_c$temp_mimikatz.exe: PE32+ executable (console) x86-64, for MS Windows

As we learned in the files.log documentation, we can look in that data for similar information on extracted files:

{
  "ts": 1507565439.130425,
  "fuid": "FwVZpk12AKBjE11UNg",
  "tx_hosts": [
    "192.168.10.31"
  ],
  "rx_hosts": [
    "192.168.10.30"
  ],
  "conn_uids": [
    "CR7Vww4LuLkMzi4jMd"
  ],
  "source": "SMB",
  "depth": 0,
  "analyzers": [
    "SHA1",
    "SHA256",
    "PE",
    "MD5",
    "EXTRACT"
  ],
  "mime_type": "application/x-dosexec",
  "filename": "temp\\mimikatz.exe",
  "duration": 0.0034439563751220703,
  "is_orig": true,
  "seen_bytes": 804352,
  "missing_bytes": 0,
  "overflow_bytes": 0,
  "timedout": true,
  "md5": "2c527d980eb30daa789492283f9bf69e",
  "sha1": "d007f64dae6bc5fdfe4ff30fe7be9b7d62238012",
  "sha256": "fb55414848281f804858ce188c3dc659d129e283bd62d58d34f6e6f568feab37",
  "extracted": "CR7Vww4LuLkMzi4jMd_FwVZpk12AKBjE11UNg__admin-pc_c$temp_mimikatz.exe",
  "extracted_cutoff": false
}

Here I highlighted the MIME type, showing a Windows executable, as well as the filename, which includes a directory.

Let’s take a quick look at the pe.log entry:

{
  "ts": 1507565439.130425,
  "id": "FwVZpk12AKBjE11UNg",
  "machine": "AMD64",
  "compile_ts": 1502638084,
  "os": "Windows XP x64 or Server 2003",
  "subsystem": "WINDOWS_CUI",
  "is_exe": true,
  "is_64bit": true,
  "uses_aslr": true,
  "uses_dep": true,
  "uses_code_integrity": false,
  "uses_seh": true,
  "has_import_table": true,
  "has_export_table": false,
  "has_cert_table": false,
  "has_debug_data": false,
  "section_names": [
    ".text",
    ".rdata",
    ".data",
    ".pdata",
    ".rsrc",
    ".reloc"
  ]
}

There’s some interesting information in this log, like the compile time. We can convert it to a human readable form using the Linux date command.

$ date -d @1502638084
Sun Aug 13 15:28:04 UTC 2017

Finally, we can use the md5 from the files.log entry to query VirusTotal, as we also did previously:

$ vt file "2c527d980eb30daa789492283f9bf69e"
- _id: "fb55414848281f804858ce188c3dc659d129e283bd62d58d34f6e6f568feab37"
  _type: "file"
  authentihash: "02c86c9977c85a08f18ac1dae02f1cdda569eaba51ec6d17aed6f4ebc2adaf21"
  creation_date: 1502638084  # 2017-08-13 15:28:04 +0000 UTC
  crowdsourced_yara_results:
  - description: "mimikatz"
    rule_name: "mimikatz"
    ruleset_id: "00043243d1"
    ruleset_name: "gen_mimikatz"
    source: "https://github.com/Neo23x0/signature-base"
  - description: "Detects Mimikatz strings"
    rule_name: "Mimikatz_Strings"
    ruleset_id: "00043243d1"
    ruleset_name: "gen_mimikatz"
    source: "https://github.com/Neo23x0/signature-base"
  - description: "Detects Mimikatz SkeletonKey in Memory"
    rule_name: "HKTL_Mimikatz_SkeletonKey_in_memory_Aug20_1"
    ruleset_id: "00043243d1"
    ruleset_name: "gen_mimikatz"
    source: "https://github.com/Neo23x0/signature-base"
  - description: "Detects Powerkatz - a Mimikatz version prepared to run in memory via Powershell (overlap with other Mimikatz versions is possible)"
    rule_name: "Powerkatz_DLL_Generic"
    ruleset_id: "000d2a7a67"
    ruleset_name: "gen_powerkatz"
    source: "https://github.com/Neo23x0/signature-base"
  - description: "Detects Mimikatz by using some special strings"
    rule_name: "Mimikatz_Gen_Strings"
    ruleset_id: "000be577b3"
    ruleset_name: "thor-hacktools"
    source: "https://github.com/Neo23x0/signature-base"
  first_submission_date: 1502652611  # 2017-08-13 19:30:11 +0000 UTC
  last_analysis_date: 1602435563  # 2020-10-11 16:59:23 +0000 UTC

I reproduced the first set of results generated by VirusTotal’s crowdsourced_yara_results to show that this is indeed a copy of Mimikatz, the ubiquitous credential-dumping tool used for lateral movement in Windows environments.

kerberos.log, smb_mapping.log, and smb_files.log

We have learned that 192.168.10.31 copied mimikatz.exe to 192.168.10.30. This is probably the most important aspect of the activity, and it is based on BZAR’s interpretation of the SMB logs. Let’s take a quick look at those logs to see if we can glean anything more from them.

The kerberos.log has a single short entry:

{
  "ts": 1507565438.204785,
  "uid": "CR7Vww4LuLkMzi4jMd",
  "id.orig_h": "192.168.10.31",
  "id.orig_p": 49238,
  "id.resp_h": "192.168.10.30",
  "id.resp_p": 445
}

This indicates that Kerberos, an authentication measure used by Windows, had a role in this connection.

The smb_mapping.log also has a single short entry:

{
  "ts": 1507565438.205583,
  "uid": "CR7Vww4LuLkMzi4jMd",
  "id.orig_h": "192.168.10.31",
  "id.orig_p": 49238,
  "id.resp_h": "192.168.10.30",
  "id.resp_p": 445,
  "path": "\\\\admin-pc\\c$",
  "share_type": "DISK"
}

We see evidence of connecting to the administrative file share on 192.168.10.30.

The smb_files.log has many entries. The first looks like this:

{
  "ts": 1507565438.205868,
  "uid": "CR7Vww4LuLkMzi4jMd",
  "id.orig_h": "192.168.10.31",
  "id.orig_p": 49238,
  "id.resp_h": "192.168.10.30",
  "id.resp_p": 445,
  "action": "SMB::FILE_OPEN",
  "path": "\\\\admin-pc\\c$",
  "name": "<share_root>",
  "size": 4096,
  "times.modified": 1507316839.5820882,
  "times.accessed": 1507316839.5820882,
  "times.created": 1247539136.5268176,
  "times.changed": 1507316839.5820882
}

All of the entries have the same uid, id.orig_h, id.orig_p, id.resp_h, and id.resp_p. The size and times entries aren’t especially interesting here.

I include the specific jq syntax in case you’ve forgotten how to tell jq what fields you want to see:

$ jq -c '[."action", ."path", ."name"]' smb_files.log
["SMB::FILE_OPEN","\\\\admin-pc\\c$","<share_root>"]
["SMB::FILE_OPEN","\\\\admin-pc\\c$","temp"]
["SMB::FILE_OPEN","\\\\admin-pc\\c$","temp"]
["SMB::FILE_OPEN","\\\\admin-pc\\c$","temp\\mimikatz.exe"]
["SMB::FILE_WRITE","\\\\admin-pc\\c$","temp\\mimikatz.exe"]
["SMB::FILE_WRITE","\\\\admin-pc\\c$","temp\\mimikatz.exe"]
["SMB::FILE_OPEN","\\\\admin-pc\\c$","temp\\mimikatz.exe"]
["SMB::FILE_OPEN","\\\\admin-pc\\c$","temp"]
["SMB::FILE_OPEN","\\\\admin-pc\\c$","temp\\mimikatz.exe"]

These results do not tell us anything we did not know from the entries the BZAR script made in the notice.log. However, I include them here to help show how BZAR decided to write in the notice.log that it detected lateral movement via the copy of the file mimikatz.exe from 192.168.10.31 to 192.168.10.30.

Connecting to a SMB Share and Downloading a File

We continue our exploration of SMB logs by reviewing the second case discussed in Nate Marx’s paper. The relevant packet capture file is titled 20171220_smb_mimikatz_copy_to_host.pcap. Mr. Marx’s discussion appears at the end of the section titled “The Basics” in his paper.

If we process the packet capture with Zeek and BZAR, the following files appear:

  • conn.log

  • files.log

  • kerberos.log

  • packet_filter.log

  • pe.log

  • smb_files.log

  • smb_mapping.log

Note that this time we do not have an extract_files/ directory nor a notice.log!

We’ll start with the conn.log as we did with the previous case.

conn.log

The conn.log for this case has only one entry:

{
  "ts": 1512585460.295445,
  "uid": "C4j5Ds3VyExc2ZAOh9",
  "id.orig_h": "192.168.10.31",
  "id.orig_p": 1112,
  "id.resp_h": "192.168.10.30",
  "id.resp_p": 445,
  "proto": "tcp",
  "service": "krb,gssapi,smb",
  "duration": 13.435487985610962,
  "orig_bytes": 5762,
  "resp_bytes": 812728,
  "conn_state": "S1",
  "missed_bytes": 0,
  "history": "ShADda",
  "orig_pkts": 74,
  "orig_ip_bytes": 8734,
  "resp_pkts": 575,
  "resp_ip_bytes": 835740
}

We see the same pattern: 192.168.10.31 initiated a connection to 192.168.10.30, to port 445 TCP. In the previous case and the current case, 192.168.10.31 connected to a Windows share on 192.168.10.30. What happened next was different.

In the first case, 192.168.10.31 uploaded a file to 192.168.10.30.

In the second case, 192.168.10.31 downloaded a file from 192.168.10.30.

Now let’s look at the files.log and pe.log, as we do not have a notice.log to check.

files.log and pe.log

We see one entry in files.log:

{
  "ts": 1512585460.300969,
  "fuid": "FNMweB3f2OvTZ4UZLe",
  "tx_hosts": [
    "192.168.10.30"
  ],
  "rx_hosts": [
    "192.168.10.31"
  ],
  "conn_uids": [
    "C4j5Ds3VyExc2ZAOh9"
  ],
  "source": "SMB",
  "depth": 0,
  "analyzers": [
    "PE"
  ],
  "mime_type": "application/x-dosexec",
  "filename": "temp\\mimikatz.exe",
  "duration": 0.010069131851196289,
  "is_orig": false,
  "seen_bytes": 804352,
  "total_bytes": 804352,
  "missing_bytes": 0,
  "overflow_bytes": 0,
  "timedout": false
}

This files.log entry is similar to that seen in the previous case, except the tx_hosts and rx_hosts values are reversed. This log indicates that 192.168.10.30 sent a file titled mimikatz.exe to 192.168.10.31, or, said differently, 192.168.10.31 downloaded a file from 192.168.10.30.

With either language, the file started at 192.168.10.30 (the tx_hosts) and ended up on 192.168.10.31 (the rx_hosts).

This is the reverse of the previous case.

Here is the pe.log:

{
  "ts": 1512585460.300969,
  "id": "FNMweB3f2OvTZ4UZLe",
  "machine": "AMD64",
  "compile_ts": 1502638084,
  "os": "Windows XP x64 or Server 2003",
  "subsystem": "WINDOWS_CUI",
  "is_exe": true,
  "is_64bit": true,
  "uses_aslr": true,
  "uses_dep": true,
  "uses_code_integrity": false,
  "uses_seh": true,
  "has_import_table": true,
  "has_export_table": false,
  "has_cert_table": false,
  "has_debug_data": false,
  "section_names": [
    ".text",
    ".rdata",
    ".data",
    ".pdata",
    ".rsrc",
    ".reloc"
  ]
}

This output is the same as the previous case, including the compile time. There is a different id field because this file was transferred in a different connection.

kerberos.log, smb_mapping.log, and smb_files.log

Let’s see what the other relevant files say.

The kerberos.log has one entry:

{
  "ts": 1512585460.296744,
  "uid": "C4j5Ds3VyExc2ZAOh9",
  "id.orig_h": "192.168.10.31",
  "id.orig_p": 1112,
  "id.resp_h": "192.168.10.30",
  "id.resp_p": 445
}

This is very similar to the previous kerberos.log entry, because the direction of the connection and the authentication are the same.

The smb_mapping.log has one entry:

{
  "ts": 1512585460.297722,
  "uid": "C4j5Ds3VyExc2ZAOh9",
  "id.orig_h": "192.168.10.31",
  "id.orig_p": 1112,
  "id.resp_h": "192.168.10.30",
  "id.resp_p": 445,
  "path": "\\\\admin-pc\\c$",
  "share_type": "DISK"
}

This is also very similar to the previous smb_mapping.log entry, because the direction of the connection and the share access are the same.

The smb_files.log only has two entries:

{
  "ts": 1512585460.298136,
  "uid": "C4j5Ds3VyExc2ZAOh9",
  "id.orig_h": "192.168.10.31",
  "id.orig_p": 1112,
  "id.resp_h": "192.168.10.30",
  "id.resp_p": 445,
  "action": "SMB::FILE_OPEN",
  "path": "\\\\admin-pc\\c$",
  "name": "temp\\mimikatz.exe",
  "size": 804352,
  "times.modified": 1512171135.77705,
  "times.accessed": 1512585399.9219997,
  "times.created": 1512585399.9219997,
  "times.changed": 1512585399.9376247
}
{
  "ts": 1512585460.299373,
  "uid": "C4j5Ds3VyExc2ZAOh9",
  "id.orig_h": "192.168.10.31",
  "id.orig_p": 1112,
  "id.resp_h": "192.168.10.30",
  "id.resp_p": 445,
  "action": "SMB::FILE_OPEN",
  "path": "\\\\admin-pc\\c$",
  "name": "temp",
  "size": 0,
  "times.modified": 1512585399.9219997,
  "times.accessed": 1512585399.9219997,
  "times.created": 1512585360.2032497,
  "times.changed": 1512585399.9219997
}

These entries are similar to those from the previous case, at least as far as the id.orig_h and id.resp_h IP addresses and the id.resp_p port values.

Summarizing these two entries, as we did for the previous case, yields these values:

$ jq -c '[."action", ."path", ."name"]' smb_files.log
["SMB::FILE_OPEN","\\\\admin-pc\\c$","temp\\mimikatz.exe"]
["SMB::FILE_OPEN","\\\\admin-pc\\c$","temp"]

Looking at these logs, I would not as an analyst be able to tell exactly what is happening here, other than to say it looks like mimikatz.exe is being transferred. Only the files.log entry makes it possible to see the direction of the transfer:

The file started at 192.168.10.30 (the tx_hosts) and ended up on 192.168.10.31 (the rx_hosts).
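As an added example that is not code from the Zeek project or from this tutorial, the following Python correlates smb_files.log with files.log for the two cases above: it reproduces the condition behind BZAR’s admin-share FILE_WRITE notice and uses tx_hosts, rx_hosts, and is_orig to recover the direction of each transfer, which is what separates the upload case from this download case. The admin-share test (share name ending in $, with IPC$ excluded) is my own approximation rather than BZAR’s pattern, and the log lines are constructed abridgements of the entries shown above.

```python
import json

# Constructed sample lines, condensed from the smb_files.log and files.log entries
# shown above for the upload case (uid CR7Vww4LuLkMzi4jMd) and the download case
# (uid C4j5Ds3VyExc2ZAOh9). Raw strings keep the JSON backslash escapes intact.
SMB_FILES_LOG = r"""
{"ts": 1507565438.205868, "uid": "CR7Vww4LuLkMzi4jMd", "id.orig_h": "192.168.10.31", "id.resp_h": "192.168.10.30", "action": "SMB::FILE_OPEN", "path": "\\\\admin-pc\\c$", "name": "<share_root>"}
{"ts": 1507565439.130425, "uid": "CR7Vww4LuLkMzi4jMd", "id.orig_h": "192.168.10.31", "id.resp_h": "192.168.10.30", "action": "SMB::FILE_WRITE", "path": "\\\\admin-pc\\c$", "name": "temp\\mimikatz.exe"}
{"ts": 1512585460.298136, "uid": "C4j5Ds3VyExc2ZAOh9", "id.orig_h": "192.168.10.31", "id.resp_h": "192.168.10.30", "action": "SMB::FILE_OPEN", "path": "\\\\admin-pc\\c$", "name": "temp\\mimikatz.exe"}
{"ts": 1512585460.299373, "uid": "C4j5Ds3VyExc2ZAOh9", "id.orig_h": "192.168.10.31", "id.resp_h": "192.168.10.30", "action": "SMB::FILE_OPEN", "path": "\\\\admin-pc\\c$", "name": "temp"}
"""

FILES_LOG = r"""
{"ts": 1507565439.130425, "fuid": "FwVZpk12AKBjE11UNg", "tx_hosts": ["192.168.10.31"], "rx_hosts": ["192.168.10.30"], "conn_uids": ["CR7Vww4LuLkMzi4jMd"], "source": "SMB", "mime_type": "application/x-dosexec", "filename": "temp\\mimikatz.exe", "is_orig": true, "seen_bytes": 804352}
{"ts": 1512585460.300969, "fuid": "FNMweB3f2OvTZ4UZLe", "tx_hosts": ["192.168.10.30"], "rx_hosts": ["192.168.10.31"], "conn_uids": ["C4j5Ds3VyExc2ZAOh9"], "source": "SMB", "mime_type": "application/x-dosexec", "filename": "temp\\mimikatz.exe", "is_orig": false, "seen_bytes": 804352}
"""


def parse_log(text):
    """Parse Zeek JSON log output (one JSON object per line)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def share_name(path):
    r"""Return the share component of an SMB path, e.g. '\\admin-pc\c$' -> 'c$'."""
    return path.rstrip("\\").rsplit("\\", 1)[-1]


def is_admin_disk_share(path):
    """Assumption, not BZAR's own pattern: a share whose name ends in '$' is an
    administrative share, except IPC$, which is the RPC pipe share rather than a
    disk share (compare the smb_mapping.log share_type field)."""
    name = share_name(path).upper()
    return name.endswith("$") and name != "IPC$"


def admin_share_writes(smb_files):
    """Entries matching the condition behind BZAR's
    'Detected SMB::FILE_WRITE to admin file share' notice."""
    return [e for e in smb_files
            if e["action"] == "SMB::FILE_WRITE" and is_admin_disk_share(e["path"])]


def transfer_direction(files_entry):
    """Describe a files.log entry from the connection originator's point of view:
    is_orig says whether the originator sent (upload) or received (download)."""
    return {
        "fuid": files_entry["fuid"],
        "filename": files_entry["filename"],
        "from": files_entry["tx_hosts"][0],
        "to": files_entry["rx_hosts"][0],
        "direction": "upload" if files_entry["is_orig"] else "download",
    }


def summarize_transfers(smb_files_text, files_text):
    """Join files.log transfers with smb_files.log writes by connection uid and
    file name, so each transfer carries its direction and whether BZAR would
    have reported it as a write to an admin share."""
    smb_files = parse_log(smb_files_text)
    files = parse_log(files_text)
    written = {(e["uid"], e["name"]) for e in admin_share_writes(smb_files)}
    results = []
    for f in files:
        uid = f["conn_uids"][0]
        summary = transfer_direction(f)
        summary["uid"] = uid
        summary["admin_share_write"] = (uid, f["filename"]) in written
        results.append(summary)
    return results


if __name__ == "__main__":
    for t in summarize_transfers(SMB_FILES_LOG, FILES_LOG):
        print(f"{t['uid']}: {t['filename']} {t['direction']} "
              f"{t['from']} -> {t['to']}, admin-share write: {t['admin_share_write']}")
```

Run against real logs by replacing the two sample strings with the contents of smb_files.log and files.log written in JSON format; the download case yields a transfer with no admin-share write, which is exactly why it produced no notice.log.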

In the next section we will look at how someone might execute a file once it is present on a target.

Scheduling Mimikatz via the At Service

The following analysis is based on the 20171220_smb_at_schedule.pcap and appears near the end of the RPC section of Mr. Marx’s paper.

After processing the packet capture with Zeek and BZAR, we have the following logs:

  • conn.log

  • files.log

  • packet_filter.log

  • smb_files.log

This is a short set of logs to analyze. We will start with the conn.log.

conn.log

Looking at the conn.log, we see one entry:

{
  "ts": 1508525002.992213,
  "uid": "Cirxt14nybZjVhpOAk",
  "id.orig_h": "192.168.10.31",
  "id.orig_p": 49266,
  "id.resp_h": "192.168.10.30",
  "id.resp_p": 445,
  "proto": "tcp",
  "service": "dce_rpc,smb",
  "duration": 12.397327899932861,
  "orig_bytes": 1155,
  "resp_bytes": 1037,
  "conn_state": "OTH",
  "missed_bytes": 0,
  "history": "DdAR",
  "orig_pkts": 11,
  "orig_ip_bytes": 1595,
  "resp_pkts": 9,
  "resp_ip_bytes": 1397
}

We see 192.168.10.31 initiated a connection to 192.168.10.30, port 445 TCP. Zeek recognized this as DCE RPC and SMB traffic. Note that for some reason Zeek did not create a dce_rpc.log for this activity.

smb_files.log

The smb_files.log holds the next clue to this activity. It contains three entries:

{
  "ts": 1508525002.992213,
  "uid": "Cirxt14nybZjVhpOAk",
  "id.orig_h": "192.168.10.31",
  "id.orig_p": 49266,
  "id.resp_h": "192.168.10.30",
  "id.resp_p": 445,
  "action": "SMB::FILE_OPEN",
  "name": "atsvc",
  "size": 0
}
{
  "ts": 1508525002.992213,
  "uid": "Cirxt14nybZjVhpOAk",
  "id.orig_h": "192.168.10.31",
  "id.orig_p": 49266,
  "id.resp_h": "192.168.10.30",
  "id.resp_p": 445,
  "action": "SMB::FILE_WRITE",
  "name": "atsvc",
  "size": 0,
  "data_offset_req": 0,
  "data_len_req": 160
}
{
  "ts": 1508525002.992213,
  "uid": "Cirxt14nybZjVhpOAk",
  "id.orig_h": "192.168.10.31",
  "id.orig_p": 49266,
  "id.resp_h": "192.168.10.30",
  "id.resp_p": 445,
  "fuid": "Fw42Pp34N0CC79C5Ua",
  "action": "SMB::FILE_WRITE",
  "name": "atsvc",
  "size": 0,
  "data_offset_req": 0,
  "data_len_req": 160
}

We see SMB FILE_OPEN and FILE_WRITE messages to the atsvc. This indicates that 192.168.10.31 is accessing the Windows At service, used for scheduling processes on Windows. Note that Windows and hence Zeek treats the At service as a “file,” even though it is a service offered by Windows.

files.log

An odd result of Windows providing the At service as a “file” is that Zeek creates a files.log entry for it. Here is that entry:

{
  "ts": 1508525002.992817,
  "fuid": "Fw42Pp34N0CC79C5Ua",
  "tx_hosts": [
    "192.168.10.31"
  ],
  "rx_hosts": [
    "192.168.10.30"
  ],
  "conn_uids": [
    "Cirxt14nybZjVhpOAk"
  ],
  "source": "SMB",
  "depth": 0,
  "analyzers": [],
  "filename": "atsvc",
  "duration": 0.00038909912109375,
  "is_orig": true,
  "seen_bytes": 160,
  "missing_bytes": 0,
  "overflow_bytes": 0,
  "timedout": false
}

This file does not tell us anything we did not already know. Zeek did not extract a file either, because the “file” in this instance is an abstraction used to represent the At service on the Windows target.

Reviewing the Packet Capture with tshark

If administrators are authorized to use the At service to schedule jobs, from the indicated source to the indicated destination, then it may not be possible for a security analyst to identify this as malicious activity. We might be able to learn a bit more about the activity by looking at the packet capture directly.

To create the following output, I told tshark to only display the source IP address, the protocol, and the information field for each frame. I also specified that it look at SMB version 2 traffic.

$ tshark -r 20171220_smb_at_schedule.pcap -T fields -e _ws.col.No. -e _ws.col.Source -e _ws.col.Protocol -e _ws.col.Info -Y smb2
1       192.168.10.31   SMB2    Create Request File: atsvc
2       192.168.10.30   SMB2    Create Response File: atsvc
3       192.168.10.31   SMB2    GetInfo Request FILE_INFO/SMB2_FILE_STANDARD_INFO File: atsvc
4       192.168.10.30   SMB2    GetInfo Response
5       192.168.10.31   DCERPC  Bind: call_id: 2, Fragment: Single, 3 context items: ATSVC V1.0 (32bit NDR), ATSVC V1.0 (64bit NDR), ATSVC V1.0 (6cb71c2c-9812-4540-0300-000000000000)
6       192.168.10.30   SMB2    Write Response
7       192.168.10.31   SMB2    Read Request Len:1024 Off:0 File: atsvc
8       192.168.10.30   DCERPC  Bind_ack: call_id: 2, Fragment: Single, max_xmit: 4280 max_recv: 4280, 3 results: Provider rejection, Acceptance, Negotiate ACK
9       192.168.10.31   ATSVC   JobAdd request
10      192.168.10.30   SMB2    Ioctl Response, Error: STATUS_PENDING
11      192.168.10.30   ATSVC   JobAdd response
13      192.168.10.31   SMB2    Close Request File: atsvc
14      192.168.10.30   SMB2    Close Response
16      192.168.10.31   SMB2    Tree Disconnect Request
17      192.168.10.30   SMB2    Tree Disconnect Response
18      192.168.10.31   SMB2    Session Logoff Request
19      192.168.10.30   SMB2    Session Logoff Response

Right away in frame 1 we see the request to create a “file” for the atsvc.

Frame 9 might have the details of the Atsvc request. We can look at the details using tshark. The -O (capital letter O) option specifies which layer of the decode we want to see.

$ tshark -r 20171220_smb_at_schedule.pcap -V -Y frame.number==9 -O atsvc
Frame 9: 338 bytes on wire (2704 bits), 338 bytes captured (2704 bits)
Ethernet II, Src: 08:00:27:7f:b5:8b, Dst: 08:00:27:a1:27:e8
Internet Protocol Version 4, Src: 192.168.10.31, Dst: 192.168.10.30
Transmission Control Protocol, Src Port: 49266, Dst Port: 445, Seq: 636, Ack: 541, Len: 284
NetBIOS Session Service
SMB2 (Server Message Block Protocol version 2)
Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Request, Fragment: Single, FragLen: 160, Call: 2, Ctx: 1
Microsoft AT-Scheduler Service, JobAdd
    Operation: JobAdd (0)
    Pointer to Servername (uint16): \\admin-pc
        Referent ID: 0x0000000000020000
        Max Count: 11
        Offset: 0
        Actual Count: 11
        Server: \\admin-pc
    Pointer to Job Info (atsvc_JobInfo)
        JobInfo
            Job Time: 47100000
            Days Of Month: 0x00000000: (No values set)
                .... .... .... .... .... .... .... ...0 = First: First is NOT SET
                .... .... .... .... .... .... .... ..0. = Second: Second is NOT SET
                .... .... .... .... .... .... .... .0.. = Third: Third is NOT SET
                .... .... .... .... .... .... .... 0... = Fourth: Fourth is NOT SET
                .... .... .... .... .... .... ...0 .... = Fifth: Fifth is NOT SET
                .... .... .... .... .... .... ..0. .... = Sixth: Sixth is NOT SET
                .... .... .... .... .... .... .0.. .... = Seventh: Seventh is NOT SET
                .... .... .... .... .... .... 0... .... = Eight: Eight is NOT SET
                .... .... .... .... .... ...0 .... .... = Ninth: Ninth is NOT SET
                .... .... .... .... .... ..0. .... .... = Tenth: Tenth is NOT SET
                .... .... .... .... .... .0.. .... .... = Eleventh: Eleventh is NOT SET
                .... .... .... .... .... 0... .... .... = Twelfth: Twelfth is NOT SET
                .... .... .... .... ...0 .... .... .... = Thitteenth: Thitteenth is NOT SET
                .... .... .... .... ..0. .... .... .... = Fourteenth: Fourteenth is NOT SET
                .... .... .... .... .0.. .... .... .... = Fifteenth: Fifteenth is NOT SET
                .... .... .... .... 0... .... .... .... = Sixteenth: Sixteenth is NOT SET
                .... .... .... ...0 .... .... .... .... = Seventeenth: Seventeenth is NOT SET
                .... .... .... ..0. .... .... .... .... = Eighteenth: Eighteenth is NOT SET
                .... .... .... .0.. .... .... .... .... = Ninteenth: Ninteenth is NOT SET
                .... .... .... 0... .... .... .... .... = Twentyth: Twentyth is NOT SET
                .... .... ...0 .... .... .... .... .... = Twentyfirst: Twentyfirst is NOT SET
                .... .... ..0. .... .... .... .... .... = Twentysecond: Twentysecond is NOT SET
                .... .... .0.. .... .... .... .... .... = Twentythird: Twentythird is NOT SET
                .... .... 0... .... .... .... .... .... = Twentyfourth: Twentyfourth is NOT SET
                .... ...0 .... .... .... .... .... .... = Twentyfifth: Twentyfifth is NOT SET
                .... ..0. .... .... .... .... .... .... = Twentysixth: Twentysixth is NOT SET
                .... .0.. .... .... .... .... .... .... = Twentyseventh: Twentyseventh is NOT SET
                .... 0... .... .... .... .... .... .... = Twentyeighth: Twentyeighth is NOT SET
                ...0 .... .... .... .... .... .... .... = Twentyninth: Twentyninth is NOT SET
                ..0. .... .... .... .... .... .... .... = Thirtieth: Thirtieth is NOT SET
                .0.. .... .... .... .... .... .... .... = Thirtyfirst: Thirtyfirst is NOT SET
            Days Of Week: 0x00: (No values set)
                .... ...0 = DAYSOFWEEK MONDAY: DAYSOFWEEK_MONDAY is NOT SET
                .... ..0. = DAYSOFWEEK TUESDAY: DAYSOFWEEK_TUESDAY is NOT SET
                .... .0.. = DAYSOFWEEK WEDNESDAY: DAYSOFWEEK_WEDNESDAY is NOT SET
                .... 0... = DAYSOFWEEK THURSDAY: DAYSOFWEEK_THURSDAY is NOT SET
                ...0 .... = DAYSOFWEEK FRIDAY: DAYSOFWEEK_FRIDAY is NOT SET
                ..0. .... = DAYSOFWEEK SATURDAY: DAYSOFWEEK_SATURDAY is NOT SET
                .0.. .... = DAYSOFWEEK SUNDAY: DAYSOFWEEK_SUNDAY is NOT SET
            Flags: 0x00: (No values set)
                .... ...0 = JOB RUN PERIODICALLY: JOB_RUN_PERIODICALLY is NOT SET
                .... ..0. = JOB EXEC ERROR: JOB_EXEC_ERROR is NOT SET
                .... .0.. = JOB RUNS TODAY: JOB_RUNS_TODAY is NOT SET
                .... 0... = JOB ADD CURRENT DATE: JOB_ADD_CURRENT_DATE is NOT SET
                ...0 .... = JOB NONINTERACTIVE: JOB_NONINTERACTIVE is NOT SET
            Pointer to Command (uint16): c:\mimikatz.exe
                Referent ID: 0x0000000000020000
                Max Count: 16
                Offset: 0
                Actual Count: 16
                Command: c:\mimikatz.exe

Once we get past the spelling errors in the “Days of Month” section, we see in the “Pointer to Command” section a reference to c:\mimikatz.exe. This detail was not available in the Zeek logs, but this additional information helps us recognize this activity as being likely malicious.

We can look to see if the command succeeded by reviewing the details of frame 11.

$ tshark -r 20171220_smb_at_schedule.pcap -V -Y frame.number==11 -O atsvc
Frame 11: 202 bytes on wire (1616 bits), 202 bytes captured (1616 bits)
Ethernet II, Src: 08:00:27:a1:27:e8, Dst: 08:00:27:7f:b5:8b
Internet Protocol Version 4, Src: 192.168.10.30, Dst: 192.168.10.31
Transmission Control Protocol, Src Port: 445, Dst Port: 49266, Seq: 618, Ack: 920, Len: 148
NetBIOS Session Service
SMB2 (Server Message Block Protocol version 2)
Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Response, Fragment: Single, FragLen: 32, Call: 2, Ctx: 1, [Req: #9]
Microsoft AT-Scheduler Service, JobAdd
    Operation: JobAdd (0)
    [Request in frame: 9]
    Pointer to Job Id (uint32)
        Job Id: 2
    NT Error: STATUS_SUCCESS (0x00000000)

The NT Error message shows STATUS_SUCCESS, which indicates that the job was scheduled via the At service.

In the next section we will introduce another capability associated with Windows lateral movement.

Using PsExec to Retrieve a File from a Target

Microsoft describes PsExec in the following terms:

“PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. PsExec’s most powerful uses include launching interactive command-prompts on remote systems and remote-enabling tools like IpConfig that otherwise do not have the ability to show information about remote systems.”

Ref: https://docs.microsoft.com/en-us/sysinternals/downloads/psexec

Intruders are fond of PsExec for the very capabilities that Microsoft describes.

The following analysis is based on the 20171220_smb_psexec_mimikatz_ticket_dump.pcap file described in the PsExec section of Nate Marx’s paper.

Zeek creates the following output for this packet capture, along with an extract_files/ directory. I use the wc command to show how many lines appear in each file.

$ wc -l *.log
 9 conn.log
20 dce_rpc.log
 9 dns.log
 1 files.log
 2 kerberos.log
 8 notice.log
 1 packet_filter.log
 1 pe.log
 5 smb_files.log
 2 smb_mapping.log

We’ll start with the conn.log but move to the notice.log quickly thereafter.

conn.log

Because we saw that there were 9 entries in the conn.log, I’m going to summarize them using the following command:

$ jq -c '[."uid", ."id.orig_h", ."id.resp_h", ."id.resp_p", ."proto", ."service"]' conn.log
["CT7qITytKtae83Tyi","192.168.10.31","192.168.10.10",88,"tcp","krb_tcp"]
["CBFaLB1HJivXnb9Jw2","192.168.10.31","192.168.10.30",135,"tcp","dce_rpc"]
["CqgZIa4KYnX4cNHJo8","192.168.10.31","192.168.10.30",49155,"tcp","dce_rpc"]
["C95D4lsjb4GjGbBq2","192.168.10.31","192.168.10.255",137,"udp","dns"]
["CEcy2LEJUZQrLwO4b","192.168.10.31","192.168.10.10",53,"udp","dns"]
["CPlgJVWL9yrKdUsX8","192.168.10.31","192.168.10.10",53,"udp","dns"]
["C6zoLD2QgM71nvWdX5","192.168.10.30","192.168.10.255",137,"udp","dns"]
["C6HQVsDf8VCu0XTJe","192.168.10.31","192.168.10.30",445,"tcp","smb,krb,gssapi"]
["Cishox1cH3JLghxiV8","192.168.10.31","192.168.10.10",3,"icmp",null]

The 4 TCP connections likely are the sessions we want to investigate in this case. However, because we have a notice.log for this activity, it’s smartest to look at those entries next.

notice.log

The notice.log for this activity has 8 entries. I tried to distill them to the bare minimum required to convey what is happening, according to Zeek and BZAR.

$ jq -c '[."uid", ."note", ."msg", ."sub", ."src", ."dst"]' notice.log | uniq
["C6HQVsDf8VCu0XTJe","ATTACK::Lateral_Movement","Detected SMB::FILE_WRITE to admin file share '\\\\admin-pc\\ADMIN$PSEXESVC.exe'","T1021.002 Remote Services: SMB/Windows Admin Shares + T1570 Lateral Tool Transfer","192.168.10.31","192.168.10.30"]

["C6HQVsDf8VCu0XTJe","ATTACK::Lateral_Movement_Extracted_File","Saved a copy of the file written to SMB admin file share","C6HQVsDf8VCu0XTJe_FtIFnm3ZqI1s96P74l__admin-pc_ADMIN$PSEXESVC.exe","192.168.10.31","192.168.10.30"]

["CqgZIa4KYnX4cNHJo8","ATTACK::Execution","svcctl::CreateServiceWOW64W","T1569.002 System Services: Service Execution","192.168.10.31","192.168.10.30"]

[null,"ATTACK::Lateral_Movement_and_Execution","Detected activity against host 192.168.10.30, total score 1004 within timeframe 10.0 mins",null,null,null]

["CqgZIa4KYnX4cNHJo8","ATTACK::Execution","svcctl::StartServiceW","T1569.002 System Services: Service Execution","192.168.10.31","192.168.10.30"]

The note and sub fields indicate suspicious or malicious activity. We see evidence of lateral tool transfer to 192.168.10.30 via SMB of a file named PSEXESVC.exe, followed by service execution over svcctl. The ATTACK::Lateral_Movement_and_Execution notice is BZAR's score-based summary of the individual observations against 192.168.10.30, as its msg field states, which is why it carries no uid or addresses of its own.

dce_rpc.log

Let’s see if the dce_rpc.log adds any useful details. We saw earlier that this log has 20 entries. The first two show us the pattern that all 20 entries follow.

{
  "ts": 1507565599.588936,
  "uid": "CBFaLB1HJivXnb9Jw2",
  "id.orig_h": "192.168.10.31",
  "id.orig_p": 49240,
  "id.resp_h": "192.168.10.30",
  "id.resp_p": 135,
  "rtt": 0.0002448558807373047,
  "named_pipe": "135",
  "endpoint": "epmapper",
  "operation": "ept_map"
}

{
  "ts": 1507565599.601632,
  "uid": "CqgZIa4KYnX4cNHJo8",
  "id.orig_h": "192.168.10.31",
  "id.orig_p": 49241,
  "id.resp_h": "192.168.10.30",
  "id.resp_p": 49155,
  "rtt": 0.0003237724304199219,
  "named_pipe": "49155",
  "endpoint": "svcctl",
  "operation": "OpenSCManagerW"
}

The first entry shows a call to the Windows endpoint mapper, epmapper, on port 135 TCP on 192.168.10.30. The response from this service directs the client 192.168.10.31 to port 49155 TCP on 192.168.10.30. The second and subsequent dce_rpc.log entries involve port 49155 TCP on the target, which is offering svcctl, the RPC interface of the Service Control Manager. Because this RPC traffic runs directly over TCP rather than through an SMB named pipe, the named_pipe field simply shows the port number.

We see the target IP address is 192.168.10.30, confirming the activity in the notice.log. As we did with a previous dce_rpc.log, we can simplify this one into the following entries:

$ jq -c '[."named_pipe", ."endpoint", ."operation"]' dce_rpc.log | uniq
["135","epmapper","ept_map"]
["49155","svcctl","OpenSCManagerW"]
["49155","svcctl","CreateServiceWOW64W"]
["49155","svcctl","CloseServiceHandle"]
["49155","svcctl","OpenServiceW"]
["49155","svcctl","StartServiceW"]
["49155","svcctl","QueryServiceStatus"]
["49155","svcctl","CloseServiceHandle"]
["49155","svcctl","OpenSCManagerW"]
["49155","svcctl","OpenServiceW"]
["49155","svcctl","ControlService"]
["49155","svcctl","QueryServiceStatus"]
["49155","svcctl","CloseServiceHandle"]
["49155","svcctl","OpenServiceW"]
["49155","svcctl","DeleteService"]
["49155","svcctl","CloseServiceHandle"]

We see a successful interaction with the svcctl service on the target: the client opens the Service Control Manager, creates a service, starts it, queries its status, later stops it via ControlService, and finally deletes it. That open, create, start, stop, delete sequence is exactly how PsExec manages its PSEXESVC service on a remote host, although Zeek cannot see the service name or the command line it ran.

Incidentally, we can’t see much more using a protocol analyzer like tshark, either:

$ tshark -r 20171220_smb_psexec_mimikatz_ticket_dump.pcap -V -Y frame.number==76 -O svcctl
Frame 76: 258 bytes on wire (2064 bits), 258 bytes captured (2064 bits)
Ethernet II, Src: 08:00:27:7f:b5:8b, Dst: 08:00:27:a1:27:e8
Internet Protocol Version 4, Src: 192.168.10.31, Dst: 192.168.10.30
Transmission Control Protocol, Src Port: 49241, Dst Port: 49155, Seq: 1945, Ack: 366, Len: 204
Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Request, Fragment: Single, FragLen: 204, Call: 2, Ctx: 0
Microsoft Service Control, OpenSCManagerW
    Operation: OpenSCManagerW (15)
    Encrypted stub data: 02353eb074e7e350b9632e05b550f725c99d41d419165110...

As Mr. Marx notes in his paper, the content of these exchanges is encrypted. The tshark output shows why: the svcctl operation number is visible in the DCE/RPC header, but the stub data carrying the arguments, such as the service name and the command line, is encrypted at the RPC layer, so neither Zeek nor tshark can show it.

kerberos.log

The kerberos.log contains two entries:

{
  "ts": 1507565599.590346,
  "uid": "CT7qITytKtae83Tyi",
  "id.orig_h": "192.168.10.31",
  "id.orig_p": 49242,
  "id.resp_h": "192.168.10.10",
  "id.resp_p": 88,
  "request_type": "TGS",
  "client": "RonHD/CONTOSO.LOCAL",
  "service": "HOST/admin-pc",
  "success": true,
  "till": 2136422885,
  "cipher": "aes256-cts-hmac-sha1-96",
  "forwardable": true,
  "renewable": true
}
{
  "ts": 1507565599.575721,
  "uid": "C6HQVsDf8VCu0XTJe",
  "id.orig_h": "192.168.10.31",
  "id.orig_p": 49239,
  "id.resp_h": "192.168.10.30",
  "id.resp_p": 445
}

The first entry includes the acronym TGS, which means Ticket Granting Service: the client asked for a service ticket. The system 192.168.10.10 appears to be a domain controller, as we saw in an earlier case. The client field tells us the principal making the request, RonHD in the CONTOSO.LOCAL domain, and the service field, HOST/admin-pc, names the target for which the ticket was issued. admin-pc is the host at 192.168.10.30, as the share paths in the smb_mapping.log show.

The second entry has no request_type or client fields. It records Kerberos carried inside the SMB session setup on port 445 TCP (the conn.log listed that connection’s service as smb,krb,gssapi), which shows that the aggressor 192.168.10.31 used Kerberos to authenticate to the target 192.168.10.30.

smb_mapping.log

The smb_mapping.log contains two entries:

{
  "ts": 1507565599.576613,
  "uid": "C6HQVsDf8VCu0XTJe",
  "id.orig_h": "192.168.10.31",
  "id.orig_p": 49239,
  "id.resp_h": "192.168.10.30",
  "id.resp_p": 445,
  "path": "\\\\admin-pc\\ADMIN$",
  "share_type": "DISK"
}
{
  "ts": 1507565599.729707,
  "uid": "C6HQVsDf8VCu0XTJe",
  "id.orig_h": "192.168.10.31",
  "id.orig_p": 49239,
  "id.resp_h": "192.168.10.30",
  "id.resp_p": 445,
  "path": "\\\\admin-pc\\IPC$",
  "share_type": "PIPE"
}

As we learned earlier, connections to the ADMIN$ and IPC$ shares on a target system are suspicious or malicious if they are not already authorized. ADMIN$ maps to the Windows directory, which is why PsExec can drop its service binary there, and IPC$ carries the named pipes used for RPC.

smb_files.log

There are five entries in the smb_files.log. The first looks like this:

{
  "ts": 1507565599.576942,
  "uid": "C6HQVsDf8VCu0XTJe",
  "id.orig_h": "192.168.10.31",
  "id.orig_p": 49239,
  "id.resp_h": "192.168.10.30",
  "id.resp_p": 445,
  "action": "SMB::FILE_OPEN",
  "path": "\\\\admin-pc\\ADMIN$",
  "name": "PSEXESVC.exe",
  "size": 0,
  "times.modified": 1507565599.607777,
  "times.accessed": 1507565599.607777,
  "times.created": 1507565599.607777,
  "times.changed": 1507565599.607777
}

As we noted earlier, PSEXESVC.exe is the service executable that PsExec copies to the target’s ADMIN$ share and then registers and starts via svcctl. Seeing it written to an admin share is likely malicious unless an administrator is known to use PsExec against that host.

We can summarize all of the entries in smb_files.log with the following syntax:

$ jq -c '[."action", ."path", ."name"]' smb_files.log
["SMB::FILE_OPEN","\\\\admin-pc\\ADMIN$","PSEXESVC.exe"]
["SMB::FILE_WRITE","\\\\admin-pc\\ADMIN$","PSEXESVC.exe"]
["SMB::FILE_WRITE","\\\\admin-pc\\ADMIN$","PSEXESVC.exe"]
["SMB::FILE_OPEN","\\\\admin-pc\\ADMIN$","PSEXESVC.exe"]
["SMB::FILE_DELETE","\\\\admin-pc\\ADMIN$","PSEXESVC.exe"]

This does not give us any more context, but it shows the sorts of data in the smb_files.log: the file is opened, written in two pieces, opened again, and finally deleted, which matches PsExec cleaning up its service binary after the session.
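The correlation that BZAR performed above, written out as an added example that is not part of the Zeek documentation or of BZAR: it reads Zeek JSON log lines, looks for an executable written to an administrative share, and alerts when svcctl service creation and start calls follow from the same client to the same target within a time window. The sample smb_files.log and dce_rpc.log lines are constructed to match the shape of the entries on this page, trimmed to the fields the code uses; the timestamps after the first are made up.

```python
"""Correlate SMB admin-share writes with svcctl service execution.

Added example, not code from the Zeek project or from BZAR. It reads Zeek
JSON-format log lines (one object per line) and flags the PsExec pattern in
this capture: an executable written to an ADMIN$ or C$ share, followed
within a short window by svcctl CreateService* and StartService* calls from
the same client to the same target.
"""
import json

ADMIN_SHARES = {"ADMIN$", "C$"}
EXEC_SUFFIXES = (".exe", ".dll", ".bat", ".cmd", ".ps1")
CREATE_OPS = ("CreateService",)   # matches CreateServiceW/A and CreateServiceWOW64W/A
START_OPS = ("StartService",)     # matches StartServiceW/A

# Constructed sample records shaped like the page's smb_files.log / dce_rpc.log.
SMB_FILES_LOG = r"""
{"ts": 1507565599.576942, "uid": "C6HQVsDf8VCu0XTJe", "id.orig_h": "192.168.10.31", "id.resp_h": "192.168.10.30", "action": "SMB::FILE_OPEN", "path": "\\\\admin-pc\\ADMIN$", "name": "PSEXESVC.exe"}
{"ts": 1507565599.581120, "uid": "C6HQVsDf8VCu0XTJe", "id.orig_h": "192.168.10.31", "id.resp_h": "192.168.10.30", "action": "SMB::FILE_WRITE", "path": "\\\\admin-pc\\ADMIN$", "name": "PSEXESVC.exe"}
{"ts": 1507565599.583011, "uid": "C6HQVsDf8VCu0XTJe", "id.orig_h": "192.168.10.31", "id.resp_h": "192.168.10.30", "action": "SMB::FILE_WRITE", "path": "\\\\admin-pc\\ADMIN$", "name": "PSEXESVC.exe"}
{"ts": 1507565650.000000, "uid": "Cbenign000000001", "id.orig_h": "192.168.10.40", "id.resp_h": "192.168.10.20", "action": "SMB::FILE_WRITE", "path": "\\\\fileserver\\Projects", "name": "report.docx"}
"""

DCE_RPC_LOG = r"""
{"ts": 1507565599.601632, "uid": "CqgZIa4KYnX4cNHJo8", "id.orig_h": "192.168.10.31", "id.resp_h": "192.168.10.30", "endpoint": "svcctl", "operation": "OpenSCManagerW"}
{"ts": 1507565599.604000, "uid": "CqgZIa4KYnX4cNHJo8", "id.orig_h": "192.168.10.31", "id.resp_h": "192.168.10.30", "endpoint": "svcctl", "operation": "CreateServiceWOW64W"}
{"ts": 1507565599.610000, "uid": "CqgZIa4KYnX4cNHJo8", "id.orig_h": "192.168.10.31", "id.resp_h": "192.168.10.30", "endpoint": "svcctl", "operation": "StartServiceW"}
{"ts": 1507565599.700000, "uid": "CqgZIa4KYnX4cNHJo8", "id.orig_h": "192.168.10.31", "id.resp_h": "192.168.10.30", "endpoint": "svcctl", "operation": "DeleteService"}
{"ts": 1507565620.000000, "uid": "Cadmin0000000001", "id.orig_h": "192.168.10.10", "id.resp_h": "192.168.10.30", "endpoint": "svcctl", "operation": "StartServiceW"}
"""


def parse_json_lines(text):
    """Zeek JSON logs hold one object per line; skip blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def share_name(path):
    # The share is the last component of the UNC path, e.g. \\host\ADMIN$ -> ADMIN$
    return path.rstrip("\\").rsplit("\\", 1)[-1].upper()


def admin_share_exe_writes(smb_files):
    """Earliest write of an executable to an admin share, keyed by (client, target, file)."""
    writes = {}
    for r in smb_files:
        if r.get("action") != "SMB::FILE_WRITE":
            continue
        if share_name(r.get("path", "")) not in ADMIN_SHARES:
            continue
        name = r.get("name", "")
        if not name.lower().endswith(EXEC_SUFFIXES):
            continue
        writes.setdefault((r["id.orig_h"], r["id.resp_h"], name), r)
    return writes


def svcctl_ops(dce_rpc):
    """Only Service Control Manager calls matter for this pattern."""
    return [r for r in dce_rpc if r.get("endpoint") == "svcctl"]


def correlate(smb_files_text, dce_rpc_text, window=600.0):
    """One alert per admin-share executable write that is followed, within
    `window` seconds and from the same client to the same target, by both a
    service creation and a service start over svcctl."""
    writes = admin_share_exe_writes(parse_json_lines(smb_files_text))
    ops = svcctl_ops(parse_json_lines(dce_rpc_text))
    alerts = []
    for (orig, resp, name), w in writes.items():
        later = [o for o in ops
                 if o["id.orig_h"] == orig and o["id.resp_h"] == resp
                 and w["ts"] <= o["ts"] <= w["ts"] + window]
        names = [o["operation"] for o in later]
        created = any(n.startswith(CREATE_OPS) for n in names)
        started = any(n.startswith(START_OPS) for n in names)
        if created and started:
            alerts.append({
                "orig": orig, "resp": resp, "file": name,
                "smb_uid": w["uid"],
                "rpc_uids": sorted({o["uid"] for o in later}),
                "operations": names,
                "technique": "T1570 Lateral Tool Transfer + T1569.002 Service Execution",
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SMB_FILES_LOG, DCE_RPC_LOG):
        print(json.dumps(alert))
```

To run it over real Zeek output, pass the contents of a JSON-format smb_files.log and dce_rpc.log to correlate(); the write to the Projects share and the unrelated StartServiceW from 192.168.10.10 in the sample show the two conditions (admin share plus executable, and same client-target pair) that keep ordinary service restarts and file-server traffic from alerting.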

extract_files/, files.log, pe.log, and VirusTotal

As we did in a previous case, we can look into the files that Zeek and BZAR captured for this activity.

The extract_files/ directory contains one executable file:

extract_files/C6HQVsDf8VCu0XTJe_FtIFnm3ZqI1s96P74l__admin-pc_ADMIN$PSEXESVC.exe: PE32 executable (console) Intel 80386, for MS Windows

Zeek’s files.log says the following about it:

{
  "ts": 1507565599.578328,
  "fuid": "FtIFnm3ZqI1s96P74l",
  "tx_hosts": [
    "192.168.10.31"
  ],
  "rx_hosts": [
    "192.168.10.30"
  ],
  "conn_uids": [
    "C6HQVsDf8VCu0XTJe"
  ],
  "source": "SMB",
  "depth": 0,
  "analyzers": [
    "MD5",
    "SHA1",
    "PE",
    "EXTRACT",
    "SHA256"
  ],
  "mime_type": "application/x-dosexec",
  "filename": "PSEXESVC.exe",
  "duration": 0.0006651878356933594,
  "is_orig": true,
  "seen_bytes": 145568,
  "missing_bytes": 0,
  "overflow_bytes": 0,
  "timedout": false,
  "md5": "75b55bb34dac9d02740b9ad6b6820360",
  "sha1": "a17c21b909c56d93d978014e63fb06926eaea8e7",
  "sha256": "141b2190f51397dbd0dfde0e3904b264c91b6f81febc823ff0c33da980b69944",
  "extracted": "C6HQVsDf8VCu0XTJe_FtIFnm3ZqI1s96P74l__admin-pc_ADMIN$PSEXESVC.exe",
  "extracted_cutoff": false
}

Zeek’s pe.log says the following:

{
  "ts": 1507565599.578328,
  "id": "FtIFnm3ZqI1s96P74l",
  "machine": "I386",
  "compile_ts": 1467139314,
  "os": "Windows XP",
  "subsystem": "WINDOWS_CUI",
  "is_exe": true,
  "is_64bit": false,
  "uses_aslr": true,
  "uses_dep": true,
  "uses_code_integrity": false,
  "uses_seh": true,
  "has_import_table": true,
  "has_export_table": false,
  "has_cert_table": true,
  "has_debug_data": false,
  "section_names": [
    ".text",
    ".rdata",
    ".data",
    ".rsrc",
    ".reloc"
  ]
}

The compile time translates to human-readable form as follows:

$ date -d @1467139314
Tue Jun 28 18:41:54 UTC 2016

We can also check VirusTotal using the MD5 hash:

$ vt file "75b55bb34dac9d02740b9ad6b6820360"
- _id: "141b2190f51397dbd0dfde0e3904b264c91b6f81febc823ff0c33da980b69944"
  _type: "file"
  authentihash: "62287971b29db5858ceaf92e9db310862e9082608f9dd3ac7f5ed3f71c7cfc38"
  creation_date: 1467139314  # 2016-06-28 18:41:54 +0000 UTC
  first_seen_itw_date: 1463443155  # 2016-05-16 23:59:15 +0000 UTC
  first_submission_date: 1467293310  # 2016-06-30 13:28:30 +0000 UTC
  last_analysis_date: 1606108041  # 2020-11-23 05:07:21 +0000 UTC
  last_analysis_results:
    ALYac:
      category: "undetected"
      engine_name: "ALYac"
      engine_update: "20201123"
      engine_version: "1.1.1.5"
      method: "blacklist"
...truncated…

The various dates for this copy of PsExecSvc are interesting.

I am not sure how to account for a first seen in the wild date that precedes the creation date. Neither date is authoritative: the compile timestamp is a PE header field written by whatever built the file, and first_seen_itw comes from VirusTotal’s partner feeds. I also think it’s interesting that the last_analysis_date is only a few hours before I worked with this sample; someone else submitted or rescanned the same executable at VirusTotal that day.

After this analysis, all we know is that PSEXESVC is being used successfully by 192.168.10.31 against 192.168.10.30. Mr. Marx’s paper notes that his activity involved retrieving a file from the target. We cannot tell that from these logs, because the commands and their output travel inside the encrypted RPC stubs and the PsExec named pipes. This is an example of using Zeek logs to identify suspicious or malicious activity, and then pivoting to host-centric data to determine exactly what is happening.

ntlm.log

One log we have not seen in any of these cases is the ntlm.log. This log captures details of the older Windows NT LAN Manager (NTLM) authentication protocol, which Windows still falls back to when Kerberos is not available, for example when a client connects by IP address or to a machine that is not in a domain. The packet capture smb-on-windows-10.pcapng provided by the Wireshark project produces an ntlm.log when Zeek processes it.

Ref: https://wiki.wireshark.org/SMB2

{
  "ts": 1476605364.033848,
  "uid": "CNicnvp8Qdqbqm96a",
  "id.orig_h": "192.168.199.133",
  "id.orig_p": 49672,
  "id.resp_h": "192.168.199.1",
  "id.resp_p": 139,
  "hostname": "DESKTOP-V1FA0UQ",
  "server_nb_computer_name": "SCV",
  "server_dns_computer_name": "SCV",
  "success": true
}
{
  "ts": 1476605590.442053,
  "uid": "CLVEN87g2bfZgXqP5",
  "id.orig_h": "192.168.199.132",
  "id.orig_p": 49670,
  "id.resp_h": "192.168.199.133",
  "id.resp_p": 445,
  "username": "user",
  "hostname": "DESKTOP-2AEFM7G",
  "domainname": "DESKTOP-2AEFM7G",
  "server_nb_computer_name": "DESKTOP-V1FA0UQ",
  "server_dns_computer_name": "DESKTOP-V1FA0UQ"
}
{
  "ts": 1476605590.474118,
  "uid": "C74tDzQl0ttE8v813",
  "id.orig_h": "192.168.199.132",
  "id.orig_p": 49671,
  "id.resp_h": "192.168.199.133",
  "id.resp_p": 445,
  "username": "user",
  "hostname": "DESKTOP-2AEFM7G",
  "domainname": "DESKTOP-2AEFM7G",
  "server_nb_computer_name": "DESKTOP-V1FA0UQ",
  "server_dns_computer_name": "DESKTOP-V1FA0UQ"
}
{
  "ts": 1476605590.484196,
  "uid": "CzLJgJ2nrXGMxvnXze",
  "id.orig_h": "192.168.199.132",
  "id.orig_p": 49672,
  "id.resp_h": "192.168.199.133",
  "id.resp_p": 445,
  "username": "user",
  "hostname": "DESKTOP-2AEFM7G",
  "domainname": "DESKTOP-2AEFM7G",
  "server_nb_computer_name": "DESKTOP-V1FA0UQ",
  "server_dns_computer_name": "DESKTOP-V1FA0UQ"
}
{
  "ts": 1476605590.496004,
  "uid": "Ct46uQ2dOQuqnp5YPj",
  "id.orig_h": "192.168.199.132",
  "id.orig_p": 49673,
  "id.resp_h": "192.168.199.133",
  "id.resp_p": 445,
  "username": "user",
  "hostname": "DESKTOP-2AEFM7G",
  "domainname": "DESKTOP-2AEFM7G",
  "server_nb_computer_name": "DESKTOP-V1FA0UQ",
  "server_dns_computer_name": "DESKTOP-V1FA0UQ"
}
{
  "ts": 1476605609.93236,
  "uid": "CQorcF2L5fLEA4EImh",
  "id.orig_h": "192.168.199.132",
  "id.orig_p": 49674,
  "id.resp_h": "192.168.199.133",
  "id.resp_p": 445,
  "username": "Tim Tester",
  "hostname": "DESKTOP-2AEFM7G",
  "domainname": "DESKTOP-2AEFM7G",
  "server_nb_computer_name": "DESKTOP-V1FA0UQ",
  "server_dns_computer_name": "DESKTOP-V1FA0UQ"
}
{
  "ts": 1476605761.4297,
  "uid": "CBbRT6X875vQPAgJj",
  "id.orig_h": "192.168.199.132",
  "id.orig_p": 49675,
  "id.resp_h": "192.168.199.133",
  "id.resp_p": 445,
  "username": "Willi Wireshark",
  "hostname": "DESKTOP-2AEFM7G",
  "domainname": "DESKTOP-2AEFM7G",
  "server_nb_computer_name": "DESKTOP-V1FA0UQ",
  "server_dns_computer_name": "DESKTOP-V1FA0UQ",
  "success": true
}

This pcap produces a lot of Zeek logs, so I wanted to only show these entries. Note that only two of the entries carry a success field; for the others, Zeek did not observe a definitive outcome of the authentication exchange. The domainname matching the client’s own hostname, DESKTOP-2AEFM7G, also tells us these are local accounts rather than domain accounts. Analysts would probably take two investigative steps. First, should 192.168.199.132 be trying to access these other systems? Second, should the authentication have succeeded, as denoted by the two “true” results?

Conclusion

This has been a large section, but the goal was to present a set of cases and show how Zeek and BZAR (when available) made sense of them. I recommend reading Mr. Marx’s paper for more details as well.

irc.log

Internet Relay Chat (IRC) is an older protocol that enables real time chat and collaboration. The Zeek project hosted an IRC channel for many years to support development and discussion. Some intruders eventually began using IRC to control botnets, primarily for two reasons. First, as IRC had legitimate uses, it may not have been suspicious or malicious to see IRC traffic on the wire. Second, IRC enabled command-and-control, thanks to the ability for operators to issue instructions to clients that controlled compromised systems.

Traditionally, IRC clients connect via a clear-text TCP session to an IRC server listening on port 6667. The commands and responses are text-based, making it possible for an analyst to manually inspect them. More recent implementations of IRC servers offer IRC over TLS, with the servers listening on port 6697 TCP. However, for both unencrypted or encrypted sessions, IRC servers can listen on any TCP port.

For full details on each field in the irc.log file, please see IRC::Info.

Reconstructing an IRC Session

Before examining the data provided by Zeek’s irc.log, it might be useful to see the contents of an IRC session. I generated the following activity using the HexChat IRC client.

I have edited the transcript to focus on essential items. The lines without a leading colon-prefixed source (CAP LS, NICK, USER, CAP REQ, CAP END, JOIN, WHO, PING, PRIVMSG, and QUIT) were sent by the IRC client. The server sent the remaining text, which begins with the server name, such as :barjavel.freenode.net.

CAP LS 302
:barjavel.freenode.net NOTICE * :*** Looking up your hostname...
NICK zeektest
USER zeektest 0 * :realname
:barjavel.freenode.net NOTICE * :*** Checking Ident
:barjavel.freenode.net NOTICE * :*** Found your hostname
:barjavel.freenode.net NOTICE * :*** No Ident response
:barjavel.freenode.net CAP * LS :account-notify away-notify cap-notify chghost extended-join identify-msg multi-prefix sasl tls
CAP REQ :account-notify away-notify cap-notify chghost extended-join identify-msg multi-prefix
:barjavel.freenode.net CAP zeektest ACK :account-notify away-notify cap-notify chghost extended-join identify-msg multi-prefix 
CAP END
:barjavel.freenode.net 001 zeektest :Welcome to the freenode Internet Relay Chat Network zeektest
:barjavel.freenode.net 002 zeektest :Your host is barjavel.freenode.net[195.154.200.232/6667], running version ircd-seven-1.1.9
:barjavel.freenode.net 003 zeektest :This server was created Thu Dec 19 2019 at 20:10:02 UTC
:barjavel.freenode.net 004 zeektest barjavel.freenode.net ircd-seven-1.1.9 DOQRSZaghilopsuwz CFILMPQSbcefgijklmnopqrstuvz bkloveqjfI
:barjavel.freenode.net 005 zeektest CHANTYPES=# EXCEPTS INVEX CHANMODES=eIbq,k,flj,CFLMPQScgimnprstuz CHANLIMIT=#:120 PREFIX=(ov)@+ MAXLIST=bqeI:100 MODES=4 NETWORK=freenode STATUSMSG=@+ CALLERID=g CASEMAPPING=rfc1459 :are supported by this server
:barjavel.freenode.net 005 zeektest CHARSET=ascii NICKLEN=16 CHANNELLEN=50 TOPICLEN=390 DEAF=D FNC TARGMAX=NAMES:1,LIST:1,KICK:1,WHOIS:1,PRIVMSG:4,NOTICE:4,ACCEPT:,MONITOR: EXTBAN=$,ajrxz CLIENTVER=3.0 WHOX KNOCK CPRIVMSG :are supported by this server
:barjavel.freenode.net 005 zeektest CNOTICE ETRACE SAFELIST ELIST=CTU MONITOR=100 :are supported by this server
:barjavel.freenode.net 251 zeektest :There are 101 users and 82081 invisible on 31 servers
:barjavel.freenode.net 252 zeektest 43 :IRC Operators online
:barjavel.freenode.net 253 zeektest 45 :unknown connection(s)
:barjavel.freenode.net 254 zeektest 41982 :channels formed
:barjavel.freenode.net 255 zeektest :I have 3809 clients and 1 servers
:barjavel.freenode.net 265 zeektest 3809 5891 :Current local users 3809, max 5891
:barjavel.freenode.net 266 zeektest 82182 90930 :Current global users 82182, max 90930
:barjavel.freenode.net 250 zeektest :Highest connection count: 5892 (5891 clients) (1543159 connections received)
:barjavel.freenode.net 375 zeektest :- barjavel.freenode.net Message of the Day -
:barjavel.freenode.net 372 zeektest :- Welcome to barjavel.freenode.net in Paris, FR, EU.
...edited…
:barjavel.freenode.net 372 zeektest :- Thank you for using freenode!
:barjavel.freenode.net 376 zeektest :End of /MOTD command.
:zeektest MODE zeektest :+i
JOIN #freenode
:zeektest!~zeektest@pool-XX-XXX-XXX-XX.washdc.fios.verizon.net JOIN #freenode * :realname
:barjavel.freenode.net 332 zeektest #freenode :Welcome to #freenode | Don't copy/paste spam | No politics. | Feel free to message staff at any time. You can find us using /stats p (shows immediately-available staff) or /who freenode/staff/* (shows all staff)
:barjavel.freenode.net 333 zeektest #freenode deadk 1604191950
...edited…
:ChanServ!ChanServ@services. NOTICE zeektest :+[#freenode] Please read the topic.
:services. 328 zeektest #freenode :https://freenode.net/
WHO #freenode %chtsunfra,152
:barjavel.freenode.net 324 zeektest #freenode +CLPcntjf 5:10 #freenode-overflow
...edited…
PING LAG641756037
:barjavel.freenode.net PONG barjavel.freenode.net :LAG641756037
:willcl_ark!~quassel@cpc123780-trow7-2-0-cust177.18-1.cable.virginm.net AWAY :Away
:EGH!~EGH@79.142.76.202 JOIN #freenode EGH :Erik
PRIVMSG #freenode :One more test... thanks everyone.
QUIT :Leaving
:zeektest!~zeektest@pool-XX-XXX-XXX-XX.washdc.fios.verizon.net QUIT :Client Quit
ERROR :Closing Link: pool-XX-XXX-XXX-XX.washdc.fios.verizon.net (Client Quit)

As you can see, there is a lot of detail about the IRC server and the channels and users it supports. The client uses the nickname zeektest and joins the #freenode channel. It sends one message, “One more test... thanks everyone.”, and then quits.

I captured this traffic by manually disabling TLS in the client. Otherwise, the protocol exchange would have been opaque to Zeek (and other NSM tools).

With this basic background on IRC, let’s see how Zeek renders this activity.

Port 6667 conn.log

Zeek generated the following conn.log entry for the example traffic.

{
  "ts": 1607009493.558305,
  "uid": "CDsHGC2ZJuJh10XNbk",
  "id.orig_h": "192.168.4.142",
  "id.orig_p": 52856,
  "id.resp_h": "195.154.200.232",
  "id.resp_p": 6667,
  "proto": "tcp",
  "service": "irc",
  "duration": 55.26594305038452,
  "orig_bytes": 311,
  "resp_bytes": 239330,
  "conn_state": "RSTO",
  "missed_bytes": 0,
  "history": "ShADadfR",
  "orig_pkts": 41,
  "orig_ip_bytes": 1963,
  "resp_pkts": 185,
  "resp_ip_bytes": 246742
}

We see that Zeek correctly identified this traffic as IRC. We can expect to see an irc.log entry.

Port 6667 irc.log

Zeek generated the following three irc.log entries:

{
  "ts": 1607009493.733304,
  "uid": "CDsHGC2ZJuJh10XNbk",
  "id.orig_h": "192.168.4.142",
  "id.orig_p": 52856,
  "id.resp_h": "195.154.200.232",
  "id.resp_p": 6667,
  "command": "NICK",
  "value": "zeektest"
}
{
  "ts": 1607009493.733304,
  "uid": "CDsHGC2ZJuJh10XNbk",
  "id.orig_h": "192.168.4.142",
  "id.orig_p": 52856,
  "id.resp_h": "195.154.200.232",
  "id.resp_p": 6667,
  "nick": "zeektest",
  "command": "USER",
  "value": "zeektest",
  "addl": "0 * realname"
}
{
  "ts": 1607009514.481161,
  "uid": "CDsHGC2ZJuJh10XNbk",
  "id.orig_h": "192.168.4.142",
  "id.orig_p": 52856,
  "id.resp_h": "195.154.200.232",
  "id.resp_p": 6667,
  "nick": "zeektest",
  "user": "zeektest",
  "command": "JOIN",
  "value": "#freenode",
  "addl": ""
}

We see that Zeek collected information on three aspects of the IRC activity. It captured the setting of the NICK and USER values, as well as a JOIN command.

The Zeek scripting reference shows that Zeek also tracks Direct Client-to-Client (DCC) activity, which is usually used to exchange files via IRC. When Zeek sees a DCC SEND, the irc.log entry carries the dcc_file_name, dcc_file_size, and dcc_mime_type fields, and the transferred file is handed to the file analysis framework.

Now that we know what a traditional unencrypted IRC session looks like, let’s see how a modern TLS-encrypted IRC session appears.

Port 6697 conn.log

Running Zeek against a capture of IRC over TLS, Zeek produces the following conn.log entry.

{
  "ts": 1607009173.307125,
  "uid": "CxLRXG3BJ8KYCW6flg",
  "id.orig_h": "192.168.4.142",
  "id.orig_p": 59423,
  "id.resp_h": "185.30.166.38",
  "id.resp_p": 6697,
  "proto": "tcp",
  "service": "ssl",
  "duration": 80.66936779022217,
  "orig_bytes": 1162,
  "resp_bytes": 251941,
  "conn_state": "RSTR",
  "missed_bytes": 0,
  "history": "ShADadfr",
  "orig_pkts": 49,
  "orig_ip_bytes": 3134,
  "resp_pkts": 197,
  "resp_ip_bytes": 259833
}

Here we see that Zeek only knows that it is looking at a TLS session.

Port 6697 ssl.log and x509.log

Because this traffic is encrypted via TLS, Zeek produced ssl.log and x509.log entries.

First, let’s look at ssl.log:

{
  "ts": 1607009173.826036,
  "uid": "CxLRXG3BJ8KYCW6flg",
  "id.orig_h": "192.168.4.142",
  "id.orig_p": 59423,
  "id.resp_h": "185.30.166.38",
  "id.resp_p": 6697,
  "version": "TLSv12",
  "cipher": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
  "curve": "secp256r1",
  "server_name": "chat.freenode.net",
  "resumed": false,
  "established": true,
  "cert_chain_fuids": [
    "F6pDkA4niQwyXPxugf",
    "F1JGJ81fmUN17LOYnk"
  ],
  "client_cert_chain_fuids": [],
  "subject": "CN=verne.freenode.net",
  "issuer": "CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US"
}

The references to Freenode and chat can help clue an analyst to the likelihood that the client is engaging in IRC sessions.

Now let’s look at the x509.log:

{
  "ts": 1607009173.828159,
  "id": "F6pDkA4niQwyXPxugf",
  "certificate.version": 3,
  "certificate.serial": "040831FAE9EF9E4D666A4B9EDE996878C79B",
  "certificate.subject": "CN=verne.freenode.net",
  "certificate.issuer": "CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US",
  "certificate.not_valid_before": 1605501336,
  "certificate.not_valid_after": 1613277336,
  "certificate.key_alg": "rsaEncryption",
  "certificate.sig_alg": "sha256WithRSAEncryption",
  "certificate.key_type": "rsa",
  "certificate.key_length": 4096,
  "certificate.exponent": "65537",
  "san.dns": [
    "chat.au.freenode.com",
    "chat.au.freenode.net",
    "chat.au.freenode.org",
    "chat.eu.freenode.com",
    "chat.eu.freenode.net",
    "chat.eu.freenode.org",
    "chat.freenode.com",
    "chat.freenode.net",
    "chat.freenode.org",
    "chat.ipv4.freenode.com",
    "chat.ipv4.freenode.net",
    "chat.ipv4.freenode.org",
    "chat.ipv6.freenode.com",
    "chat.ipv6.freenode.net",
    "chat.ipv6.freenode.org",
    "chat.us.freenode.com",
    "chat.us.freenode.net",
    "chat.us.freenode.org",
    "ipv6.chat.freenode.net",
    "ipv6.irc.freenode.net",
    "irc.au.freenode.com",
    "irc.au.freenode.net",
    "irc.au.freenode.org",
    "irc.eu.freenode.com",
    "irc.eu.freenode.net",
    "irc.eu.freenode.org",
    "irc.freenode.com",
    "irc.freenode.net",
    "irc.freenode.org",
    "irc.ipv4.freenode.com",
    "irc.ipv4.freenode.net",
    "irc.ipv4.freenode.org",
    "irc.ipv6.freenode.com",
    "irc.ipv6.freenode.net",
    "irc.ipv6.freenode.org",
    "irc.us.freenode.com",
    "irc.us.freenode.net",
    "irc.us.freenode.org",
    "verne.freenode.net"
  ],
  "basic_constraints.ca": false
}
{
  "ts": 1607009173.828159,
  "id": "F1JGJ81fmUN17LOYnk",
  "certificate.version": 3,
  "certificate.serial": "0A0141420000015385736A0B85ECA708",
  "certificate.subject": "CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US",
  "certificate.issuer": "CN=DST Root CA X3,O=Digital Signature Trust Co.",
  "certificate.not_valid_before": 1458232846,
  "certificate.not_valid_after": 1615999246,
  "certificate.key_alg": "rsaEncryption",
  "certificate.sig_alg": "sha256WithRSAEncryption",
  "certificate.key_type": "rsa",
  "certificate.key_length": 2048,
  "certificate.exponent": "65537",
  "basic_constraints.ca": true,
  "basic_constraints.path_len": 0
}

The entries containing strings with “irc”, “chat”, and freenode, in the server_name and subject of the ssl.log as well as the san.dns list of the x509.log, are again clues that IRC is in play here.

Port 31337 conn.log

Here is a different session where port 31337 TCP offered clear-text IRC connections. Zeek produced three conn.log entries, involving clients with IP addresses of 10.240.0.3, 10.240.0.4, and 10.240.0.5. Here is an entry for the client 10.240.0.5.

{
  "ts": 1461774814.057057,
  "uid": "Cs0hwm3slMw4IBDU0h",
  "id.orig_h": "10.240.0.5",
  "id.orig_p": 42277,
  "id.resp_h": "10.240.0.2",
  "id.resp_p": 31337,
  "proto": "tcp",
  "service": "irc",
  "duration": 787.9501581192017,
  "orig_bytes": 1026,
  "resp_bytes": 10425,
  "conn_state": "SF",
  "missed_bytes": 0,
  "history": "ShADadfF",
  "orig_pkts": 95,
  "orig_ip_bytes": 5974,
  "resp_pkts": 87,
  "resp_ip_bytes": 14957
}

Zeek identified the protocol as IRC by using its dynamic protocol detection (DPD) functionality, which matches protocol signatures in the payload rather than relying on port numbers. It did not need to see IRC on port 6667 TCP in order to recognize the protocol.

Port 31337 irc.log

Zeek produced many entries in the irc.log for this activity, so I extracted the key values.

$ jq -c '[."id.orig_h", ."nick", ."user", ."command", ."value", ."addl"]' irc.log
["10.240.0.3",null,null,"NICK","Matir",null]
["10.240.0.3","Matir",null,"USER","root-poppopret","root-poppopret 10.240.0.2 matir"]
["10.240.0.3","Matir","root-poppopret","JOIN","#ctf",""]
["10.240.0.4",null,null,"NICK","andrewg",null]
["10.240.0.4","andrewg",null,"USER","root-poppopret","root-poppopret 10.240.0.2 andrewg"]
["10.240.0.4","andrewg","root-poppopret","JOIN","#ctf",""]
["10.240.0.5",null,null,"NICK","itsl0wk3y",null]
["10.240.0.5","itsl0wk3y",null,"USER","root-poppopret","root-poppopret 10.240.0.2 l0w"]
["10.240.0.5","itsl0wk3y","root-poppopret","JOIN","#ctf",""]

As with the previous irc.log, you can see elements like the nickname, username, commands, and additional data for the connections. You do not see any details of what users said to each other.

Botnet IRC Traffic

The following example is an excerpt from a case provided by the Malware Capture Facility, a sister project to the Stratosphere IPS Project. The case is CTU-IoT-Malware-Capture-3-1, located here:

https://mcfp.felk.cvut.cz/publicDatasets/IoTDatasets/CTU-IoT-Malware-Capture-3-1/

The case includes IRC traffic caused by systems compromised and under the control of the Muhstik botnet. More details are available in this blog post:

https://blog.netlab.360.com/botnet-muhstik-is-actively-exploiting-drupal-cve-2018-7600-in-a-worm-style-en/

Here is a summary of the conn.log for the malicious IRC traffic.

$ jq -c '[."id.orig_h", ."id.resp_h", ."id.resp_p", ."proto", ."service"]' conn.log
["192.168.2.5","111.230.241.23",2407,"tcp","irc"]
["192.168.2.5","51.38.81.99",2407,"tcp","irc"]
["192.168.2.5","185.61.149.22",2407,"tcp",null]
["192.168.2.5","54.39.23.28",2407,"tcp","irc"]
["192.168.2.5","54.39.23.28",2407,"tcp","irc"]
["192.168.2.5","185.47.129.56",2407,"tcp",null]
["213.140.50.114","192.168.2.5",1,"icmp",null]
["192.168.2.5","111.230.241.23",2407,"tcp","irc"]
["192.168.2.5","54.39.23.28",2407,"tcp","irc"]

We see the victim, 192.168.2.5, connecting to multiple IRC servers on port 2407 TCP. Note that Zeek does not recognize all of the IRC traffic using its IRC protocol analyzer. Zeek does see six IRC sessions that it parses in the irc.log.

Here is a summary of the irc.log for the IRC traffic created by this botnet client.

$ jq -c '[."id.orig_h", ."id.resp_h", ."nick", ."user", ."command", ."value", ."addl"]' irc.log
["192.168.2.5","111.230.241.23",null,null,"NICK","A5|1|5358668|black-pe",null]
["192.168.2.5","111.230.241.23","A5|1|5358668|black-pe",null,"USER","muhstik","localhost localhost muhstik-11052018"]
["192.168.2.5","51.38.81.99",null,null,"NICK","A5|1|5358668|black-pe",null]
["192.168.2.5","51.38.81.99","A5|1|5358668|black-pe",null,"USER","muhstik","localhost localhost muhstik-11052018"]
["192.168.2.5","51.38.81.99","A5|1|5358668|black-pe","muhstik","JOIN","#a925d765"," with channel key: ':8974'"]
["192.168.2.5","54.39.23.28",null,null,"NICK","A5|1|5358668|black-pe",null]
["192.168.2.5","54.39.23.28","A5|1|5358668|black-pe",null,"USER","muhstik","localhost localhost muhstik-11052018"]
["192.168.2.5","54.39.23.28","A5|1|5358668|black-pe","muhstik","JOIN","#a925d765"," with channel key: ':8974'"]
["192.168.2.5","54.39.23.28",null,null,"NICK","A5|1|5358668|black-pe",null]
["192.168.2.5","54.39.23.28","A5|1|5358668|black-pe",null,"USER","muhstik","localhost localhost muhstik-11052018"]
["192.168.2.5","54.39.23.28","A5|1|5358668|black-pe","muhstik","JOIN","#a925d765"," with channel key: ':8974'"]
["192.168.2.5","111.230.241.23",null,null,"NICK","A5|1|5358668|black-pe",null]
["192.168.2.5","111.230.241.23","A5|1|5358668|black-pe",null,"USER","muhstik","localhost localhost muhstik-11052018"]
["192.168.2.5","111.230.241.23","A5|1|5358668|black-pe","muhstik","JOIN","#a925d765"," with channel key: ':8974'"]
["192.168.2.5","54.39.23.28",null,null,"NICK","A5|1|5358668|black-pe",null]
["192.168.2.5","54.39.23.28","A5|1|5358668|black-pe",null,"USER","muhstik","localhost localhost muhstik-11052018"]
["192.168.2.5","54.39.23.28","A5|1|5358668|black-pe","muhstik","JOIN","#a925d765"," with channel key: ':8974'"]

Here is an example transcript for one of the IRC sessions:

NICK A5|1|5358668|black-pe
USER muhstik localhost localhost :muhstik-11052018
PING :A2A5630
PONG :A2A5630
:x4.tipu 010 A5|1|5358668|black-pe x4.tipu 0
:x4.tipu 010 A5|1|5358668|black-pe pomf 6667
ERROR :Closing Link: A5|1|5358668|black-pe[109.81.208.168] (This server is full.)

Thankfully for the analyst, it declares itself using the easily-searchable name muhstik, both as the USER value and in the fixed realname string muhstik-11052018. The structured nickname, the non-standard port 2407 TCP, and the JOIN to a channel protected by a key are further signs of a bot rather than a person. This makes it easy to do open source research and identify the malicious nature of the activity.
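To make concrete what the IRC analyzer keeps and what it drops, here is an added example, not code from the Zeek project, that parses raw IRC protocol lines into the same NICK, USER, and JOIN records Zeek writes to irc.log. It is applied both to the HexChat session from the “Reconstructing an IRC Session” section above and to the Muhstik bot session just shown. Direction (client or server) must be supplied by the caller, as it would be from the two sides of a reassembled TCP stream; the transcripts below are constructed from the page’s excerpts with a C/S tag per line, and the bot’s JOIN line is constructed from the irc.log entries since the excerpt above ends before the join.

```python
"""Reconstruct irc.log-style records from an IRC session transcript.

Added example, not part of Zeek. parse_line() splits an RFC 1459 message
into prefix, command and parameters; IrcSession tracks the per-connection
state (nick, user) the way irc.log reflects it, so the NICK record has no
nick field yet while the USER record already does.
"""
import re

# [":" prefix SPACE] command [SPACE params] where a parameter starting
# with ":" is the trailing parameter and may contain spaces.
IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<command>\S+)(?: (?P<params>.*))?$")

# Constructed transcripts; "C" lines were sent by the client, "S" by the server.
FREENODE_TRANSCRIPT = [
    ("C", "CAP LS 302"),
    ("S", ":barjavel.freenode.net NOTICE * :*** Looking up your hostname..."),
    ("C", "NICK zeektest"),
    ("C", "USER zeektest 0 * :realname"),
    ("S", ":barjavel.freenode.net 001 zeektest :Welcome to the freenode Internet Relay Chat Network zeektest"),
    ("C", "JOIN #freenode"),
    ("S", ":zeektest!~zeektest@pool-XX-XXX-XXX-XX.washdc.fios.verizon.net JOIN #freenode * :realname"),
    ("C", "PRIVMSG #freenode :One more test... thanks everyone."),
    ("C", "QUIT :Leaving"),
]

MUHSTIK_TRANSCRIPT = [
    ("C", "NICK A5|1|5358668|black-pe"),
    ("C", "USER muhstik localhost localhost :muhstik-11052018"),
    ("S", "PING :A2A5630"),
    ("C", "PONG :A2A5630"),
    ("C", "JOIN #a925d765 :8974"),   # constructed: the irc.log above shows this join with a key
    ("S", "ERROR :Closing Link: A5|1|5358668|black-pe[109.81.208.168] (This server is full.)"),
]


def parse_line(line):
    """Return (prefix or None, COMMAND, [params]) for one IRC line."""
    m = IRC_LINE.match(line.rstrip("\r\n"))
    if not m:
        return None, None, []
    raw = m.group("params") or ""
    if raw.startswith(":"):
        params = [raw[1:]]
    else:
        head, sep, trailing = raw.partition(" :")
        params = head.split()
        if sep:
            params.append(trailing)
    return m.group("prefix"), m.group("command").upper(), params


class IrcSession:
    """Per-connection state and the records Zeek's irc.log would contain."""

    def __init__(self):
        self.nick = None
        self.user = None
        self.records = []

    def feed(self, line, from_client):
        """Consume one line; return the irc.log-style record it produced, if any."""
        prefix, cmd, params = parse_line(line)
        if not from_client or cmd is None:
            return None  # server replies do not change the client state we log
        rec = None
        if cmd == "NICK" and params:
            rec = {"command": "NICK", "value": params[0], "addl": None}
        elif cmd == "USER" and params:
            rec = {"command": "USER", "value": params[0], "addl": " ".join(params[1:])}
        elif cmd == "JOIN" and params:
            key = params[1] if len(params) > 1 else None
            rec = {"command": "JOIN", "value": params[0],
                   "addl": f" with channel key: '{key}'" if key else ""}
        if rec is not None:
            rec = {"nick": self.nick, "user": self.user, **rec}
            self.records.append(rec)
        # Update state after building the record, matching irc.log ordering.
        if cmd == "NICK" and params:
            self.nick = params[0]
        elif cmd == "USER" and params:
            self.user = params[0]
        return rec


def replay(transcript):
    """Run a (direction, line) transcript through a session and return its records."""
    session = IrcSession()
    for direction, line in transcript:
        session.feed(line, from_client=(direction == "C"))
    return session.records


def joins_with_keys(records):
    """Channels joined with a key, as the Muhstik client above does."""
    return [(r["value"], r["addl"]) for r in records
            if r["command"] == "JOIN" and r["addl"]]


if __name__ == "__main__":
    for name, transcript in (("freenode", FREENODE_TRANSCRIPT), ("muhstik", MUHSTIK_TRANSCRIPT)):
        for rec in replay(transcript):
            print(name, rec)
```

The PRIVMSG line is parsed but produces no record, which mirrors the observation above that irc.log does not show what users said to each other. One difference from Zeek’s output: this parser strips the RFC trailing-parameter marker from the channel key, so it reports 8974, while the irc.log on this page shows the key as ':8974'.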

Conclusion

Security analysts may still encounter IRC when botnets and other malware use it for command-and-control. As other forms of collaboration and chat have become prevalent, IRC has become a remnant of a bygone era, which means that IRC on a modern enterprise network, and especially on a non-standard port, deserves a closer look.

rdp.log

Remote Desktop Protocol (RDP) is a protocol Microsoft developed to enable remote graphical access to a system. RDP implementations exist for other operating systems, but RDP is most popular on systems running Windows NT 4.0 and newer.

Older RDP deployments use what Microsoft calls Standard RDP Security, in which the protocol encrypts the session itself with RC4 but offers no real server authentication, leaving it open to man-in-the-middle attacks. Newer deployments use Enhanced RDP Security, which wraps the session in TLS, optionally with CredSSP for network level authentication (NLA). Zeek’s rdp.log reports the server’s choice in its security_protocol field as RDP, SSL, or HYBRID (CredSSP).

Standard RDP servers listen on port 3389 TCP. Administrators can configure the service to listen on any port, however. The following material investigates the process by which a simulated intruder gains access to a system via RDP. First he makes many connections to the RDP server, testing usernames and passwords. Following the correct guessing of a username and password, he connects and briefly interacts with the system offering access via RDP.

For full details on each field in the rdp.log file, please refer to RDP::Info.

conn.log

Let’s start with the conn.log for the activity in question. I’ve broken it into two sets of activities. The first is the reconnaissance and the second is the interactive session.

I’ve summarized the first set of conn.log entries using the following syntax:

$ jq -c '[."id.orig_h", ."id.resp_h", ."id.resp_p", ."service", ."orig_bytes", ."resp_bytes"]' conn.log | sort | uniq -c
38 ["192.168.4.160","192.168.4.161",3389,"ssl",1392,1238]
 1 ["192.168.4.160","192.168.4.161",3389,"ssl",3365,4855]

We see 38 sessions with identical byte counts in both directions (1392 bytes from the client, 1238 from the server), which is what repeated failed logon attempts look like, and one session with different counts. That one could indicate a successful connection. Port 3389 TCP is the destination, but remember that an RDP server can listen on any TCP port. Also note Zeek reports the service as ssl rather than rdp, because the session is encrypted by TLS after the initial RDP negotiation.

The second set of conn.log entries contains the following session:

{
  "ts": 1607353272.790635,
  "uid": "CFdEZNjN5MtPzGMS8",
  "id.orig_h": "192.168.4.160",
  "id.orig_p": 59758,
  "id.resp_h": "192.168.4.161",
  "id.resp_p": 3389,
  "proto": "tcp",
  "service": "ssl",
  "duration": 109.49137687683105,
  "orig_bytes": 66747,
  "resp_bytes": 1823511,
  "conn_state": "RSTR",
  "missed_bytes": 0,
  "history": "ShADdaFr",
  "orig_pkts": 2913,
  "orig_ip_bytes": 183287,
  "resp_pkts": 2250,
  "resp_ip_bytes": 1913523
}

This activity is similar to the previous, except that the session lasted about 109 seconds and the client and server exchanged far more data, with the server sending roughly 1.8 MB, consistent with screen updates from an interactive desktop session.

rdp.log

The following syntax summarizes the relevant content in the first set of Zeek rdp.log entries, caused by the simulated intruder’s RDP reconnaissance:

$ jq -c '[."id.orig_h", ."id.resp_h", ."id.resp_p", ."cookie", ."result", ."security_protocol", ."cert_count"]' rdp.log | sort | uniq -c
39 ["192.168.4.160","192.168.4.161",3389,"test","encrypted","HYBRID",0]

There is nothing in these logs to indicate whether any attempt succeeded. Zeek could still identify RDP because the client's X.224 Connection Request, which carries the cookie and the requested security protocols, is sent in the clear before the TLS handshake begins. The cookie field (the mstshash value) normally holds the username the client supplies; here it is test, the login name used in the Hydra run described below. cert_count is 0 because the server's certificate was exchanged inside the TLS handshake rather than in RDP's own security exchange; it shows up in ssl.log and x509.log instead.

Here is the entire rdp.log entry for the interactive RDP session:

{
  "ts": 1607353272.791158,
  "uid": "CFdEZNjN5MtPzGMS8",
  "id.orig_h": "192.168.4.160",
  "id.orig_p": 59758,
  "id.resp_h": "192.168.4.161",
  "id.resp_p": 3389,
  "cookie": "test",
  "result": "encrypted",
  "security_protocol": "HYBRID",
  "cert_count": 0
}

As before, there is nothing stating that this is an interactive session.
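The conn.log and rdp.log summaries above can be turned into a detection by joining the two logs on uid: a client that opens many short RDP sessions to one server with the same cookie in a short time is guessing passwords, and a session in that run whose server byte count dwarfs the others is the likely successful logon. The following Python is an added example, not Zeek code or part of the original capture; the sample log lines are constructed to match the entries shown above, and the thresholds (10 attempts within 5 minutes, an outlier at 10x the median server bytes) are this example's own choices.

```python
import json
import statistics
from collections import defaultdict


def sample_logs():
    """Constructed conn.log and rdp.log lines (JSON, one record per line),
    modelled on the entries shown above: 38 uniform failed attempts followed
    by the one long session. Only the fields the detector uses are kept."""
    conn, rdp = [], []
    for i in range(38):
        uid, ts = f"Cguess{i:02d}", 1607353250.0 + i * 0.5
        conn.append(json.dumps({"ts": ts, "uid": uid, "id.orig_h": "192.168.4.160",
                                "id.orig_p": 59700 + i, "id.resp_h": "192.168.4.161",
                                "id.resp_p": 3389, "proto": "tcp", "service": "ssl",
                                "duration": 0.3, "orig_bytes": 1392, "resp_bytes": 1238}))
        rdp.append(json.dumps({"ts": ts, "uid": uid, "id.orig_h": "192.168.4.160",
                               "id.resp_h": "192.168.4.161", "id.resp_p": 3389,
                               "cookie": "test", "result": "encrypted",
                               "security_protocol": "HYBRID"}))
    conn.append(json.dumps({"ts": 1607353272.790635, "uid": "CFdEZNjN5MtPzGMS8",
                            "id.orig_h": "192.168.4.160", "id.orig_p": 59758,
                            "id.resp_h": "192.168.4.161", "id.resp_p": 3389,
                            "proto": "tcp", "service": "ssl", "duration": 109.49,
                            "orig_bytes": 66747, "resp_bytes": 1823511}))
    rdp.append(json.dumps({"ts": 1607353272.791158, "uid": "CFdEZNjN5MtPzGMS8",
                           "id.orig_h": "192.168.4.160", "id.resp_h": "192.168.4.161",
                           "id.resp_p": 3389, "cookie": "test", "result": "encrypted",
                           "security_protocol": "HYBRID"}))
    return conn, rdp


def detect_rdp_guessing(conn_lines, rdp_lines, min_attempts=10, window=300.0,
                        outlier_ratio=10.0):
    """Return one finding per (client, server, port, cookie) that shows
    min_attempts or more RDP sessions inside `window` seconds. rdp.log alone
    cannot tell success from failure, so the finding also lists sessions whose
    resp_bytes exceed outlier_ratio times the median: the probable interactive
    logon after a correct guess."""
    conn = {}
    for line in conn_lines:
        rec = json.loads(line)
        conn[rec["uid"]] = rec
    groups = defaultdict(list)
    for line in rdp_lines:
        rec = json.loads(line)
        c = conn.get(rec["uid"])
        if c is None:      # rdp.log row without a conn.log row (rotation, filtering)
            continue
        key = (rec["id.orig_h"], rec["id.resp_h"], rec["id.resp_p"], rec.get("cookie", ""))
        groups[key].append(c)
    findings = []
    for (client, server, port, cookie), sessions in groups.items():
        sessions.sort(key=lambda c: c["ts"])
        # Simple span check; a sliding window would also catch slow, spread-out guessing.
        if len(sessions) < min_attempts or sessions[-1]["ts"] - sessions[0]["ts"] > window:
            continue
        median_resp = statistics.median([c.get("resp_bytes", 0) for c in sessions])
        cutoff = outlier_ratio * max(median_resp, 1)
        findings.append({
            "client": client, "server": server, "port": port, "cookie": cookie,
            "attempts": len(sessions),
            "median_resp_bytes": median_resp,
            "likely_success": [c["uid"] for c in sessions if c.get("resp_bytes", 0) > cutoff],
        })
    return findings


if __name__ == "__main__":
    conn_lines, rdp_lines = sample_logs()
    for finding in detect_rdp_guessing(conn_lines, rdp_lines):
        print(finding)
```

Against real logs, feed the functions the lines of conn.log and rdp.log (JSON output format); an RDP server on a non-standard port is still caught because grouping keys on whatever port rdp.log recorded, not on 3389.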

ssl.log and x509.log

The Zeek logs associated with TLS-encrypted sessions might tell us a bit about the RDP server. Here is a ssl.log entry for the interactive session:

{
  "ts": 1607353272.79572,
  "uid": "CFdEZNjN5MtPzGMS8",
  "id.orig_h": "192.168.4.160",
  "id.orig_p": 59758,
  "id.resp_h": "192.168.4.161",
  "id.resp_p": 3389,
  "version": "TLSv12",
  "cipher": "TLS_RSA_WITH_AES_256_GCM_SHA384",
  "server_name": "192.168.4.161",
  "resumed": false,
  "established": true,
  "cert_chain_fuids": [
    "FWesoX2H43hXhuqoGb"
  ],
  "client_cert_chain_fuids": [],
  "subject": "CN=WinDev2010Eval",
  "issuer": "CN=WinDev2010Eval"
}

The subject and issuer are identical, so the certificate is self-signed, which is what Windows generates automatically for RDP when no administrator-supplied certificate is installed, and the CN is the server's hostname. From this information it looks like the target is a Windows development machine.

Here is the corresponding x509.log entry. We match it to the preceding ssl.log entry using the id field.

{
  "ts": 1607353272.79572,
  "id": "FWesoX2H43hXhuqoGb",
  "certificate.version": 3,
  "certificate.serial": "5578FF9983F26AA6442533AB6AD54C72",
  "certificate.subject": "CN=WinDev2010Eval",
  "certificate.issuer": "CN=WinDev2010Eval",
  "certificate.not_valid_before": 1602434171,
  "certificate.not_valid_after": 1618245371,
  "certificate.key_alg": "rsaEncryption",
  "certificate.sig_alg": "sha256WithRSAEncryption",
  "certificate.key_type": "rsa",
  "certificate.key_length": 2048,
  "certificate.exponent": "65537"
}

While this might have some significance in other investigations, here it is not as important.

Running the Test

For those who might want to simulate this activity themselves, I wanted to share how I conducted this experiment.

$ hydra -t 1 -V -f -l test -P wordlist.txt rdp://192.168.4.161
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-12-07 09:46:30
[WARNING] the rdp module is experimental. Please test, report - and if possible, fix.
[DATA] max 1 task per 1 server, overall 1 task, 4999 login tries (l:1/p:4999), ~4999 tries per task
[DATA] attacking rdp://192.168.4.161:3389/
[ATTEMPT] target 192.168.4.161 - login "test" - pass "123456" - 1 of 4999 [child 0] (0/0)
[ATTEMPT] target 192.168.4.161 - login "test" - pass "12345" - 2 of 4999 [child 0] (0/0)
[ATTEMPT] target 192.168.4.161 - login "test" - pass "123456789" - 3 of 4999 [child 0] (0/0)
[ATTEMPT] target 192.168.4.161 - login "test" - pass "password" - 4 of 4999 [child 0] (0/0)
...edited...
[ATTEMPT] target 192.168.4.161 - login "test" - pass "liverpool" - 38 of 4999 [child 0] (0/0)
[ATTEMPT] target 192.168.4.161 - login "test" - pass "football" - 39 of 4999 [child 0] (0/0)
[3389][rdp] host: 192.168.4.161   login: test   password: football
[STATUS] attack finished for 192.168.4.161 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-12-07 09:46:53

I used the password-guessing tool THC-Hydra by van Hauser/THC & David Maciejak. I provided a word list that contained a password I had set on a test account on the Windows RDP server at 192.168.4.161. I ran Hydra from a Kali Linux virtual machine against a Windows 10 development virtual machine and captured the traffic on Kali Linux. I then processed it with Zeek to produce the logs in this section.

Conclusion

When processing RDP sessions that use Standard RDP Security rather than TLS, Zeek can provide more information than shown here, because the client's connection data (fields such as client_name, client_build, keyboard_layout, desktop_width and desktop_height in RDP::Info) is visible before the session's own encryption starts. However, in my experience Zeek is most helpful for identifying systems which should or should not be offering RDP services. Zeek will also generate records for interactive sessions, helping analysts identify when authorized or unauthorized users access systems via RDP.

For more information on analyzing RDP in the context of vulnerabilities that appeared in 2019 and 2020, please see the following blog posts:

https://corelight.blog/2019/05/23/how-to-use-corelight-and-zeek-logs-to-mitigate-rds-rdp-vulnerabilities/

https://corelight.blog/2020/05/13/analyzing-encrypted-rdp-connections/

traceroute.log

Traceroute is a network diagnostic method by which a system can try to determine the intermediate routing devices between it and a remote system. Implementations exist for all operating systems. The method generally relies on sending Internet Control Message Protocol (ICMP) messages or User Datagram Protocol (UDP) datagrams with incrementing Internet Protocol (IP) time to live (TTL) values; each router that decrements the TTL to zero discards the probe and returns an ICMP time exceeded message, revealing its address. Some implementations use TCP instead, since the IP TTL value, not the transport protocol, is what makes the method work. For more on how traceroute works, please consult a networking book.

Zeek ships with a script, policy/misc/detect-traceroute, that tries to identify traceroute activity. It keys on ICMP time exceeded messages returned to a host and can combine them with the low-TTL packets that host sent.
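As an added example (not Zeek's own script), here is the two-signal heuristic in Python over constructed packet summaries: a source is reported for a destination only when it sent several low-TTL probes to it and at least one router returned an ICMP time exceeded message quoting that destination. Requiring both signals keeps a single stray low-TTL packet, or time exceeded messages caused by a routing loop, from being reported. The TTL and count thresholds are this example's choices, not Zeek's defaults.

```python
from collections import defaultdict

ICMP_TIME_EXCEEDED = 11     # ICMPv4 type 11; this example handles IPv4 only


def detect_traceroute(packets, low_ttl=9, min_low_ttl_probes=3):
    """Return sorted (src, dst, proto) triples that look like traceroute runs.

    Each packet is a dict with src, dst, proto and ttl; ICMP packets also carry
    icmp_type, and time exceeded messages carry quoted_dst, the destination of
    the expired probe copied from the embedded original header. A pair is
    reported only when both signals are present: several probes with TTL <=
    low_ttl from src to dst, and at least one ICMP time exceeded returned to
    src that quotes dst. The thresholds are this example's own choices."""
    low_ttl_probes = defaultdict(set)   # (src, dst) -> distinct low TTL values seen
    proto_of = {}                       # (src, dst) -> transport of the first low-TTL probe
    exceeded = set()                    # (src, dst) pairs confirmed by a time exceeded reply
    for p in packets:
        if p["proto"] == "icmp" and p.get("icmp_type") == ICMP_TIME_EXCEEDED:
            exceeded.add((p["dst"], p["quoted_dst"]))    # the reply goes back to the prober
        elif p["ttl"] <= low_ttl:
            key = (p["src"], p["dst"])
            low_ttl_probes[key].add(p["ttl"])
            proto_of.setdefault(key, p["proto"])
    return sorted((src, dst, proto_of[(src, dst)])
                  for (src, dst) in exceeded
                  if len(low_ttl_probes.get((src, dst), ())) >= min_low_ttl_probes)


def sample_packets():
    """Constructed packet summaries (not taken from the capture behind the log above)."""
    pkts = []
    # UDP traceroute from 192.168.4.48 to 213.133.109.134: probes with TTL 1..4,
    # three intermediate routers answer with ICMP time exceeded.
    for ttl, hop in zip(range(1, 5), ["192.168.4.1", "10.11.0.1", "10.12.0.1", None]):
        pkts.append({"src": "192.168.4.48", "dst": "213.133.109.134", "proto": "udp", "ttl": ttl})
        if hop:
            pkts.append({"src": hop, "dst": "192.168.4.48", "proto": "icmp", "ttl": 64,
                         "icmp_type": ICMP_TIME_EXCEEDED, "quoted_dst": "213.133.109.134"})
    # ICMP echo traceroute to 131.72.76.118: three probes, two time exceeded replies.
    for ttl, hop in zip(range(1, 4), ["192.168.4.1", "10.11.0.1", None]):
        pkts.append({"src": "192.168.4.48", "dst": "131.72.76.118", "proto": "icmp",
                     "ttl": ttl, "icmp_type": 8})
        if hop:
            pkts.append({"src": hop, "dst": "192.168.4.48", "proto": "icmp", "ttl": 64,
                         "icmp_type": ICMP_TIME_EXCEEDED, "quoted_dst": "131.72.76.118"})
    # An ordinary ping with a normal TTL: neither signal is present.
    pkts.append({"src": "192.168.4.48", "dst": "1.1.1.1", "proto": "icmp", "ttl": 64, "icmp_type": 8})
    # A single stray low-TTL packet with no time exceeded reply: not enough evidence.
    pkts.append({"src": "192.168.4.50", "dst": "9.9.9.9", "proto": "udp", "ttl": 2})
    return pkts


if __name__ == "__main__":
    for src, dst, proto in detect_traceroute(sample_packets()):
        print({"src": src, "dst": dst, "proto": proto})   # same shape as traceroute.log
```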

For full details on each field in the traceroute.log file, please refer to Traceroute::Info.

traceroute.log

The traceroute.log only contains four fields. Here is an example excerpt:

{"ts":"2020-12-07T05:14:54.202099Z","src":"192.168.4.48","dst":"213.133.109.134","proto":"udp"}
{"ts":"2020-12-07T05:14:54.367071Z","src":"192.168.4.48","dst":"131.72.76.118","proto":"icmp"}
{"ts":"2020-12-07T05:25:13.222095Z","src":"192.168.4.48","dst":"216.113.20.1","proto":"udp"}
{"ts":"2020-12-07T05:30:58.502092Z","src":"192.168.4.48","dst":"193.0.14.129","proto":"udp"}

Beyond the timestamp, source IP address, and destination IP address, the only remaining field is the protocol, proto. This field indicates the protocol that was used by the traceroute program. In the second entry, traceroute used ICMP. In the other three cases, traceroute used UDP.

Conclusion

The traceroute.log is not enabled by default: load policy/misc/detect-traceroute (for example with @load misc/detect-traceroute in local.zeek) to produce it. It is useful if you want to identify systems using the method to enumerate routing devices between the initiator and the target.

tunnel.log

The purpose of Zeek’s tunnel.log is to identify encapsulated traffic. A common use case in modern networks involves encapsulating IPv6 traffic within IPv4. It’s also entirely possible to tunnel IPv4 over IPv6. This document will provide a few examples of how Zeek interprets tunneled traffic. The author captured the first example on his home network. The remainder appear courtesy of the PacketLife Web site operated by Jeremy Stretch:

https://packetlife.net/captures/category/tunneling/

For full details on each field in the tunnel.log file, please refer to Tunnel::Info.

Teredo

The following example demonstrates Teredo traffic generated by a Microsoft game console. Teredo (RFC 4380) is an encapsulation protocol whereby IPv6 packets are carried inside UDP datagrams over IPv4, so that IPv6 hosts can communicate across IPv4 NAT devices.

https://docs.microsoft.com/en-us/windows/win32/teredo/portal

tcpdump and tshark

Here is tcpdump output for the traffic in question:

00:55:58.290539 IP 192.168.4.31.3074 > 40.84.25.61.65444: UDP, length 61
00:55:59.321945 IP 192.168.4.31.3074 > 40.84.25.61.3544: UDP, length 61
00:55:59.337323 IP 40.84.25.61.3544 > 192.168.4.31.3074: UDP, length 109

Here is tshark output for the traffic in question:

1 192.168.4.31 3074 40.84.25.61  65444 UDP 103 3074 → 65444 Len=61
2 fe80::ffff:ffff:fffe 3074 ff02::2      3544 ICMPv6 103 Router Solicitation
3 fe80::8000:f227:d7ab:e6c3 3544 fe80::ffff:ffff:fffe 3074 ICMPv6 151 Router Advertisement

Notice that tshark shows frames 2 and 3 as IPv6, because it displays the innermost protocol it decoded, whereas tcpdump shows the outer IPv4 and UDP headers.

Let’s take a closer look at frame 2 to see the encapsulation in detail:

Frame 2: 103 bytes on wire (824 bits), 103 bytes captured (824 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Dec 15, 2020 00:55:59.321945000 UTC
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1607993759.321945000 seconds
    [Time delta from previous captured frame: 1.031406000 seconds]
    [Time delta from previous displayed frame: 1.031406000 seconds]
    [Time since reference or first frame: 1.031406000 seconds]
    Frame Number: 2
    Frame Length: 103 bytes (824 bits)
    Capture Length: 103 bytes (824 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:udp:teredo:ipv6:icmpv6]
Ethernet II, Src: bc:83:85:56:2f:67, Dst: fc:ec:da:49:e0:10
    Destination: fc:ec:da:49:e0:10
        Address: fc:ec:da:49:e0:10
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: bc:83:85:56:2f:67
        Address: bc:83:85:56:2f:67
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.4.31, Dst: 40.84.25.61
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 89
    Identification: 0xbb91 (48017)
    Flags: 0x0000
        0... .... .... .... = Reserved bit: Not set
        .0.. .... .... .... = Don't fragment: Not set
        ..0. .... .... .... = More fragments: Not set
        ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 128
    Protocol: UDP (17)
    Header checksum: 0x78aa [validation disabled]
    [Header checksum status: Unverified]
    Source: 192.168.4.31
    Destination: 40.84.25.61
User Datagram Protocol, Src Port: 3074, Dst Port: 3544
    Source Port: 3074
    Destination Port: 3544
    Length: 69
    Checksum: 0x7fdc [unverified]
    [Checksum Status: Unverified]
    [Stream index: 1]
Teredo IPv6 over UDP tunneling
    Teredo Authentication header
        Client identifier length: 0
        Authentication value length: 0
        Nonce value: 6aeec3b128884291
        Confirmation byte: 00
Internet Protocol Version 6, Src: fe80::ffff:ffff:fffe, Dst: ff02::2
    0110 .... = Version: 6
    .... 0000 0000 .... .... .... .... .... = Traffic Class: 0x00 (DSCP: CS0, ECN: Not-ECT)
        .... 0000 00.. .... .... .... .... .... = Differentiated Services Codepoint: Default (0)
        .... .... ..00 .... .... .... .... .... = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    .... .... .... 0000 0000 0000 0000 0000 = Flow Label: 0x00000
    Payload Length: 8
    Next Header: ICMPv6 (58)
    Hop Limit: 255
    Source: fe80::ffff:ffff:fffe
    Destination: ff02::2
Internet Control Message Protocol v6
    Type: Router Solicitation (133)
    Code: 0
    Checksum: 0x7d38 [correct]
    [Checksum Status: Good]
    Reserved: 00000000

Reading the dissection from the bottom up, an ICMPv6 Router Solicitation sits inside an IPv6 packet, inside a UDP datagram to port 3544, inside an IPv4 packet. The Teredo authentication header (indicator 0x0001, zero-length client identifier and authentication value, an 8-byte nonce and a confirmation byte) sits between the UDP header and the IPv6 header. Frame 3 is similar.
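To make the nesting concrete, the following added Python example (not part of Zeek or of the original capture file) rebuilds frame 2 byte for byte from the field values in the dissection, then parses it back, peeling IPv4, UDP, the Teredo authentication header, IPv6 and ICMPv6 and verifying each checksum. The reconstruction reproduces tshark's checksums (0x78aa, 0x7fdc and 0x7d38), which confirms the layout; the origin-indication branch follows RFC 4380 and is not exercised by this frame.

```python
import ipaddress
import struct

TEREDO_PORT = 3544                 # Teredo server port (RFC 4380)
TEREDO_AUTH_TAG = b"\x00\x01"      # authentication header indicator
TEREDO_ORIGIN_TAG = b"\x00\x00"    # origin indication indicator
ICMPV6 = 58


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; odd-length data is zero-padded.
    Over data that already contains a correct checksum the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv6_pseudo(src, dst, length, next_header):
    return src.packed + dst.packed + struct.pack("!I3xB", length, next_header)


def build_teredo_frame() -> bytes:
    """Rebuild frame 2 (IPv4 payload only) from the field values in the dissection above."""
    src6, dst6 = ipaddress.IPv6Address("fe80::ffff:ffff:fffe"), ipaddress.IPv6Address("ff02::2")
    icmp = struct.pack("!BBHI", 133, 0, 0, 0)                     # Router Solicitation
    csum = checksum(ipv6_pseudo(src6, dst6, len(icmp), ICMPV6) + icmp)
    icmp = icmp[:2] + struct.pack("!H", csum) + icmp[4:]
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6, 255) + src6.packed + dst6.packed + icmp
    teredo = struct.pack("!2sBB8sB", TEREDO_AUTH_TAG, 0, 0, bytes.fromhex("6aeec3b128884291"), 0)
    src4, dst4 = ipaddress.IPv4Address("192.168.4.31"), ipaddress.IPv4Address("40.84.25.61")
    udp = struct.pack("!HHHH", 3074, TEREDO_PORT, 8 + len(teredo) + len(ip6), 0) + teredo + ip6
    pseudo4 = src4.packed + dst4.packed + struct.pack("!xBH", 17, len(udp))
    udp = udp[:6] + struct.pack("!H", checksum(pseudo4 + udp)) + udp[8:]
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0xBB91, 0, 128, 17, 0,
                      src4.packed, dst4.packed)
    ip4 = ip4[:10] + struct.pack("!H", checksum(ip4)) + ip4[12:]
    return ip4 + udp


def parse_teredo_frame(pkt: bytes) -> dict:
    """Peel IPv4 -> UDP -> Teredo -> IPv6 -> ICMPv6, verifying every checksum."""
    pkt = bytes(pkt)
    if pkt[0] >> 4 != 4:
        raise ValueError("outer packet is not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    total_len, proto = struct.unpack("!H", pkt[2:4])[0], pkt[9]
    if checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if proto != 17:
        raise ValueError("outer payload is not UDP")
    src4, dst4 = ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20])
    udp = pkt[ihl:total_len]
    sport, dport, ulen, ucsum = struct.unpack("!HHHH", udp[:8])
    if ucsum and checksum(src4.packed + dst4.packed + struct.pack("!xBH", 17, ulen) + udp[:ulen]) != 0:
        raise ValueError("bad UDP checksum")
    if TEREDO_PORT not in (sport, dport):
        raise ValueError("not Teredo: neither UDP port is 3544")
    payload, off, teredo = udp[8:ulen], 0, {}
    # Optional Teredo headers precede the IPv6 packet: authentication and/or origin indication.
    while payload[off:off + 2] in (TEREDO_AUTH_TAG, TEREDO_ORIGIN_TAG):
        if payload[off:off + 2] == TEREDO_AUTH_TAG:
            id_len, au_len = payload[off + 2], payload[off + 3]
            p = off + 4 + id_len + au_len
            teredo["auth"] = {"client_id": payload[off + 4:off + 4 + id_len].hex(),
                              "nonce": payload[p:p + 8].hex(), "confirmation": payload[p + 8]}
            off = p + 9
        else:   # origin port and IPv4 address are stored XOR 0xFF (RFC 4380, 5.1.1)
            oport = struct.unpack("!H", payload[off + 2:off + 4])[0] ^ 0xFFFF
            oaddr = ipaddress.IPv4Address(bytes(b ^ 0xFF for b in payload[off + 4:off + 8]))
            teredo["origin"] = {"addr": str(oaddr), "port": oport}
            off += 8
    ip6 = payload[off:]
    if len(ip6) < 40 or ip6[0] >> 4 != 6:
        raise ValueError("Teredo payload is not IPv6")
    plen, nh, hlim = struct.unpack("!HBB", ip6[4:8])
    src6, dst6 = ipaddress.IPv6Address(ip6[8:24]), ipaddress.IPv6Address(ip6[24:40])
    inner = ip6[40:40 + plen]
    layers = {"ipv4": {"src": str(src4), "dst": str(dst4), "checksum": struct.unpack("!H", pkt[10:12])[0]},
              "udp": {"sport": sport, "dport": dport, "checksum": ucsum},
              "teredo": teredo,
              "ipv6": {"src": str(src6), "dst": str(dst6), "next_header": nh, "hop_limit": hlim},
              "stack": ["ipv4", "udp", "teredo", "ipv6"]}
    if nh == ICMPV6:
        if checksum(ipv6_pseudo(src6, dst6, len(inner), ICMPV6) + inner) != 0:
            raise ValueError("bad ICMPv6 checksum")
        layers["icmpv6"] = {"type": inner[0], "code": inner[1],
                            "checksum": struct.unpack("!H", inner[2:4])[0]}
        layers["stack"].append("icmpv6")
    return layers


if __name__ == "__main__":
    print(parse_teredo_frame(build_teredo_frame()))
```

The parser deliberately refuses a frame whose checksums do not verify; when carving tunneled traffic out of a capture, a checksum that fails at the outer layer but passes at the inner layer usually means the outer header was rewritten by a NAT or the capture point, which is itself useful context.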

conn.log

The conn.log for this traffic contains the following:

{
  "ts": 1607993759.321945,
  "uid": "CO9T0A3FPac5ig4hud",
  "id.orig_h": "192.168.4.31",
  "id.orig_p": 3074,
  "id.resp_h": "40.84.25.61",
  "id.resp_p": 3544,
  "proto": "udp",
  "service": "teredo",
  "duration": 0.015377998352050781,
  "orig_bytes": 61,
  "resp_bytes": 109,
  "conn_state": "SF",
  "missed_bytes": 0,
  "history": "Dd",
  "orig_pkts": 1,
  "orig_ip_bytes": 89,
  "resp_pkts": 1,
  "resp_ip_bytes": 137
}

This first conn.log entry addresses frames 2 and 3 in the original packet capture. Zeek identifies Teredo as the service within a UDP datagram. UDP port 3544 is the Teredo server port defined in RFC 4380, and UDP port 3074 is the Xbox Live port, which the console also uses as the source port of its Teredo traffic, probably for NAT traversal. Note the uid field. It will appear again shortly.

{
  "ts": 1607993758.290539,
  "uid": "CUqiKk4m6VpWwcaJ4l",
  "id.orig_h": "192.168.4.31",
  "id.orig_p": 3074,
  "id.resp_h": "40.84.25.61",
  "id.resp_p": 65444,
  "proto": "udp",
  "conn_state": "S0",
  "missed_bytes": 0,
  "history": "D",
  "orig_pkts": 1,
  "orig_ip_bytes": 89,
  "resp_pkts": 0,
  "resp_ip_bytes": 0
}

This second conn.log entry refers to frame 1 in the packet capture. Note the uid field. It will appear again shortly as well.

{
  "ts": 1607993759.321945,
  "uid": "CoiibpW4Ov0n1xvj",
  "id.orig_h": "fe80::ffff:ffff:fffe",
  "id.orig_p": 133,
  "id.resp_h": "ff02::2",
  "id.resp_p": 134,
  "proto": "icmp",
  "conn_state": "OTH",
  "missed_bytes": 0,
  "orig_pkts": 1,
  "orig_ip_bytes": 48,
  "resp_pkts": 0,
  "resp_ip_bytes": 0,
  "tunnel_parents": [
    "CO9T0A3FPac5ig4hud"
  ]
}

Here Zeek has created a new conn.log entry for the ICMPv6 traffic carried within the tunnel. For ICMP, Zeek puts the message type in id.orig_p and the type of the expected reply in id.resp_p, so 133 and 134 are Router Solicitation and Router Advertisement, not ports. The UID of the outer connection carrying this traffic appears in the tunnel_parents field; it refers to the first entry in the conn.log.

{
  "ts": 1607993758.290539,
  "uid": "C6Gikx4eC6wXR3xOqg",
  "id.orig_h": "fe80::8000:ffff:ffff:fffe",
  "id.orig_p": 133,
  "id.resp_h": "ff02::2",
  "id.resp_p": 134,
  "proto": "icmp",
  "conn_state": "OTH",
  "missed_bytes": 0,
  "orig_pkts": 1,
  "orig_ip_bytes": 48,
  "resp_pkts": 0,
  "resp_ip_bytes": 0,
  "tunnel_parents": [
    "CUqiKk4m6VpWwcaJ4l"
  ]
}

Similar to the previous conn.log entry, here is another tunneled ICMPv6 message. This corresponds to the second conn.log entry reviewed earlier.

{
  "ts": 1607993759.337323,
  "uid": "C8h2gZ3EjWUW5xKh2",
  "id.orig_h": "fe80::8000:f227:d7ab:e6c3",
  "id.orig_p": 134,
  "id.resp_h": "fe80::ffff:ffff:fffe",
  "id.resp_p": 133,
  "proto": "icmp",
  "conn_state": "OTH",
  "missed_bytes": 0,
  "orig_pkts": 1,
  "orig_ip_bytes": 88,
  "resp_pkts": 0,
  "resp_ip_bytes": 0,
  "tunnel_parents": [
    "CO9T0A3FPac5ig4hud"
  ]
}

Zeek creates a final conn.log entry for tunneled traffic. This also corresponds to the first conn.log entry by virtue of its tunnel_parents value.

tunnel.log

Zeek’s tunnel.log offers the following entries for this encapsulated traffic.

{
  "ts": 1607993758.290539,
  "uid": "CUqiKk4m6VpWwcaJ4l",
  "id.orig_h": "192.168.4.31",
  "id.orig_p": 3074,
  "id.resp_h": "40.84.25.61",
  "id.resp_p": 65444,
  "tunnel_type": "Tunnel::TEREDO",
  "action": "Tunnel::DISCOVER"
}
{
  "ts": 1607993759.321945,
  "uid": "CO9T0A3FPac5ig4hud",
  "id.orig_h": "192.168.4.31",
  "id.orig_p": 3074,
  "id.resp_h": "40.84.25.61",
  "id.resp_p": 3544,
  "tunnel_type": "Tunnel::TEREDO",
  "action": "Tunnel::DISCOVER"
}
{
  "ts": 1607993759.337323,
  "uid": "CO9T0A3FPac5ig4hud",
  "id.orig_h": "192.168.4.31",
  "id.orig_p": 3074,
  "id.resp_h": "40.84.25.61",
  "id.resp_p": 3544,
  "tunnel_type": "Tunnel::TEREDO",
  "action": "Tunnel::CLOSE"
}
{
  "ts": 1607993759.337323,
  "uid": "CUqiKk4m6VpWwcaJ4l",
  "id.orig_h": "192.168.4.31",
  "id.orig_p": 3074,
  "id.resp_h": "40.84.25.61",
  "id.resp_p": 65444,
  "tunnel_type": "Tunnel::TEREDO",
  "action": "Tunnel::CLOSE"
}

The action messages indicate how Zeek is tracking the connections. When it first identifies a tunnel, it reports DISCOVER. When it assesses that the tunnel is no longer used, Zeek reports CLOSE.

The take-away from this activity is that Zeek has identified Teredo traffic. The tunnel.log entries abstract the somewhat complicated detailed logs and produce results that are a bit friendlier to the analyst. Here we see that the systems involved are opening and closing Teredo tunnels. If this is not authorized traffic, it is enough to begin a more detailed investigation.

IP in IP

The next example shows transporting IPv4 inside IPv4 traffic. RFC 1853 states:

“The IP in IP encapsulation Protocol/Payload number 4 [RFC 1700] has long been used to bridge portions of the Internet which have disjoint capabilities or policies.”

This is another encapsulation method that might surprise an analyst or network administrator, assuming it is not authorized for use.

tcpdump and tshark

Here is tcpdump’s view of the sample traffic:

12:12:06.059907 IP 10.0.0.1 > 10.0.0.2: IP 1.1.1.1 > 2.2.2.2: ICMP echo request, id 4, seq 0, length 80 (ipip-proto-4)
12:12:06.067958 IP 10.0.0.2 > 10.0.0.1: IP 2.2.2.2 > 1.1.1.1: ICMP echo reply, id 4, seq 0, length 80 (ipip-proto-4)
12:12:06.075906 IP 10.0.0.1 > 10.0.0.2: IP 1.1.1.1 > 2.2.2.2: ICMP echo request, id 4, seq 1, length 80 (ipip-proto-4)
12:12:06.083920 IP 10.0.0.2 > 10.0.0.1: IP 2.2.2.2 > 1.1.1.1: ICMP echo reply, id 4, seq 1, length 80 (ipip-proto-4)
12:12:06.091909 IP 10.0.0.1 > 10.0.0.2: IP 1.1.1.1 > 2.2.2.2: ICMP echo request, id 4, seq 2, length 80 (ipip-proto-4)
12:12:06.099922 IP 10.0.0.2 > 10.0.0.1: IP 2.2.2.2 > 1.1.1.1: ICMP echo reply, id 4, seq 2, length 80 (ipip-proto-4)
12:12:06.107906 IP 10.0.0.1 > 10.0.0.2: IP 1.1.1.1 > 2.2.2.2: ICMP echo request, id 4, seq 3, length 80 (ipip-proto-4)
12:12:06.116057 IP 10.0.0.2 > 10.0.0.1: IP 2.2.2.2 > 1.1.1.1: ICMP echo reply, id 4, seq 3, length 80 (ipip-proto-4)
12:12:06.123910 IP 10.0.0.1 > 10.0.0.2: IP 1.1.1.1 > 2.2.2.2: ICMP echo request, id 4, seq 4, length 80 (ipip-proto-4)
12:12:06.131919 IP 10.0.0.2 > 10.0.0.1: IP 2.2.2.2 > 1.1.1.1: ICMP echo reply, id 4, seq 4, length 80 (ipip-proto-4)

Here is tshark’s view of the first packet:

Frame 1: 134 bytes on wire (1072 bits), 134 bytes captured (1072 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Jun 21, 2008 12:12:06.059907000 UTC
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1214050326.059907000 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 134 bytes (1072 bits)
    Capture Length: 134 bytes (1072 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:ip:icmp:data]
Ethernet II, Src: c2:00:57:75:00:00, Dst: c2:01:57:75:00:00
    Destination: c2:01:57:75:00:00
        Address: c2:01:57:75:00:00
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: c2:00:57:75:00:00
        Address: c2:00:57:75:00:00
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 10.0.0.1, Dst: 10.0.0.2
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 120
    Identification: 0x0014 (20)
    Flags: 0x0000
        0... .... .... .... = Reserved bit: Not set
        .0.. .... .... .... = Don't fragment: Not set
        ..0. .... .... .... = More fragments: Not set
        ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 255
    Protocol: IPIP (4)
    Header checksum: 0xa76b [validation disabled]
    [Header checksum status: Unverified]
    Source: 10.0.0.1
    Destination: 10.0.0.2
Internet Protocol Version 4, Src: 1.1.1.1, Dst: 2.2.2.2
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 100
    Identification: 0x0014 (20)
    Flags: 0x0000
        0... .... .... .... = Reserved bit: Not set
        .0.. .... .... .... = Don't fragment: Not set
        ..0. .... .... .... = More fragments: Not set
        ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 255
    Protocol: ICMP (1)
    Header checksum: 0xb57f [validation disabled]
    [Header checksum status: Unverified]
    Source: 1.1.1.1
    Destination: 2.2.2.2
Internet Control Message Protocol
    Type: 8 (Echo (ping) request)
    Code: 0
    Checksum: 0x4305 [correct]
    [Checksum Status: Good]
    Identifier (BE): 4 (0x0004)
    Identifier (LE): 1024 (0x0400)
    Sequence number (BE): 0 (0x0000)
    Sequence number (LE): 0 (0x0000)
    Data (72 bytes)

0000  00 00 00 00 00 09 3b 38 ab cd ab cd ab cd ab cd   ......;8........
0010  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
0020  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
0030  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
0040  ab cd ab cd ab cd ab cd                           ........
        Data: 0000000000093b38abcdabcdabcdabcdabcdabcdabcdabcd...
        [Length: 72]

Note that both renditions depict the outer and inner IP addresses in use, as well as the encapsulated ICMP traffic.

conn.log

Zeek creates a single conn.log entry for this traffic.

{
  "ts": 1214050326.059907,
  "uid": "CaG4lb2HwGhNGLo1d2",
  "id.orig_h": "1.1.1.1",
  "id.orig_p": 8,
  "id.resp_h": "2.2.2.2",
  "id.resp_p": 0,
  "proto": "icmp",
  "duration": 0.07201194763183594,
  "orig_bytes": 360,
  "resp_bytes": 360,
  "conn_state": "OTH",
  "missed_bytes": 0,
  "orig_pkts": 5,
  "orig_ip_bytes": 500,
  "resp_pkts": 5,
  "resp_ip_bytes": 500,
  "tunnel_parents": [
    "CllZAw139PBBVBawlj"
  ]
}

Notice the only conn.log entry lists the encapsulated source and destination IP addresses for the traffic, i.e., 1.1.1.1 and 2.2.2.2. To see the outer IP addresses, we need to look for the tunnel_parents connection in the tunnel.log.

tunnel.log

The tunnel.log also contains a single entry:

{
  "ts": 1214050326.059907,
  "uid": "CllZAw139PBBVBawlj",
  "id.orig_h": "10.0.0.1",
  "id.orig_p": 0,
  "id.resp_h": "10.0.0.2",
  "id.resp_p": 0,
  "tunnel_type": "Tunnel::IP",
  "action": "Tunnel::DISCOVER"
}

Here we learn that the outer IP addresses are 10.0.0.1 and 10.0.0.2. The tunnel type is IP. The action of Tunnel::DISCOVER means that Zeek has identified a new tunnel or encapsulation.

IP over IP via GRE

Let’s look at a more common variation of IP within IP. This method uses Generic Routing Encapsulation, or GRE.

tcpdump and tshark

Here is tcpdump’s view of the traffic:

12:06:06.434897 IP 10.0.0.1 > 10.0.0.2: GREv0, length 104: IP 1.1.1.1 > 2.2.2.2: ICMP echo request, id 2, seq 0, length 80
12:06:06.442931 IP 10.0.0.2 > 10.0.0.1: GREv0, length 104: IP 2.2.2.2 > 1.1.1.1: ICMP echo reply, id 2, seq 0, length 80
12:06:06.450900 IP 10.0.0.1 > 10.0.0.2: GREv0, length 104: IP 1.1.1.1 > 2.2.2.2: ICMP echo request, id 2, seq 1, length 80
12:06:06.498938 IP 10.0.0.2 > 10.0.0.1: GREv0, length 104: IP 2.2.2.2 > 1.1.1.1: ICMP echo reply, id 2, seq 1, length 80
12:06:06.506904 IP 10.0.0.1 > 10.0.0.2: GREv0, length 104: IP 1.1.1.1 > 2.2.2.2: ICMP echo request, id 2, seq 2, length 80
12:06:06.514914 IP 10.0.0.2 > 10.0.0.1: GREv0, length 104: IP 2.2.2.2 > 1.1.1.1: ICMP echo reply, id 2, seq 2, length 80
12:06:06.522905 IP 10.0.0.1 > 10.0.0.2: GREv0, length 104: IP 1.1.1.1 > 2.2.2.2: ICMP echo request, id 2, seq 3, length 80
12:06:06.570925 IP 10.0.0.2 > 10.0.0.1: GREv0, length 104: IP 2.2.2.2 > 1.1.1.1: ICMP echo reply, id 2, seq 3, length 80
12:06:06.578905 IP 10.0.0.1 > 10.0.0.2: GREv0, length 104: IP 1.1.1.1 > 2.2.2.2: ICMP echo request, id 2, seq 4, length 80
12:06:06.586923 IP 10.0.0.2 > 10.0.0.1: GREv0, length 104: IP 2.2.2.2 > 1.1.1.1: ICMP echo reply, id 2, seq 4, length 80

Here is tshark’s view of the first packet:

Frame 1: 138 bytes on wire (1104 bits), 138 bytes captured (1104 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Jun 21, 2008 12:06:06.434897000 UTC
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1214049966.434897000 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 138 bytes (1104 bits)
    Capture Length: 138 bytes (1104 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:gre:ip:icmp:data]
Ethernet II, Src: c2:00:57:75:00:00, Dst: c2:01:57:75:00:00
    Destination: c2:01:57:75:00:00
        Address: c2:01:57:75:00:00
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: c2:00:57:75:00:00
        Address: c2:00:57:75:00:00
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 10.0.0.1, Dst: 10.0.0.2
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 124
    Identification: 0x000a (10)
    Flags: 0x0000
        0... .... .... .... = Reserved bit: Not set
        .0.. .... .... .... = Don't fragment: Not set
        ..0. .... .... .... = More fragments: Not set
        ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 255
    Protocol: Generic Routing Encapsulation (47)
    Header checksum: 0xa746 [validation disabled]
    [Header checksum status: Unverified]
    Source: 10.0.0.1
    Destination: 10.0.0.2
Generic Routing Encapsulation (IP)
    Flags and Version: 0x0000
        0... .... .... .... = Checksum Bit: No
        .0.. .... .... .... = Routing Bit: No
        ..0. .... .... .... = Key Bit: No
        ...0 .... .... .... = Sequence Number Bit: No
        .... 0... .... .... = Strict Source Route Bit: No
        .... .000 .... .... = Recursion control: 0
        .... .... 0000 0... = Flags (Reserved): 0
        .... .... .... .000 = Version: GRE (0)
    Protocol Type: IP (0x0800)
Internet Protocol Version 4, Src: 1.1.1.1, Dst: 2.2.2.2
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 100
    Identification: 0x000a (10)
    Flags: 0x0000
        0... .... .... .... = Reserved bit: Not set
        .0.. .... .... .... = Don't fragment: Not set
        ..0. .... .... .... = More fragments: Not set
        ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 255
    Protocol: ICMP (1)
    Header checksum: 0xb589 [validation disabled]
    [Header checksum status: Unverified]
    Source: 1.1.1.1
    Destination: 2.2.2.2
Internet Control Message Protocol
    Type: 8 (Echo (ping) request)
    Code: 0
    Checksum: 0xbfd4 [correct]
    [Checksum Status: Good]
    Identifier (BE): 2 (0x0002)
    Identifier (LE): 512 (0x0200)
    Sequence number (BE): 0 (0x0000)
    Sequence number (LE): 0 (0x0000)
    Data (72 bytes)

0000  00 00 00 00 00 03 be 70 ab cd ab cd ab cd ab cd   .......p........
0010  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
0020  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
0030  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
0040  ab cd ab cd ab cd ab cd                           ........
        Data: 000000000003be70abcdabcdabcdabcdabcdabcdabcdabcd...
        [Length: 72]

Note that both renditions depict the outer and inner IP addresses in use, as well as the encapsulated ICMP traffic. This time, in contrast with the previous example, the inner traffic follows a GRE header.

conn.log

Zeek creates a single conn.log entry for this traffic:

{
  "ts": 1214049966.434897,
  "uid": "Cxg76d2N73I9DhmZ5l",
  "id.orig_h": "1.1.1.1",
  "id.orig_p": 8,
  "id.resp_h": "2.2.2.2",
  "id.resp_p": 0,
  "proto": "icmp",
  "duration": 0.15202593803405762,
  "orig_bytes": 360,
  "resp_bytes": 360,
  "conn_state": "OTH",
  "missed_bytes": 0,
  "orig_pkts": 5,
  "orig_ip_bytes": 500,
  "resp_pkts": 5,
  "resp_ip_bytes": 500,
  "tunnel_parents": [
    "C2ELkSIprfG0oMEae"
  ]
}

As with the previous example, the only conn.log entry lists the encapsulated source and destination IP addresses for the traffic, i.e., 1.1.1.1 and 2.2.2.2. To see the outer IP addresses, we need to look for the tunnel_parents connection in the tunnel.log.

tunnel.log

The tunnel.log also contains a single entry:

{
  "ts": 1214049966.434897,
  "uid": "C2ELkSIprfG0oMEae",
  "id.orig_h": "10.0.0.1",
  "id.orig_p": 0,
  "id.resp_h": "10.0.0.2",
  "id.resp_p": 0,
  "tunnel_type": "Tunnel::GRE",
  "action": "Tunnel::DISCOVER"
}

We see again that the outer IP addresses are 10.0.0.1 and 10.0.0.2. The tunnel type is GRE, unlike the IP type of the previous example. The action of Tunnel::DISCOVER means that Zeek has identified a new tunnel or encapsulation.
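The tunnel_parents lookup described in the IP-in-IP and GRE sections, and in the Teredo section earlier, is easy to automate. The following added Python example (not Zeek code) joins conn.log entries to tunnel.log on the parent uid, reports the outer endpoints and tunnel type for each inner connection, and marks tunnels that are not on an allowlist of expected (type, outer source, outer destination) triples. The log lines are the ones shown in this section trimmed to the relevant fields, plus one constructed conn.log entry whose parent uid does not exist in tunnel.log, to show how a dangling reference is reported; the allowlist is an assumed site policy.

```python
import json

# Lines excerpted from the conn.log and tunnel.log entries in this section,
# trimmed to the fields used here. The last conn.log line is constructed.
CONN_LOG = """\
{"uid":"CO9T0A3FPac5ig4hud","id.orig_h":"192.168.4.31","id.orig_p":3074,"id.resp_h":"40.84.25.61","id.resp_p":3544,"proto":"udp","service":"teredo"}
{"uid":"CoiibpW4Ov0n1xvj","id.orig_h":"fe80::ffff:ffff:fffe","id.orig_p":133,"id.resp_h":"ff02::2","id.resp_p":134,"proto":"icmp","tunnel_parents":["CO9T0A3FPac5ig4hud"]}
{"uid":"C8h2gZ3EjWUW5xKh2","id.orig_h":"fe80::8000:f227:d7ab:e6c3","id.orig_p":134,"id.resp_h":"fe80::ffff:ffff:fffe","id.resp_p":133,"proto":"icmp","tunnel_parents":["CO9T0A3FPac5ig4hud"]}
{"uid":"CaG4lb2HwGhNGLo1d2","id.orig_h":"1.1.1.1","id.orig_p":8,"id.resp_h":"2.2.2.2","id.resp_p":0,"proto":"icmp","tunnel_parents":["CllZAw139PBBVBawlj"]}
{"uid":"Cxg76d2N73I9DhmZ5l","id.orig_h":"1.1.1.1","id.orig_p":8,"id.resp_h":"2.2.2.2","id.resp_p":0,"proto":"icmp","tunnel_parents":["C2ELkSIprfG0oMEae"]}
{"uid":"Cexample0000000001","id.orig_h":"10.9.9.9","id.orig_p":0,"id.resp_h":"10.8.8.8","id.resp_p":0,"proto":"icmp","tunnel_parents":["Cexample0000000002"]}
"""
TUNNEL_LOG = """\
{"uid":"CO9T0A3FPac5ig4hud","id.orig_h":"192.168.4.31","id.orig_p":3074,"id.resp_h":"40.84.25.61","id.resp_p":3544,"tunnel_type":"Tunnel::TEREDO","action":"Tunnel::DISCOVER"}
{"uid":"CO9T0A3FPac5ig4hud","id.orig_h":"192.168.4.31","id.orig_p":3074,"id.resp_h":"40.84.25.61","id.resp_p":3544,"tunnel_type":"Tunnel::TEREDO","action":"Tunnel::CLOSE"}
{"uid":"CllZAw139PBBVBawlj","id.orig_h":"10.0.0.1","id.orig_p":0,"id.resp_h":"10.0.0.2","id.resp_p":0,"tunnel_type":"Tunnel::IP","action":"Tunnel::DISCOVER"}
{"uid":"C2ELkSIprfG0oMEae","id.orig_h":"10.0.0.1","id.orig_p":0,"id.resp_h":"10.0.0.2","id.resp_p":0,"tunnel_type":"Tunnel::GRE","action":"Tunnel::DISCOVER"}
"""


def load_jsonl(text):
    """Parse JSON-format Zeek log lines (one record per line)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def resolve_tunnels(conn_records, tunnel_records, authorized=frozenset()):
    """For each conn.log record carrying tunnel_parents, look up the parent uid
    in tunnel.log and report the outer endpoints and tunnel type. `authorized`
    holds (tunnel_type, outer orig_h, outer resp_h) triples that are expected
    on the network; anything else, including an unresolvable parent, is
    flagged for investigation."""
    outer = {}
    for t in tunnel_records:
        outer.setdefault(t["uid"], t)   # DISCOVER and CLOSE rows share a uid; the first suffices
    results = []
    for c in conn_records:
        for parent in c.get("tunnel_parents", []):
            t = outer.get(parent)
            if t is None:
                results.append({"inner_uid": c["uid"], "parent_uid": parent,
                                "resolved": False, "authorized": False})
                continue
            key = (t["tunnel_type"], t["id.orig_h"], t["id.resp_h"])
            results.append({
                "inner_uid": c["uid"], "parent_uid": parent, "resolved": True,
                "inner": f'{c["id.orig_h"]} -> {c["id.resp_h"]} ({c["proto"]})',
                "outer": f'{t["id.orig_h"]} -> {t["id.resp_h"]}',
                "tunnel_type": t["tunnel_type"],
                "authorized": key in authorized,
            })
    return results


def unauthorized_tunnels(results):
    """The subset an analyst should look at, keyed by inner uid."""
    return {r["inner_uid"]: r for r in results if not r["authorized"]}


if __name__ == "__main__":
    allow = {("Tunnel::GRE", "10.0.0.1", "10.0.0.2")}     # assumed site policy
    for r in unauthorized_tunnels(resolve_tunnels(load_jsonl(CONN_LOG), load_jsonl(TUNNEL_LOG), allow)).values():
        print(r)
```

Nested tunnels appear as several uids in tunnel_parents; each is resolved on its own, so the inner connection is reported once per layer.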

IPv4 in PPP in GRE in IPv4 in IPv6

We’ve saved the most complicated example for last.

In this example, we see the following very complicated protocol stack:

Ethernet II
802.1Q virtual LAN (VLAN)
IPv6
IPv4
GRE
Point-to-Point Protocol (PPP)
IPv4
UDP
Domain Name System

I am not sure what created this trace, although I suspect it may be from a mobile asset. GRE version 1 with call IDs and sequence and acknowledgement numbers, as tcpdump reports below, is the enhanced GRE that PPTP (RFC 2637) uses to carry PPP frames, so the middle layers of this stack are a PPTP VPN tunnel riding inside an IPv4-in-IPv6 tunnel.

tcpdump and tshark

Here is tcpdump’s view of the sample traffic:

03:35:03.821897 IP6 2402:f000:1:8e01::5555 > 2607:fcd0:100:2300::b108:2a6b: IP 16.0.0.200 > 192.52.166.154: GREv1, call 6016, seq 430001, ack 539254, length 119: IP 172.16.44.3.40768 > 8.8.8.8.53: 42540+ AAAA? xqt-detect-mode2-97712e88-167a-45b9-93ee-913140e76678. (71)

03:35:04.035791 IP6 2607:fcd0:100:2300::b108:2a6b > 2402:f000:1:8e01::5555: IP 192.52.166.154 > 16.0.0.200: GREv1, call 17, seq 539320, length 190: IP 8.8.8.8.53 > 172.16.44.3.40768: 42540 NXDomain 0/1/0 (146)

Here is tshark’s view of the first packet:

Frame 1: 197 bytes on wire (1576 bits), 197 bytes captured (1576 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Dec  3, 2014 03:35:03.821897000 UTC
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1417577703.821897000 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 197 bytes (1576 bits)
    Capture Length: 197 bytes (1576 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:vlan:ethertype:ipv6:ip:gre:ppp:ip:udp:dns]
Ethernet II, Src: 00:12:1e:f2:61:3d, Dst: c5:00:00:00:82:c4
    Destination: c5:00:00:00:82:c4
        Address: c5:00:00:00:82:c4
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
    Source: 00:12:1e:f2:61:3d
        Address: 00:12:1e:f2:61:3d
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: 802.1Q Virtual LAN (0x8100)
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 100
    000. .... .... .... = Priority: Best Effort (default) (0)
    ...0 .... .... .... = DEI: Ineligible
    .... 0000 0110 0100 = ID: 100
    Type: IPv6 (0x86dd)
Internet Protocol Version 6, Src: 2402:f000:1:8e01::5555, Dst: 2607:fcd0:100:2300::b108:2a6b
    0110 .... = Version: 6
    .... 0000 0000 .... .... .... .... .... = Traffic Class: 0x00 (DSCP: CS0, ECN: Not-ECT)
        .... 0000 00.. .... .... .... .... .... = Differentiated Services Codepoint: Default (0)
        .... .... ..00 .... .... .... .... .... = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    .... .... .... 0000 0000 0000 0000 0000 = Flow Label: 0x00000
    Payload Length: 139
    Next Header: IPIP (4)
    Hop Limit: 246
    Source: 2402:f000:1:8e01::5555
    Destination: 2607:fcd0:100:2300::b108:2a6b
Internet Protocol Version 4, Src: 16.0.0.200, Dst: 192.52.166.154
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 139
    Identification: 0x8caf (36015)
    Flags: 0x0000
        0... .... .... .... = Reserved bit: Not set
        .0.. .... .... .... = Don't fragment: Not set
        ..0. .... .... .... = More fragments: Not set
        ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 64
    Protocol: Generic Routing Encapsulation (47)
    Header checksum: 0x75fe [validation disabled]
    [Header checksum status: Unverified]
    Source: 16.0.0.200
    Destination: 192.52.166.154
Generic Routing Encapsulation (PPP)
    Flags and Version: 0x3081
        0... .... .... .... = Checksum Bit: No
        .0.. .... .... .... = Routing Bit: No
        ..1. .... .... .... = Key Bit: Yes
        ...1 .... .... .... = Sequence Number Bit: Yes
        .... 0... .... .... = Strict Source Route Bit: No
        .... .000 .... .... = Recursion control: 0
        .... .... 1... .... = Acknowledgment: Yes
        .... .... .000 0... = Flags (Reserved): 0
        .... .... .... .001 = Version: Enhanced GRE (1)
    Protocol Type: PPP (0x880b)
    Payload Length: 103
    Call ID: 6016
    Sequence Number: 430001
    Acknowledgment Number: 539254
Point-to-Point Protocol
    Address: 0xff
    Control: 0x03
    Protocol: Internet Protocol version 4 (0x0021)
Internet Protocol Version 4, Src: 172.16.44.3, Dst: 8.8.8.8
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 99
    Identification: 0x0000 (0)
    Flags: 0x4000, Don't fragment
        0... .... .... .... = Reserved bit: Not set
        .1.. .... .... .... = Don't fragment: Set
        ..0. .... .... .... = More fragments: Not set
        ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 60
    Protocol: UDP (17)
    Header checksum: 0x5667 [validation disabled]
    [Header checksum status: Unverified]
    Source: 172.16.44.3
    Destination: 8.8.8.8
User Datagram Protocol, Src Port: 40768, Dst Port: 53
    Source Port: 40768
    Destination Port: 53
    Length: 79
    Checksum: 0x2d23 [unverified]
    [Checksum Status: Unverified]
    [Stream index: 0]
Domain Name System (query)
    Transaction ID: 0xa62c
    Flags: 0x0100 Standard query
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... .0.. .... = Z: reserved (0)
        .... .... ...0 .... = Non-authenticated data: Unacceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        xqt-detect-mode2-97712e88-167a-45b9-93ee-913140e76678: type AAAA, class IN
            Name: xqt-detect-mode2-97712e88-167a-45b9-93ee-913140e76678
            [Name Length: 53]
            [Label Count: 1]
            Type: AAAA (IPv6 Address) (28)
            Class: IN (0x0001)

Both tcpdump and tshark show the three levels of IP addresses used in this complicated frame.

conn.log

Let’s see what Zeek makes of this complicated exchange.

{
  "ts": 1417577703.821897,
  "uid": "CiJXLc43tlknoHbXH9",
  "id.orig_h": "172.16.44.3",
  "id.orig_p": 40768,
  "id.resp_h": "8.8.8.8",
  "id.resp_p": 53,
  "proto": "udp",
  "service": "dns",
  "duration": 0.21389389038085938,
  "orig_bytes": 71,
  "resp_bytes": 146,
  "conn_state": "SF",
  "missed_bytes": 0,
  "history": "Dd",
  "orig_pkts": 1,
  "orig_ip_bytes": 99,
  "resp_pkts": 1,
  "resp_ip_bytes": 174,
  "tunnel_parents": [
    "CBvCtfO5sjjyQb2V4"
  ]
}

We see Zeek has burrowed all the way down to the innermost IP address, 172.16.44.3, making a DNS request to 8.8.8.8.

tunnel.log

Zeek’s tunnel.log contains two entries for this session.

{
  "ts": 1417577703.821897,
  "uid": "CPnYZx2edh7O2ueTm4",
  "id.orig_h": "2402:f000:1:8e01::5555",
  "id.orig_p": 0,
  "id.resp_h": "2607:fcd0:100:2300::b108:2a6b",
  "id.resp_p": 0,
  "tunnel_type": "Tunnel::IP",
  "action": "Tunnel::DISCOVER"
}
{
  "ts": 1417577703.821897,
  "uid": "CBvCtfO5sjjyQb2V4",
  "id.orig_h": "16.0.0.200",
  "id.orig_p": 0,
  "id.resp_h": "192.52.166.154",
  "id.resp_p": 0,
  "tunnel_type": "Tunnel::GRE",
  "action": "Tunnel::DISCOVER"
}

Zeek displays the two outer IP addresses, and ties them to the inner address using the uid field. The uid matches the tunnel_parents field in the conn.log.

dns.log

For completeness, let’s take a look at the dns.log Zeek created for this activity.

{
  "ts": 1417577703.821897,
  "uid": "CiJXLc43tlknoHbXH9",
  "id.orig_h": "172.16.44.3",
  "id.orig_p": 40768,
  "id.resp_h": "8.8.8.8",
  "id.resp_p": 53,
  "proto": "udp",
  "trans_id": 42540,
  "query": "xqt-detect-mode2-97712e88-167a-45b9-93ee-913140e76678",
  "qclass": 1,
  "qclass_name": "C_INTERNET",
  "qtype": 28,
  "qtype_name": "AAAA",
  "rcode": 3,
  "rcode_name": "NXDOMAIN",
  "AA": false,
  "TC": false,
  "RD": true,
  "RA": false,
  "Z": 0,
  "rejected": false
}

Here is a AAAA query, meaning the client wants the IPv6 address for the domain listed in the query. As you might guess, the DNS server reply (not shown here) is for a root name server.

Conclusion

Zeek’s tunnel.log is a useful way to accomplish two tasks. First, the presence of a tunnel.log in your collection of Zeek outputs means Zeek has detected and reported on encapsulated traffic. If you do not expect to see such activity in your environment, it is worth investigating. Second, the tunnel.log provides a means to show the outermost IP addresses associated with the activity reported in the conn.log when encapsulation is present.
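
Both tasks named in this conclusion, the uid join between conn.log and tunnel.log described in the tunnel.log discussion above and the check for encapsulation you do not expect, can be scripted; the following is an added example, not part of the Zeek documentation or of Zeek's own scripts. The log lines it reads are copied from this page's IPv4-in-PPP-in-GRE-in-IPv4-in-IPv6 trace, trimmed to the fields the script uses.

```python
"""Join conn.log to tunnel.log through tunnel_parents.

Added example; not part of the Zeek documentation or of Zeek's own scripts.
The log lines below are copied from this page (the IPv4-in-PPP-in-GRE-in-IPv4-
in-IPv6 trace), trimmed to the fields this script uses.
"""
import json

CONN_LOG = """\
{"ts":1417577703.821897,"uid":"CiJXLc43tlknoHbXH9","id.orig_h":"172.16.44.3","id.orig_p":40768,"id.resp_h":"8.8.8.8","id.resp_p":53,"proto":"udp","service":"dns","tunnel_parents":["CBvCtfO5sjjyQb2V4"]}
"""

TUNNEL_LOG = """\
{"ts":1417577703.821897,"uid":"CPnYZx2edh7O2ueTm4","id.orig_h":"2402:f000:1:8e01::5555","id.orig_p":0,"id.resp_h":"2607:fcd0:100:2300::b108:2a6b","id.resp_p":0,"tunnel_type":"Tunnel::IP","action":"Tunnel::DISCOVER"}
{"ts":1417577703.821897,"uid":"CBvCtfO5sjjyQb2V4","id.orig_h":"16.0.0.200","id.orig_p":0,"id.resp_h":"192.52.166.154","id.resp_p":0,"tunnel_type":"Tunnel::GRE","action":"Tunnel::DISCOVER"}
"""


def load_json_log(text):
    """Parse JSON-format Zeek log output: one JSON object per line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def endpoints(rec):
    """Render the id.* address pair of a conn.log or tunnel.log record."""
    return f"{rec['id.orig_h']} -> {rec['id.resp_h']}"


def describe_encapsulation(conn_text, tunnel_text):
    """Return (chains, unlinked).

    chains maps each tunnelled conn.log uid to a list: the inner connection
    first, then one entry per tunnel.log record named in tunnel_parents.
    unlinked lists tunnel.log records that no conn.log entry references; in
    the trace on this page the outer IPv6 layer (uid CPnYZx2edh7O2ueTm4) is
    such a record, so the analyst has to match it by timestamp and address
    rather than by uid.
    """
    tunnels = {t["uid"]: t for t in load_json_log(tunnel_text)}
    referenced = set()
    chains = {}
    for conn in load_json_log(conn_text):
        parents = conn.get("tunnel_parents") or []
        if not parents:
            continue  # ordinary, un-encapsulated connection
        chain = [f"{conn['proto']} {endpoints(conn)}"]
        for uid in parents:
            tunnel = tunnels.get(uid)
            if tunnel is None:
                # The referenced record is not in the tunnel.log we were given.
                chain.append(f"<{uid} missing from tunnel.log>")
                continue
            referenced.add(uid)
            chain.append(f"{tunnel['tunnel_type']} {endpoints(tunnel)}")
        chains[conn["uid"]] = chain
    unlinked = [f"{t['tunnel_type']} {endpoints(t)}"
                for uid, t in tunnels.items() if uid not in referenced]
    return chains, unlinked


def unexpected_tunnels(tunnel_text, expected_types):
    """uids of DISCOVER records whose tunnel_type is not on the allow-list.

    expected_types is whatever encapsulation is normal for your network;
    anything else is the "worth investigating" case from the Conclusion.
    """
    return [t["uid"] for t in load_json_log(tunnel_text)
            if t["action"] == "Tunnel::DISCOVER"
            and t["tunnel_type"] not in expected_types]


if __name__ == "__main__":
    chains, unlinked = describe_encapsulation(CONN_LOG, TUNNEL_LOG)
    for uid, chain in chains.items():
        print(uid, " inside ".join(chain))
    for entry in unlinked:
        print("unlinked tunnel:", entry)
    print("unexpected:", unexpected_tunnels(TUNNEL_LOG, {"Tunnel::IP"}))
```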

dpd.log

Dynamic protocol detection (DPD) is a method by which Zeek identifies protocols on ports beyond those used as standard services. Rather than selecting which application protocol analyzer to use based on a connection’s server port, Zeek’s dynamic analyzer framework associates an analyzer tree with every connection. This analyzer tree permits Zeek to perform protocol analysis independently of port numbers.

By using a set of signatures which match typical protocol dialogues, Zeek is able to look at payload to find the correct analyzers. When such a signature matches, it turns on the corresponding analyzer to confirm it. Zeek can turn off analyzers when it becomes obvious that they are parsing the wrong protocol. This allows Zeek to use “loose” protocol signatures, and, if in doubt, try multiple analyzers in parallel.

Zeek’s dpd.log reports problems with the DPD mechanism. This document will provide examples of this reporting in action.

For full details on each field in the dpd.log file, please refer to DPD::Info.

One Specific Example

The following is an example of traffic that generated a dpd.log entry.

tcpdump and tshark

tcpdump reports the traffic as follows:

02:44:24.274569 IP 192.168.4.142.50540 > 184.168.176.1.443: Flags [S], seq 163388510, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
02:44:24.339007 IP 184.168.176.1.443 > 192.168.4.142.50540: Flags [S.], seq 3902980842, ack 163388511, win 14600, options [mss 1460,nop,wscale 8], length 0
02:44:24.340486 IP 192.168.4.142.50540 > 184.168.176.1.443: Flags [.], ack 1, win 513, length 0
02:44:24.340668 IP 192.168.4.142.50540 > 184.168.176.1.443: Flags [P.], seq 1:518, ack 1, win 513, length 517
02:44:24.407539 IP 184.168.176.1.443 > 192.168.4.142.50540: Flags [.], ack 518, win 62, length 0
02:44:24.410681 IP 184.168.176.1.443 > 192.168.4.142.50540: Flags [P.], seq 1:468, ack 518, win 62, length 467
02:44:24.411048 IP 184.168.176.1.443 > 192.168.4.142.50540: Flags [F.], seq 468, ack 518, win 62, length 0
02:44:24.412575 IP 192.168.4.142.50540 > 184.168.176.1.443: Flags [.], ack 469, win 511, length 0
02:44:24.412857 IP 192.168.4.142.50540 > 184.168.176.1.443: Flags [P.], seq 518:525, ack 469, win 511, length 7
02:44:24.412860 IP 192.168.4.142.50540 > 184.168.176.1.443: Flags [F.], seq 525, ack 469, win 511, length 0
02:44:24.477936 IP 184.168.176.1.443 > 192.168.4.142.50540: Flags [.], ack 526, win 62, length 0

On the face of it, there does not appear to be anything unusual about this traffic. It appears to be a brief session to TCP port 443.

tshark reports the traffic as follows:

 2 192.168.4.142 50540 184.168.176.1 443 TCP 66 50540 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
 4 184.168.176.1 443 192.168.4.142 50540 TCP 62 443 → 50540 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0 MSS=1460 WS=256
 6 192.168.4.142 50540 184.168.176.1 443 TCP 60 50540 → 443 [ACK] Seq=1 Ack=1 Win=131328 Len=0
 7 192.168.4.142 50540 184.168.176.1 443 TLSv1 571 Client Hello
 9 184.168.176.1 443 192.168.4.142 50540 TCP 60 443 → 50540 [ACK] Seq=1 Ack=518 Win=15872 Len=0
10 184.168.176.1 443 192.168.4.142 50540 HTTP 521 HTTP/1.1 400 Bad Request  (text/html)
11 184.168.176.1 443 192.168.4.142 50540 TCP 60 443 → 50540 [FIN, ACK] Seq=468 Ack=518 Win=15872 Len=0
13 192.168.4.142 50540 184.168.176.1 443 TCP 60 50540 → 443 [ACK] Seq=518 Ack=469 Win=130816 Len=0
14 192.168.4.142 50540 184.168.176.1 443 TCP 61 50540 → 443 [PSH, ACK] Seq=518 Ack=469 Win=130816 Len=7
15 192.168.4.142 50540 184.168.176.1 443 TCP 60 50540 → 443 [FIN, ACK] Seq=525 Ack=469 Win=130816 Len=0
24 184.168.176.1 443 192.168.4.142 50540 TCP 60 443 → 50540 [ACK] Seq=469 Ack=526 Win=15872 Len=0

tshark reveals something weird is happening here. Frame 10 shows that tshark decoded a plain-text HTTP message from port 443 TCP. This should not be happening. A second look shows that the TLS session did not appear to complete, as there is no response to the TLS client hello message.

Here is frame 10 in detail. I passed tshark the -x switch to provide a hex and ASCII output at the end.

Frame 10: 521 bytes on wire (4168 bits), 521 bytes captured (4168 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Dec 10, 2020 02:44:24.410681000 UTC
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1607568264.410681000 seconds
    [Time delta from previous captured frame: 0.003142000 seconds]
    [Time delta from previous displayed frame: 0.003142000 seconds]
    [Time since reference or first frame: 0.136113000 seconds]
    Frame Number: 10
    Frame Length: 521 bytes (4168 bits)
    Capture Length: 521 bytes (4168 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp:http:data-text-lines]
Ethernet II, Src: fc:ec:da:49:e0:10, Dst: 60:f2:62:3c:9c:68
    Destination: 60:f2:62:3c:9c:68
        Address: 60:f2:62:3c:9c:68
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: fc:ec:da:49:e0:10
        Address: fc:ec:da:49:e0:10
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 184.168.176.1, Dst: 192.168.4.142
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 507
    Identification: 0xcc4e (52302)
    Flags: 0x4000, Don't fragment
        0... .... .... .... = Reserved bit: Not set
        .1.. .... .... .... = Don't fragment: Set
        ..0. .... .... .... = More fragments: Not set
        ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 55
    Protocol: TCP (6)
    Header checksum: 0x47ce [validation disabled]
    [Header checksum status: Unverified]
    Source: 184.168.176.1
    Destination: 192.168.4.142
Transmission Control Protocol, Src Port: 443, Dst Port: 50540, Seq: 1, Ack: 518, Len: 467
    Source Port: 443
    Destination Port: 50540
    [Stream index: 1]
    [TCP Segment Len: 467]
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 468    (relative sequence number)]
    Acknowledgment number: 518    (relative ack number)
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ·······AP···]
    Window size value: 62
    [Calculated window size: 15872]
    [Window size scaling factor: 256]
    Checksum: 0xde95 [unverified]
    [Checksum Status: Unverified]
    Urgent pointer: 0
    [SEQ/ACK analysis]
        [iRTT: 0.065917000 seconds]
        [Bytes in flight: 467]
        [Bytes sent since last PSH flag: 467]
    [Timestamps]
        [Time since first frame in this TCP stream: 0.136112000 seconds]
        [Time since previous frame in this TCP stream: 0.003142000 seconds]
    TCP payload (467 bytes)
Hypertext Transfer Protocol
    [Expert Info (Warning/Security): Unencrypted HTTP protocol detected over encrypted port, could indicate a dangerous misconfiguration.]
        [Unencrypted HTTP protocol detected over encrypted port, could indicate a dangerous misconfiguration.]
        [Severity level: Warning]
        [Group: Security]
    HTTP/1.1 400 Bad Request\r\n
        [Expert Info (Chat/Sequence): HTTP/1.1 400 Bad Request\r\n]
            [HTTP/1.1 400 Bad Request\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Response Version: HTTP/1.1
        Status Code: 400
        [Status Code Description: Bad Request]
        Response Phrase: Bad Request
    Date: Thu, 10 Dec 2020 02:44:24 GMT\r\n
    Server: Apache\r\n
    Content-Length: 301\r\n
        [Content length: 301]
    Connection: close\r\n
    Content-Type: text/html; charset=iso-8859-1\r\n
    \r\n
    [HTTP response 1/1]
    File Data: 301 bytes
Line-based text data: text/html (10 lines)
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n
    <html><head>\n
    <title>400 Bad Request</title>\n
    </head><body>\n
    <h1>Bad Request</h1>\n
    <p>Your browser sent a request that this server could not understand.<br />\n
    </p>\n
    <hr>\n
    <address>Apache Server at virtualhost.184.168.176.1 Port 80</address>\n
    </body></html>\n

0000  60 f2 62 3c 9c 68 fc ec da 49 e0 10 08 00 45 00   `.b<.h...I....E.
0010  01 fb cc 4e 40 00 37 06 47 ce b8 a8 b0 01 c0 a8   ...N@.7.G.......
0020  04 8e 01 bb c5 6c e8 a2 c2 eb 09 bd 1e 64 50 18   .....l.......dP.
0030  00 3e de 95 00 00 48 54 54 50 2f 31 2e 31 20 34   .>....HTTP/1.1 4
0040  30 30 20 42 61 64 20 52 65 71 75 65 73 74 0d 0a   00 Bad Request..
0050  44 61 74 65 3a 20 54 68 75 2c 20 31 30 20 44 65   Date: Thu, 10 De
0060  63 20 32 30 32 30 20 30 32 3a 34 34 3a 32 34 20   c 2020 02:44:24
0070  47 4d 54 0d 0a 53 65 72 76 65 72 3a 20 41 70 61   GMT..Server: Apa
0080  63 68 65 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e   che..Content-Len
0090  67 74 68 3a 20 33 30 31 0d 0a 43 6f 6e 6e 65 63   gth: 301..Connec
00a0  74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 43 6f 6e   tion: close..Con
00b0  74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f   tent-Type: text/
00c0  68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73   html; charset=is
00d0  6f 2d 38 38 35 39 2d 31 0d 0a 0d 0a 3c 21 44 4f   o-8859-1....<!DO
00e0  43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49   CTYPE HTML PUBLI
00f0  43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20   C "-//IETF//DTD
0100  48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c   HTML 2.0//EN">.<
0110  68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74   html><head>.<tit
0120  6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65   le>400 Bad Reque
0130  73 74 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61   st</title>.</hea
0140  64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 42 61 64   d><body>.<h1>Bad
0150  20 52 65 71 75 65 73 74 3c 2f 68 31 3e 0a 3c 70    Request</h1>.<p
0160  3e 59 6f 75 72 20 62 72 6f 77 73 65 72 20 73 65   >Your browser se
0170  6e 74 20 61 20 72 65 71 75 65 73 74 20 74 68 61   nt a request tha
0180  74 20 74 68 69 73 20 73 65 72 76 65 72 20 63 6f   t this server co
0190  75 6c 64 20 6e 6f 74 20 75 6e 64 65 72 73 74 61   uld not understa
01a0  6e 64 2e 3c 62 72 20 2f 3e 0a 3c 2f 70 3e 0a 3c   nd.<br />.</p>.<
01b0  68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61   hr>.<address>Apa
01c0  63 68 65 20 53 65 72 76 65 72 20 61 74 20 76 69   che Server at vi
01d0  72 74 75 61 6c 68 6f 73 74 2e 31 38 34 2e 31 36   rtualhost.184.16
01e0  38 2e 31 37 36 2e 31 20 50 6f 72 74 20 38 30 3c   8.176.1 Port 80<
01f0  2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79   /address>.</body
0200  3e 3c 2f 68 74 6d 6c 3e 0a                        ></html>.

You can see the HTTP headers and page content in the payload of this frame. I bolded the hex and ASCII output for the HTT part of the HTTP header in the payload. tshark reports a warning as seen in the bolded output.

conn.log

Here is the conn.log that Zeek generated for this activity:

{
  "ts": 1607568264.274569,
  "uid": "C8blOJ21azairPrWf8",
  "id.orig_h": "192.168.4.142",
  "id.orig_p": 50540,
  "id.resp_h": "184.168.176.1",
  "id.resp_p": 443,
  "proto": "tcp",
  "duration": 0.1382908821105957,
  "orig_bytes": 524,
  "resp_bytes": 467,
  "conn_state": "SF",
  "missed_bytes": 0,
  "history": "ShADadfF",
  "orig_pkts": 6,
  "orig_ip_bytes": 776,
  "resp_pkts": 5,
  "resp_ip_bytes": 675
}

The conn.log entry is fairly normal.

ssl.log

Here is the ssl.log that Zeek generated for this activity:

{
  "ts": 1607568264.340668,
  "uid": "C8blOJ21azairPrWf8",
  "id.orig_h": "192.168.4.142",
  "id.orig_p": 50540,
  "id.resp_h": "184.168.176.1",
  "id.resp_p": 443,
  "server_name": "usafaikidonews.com",
  "resumed": false,
  "established": false
}

The ssl.log shows that a TLS encrypted session was not established.

dpd.log

Here is the dpd.log that Zeek generated for this activity:

{
  "ts": 1607568264.410681,
  "uid": "C8blOJ21azairPrWf8",
  "id.orig_h": "192.168.4.142",
  "id.orig_p": 50540,
  "id.resp_h": "184.168.176.1",
  "id.resp_p": 443,
  "proto": "tcp",
  "analyzer": "SSL",
  "failure_reason": "Invalid version late in TLS connection. Packet reported version: 21588"
}

Here we see that DPD and the SSL analyzer report an error in the TLS connection, as expected. The question is, to what does version: 21588 refer?

Decoding 21588

Let’s take a look at part of frame 9, which is the TLS client hello:

Secure Sockets Layer
    TLSv1 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 512
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 508
            Version: TLS 1.2 (0x0303)
...truncated...

0000  fc ec da 49 e0 10 60 f2 62 3c 9c 68 08 00 45 00   ...I..`.b<.h..E.
0010  02 2d 97 6c 40 00 80 06 33 7e c0 a8 04 8e b8 a8   .-.l@...3~......
0020  b0 01 c5 6c 01 bb 09 bd 1c 5f e8 a2 c2 eb 50 18   ...l....._....P.
0030  02 01 6e 33 00 00 16 03 01 02 00 01 00 01 fc 03   ..n3............
0040  03 97 16 82 4f e0 ff e3 3e 6f d8 33 28 9a 97 b8   ....O...>o.3(...
0050  1a f0 73 6b 12 98 af 25 e2 a5 bc 6c 2e aa b1 69   ..sk...%...l...i
0060  be 20 bf d4 27 c5 22 bf 0d 90 83 24 80 36 ad 11   . ..'."....$.6..
0070  17 8a 2d a2 a1 42 1d ef 6b 1f ef ce cf 9a e2 f5   ..-..B..k.......
0080  be 79 00 20 2a 2a 13 01 13 02 13 03 c0 2b c0 2f   .y. **.......+./
0090  c0 2c c0 30 cc a9 cc a8 c0 13 c0 14 00 9c 00 9d   .,.0............
00a0  00 2f 00 35 01 00 01 93 ca ca 00 00 00 00 00 17   ./.5............
00b0  00 15 00 00 12 75 73 61 66 61 69 6b 69 64 6f 6e   .....usafaikidon
00c0  65 77 73 2e 63 6f 6d 00 17 00 00 ff 01 00 01 00   ews.com.........

I’ve bolded a few points. The important ones are 0x160301. These are the values indicating a TLS handshake and TLS 1.0. This is apparently not an attempt at a TLS 1.0 connection, however, as the second bolded hex value of 0x0303 shows TLS 1.2 in play.

Now, compare this output with what appeared in the odd “HTTP” frame shown earlier:

0000  60 f2 62 3c 9c 68 fc ec da 49 e0 10 08 00 45 00   `.b<.h...I....E.
0010  01 fb cc 4e 40 00 37 06 47 ce b8 a8 b0 01 c0 a8   ...N@.7.G.......
0020  04 8e 01 bb c5 6c e8 a2 c2 eb 09 bd 1e 64 50 18   .....l.......dP.
0030  00 3e de 95 00 00 48 54 54 50 2f 31 2e 31 20 34   .>....HTTP/1.1 4
0040  30 30 20 42 61 64 20 52 65 71 75 65 73 74 0d 0a   00 Bad Request..

The 0x48 value is in the location where a TLS content type message would sit. In the previous frame, the value was 0x16, for a handshake. Here it is 0x48, which is ASCII letter H. Next we see 0x5454, which is ASCII letters T T. In decimal, the value for 0x5454 is 21588. In other words, where Zeek was looking to find a TLS version, it found decimal 21588. In the previous frame, the corresponding value was 0x0301 for TLSv1.0. That is why Zeek generated an error in its dpd.log with the message “Invalid version late in TLS connection. Packet reported version: 21588”.
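
The decoding just walked through by hand can be done programmatically: the following added example (not from the Zeek documentation or Zeek's own source) rebuilds the frame bytes from the two tshark -x dumps above, strips the Ethernet, IPv4 and TCP headers, and reads the five-byte TLS record header at the start of the payload, producing 0x0301 for the client hello and 21588 for the HTTP reply. The dumps are the first 64 bytes of each frame as shown on this page; VALID_RECORD_VERSIONS and the failure-reason text are this example's own simplification, not Zeek's actual analyzer logic.

```python
"""Read the TLS record header from a captured TCP segment and report the
version field the way it appears in dpd.log (as a decimal number).

Added example; not part of the Zeek documentation or of Zeek's source.
The hex dumps are the first four lines of the tshark -x output on this page.
"""
import struct

CLIENT_HELLO_DUMP = """\
0000  fc ec da 49 e0 10 60 f2 62 3c 9c 68 08 00 45 00   ...I..`.b<.h..E.
0010  02 2d 97 6c 40 00 80 06 33 7e c0 a8 04 8e b8 a8   .-.l@...3~......
0020  b0 01 c5 6c 01 bb 09 bd 1c 5f e8 a2 c2 eb 50 18   ...l....._....P.
0030  02 01 6e 33 00 00 16 03 01 02 00 01 00 01 fc 03   ..n3............
"""

HTTP_400_DUMP = """\
0000  60 f2 62 3c 9c 68 fc ec da 49 e0 10 08 00 45 00   `.b<.h...I....E.
0010  01 fb cc 4e 40 00 37 06 47 ce b8 a8 b0 01 c0 a8   ...N@.7.G.......
0020  04 8e 01 bb c5 6c e8 a2 c2 eb 09 bd 1e 64 50 18   .....l.......dP.
0030  00 3e de 95 00 00 48 54 54 50 2f 31 2e 31 20 34   .>....HTTP/1.1 4
"""

# Record-layer versions a TLS peer may legitimately send: SSL 3.0, TLS 1.0-1.3.
# This allow-list is the example's own simplification, not Zeek's rule set.
VALID_RECORD_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303, 0x0304}


def parse_tshark_hexdump(dump):
    """Turn tshark -x output back into raw frame bytes.

    Each line is '<offset>  <up to 16 hex bytes>   <ascii>'. The hex field sits
    in a fixed column range, so it is sliced rather than split: the ASCII
    column can itself contain tokens such as '00' that look like hex bytes.
    """
    raw = bytearray()
    for line in dump.splitlines():
        if line.strip():
            raw += bytes.fromhex(line[6:53])
    return bytes(raw)


def tcp_payload(frame):
    """Strip Ethernet II, IPv4 (honouring IHL) and TCP (honouring data offset)."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("example handles untagged IPv4 frames only")
    ip_off = 14
    ihl = (frame[ip_off] & 0x0F) * 4
    if frame[ip_off + 9] != 6:
        raise ValueError("not a TCP segment")
    tcp_off = ip_off + ihl
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return frame[tcp_off + data_off:]


def tls_record_header(payload):
    """Interpret the first five payload bytes as a TLS record header.

    content_type and version are what an SSL analyzer reads when it expects
    the next record to start here; version is the decimal seen in dpd.log.
    """
    content_type, version, length = struct.unpack("!BHH", payload[:5])
    return {
        "content_type": content_type,
        "version": version,
        "length": length,
        "version_ok": version in VALID_RECORD_VERSIONS,
        # The same three bytes read as text: "HTT" for the HTTP reply.
        "as_ascii": payload[:3].decode("ascii", errors="replace"),
    }


def dpd_failure_reason(payload):
    """Build a message in the shape of the page's dpd.log entry, or None.

    Zeek's own SSL analyzer applies more checks than this single version test.
    """
    hdr = tls_record_header(payload)
    if hdr["version_ok"]:
        return None
    return ("Invalid version late in TLS connection. "
            f"Packet reported version: {hdr['version']}")


if __name__ == "__main__":
    for label, dump in (("client hello", CLIENT_HELLO_DUMP),
                        ("HTTP 400 reply", HTTP_400_DUMP)):
        hdr = tls_record_header(tcp_payload(parse_tshark_hexdump(dump)))
        print(f"{label}: type=0x{hdr['content_type']:02x} "
              f"version=0x{hdr['version']:04x} ({hdr['version']}) "
              f"ascii={hdr['as_ascii']!r} ok={hdr['version_ok']}")
```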

Assorted Examples

The following represents a summary of some dpd.log entries, sorted by count, observed in my reference network.

$ find ./corelightswslogs/ -name "dpd*20**.gz" | while read -r file; do zcat -f "$file"; done | jq -c '[."proto", ."analyzer", ."failure_reason"]' | sort | uniq -c | sort -nr
 165341 ["tcp","HTTP","not a http reply line"]
    162 ["tcp","SSL","Invalid version late in TLS connection. Packet reported version: 0"]
    114 ["tcp","SSL","Invalid version late in TLS connection. Packet reported version: 21588"]
     36 ["tcp","SSL","Invalid version late in TLS connection. Packet reported version: 25344"]
     28 ["udp","NTP","Binpac exception: binpac exception: out_of_bound: Extension_Field:value: 3476019 > 52"]
     17 ["udp","SIP","Binpac exception: binpac exception: string mismatch at /bro/src/analyzer/protocol/sip/sip-protocol.pac:43: \nexpected pattern: \"SIP/\"\nactual data: \"\\x05\""]
      9 ["tcp","SSL","Invalid version late in TLS connection. Packet reported version: 8516"]
      8 ["udp","SIP","Binpac exception: binpac exception: string mismatch at /bro/src/analyzer/protocol/sip/sip-protocol.pac:43: \nexpected pattern: \"SIP/\"\nactual data: \"\\x01\""]
...edited...
      1 ["udp","SIP","Binpac exception: binpac exception: out_of_bound: SIP_Version:anonymous_field_009: 4 > 2"]
      1 ["udp","DTLS","Invalid version in DTLS connection. Packet reported version: 59228"]
      1 ["udp","DTLS","Invalid version in DTLS connection. Packet reported version: 52736"]
      1 ["udp","DTLS","Invalid version in DTLS connection. Packet reported version: 52480"]
      1 ["tcp","SSL","Invalid version late in TLS connection. Packet reported version: 5123"]
      1 ["tcp","SSL","Invalid version late in TLS connection. Packet reported version: 40499"]
      1 ["tcp","IRC","too many long lines"]

As you can see, Zeek saw problems with HTTP, SSL, NTP, Session Initiation Protocol (SIP), Datagram Transport Layer Security (DTLS), and IRC.

Conclusion

Zeek’s dpd.log may help analysts identify suspicious activity, depending on how it violates Zeek’s protocol parsers. In that sense, it is sort of a specialized version of Zeek’s weird.log. Periodic analysis of the entries may identify traffic worthy of additional investigation.

known_*.log and software.log

Zeek produces several logs that help summarize certain aspects of the network it monitors. These logs track a few aspects of the local network, such as SSL/TLS certificates, host IP addresses, services, and applications.

The sections which follow will present examples of entries in known_certs.log, known_hosts.log, known_services.log, and software.log files collected on live networks.

For full details on each field of those log files, see Known::CertsInfo, Known::HostsInfo, Known::ServicesInfo, and Software::Info.

known_certs.log

The known_certs.log captures information about SSL/TLS certificates seen on the local network. Here is one example:

{
  "ts": "2020-12-31T15:15:53.690221Z",
  "host": "192.168.4.1",
  "port_num": 443,
  "subject": "L=San Jose,ST=CA,O=Ubiquiti Networks,CN=UBNT Router UI,C=US",
  "issuer_subject": "L=San Jose,ST=CA,O=Ubiquiti Networks,CN=UBNT Router UI,C=US",
  "serial": "98D0AD47D748CDD6"
}

This example shows a device offering a TLS server on port 443 TCP, with a certificate associated with Ubiquiti Networks.

known_hosts.log

The known_hosts.log simply records a timestamp and an IP address when Zeek observes a new system on the local network.

{"ts":"2021-01-03T01:19:26.260073Z","host":"192.168.4.25"}
{"ts":"2021-01-03T01:19:27.353353Z","host":"192.168.4.29"}
{"ts":"2021-01-03T01:19:32.488179Z","host":"192.168.4.43"}
{"ts":"2021-01-03T01:19:58.792683Z","host":"192.168.4.142"}
...edited...
{"ts":"2021-01-03T12:17:22.496004Z","host":"192.168.4.115"}

This edited example shows how this log could be part of an IP address inventory program.

known_services.log

The known_services.log records a timestamp, IP, port number, protocol, and service (if available) when Zeek observes a system offering a new service on the local network. Here is what a single entry looks like:

{
  "ts": "2021-01-03T01:19:36.242774Z",
  "host": "192.168.4.1",
  "port_num": 53,
  "port_proto": "udp",
  "service": [
    "DNS"
  ]
}

For the following list, I used the jq utility to remove the timestamp but show the other log values.

["192.168.4.43",51472,"tcp",[]]
["192.168.4.1",443,"tcp",["SSL"]]
["192.168.4.1",80,"tcp",["HTTP"]]
["192.168.4.1",22,"tcp",["SSH"]]
["192.168.4.1",53,"tcp",["DNS"]]
["192.168.4.1",123,"udp",["NTP"]]
["192.168.4.50",49745,"tcp",[]]
["192.168.4.158",4500,"udp",[]]
["192.168.4.159",53032,"tcp",[]]
["192.168.4.142",36807,"udp",[]]
["192.168.4.1",53,"udp",["DNS"]]
["192.168.4.149",8080,"tcp",["HTTP"]]
["192.168.4.1",67,"udp",["DHCP"]]
["192.168.4.43",64744,"tcp",[]]
["192.168.4.43",52793,"tcp",[]]
["192.168.4.29",52827,"tcp",[]]
["192.168.4.43",64807,"tcp",[]]
["192.168.4.43",64752,"tcp",[]]
["192.168.4.149",3478,"udp",[]]

Note how many of the services do not have names associated with them.

software.log

Zeek’s software.log collects details on applications operated by the hosts it sees on the local network. The log captures information like the following:

{
  "ts": "2021-01-03T00:16:22.694616Z",
  "host": "192.168.4.25",
  "software_type": "HTTP::BROWSER",
  "name": "Windows-Update-Agent",
  "version.major": 10,
  "version.minor": 0,
  "version.minor2": 10011,
  "version.minor3": 16384,
  "version.addl": "Client",
  "unparsed_version": "Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.0"
}

It is amazing in 2021 that so many modern applications still use clear text protocols subject to collection and analysis by software like Zeek.

Services beyond HTTP may also reveal interesting details. Consider these three entries:

["192.168.4.1","SSH::SERVER","OpenSSH",6,6,1,null,"p1","OpenSSH_6.6.1p1 Debian-4~bpo70+1"]
["192.168.4.37","SSH::CLIENT","OpenSSH",6,6,1,null,"p1","OpenSSH_6.6.1p1 Debian-4~bpo70+1"]
["192.168.4.37","SSH::CLIENT","OpenSSH",7,6,null,null,"p1","OpenSSH_7.6p1"]

These examples show an SSH server and two different SSH clients.

Conclusion

Details recorded in known_certs.log, known_hosts.log, known_services.log, and software.log files can help network and security analysts better understand the nature of the activity in their environment. Some of this information relies on capturing clear text, while other aspects are based solely on the presence of the services and hosts on the network.

weird.log and notice.log

Zeek offers two logs for activities that seem out of the ordinary: weird.log and notice.log.

There’s a distinction between them:

  • weird.log collects the assorted cases where analyzers ran into trouble understanding the traffic in terms of their protocols; basically, whenever there’s something unexpected at the protocol level, that’s a weird (for lack of anything better to do with it). That means that “weirds” are also essentially hardcoded by whoever wrote that analyzer. They can also be generated by scripts, but that’s rarer.

  • notice.log, on the other hand, records situations explicitly detected and reported by Zeek scripts as inspection-worthy. These are usually not protocol errors, but something semantically higher (like a self-signed cert). Notices are part of the script-level analysis and can be raised by Zeek packages as well.

Weirds can often be ignored because of volume, but notices are much more interesting; they are the closest Zeek comes to IDS alerts.

For details on the fields, please refer to Weird::Info and Notice::Info.

weird.log

The best references on the contents of the weird.log appear in the briefings and writings by Fatema Bannat Wala, such as What Is Weird in Zeek, published 13 November 2019.

https://zeek.org/2019/11/13/what-is-weird-in-zeek/

She spoke on the topic in 2018:

https://www.youtube.com/watch?v=XeJcBBZjaVA

She spoke on the topic in 2020 as well:

https://www.youtube.com/watch?v=s4VSYwfHP0s

For example, the following is a count of individual weird.log entries over a 24 hour period on a home network:

553 ["window_recision",false]
129 ["unknown_protocol",false]
  1 ["truncated_IP",false]
  5 ["TCP_seq_underflow_or_misorder",false]
  4 ["TCP_ack_underflow_or_misorder",false]
  2 ["SYN_seq_jump",false]
  1 ["SYN_inside_connection",false]
  1 ["SYN_after_close",false]
128 ["non_ip_packet_in_ethernet",false]
 23 ["line_terminated_with_single_CR",false]
  1 ["DNS_RR_unknown_type",false]
  3 ["data_after_reset",false]
  1 ["bad_TCP_header_len",false]
 21 ["bad_HTTP_request",false]
  2 ["above_hole_data_without_any_acks",false]

We will look at one of these entries below.

notice.log

The notice.log does not have as much documentation as weird.log. For an example of notice.log entries over a 24 hour period from a home network, consider the following:

654 ["SSL::Invalid_Server_Cert","SSL certificate validation failed with (unable to get local issuer certificate)"]
 48 ["SSL::Invalid_Server_Cert","SSL certificate validation failed with (self signed certificate in certificate chain)"]
 13 ["SSL::Invalid_Server_Cert","SSL certificate validation failed with (self signed certificate)"]

We will look at one of these entries below.

Investigating a weird.log and notice.log Entry

Taking a look at two entries in the weird.log, we see they reference the same connection:

{
  "ts": "2021-01-04T04:59:21.582639Z",
  "uid": "CxdbSa2KGTlMl3PPB2",
  "id.orig_h": "192.168.4.129",
  "id.orig_p": 51020,
  "id.resp_h": "40.71.25.43",
  "id.resp_p": 8080,
  "name": "bad_HTTP_request",
  "notice": false,
  "peer": "so16-enp0s8-1"
}
{
  "ts": "2021-01-04T04:59:21.582639Z",
  "uid": "CxdbSa2KGTlMl3PPB2",
  "id.orig_h": "192.168.4.129",
  "id.orig_p": 51020,
  "id.resp_h": "40.71.25.43",
  "id.resp_p": 8080,
  "name": "line_terminated_with_single_CR",
  "notice": false,
  "peer": "so16-enp0s8-1"
}

We see a bad_HTTP_request and a line_terminated_with_single_CR. We happen to also have an entry for this connection in the notice.log:

{
  "ts": "2021-01-04T04:59:23.038713Z",
  "uid": "CxdbSa2KGTlMl3PPB2",
  "id.orig_h": "192.168.4.129",
  "id.orig_p": 51020,
  "id.resp_h": "40.71.25.43",
  "id.resp_p": 8080,
  "fuid": "FtEE2txjFBxLDbffi",
  "proto": "tcp",
  "note": "SSL::Invalid_Server_Cert",
  "msg": "SSL certificate validation failed with (unable to get local issuer certificate)",
  "sub": "CN=*.cloudapp.net,OU=Smart Controller Development,O=GTO Access Systems\\, LLC,DC=smartcontroller,DC=local",
  "src": "192.168.4.129",
  "dst": "40.71.25.43",
  "p": 8080,
  "peer_descr": "so16-enp0s8-1",
  "actions": [
    "Notice::ACTION_LOG"
  ],
  "suppress_for": 3600
}

We see an SSL::Invalid_Server_Cert message here.

This is truly an odd connection. It appears to involve an IoT device. There is no conn.log entry for the activity, which could indicate it is a long-running connection that did not terminate during the period for which we have logs.
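As an added example (not part of this documentation or of the Zeek distribution), the script below tunes both logs for the kinds of entries seen above: it silences the high-volume window_recision weird, promotes bad_HTTP_request to a notice, and uses a Notice::policy hook to treat the known IoT responder differently from any other certificate-validation failure. The responder address set is a constructed placeholder.

```zeek
##! Tune weird.log and notice.log handling (added example, not from the Zeek
##! distribution). Load it alongside the default scripts, e.g. from local.zeek.

@load base/frameworks/notice
@load base/frameworks/notice/weird
@load protocols/ssl/validate-certs

module TuneWeirdsAndNotices;

export {
    ## Responders whose certificate chains are known not to validate
    ## (constructed placeholder: the IoT controller's cloud endpoint above).
    const expected_cert_responders: set[addr] = { 40.71.25.43 } &redef;
}

# Weird::actions maps a weird name to what Zeek does with it; the "notice"
# field in weird.log records whether the weird was also raised as a notice.
redef Weird::actions += {
    # Pure volume on this network: keep it out of weird.log entirely.
    ["window_recision"] = Weird::ACTION_IGNORE,
    # Malformed HTTP is worth a notice, but only once per originating host.
    ["bad_HTTP_request"] = Weird::ACTION_NOTICE_PER_ORIG
};

# Notice::policy runs for every notice before its actions are applied.
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == SSL::Invalid_Server_Cert )
        {
        if ( n?$dst && n$dst in expected_cert_responders )
            {
            # Known case: keep the log entry, but suppress repeats for a day
            # instead of the default hour shown in suppress_for above.
            n$suppress_for = 1day;
            }
        else
            {
            # Unexpected validation failure: escalate beyond the log file.
            add n$actions[Notice::ACTION_EMAIL];
            }
        }
    }
```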

Conclusion

The weird.log and notice.log files can be used for more than just odd behavior, but that is one of their main uses in current Zeek implementations. Analysts can find activity that may reveal something suspicious, malicious, or simply software/devices operating oddly.

capture_loss.log and reporter.log

Zeek produces several logs that tell administrators how well Zeek is managing its analysis and reporting on network traffic.

The capture_loss.log reports Zeek’s analysis of missing traffic. Zeek bases its conclusions on analysis of TCP sequence numbers. When it detects a “gap,” it assumes that the missing traffic corresponds to traffic loss.

The reporter.log reports internal warnings and errors. Zeek generates these based on how it is handling traffic and computing requirements.

Details on the format of each log appear in CaptureLoss::Info and Reporter::Info.

capture_loss.log

The following is an example of entries in a capture_loss.log:

{
  "ts": "2021-01-04T00:04:24.688236Z",
  "ts_delta": 900.0000550746918,
  "peer": "so16-enp0s8-1",
  "gaps": 41,
  "acks": 9944,
  "percent_lost": 0.412308930008045
}
{
  "ts": "2021-01-04T00:19:24.688265Z",
  "ts_delta": 900.0000290870667,
  "peer": "so16-enp0s8-1",
  "gaps": 9,
  "acks": 8530,
  "percent_lost": 0.10550996483001172
}
{
  "ts": "2021-01-04T00:34:24.688449Z",
  "ts_delta": 900.0001838207245,
  "peer": "so16-enp0s8-1",
  "gaps": 0,
  "acks": 52019,
  "percent_lost": 0
}
{
  "ts": "2021-01-04T00:49:24.688552Z",
  "ts_delta": 900.0001029968262,
  "peer": "so16-enp0s8-1",
  "gaps": 0,
  "acks": 108863,
  "percent_lost": 0
}

In these logs, capture loss never exceeded 1%. For example, when Zeek reports 0.412308930008045, that means 0.4123% capture loss, not 41.23% capture loss. In other words, this sensor is doing well capturing the traffic on the link it monitors (a small amount of loss is tolerable).
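An added example (not from this documentation or the Zeek distribution) that acts on records like the ones above: it classifies each interval using the same percent-not-fraction reading, tracks consecutive lossy intervals per peer, and writes a warning to reporter.log through Reporter::warning. It assumes Zeek 4.0 or later, where the CaptureLoss stream exposes a Log::PolicyHook named log_policy; the threshold values are constructed.

```zeek
##! Flag sustained capture loss per sensor peer (added example, not from the
##! Zeek distribution). Assumes Zeek 4.0+ for CaptureLoss::log_policy.

@load misc/capture-loss

module WatchCaptureLoss;

export {
    ## Loss at or above this many percent makes an interval "lossy".
    ## percent_lost is a percentage: 0.4123 means 0.41%, not 41%.
    option lossy_percent: double = 1.0;

    ## Consecutive lossy intervals per peer before a warning is written.
    option run_limit: count = 3;
}

## Current run of consecutive lossy intervals, keyed by peer name.
global lossy_runs: table[string] of count &default=0;

## Classify one capture_loss.log record.
function is_lossy(rec: CaptureLoss::Info): bool
    {
    return rec$percent_lost >= lossy_percent;
    }

## Log policy hooks see every record before it is written. This handler only
## observes and never uses "break", so the record still reaches capture_loss.log.
hook CaptureLoss::log_policy(rec: CaptureLoss::Info, id: Log::ID, filter: Log::Filter)
    {
    if ( ! is_lossy(rec) )
        {
        lossy_runs[rec$peer] = 0;
        }
    else
        {
        lossy_runs[rec$peer] = lossy_runs[rec$peer] + 1;

        if ( lossy_runs[rec$peer] >= run_limit )
            {
            # Reporter::warning lands in reporter.log at level Reporter::WARNING.
            Reporter::warning(fmt("%s: capture loss >= %.2f%% for %d consecutive intervals (last %.4f%%, %d gaps in %d acks)",
                                  rec$peer, lossy_percent, lossy_runs[rec$peer],
                                  rec$percent_lost, rec$gaps, rec$acks));
            }
        }
    }
```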

reporter.log

The following are example entries in the reporter.log:

{
  "ts": "2021-01-04T01:15:02.622164Z",
  "level": "Reporter::INFO",
  "message": "received termination signal",
  "location": ""
}
{
  "ts": "2021-01-04T01:19:15.713689Z",
  "level": "Reporter::INFO",
  "message": "BPFConf filename set: /etc/nsm/so16-enp0s8/bpf-bro.conf (logger)",
  "location": "/opt/bro/share/zeek/securityonion/./bpfconf.zeek, line 81"
}
{
  "ts": "2021-01-04T01:19:22.786812Z",
  "level": "Reporter::INFO",
  "message": "BPFConf filename set: /etc/nsm/so16-enp0s8/bpf-bro.conf (proxy)",
  "location": "/opt/bro/share/zeek/securityonion/./bpfconf.zeek, line 81"
}

The first message refers to Zeek receiving a termination signal. The next two messages refer to Zeek setting a file for configuring Berkeley Packet Filters.

Conclusion

The capture_loss.log and reporter.log files are helpful when administrators need to understand how their Zeek deployment is performing. Keep an eye on the capture_loss.log to keep the performance within an acceptable level.

Introduction to Scripting

The Basics

Understanding Scripts

Zeek includes an event-driven scripting language that provides the primary means for an organization to extend and customize Zeek’s functionality. Virtually all of the output generated by Zeek is, in fact, generated by Zeek scripts. It’s almost easier to consider Zeek to be an entity behind the scenes processing connections and generating events, while Zeek’s scripting language is the medium through which we mere mortals can achieve communication. Zeek scripts effectively tell Zeek that, should there be an event of a type we define, it should hand us the information about the connection so we can perform some function on it. For example, the ssl.log file is generated by a Zeek script that walks the entire certificate chain and issues notifications if any of the steps along the certificate chain are invalid. This entire process is set up by telling Zeek that, should it see a server or client issue an SSL HELLO message, we want to know the information about that connection.

It’s often easiest to understand Zeek’s scripting language by looking at a complete script and breaking it down into its identifiable components. In this example, we’ll take a look at how Zeek checks the SHA1 hash of various files extracted from network traffic against the Team Cymru Malware Hash Registry. Part of the Team Cymru Malware Hash Registry includes the ability to do a host lookup on a domain with the format <MALWARE_HASH>.malware.hash.cymru.com where <MALWARE_HASH> is the SHA1 hash of a file. Team Cymru also populates the TXT record of their DNS responses with both a “first seen” timestamp and a numerical “detection rate”. The important aspect to understand is that Zeek is already generating hashes for files via the Files framework, but it is the script policy/frameworks/files/detect-MHR.zeek that is responsible for generating the appropriate DNS lookup, parsing the response, and generating a notice if appropriate.

detect-MHR.zeek
##! Detect file downloads that have hash values matching files in Team
##! Cymru's Malware Hash Registry (http://www.team-cymru.org/Services/MHR/).

@load base/frameworks/files
@load base/frameworks/notice
@load frameworks/files/hash-all-files

module TeamCymruMalwareHashRegistry;

export {
    redef enum Notice::Type += {
        ## The hash value of a file transferred over HTTP matched in the
        ## malware hash registry.
        Match
    };

    ## File types to attempt matching against the Malware Hash Registry.
    option match_file_types = /application\/x-dosexec/ |
                             /application\/vnd.ms-cab-compressed/ |
                             /application\/pdf/ |
                             /application\/x-shockwave-flash/ |
                             /application\/x-java-applet/ |
                             /application\/jar/ |
                             /video\/mp4/;

    ## The Match notice has a sub message with a URL where you can get more
    ## information about the file. The %s will be replaced with the SHA-1
    ## hash of the file.
    option match_sub_url = "https://www.virustotal.com/en/search/?query=%s";

    ## The malware hash registry runs each malware sample through several
    ## A/V engines.  Team Cymru returns a percentage to indicate how
    ## many A/V engines flagged the sample as malicious. This threshold
    ## allows you to require a minimum detection rate.
    option notice_threshold = 10;
}

function do_mhr_lookup(hash: string, fi: Notice::FileInfo)
    {
    local hash_domain = fmt("%s.malware.hash.cymru.com", hash);

    when ( local MHR_result = lookup_hostname_txt(hash_domain) )
        {
        # Data is returned as "<dateFirstDetected> <detectionRate>"
        local MHR_answer = split_string1(MHR_result, / /);

        if ( |MHR_answer| == 2 )
            {
            local mhr_detect_rate = to_count(MHR_answer[1]);

            if ( mhr_detect_rate >= notice_threshold )
                {
                local mhr_first_detected = double_to_time(to_double(MHR_answer[0]));
                local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected);
                local message = fmt("Malware Hash Registry Detection rate: %d%%  Last seen: %s", mhr_detect_rate, readable_first_detected);
                local virustotal_url = fmt(match_sub_url, hash);
                # We don't have the full fa_file record here in order to
                # avoid the "when" statement cloning it (expensive!).
                local n: Notice::Info = Notice::Info($note=Match, $msg=message, $sub=virustotal_url);
                Notice::populate_file_info2(fi, n);
                NOTICE(n);
                }
            }
        }
    }

event file_hash(f: fa_file, kind: string, hash: string)
    {
    if ( kind == "sha1" && f?$info && f$info?$mime_type &&
         match_file_types in f$info$mime_type )
        do_mhr_lookup(hash, Notice::create_file_info(f));
    }

Visually, there are three distinct sections of the script. First, there is a base level with no indentation where libraries are included in the script through @load and a namespace is defined with module. This is followed by an indented and formatted section explaining the custom variables being provided (export) as part of the script’s namespace. Finally there is a second indented and formatted section describing the instructions to take for a specific event (event file_hash). Don’t get discouraged if you don’t understand every section of the script; we’ll cover the basics of the script and much more in following sections.

detect-MHR.zeek
@load base/frameworks/files
@load base/frameworks/notice
@load frameworks/files/hash-all-files

The first part of the script consists of @load directives which process the __load__.zeek script in the respective directories being loaded. The @load directives are often considered good practice or even just good manners when writing Zeek scripts to make sure they can be used on their own. While it’s unlikely that in a full production deployment of Zeek these additional resources wouldn’t already be loaded, it’s not a bad habit to try to get into as you get more experienced with Zeek scripting. If you’re just starting out, this level of granularity might not be entirely necessary. The @load directives are ensuring the Files framework, the Notice framework and the script to hash all files has been loaded by Zeek.

detect-MHR.zeek
export {
    redef enum Notice::Type += {
        ## The hash value of a file transferred over HTTP matched in the
        ## malware hash registry.
        Match
    };

    ## File types to attempt matching against the Malware Hash Registry.
    option match_file_types = /application\/x-dosexec/ |
                             /application\/vnd.ms-cab-compressed/ |
                             /application\/pdf/ |
                             /application\/x-shockwave-flash/ |
                             /application\/x-java-applet/ |
                             /application\/jar/ |
                             /video\/mp4/;

    ## The Match notice has a sub message with a URL where you can get more
    ## information about the file. The %s will be replaced with the SHA-1
    ## hash of the file.
    option match_sub_url = "https://www.virustotal.com/en/search/?query=%s";

    ## The malware hash registry runs each malware sample through several
    ## A/V engines.  Team Cymru returns a percentage to indicate how
    ## many A/V engines flagged the sample as malicious. This threshold
    ## allows you to require a minimum detection rate.
    option notice_threshold = 10;
}

The export section redefines an enumerable constant that describes the type of notice we will generate with the Notice framework. Zeek allows for re-definable constants, which, at first, might seem counter-intuitive. We’ll get more in-depth with constants in a later chapter; for now, think of them as variables that can only be altered before Zeek starts running. Extending Notice::Type as shown allows the NOTICE function to generate notices with a $note field set to TeamCymruMalwareHashRegistry::Match. Notices allow Zeek to generate some kind of extra notification beyond its default log types. Oftentimes this extra notification comes in the form of an email generated and sent to a preconfigured address, but it can be altered depending on the needs of the deployment. The export section is finished off with the definition of a few constants that list the kinds of files we want to match against and the minimum detection-rate threshold in which we are interested.

Up until this point, the script has merely done some basic setup. With the next section, the script starts to define instructions to take in a given event.

detect-MHR.zeek
function do_mhr_lookup(hash: string, fi: Notice::FileInfo)
    {
    local hash_domain = fmt("%s.malware.hash.cymru.com", hash);

    when ( local MHR_result = lookup_hostname_txt(hash_domain) )
        {
        # Data is returned as "<dateFirstDetected> <detectionRate>"
        local MHR_answer = split_string1(MHR_result, / /);

        if ( |MHR_answer| == 2 )
            {
            local mhr_detect_rate = to_count(MHR_answer[1]);

            if ( mhr_detect_rate >= notice_threshold )
                {
                local mhr_first_detected = double_to_time(to_double(MHR_answer[0]));
                local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected);
                local message = fmt("Malware Hash Registry Detection rate: %d%%  Last seen: %s", mhr_detect_rate, readable_first_detected);
                local virustotal_url = fmt(match_sub_url, hash);
                # We don't have the full fa_file record here in order to
                # avoid the "when" statement cloning it (expensive!).
                local n: Notice::Info = Notice::Info($note=Match, $msg=message, $sub=virustotal_url);
                Notice::populate_file_info2(fi, n);
                NOTICE(n);
                }
            }
        }
    }

event file_hash(f: fa_file, kind: string, hash: string)
    {
    if ( kind == "sha1" && f?$info && f$info?$mime_type &&
         match_file_types in f$info$mime_type )
        do_mhr_lookup(hash, Notice::create_file_info(f));
    }

The workhorse of the script is contained in the event handler for file_hash. The file_hash event allows scripts to access the information associated with a file for which Zeek’s file analysis framework has generated a hash. The event handler is passed the file itself as f, the type of digest algorithm used as kind and the hash generated as hash.

In the file_hash event handler, there is an if statement that is used to check for the correct type of hash, in this case a SHA1 hash. It also checks for a MIME type we’ve defined as being of interest, as listed in the constant match_file_types. The comparison is made against the expression f$info$mime_type, which uses the $ dereference operator to access the value mime_type inside the variable f$info. If the entire expression evaluates to true, then a helper function is called to do the rest of the work. In that function, a local variable is defined to hold a string composed of the SHA1 hash concatenated with .malware.hash.cymru.com; this value will be the domain queried in the malware hash registry.

The rest of the script is contained within a when block. In short, a when block is used when Zeek needs to perform asynchronous actions, such as a DNS lookup, to ensure that performance isn’t affected. The when block performs a DNS TXT lookup and stores the result in the local variable MHR_result. Effectively, processing for this event continues, and upon receipt of the values returned by lookup_hostname_txt, the when block is executed. The when block splits the string returned into a portion for the date on which the malware was first detected and a portion for the detection rate, by splitting the text on a space and storing the values returned in a local table variable. In the do_mhr_lookup function, if the table returned by split_string1 has two entries, indicating a successful split, we store the detection date in mhr_first_detected and the rate in mhr_detect_rate using the appropriate conversion functions. From this point on, Zeek knows it has seen a file transmitted whose hash has been seen by the Team Cymru Malware Hash Registry; the rest of the script is dedicated to producing a notice.

The detection time is processed into a string representation and stored in readable_first_detected. The script then compares the detection rate against the notice_threshold that was defined earlier. If the detection rate is high enough, the script creates a concise description of the notice and stores it in the message variable. It also creates a possible URL to check the sample against virustotal.com’s database, and makes the call to NOTICE to hand the relevant information off to the Notice framework.

In approximately a few dozen lines of code, Zeek provides an amazing utility that would be incredibly difficult to implement and deploy with other products. In truth, claiming that Zeek does this in such a small number of lines is a misdirection; there is a truly massive number of things going on behind-the-scenes in Zeek, but it is the inclusion of the scripting language that gives analysts access to those underlying layers in a succinct and well defined manner.
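The following is an added example, not the distribution’s detect-MHR.zeek: the same lookup with two things a deployment usually wants, a per-hash cache so the same SHA1 is not queried on every re-download, and a timeout branch on the when block so a DNS answer that never arrives is recorded in reporter.log instead of being dropped silently. The module name, the reduced MIME type list, and the timeout and expiry values are constructed.

```zeek
##! Added example, not the distribution's detect-MHR.zeek: the same lookup
##! with a per-hash cache and a timeout branch on the "when" block.

@load base/frameworks/files
@load base/frameworks/notice
@load frameworks/files/hash-all-files

module MHRCached;

export {
    redef enum Notice::Type += {
        ## The file's SHA-1 matched the registry at or above the threshold.
        Match
    };

    ## Minimum detection rate (percent) required to raise a notice.
    option notice_threshold = 10;

    ## How long to wait for the TXT answer before giving up on it.
    option lookup_timeout = 5sec;

    ## MIME types worth querying (subset of the list above; constructed).
    option match_file_types = /application\/x-dosexec/ | /application\/pdf/;
}

## SHA-1s queried recently. Each file_hash event for the same content would
## otherwise trigger another DNS query; entries expire so a hash is eventually
## re-checked against a possibly changed detection rate.
global queried: set[string] &create_expire = 1hr;

function do_mhr_lookup(hash: string, fi: Notice::FileInfo)
    {
    local hash_domain = fmt("%s.malware.hash.cymru.com", hash);

    when ( local MHR_result = lookup_hostname_txt(hash_domain) )
        {
        # Answer format: "<unix time first seen> <detection rate>"
        local parts = split_string1(MHR_result, / /);

        if ( |parts| == 2 && to_count(parts[1]) >= notice_threshold )
            {
            local rate = to_count(parts[1]);
            local first_seen = strftime("%Y-%m-%d %H:%M:%S",
                                        double_to_time(to_double(parts[0])));
            local n: Notice::Info = Notice::Info($note=Match,
                                                 $msg=fmt("Malware Hash Registry detection rate: %d%%  First seen: %s",
                                                          rate, first_seen),
                                                 $sub=hash);
            Notice::populate_file_info2(fi, n);
            NOTICE(n);
            }
        }
    timeout lookup_timeout
        {
        # Without this branch a lost DNS reply would vanish silently;
        # this line lands in reporter.log instead.
        Reporter::warning(fmt("MHR lookup for %s timed out after %s", hash, lookup_timeout));
        }
    }

event file_hash(f: fa_file, kind: string, hash: string)
    {
    if ( kind == "sha1" && f?$info && f$info?$mime_type &&
         match_file_types in f$info$mime_type && hash !in queried )
        {
        add queried[hash];
        do_mhr_lookup(hash, Notice::create_file_info(f));
        }
    }
```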

The Event Queue and Event Handlers

Zeek’s scripting language is event driven which is a gear change from the majority of scripting languages with which most users will have previous experience. Scripting in Zeek depends on handling the events generated by Zeek as it processes network traffic, altering the state of data structures through those events, and making decisions on the information provided. This approach to scripting can often cause confusion to users who come to Zeek from a procedural or functional language, but once the initial shock wears off it becomes more clear with each exposure.

Zeek’s core acts to place events into an ordered “event queue”, allowing event handlers to process them on a first-come, first-served basis. In effect, this is Zeek’s core functionality, as without the scripts written to perform discrete actions on events, there would be little to no usable output. As such, a basic understanding of the event queue, the events being generated, and the way in which event handlers process those events is a basis for not only learning to write scripts for Zeek but for understanding Zeek itself.

Gaining familiarity with the specific events generated by Zeek is a big step towards building a mindset for working with Zeek scripts. The majority of events generated by Zeek are defined in the built-in-function (*.bif) files, which also act as the basis for online event documentation. These in-line comments are compiled into an online documentation system using Zeekygen. Whether starting a script from scratch or reading and maintaining someone else’s script, having the built-in event definitions available is an excellent resource to have on hand. For the 2.0 release the Zeek developers put significant effort into organization and documentation of every event. This effort resulted in built-in-function files organized such that each entry contains a descriptive event name, the arguments passed to the event, and a concise explanation of the event’s use.

## Generated for DNS requests. For requests with multiple queries, this event
## is raised once for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
##    transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## query: The queried name.
##
## qtype: The queried resource record type.
##
## qclass: The queried resource record class.
##
## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
##    dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
##    dns_rejected non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
##    dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_request%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%);

Above is a segment of the documentation for the event dns_request (and the preceding link points to the documentation generated out of that). It’s organized such that the documentation, commentary, and list of arguments precede the actual event definition used by Zeek. As Zeek detects DNS requests being issued by an originator, it issues this event and any number of scripts then have access to the data Zeek passes along with the event. In this example, Zeek passes not only the message, the query, query type and query class for the DNS request, but also a record used for the connection itself.

The Connection Record Data Type

Of all the events defined by Zeek, an overwhelmingly large number of them are passed the connection record data type, in effect, making it the backbone of many scripting solutions. The connection record itself, as we will see in a moment, is a mass of nested data types used to track state on a connection through its lifetime. Let’s walk through the process of selecting an appropriate event, generating some output to standard out and dissecting the connection record so as to get an overview of it. We will cover data types in more detail later.

While Zeek is capable of packet level processing, its strengths lay in the context of a connection between an originator and a responder.

Note

Zeek’s notions of originator and responder aim to capture the natural roles of connection endpoints given the protocol information observed. They differ from the packet-level concepts of source and destination, as well as from higher-level abstractions such as client and server.

Zeek’s protocol analyzers determine originator and responder when establishing connection state, with the sender of the initial packet usually becoming the originator and the recipient becoming the responder. However, analyzers may subsequently flip the roles if protocol semantics suggest it. For example, in the presence of packet loss the first observed packet in a DNS transaction may indicate that it is in fact the response to a missing query. Zeek’s DNS analyzer will flip the endpoint roles, making the sender of this packet the connection’s responder.

Zeek defines events for the primary parts of the connection life-cycle, such as the following:

Of the events listed, the event that will give us the best insight into the connection record data type will be connection_state_remove. As detailed in the in-line documentation, Zeek generates this event just before it decides to remove the connection from memory, effectively forgetting about it. Let’s take a look at a simple example script that will output the connection record for a single connection.

connection_record_01.zeek
@load base/protocols/conn

event connection_state_remove(c: connection)
    {
    print c;
    }

Again, we start with @load, this time importing the base/protocols/conn scripts which supply the tracking and logging of general information and state of connections. We handle the connection_state_remove event and simply print the contents of the argument passed to it. For this example we’re going to run Zeek in “bare mode” which loads only the minimum number of scripts to retain operability and leaves the burden of loading required scripts to the script being run. While bare mode is a low level functionality incorporated into Zeek, in this case, we’re going to use it to demonstrate how different features of Zeek add more and more layers of information about a connection. This will give us a chance to see the contents of the connection record without it being overly populated.

$ zeek -b -r http/get.trace connection_record_01.zeek
[id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.211484, service={

}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, conn=[ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=<uninitialized>, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>], extract_orig=F, extract_resp=F, thresholds=<uninitialized>]

As you can see from the output, the connection record is something of a jumble when printed on its own. Regularly taking a peek at a populated connection record helps to understand the relationship between its fields as well as allowing an opportunity to build a frame of reference for accessing data in a script.

Zeek makes extensive use of nested data structures to store state and information gleaned from the analysis of a connection as a complete unit. To break down this collection of information, you will have to make use of Zeek’s field delimiter $. For example, the originating host is referenced by c$id$orig_h which if given a narrative relates to orig_h which is a member of id which is a member of the data structure referred to as c that was passed into the event handler. Given that the responder port c$id$resp_p is 80/tcp, it’s likely that Zeek’s base HTTP scripts can further populate the connection record. Let’s load the base/protocols/http scripts and check the output of our script.

Zeek uses the dollar sign as its field delimiter and a direct correlation exists between the output of the connection record and the proper format of a dereferenced variable in scripts. In the output of the script above, groups of information are collected between brackets, which would correspond to the $-delimiter in a Zeek script.

connection_record_02.zeek
@load base/protocols/conn
@load base/protocols/http

event connection_state_remove(c: connection)
    {
    print c;
    }

$ zeek -b -r http/get.trace connection_record_02.zeek
[id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.211484, service={

}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, conn=[ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=<uninitialized>, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>], extract_orig=F, extract_resp=F, thresholds=<uninitialized>, http=[ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={

}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={

}, current_request=1, current_response=1, trans_depth=1]]

The addition of the base/protocols/http scripts populates the http=[] member of the connection record. While Zeek is doing a massive amount of work in the background, it is in what is commonly called “scriptland” that details are being refined and decisions being made. Were we to continue running in “bare mode” we could slowly keep adding infrastructure through @load statements. For example, were we to @load base/frameworks/logging, Zeek would generate a conn.log and http.log for us in the current working directory. As mentioned above, including the appropriate @load statements is not only good practice, but can also help to indicate which functionalities are being used in a script. Take a second to run the script without the -b flag and check the output when all of Zeek’s functionality is applied to the trace file.
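An added example (not from this documentation) that picks fields out of the nested record printed above using the $ delimiter. The point it adds is the guard: conn=[] and http=[] are optional members, and dereferencing c$http on a connection the HTTP analyzer never attached to is a runtime error, so each is checked with ?$ first. The describe function name is the example’s own.

```zeek
##! Added example (not from the page): summarize the nested connection record
##! with "$", guarding optional members with "?$" before using them.

@load base/protocols/conn
@load base/protocols/http

## Build a one-line summary from the record printed in full above.
function describe(c: connection): string
    {
    # c$id and c$history are always present: the 4-tuple inside id=[...]
    # and the history string.
    local s = fmt("%s:%s -> %s:%s history=%s",
                  c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p, c$history);

    # conn=[...] is added by base/protocols/conn; its conn_state is &optional.
    if ( c?$conn && c$conn?$conn_state )
        s = fmt("%s state=%s", s, c$conn$conn_state);

    # http=[...] exists only when the HTTP analyzer attached. Reading c$http
    # on a non-HTTP connection is a runtime error, hence the check.
    if ( c?$http )
        {
        local h = c$http;
        # Fields inside http=[...] may themselves be <uninitialized>.
        local method = h?$method ? h$method : "-";
        local host = h?$host ? h$host : "-";
        local uri = h?$uri ? h$uri : "-";
        local status = h?$status_code ? fmt("%d", h$status_code) : "-";
        s = fmt("%s http=%s %s%s -> %s", s, method, host, uri, status);
        }

    return s;
    }

event connection_state_remove(c: connection)
    {
    print describe(c);
    }
```

Run it the same way as the scripts above, with zeek -b -r http/get.trace; leaving out @load base/protocols/http makes the http branch simply not fire rather than fail.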

Data Types and Data Structures

Scope

Before embarking on an exploration of Zeek’s native data types and data structures, it’s important to have a good grasp of the different levels of scope available in Zeek and the appropriate times to use them within a script. The declarations of variables in Zeek come in two forms. Variables can be declared with or without a definition in the form SCOPE name: TYPE or SCOPE name = EXPRESSION respectively; each of which produces the same result if EXPRESSION evaluates to the same type as TYPE. The decision as to which type of declaration to use is likely to be dictated by personal preference and readability.

data_type_declaration.zeek
event zeek_init()
    {
    local a: int;
    a = 10;
    local b = 10;

    if ( a == b )
        print fmt("A: %d, B: %d", a, b);
    }

Global Variables

A global variable is used when the state of a variable needs to be tracked, not surprisingly, globally. While there are some caveats, when a script declares a variable using the global scope, that script is granting access to that variable from other scripts. However, when a script uses the module keyword to give the script a namespace, more care must be given to the declaration of globals to ensure the intended result. When a global is declared in a script with a namespace there are two possible outcomes. First, the variable is available only within the context of the namespace. In this scenario, other scripts within the same namespace will have access to the variable declared, while scripts using a different namespace or no namespace at all will not. Alternatively, if a global variable is declared within an export { ... } block, that variable is available to any other script through the naming convention <module name>::<variable name>, i.e. the variable needs to be “scoped” by the name of the module in which it was declared.

When the module keyword is used in a script, the variables declared are said to be in that module’s “namespace”. Whereas a global variable can be accessed by its name alone when it is not declared within a module, a global variable declared within a module must be exported and then accessed via <module name>::<variable name>.
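
To make the two outcomes concrete, here is an added example that is not part of the Zeek documentation; the module names Inventory and Report, the variable and function names, and the addresses are made up for illustration. Both modules are placed in one file, which Zeek permits, so the whole thing runs with zeek -b:

```zeek
# Added example (not from the Zeek documentation): exported versus
# non-exported globals across two made-up modules in a single file.

module Inventory;

export {
    # Reachable from any script as Inventory::known_hosts
    global known_hosts: set[addr] = { 10.0.0.1 };

    # Reachable from any script as Inventory::add_host
    global add_host: function(h: addr);
}

# Not exported: only code in "module Inventory" can refer to it.
global host_count: count = 0;

function add_host(h: addr)
    {
    add known_hosts[h];
    ++host_count;
    print fmt("Inventory now tracks %d host(s)", host_count);
    }

module Report;

event zeek_init()
    {
    # The exported names must be qualified with the module name here.
    Inventory::add_host(192.168.1.5);
    print fmt("known hosts: %s", Inventory::known_hosts);

    # Referencing Inventory::host_count from this module is a parse-time
    # error because that global was never exported.
    }
```

Running it with zeek -b prints the count from inside the Inventory module followed by the set printed from the Report module. Uncommenting a reference to Inventory::host_count in Report is the quickest way to see the error Zeek raises for a non-exported global.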

Constants

Zeek also makes use of constants, which are denoted by the const keyword. Unlike globals, constants can only be set or altered at parse time if the &redef attribute has been used. Afterwards (in runtime) the constants are unalterable. In most cases, re-definable constants are used in Zeek scripts as containers for configuration options. For example, the configuration option to log passwords decrypted from HTTP streams is stored in HTTP::default_capture_password as shown in the stripped down excerpt from base/protocols/http/main.zeek below.

http_main.zeek
module HTTP;

export {
    ## This setting changes if passwords used in Basic-Auth are captured or
    ## not.
    const default_capture_password = F &redef;
}

Because the constant was declared with the &redef attribute, if we needed to turn this option on globally, we could do so by adding the following line to our site/local.zeek file before firing up Zeek.

data_type_const_simple.zeek
@load base/protocols/http

redef HTTP::default_capture_password = T;

While the idea of a re-definable constant might be odd, the constraint that constants can only be altered at parse-time remains even with the &redef attribute. In the code snippet below, a table of strings indexed by ports is declared as a constant before two values are added to the table through redef statements. The table is then printed in a zeek_init event. Were we to try to alter the table in an event handler, Zeek would notify the user of an error and the script would fail.

data_type_const.zeek
const port_list: table[port] of string &redef;

redef port_list += { [6666/tcp] = "IRC" };
redef port_list += { [80/tcp] = "WWW" };

event zeek_init()
    {
    print port_list;
    }
$ zeek -b data_type_const.zeek
{
[80/tcp] = WWW,
[6666/tcp] = IRC
}

Local Variables

Whereas globals and constants are widely available in scriptland through various means, when a variable is defined with a local scope, its availability is restricted to the body of the event or function in which it was declared. Local variables tend to be used for values that are only needed within a specific scope; once the processing of a script passes beyond that scope, the variable is no longer used and is deleted. Zeek maintains names of locals separately from globally visible ones, an example of which is illustrated below.

data_type_local.zeek
function add_two(i: count): count
    {
    local added_two = i+2;
    print fmt("i + 2 = %d", added_two);
    return added_two;
    }

event zeek_init()
    {
    local test = add_two(10);
    }

The script executes the event handler zeek_init which in turn calls the function add_two(i: count) with an argument of 10. Once Zeek enters the add_two function, it provisions a locally scoped variable called added_two to hold the value of i+2, in this case, 12. The add_two function then prints the value of the added_two variable and returns its value to the zeek_init event handler. At this point, the variable added_two has fallen out of scope and no longer exists, while the value 12 is still in use and stored in the locally scoped variable test. When Zeek finishes processing the zeek_init function, the variable called test is no longer in scope and, since there exist no other references to the value 12, the value is also deleted.

Data Structures

It’s difficult to talk about Zeek’s data types in a practical manner without first covering the data structures available in Zeek. Some of the more interesting characteristics of data types are revealed when used inside of a data structure, but given that data structures are made up of data types, it devolves rather quickly into a “chicken-and-egg” problem. As such, we’ll introduce data types from a bird’s eye view before diving into data structures and from there a more complete exploration of data types.

The table below shows the atomic types used in Zeek, of which the first four should seem familiar if you have some scripting experience, while the remaining six are less common in other languages. It should come as no surprise that a scripting language for a Network Security Monitoring platform has a fairly robust set of network-centric data types and taking note of them here may well save you a late night of reinventing the wheel.

Data Type    Description
int          64 bit signed integer
count        64 bit unsigned integer
double       double precision floating point
bool         boolean (T/F)
addr         IP address, IPv4 and IPv6
port         transport layer port
subnet       CIDR subnet mask
time         absolute epoch time
interval     a time interval
pattern      regular expression

Sets

Sets in Zeek are used to store unique elements of the same data type. In essence, you can think of them as “a unique set of integers” or “a unique set of IP addresses”. While the declaration of a set may differ based on the data type being collected, the set will always contain unique elements and the elements in the set will always be of the same data type. Such requirements make the set data type perfect for information that is already naturally unique such as ports or IP addresses. The code snippet below shows both an explicit and implicit declaration of a locally scoped set.

data_struct_set_declaration.zeek
event zeek_init()
    {
    local ssl_ports: set[port];
    local non_ssl_ports = set( 23/tcp, 80/tcp, 143/tcp, 25/tcp );
    }

As you can see, sets are declared using the format SCOPE var_name: set[TYPE]. Adding and removing elements in a set is achieved using the add and delete statements. Once you have elements inserted into the set, it’s likely that you’ll need to either iterate over that set or test for membership within the set, both of which are covered by the in operator. In the case of iterating over a set, combining the for statement and the in operator will allow you to sequentially process each element of the set as seen below.

data_struct_set_declaration.zeek
    for ( i in ssl_ports )
        print fmt("SSL Port: %s", i);

    for ( i in non_ssl_ports )
        print fmt("Non-SSL Port: %s", i);

Here, the for statement loops over the contents of the set storing each element in the temporary variable i. With each iteration of the for loop, the next element is chosen. Since sets are not an ordered data type, you cannot guarantee the order of the elements as the for loop processes.

To test for membership in a set, the in operator can be combined with an if statement to return a true or false value. If the exact element in the condition is already in the set, the condition returns true and the body executes. The in operator can also be negated by the ! operator to create the inverse of the condition. While we could rewrite the corresponding line below as if ( !( 587/tcp in ssl_ports )), try to avoid this construct; instead, negate the in operator itself. While the functionality is the same, !in is more efficient as well as a more natural construct, which will aid the readability of your script.

data_struct_set_declaration.zeek
    # Check for SMTPS
    if ( 587/tcp !in ssl_ports )
        add ssl_ports[587/tcp];

You can see the full script and its output below.

data_struct_set_declaration.zeek
event zeek_init()
    {
    local ssl_ports: set[port];
    local non_ssl_ports = set( 23/tcp, 80/tcp, 143/tcp, 25/tcp );

    # SSH
    add ssl_ports[22/tcp];
    # HTTPS
    add ssl_ports[443/tcp];
    # IMAPS
    add ssl_ports[993/tcp];

    # Check for SMTPS
    if ( 587/tcp !in ssl_ports )
        add ssl_ports[587/tcp];

    for ( i in ssl_ports )
        print fmt("SSL Port: %s", i);

    for ( i in non_ssl_ports )
        print fmt("Non-SSL Port: %s", i);
    }
$ zeek data_struct_set_declaration.zeek
SSL Port: 22/tcp
SSL Port: 443/tcp
SSL Port: 587/tcp
SSL Port: 993/tcp
Non-SSL Port: 80/tcp
Non-SSL Port: 25/tcp
Non-SSL Port: 143/tcp
Non-SSL Port: 23/tcp

Tables

A table in Zeek is a mapping of a key to a value or yield. While the values don’t have to be unique, each key in the table must be unique to preserve a one-to-one mapping of keys to values.

data_struct_table_declaration.zeek
event zeek_init()
    {
    # Declaration of the table.
    local ssl_services: table[string] of port;

    # Initialize the table.
    ssl_services = table(["SSH"] = 22/tcp, ["HTTPS"] = 443/tcp);

    # Insert one key-yield pair into the table.
    ssl_services["IMAPS"] = 993/tcp;

    # Check if the key "SMTPS" is not in the table.
    if ( "SMTPS" !in ssl_services )
        ssl_services["SMTPS"] = 587/tcp;

    # Iterate over each key in the table.
    for ( k in ssl_services )
        print fmt("Service Name:  %s - Common Port: %s", k, ssl_services[k]);
    }
$ zeek data_struct_table_declaration.zeek
Service Name:  SSH - Common Port: 22/tcp
Service Name:  HTTPS - Common Port: 443/tcp
Service Name:  SMTPS - Common Port: 587/tcp
Service Name:  IMAPS - Common Port: 993/tcp

In this example, we’ve compiled a table of SSL-enabled services and their common ports. The explicit declaration and constructor for the table are on two different lines and lay out the data types of the keys (strings) and the data types of the yields (ports) and then fill in some sample key and yield pairs. You can also use a table accessor to insert one key-yield pair into the table. When using the in operator on a table, you are effectively working with the keys of the table. In the case of an if statement, the in operator will check for membership among the set of keys and return a true or false value. The example shows how to check if SMTPS is not in the set of keys for the ssl_services table and if the condition holds true, we add the key-yield pair to the table. Finally, the example shows how to use a for statement to iterate over each key currently in the table.

Simple examples aside, tables can become extremely complex as the keys and values for the table become more intricate. Tables can have keys comprised of multiple data types and even a series of elements called a “tuple”. The flexibility gained with the use of complex tables in Zeek implies a cost in complexity for the person writing the scripts but pays off in effectiveness given the power of Zeek as a network security platform.

data_struct_table_complex.zeek
event zeek_init()
    {
    local samurai_flicks: table[string, string, count, string] of string;

    samurai_flicks["Kihachi Okamoto", "Toho", 1968, "Tatsuya Nakadai"] = "Kiru";
    samurai_flicks["Hideo Gosha", "Fuji", 1969, "Tatsuya Nakadai"] = "Goyokin";
    samurai_flicks["Masaki Kobayashi", "Shochiku Eiga", 1962, "Tatsuya Nakadai"] = "Harakiri";
    samurai_flicks["Yoji Yamada", "Eisei Gekijo", 2002, "Hiroyuki Sanada"] = "Tasogare Seibei";

    for ( [d, s, y, a] in samurai_flicks )
        print fmt("%s was released in %d by %s studios, directed by %s and starring %s", samurai_flicks[d, s, y, a], y, s, d, a);
    }
$ zeek -b data_struct_table_complex.zeek
Harakiri was released in 1962 by Shochiku Eiga studios, directed by Masaki Kobayashi and starring Tatsuya Nakadai
Goyokin was released in 1969 by Fuji studios, directed by Hideo Gosha and starring Tatsuya Nakadai
Tasogare Seibei was released in 2002 by Eisei Gekijo studios, directed by Yoji Yamada and starring Hiroyuki Sanada
Kiru was released in 1968 by Toho studios, directed by Kihachi Okamoto and starring Tatsuya Nakadai

This script shows a sample table of strings indexed by two strings, a count, and a final string. With a tuple acting as an aggregate key, the order is important, as a change in order would result in a new key. Here, we’re using the table to track the director, studio, year of release, and lead actor in a series of samurai flicks. It’s important to note that in the case of the for statement, it’s an all-or-nothing kind of iteration. We cannot iterate over, say, the directors; we have to iterate with the exact format of the keys themselves. In this case, we need square brackets surrounding four temporary variables to act as a collection for our iteration. While this is a contrived example, we could easily have had keys containing IP addresses (addr), ports (port) and even a string calculated as the result of a reverse hostname lookup.
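
As an added example (not from the Zeek documentation) that combines the two structures introduced above, the following script keeps a table keyed by address whose yield is a set of ports, so that each host’s distinct destination ports are counted without duplicates. The hosts and ports are constructed values and the function name note_contact is made up:

```zeek
# Added example (not from the Zeek documentation): a table whose yield is a
# set, so the table maps each source address to the distinct ports it
# contacted. All addresses and ports below are constructed for illustration.

global ports_per_host: table[addr] of set[port];

function note_contact(src: addr, dst_port: port)
    {
    # A yield must exist before elements can be added to it; reading a
    # missing key would be a runtime error, so create the set on first sight.
    if ( src !in ports_per_host )
        ports_per_host[src] = set();

    # Sets keep a single copy, so repeated contacts do not inflate the count.
    add ports_per_host[src][dst_port];
    }

event zeek_init()
    {
    note_contact(10.0.0.5, 22/tcp);
    note_contact(10.0.0.5, 80/tcp);
    note_contact(10.0.0.5, 80/tcp);   # duplicate, absorbed by the set
    note_contact(10.0.0.9, 53/udp);

    for ( h in ports_per_host )
        {
        # |x| yields the number of elements in a set or table.
        print fmt("%s contacted %d distinct port(s)", h, |ports_per_host[h]|);
        for ( p in ports_per_host[h] )
            print fmt("  %s", p);
        }

    # delete removes a key (and its yield) once it is no longer needed.
    delete ports_per_host[10.0.0.9];
    print fmt("hosts still tracked: %d", |ports_per_host|);
    }
```

The explicit membership check before the add is deliberate: it avoids relying on a &default attribute on the table, which hands back a fresh default value rather than inserting one, so elements added to it would be lost. Because neither sets nor tables are ordered, the order of the printed hosts and ports may differ between runs.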

Vectors

If you’re coming to Zeek with a programming background, you may or may not be familiar with a vector data type depending on your language of choice. On the surface, vectors perform much of the same functionality as associative arrays with unsigned integers as their indices. They are however more efficient than that and they allow for ordered access. As such any time you need to sequentially store data of the same type, in Zeek you should reach for a vector. Vectors are a collection of objects, all of which are of the same data type, to which elements can be dynamically added or removed. Since Vectors use contiguous storage for their elements, the contents of a vector can be accessed through a zero-indexed numerical offset.

The format for the declaration of a Vector follows the pattern of other declarations, namely, SCOPE v: vector of T where v is the name of your vector, and T is the data type of its members. For example, the following snippet shows an explicit and implicit declaration of two locally scoped vectors. The script populates the first vector by appending values to its end with the += operator, then uses the vector name between two vertical pipes (|v1|) to get the vector’s current length before printing the contents of both vectors and their current lengths.

data_struct_vector_declaration.zeek
event zeek_init()
    {
    local v1: vector of count;
    local v2 = vector(1, 2, 3, 4);

    v1 += 1;
    v1 += 2;
    v1 += 3;
    v1 += 4;

    print fmt("contents of v1: %s", v1);
    print fmt("length of v1: %d", |v1|);
    print fmt("contents of v2: %s", v2);
    print fmt("length of v2: %d", |v2|);
    }
$ zeek data_struct_vector_declaration.zeek
contents of v1: [1, 2, 3, 4]
length of v1: 4
contents of v2: [1, 2, 3, 4]
length of v2: 4

In a lot of cases, storing elements in a vector is simply a precursor to then iterating over them. Iterating over a vector is easy with the for keyword. The sample below iterates over a vector of IP addresses and for each IP address, masks that address with 18 bits. The for keyword is used to generate a locally scoped variable called i which will hold the index of the current element in the vector. Using i as an index to addr_vector we can access the current item in the vector with addr_vector[i].

data_struct_vector_iter.zeek
event zeek_init()
    {
    local addr_vector: vector of addr = vector(1.2.3.4, 2.3.4.5, 3.4.5.6);

    for ( i in addr_vector )
        print mask_addr(addr_vector[i], 18);
    }
$ zeek -b data_struct_vector_iter.zeek
1.2.0.0/18
2.3.0.0/18
3.4.0.0/18

Data Types Revisited

addr

The addr, or address, data type manages to cover a surprisingly large amount of ground while remaining succinct. IPv4, IPv6 and even hostname constants are included in the addr data type. While IPv4 addresses use the default dotted quad formatting, IPv6 addresses use the RFC 2373 defined notation with the addition of square brackets wrapping the entire address. When you venture into hostname constants, Zeek performs a little sleight of hand for the benefit of the user; a hostname constant is, in fact, a set of addresses. Zeek will issue a DNS request when it sees a hostname constant in use and return a set whose elements are the answers to the DNS request. For example, if you were to use local google = www.google.com; you would end up with a locally scoped set[addr] with elements that represent the current set of round robin DNS entries for google. At first blush, this seems trivial, but it is yet another example of Zeek making the life of the common Zeek scripter a little easier through abstraction applied in a practical manner. (Note however that these IP addresses will never get updated during Zeek’s processing, so this mechanism is most useful for addresses that are expected to remain static.)

port

Transport layer port numbers in Zeek are represented in the format of <unsigned integer>/<protocol name>, e.g., 22/tcp or 53/udp. Zeek supports TCP(/tcp), UDP(/udp), ICMP(/icmp) and UNKNOWN(/unknown) as protocol designations. While ICMP doesn’t have an actual port, Zeek supports the concept of ICMP “ports” by using the ICMP message type and ICMP message code as the source and destination port respectively. Ports can be compared for equality using the == or != operators and can even be compared for ordering. Zeek gives the protocol designations the following “order”: unknown < tcp < udp < icmp. For example 65535/tcp is smaller than 0/udp.

subnet

Zeek has full support for CIDR notation subnets as a base data type. There is no need to manage the IP and the subnet mask as two separate entities when you can provide the same information in CIDR notation in your scripts. The following example uses a Zeek script to determine if a series of IP addresses are within a set of subnets using a 20 bit subnet mask.

data_type_subnets.zeek
event zeek_init()
    {
    local subnets = vector(172.16.0.0/20, 172.16.16.0/20, 172.16.32.0/20, [2001:db8:b120::]/64);
    local addresses = vector(172.16.4.56, 172.16.47.254, 172.16.1.1, [2001:db8:b120::1]);

    for ( a in addresses )
        {
        for ( s in subnets )
            {
            if ( addresses[a] in subnets[s] )
                print fmt("%s belongs to subnet %s", addresses[a], subnets[s]);
            }
        }
    }

Because this is a script that doesn’t use any kind of network analysis, we can handle the event zeek_init which is always generated by Zeek’s core upon startup. In the example script, two locally scoped vectors are created to hold our lists of subnets and IP addresses respectively. Then, using a set of nested for loops, we iterate over every subnet and every IP address and use an if statement to compare an IP address against a subnet using the in operator. The in operator returns true if the IP address falls within a given subnet based on the longest prefix match calculation. For example, 10.0.0.1 in 10.0.0.0/8 would return true while 192.168.2.1 in 192.168.1.0/24 would return false. When we run the script, we get the output listing the IP address and the subnet in which it belongs.

$ zeek data_type_subnets.zeek
172.16.4.56 belongs to subnet 172.16.0.0/20
172.16.47.254 belongs to subnet 172.16.32.0/20
172.16.22.45 belongs to subnet 172.16.16.0/20
172.16.1.1 belongs to subnet 172.16.0.0/20

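
The nested loop above can be avoided entirely: Zeek also accepts an addr on the left of in with a set[subnet] (or a table indexed by subnet) on the right, and the test succeeds if any subnet in the set contains the address. This is how Zeek’s own Site::is_local_addr() tests an address against Site::local_nets. The script below is an added example, not from the Zeek documentation; the monitored_nets constant, the is_monitored function and all address ranges are made up:

```zeek
# Added example (not from the Zeek documentation): testing an address against
# a whole set of subnets with one "in" operation. The ranges are made up.

# &redef lets a site override the ranges from local.zeek without editing this file.
const monitored_nets: set[subnet] = {
    10.0.0.0/8,
    172.16.0.0/12,
    [2001:db8::]/32
} &redef;

# True if any subnet in monitored_nets contains the address.
function is_monitored(a: addr): bool
    {
    return a in monitored_nets;
    }

event zeek_init()
    {
    local addresses = vector(10.20.30.40, 172.31.255.1, 192.0.2.7, [2001:db8:1::1]);

    for ( i in addresses )
        {
        local a = addresses[i];

        if ( is_monitored(a) )
            print fmt("%s is inside a monitored range", a);
        else
            print fmt("%s is outside all monitored ranges", a);
        }
    }
```

Because the lookup is a single prefix match rather than a loop over every subnet, this form is also the one to prefer when the set of networks is large, as it is in a typical Site::local_nets definition.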
time

While there is currently no supported way to add a time constant in Zeek, two built-in functions exist to make use of the time data type. Both network_time and current_time return a time data type, but they each return a time based on different criteria. The current_time function returns what is called the wall-clock time as defined by the operating system. However, network_time returns the timestamp of the last packet processed, be it from a live data stream or a saved packet capture. Both functions return the time in epoch seconds, meaning strftime must be used to turn the output into human readable form. The script below makes use of the connection_established event handler to generate text every time a SYN/ACK packet is seen responding to a SYN packet as part of a TCP handshake. The text generated is in the format of a timestamp and an indication of who the originator and responder were. We use the strftime format string %Y/%m/%d %H:%M:%S to produce a common date time formatted time stamp.

data_type_time.zeek
event connection_established(c: connection)
    {
    print fmt("%s:  New connection established from %s to %s\n", strftime("%Y/%m/%d %H:%M:%S", network_time()), c$id$orig_h, c$id$resp_h);
    }

When the script is executed we get an output showing the details of established connections.

$ zeek -r wikipedia.trace data_type_time.zeek
2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.118\x0a
2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.3\x0a
2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.3\x0a
2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.3\x0a
2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.3\x0a
2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.3\x0a
2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.3\x0a
2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.2\x0a
2011/06/18 19:03:09:  New connection established from 141.142.220.235 to 173.192.163.128\x0a

interval

The interval data type is another area in Zeek where rational application of abstraction makes perfect sense. As a data type, the interval represents a relative time as denoted by a numeric constant followed by a unit of time. For example, 2.2 seconds would be 2.2sec and thirty-one days would be represented by 31days. Zeek supports usec, msec, sec, min, hr, or day which represent microseconds, milliseconds, seconds, minutes, hours, and days respectively. In fact, the interval data type allows for a surprising amount of variation in its definitions. There can be a space between the numeric constant and the unit, or they can be crammed together like a temporal portmanteau. The time unit can be either singular or plural. All of this adds up to the fact that both 42hrs and 42 hr are perfectly valid and logically equivalent in Zeek. The point, however, is to increase the readability and thus maintainability of a script. Intervals can even be negated, allowing for - 10mins to represent “ten minutes ago”.

Intervals in Zeek can have mathematical operations performed against them allowing the user to perform addition, subtraction, multiplication, division, and comparison operations. As well, Zeek returns an interval when differencing two time values using the - operator. The script below amends the script started in the section above to include a time delta value printed along with the connection establishment report.

data_type_interval.zeek
# Store the time the previous connection was established.
global last_connection_time: time;

# boolean value to indicate whether we have seen a previous connection.
global connection_seen: bool = F;

event connection_established(c: connection)
    {
    local net_time: time = network_time();

    print fmt("%s:  New connection established from %s to %s", strftime("%Y/%m/%d %H:%M:%S", net_time), c$id$orig_h, c$id$resp_h);

    if ( connection_seen )
        print fmt("     Time since last connection: %s", net_time - last_connection_time);

    last_connection_time = net_time;
    connection_seen = T;
    }

When we re-execute the script we see an additional line in the output, displaying the time delta since the last fully established connection.

$ zeek -r wikipedia.trace data_type_interval.zeek
2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.118
2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.3
     Time since last connection: 132.0 msecs 97.0 usecs
2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.3
     Time since last connection: 177.0 usecs
2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.3
     Time since last connection: 2.0 msecs 177.0 usecs
2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.3
     Time since last connection: 33.0 msecs 898.0 usecs
2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.3
     Time since last connection: 35.0 usecs
2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.3
     Time since last connection: 2.0 msecs 532.0 usecs
2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.2
     Time since last connection: 7.0 msecs 866.0 usecs
2011/06/18 19:03:09:  New connection established from 141.142.220.235 to 173.192.163.128
     Time since last connection: 817.0 msecs 703.0 usecs

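
The arithmetic and comparison operations mentioned above are worth seeing together. The script below is an added example, not from the Zeek documentation; it uses the connection record’s duration and start_time fields and the connection_state_remove event, which Zeek raises when it is finished with a connection, while the long_conn_threshold constant and the report wording are made up:

```zeek
# Added example (not from the Zeek documentation): interval arithmetic and
# comparison, used to report connections that outlived a threshold.
# The threshold name and the report format are made up.

const long_conn_threshold: interval = 5 min &redef;

event connection_state_remove(c: connection)
    {
    # Intervals compare directly against each other.
    if ( c$duration <= long_conn_threshold )
        return;

    # time - time and interval - interval both yield an interval.
    local over_by: interval = c$duration - long_conn_threshold;

    # interval_to_double() gives seconds as a double for ratio arithmetic.
    local ratio: double = interval_to_double(c$duration) / interval_to_double(long_conn_threshold);

    print fmt("%s: %s -> %s lasted %s (%s over the threshold, %.1fx)",
              strftime("%Y/%m/%d %H:%M:%S", c$start_time),
              c$id$orig_h, c$id$resp_h, c$duration, over_by, ratio);
    }

event zeek_init()
    {
    # Intervals scale by a number and compare like numbers.
    print fmt("threshold x2: %s", long_conn_threshold * 2.0);
    print fmt("10 min > threshold? %s", 10 min > long_conn_threshold);
    print fmt("2 hr - 90 min = %s", 2 hr - 90 min);
    }
```

Run it against a trace with zeek -r to see the connection_state_remove output; the zeek_init lines print on their own. The threshold is declared with &redef so a deployment can raise or lower it from local.zeek, the same pattern the HTTP::default_capture_password example used earlier.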
Pattern

Zeek has support for fast text searching operations using regular expressions and even goes so far as to declare a native data type for the patterns used in regular expressions. A pattern constant is created by enclosing text within the forward slash characters. Zeek supports syntax very similar to the Flex lexical analyzer syntax. The most common use of patterns in Zeek you are likely to come across is embedded matching using the in operator. Embedded matching adheres to a strict format, requiring the regular expression or pattern constant to be on the left side of the in operator and the string against which it will be tested to be on the right.

data_type_pattern_01.zeek
event zeek_init()
    {
    local test_string = "The quick brown fox jumps over the lazy dog.";
    local test_pattern = /quick|lazy/;

    if ( test_pattern in test_string )
        {
        local results = split_string(test_string, test_pattern);
        print results[0];
        print results[1];
        print results[2];
        }
    }

In the sample above, two local variables are declared to hold our sample sentence and regular expression. Our regular expression in this case will return true if the string contains either the word quick or the word lazy. The if statement in the script uses embedded matching and the in operator to check for the existence of the pattern within the string. If the statement resolves to true, split_string is called to break the string into separate pieces. split_string takes a string and a pattern as its arguments and returns a vector of strings. Each element of the vector represents segments before and after any matches against the pattern but excluding the actual matches. In this case, our pattern matches twice resulting in a vector with three elements.

$ zeek data_type_pattern_01.zeek
The
 brown fox jumps over the
 dog.

Patterns can also be used to compare strings using equality and inequality operators through the == and != operators respectively. When used in this manner however, the string must match entirely to resolve to true. For example, the script below uses two ternary conditional statements to illustrate the use of the == operator with patterns. The output is altered based on the result of the comparison between the pattern and the string.

data_type_pattern_02.zeek
event zeek_init()
    {
    local test_string = "equality";

    local test_pattern = /equal/;
    print fmt("%s and %s %s equal", test_string, test_pattern, test_pattern == test_string ? "are" : "are not");

    test_pattern = /equality/;
    print fmt("%s and %s %s equal", test_string, test_pattern, test_pattern == test_string ? "are" : "are not");
    }
$ zeek data_type_pattern_02.zeek
equality and /^?(equal)$?/ are not equal
equality and /^?(equality)$?/ are equal

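
Beyond in, ==, and split_string, Zeek’s built-in functions find_all and gsub take a pattern as well, which is often what a script needs when it has to pull values out of a string or normalize one before using it as a key. The script below is an added example, not from the Zeek documentation; the sample log line and the pattern name ipv4_re are made up:

```zeek
# Added example (not from the Zeek documentation): a pattern constant used
# for embedded matching, extraction with find_all(), replacement with gsub()
# and whole-string comparison with ==. The input line is constructed.

# Loose IPv4 shape: four groups of one to three digits separated by dots.
const ipv4_re = /[0-9]{1,3}(\.[0-9]{1,3}){3}/;

event zeek_init()
    {
    local line = "client 10.1.2.3 contacted 203.0.113.9 and 203.0.113.9 again";

    # Embedded match: the pattern goes on the left, the string on the right.
    if ( ipv4_re in line )
        print "line contains at least one IPv4 address";

    # find_all() returns a set of the distinct substrings that matched,
    # so the repeated 203.0.113.9 appears only once.
    for ( ip in find_all(line, ipv4_re) )
        print fmt("found address: %s", ip);

    # gsub() replaces every match; useful for collapsing variable parts of a
    # message before grouping or counting similar lines.
    print gsub(line, ipv4_re, "<addr>");

    # == requires the whole string to match the pattern.
    print fmt("/[0-9]+/ == \"12345\": %s", /[0-9]+/ == "12345");
    print fmt("/[0-9]+/ == \"123a5\": %s", /[0-9]+/ == "123a5");
    }
```

The pattern is intentionally loose (it would also accept 999.999.999.999); if a script needs to be sure a matched token is a real address, convert it with to_addr and handle the failure rather than tightening the regular expression further.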
Record Data Type

With Zeek’s support for a wide array of data types and data structures, an obvious extension is to include the ability to create custom data types composed of atomic types and further data structures. To accomplish this, Zeek introduces the record type and the type keyword. Similar to how you would define a new data structure in C with the typedef and struct keywords, Zeek allows you to cobble together new data types to suit the needs of your situation.

When combined with the type keyword, record can generate a composite type. We have, in fact, already encountered a complex example of the record data type in the earlier sections, the connection record passed to many events. Another one, Conn::Info, which corresponds to the fields logged into conn.log, is shown by the excerpt below.

data_type_record.zeek
module Conn;

export {
    ## The record type which contains column fields of the connection log.
    type Info: record {
        ts:             time            &log;
        uid:            string          &log;
        id:             conn_id         &log;
        proto:          transport_proto &log;
        service:        string          &log &optional;
        duration:       interval        &log &optional;
        orig_bytes:     count           &log &optional;
        resp_bytes:     count           &log &optional;
        conn_state:     string          &log &optional;
        local_orig:     bool            &log &optional;
        local_resp:     bool            &log &optional;
        missed_bytes:   count           &log &default=0;
        history:        string          &log &optional;
        orig_pkts:      count           &log &optional;
        orig_ip_bytes:  count           &log &optional;
        resp_pkts:      count           &log &optional;
        resp_ip_bytes:  count           &log &optional;
        tunnel_parents: set[string]     &log;
    };
}

Looking at the structure of the definition, a new collection of data types is being defined as a type called Info. Since this type definition is within the confines of an export block, what is defined is, in fact, Conn::Info.

The formatting for a declaration of a record type in Zeek includes the descriptive name of the type being defined and the separate fields that make up the record. The individual fields that make up the new record are not limited in type or number as long as the name for each field is unique.

data_struct_record_01.zeek
type Service: record {
    name: string;
    ports: set[port];
    rfc: count;
};

function print_service(serv: Service)
    {
    print fmt("Service: %s(RFC%d)", serv$name, serv$rfc);

    for ( p in serv$ports )
        print fmt("  port: %s", p);
    }

event zeek_init()
    {
    local dns: Service = [$name="dns", $ports=set(53/udp, 53/tcp), $rfc=1035];
    local http: Service = [$name="http", $ports=set(80/tcp, 8080/tcp), $rfc=2616];

    print_service(dns);
    print_service(http);
    }
$ zeek data_struct_record_01.zeek
Service: dns(RFC1035)
  port: 53/udp
  port: 53/tcp
Service: http(RFC2616)
  port: 8080/tcp
  port: 80/tcp

The sample above shows a simple type definition that includes a string, a set of ports, and a count to define a service type. Also included is a function to print each field of a record in a formatted fashion and a zeek_init event handler to show some functionality of working with records. The definitions of the DNS and HTTP services are both done in-line using squared brackets before being passed to the print_service function. The print_service function makes use of the $ dereference operator to access the fields within the newly defined Service record type.

As you saw in the definition for the Conn::Info record, other records are even valid as fields within another record. We can extend the example above to include another record that contains a Service record.

data_struct_record_02.zeek
type Service: record {
    name: string;
    ports: set[port];
    rfc: count;
    };

type System: record {
    name: string;
    services: set[Service];
    };

function print_service(serv: Service)
    {
    print fmt("  Service: %s(RFC%d)", serv$name, serv$rfc);

    for ( p in serv$ports )
        print fmt("    port: %s", p);
    }

function print_system(sys: System)
    {
    print fmt("System: %s", sys$name);

    for ( s in sys$services )
        print_service(s);
    }

event zeek_init()
    {
    local server01: System;
    server01$name = "morlock";
    add server01$services[[$name="dns", $ports=set(53/udp, 53/tcp), $rfc=1035]];
    add server01$services[[$name="http", $ports=set(80/tcp, 8080/tcp), $rfc=2616]];
    print_system(server01);
    }
$ zeek data_struct_record_02.zeek
System: morlock
  Service: http(RFC2616)
    port: 8080/tcp
    port: 80/tcp
  Service: dns(RFC1035)
    port: 53/udp
    port: 53/tcp

The example above includes a second record type in which a previously defined record type, Service, is used as the element type of a set. Records can be nested within other records to any depth, their fields reachable through repeated chains of the $ dereference operator.

It’s also common to see a type used to simply alias a data structure to a more descriptive name. The example below shows an example of this from Zeek’s own type definitions file.

init-bare.zeek
type string_array: table[count] of string;
type string_set: set[string];
type addr_set: set[addr];

The three lines above alias a data structure type to a descriptive name. Functionally, the operations on them are identical to those on the underlying table or set; the benefit is that each name makes the purpose of the type instantly identifiable. This is another place in Zeek scripting where a little consideration leads to better readability of your code and thus easier maintainability in the future.

Custom Logging

Armed with a decent understanding of the data types and data structures in Zeek, exploring the various frameworks available is a much more rewarding effort. The framework with which most users are likely to have the most interaction is the Logging Framework. It is designed to abstract away most of the work of creating a file and appending ordered, structured data to it, and in doing so it uses some potentially unfamiliar nomenclature: Log Streams, Filters and Writers are simply abstractions of the stages a record passes through on its way to disk, which is what lets Zeek sustain a very high rate of log records. If you’ve seen Zeek deployed in an environment with a large number of connections, you know that logs are produced incredibly quickly; the ability to process that volume and write it to disk is due to the design of the Logging Framework.

Data is written to a Log Stream based on decisions made in Zeek’s scriptland. A Log Stream corresponds to a single log, defined by the set of named, typed fields that make up its records. That data can then be filtered, modified, or redirected with Logging Filters which, by default, log everything. Filters can be used to break log files into subsets or to duplicate the information to another output. The final output of the data is defined by the Writer. Zeek’s default writer produces tab-separated ASCII files; the same writer can emit JSON lines instead, and Zeek also ships an SQLite writer. While these new terms may give the impression that the Logging Framework is difficult to work with, the learning curve is not steep at all. The abstraction built into the Logging Framework means that the vast majority of scripts need not go past the basics. In effect, writing to a log file is as simple as defining the format of your data, telling Zeek that you wish to create a new log, and then calling Log::write to output log records.

The Logging Framework is an area in Zeek where, the more you see it used and the more you use it yourself, the more second nature the boilerplate parts of the code will become. As such, let’s work through a contrived example of simply logging the integers 1 through 10 and their corresponding factorials to the default ASCII log writer. It’s always best to work through the problem once, simulating the desired output with print and fmt, before diving into the Logging Framework.

framework_logging_factorial_01.zeek
module Factor;

function factorial(n: count): count
    {
    if ( n == 0 )
        return 1;
    else
        return ( n * factorial(n - 1) );
    }

event zeek_init()
    {
    local numbers: vector of count = vector(1, 2, 3, 4, 5, 6, 7, 8, 9, 10);

    for ( n in numbers )
        print fmt("%d", factorial(numbers[n]));
    }
$ zeek framework_logging_factorial_01.zeek
1
2
6
24
120
720
5040
40320
362880
3628800

This script defines a factorial function to recursively calculate the factorial of an unsigned integer passed as an argument to the function. Using print and fmt we can check that Zeek performs these calculations correctly, as well as get an idea of the answers ourselves.

The output of the script aligns with what we expect so now it’s time to integrate the Logging Framework.

framework_logging_factorial_02.zeek
module Factor;

export {
    # Append the value LOG to the Log::ID enumerable.
    redef enum Log::ID += { LOG };

    # Define a new type called Factor::Info.
    type Info: record {
        num:           count &log;
        factorial_num: count &log;
        };
    }

function factorial(n: count): count
    {
    if ( n == 0 )
        return 1;
    else
        return ( n * factorial(n - 1) );
    }

event zeek_init()
    {
    # Create the logging stream.
    Log::create_stream(LOG, [$columns=Info, $path="factor"]);
    }

event zeek_done()
    {
    local numbers: vector of count = vector(1, 2, 3, 4, 5, 6, 7, 8, 9, 10);
    for ( n in numbers )
        Log::write(Factor::LOG, [$num=numbers[n],
                                 $factorial_num=factorial(numbers[n])]);
    }

As mentioned above, we have to perform a few steps before we can call Log::write and produce a log file. As we are working within a namespace and informing the outside world of identifiers internal to that namespace, we use an export block. First we need to inform Zeek that we are going to be adding another Log Stream by adding a value to the Log::ID enumerable. In this script we append the value LOG to Log::ID; because this happens inside an export block of module Factor, the value actually appended is Factor::LOG. Next, we define the fields that make up the data of our logs and so dictate its format. This script defines a new record type called Info (actually, Factor::Info) with two fields, both unsigned integers. Each of the fields in the Factor::Info record type carries the &log attribute, indicating that the field should be passed to the Logging Framework when Log::write is called; record fields without the &log attribute are ignored by the Logging Framework. The final step is to create the logging stream with Log::create_stream, which takes a Log::ID and a Log::Stream record naming the column type as its arguments. In this example, we call Log::create_stream with Factor::LOG and $columns set to the Factor::Info record type. From here on out, every call to Log::write with the correct Log::ID and a properly formatted Factor::Info record generates a log entry.

Now, if we run this script, nothing is printed to stdout. Instead, the output is all in factor.log, properly formatted and organized.

$ zeek framework_logging_factorial_02.zeek
$ cat factor.log
#separator \x09
#set_separator    ,
#empty_field      (empty)
#unset_field      -
#path     factor
#open     2018-12-14-21-47-18
#fields   num     factorial_num
#types    count   count
1 1
2 2
3 6
4 24
5 120
6 720
7 5040
8 40320
9 362880
10        3628800
#close    2018-12-14-21-47-18

While the previous example is a simplistic one, it serves to demonstrate the small pieces of script code that need to be in place in order to generate logs. It is conventional to call Log::create_stream in zeek_init, while in a real script the call to Log::write would typically be made from a protocol event handler; in this contrived case we make it from zeek_done.

If you’ve already spent time with a deployment of Zeek, you’ve likely had the opportunity to view, search through, or manipulate the logs produced by the Logging Framework. The log output from a default installation of Zeek is substantial, to say the least; however, there are times when the Logging Framework’s default behaviour isn’t ideal for the situation. This can range from needing to log more or less data with each call to Log::write to the need to split log files based on arbitrary logic. In the latter case, Filters come into play. Filters grant a level of customization to Zeek’s scriptland, allowing the script writer to include or exclude fields in the log and even to alter the path of the file in which the logs are placed. Each stream, when created, is given a default filter called, not surprisingly, default. With the default filter in place, every field carrying the &log attribute is written to a single file. For the example we’ve been using, let’s extend it so as to write every factorial that is a multiple of 5 to one file, while writing the remaining entries to another.

framework_logging_factorial_03.zeek
module Factor;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        num:           count &log;
        factorial_num: count &log;
        };
    }

function factorial(n: count): count
    {
    if ( n == 0 )
        return 1;
    else
        return ( n * factorial(n - 1) );
    }

event zeek_done()
    {
    local numbers: vector of count = vector(1, 2, 3, 4, 5, 6, 7, 8, 9, 10);
    for ( n in numbers )
        Log::write(Factor::LOG, [$num=numbers[n],
                                 $factorial_num=factorial(numbers[n])]);
    }

function mod5(id: Log::ID, path: string, rec: Factor::Info): string
    {
    if ( rec$factorial_num % 5 == 0 )
        return "factor-mod5";
    else
        return "factor-non5";
    }

event zeek_init()
    {
    Log::create_stream(LOG, [$columns=Info, $path="factor"]);

    local filter: Log::Filter = [$name="split-mod5s", $path_func=mod5];
    Log::add_filter(Factor::LOG, filter);
    Log::remove_filter(Factor::LOG, "default");
    }

To dynamically alter the file in which a stream writes its logs, a filter can specify a function that returns a string to be used as the path (and thus the file name) for the current call to Log::write. This function must take as its parameters a Log::ID called id, a string called path and the appropriate record type for the stream, called rec. You can see that the definition of mod5 used in this example conforms to that requirement: it simply returns factor-mod5 if the factorial is evenly divisible by 5, and factor-non5 otherwise. In the zeek_init event handler, after creating the stream, we define a locally scoped Log::Filter and assign it a record that sets the name and path_func fields. We then call Log::add_filter to attach the filter to the Factor::LOG stream and Log::remove_filter to remove the default filter from that stream. Had we not removed the default filter, we’d have ended up with three log files: factor-mod5.log with the factorials that are multiples of 5, factor-non5.log with those that are not, and factor.log containing all of them.
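Besides $path_func, a filter can drop whole records with $pred and drop individual columns with $exclude (or keep only some with $include). The script below is an added example, not part of the Zeek documentation or the Zeek distribution: it attaches a second filter to the stock HTTP::LOG stream that copies every request whose User-Agent looks like a command-line tool into http-tools.log while omitting two columns, and leaves the default filter (and hence http.log) untouched. The module name, the regular expression and the output path are assumptions chosen for illustration.

```zeek
# Added example (not from the Zeek documentation): a $pred / $exclude filter
# on HTTP::LOG. Module name, pattern and path are illustrative assumptions.
@load base/protocols/http

module HttpTools;

export {
    ## User-Agent prefixes worth separating out; adjust to taste.
    option tool_agents = /^(curl|Wget|python-requests|Go-http-client)/;
}

# $pred receives the record that is about to be written and returns T to
# keep it. Optional fields may be unset, so test with ?$ before use.
function is_tool_request(rec: HTTP::Info): bool
    {
    if ( ! rec?$user_agent )
        return F;

    return tool_agents in rec$user_agent;
    }

event zeek_init()
    {
    local f: Log::Filter = [$name="http-tools",
                            $path="http-tools",
                            $pred=is_tool_request,
                            # Column names as they appear in the #fields header.
                            $exclude=set("tags", "resp_fuids")];

    # The default filter stays attached, so http.log is unchanged;
    # matching records are written to both http.log and http-tools.log.
    Log::add_filter(HTTP::LOG, f);
    }
```

Run it against a capture with zeek -r trace.pcap http-tools.zeek and compare the #fields lines of http.log and http-tools.log: the second lacks the two excluded columns, and only records for which is_tool_request returned T appear in it.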

$ zeek framework_logging_factorial_03.zeek
$ cat factor-mod5.log
#separator \x09
#set_separator    ,
#empty_field      (empty)
#unset_field      -
#path     factor-mod5
#open     2018-12-14-21-47-18
#fields   num     factorial_num
#types    count   count
5 120
6 720
7 5040
8 40320
9 362880
10        3628800
#close    2018-12-14-21-47-18

The ability of Zeek to generate easily customizable and extensible logs which remain easily parsable is a big part of the reason Zeek has gained a large measure of respect. In fact, it’s difficult at times to think of something that Zeek doesn’t log, and so it is often advantageous for analysts and systems architects to hook into the Logging Framework and perform custom actions on the data as it is sent to a stream. To that end, every default log stream in Zeek raises an event that can be handled by anyone wishing to act upon the records being sent to the stream. By convention these events are named log_x, where x is the name of the logging stream; the event raised for every record the HTTP analyzer sends to the Logging Framework is thus HTTP::log_http. Instead of using an external script to parse the http.log file and post-process each entry, this can be done in real time inside Zeek by defining a handler for the HTTP::log_http event.

Telling Zeek to raise an event for your own logging stream is as simple as declaring that event in the export block and then naming it in the call to Log::create_stream. Going back to our simple example of logging the factorial of an integer, we declare log_factor in the export block with a single parameter, the Factor::Info record, and then pass log_factor as the $ev field in the call to Log::create_stream.

framework_logging_factorial_04.zeek
module Factor;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        num:           count &log;
        factorial_num: count &log;
        };

    global log_factor: event(rec: Info);
    }

function factorial(n: count): count
    {
    if ( n == 0 )
        return 1;
    else
        return ( n * factorial(n - 1) );
    }

event zeek_init()
    {
    Log::create_stream(LOG, [$columns=Info, $ev=log_factor, $path="factor"]);
    }

event zeek_done()
    {
    local numbers: vector of count = vector(1, 2, 3, 4, 5, 6, 7, 8, 9, 10);
    for ( n in numbers )
        Log::write(Factor::LOG, [$num=numbers[n],
                                 $factorial_num=factorial(numbers[n])]);
    }

function mod5(id: Log::ID, path: string, rec: Factor::Info): string
    {
    if ( rec$factorial_num % 5 == 0 )
        return "factor-mod5";
    else
        return "factor-non5";
    }

event zeek_init()
    {
    local filter: Log::Filter = [$name="split-mod5s", $path_func=mod5];
    Log::add_filter(Factor::LOG, filter);
    Log::remove_filter(Factor::LOG, "default");
    }

Raising Notices

While Zeek’s Logging Framework provides an easy and systematic way to generate logs, there still exists a need to indicate when a specific behavior has been detected and a method to bring that detection to someone’s attention. To that end, the Notice Framework gives script writers a codified means through which they can raise a notice, as well as a system through which an operator can opt in to receive it. Zeek holds to the philosophy that it is up to the individual operator to indicate the behaviors in which they are interested; Zeek ships with a large number of policy scripts which detect behavior that may be of interest, but it does not presume to guess which behaviors are actionable. In effect, Zeek separates the act of detection from the responsibility of reporting. With the Notice Framework it’s simple to raise a notice for any behavior that is detected.

To raise a notice in Zeek, you only need to declare a new Notice::Type by exporting it and then call NOTICE with an appropriate Notice::Info record. Often the call to NOTICE includes just the Notice::Type and a concise message. There are, however, significantly more options available when raising notices, as seen in the definition of Notice::Info. The only field of Notice::Info whose attributes make it required is the note field. Still, good manners are always important: a concise message in $msg and, where one exists, the connection record in $conn, along with the Notice::Type, comprise the minimum information required for a notice to be considered useful. If $conn is supplied, the Notice Framework auto-populates the $id, $uid, $src, $dst and $p fields from it. Two other commonly included fields, $identifier and $suppress_for, drive the automated suppression feature of the Notice Framework, which we will cover shortly.

One of the default policy scripts raises a notice when an SSH login has been heuristically detected and the originating hostname is one that would raise suspicion. Effectively, the script attempts to define a list of hosts from which you would never want to see SSH traffic originating, like DNS servers, mail servers, etc. To accomplish this, the script adheres to the separation of detection and reporting by detecting a behavior and raising a notice. Whether or not that notice is acted upon is decided by the local Notice Policy, but the script attempts to supply as much information as possible while staying concise.

scripts/policy/protocols/ssh/interesting-hostnames.zeek
##! This script will generate a notice if an apparent SSH login originates
##! or heads to a host with a reverse hostname that looks suspicious.  By
##! default, the regular expression to match "interesting" hostnames includes
##! names that are typically used for infrastructure hosts like nameservers,
##! mail servers, web servers and ftp servers.

@load base/frameworks/notice

module SSH;

export {
    redef enum Notice::Type += {
        ## Generated if a login originates or responds with a host where
        ## the reverse hostname lookup resolves to a name matched by the
        ## :zeek:id:`SSH::interesting_hostnames` regular expression.
        Interesting_Hostname_Login,
    };

    ## Strange/bad host names to see successful SSH logins from or to.
    option interesting_hostnames =
            /^d?ns[0-9]*\./ |
            /^smtp[0-9]*\./ |
            /^mail[0-9]*\./ |
            /^pop[0-9]*\./  |
            /^imap[0-9]*\./ |
            /^www[0-9]*\./  |
            /^ftp[0-9]*\./;
}

function check_ssh_hostname(id: conn_id, uid: string, host: addr)
    {
    when ( local hostname = lookup_addr(host) )
        {
        if ( interesting_hostnames in hostname )
            {
            NOTICE([$note=Interesting_Hostname_Login,
                    $msg=fmt("Possible SSH login involving a %s %s with an interesting hostname.",
                             Site::is_local_addr(host) ? "local" : "remote",
                             host == id$orig_h ? "client" : "server"),
                    $sub=hostname, $id=id, $uid=uid]);
            }
        }
    }

event ssh_auth_successful(c: connection, auth_method_none: bool)
    {
    for ( host in set(c$id$orig_h, c$id$resp_h) )
        {
        check_ssh_hostname(c$id, c$uid, host);
        }
    }

While much of the script relates to the actual detection, the parts specific to the Notice Framework are quite interesting in themselves. The script’s export block adds the value SSH::Interesting_Hostname_Login to the enumerable constant Notice::Type to indicate to the Zeek core that a new type of notice is being defined. The script then calls NOTICE and sets the $note, $msg, $sub, $id, and $uid fields of the Notice::Info record. (More commonly, one would set $conn instead; this script avoids using the connection record inside the when-statement for performance reasons, since the when body captures its referenced locals and the connection record may be large.) Two conditional (ternary) expressions modify the $msg text depending on whether the host is a local address and whether it is the client or the server. This use of fmt and the ternary operator is a concise way to make the generated notices readable without branching if statements that each raise a separate notice.

The opt-in system for notices is managed by writing Notice::policy hooks. A Notice::policy hook takes as its argument the Notice::Info record holding the same information your script provided in its call to NOTICE. With access to the Notice::Info record for a specific notice you can include logic, such as in statements, in the body of your hook to alter how notices are handled on your system. In Zeek, hooks are akin to a mix of functions and event handlers: like functions, calls to them are synchronous (i.e., they run to completion and return); but like events, they can have multiple bodies which will all execute. For defining a notice policy, you define a hook and Zeek takes care of passing in the Notice::Info record. The simplest Notice::policy hooks just check the value of $note in the Notice::Info record and perform an action based on the answer. The hook below adds the Notice::ACTION_EMAIL action for the SSH::Interesting_Hostname_Login notice raised in the policy/protocols/ssh/interesting-hostnames.zeek script.

framework_notice_hook_01.zeek
@load policy/protocols/ssh/interesting-hostnames.zeek

hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == SSH::Interesting_Hostname_Login )
        add n$actions[Notice::ACTION_EMAIL];
    }

In the example above we’ve added Notice::ACTION_EMAIL to the n$actions set. This set, defined in the Notice Framework scripts, can only hold values of the Notice::Action type, an enumerable whose values are listed in the table below along with their meanings. The Notice::ACTION_LOG action, which the framework adds to every notice before your hooks run, writes the notice to the Notice::LOG logging stream which, in the default configuration, writes each notice to notice.log and takes no further action. The Notice::ACTION_EMAIL action sends an email to the address or addresses defined in the Notice::mail_dest variable with the particulars of the notice as the body. The last action, Notice::ACTION_ALARM, sends the notice to the Notice::ALARM_LOG logging stream, which is rotated hourly with its contents emailed in readable ASCII to the addresses in Notice::mail_dest.
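A hook can consult any field of the Notice::Info record, not just $note. The script below is an added example, not from the Zeek documentation or distribution: it escalates SSH::Interesting_Hostname_Login to email and alarm only when the SSH client address is not local, leaving logins that originate inside the monitored networks at the default ACTION_LOG. It assumes Site::local_nets has been populated (for instance in local.zeek); with the default empty value every address counts as remote, so every such notice would be escalated.

```zeek
# Added example (not from the Zeek documentation): a Notice::policy hook that
# escalates one notice type only for non-local SSH clients. Assumes
# Site::local_nets is configured for the deployment.
@load base/frameworks/notice
@load base/utils/site
@load policy/protocols/ssh/interesting-hostnames.zeek

hook Notice::policy(n: Notice::Info)
    {
    if ( n$note != SSH::Interesting_Hostname_Login )
        return;

    # The framework fills $src from $id (the SSH client) before the policy
    # hooks run, but it stays unset for notices raised without $conn or $id,
    # so check before dereferencing.
    if ( ! n?$src )
        return;

    # Internal-to-internal admin logins are expected; keep them at ACTION_LOG.
    if ( Site::is_local_addr(n$src) )
        return;

    add n$actions[Notice::ACTION_EMAIL];
    add n$actions[Notice::ACTION_ALARM];
    }
```

Because every Notice::policy body runs for every notice, the early return on $note keeps the cost of this hook negligible for the notice types it does not care about.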

Notice::ACTION_NONE    Take no action.
Notice::ACTION_LOG     Send the notice to the Notice::LOG logging stream.
Notice::ACTION_EMAIL   Send an email with the notice in the body.
Notice::ACTION_ALARM   Send the notice to the Notice::ALARM_LOG logging stream.

While actions like Notice::ACTION_EMAIL have appeal for quick alerts and response, a caveat of their use is to make sure the notices configured with this action also have a suppression. Suppression is a mechanism by which repeats of a notice are ignored for a period after it is first raised, provided the author of the script has set an identifier. An identifier is a string, built from details of the observed behavior (typically elements of the connection), that uniquely names the thing being reported so that subsequent notices about the same thing can be recognised as repeats.

scripts/policy/protocols/ssl/expiring-certs.zeek
NOTICE([$note=Certificate_Expires_Soon,
        $msg=fmt("Certificate %s is going to expire at %T", cert$subject, cert$not_valid_after),
        $conn=c, $suppress_for=1day,
        $identifier=cat(c$id$resp_h, c$id$resp_p, hash),
        $fuid=fuid]);

The policy/protocols/ssl/expiring-certs.zeek script identifies SSL certificates that are about to expire and raises a notice when the remaining lifetime crosses a predefined threshold. The call to NOTICE above sets $identifier by concatenating the responder IP, the responder port, and the hash of the certificate. That combination makes a good identifier because it names exactly one certificate on one service, which is what the suppression should match on. Were we to leave out any of those components, for example the certificate hash, we would be setting our suppression too broadly and an analyst could miss a notice that should have been raised (a renewed certificate on the same host and port would be silenced by the suppression for the old one). Depending on the data available for the identifier, it is also useful to set $suppress_for. The expiring-certs.zeek script sets $suppress_for to 1day, telling the Notice Framework to suppress further notices with the same type and identifier for 24 hours after the first is raised. Once that time has passed, another notice can be raised, which again starts a 1day suppression. Suppressing for a specific amount of time has benefits beyond simply not filling up an analyst’s email inbox; keeping notices timely and succinct helps avoid the case where an analyst, through over-exposure, starts to ignore them.
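Putting the pieces above together, the script below is an added example, not from the Zeek documentation or distribution, of a complete custom notice: it declares a new Notice::Type, raises it from the ssh_auth_successful event whenever an SSH login succeeds from a client outside an allow-list of administrative networks, and sets $identifier and $suppress_for so that repeated logins from the same client to the same server produce one notice per hour rather than one per session. The module name, the network list and the interval are assumptions chosen for illustration.

```zeek
# Added example (not from the Zeek documentation): a custom notice with
# suppression. Module name, admin_nets and repeat_interval are assumptions.
@load base/frameworks/notice
@load base/protocols/ssh

module AdminSSH;

export {
    redef enum Notice::Type += {
        ## A successful SSH login from a client outside the admin networks.
        Login_From_Unexpected_Network,
    };

    ## Networks from which SSH logins are expected (assumed values).
    option admin_nets: set[subnet] = { 10.0.0.0/8, 192.168.0.0/16 };

    ## How long to suppress repeats for the same client/server pair.
    option repeat_interval = 1hr;
}

event ssh_auth_successful(c: connection, auth_method_none: bool)
    {
    # Membership of an addr in a set[subnet] is a longest-prefix lookup.
    if ( c$id$orig_h in admin_nets )
        return;

    NOTICE([$note=Login_From_Unexpected_Network,
            $msg=fmt("SSH login to %s from %s, outside the admin networks",
                     c$id$resp_h, c$id$orig_h),
            # $conn lets the framework fill in $id, $uid, $src, $dst and $p.
            $conn=c,
            # Client and server together name the thing being reported; the
            # port is left out so a client hopping source ports is still one
            # identifier.
            $identifier=cat(c$id$orig_h, c$id$resp_h),
            $suppress_for=repeat_interval]);
    }
```

Operators can then adjust the behaviour without touching the script: a Notice::policy hook can change n$suppress_for, and the Notice Policy shortcuts covered below can put AdminSSH::Login_From_Unexpected_Network into Notice::emailed_types or Notice::type_suppression_intervals.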

The $suppress_for value can also be altered in a Notice::policy hook, allowing a deployment to better suit the environment in which it is run. Using the example of expiring-certs.zeek, we can write a Notice::policy hook for SSL::Certificate_Expires_Soon that sets $suppress_for to a shorter time.

framework_notice_hook_suppression_01.zeek
@load policy/protocols/ssl/expiring-certs.zeek

hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == SSL::Certificate_Expires_Soon )
        n$suppress_for = 12hrs;
    }

While Notice::policy hooks allow you to build custom predicate-based policies for a deployment, there are bound to be times when you don’t need the full expressiveness a hook allows. In short, there will be notice policy decisions that can be made on the Notice::Type alone. To facilitate these, the Notice Framework supports Notice Policy shortcuts: a group of data structures that map predefined actions or details to a Notice::Type. Implemented as sets or tables keyed by Notice::Type, Notice Policy shortcuts can be placed as single redef directives in your local.zeek file as a concise, readable configuration. As these variables are redefinable constants, it bears mentioning that they are set at parse time, before Zeek is fully up and running, and cannot be changed dynamically.

Name                                 Description                                          Data Type
Notice::ignored_types                Ignore the Notice::Type entirely                     set[Notice::Type]
Notice::emailed_types                Add Notice::ACTION_EMAIL for this Notice::Type       set[Notice::Type]
Notice::alarmed_types                Add Notice::ACTION_ALARM for this Notice::Type       set[Notice::Type]
Notice::not_suppressed_types         Remove suppression from this Notice::Type            set[Notice::Type]
Notice::type_suppression_intervals   Alter the $suppress_for value for this Notice::Type  table[Notice::Type] of interval

The table above details the five Notice Policy shortcuts, their meaning and the data type used to implement them. With the exception of Notice::type_suppression_intervals, a set holds the Notice::Type values to which a shortcut should be applied. The first three shortcuts are fairly self-explanatory, applying an action to the Notice::Type elements in the set, while the latter two alter the suppression applied to the notice. The shortcut Notice::not_suppressed_types removes the configured suppression from a notice type, while Notice::type_suppression_intervals overrides the suppression interval that the call to NOTICE set in $suppress_for.

framework_notice_shortcuts_01.zeek
@load policy/protocols/ssh/interesting-hostnames.zeek
@load base/protocols/ssh/

redef Notice::emailed_types += {
    SSH::Interesting_Hostname_Login
};

The Notice Policy shortcut above adds the Notice::Type of SSH::Interesting_Hostname_Login to the Notice::emailed_types set while the shortcut below alters the length of time for which those notices will be suppressed.

framework_notice_shortcuts_02.zeek
@load policy/protocols/ssh/interesting-hostnames.zeek
@load base/protocols/ssh/

redef Notice::type_suppression_intervals += {
    [SSH::Interesting_Hostname_Login] = 1day,
};

Finding Potential Usage Errors

Usage errors concern variables used-but-not-guaranteed-set or set-but-not-ever-used. Zeek generates reports for these if you specify the -u flag. It exits after producing the report, so if it simply exits with no output, then it did not find any usage errors.

Variables reported as “used without definition” have a code path on which their value could be accessed before it has been initialized. If upon inspection you determine that there is no actual hazard, you can mark the definition with an &is_assigned attribute to assure the optimizer that the value will be set.

Variables reported as “assignment unused” have a value assigned to them that is meaningless since prior to any use of that value, another value is assigned to the same variable. Such assignments are worth inspecting as they sometimes reflect logic errors. You can suppress the report by adding an &is_used attribute to the original definition. If the determination is indeed incorrect, that represents a bug in Zeek’s analysis, so something to report via the Issue Tracker.

Frameworks

Zeek includes several software frameworks that provide commonly used functionality to the scripting layer. Among other things, these frameworks enhance Zeek’s ability to ingest data, structure and filter its outputs, adapt settings at runtime, and interact with other components in your network. Most frameworks include functionality implemented in Zeek’s core, with corresponding data structures and APIs exposed to the script layer.

Some frameworks target relatively specific use cases, while others run in nearly every Zeek installation. The logging framework, for example, provides the machinery behind all of the Zeek logs covered earlier. Frameworks also build on each other, so it’s well worth knowing their capabilities. The next sections cover them in detail.

Broker Communication Framework

Zeek uses the Broker library to exchange information with other Zeek processes. Broker itself uses CAF (C++ Actor Framework) internally for connecting nodes and exchanging arbitrary data over networks. On top of CAF, Broker provides a topic-based publish/subscribe communication pattern using a data model that is compatible with Zeek’s. Broker can be used outside the context of Zeek; Zeek itself makes use of only a few predefined Broker message formats that represent Zeek events, log entries, etc.

In summary, Zeek’s Broker framework provides basic facilities for connecting Broker-enabled peers (e.g. Zeek instances) to each other and exchanging messages (e.g. events and logs).

Cluster Layout / API

Layout / Topology
  • Each worker node connects to all proxies.

  • All node types connect to all logger nodes and the manager node.

_images/cluster-layout.png

Some general suggestions as to the purpose/utilization of each node type:

  • Workers: are a good first choice for doing the brunt of any work you need done. They should be spending a lot of time performing the actual job of parsing/analyzing incoming data from packets, so you might choose to look at them as doing a “first pass” analysis and then deciding how the results should be shared with other nodes in the cluster.

  • Proxies: serve as intermediaries for data storage and work/calculation offloading. Good for helping offload work or data in a scalable and distributed way. Since any given worker is connected to all proxies and can agree on an “arbitrary key -> proxy node” mapping (more on that later), you can partition work or data amongst them in a uniform manner. e.g. you might choose to use proxies as a method of sharing non-persistent state or as a “second pass” analysis for any work that you don’t want interfering with the workers’ capacity to keep up with capturing and parsing packets. Note that the default scripts that come with Zeek make minimal use of proxies, so if you are coming from a previous ZeekControl deployment, you may want to try reducing down to a single proxy node. If you come to have custom/community scripts that utilize proxies, that would be the time to start considering scaling up the number of proxies to meet demands.

  • Manager: this node will be good at performing decisions that require a global view of things since it is in a centralized location, connected to everything. However, that also makes it easy to overload, so try to use it sparingly and only for tasks that must be done in a centralized or authoritative location. Optionally, for some deployments, the Manager can also serve as the sole Logger.

  • Loggers: these nodes should simply be spending their time writing out logs to disk and not used for much else. In the default cluster configuration, logs get distributed among available loggers in a round-robin fashion, providing failover capability should any given logger temporarily go offline.

Data Management/Sharing Strategies

There is probably no single best approach or pattern to use when you need a Zeek script to store or share long-term state and data. The two approaches used previously were either the &synchronized attribute on tables/sets or explicitly sending events to the specific nodes on which you wanted data to be stored. The former is no longer possible, but the new Broker/Cluster framework offers several new possibilities, namely the distributed data store and data partitioning APIs.

Data Stores

Broker provides a distributed key-value store interface with optional choice of using a persistent backend. For more detail, see this example.

Some ideas/considerations/scenarios when deciding whether to use a data store for your use-case:

  • If you need the full data set locally in order to achieve low-latency queries, data store “clones” can provide that.

  • If you need data that persists across restarts of Zeek processes, then data stores can also provide that.

  • If the data you want to store is complex (tables, sets, records) or you expect to read, modify, and store back, then data stores may not be able to provide simple, race-free methods of performing the pattern of logic that you want.

  • If the data set you want to store is excessively large, that’s still problematic even for stores that use a persistent backend as they are implemented in a way that requires a full snapshot of the store’s contents to fit in memory (this limitation may change in the future).

Data Partitioning

New data partitioning strategies are available using the API in base/frameworks/cluster/pools.zeek. Using that API, developers of custom Zeek scripts can define a custom pool of nodes that best fits the needs of their script.

One example strategy is to use Highest Random Weight (HRW) hashing to partition data tables amongst the pool of all proxy nodes. e.g. using Cluster::publish_hrw. This could allow clusters to be scaled more easily than the approach of “the entire data set gets synchronized to all nodes” as the solution to memory limitations becomes “just add another proxy node”. It may also take away some of the messaging load that used to be required to synchronize data sets across all nodes.

The tradeoff of this approach is that nodes that leave the pool (due to crashing, etc.) cause a temporary gap in the total data set until workers start hashing keys to a proxy node that is still alive, at which point data is located and updated there instead.

If the developer of a script expects its workload to be particularly intensive, wants to ensure that their operations get exclusive access to nodes, or otherwise set constraints on the number of nodes within a pool utilized by their script, then the Cluster::PoolSpec structure will allow them to do that while still allowing users of that script to override the default suggestions made by the original developer.

Broker Framework Examples

The broker framework provides basic facilities for connecting Zeek instances to each other and exchanging messages, like events or logs.

See base/frameworks/broker/main.zeek for an overview of the main Broker API.

Topic Naming Conventions

All Broker-based messaging involves two components: the information you want to send (e.g. an event w/ its arguments) along with an associated topic name string. The topic strings are used as a filtering mechanism: Broker uses a publish/subscribe communication pattern where peers advertise interest in topic prefixes and only receive messages which match one of their prefix subscriptions.

Broker itself supports arbitrary topic strings; however, Zeek follows certain conventions in choosing these topics to help avoid conflicts and make them easier to remember.

As a reminder of how topic subscriptions work, subscribers advertise interest in a topic prefix and then receive any messages published by a peer to a topic name that starts with that prefix. E.g., if Alice subscribes to the “alice/dogs” prefix, she would receive the following message topics published by Bob:

  • topic “alice/dogs/corgi”

  • topic “alice/dogs”

  • topic “alice/dogsarecool/oratleastilikethem”

Alice would not receive the following message topics published by Bob:

  • topic “alice/cats/siamese”

  • topic “alice/cats”

  • topic “alice/dog”

  • topic “alice”

Note that the topics aren’t required to form a slash-delimited hierarchy; the subscription matching is purely a byte-by-byte prefix comparison.

However, Zeek scripts generally follow a topic naming hierarchy, and any given script makes the topic names it uses apparent via some redef’able constant in its export section. Generally, topics that Zeek scripts use are along the lines of zeek/<namespace>/<specifics>, with <namespace> being the script’s module name (in all lowercase). For example, you might expect an imaginary Pretend framework to publish/subscribe using topic names like zeek/pretend/my_cool_event. For scripts that use Broker as a means of cluster-aware analysis, it’s usually sufficient for them to make use of the topics declared by the cluster framework. For scripts that are meant to establish communication flows unrelated to the Zeek cluster, new topics are declared (examples being the NetControl and Control frameworks).

For cluster operation, see base/frameworks/cluster/main.zeek for a list of topics that are useful for steering published events to the various node classes. E.g. you have the ability to broadcast to all nodes of a given class (e.g. just workers) or just send to a specific node within a class.

The topic names that logs get published under are a bit nuanced. In the default cluster configuration, they are round-robin published to explicit topic names that identify a single logger. In standalone Zeek processes, logs get published to the topic indicated by Broker::default_log_topic_prefix.

For those writing their own scripts which need new topic names, a suggestion would be to avoid prefixing any new topics/prefixes with zeek/ as any changes in scripts shipping with Zeek will use that prefix and it’s better to not risk unintended conflicts. Again, it’s often less confusing to just re-use existing topic names instead of introducing new topic names. The typical use case is writing a cluster-enabled script, which usually just needs to route events based upon node classes, and that already has usable topics in the cluster framework.

Connecting to Peers

Zeek can accept incoming connections by calling Broker::listen.

connecting-listener.zeek
redef exit_only_after_terminate = T;

event zeek_init()
    {
    Broker::listen("127.0.0.1");
    }

event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
    {
    print "peer added", endpoint;
    }

event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
    {
    print "peer lost", endpoint;
    terminate();
    }

Zeek can initiate outgoing connections by calling Broker::peer.

connecting-connector.zeek
redef exit_only_after_terminate = T;

event zeek_init()
    {
    Broker::peer("127.0.0.1");
    }

event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
    {
    print "peer added", endpoint;
    terminate();
    }

In either case, connection status updates are monitored via the Broker::peer_added and Broker::peer_lost events.

Remote Events

To receive remote events, you need to first subscribe to a “topic” to which the events are being sent. A topic is just a string chosen by the sender, and named in a way that helps organize events into various categories. See the topic naming conventions section for more on how topics work and are chosen.

Use the Broker::subscribe function to subscribe to topics and define any event handlers for events that peers will send.

events-listener.zeek
redef exit_only_after_terminate = T;
global msg_count = 0;
global my_event: event(msg: string, c: count);
global my_auto_event: event(msg: string, c: count);

event zeek_init()
    {
    Broker::subscribe("zeek/event/");
    Broker::listen("127.0.0.1");
    }

event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
    {
    print "peer added", endpoint;
    }

event my_event(msg: string, c: count)
    {
    ++msg_count;
    print "got my_event", msg, c;

    if ( msg_count == 5 )
        terminate();
    }

event my_auto_event(msg: string, c: count)
    {
    ++msg_count;
    print "got my_auto_event", msg, c;

    if ( msg_count == 5 )
        terminate();
    }

There are two different ways to send events.

The first is to call the Broker::publish function which you can supply directly with the event and its arguments or give it the return value of Broker::make_event in case you need to send the same event/args multiple times. When publishing events like this, local event handlers for the event are not called.

The second option is to call the Broker::auto_publish function where you specify a particular event that will be automatically sent to peers whenever the event is called locally via the normal event invocation syntax. When auto-publishing events, local event handlers for the event are called in addition to sending the event to any subscribed peers.

events-connector.zeek
redef exit_only_after_terminate = T;
global my_event: event(msg: string, c: count);
global my_auto_event: event(msg: string, c: count);

event zeek_init()
    {
    Broker::peer("127.0.0.1");
    Broker::auto_publish("zeek/event/my_auto_event", my_auto_event);
    }

event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
    {
    print "peer added", endpoint;
    Broker::publish("zeek/event/my_event", my_event, "hi", 0);
    event my_auto_event("stuff", 88);
    Broker::publish("zeek/event/my_event", my_event, "...", 1);
    event my_auto_event("more stuff", 51);
    local e = Broker::make_event(my_event, "bye", 2);
    Broker::publish("zeek/event/my_event", e);
    }

event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
    {
    terminate();
    }

event my_event(msg: string, c: count)
    {
    print "got my_event", msg, c;
    }

event my_auto_event(msg: string, c: count)
    {
    print "got my_auto_event", msg, c;
    }

Note that the subscription model is prefix-based, meaning that if you subscribe to the zeek/events topic prefix you would receive events that are published to topic names zeek/events/foo and zeek/events/bar but not zeek/misc.

Remote Logging
testlog.zeek
module Test;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        msg: string &log;
        num: count &log;
    };

    global log_test: event(rec: Test::Info);
}

event zeek_init() &priority=5
    {
    Log::create_stream(Test::LOG, [$columns=Test::Info, $ev=log_test, $path="test"]);
    }

To toggle remote logs, redef Log::enable_remote_logging. Use the Broker::subscribe function to advertise interest in logs written by peers. The topic names that Zeek uses are determined by Broker::log_topic.

logs-listener.zeek
@load ./testlog

redef exit_only_after_terminate = T;

event zeek_init()
    {
    Broker::subscribe("zeek/logs");
    Broker::listen("127.0.0.1");
    }

event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
    {
    print "peer added", endpoint;
    }

event Test::log_test(rec: Test::Info)
    {
    print "got log event", rec;

    if ( rec$num == 5 )
        terminate();
    }

logs-connector.zeek
@load ./testlog

redef exit_only_after_terminate = T;
global n = 0;

event zeek_init()
    {
    Broker::peer("127.0.0.1");
    }

event do_write()
    {
    if ( n == 6 )
        return;

    Log::write(Test::LOG, [$msg = "ping", $num = n]);
    ++n;
    event do_write();
    }

event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
    {
    print "peer added", endpoint;
    event do_write();
    }

event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
    {
    terminate();
    }

event Test::log_test(rec: Test::Info)
    {
    print "wrote log", rec;
    Broker::publish("zeek/logs/forward/test", Test::log_test, rec);
    }

Note that logging events are only raised locally on the node that performs the Log::write and not automatically published to peers.

Distributed Data Stores

See base/frameworks/broker/store.zeek for an overview of the Broker data store API.

There are two flavors of key-value data store interfaces: master and clone.

A master data store can be cloned from remote peers which may then perform lightweight, local queries against the clone, which automatically stays synchronized with the master store. Clones cannot modify their content directly, instead they send modifications to the centralized master store which applies them and then broadcasts them to all clones.

Master stores get to choose what type of storage backend to use, e.g. in-memory versus SQLite for persistence.

Data stores also support expiration on a per-key basis using an amount of time relative to the entry’s last modification time.

stores-listener.zeek
redef exit_only_after_terminate = T;

global h: opaque of Broker::Store;
global expected_key_count = 4;
global key_count = 0;

# Lookup a value in the store based on an arbitrary key string.
function do_lookup(key: string)
    {
    when ( local res = Broker::get(h, key) )
        {
        ++key_count;
        print "lookup", key, res;

        # End after we iterated over looking up each key in the store twice.
        if ( key_count == expected_key_count * 2 )
            terminate();
        }
    # All data store queries must specify a timeout
    timeout 3sec
        { print "timeout", key; }
    }

event check_keys()
    {
    # Here we just query for the list of keys in the store, and show how to
    # look up each one's value.
    when ( local res = Broker::keys(h) )
        {
        print "clone keys", res;

        if ( res?$result )
            {
            # Since we know that the keys we are storing are all strings,
            # we can conveniently cast the result of Broker::keys to
            # a native Zeek type, namely 'set[string]'.
            for ( k in res$result as string_set )
                do_lookup(k);

            # Alternatively, we can use a generic iterator to iterate
            # over the results (which we know is of the 'set' type because
            # that's what Broker::keys() always returns).  If the keys
            # we stored were not all of the same type, then you would
            # likely want to use this method of inspecting the store's keys.
            local i = Broker::set_iterator(res$result);

            while ( ! Broker::set_iterator_last(i) )
                {
                do_lookup(Broker::set_iterator_value(i) as string);
                Broker::set_iterator_next(i);
                }
            }
        }
    # All data store queries must specify a timeout.
    # You also might see timeouts on connecting/initializing a clone since
    # it hasn't had time to get fully set up yet.
    timeout 1sec
        {
        print "timeout";
        schedule 1sec { check_keys() };
        }
    }

event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
    {
    print "peer added";
    # We could create a clone early, like in zeek_init and it will periodically
    # try to synchronize with its master once it connects, however, we just
    # create it now since we know the peer w/ the master store has just
    # connected.
    h = Broker::create_clone("mystore");

    event check_keys();
    }

event zeek_init()
    {
    Broker::listen("127.0.0.1");
    }

stores-connector.zeek
redef exit_only_after_terminate = T;

global h: opaque of Broker::Store;

global ready: event();

event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
    {
    terminate();
    }

event zeek_init()
    {
    h = Broker::create_master("mystore");

    local myset: set[string] = {"a", "b", "c"};
    local myvec: vector of string = {"alpha", "beta", "gamma"};
    Broker::put(h, "one", 110);
    Broker::put(h, "two", 223);
    Broker::put(h, "myset", myset);
    Broker::put(h, "myvec", myvec);
    Broker::increment(h, "one");
    Broker::decrement(h, "two");
    Broker::insert_into_set(h, "myset", "d");
    Broker::remove_from(h, "myset", "b");
    Broker::push(h, "myvec", "delta");

    Broker::peer("127.0.0.1");
    }

Note that all data store queries must be made within Zeek’s asynchronous when statements and must specify a timeout block.
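The persistent backend and per-key expiry described above, combined into one cluster-aware script. This is an added example, not code from the Zeek documentation: it assumes the cluster framework is loaded (the manager owns the master, every other node a clone), that Broker::BackendOptions/Broker::SQLiteOptions are used as shown, and the SQLite path is a placeholder.

```zeek
# Added example (not from the Zeek documentation): a cluster-aware store
# where the manager owns a persistent SQLite master and every other node
# holds a clone.  Assumes the cluster framework is loaded; the database
# path is a placeholder.

module RepStore;

export {
    ## Placeholder location of the SQLite file on the manager.
    const db_path = "/var/db/zeek/PLACEHOLDER-repstore.sqlite" &redef;

    ## A "suspect" verdict lives this long past its last update.
    const suspect_ttl = 10min &redef;
}

global h: opaque of Broker::Store;

event zeek_init() &priority=5
    {
    if ( Cluster::local_node_type() == Cluster::MANAGER )
        {
        # Master with a persistent backend: verdicts survive a restart.
        local opts = Broker::BackendOptions(
            $sqlite=Broker::SQLiteOptions($path=db_path));
        h = Broker::create_master("repstore", Broker::SQLITE, opts);
        }
    else
        # Clones keep a local, read-only copy synchronized from the master.
        h = Broker::create_clone("repstore");
    }

# Workers call this when a host looks suspicious.  The clone forwards the
# modification to the master, which applies it and fans it out to all
# clones.  The expiry is relative to the entry's last modification, so a
# host that stays quiet for suspect_ttl drops out of the store by itself;
# every new put for the same host refreshes the clock.
function mark_suspect(host: addr, reason: string)
    {
    Broker::put(h, host, reason, suspect_ttl);
    }

# Lookups are asynchronous, so they go inside ``when`` with a timeout.
function check_host(host: addr)
    {
    when ( local res = Broker::get(h, host) )
        {
        if ( res$status == Broker::SUCCESS )
            print fmt("%s flagged: %s", host, res$result as string);
        else
            print fmt("%s not flagged (absent, expired, or lookup failed)", host);
        }
    timeout 2sec
        { print fmt("lookup for %s timed out", host); }
    }

# Worker-only driver: flag the client on a failed SSH login, then re-check
# it through the local clone.
@if ( Cluster::local_node_type() == Cluster::WORKER )
event ssh_auth_failed(c: connection)
    {
    mark_suspect(c$id$orig_h, "ssh auth failure");
    check_host(c$id$orig_h);
    }
@endif
```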

Cluster Framework Examples

This section contains a few brief examples of communication patterns one might use when developing Zeek scripts that are to operate in the context of a cluster.

A Reminder About Events and Module Namespaces

For simplicity, the following examples do not use any modules/namespaces. If you choose to use them within your own code, it’s important to remember that the event and schedule dispatching statements should always use the fully-qualified event name.

For example, this will likely not work as expected:

module MyModule;

export {
    global my_event: event();
}

event my_event()
    {
    print "got my event";
    }

event zeek_init()
    {
    event my_event();
    schedule 10sec { my_event() };
    }

This code runs without errors; however, the local my_event handler will never be called, and neither will any remote handlers, even if Broker::auto_publish was used elsewhere for it. Instead, at minimum you would need to change the zeek_init() handler:

event zeek_init()
    {
    event MyModule::my_event();
    schedule 10sec { MyModule::my_event() };
    }

An easy rule of thumb to remember: always use explicit module namespace scoping and you can’t go wrong:

module MyModule;

export {
    global MyModule::my_event: event();
}

event MyModule::my_event()
    {
    print "got my event";
    }

event zeek_init()
    {
    event MyModule::my_event();
    schedule 10sec { MyModule::my_event() };
    }

Event types that reside in the default namespace (such as zeek_init or connection_established) require no qualification, even when scheduled from inside a module. Don’t force qualification of such events by prefixing with GLOBAL::.

Note that other identifiers in Zeek do not have this inconsistency related to module namespacing; it’s just events that require explicitness.

Manager Sending Events To Workers

This is fairly straightforward: we just need a topic name to which we know all workers are subscribed, combined with the event we want to send them.

event manager_to_workers(s: string)
    {
    print "got event from manager", s;
    }

event some_event_handled_on_manager()
    {
    Broker::publish(Cluster::worker_topic, manager_to_workers,
                    "hello v0");

    # If you know this event is only handled on the manager, you don't
    # need any of the following conditions, they're just here as an
    # example of how you can further discriminate based on node identity.

    # Can check based on the name of the node.
    if ( Cluster::node == "manager" )
        Broker::publish(Cluster::worker_topic, manager_to_workers,
                        "hello v1");

    # Can check based on the type of the node.
    if ( Cluster::local_node_type() == Cluster::MANAGER )
        Broker::publish(Cluster::worker_topic, manager_to_workers,
                        "hello v2");

    # The run-time overhead of the above conditions can even be
    # eliminated by using the following conditional directives.
    # It's evaluated once per node at parse-time and, if false,
    # any code within is just ignored / treated as not existing at all.
@if ( Cluster::local_node_type() == Cluster::MANAGER )
        Broker::publish(Cluster::worker_topic, manager_to_workers,
                        "hello v3");
@endif
    }

Worker Sending Events To Manager

This should look almost identical to the previous case of sending an event from the manager to workers, except that it simply changes the topic name to one to which the manager is subscribed.

event worker_to_manager(worker_name: string)
    {
    print "got event from worker", worker_name;
    }

event some_event_handled_on_worker()
    {
    Broker::publish(Cluster::manager_topic, worker_to_manager,
                    Cluster::node);
    }

Worker Sending Events To All Workers

Since workers are not directly connected to each other in the cluster topology, this type of communication is a bit different than what we did before since we have to manually relay the event via some node that is connected to all workers. The manager or a proxy satisfies that requirement:

event worker_to_workers(worker_name: string)
    {
@if ( Cluster::local_node_type() == Cluster::MANAGER ||
      Cluster::local_node_type() == Cluster::PROXY )
        Broker::publish(Cluster::worker_topic, worker_to_workers,
                        worker_name);
@else
        print "got event from worker", worker_name;
@endif
    }

event some_event_handled_on_worker()
    {
    # We know the manager is connected to all workers, so we could
    # choose to relay the event across it.
    Broker::publish(Cluster::manager_topic,  worker_to_workers,
                    Cluster::node + " (via manager)");

    # We also know that any given proxy is connected to all workers,
    # though now we have a choice of which proxy to use.  If we
    # want to distribute the work associated with relaying uniformly,
    # we can use a round-robin strategy.  The key used here is simply
    # used by the cluster framework internally to keep track of
    # which node is up next in the round-robin.
    local pt = Cluster::rr_topic(Cluster::proxy_pool, "example_key");
    Broker::publish(pt, worker_to_workers,
                    Cluster::node + " (via a proxy)");
    }

Worker Distributing Events Uniformly Across Proxies

If you want to offload some data/work from a worker to your proxies, you can make use of a Highest Random Weight (HRW) hashing distribution strategy to uniformly map an arbitrary key space across all available proxies.

event worker_to_proxies(worker_name: string)
    {
    print "got event from worker", worker_name;
    }

global my_counter = 0;

event some_event_handled_on_worker()
    {
    # The key here is used to choose which proxy shall receive
    # the event.  Different keys may map to different nodes, but
    # any given key always maps to the same node provided the
    # pool of nodes remains consistent.  If a proxy goes offline,
    # that key maps to a different node until the original comes
    # back up.
    Cluster::publish_hrw(Cluster::proxy_pool,
                         cat("example_key", ++my_counter),
                         worker_to_proxies, Cluster::node);
    }
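The Data Partitioning section above mentions that Cluster::PoolSpec lets a script declare its own pool, and this section shows HRW publishing to the built-in proxy pool; the following added example (not from the Zeek documentation) combines the two. It assumes cluster mode, the PoolSpec/register_pool API from base/frameworks/cluster/pools.zeek, a topic string of our own choosing, and that registering the pool at zeek_init priority 10 mirrors how the built-in pools are set up.

```zeek
# Added example (not from the Zeek documentation): a script-specific proxy
# pool declared through Cluster::PoolSpec, with per-key tallies partitioned
# across that pool by HRW hashing.  Assumes cluster mode; the pool topic is
# our own choice, and registering at zeek_init priority 10 follows how the
# built-in pools are set up.

module KeyCount;

export {
    ## Users of this script may redef this, e.g. to raise max_nodes or
    ## to demand exclusive proxies, without touching the rest of the script.
    const pool_spec: Cluster::PoolSpec =
        Cluster::PoolSpec($topic="zeek/cluster/pool/keycount",
                          $node_type=Cluster::PROXY,
                          $max_nodes=2,
                          $exclusive=F) &redef;

    ## Delivered to the one proxy that currently owns ``key``.
    global observed: event(key: string, from_node: string);
}

global pool: Cluster::Pool;

# Lives only on proxies; each proxy holds the slice of keys that hash to it.
global counts: table[string] of count &default=0;

event zeek_init() &priority=10
    {
    pool = Cluster::register_pool(pool_spec);
    }

# Worker side: HRW picks the proxy for this key.  The same key always goes
# to the same proxy while the pool is stable; if that proxy leaves, the key
# re-hashes to a surviving one and its tally restarts there (the temporary
# gap the Data Partitioning section describes).
function report(key: string)
    {
    Cluster::publish_hrw(pool, key, KeyCount::observed, key, Cluster::node);
    }

# Proxy side: accumulate and print.
event KeyCount::observed(key: string, from_node: string)
    {
    counts[key] += 1;
    print fmt("%s: %s seen %d times (last from %s)",
              Cluster::node, key, counts[key], from_node);
    }

# Worker driver: tally responder ports cluster-wide, so every proxy owns a
# disjoint set of ports rather than every node holding the whole table.
@if ( Cluster::local_node_type() == Cluster::WORKER )
event connection_established(c: connection)
    {
    report(cat(c$id$resp_p));
    }
@endif
```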

Broker-backed Zeek Tables for Data Synchronization and Persistence

Starting with Zeek 3.2, it is possible to “bind” a Zeek table to a backing Broker store. Changes to the Zeek table are sent to the Broker store. Similarly, changes of the Broker store are applied to the Zeek table.

This feature allows easy distribution of table contents across a cluster. It also offers persistence for tables (when using a persistent Broker store backend like SQLite).

To give a short example, to distribute a table over a cluster you can use the &backend attribute.

global t: table[string] of count &backend=Broker::MEMORY;

The &backend attribute creates a master data store on the manager and a clone data store on all other nodes in the cluster. This in essence means that the table exists twice in each Zeek process. One copy of the table is contained in a Broker data store (either a master or a clone, depending on the node); that data store distributes the data across the cluster and, depending on the backend, might also make the data persistent. Since Broker data stores are only accessible via asynchronous operations, and accessing them might not always be immediate, a second copy of the table, which is immediately accessible, is held inside the Zeek core. This is the copy that you see and interact with on the Zeek side.

Cluster Framework

The basic premise of Zeek clusterization is to break down network traffic into smaller pieces, while preserving the affinity of individual network sessions to a single analysis process. Cluster architecture thus allows Zeek to distribute that analysis across many dozens or hundreds of worker processes, allowing the monitoring system to scale up to line speeds of 100G or more.


Figure 1: Block diagram of cluster setup showing multiple network feeds to a traffic aggregator. This device sends traffic to workers after symmetric hashing/load-balancing. Traffic is then fed to the Zeek cluster using load-balancing network cards.

Zeek’s Cluster Components

By distributing network traffic across hosts and processes, overall traffic finally reaches a volume that can be effectively analyzed by a single worker process. Zeek then acts as a distributed network security monitor to perform analysis across many dozens or hundreds of workers, all acting on a small fraction of the overall traffic volume. The analysis of the worker process is further facilitated by nodes such as the manager and proxies, ultimately logging the alerts and/or relevant network logs. A Zeek cluster therefore consists of four main components: a manager, workers, proxies, and a logger.

Manager

The manager is a Zeek process that has two primary jobs. It normally receives log messages and notices from the rest of the nodes in the cluster using the Zeek communications protocol. It combines the individual logs that each worker produces, so that the result is a set of joint logs instead of many discrete logs that you would have to combine in some manner with post-processing. (Note that if you use a separate logger node, then the logger receives all logs instead of the manager.) The manager also supports other functionality and analysis which requires a centralized, global view of events or data.

Worker

The worker is the Zeek process that sniffs network traffic and does protocol analysis on the reassembled traffic streams. Most of the work of an active cluster takes place on the workers. Workers typically represent the bulk of the Zeek processes that are running in a cluster. The fastest memory and CPU core speed you can afford is recommended since all of the protocol parsing and most analysis will take place here. There are no particular requirements for the disks in workers since almost all logging is done remotely to the manager (or dedicated logger). Normally, very little is written to disk.

Proxy

A proxy is a Zeek process that may be used to offload data storage or any arbitrary workload. A cluster may contain multiple proxy nodes. The default scripts that come with Zeek make only minimal use of proxies, so a single one will usually be sufficient. But custom scripts may make more use of it to partition data or workloads, providing greater cluster scalability potential than just doing similar tasks on a single, centralized manager node.

Zeek processes acting as proxies don’t tend to be extremely hard on CPU or memory, and users frequently run proxy processes on the same physical host as the manager.

Logger

A logger is an optional Zeek process that receives log messages from the rest of the nodes in the cluster using the Zeek communications protocol. The purpose of having a logger to receive logs instead of the manager is to reduce the load on the manager. If no logger is needed, then the manager will receive logs instead.

Running a Zeek Cluster

Zeek Cluster Setup

This link describes the cluster setup in great detail.

General Usage and Deployment

The biggest advantage to using a Zeek cluster is that most of its inner workings are transparent to the user. Clusterization is a clever trick to divide-and-conquer ever-increasing network traffic volume.

As a practitioner one must know how to set up a cluster by defining components such as the manager, proxies, loggers and workers in the <prefix>/etc/node.cfg file on the manager.

Edit the ZeekControl node configuration file, <prefix>/etc/node.cfg, to define where the logger, manager, proxies, and workers will run. For a cluster configuration, comment-out (or remove) the standalone node in that file, and either uncomment or add node entries for each node in your cluster (logger, manager, proxy, and workers).

For example, to run five Zeek nodes (two workers, one proxy, a logger, and a manager) on a cluster consisting of three machines, the cluster configuration would look like this:

[logger]
type=logger
host=10.0.0.10

[manager]
type=manager
host=10.0.0.10

[proxy-1]
type=proxy
host=10.0.0.10

[worker-1]
type=worker
host=10.0.0.11
interface=eth0

[worker-2]
type=worker
host=10.0.0.12
interface=eth0

To set up a cluster we need a network-aggregator/load balancing device which can aggregate inputs from network sources, such as taps or span ports. This device also performs the critical function of ensuring each TCP session is distributed to a single link. This function is provided through symmetric hashing.

Once the tap aggregator is set, output from each port is sent to a “Zeek node” which is typically built on commodity hardware. Zeek clusters have evolved from running the manager, workers and proxies on individual servers, to most often now running a “cluster-in-a-box” setup, where a powerful multi-core box with dedicated cores hosts the workers, proxies, logger and manager. We’ve seen instances of 90 workers running on a single physical server.

At present the preferred way to run a cluster is to use a load-balancing network card such as Myricom NICs or Intel cards with PF_RING or AF_PACKET support. The NIC (and associated software) further divides the traffic to multiple Zeek worker processes running on the ‘Zeek node’.

While the Zeek cluster allows us to monitor traffic at scale, an optional add-on technology called “shunting” is helpful to reduce the volume that needs to be processed. Shunting can detect specific large data flows based on predetermined characteristics and communicate with the network tap via an API to stop sending those flows to Zeek for analysis. This allows Zeek to maintain awareness and logs of these shunted large flows while dramatically reducing the analysis load necessary to process traffic.

The following link gives more specific information on how to set up clusterization using one of the above approaches: Cluster Configuration.

Developing Scripts/Heuristics

This section is for developers who are interested in writing packages/scripts/heuristics and want to take advantage of clusterization.

In order to make your scripts/packages “clusterized,” one must understand the purpose of each of the cluster components (manager, workers, proxies and logger) and how/where the data is generated and how to move data/information across the different nodes in the cluster.

  • Workers: Workers are a good first choice for doing the brunt of any work. They should be spending a lot of time parsing or analyzing incoming data from packets. You might choose them to do a “first pass” analysis and then decide how the results should be shared with other nodes in the cluster.

  • Proxies: Proxies serve as intermediaries for data storage and computation offloading. Proxies help offload work or data in a scalable and distributed way. Since any given worker is connected to all proxies and can agree on an “arbitrary key -> proxy node” mapping (discussed later), you can partition work or data amongst them in a uniform manner. You might choose to use proxies as a method to share non-persistent state or as a “second pass” analysis for any work that you don’t want interfering with the workers’ capacity to keep up with capturing and parsing packets. The default scripts that come with Zeek make minimal use of proxies. If you are migrating from a previous ZeekControl deployment, you may want to implement a single proxy node. If you have custom or community scripts that utilize proxies, consider scaling up the number of proxies to meet demand.

  • Manager: A manager will make decisions that require a global view, as it is in a centralized location and connected to everything. However, that connectivity also makes it easy to overload it. Try to use a manager sparingly and only for tasks that must be done in a centralized or authoritative location. Optionally, for some deployments, the manager can also serve as the sole logger.

  • Loggers: Loggers should simply write logs to disk. In the default cluster configuration, log content gets distributed among available loggers in a round-robin fashion, providing failover capability should any given logger temporarily go offline.

The Need to Move Data and Events Across Different Nodes

Imagine you have a list of IP addresses that you want to distribute across all workers to keep in a watch list, such as the Intel framework. You may also want to aggregate results across workers to see if that count crosses a threshold, such as using scan detection. Finally, you might want to extract URLs from emails and then redistribute the extracted URLs to all workers to be able to find which of these extracted URLs got clicked on. All these examples tend to introduce challenges in a Zeek cluster setup due to data centrality issues. In other words, the very advantageous divide-and-conquer approach of clusterization also introduces complexity in Zeek scripts. However, with the introduction of the Broker communication framework and additional helper functions, data centrality complexities can be addressed efficiently. One must rely on clusterization techniques provided by Zeek scripting, the Broker API, and clusterization components.

When clustering your scripts, the fundamental work to move data or events in the context of a cluster falls primarily on a few high-level abstractions of communication patterns:

  1. Manager-to-worker

  2. Worker-to-manager

  3. Worker-to-proxy

  4. Worker-to-manager-to-worker

  5. Manager-to-worker-to-manager

All the communication between workers, proxies and manager is established by Zeek via the Broker framework. The Broker framework provides basic facilities for connecting Zeek instances to each other and exchanging messages, events or data.

Cluster Topics

All Broker-based messaging involves two components: the information you want to send, such as an event with its arguments, along with an associated topic name string. The topic strings are used as a filtering mechanism: Broker uses a publish-subscribe communication pattern where peers advertise interest in topic prefixes and only receive messages which match one of their prefix subscriptions. Broker itself supports arbitrary topic strings. However, Zeek generally follows certain conventions in choosing these topics to help avoid conflicts and generally make them easier to remember.

To communicate between workers, proxies and manager one needs to know the topic name to which all workers, proxies and manager are subscribed. Two main topics that are important to be familiar with for cluster communication are:

  1. Cluster::worker_topic - to which all workers are subscribed

  2. Cluster::manager_topic - to which manager is subscribed

In addition to these, Cluster::proxy_pool, the pool comprising all proxies, is useful: it is a node pool rather than a topic, and is what you pass to Cluster::publish_hrw (described below) to route an event to exactly one proxy.

The following table illustrates all the topics and communication events for clusterization, along with potential use cases:

Manager to worker
  Topic: Cluster::worker_topic
  Use cases:
  • Read input file on manager
  • Distribute data and events from manager to workers

Worker to manager
  Topic: Cluster::manager_topic
  Use cases:
  • Find characteristics of a “scan”, e.g. SYN-only packets
  • Send data to manager for aggregation

Workers to proxy
  Topic: Cluster::proxy_pool (a node pool, used with Cluster::publish_hrw)
  Use cases:
  • Aggregation (e.g. DNS query types)

Worker to manager to worker
  Topics: Cluster::manager_topic, then Cluster::worker_topic
  Use cases:
  • Find URLs in emails
  • Send to manager
  • Distribute to workers to check against HTTP GET requests

Manager to worker to manager
  Topics: Cluster::worker_topic, then Cluster::manager_topic
  Use cases:
  • Read input file on manager
  • Distribute data to workers
  • Workers report counts of connections to manager
  • Aggregate the counts on manager

Publishing Events Across the Cluster

Broker, as well as Zeek’s higher-level cluster framework, provide a set of functions to publish events, including:

Broker::publish
  Description: Publishes an event at a given topic.
  Use: Standard function to send an event to all nodes subscribed to a given topic.

Broker::auto_publish
  Description: Automatically sends an otherwise generated Zeek event to any interested peers whenever it is locally dispatched.
  Use: Avoid, since it is somewhat “magical”, unless you have compartmentalized the code with @ifdef directives.

Cluster::publish_hrw
  Description: Publishes an event to a node within a pool according to a Highest Random Weight (HRW) hashing strategy; see details below.
  Use: Use this for any aggregation need, e.g. scan detection or anything that needs a counter.

Cluster::publish_rr
  Description: Publishes an event to a node within a pool according to a Round-Robin distribution strategy.
  Use: Generally used inside Zeek for multiple logger nodes.

An example sending an event from worker to manager:

event worker_to_manager(worker_name: string)
    {
    print "got event from worker", worker_name;
    }

event some_event_handled_on_worker()
    {
    Broker::publish(Cluster::manager_topic, worker_to_manager,
                    Cluster::node);
    }

More details, code snippets and documentation on the Broker communication framework are available at Broker Communication Framework.
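The following is an added example, not code from the Zeek documentation or distribution, that puts the topics table and the publish functions above together into the “manager to worker to manager” pattern: the manager reads a watchlist file, pushes each address to all workers over Cluster::worker_topic, workers count connections involving a watched address and periodically report partial counts over Cluster::manager_topic, and the manager aggregates them. The module name, event names, report interval and file path are assumptions chosen for the illustration; the watchlist file is assumed to be a tab-separated file with a single address column and a `#fields` header, as the input framework expects.

```zeek
##! Added example (not part of the Zeek documentation): manager-to-worker-to-manager
##! pattern. Module name, event names, interval and file path are assumptions.

module WatchCount;

export {
    ## Watchlist file, read on the manager only (assumed path). One column
    ## named "a" holding an address, preceded by a "#fields<TAB>a" header line.
    const watchlist_file = "/opt/zeek/etc/watchlist.txt" &redef;

    ## How often each worker flushes its partial counts to the manager.
    const report_interval = 1 min &redef;

    ## Manager -> workers: start watching one address.
    global add_watched: event(a: addr);

    ## Workers -> manager: connections seen for a watched address on one worker.
    global report_count: event(node: string, a: addr, n: count);

    ## Worker-local timer event that triggers a flush.
    global flush_counts: event();
}

## Index record for the input framework: the file's single column.
type Idx: record {
    a: addr;
};

## Watched addresses. Filled from the file on the manager, via events on workers.
global watched: set[addr];

## Partial counts since the last flush (workers, or standalone).
global local_counts: table[addr] of count &default=0;

## Aggregated totals (manager, or standalone).
global totals: table[addr] of count &default=0;

@if ( ! Cluster::is_enabled() || Cluster::local_node_type() == Cluster::MANAGER )
event zeek_init()
    {
    # Read input file on the manager only; a set destination needs no $val.
    Input::add_table([$source=watchlist_file, $name="watchlist",
                      $idx=Idx, $destination=watched]);
    }

event Input::end_of_data(name: string, source: string)
    {
    if ( name != "watchlist" || ! Cluster::is_enabled() )
        return;

    # Manager -> worker: every worker needs the full list for its first-pass filtering.
    for ( a in watched )
        Broker::publish(Cluster::worker_topic, WatchCount::add_watched, a);
    }

event WatchCount::report_count(node: string, a: addr, n: count)
    {
    # Worker -> manager: fold partial counts into the global view.
    totals[a] += n;
    print fmt("%s: %d connections so far (+%d reported by %s)", a, totals[a], n, node);
    }
@endif

@if ( ! Cluster::is_enabled() || Cluster::local_node_type() == Cluster::WORKER )
event WatchCount::add_watched(a: addr)
    {
    add watched[a];
    }

event connection_state_remove(c: connection)
    {
    # First pass on the worker: only watched addresses cost any communication.
    local a = c$id$orig_h in watched ? c$id$orig_h : c$id$resp_h;
    if ( a !in watched )
        return;

    local_counts[a] += 1;
    }

event WatchCount::flush_counts()
    {
    # Batch the counts per interval instead of one event per connection.
    for ( a in local_counts )
        {
        local n = local_counts[a];
        @if ( Cluster::is_enabled() )
            Broker::publish(Cluster::manager_topic, WatchCount::report_count,
                            Cluster::node, a, n);
        @else
            event WatchCount::report_count("standalone", a, n);
        @endif
        }

    clear_table(local_counts);
    schedule report_interval { WatchCount::flush_counts() };
    }

event zeek_init()
    {
    schedule report_interval { WatchCount::flush_counts() };
    }
@endif
```

The @if guards select which handlers each node type compiles, and both branches compile in standalone mode so the same script runs under `zeek -r trace.pcap watchcount.zeek` for testing. Batching the reports per interval rather than publishing on every connection is the communication-overhead point made in the guidance below: the manager receives one event per watched address per interval per worker, regardless of how many connections that address generated.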

Distributing Events Uniformly Across Proxies

If you want to offload data or work from workers to your proxies, you can use a Highest Random Weight (HRW) hashing strategy to map an arbitrary key space uniformly across all available proxies through Cluster::publish_hrw. This function publishes an event to exactly one node within a pool, chosen by hashing a key; passing Cluster::proxy_pool as the pool routes the event to a proxy. Cluster::publish_hrw requires a key as input to the hash function: every event published with the same key lands on the same node, while different keys spread uniformly across the pool. Often this key is a source or destination IP address. If you use Cluster::publish_hrw for an aggregate function, such as a count that must be unique across all workers, choose the hashing key so that everything belonging to one aggregate hashes to the same node.

The following example illustrates this issue. Assume that we are counting the number of scanner IPs from each /24 subnet. If the key were the source IP, then depending on the hashing, different IP addresses from the same /24 might end up on different proxies for the aggregation function. In this case one might instead want to use a more inclusive hashing key, such as the subnet (/24) itself. To illustrate the issue, in the notice log below, you see that 3 scanners each from 52.100.165.0/24 went to proxy-1 and proxy-2. Ideally we want a single count of 6 scanners instead.

1600212249.061779	Scan::Subnet	52.100.165.0/24 has 3 spf IPs originating from it 52.100.165.249 52.100.165.237 52.100.165.246	-	52.100.165.246	-	-	proxy-2	Notice::ACTION_LOG	3600.000000	F

1600212293.581745	Scan::Subnet	52.100.165.0/24 has 3 spf IPs originating from it 52.100.165.247 52.100.165.244 52.100.165.205	-	52.100.165.205	-	-	proxy-1	Notice::ACTION_LOG	3600.000000

Instead, we can make the hash key 52.100.165.0/24 rather than the original IP: the hash of 52.100.165.0/24 is the same for all addresses belonging to that subnet, so the data reaches a single proxy. To that end, we use the mask_address function, which takes an address and a prefix length and returns the containing subnet, to derive the key:

# Fragment from the scan script: "c" is the connection being reported and
# "orig" its originator address (c$id$orig_h); smtpsink::aggregate_stats is
# that script's aggregation event. mask_address needs the prefix length.
local spf = mask_address(orig, 24);   # e.g. 52.100.165.249 -> 52.100.165.0/24

@if ( Cluster::is_enabled() )
    Cluster::publish_hrw(Cluster::proxy_pool, spf, smtpsink::aggregate_stats, c);
@else
    event smtpsink::aggregate_stats(c);
@endif

Carefully select the key for Cluster::publish_hrw. If done right, this feature will bring tremendous benefits in code scalability, especially when working with aggregate and threshold functions.

Note

In scripting for clusterization, using the correct module names and namespaces is crucial as both events and data are transmitted to different systems. In order to make sure the contexts are correct, all functions, events and datasets should be scoped within their respective namespaces and modules. An easy rule of thumb is to always use the explicit module namespace scoping. See A Reminder About Events and Module Namespaces for further explanation and examples.

Clusterization of Zeek scripts can be an intimidating task for beginners. However, with the Broker framework, clusterization has become simpler and more straightforward. Consider the following:

  1. Communication overhead: Be sure not to generate unnecessary communication overhead. For example, scan detection is one of the worst cases for distributed analysis. One needs to count connections from a given IP address across all workers and then aggregate them on a proxy or manager. All the connections have to reach an aggregate function before Zeek can determine if a given source is a scanner or not. This happens because each worker only has a limited picture of the activity generated by a given remote IP.

  2. Communication optimizations: Once a given remote IP has been identified (as a scanner, say), make sure the manager reports that verdict back to the workers, and that the workers then stop sending further data for that IP to the manager. This matters especially in scan detection, where only a few connections are needed to identify a scan while a scanner may eventually send millions of probes. If done right, workers send only the first N connections and stop after that, saving a lot of communication overhead. Either way, it makes sense to stop workers from sending any further connection information once the decision has been made.

  3. Clusterization also requires timely state synchronization across the workers, to make sure that all workers have a common view of a particular heuristic.

  4. When writing scripts for clusterization make sure your detection runs in both cluster and standalone setup.

A Cluster Script Walkthrough

Let’s say we want to count how many connections a remote IP is making to a host in our network on port 3389 UDP. Due to the distributed nature of Zeek clusters, connections are distributed across the workers based on a 5-tuple hash (source IP, source port, destination IP, destination port, and protocol). To get a central view of a connection between a given IP pair, one must deploy a clusterized scripting approach. The following example highlights how to go about doing so.

In this use case, we intend to create an aggregation function. Cluster::publish_hrw appears to be the appropriate function, since it allows offloading a lot of work to proxies, leaving the workers free to keep up with traffic and the manager unburdened.

In order to make sure all the connections between two hosts go to a single specific proxy, we need to make sure the key for the hashing function accommodates this constraint. We will use orig_h+resp_h as the key. We create a new data-type called pair as seen in code below. This allows us to use the orig+resp as a unique key across the code, including in the candidate table. Further, we create a new data type called stats to keep track of additional data associated with a connection pair.

module DoS;

export {
    redef enum Notice::Type += {
        Threshold,
        Victim_3389UDP,
    };

    type pair: record {
        orig: addr;
        resp: addr;
    };

    type stats: record {
        orig: addr;
        resp: addr;
        orig_bytes: count &default=0;
        resp_bytes: count &default=0;
        conns: count &default=0;
    };

    global dos_candidates: table[pair] of stats &create_expire=1 day;

    global DoS::aggregate_stats: event(s: stats);
}

We choose the connection_state_remove event as the primary event to tap into. connection_state_remove is generated when a connection’s internal state is about to be removed from memory. It’s appropriate for this case, as all the information about the connection is now included in the connection record c. One disadvantage of using connection_state_remove is that the event is fired at the very end of the connection, after the expiration timeouts are over. Thus, there are delays, and any operation which happens on the data is “after-the-fact” that connection is over. While this could be a problem in approaches such as proactive blocking and early detection heuristics, in this case of aggregation it is not an issue.

The thing to pay attention to in the code snippet below is the @if-@else-@endif directives which differentiate between clusterized and standalone operation of the script. With the @if construct, the specified expression must evaluate to type bool. If the value is true, then the following script lines (up to the next @else or @endif) are available to be executed. In this case we check Cluster::is_enabled. If it is true, we call Cluster::publish_hrw with the pool, the key (hash_pair), the aggregate event and its parameters, which is the stats record in this case. If Zeek is not running as a cluster, the aggregate event is raised directly on the local node instead.

event connection_state_remove(c: connection)
    {
    local service = c$id$resp_p;
    local resp = c$id$resp_h;

    if ( service != 3389/udp )
        return;

    if ( resp !in Site::local_nets )
        return;

    local s: stats;
    s$orig = c$id$orig_h;
    s$resp = c$id$resp_h;
    s$orig_bytes = c$conn$orig_ip_bytes;
    s$resp_bytes = c$conn$resp_ip_bytes;

    local hash_pair: pair;
    hash_pair$orig = c$id$orig_h;
    hash_pair$resp = resp;

    @if ( Cluster::is_enabled() )
        Cluster::publish_hrw(Cluster::proxy_pool, hash_pair, DoS::aggregate_stats, s);
    @else
        event DoS::aggregate_stats(s);
    @endif
    }

Since hash_pair makes the key unique, irrespective of which worker this specific connection has gone to, it will end up on one specific proxy only.

# The walkthrough calls check_ip_threshold, dos_threshold and
# ip_pair_threshold_idx without showing their definitions. The minimal
# versions below are stand-ins so the script loads: dos_threshold lists the
# connection counts at which to raise a notice, ip_pair_threshold_idx
# remembers the next threshold each pair has yet to cross, and
# check_ip_threshold returns T exactly once per crossed threshold.
const dos_threshold: vector of count = vector(100, 1000, 10000) &redef;
global ip_pair_threshold_idx: table[pair] of count &default=0 &create_expire=1 day;

function check_ip_threshold(v: vector of count, idx: table[pair] of count,
                            p: pair, n: count): bool
    {
    local i = idx[p];
    if ( i < |v| && n >= v[i] )
        {
        idx[p] = i + 1;
        return T;
        }
    return F;
    }

event DoS::aggregate_stats(s: stats)
    {
    local p: pair;
    p$orig = s$orig;
    p$resp = s$resp;

    if ( p !in dos_candidates )
        {
        local tmp_s: stats;
        tmp_s$orig = s$orig;
        tmp_s$resp = s$resp;
        tmp_s$orig_bytes = 0;
        tmp_s$resp_bytes = 0;
        tmp_s$conns = 0;

        dos_candidates[p] = tmp_s;
        }

    dos_candidates[p]$conns += 1;
    dos_candidates[p]$orig_bytes += s$orig_bytes;
    dos_candidates[p]$resp_bytes += s$resp_bytes;

    local n = dos_candidates[p]$conns;

    local thresh = check_ip_threshold(dos_threshold, ip_pair_threshold_idx, p, n);

    if ( thresh )
        {
        local msg = fmt("%s pair has reached %s threshold %s",
                        p, n, dos_candidates[p]);
        NOTICE([$note=DoS::Threshold, $src=p$orig, $msg=msg]);

        # Victim_3389UDP is the notice type declared in the export block above;
        # a responder that sent bytes back was actually reached by the flood.
        if ( dos_candidates[p]$resp_bytes > 0 )
            NOTICE([$note=DoS::Victim_3389UDP, $src=p$orig, $msg=msg,
                   $identifier=cat(p$resp), $suppress_for=1 hrs]);
        }
    }

Conclusion

We hope that this guide will help you take advantage of Zeek’s cluster capabilities in your deployment.

Configuration Framework

Zeek includes a configuration framework that allows updating script options at runtime. This functionality consists of an option declaration in the Zeek language, configuration files that enable changing the value of options at runtime, option-change callbacks to process updates in your Zeek scripts, a couple of script-level functions to manage config settings directly, and a log file (config.log) that contains information about every option value change according to Config::Info.

Introduction

The configuration framework provides an alternative to using Zeek script constants to store various Zeek settings.

While traditional constants work well when a value is not expected to change at runtime, they cannot be used for values that need to be modified occasionally. While a redef allows a re-definition of an already defined constant in Zeek, these redefinitions can only be performed when Zeek first starts. Afterwards, constants can no longer be modified.

However, it is clearly desirable to be able to change at runtime many of the configuration options that Zeek offers. Restarting Zeek can be time-consuming and causes it to lose all connection state and knowledge that it accumulated. Zeek’s configuration framework solves this problem.

Declaring Options

The option keyword allows variables to be declared as configuration options:

module Test;

export {
    option my_networks: set[subnet] = {};
    option enable_feature = F;
    option hostname = "testsystem";
    option timeout_after = 1min;
    option my_ports: vector of port = {};
}

Options combine aspects of global variables and constants. Like global variables, options cannot be declared inside a function, hook, or event handler. Like constants, options must be initialized when declared (the type can often be inferred from the initializer but may need to be specified when ambiguous). The value of an option can change at runtime, but options cannot be assigned a new value using normal assignments.

The initial value of an option can be redefined with a redef declaration just like for global variables and constants. However, there is no need to specify the &redef attribute in the declaration of an option. For example, given the above option declarations, here are redefs that work without it:

redef Test::enable_feature = T;
redef Test::my_networks += { 10.1.0.0/16, 10.2.0.0/16 };

Changing Options

The configuration framework facilitates reading in new option values from external files at runtime. Configuration files contain a mapping between option names and their values. Each line contains one option assignment, formatted as follows:

[option name][tab/spaces][new value]

Lines starting with # are comments and ignored.

You register configuration files by adding them to Config::config_files, a set of filenames. Simply say something like the following in local.zeek:

redef Config::config_files += { "/path/to/config.dat" };

Zeek will then monitor the specified file continuously for changes. For example, adding a line containing:

Test::enable_feature T

to the config file while Zeek is running will cause it to automatically update the option’s value in the scripting layer. The next time your code accesses the option, it will see the new value.

Note

The config framework is clusterized. In a cluster configuration, only the manager node watches the specified configuration files, and relays option updates across the cluster.

Config File Formatting

The formatting of config option values in the config file is not the same as in Zeek’s scripting language. Keep an eye on the reporter.log for warnings from the config reader in case of incorrectly formatted values, which it’ll generally ignore when encountered. The following table summarizes supported types and their value representations:

addr
  Sample: 1.2.3.4
  Plain IPv4 or IPv6 address, as in Zeek. No /32 or similar netmasks.

bool
  Sample: T
  T or 1 for true, F or 0 for false.

count
  Sample: 42
  Plain, nonnegative integer.

double
  Sample: -42.5
  Plain double number.

enum
  Sample: Enum::FOO_A
  Plain enum string.

int
  Sample: -1
  Plain integer.

interval
  Sample: 3600.0
  Always in seconds, with optional fraction of seconds. Never includes a time unit.

pattern
  Sample: /(foo|bar)/
  The regex pattern, within forward-slash characters.

port
  Sample: 42/tcp
  Port number with protocol, as in Zeek. When the protocol part is missing, Zeek interprets it as /unknown.

set
  Sample: 80/tcp,53/udp
  The set members, formatted as per their own type, separated by commas. For an empty set, use an empty string: just follow the option name with whitespace. Sets with multiple index types (e.g. set[addr,string]) are currently not supported in config files.

string
  Sample: Don’t bite, Zeek
  Plain string, no quotation marks. Given quotation marks become part of the string. Everything after the whitespace separator delineating the option name becomes the string. Spaces and special characters are fine. Backslash characters (e.g. \n) have no special meaning.

subnet
  Sample: 1.2.3.4/16
  Plain subnet, as in Zeek.

time
  Sample: 1608164505.5
  Always in epoch seconds, with optional fraction of seconds. Never includes a time unit.

vector
  Sample: 1,2,3,4
  The vector elements, formatted as per their own type, separated by commas. For an empty vector, use an empty string: just follow the option name with whitespace.

This leaves a few data types unsupported, notably tables and records. If you require these, build up an instance of the corresponding type manually (perhaps from a separate input framework file) and then call Config::set_value to update the option:

module Test;

export {
    option host_port: table[addr] of port = {};
}

event zeek_init() {
    local t: table[addr] of port = { [10.0.0.2] = 123/tcp };
    Config::set_value("Test::host_port", t);
}

Regardless of whether an option change is triggered by a config file or via explicit Config::set_value calls, Zeek always logs the change to config.log. A sample entry:

#fields ts      id      old_value       new_value       location
#types  time    string  string  string  string
1608167352.498872      Test::a_count     42      3      config.txt

Mentioning options repeatedly in the config files leads to multiple update events; the last entry “wins”. Mentioning options that do not correspond to existing options in the script layer is safe, but triggers warnings in reporter.log:

warning: config.txt/Input::READER_CONFIG: Option 'an_unknown' does not exist. Ignoring line.

Internally, the framework uses the Zeek input framework to learn about config changes. If you inspect the configuration framework scripts, you will notice that the scripts simply catch input framework events and call Config::set_value to set the relevant option to the new value. If you want to change an option in your scripts at runtime, you can likewise call Config::set_value directly from a script (in a cluster configuration, this only needs to happen on the manager, as the change will be automatically sent to all other nodes in the cluster).
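As an added example (not from the Zeek documentation), the following script carries the table-option approach described above through to a complete, file-driven version: the input framework maintains a staging table from a tab-separated file, and once each (re)read has finished the script hands a copy to the option via Config::set_value, on the manager only when clustered. The module name, file path, record and input names are assumptions; the file is assumed to carry a `#fields` header naming the columns `host` and `p`, as the input framework requires.

```zeek
##! Added example: populate a table-typed option from an input file, since the
##! config file format cannot express tables. Path, record and input names are
##! assumptions made for this illustration.
module Test;

export {
    ## The option to manage. Stays empty until the file has been read.
    option host_port: table[addr] of port = {};

    ## Tab-separated file with a "#fields<TAB>host<TAB>p" header (assumed path).
    const host_port_file = "/opt/zeek/etc/host_port.tsv" &redef;
}

## Index and value records mirroring the file's columns.
type HostIdx: record {
    host: addr;
};

type HostVal: record {
    p: port;
};

## Staging table the input framework maintains; the option is replaced from it
## only once a complete read has finished, never half-way through a reread.
global staged_host_port: table[addr] of port;

# On a cluster only the manager reads the file; Config::set_value on the
# manager propagates the new value to every other node.
@if ( ! Cluster::is_enabled() || Cluster::local_node_type() == Cluster::MANAGER )
event zeek_init()
    {
    # $want_record=F unwraps the single-field value record into a plain port.
    Input::add_table([$source=host_port_file, $name="host_port",
                      $idx=HostIdx, $val=HostVal, $want_record=F,
                      $destination=staged_host_port, $mode=Input::REREAD]);
    }

event Input::end_of_data(name: string, source: string)
    {
    if ( name != "host_port" )
        return;

    # Hand a copy to the option, recording the file as the change location,
    # which then appears in config.log and as the third handler argument.
    Config::set_value("Test::host_port", copy(staged_host_port), source);
    }
@endif
```

A constructed input file for this script would contain a header line `#fields	host	p` followed by rows such as `10.0.0.2	123/tcp`; with Input::REREAD the staging table tracks edits to the file and Input::end_of_data fires after each complete pass, so the option is never updated from a partially read file.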

Note

The input framework is usually very strict about the syntax of input files, but that is not the case for configuration files. These require no header lines, and both tabs and spaces are accepted as separators. A custom input reader, specifically for reading config files, facilitates this.

Tip

The gory details of option-parsing reside in Ascii::ParseValue() in src/threading/formatters/Ascii.cc and Value::ValueToVal in src/threading/SerialTypes.cc in the Zeek core.

Change Handlers

A change handler is a user-defined function that Zeek calls each time an option value changes. This allows you to react programmatically to option changes. The following example shows how to register a change handler for an option that has a data type of addr (for other data types, the return type and second parameter data type must be adjusted accordingly):

module Test;

export {
    option testaddr = 127.0.0.1;
}

# Note: the data type of 2nd parameter and return type must match
function change_addr(id: string, new_value: addr): addr
    {
    print fmt("Value of %s changed from %s to %s", id, testaddr, new_value);
    return new_value;
    }

event zeek_init()
    {
    Option::set_change_handler("Test::testaddr", change_addr);
    }

Immediately before Zeek changes the specified option value, it invokes any registered change handlers. The value returned by the change handler is the value Zeek assigns to the option. This allows, for example, checking of values to reject invalid input (the original value can be returned to override the change).

Note

Option::set_change_handler expects the name of the option to invoke the change handler for, not the option itself. Also, that name includes the module name, even when registering from within the module.

It is possible to define multiple change handlers for a single option. In this case, the change handlers are chained together: the value returned by the first change handler is the “new value” seen by the next change handler, and so on. The built-in function Option::set_change_handler takes an optional third argument that can specify a priority for the handlers.

A change handler function can optionally have a third argument of type string. When a config file triggers a change, then the third argument is the pathname of the config file. When the Config::set_value function triggers a change, then the third argument of the change handler is the value passed to the optional third argument of the Config::set_value function.
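The following added example (not from the Zeek documentation) shows the validating use of a change handler described above, together with handler chaining by priority and the three-argument form that receives the change location. The option name, the values it refuses and the location string are assumptions for the illustration; the security-relevant point is that a single mistyped config line could otherwise widen an ignore list to all traffic and silently blind whatever relies on it.

```zeek
##! Added example: a validating change handler that refuses dangerous values,
##! chained with a lower-priority handler, and a scripted change that supplies
##! a location string. Option name and the refused values are assumptions.
module Test;

export {
    ## Networks whose traffic some detector skips entirely (assumed option).
    option ignore_nets: set[subnet] = {};
}

## Runs first (priority 10). A catch-all entry would blind the detector,
## so such an update is refused and the current value kept.
function validate_ignore_nets(id: string, new_value: set[subnet],
                              location: string): set[subnet]
    {
    for ( n in new_value )
        {
        if ( n == 0.0.0.0/0 || n == [::]/0 )
            {
            Reporter::warning(fmt("%s: refusing %s from %s, keeping current value",
                                  id, n, location));
            return ignore_nets;
            }
        }

    return new_value;
    }

## Runs after the validator (priority -10), so it sees the validated value.
function announce_ignore_nets(id: string, new_value: set[subnet]): set[subnet]
    {
    print fmt("%s now contains %d entries", id, |new_value|);
    return new_value;
    }

event zeek_init()
    {
    Option::set_change_handler("Test::ignore_nets", validate_ignore_nets, 10);
    Option::set_change_handler("Test::ignore_nets", announce_ignore_nets, -10);

    # A scripted change; the third argument becomes "location" in the handlers
    # and in config.log. A config file line doing the same would read:
    #   Test::ignore_nets 10.0.0.0/8,192.168.0.0/16
    Config::set_value("Test::ignore_nets", set(10.0.0.0/8, 192.168.0.0/16), "zeek_init");
    }
```

Handlers with a higher priority run first, so the validator always sees the raw value and the announcing handler only ever sees what the validator let through. When the validator returns the current value, the option is simply reassigned its existing contents and config.log records a change whose old and new values are identical, which is a useful audit trail for rejected updates.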

Tip

Change handlers are also used internally by the configuration framework. If you look at the script-level source code of the config framework, you can see that change handlers log the option changes to config.log.

When Change Handlers Trigger

Change handlers often implement logic that manages additional internal state. For example, depending on a performance toggle option, you might initialize or clean up a caching structure. In such scenarios you need to know exactly when and whether a handler gets invoked. The following hold:

  • When no config files get registered in Config::config_files, change handlers do not run.

  • When none of the registered config files exist on disk, change handlers do not run.

That is, change handlers are tied to config files, and don’t automatically run with the option’s default values.

  • When a config file exists on disk at Zeek startup, change handlers run with the file’s config values.

  • When the config file contains the same value the option already defaults to, its change handlers are invoked anyway.

  • zeek_init handlers run before any change handlers — i.e., they run with the options’ default values.

  • Since the config framework relies on the input framework, the input framework’s inherent asynchrony applies: you can’t assume when exactly an option change manifests in the code.

If your change handler needs to run consistently at startup and when options change, you can call the handler manually from zeek_init when you register it. That way, initialization code always runs for the option’s default value, and also for any new values.

module Test;

export {
    option use_cache = T;
}

function use_cache_hdlr(id: string, new_value: bool): bool
    {
    if ( new_value ) {
        # Ensure caching structures are set up properly
    }

    return new_value;
    }

event zeek_init()
    {
    use_cache_hdlr("Test::use_cache", use_cache);
    Option::set_change_handler("Test::use_cache", use_cache_hdlr);
    }

File Analysis

In the past, writing Zeek scripts with the intent of analyzing file content could be cumbersome because of the fact that the content would be presented in different ways, via events, at the script-layer depending on which network protocol was involved in the file transfer. Scripts written to analyze files over one protocol would have to be copied and modified to fit other protocols. The file analysis framework (FAF) instead provides a generalized presentation of file-related information. The information regarding the protocol involved in transporting a file over the network is still available, but it no longer has to dictate how one organizes their scripting logic to handle it. A goal of the FAF is to provide analysis specifically for files that is analogous to the analysis Zeek provides for network connections.

File Lifecycle Events

The key events that may occur during the lifetime of a file are: file_new, file_over_new_connection, file_timeout, file_gap, and file_state_remove. Handling any of these events provides some information about the file such as which network connection and protocol are transporting the file, how many bytes have been transferred so far, and its MIME type.

Here’s a simple example:

file_analysis_01.zeek
event connection_state_remove(c: connection)
    {
    print "connection_state_remove";
    print c$uid;
    print c$id;
    for ( s in c$service )
        print s;
    }

event file_state_remove(f: fa_file)
    {
    print "file_state_remove";
    print f$id;
    for ( cid in f$conns )
        {
        print f$conns[cid]$uid;
        print cid;
        }
    print f$source;
    }
$ zeek -r http/get.trace file_analysis_01.zeek
file_state_remove
FakNcS1Jfe01uljb3
CHhAvVGS1DHFjwGM9
[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]
HTTP
connection_state_remove
CHhAvVGS1DHFjwGM9
[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]
HTTP

This doesn’t perform any interesting analysis yet, but does highlight the similarity between analysis of connections and files. Connections are identified by the usual 5-tuple or a convenient UID string, while files are identified just by a string of the same format as the connection UID. So there are unique ways to identify both files and connections, and files hold references to the connection (or connections) that transported them.

Adding Analysis

There are builtin file analyzers which can be attached to files. Once attached, they start receiving the contents of the file as Zeek extracts it from an ongoing network connection. What they do with the file contents is up to the particular file analyzer implementation, but they’ll typically either report further information about the file via events (e.g. Files::ANALYZER_MD5 will report the file’s MD5 checksum via file_hash once calculated) or they’ll have some side effect (e.g. Files::ANALYZER_EXTRACT will write the contents of the file out to the local file system).

In the future there may be file analyzers that automatically attach to files based on heuristics, similar to the Dynamic Protocol Detection (DPD) framework for connections, but many will always require an explicit attachment decision.

Here’s a simple example of how to use the MD5 file analyzer to calculate the MD5 of plain text files:

file_analysis_02.zeek
event file_sniff(f: fa_file, meta: fa_metadata)
    {
    if ( ! meta?$mime_type ) return;
    print "new file", f$id;
    if ( meta$mime_type == "text/plain" )
        Files::add_analyzer(f, Files::ANALYZER_MD5);
    }

event file_hash(f: fa_file, kind: string, hash: string)
    {
    print "file_hash", f$id, kind, hash;
    }
$ zeek -r http/get.trace file_analysis_02.zeek
new file, FakNcS1Jfe01uljb3
file_hash, FakNcS1Jfe01uljb3, md5, 397168fd09991a0e712254df7bc639ac

Some file analyzers might have tunable parameters that need to be specified in the call to Files::add_analyzer:

event file_new(f: fa_file)
    {
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
                        [$extract_filename="myfile"]);
    }

In this case, the file extraction analyzer doesn’t generate any further events, but it does have the effect of writing the file contents to the local file system at the location formed by concatenating the path in FileExtract::prefix with the string myfile. For a network with more than a single file being transferred, every file would collide on that one name, so specify a distinct extraction path per file, for example one derived from f$id. Because the name becomes part of a file system path, derive it from values Zeek controls (such as f$id) rather than from anything found in the transferred content or its transport headers.

Regardless of which file analyzers end up acting on a file, general information about the file (e.g. size, time of last data transferred, MIME type, etc.) are logged in files.log.

Input Framework Integration

The file analysis framework (FAF) comes with a simple way to integrate with the Input Framework, so that Zeek can analyze files from external sources in the same way it analyzes files it sees in the traffic on a network interface it’s monitoring. It only requires a call to Input::add_analysis:

file_analysis_03.zeek
redef exit_only_after_terminate = T;

event file_new(f: fa_file)
    {
    print "new file", f$id;
    Files::add_analyzer(f, Files::ANALYZER_MD5);
    }

event file_state_remove(f: fa_file)
    {
    print "file_state_remove";
    Input::remove(f$source);
    terminate();
    }

event file_hash(f: fa_file, kind: string, hash: string)
    {
    print "file_hash", f$id, kind, hash;
    }

event zeek_init()
    {
    local source: string = "./myfile";
    Input::add_analysis([$source=source, $name=source]);
    }

Note that the “source” field of fa_file corresponds to the “name” field of Input::AnalysisDescription since that is what the input framework uses to uniquely identify an input stream.

Example output of the above script may be:

$ echo "Hello world" > myfile
$ zeek file_analysis_03.zeek
new file, FZedLu4Ajcvge02jA8
file_hash, FZedLu4Ajcvge02jA8, md5, f0ef7081e1539ac00ef5b761b4fb01b3
file_state_remove

Nothing that special, but it at least verifies the MD5 file analyzer saw all the bytes of the input file and calculated the checksum correctly!

GeoLocation

During the process of creating policy scripts the need may arise to find the geographic location for an IP address. Zeek had support for the GeoIP library at the policy script level from release 1.3 to 2.5.x to account for this need. Starting with release 2.6, GeoIP support requires libmaxminddb. To use this functionality, you need to first install the libmaxminddb software, and then install the GeoLite2 city database before building Zeek.

Install libmaxminddb

Before building Zeek, you need to install libmaxminddb.

  • RPM/RedHat-based Linux:

    sudo yum install libmaxminddb-devel
    
  • DEB/Debian-based Linux:

    sudo apt-get install libmaxminddb-dev
    
  • FreeBSD:

    sudo pkg install libmaxminddb
    
  • Mac OS X:

    You need to install from your preferred package management system (e.g. Homebrew, MacPorts, or Fink). For Homebrew, the name of the package that you need is libmaxminddb.

GeoLite2-City Database Installation

Zeek can use the city or country database. The city database includes cities and regions in addition to countries.

First, signup for a MaxMind account, which is now required to download even free/public GeoIP databases. Then, you can download databases. For example, download the GeoLite2-City database and decompress it.

Next, the file GeoLite2-City_YYYYMMDD/GeoLite2-City.mmdb needs to be moved to the GeoIP database directory. This directory might already exist and will vary depending on which platform and package you are using. For FreeBSD, use /usr/local/share/GeoIP. For Linux, use /usr/share/GeoIP or /var/lib/GeoIP (choose whichever one already exists).

mv <extracted subdir>/GeoLite2-City.mmdb <path_to_database_dir>/GeoLite2-City.mmdb

Testing

Before using the GeoIP functionality, it is a good idea to verify that everything is setup correctly. After installing libmaxminddb and the GeoIP city database, and building Zeek, you can quickly check if the GeoIP functionality works by running a command like this:

zeek -e "print lookup_location(8.8.8.8);"

If you see an error message similar to “Failed to open GeoIP location database”, then you may need to either rename or move your GeoIP location database file. If the mmdb_dir value is set to a directory pathname (it is not set by default), then Zeek looks for location database files in that directory. If none are found or if mmdb_dir is not set, then Zeek looks for location database files in the following order:

  • /usr/share/GeoIP/GeoLite2-City.mmdb

  • /var/lib/GeoIP/GeoLite2-City.mmdb

  • /usr/local/share/GeoIP/GeoLite2-City.mmdb

  • /usr/local/var/GeoIP/GeoLite2-City.mmdb

  • /usr/share/GeoIP/GeoLite2-Country.mmdb

  • /var/lib/GeoIP/GeoLite2-Country.mmdb

  • /usr/local/share/GeoIP/GeoLite2-Country.mmdb

  • /usr/local/var/GeoIP/GeoLite2-Country.mmdb

If you see an error message similar to “Zeek was not configured for GeoIP support”, then you need to rebuild Zeek and make sure it is linked against libmaxminddb. Normally, if libmaxminddb is installed correctly then it should automatically be found when building Zeek. If this doesn’t happen, then you may need to specify the path to the libmaxminddb installation (e.g. ./configure --with-geoip=<path>).

Usage

There is a built-in function that provides the GeoIP functionality:

function lookup_location(a:addr): geo_location

The return value of the lookup_location function is a record type called geo_location, and it consists of several fields containing the country, region, city, latitude, and longitude of the specified IP address. Since one or more fields in this record will be uninitialized for some IP addresses (for example, the country and region of an IP address might be known, but the city could be unknown), a field should be checked if it has a value before trying to access the value.

Example

To report FTP sessions from hosts in Ohio, this is now very easy (ftp_reply fires for every server reply, so a long session prints more than once):

event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool)
{
  local client = c$id$orig_h;
  local loc = lookup_location(client);

  # Every geo_location field is optional: test each one with ?$ before
  # reading it, or the script aborts with a missing-field error.
  if (loc?$country_code && loc$country_code == "US" &&
      loc?$region && loc$region == "OH")
  {
    local city = loc?$city ? loc$city : "<unknown>";

    print fmt("FTP Connection from: %s (%s,%s,%s)", client, city,
      loc$region, loc$country_code);
  }
}

Input Framework

Zeek features a flexible input framework that allows users to import arbitrary data into Zeek. Data is either read into Zeek tables or directly converted to events for scripts to handle as they see fit. A modular reader architecture allows reading from files, databases, or other data sources.

This chapter gives an overview of how to use the input framework, with examples. For more complex scenarios take a look at the test cases in testing/btest/scripts/base/frameworks/input/ in the Zeek distribution.

Note

The input framework has no awareness of Zeek’s cluster architecture. Zeek supports all of the mechanisms covered below on any cluster node. The config and intelligence frameworks both leverage the input framework, adding logic that applies the input framework on the manager node, distributing ingested information across the cluster via events.

Reading Data into Tables

Probably the most interesting use-case of the input framework is to read data into a Zeek table. By default, the input framework reads the data in the same format as it is written by Zeek’s logging framework: a tab-separated ASCII file.

We will show the ways to read files into Zeek with a simple example. For this example we assume that we want to import data from a denylist that contains server IP addresses as well as the timestamp and the reason for the block.

An example input file could look like this (note that all fields must be tab-separated):

#fields ip timestamp reason
192.168.17.1 1333252748 Malware host
192.168.27.2 1330235733 Botnet server
192.168.250.3 1333145108 Virus detected

To read a file into a Zeek table, two record types have to be defined. One contains the types and names of the columns that should constitute the table keys, and the second contains the types and names of the columns that should constitute the table values.

In our case, we want to be able to look up IPs. Hence, our key record only contains the server IP. All other elements should be stored as the table content.

type Idx: record {
    ip: addr;
};

type Val: record {
    timestamp: time;
    reason: string;
};

Note that the names of the fields in the record definitions must correspond to the column names listed in the #fields line of the input file, in this case ip, timestamp, and reason. Also note that the ordering of the columns does not matter, because each column is identified by name.

The input file is read into the table with a call of the Input::add_table function:

global denylist: table[addr] of Val = table();

event zeek_init() {
    Input::add_table([$source="denylist.file", $name="denylist",
                      $idx=Idx, $val=Val, $destination=denylist]);
    Input::remove("denylist");
}

With these three lines we first create an empty table that should receive the denylist data and then instruct the input framework to open an input stream named “denylist” to read the data into the table. The third line removes the input stream again, because we do not need it any more after the data has been read.

Note that while the key and content records may use &optional fields, omitting columns (usually via the “-” character) requires care. Since the key record’s columns expand into a list of values for indexing into the receiving table (note how in the above example denylist is indexed via a plain addr) and all of those values must be present for indexing, you cannot in practice omit these values. For content records, omitting is meaningful, but only permitted for columns with the &optional attribute. The framework skips offending input lines with a warning.

Note

Prior to version 4.1 Zeek accepted such inputs, unsafely. When transitioning from such versions to Zeek 4.1 or newer, users with omitted fields in their input data may observe discrepancies in the loaded data sets.

Asynchronous processing

Since some data files might be rather large, the input framework works asynchronously. A new thread is created for each new input stream. This thread opens the input data file, converts the data into an internal format and sends it back to the main Zeek thread. Because of this, the data is not immediately accessible. Depending on the size of the data source it might take from a few milliseconds up to a few seconds until all data is present in the table. Please note that this means that when Zeek is running without an input source or on very short captured files, it might terminate before the data is present in the table (because Zeek already handled all packets before the import thread finished).

Subsequent calls to an input source are queued until the previous action has been completed. Because of this it is, for example, possible to call Input::add_table and Input::remove in two subsequent lines: the remove action will remain queued until the first read has been completed.

Once the input framework finishes reading from a data source, it fires the Input::end_of_data event. Once this event has been received all data from the input file is available in the table.

event Input::end_of_data(name: string, source: string) {
    # now all data is in the table
    print denylist;
}

The table can be used while the data is still being read — it just might not contain all lines from the input file before the event has fired. After the table has been populated it can be used like any other Zeek table and denylist entries can easily be tested:

if ( 192.168.18.12 in denylist )
    # take action

Sets instead of tables

For some use cases the key/value notion that drives tabular data does not apply, for example when the main purpose of the data is to test for membership in a set. The input framework supports this approach by using sets as the destination data type, and omitting $val in Input::add_table:

type Idx: record {
    ip: addr;
};

global denylist: set[addr] = set();

event zeek_init() {
    Input::add_table([$source="denylist.file", $name="denylist",
                     $idx=Idx, $destination=denylist]);
    Input::remove("denylist");
}

Re-reading and streaming data

For some data sources (such as many denylists), the input data changes continually. The input framework supports additional techniques to manage such ever-changing input.

The first, very basic method is an explicit refresh of an input stream. When an input stream is open (meaning it has not yet been removed by a call to Input::remove), the function Input::force_update can be called. This will trigger a complete refresh of the table: any changed elements from the file will be updated, new ones added, and any elements no longer in the input data get removed. After the update is finished the Input::end_of_data event will be raised.

In our example the call would look as follows:

Input::force_update("denylist");

Alternatively, the input framework can automatically refresh the table contents when it detects a change to the input file. To use this feature you need to specify a non-default read mode by setting the mode option of the Input::add_table call. Valid values are Input::MANUAL (the default), Input::REREAD, and Input::STREAM. For example, setting the value of the mode option in the previous example would look like this:

Input::add_table([$source="denylist.file", $name="denylist",
                  $idx=Idx, $val=Val, $destination=denylist,
                  $mode=Input::REREAD]);

When using the reread mode (i.e., $mode=Input::REREAD), Zeek continually checks if the input file has been changed. If the file has been changed, it is re-read and the data in the Zeek table is updated to reflect the current state. Each time a change has been detected and all the new data has been read into the table, the Input::end_of_data event is raised.

When using the streaming mode (i.e., $mode=Input::STREAM), Zeek assumes that the input is an append-only file to which new data is continually appended. Zeek continually checks for new data at the end of the file and will add the new data to the table. If newer lines in the file have the same table index as previous lines, they will overwrite the values in the output table. Because of the nature of streaming reads (data is continually added to the table), the Input::end_of_data event is never raised when using streaming reads.

Tip

Change detection happens via periodic “heartbeat” events, defaulting to a frequency of once per second as defined by the global Threading::heartbeat_interval constant. The reader considers the input file changed when the file’s inode or modification time has changed since the last check.

Receiving change events

When re-reading files, it might be interesting to know exactly which lines in the source files have changed. For this reason, the input framework can raise an event each time when a data item is added to, removed from, or changed in a table.

The event definition looks like this (note that you can change the name of this event in your own Zeek script):

event entry(description: Input::TableDescription, tpe: Input::Event,
            left: Idx, right: Val) {
    # do something here...
    print fmt("%s = %s", left, right);
}

The event must be specified in $ev in the Input::add_table call:

Input::add_table([$source="denylist.file", $name="denylist",
                  $idx=Idx, $val=Val, $destination=denylist,
                  $mode=Input::REREAD, $ev=entry]);

The description argument of the event contains the arguments that were originally supplied to the Input::add_table call. Hence, the name of the stream can, for example, be accessed with description$name. The tpe argument of the event is an enum containing the type of the change that occurred.

If a line that was not previously present in the table has been added, then the value of tpe will be Input::EVENT_NEW. In this case left contains the index of the added table entry and right contains the values of the added entry.

If a table entry that already was present is altered during the re-reading or streaming read of a file, then the value of tpe will be Input::EVENT_CHANGED. In this case left contains the index of the changed table entry and right contains the values of the entry before the change. The reason for this is that the table already has been updated when the event is raised. The current value in the table can be ascertained by looking up the current table value. Hence it is possible to compare the new and the old values of the table.

If a table element is removed because it was no longer present during a re-read, then the value of tpe will be Input::EVENT_REMOVED. In this case left contains the index and right the values of the removed element.

Filtering data during import

The input framework also allows a user to filter the data during the import. To this end, predicate functions are used. A predicate function is called before a new element is added/changed/removed from a table. The predicate can either accept or veto the change by returning true for an accepted change and false for a rejected change. Furthermore, it can alter the data before it is written to the table.

The following example filter will reject adding entries to the table when they were generated over a month ago. It will accept all changes and all removals of values that are already present in the table.

Input::add_table([$source="denylist.file", $name="denylist",
                  $idx=Idx, $val=Val, $destination=denylist,
                  $mode=Input::REREAD,
                  $pred(tpe: Input::Event, left: Idx, right: Val) = {
                    if ( tpe != Input::EVENT_NEW ) {
                        return T;
                    }
                    return (current_time() - right$timestamp) < 30day;
                  }]);

To change elements while they are being imported, the predicate function can manipulate left and right. Note that predicate functions are called before the change is committed to the table. Hence, when a table element is changed (tpe is Input::EVENT_CHANGED), left and right contain the new values, but the destination (denylist in our example) still contains the old values. This allows predicate functions to examine the changes between the old and the new version before deciding if they should be allowed.
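As an added example (Python, not Zeek code), the following models the table-update rules described in this and the preceding section: which change events one re-read produces, that right carries the old value for Input::EVENT_CHANGED while the table already holds the new one, and that the predicate runs before the commit and can veto stale Input::EVENT_NEW entries exactly like the $pred above. The two snapshots of denylist.file and the reference time NOW are constructed.

```python
"""Model of how a re-read updates a destination table and which change events
and predicate calls it produces. Added example in Python, not Zeek code; the
two snapshots of denylist.file and the reference time NOW are constructed."""
from datetime import datetime, timedelta, timezone

EVENT_NEW, EVENT_CHANGED, EVENT_REMOVED = "EVENT_NEW", "EVENT_CHANGED", "EVENT_REMOVED"

# Constructed reference time standing in for current_time().
NOW = datetime(2012, 4, 2, tzinfo=timezone.utc)

# Two constructed snapshots of denylist.file, already parsed: key = Idx (ip),
# value = Val (timestamp as epoch seconds, reason).
OLD_SNAPSHOT = {
    "192.168.17.1":  {"timestamp": 1333252748, "reason": "Malware host"},
    "192.168.27.2":  {"timestamp": 1330235733, "reason": "Botnet server"},
    "192.168.250.3": {"timestamp": 1333145108, "reason": "Virus detected"},
}
NEW_SNAPSHOT = {
    "192.168.17.1":  {"timestamp": 1333252748, "reason": "Malware host"},  # unchanged
    "192.168.27.2":  {"timestamp": 1333300000, "reason": "C2 server"},     # changed
    "10.0.0.9":      {"timestamp": 1333300000, "reason": "Scanner"},       # new, recent
    "10.0.0.10":     {"timestamp": 1320000000, "reason": "Old entry"},     # new, stale
}                                                                        # 192.168.250.3 gone

def pred_fresh_only(tpe, left, right, max_age=timedelta(days=30)):
    """Counterpart of the $pred above: accept every change and removal, but veto
    EVENT_NEW entries generated more than max_age ago."""
    if tpe != EVENT_NEW:
        return True
    generated = datetime.fromtimestamp(right["timestamp"], tz=timezone.utc)
    return NOW - generated < max_age

def reread(table, snapshot, pred=None):
    """Apply one re-read of `snapshot` to `table` in place, as Input::REREAD
    would, and return the change events as the $ev handler would see them:
    (tpe, left, right)."""
    events = []
    for ip, new_val in snapshot.items():
        if ip not in table:
            tpe = EVENT_NEW
        elif table[ip] != new_val:
            tpe = EVENT_CHANGED
        else:
            continue                      # identical line: no event
        # The predicate runs before the commit: it sees the incoming value
        # while `table` still holds the old one, so it can compare both.
        if pred is not None and not pred(tpe, ip, new_val):
            continue
        old_val = table.get(ip)
        table[ip] = new_val
        # The event fires after the commit. For EVENT_CHANGED `right` is the
        # value before the change; the new value is what `table[ip]` now holds.
        events.append((tpe, ip, old_val if tpe == EVENT_CHANGED else new_val))
    for ip in [k for k in table if k not in snapshot]:
        if pred is not None and not pred(EVENT_REMOVED, ip, table[ip]):
            continue
        events.append((EVENT_REMOVED, ip, table.pop(ip)))
    return events

if __name__ == "__main__":
    denylist = dict(OLD_SNAPSHOT)
    for tpe, left, right in reread(denylist, NEW_SNAPSHOT, pred_fresh_only):
        print(f"{tpe:<14} {left:<14} {right}")
    print("table now:", denylist)
```

Running it shows one EVENT_NEW (10.0.0.9), one EVENT_CHANGED whose right still says "Botnet server", one EVENT_REMOVED, and no event at all for the stale 10.0.0.10 line, which the predicate kept out of the table.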

Broken input data

The input framework notifies you of problems during data ingestion in two ways. First, reporter messages, ending up in reporter.log, indicate the type of problem and the file in which the problem occurred:

#fields ts      level   message location
0.000000        Reporter::WARNING       denylist.file/Input::READER_ASCII: Did not find requested field ip in input data file denylist.file.   (empty)

Second, the Input::TableDescription and Input::EventDescription records feature an $error_ev member to trigger events indicating the same message and severity levels as shown above. The use of these events mirrors that of change events.

For both approaches, the framework suppresses repeated messages regarding the same file, so mistakes in large data files do not trigger a message flood.

Finally, the ASCII reader allows coarse control over the robustness in case of problems during data ingestion. Concretely, the InputAscii::fail_on_invalid_lines and InputAscii::fail_on_file_problem flags indicate whether problems should merely trigger warnings or lead to processing failure. Both default to warnings.

Reading Data to Events

The second data ingestion mode of the input framework directly generates Zeek events from ingested data instead of inserting them to a table. Event streams work very similarly to the table streams discussed above, and most of the features discussed (such as predicates for filtering) also work for event streams. To read the denylist of the previous example into an event stream, we use the Input::add_event function:

type Val: record {
    ip: addr;
    timestamp: time;
    reason: string;
};

event denylistentry(description: Input::EventDescription,
                     tpe: Input::Event, data: Val) {
    # do something here...
    print "data:", data;
}

event zeek_init() {
    Input::add_event([$source="denylist.file", $name="denylist",
                     $fields=Val, $ev=denylistentry]);
}

Event streams differ from table streams in two ways:

  • An event stream needs no separate index and value declarations — instead, all source data types are provided in a single record definition.

  • Since the framework perceives a continuous stream of events, it has no concept of a data baseline (e.g. a table) to compare the incoming data to. Therefore the change event type (an Input::Event instance, tpe in the above) is currently always Input::EVENT_NEW.

These aside, event streams work exactly the same as table streams and support most of the options that are also supported for table streams.

Data Readers

The input framework supports different kinds of readers for different kinds of source data files. At the moment, the framework defaults to ingesting ASCII files formatted in the Zeek log file format (tab-separated values with a #fields header line). Several other readers are included in Zeek, and Zeek packages/plugins can provide additional ones.

Reader selection proceeds as follows. The Input::default_reader variable defines the default reader: Input::READER_ASCII. When you call Input::add_table or Input::add_event this reader gets used automatically. You can override the default by assigning the $reader member in the description record passed into these calls. See test cases in testing/btest/scripts/base/frameworks/input/ for examples.

The ASCII Reader

The ASCII reader, enabled by default or by selecting Input::READER_ASCII, understands Zeek’s TSV log format. It actually understands the full set of directives in the preamble of those log files, e.g. to define the column separator. This is rarely used, and most commonly input files merely start with a tab-separated row that names the #fields in the input file, as shown earlier.

Warning

The ASCII reader has no notion of file locking, including UNIX’s advisory locking. For large files, this means the framework might process a file that’s still written to. The reader handles resulting errors robustly (e.g. via the reporter log, as described earlier), but nevertheless will encounter errors. In order to avoid these problems it’s best to produce a new input file on the side, and then atomically rename it to the filename monitored by the framework.

There’s currently no JSON ingestion mode for this reader.
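The rename approach from the warning above, as an added example in Python (not Zeek code): the refreshed file is written to a temporary name in the same directory, flushed to disk, and renamed over the monitored name in one step. The file name denylist.file and the rows are constructed. Because the rename gives the path a new inode, it is also exactly the change the reader's heartbeat check picks up.

```python
"""Publish a refreshed input file atomically so a reader in REREAD or STREAM
mode never opens a half-written file. Added example in Python, not Zeek code;
the file name denylist.file and the rows are constructed."""
import os
import tempfile

FIELDS = ("ip", "timestamp", "reason")

def publish_atomically(path, rows, fields=FIELDS):
    """Write the rows as Zeek-format TSV into a temporary file in the target
    directory, fsync it, then rename it over `path`. rename(2) within one file
    system replaces the name atomically, so any reader sees either the complete
    old file or the complete new one. Returns the inode of the new file."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=".publish.", dir=directory)
    try:
        with os.fdopen(fd, "w", newline="\n") as fh:
            fh.write("#fields\t" + "\t".join(fields) + "\n")
            for row in rows:
                fh.write("\t".join(str(cell) for cell in row) + "\n")
            fh.flush()
            os.fsync(fh.fileno())       # data is on disk before the rename
        os.replace(tmp, path)           # atomic; `tmp` ceases to exist
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return os.stat(path).st_ino

def demo():
    """Publish two versions into a scratch directory and report what the
    reader observes: the inode changes with every refresh (which is what
    triggers the re-read), each read returns a complete file, and no temporary
    file is left behind. Returns (inode_changed, lines_v1, lines_v2, listing)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "denylist.file")
        ino1 = publish_atomically(path, [("192.168.17.1", 1333252748, "Malware host")])
        with open(path) as fh:
            v1 = fh.read()
        ino2 = publish_atomically(path, [("192.168.17.1", 1333252748, "Malware host"),
                                         ("10.0.0.9", 1333300000, "Scanner")])
        with open(path) as fh:
            v2 = fh.read()
        return ino1 != ino2, v1.count("\n"), v2.count("\n"), sorted(os.listdir(d))

if __name__ == "__main__":
    print(demo())
```

The temporary file must live in the same directory as the target: os.replace across file systems falls back to a copy and loses the atomicity the reader depends on.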

The Benchmark Reader

The benchmark reader, selected via Input::READER_BENCHMARK, helps the Zeek developers optimize the speed of the input framework. It can generate arbitrary amounts of semi-random data in all Zeek data types supported by the input framework.

The Binary Reader

This reader, selected via Input::READER_BINARY, is intended for use with file analysis input streams to ingest file content (and is the default type of reader for those streams).

The Raw Reader

The raw reader, selected via Input::READER_RAW, reads a file that is split by a specified record separator (newline by default). The contents are returned line-by-line as strings; it can, for example, be used to read configuration files and the like and is probably only useful in the event mode and not for reading data to tables.

The SQLite Reader

The SQLite input reader, selected via Input::READER_SQLITE, provides a way to access SQLite databases from Zeek. SQLite is a simple, file-based, widely used SQL database system. Due to the transactional nature of SQLite, databases can be used by several applications simultaneously. Hence they can, for example, be used to make constantly evolving datasets available to Zeek on a continuous basis.

Reading Data from SQLite Databases

Like with Zeek’s logging support, reading data from SQLite databases is built into Zeek without any extra configuration needed. Just like text-based input readers, the SQLite reader can read data — in this case the result of SQL queries — into tables or events.

Reading Data into Tables

To read data from a SQLite database, we first have to provide Zeek with the information how the resulting data will be structured. For this example, we expect that we have a SQLite database, which contains host IP addresses and the user accounts that are allowed to log into a specific machine.

The SQLite commands to create the schema are as follows:

create table machines_to_users (
host text unique not null,
users text not null);

insert into machines_to_users values (
    '192.168.17.1', 'johanna,matthias,seth');
insert into machines_to_users values (
    '192.168.17.2', 'johanna');
insert into machines_to_users values (
    '192.168.17.3', 'seth,matthias');

After creating a file called hosts.sqlite with this content, we can read the resulting table into Zeek. Note that $source names the database without its .sqlite suffix, which the reader appends, so /var/db/hosts below refers to /var/db/hosts.sqlite:

type Idx: record {
   host: addr;
};

type Val: record {
   users: set[string];
};

global hostslist: table[addr] of Val = table();

event zeek_init()
   {
   Input::add_table([$source="/var/db/hosts",
       $name="hosts",
       $idx=Idx,
       $val=Val,
       $destination=hostslist,
       $reader=Input::READER_SQLITE,
       $config=table(["query"] = "select * from machines_to_users;")
       ]);

   Input::remove("hosts");
   }

event Input::end_of_data(name: string, source: string)
   {
   if ( name != "hosts" )
       return;

   # now all data is in the table
   print "Hosts list has been successfully imported";

   # List the users of one host.
   print hostslist[192.168.17.1]$users;
   }

The hostslist table can now be used to check host logins against an available user list.

Turning Data into Events

The second mode is to use the SQLite reader to output the input data as events. Typically there are two reasons to do this. First, the structure of the input data is too complicated for a direct table import. In this case, the data can be read into an event which can then create the necessary data structures in Zeek in scriptland. Second, the dataset is too big to hold in memory. In this case, event-driven ingestion can perform checks on-demand.

As an example, let’s consider a large database with malware hashes. Live database queries allow us to cross-check sporadically occurring downloads against this evolving database. The SQLite commands to create the schema are as follows:

create table malware_hashes (
    hash text unique not null,
    description text not null);

insert into malware_hashes values ('86f7e437faa5a7fce15d1ddcb9eaeaea377667b8', 'malware a');
insert into malware_hashes values ('e9d71f5ee7c92d6dc9e92ffdad17b8bd49418f98', 'malware b');
insert into malware_hashes values ('84a516841ba77a5b4648de2cd0dfcb30ea46dbb4', 'malware c');
insert into malware_hashes values ('3c363836cf4e16666669a25da280a1865c2d2874', 'malware d');
insert into malware_hashes values ('58e6b3a414a1e090dfc6029add0f3555ccba127f', 'malware e');
insert into malware_hashes values ('4a0a19218e082a343a1b17e5333409af9d98f0f5', 'malware f');
insert into malware_hashes values ('54fd1711209fb1c0781092374132c66e79e2241b', 'malware g');
insert into malware_hashes values ('27d5482eebd075de44389774fce28c69f45c8a75', 'malware h');
insert into malware_hashes values ('73f45106968ff8dc51fba105fa91306af1ff6666', 'ftp-trace');

The following code uses the file-analysis framework to get the sha1 hashes of files that are transmitted over the network. For each hash, a SQL-query runs against SQLite. If the query returns a result, we output the matching hash.

@load frameworks/files/hash-all-files

type Val: record {
   hash: string;
   description: string;
};

event line(description: Input::EventDescription, tpe: Input::Event, r: Val)
   {
   print fmt("malware-hit with hash %s, description %s", r$hash, r$description);
   }

global malware_source = "/var/db/malware";

event file_hash(f: fa_file, kind: string, hash: string)
   {

   # check all sha1 hashes
   if ( kind=="sha1" )
       {
       Input::add_event(
           [
           $source=malware_source,
           $name=hash,
           $fields=Val,
           $ev=line,
           $want_record=T,
           $config=table(
               ["query"] = fmt("select * from malware_hashes where hash='%s';", hash)
               ),
           $reader=Input::READER_SQLITE
           ]);
       }
   }

event Input::end_of_data(name: string, source:string)
   {
   if ( source == malware_source )
       Input::remove(name);
   }

If you run this script against the trace in testing/btest/Traces/ftp/ipv4.trace, you will get one hit. Two details of the script matter in practice. Input stream names must be unique, and the script uses the hash as the name; if the same hash is seen again before Input::end_of_data has removed the earlier stream, the second Input::add_event call fails. And the query is assembled by string interpolation with fmt, which is safe here only because the hash analyzer emits hexadecimal digits; never reuse that pattern with a string taken from traffic.
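As an added example in Python (not Zeek code), the following builds the malware_hashes database from the rows above and runs the same per-hash lookup the file_hash handler performs, so the script can be exercised without a trace. The file bodies that are hashed are constructed; the only behaviour that goes beyond the script is that the lookup refuses anything that is not a SHA-1 hex digest instead of splicing it into SQL.

```python
"""Build the malware_hashes database from the schema above and check constructed
file contents against it the way the file_hash handler does. Added example, not
Zeek project code: the rows are the ones listed above, the 'downloaded' file
bodies are constructed."""
import hashlib
import sqlite3

ROWS = [
    ("86f7e437faa5a7fce15d1ddcb9eaeaea377667b8", "malware a"),
    ("e9d71f5ee7c92d6dc9e92ffdad17b8bd49418f98", "malware b"),
    ("84a516841ba77a5b4648de2cd0dfcb30ea46dbb4", "malware c"),
    ("3c363836cf4e16666669a25da280a1865c2d2874", "malware d"),
    ("58e6b3a414a1e090dfc6029add0f3555ccba127f", "malware e"),
    ("4a0a19218e082a343a1b17e5333409af9d98f0f5", "malware f"),
    ("54fd1711209fb1c0781092374132c66e79e2241b", "malware g"),
    ("27d5482eebd075de44389774fce28c69f45c8a75", "malware h"),
    ("73f45106968ff8dc51fba105fa91306af1ff6666", "ftp-trace"),
]

def build_db(path=":memory:"):
    """Create malware_hashes with the schema from the text and load ROWS.
    Pass a real path such as /var/db/malware.sqlite to produce the file the
    Zeek script opens through $source="/var/db/malware"."""
    con = sqlite3.connect(path)
    con.execute("create table if not exists malware_hashes ("
                "hash text unique not null, description text not null)")
    con.executemany("insert or ignore into malware_hashes values (?, ?)", ROWS)
    con.commit()
    return con

def is_sha1_hex(s):
    """True for exactly what Files::ANALYZER_SHA1 emits: 40 lowercase hex digits."""
    return len(s) == 40 and all(c in "0123456789abcdef" for c in s)

def lookup(con, sha1_hex):
    """Same query the script builds with fmt(), but parameterised. Interpolating
    is safe in the script only because the hash analyzer output is hex; refuse
    anything else rather than splice it into SQL."""
    if not is_sha1_hex(sha1_hex):
        raise ValueError("refusing to query with a non-SHA-1 string")
    row = con.execute("select description from malware_hashes where hash = ?",
                      (sha1_hex,)).fetchone()
    return row[0] if row else None

def check_file(con, content):
    """Hash a file body as the SHA1 analyzer would and return the description
    of the matching row, or None when the file is not in the database."""
    return lookup(con, hashlib.sha1(content).hexdigest())

if __name__ == "__main__":
    db = build_db()
    for body in (b"a", b"b", b"hello"):
        print(body, check_file(db, body))
```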

Intelligence Framework

Introduction

The goals of Zeek’s Intelligence Framework are to consume intelligence data, make it available for matching, and provide infrastructure to improve performance and memory utilization.

Data in the Intelligence Framework is an atomic piece of intelligence such as an IP address or an e-mail address. This atomic data will be packed with metadata such as a freeform source field, a freeform descriptive field, and a URL which might lead to more information about the specific item. The metadata in the default scripts has been deliberately kept to a minimum.

Quick Start

First we need to define the intelligence data to match. Let’s look for the domain www.reddit.com. For the details of the file format see the Loading Intelligence section below.

#fields       indicator       indicator_type  meta.source
www.reddit.com        Intel::DOMAIN   my_special_source

Now we need to tell Zeek about the data. Add this line to your local.zeek to load an intelligence file:

redef Intel::read_files += { "/somewhere/yourdata.txt" };

In a cluster, the text files only need to reside on the manager.

Add the following line to local.zeek to load the scripts that send “seen” data into the Intelligence Framework to be checked against the loaded intelligence data:

@load frameworks/intel/seen

Intelligence data matches will be logged to the intel.log file. A match on www.reddit.com might look like this:

{
"ts":1320279566.452687,
"uid":"C4llPsinsviGyNY45",
"id.orig_h":"192.168.2.76",
"id.orig_p":52026,
"id.resp_h":"132.235.215.119",
"id.resp_p":80,
"seen.indicator":"www.reddit.com",
"seen.indicator_type":"Intel::DOMAIN",
"seen.where":"HTTP::IN_HOST_HEADER",
"seen.node":"zeek",
"matched":[
        "Intel::DOMAIN"
],
"sources":[
        "my_special_source"
]}

You can explore this example on try.zeek.org.

Architecture

The Intelligence Framework can be thought of as containing three separate portions. The first part involves loading intelligence data. The second is a mechanism for indicating to the intelligence framework that a piece of data which needs to be checked has been seen. The third handles when a positive match has been discovered.

[Figure: intel-architecture.png]

The figure above depicts how these portions work together: loading intelligence inserts the data into an in-memory data store that is managed by the intelligence framework. During traffic analysis, scripts report the seen data to the framework to check against the loaded items.

Loading Intelligence

By default, intelligence data is loaded through plain text files using the Input Framework. In clusters the manager is the only node that needs the intelligence data. The intelligence framework has distribution mechanisms which will push data out to all of the nodes that need it.

Here is an example of the intelligence data format. All fields must be separated by a single tab character and fields containing only a hyphen are considered to be null values. Note that there may be additional fields depending on the loaded extensions. One example is the policy/frameworks/intel/do_notice.zeek script as described below.

#fields indicator       indicator_type  meta.source     meta.desc       meta.url
1.2.3.4 Intel::ADDR     source1 Sending phishing email  http://source1.com/badhosts/1.2.3.4
a.b.com Intel::DOMAIN   source2 Name used for data exfiltration -

For a list of all built-in indicator_type values, please refer to the documentation of Intel::Type.

To load the data once the files are created, add the following to your local.zeek to specify which intel files to load (with your own file names of course):

redef Intel::read_files += {
        "/somewhere/feed1.txt",
        "/somewhere/feed2.txt",
};

Remember, the files only need to be present on the file system of the manager node on cluster deployments.

The intel framework is very flexible so that intelligence matching can be extended in numerous ways. For example, the policy/frameworks/intel/do_notice.zeek script implements a simple mechanism to raise a Zeek notice (of type Intel::Notice) for user-specified intelligence matches. To use this feature, add the following line to local.zeek:

@load frameworks/intel/do_notice

The script adds additional metadata fields. In particular, if the do_notice field of type bool is set to T for an intelligence item, Zeek will create a notice when the item is matched.

Seen Data

When some bit of data is extracted from network traffic (such as an email address in the “From” header of an SMTP message), the Intelligence Framework needs to be informed that this data was discovered so that its presence can be checked against the loaded intelligence data. This is accomplished through the Intel::seen function.

Zeek includes a default set of scripts that will send data to the intelligence framework. To load all of the scripts included with Zeek for sending “seen” data to the intelligence framework, just add this line to local.zeek:

@load frameworks/intel/seen

Alternatively, specific scripts in that directory can be loaded. Keep in mind that as more data is sent to the intelligence framework, the CPU load consumed by Zeek will increase depending on how many times the Intel::seen function is being called. The effect of this condition depends on the nature and volume of the traffic Zeek monitors.

Zeek’s intelligence framework can only match loaded items if corresponding occurrences are reported as seen. For example, the scripts included with Zeek will only report IP addresses from established TCP connections to the intelligence framework. Thus, neither UDP traffic nor one-sided traffic will trigger intelligence hits by default. However, it is easy to report additional observations to the framework. The following will report the IPs of all connections (including ICMP, UDP and one-sided traffic) to the intelligence framework:

event new_connection(c: connection)
        {
        Intel::seen([$host=c$id$orig_h, $conn=c, $where=Conn::IN_ORIG]);
        Intel::seen([$host=c$id$resp_h, $conn=c, $where=Conn::IN_RESP]);
        }

Note that using the new_connection event could have a significant impact on the overall performance as much more data might be processed by the intelligence framework.
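The following is an added example (not part of the Zeek documentation) that narrows the new_connection approach so that the extra Intel::seen calls only cover what the stock seen scripts miss: UDP and ICMP connections are reported as soon as they appear, TCP connection attempts that never completed a handshake are reported from connection_attempt, and established TCP connections are left to frameworks/intel/seen. Only non-local endpoints are reported, which assumes Site::local_nets is set; the networks below are constructed placeholders.

```zeek
# Added example: report only what the stock seen scripts do not already cover,
# to bound the number of extra Intel::seen calls per connection.
@load frameworks/intel/seen

# Constructed placeholder networks; ZeekControl normally sets Site::local_nets.
redef Site::local_nets = { 192.168.0.0/16, 10.0.0.0/8 };

# Report only the non-local endpoint(s); matching our own hosts wastes CPU.
function report_remote_endpoints(c: connection)
    {
    if ( ! Site::is_local_addr(c$id$orig_h) )
        Intel::seen([$host=c$id$orig_h, $conn=c, $where=Conn::IN_ORIG]);

    if ( ! Site::is_local_addr(c$id$resp_h) )
        Intel::seen([$host=c$id$resp_h, $conn=c, $where=Conn::IN_RESP]);
    }

# UDP and ICMP never become "established", so report them when first seen.
# TCP is skipped here: established TCP is reported by the stock scripts.
event new_connection(c: connection)
    {
    if ( get_port_transport_proto(c$id$resp_p) != tcp )
        report_remote_endpoints(c);
    }

# One-sided TCP (a SYN that never completed) is not reported by the stock
# scripts either, so catch it from connection_attempt.
event connection_attempt(c: connection)
    {
    report_remote_endpoints(c);
    }
```

Splitting the reporting across the two events keeps established TCP connections from being reported twice while still covering the UDP, ICMP and one-sided cases mentioned above.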

Intelligence Matches

The Intelligence Framework provides an event that is generated whenever a match is discovered. This event is named Intel::match and receives two arguments. First, a record of type Intel::Seen that describes the observation as reported to the framework. It contains information about what was seen (e.g., the domain www.slideshare.net), where it was seen (e.g. in an X509 certificate) and further context (e.g., a connection or a file record) if available. The second argument is a set of intelligence items that matched the observation. A set is used because multiple items may match a given observation. For example, assume you have ingested the IP 1.2.3.4 from source A and from source B as well as the subnet 1.2.3.0/24 from source B. If the IP 1.2.3.4 is seen in your traffic, the match event will receive all three intelligence items.

In a cluster setup, the match event is raised on the manager. This is important to keep in mind when writing a script that handles the event. While the context information about the match is available through the event parameters, the handler itself is executed on the manager. Thus, one cannot access any state that is local to the worker node that reported the observation in the first place. Other interaction is also limited. For example, one cannot reliably trigger file extraction based on an intelligence hit: Once the manager processes the match event and comes to the conclusion that file extraction would be desired, the worker that triggered the hit is most likely done processing the corresponding data. Instead, one would need to start by extracting all files that are potentially relevant, keep the ones that refer to an intelligence hit and regularly discard the others.

Intelligence matches are logged to the intel.log file. For further description of each field in that file, see the documentation for the Intel::Info record.

The following are two matches from a sample intel.log:

{
  "ts": "2019-03-12T18:22:19.252191Z",
  "uid": "Cpue7J1KNReqCodXHc",
  "id.orig_h": "192.168.4.6",
  "id.orig_p": 64738,
  "id.resp_h": "13.107.18.13",
  "id.resp_p": 443,
  "seen.indicator": "www.slideshare.net",
  "seen.indicator_type": "Intel::DOMAIN",
  "seen.where": "X509::IN_CERT",
  "seen.node": "so16-enp0s8-1",
  "matched": [
    "Intel::DOMAIN"
  ],
  "sources": [
    "from http://hosts-file.net/fsa.txt via intel.criticalstack.com"
  ],
  "fuid": "FnRp0j1YMig5KhcMDg",
  "file_mime_type": "application/x-x509-user-cert",
  "file_desc": "13.107.18.13:443/tcp"
}
{
  "ts": "2019-03-12T18:32:19.821962Z",
  "uid": "CvusFJ2HdbTnCLxEUa",
  "id.orig_h": "192.168.4.6",
  "id.orig_p": 64826,
  "id.resp_h": "13.107.42.14",
  "id.resp_p": 443,
  "seen.indicator": "www.slideshare.net",
  "seen.indicator_type": "Intel::DOMAIN",
  "seen.where": "X509::IN_CERT",
  "seen.node": "so16-enp0s8-1",
  "matched": [
    "Intel::DOMAIN"
  ],
  "sources": [
    "from http://hosts-file.net/fsa.txt via intel.criticalstack.com"
  ],
  "fuid": "FUrrLa45T7a8hjdRy",
  "file_mime_type": "application/x-x509-user-cert",
  "file_desc": "13.107.42.14:443/tcp"
}

These examples show matches on a domain observed in an X509 certificate. That domain was www.slideshare.net. This is unusual as that domain is used for legitimate purposes. This example demonstrates that analysts must vet intelligence feeds for their local use and applicability.
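As an added example (not from the Zeek documentation), the following handler for Intel::match uses the full set of matched items: it collects the sources and indicators of every item (so an address that matched both a host entry and a covering subnet shows both), and raises a notice only when one of the sources is on a locally maintained list. The module name, notice type and the source names in trusted_sources are constructed placeholders. Because the handler runs on the manager in a cluster, it relies only on what the Intel::Seen record carries.

```zeek
# Added example: triage Intel::match hits by source, using every matched item.
module IntelMatchTriage;

export {
    redef enum Notice::Type += {
        ## An indicator from one of the trusted sources below matched.
        Trusted_Source_Hit
    };

    ## Feeds whose matches deserve a notice, not just an intel.log entry.
    ## Constructed placeholder names; use your own feed names.
    const trusted_sources: set[string] = { "my_special_source", "source1" } &redef;
}

event Intel::match(s: Intel::Seen, items: set[Intel::Item])
    {
    # In a cluster this runs on the manager: only the Seen record is available.
    local srcs: set[string];
    local indicators = "";

    for ( item in items )
        {
        add srcs[item$meta$source];
        # List the exact indicators that matched, e.g. both 1.2.3.4 and
        # 1.2.3.0/24 for a single observed address.
        indicators = fmt("%s%s%s", indicators,
                         |indicators| > 0 ? ", " : "", item$indicator);
        }

    local trusted_hit = F;
    for ( src in srcs )
        if ( src in trusted_sources )
            trusted_hit = T;

    if ( ! trusted_hit )
        return;

    local observed = s?$indicator ? s$indicator : "(unknown)";

    local n: Notice::Info = [$note=Trusted_Source_Hit,
                             $msg=fmt("%s seen in %s matched %d item(s): %s",
                                      observed, s$where, |items|, indicators),
                             # Suppress repeats of the same indicator at the
                             # same location for Notice::default_suppression_interval.
                             $identifier=cat(observed, s$where)];

    # Attach connection context when the observation came from a connection.
    if ( s?$conn )
        n$conn = s$conn;

    NOTICE(n);
    }
```

The notice carries the source list only indirectly (through the matched indicators); intel.log already records the sources field for every hit, so the notice is meant as an alert, not a replacement for the log entry.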

Logging Framework

Zeek comes with a flexible key-value based logging interface that allows fine-grained control of what gets logged and how it is logged. This document describes how logging can be customized and extended.

Terminology

Zeek’s logging interface is built around three main abstractions:

Streams

A log stream corresponds to a single log. It defines the set of fields that a log consists of with their names and types. Examples are the conn stream for recording connection summaries, and the http stream for recording HTTP activity.

Filters

Each stream has a set of filters attached to it that determine what information gets written out, and how. By default, each stream has one default filter that just logs everything directly to disk. However, additional filters can be added to record only a subset of the log records, write to different outputs, or set a custom rotation interval. If all filters are removed from a stream, then output is disabled for that stream.

Writers

Each filter has a writer. A writer defines the actual output format for the information being logged. The default writer is the ASCII writer, which produces tab-separated ASCII files. Other writers are available, like for binary output or direct logging into a database.

There are several different ways to customize Zeek’s logging: you can create a new log stream, you can extend an existing log with new fields, you can apply filters to an existing log stream, or you can customize the output format by setting log writer options. All of these approaches are described in this document.

Streams

In order to log data to a new log stream, all of the following needs to be done:

  • A record type must be defined which consists of all the fields that will be logged (by convention, the name of this record type is usually “Info”).

  • A log stream ID (an enum with type name Log::ID) must be defined that uniquely identifies the new log stream.

  • A log stream must be created using the Log::create_stream function.

  • When the data to be logged becomes available, the Log::write function must be called.

In the following example, we create a new module, Foo, which creates a new log stream.

module Foo;

export {
    # Create an ID for our new stream. By convention, this is
    # called "LOG".
    redef enum Log::ID += { LOG };

    # Define the record type that will contain the data to log.
    type Info: record {
        ts: time        &log;
        id: conn_id     &log;
        service: string &log &optional;
        missed_bytes: count &log &default=0;
    };
}

# Optionally, we can add a new field to the connection record so that
# the data we are logging (our "Info" record) will be easily
# accessible in a variety of event handlers.
redef record connection += {
    # By convention, the name of this new field is the lowercase name
    # of the module.
    foo: Info &optional;
};

# This event is handled at a priority higher than zero so that if
# users modify this stream in another script, they can do so at the
# default priority of zero.
event zeek_init() &priority=5
    {
    # Create the stream. This adds a default filter automatically.
    Log::create_stream(Foo::LOG, [$columns=Info, $path="foo"]);
    }

In the definition of the Info record above, notice that each field has the &log attribute. Without this attribute, a field will not appear in the log output. Also notice one field has the &optional attribute. This indicates that the field might not be assigned any value before the log record is written. Finally, a field with the &default attribute has a default value assigned to it automatically.

At this point, the only thing missing is a call to the Log::write function to send data to the logging framework. The actual event handler where this should take place will depend on where your data becomes available. In this example, the connection_established event provides our data, and we also store a copy of the data being logged into the connection record:

event connection_established(c: connection)
    {
    local rec: Foo::Info = [$ts=network_time(), $id=c$id];

    # Store a copy of the data in the connection record so other
    # event handlers can access it.
    c$foo = rec;

    Log::write(Foo::LOG, rec);
    }

If you run Zeek with this script, a new log file foo.log will be created. Although we only specified four fields in the Info record above, the log output will actually contain seven fields because one of the fields (the one named id) is itself a record type. Since a conn_id record has four fields, each of these fields becomes a separate column in the log output. Note that the way such fields are named in the log output differs slightly from the way we would refer to the same field in a Zeek script (each dollar sign is replaced with a period). For example, to access the first field of a conn_id in a Zeek script we would use the notation id$orig_h, but that field is named id.orig_h in the log output.

When you are developing scripts that add data to the connection record, care must be taken about when and for how long data is stored. Data saved to the connection record normally remains there for the duration of the connection, and in practice it is not uncommon to need to delete that data before the connection ends.

Add Fields to a Log

You can add additional fields to a log by extending the record type that defines its content, and setting a value for the new fields before each log record is written.

Let’s say we want to add a boolean field is_private to Conn::Info that indicates whether the originator IP address is part of the RFC 1918 space:

# Add a field to the connection log record.
redef record Conn::Info += {
    ## Indicate if the originator of the connection is part of the
    ## "private" address space defined in RFC1918.
    is_private: bool &default=F &log;
};

As this example shows, when extending a log stream’s Info record, each new field must always be declared either with a &default value or as &optional. Furthermore, you need to add the &log attribute, otherwise the field won’t appear in the log file.

Now we need to set the field. Although the details vary depending on which log is being extended, in general it is important to choose a suitable event in which to set the additional fields because we need to make sure that the fields are set before the log record is written. Sometimes the right choice is the same event which writes the log record, but at a higher priority (in order to ensure that the event handler that sets the additional fields is executed before the event handler that writes the log record).

In this example, since a connection’s summary is generated at the time its state is removed from memory, we can add another handler at that time that sets our field correctly:

event connection_state_remove(c: connection)
    {
    if ( c$id$orig_h in Site::private_address_space )
        c$conn$is_private = T;
    }

Now conn.log will show a new field is_private of type bool. If you look at the Zeek script which defines the connection log stream base/protocols/conn/main.zeek, you will see that Log::write gets called in an event handler for the same event as used in this example to set the additional fields, but at a lower priority than the one used in this example (i.e., the log record gets written after we assign the is_private field).

For extending logs this way, one needs a bit of knowledge about how the script that creates the log stream is organizing its state keeping. Most of the standard Zeek scripts attach their log state to the connection record where it can then be accessed, just like c$conn above. For example, the HTTP analysis adds a field http of type HTTP::Info to the connection record.
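The same pattern applied to the HTTP log, as an added example that is not part of the Zeek documentation: a boolean column is added to HTTP::Info and set from the http_header event, which fires before the record is written. The new field name has_auth is a constructed choice. Only the presence of the header is recorded, never its value.

```zeek
# Added example: extend http.log with a flag derived from a request header.
redef record HTTP::Info += {
    ## Whether the request carried an Authorization header. Only the
    ## presence is logged; the value never reaches the log.
    has_auth: bool &default=F &log;
};

event http_header(c: connection, is_orig: bool, name: string, value: string)
    {
    # Only request headers matter here, and HTTP::Info is attached to the
    # connection as c$http once a request has started.
    if ( ! is_orig || ! c?$http )
        return;

    # Zeek passes header names to this event converted to upper case.
    if ( name == "AUTHORIZATION" )
        c$http$has_auth = T;
    }
```

Because HTTP::Info is written when the transaction completes, setting the field from http_header needs no priority adjustment; the header is always seen before the record is logged.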

Define a Logging Event

Sometimes it is helpful to do additional analysis of the information being logged. For these cases, a stream can specify an event that will be generated every time a log record is written to it. To do this, we need to modify the example module shown above to look something like this:

module Foo;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts: time     &log;
        id: conn_id  &log;
        service: string &log &optional;
        missed_bytes: count &log &default=0;
    };

    # Define a logging event. By convention, this is called
    # "log_<stream>".
    global log_foo: event(rec: Info);
}

event zeek_init() &priority=5
    {
    # Specify the "log_foo" event here in order for Zeek to raise it.
    Log::create_stream(Foo::LOG, [$columns=Info, $ev=log_foo,
                       $path="foo"]);
    }

All of Zeek’s default log streams define such an event. For example, the connection log stream raises the event Conn::log_conn. You could use that for example for flagging when a connection to a specific destination exceeds a certain duration:

redef enum Notice::Type += {
    ## Indicates that a connection remained established longer
    ## than 5 minutes.
    Long_Conn_Found
};

event Conn::log_conn(rec: Conn::Info)
    {
    if ( rec?$duration && rec$duration > 5mins )
        NOTICE([$note=Long_Conn_Found,
                $msg=fmt("unusually long conn to %s", rec$id$resp_h),
                $id=rec$id]);
    }

Often, these events can be an alternative to post-processing Zeek logs externally with Perl scripts. Much of what such an external script would do later offline, one may instead do directly inside of Zeek in real-time.

Disable a Stream

One way to “turn off” a log is to completely disable the stream. For example, the following example will prevent the conn.log from being written:

event zeek_init()
    {
    Log::disable_stream(Conn::LOG);
    }

Note that this must run after the stream is created, so the priority of this event handler must be lower than the priority of the event handler where the stream was created.

Filters

A stream has one or more filters attached to it. A stream without any filters will not produce any log output. Filters govern two aspects of log production: they control which of the stream’s log entries get written out, and they define how to actually implement the log writes. They do the latter by specifying a log writer that implements the write operation, such as the ASCII writer (see below) for text file output. When a stream is created, it automatically gets a default filter attached to it. This default filter can be removed or replaced, or other filters can be added to the stream. This is accomplished by using either the Log::add_filter or Log::remove_filter function. This section shows how to use filters to do such tasks as rename a log file, split the output into multiple files, control which records are written, and set a custom rotation interval.

Each filter has a unique name, scoped to the stream it belongs to. That is, all filters attached to a given stream have different names. Calling Log::add_filter to add a filter with a name that already exists for the stream replaces the existing filter.

Rename a Log File

Normally, the log filename for a given log stream is determined when the stream is created, unless you explicitly specify a different one by adding a filter.

The easiest way to change a log filename is to simply replace the default log filter with a new filter that specifies a value for the path field. In this example, conn.log will be changed to myconn.log:

event zeek_init()
    {
    # Replace default filter for the Conn::LOG stream in order to
    # change the log filename.

    local f = Log::get_filter(Conn::LOG, "default");
    f$path = "myconn";
    Log::add_filter(Conn::LOG, f);
    }

Keep in mind that the path field of a log filter never contains the filename extension. The extension will be determined later by the log writer.

Add an Additional Output File

Normally, a log stream writes to only one log file. However, you can add filters so that the stream writes to multiple files. This is useful if you want to restrict the set of fields being logged to the new file.

In this example, a new filter is added to the Conn::LOG stream that writes two fields to a new log file:

event zeek_init()
    {
    # Add a new filter to the Conn::LOG stream that logs only
    # timestamp and originator address.

    local filter: Log::Filter = [$name="orig-only", $path="origs",
                                 $include=set("ts", "id.orig_h")];
    Log::add_filter(Conn::LOG, filter);
    }

Note

When multiple filters added to a stream use the same path value, Zeek will disambiguate the output file names by adding numeric suffixes to the name. If we say $path="conn" in the above example, Zeek warns us about the fact that it’ll write this filter’s log entries to a different file:

1071580905.346457 warning: Write using filter 'orig-only' on path 'conn' changed to use new path 'conn-2' to avoid conflict with filter 'default'

The same also happens when omitting a path value, in which case the filter inherits the value of the stream’s path member.

Notice how the include filter attribute specifies a set that limits the fields to the ones given. The names correspond to those in the Conn::Info record (however, because the id field is itself a record, we can specify an individual field of id by the dot notation shown in the example).

Using the code above, in addition to the regular conn.log, you will now also get a new log file origs.log that looks like the regular conn.log, but will have only the fields specified in the include filter attribute.

If you want to skip only some fields but keep the rest, there is a corresponding exclude filter attribute that you can use instead of include to list only the ones you are not interested in.

If you want to make this the only log file for the stream, you can remove the default filter:

event zeek_init()
    {
    # Remove the filter called "default".
    Log::remove_filter(Conn::LOG, "default");
    }

Determine Log Path Dynamically

Instead of using the path filter attribute, a filter can determine output paths dynamically based on the record being logged. That allows, e.g., to record local and remote connections into separate files. To do this, you define a function that returns the desired path, and use the path_func filter attribute:

# Note: if using ZeekControl then you don't need to redef local_nets.
redef Site::local_nets = { 192.168.0.0/16 };

function myfunc(id: Log::ID, path: string, rec: Conn::Info) : string
    {
    # Return "conn-local" if originator is a local IP, otherwise
    # return "conn-remote".
    local r = Site::is_local_addr(rec$id$orig_h) ? "local" : "remote";
    return fmt("%s-%s", path, r);
    }

event zeek_init()
    {
    local filter: Log::Filter = [$name="conn-split",
             $path_func=myfunc, $include=set("ts", "id.orig_h")];
    Log::add_filter(Conn::LOG, filter);
    }

Running this will now produce two new files, conn-local.log and conn-remote.log, with the corresponding entries (for this example to work, the Site::local_nets must specify your local network). One could extend this further for example to log information by subnets or even by IP address. Be careful, however, as it is easy to create many files very quickly.

The myfunc function has one drawback: it can be used only with the Conn::LOG stream, because the record type is hardcoded into its argument list. However, Zeek allows a more generic variant:

function myfunc(id: Log::ID, path: string,
                rec: record { id: conn_id; } ) : string
    {
    local r = Site::is_local_addr(rec$id$orig_h) ? "local" : "remote";
    return fmt("%s-%s", path, r);
    }

This function can be used with all log streams that have records containing an id: conn_id field.

Filtering Log Records

We just saw ways to customize the logged columns. The logging framework also lets you control which records Zeek writes out. It relies on Zeek’s hook mechanism to do this, as follows. The framework provides two levels of “policy” hooks, a global one and a set of filter-level ones. The hook handlers can implement additional processing of a log record, including vetoing the writing of the record. Any handler that uses a break statement to leave the hook declares that a record shall not be written out. Anyone can attach handlers to these hooks, which look as follows:

type Log::StreamPolicyHook: hook(rec: any, id: ID);
type Log::PolicyHook: hook(rec: any, id: ID, filter: Filter);

For both hook types, the rec argument contains the entry to be logged and is an instance of the record type associated with the stream’s columns, and id identifies the log stream.

The logging framework defines one global policy hook: Log::log_stream_policy. For every log write, this hook gets invoked first. Any of its handlers may decide to veto the log entry. The framework then iterates over the log stream’s filters. Each filter has a filter$policy hook of type Log::PolicyHook. Its handlers receive the log record, the ID of the log stream, and the filter record itself. Each handler can veto the write. After the filter’s hook has run, any veto (by Log::log_stream_policy or the filter’s hook) aborts the write via that filter. If no veto has occurred, the filter now steers the log record to its output.

You can pass arbitrary state through these hook handlers. For example, you can extend streams or filters via a redef, or pass key-value pairs via the filter$config table.

Since you’ll often want to use uniform handling for all writes on a given stream, log streams offer a default hook, provided when constructing the stream, that the stream’s filters will use if they don’t provide their own. To support hooks on your log streams, you should always define a default hook when creating new streams, as follows:

module Foo;

export {
    ## The logging stream identifier.
    redef enum Log::ID += { LOG };

    ## A default logging policy hook for the stream.
    global log_policy: Log::PolicyHook;

    # Define the record type that will contain the data to log.
    type Info: record {
        ts: time        &log;
        id: conn_id     &log;
        service: string &log &optional;
        missed_bytes: count &log &default=0;
    };
}

event zeek_init() &priority=5
    {
    # Create the stream, adding the default policy hook:
    Log::create_stream(Foo::LOG, [$columns=Info, $path="foo", $policy=log_policy]);
    }

With this hook in place, it’s now easy to add a filtering predicate for the Foo log from anywhere:

hook Foo::log_policy(rec: Foo::Info, id: Log::ID, filter: Log::Filter)
    {
    # Let's only log complete information:
    if ( rec$missed_bytes > 0 )
        break;
    }

The Zeek distribution features default hooks for all of its streams. Here’s a more realistic example, using HTTP:

hook HTTP::log_policy(rec: HTTP::Info, id: Log::ID, filter: Log::Filter)
    {
    # Record only connections with successfully analyzed HTTP traffic
    if ( ! rec?$service || rec$service != "http" )
        break;
    }

To override a hook selectively in a new filter, set the hook when adding the filter to a stream:

hook my_policy(rec: Foo::Info, id: Log::ID, filter: Log::Filter)
    {
    # Let's only log incomplete flows:
    if ( rec$missed_bytes == 0 )
        break;
    }

event zeek_init()
    {
    local filter: Log::Filter = [$name="incomplete-only",
                                 $path="foo-incomplete",
                                 $policy=my_policy];
    Log::add_filter(Foo::LOG, filter);
    }

Note that this approach has subtle implications: the new filter does not use the Foo::log_policy hook, and that hook does not get invoked for writes to this filter. Any vetoes or additional processing implemented in Foo::log_policy handlers no longer happen for the new filter. Such hook replacement should rarely be necessary; you may find it preferable to narrow the stream’s default handler to the filter in question:

hook Foo::log_policy(rec: Foo::Info, id: Log::ID, filter: Log::Filter)
    {
    if ( filter$name != "incomplete-only" )
        return;

    # Let's only log incomplete flows:
    if ( rec$missed_bytes == 0 )
        break;
    }

For tasks that need to run once per-write, not once per-write-and-filter, use the Log::log_stream_policy instead:

hook Log::log_stream_policy(rec: Foo::Info, id: Log::ID)
    {
    # Called once per write
    }

hook Foo::log_policy(rec: Foo::Info, id: Log::ID, filter: Log::Filter)
    {
    # Called once for each of Foo's filters.
    }

To change an existing filter first retrieve it, then update it, and re-establish it:

hook my_policy(rec: Foo::Info, id: Log::ID, filter: Log::Filter)
    {
    # Let's only log incomplete flows:
    if ( rec$missed_bytes == 0 )
        break;
    }

event zeek_init()
    {
    local f = Log::get_filter(Foo::LOG, "default");
    f$policy = my_policy;
    Log::add_filter(Foo::LOG, f);
    }

Note

Policy hooks can also modify the log records, but with subtle implications. The logging framework applies all of a stream’s log filters sequentially to the same log record, so modifications made in a hook handler will persist not only into subsequent handlers in the same hook, but also into any in filters processed subsequently. In contrast to hook priorities, filters provide no control over their processing order.
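The two hook levels combined, as an added example that is not part of the Zeek documentation: a Log::log_stream_policy handler vetoes conn records involving a set of excluded hosts once per write, and the stream’s default Conn::log_policy hook is parameterized per filter by extending Log::Filter with a redef (the “extend filters via a redef” option mentioned above). The excluded address, the min_duration field and the filter name are constructed placeholders.

```zeek
# Added example: a stream-level veto plus a filter-parameterized, filter-level veto.

# Hosts whose connection records should never be logged (constructed
# placeholder, e.g. a noisy monitoring probe that floods conn.log).
const conn_log_exclude: set[addr] = { 192.0.2.10 } &redef;

# Extending Log::Filter lets each filter carry its own threshold.
redef record Log::Filter += {
    ## Drop connection records shorter than this; 0secs disables the check.
    min_duration: interval &default=0secs;
};

# Stream-level: runs once per write, before any filter, for every stream,
# so check the stream ID before casting the record.
hook Log::log_stream_policy(rec: any, id: Log::ID)
    {
    if ( id != Conn::LOG )
        return;

    local c = rec as Conn::Info;
    if ( c$id$orig_h in conn_log_exclude || c$id$resp_h in conn_log_exclude )
        break;
    }

# Filter-level: Conn's default policy hook, used by every Conn filter that
# does not set its own $policy. Filters with min_duration left at 0secs
# (including "default") are unaffected.
hook Conn::log_policy(rec: Conn::Info, id: Log::ID, filter: Log::Filter)
    {
    if ( filter$min_duration == 0secs )
        return;

    if ( ! rec?$duration || rec$duration < filter$min_duration )
        break;
    }

event zeek_init()
    {
    # conn.log keeps everything except the excluded hosts; conn-long.log keeps
    # only connections that lasted at least five minutes.
    local f: Log::Filter = [$name="long-conns", $path="conn-long",
                            $min_duration=5mins];
    Log::add_filter(Conn::LOG, f);
    }
```

Neither handler modifies the record, so the ordering caveat in the note above does not apply; if a handler did rewrite fields, the stream-level hook would be the predictable place to do it, since it runs before any filter.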

Log Rotation and Post-Processing

The logging framework provides fine-grained control over when and how to rotate log files. Log rotation means that Zeek periodically renames an active log file, such as conn.log, in a manner configurable by the user (e.g., renaming to conn_21-01-03_14-05-00.log to timestamp it), and starts over on a fresh conn.log file. Post-processing means that Zeek can also apply optional additional processing to the rotated file, such as compression or file transfers. These mechanisms apply naturally to file-based log writers, but are available to other writers as well for more generalized forms of periodic additional processing of their outputs.

Rotation Timing

The log rotation interval is globally controllable for all filters by redefining the Log::default_rotation_interval constant, or specifically for certain Log::Filter instances by setting their interv field. The default value, 0secs, disables rotation.

Note

When using ZeekControl, this option is set automatically via the ZeekControl configuration.

Here’s an example of changing just the Conn::LOG stream’s default filter rotation:

event zeek_init()
    {
    local f = Log::get_filter(Conn::LOG, "default");
    f$interv = 1 min;
    Log::add_filter(Conn::LOG, f);
    }

Controlling File Naming

The redef’able Log::rotation_format_func determines the naming of the rotated-to file. The logging framework invokes the function with sufficient context (a Log::RotationFmtInfo record), from which it determines the output name in two parts: the output directory, and the output file’s base name, meaning its name without a suffix. It returns these two components via a Log::RotationPath record. By default, the output directory is Log::default_rotation_dir (a config option), and the base name incorporates a timestamp formatted as specified by Log::default_rotation_date_format.

For examples of customized log rotation, take a look at the relevant test cases.

Post-Processing of Rotated Logs

Post-processing can proceed via defaults configured across all log filters, or with per-filter customizations. Zeek provides helpful default infrastructure to simplify running shell commands on rotated logs, but you’re free to define your own post-processing infrastructure from scratch.

By default, the Log::default_rotation_postprocessor_cmd, if defined, runs on every rotated log. The wrapper function making the actual command invocation is Log::run_rotation_postprocessor_cmd. It passes six additional arguments to the configured shell command:

  • The rotated-to file name (e.g. conn_21-01-03_14-05-00.log)

  • The original base name (e.g. conn)

  • The timestamp at which the original log file got created (e.g. 21-01-03_14.04.00)

  • The timestamp at which the original log file got rotated (e.g. 21-01-03_15.05.00)

  • 1 if Zeek is terminating, 0 otherwise

  • The name of the writer (e.g. ascii for the ASCII writer)

Warning

Zeek ignores failures (non-zero exit codes) of this shell command: the default rotation postprocessor command returns T regardless. Be careful if you implement your own postprocessor function: returning F from it will cause the corresponding log writer instance to shut down, therefore do so only when the writer really won’t be able to continue.

Zeek ships with ready-to-use postprocessors for file transfer via SCP and SFTP. The Zeek project also provides an external tool, zeek-archiver, that performs log compression outside of the Zeek process for robustness.
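As an added example (not the framework's own postprocessor), here is a per-filter postprocessor function for conn.log that moves each rotated file into a per-day directory and then delegates to Log::run_rotation_postprocessor_cmd, so a configured Log::default_rotation_postprocessor_cmd still receives the six arguments listed above with the new location as the first one. The rotated_root directory name is this example's assumption, and the function follows the warning above by returning T even when the external move fails:

```zeek
# Added example: destination root for archived conn logs (constructed value).
const rotated_root = "rotated-conn" &redef;

# Postprocessor functions receive a Log::RotationInfo describing the rotated
# file and must return a bool: F shuts the writer down, so reserve it for
# cases where the writer genuinely cannot continue.
function conn_postprocessor(info: Log::RotationInfo): bool
    {
    local day_dir = fmt("%s/%s", rotated_root, strftime("%Y-%m-%d", info$open));
    if ( ! mkdir(day_dir) )
        {
        Reporter::warning(fmt("rotation: cannot create %s, leaving %s in place",
                              day_dir, info$fname));
        return T;
        }

    # e.g. rotated-conn/2021-01-03/conn.14:04:00-15:05:00.log
    local dst = fmt("%s/%s.%s-%s.log", day_dir, info$path,
                    strftime("%H:%M:%S", info$open),
                    strftime("%H:%M:%S", info$close));

    # Quote both paths so a log path cannot alter the shell command.
    system(fmt("mv %s %s", safe_shell_quote(info$fname), safe_shell_quote(dst)));

    # Hand off to Log::default_rotation_postprocessor_cmd (if defined). This
    # returns T regardless of the command's exit status, as documented above.
    return Log::run_rotation_postprocessor_cmd(info, dst);
    }

event zeek_init()
    {
    # Attach the postprocessor only to conn.log's default filter; other logs
    # keep the writer's built-in postprocessor.
    local f = Log::get_filter(Conn::LOG, "default");
    f$postprocessor = conn_postprocessor;
    Log::add_filter(Conn::LOG, f);
    }
```

Because the filter's postprocessor replaces the ASCII writer's default one for that filter, the example re-implements the rename step itself before calling the command-line hook; Log::default_rotation_postprocessors (keyed by writer) is the place to change the behaviour for every filter of a writer instead.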

Other Features
Log Extension Fields

The logging framework provides rudimentary support for adding additional columns to an already defined log format, globally for all logs or for individual log filters only. Records returned by the Log::default_ext_func function get added to every log, and the ext_func member of Log::Filter in filter records allows local overrides.

You can configure a prefix string separately for either of these options — this string ensures that the resulting fields don’t collide with already existing log fields. The prefix defaults to an underscore, via Log::default_ext_prefix. The ext_prefix field in filter records overrides as needed.

The following example, taken straight from a Zeek testcase, adds three extra columns to all logs:

type Extension: record {
    write_ts: time &log;
    stream: string &log;
    system_name: string &log;
};

function add_extension(path: string): Extension
  {
  return Extension($write_ts    = network_time(),
                   $stream      = path,
                   $system_name = peer_description);
  }

redef Log::default_ext_func = add_extension;

A resulting conn.log:

#fields  _write_ts  _stream  _system_name  ts  uid …
#types  time  string  string  time  string  …
1071580905.346457  conn  zeek  1071580904.891921  Cod6Wj3YeJFHgkaO8j …

Note

Extension fields remain separate from the original log record. They remain invisible to filters, policy hooks, and log events. After filter processing determines that an entry is to be logged, the framework simply tucks the extension’s members onto the list of fields to write out.

Field Name Mapping

On occasion it can be handy to rewrite column names as they appear in a Zeek log. A typical use case for this would be to ensure that column naming complies with the requirements of your log ingestion system. To achieve this, you can provide name translation maps, and here too you can do this either globally or per-filter. The maps are simple string tables with the keys being Zeek’s field names and the values being the ones to actually write out. Field names not present in the maps remain unchanged. The global variant is the (normally empty) Log::default_field_name_map, and the corresponding filter-local equivalent is the filter’s field_name_map member.

For example, the following name map gets rid of the dots in the usual naming of connection IDs:

redef Log::default_field_name_map = {
     ["id.orig_h"] = "id_orig_h",
     ["id.orig_p"] = "id_orig_p",
     ["id.resp_h"] = "id_resp_h",
     ["id.resp_p"] = "id_resp_p"
};

With it, all logs rendering a connection identifier tuple now use …

#fields  ts  uid  id_orig_h  id_orig_p  id_resp_h  id_resp_p ...

… instead of the default names:

#fields  ts  uid  id.orig_h  id.orig_p  id.resp_h  id.resp_p ...

If you’d prefer this change only for a given log filter, make the change to the filter record directly. The following changes the naming only for conn.log:

event zeek_init()
   {
   local f = Log::get_filter(Conn::LOG, "default");
   f$field_name_map = table(
       ["id.orig_h"] = "id_orig_h",
       ["id.orig_p"] = "id_orig_p",
       ["id.resp_h"] = "id_resp_h",
       ["id.resp_p"] = "id_resp_p");
   Log::add_filter(Conn::LOG, f);
   }

Printing to Log Messages

Zeek’s print statement normally writes to stdout or a specific output file. By adjusting the Log::print_to_log enum value you can redirect such statements to instead go directly into a Zeek log. Possible values include:

The Log::print_log_path defines the name of the log file, Log::PrintLogInfo its columns, and Log::log_print events allow you to process logged messages via event handlers.

Local vs Remote Logging

In its log processing, Zeek considers whether log writes should happen locally to a Zeek node or remotely on another node, after forwarding log entries to it. Single-node Zeek setups default to local logging, whereas cluster setups enable local logging only on logger nodes, and log remotely on all but the logger nodes. You normally don’t need to go near these settings, but you can do so by redef’ing the Log::enable_local_logging and Log::enable_remote_logging booleans, respectively.

Writers

Each filter has a writer. If you do not specify a writer when adding a filter to a stream, then the ASCII writer is the default.

There are two ways to specify a non-default writer. To change the default writer for all log filters, just redefine the Log::default_writer option. Alternatively, you can specify the writer to use on a per-filter basis by setting a value for the filter’s writer field. Consult the documentation of the writer to use to see if there are other options that are needed.

ASCII Writer

By default, the ASCII writer outputs log files that begin with several lines of metadata, followed by the actual log output. The metadata describes the format of the log file, the path of the log (i.e., the log filename without file extension), and also specifies the time that the log was created and the time when Zeek finished writing to it. The ASCII writer has a number of options for customizing the format of its output, see base/frameworks/logging/writers/ascii.zeek. If you change the output format options, then be careful to check whether your post-processing scripts can still recognize your log files.

Some writer options are global (i.e., they affect all log filters using that log writer). For example, to change the output format of all ASCII logs to JSON format:

redef LogAscii::use_json = T;

A similar global option is the logdir option specifying a directory as the location for output files.

redef LogAscii::logdir = output_directory;

Both can be used from the command line, alone or together with other scripts:

zeek -r ../test-capture.cap LogAscii::use_json=T

mkdir output_directory ; zeek -r ../test-capture.cap LogAscii::logdir=output_directory

Some writer options are filter-specific (i.e., they affect only the filters that explicitly specify the option). For example, to change the output format of the conn.log only:

event zeek_init()
    {
    local f = Log::get_filter(Conn::LOG, "default");
    # Use tab-separated-value mode
    f$config = table(["tsv"] = "T");
    Log::add_filter(Conn::LOG, f);
    }

SQLite Writer

SQLite is a simple, file-based, widely used SQL database system. Using SQLite allows Zeek to write and access data in a format that is easy to use in interchange with other applications. Due to the transactional nature of SQLite, databases can be used by several applications simultaneously. Zeek’s input framework supports a SQLite reader.

Logging support for SQLite is available in all Zeek installations. There is no need to load any additional scripts or for any compile-time configurations. Sending data from existing logging streams to SQLite is rather straightforward. Most likely you’ll want SQLite output only for select log filters, so you have to configure one to use the SQLite writer. The following example code adds SQLite as a filter for the connection log:

event zeek_init()
    {
    local filter: Log::Filter =
        [
        $name="sqlite",
        $path="/var/db/conn",
        $config=table(["tablename"] = "conn"),
        $writer=Log::WRITER_SQLITE
        ];

    Log::add_filter(Conn::LOG, filter);
    }

Zeek will create the database file /var/db/conn.sqlite if it does not already exist. It will also create a table with the name conn (if it does not exist) and start appending connection information to the table.

Zeek does not currently support rotating SQLite databases as it does for ASCII logs. You have to take care to create them in adequate locations.

If you examine the resulting SQLite database, the schema will contain the same fields that are present in the ASCII log files:

sqlite3 /var/db/conn.sqlite
SQLite version 3.8.0.2 2013-09-03 17:11:13
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> .schema
CREATE TABLE conn (
'ts' double precision,
'uid' text,
'id.orig_h' text,
'id.orig_p' integer,
...

Note that with the above code the ASCII conn.log will still be created, because it adds an additional log filter alongside the default, ASCII-logging one. To prevent this you can remove the default filter:

Log::remove_filter(Conn::LOG, "default");

To create a custom SQLite log file, you have to create a new log stream that contains just the information you want to commit to the database. See the above documentation on how to create custom log streams.
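As an added example (not from the Zeek documentation or distribution), the following script defines a small custom log stream recording the responder host, port and identified service of each completed connection, and sends it to SQLite only, by removing the automatically created ASCII filter and adding a SQLite one. The module name, record fields, table name and the /var/db/seen_hosts path are this example's assumptions:

```zeek
# Added example: a custom stream written exclusively to a SQLite database.
module SeenHosts;

export {
    redef enum Log::ID += { LOG };

    # Columns of the new log; only &log fields are written out.
    type Info: record {
        ts:        time   &log;
        host:      addr   &log;
        resp_port: port   &log;
        service:   string &log &optional;
    };
}

event zeek_init()
    {
    # Creating the stream also installs a default ASCII filter named "default".
    Log::create_stream(LOG, [$columns=Info, $path="seen_hosts"]);

    # Drop the ASCII filter so no seen_hosts.log file appears ...
    Log::remove_filter(LOG, "default");

    # ... and write to /var/db/seen_hosts.sqlite, table "seen_hosts", instead.
    # Remember that SQLite databases are not rotated, so pick the location
    # with growth in mind.
    Log::add_filter(LOG, [$name="sqlite",
                          $path="/var/db/seen_hosts",
                          $config=table(["tablename"] = "seen_hosts"),
                          $writer=Log::WRITER_SQLITE]);
    }

event connection_state_remove(c: connection)
    {
    local rec = Info($ts=network_time(), $host=c$id$resp_h, $resp_port=c$id$resp_p);

    # c$service is a set of protocol names; flatten it for the text column.
    if ( |c$service| > 0 )
        rec$service = join_string_set(c$service, ",");

    Log::write(LOG, rec);
    }
```

Querying the result with sqlite3 /var/db/seen_hosts.sqlite shows a seen_hosts table whose columns mirror the &log fields of Info, in the same way the conn table above mirrors conn.log.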

None Writer

The None writer, selected via Log::WRITER_NONE, is largely a troubleshooting and development aid. It discards all log entries it receives, but behaves like a proper writer to the rest of the logging framework, including, for example, pretended log rotation. If you enable its debugging mode by setting LogNone::debug to T, Zeek reports operational details about the writer’s activity to stdout.

Management Framework

The management framework provides a Zeek-based, service-oriented architecture and event-driven APIs to manage a Zeek cluster that monitors live traffic. It provides a central, stateful controller that relays and orchestrates cluster management tasks across connected agents. Each agent manages Zeek processes in its local instance, the Zeek process tree controlled by the local Zeek Supervisor. A management client lets the user interact with the controller to initiate cluster management tasks, such as deployment of cluster configurations, monitoring of operational aspects, or to restart cluster nodes. The default client is zeek-client, included in the Zeek distribution.

Quickstart

Run the following (as root) to launch an all-in-one management instance on your system:

# zeek -C -j policy/frameworks/management/controller policy/frameworks/management/agent

The above will stay in the foreground. In a new shell, save the following content to a file cluster.cfg and adapt the workers’ sniffing interfaces to your system:

[manager]
role = manager

[logger]
role = logger

[worker-01]
role = worker
interface = lo

[worker-02]
role = worker
interface = eth0

Run the following command (as any user) to deploy the configuration:

$ zeek-client deploy-config cluster.cfg
{
  "errors": [],
  "results": {
    "id": "9befc56c-f7e8-11ec-8626-7c10c94416bb",
    "nodes": {
      "logger": {
        "instance": "agent-testbox",
        "success": true
      },
      "manager": {
        "instance": "agent-testbox",
        "success": true
      },
      "worker-01": {
        "instance": "agent-testbox",
        "success": true
      },
      "worker-02": {
        "instance": "agent-testbox",
        "success": true
      }
    }
  }
}

You are now running a Zeek cluster on your system. Try zeek-client get-nodes to see more details about the cluster’s current status. (In the above, “testbox” is the system’s hostname.)

Architecture and Terminology

Controller

The controller forms the central hub of cluster management. It exists once in every installation and runs as a Zeek process solely dedicated to management tasks. It awaits instructions from a management client and communicates with one or more agents to manage their cluster nodes.

All controller communication happens via Broker-based Zeek event exchange, usually in the form of request-response event pairs tagged with a request ID to provide context. The controller is stateful and persists cluster configurations to disk. In a multi-system setup, the controller runs inside a separate, dedicated Zeek instance. In a single-system setup, the controller can run as an additional process in the local instance.

The controller’s API resides in the Management::Controller::API module. Additional code documentation is here.

Instance

A Zeek instance comprises the set of processes managed by a Zeek Supervisor. The management framework builds heavily on the Supervisor framework and cannot run without it. Typically, a single instance includes all Zeek processes on the local system (a physical machine, a container, etc), but running multiple instances on a system is possible.

Agent

Management agents implement instance-level cluster management tasks. Every instance participating in cluster management runs an agent. Agents peer with the controller to receive instructions (a node restart, say), carry them out, and respond with the outcome. The direction of connection establishment for the peering depends on configuration and can go either way (more on this below); by default, agents connect to the controller.

The agent’s API resides in the Management::Agent::API module. Additional code documentation is here.

Agents add script-layer code to both the Supervisor (details here) and Zeek cluster nodes (details here) to enable management tasks (e.g. to tap into node stdout/stderr output) and to receive confirmation of successful node startup.

Cluster nodes

The Zeek processes involved in traffic analysis and log output make up the Zeek cluster, via the cluster framework. The management framework does not change the cluster framework, and all of its concepts (the manager, logger(s), workers, etc) apply as before. Cluster nodes refer to individual Zeek processes in the cluster, as managed by the Supervisor.

Client

The management client provides the user’s interface to cluster management. It allows configuration and deployment of the Zeek cluster, insight into the running cluster, the ability to restart nodes, etc. The client uses the controller’s event API to communicate and is the only component in the framework not (necessarily) implemented in Zeek’s script layer. The Zeek distribution ships with zeek-client, a command-line client implemented in Python, to provide management functionality. Users are welcome to implement other clients.

Goals and Relationship to ZeekControl

The management framework first shipped in usable form in Zeek 5.0. It will replace the aging ZeekControl over the course of the coming releases. The framework is not compatible with ZeekControl’s approach to cluster management: use one or the other, not both.

The framework currently targets single-instance deployments, i.e., setups in which traffic monitoring happens on a single system. While the management framework technically supports clusters spanning multiple monitoring systems, much of the infrastructure users know from zeekctl (such as the ability to deploy Zeek scripts and additional configuration) is not yet available in the management framework.

ZeekControl remains included in the Zeek distribution, and remains the recommended solution for multi-system clusters and those needing rich management capabilities.

Running Controller and Agent

Joint launch

The easiest approach is to run a single Zeek instance in which the Supervisor launches both an agent and the controller. The framework comes pre-configured for this use-case. Its invocation looks as follows:

# zeek -j policy/frameworks/management/controller policy/frameworks/management/agent

The -j flag enables the Supervisor and is required for successful launch of the framework. (Without it, the above command will simply return.)

Note

If you’re planning to monitor the machine’s own traffic, add the -C flag to avoid checksum errors, which commonly happen in local monitoring due to offload of the checksum computation to the NIC.

Separate controller and agent instances

You can also separate the agent and controller instances. For this, you’d say

# zeek -j policy/frameworks/management/agent

for the agent, and

# zeek -j policy/frameworks/management/controller

for the controller. You can run the latter as a regular user, assuming the user has write access to the installation’s spool and log directories (more on this below). While a stand-alone controller doesn’t technically need the Supervisor, the framework currently requires it in this scenario too, so don’t omit the -j.

Controller and agent instances on separate systems

You can also separate the two across different systems, though that approach will only really start to make sense when the framework fully supports running multiple traffic-sniffing instances. To do this, you either need to configure the agent to find the controller, or tell the controller where to find the agent. For the former, redefine the corresponding config setting, for example by saying

redef Management::Agent::controller = [$address="1.2.3.4", $bound_port=21500/tcp];

in local.zeek and then launching

# zeek -j policy/frameworks/management/agent local

To make the controller connect to remote agents, deploy configurations that include the location of such agents in the configuration. More on this below.

Multiple instances

You can run multiple instances on a single system, but it requires some care. Doing so requires specifying a different listening port for each agent, and additionally providing a different listening port for each instance’s Supervisor. Since agents communicate with their Supervisor to facilitate node management, the Supervisor needs to listen (though only locally). Furthermore, you need to ensure this agent runs with a unique name (see the next section for more on naming).

Assuming you already have an instance running, a launch of an additional agent might look as follows:

# zeek -j policy/frameworks/management/agent \
  Management::Agent::default_port=2152/tcp \
  Management::Agent::name=agent-standby \
  Broker::default_port=10001/tcp

Finally, as already mentioned, you can spread multiple instances across multiple systems to explore distributed cluster management. This simplifies the individual launch invocations, but for practical distributed cluster use you may find the framework’s current cluster management features lacking when compared to ZeekControl.

Controller and agent naming

The management framework identifies all nodes in the system by name, and all nodes (agent(s), controller, and Zeek cluster nodes) must have unique names. By default, the framework chooses agent-<hostname> and controller-<hostname> for agent and controller, respectively. To reconfigure naming, set the ZEEK_AGENT_NAME / ZEEK_CONTROLLER_NAME environment variables, or redefine the following:

redef Management::Controller::name = "controller1";
redef Management::Agent::name = "agent1";

Firewalling and encryption

By default, the controller listens for clients and agents on 2150/tcp. Unless you run all components, including the client, on a single system, you’ll want to open up this port on the controller’s system. The agent’s default port is 2151/tcp. It always listens; this allows cluster nodes to connect to it to send status reports. If the agents connect to the controller, your firewall may block the agent’s port since host-local connectivity from cluster nodes to the agent process suffices.

To switch agent and/or controller to a different port, set environment variables ZEEK_CONTROLLER_PORT / ZEEK_AGENT_PORT, or use the following:

redef Management::Controller::default_port = 21500/tcp;
redef Management::Agent::default_port = 21510/tcp;

By default, agent and controller listen globally. To make them listen on a specific interface, set environment variable ZEEK_CONTROLLER_ADDR / ZEEK_AGENT_ADDR, or redefine the framework’s fallback default address:

redef Management::default_address = "127.0.0.1";

The framework inherits Broker’s TLS capabilities and defaults. For details, please refer to the Broker config settings.

Note

zeek-client currently doesn’t support client-side certificates.

Additional framework configuration

The framework features a number of additional settings that we cover as needed in the remainder of this chapter. Refer to the following to browse them all:

Node Operation and Outputs

The framework places every Supervisor-created node into its own working directory, located in $(zeek-config --prefix)/var/lib/nodes/<name>. You can reconfigure this by setting the ZEEK_MANAGEMENT_STATE_DIR environment variable or redefining Management::state_dir. Doing either will change the top-level directory (i.e., replacing the path up to and including var/lib in the above); the framework will still create the nodes/<name> directory structure within it.

Outputs in the resulting directory include:

  • Two separate ad-hoc logs (not structured by Zeek’s logging framework) capturing the node’s stdout and stderr streams. Their naming is configurable, defaulting simply to stdout and stderr.

  • Zeek log files prior to log rotation.

  • Persisted Zeek state, such as Broker-backed tables.

Log Management

The framework configures log rotation and archival via Zeek’s included zeek-archiver tool, as follows:

  • The Log::default_rotation_interval is one hour, with both local and remote logging enabled. You are free to adjust it as needed.

  • The log rotation directory defaults to $(zeek-config --prefix)/spool/log-queue. To adjust this, redefine Log::default_rotation_dir as usual. You can also relocate the spool by setting the ZEEK_MANAGEMENT_SPOOL_DIR environment variable or redefining Management::spool_dir. The framework will place log-queue into that new destination.

  • The log rotation callback rotates node-local logs into the log queue, with naming suitable for zeek-archiver. An example:

    conn__2022-06-20-10-00-00__2022-06-20-11-00-00__.log
    

    For details, take a look at the implementation in scripts/policy/frameworks/management/persistence.zeek.

  • Once per log rotation interval, the agent launches log archival to archive rotated logs into the installation’s log directory ($(zeek-config --root)/logs). By default this invokes zeek-archiver, which establishes a datestamp directory in the logs directory and places the compressed logs into it:

    # cd $(zeek-config --root)/logs
    # ls -l
    total 4
    drwx------. 2 root root 4096 Jun 20 21:17 2022-06-20
    # cd 2022-06-20
    # ls -l
    total 712
    -rw-r--r--. 1 root root   280 Jun 20 20:17 broker.19:00:00-20:00:00.log.gz
    -rw-r--r--. 1 root root 24803 Jun 20 20:17 conn.19:00:00-20:00:00.log.gz
    -rw-r--r--. 1 root root 26036 Jun 20 21:17 conn.20:00:00-21:00:00.log.gz
    -rw-r--r--. 1 root root   350 Jun 20 20:17 dhcp.19:00:00-20:00:00.log.gz
    -rw-r--r--. 1 root root   400 Jun 20 21:17 dhcp.20:00:00-21:00:00.log.gz
    ...
    

You can adapt the log archival configuration via the following settings:

The zeek-client CLI

Zeek ships with a command-line client for the Management framework: zeek-client, installed alongside the other executables in the distribution. It looks as follows:

$ zeek-client --help
usage: zeek-client [-h] [-c FILE] [--controller HOST:PORT]
                   [--set SECTION.KEY=VAL] [--quiet | --verbose] [--version]
                   {deploy,deploy-config,get-config,get-id-value,get-instances,get-nodes,monitor,restart,stage-config,show-settings,test-timeout}
                   ...

A Zeek management client

options:
  -h, --help            show this help message and exit
  -c FILE, --configfile FILE
                        Path to zeek-client config file. (Default:
                        /usr/local/zeek/etc/zeek-client.cfg)
  --controller HOST:PORT
                        Address and port of the controller, either of which
                        may be omitted (default: 127.0.0.1:2150)
  --set SECTION.KEY=VAL
                        Adjust a configuration setting. Can use repeatedly.
                        See show-settings.
  --quiet, -q           Suppress informational output to stderr.
  --verbose, -v         Increase informational output to stderr. Repeat for
                        more output (e.g. -vvv).
  --version             Show version number and exit.

commands:
  {deploy,deploy-config,get-config,get-id-value,get-instances,get-nodes,monitor,restart,stage-config,show-settings,test-timeout}
                        See `zeek-client <command> -h` for per-command usage
                        info.
    deploy              Deploy a staged cluster configuration.
    deploy-config       Upload a cluster configuration and deploy it.
    get-config          Retrieve staged or deployed cluster configuration.
    get-id-value        Show the value of a given identifier in Zeek cluster
                        nodes.
    get-instances       Show instances connected to the controller.
    get-nodes           Show active Zeek nodes at each instance.
    monitor             For troubleshooting: do nothing, just report events.
    restart             Restart cluster nodes.
    stage-config        Upload a cluster configuration for later deployment.
    show-settings       Show zeek-client's own configuration.
    test-timeout        Send timeout test event.

environment variables:

    ZEEK_CLIENT_CONFIG_FILE:      Same as `--configfile` argument, but lower precedence.
    ZEEK_CLIENT_CONFIG_SETTINGS:  Same as a space-separated series of `--set` arguments, but lower precedence.

Run commands with --help for additional details.

The majority of zeek-client’s commands send off a request to the controller, wait for it to act on it, retrieve the response, and render it to the console. The output is typically in JSON format, though a few commands also support .ini output.

Looking at the Management::Controller::API module, you’ll notice that the structure of response event arguments is fairly rigid, consisting of one or more Management::Result records. zeek-client does not render these directly to JSON. Instead, it translates the responses to a more convenient JSON format reflecting specific types of requests. Several commands share a common output format.

Configuration

The client features a handful of configuration settings, reported when running zeek-client show-settings:

$ zeek-client show-settings
[client]
request_timeout_secs = 20
peer_retry_secs = 1
peering_status_attempts = 10
peering_status_retry_delay_secs = 0.5
rich_logging_format = False
pretty_json = True
verbosity = 0

[controller]
host = 127.0.0.1
port = 2150

You can override these via a configuration file, the environment variable ZEEK_CLIENT_CONFIG_SETTINGS, and the --set command-line argument, in order of increasing precedence. To identify a setting, use <section>.<setting>, as shown by your client. For example, in order to specify a controller’s location on the network, you could:

  • Put the following in a config file, either at its default location shown in the help output (usually $(zeek-config --prefix)/etc/zeek-client.cfg) or one that you provide via -c/--configfile:

    [controller]
    host = mycontroller
    port = 21500
    
  • Set the environment:

    ZEEK_CLIENT_CONFIG_SETTINGS="controller.host=mycontroller controller.port=21500"
    
  • Use the --set option, possibly repeatedly:

    $ zeek-client --set controller.host=mycontroller --set controller.port=21500 ...
    

Other than the controller coordinates, the settings should rarely require changing. If you’re curious about their meaning, please consult the source code.

Auto-complete

On systems with an installed argcomplete package, zeek-client features command-line auto-completion. For example:

$ zeek-client --set controller.<TAB>
controller.host=127.0.0.1  controller.port=2150

Zeek build dependency

zeek-client outsources most of its functionality to its (included) zeekclient Python module, and depends on Broker for event I/O. Due to this dependency we don’t currently provide zeek-client as a standalone package. We plan to support Broker’s new WebSocket data transport in the near future to simplify this.

Users with custom Zeek builds who don’t require zeek-client can skip it by configuring their build with --disable-zeek-client.

Common cluster management tasks

With a running controller and agent, it’s time to start using zeek-client for actual cluster management tasks. By default, the client will connect to a controller running on the local system. If that doesn’t match your setting, instruct the client to contact the controller via one of the approaches shown earlier.

Checking connected agents

Use zeek-client get-instances to get a summary of agents currently peered with the controller:

$ zeek-client get-instances
{
  "agent-testbox": {
    "host": "127.0.0.1"
  }
}

For agents connecting to the controller you’ll see the above output; for agents the controller connected to you’ll also see those agents’ listening ports.

Defining a cluster configuration

For zeek-client, cluster configurations are simple .ini files with two types of sections: the special instances section defines the instances involved in the cluster, represented by their agents. All other sections in the file name individual cluster nodes and describe their roles and properties.

Here’s a full-featured configuration describing the available options, assuming a single agent running on a machine “testbox” with default settings:

# The instances section describes where you run Management agents
# and whether these agents connect to the controller, or the controller
# connects to them. Each instance (or, equivalently, the agent running
# on it) is identified by a unique name. The names in this configuration
# must match the names the agents use in the Zeek configuration. Without
# customization, that name is "agent-<hostname>".
[instances]
# A value-less entry means this agent connects to the controller:
agent-testbox

# An entry with a value of the form "<host>:<port>" means the controller will
# connect to them.
#
# agent-testbox = 12.34.56.78:1234

# All other sections identify Zeek cluster nodes. The section name sets
# the name of the node:
[manager]

# Nodes typically state which instance they run on:
instance = agent-testbox

# Every node needs to define its role. Possible values are "manager",
# "logger", "proxy", and "worker".
role = manager

# For nodes that require a listening port (all roles but workers),
# you can choose to define a port. If you omit it, the framework will
# define ports for you. Only give a number; TCP is implied.
#
# port = 1234

# You can provide additional scripts that a node should run. These scripts
# must be available on the instance. Space-separate multiple scripts.
#
# scripts = policy/tuning/json-logs policy/misc/loaded-scripts

# You can define environment variables for the node. List them as <key>=<value>,
# space-separated if you provide multiple. If the value has whitespace, say
# <key>="<the value>"
#
# env = FOO=BAR

# For workers, specify a sniffing interface as follows:
#
# interface = <name>

# To express CPU affinity, use the following:
#
# cpu_affinity = <num>

[logger]
instance = agent-testbox
role = logger

[proxy1]
instance = agent-testbox
role = proxy

[proxy2]
instance = agent-testbox
role = proxy

[worker1]
instance = agent-testbox
role = worker
interface = eth0

[worker2]
instance = agent-testbox
role = worker
interface = eth1

[worker3]
instance = agent-testbox
role = worker
interface = eth2

[worker4]
instance = agent-testbox
role = worker
interface = eth3

Simplification for instance-local deployment

In practice you can omit many of the settings. We already saw in the Quickstart section that a configuration deployed locally in a joint agent-controller setup need not specify any instances at all. In that case, use of the local instance agent-<hostname> is implied. If you use other agent naming or more complex setups, every node needs to specify its instance.

Simplification for agent-to-controller connectivity

In setups where agents connect to the controller, you may omit the instances section if it would merely repeat the list of instances claimed by the nodes.

Simplification for port selection

All but the worker nodes in a Zeek cluster require a listening port, and you can specify one for each node as shown in the above configuration. If you’d rather not pick ports, the controller can auto-enumerate ports for you, as follows:

  • The Management::Controller::auto_assign_ports Boolean, which defaults to T, controls whether port auto-enumeration is active. Redefining to F disables the feature.

  • Management::Controller::auto_assign_start_port defines the starting point for port enumeration. This defaults to 2200/tcp.

  • Any nodes with explicitly configured ports will keep them.

  • For other nodes, the controller will assign ports first to the manager, then logger(s), then proxies. Within each of those groups, it first groups nodes in the same instance (to obtain locally sequential ports), and orders these alphabetically by name before enumerating. It also avoids conflicts with configured agent and controller ports.

  • The controller does not verify that selected ports are in fact unclaimed. It’s up to you to ensure an available pool of unclaimed listening ports from the start port onward.

By retrieving the deployed configuration from the controller (see the next two sections) you can examine which ports the controller selected.
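The enumeration rules above can be simulated to predict which ports a deployment will end up with. This is an added Python example, not zeek-client or controller code; it follows the bullets as written (the controller's own implementation may differ in details), and the cluster.cfg, the placeholder instance name agent-localhost and the reserved controller port 2151 taken from the get-nodes output later on this page are the assumed inputs.

```python
"""Port auto-enumeration as described above, simulated in Python.

Added example, not zeek-client or controller code. It follows the rules
listed in the text: nodes with explicit ports keep them; the manager is
assigned first, then loggers, then proxies; within each role, nodes are
grouped by instance and ordered alphabetically by name; ports already used
by agents, the controller, or explicitly configured nodes are skipped;
workers get no port.
"""
import configparser
from typing import Dict, Iterable

# Default of Management::Controller::auto_assign_start_port (2200/tcp).
AUTO_ASSIGN_START_PORT = 2200

# Order in which the controller hands out ports to the roles needing one.
ROLE_ORDER = ("manager", "logger", "proxy")

# Constructed sample: the quickstart-style cluster.cfg shown on this page.
SAMPLE_CFG = """
[manager]
role = manager

[logger]
role = logger

[worker-01]
role = worker
interface = lo

[worker-02]
role = worker
interface = eth0
"""


def parse_cluster_cfg(text: str, local_instance: str = "agent-localhost") -> Dict[str, Dict[str, str]]:
    """Parse a cluster.cfg into {node_name: {key: value}}.

    The [instances] section is skipped. A node without an explicit instance
    gets local_instance, mirroring the instance-local simplification
    (agent-<hostname>); "agent-localhost" is a placeholder, not a real name.
    """
    cp = configparser.ConfigParser(allow_no_value=True)
    cp.read_string(text)
    nodes: Dict[str, Dict[str, str]] = {}
    for section in cp.sections():
        if section == "instances":
            continue
        cfg = {k: v for k, v in cp[section].items() if v is not None}
        cfg.setdefault("instance", local_instance)
        nodes[section] = cfg
    return nodes


def auto_assign_ports(nodes: Dict[str, Dict[str, str]],
                      reserved: Iterable[int] = (),
                      start_port: int = AUTO_ASSIGN_START_PORT,
                      enabled: bool = True) -> Dict[str, int]:
    """Return {node_name: port} for every node that ends up with a listening port.

    reserved holds ports already claimed by agents and the controller;
    enabled mirrors Management::Controller::auto_assign_ports.
    """
    assigned: Dict[str, int] = {}
    taken = set(reserved)
    # Explicitly configured ports are honoured and count as taken.
    for name, cfg in nodes.items():
        if cfg.get("port"):
            port = int(cfg["port"])
            assigned[name] = port
            taken.add(port)
    if not enabled:
        return assigned
    next_port = start_port
    for role in ROLE_ORDER:
        pending = [(cfg["instance"], name) for name, cfg in nodes.items()
                   if cfg.get("role", "").lower() == role and name not in assigned]
        # Sorting by (instance, name) keeps each instance's nodes together so
        # they get locally sequential ports, alphabetically by name within.
        for _instance, name in sorted(pending):
            while next_port in taken:  # skip agent/controller/explicit ports
                next_port += 1
            assigned[name] = next_port
            taken.add(next_port)
            next_port += 1
    return assigned


if __name__ == "__main__":
    # 2151 is the controller port visible in the get-nodes output on this page.
    nodes = parse_cluster_cfg(SAMPLE_CFG)
    for name, port in sorted(auto_assign_ports(nodes, reserved={2151}).items()):
        print(f"{name}: {port}")  # prints logger: 2201 and manager: 2200
```

The result matches the deployed configuration retrieved with get-config --deployed further below: the manager gets 2200 and the logger 2201, while the workers get none.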

Staging and deploying configurations

The framework structures deployment of a cluster configuration into two phases:

  1. First, the cluster configuration is staged: the client uploads it to the controller, which validates its content, and — upon successful validation — persists this configuration to disk. Restarting the controller at this point will preserve this configuration in its staged state. Validation checks the configuration for consistency and structural errors, such as doubly defined nodes, port collisions, or inconsistent instance use. The controller only ever stores a single staged configuration.

  2. Then, deployment applies needed finalization to the configuration (e.g. to auto-enumerate ports) and, assuming all needed instances have peered, distributes the configuration to their agents. Deployment replaces any pre-existing Zeek cluster, shutting down the existing node processes. The controller also persists the deployed configuration to disk, alongside the staged one. Deployment does not need to be successful to preserve a deployed configuration: it’s the attempt to deploy that matters.

Internally, configurations bear an identifier string to allow tracking. The client selects this identifier, which comes with no further assurances — for example, identical configurations need not bear the same identifier.

To stage a configuration, use the following:

$ zeek-client stage-config cluster.cfg
{
  "errors": [],
  "results": {
    "id": "5e90197a-f850-11ec-a77f-7c10c94416bb"
  }
}

The errors array contains textual descriptions of any validation problems encountered, in which case the client exits with an error. The reported id is the configuration’s identifier, as set by the client.

Then, trigger deployment of the staged configuration:

$ zeek-client deploy
{
  "errors": [],
  "results": {
    "id": "5e90197a-f850-11ec-a77f-7c10c94416bb",
    "nodes": {
      "logger": {
        "instance": "agent-testbox4",
        "success": true
      },
      "manager": {
        "instance": "agent-testbox4",
        "success": true
      },
      "worker-01": {
        "instance": "agent-testbox4",
        "success": true
      },
      "worker-02": {
        "instance": "agent-testbox4",
        "success": true
      }
    }
  }
}

Success! Note the matching identifiers. The errors array covers any internal problems, and per-node summaries report the deployment outcome. In case of launch errors in individual nodes, stdout/stderr is captured and hopefully provides clues. Revisiting the quickstart example, let’s introduce an error in cluster.cfg:

[manager]
role = manager

[logger]
role = logger

[worker-01]
role = worker
interface = lo

[worker-02]
role = worker
interface = not-a-valid-interface

Since staging and deployment will frequently go hand-in-hand, the client provides the deploy-config command to combine them into one. Let’s use it:

$ zeek-client deploy-config cluster.cfg
{
  "errors": [
    "request timed out"
  ],
  "results": {
    "id": "eed87b02-f851-11ec-80e7-7c10c94416bb",
    "nodes": {
      "logger": {
        "instance": "agent-testbox",
        "success": true
      },
      "manager": {
        "instance": "agent-testbox",
        "success": true
      },
      "worker-01": {
        "instance": "agent-testbox",
        "success": true
      },
      "worker-02": {
        "instance": "agent-testbox",
        "stderr": "fatal error: problem with interface not-a-valid-interface (pcap_error: No such device exists (pcap_activate))",
        "stdout": "",
        "success": false
      }
    }
  }
}

The client exits with an error: the timeout error refers to the fact that one of the launch commands timed out, and worker-02’s stderr shows the problem. The Supervisor will keep trying to launch the node with ever-increasing retry delays, and keep failing.

Retrieving configurations

The client’s get-config command lets you retrieve staged and deployed configurations from the controller, in JSON or .ini form. This is helpful for examining the differences between the two. Following the successful deployment shown above, we have:

$ zeek-client get-config
[instances]
agent-testbox

[logger]
instance = agent-testbox
role = LOGGER

[manager]
instance = agent-testbox
role = MANAGER

[worker-01]
instance = agent-testbox
role = WORKER
interface = lo

[worker-02]
instance = agent-testbox
role = WORKER
interface = eth0

You can see here how the client’s instance-local simplification filled in instances under the hood.

The .ini output is reusable as deployable configuration. The same configuration is available in JSON, showing more detail:

$ zeek-client get-config --as-json
{
  "id": "5e90197a-f850-11ec-a77f-7c10c94416bb",
  "instances": [
    {
      "name": "agent-testbox"
    }
  ],
  "nodes": [
    {
      "cpu_affinity": null,
      "env": {},
      "instance": "agent-testbox",
      "interface": null,
      "name": "logger",
      "options": null,
      "port": null,
      "role": "LOGGER",
      "scripts": null
    },
    {
      "cpu_affinity": null,
      "env": {},
      "instance": "agent-testbox",
      "interface": null,
      "name": "manager",
      "options": null,
      "port": null,
      "role": "MANAGER",
      "scripts": null
    },
    {
      "cpu_affinity": null,
      "env": {},
      "instance": "agent-testbox",
      "interface": "lo",
      "name": "worker-01",
      "options": null,
      "port": null,
      "role": "WORKER",
      "scripts": null
    },
    {
      "cpu_affinity": null,
      "env": {},
      "instance": "agent-testbox",
      "interface": "eth0",
      "name": "worker-02",
      "options": null,
      "port": null,
      "role": "WORKER",
      "scripts": null
    }
  ]
}

Finally, you can also retrieve the deployed configuration (in either format):

$ zeek-client get-config --deployed
[instances]
agent-testbox

[logger]
instance = agent-testbox
role = LOGGER
port = 2201

[manager]
instance = agent-testbox
role = MANAGER
port = 2200

[worker-01]
instance = agent-testbox
role = WORKER
interface = lo

[worker-02]
instance = agent-testbox
role = WORKER
interface = eth0

Note the manager’s and logger’s auto-enumerated ports in this one.

Showing the current instance nodes

To see the current node status as visible to the Supervisors in each agent’s instance, use the get-nodes command:

$ zeek-client get-nodes
{
  "errors": [],
  "results": {
    "agent-testbox": {
      "agent-testbox": {
        "cluster_role": null,
        "mgmt_role": "AGENT",
        "pid": 52076,
        "state": "RUNNING"
      },
      "controller-testbox": {
        "cluster_role": null,
        "mgmt_role": "CONTROLLER",
        "pid": 52075,
        "port": 2151,
        "state": "RUNNING"
      },
      "logger": {
        "cluster_role": "LOGGER",
        "mgmt_role": null,
        "pid": 54075,
        "port": 2201,
        "state": "RUNNING"
      },
      "manager": {
        "cluster_role": "MANAGER",
        "mgmt_role": null,
        "pid": 54073,
        "port": 2200,
        "state": "RUNNING"
      },
      "worker-01": {
        "cluster_role": "WORKER",
        "mgmt_role": null,
        "pid": 54074,
        "state": "RUNNING"
      },
      "worker-02": {
        "cluster_role": "WORKER",
        "mgmt_role": null,
        "pid": 54072,
        "state": "RUNNING"
      }
    }
  }
}

This groups nodes by instances, while also showing agents and controllers, so agent-testbox shows up twice in the above. Nodes can be in two states, PENDING upon launch and before the new node has checked in with the agent, and RUNNING once that has happened. Nodes also have a role either in cluster management (as AGENT or CONTROLLER), or in the Zeek cluster. The information shown per node essentially reflects the framework’s Management::NodeStatus record.

Showing current global identifier values

For troubleshooting scripts in production it can be very handy to verify the contents of global variables in specific nodes. The client supports this via the get-id-value command. To use it, specify the name of a global identifier, as well as any node names from which you’d like to retrieve it. The framework renders the value to JSON directly in the queried cluster node, side-stepping potential serialization issues for complex types, and integrates the result in the response:

$ zeek-client get-id-value LogAscii::use_json
{
  "errors": [],
  "results": {
    "logger": false,
    "manager": false,
    "worker-01": false,
    "worker-02": false
  }
}
$ zeek-client get-id-value Log::all_streams worker-01
{
  "errors": [],
  "results": {
    "worker-01": {
      "Broker::LOG": {
        "columns": null,
        "path": "broker",
        "policy": "Broker::log_policy"
      },
      "Cluster::LOG": {
        "columns": null,
        "path": "cluster",
        "policy": "Cluster::log_policy"
      },
      ...
      "X509::LOG": {
        "columns": null,
        "ev": "X509::log_x509",
        "path": "x509",
        "policy": "X509::log_policy"
      },
      "mysql::LOG": {
        "columns": null,
        "ev": "MySQL::log_mysql",
        "path": "mysql",
        "policy": "MySQL::log_policy"
      }
    }
  }
}

Restarting cluster nodes

The restart command allows you to restart specific cluster nodes, or the entire cluster. Note that this refers only to the operational cluster (manager, workers, etc.) — this will not restart any agents or a co-located controller.

Here’s the current manager:

$ zeek-client get-nodes | jq '.results."agent-testbox".manager'
{
  "cluster_role": "MANAGER",
  "mgmt_role": null,
  "pid": 54073,
  "port": 2200,
  "state": "RUNNING"
}

Let’s restart it:

$ zeek-client restart manager
{
  "errors": [],
  "results": {
    "manager": true
  }
}

It’s back up and running (note the PID change):

$ zeek-client get-nodes | jq '.results."agent-testbox".manager'
{
  "cluster_role": "MANAGER",
  "mgmt_role": null,
  "pid": 68752,
  "port": 2200,
  "state": "RUNNING"
}

NetControl Framework

Zeek can connect to network devices such as switches and software or hardware firewalls using the NetControl framework. The NetControl framework provides a flexible, unified interface for active response and hides the complexity of heterogeneous network equipment behind a simple task-oriented API, which is easily usable via Zeek scripts. This document gives an overview of how to use the NetControl framework in different scenarios; to get a better understanding of how it can be used in practice, it might be worthwhile to take a look at the integration tests.

NetControl Architecture

Figure: NetControl framework architecture.

The basic architecture of the NetControl framework is shown in the figure above. Conceptually, the NetControl framework sits between the user-provided scripts (which use the Zeek event engine) and the network device (which can be either hardware or software) that is used to implement the commands.

The NetControl framework supports a number of high-level calls, like the NetControl::drop_address function, or a lower-level rule syntax. After a rule has been added to the NetControl framework, NetControl sends the rule to one or several of its backends. Each backend is responsible for communicating with a single hardware or software device. The NetControl framework tracks rules throughout their entire lifecycle and reports the status (like success, failure and timeouts) back to the user scripts.

The backends are implemented as Zeek scripts using a plugin based API; an example for this is base/frameworks/netcontrol/plugins/broker.zeek. This document will show how to write plugins in NetControl Plugins.

NetControl API

High-level NetControl API

In this section, we will introduce the high-level NetControl API. As mentioned above, NetControl uses backends to communicate with the external devices that will implement the rules. You will need at least one active backend before you can use NetControl. For our examples, we will just use the debug plugin to create a backend. This plugin outputs all actions that are taken to the standard output.

Backends should be initialized in the NetControl::init event, calling the NetControl::activate function after the plugin instance has been initialized. The debug plugin can be initialized as follows:

event NetControl::init()
  {
  local debug_plugin = NetControl::create_debug(T);
  NetControl::activate(debug_plugin, 0);
  }

After at least one backend has been added to the NetControl framework, the framework can be used and will send added rules to the added backend.

The NetControl framework contains several high-level functions that allow users to drop connections of certain addresses and networks, shunt network traffic, etc. The following table lists and describes all of the currently available high-level functions.

NetControl::drop_address
    Calling this function causes NetControl to block all packets involving an IP address from being forwarded.

NetControl::drop_connection
    Calling this function stops all packets of a specific connection (identified by its 5-tuple) from being forwarded.

NetControl::drop_address_catch_release
    Calling this function causes all packets of a specific source IP to be blocked. This function uses catch-and-release functionality: the IP address is only dropped for a short amount of time to conserve rule space in the network hardware, and is immediately re-dropped when it is seen again in traffic. See Catch and Release for more information.

NetControl::shunt_flow
    Calling this function causes NetControl to stop forwarding a uni-directional flow of packets to Zeek. This allows Zeek to conserve resources by shunting flows that have been identified as being benign.

NetControl::redirect_flow
    Calling this function causes NetControl to redirect a uni-directional flow to another port of the networking hardware.

NetControl::quarantine_host
    Calling this function allows Zeek to quarantine a host by sending its DNS traffic to a host with a special DNS server, which resolves all queries as pointing to itself. The quarantined host is only allowed to communicate with that special server, which will serve a warning message detailing the next steps for the user.

NetControl::whitelist_address
    Calling this function causes NetControl to push a whitelist entry for an IP address to the networking hardware.

NetControl::whitelist_subnet
    Calling this function causes NetControl to push a whitelist entry for a subnet to the networking hardware.

After adding a backend, all of these functions can immediately be used and will start sending the rules to the added backend(s). To give a very simple example, the following script will simply block the traffic of all connections that it sees being established:

netcontrol-1-drop-with-debug.zeek

event NetControl::init()
    {
    local debug_plugin = NetControl::create_debug(T);
    NetControl::activate(debug_plugin, 0);
    }

event connection_established(c: connection)
    {
    NetControl::drop_connection(c$id, 20 secs);
    }

Running this script on a file containing one connection will cause the debug plugin to print one line to the standard output, which contains information about the rule that was added. It will also cause creation of netcontrol.log, which contains information about all actions that are taken by NetControl:

$ zeek -C -r tls/ecdhe.pcap netcontrol-1-drop-with-debug.zeek
netcontrol debug (Debug-All): init
netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::CONNECTION, conn=[orig_h=192.168.18.50, orig_p=56981/tcp, resp_h=74.125.239.97, resp_p=443/tcp], flow=<uninitialized>, ip=<uninitialized>, mac=<uninitialized>], expire=20.0 secs, priority=0, location=, out_port=<uninitialized>, mod=<uninitialized>, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]

$ cat netcontrol.log
#separator \x09
#set_separator    ,
#empty_field      (empty)
#unset_field      -
#path     netcontrol
#open     2018-12-14-18-50-53
#fields   ts      rule_id category        cmd     state   action  target  entity_type     entity  mod     msg     priority        expire  location        plugin
#types    time    string  enum    string  enum    string  enum    string  string  string  string  int     interval        string  string
0.000000  -       NetControl::MESSAGE     -       -       -       -       -       -       -       activating plugin with priority 0       -       -       -       Debug-All
0.000000  -       NetControl::MESSAGE     -       -       -       -       -       -       -       activation finished     -       -       -       Debug-All
0.000000  -       NetControl::MESSAGE     -       -       -       -       -       -       -       plugin initialization done      -       -       -       -
1398529018.678276 2       NetControl::RULE        ADD     NetControl::REQUESTED   NetControl::DROP        NetControl::FORWARD     NetControl::CONNECTION  192.168.18.50/56981<->74.125.239.97/443 -       -       0       20.000000       -       Debug-All
1398529018.678276 2       NetControl::RULE        ADD     NetControl::SUCCEEDED   NetControl::DROP        NetControl::FORWARD     NetControl::CONNECTION  192.168.18.50/56981<->74.125.239.97/443 -       -       0       20.000000       -       Debug-All
#close    2018-12-14-18-50-53

In our case, netcontrol.log contains several NetControl::MESSAGE entries, which show that the debug plugin has been initialized and added. Afterwards, there are two NetControl::RULE entries; the first shows that the addition of a rule has been requested (state is NetControl::REQUESTED). The following line shows that the rule was successfully added (the state is NetControl::SUCCEEDED). The remainder of the log line gives more information about the added rule, which in our case applies to a specific 5-tuple.
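To check that REQUESTED entries are actually followed by SUCCEEDED ones across a whole log rather than by eye, here is an added Python example (not part of Zeek or of the scripts on this page) that parses netcontrol.log using its #fields header and groups the NetControl::RULE entries by rule_id. The sample log is constructed in the format shown above; its rule 3 and its FAILED entry are made up to show an unsuccessful rule.

```python
"""Track NetControl rule lifecycle from netcontrol.log.

Added example, not part of Zeek. Parses the tab-separated log via its
#fields header, then reports the sequence of states each rule_id went
through, so a rule that was REQUESTED but never SUCCEEDED stands out.
"""
from collections import defaultdict
from typing import Dict, List

# Constructed sample in the format shown on the page. Rule 2 is the page's
# own example; rule 3 and its FAILED line are made up for illustration.
SAMPLE_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tnetcontrol
#open\t2018-12-14-18-50-53
#fields\tts\trule_id\tcategory\tcmd\tstate\taction\ttarget\tentity_type\tentity\tmod\tmsg\tpriority\texpire\tlocation\tplugin
#types\ttime\tstring\tenum\tstring\tenum\tstring\tenum\tstring\tstring\tstring\tstring\tint\tinterval\tstring\tstring
0.000000\t-\tNetControl::MESSAGE\t-\t-\t-\t-\t-\t-\t-\tactivating plugin with priority 0\t-\t-\t-\tDebug-All
0.000000\t-\tNetControl::MESSAGE\t-\t-\t-\t-\t-\t-\t-\tactivation finished\t-\t-\t-\tDebug-All
1398529018.678276\t2\tNetControl::RULE\tADD\tNetControl::REQUESTED\tNetControl::DROP\tNetControl::FORWARD\tNetControl::CONNECTION\t192.168.18.50/56981<->74.125.239.97/443\t-\t-\t0\t20.000000\t-\tDebug-All
1398529018.678276\t2\tNetControl::RULE\tADD\tNetControl::SUCCEEDED\tNetControl::DROP\tNetControl::FORWARD\tNetControl::CONNECTION\t192.168.18.50/56981<->74.125.239.97/443\t-\t-\t0\t20.000000\t-\tDebug-All
1398529020.000000\t3\tNetControl::RULE\tADD\tNetControl::REQUESTED\tNetControl::DROP\tNetControl::FORWARD\tNetControl::ADDRESS\t192.168.56.1/32\t-\t-\t0\t3600.000000\t-\tDebug-All
1398529020.500000\t3\tNetControl::RULE\tADD\tNetControl::FAILED\tNetControl::DROP\tNetControl::FORWARD\tNetControl::ADDRESS\t192.168.56.1/32\t-\tbackend rejected rule\t0\t3600.000000\t-\tDebug-All
#close\t2018-12-14-18-50-53
"""


def parse_zeek_log(text: str) -> List[Dict[str, str]]:
    """Parse a Zeek TSV log into row dicts keyed by the #fields header."""
    fields = None
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue  # other #-lines (separator, types, open, close) carry no records
        if fields is None:
            raise ValueError("record before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        rows.append(dict(zip(fields, values)))
    return rows


def rule_states(rows: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map rule_id -> ordered states, for NetControl::RULE entries only.

    MESSAGE entries (plugin activation etc.) have no rule_id and are skipped.
    """
    states: Dict[str, List[str]] = defaultdict(list)
    for row in rows:
        if row["category"] != "NetControl::RULE":
            continue
        # "NetControl::SUCCEEDED" -> "SUCCEEDED"
        states[row["rule_id"]].append(row["state"].split("::", 1)[-1])
    return dict(states)


def rules_by_final_state(rows: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group rule_ids by the last state logged for them."""
    out: Dict[str, List[str]] = defaultdict(list)
    for rule_id, seq in rule_states(rows).items():
        out[seq[-1]].append(rule_id)
    return dict(out)


def parse_connection_entity(entity: str) -> Dict[str, object]:
    """Split the CONNECTION entity format "orig_h/orig_p<->resp_h/resp_p"."""
    orig, resp = entity.split("<->")
    orig_h, orig_p = orig.rsplit("/", 1)
    resp_h, resp_p = resp.rsplit("/", 1)
    return {"orig_h": orig_h, "orig_p": int(orig_p),
            "resp_h": resp_h, "resp_p": int(resp_p)}


if __name__ == "__main__":
    rows = parse_zeek_log(SAMPLE_LOG)
    for state, ids in rules_by_final_state(rows).items():
        print(f"{state}: rules {', '.join(ids)}")
```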

In addition to netcontrol.log, the drop commands also create a second log called netcontrol_drop.log. This log file is much more succinct and only contains information that is specific to drops that are enacted by NetControl:

$ cat netcontrol_drop.log
#separator \x09
#set_separator    ,
#empty_field      (empty)
#unset_field      -
#path     netcontrol_drop
#open     2018-12-14-18-50-53
#fields   ts      rule_id orig_h  orig_p  resp_h  resp_p  expire  location
#types    time    string  addr    port    addr    port    interval        string
1398529018.678276 2       192.168.18.50   56981   74.125.239.97   443     20.000000       -
#close    2018-12-14-18-50-53

While this example of blocking all connections is usually not very useful, the high-level API gives an easy way to take action, for example when a host is identified as doing some harmful activity. To give a more realistic example, the following code automatically blocks a recognized SSH guesser:

netcontrol-2-ssh-guesser.zeek

@load protocols/ssh/detect-bruteforcing

redef SSH::password_guesses_limit=10;

event NetControl::init()
    {
    local debug_plugin = NetControl::create_debug(T);
    NetControl::activate(debug_plugin, 0);
    }

hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == SSH::Password_Guessing )
        NetControl::drop_address(n$src, 60min);
    }

$ zeek -C -r ssh/sshguess.pcap netcontrol-2-ssh-guesser.zeek
netcontrol debug (Debug-All): init
netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=192.168.56.1/32, mac=<uninitialized>], expire=1.0 hr, priority=0, location=, out_port=<uninitialized>, mod=<uninitialized>, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]

$ cat netcontrol.log
#separator \x09
#set_separator    ,
#empty_field      (empty)
#unset_field      -
#path     netcontrol
#open     2018-12-14-18-50-54
#fields   ts      rule_id category        cmd     state   action  target  entity_type     entity  mod     msg     priority        expire  location        plugin
#types    time    string  enum    string  enum    string  enum    string  string  string  string  int     interval        string  string
0.000000  -       NetControl::MESSAGE     -       -       -       -       -       -       -       activating plugin with priority 0       -       -       -       Debug-All
0.000000  -       NetControl::MESSAGE     -       -       -       -       -       -       -       activation finished     -       -       -       Debug-All
0.000000  -       NetControl::MESSAGE     -       -       -       -       -       -       -       plugin initialization done      -       -       -       -
1427726759.303199 2       NetControl::RULE        ADD     NetControl::REQUESTED   NetControl::DROP        NetControl::FORWARD     NetControl::ADDRESS     192.168.56.1/32 -       -       0       3600.000000     -       Debug-All
1427726759.303199 2       NetControl::RULE        ADD     NetControl::SUCCEEDED   NetControl::DROP        NetControl::FORWARD     NetControl::ADDRESS     192.168.56.1/32 -       -       0       3600.000000     -       Debug-All
#close    2018-12-14-18-50-54

Note that in this case, instead of calling NetControl directly, we can also use the Notice::ACTION_DROP action of the notice framework:

netcontrol-3-ssh-guesser.zeek

@load protocols/ssh/detect-bruteforcing

redef SSH::password_guesses_limit=10;

event NetControl::init()
    {
    local debug_plugin = NetControl::create_debug(T);
    NetControl::activate(debug_plugin, 0);
    }

hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == SSH::Password_Guessing )
        add n$actions[Notice::ACTION_DROP];
    }

$ zeek -C -r ssh/sshguess.pcap netcontrol-3-ssh-guesser.zeek
netcontrol debug (Debug-All): init
netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=192.168.56.1/32, mac=<uninitialized>], expire=10.0 mins, priority=0, location=ACTION_DROP: T, out_port=<uninitialized>, mod=<uninitialized>, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]

$ cat netcontrol.log
#separator \x09
#set_separator    ,
#empty_field      (empty)
#unset_field      -
#path     netcontrol
#open     2018-12-14-18-50-55
#fields   ts      rule_id category        cmd     state   action  target  entity_type     entity  mod     msg     priority        expire  location        plugin
#types    time    string  enum    string  enum    string  enum    string  string  string  string  int     interval        string  string
0.000000  -       NetControl::MESSAGE     -       -       -       -       -       -       -       activating plugin with priority 0       -       -       -       Debug-All
0.000000  -       NetControl::MESSAGE     -       -       -       -       -       -       -       activation finished     -       -       -       Debug-All
0.000000  -       NetControl::MESSAGE     -       -       -       -       -       -       -       plugin initialization done      -       -       -       -
1427726759.303199 2       NetControl::RULE        ADD     NetControl::REQUESTED   NetControl::DROP        NetControl::FORWARD     NetControl::ADDRESS     192.168.56.1/32 -       -       0       600.000000      ACTION_DROP: T  Debug-All
1427726759.303199 2       NetControl::RULE        ADD     NetControl::SUCCEEDED   NetControl::DROP        NetControl::FORWARD     NetControl::ADDRESS     192.168.56.1/32 -       -       0       600.000000      ACTION_DROP: T  Debug-All
#close    2018-12-14-18-50-55

Using the Notice::ACTION_DROP action of the notice framework will also cause the dropped column in notice.log to be set to true each time that the NetControl framework enacts a block:

$ cat notice.log
#separator \x09
#set_separator    ,
#empty_field      (empty)
#unset_field      -
#path     notice
#open     2018-12-14-18-50-55
#fields   ts      uid     id.orig_h       id.orig_p       id.resp_h       id.resp_p       fuid    file_mime_type  file_desc       proto   note    msg     sub     src     dst     p       n       peer_descr      actions suppress_for    dropped remote_location.country_code    remote_location.region  remote_location.city    remote_location.latitude        remote_location.longitude
#types    time    string  addr    port    addr    port    string  string  string  enum    enum    string  string  addr    addr    port    count   string  set[enum]       interval        bool    string  string  string  double  double
1427726759.303199 -       -       -       -       -       -       -       -       -       SSH::Password_Guessing  192.168.56.1 appears to be guessing SSH passwords (seen in 10 connections).     Sampled servers:  192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103        192.168.56.1    -       -       -       -       Notice::ACTION_DROP,Notice::ACTION_LOG  3600.000000     F       -       -       -       -       -
#close    2018-12-14-18-50-55

Rule API

As already mentioned in the last section, in addition to the high-level API, the NetControl framework also supports a rule-based API which allows greater flexibility when adding rules. In fact, all the high-level functions are implemented using this lower-level rule API; the high-level functions simply convert their arguments into the lower-level rules and then add the rules directly to the NetControl framework (by calling NetControl::add_rule).

The following figure shows the main components of NetControl rules:

Figure: NetControl Rule overview.

The types that are used to make up a rule are defined in base/frameworks/netcontrol/types.zeek.

Rules are defined as a NetControl::Rule record. Rules have a type, which specifies what kind of action is taken. The possible actions are to drop packets, to modify them, to redirect or to whitelist them. The target of a rule specifies whether the rule is applied in the forward path, affecting packets as they are forwarded through the network, or in the monitor path, affecting only the packets that are sent to Zeek but not the packets that traverse the network. The entity specifies the address, connection, etc. that the rule applies to. In addition, each rule has a timeout (which can be left empty) and a priority (with higher-priority rules overriding lower-priority rules). Furthermore, a location string with more text information about each rule can be provided.

There are a couple more fields that are only needed for some rule types. For example, when you insert a redirect rule, you have to specify the port that packets should be redirected to. All these fields are shown in the NetControl::Rule documentation.

To give an example of how to construct your own rule, we are going to write our own version of the NetControl::drop_connection function. The only difference between our function and the one provided by NetControl is that the NetControl function has additional functionality, e.g. for logging.

Once again, we are going to test our function with a simple example that simply drops all connections on the network:

netcontrol-4-drop.zeek

function our_drop_connection(c: conn_id, t: interval)
    {
    # As a first step, create the NetControl::Entity that we want to block
    local e = NetControl::Entity($ty=NetControl::CONNECTION, $conn=c);
    # Then, use the entity to create the rule to drop the entity in the forward path
    local r = NetControl::Rule($ty=NetControl::DROP,
        $target=NetControl::FORWARD, $entity=e, $expire=t);

    # Add the rule
    local id = NetControl::add_rule(r);

    if ( id == "" )
        print "Error while dropping";
    }

event NetControl::init()
    {
    local debug_plugin = NetControl::create_debug(T);
    NetControl::activate(debug_plugin, 0);
    }

event connection_established(c: connection)
    {
    our_drop_connection(c$id, 20 secs);
    }

$ zeek -C -r tls/ecdhe.pcap netcontrol-4-drop.zeek
netcontrol debug (Debug-All): init
netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::CONNECTION, conn=[orig_h=192.168.18.50, orig_p=56981/tcp, resp_h=74.125.239.97, resp_p=443/tcp], flow=<uninitialized>, ip=<uninitialized>, mac=<uninitialized>], expire=20.0 secs, priority=0, location=<uninitialized>, out_port=<uninitialized>, mod=<uninitialized>, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]

$ cat netcontrol.log
#separator \x09
#set_separator    ,
#empty_field      (empty)
#unset_field      -
#path     netcontrol
#open     2018-12-14-18-50-55
#fields   ts      rule_id category        cmd     state   action  target  entity_type     entity  mod     msg     priority        expire  location        plugin
#types    time    string  enum    string  enum    string  enum    string  string  string  string  int     interval        string  string
0.000000  -       NetControl::MESSAGE     -       -       -       -       -       -       -       activating plugin with priority 0       -       -       -       Debug-All
0.000000  -       NetControl::MESSAGE     -       -       -       -       -       -       -       activation finished     -       -       -       Debug-All
0.000000  -       NetControl::MESSAGE     -       -       -       -       -       -       -       plugin initialization done      -       -       -       -
1398529018.678276 2       NetControl::RULE        ADD     NetControl::REQUESTED   NetControl::DROP        NetControl::FORWARD     NetControl::CONNECTION  192.168.18.50/56981<->74.125.239.97/443 -       -       0       20.000000       -       Debug-All
1398529018.678276 2       NetControl::RULE        ADD     NetControl::SUCCEEDED   NetControl::DROP        NetControl::FORWARD     NetControl::CONNECTION  192.168.18.50/56981<->74.125.239.97/443 -       -       0       20.000000       -       Debug-All
#close    2018-12-14-18-50-55

The last example shows that NetControl::add_rule returns a string identifier that is unique for each rule (uniqueness is not preserved across restarts of Zeek). This rule id can be used to later remove rules manually using NetControl::remove_rule.

Similar to NetControl::add_rule, all the high-level functions also return their rule IDs, which can be removed in the same way.

Interacting with Rules

The NetControl framework offers a number of different ways to interact with rules. Before a rule is applied by the framework, a number of different hooks allow you to either modify or discard rules before they are added. Furthermore, a number of events can be used to track the lifecycle of a rule while it is being managed by the NetControl framework. It is also possible to query and access the current set of active rules.

Rule Policy

The hook NetControl::rule_policy provides the mechanism for modifying or discarding a rule before it is sent onwards to the backends. Hooks can be thought of as multi-bodied functions, and using them looks very similar to handling events. In contrast to events, they are processed immediately. Like events, hooks can have priorities to sort the order in which their bodies are applied. A hook body can use the break keyword to abort processing; if any NetControl::rule_policy body executes break, the rule is discarded before further processing.

Here is a simple example which tells Zeek to discard all rules for connections originating from the 192.168.* network:

netcontrol-5-hook.zeek
hook NetControl::rule_policy(r: NetControl::Rule)
    {
    if ( r$ty == NetControl::DROP &&
         r$entity$ty == NetControl::CONNECTION &&
         r$entity$conn$orig_h in 192.168.0.0/16 )
        {
        print "Ignored connection from", r$entity$conn$orig_h;
        break;
        }
    }

event NetControl::init()
    {
    local debug_plugin = NetControl::create_debug(T);
    NetControl::activate(debug_plugin, 0);
    }

event connection_established(c: connection)
    {
    NetControl::drop_connection(c$id, 20 secs);
    }

$ zeek -C -r tls/ecdhe.pcap netcontrol-5-hook.zeek
netcontrol debug (Debug-All): init
Ignored connection from, 192.168.18.50

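
The example above only discards rules. As an added example (not part of the Zeek documentation), the following script uses two NetControl::rule_policy bodies with different priorities: the first discards drops that would affect protected infrastructure, the second modifies the remaining drops in place. The protected addresses and the lifetime cap are constructed values.

```zeek
# Added example, not part of the Zeek documentation. Addresses and the
# lifetime cap are constructed values.

# Infrastructure that a drop rule must never affect (constructed).
const protected_hosts: set[addr] = { 198.51.100.53, 198.51.100.2 } &redef;

# Longest lifetime any DROP rule may have (constructed).
const max_drop_lifetime = 1hr &redef;

# The subnets a rule affects: the entity's own subnet for ADDRESS rules, both
# endpoints for CONNECTION rules, nothing for flow or MAC entities.
function rule_subnets(r: NetControl::Rule): vector of subnet
    {
    local result: vector of subnet = vector();
    if ( r$entity$ty == NetControl::ADDRESS )
        result[|result|] = r$entity$ip;
    else if ( r$entity$ty == NetControl::CONNECTION )
        {
        result[|result|] = addr_to_subnet(r$entity$conn$orig_h);
        result[|result|] = addr_to_subnet(r$entity$conn$resp_h);
        }
    return result;
    }

function touches_protected(r: NetControl::Rule): bool
    {
    local subs = rule_subnets(r);
    for ( i in subs )
        for ( h in protected_hosts )
            if ( h in subs[i] )
                return T;
    return F;
    }

# Runs first: discard any drop that would cut off protected infrastructure.
hook NetControl::rule_policy(r: NetControl::Rule) &priority=10
    {
    if ( r$ty == NetControl::DROP && touches_protected(r) )
        {
        print fmt("Discarding drop that would affect a protected host: %s", r$entity);
        break;
        }
    }

# Runs afterwards (default priority 0): modify rather than discard. Cap the
# lifetime so a scripting mistake cannot fill the hardware rule table with
# long-lived blocks, and tag rules that carry no location.
hook NetControl::rule_policy(r: NetControl::Rule)
    {
    if ( r$ty == NetControl::DROP )
        {
        if ( ! r?$expire || r$expire > max_drop_lifetime )
            r$expire = max_drop_lifetime;
        if ( ! r?$location )
            r$location = "capped by rule_policy";
        }
    }

event NetControl::init()
    {
    NetControl::activate(NetControl::create_debug(T), 0);
    }

event NetControl::init_done()
    {
    # Discarded by the priority-10 body: the address is protected.
    NetControl::drop_address(198.51.100.53, 1min);
    # Accepted, but the debug plugin prints expire=1.0 hr rather than 2 days.
    NetControl::drop_address(203.0.113.7, 2days);
    }
```
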
NetControl Events

In addition to the hooks, the NetControl framework offers a variety of events that are raised by the framework to allow users to track rules, as well as the state of the framework.

We already encountered and used one event of the NetControl framework, NetControl::init, which is used to initialize the framework. After the framework has finished initializing and is ready to accept rules, the NetControl::init_done event is raised.

When rules are added to the framework, the following events are raised, in this order:

NetControl::rule_new
    Signals that a new rule has been created by the NetControl framework as a result of NetControl::add_rule. At this point, the rule has not yet been added to any backend.

NetControl::rule_added
    Signals that a new rule has successfully been added by a backend.

NetControl::rule_exists
    Raised instead of NetControl::rule_added when a backend reports that the rule already existed.

NetControl::rule_timeout
    Signals that a rule's timeout was reached. If the hardware does not support automatic timeouts, the NetControl framework will automatically call NetControl::remove_rule.

NetControl::rule_removed
    Signals that a rule has successfully been removed by a backend.

NetControl::rule_destroyed
    The counterpart to NetControl::rule_added: reports that a rule is no longer being tracked by the NetControl framework. This happens, for example, when a rule has been removed from all backends.

NetControl::rule_error
    Raised whenever an error occurs during any rule operation.
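
As an added example (not from the Zeek documentation), the following script handles each of these lifecycle events: it keeps a table of the address drops currently in force, reports timeouts and removals, and escalates failed rule operations through the Reporter framework. The addresses in NetControl::init_done are constructed.

```zeek
# Added example, not part of the Zeek documentation. Test addresses are constructed.

# Rule ids of drops currently in force, keyed by the blocked address.
global active_drops: table[addr] of set[string];

function is_addr_drop(r: NetControl::Rule): bool
    {
    return r$ty == NetControl::DROP && r$entity$ty == NetControl::ADDRESS;
    }

function rule_addr(r: NetControl::Rule): addr
    {
    # drop_address() creates single-host entities, so this is exact for those.
    return subnet_to_addr(r$entity$ip);
    }

event NetControl::rule_new(r: NetControl::Rule)
    {
    print fmt("rule %s requested: %s %s", r$id, r$ty, r$entity$ty);
    }

event NetControl::rule_added(r: NetControl::Rule, p: NetControl::PluginState, msg: string)
    {
    if ( ! is_addr_drop(r) )
        return;
    local a = rule_addr(r);
    if ( a !in active_drops )
        {
        local empty: set[string];
        active_drops[a] = empty;
        }
    add active_drops[a][r$id];
    print fmt("rule %s active on %s for %s", r$id, p$plugin$name(p), a);
    }

event NetControl::rule_exists(r: NetControl::Rule, p: NetControl::PluginState, msg: string)
    {
    print fmt("rule %s was already present on %s", r$id, p$plugin$name(p));
    }

event NetControl::rule_timeout(r: NetControl::Rule, i: NetControl::FlowInfo, p: NetControl::PluginState)
    {
    # For backends that cannot expire rules themselves, the framework now
    # calls NetControl::remove_rule on our behalf.
    print fmt("rule %s expired after %s", r$id, r$expire);
    }

event NetControl::rule_removed(r: NetControl::Rule, p: NetControl::PluginState, msg: string)
    {
    print fmt("rule %s removed from %s", r$id, p$plugin$name(p));
    }

event NetControl::rule_destroyed(r: NetControl::Rule)
    {
    if ( ! is_addr_drop(r) )
        return;
    local a = rule_addr(r);
    if ( a in active_drops )
        {
        delete active_drops[a][r$id];
        if ( |active_drops[a]| == 0 )
            delete active_drops[a];
        }
    print fmt("rule %s no longer tracked; %d addresses still blocked", r$id, |active_drops|);
    }

event NetControl::rule_error(r: NetControl::Rule, p: NetControl::PluginState, msg: string)
    {
    # A block that did not take effect is a gap an operator should hear about.
    Reporter::warning(fmt("NetControl rule %s failed on %s: %s", r$id, p$plugin$name(p), msg));
    }

event NetControl::init()
    {
    NetControl::activate(NetControl::create_debug(T), 0);
    }

event NetControl::init_done()
    {
    local id = NetControl::drop_address(198.51.100.7, 30secs);
    NetControl::drop_address(198.51.100.8, 30secs);
    # Manual removal raises rule_removed and rule_destroyed right away; the
    # remaining rule raises rule_timeout after 30 seconds of network time.
    NetControl::remove_rule(id, "operator request");
    }
```
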

Finding active rules

The NetControl framework provides two functions for finding currently active rules: NetControl::find_rules_addr finds all rules that affect a certain IP address and NetControl::find_rules_subnet finds all rules that affect a specified subnet.

Consider, for example, a Zeek instance that monitors traffic at the border, before any firewall or switch rules are applied. Zeek will then still see connection attempts from IP addresses that are already blocked, and NetControl::find_rules_addr can be used to check whether an address was blocked in the past.

Here is a simple example, which uses a trace that contains two connections from the same IP address. After the first connection, the script recognizes that the address is already blocked in the second connection.

netcontrol-6-find.zeek
event NetControl::init()
    {
    local netcontrol_debug = NetControl::create_debug(T);
    NetControl::activate(netcontrol_debug, 0);
    }

event connection_established(c: connection)
    {
    if ( |NetControl::find_rules_addr(c$id$orig_h)| > 0 )
        {
        print "Rule already exists";
        return;
        }

    NetControl::drop_connection(c$id, 20 secs);
    print "Rule added";
    }

$ zeek -C -r tls/google-duplicate.trace netcontrol-6-find.zeek
netcontrol debug (Debug-All): init
netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::CONNECTION, conn=[orig_h=192.168.4.149, orig_p=60623/tcp, resp_h=74.125.239.129, resp_p=443/tcp], flow=<uninitialized>, ip=<uninitialized>, mac=<uninitialized>], expire=20.0 secs, priority=0, location=, out_port=<uninitialized>, mod=<uninitialized>, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]
Rule added
Rule already exists

Notice that the functions return vectors because it is possible that several rules exist simultaneously that affect one IP; either there could be rules with different priorities, or rules for the subnet that an IP address is part of.
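
As an added example (not from the Zeek documentation), the following script walks the returned vector rather than only checking its length: it inspects every active drop covering an address, including rules for an enclosing subnet, and adds a new rule only if none of them is at least as strong. The subnet, addresses and priorities are constructed.

```zeek
# Added example, not part of the Zeek documentation. Subnet, addresses and
# priorities are constructed values.

# Active DROP rules on the forward path that cover the address, whether they
# were added for the host itself or for a subnet containing it.
function active_drops_for(a: addr): vector of NetControl::Rule
    {
    local result: vector of NetControl::Rule = vector();
    local rules = NetControl::find_rules_addr(a);
    for ( i in rules )
        {
        local r = rules[i];
        if ( r$ty == NetControl::DROP && r$target == NetControl::FORWARD )
            result[|result|] = r;
        }
    return result;
    }

# T if an existing drop already covers the address at priority >= prio.
function already_dropped(a: addr, prio: int): bool
    {
    local drops = active_drops_for(a);
    for ( i in drops )
        if ( drops[i]$priority >= prio )
            return T;
    return F;
    }

# Adds a drop for a host or subnet with an explicit priority; the high-level
# drop_address() always uses priority 0.
function drop_with_priority(sn: subnet, t: interval, prio: int): string
    {
    local e = NetControl::Entity($ty=NetControl::ADDRESS, $ip=sn);
    local r = NetControl::Rule($ty=NetControl::DROP, $target=NetControl::FORWARD,
                               $entity=e, $expire=t, $priority=prio);
    return NetControl::add_rule(r);
    }

event NetControl::init()
    {
    NetControl::activate(NetControl::create_debug(T), 0);
    }

event NetControl::init_done()
    {
    # Block a whole constructed subnet at priority 5 ...
    drop_with_priority(198.51.100.0/24, 10min, +5);

    # ... then ask about a host inside it. The subnet rule is returned.
    local host = 198.51.100.42;
    local drops = active_drops_for(host);
    for ( i in drops )
        print fmt("%s covered by %s (priority %d, expire %s)",
                  host, drops[i]$entity$ip, drops[i]$priority, drops[i]$expire);

    if ( already_dropped(host, +0) )
        print fmt("%s: no new rule needed at priority 0", host);

    # A stronger per-host block is still worth adding; both rules then coexist.
    if ( ! already_dropped(host, +10) )
        drop_with_priority(addr_to_subnet(host), 1min, +10);

    print fmt("%d drop rules now cover %s", |active_drops_for(host)|, host);
    }
```
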

Catch and Release

We already mentioned earlier that in addition to the NetControl::drop_connection and NetControl::drop_address functions, which drop a connection or address for a specified amount of time, NetControl also comes with a blocking function that uses an approach called catch and release.

Catch and release is a blocking scheme that conserves valuable rule space in your hardware. Instead of using long-lasting blocks, catch and release first installs a block for only a short amount of time (typically a few minutes). Once that time has passed, the block is lifted, but the IP address is added to a watchlist; if it reappears in any traffic, whether or not the new traffic triggers an alert, it is immediately blocked again, this time for a longer period.

This makes catch and release blocks similar to normal, longer-duration blocks, while only requiring a small amount of space for the currently active rules. IP addresses that are only seen once for a short time are blocked for a few minutes, monitored for a while and then forgotten. IP addresses that keep reappearing are re-blocked for longer periods.

In contrast to the other high-level functions that we documented so far, the catch and release functionality is much more complex and adds a number of different specialized functions to NetControl. The documentation for catch and release is contained in the file policy/frameworks/netcontrol/catch-and-release.zeek.

Using catch and release in your scripts is easy; just use NetControl::drop_address_catch_release like in this example:

netcontrol-7-catch-release.zeek
event NetControl::init()
    {
    local debug_plugin = NetControl::create_debug(T);
    NetControl::activate(debug_plugin, 0);
    }

event connection_established(c: connection)
    {
    NetControl::drop_address_catch_release(c$id$orig_h);
    }

$ zeek -C -r tls/ecdhe.pcap netcontrol-7-catch-release.zeek
netcontrol debug (Debug-All): init
netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=192.168.18.50/32, mac=<uninitialized>], expire=10.0 mins, priority=0, location=, out_port=<uninitialized>, mod=<uninitialized>, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]

Note that you do not have to provide the block time for catch and release; instead, catch and release uses the time intervals specified in NetControl::catch_release_intervals (by default 10 minutes, 1 hour, 24 hours, 7 days). That means when an address is first blocked, it is blocked for 10 minutes and monitored for 1 hour. If the address reappears after the first 10 minutes, it is blocked for 1 hour and then monitored for 24 hours, etc.

Catch and release adds its own new logfile in addition to the already existing ones (netcontrol_catch_release.log):

$ cat netcontrol_catch_release.log
#separator \x09
#set_separator    ,
#empty_field      (empty)
#unset_field      -
#path     netcontrol_catch_release
#open     2018-12-14-18-50-58
#fields   ts      rule_id ip      action  block_interval  watch_interval  blocked_until   watched_until   num_blocked     location        message
#types    time    string  addr    enum    interval        interval        time    time    count   string  string
1398529018.678276 2       192.168.18.50   NetControl::DROP        600.000000      3600.000000     1398529618.678276       1398532618.678276       1       -       -
1398529018.678276 2       192.168.18.50   NetControl::DROPPED     600.000000      3600.000000     1398529618.678276       1398532618.678276       1       -       -
#close    2018-12-14-18-50-58

In addition to the blocking function, catch and release comes with the NetControl::get_catch_release_info function to check if an address is already blocked by catch and release (and get information about the block). The NetControl::unblock_address_catch_release function can be used to unblock addresses from catch and release.

Note

Since catch and release does its own connection tracking in addition to the tracking used by the NetControl framework, it is not sufficient to remove rules that were added by catch and release using NetControl::remove_rule. You have to use NetControl::unblock_address_catch_release in this case.
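
As an added example (not from the Zeek documentation), the following script ties these pieces together: site-specific intervals, a check against addresses catch and release already tracks, an allow-list of infrastructure that must never be blocked, and an operator unblock that goes through NetControl::unblock_address_catch_release rather than NetControl::remove_rule. The intervals, addresses and the lift_block event are constructed.

```zeek
# Added example, not part of the Zeek documentation. Intervals, addresses and
# the lift_block event are constructed.

# First block 5 minutes and watch 30 minutes; then block 30 minutes and watch
# 4 hours, and so on (defaults are 10min, 1hr, 24hrs, 7days).
redef NetControl::catch_release_intervals = vector(5min, 30min, 4hr, 2days);

# Constructed allow-list: the resolver and the mail relay.
const never_block: set[addr] = { 198.51.100.53, 198.51.100.25 } &redef;

event NetControl::init()
    {
    NetControl::activate(NetControl::create_debug(T), 0);
    }

# T when catch and release already blocks or watches the address. For unknown
# addresses get_catch_release_info() returns a watch_until in the past.
function tracked_by_catch_release(a: addr): bool
    {
    return NetControl::get_catch_release_info(a)$watch_until > network_time();
    }

event connection_established(c: connection)
    {
    local a = c$id$orig_h;
    if ( a in never_block )
        return;

    if ( tracked_by_catch_release(a) )
        {
        local bi = NetControl::get_catch_release_info(a);
        print fmt("%s already in catch and release: interval %d, reblocked %d times, watched until %s",
                  a, bi$current_interval, bi$num_reblocked,
                  strftime("%Y-%m-%d %H:%M:%S", bi$watch_until));
        return;
        }

    local info = NetControl::drop_address_catch_release(a, "catch-release example");
    if ( info?$block_until )
        print fmt("%s blocked until %s, watched until %s", a,
                  strftime("%H:%M:%S", info$block_until),
                  strftime("%H:%M:%S", info$watch_until));
    }

# Operators lift blocks by raising this constructed event (e.g. via Broker).
global lift_block: event(a: addr);

event lift_block(a: addr)
    {
    # remove_rule() would delete the current rule but leave the watch-list
    # entry, so the address would be re-blocked the next time it is seen.
    if ( NetControl::unblock_address_catch_release(a, "operator request") )
        print fmt("%s unblocked and removed from the watch list", a);
    else
        print fmt("%s was not blocked by catch and release", a);
    }
```
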

NetControl Plugins

Using the existing plugins

In the API part of the documentation, we exclusively used the debug plugin, which simply outputs its actions to the screen. In addition to this debugging plugin, Zeek ships with a small number of plugins that can be used to interface the NetControl framework with your networking hard- and software.

The plugins that currently ship with NetControl are:

OpenFlow plugin
    This is the most fully featured plugin, which allows the NetControl framework to be interfaced with OpenFlow switches. The source of this plugin is contained in base/frameworks/netcontrol/plugins/openflow.zeek.

Broker plugin
    This plugin provides a generic way to send NetControl commands using the new Zeek communication library (Broker). External programs can receive the rules and take action; we provide an example script that calls command-line programs triggered by NetControl. The source of this plugin is contained in base/frameworks/netcontrol/plugins/broker.zeek.

acld plugin
    This plugin adds support for the acld daemon, which can interface with several switches and routers. The current version of acld is available from the LBL ftp server. The source of this plugin is contained in base/frameworks/netcontrol/plugins/acld.zeek.

PacketFilter plugin
    This plugin uses the Zeek process-level packet filter (see install_src_net_filter and install_dst_net_filter). Since the functionality of the PacketFilter is limited, this plugin is mostly for demonstration purposes. The source of this plugin is contained in base/frameworks/netcontrol/plugins/packetfilter.zeek.

Debug plugin
    The debug plugin simply outputs its actions to the standard output. The source of this plugin is contained in base/frameworks/netcontrol/plugins/debug.zeek.

Activating plugins

In the API reference part of this document, we already used the debug plugin. To use the plugin, we first had to instantiate it by calling NetControl::create_debug and then add it to NetControl by calling NetControl::activate.

As we already hinted before, NetControl supports having several plugins that are active at the same time. The second argument to the NetControl::activate function is the priority of the backend that was just added. Each rule is sent to all plugins in order, from highest priority to lowest priority. The backend can then choose if it accepts the rule and pushes it out to the hardware that it manages. Or, it can opt to reject the rule. In this case, the NetControl framework will try to apply the rule to the backend with the next lower priority. If no backend accepts a rule, the rule insertion is marked as failed.

Whether a rule is accepted or rejected is entirely up to each plugin. The debug plugin we have used so far simply accepts all rules. For other plugins, however, you can specify which rules they will accept. Consider, for example, a network with two OpenFlow switches: the first forwards packets from the network to the external world, the second sits in front of your Zeek cluster to provide packet shunting. In this case, you can add two OpenFlow backends to NetControl. When you create the instances using NetControl::create_openflow, you set the monitor and forward attributes of the NetControl::OfConfig configuration record appropriately. Afterwards, one backend will only accept rules for the monitor path and the other only rules for the forward path.

Commonly, plugins also support predicate functions that allow the user to place restrictions on the rules they will accept. This can be used, for example, in a network where certain switches are responsible for specific subnets: the predicate examines the subnet of the rule and only accepts the rule if it falls within the subnet that the specific switch is responsible for.

To give an example, the following script adds two backends to NetControl. One backend is the NetControl debug backend, which just outputs the rules to the console. The second backend is an OpenFlow backend, which uses the OpenFlow debug mode that outputs the openflow rules to openflow.log. The OpenFlow backend uses a predicate function to only accept rules with a source address in the 192.168.17.0/24 network; all other rules will be passed on to the debug plugin. We manually block a few addresses in the NetControl::init_done event to verify the correct functionality.

netcontrol-8-multiple.zeek
function our_openflow_check(p: NetControl::PluginState, r: NetControl::Rule): bool
    {
    if ( r$ty == NetControl::DROP &&
         r$entity$ty == NetControl::ADDRESS &&
         subnet_width(r$entity$ip) == 32 &&
         subnet_to_addr(r$entity$ip) in 192.168.17.0/24 )
        return F;

    return T;
    }

event NetControl::init()
    {
    # Add debug plugin with low priority
    local debug_plugin = NetControl::create_debug(T);
    NetControl::activate(debug_plugin, 0);

    # Instantiate OpenFlow debug plugin with higher priority
    local of_controller = OpenFlow::log_new(42);
    local netcontrol_of = NetControl::create_openflow(of_controller, [$check_pred=our_openflow_check]);
    NetControl::activate(netcontrol_of, 10);
    }

event NetControl::init_done()
    {
    NetControl::drop_address(10.0.0.1, 1min);
    NetControl::drop_address(192.168.17.2, 1min);
    NetControl::drop_address(192.168.18.2, 1min);
    }

$ zeek netcontrol-8-multiple.zeek
netcontrol debug (Debug-All): init
netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=192.168.17.2/32, mac=<uninitialized>], expire=1.0 min, priority=0, location=, out_port=<uninitialized>, mod=<uninitialized>, id=3, cid=3, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F]

As you can see, only the single block affecting the 192.168.17.0/24 network is output to the command line. The other two rules are handled by the OpenFlow plugin. We can verify this by looking at netcontrol.log: the plugin column shows which plugin handled a rule and reveals that two rules were handled by OpenFlow:

$ cat netcontrol.log
#separator \x09
#set_separator    ,
#empty_field      (empty)
#unset_field      -
#path     netcontrol
#open     2018-12-14-18-50-58
#fields   ts      rule_id category        cmd     state   action  target  entity_type     entity  mod     msg     priority        expire  location        plugin
#types    time    string  enum    string  enum    string  enum    string  string  string  string  int     interval        string  string
1544813458.913148 -       NetControl::MESSAGE     -       -       -       -       -       -       -       activating plugin with priority 0       -       -       -       Debug-All
1544813458.913148 -       NetControl::MESSAGE     -       -       -       -       -       -       -       activation finished     -       -       -       Debug-All
1544813458.913148 -       NetControl::MESSAGE     -       -       -       -       -       -       -       activating plugin with priority 10      -       -       -       Openflow-Log-42
1544813458.913148 -       NetControl::MESSAGE     -       -       -       -       -       -       -       activation finished     -       -       -       Openflow-Log-42
1544813458.913148 -       NetControl::MESSAGE     -       -       -       -       -       -       -       plugin initialization done      -       -       -       -
1544813458.913148 2       NetControl::RULE        ADD     NetControl::REQUESTED   NetControl::DROP        NetControl::FORWARD     NetControl::ADDRESS     10.0.0.1/32     -       -       0       60.000000       -       Openflow-Log-42
1544813458.913148 3       NetControl::RULE        ADD     NetControl::REQUESTED   NetControl::DROP        NetControl::FORWARD     NetControl::ADDRESS     192.168.17.2/32 -       -       0       60.000000       -       Debug-All
1544813458.913148 4       NetControl::RULE        ADD     NetControl::REQUESTED   NetControl::DROP        NetControl::FORWARD     NetControl::ADDRESS     192.168.18.2/32 -       -       0       60.000000       -       Openflow-Log-42
1544813458.913148 3       NetControl::RULE        ADD     NetControl::SUCCEEDED   NetControl::DROP        NetControl::FORWARD     NetControl::ADDRESS     192.168.17.2/32 -       -       0       60.000000       -       Debug-All
1544813458.913148 2       NetControl::RULE        ADD     NetControl::SUCCEEDED   NetControl::DROP        NetControl::FORWARD     NetControl::ADDRESS     10.0.0.1/32     -       -       0       60.000000       -       Openflow-Log-42
1544813458.913148 4       NetControl::RULE        ADD     NetControl::SUCCEEDED   NetControl::DROP        NetControl::FORWARD     NetControl::ADDRESS     192.168.18.2/32 -       -       0       60.000000       -       Openflow-Log-42
#close    2018-12-14-18-50-58

Furthermore, openflow.log also shows the two added rules, converted to OpenFlow flow mods:

$ cat openflow.log
#separator \x09
#set_separator    ,
#empty_field      (empty)
#unset_field      -
#path     openflow
#open     2018-12-14-18-50-58
#fields   ts      dpid    match.in_port   match.dl_src    match.dl_dst    match.dl_vlan   match.dl_vlan_pcp       match.dl_type   match.nw_tos    match.nw_proto  match.nw_src    match.nw_dst    match.tp_src    match.tp_dst    flow_mod.cookie flow_mod.table_id       flow_mod.command        flow_mod.idle_timeout   flow_mod.hard_timeout   flow_mod.priority       flow_mod.out_port       flow_mod.out_group      flow_mod.flags  flow_mod.actions.out_ports      flow_mod.actions.vlan_vid       flow_mod.actions.vlan_pcp       flow_mod.actions.vlan_strip     flow_mod.actions.dl_src flow_mod.actions.dl_dst flow_mod.actions.nw_tos flow_mod.actions.nw_src flow_mod.actions.nw_dst flow_mod.actions.tp_src flow_mod.actions.tp_dst
#types    time    count   count   string  string  count   count   count   count   count   subnet  subnet  count   count   count   count   enum    count   count   count   count   count   count   vector[count]   count   count   bool    string  string  count   addr    addr    count   count
1544813458.913148 42      -       -       -       -       -       2048    -       -       10.0.0.1/32     -       -       -       4398046511108   -       OpenFlow::OFPFC_ADD     0       60      0       -       -       1       (empty) -       -       F       -       -       -       -       -       -       -
1544813458.913148 42      -       -       -       -       -       2048    -       -       -       10.0.0.1/32     -       -       4398046511109   -       OpenFlow::OFPFC_ADD     0       60      0       -       -       1       (empty) -       -       F       -       -       -       -       -       -       -
1544813458.913148 42      -       -       -       -       -       2048    -       -       192.168.18.2/32 -       -       -       4398046511112   -       OpenFlow::OFPFC_ADD     0       60      0       -       -       1       (empty) -       -       F       -       -       -       -       -       -       -
1544813458.913148 42      -       -       -       -       -       2048    -       -       -       192.168.18.2/32 -       -       4398046511113   -       OpenFlow::OFPFC_ADD     0       60      0       -       -       1       (empty) -       -       F       -       -       -       -       -       -       -
#close    2018-12-14-18-50-58

Note

You might have asked yourself what happens when you add two or more backends with the same priority. In this case, the rule is sent to all of these backends simultaneously. This can be useful, for example, when you have redundant switches that should keep the same rule state.
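
As an added example (not from the Zeek documentation), the following script sets up the split described above using the monitor and forward attributes of NetControl::OfConfig instead of a predicate, and adds a second forward-path backend at the same priority so a redundant switch receives the same rules. The datapath ids, addresses and the shunted flow are constructed; OpenFlow's log controller stands in for real switches.

```zeek
# Added example, not part of the Zeek documentation. Datapath ids, addresses
# and the flow are constructed; OpenFlow::log_new() replaces real switches.

event NetControl::init()
    {
    # Border switch: forward-path rules only (drops, redirects).
    local border = NetControl::create_openflow(OpenFlow::log_new(1),
                                               [$monitor=F, $forward=T]);
    NetControl::activate(border, 10);

    # Redundant border switch at the same priority: it receives the same
    # forward-path rules, so both switches keep identical state.
    local border_backup = NetControl::create_openflow(OpenFlow::log_new(2),
                                                      [$monitor=F, $forward=T]);
    NetControl::activate(border_backup, 10);

    # Switch in front of the Zeek cluster: monitor-path rules only (shunts).
    local tap = NetControl::create_openflow(OpenFlow::log_new(3),
                                            [$monitor=T, $forward=F]);
    NetControl::activate(tap, 10);

    # Lowest priority: anything no switch accepts ends up on the console.
    NetControl::activate(NetControl::create_debug(T), 0);
    }

event NetControl::init_done()
    {
    # Forward path: accepted by both border backends, rejected by the tap.
    NetControl::drop_address(198.51.100.7, 1min);

    # Monitor path: only the tap backend accepts this shunt, so openflow.log
    # shows it with dpid 3 while the drop above appears with dpid 1 and 2.
    local f: flow_id = [$src_h=198.51.100.8, $src_p=40000/tcp,
                        $dst_h=203.0.113.9, $dst_p=443/tcp];
    NetControl::shunt_flow(f, 1min);
    }
```
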

Interfacing with external hardware

Now that we know which plugins exist, and how they can be added to NetControl, it is time to discuss how we can interface Zeek with actual hardware. The typical way to accomplish this is to use the Zeek communication library (Broker), which can be used to exchange Zeek events with external programs and scripts. The NetControl plugins can use Broker to send events to external programs, which can then take action depending on these events.

The following figure shows this architecture using the OpenFlow plugin as an example. The OpenFlow plugin uses Broker to send events to an external Python script, which uses the Ryu SDN controller to communicate with the switch.

Figure: NetControl and OpenFlow architecture.

The Python scripts that are used to interface with the available NetControl plugins are contained in the zeek-netcontrol repository on GitHub. The repository contains scripts for the OpenFlow as well as the acld plugin. Furthermore, it contains a script for the Broker plugin which can be used to call configurable command-line programs.

The repository also contains documentation on how to install these connectors. The netcontrol directory contains an API that allows you to write your own connectors to the broker plugin.

Writing plugins

In addition to using the plugins that are part of NetControl, you can write your own plugins to interface with hard- or software that we currently do not support out of the box.

Creating your own plugin is easy; besides a bit of boilerplate, you only need to create two functions: one that is called when a rule is added, and one that is called when a rule is removed. The following script creates a minimal plugin that just outputs a rule when it is added or removed. Note that you have to raise the NetControl::rule_added and NetControl::rule_removed events in your plugin to let NetControl know when a rule was added and removed successfully.

netcontrol-9-skeleton.zeek
module NetControl;

export {
    ## Instantiates the plugin.
    global create_skeleton: function(argument: string) : PluginState;
}

function skeleton_name(p: PluginState) : string
    {
    return "NetControl skeleton plugin";
    }

function skeleton_add_rule_fun(p: PluginState, r: Rule) : bool
    {
    print "add", r;
    event NetControl::rule_added(r, p);
    return T;
    }

function skeleton_remove_rule_fun(p: PluginState, r: Rule, reason: string &default="") : bool
    {
    print "remove", r;
    event NetControl::rule_removed(r, p);
    return T;
    }

global skeleton_plugin = Plugin(
    $name = skeleton_name,
    $can_expire = F,
    $add_rule = skeleton_add_rule_fun,
    $remove_rule = skeleton_remove_rule_fun
    );

function create_skeleton(argument: string) : PluginState
    {
    local p = PluginState($plugin=skeleton_plugin);

    return p;
    }

This example is already fully functional and we can use it with a script similar to our very first example:

netcontrol-10-use-skeleton.zeek
event NetControl::init()
    {
    local skeleton_plugin = NetControl::create_skeleton("");
    NetControl::activate(skeleton_plugin, 0);
    }

event connection_established(c: connection)
    {
    NetControl::drop_connection(c$id, 20 secs);
    }

$ zeek -C -r tls/ecdhe.pcap netcontrol-10-use-skeleton.zeek
add, [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::CONNECTION, conn=[orig_h=192.168.18.50, orig_p=56981/tcp, resp_h=74.125.239.97, resp_p=443/tcp], flow=<uninitialized>, ip=<uninitialized>, mac=<uninitialized>], expire=20.0 secs, priority=0, location=, out_port=<uninitialized>, mod=<uninitialized>, id=2, cid=2, _plugin_ids={

}, _active_plugin_ids={

}, _no_expire_plugins={

}, _added=F]

If you want to write your own plugins, it will be worthwhile to look at the plugins that ship with the NetControl framework to see how they define the predicates and interact with Broker.
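
As an added example (not from the Zeek documentation, and not a plugin shipped with Zeek), the following plugin goes one step beyond the skeleton: it only accepts single-host drops inside the subnets it was created for and rejects everything else by returning F from its add_rule function, so NetControl offers those rules to the next lower-priority backend. Keeping the instance name in PluginState$config (a table[string] of string) and the subnets and plugin name are assumptions of this example.

```zeek
# Added example, not part of the Zeek documentation. The plugin, the use of
# PluginState$config for the instance name, and the addresses are constructed.
module NetControl;

export {
    ## Instantiates the plugin for a named set of managed subnets.
    global create_subnet_filter: function(name: string, managed: set[subnet]): PluginState;
}

# Managed subnets per instance name.
global subnet_filter_managed: table[string] of set[subnet];

function subnet_filter_name(p: PluginState): string
    {
    return fmt("NetControl subnet filter (%s)", p$config["instance"]);
    }

# Accept only single IPv4 host rules that fall inside a managed subnet.
function subnet_filter_accepts(p: PluginState, r: Rule): bool
    {
    if ( r$entity$ty != ADDRESS || subnet_width(r$entity$ip) != 32 )
        return F;
    local host = subnet_to_addr(r$entity$ip);
    for ( sn in subnet_filter_managed[p$config["instance"]] )
        if ( host in sn )
            return T;
    return F;
    }

function subnet_filter_add_rule(p: PluginState, r: Rule): bool
    {
    if ( ! subnet_filter_accepts(p, r) )
        return F;   # rejected: NetControl tries the next lower-priority backend

    print fmt("%s: install %s for %s", subnet_filter_name(p), r$ty, r$entity$ip);
    # A real plugin would program its device here and raise
    # NetControl::rule_error(r, p, msg) if that fails.
    event NetControl::rule_added(r, p);
    return T;
    }

function subnet_filter_remove_rule(p: PluginState, r: Rule, reason: string &default=""): bool
    {
    print fmt("%s: remove %s (%s)", subnet_filter_name(p), r$entity$ip, reason);
    event NetControl::rule_removed(r, p);
    return T;
    }

global subnet_filter_plugin = Plugin(
    $name = subnet_filter_name,
    $can_expire = F,
    $add_rule = subnet_filter_add_rule,
    $remove_rule = subnet_filter_remove_rule
    );

function create_subnet_filter(name: string, managed: set[subnet]): PluginState
    {
    subnet_filter_managed[name] = managed;
    local p = PluginState($plugin=subnet_filter_plugin);
    p$config["instance"] = name;
    return p;
    }

# Using the plugin together with the debug plugin as a fallback.
event NetControl::init()
    {
    local dmz = NetControl::create_subnet_filter("dmz", set(198.51.100.0/24));
    NetControl::activate(dmz, 10);
    NetControl::activate(NetControl::create_debug(T), 0);
    }

event NetControl::init_done()
    {
    NetControl::drop_address(198.51.100.9, 1min);  # accepted by the subnet filter
    NetControl::drop_address(203.0.113.9, 1min);   # rejected; handled by the debug plugin
    }
```
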

Notice Framework

One of the easiest ways to customize Zeek is writing a local notice policy. Zeek can detect a large number of potentially interesting situations, and the notice policy hook identifies which of them the user wants to be acted upon in some manner. In particular, the notice policy can specify actions to be taken, such as sending an email or compiling regular alarm emails. This page gives an introduction into writing such a notice policy.

Overview

Let’s start with a little bit of background on Zeek’s philosophy on reporting things. Zeek ships with a large number of policy scripts which perform a wide variety of analyses. Most of these scripts monitor for activity which might be of interest for the user. However, none of these scripts determines the importance of what it finds itself. Instead, the scripts only flag situations as potentially interesting, leaving it to the local configuration to define which of them are in fact actionable. This decoupling of detection and reporting allows Zeek to address the different needs that different sites have. Definitions of what constitutes an attack or even a compromise differ quite a bit between environments, and activity deemed malicious at one site might be fully acceptable at another.

Whenever one of Zeek’s analysis scripts sees something potentially interesting it flags the situation by calling the NOTICE function and giving it a single Notice::Info record. A Notice has a Notice::Type, which reflects the kind of activity that has been seen, and it is usually also augmented with further context about the situation.

More information about raising notices can be found in the Raising Notices section.

Once a notice is raised, it can have any number of actions applied to it by writing Notice::policy hooks, which are described in the Notice Policy section below. Such actions can, for example, send a mail to the configured address(es) or simply ignore the notice. Currently, the following actions are defined:

Notice::ACTION_LOG
    Write the notice to the Notice::LOG logging stream.

Notice::ACTION_ALARM
    Log into the Notice::ALARM_LOG stream, which will rotate hourly and email the contents to the email address or addresses in the email_dest field of that notice's Notice::Info record.

Notice::ACTION_EMAIL
    Send the notice in an email to the email address or addresses in the email_dest field of that notice's Notice::Info record.

Notice::ACTION_PAGE
    Send an email to the email address or addresses in the email_dest field of that notice's Notice::Info record.

How these notice actions are applied to notices is discussed in the Notice Policy and Notice Policy Shortcuts sections.

Processing Notices

Notice Policy

The hook Notice::policy provides the mechanism for applying actions and generally modifying the notice before it’s sent onward to the action plugins. Hooks can be thought of as multi-bodied functions and using them looks very similar to handling events. The difference is that they don’t go through the event queue like events. Users can alter notice processing by directly modifying fields in the Notice::Info record given as the argument to the hook.

Here’s a simple example which tells Zeek to send an email for all notices of type SSH::Password_Guessing if the guesser attempted to log in to the server at 192.168.56.103:

notice_ssh_guesser.zeek
@load protocols/ssh/detect-bruteforcing

redef SSH::password_guesses_limit=10;

hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == SSH::Password_Guessing && /192\.168\.56\.103/ in n$sub )
        {
        add n$actions[Notice::ACTION_EMAIL];
        n$email_dest = "ssh_alerts@example.net";
        }
    }

$ zeek -C -r ssh/sshguess.pcap notice_ssh_guesser.zeek
$ cat notice.log
#separator \x09
#set_separator    ,
#empty_field      (empty)
#unset_field      -
#path     notice
#open     2018-12-13-22-56-35
#fields   ts      uid     id.orig_h       id.orig_p       id.resp_h       id.resp_p       fuid    file_mime_type  file_desc       proto   note    msg     sub     src     dst     p       n       peer_descr      actions email-dest   suppress_for    dropped remote_location.country_code    remote_location.region  remote_location.city    remote_location.latitude        remote_location.longitude
#types    time    string  addr    port    addr    port    string  string  string  enum    enum    string  string  addr    addr    port    count   string  set[enum]       set[string]   interval        bool    string  string  string  double  double
1427726759.303199 -       -       -       -       -       -       -       -       -       SSH::Password_Guessing  192.168.56.1 appears to be guessing SSH passwords (seen in 10 connections).     Sampled servers:  192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103        192.168.56.1    -       -       -       -       Notice::ACTION_EMAIL,Notice::ACTION_LOG  ssh_alerts@example.net    3600.000000     F       -       -       -       -       -
#close    2018-12-13-22-56-35

Note

Keep in mind that the semantics of the SSH::Password_Guessing notice are such that it is only raised when Zeek heuristically detects a failed login.

Hooks can also have priorities applied to order their execution, like events, with a default priority of 0. Greater values are executed first. Setting a hook body to run before default hook bodies might look like this:

hook Notice::policy(n: Notice::Info) &priority=5
    {
    # Insert your code here.
    }

Hooks can also abort later hook bodies with the break keyword. This is primarily useful if one wants to completely preempt processing by lower priority Notice::policy hooks.

Notice Policy Shortcuts

Although the notice framework provides a great deal of flexibility and configurability, there are many times when the full expressiveness isn't needed and actually becomes a hindrance to achieving results. The framework provides a default Notice::policy hook body as a way of giving users shortcuts to easily apply many common actions to notices.

These are implemented as sets and tables indexed with a Notice::Type enum value. The following table shows and describes all of the variables available for shortcut configuration of the notice framework.

Variable name

Description

Notice::ignored_types

Adding a Notice::Type to this set results in the notice being ignored. It won’t have any other action applied to it, not even Notice::ACTION_LOG.

Notice::emailed_types

Adding a Notice::Type to this set results in Notice::ACTION_EMAIL being applied to the notices of that type.

Notice::alarmed_types

Adding a Notice::Type to this set results in Notice::ACTION_ALARM being applied to the notices of that type.

Notice::not_suppressed_types

Adding a Notice::Type to this set results in that notice no longer undergoing the normal notice suppression that would take place. Be careful when using this in production; it could result in a dramatic increase in the number of notices being processed.

Notice::type_suppression_intervals

This is a table indexed on Notice::Type and yielding an interval. It can be used as an easy way to extend the default suppression interval for an entire Notice::Type without having to create a whole Notice::policy entry and setting the $suppress_for field.
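The following script, an added example that is not part of the Zeek documentation, puts the hook priority and break mechanism from above next to the shortcut variables in this table. It assumes the two notice types from the shipped policy scripts it loads; the auditor subnet and the two-hour interval are constructed values.

```zeek
# Added example, not from the Zeek documentation: notice-policy shortcuts
# next to a higher-priority Notice::policy hook body that uses `break`.
# The auditor subnet and the two-hour interval are constructed values.

@load base/frameworks/notice
@load protocols/ssh/detect-bruteforcing   # defines SSH::Password_Guessing
@load protocols/ssl/validate-certs        # defines SSL::Invalid_Server_Cert

module MyNoticePolicy;

export {
    ## Hosts permitted to run credential audits (constructed value).
    const authorized_auditors: set[subnet] = { 10.0.0.0/8 } &redef;
}

# Shortcuts: no hook body is needed for these common actions.
redef Notice::emailed_types += { SSH::Password_Guessing };
redef Notice::alarmed_types += { SSL::Invalid_Server_Cert };

# Repeats of an SSH::Password_Guessing notice with the same $identifier are
# suppressed for two hours instead of the framework default.
redef Notice::type_suppression_intervals += { [SSH::Password_Guessing] = 2hr };

# Priority 5 runs before hook bodies at the default priority 0.  For guessing
# notices whose source is an authorised auditor, reduce the actions to a log
# line and `break`, so that no lower-priority hook body (including a site
# hook that might add Notice::ACTION_EMAIL again) gets to run.
hook Notice::policy(n: Notice::Info) &priority=5
    {
    if ( n$note == SSH::Password_Guessing && n?$src && n$src in authorized_auditors )
        {
        n$actions = set(Notice::ACTION_LOG);
        break;
        }
    }
```

Guessing notices from any other source keep the e-mail action granted by Notice::emailed_types; auditor sources produce only a notice.log entry.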

Raising Notices

A script should raise a notice for any occurrence that a user may want to be notified about or take action on. For example, whenever the base SSH analysis script sees enough failed logins to a given host, it raises a notice of the type SSH::Password_Guessing. The code in the base SSH analysis script which raises the notice looks like this:

NOTICE([$note=Password_Guessing,
        $msg=fmt("%s appears to be guessing SSH passwords (seen in %d connections).", key$host, r$num),
        $src=key$host,
        $identifier=cat(key$host)]);

NOTICE is a normal function in the global namespace which wraps a function within the Notice namespace. It takes a single argument of the Notice::Info record type. The most common fields used when raising notices are described in the following table:

Field name

Description

$note

This field is required and is an enum value which represents the notice type.

$msg

This is a human readable message which is meant to provide more information about this particular instance of the notice type.

$sub

This is a sub-message meant for human readability but will frequently also be used to contain data meant to be matched with the Notice::policy.

$conn

If a connection record is available when the notice is being raised and the notice represents some attribute of the connection, then the connection record can be given here. Other fields such as $id and $src will automatically be populated from this value.

$id

If a conn_id record is available when the notice is being raised and the notice represents some attribute of the connection, then the conn_id record can be given here. Other fields such as $src will automatically be populated from this value.

$src

If the notice represents an attribute of a single host then it’s possible that only this field should be filled out to represent the host that is being “noticed”.

$n

This normally represents a number if the notice has to do with some number. It’s most frequently used for numeric tests in the Notice::policy for making policy decisions.

$identifier

This represents a unique identifier for this notice. This field is described in more detail in the Automated Suppression section.

$suppress_for

This field can be set if there is a natural suppression interval for the notice that may be different than the default value. The value set to this field can also be modified by a user’s Notice::policy so the value is not set permanently and unchangeably.

When writing Zeek scripts that raise notices, some thought should be given to what the notice represents and what data should be provided to give a consumer of the notice the best information about the notice. If the notice is representative of many connections and is an attribute of a host (e.g., a scanning host) it probably makes most sense to fill out the $src field and not give a connection or conn_id. If a notice is representative of a connection attribute (e.g. an apparent SSH login) then it makes sense to fill out either $conn or $id based on the data that is available when the notice is raised.

Taking care about which data is inserted into a notice makes later analysis easier, because the notice then carries only the data needed to represent the occurrence that raised it. If complete connection information is included when an SSL server certificate is expiring, for example, the logs will be very confusing because the connection that the certificate was detected on is a side topic to the fact that an expired certificate was detected. It’s possible in many cases that two or more separate notices may need to be generated. As an example, one could be for the detection of the expired SSL certificate and another could be for the case that the client decided to go ahead with the connection despite the expired certificate.

Automated Suppression

The notice framework supports suppression for notices if the author of the script that is generating the notice has indicated to the notice framework how to identify notices that are intrinsically the same. Identification of these “intrinsically duplicate” notices is implemented with an optional field in Notice::Info records named $identifier which is a simple string. If the $identifier and $note fields are the same for two notices, the notice framework actually considers them to be the same thing and can use that information to suppress duplicates for a configurable period of time.

Note

If the $identifier is left out of a notice, no notice suppression takes place due to the framework’s inability to identify duplicates. This could be completely legitimate usage if no notices could ever be considered to be duplicates.

The $identifier field typically comprises several pieces of data related to the notice that when combined represent a unique instance of that notice. Here is an example of the script policy/protocols/ssl/validate-certs.zeek raising a notice for session negotiations where the certificate or certificate chain did not validate successfully against the available certificate authority certificates.

NOTICE([$note=SSL::Invalid_Server_Cert,
        $msg=fmt("SSL certificate validation failed with (%s)", c$ssl$validation_status),
        $sub=c$ssl$subject,
        $conn=c,
        $identifier=cat(c$id$resp_h,c$id$resp_p,c$ssl$validation_status,c$ssl$cert_hash)]);

In the above example you can see that the $identifier field contains a string that is built from the responder IP address and port, the validation status message, and the MD5 sum of the server certificate. Those fields in particular are chosen because different SSL certificates could be seen on any port of a host, certificates could fail validation for different reasons, and multiple server certificates could be used on that combination of IP address and port with the server_name SSL extension (explaining the addition of the MD5 sum of the certificate). The result is that if a certificate fails validation and all four pieces of data match (IP address, port, validation status, and certificate hash) that particular notice won’t be raised again for the default suppression period.

Setting the $identifier field is left to those raising notices because it’s assumed that the script author who is raising the notice understands the full problem set and edge cases of the notice which may not be readily apparent to users. If users don’t want the suppression to take place or simply want a different interval, they can set a notice’s suppression interval to 0secs or delete the value from the $identifier field in a Notice::policy hook.
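As an added example for both the Raising Notices and the Automated Suppression sections (this is not code from the Zeek distribution), the script below defines its own notice type, raises it from the http_request event with the fields discussed above, and then shows a Notice::policy hook changing the identifier that the script author chose. The module name, the notice type, the length threshold and the server address are constructed.

```zeek
# Added example, not from the Zeek documentation: a script-defined notice
# raised with $conn, $n, $sub, $identifier and $suppress_for, plus a
# Notice::policy hook that overrides the script's suppression choice.
# LongURI, the threshold and the server address are constructed.

@load base/frameworks/notice
@load base/protocols/http

module LongURI;

export {
    redef enum Notice::Type += {
        ## An HTTP request URI longer than max_uri_len was seen.
        Oversized_Request_URI,
    };

    ## Length at which a request URI counts as oversized (constructed).
    const max_uri_len = 2048 &redef;
}

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    {
    local uri_len = |unescaped_URI|;
    if ( uri_len <= max_uri_len )
        return;

    NOTICE([$note=Oversized_Request_URI,
            $msg=fmt("%s sent a %d byte URI to %s", c$id$orig_h, uri_len, c$id$resp_h),
            # A human-readable excerpt; policy hooks can match on it too.
            $sub=sub_bytes(unescaped_URI, 1, 64),
            # The notice is an attribute of this connection, so pass it;
            # $id and $src are filled in from it.
            $conn=c,
            $n=uri_len,
            # The same client hitting the same server is "the same thing":
            # repeats within $suppress_for are suppressed.
            $identifier=cat(c$id$orig_h, c$id$resp_h),
            $suppress_for=30min]);
    }

# Servers for which one notice per client, server and URI length is wanted
# instead (constructed address).  The policy hook runs before suppression is
# applied, so changing $identifier or $suppress_for here takes effect.
const noisy_servers: set[addr] = { 192.0.2.10 } &redef;

hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == Oversized_Request_URI && n?$id && n$id$resp_h in noisy_servers )
        n$identifier = cat(n$id$orig_h, n$id$resp_h, n$n);
    }
```

Deleting n$identifier in the hook instead would switch suppression off entirely for that notice, as described above.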

Extending Notice Framework

There are a couple of mechanisms for extending the notice framework and adding new capability.

Configuring Notice Emails

If Notice::mail_dest is set, notices with an associated e-mail action will be sent to that address. For additional customization, users can use the Notice::policy hook to modify the $email_dest field. The following example would result in 3 separate e-mails:

hook Notice::policy(n: Notice::Info)
  {
  n$email_dest = set(
      "snow.white@example.net",
      "doc@example.net",
      "happy@example.net,sleepy@example.net,bashful@example.net"
  );
  }

If there is extra information that you would like to add to e-mails, you can do so by writing Notice::policy hooks.

There is a field in the Notice::Info record named $email_body_sections which will be included verbatim when email is being sent. An example of including some information from an HTTP request is included below.

hook Notice::policy(n: Notice::Info)
  {
  if ( n?$conn && n$conn?$http && n$conn$http?$host )
    n$email_body_sections[|n$email_body_sections|] = fmt("HTTP host header: %s", n$conn$http$host);
  }

Cluster Considerations

When running Zeek in a cluster, most of the information above stays the same. Notices are generated, the Notice::policy hook is evaluated, and any actions are run on the node which generated the notice (most often a worker node). Of note to users/developers of Zeek is that any files or access needed to run the notice actions must be available to the respective node(s).

The role of the manager is to receive and distribute notice suppression information, so that duplicate notices do not get generated. Bear in mind that there is some amount of latency intrinsic in this synchronization, so it’s possible that rapidly-generating notices will be repeated (and in this case, any actions would be executed multiple times, once by each notice-generating worker).

The Weird Log

A wide range of “weird” activity detected by Zeek can trigger corresponding events that inform the script layer of this activity. These events exist at various flow-level granularities, including conn_weird, flow_weird, net_weird, file_weird, and others. Built atop the notice framework, the Weird module implements event handlers that funnel the various “weirds” into the usual notice framework handlers. To get an idea of the available weird-types, take a look at the Weird::actions table, which defines default actions for the various types of activity. Weirds generally do not indicate security-relevant activity — they’re just, well, weird things that you generally wouldn’t expect to happen, such as odd TCP state machine violations, unexpected HTTP header constellations, or DNS message properties that fall outside of the relevant RFC specifications. That is, don’t consider them actionable detections in an IDS sense, though they might well provide meaningful additional clues for a security incident.

The notice type for weirds is Activity. You have a wide range of actions at your disposal for how to handle weirds: you can ignore them, log them, or have them trigger a notice, all at various reduction/filtering granularities (see the Weird::Action enum values for details). For dynamic filtering, the Weird::ignore_hosts and Weird::weird_ignore sets allow exclusion of activity from reporting.

The framework provides a few additional tuning knobs. See base/frameworks/notice/weird.zeek for details.
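The following added example (not part of the Zeek documentation) shows the two tuning points just described: overriding entries of the Weird::actions table and routing a particular Weird::Activity notice through the notice policy. The two weird names are ones Zeek emits for TCP checksum and handshake anomalies and are assumed to be present on your version.

```zeek
# Added example, not from the Zeek documentation: tuning weird reporting.
# The weird names are assumed to exist in Weird::actions on your version.

@load base/frameworks/notice

redef Weird::actions += {
    # Checksum weirds are high-volume on some capture setups: log once only.
    ["bad_TCP_checksum"] = Weird::ACTION_LOG_ONCE,
    # Payload before the handshake completed is worth a notice, but at most
    # one per connection.
    ["data_before_established"] = Weird::ACTION_NOTICE_PER_CONN,
};

# Weird notices carry the weird name in $msg and any additional detail in
# $sub.  Add an e-mail action for the one promoted to a notice above.
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == Weird::Activity && n$msg == "data_before_established" )
        add n$actions[Notice::ACTION_EMAIL];
    }
```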

Packet Analysis

The Packet Analysis plugin architecture handles parsing of packet headers at layers below Zeek’s existing Session analysis. In particular, this allows adding new link and network layer protocols to Zeek. This document provides an overview of the underlying architecture as well as an example-based walk-through. For further details, take a look at the built-in packet analyzers as well as the packet analyzer tests.

The Flow of Packets

The basic packet flow through Zeek is as follows. First, an IOSource deals with getting the packets into Zeek. While an IOSource can be used to interface all sorts of capturing mechanisms, the default source makes use of libpcap to either read PCAP files or sniff an interface. Once acquired, a packet is handed into the packet analysis and processed layer by layer.

[Figure: Nesting of Protocol Data Units (PDUs).]

At the lower layers, Protocol Data Units (PDUs) typically consist of a header and a payload, where the payload is the next layer’s PDU and the header carries a numeric identifier that determines the encapsulated protocol (see figure above, where “ID” denotes the location of such a numeric protocol identifier within the header).

Each packet analyzer parses the packet’s header according to the implemented protocol, determines a suitable analyzer for the encapsulated protocol and hands its payload to that next analyzer. Once the IP layer is reached, packet analysis is finished and Zeek continues by constructing a session for the observed connection. After session analysis, which includes processing of TCP and UDP, the packet continues its journey into the land of application layer analyzers. There, Dynamic Protocol Detection is used to determine the application layer protocol and continue the analysis.

Packet Analyzer Configuration

The following script shows an example configuration of the Ethernet packet analyzer:

packet-analysis-1-ethernet.zeek
module PacketAnalyzer::ETHERNET;

export {
    ## Default analyzer
    const default_analyzer: PacketAnalyzer::Tag = PacketAnalyzer::ANALYZER_IP &redef;

    ## IEEE 802.2 SNAP analyzer
    global snap_analyzer: PacketAnalyzer::Tag &redef;
    ## Novell raw IEEE 802.3 analyzer
    global novell_raw_analyzer: PacketAnalyzer::Tag &redef;
    ## IEEE 802.2 LLC analyzer
    global llc_analyzer: PacketAnalyzer::Tag &redef;
}

event zeek_init() &priority=20
    {
    PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x8847, PacketAnalyzer::ANALYZER_MPLS);
    PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x0800, PacketAnalyzer::ANALYZER_IP);
    PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x86DD, PacketAnalyzer::ANALYZER_IP);
    PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x0806, PacketAnalyzer::ANALYZER_ARP);
    PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x8035, PacketAnalyzer::ANALYZER_ARP);
    PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x8100, PacketAnalyzer::ANALYZER_VLAN);
    PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x88A8, PacketAnalyzer::ANALYZER_VLAN);
    PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x9100, PacketAnalyzer::ANALYZER_VLAN);
    PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x8864, PacketAnalyzer::ANALYZER_PPPOE);
    }

Within zeek_init, various EtherType-to-PacketAnalyzer mappings are registered by using PacketAnalyzer::register_packet_analyzer. For example, for EtherType 0x8864, the packet’s payload is passed to the PPPoE analyzer.

The default_analyzer analyzer specifies which packet analyzer to use if none of the mappings matched. In case of Ethernet, we try to fall back to IP.

Furthermore, Ethernet needs to handle different types of frames, with three of them identified using the first payload bytes (see Wikipedia). As the EtherType needs to be interpreted with respect to the frame type in these cases, the Ethernet analyzer provides three additional configuration parameters, snap_analyzer, novell_raw_analyzer, and llc_analyzer, to configure the analyzers that handle the different frame types.

Note

There are a few conventions involved here:

  • The name of the module is expected to be PacketAnalyzer::<analyzer's canonical name>.

  • The default analyzer is expected to be named default_analyzer.

Packet analysis starts at a root analyzer that dispatches based on the link types obtained from the IOSource. Accordingly base/packet-protocols/root/main.zeek contains the following call to integrate the Ethernet analyzer:

PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, DLT_EN10MB, PacketAnalyzer::ANALYZER_ETHERNET);

Packet Analyzer API

Just like for other parts of Zeek, a plugin may provide a packet analyzer by adding a packet analysis component that instantiates an analyzer. The packet analyzer itself is implemented by inheriting from zeek::packet_analysis::Analyzer and overriding the AnalyzePacket() method. The following is an excerpt from a test case that shows the exemplary analysis of LLC:

packet-analysis-2-llc.cc
bool LLCDemo::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
    {
    // Rudimentary parsing of 802.2 LLC
    if ( 17 >= len )
        {
        packet->Weird("truncated_llc_header");
        return false;
        }

    if ( ! llc_demo_message )
        return true;

    auto dsap = data[14];
    auto ssap = data[15];
    auto control = data[16];

    event_mgr.Enqueue(llc_demo_message,
        val_mgr->Count(dsap),
        val_mgr->Count(ssap),
        val_mgr->Count(control));

    return true;
    }

First, we verify that the size of the packet matches what we expect. If that is not the case, we create a weird using the Packet object that is passed along the chain of analyzers. To signal that the analysis failed, the method returns false. For valid packets, we just read some protocol-specific values. As of now, there is no mechanism to pass extracted metadata on to other analyzers. While it is possible to trigger events that receive these values as parameters, keep in mind that handling events for every packet can be extremely expensive. However, for our test case we defined an event as follows in a separate .bif file:

event llc_demo_message%(dsap: count, ssap: count, control: count%);

Before we can expect the event to be generated, we need to integrate the analyzer. The configuration might be included in the scripts that are shipped with the packet analyzer. For example, one could add a new EtherType by adding a call to PacketAnalyzer::register_packet_analyzer from within a zeek_init event handler. For the LLC example we redefine one of the additional constants:

redef PacketAnalyzer::ETHERNET::llc_analyzer = PacketAnalyzer::ANALYZER_LLC_DEMO;

In this example, packet analysis as well as all further analysis ends with the LLC analyzer. The ForwardPacket() method can be used to pass data to another packet analyzer. The method takes a pointer to the beginning of the data to process (usually the start of the payload in the current context), the length of the data to process, a pointer to the Packet object and an identifier. The identifier is used to look up the next analyzer based on which other analyzers were previously associated with LLC as a parent analyzer in a call to PacketAnalyzer::register_packet_analyzer. If there is no previously-registered analyzer that matches the identifier, it will fall back to the default_analyzer if available.

In case a packet analyzer requires initialization, e.g., reading additional configuration values from script-land, this can be implemented by overriding the Initialize() method. When overriding this method, always make sure to call the base-class version to ensure proper initialization.

With the addition of the transport-layer analyzer to the packet analysis framework, it’s now possible to register for ports as the identifier. This is natural, given that a port number is just another numeric identifier for moving from one protocol to another. Packet analyzers should call PacketAnalyzer::register_for_port or PacketAnalyzer::register_for_ports to ensure that the ports are also stored in the global Analyzer::ports table for use with BPF filters.

The packet analysis framework also provides a register_protocol_detection method that is used to register a packet analyzer to use protocol detection instead of using a numeric identifier. Analyzers can use this method and then override Analyzer::DetectProtocol to search the packet data for byte strings or other markers to detect whether a protocol exists in the data. This is similar to how DPD works for non-packet analyzers, but is not limited to pattern matching.
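The script below is an added example, not part of the Zeek distribution, for the script side of integrating an analyzer as described in the Packet Analyzer Configuration and Packet Analyzer API sections. It assumes a plugin providing the hypothetical tag PacketAnalyzer::ANALYZER_DEMO and, for the event handler at the end, the LLC test analyzer from above that generates llc_demo_message. EtherType 0x88B5 is the IEEE local-experimental value; the UDP port is constructed.

```zeek
# Added example, not from the Zeek documentation: registering a hypothetical
# DEMO packet analyzer under Ethernet (by EtherType) and under UDP (by port),
# and consuming the per-packet event of the LLC demo analyzer cheaply.
# PacketAnalyzer::ANALYZER_DEMO must come from a plugin; the port is constructed.

module PacketAnalyzer::DEMO;

export {
    ## EtherType under which the Ethernet analyzer hands frames to DEMO
    ## (0x88B5 is the IEEE local-experimental EtherType).
    const demo_ethertype = 0x88B5 &redef;

    ## UDP ports under which the UDP analyzer hands datagrams to DEMO
    ## (constructed value).
    const demo_ports: set[port] = { 40000/udp } &redef;
}

# Make the ports known to service guessing as well.
redef likely_server_ports += { demo_ports };

event zeek_init() &priority=20
    {
    # Dispatch by numeric identifier from the parent Ethernet analyzer.
    PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET,
                                             demo_ethertype,
                                             PacketAnalyzer::ANALYZER_DEMO);

    # Dispatch by port from the UDP analyzer.  This also records the ports
    # in Analyzer::ports, which the BPF filter construction consults.
    PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP,
                                       PacketAnalyzer::ANALYZER_DEMO,
                                       demo_ports);
    }

# Per-packet events are expensive: keep the handler to a table increment and
# summarise once at shutdown rather than logging every frame.
global llc_sap_counts: table[count, count] of count &default=0;

event llc_demo_message(dsap: count, ssap: count, control: count)
    {
    llc_sap_counts[dsap, ssap] += 1;
    }

event zeek_done()
    {
    for ( [dsap, ssap], n in llc_sap_counts )
        print fmt("DSAP 0x%x SSAP 0x%x: %d LLC frames", dsap, ssap, n);
    }
```

The module name follows the PacketAnalyzer::<canonical name> convention from the note above, so a plugin-provided DEMO analyzer could read demo_ethertype and demo_ports in its Initialize() override.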

Note

When writing your own packet analyzer, take a look into the existing code to identify idiomatic ways to handle tasks like looking up configuration values.

Signature Framework

Zeek relies primarily on its extensive scripting language for defining and analyzing detection policies, but it also provides an independent signature language for doing low-level, Snort-style pattern matching. While signatures are not Zeek’s preferred detection tool, they sometimes come in handy and are closer to what many people are familiar with from using other NIDS. This page gives a brief overview on Zeek’s signatures and covers some of their technical subtleties.

Basics

Let’s look at an example signature first:

signature my-first-sig {
    ip-proto == tcp
    dst-port == 80
    payload /.*root/
    event "Found root!"
}

This signature asks Zeek to match the regular expression .*root on all TCP connections going to port 80. When the signature triggers, Zeek will raise an event signature_match of the form:

event signature_match(state: signature_state, msg: string, data: string)

Here, state contains more information on the connection that triggered the match, msg is the string specified by the signature’s event statement (Found root!), and data is the last piece of payload which triggered the pattern match.

To turn such signature_match events into actual alarms, you can load Zeek’s base/frameworks/signatures/main.zeek script. This script contains a default event handler that raises Signatures::Sensitive_Signature Notices (as well as others; see the beginning of the script).

As signatures are independent of Zeek’s scripts, they are put into their own file(s). There are three ways to specify which files contain signatures: by using the -s flag when you invoke Zeek, by extending the Zeek variable signature_files using the += operator, or by using the @load-sigs directive inside a Zeek script. If a signature file is given without a full path, it is searched for along the normal ZEEKPATH. Additionally, the @load-sigs directive can be used to load signature files in a path relative to the Zeek script in which it’s placed, e.g. @load-sigs ./mysigs.sig will expect that signature file in the same directory as the Zeek script. The default extension of the file name is .sig, and Zeek appends that automatically when necessary.

Signature Language for Network Traffic

Let’s look at the format of a signature more closely. Each individual signature has the format signature <id> { <attributes> }, where <id> is a unique label for the signature. There are two types of attributes: conditions and actions. The conditions define when the signature matches, while the actions declare what to do in the case of a match. Conditions can be further divided into four types: header, content, dependency, and context. We discuss these all in more detail in the following.

Conditions
Header Conditions

Header conditions limit the applicability of the signature to a subset of traffic that contains matching packet headers. This type of matching is performed only for the first packet of a connection.

There are pre-defined header conditions for some of the most used header fields. All of them generally have the format <keyword> <cmp> <value-list>, where <keyword> names the header field; cmp is one of ==, !=, <, <=, >, >=; and <value-list> is a list of comma-separated values or value-ranges to compare against (e.g. 5,7-10 for numbers 5 to 10, excluding 6). The following keywords are defined:

src-ip/dst-ip <cmp> <address-list>

Source and destination address, respectively. Addresses can be given as IPv4 or IPv6 addresses or CIDR masks. For IPv6 addresses/masks the colon-hexadecimal representation of the address must be enclosed in square brackets (e.g. [fe80::1] or [fe80::0]/16).

src-port/dst-port <cmp> <int-list>

Source and destination port, respectively.

ip-proto <cmp> tcp|udp|icmp|icmp6|ip|ip6

IPv4 header’s Protocol field or the Next Header field of the final IPv6 header (i.e. either Next Header field in the fixed IPv6 header if no extension headers are present or that field from the last extension header in the chain). Note that the IP-in-IP forms of tunneling are automatically decapsulated by default and signatures apply to only the inner-most packet, so specifying ip or ip6 is a no-op.

For lists of multiple values, they are sequentially compared against the corresponding header field. If at least one of the comparisons evaluates to true, the whole header condition matches (exception: with !=, the header condition only matches if all values differ).

In addition to these pre-defined header keywords, a general header condition can be defined either as:

header <proto>[<offset>:<size>] [& <integer>] <cmp> <value-list>

This compares the value found at the given position of the packet header with a list of values. offset defines the position of the value within the header of the protocol defined by proto (which can be ip, ip6, tcp, udp, icmp or icmp6). size is either 1, 2, or 4 and specifies the value to have a size of this many bytes. If the optional & <integer> is given, the packet’s value is first masked with the integer before it is compared to the value-list. cmp is one of ==, !=, <, <=, >, >=. value-list is a list of comma-separated integers or integer-ranges similar to those described above. The integers within the list may be followed by an additional / mask where mask is a value from 0 to 32. This corresponds to the CIDR notation for netmasks and is translated into a corresponding bitmask applied to the packet’s value prior to the comparison (similar to the optional & integer). IPv6 address values are not allowed in the value-list, though you can still inspect any 1, 2, or 4 byte section of an IPv6 header using this keyword.

Putting it all together, this is an example condition that is equivalent to dst-ip == 1.2.3.4/16, 5.6.7.8/24:

header ip[16:4] == 1.2.3.4/16, 5.6.7.8/24

Note that the analogous example for IPv6 isn’t currently possible since 4 bytes is the max width of a value that can be compared.

Content Conditions

Content conditions are defined by regular expressions. We differentiate two kinds of content conditions: first, the expression may be declared with the payload statement, in which case it is matched against the raw payload of a connection (for reassembled TCP streams) or of each packet (for ICMP, UDP, and non-reassembled TCP). Second, it may be prefixed with an analyzer-specific label, in which case the expression is matched against the data as extracted by the corresponding analyzer.

A payload condition has the form:

payload /<regular expression>/

Currently, the following analyzer-specific content conditions are defined (note that the corresponding analyzer has to be activated by loading its policy script):

http-request /<regular expression>/

The regular expression is matched against decoded URIs of HTTP requests. Obsolete alias: http.

http-request-header /<regular expression>/

The regular expression is matched against client-side HTTP headers.

http-request-body /<regular expression>/

The regular expression is matched against client-side bodies of HTTP requests.

http-reply-header /<regular expression>/

The regular expression is matched against server-side HTTP headers.

http-reply-body /<regular expression>/

The regular expression is matched against server-side bodies of HTTP replies.

ftp /<regular expression>/

The regular expression is matched against the command line input of FTP sessions.

finger /<regular expression>/

The regular expression is matched against finger requests.

For example, http-request /.*(etc\/(passwd|shadow))/ matches any URI containing either etc/passwd or etc/shadow. To filter on request types, e.g. GET, use payload /GET /.

Note that HTTP pipelining (that is, multiple HTTP transactions in a single TCP connection) has some side effects on signature matches. If multiple conditions are specified within a single signature, this signature matches if all conditions are met by any HTTP transaction (not necessarily always the same!) in a pipelined connection.

Dependency Conditions

To define dependencies between signatures, there are two conditions:

requires-signature [!] <id>

Defines the current signature to match only if the signature given by id matches for the same connection. Using ! negates the condition: The current signature only matches if id does not match for the same connection (using this defers the match decision until the connection terminates).

requires-reverse-signature [!] <id>

Similar to requires-signature, but id has to match for the opposite direction of the same connection, compared to the current signature. This allows modeling the notion of requests and replies.

Context Conditions

Context conditions pass the match decision on to other components of Zeek. They are only evaluated if all other conditions have already matched. The following context conditions are defined:

eval <policy-function>

The given policy function is called and has to return a boolean confirming the match. If false is returned, no signature match is going to be triggered. The function has to be of type function cond(state: signature_state, data: string): bool. Here, data may contain the most recent content chunk available at the time the signature was matched. If no such chunk is available, data will be the empty string. See signature_state for its definition.

payload-size <cmp> <integer>

Compares the integer to the size of the payload of a packet. For reassembled TCP streams, the integer is compared to the size of the first in-order payload chunk. Note that the latter is not very well defined.

same-ip

Evaluates to true if the source address of the IP packets equals its destination address.

tcp-state <state-list>

Imposes restrictions on the current TCP state of the connection. state-list is a comma-separated list of the keywords established (the three-way handshake has already been performed), originator (the current data is sent by the originator of the connection), and responder (the current data is sent by the responder of the connection).

udp-state <state-list>

Imposes restrictions on which UDP flow direction to match. state-list is a comma-separated list of either originator (the current data is sent by the originator of the connection) or responder (the current data is sent by the responder of the connection). The established state is rejected as an error in the signature since it does not have a useful meaning like it does for TCP.
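The signature file below is an added example, not part of the Zeek distribution, that exercises the header, content, dependency and context conditions described in this section with one signature per direction of an HTTP exchange. The web tier subnet, the ports and the function name MySigs::from_untrusted are constructed; the eval function has to be provided by a Zeek script loaded alongside the file.

```zeek
# Added example, not from the Zeek documentation: a signature file with one
# signature per direction of an HTTP exchange.  Subnet, ports and the
# MySigs::from_untrusted function are constructed; the function must be
# defined in a loaded Zeek script.

# Client side: a request for a path under /admin/ sent to the web tier.
signature admin-request {
    ip-proto == tcp
    dst-ip == 192.0.2.0/24
    dst-port == 80,8080
    # Matched against the decoded request URI; slashes are escaped inside /.../.
    http-request /.*\/admin\//
    tcp-state originator
    # Context condition: a script function takes the final match decision.
    eval MySigs::from_untrusted
    event "admin path requested"
}

# Server side: a 2xx status line from the server in the same connection.
signature admin-request-succeeded {
    # Equivalent to `ip-proto == tcp` via the generic header condition:
    # byte 9 of the IPv4 header is the Protocol field (IPv4 traffic only).
    header ip[9:1] == 6
    src-port == 80,8080
    payload /^HTTP\/1\.[01] 2[0-9][0-9]/
    tcp-state responder
    # Dependency condition: only fires if admin-request matched in the
    # opposite direction of this connection.
    requires-reverse-signature admin-request
    event "admin path request succeeded"
}
```

Loaded with -s or @load-sigs, each matching signature raises signature_match with the quoted string as msg; the default handler in base/frameworks/signatures/main.zeek writes both matches to signatures.log.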

Actions

Actions define what to do if a signature matches. Currently, there are two actions defined:

event <string>

Raises a signature_match event. The event handler has the following type:

event signature_match(state: signature_state, msg: string, data: string)

The given string is passed in as msg, and data is the current part of the payload that has eventually led to the signature match (this may be empty for signatures without content conditions).

enable <string>

Enables the protocol analyzer <string> for the matching connection ("http", "ftp", etc.). This is used by Zeek’s dynamic protocol detection to activate analyzers on the fly.
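The script below is an added example, not part of the Zeek distribution, showing the script side that goes with an eval condition and the event action: the policy function named by a signature's eval statement, and a signature_match handler that turns a match into a notice. It assumes signatures named admin-request and admin-request-succeeded in a file ./admin.sig next to the script, one of which uses eval MySigs::from_untrusted; the trusted networks, the notice type and the file name are constructed.

```zeek
# Added example, not from the Zeek documentation: the eval function and a
# signature_match handler for signatures kept in ./admin.sig (constructed
# file name and signature ids; constructed trusted networks).

@load base/frameworks/notice
@load base/frameworks/signatures

module MySigs;

export {
    redef enum Notice::Type += {
        ## A signature matched for a client outside trusted_nets.
        Untrusted_Signature_Match,
    };

    ## Client networks that are never reported (constructed values).
    const trusted_nets: set[subnet] = { 10.0.0.0/8, 192.168.0.0/16 } &redef;

    ## Policy function for the `eval` condition: the signature only
    ## matches when this returns true.
    global from_untrusted: function(state: signature_state, data: string): bool;
}

# Relative to this script, as described in the Basics section.
@load-sigs ./admin.sig

function from_untrusted(state: signature_state, data: string): bool
    {
    return state$conn$id$orig_h !in trusted_nets;
    }

# The client-side signature only exists as the dependency of the reply-side
# one: keep the framework's default handler from reporting it individually.
# The engine still evaluates it for requires-reverse-signature.
redef Signatures::actions += { ["admin-request"] = Signatures::SIG_QUIET };

# Every `event "<msg>"` action ends up here, alongside the default handler
# that writes signatures.log.  state$sig_id is the signature's <id>.
event signature_match(state: signature_state, msg: string, data: string)
    {
    if ( state$sig_id != "admin-request-succeeded" )
        return;

    NOTICE([$note=Untrusted_Signature_Match,
            $msg=fmt("%s (%s)", msg, state$sig_id),
            # The payload chunk that completed the match, for the analyst.
            $sub=data,
            $conn=state$conn,
            # One notice per signature, client and server per suppression interval.
            $identifier=cat(state$sig_id, state$conn$id$orig_h, state$conn$id$resp_h)]);
    }
```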

Signature Language for File Content

The signature framework can also be used to identify MIME types of files irrespective of the network protocol/connection over which the file is transferred. A special type of signature can be written for this purpose and will be used automatically by the Files Framework or by Zeek scripts that use the file_magic built-in function.

Conditions

File signatures use a single type of content condition in the form of a regular expression:

file-magic /<regular expression>/

This is analogous to the payload content condition for the network traffic signature language described above. The difference is that payload signatures are applied to payloads of network connections, whereas file-magic can be applied to any arbitrary data; it does not have to be tied to a network protocol/connection.

Actions

Upon matching a chunk of data, file signatures use the following action to get information about that data’s MIME type:

file-mime <string> [, <integer>]

The arguments include the MIME type string associated with the file magic regular expression and an optional “strength” as a signed integer. Since multiple file magic signatures may match against a given chunk of data, the strength value may be used to help choose a “winner”. Higher values are considered stronger.
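As an added example for the file signature language (not part of Zeek's shipped magic signatures), the two signatures below describe a constructed container format whose files begin with the bytes DEMO1 and, from version 2 on, a version byte 0x02; the strengths are chosen so that the more specific signature wins when both match.

```zeek
# Added example, not from the Zeek documentation: file-magic signatures for
# a constructed "DEMO1" container format with two strengths.

# Generic form: any file starting with the constructed DEMO1 marker.
signature file-demo-container {
    file-magic /^DEMO1/
    file-mime "application/x-demo-container", 50
}

# Version 2 adds a 0x02 version byte.  The generic signature above matches
# this data as well, so the larger strength makes this MIME type the winner.
signature file-demo-container-v2 {
    file-magic /^DEMO1\x02/
    file-mime "application/x-demo-container-v2", 80
}
```

Once the file is loaded with -s or @load-sigs, the Files framework reports the strongest match as the file's MIME type, and file_magic returns all matches with their strengths.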

Things to keep in mind when writing signatures

  • Each signature is reported at most once for every connection; further matches of the same signature are ignored.

  • The content conditions perform pattern matching on elements extracted from an application protocol dialogue. For example, http /.*passwd/ scans URLs requested within HTTP sessions. The thing to keep in mind here is that these conditions only perform any matching when the corresponding application analyzer is actually active for a connection. Note that by default, analyzers are not enabled if the corresponding Zeek script has not been loaded. A good way to double-check whether an analyzer “sees” a connection is checking its log file for corresponding entries. If you cannot find the connection in the analyzer’s log, very likely the signature engine has also not seen any application data.

  • As the name indicates, the payload keyword matches on packet payload only. You cannot use it to match on packet headers; use the header conditions for that.

  • For TCP connections, header conditions are only evaluated for the first packet from each endpoint. If a header condition does not match the initial packets, the signature will not trigger. Zeek optimizes for the most common application here, which is header conditions selecting the connections to be examined more closely with payload statements.

  • For UDP and ICMP flows, the payload matching is done on a per-packet basis; i.e., any content crossing packet boundaries will not be found. For TCP connections, the matching semantics depend on whether Zeek is reassembling the connection (i.e., putting all of a connection’s packets in sequence). By default, Zeek reassembles the first 1K of every TCP connection, which means that within this window, matches will be found without regard to packet order or boundaries (i.e., stream-wise matching).

  • For performance reasons, by default Zeek stops matching on a connection after seeing 1K of payload; see the section on options below for how to change this behaviour. The default was chosen with Zeek’s main user of signatures in mind: dynamic protocol detection works well even when examining just connection heads.

  • Regular expressions are implicitly anchored, i.e., they work as if prefixed with the ^ operator. For reassembled TCP connections, they are anchored at the first byte of the payload stream. For all other connections, they are anchored at the first payload byte of each packet. To match at arbitrary positions, you can prefix the regular expression with .*, as done in the examples above.

  • To match on non-ASCII characters, Zeek’s regular expressions support the \x<hex> operator. CRs/LFs are not treated specially by the signature engine and can be matched with \r and \n, respectively. Generally, Zeek follows flex’s regular expression syntax. See the DPD signatures in base/frameworks/dpd/dpd.sig for some examples of fairly complex payload patterns.

  • The data argument of the signature_match handler might not carry the full text matched by the regular expression. Zeek performs the matching incrementally as packets come in; when the signature eventually fires, it can only pass on the most recent chunk of data.

Options

The following options control details of Zeek’s matching process:

  • dpd_reassemble_first_packets

    If true, Zeek reassembles the beginning of every TCP connection (up to dpd_buffer_size bytes, see below), to facilitate reliable matching across packet boundaries. If false, only those connections are reassembled for which an application-layer analyzer gets activated (e.g., by Zeek’s dynamic protocol detection).

  • dpd_match_only_beginning

    If true, Zeek performs packet matching only within the initial payload window of dpd_buffer_size. If false, it keeps matching on subsequent payload as well.

  • dpd_buffer_size

    Defines the buffer size for the two preceding options. In addition, this value determines the number of bytes Zeek buffers for each connection in order to activate application analyzers even after parts of the payload have already passed through. This is needed by the dynamic protocol detection capability to defer the decision of which analyzers to use.
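To tie the points above together, here is an added example (not part of Zeek's distribution): a signature file with one header-plus-http-request rule and one originator-only payload rule, and a script that loads it, raises the two dpd_ options so that matching is not limited to the first 1K of payload, and handles signature_match. The file names, the signature names and the EHLO pattern are made up for this illustration; http-request is the current name of the URI condition that the text above refers to as http.

```zeek
# --- file: sig-demo.sig (hypothetical file name; added example, not part of Zeek) ---

# Report, once per connection, an HTTP request whose URI contains "passwd".
# The leading .* is needed because patterns are implicitly anchored at the
# start of the payload; the header conditions select which connections are
# examined at all and are only checked on the first packet of each endpoint.
signature http-passwd-request-example {
    ip-proto == tcp
    dst-port == 80
    http-request /.*passwd/
    event "HTTP request URI contains passwd"
}

# A payload rule restricted to data sent by the connection originator.
# \r and \n match CR and LF; other non-ASCII bytes would use \x<hex>.
signature originator-ehlo-example {
    ip-proto == tcp
    tcp-state originator
    payload /^EHLO [^\r\n]+\r\n/
    event "EHLO greeting sent by originator"
}

# --- file: sig-demo.zeek ---
@load-sigs ./sig-demo.sig

# By default only the first dpd_buffer_size (1K) bytes of a connection are
# matched, which is enough for dynamic protocol detection. Keep matching on
# later payload and reassemble a larger window; this costs memory per
# connection, so raise it only as far as the deployment can afford.
redef dpd_match_only_beginning = F;
redef dpd_buffer_size = 4096;

event signature_match(state: signature_state, msg: string, data: string)
    {
    # state$sig_id is the signature name, state$is_orig tells which side
    # sent the matching bytes, and data is only the most recent chunk that
    # completed the match, not necessarily the whole matched text.
    print fmt("%s: %s -> %s from %s, %s (%d bytes in last chunk)",
              state$sig_id,
              state$conn$id$orig_h, state$conn$id$resp_h,
              state$is_orig ? "originator" : "responder",
              msg, |data|);
    }
```

Run it against a trace with zeek -r some.pcap sig-demo.zeek. If a rule never fires, first check that the corresponding analyzer's log (here http.log) contains the connection: the http-request condition is only evaluated while the HTTP analyzer is attached to the connection.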

So, how about using Snort signatures with Zeek?

There was once a script, snort2bro, that converted Snort signatures automatically into Zeek’s (then called “Bro”) signature syntax. However, in our experience this didn’t turn out to be a very useful thing to do because by simply using Snort signatures, one can’t benefit from the additional capabilities that Zeek provides; the approaches of the two systems are just too different. We therefore stopped maintaining the snort2bro script, and there are now many newer Snort options which it doesn’t support. The script is now no longer part of the Zeek distribution.

Summary Statistics

Measuring aspects of network traffic is an extremely common task in Zeek. Zeek provides data structures that make this easy in simple cases, such as processing a size-limited trace file. In real-world deployments though, there are difficulties that arise from clustering (many processes sniffing traffic) and unbounded data sets (traffic never stops). The Summary Statistics (otherwise referred to as SumStats) framework aims to define a mechanism for consuming unbounded data sets and making them measurable in practice on large clustered and non-clustered Zeek deployments.

Overview

The Sumstat processing flow is broken into three pieces: observations, where some aspect of an event is observed and fed into the Sumstats framework; reducers, where observations are collected and measured, typically by taking some sort of summary statistic measurement like average or variance (among others); and sumstats, where reducers have an epoch (time interval) over which their measurements are performed, along with callbacks for monitoring thresholds or viewing the collected and measured data.

Terminology

Observation

A single point of data. Observations have a few components of their own. They are part of an arbitrarily named observation stream, they have a key that is something the observation is about, and the actual observation itself.

Reducer

Calculations are applied to an observation stream here to reduce the full unbounded set of observations down to a smaller representation. Results are collected within each reducer per key, so care must be taken to keep the total number of keys tracked down to a reasonable level.

Sumstat

The final definition of a Sumstat, where one or more reducers are collected over an interval, also known as an epoch. Thresholding can be applied here along with a callback in the event that a threshold is crossed. Additionally, a callback can be provided to access each result (per key) at the end of each epoch.

Examples

These examples may seem very simple to an experienced Zeek script developer, and they’re intended to look that way. Keep in mind that these scripts will work on small single-process Zeek instances as well as large many-worker clusters. The complications of dealing with flow-based load balancing can be ignored by developers writing scripts that use Sumstats, thanks to its built-in cluster transparency.

Printing the number of connections

Sumstats provides a simple way of approaching the problem of trying to count the number of connections over a given time interval. Here is a script with inline documentation that does this with the Sumstats framework:

sumstats-countconns.zeek
@load base/frameworks/sumstats

event connection_established(c: connection)
    {
    # Make an observation!
    # This observation is global so the key is empty.
    # Each established connection counts as one so the observation is always 1.
    SumStats::observe("conn established",
                      SumStats::Key(),
                      SumStats::Observation($num=1));
    }

event zeek_init()
    {
    # Create the reducer.
    # The reducer attaches to the "conn established" observation stream
    # and uses the summing calculation on the observations.
    local r1 = SumStats::Reducer($stream="conn established",
                                 $apply=set(SumStats::SUM));

    # Create the final sumstat.
    # We give it an arbitrary name and make it collect data every minute.
    # The reducer is then attached and a $epoch_result callback is given
    # to finally do something with the data collected.
    SumStats::create([$name = "counting connections",
                      $epoch = 1min,
                      $reducers = set(r1),
                      $epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) =
                        {
                        # This is the body of the callback that is called when a single
                        # result has been collected.  We are just printing the total number
                        # of connections that were seen.  The $sum field is provided as a
                        # double type value so we need to use %f as the format specifier.
                        print fmt("Number of connections established: %.0f", result["conn established"]$sum);
                        }]);
    }

When run on a sample PCAP file from the Zeek test suite, the following output is created:

$ zeek -r workshop_2011_browse.trace sumstats-countconns.zeek
Number of connections established: 6

Toy scan detection

Taking the previous example even further, we can implement a simple detection to demonstrate the thresholding functionality. This example is a toy to demonstrate how thresholding works in Sumstats and is not meant to be a real-world functional example; that is left to the policy/misc/scan.zeek script that is included with Zeek.

sumstats-toy-scan.zeek
@load base/frameworks/sumstats

# We use the connection_attempt event to limit our observations to those
# which were attempted and not successful.
event connection_attempt(c: connection)
    {
    # Make an observation!
    # This observation is about the host attempting the connection.
    # Each attempted connection counts as one so the observation is always 1.
    SumStats::observe("conn attempted",
                      SumStats::Key($host=c$id$orig_h),
                      SumStats::Observation($num=1));
    }

event zeek_init()
    {
    # Create the reducer.
    # The reducer attaches to the "conn attempted" observation stream
    # and uses the summing calculation on the observations. Keep
    # in mind that there will be one result per key (connection originator).
    local r1 = SumStats::Reducer($stream="conn attempted",
                                 $apply=set(SumStats::SUM));

    # Create the final sumstat.
    # This is slightly different from the last example since we're providing
    # a callback to calculate a value to check against the threshold with
    # $threshold_val.  The actual threshold itself is provided with $threshold.
    # Another callback is provided for when a key crosses the threshold.
    SumStats::create([$name = "finding scanners",
                      $epoch = 5min,
                      $reducers = set(r1),
                      # Provide a threshold.
                      $threshold = 5.0,
                      # Provide a callback to calculate a value from the result
                      # to check against the threshold field.
                      $threshold_val(key: SumStats::Key, result: SumStats::Result) =
                        {
                        return result["conn attempted"]$sum;
                        },
                      # Provide a callback for when a key crosses the threshold.
                      $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
                        {
                        print fmt("%s attempted %.0f or more connections", key$host, result["conn attempted"]$sum);
                        }]);
    }

Let’s see if there are any hosts that crossed the threshold in a PCAP file containing a host running nmap:

$ zeek -r nmap-vsn.trace sumstats-toy-scan.zeek
192.168.1.71 attempted 5 or more connections

It seems the host running nmap was detected!

Supervisor Framework

The Supervisor framework enables an entirely new mode for Zeek, one that supervises a set of Zeek processes that are meant to be persistent. A Supervisor automatically revives any process that dies or exits prematurely and also arranges for an ordered shutdown of the entire process tree upon its own termination. This Supervisor mode for Zeek provides the basic foundation for process configuration/management that could be used to deploy a Zeek cluster similar to what ZeekControl does, but is also simpler to integrate as a standard system service.

Simple Example

A simple example of using the Supervisor to monitor one Zeek process sniffing packets from an interface looks like the following:

$ zeek -j simple-supervisor.zeek
simple-supervisor.zeek
event zeek_init()
    {
    if ( Supervisor::is_supervisor() )
        {
        local sn = Supervisor::NodeConfig($name="foo", $interface="en0");
        local res = Supervisor::create(sn);

        if ( res == "" )
            print "supervisor created a new node";
        else
            print "supervisor failed to create node", res;
        }
    else
        print fmt("supervised node '%s' zeek_init()", Supervisor::node()$name);
    }

event zeek_done()
    {
    if ( Supervisor::is_supervised() )
        print fmt("supervised node '%s' zeek_done()", Supervisor::node()$name);
    else
        print "supervisor zeek_done()";
    }

The command-line argument of -j toggles Zeek to run in “Supervisor mode” to allow for creation and management of child processes. If you’re going to test this locally, be sure to change en0 to a real interface name you can sniff.

Notice that the simple-supervisor.zeek script is loaded and executed both by the main Supervisor process and by the child Zeek process that it spawns via Supervisor::create. Supervisor::is_supervisor and Supervisor::is_supervised distinguish the Supervisor process from the supervised child process, respectively. You can also distinguish between multiple supervised child processes by inspecting the contents of Supervisor::node (e.g. comparing node names).

If you happen to be running this locally on an interface with checksum offloading and want Zeek to ignore checksums, simply run with the -C command-line argument instead, like:

$ zeek -j -C simple-supervisor.zeek

Most command-line arguments to Zeek are automatically inherited by any supervised child processes that get created. The notable ones that are not inherited are the options to read pcap files and live interfaces, -r and -i, respectively.

For node-specific configuration options, see Supervisor::NodeConfig which gets passed as argument to Supervisor::create.

Supervised Cluster Example

To run a full Zeek cluster similar to what you may already know, try the following script:

$ zeek -j cluster-supervisor.zeek
cluster-supervisor.zeek
event zeek_init()
    {
    if ( ! Supervisor::is_supervisor() )
        return;

    Broker::listen("127.0.0.1", 9999/tcp);

    local cluster: table[string] of Supervisor::ClusterEndpoint;
    cluster["manager"] = [$role=Supervisor::MANAGER, $host=127.0.0.1, $p=10000/tcp];
    cluster["logger"] = [$role=Supervisor::LOGGER, $host=127.0.0.1, $p=10001/tcp];
    cluster["proxy"] = [$role=Supervisor::PROXY, $host=127.0.0.1, $p=10002/tcp];
    cluster["worker"] = [$role=Supervisor::WORKER, $host=127.0.0.1, $p=10003/tcp, $interface="en0"];

    for ( n, ep in cluster )
        {
        local sn = Supervisor::NodeConfig($name=n);
        sn$cluster = cluster;
        sn$directory = n;

        if ( ep?$interface )
            sn$interface = ep$interface;

        local res = Supervisor::create(sn);

        if ( res != "" )
            print fmt("supervisor failed to create node '%s': %s", n, res);
        }
    }

This script now spawns four nodes: a cluster manager, logger, worker, and proxy. It also configures each node to use a separate working directory, named after the node, within the current working directory of the Supervisor process. Any stdout/stderr output of the nodes is automatically redirected through the Supervisor process and prefixed with relevant information, like the name of the node that the output came from.

The Supervisor process also listens on a port of its own for further instructions from other external/remote processes via Broker::listen. For example, you could use this other script to tell the Supervisor to restart all processes, perhaps to re-load Zeek scripts you’ve changed in the meantime:

$ zeek supervisor-control.zeek
supervisor-control.zeek
event zeek_init()
    {
    Broker::peer("127.0.0.1", 9999/tcp, 1sec);
    }

event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
    {
    Broker::publish(SupervisorControl::topic_prefix, SupervisorControl::restart_request, "", "");
    }

event SupervisorControl::restart_response(reqid: string, result: bool)
    {
    print fmt("got result of supervisor restart request: %s", result);
    terminate();
    }

Any Supervisor instruction you can perform via an API call in a local script can also be triggered via an associated external event.

For further details, consult the Supervisor API at base/frameworks/supervisor/api.zeek and SupervisorControl API (for remote management) at base/frameworks/supervisor/control.zeek.

Internal Architecture

The following details aren’t necessarily important for most users, but instead aim to give developers a high-level overview of how the process supervision framework is implemented. The process tree in “supervisor” mode looks like:

_images/zeek-supervisor-architecture.png

The top-level “Supervisor” process does not directly manage any of the supervised nodes that are created. Instead, it spawns an intermediate process, called “Stem”, to manage the lifetime of supervised nodes. This is done for two reasons:

  1. It avoids the need to exec() the supervised processes, which would require executing whatever version of the zeek binary happens to exist on the filesystem at the time of the call; that binary may have changed in the meantime. This helps avoid potential incompatibility or race-condition pitfalls associated with system maintenance/upgrades. The one situation that does still require an exec() is if the Stem process dies prematurely, but that is expected to be a rare scenario.

  2. Zeek run-time operation generally taints global state, so creating an early fork() for use as the Stem process provides a pure baseline image to use for supervised processes.

Ultimately, there are two tiers of process supervision happening: the Supervisor will revive the Stem process if needed and the Stem process will revive any of its children when needed.

Also, both the Stem and any of its supervised child processes automatically detect if they are orphaned from their parent process and self-terminate. The Stem checks for orphaning simply by waking up every second from its poll() loop to check whether its parent PID changed. A supervised node checks for orphaning similarly, but instead does so from a recurring Timer. Other than the orphaning check and the way it establishes the desired configuration from a combination of inherited command-line arguments and Supervisor-specific options, a supervised node does not operate differently at run-time from a traditional Zeek process.

TLS Decryption

Zeek has limited support for decrypting TLS connections, if the necessary key material is available. If decryption is possible, Zeek can forward the decrypted data to other analyzers - like the HTTP analyzer.

Note that this support is currently limited to a single version of TLS and a single cipher suite. Zeek can currently only decrypt TLS 1.2 connections that use the TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher. Any other TLS version or cipher will not be decrypted. We do not currently plan to extend this support to other versions of TLS, or to other ciphersuites.

Capturing and decrypting a trace file

The most common use-case for TLS decryption is to capture a trace file together with the necessary key material to allow Zeek to decrypt it. In principle, it is possible to allow Zeek to decrypt TLS connections in live traffic. However, this kind of setup is much more complex and will require the user to set up a way to transport the key material to Zeek in real-time. We will talk a bit about the possibility of this below.

Capturing a trace file with keys

To be able to decrypt the TLS connections contained in a trace file, we need access to the symmetric keys that were used to encrypt the connection. Specifically, for our supported version of TLS, we need the pre-master secret for the TLS connection.

Firefox and Chrome allow users to capture the key material of all TLS connections that they perform by setting the SSLKEYLOGFILE environment variable. For example, on Mac OS, you can instruct Firefox to record the TLS key material by starting it in the following way:

export SSLKEYLOGFILE=$HOME/keylogfile.txt
open -a firefox

After running Firefox like this, and accessing some web pages, you should end up with the file keylogfile.txt in your home directory that contains lines like this:

# SSL/TLS secrets log file, generated by NSS
CLIENT_RANDOM 47d1becb619e0851ee363c2cf37187228227ca4e680f9a7c0bd15069aa7a5970 ad03ceda4890fa581e989f5e3862023e2a4e3e8ad81325238d908066e1d35cc875979e34c08e6fdfd9d8c6f356e385c1
CLIENT_RANDOM 2095006fcb3f93d255cbb6562587f0dd010212fdee9d233aff64e6ed36cd5c45 0d36faaa2eadbda2a8095f951de1cbac46b81b008fbf391d91951b3485476bab73288a1e17cd0ce80e0fc0401dbe9e3f
CLIENT_RANDOM 8f58b32bf97e7d3856e2fccbbe80798ec2e3f515251082ad63bbc7c231d8bee0 9a7cf946a04718a19f4d20c3f80c1cf8c823c3e2b1c337ef64322d751b410543315f6ecf7dbf45ec9be194a3cc7c1a0f

These log lines contain the pre-master secrets for the connections that your browser established. The secrets are indexed with the client random of the connections. This allows applications (like Zeek) to identify which secret to use to decrypt a connection.

If you capture this key log file together with a trace-file, you will be able to decrypt the sessions using Zeek (assuming they use a supported TLS version and ciphersuite).

Decrypting a trace file

The next step is to convert the keylogfile into a format that can be ingested by Zeek. This bash script will perform the conversion:

#!/usr/bin/env bash
# Convert an NSS-style key log ("CLIENT_RANDOM <hex> <hex>" lines) into the
# tab-separated format that Zeek's input framework reads.

if [ $# -ne 1 ]; then
     echo "Script expects one argument (key log filename)" >&2
     exit 1
fi

FILE="$1"

if [ ! -f "${FILE}" ]; then
     echo "${FILE} does not exist or is not readable" >&2
     exit 1
fi

# The header and the data fields must be separated by tabs, otherwise Zeek
# treats the whole line as a single field.
printf '#fields\tclient_random\tsecret\n'

# Keep only CLIENT_RANDOM lines, drop the leading characters of the client
# random (see the note below), emit the two fields tab-separated, and rewrite
# every pair of hex digits as a \x escape so Zeek reads the values as bytes.
awk '$1 == "CLIENT_RANDOM" { print substr($2, 9) "\t" $3 }' "${FILE}" \
    | sed 's/[A-Za-z0-9][A-Za-z0-9]/\\x&/g'

Note that the script just converts the keylog file into a standard Zeek tsv-file. Furthermore, it removes the first 16 characters of the CLIENT_RANDOM; this is needed due to a design choice of Zeek that makes accessing the first 8 bytes (equivalent to 16 hex characters) of the client random inconvenient, so these bytes are not used for matching.

If you run the bash script on the keylogfile.txt you created earlier, you will get a Zeek tsv-file.

./convert-keylog.sh ~/keylogfile.txt > ~/keylogfile.log

cat ~/keylogfile.log
#fields      client_random   secret
\x0e\x78\x2d\x35\x63\x95\x5d\x8a\x30\xa9\xcf\xb6\x4f\x47\xf3\x96\x34\x8a\x1e\x79\x1a\xa2\x32\x55\xe2\x2f\xc5\x7a     \x34\x4f\x12\x65\xbf\x43\x40\xb3\x61\x6b\xa0\x16\x5d\x2b\x4d\xb9\xb1\xe8\x4a\x3d\xa2\x42\x0e\x38\xab\x01\x50\x62\x84\xcc\x34\xcd\xe0\x34\x10\xfe\x1a\x02\x30\x49\x74\x6c\x46\x43\xa7\x0c\x67\x0d
\x24\x8c\x7e\x24\xee\xfb\x13\xcd\xee\xde\xb1\xf4\xb6\xd6\xd5\xee\x67\x8d\xd3\xff\xc7\xe7\x39\x23\x18\x3f\x99\xb4     \xe7\xed\x24\x26\x0d\x25\xd9\xfd\xf5\x0f\xc0\xf4\x56\x51\x0e\x4e\xec\x7f\x58\x9c\xaf\x39\x25\x14\x16\xa6\x71\xdd\xea\xfe\xe9\xc0\x93\xbe\x89\x4c\xab\xcc\xff\xb2\xf0\x9a\xea\x98\xf5\xb2\x53\x1e
\x57\xd7\xc7\x7a\x2d\x5e\x35\x29\x2c\xd7\xe7\x94\xee\xf8\x6f\x31\x45\xf6\xbe\x25\x08\xed\x1d\x92\xd2\x0b\x9b\x04     \xc1\x93\x17\x93\xd9\x7d\xd2\x98\xb3\xe0\xdb\x2c\x5d\xbe\x71\x31\xa7\x9a\xf5\x91\xf9\x87\x90\xee\xb7\x79\x9f\x6b\xb4\x1f\x47\xa7\x69\x62\x4b\xa3\x99\x0c\xa9\x43\xf9\xea\x3b\x4d\x5f\x2f\xfe\xfb

Now we can run Zeek on the trace-file that we recorded. We need a small additional script for this, which stops processing while the TLS keylog file is loaded. It also loads the required policy script.

tls_decryption-1-suspend-processing.zeek
@load protocols/ssl/decryption
@load base/protocols/http

event zeek_init()
    {
    suspend_processing();
    }

event Input::end_of_data(name: string, source: string)
    {
    if ( name == "tls-keylog-file" )
        continue_processing();
    }

$ export ZEEK_TLS_KEYLOG_FILE=~/keylogfile.log
$ zeek -C -r tls/tls-1.2-stream-keylog.pcap tls_decryption-1-suspend-processing.zeek

$ cat conn.log
#separator \x09
#set_separator       ,
#empty_field (empty)
#unset_field -
#path        conn
#open        2022-03-01-16-57-26
#fields      ts      uid     id.orig_h       id.orig_p       id.resp_h       id.resp_p       proto   service duration        orig_bytes      resp_bytes      conn_state      local_orig      local_resp      missed_bytes    history orig_pkts       orig_ip_bytes   resp_pkts       resp_ip_bytes   tunnel_parents
#types       time    string  addr    port    addr    port    enum    string  interval        count   count   string  bool    bool    count   string  count   count   count   count   set[string]
1646150638.631834    CTy5Us4OUaTOcyrPvc      192.168.20.12   60679   193.99.144.85   443     tcp     http,ssl        7.246461        10853   151695  SF      -       -       0       ShADadFf        98      15961   139     158931  -
#close       2022-03-01-16-57-26

$ cat http.log
#separator \x09
#set_separator       ,
#empty_field (empty)
#unset_field -
#path        http
#open        2022-03-01-16-57-25
#fields      ts      uid     id.orig_h       id.orig_p       id.resp_h       id.resp_p       trans_depth     method  host    uri     referrer        version user_agent      origin  request_body_len        response_body_len       status_code     status_msg      info_code       info_msg        tags    username        password        proxied orig_fuids      orig_filenames  orig_mime_types resp_fuids      resp_filenames  resp_mime_types
#types       time    string  addr    port    addr    port    count   string  string  string  string  string  string  string  count   count   count   string  count   string  set[enum]       string  string  set[string]     vector[string]  vector[string]  vector[string]  vector[string]  vector[string]  vector[string]
1646150638.735969    CTy5Us4OUaTOcyrPvc      192.168.20.12   60679   193.99.144.85   443     1       GET     www.heise.de    /assets/akwa/v24/js/akwa.js?.ltc.c61e84978682308f631c   https://www.heise.de/   1.1     Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:97.0) Gecko/20100101 Firefox/97.0      -       0       375340  200     OK      -       -       (empty) -       -       -       -       -       -       FSJiWr34wfIujxxtm3      -       text/plain
1646150638.944774    CTy5Us4OUaTOcyrPvc      192.168.20.12   60679   193.99.144.85   443     2       GET     www.heise.de    /assets/heise/images/mit_technology_review_singleline.b768.ltc.svg      https://www.heise.de/   1.1     Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:97.0) Gecko/20100101 Firefox/97.0      -       0       3430    200     OK      -       -       (empty) -       -       -       -       -       -       FgivhC1pvnYeQS4u18      -       text/plain
1646150638.976118    CTy5Us4OUaTOcyrPvc      192.168.20.12   60679   193.99.144.85   443     3       GET     www.heise.de    /assets/heise/hobell/css/hobell.css?.ltc.3746e7e49abafa23b5fb   https://www.heise.de/   1.1     Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:97.0) Gecko/20100101 Firefox/97.0      -       0       85280   200     OK      -       -       (empty) -       -       -       -       -       -       FyvBkl2nwRXf0hkDO1      -       text/plain
...

Now conn.log shows that both the HTTP and the SSL analyzers were attached to the connection, and http.log shows the information from the decrypted HTTP session.

If you try this yourself, note that today a lot of encrypted Internet traffic uses HTTP/2. Zeek currently does not ship with an HTTP/2 parser by default. If you capture your own traffic, make sure that your browser uses HTTP/1. Alternatively, you can add an HTTP/2 analyzer to Zeek, e.g. using a package.

Decrypting live traffic

In principle, it is possible to decrypt live traffic using this approach. When you want to do this, you have to supply the secrets to Zeek as the connections are happening. Note that there are timing constraints here - the secrets should arrive at the Zeek instance that will decrypt the traffic before encrypted application data is exchanged.

The policy/protocols/ssl/decryption.zeek policy script sets up two events for this purpose. You can send key material to the Zeek worker in question via Broker, using the /zeek/tls/decryption topic. The two events used for this are SSL::add_keys and SSL::add_secret.

TLS Decryption API

If the policy script does not suit your use-case, you can use the TLS decryption API directly to decrypt a connection. You can use either the set_secret or the set_keys functions to provide the decryption keys for an ongoing SSL connection.

Note that you will have to make sure to set SSL::disable_analyzer_after_detection to false if you use this functionality directly.
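The following is an added example of using the API directly; it is not the decryption policy script that ships with Zeek, although it follows the same structure. It reads a Zeek tsv key log (client_random, secret; the format produced by the conversion script above) into a table, pauses packet processing until the table is loaded, and hands the matching pre-master secret to the SSL analyzer via set_secret when the client hello arrives. The file name keylog.log and the input stream name are placeholders, and the check of set_secret's return value assumes the function returns a bool indicating success.

```zeek
# Added example, not Zeek's policy/protocols/ssl/decryption.zeek.
@load base/frameworks/input
@load base/protocols/ssl

# Without this the SSL analyzer is detached after protocol detection and
# nothing is left to decrypt the application data.
redef SSL::disable_analyzer_after_detection = F;

# Row layout of the tsv key log: one index column and one value column.
type KeyLogIdx: record {
    client_random: string;
};

type KeyLogVal: record {
    secret: string;
};

# client_random -> pre-master secret, filled from the key log file.
global tls_secrets: table[string] of string = table();

event zeek_init()
    {
    # Do not look at any packet until the secrets are in memory; otherwise
    # the first connections in the trace are seen before their keys.
    suspend_processing();

    # "keylog.log" is a placeholder path for this example.
    Input::add_table([$source="keylog.log",
                      $name="example-keylog",
                      $idx=KeyLogIdx,
                      $val=KeyLogVal,
                      $want_record=F,
                      $destination=tls_secrets]);
    }

event Input::end_of_data(name: string, source: string)
    {
    if ( name == "example-keylog" )
        continue_processing();
    }

event ssl_client_hello(c: connection, version: count, record_version: count,
                       possible_ts: time, client_random: string,
                       session_id: string, ciphers: index_vec,
                       comp_methods: index_vec)
    {
    # The client_random Zeek passes here omits the leading bytes of the
    # on-the-wire random, which is why the conversion script strips the
    # start of every CLIENT_RANDOM line; the table lookup relies on that.
    if ( client_random !in tls_secrets )
        return;

    # Only TLS 1.2 with TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 is decrypted;
    # for anything else the secret is accepted but no plaintext results.
    if ( ! set_secret(c, tls_secrets[client_random]) )
        print fmt("set_secret failed for connection %s", c$uid);
    }
```

Run with zeek -C -r capture.pcap this-script.zeek; decrypted HTTP/1 sessions then appear in http.log exactly as in the policy-script walkthrough above. set_keys works the same way but takes the already derived key block instead of the pre-master secret.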

Script Reference

Operators

The Zeek scripting language supports the following operators. Note that each data type only supports a subset of these operators. For more details, see the documentation about the data types.

Relational operators

The relational operators evaluate to type bool.

In addition to numeric operands, the relational operators also work with operands of type interval, time, string, port, addr, and set.

Name                    Syntax
Equality                a == b
Inequality              a != b
Less than               a < b
Less than or equal      a <= b
Greater than            a > b
Greater than or equal   a >= b

Logical operators

The logical operators require operands of type bool, and evaluate to type bool.

Name          Syntax
Logical AND   a && b
Logical OR    a || b
Logical NOT   ! a

Arithmetic operators

Name             Syntax   Notes
Addition         a + b    For string operands, this performs string concatenation.
Subtraction      a - b
Multiplication   a * b
Division         a / b    For int or count operands, the fractional part of the result is dropped.
Modulo           a % b    Operand types cannot be double.
Unary plus       +a
Unary minus      -a
Pre-increment    ++a      Operand type cannot be double.
Pre-decrement    --a      Operand type cannot be double.
Absolute value   |a|      If the operand is a string, set, table, or vector, this evaluates to the number of elements.

Bitwise operators

The bitwise operators work with operands of type count or vector of count, but the bitwise complement operator works with count only.

Name                 Syntax
Bitwise AND          a & b
Bitwise OR           a | b
Bitwise XOR          a ^ b
Bitwise complement   ~a

Set operators

Name               Syntax
Set intersection   s1 & s2
Set union          s1 | s2
Set difference     s1 - s2

Assignment operators

The assignment operators evaluate to the result of the assignment.

Name                                                  Syntax
Assignment                                            a = b
Addition assignment (more generally, “add to”)        a += b
Subtraction assignment (more generally, “remove from”)  a -= b

Along with simple arithmetic, the += operator supports adding elements to table, set, vector, and pattern values, provided the right-hand operand (RHS) has the same type. For table and set values, each of the RHS elements is added to the table or set. For vector, the RHS elements are appended to the end of the vector. For pattern values, the pattern is modified to include the RHS pattern as an alternative (regular expression | operator).

The -= operator provides analogous functionality for table and set types, removing from the lefthand operand any elements it has in common with the RHS value. (Note that for tables, only the indices are used; if the RHS value has an index in common with the lefthand operand’s value, it’s removed even if the “yield” values differ.)

For all assignment operators, you can specify a comma-separated list of values within braces ({}). These are treated as constructor arguments to create a corresponding table, set, or vector value, with the type of constructor taken from the lefthand operand. For example:

local t: table[count, string] of double;
...
t += { [3, "three"] = 3.0, [9, "nine"] = 9.0 };

will add those two elements to the table t. For table and set constructors, you can embed lists in the constructor arguments to produce a cross-product expansion. For example:

local t: table[count, string] of double;
...
t += { [[3, 4], ["three", "four"]] = 3.0, [9, "nine"] = 9.0 };

results in t having five elements:

[3, three] = 3.0
[3, four] = 3.0
[4, three] = 3.0
[4, four] = 3.0
[9, nine] = 9.0

Finally, you can also use the += operator to append an element to the end of a vector. For example, v += e is equivalent to v[|v|] = e, providing that e’s type corresponds to that of one of v’s elements.
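The following script is an added example, not part of the Zeek documentation, showing the "add to" and "remove from" operators on a table, a set and a pattern. All values (the addresses, ports and patterns) are constructed; note that -= on the table matches on the index alone, so the differing yield value does not prevent removal.

```zeek
# Added example (not from the Zeek documentation): += and -= on a table,
# a set and a pattern. All values are constructed.
event zeek_init()
    {
    # A per-host counter of the kind a detection script keeps.
    local hits: table[addr] of count = { [10.0.0.1] = 3, [10.0.0.2] = 7 };

    # += with braces: the list is a table constructor typed after the lefthand operand.
    hits += { [10.0.0.3] = 1 };
    print |hits|;

    # -= removes by index only: the yield 999 differs from the stored 7,
    # but the entry for 10.0.0.2 is removed all the same.
    hits -= { [10.0.0.2] = 999 };
    print 10.0.0.2 in hits;

    # Sets: grow and shrink in place rather than rebuilding with s = s | other.
    local watched: set[port] = { 22/tcp, 443/tcp };
    watched += { 80/tcp, 8080/tcp };
    watched -= { 22/tcp };
    print watched;

    # Patterns: += adds the RHS as a regular-expression alternative,
    # so the result behaves like /curl|python-requests/.
    local agents = /curl/;
    agents += /python-requests/;
    print agents in "python-requests/2.31";   # embedded match
    print agents == "curl";                   # exact match of the whole string
    }
```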

Record field operators

The record field operators take a record as the first operand, and a field name as the second operand. For both operators, the specified field name must be in the declaration of the record type.

Name                          Syntax    Notes
Field access                  a$b
Field value existence test    a?$b      Evaluates to type bool. True if the specified field has been assigned a value, false if not.

Pattern operators

In the table below, p is a pattern, and s is a string.

Name                 Syntax     Notes
Exact matching       p == s     Evaluates to a boolean, indicating if the entire string exactly matches the pattern.
Embedded matching    p in s     Evaluates to a boolean, indicating if the pattern is found somewhere in the string.
Conjunction          p1 & p2    Evaluates to a pattern that represents matching p1 followed by p2.
Disjunction          p1 | p2    Evaluates to a pattern that represents matching p1 or p2.

Type casting

The as operator performs type casting and the is operator checks if a type cast is supported or not. For both operators, the first operand is a value and the second operand is the name of a Zeek script type (either built-in or user-defined).

Name                            Syntax    Notes
Type cast                       v as t    Cast value v into type t. Evaluates to the value as cast to the specified type. If this is not a supported cast, then a runtime error is triggered.
Check if a cast is supported    v is t    Evaluates to bool. If true, then v as t would succeed.

Only the following kinds of type casts are supported currently:

  • Broker values (i.e., Broker::Data values returned from functions such as Broker::data) can be cast to their corresponding Zeek script types.

  • A value of declared type any can be cast to its actual underlying type.

  • All values can be cast to their declared types (i.e., this is a no-op).

The function in this example tries to cast a value to a string:

function example(a: any)
    {
    local s: string;

    if ( a is string )
        s = (a as string);
    }

Other operators

Name                              Syntax       Notes (on the indented line below each row)
Membership test                   a in b
    Evaluates to type bool. Works with string, pattern, subnet, set, table, or vector operands. Do not confuse this use of in with that used in a for statement.
Non-membership test               a !in b
    This is the logical NOT of the in operator. For example: a !in b is equivalent to !(a in b).
Table or vector element access    a[b]
    This operator can also be used with a set, but only with the add or delete statement.
Substring extraction              a[b:c]
    See the string type for more details.
Create a deep copy                copy(a)
    This is relevant only for data types that are assigned by reference, such as vector, set, table, and record.
Module namespace access           a::b
    The first operand is the module name, and the second operand is an identifier that refers to a global variable, enumeration constant, or user-defined type that was exported from the module.
Conditional                       a ? b : c
    The first operand must evaluate to type bool. If true, then the second expression is evaluated and is the result of the entire expression. Otherwise, the third expression is evaluated and is the result of the entire expression. The types of the second and third operands must be compatible. Known as the ternary operator.

Types

The Zeek scripting language supports the following built-in types:

Name(s)                           Description
bool                              Boolean
count, int, double                Numeric types
time, interval                    Time types
string                            String
pattern                           Regular expression
port, addr, subnet                Network types
enum                              Enumeration (user-defined type)
table, set, vector, record        Container types
function, event, hook             Executable types
file                              File type (only for writing)
opaque                            Opaque type (for some built-in functions)
any                               Any type (for functions or containers)

Here is a more detailed description of each type:

bool

Reflects a value with one of two meanings: true or false. The two bool constants are T and F.

The bool type supports the following operators: equality/inequality (==, !=), logical and/or (&&, ||), logical negation (!), and absolute value (where |T| is 1, and |F| is 0, and in both cases the result type is count).

Type Conversions

To        Description                                           Example
count     Absolute value operator                               |foo|
string    cat BIF                                               cat(T)
string    fmt BIF for additional control over the formatting    fmt("%s", F)

int

A numeric type representing a 64-bit signed integer. An int constant is a string of digits preceded by a + or - sign, e.g. -42 or +5 (the + sign is optional but see note about type inferencing below). An int constant can also be written in hexadecimal notation (in which case 0x must be between the sign and the hex digits), e.g. -0xFF or +0xabc123.

The int type supports the following operators: arithmetic operators (+, -, *, /, %), comparison operators (==, !=, <, <=, >, >=), assignment operators (=, +=, -=), pre-increment (++), pre-decrement (--), unary plus and minus (+, -), and absolute value (e.g., |-3| is 3, but the result type is count).

When using type inferencing, use care so that the intended type is inferred, e.g. local size_difference = 0 will infer count, while local size_difference = +0 will infer int.

For signed-integer arithmetic involving int types that causes overflows (results that exceed the numeric limits of representable values in either direction), Zeek’s behavior is generally undefined and one should not rely on any observed behavior being consistent across compilers, platforms, time, etc. The reason for this is that the C++ standard also deems this undefined behavior and Zeek does not currently attempt to detect such overflows within its underlying C++ implementation (some limited cases may be statically determined at parse-time to definitely overflow and are rejected with an error, but don’t rely on that).

Type Conversions

To        Description                                           Example
bool      Relational operator                                   foo != 0
count     Absolute value operator                               |foo|
count     int_to_count BIF                                      int_to_count(42)
double    int_to_double BIF                                     int_to_double(foo)
double    Addition operator                                     foo + 0.0
double    Division operator                                     foo / 1.0
double    Multiplication operator                               foo * 1.0
string    cat BIF                                               cat(-10)
string    fmt BIF for additional control over the formatting    fmt("%s", 0)

count

A numeric type representing a 64-bit unsigned integer. A count constant is a string of digits, e.g. 1234 or 0. A count can also be written in hexadecimal notation (in which case 0x must precede the hex digits), e.g. 0xff or 0xABC123.

The count type supports the same operators as the int type, but a unary plus or minus applied to a count results in an int.

In addition, count types support bitwise operations. You can use &, |, and ^ for bitwise and, or, and xor. You can also use ~ for bitwise (one’s) complement.

For unsigned arithmetic involving count types that causes overflows (results that exceed the numeric limits of representable values in either direction), Zeek’s behavior is to wrap the result modulo 2^64 back into the range of representable values (the same behavior as defined by C++).

Note

Integer literals in Zeek that are not preceded by a unary + or - are treated as the unsigned count type. This can cause unintentional surprises in some situations, such as an absolute-value operation of |5 - 9|, which results in an unsigned-integer overflow to the large number 18446744073709551612, whereas |+5 - +9| uses signed-integer arithmetic and gives the (likely) more expected result of 4.

Type Conversions

To        Description                                           Example
addr      count_to_v4_addr BIF                                  count_to_v4_addr(2130706433)
bool      Relational operator                                   foo > 0
double    count_to_double BIF                                   count_to_double(42)
double    Addition operator                                     foo + 0.0
double    Division operator                                     foo / 1.0
double    Multiplication operator                               foo * 1.0
double    Subtraction operator                                  foo - 0.0
port      count_to_port BIF                                     count_to_port(80, tcp)
string    cat BIF                                               cat(foo)
string    fmt BIF for additional control over the formatting    fmt("%x", 3735928559)

double

A numeric type representing a double-precision floating-point number. Floating-point constants are written as a string of digits with an optional decimal point, optional scale-factor in scientific notation, and optional + or - sign. Examples are -1234, -1234e0, 3.14159, and .003E-23.

The double type supports the following operators: arithmetic operators (+, -, *, /), comparison operators (==, !=, <, <=, >, >=), assignment operators (=, +=, -=), unary plus and minus (+, -), and absolute value (e.g., |-3.14| is 3.14).

When using type inferencing use care so that the intended type is inferred, e.g. local size_difference = 5 will infer count, while local size_difference = 5.0 will infer double.

Type Conversions

To         Description                                           Example
count      double_to_count BIF                                   double_to_count(1234.0)
interval   double_to_interval BIF                                double_to_interval(86400.0)
time       double_to_time BIF                                    double_to_time(1626723410.4)
string     cat BIF                                               cat(foo)
string     fmt BIF for additional control over the formatting    fmt("%.2f", 3.14159265)

time

A temporal type representing an absolute time. There is currently no way to specify a time constant, but one can use the double_to_time, current_time, or network_time built-in functions to assign a value to a time-typed variable.

Time values support the comparison operators (==, !=, <, <=, >, >=). A time value can be subtracted from another time value to produce an interval value. An interval value can be added to, or subtracted from, a time value to produce a time value. The absolute value of a time value is a double with the same numeric value.

Type Conversions

To         Description                                           Example
double     time_to_double BIF                                    time_to_double(foo)
double     Absolute value operator                               |foo|
interval   Subtraction operator                                  end_time - start_time
string     cat BIF                                               cat(foo)
string     fmt BIF for additional control over the formatting    fmt("%s", foo)

interval

A temporal type representing a relative time. An interval constant can be written as a numeric constant followed by a time unit where the time unit is one of usec, msec, sec, min, hr, or day which respectively represent microseconds, milliseconds, seconds, minutes, hours, and days. Whitespace between the numeric constant and time unit is optional. Appending the letter s to the time unit in order to pluralize it is also optional (to no semantic effect). Examples of interval constants are 3.5 min and 3.5mins. An interval can also be negated, for example -12 hr represents “twelve hours in the past”.

Intervals support addition and subtraction, the comparison operators (==, !=, <, <=, >, >=), the assignment operators (=, +=, -=), and unary plus and minus (+, -).

Intervals also support division (in which case the result is a double value). An interval can be multiplied or divided by an arithmetic type (count, int, or double) to produce an interval value. The absolute value of an interval is a double value equal to the number of seconds in the interval (e.g., |-1 min| is 60.0).

Type Conversions

To         Description                                           Example
double     interval_to_double BIF                                interval_to_double(5mins)
double     Absolute value operator                               |foo|
string     cat BIF                                               cat(foo)
string     fmt BIF for additional control over the formatting    fmt("%s", foo)
time       Addition operator                                     5 mins + start_time
time       Subtraction operator                                  start_time - 60 secs

string

A type used to hold bytes which represent text and also can hold arbitrary binary data.

String constants are created by enclosing text within a pair of double quotes ("). A string constant cannot span multiple lines in a Zeek script. The backslash character (\) introduces escape sequences. Zeek recognizes the following escape sequences: \\, \n, \t, \v, \b, \r, \f, \a, \ooo (where each ‘o’ is an octal digit), \xhh (where each ‘h’ is a hexadecimal digit). If Zeek does not recognize an escape sequence, Zeek will ignore the backslash (\\g becomes g).

Strings support concatenation (+), and assignment (=, +=). Strings also support the comparison operators (==, !=, <, <=, >, >=). The number of characters in a string can be found by enclosing the string within pipe characters (e.g., |"abc"| is 3). Substring searching can be performed using the in or !in operators (e.g., "bar" in "foobar" yields true).

The subscript operator can extract a substring of a string. To do this, specify the starting index to extract (if the starting index is omitted, then zero is assumed), followed by a colon and index one past the last character to extract (if the last index is omitted, then the extracted substring will go to the end of the original string). However, if both the colon and last index are omitted, then a string of length one is extracted. String indexing is zero-based, but an index of -1 refers to the last character in the string, and -2 refers to the second-to-last character, etc. Here are a few examples:

local orig = "0123456789";
local second_char = orig[1];         # "1"
local last_char = orig[-1];          # "9"
local first_two_chars = orig[:2];    # "01"
local last_two_chars = orig[8:];     # "89"
local no_first_and_last = orig[1:9]; # "12345678"
local no_first = orig[1:];           # "123456789"
local no_last = orig[:-1];           # "012345678"
local copy_orig = orig[:];           # "0123456789"

Note that the subscript operator cannot be used to modify a string (i.e., it cannot be on the left side of an assignment operator).

Type Conversions

To         Description                   Example
addr       to_addr BIF                   to_addr("127.0.0.1")
addr       raw_bytes_to_v4_addr BIF      raw_bytes_to_v4_addr("\x7f\x0\x0\x1")
addr       raw_bytes_to_v6_addr BIF      raw_bytes_to_v6_addr("\xda\xda\xbe\xef\x00\x00AAAAAAAAAA")
bool       Relational operator           foo != ""
count      to_count BIF                  to_count("42")
count      bytestring_to_count BIF       bytestring_to_count("\xde\xad\xbe\xef")
double     to_double BIF                 to_double("0.001")
double     bytestring_to_double BIF      bytestring_to_double("\x43\x26\x4f\xa0\x71\x30\x80\x00")
int        to_int BIF                    to_int("-42")
pattern    string_to_pattern BIF         string_to_pattern("rsh .*", F)
port       to_port BIF                   to_port("53/udp")
subnet     to_subnet BIF                 to_subnet("::1/128")

pattern

A type representing regular-expression patterns that can be used for fast text-searching operations. Pattern constants are created by enclosing text within forward slashes (/) and use the same syntax as the patterns supported by the flex lexical analyzer. The speed of regular expression matching does not depend on the complexity or size of the patterns. Patterns support two types of matching, exact and embedded.

In exact matching the == equality relational operator is used with one pattern operand and one string operand (order of operands does not matter) to check whether the full string exactly matches the pattern. In exact matching, the ^ beginning-of-line and $ end-of-line anchors are redundant since the pattern is implicitly anchored to the beginning and end of the line to facilitate an exact match. For example:

/foo|bar/ == "foo"

yields true, while:

/foo|bar/ == "foobar"

yields false. The != operator would yield the negation of ==.

In embedded matching the in operator is used with one pattern operand (which must be on the left-hand side) and one string operand, but tests whether the pattern appears anywhere within the given string. For example:

/foo|bar/ in "foobar"

yields true, while:

/^oob/ in "foobar"

is false since "oob" does not appear at the start of "foobar". The !in operator would yield the negation of in.

You can create a disjunction (either-or) of two patterns using the | operator. For example:

/foo/ | /bar/ in "foobar"

yields true, like in the similar example above. You can also create the conjunction (concatenation) of patterns using the & operator. For example:

/foo/ & /bar/ in "foobar"

will yield true because the pattern /(foo)(bar)/ appears in the string "foobar".

When specifying a pattern, you can add a final i specifier to mark it as case-insensitive. For example, /foo|bar/i will match "foo", "Foo", "BaR", etc.

You can also introduce a case-insensitive sub-pattern by enclosing it in (?i:<pattern>). So, for example, /foo|(?i:bar)/ will match "foo" and "BaR", but not "Foo".

For both ways of specifying case-insensitivity, characters enclosed in double quotes maintain their case-sensitivity. So for example /"foo"/i will not match "Foo", but it will match "foo".

Type Conversions

To         Description                                           Example
string     cat BIF                                               cat(foo)
string     fmt BIF for additional control over the formatting    fmt("%s", foo)

port

A type representing transport-level port numbers (besides TCP and UDP ports, there is a concept of an ICMP port where the source port is the ICMP message type and the destination port the ICMP message code). A port constant is written as an unsigned integer followed by one of /tcp, /udp, /icmp, or /unknown.

Ports support the comparison operators (==, !=, <, <=, >, >=). When comparing order across transport-level protocols, unknown < tcp < udp < icmp, for example 65535/tcp is smaller than 0/udp.

Note that you can obtain the transport-level protocol type of a port with the get_port_transport_proto built-in function, and the numeric value of a port with the port_to_count built-in function.

Type Conversions

To         Description                                           Example
count      port_to_count BIF                                     port_to_count(53/udp)
string     cat BIF                                               cat(foo)
string     fmt BIF for additional control over the formatting    fmt("%s", foo)

addr

A type representing an IP address.

IPv4 address constants are written in “dotted quad” format, A1.A2.A3.A4, where A1-A4 all lie between 0 and 255.

IPv6 address constants are written as colon-separated hexadecimal form as described by RFC 2373 (including the mixed notation with embedded IPv4 addresses as dotted-quads in the lower 32 bits), but additionally encased in square brackets. Some examples: [2001:db8::1], [::ffff:192.168.1.100], or [aaaa:bbbb:cccc:dddd:eeee:ffff:1111:2222].

Note that IPv4-mapped IPv6 addresses (i.e., addresses with the first 80 bits zero, the next 16 bits one, and the remaining 32 bits are the IPv4 address) are treated internally as IPv4 addresses (for example, [::ffff:192.168.1.100] is equal to 192.168.1.100).

Addresses can be compared for equality (==, !=), and also for ordering (<, <=, >, >=). The absolute value of an address gives the size in bits (32 for IPv4, and 128 for IPv6). Addresses can also be masked with / to produce a subnet:

local a: addr = 192.168.1.100;
local s: subnet = 192.168.0.0/16;

if ( a/16 == s )
    print "true";

And checked for inclusion within a subnet using in or !in:

local a: addr = 192.168.1.100;
local s: subnet = 192.168.0.0/16;

if ( a in s )
    print "true";

You can check if a given addr is IPv4 or IPv6 using the is_v4_addr and is_v6_addr built-in functions.

Note that hostname constants can also be used, but since a hostname can correspond to multiple IP addresses, the type of such a variable is set[addr]. For example:

local a = www.google.com;

Type Conversions

To         Description                                           Example
string     cat BIF                                               cat(foo)
string     fmt BIF for additional control over the formatting    fmt("%s", foo)
subnet     addr_to_subnet BIF                                    addr_to_subnet([::1])

subnet

A type representing a block of IP addresses in CIDR notation. A subnet constant is written as an addr followed by a slash (/) and then the network prefix size specified as a decimal number. For example, 192.168.0.0/16 or [fe80::]/64.

Subnets can be compared for equality (==, !=). An addr can be checked for inclusion in a subnet using the in or !in operators.

Type Conversions

To         Description                                           Example
addr       subnet_to_addr BIF                                    subnet_to_addr([::1]/120)
double     Absolute value operator                               |1.2.3.0/24|
string     cat BIF                                               cat(foo)
string     fmt BIF for additional control over the formatting    fmt("%s", foo)

enum

A type allowing the specification of a set of related values that have no further structure. An example declaration:

type color: enum { Red, White, Blue, };

The last comma after Blue is optional. Both the type name color and the individual values (Red, etc. – not color::Red) have global scope.

Enumerations may assign count values explicitly:

type color: enum { Red = 10, White = 20, Blue = 30 };

Without explicit assignment, Zeek numbers enumerations sequentially starting from 0. You may not mix explicit and implicit assignment.

The only operations allowed on enumerations are equality comparisons (==, !=) and assignment (=). Enumerations do not automatically yield their values or provide ordering (neither Red == 10 nor Red < White works), but the enum_to_int BIF lets you retrieve an enumeration’s numeric value if you require such logic.

Note

We recommend using explicit value assignment when relying on numeric values, since it avoids sensitivity to @load sequencing when enumerations are redef’d in multiple scripts.

Type Conversions

To         Description                                           Example
int        enum_to_int BIF                                       enum_to_int(Intel::ADDR)
int        Absolute value operator                               |Intel::ADDR|
string     cat BIF                                               cat(foo)
string     fmt BIF for additional control over the formatting    fmt("%s", foo)

table

An associative array that maps from one set of values to another. The values being mapped are termed the index or indices and the result of the mapping is called the yield. Indexing into tables is very efficient; internally it is just a single hash table lookup.

Declaration and initialization

The table declaration syntax is:

table [ type^+ ] of type

where type^+ is one or more types, separated by commas. The index type cannot be any of the following types: file, opaque, any.

Here is an example of declaring a table indexed by count values and yielding string values:

global a: table[count] of string;

The yield type can also be more complex:

global a: table[count] of table[addr, port] of string;

which declares a table indexed by count and yielding another table which is indexed by an addr and port to yield a string.

One way to initialize a table is by enclosing a set of initializers within braces, for example:

global t: table[count] of string = {
    [11] = "eleven",
    [5] = "five",
};

A table constructor can also be used to create a table:

global t2 = table(
    [192.168.0.2, 22/tcp] = "ssh",
    [192.168.0.3, 80/tcp] = "http"
);

Table constructors can also be explicitly named by a type, which is useful when a more complex index type could otherwise be ambiguous:

type MyRec: record {
    a: count &optional;
    b: count;
};

type MyTable: table[MyRec] of string;

global t3 = MyTable([[$b=5]] = "b5", [[$b=7]] = "b7");

Insertion and removal

Add or overwrite individual table elements by assignment:

t[13] = "thirteen";

Remove individual table elements with delete:

delete t[13];

Nothing happens if the element with index value 13 isn’t present in the table.

Note

Indexing with complex types (such as records or sets) happens via hashing of the provided index value at the time of table access. Subsequent modifications to the index value do not affect the table. For example:

local t: table[set[port]] of string = table();
local s: set[port] = { 80/tcp, 8000/tcp };

t[s] = "http";

add s[8080/tcp];

print t[set(80/tcp, 8000/tcp)]; # prints "http"
print t[s]; # error: no such index

Lookup and iteration

Accessing table elements is provided by enclosing index values within square brackets ([]), for example:

print t[11];

Membership can be tested with in or !in:

if ( 13 in t )
    ...
if ( [192.168.0.2, 22/tcp] in t2 )
    ...

See the for statement for information on how to iterate over the elements in a table.

Additional operations

The number of elements in a table can be obtained by placing the table identifier between vertical pipe characters:

|t|

It’s common to extend the behavior of table lookups and element lifetimes via attributes, but note a confusing pitfall: attributes bind to the initial value rather than to the type or the variable, and they do not currently propagate to any new value subsequently assigned to the table variable.
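An added example of this pitfall (not part of the Zeek documentation): a per-source counter whose idle entries should expire via &create_expire. The scenario is constructed; the point is that reassigning a fresh table value silently drops the attribute, whereas the clear_table built-in empties the existing value and keeps it.

```zeek
# Added example (not from the Zeek documentation): &create_expire is bound to
# the table's initial value, not to the variable. Constructed scenario.
global attempts: table[addr] of count &create_expire=10min;

function record_attempt(src: addr)
    {
    if ( src !in attempts )
        attempts[src] = 0;
    ++attempts[src];
    }

function reset_attempts()
    {
    # Pitfall: assigning a fresh table replaces the value, and the new value
    # carries no &create_expire, so entries would never expire again:
    #     attempts = table();
    # Empty the existing value in place instead, which keeps the attribute.
    clear_table(attempts);
    }
```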

set

A set is like a table, but it is a collection of indices that do not map to any yield value.

Declaration and initialization

Sets are declared with the syntax:

set [ type^+ ]

where type^+ is one or more types separated by commas. The index type cannot be any of the following types: file, opaque, any.

Sets can be initialized by listing elements enclosed by curly braces:

global s: set[port] = { 21/tcp, 23/tcp, 80/tcp, 443/tcp };
global s2: set[port, string] = { [21/tcp, "ftp"], [23/tcp, "telnet"] };

A set constructor (equivalent to above example) can also be used to create a set:

global s3 = set(21/tcp, 23/tcp, 80/tcp, 443/tcp);

Set constructors can also be explicitly named by a type, which is useful when a more complex index type could otherwise be ambiguous:

type MyRec: record {
    a: count &optional;
    b: count;
};

type MySet: set[MyRec];

global s4 = MySet([$b=1], [$b=2]);

Insertion and removal

Elements are added with add:

add s[22/tcp];

Nothing happens if the element with value 22/tcp was already present in the set.

Elements are removed with delete:

delete s[21/tcp];

Nothing happens if the element with value 21/tcp isn’t present in the set.

Sets behave like tables when it comes to complex member types: indexing happens via hashing at access time. See table for details.

Lookup and iteration

Set membership is tested with in or !in:

if ( 21/tcp in s )
    ...

if ( [21/tcp, "ftp"] !in s2 )
    ...

See the for statement for info on how to iterate over the elements in a set.

Set operations

You can compute the union, intersection, or difference of two sets using the |, &, and - operators.

Note

Use += instead of | to grow an existing set. That is, say s += new_s instead of s = s | new_s. The latter requires copying both input sets and thus quickly deteriorates runtime. See Assignment operators for details.

You can compare sets for equality (they have exactly the same elements) using ==. The < operator returns T if the lefthand operand is a proper subset of the righthand operand. Similarly, <= returns T if the lefthand operand is a subset (not necessarily proper, i.e., it may be equal to the righthand operand). The operators !=, > and >= provide the expected complementary operations.

Additional operations

The number of elements in a set can be obtained by placing the set identifier between vertical pipe characters:

|s|

vector

A vector is like a table, except its indices are non-negative integers, starting from zero.

Declaration and initialization

A vector is declared as follows:

global v: vector of string;

Vectors can be initialized with the vector constructor:

local v = vector("one", "two", "three");

Vector constructors can also be explicitly named by a type, which is useful when a more complex yield type could otherwise be ambiguous:

type MyRec: record {
    a: count &optional;
    b: count;
};

type MyVec: vector of MyRec;

global v2 = MyVec([$b=1], [$b=2], [$b=3]);

Insertion

An element can be added to a vector by assigning the value (a value that already exists at that index will be overwritten):

v[3] = "four";

A range of elements can be replaced by assigning to a vector slice:

# Note that the number of elements in the slice being replaced
# may differ from the number of elements being inserted.  This
# causes the vector to grow or shrink accordingly.
v[0:2] = vector("five", "six", "seven");

A particularly common operation on a vector is to append an element to its end. You can do so using:

v += e;

where if e’s type is X, v’s type is vector of X. Note that this expression is equivalent to:

v[|v|] = e;

Lookup and iteration

Access individual vector elements by enclosing index values within square brackets ([]), for example:

print v[2];

Access a slice of vector elements by enclosing a range of indices, delimited by a colon, within square brackets ([x:y]). For example, this will print a vector containing the first and second elements:

print v[0:2];

The slicing notation is the same as what is permitted by the string substring extraction operations.

The in operator can be used to check if a value has been assigned at a specified index value in the vector. For example, if a vector has size 4, then the expression 3 in v would yield true and 4 in v would yield false.

See the for statement for info on how to iterate over the elements in a vector.

Vectorized operations

Vectors of integral types (int or count) support the pre-increment (++) and pre-decrement operators (--), which will increment or decrement each element in the vector.

Vectors of arithmetic types (int or count, or double) can be operands of the arithmetic operators (+, -, *, /, %), but both operands must have the same number of elements (and the modulus operator % cannot be used if either operand is a vector of double). The resulting vector contains the result of the operation applied to each of the elements in the operand vectors.

Vectors of bool can be operands of the logical “and” (&&) and logical “or” (||) operators (both operands must have same number of elements). The resulting vector of bool is the logical “and” (or logical “or”) of each element of the operand vectors.

Vectors of count can also be operands for the bitwise and/or/xor operators, &, | and ^.

Vectors of string can be concatenated element-wise through the + operator, yielding a new vector of string containing the resulting values. Both operand vectors must be of the same length. A vector of type string can also be paired with a scalar operand using any operator that supports string/scalar operations (i.e., concatenation and comparisons). The resulting vector will contain the result of the operator applied to each of the elements.

Note

As a quirk of the language, for a string vector v there is a difference between v = v + "foo" and v += "foo": the former extends each element, while the latter appends a new element to the vector.

Additional operations

The size of a vector (this is one greater than the highest index value, and is normally equal to the number of elements in the vector) can be obtained by placing the vector identifier between vertical pipe characters:

|v|

record

A record is a collection of values. Each value has a field name and a type. Values do not need to have the same type and the types have no restrictions. Field names must follow the same syntax as regular variable names (except that field names are allowed to be the same as local or global variables). An example record type definition:

type MyRecordType: record {
    c: count;
    s: string &optional;
};

Records can be initialized or assigned as a whole in three different ways. When assigning a whole record value, all fields that are neither &optional nor carry a &default attribute must be specified. First, there’s a constructor syntax:

local r: MyRecordType = record($c = 7);

And the constructor can be explicitly named by type, too, which is arguably more readable:

local r = MyRecordType($c = 42);

And the third way is like this:

local r: MyRecordType = [$c = 13, $s = "thirteen"];

Access to a record field uses the dollar sign ($) operator, and record fields can be assigned with this:

local r: MyRecordType;
r$c = 13;

To test if a field that is &optional has been assigned a value, use the ?$ operator (it returns a bool value of T if the field has been assigned a value, or F if not):

if ( r ?$ s )
    ...

function

Function types in Zeek are declared using:

function( argument*  ): type

where argument* is a (possibly empty) comma-separated list of arguments, and type is an optional return type. For example:

global greeting: function(name: string): string;

Here greeting is an identifier with a certain function type. The function body is not defined yet and greeting could even have different function body values at different times. To define a function including a body value, the syntax is like:

function greeting(name: string): string
    {
    return "Hello, " + name;
    }

Note that in the definition above, it’s not necessary for us to have done the first (forward) declaration of greeting as a function type, but when it is, the return type and argument list (including the name of each argument) must match exactly.

Here is an example function that takes no parameters and does not return a value:

function my_func()
    {
    print "my_func";
    }

Function types don’t need to have a name and can be assigned anonymously:

greeting = function(name: string): string { return "Hi, " + name; };

And finally, the function can be called like:

print greeting("Dave");

Anonymous functions and their closures

Anonymously defined functions (lambdas) capture their closures. This means that they can use variables from their enclosing scope at the time of their creation. In older-style deprecated functionality (capture by “reference”), closure-capture happens automatically. The current style (capture by “copy”) requires explicitly listing the captured variables.

Here is an example of a simple anonymous function that automatically captures its closure in Zeek (deprecated functionality):

local make_adder = function(n: count): function(m: count): count
    {
    return function (m: count): count
        {
        return n + m;
        };
    };

print make_adder(3)(5); # prints 8

local three = make_adder(3);
print three(5); # prints 8

Here make_adder is generating a function that captures n in its closure. The same, but in current (non-deprecated, closure-by-copy) form:

local make_adder = function(n: count): function(m: count): count
    {
    return function [n] (m: count): count
        {
        return n + m;
        };
    };

print make_adder(3)(5); # prints 8

local three = make_adder(3);
print three(5); # prints 8

The only difference is that the inner anonymous function explicitly declares that n is captured, by listing all of the captured variables in [...] after the function keyword. It is a compile-time error to fail to list a captured variable (or to list the same variable more than once, or to list a global variable).

Old-style capture-by-reference closure semantics means that those anonymous functions can modify the variables in their closures. For example:

local n = 3;
local f = function() { n += 1; print n; };
f();     # prints 4
print n; # prints 4
n = 0;
f();     # prints 1, since n is shared between outer and inner functions
print n; # prints 1

The same in capture-by-copy, however, yields different results:

local n = 3;
local f = function [n] () { n += 1; print n; };
f();     # prints 4
print n; # prints 3, since n is not shared
n = 0;
f();     # prints 5, since n persists for f
print n; # prints 0

With capture-by-copy, by default variables are captured using the equivalent of = assignments. In Zeek, variable assignments use “shallow” copy, meaning that assignments of aggregates share the same aggregate rather than fully duplicating all of its members. These semantics allow you to get the equivalent of the original “reference” semantics by using record fields rather than variables for the sharing. For example:

type r: record { n: count; };
...
local var = r($n=3);
local f = function [var] () { var$n += 1; print var$n; };
f();         # prints 4
print var$n; # prints 4
var$n = 0;
f();         # prints 1, since n is shared between outer and inner functions
print var$n; # prints 1

You can specify that a given variable should instead be captured using a deep copy by preceding it with the copy keyword:

type r: record { n: count; };
...
local var = r($n=3);
local f = function [copy var] () { var$n += 1; print var$n; };
f();         # prints 4
print var$n; # prints 3, since the var aggregate is not shared
var$n = 0;
f();         # prints 5, since the function has its own deep copy of var
print var$n; # prints 0

Finally, you can intermingle both shallow and deep copying, as shown in this fragment:

type r: record { n: count; };
...
local var1 = r($n=3);
local var2 = r($n=7);
local f = function [copy var1, var2] () { ...

where var1 will be captured via deep-copy and var2 via the normal shallow-copy.

When anonymous functions are serialized over Broker they keep their closures, but they will not continue to mutate the values from the sending script (either directly, for reference semantics, or for shallow-copy aggregates, for copy semantics). At the time of serialization they create a copy of their closure. Also, anonymous functions do not capture global variables in their closures and thus will use the receiver’s global variables.

In order to serialize an anonymous function, that function must have been already declared on the receiver’s end, because Zeek does not serialize the function’s source code. See testing/btest/language/closure-sending.zeek for an example of how to serialize anonymous functions over Broker.

Default values

Function parameters may specify default values as long as they appear last in the parameter list:

global foo: function(s: string, t: string &default="abc", u: count &default=0);

If a function was previously declared with default parameters, the default expressions can be omitted when implementing the function body and they will still be used for function calls that lack those arguments.

function foo(s: string, t: string, u: count)
    {
    print s, t, u;
    }

And calls to the function may omit the defaults from the argument list:

foo("test");

Asynchronous functions

Use of the return when construct renders a function asynchronous: it will return its result at a later time, when an underlying condition becomes fulfilled. See when and the description of asynchronous returns for details.

event

Event handlers are nearly identical in both syntax and semantics to a function, with the two differences being that event handlers have no return type since they never return a value, and you cannot call an event handler.

Example:

event my_event(r: bool, s: string)
    {
    print "my_event", r, s;
    }

Instead of directly calling an event handler from a script, event handler bodies are executed when they are invoked by one of three different methods:

  • From the event engine

    When the event engine detects an event for which you have defined a corresponding event handler, it queues an event for that handler. The handler is invoked as soon as the event engine finishes processing the current packet and flushing the invocation of other event handlers that were queued first.

  • With the event statement from a script

    Immediately queuing invocation of an event handler occurs like:

    event password_exposed(user, password);
    

    This assumes that password_exposed was previously declared as an event handler type with compatible arguments.

  • Via the schedule expression in a script

    This delays the invocation of event handlers until some time in the future. For example:

    schedule 5 secs { password_exposed(user, password) };
    

Multiple event handler bodies can be defined for the same event handler identifier and the body of each will be executed in turn. Ordering of execution can be influenced with &priority.

Multiple alternate event prototype declarations are allowed, but the alternates must be some subset of the first, canonical prototype and arguments must match by name and type. This allows users to define handlers for any such prototype they may find convenient or for the core set of handlers to be extended, changed, or deprecated without breaking existing handlers a user may have written. Example:

# Event Prototype Declarations
global my_event: event(s: string, c: count);
global my_event: event(c: count);
global my_event: event();

# Event Handler Definitions
event my_event(s: string, c: count)
    {
    print "my event", s, c;
    }

event my_event(c: count)
    {
    print "my event", c;
    }

event my_event()
    {
    print "my event";
    }

By using alternate event prototypes, handlers are allowed to consume a subset of the full argument list as given by the first prototype declaration. It even allows arguments to be ordered differently from the canonical prototype.

To use &default on event arguments, it must appear on the first, canonical prototype.

hook

A hook is another flavor of function that shares characteristics of both a function and an event. They are like events in that many handler bodies can be defined for the same hook identifier and the order of execution can be enforced with &priority. They are more like functions in the way they are invoked/called, because, unlike events, their execution is immediate and they do not get scheduled through an event queue. Also, a unique feature of a hook is that a given hook handler body can short-circuit the execution of remaining hook handlers simply by exiting from the body as a result of a break statement (as opposed to a return or just reaching the end of the body).

A hook type is declared like:

hook( argument* )

where argument* is a (possibly empty) comma-separated list of arguments. For example:

global myhook: hook(s: string, vs: vector of string);

Here myhook is the hook type identifier and no hook handler bodies have been defined for it yet. To define some hook handler bodies the syntax looks like:

hook myhook(s: string, vs: vector of string) &priority=10
    {
    print "priority 10 myhook handler", s, vs;
    s = "bye";
    vs += "modified";
    }

hook myhook(s: string, vs: vector of string)
    {
    print "break out of myhook handling", s, vs;
    break;
    }

hook myhook(s: string, vs: vector of string) &priority=-5
    {
    print "not going to happen", s, vs;
    }

Note that the first (forward) declaration of myhook as a hook type isn’t strictly required. Argument types must match for all hook handlers and any forward declaration of a given hook.

To invoke immediate execution of all hook handler bodies, they are called similarly to a function, except preceded by the hook keyword:

hook myhook("hi", vector("foo"));

or

if ( hook myhook("hi", vector("foo")) )
    print "all handlers ran";

And the output would look like:

priority 10 myhook handler, hi, [foo]
break out of myhook handling, hi, [foo, modified]

Note that re-assigning a hook argument (s = "bye" in the example) is not visible to the remaining hook handlers, but it is still possible to modify values of composite/aggregate types like vector, record, set, or table.

The return value of a hook call is an implicit bool value with T meaning that all handlers for the hook were executed and F meaning that only some of the handlers may have executed due to one handler body exiting as a result of a break statement.

Hooks are also allowed to have multiple/alternate prototype declarations, just like an event.

file

Zeek supports writing to files, but not reading from them (to read from files see the Input Framework). Files can be opened using either the open or open_for_append built-in functions, and closed using the close built-in function. For example, declare, open, and write to a file and finally close it like:

local f = open("myfile");
print f, "hello, world";
close(f);

Writing to files like this for logging usually isn’t recommended; for better logging support see the Logging Framework.

opaque

A data type whose actual representation/implementation is intentionally hidden, but whose values may be passed to certain built-in functions that can actually access the internal/hidden resources. Opaque types are differentiated from each other by qualifying them like opaque of md5 or opaque of sha1.

An example use of this type is the set of built-in functions which perform hashing:

local handle = md5_hash_init();
# Explicitly -> local handle : opaque of md5 = ...
md5_hash_update(handle, "test");
md5_hash_update(handle, "testing");
print md5_hash_finish(handle);

Here the opaque type is used to provide a handle to a particular resource which is calculating an MD5 hash incrementally over time. The details of that resource aren’t relevant; it’s only necessary to have a handle as a way of identifying it and distinguishing it from other such resources.

The scripting layer implementations of these types are found primarily in base/bif/zeek.bif.zeek and a more granular look at them can be found in src/OpaqueVal.h/cc inside the Zeek repo. Opaque types are a good way to integrate functionality into Zeek without needing to add an entire new type to the scripting language.

paraglob

An opaque type for creating and using paraglob data structures inside of Zeek. A paraglob is a data structure for fast string matching against a large set of glob style patterns. It can be loaded with a vector of patterns, and then queried with input strings. Note that these patterns are just strings, and not the pattern type built in to Zeek. For a query it returns all of the patterns that it contains matching that input string.

Paraglobs offer significant performance advantages over making a pass over a vector of patterns and checking each one. Note though that initializing a paraglob can take some time for very large pattern sets (1,000,000+ patterns) and care should be taken to only initialize one with a large pattern set when there is time for the paraglob to compile. Subsequent get operations run very quickly though, even for very large pattern sets.

local v = vector("*", "d?g", "*og", "d?", "d[!wl]g");
local p : opaque of paraglob = paraglob_init(v);
print paraglob_match(p, "dog");
# out: [*, *og, d?g, d[!wl]g]

For more documentation on paraglob see Subcomponents.

any

Used to bypass strong typing. For example, a function can take an argument of type any when it may be of different types. The only operation allowed on a variable of type any is assignment.

Note that users aren’t expected to use this type. It’s provided mainly for use by some built-in functions and scripts included with Zeek. For example, passing a vector into a .bif function is best accomplished by taking any as an argument and casting it to a vector.

void

An internal Zeek type (i.e., void is not a reserved keyword in the Zeek scripting language) representing the absence of a return type for a function.

Attributes

The Zeek scripting language supports customization of many language elements via attributes. For example, attributes can ensure that a function gets invoked whenever you modify a table, automatically expire elements from a set, or tell the logging framework which record fields you’d like it to write. Zeek features the following attributes:

Name                        Description
&redef                      Redefine a global constant or extend a type.
&priority                   Specify priority for event handler or hook.
&log                        Mark a record field as to be written to a log.
&optional                   Allow a record field value to be missing.
&default                    Specify a default value.
&add_func                   Specify a function to call for each redef +=.
&delete_func                Same as &add_func, except for redef -=.
&expire_func                Specify a function to call when a container element expires.
&read_expire                Specify a read timeout interval.
&write_expire               Specify a write timeout interval.
&create_expire              Specify a creation timeout interval.
&on_change                  Specify a function to call on set/table changes.
&raw_output                 Open file in raw mode (chars. are not escaped).
&error_handler              Used internally for reporter framework events.
&type_column                Used by input framework for port type.
&backend                    Used for table persistence/synchronization.
&broker_store               Used for table persistence/synchronization.
&broker_allow_complex_type  Used for table persistence/synchronization.
&deprecated                 Marks an identifier as deprecated.
&is_assigned                Suppress “used before defined” warnings from zeek -u analysis.
&is_used                    Suppress “unused assignment” warnings from zeek -u analysis.

Warning

A confusing pitfall is to assume that attributes bind to a variable or a type, when in reality they bind to a value. Example:

global my_table: table[count] of string &create_expire=1sec;

event zeek_init()
    {
    my_table = table();
    my_table[1] = "foo";
    }

In the above, the re-assignment of my_table will also drop the original value’s &create_expire and no entries will ever be expired from my_table. The alternate way of re-assignment that creates a new table value with the expected attribute would be:

my_table = table() &create_expire=1sec;

Here is a more detailed explanation of each attribute:

&redef

Allows use of a redef to redefine initial values of global variables (i.e., variables declared either global or const). Example:

const clever = T &redef;
global cache_size = 256 &redef;

Note that a variable declared global can also have its value changed with assignment statements (doesn’t matter if it has the &redef attribute or not).

&priority

Specifies the execution priority (as a signed integer) of a hook or event handler. Higher values are executed before lower ones. The default value is 0. Example:

event zeek_init() &priority=10
    {
    print "high priority";
    }

&log

Writes a record field to the associated log stream.

&optional

Allows a record field value to be missing. Zeek allows such fields to remain uninitialized and unassigned, and to have assigned values removed via delete.

In this example, the record could be instantiated with either myrec($a=127.0.0.1) or myrec($a=127.0.0.1, $b=80/tcp):

type myrec: record { a: addr; b: port &optional; };

The ?$ operator can be used to check if a record field has a value or not (it returns a bool value of T if the field has a value, and F if not).

&default

Specifies a default value for a record field, container element, or a function/hook/event parameter.

In this example, the record could be instantiated with either myrec($a=5, $c=3.14) or myrec($a=5, $b=53/udp, $c=3.14):

type myrec: record { a: count; b: port &default=80/tcp; c: double; };

In this example, the table will return the string "foo" for any attempted access to a non-existing index:

global mytable: table[count] of string &default="foo";

When used with function/hook/event parameters, all of the parameters with the &default attribute must come after all other parameters. For example, the following function could be called either as myfunc(5) or as myfunc(5, 53/udp):

function myfunc(a: count, b: port &default=80/tcp)
    {
    print a, b;
    }

&add_func

Can be applied to an identifier with &redef to specify a function to be called any time a redef <id> += ... declaration is parsed. The function takes two arguments of the same type as the identifier, the first being the old value of the variable and the second being the new value given after the += operator in the redef declaration. The return value of the function will be the actual new value of the variable after the “redef” declaration is parsed.

&delete_func

Same as &add_func, except for redef declarations that use the -= operator.

&expire_func

Called right before a container element expires. The function’s first argument is of the same type as the container it is associated with. The function then takes a variable number of arguments equal to the number of indexes in the container. For example, for a table[string,string] of count the expire function signature is:

function(t: table[string, string] of count, s: string, s2: string): interval

The return value is an interval indicating the amount of additional time to wait before expiring the container element at the given index (which will trigger another execution of this function).

&read_expire

Specifies a read expiration timeout for container elements. That is, the element expires after the given amount of time since the last time it has been read. Note that a write also counts as a read.

&write_expire

Specifies a write expiration timeout for container elements. That is, the element expires after the given amount of time since the last time it has been written.

&create_expire

Specifies a creation expiration timeout for container elements. That is, the element expires after the given amount of time since it has been inserted into the container, regardless of any reads or writes.

Note

In order to support expiration timeouts, Zeek associates a timer with each container that weeds out stale entries. For containers with many members, Zeek needs to keep an eye on the amount of effort spent expiring elements. It does this via three configurable properties:

  • table_expire_interval specifies how frequently Zeek checks a container’s members. The interval establishes an upper bound on how long it may take Zeek to react to an element’s expiration.

  • table_incremental_step specifies how many members Zeek checks in one batch.

  • table_expire_delay interval specifies how long Zeek waits until it processes the next batch of members.
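As an added example (not code from the Zeek documentation), the following script combines &write_expire and &expire_func on a table of connection attempts per source and tunes table_expire_interval; the module name and the identifiers attempts, expire_attempts, extended_once, idle_timeout and noisy_threshold are hypothetical, while connection_attempt, table_expire_interval and fmt are Zeek’s own.

```zeek
# Added example, not part of the Zeek documentation: track TCP connection
# attempts per originator in a table whose entries expire when idle.
# Hypothetical names: AttemptTracker, attempts, expire_attempts,
# extended_once, idle_timeout, noisy_threshold.

module AttemptTracker;

export {
    # An entry expires this long after the last time it was written.
    const idle_timeout = 2 min &redef;
    # Sources at or above this many attempts get one extra idle_timeout.
    const noisy_threshold = 20 &redef;
}

# Sources that have already received their single extension.
global extended_once: set[addr];

# &expire_func signature: the table itself, then one parameter per index.
# The return value is additional time to wait; 0 secs lets the element expire.
function expire_attempts(t: table[addr] of count, orig: addr): interval
    {
    if ( t[orig] >= noisy_threshold && orig !in extended_once )
        {
        add extended_once[orig];
        print fmt("%s: %d attempts, keeping the entry another %s",
                  orig, t[orig], idle_timeout);
        # Zeek calls expire_attempts again once this interval has passed.
        return idle_timeout;
        }

    print fmt("%s: expiring after %d attempts", orig, t[orig]);
    delete extended_once[orig];
    return 0 secs;
    }

# A write refreshes the &write_expire clock; a read (orig in attempts) does not.
global attempts: table[addr] of count
    &write_expire=idle_timeout &expire_func=expire_attempts;

# connection_attempt is Zeek's event for an unsuccessful TCP connection attempt.
event connection_attempt(c: connection)
    {
    local orig = c$id$orig_h;

    if ( orig !in attempts )
        attempts[orig] = 0;

    ++attempts[orig];
    }

# Check tables for stale members every second instead of the default 10 secs,
# so an expiration is acted on within roughly a second of falling due.
redef table_expire_interval = 1 sec;
```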

&on_change

Called right after a change has been applied to a container. The function’s first argument is of the same type as the container it is associated with, followed by a TableChange record which specifies the type of change that happened. The function then takes a variable number of arguments equal to the number of indexes in the container, followed by an argument for the value of the container (if the container has a value). For example, for a table[string,string] of count the &on_change function signature is:

function(t: table[string, string] of count, tpe: TableChange,
         s: string, s2: string, val: count)

For a set[count] the function signature is:

function(s: set[count], tpe: TableChange, c: count)

The passed value specifies the state of a value before the change, where this makes sense. In case an element is changed, removed, or expired, the passed value will be the value before the change, removal, or expiration. When an element is added, the passed value will be the value of the added element (since no old element existed).

Note that the &on_change function is only called when the container itself is modified (due to an assignment, delete operation, or expiry). When a container contains a complex element (like a record, set, or vector), changes to these complex elements are not propagated back to the parent. In the following example, change_function for the table is called only once, when s is inserted; it is not called when s itself is changed:

local t: table[string] of set[string] &on_change=change_function;
local s: set[string] = set();
t["s"] = s; # change_function of t is called
add s["a"]; # change_function of t is _not_ called.

Also note that the &on_change function of a container will not be called when the container is already executing its &on_change function. Thus, writing an &on_change function like this is supported and will not lead to an infinite loop:

function change_function(t: table[string, int] of count, tpe: TableChange,
                         idxa: string, idxb: int, val: count)
    {
    # Assigning back into t here does not re-trigger change_function.
    t[idxa, idxb] = val+1;
    }

global t: table[string, int] of count &on_change=change_function;
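As an added example (not code from the Zeek documentation), this &on_change handler distinguishes the four kinds of change and shows how to read both the old and the new value of a changed element; the identifiers blocked and audit_blocklist are hypothetical, while TableChange and its TABLE_ELEMENT_* values are defined by Zeek.

```zeek
# Added example, not part of the Zeek documentation: audit every change to a
# table of blocked hosts via &on_change. Hypothetical names: blocked,
# audit_blocklist. TableChange and TABLE_ELEMENT_* are Zeek's own.

# &on_change signature for table[addr] of string: the table, the kind of
# change, one parameter per index, then the value *before* the change.
function audit_blocklist(t: table[addr] of string, tpe: TableChange,
                         host: addr, reason: string)
    {
    switch ( tpe )
        {
        case TABLE_ELEMENT_NEW:
            # No old value exists; reason is the value that was just added.
            print fmt("blocked %s: %s", host, reason);
            break;

        case TABLE_ELEMENT_CHANGED:
            # The change has already been applied, so t[host] holds the new
            # value while the reason parameter carries the old one.
            print fmt("updated %s: %s -> %s", host, reason, t[host]);
            break;

        case TABLE_ELEMENT_REMOVED:
            print fmt("unblocked %s (was: %s)", host, reason);
            break;

        case TABLE_ELEMENT_EXPIRED:
            print fmt("block on %s expired (was: %s)", host, reason);
            break;
        }
    }

global blocked: table[addr] of string
    &create_expire=1 hr &on_change=audit_blocklist;

event zeek_init()
    {
    # Constructed sample addresses from the TEST-NET-1 range.
    blocked[192.0.2.10] = "scanner";      # TABLE_ELEMENT_NEW
    blocked[192.0.2.10] = "brute-force";  # TABLE_ELEMENT_CHANGED, reason == "scanner"
    delete blocked[192.0.2.10];           # TABLE_ELEMENT_REMOVED, reason == "brute-force"
    }
```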

&raw_output

Opens a file in raw mode, i.e., non-ASCII characters are not escaped.

&error_handler

Internally set on the events that are associated with the reporter framework: reporter_info, reporter_warning, and reporter_error. It prevents any handlers of those events from being able to generate reporter messages that go through any of those events (i.e., it prevents an infinite event recursion). Instead, such nested reporter messages are output to stderr.

&type_column

Used by the input framework. It can be used on columns of type port (such a column only contains the port number) and specifies the name of an additional column in the input file which specifies the protocol of the port (tcp/udp/icmp).

In the following example, the input file would contain four columns named ip, srcp, proto, and msg:

type Idx: record {
    ip: addr;
};
type Val: record {
    srcp: port &type_column = "proto";
    msg: string;
};

&backend

Used for persisting tables/sets and/or synchronizing them over a cluster.

This attribute binds a table to a Broker store. Changes to the table are sent to the Broker store, and changes to the Broker store are applied back to the table.

Since Broker stores are synchronized over a cluster, this sends table changes to all other nodes in the cluster. When using a persistent Broker store backend, the content of the tables/sets will be restored on startup.

This attribute expects the type of backend you want to use for the table. For example, to bind a table to a memory-backed Broker store, use:

global t: table[string] of count &backend=Broker::MEMORY;

&broker_store

This attribute is similar to &backend in allowing a Zeek table to bind to a Broker store. It differs from &backend in that it lets you specify the Broker store you want to bind to, without creating it.

Use this if you want to bind a table to a Broker store with special options.

Example:

global teststore: opaque of Broker::Store;

global t: table[string] of count &broker_store="teststore";

event zeek_init()
    {
    teststore = Broker::create_master("teststore");
    }

&broker_allow_complex_type

By default only tables containing atomic types can be bound to Broker stores. Specifying this attribute before &backend or &broker_store disables this safety feature and allows complex types to be stored in a Broker backed table.

Warning

Storing complex types in a Broker-backed store comes with severe restrictions. When you modify a stored complex type after inserting it into a table, that change will not propagate to Broker. Hence, to send out the new value so that it is persisted/synchronized over the cluster, you have to re-insert the complex type into the local Zeek table.

For example:

type testrec: record {
    a: count;
};

global t: table[string] of testrec &broker_allow_complex_type &backend=Broker::MEMORY;

event zeek_init()
    {
    local rec = testrec($a=5);
    t["test"] = rec;
    rec$a = 6; # This will not propagate to Broker! You have to re-insert.
    # Propagate new value to Broker:
    t["test"] = rec;
    }

&deprecated

The associated identifier is marked as deprecated and will be removed in a future version of Zeek. Look in the NEWS file for more instructions to migrate code that uses deprecated functionality. This attribute can be assigned an optional string literal value to print along with the deprecation warning. The preferred format of this warning message should include the version number in which the identifier will be removed:

type warned: string &deprecated="Remove in vX.Y.  This type is deprecated because of reasons, use 'foo' instead.";

&is_assigned

Zeek has static analysis capabilities for detecting locations in a script that attempt to use a local variable before it is necessarily defined/assigned. You activate this using the -u command-line flag.

However, the static analysis lacks sufficient power to tell that some values are being used safely (guaranteed to have been assigned). To enable users to employ -u on their own scripts without being distracted by these false positives, the &is_assigned attribute can be associated with a variable to inform Zeek’s analysis that the script writer asserts the value will be set, suppressing the associated warnings.

test1.zeek
1  event zeek_init()
2      {
3      local a: count;
4      print a;
5      }
$ zeek -b -u test1.zeek
warning in ./test1.zeek, line 4: possibly used without definition (a)
expression error in ./test1.zeek, line 4: value used but not set (a)
test2.zeek
1  event zeek_init()
2      {
3      # Note this is not a real place to want to use &is_assigned since it's
4      # clearly a bug, but it demonstrates suppression of warning.
5      local a: count &is_assigned;
6      print a;
7      }
$ zeek -b -u test2.zeek
expression error in ./test2.zeek, line 6: value used but not set (a)

&is_used

Zeek has static analysis capabilities for detecting locations in a script where local variables are assigned values that are not subsequently used (i.e. “dead code”). For cases where it’s desirable to suppress the warning, the &is_used attribute may be applied, for example:

test.zeek
1  event zeek_init()
2      {
3      local please_warn: string = "test";
4      local please_no_warning: string = "test" &is_used;
5      }
$ zeek -a -b -u test.zeek
warning: please_warn assignment unused: please_warn = test; ./test.zeek, line 3

Declarations and Statements

The Zeek scripting language supports the following declarations and statements.

Declarations

Declarations cannot occur within a function, hook, or event handler.

Declarations must appear before any statements (except those statements that are in a function, hook, or event handler) in the concatenation of all loaded Zeek scripts.

Name                              Description
module                            Change the current module
export                            Export identifiers from the current module
global                            Declare a global variable
const                             Declare a constant
option                            Declare a configuration option
type                              Declare a user-defined type
redef                             Redefine a global value or extend a user-defined type
Callables: function, event, hook  Declare a function, event handler, or hook

module

The module keyword is used to change the current module. This affects the scope of any subsequently declared global identifiers.

Example:

module mymodule;

If a global identifier is declared after a module declaration, then its scope ends at the end of the current Zeek script or at the next module declaration, whichever comes first. However, if a global identifier is declared after a module declaration, but inside an export block, then its scope ends at the end of the last loaded Zeek script, but it must be referenced using the namespace operator (::) in other modules.

There can be any number of module declarations in a Zeek script. The same module declaration can appear in any number of different Zeek scripts.

The reserved module name GLOBAL switches to the default global namespace. This comes in handy if you’re working in a module context but want to define something globally, without the module’s namespacing. For example, the Notice Framework uses this approach to define the NOTICE() function.

export

An export block contains one or more declarations (no statements are allowed in an export block) that the current module is exporting. This enables these global identifiers to be visible in other modules (but not prior to their declaration) via the namespace operator (::). See the module keyword for a more detailed explanation.

Example:

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts: time &log;
        uid: string &log;
    };

    const conntime = 30sec &redef;
}

Note that the braces in an export block are always required (they do not indicate a compound statement). Also, no semicolon is needed to terminate an export block.

global

Variables declared with the global keyword will have global scope.

If a type is not specified, then an initializer is required so that the type can be inferred. Likewise, if an initializer is not supplied, then the type must be specified. In some cases, when the type cannot be correctly inferred, the type must be specified even when an initializer is present. Example:

global pi = 3.14;
global hosts: set[addr];
global ciphers: table[string] of string = table();

Variable declarations outside of any function, hook, or event handler are required to use this keyword (unless they are declared with the const keyword instead).

Definitions of functions, hooks, and event handlers are not allowed to use the global keyword. However, function declarations (i.e., no function body is provided) can use the global keyword.

The scope of a global variable begins where the declaration is located, and extends through all remaining Zeek scripts that are loaded (however, see the module keyword for an explanation of how modules change the visibility of global identifiers).

const

A variable declared with the const keyword will be constant.

Variables declared as constant are required to be initialized at the time of declaration. Normally, the type is inferred from the initializer, but the type can be explicitly specified. Example:

const pi = 3.14;
const ssh_port: port = 22/tcp;

The value of a constant cannot be changed. The only exception is if the variable is a global constant and has the &redef attribute, but even then its value can be changed only with a redef.

The scope of a constant is local if the declaration is in a function, hook, or event handler, and global otherwise.

Note that the const keyword cannot be used with either the local or global keywords (i.e., const is an alternative to either local or global).

option

A variable declared with the option keyword is a configuration option.

Options are required to be initialized at the time of declaration. Normally, the type is inferred from the initializer, but the type can be explicitly specified. Example:

option hostname = "host-1";
option peers: set[addr] = {};

The initial value can be redefined with a redef.

The value of an option cannot be changed by an assignment statement, but it can be changed by either the Config::set_value function or by changing a config file specified in Config::config_files.

The scope of an option is global.

Note that an option declaration cannot also use the local, global, or const keywords.

type

The type keyword is used to declare a user-defined type. The name of this new type has global scope and can be used anywhere a built-in type name can occur.

The type keyword is most commonly used when defining a record or an enum, but is also useful when dealing with more complex types.

Example:

type mytype: table[count] of table[addr, port] of string;
global myvar: mytype;

redef

There are several ways that redef can be used: to redefine the initial value of a global variable or runtime option, to extend a record type or enum type, or to specify a new event handler body that replaces all those that were previously defined.

If you’re using redef to redefine the initial value of a global variable (defined using either const or global), then the variable that you want to change must have the &redef attribute. You can use redef to redefine the initial value of a runtime option (defined using option) even if it doesn’t have the &redef attribute.

If the variable you’re changing is a table, set, vector, or pattern, you can use += to add new elements, or you can use = to specify a new value (all previous contents of the object are removed). If the variable you’re changing is a set or table, then you can use the -= operator to remove the specified elements (nothing happens for specified elements that don’t exist). If the variable you are changing is not a table, set, or pattern, then you must use the = operator.

Examples:

redef pi = 3.14;
redef set_of_ports += { 22/tcp, 53/udp };

If you’re using redef to extend a record or enum, then you must use the += assignment operator. For an enum, you can add more enumeration constants, and for a record you can add more record fields (however, each record field in the redef must have either the &optional or &default attribute).

Examples:

redef enum color += { Blue, Red };
redef record MyRecord += { n2:int &optional; s2:string &optional; };

If you’re using redef to specify a new event handler body that replaces all those that were previously defined (i.e., any subsequently defined event handler body will not be affected by this redef), then the syntax is the same as a regular event handler definition except for the presence of the redef keyword.

Example:

redef event myevent(s:string) { print "Redefined", s; }
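
The module, export, option and redef rules above, worked through in one script as an added example (not from the Zeek documentation). The Watch module, its identifiers, the port list and the config-file path are constructed for illustration; connection_attempt, Config::config_files and fmt are Zeek's own.

```zeek
# Added example: a module that exports a redef-able constant, a runtime
# option, a record type and an event, keeps one module-private global, and is
# then adjusted from the global namespace. Names under Watch:: are constructed.

module Watch;

export {
    # Visible elsewhere as Watch::suspicious_ports; &redef lets other
    # scripts change the initial value with redef.
    const suspicious_ports: set[port] = { 23/tcp, 4444/tcp } &redef;

    # Runtime option: may be redef'd, set via Config::set_value, or read
    # from a config file; no &redef attribute is needed.
    option alert_threshold: count = 3;

    # Exported type, referenced from other modules as Watch::Info.
    type Info: record {
        host: addr;
        hits: count &default=0;
    };

    # Exported event declaration so other scripts can add handler bodies.
    global threshold_crossed: event(info: Info);
}

# Not exported: visible only inside module Watch, in this script and in any
# later-loaded script that declares the same module.
global hits: table[addr] of count &default=0;

event connection_attempt(c: connection)
    {
    if ( c$id$resp_p !in suspicious_ports )
        return;

    ++hits[c$id$orig_h];

    if ( hits[c$id$orig_h] == alert_threshold )
        event Watch::threshold_crossed([$host=c$id$orig_h, $hits=hits[c$id$orig_h]]);
    }

# Back to the default namespace: from here on every Watch identifier
# needs the Watch:: qualifier, and the unexported "hits" is not reachable.
module GLOBAL;

# Extend the exported set and record from outside the module (+= only for
# record and enum extension; the new field must be &optional or &default).
redef Watch::suspicious_ports += { 3389/tcp };
redef record Watch::Info += { note: string &optional; };

# Options take a new initial value via redef even without &redef, and can
# also be driven from a config file listed in Config::config_files.
redef Watch::alert_threshold = 5;
redef Config::config_files += { "/PLACEHOLDER/etc/watch.dat" };  # constructed path

event Watch::threshold_crossed(info: Watch::Info)
    {
    print fmt("%s reached %d attempts against watched ports", info$host, info$hits);
    }
```
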

Callables

Callable types come in three flavors: function, event handler, and hook. All come with associated arguments and bodies of statements. The following table compares and contrasts:

Features                         function                                   hook   event
Anonymity                        Yes                                        No     No
Multiple bodies and priorities   No                                         Yes    Yes
Immediate invocation             Yes                                        Yes    No
Scheduling                       No                                         No     Yes
Default arguments                Yes                                        Yes    Yes
Container argument mutability    Yes if synchronous, no if asynchronous     Yes    Yes
Alternate declarations           No                                         Yes    Yes
Return value                     Yes                                        Yes    No

Anonymity

While Zeek does support the concept of anonymous functions (i.e., lambdas), hooks and events cannot be anonymous. They are referenced by their names. As an example, reducer functions in the SumStats framework are often implemented as lambda functions.

Multiple bodies and priorities

Functions cannot have multiple bodies; however, hooks and events can. This means that different scripts can add additional bodies to a hook or event associated with a unique name. When an event or hook is executed, Zeek needs a way to order the execution. This is accomplished with the numerical &priority attribute: by default, a hook’s or event’s body has a priority of zero, but any integer-range value is valid.

Immediate invocation

Functions and hook bodies are executed immediately. That means if a script is being interpreted and a line contains a function call, execution flow is immediately passed to that function (or hook). This does not happen for events. Events are pushed onto an event queue within Zeek and are handled as time passes.

Scheduling

Functions and hooks cannot be scheduled like events can. Scheduling places an event onto the event queue for later dispatch; for an event, it is the counterpart of immediately invoking a function or hook. Attempting to schedule a function or a hook results in the same syntax error: “function invoked as an event”.

Default arguments

Functions, hooks, and events all support default values for their arguments.

Container argument mutability

When argument types are container types (such as records or tables), mutating the arguments within the body of a function, hook, or event causes the argument to retain that mutation: container types are passed by reference while atomic types are passed by value.

Asynchronous functions are an exception: the evaluation of when statements invokes such functions with copies of their arguments, causing modifications made inside the asynchronous function to be lost. Please refer to asynchronous return for possible workarounds.

Alternate declarations

Hooks and events do support alternate prototype declarations. This means that a set of scripts may define a single event (or hook) name multiple times with different argument sets. This is often referred to as overloading in other languages. Functions do not support alternate prototype declarations.

Return value

All functions must return a value. However, functions with no explicit return type implicitly return void. This can seem a bit odd as void isn’t a valid Zeek type. A hook body is allowed to return before it breaks. Hooks may return either a boolean type or void, but aren’t required to return any value. Events cannot return a value because they are scheduled through the event loop and don’t have a caller to return to.

For further details on how to declare callables, see the function, event handler, and hook documentation.
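
The rows of the comparison table, exercised side by side as an added example that is not part of the Zeek documentation. The Policy module, its hook, event and helper functions are constructed; connection_established, port_to_count, network_time and fmt are Zeek's own.

```zeek
# Added example: one function, one hook with two prioritized bodies, and one
# event, showing immediate invocation, break-as-veto, queuing and scheduling.

module Policy;

export {
    # Hook: any script can add bodies; "hook Policy::allow(...)" evaluates
    # to F as soon as a body executes break, T otherwise.
    global allow: hook(id: conn_id);

    # Event with a default argument; handlers are queued, never called directly.
    global tick: event(n: count &default=0);
}

# Function: exactly one body, runs immediately, returns a value.
function is_private(a: addr): bool
    {
    return a in 10.0.0.0/8 || a in 172.16.0.0/12 || a in 192.168.0.0/16;
    }

# Anonymous function (lambda) held in a global; hooks and events cannot be anonymous.
global is_high_port = function(p: port): bool { return port_to_count(p) > 1023; };

# Hook body 1: highest priority runs first and can veto the rest with break.
hook Policy::allow(id: conn_id) &priority=10
    {
    if ( ! is_private(id$orig_h) )
        break;
    }

# Hook body 2: runs only when body 1 did not break.
hook Policy::allow(id: conn_id) &priority=0
    {
    if ( is_high_port(id$resp_p) )
        break;
    }

event connection_established(c: connection)
    {
    # Function and hook calls return before the next statement runs.
    if ( ! hook Policy::allow(c$id) )
        return;

    # "event" queues the handler; "schedule" queues it after an interval.
    # Neither runs here, and neither can return a value to this body.
    event Policy::tick(1);
    schedule 10 sec { Policy::tick(2) };
    }

event Policy::tick(n: count)
    {
    print fmt("tick %d at %s", n, network_time());
    }
```
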

Statements

Statements (except those contained within a function, hook, or event handler) can appear only after all global declarations in the concatenation of all loaded Zeek scripts.

Each statement in a Zeek script must be terminated with a semicolon (with a few exceptions noted below). An individual statement can span multiple lines.

Here are the statements that the Zeek scripting language supports.

Name                         Description
local                        Declare a local variable
add, delete                  Add or delete elements
print                        Print to stdout or a file
for, while, next, break      Loop over each element in a container object (for), or as long as a condition evaluates to true (while).
if                           Evaluate boolean and if true, execute a statement
switch, break, fallthrough   Evaluate expression and execute statement with a matching value
when                         Asynchronous execution
event, schedule              Invoke or schedule an event handler
return                       Return from function, hook, or event handler

add

The add statement is used to add an element to a set. Nothing happens if the specified element already exists in the set.

Example:

local myset: set[string];
add myset["test"];

break

The break statement is used to break out of a switch, for, or while statement.

delete

The delete statement is used to remove an element from a set or table, or to remove a value from a record field that has the &optional attribute. When attempting to remove an element from a set or table, nothing happens if the specified index does not exist. When attempting to remove a value from an &optional record field, nothing happens if that field doesn’t have a value.

Example:

local myset = set("this", "test");
local mytable = table(["key1"] = 80/tcp, ["key2"] = 53/udp);
local myrec = MyRecordType($a = 1, $b = 2);

delete myset["test"];
delete mytable["key1"];

# In this example, "b" must have the "&optional" attribute
delete myrec$b;

event

The event statement immediately queues invocation of an event handler.

Example:

event myevent("test", 5);

fallthrough

The fallthrough statement can be used within a case block to indicate that execution should continue at the next case or default label.

For an example, see the switch statement.

for

A for loop iterates over each element in a string, set, vector, or table and executes a statement for each iteration (note that the order in which the loop iterates over the elements in a set or a table is nondeterministic). However, no loop iterations occur if the string, set, vector, or table is empty.

For each iteration of the loop, a loop variable will be assigned to an element if the expression evaluates to a string or set, or an index if the expression evaluates to a vector or table. Then the statement is executed.

If the expression is a table or a set with more than one index, then the loop variable must be specified as a comma-separated list of different loop variables (one for each index), enclosed in brackets.

If the expression is a table, keys and values can be iterated over at the same time by specifying a key and value variable. The core exposes value variables for free, so this should be preferred to accessing the values in a separate lookup inside the loop.

Note that the loop variable in a for statement is not allowed to be a global variable, and it does not need to be declared prior to the for statement. The type will be inferred from the elements of the expression.

Currently, modifying a container’s membership while iterating over it may result in undefined behavior, so do not add or remove elements inside the loop.

A break statement will immediately terminate the for loop, and a next statement will skip to the next loop iteration.

Example:

local myset = set(80/tcp, 81/tcp);
local mytable = table([10.0.0.1, 80/tcp]="s1", [10.0.0.2, 81/tcp]="s2");

for ( p in myset )
    print p;

for ( [i,j], val in mytable )
    {
    if (val == "done")
        break;
    if (val == "skip")
        next;
    print i,j;
    }

if

Evaluates a given expression, which must yield a bool value. If true, then a specified statement is executed. If false, then the statement is not executed. Example:

if ( x == 2 ) print "x is 2";

However, if the expression evaluates to false and if an else is provided, then the statement following the else is executed. Example:

if ( x == 2 )
    print "x is 2";
else
    print "x is not 2";

local

A variable declared with the local keyword will be local. If a type is not specified, then an initializer is required so that the type can be inferred. Likewise, if an initializer is not supplied, then the type must be specified.

Examples:

local x1 = 5.7;
local x2: double;
local x3: double = 5.7;

Variable declarations inside a function, hook, or event handler are required to use this keyword (the only two exceptions are variables declared with const, and variables implicitly declared in a for statement).

The scope of a local variable starts at the location where it is declared and persists to the end of the function, hook, or event handler in which it is declared (this is true even if the local variable was declared within a compound statement or is the loop variable in a for statement).

next

The next statement can only appear within a for or while loop. It causes execution to skip to the next iteration.

print

The print statement takes a comma-separated list of one or more expressions. Each expression in the list is evaluated and then converted to a string. Then each string is printed, with each string separated by a comma in the output.

Examples:

print 3.14;
print "Results", x, y;

By default, the print statement writes to the standard output (stdout). However, if the first expression is of type file, then print writes to that file.

If a string contains non-printable characters (i.e., byte values that are not in the range 32 - 126), then the print statement converts each non-printable character to an escape sequence before it is printed.

For more control over how the strings are formatted, see the fmt function.

return

The return statement immediately exits the current function, hook, or event handler. For a function, the specified expression (if any) is evaluated and returned. A return statement in a hook or event handler cannot return a value because event handlers and hooks do not have return types.

Examples:

function my_func(): string
    {
    return "done";
    }

event my_event(n: count)
    {
    if ( n == 0 ) return;

    print n;
    }

Asynchronous return

There is a special form of the return statement that is only allowed in functions. Syntactically, it looks like a when statement immediately preceded by the return keyword. This form of the return statement is used to specify a function that delays its result: an asynchronous function. Such functions can only be called in the expression of a when statement. The function returns at the time the when statement’s condition becomes true, and the function returns the value that the when statement’s body returns (or, if the condition does not become true within the specified timeout interval, the function returns the value that the timeout block returns).

(Note that if you use the deprecated feature of not listing the captures in your return when statement, then, in contrast to regular functions, your asynchronous functions cannot make lasting modifications to arguments that have aggregate types, because those values will be deep-copied upon execution of the return when.)

Example:

global X: table[string] of count;

function a() : count
      {
      # This delays until condition becomes true.
      return when ( "a" in X )
            {
            return X["a"];
            }
      timeout 30 sec
            {
            return 0;
            }
      }

event zeek_init()
      {
      # Installs a trigger which fires if a() returns 42.
      when ( a() == 42 )
          print "expected result";

      print "Waiting for a() to return...";
      X["a"] = 42;
      }

schedule

The schedule statement is used to raise a specified event with specified parameters at a later time specified as an interval.

Example:

schedule 30sec { myevent(x, y, z) };

Note

The braces are always required here (that is, they do not indicate a compound statement). Also, schedule is actually an expression that returns a value of type timer, but in practice the return value is not used.

Note

Always specify event names with their full module namespace. For example, if the above myevent lives in the MyModule module, then say the following even when working inside the module:

schedule 30sec { MyModule::myevent(x, y, z) };

See A Reminder About Events and Module Namespaces for details.

Note

Using schedule within zeek_init does not usually have the desired behavior – since network_time is not yet initialized, the scheduled event may be dispatched upon processing the first network packet since that will update network-time from zero to the time associated with capturing that packet. A typical workaround is to ignore the first time such an event is dispatched and simply re-schedule it or to instead schedule the first event from within the network_time_init event.

switch

A switch statement evaluates a given expression and jumps to the first case label which contains a matching value (the result of the expression must be type-compatible with all of the values in all of the case labels). If there is no matching value, then execution jumps to the default label instead, and if there is no default label then execution jumps out of the switch block.

Here is an example (assuming that get_day_of_week is a function that returns a string):

switch get_day_of_week() {
    case "Sa", "Su":
        print "weekend";
        fallthrough;
    case "Mo", "Tu", "We", "Th", "Fr":
        print "valid result";
        break;
    default:
        print "invalid result";
        break;
}

A switch block can have any number of case labels, and one optional default label.

A case label can have a comma-separated list of more than one value. A value in a case label can be an expression, but it must be a constant expression (i.e., the expression can consist only of constants).

Each case and the default block must end with either a break, fallthrough, or return statement (although return is allowed only if the switch statement is inside a function, hook, or event handler).

Note that the braces in a switch statement are always required (these do not indicate the presence of a compound statement), and that no semicolon is needed at the end of a switch statement.

There is an alternative form of the switch statement that supports switching by type rather than value. This form of the switch statement uses type-based versions of case:

  • case type t: ...: Take branch if the value of the switch expression could be cast to type t (where t is the name of a Zeek script type, either built-in or user-defined).

  • case type t as x: ...: Same as above, but the cast value is available through ID x.

Multiple types can be listed per branch, separated by commas (the type keyword must be repeated for each type in the list).

Example:

function example(v: any)
    {
    switch (v) {
    case type count as c:
            print "It's a count", c;
            break;

    case type bool, type addr:
            print "It's a bool or address";
            break;
    }
    }

Note that a single switch statement switches either by type or by value, but not both.

Also note that the type-based switch statement will trigger a runtime error if any cast in any case is an unsupported cast (see the documentation of the type casting operator as).

A type-casting case block is also not allowed to use a fallthrough statement since that could generally mean entering another type-casting block. That is, the switched-upon value could get cast to at least two different types, which is not a valid possibility.

when

Evaluates a given expression, which must result in a value of type bool. When the value of the expression becomes available and if the result is true, then a specified statement is executed.

In the following example, if the expression evaluates to true, then the print statement is executed:

when ( (local x = foo()) && x == 42 )
    {
    print x;
    }

However, if a timeout is specified, and if the expression does not evaluate to true within the specified timeout interval, then the statement following the timeout keyword is executed:

when ( (local x = foo()) && x == 42 )
    {
    print x;
    }
timeout 5sec
    {
    print "timeout";
    }

Note that when a timeout is specified the braces are always required (these do not indicate a compound statement).

The expression in a when statement can contain a declaration of a local variable but only if the declaration is written in the form local var = init (example: local x = myfunction()). This form of a local declaration is actually an expression, the result of which is always a boolean true value.

The expression in a when statement can contain an asynchronous function call such as lookup_hostname (in fact, this is the only place such a function can be called), but it can also contain an ordinary function call. When an asynchronous function call is in the expression, then Zeek will continue processing statements in the script following the when statement, and when the result of the function call is available Zeek will finish evaluating the expression in the when statement. See the return statement for an explanation of how to create an asynchronous function in a Zeek script.

The elements of a when statement can include references to the local variables of the function/event/hook body in which they appear (as well as to global variables). If they do, then you need to specify the local variables as captures, using [...] in the same manner as done for anonymous functions. By default captures are done using shallow-copying, behaving like an assignment; you can add the keyword copy to instead make a deep copy.

For example:

type r: record { x: int; y: int; };
global g = r($x=100, $y=100);

event zeek_init()
    {
    local l = r($x=1, $y=2);
    local l2 = r($x=3, $y=4);

    when [l, copy l2] ( g$x < 0 )
        {
        print l, l2;
        }

    l$x = 10;
    l2$x = 20;
    }

event zeek_init() &priority=-10
    {
    g$x = -999;
    }

will print [x=10, y=2], [x=3, y=4], because, as a shallow copy, the version of l inside the when statement will reflect the changes made to its record after execution of the when statement; while the version of l2 will not, since it holds a deep copy of the record made upon executing the when statement.

For the captures you need to list all of the local variables used in the statement: those in the initial condition, as well as those appearing in the body or the timeout statement. You do not need to list new locals introduced in the expression (such as local x = foo() in the example given earlier above).

It also works, for now, to leave off the captures entirely, but this form is deprecated. It provides old-style semantics, in which every local is automatically captured via deep-copy.

while

A while loop iterates over a body statement as long as a given condition remains true.

A break statement can be used at any time to immediately terminate the while loop, and a next statement can be used to skip to the next loop iteration.

Example:

local i = 0;

while ( i < 5 )
    print ++i;

while ( some_cond() )
    {
    local finish_up = F;

    if ( skip_ahead() )
        next;

    if ( finish_up )
        break;
    }

Compound Statement

A compound statement is created by wrapping zero or more statements in braces { }. Individual statements inside the braces need to be terminated by a semicolon, but a semicolon is not needed at the end (outside of the braces) of a compound statement.

A compound statement is required in order to execute more than one statement in the body of a for, while, if, or when statement.

Example:

if ( x == 2 )
    {
    print "x is 2";
    ++x;
    }

Note that there are other places in the Zeek scripting language that use braces, but that do not indicate the presence of a compound statement (these are noted in the documentation).

Null Statement

The null statement (executing it has no effect) consists of just a semicolon. This might be useful during testing or debugging a Zeek script in places where a statement is required, but it is probably not useful otherwise.

Example:

if ( x == 2 )
    ;

Directives

The Zeek scripting language supports a number of directives that can affect which scripts will be loaded or which lines in a script will be executed. Directives are evaluated before script execution begins.

@DIR

Expands to the directory pathname where the current script is located.

Example:

print "Directory:", @DIR;

@FILENAME

Expands to the filename of the current script.

Example:

print "File:", @FILENAME;

@deprecated

Marks the current script as deprecated. This can be placed anywhere in the script, but a good convention is to put it as the first line. You can also supply additional comments.

Example:

@deprecated "Use '@load foo' instead"

@load

Loads the specified Zeek script, specified as the relative pathname of the file (relative to one of the directories in Zeek’s file search path). If the Zeek script filename ends with .zeek, then you don’t need to specify the file extension. The filename cannot contain any whitespace.

In this example, Zeek will try to load a script policy/misc/capture-loss.zeek by looking in each directory in the file search path (the file search path can be changed by setting the ZEEKPATH environment variable):

@load policy/misc/capture-loss

If you specify the name of a directory instead of a filename, then Zeek will try to load a file in that directory called __load__.zeek (presumably that file will contain additional @load directives).

In this example, Zeek will try to load a file tuning/defaults/__load__.zeek by looking in each directory in the file search path:

@load tuning/defaults

The purpose of this directive is to ensure that all script dependencies are satisfied, and to avoid having to list every needed Zeek script on the command-line. Zeek keeps track of which scripts have been loaded, so it is not an error to load a script more than once (once a script has been loaded, any subsequent load directives for that script are ignored).

@load-plugin

Activate a dynamic plugin with the specified plugin name. The specified plugin must be located in Zeek’s plugin search path. Example:

@load-plugin Demo::Rot13

By default, Zeek will automatically activate all dynamic plugins found in the plugin search path (the search path can be changed by setting the environment variable ZEEK_PLUGIN_PATH to a colon-separated list of directories). However, in bare mode (zeek -b), dynamic plugins can be activated only by using @load-plugin, by specifying the full plugin name on the Zeek command-line (e.g., zeek Demo::Rot13), or by setting the environment variable ZEEK_PLUGIN_ACTIVATE to a comma-separated list of plugin names.

@load-sigs

This works similarly to @load except that in this case the filename represents a signature file (not a Zeek script). If the signature filename ends with .sig then you don’t need to specify the file extension in the @load-sigs directive. The filename cannot contain any whitespace.

In this example, Zeek will try to load a signature file base/protocols/ssl/dpd.sig:

@load-sigs base/protocols/ssl/dpd

The format for a signature file is explained in the documentation for the Signature Framework.

@unload

This specifies a Zeek script that we don’t want to load (so a subsequent attempt to load the specified script will be skipped). However, if the specified script has already been loaded, then this directive has no effect.

In the following example, if the policy/misc/capture-loss.zeek script has not been loaded yet, then Zeek will not load it:

@unload policy/misc/capture-loss

@prefixes

Specifies a filename prefix to use when looking for script files to load automatically. The prefix cannot contain any whitespace.

In the following example, the prefix cluster is used and all prefixes that were previously specified are not used:

@prefixes = cluster

In the following example, the prefix cluster-manager is used in addition to any previously-specified prefixes:

@prefixes += cluster-manager

The way this works is that after Zeek parses all script files, then for each loaded script Zeek will take the absolute path of the script and then it removes the portion of the directory path that is in Zeek’s file search path. Then it replaces each / character with a period . and then prepends the prefix (specified in the @prefixes directive) followed by a period. The resulting filename is searched for in each directory in Zeek’s file search path. If a matching file is found, then the file is automatically loaded.

For example, if a script called local.zeek has been loaded, and a prefix of test was specified, then Zeek will look for a file named test.local.zeek in each directory of Zeek’s file search path.

An alternative way to specify prefixes is to use the -p Zeek command-line option.

@if

The specified expression must evaluate to type bool. If the value is true, then the following script lines (up to the next @else or @endif) are available to be executed.

Example:

@if ( ver == 2 )
    print "version 2 detected";
@endif

@ifdef

This works like @if, except that the result is true if the specified identifier is defined.

Example:

@ifdef ( pi )
    print "pi is defined";
@endif

@ifndef

This works exactly like @ifdef, except that the result is true if the specified identifier is not defined.

Example:

@ifndef ( pi )
    print "pi is not defined";
@endif

@else

This directive is optional after an @if, @ifdef, or @ifndef. If present, it provides an else clause.

Example:

@ifdef ( pi )
    print "pi is defined";
@else
    print "pi is not defined";
@endif

@endif

This directive is required to terminate each @if, @ifdef, or @ifndef.

@DEBUG

This directive is not meant to be used directly from user scripts. Internally, it’s used by interactive-debugger features (zeek -d) that allow arbitrary expressions to be parsed and evaluated on their own rather than incorporated into the usual Zeek syntax-tree formed from parsing script files.
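
The directives above combined in one loader-style script, as an added example that is not part of the Zeek documentation. The base script paths, Version::number and Site::local_nets are Zeek's own; the signature file name mysigs/local is constructed and must exist on ZEEKPATH for the @load-sigs line to succeed.

```zeek
# Added example: directives are resolved before any script code runs, so
# they decide what gets loaded and which lines are even parsed.

# Dependencies first; a script already loaded is silently skipped on
# repeated @load, so listing one here that another script needs is safe.
@load base/protocols/conn
@load base/protocols/ssl
@load base/frameworks/notice

# Signature file; the .sig extension is implied (constructed name).
@load-sigs mysigs/local

# @DIR and @FILENAME expand to this script's own location.
event zeek_init()
    {
    print fmt("loaded %s from %s", @FILENAME, @DIR);
    }

# @if: only the selected branch becomes part of the script. Zeek 5.0.0
# corresponds to Version::number 50000.
@if ( Version::number >= 50000 )
    const min_version_ok = T;
@else
    const min_version_ok = F;
@endif

# @ifdef / @else: test whether an identifier exists at parse time, which is
# how a script adapts to frameworks that may or may not be loaded.
@ifdef ( Site::local_nets )
    event zeek_init()
        {
        print "Site::local_nets is defined:", Site::local_nets;
        }
@else
    event zeek_init()
        {
        print "Site framework not loaded; skipping local-network checks";
        }
@endif

# @ifndef: pull in an optional policy only when nothing else defined it.
@ifndef ( CaptureLoss::LOG )
    @load policy/misc/capture-loss
@endif
```
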

Log Files

Listed below are the log files generated by Zeek, including a brief description of the log file and links to descriptions of the fields for each log type.

Network Protocols

Log File                     Description                                       Field Descriptions
conn.log                     TCP/UDP/ICMP connections                          Conn::Info
dce_rpc.log                  Distributed Computing Environment/RPC             DCE_RPC::Info
dhcp.log                     DHCP leases                                       DHCP::Info
dnp3.log                     DNP3 requests and replies                         DNP3::Info
dns.log                      DNS activity                                      DNS::Info
ftp.log                      FTP activity                                      FTP::Info
http.log                     HTTP requests and replies                         HTTP::Info
irc.log                      IRC commands and responses                        IRC::Info
kerberos.log                 Kerberos                                          KRB::Info
modbus.log                   Modbus commands and responses                     Modbus::Info
modbus_register_change.log   Tracks changes to Modbus holding registers        Modbus::MemmapInfo
mysql.log                    MySQL                                             MySQL::Info
ntlm.log                     NT LAN Manager (NTLM)                             NTLM::Info
ntp.log                      Network Time Protocol                             NTP::Info
radius.log                   RADIUS authentication attempts                    RADIUS::Info
rdp.log                      RDP                                               RDP::Info
rfb.log                      Remote Framebuffer (RFB)                          RFB::Info
sip.log                      SIP                                               SIP::Info
smb_cmd.log                  SMB commands                                      SMB::CmdInfo
smb_files.log                SMB files                                         SMB::FileInfo
smb_mapping.log              SMB trees                                         SMB::TreeInfo
smtp.log                     SMTP transactions                                 SMTP::Info
snmp.log                     SNMP messages                                     SNMP::Info
socks.log                    SOCKS proxy requests                              SOCKS::Info
ssh.log                      SSH connections                                   SSH::Info
ssl.log                      SSL/TLS handshake info                            SSL::Info
syslog.log                   Syslog messages                                   Syslog::Info
tunnel.log                   Tunneling protocol events                         Tunnel::Info

Files

Log File | Description | Field Descriptions
files.log | File analysis results | Files::Info
ocsp.log | Online Certificate Status Protocol (OCSP). Only created if the policy script is loaded. | OCSP::Info
pe.log | Portable Executable (PE) | PE::Info
x509.log | X.509 certificate info | X509::Info

NetControl

Log File | Description | Field Descriptions
netcontrol.log | NetControl actions | NetControl::Info
netcontrol_drop.log | NetControl actions | NetControl::DropInfo
netcontrol_shunt.log | NetControl shunt actions | NetControl::ShuntInfo
netcontrol_catch_release.log | NetControl catch and release actions | NetControl::CatchReleaseInfo
openflow.log | OpenFlow debug log | OpenFlow::Info

Detection

Log File | Description | Field Descriptions
intel.log | Intelligence data matches | Intel::Info
notice.log | Zeek notices | Notice::Info
notice_alarm.log | The alarm stream | Notice::Info
signatures.log | Signature matches | Signatures::Info
traceroute.log | Traceroute detection | Traceroute::Info

Network Observations

Log File | Description | Field Descriptions
known_certs.log | SSL certificates | Known::CertsInfo
known_hosts.log | Hosts that have completed TCP handshakes | Known::HostsInfo
known_modbus.log | Modbus masters and slaves | Known::ModbusInfo
known_services.log | Services running on hosts | Known::ServicesInfo
software.log | Software being used on the network | Software::Info

Miscellaneous

Log File | Description | Field Descriptions
barnyard2.log | Alerts received from Barnyard2 | Barnyard2::Info
dpd.log | Dynamic protocol detection failures | DPD::Info
unified2.log | Interprets Snort’s unified output | Unified2::Info
unknown_protocols.log | Information about packet protocols that Zeek doesn’t know how to process | UnknownProtocol::Info
weird.log | Unexpected network-level activity | Weird::Info
weird_stats.log | Statistics about unexpected activity | WeirdStats::Info

Zeek Diagnostics

Log File | Description | Field Descriptions
broker.log | Peering status events between Zeek or Broker-enabled processes | Broker::Info
capture_loss.log | Packet loss rate | CaptureLoss::Info
cluster.log | Zeek cluster messages | Cluster::Info
config.log | Configuration option changes | Config::Info
loaded_scripts.log | Shows all scripts loaded by Zeek | LoadedScripts::Info
packet_filter.log | Lists the packet filters that were applied | PacketFilter::Info
print.log | Print statements that were redirected to a log stream | Log::PrintLogInfo
prof.log | Profiling statistics (to create this log, load policy/misc/profiling.zeek) | N/A
reporter.log | Internal error/warning/info messages | Reporter::Info
stats.log | Memory/event/packet/lag statistics | Stats::Info
stderr.log | Captures standard error when Zeek is started from ZeekControl | N/A
stdout.log | Captures standard output when Zeek is started from ZeekControl | N/A

Notices

See the Zeek Notice Index.

Packet Analyzers

PacketAnalyzer::Tag
Type

enum

PacketAnalyzer::ANALYZER_ARP
PacketAnalyzer::ANALYZER_AYIYA
PacketAnalyzer::ANALYZER_ETHERNET
PacketAnalyzer::ANALYZER_FDDI
PacketAnalyzer::ANALYZER_GENEVE
PacketAnalyzer::ANALYZER_GRE
PacketAnalyzer::ANALYZER_GTPV1
PacketAnalyzer::ANALYZER_ICMP
PacketAnalyzer::ANALYZER_IEEE802_11
PacketAnalyzer::ANALYZER_IEEE802_11_RADIO
PacketAnalyzer::ANALYZER_IP
PacketAnalyzer::ANALYZER_IPTUNNEL
PacketAnalyzer::ANALYZER_LINUXSLL
PacketAnalyzer::ANALYZER_MPLS
PacketAnalyzer::ANALYZER_NFLOG
PacketAnalyzer::ANALYZER_NULL
PacketAnalyzer::ANALYZER_PPPOE
PacketAnalyzer::ANALYZER_PPPSERIAL
PacketAnalyzer::ANALYZER_ROOT
PacketAnalyzer::ANALYZER_SKIP
PacketAnalyzer::ANALYZER_TCP
PacketAnalyzer::ANALYZER_TEREDO
PacketAnalyzer::ANALYZER_UDP
PacketAnalyzer::ANALYZER_VLAN
PacketAnalyzer::ANALYZER_VNTAG
PacketAnalyzer::ANALYZER_VXLAN

Zeek::ARP

ARP packet analyzer

Components

PacketAnalyzer::ANALYZER_ARP

Events
arp_request
Type

event (mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)

Generated for ARP requests.

See Wikipedia for more information about the ARP protocol.

Mac_src

The request’s source MAC address.

Mac_dst

The request’s destination MAC address.

SPA

The sender protocol address.

SHA

The sender hardware address.

TPA

The target protocol address.

THA

The target hardware address.

arp_reply
Type

event (mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)

Generated for ARP replies.

See Wikipedia for more information about the ARP protocol.

Mac_src

The reply’s source MAC address.

Mac_dst

The reply’s destination MAC address.

SPA

The sender protocol address.

SHA

The sender hardware address.

TPA

The target protocol address.

THA

The target hardware address.

bad_arp
Type

event (SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string)

Generated for ARP packets that Zeek cannot interpret. Examples are packets with non-standard hardware address formats or hardware addresses that do not match the originator of the packet.

SPA

The sender protocol address.

SHA

The sender hardware address.

TPA

The target protocol address.

THA

The target hardware address.

Explanation

A short description of why the ARP packet is considered “bad”.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

Zeek::AYIYA

AYIYA packet analyzer

Components

PacketAnalyzer::ANALYZER_AYIYA

Zeek::Ethernet

Ethernet packet analyzer

Components

PacketAnalyzer::ANALYZER_ETHERNET

Zeek::FDDI

FDDI packet analyzer

Components

PacketAnalyzer::ANALYZER_FDDI

Zeek::Geneve

Geneve packet analyzer

Components

PacketAnalyzer::ANALYZER_GENEVE

Events
geneve_packet
Type

event (outer: connection, inner: pkt_hdr, vni: count)

Generated for any packet encapsulated in a Geneve tunnel. See RFC 8926 for more information about the Geneve protocol.

Outer

The Geneve tunnel connection.

Inner

The Geneve-encapsulated Ethernet packet header and transport header.

Vni

Geneve Network Identifier.

Note

Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.

Zeek::GRE

GRE packet analyzer

Components

PacketAnalyzer::ANALYZER_GRE

Zeek::GTPv1

GTPv1 analyzer

Components

PacketAnalyzer::ANALYZER_GTPV1

Events
gtpv1_message
Type

event (c: connection, hdr: gtpv1_hdr)

Generated for any GTP message with a GTPv1 header.

C

The connection over which the message is sent.

Hdr

The GTPv1 header.

gtpv1_g_pdu_packet
Type

event (outer: connection, inner_gtp: gtpv1_hdr, inner_ip: pkt_hdr)

Generated for GTPv1 G-PDU packets. That is, packets with a UDP payload that includes a GTP header followed by an IPv4 or IPv6 packet.

Outer

The GTP outer tunnel connection.

Inner_gtp

The GTP header.

Inner_ip

The inner IP and transport layer packet headers.

Note

Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.

gtpv1_create_pdp_ctx_request
Type

event (c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_request_elements)

Generated for GTPv1-C Create PDP Context Request messages.

C

The connection over which the message is sent.

Hdr

The GTPv1 header.

Elements

The set of Information Elements comprising the message.

gtpv1_create_pdp_ctx_response
Type

event (c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_response_elements)

Generated for GTPv1-C Create PDP Context Response messages.

C

The connection over which the message is sent.

Hdr

The GTPv1 header.

Elements

The set of Information Elements comprising the message.

gtpv1_update_pdp_ctx_request
Type

event (c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_request_elements)

Generated for GTPv1-C Update PDP Context Request messages.

C

The connection over which the message is sent.

Hdr

The GTPv1 header.

Elements

The set of Information Elements comprising the message.

gtpv1_update_pdp_ctx_response
Type

event (c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_response_elements)

Generated for GTPv1-C Update PDP Context Response messages.

C

The connection over which the message is sent.

Hdr

The GTPv1 header.

Elements

The set of Information Elements comprising the message.

gtpv1_delete_pdp_ctx_request
Type

event (c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_request_elements)

Generated for GTPv1-C Delete PDP Context Request messages.

C

The connection over which the message is sent.

Hdr

The GTPv1 header.

Elements

The set of Information Elements comprising the message.

gtpv1_delete_pdp_ctx_response
Type

event (c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_response_elements)

Generated for GTPv1-C Delete PDP Context Response messages.

C

The connection over which the message is sent.

Hdr

The GTPv1 header.

Elements

The set of Information Elements comprising the message.

Functions
PacketAnalyzer::GTPV1::remove_gtpv1_connection
Type

function (cid: conn_id) : bool

Zeek::IEEE802_11

IEEE 802.11 packet analyzer

Components

PacketAnalyzer::ANALYZER_IEEE802_11

Zeek::IEEE802_11_Radio

IEEE 802.11 Radiotap packet analyzer

Components

PacketAnalyzer::ANALYZER_IEEE802_11_RADIO

Zeek::IP

Packet analyzer for IP fallback (v4 or v6)

Components

PacketAnalyzer::ANALYZER_IP

Zeek::IPTunnel

IPTunnel packet analyzer

Components

PacketAnalyzer::ANALYZER_IPTUNNEL

Zeek::LinuxSLL

Linux cooked capture (SLL) packet analyzer

Components

PacketAnalyzer::ANALYZER_LINUXSLL

Zeek::MPLS

MPLS packet analyzer

Components

PacketAnalyzer::ANALYZER_MPLS

Zeek::NFLog

NFLog packet analyzer

Components

PacketAnalyzer::ANALYZER_NFLOG

Zeek::Null

Null packet analyzer

Components

PacketAnalyzer::ANALYZER_NULL

Zeek::PPPoE

PPPoE packet analyzer

Components

PacketAnalyzer::ANALYZER_PPPOE

Zeek::PPPSerial

PPPSerial packet analyzer

Components

PacketAnalyzer::ANALYZER_PPPSERIAL

Zeek::Root

Root packet analyzer

Components

PacketAnalyzer::ANALYZER_ROOT

Zeek::Skip

Skip packet analyzer

Components

PacketAnalyzer::ANALYZER_SKIP

Zeek::Teredo

Teredo packet analyzer

Components

PacketAnalyzer::ANALYZER_TEREDO

Events
teredo_packet
Type

event (outer: connection, inner: teredo_hdr)

Generated for any IPv6 packet encapsulated in a Teredo tunnel. See RFC 4380 for more information about the Teredo protocol.

Outer

The Teredo tunnel connection.

Inner

The Teredo-encapsulated IPv6 packet header and transport header.

Note

Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.

teredo_authentication
Type

event (outer: connection, inner: teredo_hdr)

Generated for IPv6 packets encapsulated in a Teredo tunnel that use the Teredo authentication encapsulation method. See RFC 4380 for more information about the Teredo protocol.

Outer

The Teredo tunnel connection.

Inner

The Teredo-encapsulated IPv6 packet header and transport header.

Note

Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.

teredo_origin_indication
Type

event (outer: connection, inner: teredo_hdr)

Generated for IPv6 packets encapsulated in a Teredo tunnel that use the Teredo origin indication encapsulation method. See RFC 4380 for more information about the Teredo protocol.

Outer

The Teredo tunnel connection.

Inner

The Teredo-encapsulated IPv6 packet header and transport header.

Note

Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.

teredo_bubble
Type

event (outer: connection, inner: teredo_hdr)

Generated for Teredo bubble packets. That is, IPv6 packets encapsulated in a Teredo tunnel that have a Next Header value of IPPROTO_NONE. See RFC 4380 for more information about the Teredo protocol.

Outer

The Teredo tunnel connection.

Inner

The Teredo-encapsulated IPv6 packet header and transport header.

Note

Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.

Functions
PacketAnalyzer::TEREDO::remove_teredo_connection
Type

function (cid: conn_id) : bool

Zeek::VLAN

VLAN packet analyzer

Components

PacketAnalyzer::ANALYZER_VLAN

Zeek::VNTag

VNTag packet analyzer

Components

PacketAnalyzer::ANALYZER_VNTAG

Zeek::VXLAN

VXLAN packet analyzer

Components

PacketAnalyzer::ANALYZER_VXLAN

Events
vxlan_packet
Type

event (outer: connection, inner: pkt_hdr, vni: count)

Generated for any packet encapsulated in a VXLAN tunnel. See RFC 7348 for more information about the VXLAN protocol.

Outer

The VXLAN tunnel connection.

Inner

The VXLAN-encapsulated Ethernet packet header and transport header.

Vni

VXLAN Network Identifier.

Note

Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.

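The per-packet notes on geneve_packet and vxlan_packet above make cheap handlers essential. The following script, an added example that is not part of the Zeek documentation, reports each VXLAN or Geneve VNI once per outer tunnel connection and returns immediately on every later packet; the module name, the New_VNI notice type and the one-hour expiry are constructed for this example.

```zeek
@load base/frameworks/notice

module TunnelVNI;

export {
    redef enum Notice::Type += {
        ## A VNI was seen for the first time on a given tunnel connection.
        New_VNI,
    };
}

# Outer tunnel connection uid -> VNIs already reported on it. The table
# expires idle entries so long-running capture does not grow it without bound.
global reported: table[string] of set[count] &create_expire=1hr;

# Shared by both handlers: do the cheapest check first and return, since
# these events fire for every encapsulated packet.
function report_once(kind: string, outer: connection, vni: count)
    {
    if ( outer$uid in reported && vni in reported[outer$uid] )
        return;

    if ( outer$uid !in reported )
        reported[outer$uid] = set();

    add reported[outer$uid][vni];

    NOTICE([$note=New_VNI,
            $conn=outer,
            $msg=fmt("%s tunnel %s -> %s carries VNI %d", kind,
                     outer$id$orig_h, outer$id$resp_h, vni),
            $identifier=cat(outer$uid, "/", vni)]);
    }

event vxlan_packet(outer: connection, inner: pkt_hdr, vni: count)
    {
    report_once("VXLAN", outer, vni);
    }

event geneve_packet(outer: connection, inner: pkt_hdr, vni: count)
    {
    report_once("Geneve", outer, vni);
    }
```
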
Protocol Analyzers

Analyzer::Tag
Type

enum

Analyzer::ANALYZER_BITTORRENT
Analyzer::ANALYZER_BITTORRENTTRACKER
Analyzer::ANALYZER_CONNSIZE
Analyzer::ANALYZER_DCE_RPC
Analyzer::ANALYZER_DHCP
Analyzer::ANALYZER_DNP3_TCP
Analyzer::ANALYZER_DNP3_UDP
Analyzer::ANALYZER_CONTENTS_DNS
Analyzer::ANALYZER_DNS
Analyzer::ANALYZER_FTP_DATA
Analyzer::ANALYZER_IRC_DATA
Analyzer::ANALYZER_FINGER
Analyzer::ANALYZER_FTP
Analyzer::ANALYZER_FTP_ADAT
Analyzer::ANALYZER_GNUTELLA
Analyzer::ANALYZER_GSSAPI
Analyzer::ANALYZER_HTTP
Analyzer::ANALYZER_ICMP
Analyzer::ANALYZER_IDENT
Analyzer::ANALYZER_IMAP
Analyzer::ANALYZER_IRC
Analyzer::ANALYZER_KRB
Analyzer::ANALYZER_KRB_TCP
Analyzer::ANALYZER_CONTENTS_RLOGIN
Analyzer::ANALYZER_CONTENTS_RSH
Analyzer::ANALYZER_LOGIN
Analyzer::ANALYZER_NVT
Analyzer::ANALYZER_RLOGIN
Analyzer::ANALYZER_RSH
Analyzer::ANALYZER_TELNET
Analyzer::ANALYZER_MODBUS
Analyzer::ANALYZER_MQTT
Analyzer::ANALYZER_MYSQL
Analyzer::ANALYZER_CONTENTS_NCP
Analyzer::ANALYZER_NCP
Analyzer::ANALYZER_CONTENTS_NETBIOSSSN
Analyzer::ANALYZER_NETBIOSSSN
Analyzer::ANALYZER_NTLM
Analyzer::ANALYZER_NTP
Analyzer::ANALYZER_PIA_TCP
Analyzer::ANALYZER_PIA_UDP
Analyzer::ANALYZER_POP3
Analyzer::ANALYZER_RADIUS
Analyzer::ANALYZER_RDP
Analyzer::ANALYZER_RDPEUDP
Analyzer::ANALYZER_RFB
Analyzer::ANALYZER_CONTENTS_NFS
Analyzer::ANALYZER_CONTENTS_RPC
Analyzer::ANALYZER_MOUNT
Analyzer::ANALYZER_NFS
Analyzer::ANALYZER_PORTMAPPER
Analyzer::ANALYZER_SIP
Analyzer::ANALYZER_CONTENTS_SMB
Analyzer::ANALYZER_SMB
Analyzer::ANALYZER_SMTP
Analyzer::ANALYZER_SNMP
Analyzer::ANALYZER_SOCKS
Analyzer::ANALYZER_SSH
Analyzer::ANALYZER_DTLS
Analyzer::ANALYZER_SSL
Analyzer::ANALYZER_SYSLOG
Analyzer::ANALYZER_CONTENTLINE
Analyzer::ANALYZER_CONTENTS
Analyzer::ANALYZER_TCPSTATS
Analyzer::ANALYZER_TCP
Analyzer::ANALYZER_UDP
Analyzer::ANALYZER_XMPP
Analyzer::ANALYZER_ZIP
AllAnalyzers::Tag
Type

enum

AllAnalyzers::PACKETANALYZER_ANALYZER_ARP
AllAnalyzers::PACKETANALYZER_ANALYZER_AYIYA
AllAnalyzers::ANALYZER_ANALYZER_BITTORRENT
AllAnalyzers::ANALYZER_ANALYZER_BITTORRENTTRACKER
AllAnalyzers::ANALYZER_ANALYZER_CONNSIZE
AllAnalyzers::ANALYZER_ANALYZER_DCE_RPC
AllAnalyzers::ANALYZER_ANALYZER_DHCP
AllAnalyzers::ANALYZER_ANALYZER_DNP3_TCP
AllAnalyzers::ANALYZER_ANALYZER_DNP3_UDP
AllAnalyzers::ANALYZER_ANALYZER_CONTENTS_DNS
AllAnalyzers::ANALYZER_ANALYZER_DNS
AllAnalyzers::PACKETANALYZER_ANALYZER_ETHERNET
AllAnalyzers::PACKETANALYZER_ANALYZER_FDDI
AllAnalyzers::ANALYZER_ANALYZER_FTP_DATA
AllAnalyzers::ANALYZER_ANALYZER_IRC_DATA
AllAnalyzers::FILES_ANALYZER_DATA_EVENT
AllAnalyzers::FILES_ANALYZER_ENTROPY
AllAnalyzers::FILES_ANALYZER_EXTRACT
AllAnalyzers::FILES_ANALYZER_MD5
AllAnalyzers::FILES_ANALYZER_SHA1
AllAnalyzers::FILES_ANALYZER_SHA256
AllAnalyzers::ANALYZER_ANALYZER_FINGER
AllAnalyzers::ANALYZER_ANALYZER_FTP
AllAnalyzers::ANALYZER_ANALYZER_FTP_ADAT
AllAnalyzers::PACKETANALYZER_ANALYZER_GENEVE
AllAnalyzers::ANALYZER_ANALYZER_GNUTELLA
AllAnalyzers::PACKETANALYZER_ANALYZER_GRE
AllAnalyzers::ANALYZER_ANALYZER_GSSAPI
AllAnalyzers::PACKETANALYZER_ANALYZER_GTPV1
AllAnalyzers::ANALYZER_ANALYZER_HTTP
AllAnalyzers::PACKETANALYZER_ANALYZER_ICMP
AllAnalyzers::ANALYZER_ANALYZER_ICMP
AllAnalyzers::ANALYZER_ANALYZER_IDENT
AllAnalyzers::PACKETANALYZER_ANALYZER_IEEE802_11
AllAnalyzers::PACKETANALYZER_ANALYZER_IEEE802_11_RADIO
AllAnalyzers::ANALYZER_ANALYZER_IMAP
AllAnalyzers::PACKETANALYZER_ANALYZER_IP
AllAnalyzers::PACKETANALYZER_ANALYZER_IPTUNNEL
AllAnalyzers::ANALYZER_ANALYZER_IRC
AllAnalyzers::ANALYZER_ANALYZER_KRB
AllAnalyzers::ANALYZER_ANALYZER_KRB_TCP
AllAnalyzers::PACKETANALYZER_ANALYZER_LINUXSLL
AllAnalyzers::ANALYZER_ANALYZER_CONTENTS_RLOGIN
AllAnalyzers::ANALYZER_ANALYZER_CONTENTS_RSH
AllAnalyzers::ANALYZER_ANALYZER_LOGIN
AllAnalyzers::ANALYZER_ANALYZER_NVT
AllAnalyzers::ANALYZER_ANALYZER_RLOGIN
AllAnalyzers::ANALYZER_ANALYZER_RSH
AllAnalyzers::ANALYZER_ANALYZER_TELNET
AllAnalyzers::ANALYZER_ANALYZER_MODBUS
AllAnalyzers::PACKETANALYZER_ANALYZER_MPLS
AllAnalyzers::ANALYZER_ANALYZER_MQTT
AllAnalyzers::ANALYZER_ANALYZER_MYSQL
AllAnalyzers::ANALYZER_ANALYZER_CONTENTS_NCP
AllAnalyzers::ANALYZER_ANALYZER_NCP
AllAnalyzers::ANALYZER_ANALYZER_CONTENTS_NETBIOSSSN
AllAnalyzers::ANALYZER_ANALYZER_NETBIOSSSN
AllAnalyzers::PACKETANALYZER_ANALYZER_NFLOG
AllAnalyzers::ANALYZER_ANALYZER_NTLM
AllAnalyzers::ANALYZER_ANALYZER_NTP
AllAnalyzers::PACKETANALYZER_ANALYZER_NULL
AllAnalyzers::FILES_ANALYZER_PE
AllAnalyzers::ANALYZER_ANALYZER_PIA_TCP
AllAnalyzers::ANALYZER_ANALYZER_PIA_UDP
AllAnalyzers::ANALYZER_ANALYZER_POP3
AllAnalyzers::PACKETANALYZER_ANALYZER_PPPOE
AllAnalyzers::PACKETANALYZER_ANALYZER_PPPSERIAL
AllAnalyzers::ANALYZER_ANALYZER_RADIUS
AllAnalyzers::ANALYZER_ANALYZER_RDP
AllAnalyzers::ANALYZER_ANALYZER_RDPEUDP
AllAnalyzers::ANALYZER_ANALYZER_RFB
AllAnalyzers::PACKETANALYZER_ANALYZER_ROOT
AllAnalyzers::ANALYZER_ANALYZER_CONTENTS_NFS
AllAnalyzers::ANALYZER_ANALYZER_CONTENTS_RPC
AllAnalyzers::ANALYZER_ANALYZER_MOUNT
AllAnalyzers::ANALYZER_ANALYZER_NFS
AllAnalyzers::ANALYZER_ANALYZER_PORTMAPPER
AllAnalyzers::ANALYZER_ANALYZER_SIP
AllAnalyzers::PACKETANALYZER_ANALYZER_SKIP
AllAnalyzers::ANALYZER_ANALYZER_CONTENTS_SMB
AllAnalyzers::ANALYZER_ANALYZER_SMB
AllAnalyzers::ANALYZER_ANALYZER_SMTP
AllAnalyzers::ANALYZER_ANALYZER_SNMP
AllAnalyzers::ANALYZER_ANALYZER_SOCKS
AllAnalyzers::ANALYZER_ANALYZER_SSH
AllAnalyzers::ANALYZER_ANALYZER_DTLS
AllAnalyzers::ANALYZER_ANALYZER_SSL
AllAnalyzers::ANALYZER_ANALYZER_SYSLOG
AllAnalyzers::ANALYZER_ANALYZER_CONTENTLINE
AllAnalyzers::ANALYZER_ANALYZER_CONTENTS
AllAnalyzers::ANALYZER_ANALYZER_TCPSTATS
AllAnalyzers::PACKETANALYZER_ANALYZER_TCP
AllAnalyzers::ANALYZER_ANALYZER_TCP
AllAnalyzers::PACKETANALYZER_ANALYZER_TEREDO
AllAnalyzers::PACKETANALYZER_ANALYZER_UDP
AllAnalyzers::ANALYZER_ANALYZER_UDP
AllAnalyzers::FILES_ANALYZER_UNIFIED2
AllAnalyzers::PACKETANALYZER_ANALYZER_VLAN
AllAnalyzers::PACKETANALYZER_ANALYZER_VNTAG
AllAnalyzers::PACKETANALYZER_ANALYZER_VXLAN
AllAnalyzers::FILES_ANALYZER_OCSP_REPLY
AllAnalyzers::FILES_ANALYZER_OCSP_REQUEST
AllAnalyzers::FILES_ANALYZER_X509
AllAnalyzers::ANALYZER_ANALYZER_XMPP
AllAnalyzers::ANALYZER_ANALYZER_ZIP

Zeek::BitTorrent

BitTorrent Analyzer

Components

Analyzer::ANALYZER_BITTORRENT

Analyzer::ANALYZER_BITTORRENTTRACKER

Events
bittorrent_peer_handshake
Type

event (c: connection, is_orig: bool, reserved: string, info_hash: string, peer_id: string)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bittorrent_peer_keep_alive
Type

event (c: connection, is_orig: bool)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bittorrent_peer_choke
Type

event (c: connection, is_orig: bool)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bittorrent_peer_unchoke
Type

event (c: connection, is_orig: bool)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bittorrent_peer_interested
Type

event (c: connection, is_orig: bool)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bittorrent_peer_not_interested
Type

event (c: connection, is_orig: bool)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bittorrent_peer_have
Type

event (c: connection, is_orig: bool, piece_index: count)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bittorrent_peer_bitfield
Type

event (c: connection, is_orig: bool, bitfield: string)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bittorrent_peer_request
Type

event (c: connection, is_orig: bool, index: count, begin: count, length: count)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bittorrent_peer_piece
Type

event (c: connection, is_orig: bool, index: count, begin: count, piece_length: count)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bittorrent_peer_cancel
Type

event (c: connection, is_orig: bool, index: count, begin: count, length: count)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bittorrent_peer_port
Type

event (c: connection, is_orig: bool, listen_port: port)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bittorrent_peer_unknown
Type

event (c: connection, is_orig: bool, message_id: count, data: string)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bittorrent_peer_weird
Type

event (c: connection, is_orig: bool, msg: string)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bt_tracker_request
Type

event (c: connection, uri: string, headers: bt_tracker_headers)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bt_tracker_response
Type

event (c: connection, status: count, headers: bt_tracker_headers, peers: bittorrent_peer_set, benc: bittorrent_benc_dir)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bt_tracker_response_not_ok
Type

event (c: connection, status: count, headers: bt_tracker_headers)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

bt_tracker_weird
Type

event (c: connection, is_orig: bool, msg: string)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

Zeek::ConnSize

Connection size analyzer

Components

Analyzer::ANALYZER_CONNSIZE

Events
conn_bytes_threshold_crossed
Type

event (c: connection, threshold: count, is_orig: bool)

Generated for a connection that crossed a set byte threshold. Note that this is a low level event that should usually be avoided for user code. Use ConnThreshold::bytes_threshold_crossed instead.

C

the connection

Threshold

the threshold that was set

Is_orig

true if the threshold was crossed by the originator of the connection

conn_packets_threshold_crossed
Type

event (c: connection, threshold: count, is_orig: bool)

Generated for a connection that crossed a set packet threshold. Note that this is a low level event that should usually be avoided for user code. Use ConnThreshold::packets_threshold_crossed instead.

C

the connection

Threshold

the threshold that was set

Is_orig

true if the threshold was crossed by the originator of the connection

conn_duration_threshold_crossed
Type

event (c: connection, threshold: interval, is_orig: bool)

Generated for a connection that crossed a set duration threshold. Note that this is a low level event that should usually be avoided for user code. Use ConnThreshold::duration_threshold_crossed instead.

Note that this event is not raised at the exact moment that a duration threshold is crossed; instead it is raised when the next packet is seen after the threshold has been crossed. On a connection that is idle, this can be raised significantly later.

C

the connection

Threshold

the threshold that was set

Is_orig

true if the threshold was crossed by the originator of the connection

Functions
set_current_conn_bytes_threshold
Type

function (cid: conn_id, threshold: count, is_orig: bool) : bool

Sets the current byte threshold for connection sizes, overwriting any potential old threshold. Be aware that in nearly any case you will want to use the high level API instead (ConnThreshold::set_bytes_threshold).

Cid

The connection id.

Threshold

Threshold in bytes.

Is_orig

If true, the threshold is set for bytes from the originator; otherwise for bytes from the responder.

set_current_conn_packets_threshold
Type

function (cid: conn_id, threshold: count, is_orig: bool) : bool

Sets the current packet threshold for a connection, overwriting any potential old threshold. Be aware that in nearly any case you will want to use the high level API instead (ConnThreshold::set_packets_threshold).

Cid

The connection id.

Threshold

Threshold in packets.

Is_orig

If true, the threshold is set for packets from the originator; otherwise for packets from the responder.

set_current_conn_duration_threshold
Type

function (cid: conn_id, threshold: interval) : bool

Sets the current duration threshold for a connection, overwriting any potential old threshold. Be aware that in nearly any case you will want to use the high level API instead (ConnThreshold::set_duration_threshold).

Cid

The connection id.

Threshold

Threshold in seconds.

get_current_conn_bytes_threshold
Type

function (cid: conn_id, is_orig: bool) : count

Gets the current byte threshold for a connection.

Cid

The connection id.

Is_orig

If true, the originator's threshold; otherwise the responder's.

Returns

The threshold in bytes, or 0 if no threshold is set.

get_current_conn_packets_threshold
Type

function (cid: conn_id, is_orig: bool) : count

Gets the current packet threshold for a connection.

Cid

The connection id.

Is_orig

If true, the originator's threshold; otherwise the responder's.

Returns

The threshold in packets, or 0 if no threshold is set.

get_current_conn_duration_threshold
Type

function (cid: conn_id) : interval

Gets the current duration threshold for a connection.

Cid

The connection id.

Returns

The threshold in seconds, or 0 if no threshold is set.


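The ConnSize functions above repeatedly point users at the ConnThreshold API rather than the low-level set_current_conn_* calls. This added example, not part of the Zeek documentation, does exactly that: it arms an originator-side byte threshold on every established TCP connection and raises a notice when it is crossed. The module name, the Threshold_Crossed notice type and the 10 MB default are constructed for the example.

```zeek
@load base/frameworks/notice
@load base/protocols/conn/thresholds

module LargeUpload;

export {
    redef enum Notice::Type += {
        ## Raised once when the originator of a connection has sent
        ## more than large_upload_bytes.
        Threshold_Crossed,
    };

    ## Byte count after which a notice is raised. Constructed default;
    ## tune it with a redef for your environment.
    const large_upload_bytes: count = 10 * 1024 * 1024 &redef;
}

event connection_established(c: connection)
    {
    # Arm the originator-side (is_orig=T) byte threshold through the
    # ConnThreshold API. It sits on top of set_current_conn_bytes_threshold
    # and, unlike the raw call, keeps several thresholds per connection.
    if ( ! ConnThreshold::set_bytes_threshold(c, large_upload_bytes, T) )
        Reporter::warning(fmt("could not arm byte threshold on %s", c$uid));
    }

event ConnThreshold::bytes_threshold_crossed(c: connection, threshold: count, is_orig: bool)
    {
    # The same event fires for responder-side thresholds set by other
    # scripts; only the originator direction matters here.
    if ( ! is_orig )
        return;

    NOTICE([$note=Threshold_Crossed,
            $conn=c,
            $msg=fmt("%s sent more than %d bytes to %s:%s",
                     c$id$orig_h, threshold, c$id$resp_h, c$id$resp_p),
            $identifier=c$uid]);
    }
```
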
Zeek::DCE_RPC

DCE-RPC analyzer

Components

Analyzer::ANALYZER_DCE_RPC

Options/Constants
DCE_RPC::max_cmd_reassembly
Type

count

Attributes

&redef

Default

20

The maximum number of simultaneous fragmented commands that the DCE_RPC analyzer will tolerate before it generates a weird and skips further input.

DCE_RPC::max_frag_data
Type

count

Attributes

&redef

Default

30000

The maximum number of fragmented bytes that the DCE_RPC analyzer will tolerate on a command before the analyzer will generate a weird and skip further input.

Types
DCE_RPC::PType
Type

enum

DCE_RPC::REQUEST
DCE_RPC::PING
DCE_RPC::RESPONSE
DCE_RPC::FAULT
DCE_RPC::WORKING
DCE_RPC::NOCALL
DCE_RPC::REJECT
DCE_RPC::ACK
DCE_RPC::CL_CANCEL
DCE_RPC::FACK
DCE_RPC::CANCEL_ACK
DCE_RPC::BIND
DCE_RPC::BIND_ACK
DCE_RPC::BIND_NAK
DCE_RPC::ALTER_CONTEXT
DCE_RPC::ALTER_CONTEXT_RESP
DCE_RPC::AUTH3
DCE_RPC::SHUTDOWN
DCE_RPC::CO_CANCEL
DCE_RPC::ORPHANED
DCE_RPC::RTS
DCE_RPC::IfID
Type

enum

DCE_RPC::unknown_if
DCE_RPC::epmapper
DCE_RPC::lsarpc
DCE_RPC::lsa_ds
DCE_RPC::mgmt
DCE_RPC::netlogon
DCE_RPC::samr
DCE_RPC::srvsvc
DCE_RPC::spoolss
DCE_RPC::drs
DCE_RPC::winspipe
DCE_RPC::wkssvc
DCE_RPC::oxid
DCE_RPC::ISCMActivator
Events
dce_rpc_message
Type

event (c: connection, is_orig: bool, fid: count, ptype_id: count, ptype: DCE_RPC::PType)

Generated for every DCE-RPC message.

C

The connection.

Is_orig

True if the message was sent by the originator of the TCP connection.

Fid

File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

Ptype_id

Numeric representation of the procedure type of the message.

Ptype

Enum representation of the procedure type of the message.

dce_rpc_bind
Type

event (c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count)

Generated for every DCE-RPC bind request message. Since RPC offers the ability for a client to request connections to multiple endpoints, this event can occur multiple times for a single RPC message.

C

The connection.

Fid

File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

Ctx_id

The context identifier of the data representation.

Uuid

The UUID of the endpoint being requested, as a string.

Ver_major

The major version of the endpoint being requested.

Ver_minor

The minor version of the endpoint being requested.

dce_rpc_alter_context
Type

event (c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count)

Generated for every DCE-RPC alter context request message. Since RPC offers the ability for a client to request connections to multiple endpoints, this event can occur multiple times for a single RPC message.

C

The connection.

Fid

File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

Ctx_id

The context identifier of the data representation.

Uuid

The UUID of the endpoint being requested, as a string.

Ver_major

The major version of the endpoint being requested.

Ver_minor

The minor version of the endpoint being requested.

dce_rpc_bind_ack
Type

event (c: connection, fid: count, sec_addr: string)

Generated for every DCE-RPC bind request ack message.

C

The connection.

Fid

File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

Sec_addr

Secondary address for the ack.

dce_rpc_alter_context_resp
Type

event (c: connection, fid: count)

Generated for every DCE-RPC alter context response message.

C

The connection.

Fid

File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

dce_rpc_request
Type

event (c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count)

Generated for every DCE-RPC request message.

C

The connection.

Fid

File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

Ctx_id

The context identifier of the data representation.

Opnum

Number of the RPC operation.

Stub_len

Length of the data for the request.

dce_rpc_response
Type

event (c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count)

Generated for every DCE-RPC response message.

C

The connection.

Fid

File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

Ctx_id

The context identifier of the data representation.

Opnum

Number of the RPC operation.

Stub_len

Length of the data for the response.

dce_rpc_request_stub
Type

event (c: connection, fid: count, ctx_id: count, opnum: count, stub: string)

Generated for every DCE-RPC request message.

C

The connection.

Fid

File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

Ctx_id

The context identifier of the data representation.

Opnum

Number of the RPC operation.

Stub

The data for the request.

dce_rpc_response_stub
Type

event (c: connection, fid: count, ctx_id: count, opnum: count, stub: string)

Generated for every DCE-RPC response message.

C

The connection.

Fid

File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

Ctx_id

The context identifier of the data representation.

Opnum

Number of the RPC operation.

Stub

The data for the response.

See also:
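The request and response events above carry no call identifier, so pairing them at script level has to use what they do expose. The following handler set is an added example (not part of Zeek's own DCE-RPC scripts; the module name DCERPCTiming and the record fields it adds are hypothetical) that pairs each dce_rpc_request with the dce_rpc_response carrying the same ctx_id and opnum on the same connection, records the worst round-trip time, and notes whether the traffic travelled over an SMB pipe (fid != 0) or directly over TCP (fid == 0):

```zeek
@load base/protocols/dce-rpc

# Hypothetical module name; not part of Zeek's own scripts.
module DCERPCTiming;

export {
    ## Outstanding requests on one connection, keyed by (ctx_id, opnum) and
    ## holding the time at which the request was seen.
    type Pending: table[count, count] of time;
}

# Keep the state inside the connection record so that Zeek drops it together
# with the connection.
redef record connection += {
    dce_rpc_pending:   Pending  &optional;
    dce_rpc_rtt_max:   interval &default=0sec;
    dce_rpc_over_pipe: bool     &default=F;
};

event dce_rpc_request(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count)
    {
    if ( ! c?$dce_rpc_pending )
        c$dce_rpc_pending = table();

    # fid is zero when the PDU was not carried by a named pipe, i.e. the
    # RPC traffic runs directly over TCP rather than through SMB.
    if ( fid != 0 )
        c$dce_rpc_over_pipe = T;

    c$dce_rpc_pending[ctx_id, opnum] = network_time();
    }

event dce_rpc_response(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count)
    {
    # A response without a matching request is normal when the capture
    # started mid-stream; just ignore it.
    if ( ! c?$dce_rpc_pending || [ctx_id, opnum] !in c$dce_rpc_pending )
        return;

    local rtt = network_time() - c$dce_rpc_pending[ctx_id, opnum];
    delete c$dce_rpc_pending[ctx_id, opnum];

    if ( rtt > c$dce_rpc_rtt_max )
        c$dce_rpc_rtt_max = rtt;
    }

event connection_state_remove(c: connection)
    {
    if ( ! c?$dce_rpc_pending )
        return;

    # Summary for connections that carried at least one DCE-RPC request.
    print fmt("%s %s -> %s transport=%s max_rtt=%s unanswered=%d",
              c$uid, c$id$orig_h, c$id$resp_h,
              c$dce_rpc_over_pipe ? "smb-pipe" : "tcp",
              c$dce_rpc_rtt_max, |c$dce_rpc_pending|);
    }
```

Because the events do not expose the DCE-RPC call_id, two concurrent requests with the same ctx_id and opnum on one connection overwrite each other in the table, so the measured round-trip time is approximate under pipelining; the "unanswered" count at connection end is the more robust indicator of requests that never received a response.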

Zeek::DHCP

DHCP analyzer

Components

Analyzer::ANALYZER_DHCP

Types
DHCP::Msg
Type

record

op: count

Message OP code. 1 = BOOTREQUEST, 2 = BOOTREPLY

m_type: count

The type of DHCP message.

xid: count

Transaction ID of a DHCP session.

secs: interval

Number of seconds since client began address acquisition or renewal process

flags: count

ciaddr: addr

Original IP address of the client.

yiaddr: addr

IP address assigned to the client.

siaddr: addr

IP address of the server.

giaddr: addr

IP address of the relaying gateway.

chaddr: string

Client hardware address.

sname: string &default = "" &optional

Server host name.

file_n: string &default = "" &optional

Boot file name.

A DHCP message.

See also: dhcp_message

DHCP::Addrs
Type

vector of addr

A list of addresses offered by a DHCP server. Could be routers, DNS servers, or other.

See also:

DHCP::SubOpt
Type

record

code: count

value: string

DHCP Relay Agent Information Option (Option 82)

See also: dhcp_message

DHCP::SubOpts
Type

vector of DHCP::SubOpt

DHCP::ClientFQDN
Type

record

flags: count

An unparsed bitfield of flags (refer to RFC 4702).

rcode1: count

This field is deprecated in the standard.

rcode2: count

This field is deprecated in the standard.

domain_name: string

The Domain Name part of the option carries all or part of the FQDN of a DHCP client.

DHCP Client FQDN Option information (Option 81)

DHCP::ClientID
Type

record

hwtype: count

hwaddr: string

DHCP Client Identifier (Option 61)

See also: dhcp_message

DHCP::Options
Type

record

options: index_vec &optional

The ordered list of all DHCP option numbers.

subnet_mask: addr &optional

Subnet Mask Value (option 1)

routers: DHCP::Addrs &optional

Router addresses (option 3)

dns_servers: DHCP::Addrs &optional

DNS Server addresses (option 6)

host_name: string &optional

The Hostname of the client (option 12)

domain_name: string &optional

The DNS domain name of the client (option 15)

forwarding: bool &optional

Enable/Disable IP Forwarding (option 19)

broadcast: addr &optional

Broadcast Address (option 28)

vendor: string &optional

Vendor specific data. This can frequently be unparsed binary data. (option 43)

nbns: DHCP::Addrs &optional

NETBIOS name server list (option 44)

addr_request: addr &optional

Address requested by the client (option 50)

lease: interval &optional

Lease time offered by the server. (option 51)

serv_addr: addr &optional

Server address to allow clients to distinguish between lease offers. (option 54)

param_list: index_vec &optional

DHCP Parameter Request list (option 55)

message: string &optional

Textual error message (option 56)

max_msg_size: count &optional

Maximum Message Size (option 57)

renewal_time: interval &optional

This option specifies the time interval from address assignment until the client transitions to the RENEWING state. (option 58)

rebinding_time: interval &optional

This option specifies the time interval from address assignment until the client transitions to the REBINDING state. (option 59)

vendor_class: string &optional

This option is used by DHCP clients to optionally identify the vendor type and configuration of a DHCP client. (option 60)

client_id: DHCP::ClientID &optional

DHCP Client Identifier (Option 61)

user_class: string &optional

User Class opaque value (Option 77)

client_fqdn: DHCP::ClientFQDN &optional

DHCP Client FQDN (Option 81)

sub_opt: DHCP::SubOpts &optional

DHCP Relay Agent Information Option (Option 82)

auto_config: bool &optional

Auto Config option to let host know if it’s allowed to auto assign an IP address. (Option 116)

auto_proxy_config: string &optional

URL to find a proxy.pac for auto proxy config (Option 252)

time_offset: int &optional

The offset of the client’s subnet in seconds from UTC. (Option 2)

time_servers: DHCP::Addrs &optional

A list of RFC 868 time servers available to the client. (Option 4)

name_servers: DHCP::Addrs &optional

A list of IEN 116 name servers available to the client. (Option 5)

ntp_servers: DHCP::Addrs &optional

A list of IP addresses indicating NTP servers available to the client. (Option 42)

Events
dhcp_message
Type

event (c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)

Generated for all DHCP messages.

C

The connection record describing the underlying UDP flow.

Is_orig

Indicates whether the message came in a packet from the originator/client of the UDP flow or from the responder/server.

Msg

The parsed type-independent part of the DHCP message. The message type is indicated in this record.

Options

The full set of supported and parsed DHCP options.
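One defensive use of dhcp_message is spotting lease offers from servers that should not be handing out leases. The script below is an added example, not part of Zeek's own DHCP scripts; the module name DHCPServers, the notice type and the addresses in authorized_servers are constructed for illustration. It inspects only server replies (op == 2, is_orig == F), takes the server identity from option 54 when present (falling back to the responder address, which is the relay agent for relayed traffic), and raises a notice when that address is not on the allow-list:

```zeek
@load base/frameworks/notice
@load base/protocols/dhcp

# Hypothetical module name; not part of Zeek's own scripts.
module DHCPServers;

export {
    redef enum Notice::Type += {
        ## A DHCP OFFER, ACK or NAK came from a server not on the allow-list.
        Unauthorized_Server,
    };

    ## Servers allowed to hand out leases. Constructed sample values;
    ## redef this to the real DHCP servers of the monitored network.
    const authorized_servers: set[addr] = { 10.0.0.1, 10.0.0.2 } &redef;

    ## Server-originated message types from RFC 2132 section 9.6.
    const reply_types: table[count] of string = {
        [2] = "OFFER", [5] = "ACK", [6] = "NAK",
    } &default = "OTHER";
}

event dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)
    {
    # op == 2 is BOOTREPLY. Client messages (op == 1) and reply types
    # that carry no lease decision are not of interest here.
    if ( is_orig || msg$op != 2 || msg$m_type !in reply_types )
        return;

    # Prefer the server identifier (option 54). Without it fall back to the
    # responder address, which is the relay agent when the exchange was relayed.
    local server = options?$serv_addr ? options$serv_addr : c$id$resp_h;

    if ( server in authorized_servers )
        return;

    NOTICE([$note=Unauthorized_Server, $conn=c,
            $msg=fmt("DHCP %s from unauthorized server %s to client %s (yiaddr %s, xid %x)",
                     reply_types[msg$m_type], server, msg$chaddr, msg$yiaddr, msg$xid),
            $sub=cat(server),
            $identifier=cat(server),
            $suppress_for=1hr]);
    }
```

The $identifier and $suppress_for fields collapse repeated notices for the same server into one per hour. Note that a server reply seen at a relay-to-client hop still carries the original server in option 54, so the fallback to c$id$resp_h only matters for replies that omit the option.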

Zeek::DNP3

DNP3 UDP/TCP analyzers

Components

Analyzer::ANALYZER_DNP3_TCP

Analyzer::ANALYZER_DNP3_UDP

Events
dnp3_application_request_header
Type

event (c: connection, is_orig: bool, application: count, fc: count)

Generated for a DNP3 request header.

C

The connection the DNP3 communication is part of.

Is_orig

True if this reflects originator-side activity.

Fc

The function code.

dnp3_application_response_header
Type

event (c: connection, is_orig: bool, application: count, fc: count, iin: count)

Generated for a DNP3 response header.

C

The connection the DNP3 communication is part of.

Is_orig

True if this reflects originator-side activity.

Fc

The function code.

Iin

The internal indication number.

dnp3_object_header
Type

event (c: connection, is_orig: bool, obj_type: count, qua_field: count, number: count, rf_low: count, rf_high: count)

Generated for the object header found in both DNP3 requests and responses.

C

The connection the DNP3 communication is part of.

Is_orig

True if this reflects originator-side activity.

Obj_type

The type of object, which is classified based on an 8-bit group number and an 8-bit variation number.

Qua_field

The qualifier field.

Number

TODO.

Rf_low

The structure of the range field depends on the qualifier field. In some cases the range field contains only one logical part, e.g., the number of objects, so only rf_low carries a useful value.

Rf_high

In other cases the range field contains two logical parts, e.g., a start index and a stop index; rf_low then holds the start index and rf_high the stop index.

dnp3_object_prefix
Type

event (c: connection, is_orig: bool, prefix_value: count)

Generated for the prefix before a DNP3 object. The structure and the meaning of the prefix are defined by the qualifier field.

C

The connection the DNP3 communication is part of.

Is_orig

True if this reflects originator-side activity.

Prefix_value

The prefix.

dnp3_header_block
Type

event (c: connection, is_orig: bool, len: count, ctrl: count, dest_addr: count, src_addr: count)

Generated for an additional header that the DNP3 analyzer passes to the script-level. This header mimics the DNP3 transport-layer yet is only passed once for each sequence of DNP3 records (which are otherwise reassembled and treated as a single entity).

C

The connection the DNP3 communication is part of.

Is_orig

True if this reflects originator-side activity.

Len

The “length” field in the DNP3 Pseudo Link Layer.

Ctrl

The “control” field in the DNP3 Pseudo Link Layer.

Dest_addr

The “destination” field in the DNP3 Pseudo Link Layer.

Src_addr

The “source” field in the DNP3 Pseudo Link Layer.

dnp3_response_data_object
Type

event (c: connection, is_orig: bool, data_value: count)

Generated for a DNP3 “Response_Data_Object”. The “Response_Data_Object” contains two parts: object prefix and object data. In most cases, object data are defined by new record types. But in a few cases, object data are directly basic types, such as int16_t, or int8_t; thus we use an additional data_value to record the values of those object data.

C

The connection the DNP3 communication is part of.

Is_orig

True if this reflects originator-side activity.

Data_value

The value for those objects that carry their information here directly.

dnp3_attribute_common
Type

event (c: connection, is_orig: bool, data_type_code: count, leng: count, attribute_obj: string)

Generated for DNP3 attributes.

dnp3_crob
Type

event (c: connection, is_orig: bool, control_code: count, count8: count, on_time: count, off_time: count, status_code: count)

Generated for DNP3 objects with the group number 12 and variation number 1

CROB

control relay output block

dnp3_pcb
Type

event (c: connection, is_orig: bool, control_code: count, count8: count, on_time: count, off_time: count, status_code: count)

Generated for DNP3 objects with the group number 12 and variation number 2

PCB

Pattern Control Block
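The object events above (dnp3_crob, dnp3_pcb) carry the actuation parameters but not the function code of the request they belong to; that arrives separately in dnp3_application_request_header. The script below is an added example, not part of Zeek's own DNP3 scripts (the module name DNP3Control, the log name dnp3_control and the added connection field are hypothetical), which remembers the last request function code per connection and writes one log line for every control relay output block or pattern control block sent by the master, decoding the function code with a small table of IEEE 1815 values chosen for this example. It assumes the master is the side that opened the TCP connection, so its commands arrive with is_orig == T:

```zeek
@load base/protocols/dnp3

# Hypothetical module and log name; not part of Zeek's own scripts.
module DNP3Control;

export {
    redef enum Log::ID += { LOG };

    ## One record per control object (CROB: group 12 variation 1,
    ## PCB: group 12 variation 2) sent by the master.
    type Info: record {
        ts:           time    &log;
        uid:          string  &log;
        id:           conn_id &log;
        fc:           count   &log;   # application-layer function code of the request
        fc_name:      string  &log;
        obj:          string  &log;   # "crob" or "pcb"
        control_code: count   &log;
        count8:       count   &log;
        on_time:      count   &log;
        off_time:     count   &log;
    };

    ## Function codes that change outstation state (IEEE 1815 values; a
    ## subset chosen for this example, everything else decodes as OTHER).
    const control_fc_names: table[count] of string = {
        [2]  = "WRITE",
        [3]  = "SELECT",
        [4]  = "OPERATE",
        [5]  = "DIRECT_OPERATE",
        [6]  = "DIRECT_OPERATE_NR",
        [13] = "COLD_RESTART",
        [14] = "WARM_RESTART",
    } &default = "OTHER";
}

# Remember the most recent request function code so that object events,
# which carry no function code themselves, can be attributed to it.
redef record connection += {
    dnp3_last_fc: count &optional;
};

event zeek_init()
    {
    Log::create_stream(DNP3Control::LOG, [$columns=Info, $path="dnp3_control"]);
    }

event dnp3_application_request_header(c: connection, is_orig: bool, application: count, fc: count)
    {
    if ( is_orig )
        c$dnp3_last_fc = fc;
    }

function record_control(c: connection, obj: string, control_code: count,
                        count8: count, on_time: count, off_time: count)
    {
    # fc stays 0 if the object arrived before any request header was seen.
    local fc = c?$dnp3_last_fc ? c$dnp3_last_fc : 0;

    Log::write(DNP3Control::LOG, [$ts=network_time(), $uid=c$uid, $id=c$id,
                                  $fc=fc, $fc_name=control_fc_names[fc], $obj=obj,
                                  $control_code=control_code, $count8=count8,
                                  $on_time=on_time, $off_time=off_time]);
    }

event dnp3_crob(c: connection, is_orig: bool, control_code: count, count8: count,
                on_time: count, off_time: count, status_code: count)
    {
    # Only the master's command matters; the outstation echoes the object
    # in its response, where status_code carries the result.
    if ( is_orig )
        record_control(c, "crob", control_code, count8, on_time, off_time);
    }

event dnp3_pcb(c: connection, is_orig: bool, control_code: count, count8: count,
               on_time: count, off_time: count, status_code: count)
    {
    if ( is_orig )
        record_control(c, "pcb", control_code, count8, on_time, off_time);
    }
```

Writing a dedicated log rather than a notice is deliberate: every control operation on an outstation is worth retaining for later comparison against the expected set of masters and function codes, and the fc_name column makes SELECT-before-OPERATE sequences easy to read out of the log.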

dnp3_counter_32wFlag
Type

event (c: connection, is_orig: bool, flag: count, count_value: count)

Generated for DNP3 objects with the group number 20 and variation number 1 counter 32 bit with flag

dnp3_counter_16wFlag
Type

event (c: connection, is_orig: bool, flag: count, count_value: count)

Generated for DNP3 objects with the group number 20 and variation number 2 counter 16 bit with flag

dnp3_counter_32woFlag
Type

event (c: connection, is_orig: bool, count_value: count)

Generated for DNP3 objects with the group number 20 and variation number 5 counter 32 bit without flag

dnp3_counter_16woFlag
Type

event (c: connection, is_orig: bool, count_value: count)

Generated for DNP3 objects with the group number 20 and variation number 6 counter 16 bit without flag

dnp3_frozen_counter_32wFlag
Type

event (c: connection, is_orig: bool, flag: count, count_value: count)

Generated for DNP3 objects with the group number 21 and variation number 1 frozen counter 32 bit with flag

dnp3_frozen_counter_16wFlag
Type

event (c: connection, is_orig: bool, flag: count, count_value: count)

Generated for DNP3 objects with the group number 21 and variation number 2 frozen counter 16 bit with flag

dnp3_frozen_counter_32wFlagTime
Type

event (c: connection, is_orig: bool, flag: count, count_value: count, time48: count)

Generated for DNP3 objects with the group number 21 and variation number 5 frozen counter 32 bit with flag and time

dnp3_frozen_counter_16wFlagTime
Type

event (c: connection, is_orig: bool, flag: count, count_value: count, time48: count)

Generated for DNP3 objects with the group number 21 and variation number 6 frozen counter 16 bit with flag and time

dnp3_frozen_counter_32woFlag
Type

event (c: connection, is_orig: bool, count_value: count)

Generated for DNP3 objects with the group number 21 and variation number 9 frozen counter 32 bit without flag

dnp3_frozen_counter_16woFlag
Type

event (c: connection, is_orig: bool, count_value: count)

Generated for DNP3 objects with the group number 21 and variation number 10 frozen counter 16 bit without flag

dnp3_analog_input_32wFlag
Type

event (c: connection, is_orig: bool, flag: count, value: count)

Generated for DNP3 objects with the group number 30 and variation number 1 analog input 32 bit with flag

dnp3_analog_input_16wFlag
Type

event (c: connection, is_orig: bool, flag: count, value: count)

Generated for DNP3 objects with the group number 30 and variation number 2 analog input 16 bit with flag

dnp3_analog_input_32woFlag
Type

event (c: connection, is_orig: bool, value: count)

Generated for DNP3 objects with the group number 30 and variation number 3 analog input 32 bit without flag

dnp3_analog_input_16woFlag
Type

event (c: connection, is_orig: bool, value: count)

Generated for DNP3 objects with the group number 30 and variation number 4 analog input 16 bit without flag

dnp3_analog_input_SPwFlag
Type

event (c: connection, is_orig: bool, flag: count, value: count)

Generated for DNP3 objects with the group number 30 and variation number 5: analog input, single-precision floating point, with flag.

dnp3_analog_input_DPwFlag
Type

event (c: connection, is_orig: bool, flag: count, value_low: count, value_high: count)

Generated for DNP3 objects with the group number 30 and variation number 6: analog input, double-precision floating point, with flag.

dnp3_frozen_analog_input_32wFlag
Type

event (c: connection, is_orig: bool, flag: count, frozen_value: count)

Generated for DNP3 objects with the group number 31 and variation number 1 frozen analog input 32 bit with flag

dnp3_frozen_analog_input_16wFlag
Type

event (c: connection, is_orig: bool, flag: count, frozen_value: count)

Generated for DNP3 objects with the group number 31 and variation number 2 frozen analog input 16 bit with flag

dnp3_frozen_analog_input_32wTime
Type

event (c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count)

Generated for DNP3 objects with the group number 31 and variation number 3 frozen analog input 32 bit with time-of-freeze

dnp3_frozen_analog_input_16wTime
Type

event (c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count)

Generated for DNP3 objects with the group number 31 and variation number 4 frozen analog input 16 bit with time-of-freeze

dnp3_frozen_analog_input_32woFlag
Type

event (c: connection, is_orig: bool, frozen_value: count)

Generated for DNP3 objects with the group number 31 and variation number 5 frozen analog input 32 bit without flag

dnp3_frozen_analog_input_16woFlag
Type

event (c: connection, is_orig: bool, frozen_value: count)

Generated for DNP3 objects with the group number 31 and variation number 6 frozen analog input 16 bit without flag

dnp3_frozen_analog_input_SPwFlag
Type

event (c: connection, is_orig: bool, flag: count, frozen_value: count)

Generated for DNP3 objects with the group number 31 and variation number 7: frozen analog input, single-precision floating point, with flag.

dnp3_frozen_analog_input_DPwFlag
Type

event (c: connection, is_orig: bool, flag: count, frozen_value_low: count, frozen_value_high: count)

Generated for DNP3 objects with the group number 31 and variation number 8: frozen analog input, double-precision floating point, with flag.

dnp3_analog_input_event_32woTime
Type

event (c: connection, is_orig: bool, flag: count, value: count)

Generated for DNP3 objects with the group number 32 and variation number 1 analog input event 32 bit without time

dnp3_analog_input_event_16woTime
Type

event (c: connection, is_orig: bool, flag: count, value: count)

Generated for DNP3 objects with the group number 32 and variation number 2 analog input event 16 bit without time

dnp3_analog_input_event_32wTime
Type

event (c: connection, is_orig: bool, flag: count, value: count, time48: count)

Generated for DNP3 objects with the group number 32 and variation number 3 analog input event 32 bit with time

dnp3_analog_input_event_16wTime
Type

event (c: connection, is_orig: bool, flag: count, value: count, time48: count)

Generated for DNP3 objects with the group number 32 and variation number 4 analog input event 16 bit with time

dnp3_analog_input_event_SPwoTime
Type

event (c: connection, is_orig: bool, flag: count, value: count)

Generated for DNP3 objects with the group number 32 and variation number 5: analog input event, single-precision floating point, without time.

dnp3_analog_input_event_DPwoTime
Type

event (c: connection, is_orig: bool, flag: count, value_low: count, value_high: count)

Generated for DNP3 objects with the group number 32 and variation number 6: analog input event, double-precision floating point, without time.

dnp3_analog_input_event_SPwTime
Type

event (c: connection, is_orig: bool, flag: count, value: count, time48: count)

Generated for DNP3 objects with the group number 32 and variation number 7: analog input event, single-precision floating point, with time.

dnp3_analog_input_event_DPwTime
Type

event (c: connection, is_orig: bool, flag: count, value_low: count, value_high: count, time48: count)

Generated for DNP3 objects with the group number 32 and variation number 8: analog input event, double-precision floating point, with time.

dnp3_frozen_analog_input_event_32woTime
Type

event (c: connection, is_orig: bool, flag: count, frozen_value: count)

Generated for DNP3 objects with the group number 33 and variation number 1 frozen analog input event 32 bit without time

dnp3_frozen_analog_input_event_16woTime
Type

event (c: connection, is_orig: bool, flag: count, frozen_value: count)

Generated for DNP3 objects with the group number 33 and variation number 2 frozen analog input event 16 bit without time

dnp3_frozen_analog_input_event_32wTime
Type

event (c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count)

Generated for DNP3 objects with the group number 33 and variation number 3 frozen analog input event 32 bit with time

dnp3_frozen_analog_input_event_16wTime
Type

event (c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count)

Generated for DNP3 objects with the group number 33 and variation number 4 frozen analog input event 16 bit with time

dnp3_frozen_analog_input_event_SPwoTime
Type

event (c: connection, is_orig: bool, flag: count, frozen_value: count)

Generated for DNP3 objects with the group number 33 and variation number 5: frozen analog input event, single-precision floating point, without time.

dnp3_frozen_analog_input_event_DPwoTime
Type

event (c: connection, is_orig: bool, flag: count, frozen_value_low: count, frozen_value_high: count)

Generated for DNP3 objects with the group number 33 and variation number 6: frozen analog input event, double-precision floating point, without time.

dnp3_frozen_analog_input_event_SPwTime
Type

event (c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count)

Generated for DNP3 objects with the group number 33 and variation number 7: frozen analog input event, single-precision floating point, with time.

dnp3_frozen_analog_input_event_DPwTime
Type

event (c: connection, is_orig: bool, flag: count, frozen_value_low: count, frozen_value_high: count, time48: count)

Generated for DNP3 objects with the group number 34 and variation number 8: frozen analog input event, double-precision floating point, with time.

dnp3_file_transport
Type

event (c: connection, is_orig: bool, file_handle: count, block_num: count, file_data: string)

Generated for DNP3 file transport objects (group 70).

dnp3_debug_byte
Type

event (c: connection, is_orig: bool, debug: string)

Debugging event generated by the DNP3 analyzer. The “Debug_Byte” binpac unit generates this for unknown “cases”. The user can use it to debug the byte string to check what caused the malformed network packets.

Zeek::DNS

DNS analyzer

Components

Analyzer::ANALYZER_CONTENTS_DNS

Analyzer::ANALYZER_DNS

Events
dns_message
Type

event (c: connection, is_orig: bool, msg: dns_msg, len: count)

Generated for all DNS messages.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Is_orig

True if the message was sent by the originator of the connection.

Msg

The parsed DNS message header.

Len

The length of the message’s raw representation (i.e., the DNS payload).

See also:

dns_request
Type

event (c: connection, msg: dns_msg, query: string, qtype: count, qclass: count, original_query: string)

Type

event (c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)

Generated for DNS requests. For requests with multiple queries, this event is raised once for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Query

The queried name (normalized to all lowercase).

Qtype

The queried resource record type.

Qclass

The queried resource record class.

Original_query

The queried name, with the original case kept intact.

See also:

dns_rejected
Type

event (c: connection, msg: dns_msg, query: string, qtype: count, qclass: count, original_query: string)

Type

event (c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)

Generated for DNS replies that reject a query. This event is raised if a DNS reply indicates failure because it does not pass on any answers to a query. Note that all of the event’s parameters are parsed out of the reply; there’s no stateful correlation with the query.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Query

The queried name (normalized to all lowercase).

Qtype

The queried resource record type.

Qclass

The queried resource record class.

Original_query

The queried name, with the original case kept intact.

See also:
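As the description above notes, dns_rejected is parsed purely from the reply; any correlation with the request has to be done in script land. The handler set below is an added example, not part of Zeek's own DNS scripts (the module name DNSRejects, the two notice types and the threshold values are constructed for illustration). It records the transaction ids of requests seen on each flow, flags a rejection whose id matches no outstanding request, and counts rejections per client in an expiring table so that a client accumulating many failed lookups in a short window raises a single notice:

```zeek
@load base/frameworks/notice
@load base/protocols/dns

# Hypothetical module name; not part of Zeek's own scripts.
module DNSRejects;

export {
    redef enum Notice::Type += {
        ## A rejection arrived whose transaction id matched no request on the flow.
        Unsolicited_Rejection,
        ## A client accumulated many rejected queries within reject_window.
        Excessive_Rejected_Queries,
    };

    ## Constructed thresholds for this example; tune to the environment.
    const reject_threshold = 50 &redef;
    const reject_window = 5min &redef;
}

# Rejections per client address; each entry disappears reject_window after
# it was created, which bounds both memory and the counting window.
global rejects: table[addr] of count &create_expire=reject_window &default=0;

# Transaction ids of requests seen on this flow and not yet answered.
redef record connection += {
    dns_pending_ids: set[count] &optional;
};

event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
    {
    if ( ! c?$dns_pending_ids )
        c$dns_pending_ids = set();

    add c$dns_pending_ids[msg$id];
    }

event dns_rejected(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
    {
    local client = c$id$orig_h;

    # No request with this id was seen on the flow: the reply was not
    # solicited here, which deserves its own notice rather than a count.
    if ( ! c?$dns_pending_ids || msg$id !in c$dns_pending_ids )
        {
        NOTICE([$note=Unsolicited_Rejection, $conn=c,
                $msg=fmt("DNS rejection (rcode %d) for %s with unknown transaction id %d",
                         msg$rcode, query, msg$id)]);
        return;
        }

    delete c$dns_pending_ids[msg$id];

    rejects[client] += 1;

    if ( rejects[client] == reject_threshold )
        NOTICE([$note=Excessive_Rejected_Queries, $conn=c,
                $msg=fmt("%s had %d rejected DNS queries within %s (last: %s)",
                         client, reject_threshold, reject_window, query),
                $identifier=cat(client),
                $suppress_for=reject_window]);
    }
```

The short five-parameter prototypes are used for both events because the page lists them alongside the six-parameter forms; a handler that also wants original_query switches to the longer prototype with no other change. Because the counter compares against the threshold with ==, the notice fires exactly once per window even though rejections keep arriving.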

dns_query_reply
Type

event (c: connection, msg: dns_msg, query: string, qtype: count, qclass: count, original_query: string)

Type

event (c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)

Generated for each entry in the Question section of a DNS reply.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Query

The queried name.

Qtype

The queried resource record type.

Qclass

The queried resource record class.

Original_query

The queried name, with the original case kept intact.

See also:

dns_A_reply
Type

event (c: connection, msg: dns_msg, ans: dns_answer, a: addr)

Generated for DNS replies of type A. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

A

The address returned by the reply.

See also:

dns_AAAA_reply
Type

event (c: connection, msg: dns_msg, ans: dns_answer, a: addr)

Generated for DNS replies of type AAAA. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

A

The address returned by the reply.

See also:
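The A and AAAA reply events deliver the resolved address together with the answer record, which is exactly what a check for names resolving into internal address space needs. The script below is an added example, not part of Zeek's own DNS scripts; the module name DNSRebind, the notice type and the internal_zones values are constructed, and the internal_space set combines the RFC 1918, loopback and IPv6 ULA/loopback ranges. It handles both events with one shared function and raises a notice when a name outside the allow-listed zones resolves to an internal address:

```zeek
@load base/frameworks/notice
@load base/protocols/dns

# Hypothetical module name; not part of Zeek's own scripts.
module DNSRebind;

export {
    redef enum Notice::Type += {
        ## A name outside the internal zones resolved to an internal address.
        Private_Answer_For_External_Name,
    };

    ## Address ranges an external name should never resolve to:
    ## RFC 1918, IPv4 loopback, IPv6 unique-local and IPv6 loopback.
    const internal_space: set[subnet] = {
        10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8,
        [fc00::]/7, [::1]/128,
    } &redef;

    ## Zones whose names legitimately map to internal space
    ## (constructed sample values; redef for the monitored network).
    const internal_zones: set[string] = { "corp.example", "internal.example" } &redef;
}

# True when name equals one of the internal zones or lies beneath it.
function in_internal_zone(name: string): bool
    {
    for ( z in internal_zones )
        {
        if ( name == z || ends_with(name, "." + z) )
            return T;
        }

    return F;
    }

function check_answer(c: connection, ans: dns_answer, a: addr)
    {
    # Membership of an addr in a set[subnet] matches any containing prefix.
    if ( a !in internal_space )
        return;

    if ( in_internal_zone(ans$query) )
        return;

    NOTICE([$note=Private_Answer_For_External_Name, $conn=c,
            $msg=fmt("%s resolved to internal address %s (TTL %s)", ans$query, a, ans$TTL),
            $sub=ans$query,
            $identifier=cat(ans$query, a)]);
    }

event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
    {
    check_answer(c, ans, a);
    }

event dns_AAAA_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
    {
    check_answer(c, ans, a);
    }
```

The TTL is included in the message on purpose: a very short TTL on such an answer is the pattern to look at first, since it lets the same name flip between an external and an internal address between two lookups. Some content filters deliberately return 127.0.0.1 for blocked names; if that is in use, add the filter's zone to internal_zones or whitelist by the responding resolver instead.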

dns_A6_reply
Type

event (c: connection, msg: dns_msg, ans: dns_answer, a: addr)

Generated for DNS replies of type A6. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

A

The address returned by the reply.

See also:

dns_NS_reply
Type

event (c: connection, msg: dns_msg, ans: dns_answer, name: string)

Generated for DNS replies of type NS. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

Name

The name returned by the reply.

See also:

dns_CNAME_reply
Type

event (c: connection, msg: dns_msg, ans: dns_answer, name: string)

Generated for DNS replies of type CNAME. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

Name

The name returned by the reply.

See also:

dns_PTR_reply
Type

event (c: connection, msg: dns_msg, ans: dns_answer, name: string)

Generated for DNS replies of type PTR. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

Name

The name returned by the reply.

See also:

dns_SOA_reply
Type

event (c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa)

Generated for DNS replies of type SOA. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

Soa

The parsed SOA value.

See also:

dns_WKS_reply
Type

event (c: connection, msg: dns_msg, ans: dns_answer)

Generated for DNS replies of type WKS. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

See also:

dns_HINFO_reply
Type

event (c: connection, msg: dns_msg, ans: dns_answer, cpu: string, os: string)

Type

event (c: connection, msg: dns_msg, ans: dns_answer)

Generated for DNS replies of type HINFO. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

See also:

dns_MX_reply
Type

event (c: connection, msg: dns_msg, ans: dns_answer, name: string, preference: count)

Generated for DNS replies of type MX. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

Name

The name returned by the reply.

Preference

The preference for name specified by the reply.

See also:

dns_TXT_reply
Type

event (c: connection, msg: dns_msg, ans: dns_answer, strs: string_vec)

Generated for DNS replies of type TXT. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

Strs

The textual information returned by the reply.

See also:

dns_SPF_reply
Type

event (c: connection, msg: dns_msg, ans: dns_answer, strs: string_vec)

Generated for DNS replies of type SPF. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

Strs

The textual information returned by the reply.

See also:

dns_CAA_reply
Type

event (c: connection, msg: dns_msg, ans: dns_answer, flags: count, tag: string, value: string)

Generated for DNS replies of type CAA (Certification Authority Authorization). For replies with multiple answers, an individual event of the corresponding type is raised for each. See RFC 6844 for more details.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

Flags

The flags byte of the CAA reply.

Tag

The property identifier of the CAA reply.

Value

The property value of the CAA reply.

dns_SRV_reply
Type

event (c: connection, msg: dns_msg, ans: dns_answer, target: string, priority: count, weight: count, p: count)

Generated for DNS replies of type SRV. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

Target

Target of the SRV response – the canonical hostname of the machine providing the service, ending in a dot.

Priority

Priority of the SRV response – the priority of the target host, lower value means more preferred.

Weight

Weight of the SRV response – a relative weight for records with the same priority, higher value means more preferred.

P

Port of the SRV response – the TCP or UDP port on which the service is to be found.

See also:

dns_unknown_reply
Type

event (c: connection, msg: dns_msg, ans: dns_answer)

Generated for DNS reply resource records whose type is not one that Zeek knows how to parse into a more specific event.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

See also:

dns_EDNS_addl
Type

event (c: connection, msg: dns_msg, ans: dns_edns_additional)

Generated for DNS replies of type EDNS. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The parsed EDNS reply.

See also:

dns_EDNS_ecs
Type

event (c: connection, msg: dns_msg, opt: dns_edns_ecs)

Generated for DNS replies of type EDNS. For replies with multiple options, an individual event is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Opt

The parsed EDNS option.

See also:

dns_EDNS_tcp_keepalive
Type

event (c: connection, msg: dns_msg, opt: dns_edns_tcp_keepalive)

Generated for DNS replies of type EDNS whose option field has opt-type 11 (TCP keepalive). For replies with multiple option fields, an individual event is raised for each.

See Wikipedia for more information about the DNS protocol. See RFC7828 for more information about EDNS0 TCP keepalive. Zeek analyzes both UDP and TCP DNS sessions.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Opt

The parsed EDNS Keepalive option.

dns_EDNS_cookie
Type

event (c: connection, msg: dns_msg, opt: dns_edns_cookie)

Generated for DNS replies of type EDNS, and an option field in this EDNS record has an opt-type of 10. For replies with multiple option fields, an individual event is raised for each.

See Wikipedia for more information about the DNS protocol. See RFC7873 for more information about EDNS0 cookies. Zeek analyzes both UDP and TCP DNS sessions.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Opt

The parsed EDNS Cookie option.

dns_TSIG_addl
Type

event (c: connection, msg: dns_msg, ans: dns_tsig_additional)

Generated for DNS replies of type TSIG. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The parsed TSIG reply.

dns_RRSIG
Type

event (c: connection, msg: dns_msg, ans: dns_answer, rrsig: dns_rrsig_rr)

Generated for DNS replies of type RRSIG. For replies with multiple answers, an individual event of the corresponding type is raised for each.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

Rrsig

The parsed RRSIG record.

dns_DNSKEY
Type

event (c: connection, msg: dns_msg, ans: dns_answer, dnskey: dns_dnskey_rr)

Generated for DNS replies of type DNSKEY. For replies with multiple answers, an individual event of the corresponding type is raised for each.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

Dnskey

The parsed DNSKEY record.

dns_NSEC
Type

event (c: connection, msg: dns_msg, ans: dns_answer, next_name: string, bitmaps: string_vec)

Generated for DNS replies of type NSEC. For replies with multiple answers, an individual event of the corresponding type is raised for each.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

Next_name

The parsed next secure domain name.

Bitmaps

A vector of strings, in hex, for the type bit maps present.

dns_NSEC3
Type

event (c: connection, msg: dns_msg, ans: dns_answer, nsec3: dns_nsec3_rr)

Generated for DNS replies of type NSEC3. For replies with multiple answers, an individual event of the corresponding type is raised for each.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

Nsec3

The parsed RDATA of the NSEC3 record.

dns_NSEC3PARAM
Type

event (c: connection, msg: dns_msg, ans: dns_answer, nsec3param: dns_nsec3param_rr)

Generated for DNS replies of type NSEC3PARAM. For replies with multiple answers, an individual event of the corresponding type is raised for each.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

Nsec3param

The parsed RDATA of the NSEC3PARAM record.

dns_DS
Type

event (c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr)

Generated for DNS replies of type DS. For replies with multiple answers, an individual event of the corresponding type is raised for each.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

Ds

The parsed RDATA of the DS record.

dns_BINDS
Type

event (c: connection, msg: dns_msg, ans: dns_answer, binds: dns_binds_rr)

Generated for DNS replies of type BINDS. For replies with multiple answers, an individual event of the corresponding type is raised for each.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

Binds

The parsed RDATA of the BIND-Signing state record.

dns_SSHFP
Type

event (c: connection, msg: dns_msg, ans: dns_answer, algo: count, fptype: count, fingerprint: string)

Generated for DNS replies of type SSHFP. For replies with multiple answers, an individual event of the corresponding type is raised for each.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

Algo

The public key algorithm number of the SSHFP record.

Fptype

The fingerprint type (hash algorithm) number of the SSHFP record.

Fingerprint

The host key fingerprint carried in the record.

dns_LOC
Type

event (c: connection, msg: dns_msg, ans: dns_answer, loc: dns_loc_rr)

Generated for DNS replies of type LOC. For replies with multiple answers, an individual event of the corresponding type is raised for each.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

Loc

The parsed RDATA of the LOC record.

dns_SVCB
Type

event (c: connection, msg: dns_msg, ans: dns_answer, svcb: dns_svcb_rr)

Generated for DNS replies of type SVCB (General Purpose Service Endpoints). See RFC draft for DNS SVCB/HTTPS for more information about DNS SVCB/HTTPS resource records. For replies with multiple answers, an individual event of the corresponding type is raised for each.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

Svcb

The parsed RDATA of the SVCB record.

dns_HTTPS
Type

event (c: connection, msg: dns_msg, ans: dns_answer, https: dns_svcb_rr)

Generated for DNS replies of type HTTPS (HTTPS Specific Service Endpoints). See RFC draft for DNS SVCB/HTTPS for more information about DNS SVCB/HTTPS resource records. Since SVCB and HTTPS records share the same wire-format layout, the argument https is of type dns_svcb_rr. For replies with multiple answers, an individual event of the corresponding type is raised for each.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

Https

The parsed RDATA of the HTTPS record.

dns_end
Type

event (c: connection, msg: dns_msg)

Generated at the end of processing a DNS packet. This event is the last dns_* event that will be raised for a DNS query/reply and signals that all resource records have been passed on.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

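The following Zeek script is an added example, not part of the Zeek documentation or source tree: it uses the per-record events above (dns_RRSIG, dns_DNSKEY, dns_DS, dns_unknown_reply) to build a per-message tally keyed by connection and DNS transaction ID, and reports it from dns_end, which is the signal that every resource record of that message has been delivered. The module, record and table names are this example's own choices.

```zeek
# Added example (not Zeek project code): summarize DNSSEC-related and
# unparsed resource records per DNS message, reporting at dns_end.
module DNSReplySummary;

type Summary: record {
    rrsig: count &default=0;
    dnskey: count &default=0;
    ds: count &default=0;
    unknown: set[count];   # qtype values for which Zeek raised dns_unknown_reply
};

# Keyed by connection and DNS transaction ID (msg$id). The expiry is a
# safety net for messages that never reach dns_end (e.g. truncated captures).
global summaries: table[conn_id, count] of Summary &create_expire=30sec;

function get_summary(c: connection, msg: dns_msg): Summary
    {
    if ( [c$id, msg$id] !in summaries )
        summaries[c$id, msg$id] = Summary($unknown=set());
    return summaries[c$id, msg$id];
    }

event dns_RRSIG(c: connection, msg: dns_msg, ans: dns_answer, rrsig: dns_rrsig_rr)
    {
    local s = get_summary(c, msg);
    ++s$rrsig;
    }

event dns_DNSKEY(c: connection, msg: dns_msg, ans: dns_answer, dnskey: dns_dnskey_rr)
    {
    local s = get_summary(c, msg);
    ++s$dnskey;
    }

event dns_DS(c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr)
    {
    local s = get_summary(c, msg);
    ++s$ds;
    }

event dns_unknown_reply(c: connection, msg: dns_msg, ans: dns_answer)
    {
    # ans is the type-independent part, so only the qtype is known here.
    local s = get_summary(c, msg);
    add s$unknown[ans$qtype];
    }

event dns_end(c: connection, msg: dns_msg)
    {
    # Last dns_* event for this message: all records have been seen.
    if ( [c$id, msg$id] !in summaries )
        return;

    local s = summaries[c$id, msg$id];
    delete summaries[c$id, msg$id];

    print fmt("%s id=%d: %d RRSIG, %d DNSKEY, %d DS, unparsed qtypes=%s",
              c$id$resp_h, msg$id, s$rrsig, s$dnskey, s$ds, s$unknown);
    }
```

Messages without any of these records never get a table entry, so dns_end returns early for ordinary A/AAAA lookups.
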
Zeek::File

Generic file analyzer

Components

Analyzer::ANALYZER_FTP_DATA

Analyzer::ANALYZER_IRC_DATA

Events
file_transferred
Type

event (c: connection, prefix: string, descr: string, mime_type: string)

Generated when a TCP connection associated with a file data transfer is seen (e.g., as happens with FTP or IRC).

C

The connection over which file data is transferred.

Prefix

Up to 1024 bytes of the file data.

Descr

Deprecated/unused argument.

Mime_type

MIME type of the file or “<unknown>” if no file magic signatures matched.

Zeek::Finger

Finger analyzer

Components

Analyzer::ANALYZER_FINGER

Events
finger_request
Type

event (c: connection, full: bool, username: string, hostname: string)

Generated for Finger requests.

See Wikipedia for more information about the Finger protocol.

C

The connection.

Full

True if verbose information is requested (/W switch).

Username

The request’s user name.

Hostname

The request’s host name.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

finger_reply
Type

event (c: connection, reply_line: string)

Generated for Finger replies.

See Wikipedia for more information about the Finger protocol.

C

The connection.

Reply_line

The reply as returned by the server.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

Zeek::FTP

FTP analyzer

Components

Analyzer::ANALYZER_FTP

Analyzer::ANALYZER_FTP_ADAT

Types
ftp_port
Type

record

h: addr

The host’s address.

p: port

The host’s port.

valid: bool

True if the format was right; only then are h and p valid.

A parsed host/port combination describing the server endpoint for an upcoming data transfer.

Events
ftp_request
Type

event (c: connection, command: string, arg: string)

Generated for client-side FTP commands.

See Wikipedia for more information about the FTP protocol.

C

The connection.

Command

The FTP command issued by the client (without any arguments).

Arg

The arguments going with the command.

ftp_reply
Type

event (c: connection, code: count, msg: string, cont_resp: bool)

Generated for server-side FTP replies.

See Wikipedia for more information about the FTP protocol.

C

The connection.

Code

The numerical response code the server responded with.

Msg

The textual message of the response.

Cont_resp

True if the reply line is tagged as being continued to the next line. If so, further events will be raised and a handler may want to reassemble the pieces before processing the response any further.

Functions
parse_ftp_port
Type

function (s: string) : ftp_port

Converts a string representation of the FTP PORT command to an ftp_port.

S

The string of the FTP PORT command, e.g., "10,0,0,1,4,31".

Returns

The FTP PORT, e.g., [h=10.0.0.1, p=1055/tcp, valid=T].

parse_eftp_port
Type

function (s: string) : ftp_port

Converts a string representation of the FTP EPRT command (see RFC 2428) to an ftp_port. The format is "EPRT<space><d><net-prt><d><net-addr><d><tcp-port><d>", where <d> is a delimiter in the ASCII range 33-126 (usually |).

S

The string of the FTP EPRT command, e.g., "|1|10.0.0.1|1055|".

Returns

The FTP PORT, e.g., [h=10.0.0.1, p=1055/tcp, valid=T].

parse_ftp_pasv
Type

function (str: string) : ftp_port

Converts the result of the FTP PASV command to an ftp_port.

Str

The string containing the result of the FTP PASV command.

Returns

The FTP PORT, e.g., [h=10.0.0.1, p=1055/tcp, valid=T].

parse_ftp_epsv
Type

function (str: string) : ftp_port

Converts the result of the FTP EPSV command (see RFC 2428) to an ftp_port. The format is "<text> (<d><d><d><tcp-port><d>)", where <d> is a delimiter in the ASCII range 33-126 (usually |).

Str

The string containing the result of the FTP EPSV command.

Returns

The FTP PORT, e.g., [h=10.0.0.1, p=1055/tcp, valid=T].

fmt_ftp_port
Type

function (a: addr, p: port) : string

Formats an IP address and TCP port as an FTP PORT command. For example, 10.0.0.1 and 1055/tcp yields "10,0,0,1,4,31".

A

The IP address.

P

The TCP port.

Returns

The FTP PORT string.

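An added Zeek script (not from the Zeek documentation or its base scripts) that ties the ftp_request and ftp_reply events to the parse_ftp_port, parse_eftp_port, parse_ftp_pasv and parse_ftp_epsv functions above. It checks the valid flag before touching h or p, waits for the final line of a continued reply, and raises a notice when the announced data-channel host is not the peer that announced it. The module and notice names are this example's own.

```zeek
# Added example (not Zeek project code): validate announced FTP data-channel
# endpoints using the parse_* functions documented above.
module FTPDataEndpoint;

export {
    redef enum Notice::Type += {
        ## The data-channel address announced in PORT/EPRT/PASV does not
        ## belong to the peer that announced it.
        Third_Party_Data_Endpoint,
    };
}

function check_endpoint(c: connection, ep: ftp_port, expected: addr, where: string)
    {
    # h and p are only meaningful when valid is T; a malformed argument is
    # worth reporting but must never be used as an address.
    if ( ! ep$valid )
        {
        print fmt("%s: unparseable %s argument", c$uid, where);
        return;
        }

    if ( ep$h != expected )
        NOTICE([$note=Third_Party_Data_Endpoint,
                $conn=c,
                $msg=fmt("%s announced data endpoint %s:%s, but the peer is %s",
                         where, ep$h, ep$p, expected)]);
    }

event ftp_request(c: connection, command: string, arg: string)
    {
    # arg carries only the argument, e.g. "10,0,0,1,4,31" or "|1|10.0.0.1|1055|".
    if ( command == "PORT" )
        check_endpoint(c, parse_ftp_port(arg), c$id$orig_h, "PORT");
    else if ( command == "EPRT" )
        check_endpoint(c, parse_eftp_port(arg), c$id$orig_h, "EPRT");
    }

event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool)
    {
    # A continued reply is not complete yet; act on its final line only.
    if ( cont_resp )
        return;

    if ( code == 227 )
        check_endpoint(c, parse_ftp_pasv(msg), c$id$resp_h, "PASV");
    else if ( code == 229 )
        {
        # EPSV replies carry only a port; the data host is the server itself,
        # so there is nothing to compare beyond parse validity.
        local ep = parse_ftp_epsv(msg);
        if ( ep$valid )
            print fmt("%s: EPSV data channel at %s:%s", c$uid, c$id$resp_h, ep$p);
        else
            print fmt("%s: unparseable EPSV reply", c$uid);
        }
    }
```
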
Zeek::Gnutella

Gnutella analyzer

Components

Analyzer::ANALYZER_GNUTELLA

Events
gnutella_text_msg
Type

event (c: connection, orig: bool, headers: string)

TODO.

See Wikipedia for more information about the Gnutella protocol.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

gnutella_binary_msg
Type

event (c: connection, orig: bool, msg_type: count, ttl: count, hops: count, msg_len: count, payload: string, payload_len: count, trunc: bool, complete: bool)

TODO.

See Wikipedia for more information about the Gnutella protocol.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

gnutella_partial_binary_msg
Type

event (c: connection, orig: bool, msg: string, len: count)

TODO.

See Wikipedia for more information about the Gnutella protocol.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

gnutella_establish
Type

event (c: connection)

TODO.

See Wikipedia for more information about the Gnutella protocol.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

gnutella_not_establish
Type

event (c: connection)

TODO.

See Wikipedia for more information about the Gnutella protocol.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

gnutella_http_notify
Type

event (c: connection)

TODO.

See Wikipedia for more information about the Gnutella protocol.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

Zeek::GSSAPI

GSSAPI analyzer

Components

Analyzer::ANALYZER_GSSAPI

Events
gssapi_neg_result
Type

event (c: connection, state: count)

Generated for GSSAPI negotiation results.

C

The connection.

State

The resulting state of the negotiation.

Zeek::HTTP

HTTP analyzer

Components

Analyzer::ANALYZER_HTTP

Events
http_request
Type

event (c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)

Generated for HTTP requests. Zeek supports persistent and pipelined HTTP sessions and raises corresponding events as it parses client/server dialogues. This event is generated as soon as a request’s initial line has been parsed, and before any http_header events are raised.

See Wikipedia for more information about the HTTP protocol.

C

The connection.

Method

The HTTP method extracted from the request (e.g., GET, POST).

Original_URI

The unprocessed URI as specified in the request.

Unescaped_URI

The URI with all percent-encodings decoded.

Version

The version number specified in the request (e.g., 1.1).

http_reply
Type

event (c: connection, version: string, code: count, reason: string)

Generated for HTTP replies. Zeek supports persistent and pipelined HTTP sessions and raises corresponding events as it parses client/server dialogues. This event is generated as soon as a reply’s initial line has been parsed, and before any http_header events are raised.

See Wikipedia for more information about the HTTP protocol.

C

The connection.

Version

The version number specified in the reply (e.g., 1.1).

Code

The numerical response code returned by the server.

Reason

The textual description returned by the server along with code.

http_header
Type

event (c: connection, is_orig: bool, original_name: string, name: string, value: string)

Type

event (c: connection, is_orig: bool, name: string, value: string)

Generated for HTTP headers. Zeek supports persistent and pipelined HTTP sessions and raises corresponding events as it parses client/server dialogues.

See Wikipedia for more information about the HTTP protocol.

C

The connection.

Is_orig

True if the header was sent by the originator of the TCP connection.

Original_name

The name of the header (unaltered).

Name

The name of the header (converted to all uppercase).

Value

The value of the header.

Note

This event is also raised for headers found in nested body entities.

http_all_headers
Type

event (c: connection, is_orig: bool, hlist: mime_header_list)

Generated for HTTP headers, passing on all headers of an HTTP message at once. Zeek supports persistent and pipelined HTTP sessions and raises corresponding events as it parses client/server dialogues.

See Wikipedia for more information about the HTTP protocol.

C

The connection.

Is_orig

True if the header was sent by the originator of the TCP connection.

Hlist

A table containing all headers extracted from the current entity. The table is indexed by the position of the header (1 for the first, 2 for the second, etc.).

Note

This event is also raised for headers found in nested body entities.

http_begin_entity
Type

event (c: connection, is_orig: bool)

Generated when starting to parse an HTTP body entity. This event is generated at least once for each non-empty (client or server) HTTP body; and potentially more than once if the body contains further nested MIME entities. Zeek raises this event just before it starts parsing each entity’s content.

See Wikipedia for more information about the HTTP protocol.

C

The connection.

Is_orig

True if the entity was sent by the originator of the TCP connection.

http_end_entity
Type

event (c: connection, is_orig: bool)

Generated when finishing parsing an HTTP body entity. This event is generated at least once for each non-empty (client or server) HTTP body; and potentially more than once if the body contains further nested MIME entities. Zeek raises this event at the point when it has finished parsing an entity’s content.

See Wikipedia for more information about the HTTP protocol.

C

The connection.

Is_orig

True if the entity was sent by the originator of the TCP connection.

http_entity_data
Type

event (c: connection, is_orig: bool, length: count, data: string)

Generated when parsing an HTTP body entity, passing on the data. This event can potentially be raised many times for each entity, each time passing a chunk of the data of not further defined size.

A common idiom for using this event is to first reassemble the data at the scripting layer by concatenating it to a successively growing string, and only perform further content analysis once the corresponding http_end_entity event has been raised. Note, however, that doing so can be quite expensive for large HTTP transfers. At the very least, one should impose an upper size limit on how much data is being buffered.

See Wikipedia for more information about the HTTP protocol.

C

The connection.

Is_orig

True if the entity was sent by the originator of the TCP connection.

Length

The length of data.

Data

One chunk of raw entity data.

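The reassembly idiom described for http_entity_data, written out as an added Zeek script (not code from the Zeek documentation): it buffers chunks between http_begin_entity and http_end_entity, enforces the upper size limit the text calls for, and uses skip_http_entity_data (documented under Functions below) to stop the analyzer from delivering the rest of an over-sized body. The module name, the size limit and the buffer record are this example's own choices.

```zeek
# Added example (not Zeek project code): bounded reassembly of HTTP entity
# bodies from http_entity_data chunks.
module HTTPEntityBuffer;

export {
    ## Upper bound on bytes buffered per entity (constructed value; tune it).
    const max_buffer = 512 * 1024 &redef;
}

type Buf: record {
    data: string &default="";
    truncated: bool &default=F;
};

# One buffer per (connection, direction). Nested MIME entities raise their
# own begin/end events, so each nested entity replaces the outer buffer.
global bufs: table[string] of Buf;

function buf_key(c: connection, is_orig: bool): string
    {
    return fmt("%s/%s", c$uid, is_orig);
    }

event http_begin_entity(c: connection, is_orig: bool)
    {
    bufs[buf_key(c, is_orig)] = Buf($data="");
    }

event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
    {
    local k = buf_key(c, is_orig);
    if ( k !in bufs )
        return;

    local b = bufs[k];   # records are references, so b updates the table entry
    if ( b$truncated )
        return;

    if ( |b$data| + length > max_buffer )
        {
        # Size limit hit: remember it and stop receiving this entity's data.
        b$truncated = T;
        skip_http_entity_data(c, is_orig);
        return;
        }

    b$data += data;
    }

event http_end_entity(c: connection, is_orig: bool)
    {
    local k = buf_key(c, is_orig);
    if ( k !in bufs )
        return;

    local b = bufs[k];
    delete bufs[k];

    if ( b$truncated )
        {
        print fmt("%s: %s entity exceeded %d bytes, content analysis skipped",
                  c$uid, is_orig ? "client" : "server", max_buffer);
        return;
        }

    # The complete entity body is now in b$data; content analysis goes here.
    print fmt("%s: reassembled %d-byte %s entity",
              c$uid, |b$data|, is_orig ? "client" : "server");
    }
```
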
http_content_type
Type

event (c: connection, is_orig: bool, ty: string, subty: string)

Generated for reporting an HTTP body’s content type. This event is generated at the end of parsing an HTTP header, passing on the MIME type as specified by the Content-Type header. If that header is missing, this event is still raised with a default value of text/plain.

See Wikipedia for more information about the HTTP protocol.

C

The connection.

Is_orig

True if the entity was sent by the originator of the TCP connection.

Ty

The main type.

Subty

The subtype.

Note

This event is also raised for headers found in nested body entities.

http_message_done
Type

event (c: connection, is_orig: bool, stat: http_message_stat)

Generated once at the end of parsing an HTTP message. Zeek supports persistent and pipelined HTTP sessions and raises corresponding events as it parses client/server dialogues. A “message” is one top-level HTTP entity, such as a complete request or reply. Each message can have further nested sub-entities inside. This event is raised once all sub-entities belonging to a top-level message have been processed (and their corresponding http_entity_* events generated).

See Wikipedia for more information about the HTTP protocol.

C

The connection.

Is_orig

True if the entity was sent by the originator of the TCP connection.

Stat

Further meta information about the message.

http_event
Type

event (c: connection, event_type: string, detail: string)

Generated for errors found when decoding HTTP requests or replies.

See Wikipedia for more information about the HTTP protocol.

C

The connection.

Event_type

A string describing the general category of the problem found (e.g., illegal format).

Detail

A more detailed description of the error.

http_stats
Type

event (c: connection, stats: http_stats_rec)

Generated at the end of an HTTP session to report statistics about it. This event is raised after all of an HTTP session’s requests and replies have been fully processed.

C

The connection.

Stats

Statistics summarizing HTTP-level properties of the finished connection.

http_connection_upgrade
Type

event (c: connection, protocol: string)

Generated when an HTTP session is upgraded to a different protocol (e.g., WebSocket). This event is raised when a server replies with an HTTP 101 reply. No more HTTP events will be raised after this event.

C

The connection.

Protocol

The protocol to which the connection is switching.

Functions
skip_http_entity_data
Type

function (c: connection, is_orig: bool) : any

Skips the data of the HTTP entity.

C

The HTTP connection.

Is_orig

If true, the client data is skipped, and the server data otherwise.

unescape_URI
Type

function (URI: string) : string

Unescapes all characters in a URI (decode every %xx group).

URI

The URI to unescape.

Returns

The unescaped URI with all %xx groups decoded.

Note

Unescaping reserved characters may cause loss of information. RFC 2396: A URI is always in an “escaped” form, since escaping or unescaping a completed URI might change its semantics. Normally, the only time escape encodings can safely be made is when the URI is being created from its component parts.

Zeek::Ident

Ident analyzer

Components

Analyzer::ANALYZER_IDENT

Events
ident_request
Type

event (c: connection, lport: port, rport: port)

Generated for Ident requests.

See Wikipedia for more information about the Ident protocol.

C

The connection.

Lport

The request’s local port.

Rport

The request’s remote port.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

ident_reply
Type

event (c: connection, lport: port, rport: port, user_id: string, system: string)

Generated for Ident replies.

See Wikipedia for more information about the Ident protocol.

C

The connection.

Lport

The corresponding request’s local port.

Rport

The corresponding request’s remote port.

User_id

The user id returned by the reply.

System

The operating system returned by the reply.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

ident_error
Type

event (c: connection, lport: port, rport: port, line: string)

Generated for Ident error replies.

See Wikipedia for more information about the Ident protocol.

C

The connection.

Lport

The corresponding request’s local port.

Rport

The corresponding request’s remote port.

Line

The error description returned by the reply.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

Zeek::IMAP

IMAP analyzer (StartTLS only)

Components

Analyzer::ANALYZER_IMAP

Events
imap_capabilities
Type

event (c: connection, capabilities: string_vec)

Generated when a server sends a capability list to the client, after being queried using the CAPABILITY command.

C

The connection.

Capabilities

The list of IMAP capabilities as sent by the server.

imap_starttls
Type

event (c: connection)

Generated when an IMAP connection goes encrypted after a successful StartTLS exchange between the client and the server.

C

The connection.

Zeek::IRC

IRC analyzer

Components

Analyzer::ANALYZER_IRC

Events
irc_request
Type

event (c: connection, is_orig: bool, prefix: string, command: string, arguments: string)

Generated for all client-side IRC commands.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

Always true.

Prefix

The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.

Command

The command.

Arguments

The arguments for the command.

Note

This event is generated only for messages that originate at the client side. Commands coming in from the remote side trigger the irc_message event instead.

irc_reply
Type

event (c: connection, is_orig: bool, prefix: string, code: count, params: string)

Generated for all IRC replies. IRC replies are sent in response to a request and come with a reply code.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Prefix

The optional prefix coming with the reply. IRC uses the prefix to indicate the true origin of a message.

Code

The reply code, as specified by the protocol.

Params

The reply’s parameters.

irc_message
Type

event (c: connection, is_orig: bool, prefix: string, command: string, message: string)

Generated for IRC commands forwarded from the server to the client.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

Always false.

Prefix

The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.

Command

The command.

Message

TODO.

Note

This event is generated only for messages that are forwarded by the server to the client. Commands coming from the client trigger the irc_request event instead.

irc_quit_message
Type

event (c: connection, is_orig: bool, nick: string, message: string)

Generated for IRC messages of type quit. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Nick

The nickname coming with the message.

Message

The text included with the message.

irc_privmsg_message
Type

event (c: connection, is_orig: bool, source: string, target: string, message: string)

Generated for IRC messages of type privmsg. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Source

The source of the private communication.

Target

The target of the private communication.

Message

The text of communication.

irc_notice_message
Type

event (c: connection, is_orig: bool, source: string, target: string, message: string)

Generated for IRC messages of type notice. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Source

The source of the private communication.

Target

The target of the private communication.

Message

The text of communication.

irc_squery_message
Type

event (c: connection, is_orig: bool, source: string, target: string, message: string)

Generated for IRC messages of type squery. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Source

The source of the private communication.

Target

The target of the private communication.

Message

The text of communication.

irc_join_message
Type

event (c: connection, is_orig: bool, info_list: irc_join_list)

Generated for IRC messages of type join. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Info_list

The user information coming with the command.

irc_part_message
Type

event (c: connection, is_orig: bool, nick: string, chans: string_set, message: string)

Generated for IRC messages of type part. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Nick

The nickname coming with the message.

Chans

The set of channels affected.

Message

The text coming with the message.

irc_nick_message
Type

event (c: connection, is_orig: bool, who: string, newnick: string)

Generated for IRC messages of type nick. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Who

The user changing its nickname.

Newnick

The new nickname.

irc_invalid_nick
Type

event (c: connection, is_orig: bool)

Generated when a server rejects an IRC nickname.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

irc_network_info
Type

event (c: connection, is_orig: bool, users: count, services: count, servers: count)

Generated for an IRC reply of type luserclient.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Users

The number of users as returned in the reply.

Services

The number of services as returned in the reply.

Servers

The number of servers as returned in the reply.

See also:

irc_server_info
Type

event (c: connection, is_orig: bool, users: count, services: count, servers: count)

Generated for an IRC reply of type luserme.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Users

The number of users as returned in the reply.

Services

The number of services as returned in the reply.

Servers

The number of servers as returned in the reply.

See also:

irc_channel_info
Type

event (c: connection, is_orig: bool, chans: count)

Generated for an IRC reply of type luserchannels.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Chans

The number of channels as returned in the reply.

See also:

irc_who_line
Type

event (c: connection, is_orig: bool, target_nick: string, channel: string, user: string, host: string, server: string, nick: string, params: string, hops: count, real_name: string)

Generated for an IRC reply of type whoreply.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Target_nick

The target nickname.

Channel

The channel.

User

The user.

Host

The host.

Server

The server.

Nick

The nickname.

Params

The parameters.

Hops

The hop count.

Real_name

The real name.

See also:

irc_names_info
Type

event (c: connection, is_orig: bool, c_type: string, channel: string, users: string_set)

Generated for an IRC reply of type namereply.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

C_type

The channel type.

Channel

The channel.

Users

The set of users.

See also:

irc_whois_operator_line
Type

event (c: connection, is_orig: bool, nick: string)

Generated for an IRC reply of type whoisoperator.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Nick

The nickname specified in the reply.

See also:

irc_whois_channel_line
Type

event (c: connection, is_orig: bool, nick: string, chans: string_set)

Generated for an IRC reply of type whoischannels.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Nick

The nickname specified in the reply.

Chans

The set of channels returned.

See also:

irc_whois_user_line
Type

event (c: connection, is_orig: bool, nick: string, user: string, host: string, real_name: string)

Generated for an IRC reply of type whoisuser.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Nick

The nickname specified in the reply.

User

The user name specified in the reply.

Host

The host name specified in the reply.

Real_name

The real name specified in the reply.

See also:

irc_oper_response
Type

event (c: connection, is_orig: bool, got_oper: bool)

Generated for IRC replies of type youreoper and nooperhost.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Got_oper

True if the oper command was executed successfully (youreoper) and false otherwise (nooperhost).

See also:

irc_global_users
Type

event (c: connection, is_orig: bool, prefix: string, msg: string)

Generated for an IRC reply of type globalusers.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Prefix

The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.

Msg

The message coming with the reply.

See also:

irc_channel_topic
Type

event (c: connection, is_orig: bool, channel: string, topic: string)

Generated for an IRC reply of type topic.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Channel

The channel name specified in the reply.

Topic

The topic specified in the reply.

See also:

irc_who_message
Type

event (c: connection, is_orig: bool, mask: string, oper: bool)

Generated for IRC messages of type who. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Mask

The mask specified in the message.

Oper

True if the operator flag was set.

See also:

irc_whois_message
Type

event (c: connection, is_orig: bool, server: string, users: string)

Generated for IRC messages of type whois. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Server

TODO.

Users

TODO.

See also:

irc_oper_message
Type

event (c: connection, is_orig: bool, user: string, password: string)

Generated for IRC messages of type oper. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

User

The user specified in the message.

Password

The password specified in the message.

See also:

irc_kick_message
Type

event (c: connection, is_orig: bool, prefix: string, chans: string, users: string, comment: string)

Generated for IRC messages of type kick. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Prefix

The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.

Chans

The channels specified in the message.

Users

The users specified in the message.

Comment

The comment specified in the message.

See also:

irc_error_message
Type

event (c: connection, is_orig: bool, prefix: string, message: string)

Generated for IRC messages of type error. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Prefix

The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.

Message

The textual description specified in the message.

See also:

irc_invite_message
Type

event (c: connection, is_orig: bool, prefix: string, nickname: string, channel: string)

Generated for IRC messages of type invite. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Prefix

The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.

Nickname

The nickname specified in the message.

Channel

The channel specified in the message.

See also:

irc_mode_message
Type

event (c: connection, is_orig: bool, prefix: string, params: string)

Generated for IRC messages of type mode. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Prefix

The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.

Params

The parameters coming with the message.

See also:

irc_squit_message
Type

event (c: connection, is_orig: bool, prefix: string, server: string, message: string)

Generated for IRC messages of type squit. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Prefix

The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.

Server

The server specified in the message.

Message

The textual description specified in the message.

See also:

irc_dcc_message
Type

event (c: connection, is_orig: bool, prefix: string, target: string, dcc_type: string, argument: string, address: addr, dest_port: count, size: count)

Generated for IRC messages of type dcc. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Prefix

The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.

Target

The target specified in the message.

Dcc_type

The DCC type specified in the message.

Argument

The argument specified in the message.

Address

The address specified in the message.

Dest_port

The destination port specified in the message.

Size

The size specified in the message.

See also:

irc_user_message
Type

event (c: connection, is_orig: bool, user: string, host: string, server: string, real_name: string)

Generated for IRC messages of type user. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

User

The user specified in the message.

Host

The host name specified in the message.

Server

The server name specified in the message.

Real_name

The real name specified in the message.

See also:

irc_password_message
Type

event (c: connection, is_orig: bool, password: string)

Generated for IRC messages of type password. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Password

The password specified in the message.

See also:

irc_starttls
Type

event (c: connection)

Generated if an IRC connection switched to TLS using STARTTLS. After this event no more IRC events will be raised for the connection. See the SSL analyzer for related SSL events, which will now be generated.

C

The connection.
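The IRC events above are raised for both directions of the conversation, which is why nearly all of them carry is_orig. The following script, added here as an illustration and not part of the Zeek documentation or distribution, shows how a monitoring deployment might consume a few of them: it records DCC transfer offers (irc_dcc_message), notes attempts to obtain operator privileges and whether they succeeded (irc_oper_message, irc_oper_response), and remembers connections that switched to TLS (irc_starttls), after which no further IRC events arrive. The module name, the Notice::Type values and the expiry interval are our own choices.

```zeek
# Added example script (not Zeek's own code): consuming IRC events from a
# defender's viewpoint. Notice types and the module name are assumptions.

@load base/frameworks/notice

module IRC_Watch;

export {
    redef enum Notice::Type += {
        ## A DCC offer (file transfer or chat) was observed.
        DCC_Offer,
        ## A client attempted to become an IRC operator.
        Oper_Attempt,
    };

    ## Connections on which STARTTLS was seen; no IRC events follow on these.
    global tls_upgraded: set[conn_id] &create_expire = 1hr;
}

event irc_dcc_message(c: connection, is_orig: bool, prefix: string,
                      target: string, dcc_type: string, argument: string,
                      address: addr, dest_port: count, size: count)
    {
    # The event fires in both directions; only the client-originated
    # offer is of interest here.
    if ( ! is_orig )
        return;

    NOTICE([$note=DCC_Offer,
            $conn=c,
            $msg=fmt("DCC %s offer to %s: %s (%s:%d, %d bytes)",
                     dcc_type, target, argument, address, dest_port, size),
            $sub=argument,
            $identifier=cat(c$id$orig_h, address, dest_port)]);
    }

event irc_oper_message(c: connection, is_orig: bool, user: string,
                       password: string)
    {
    # Record that an OPER command was sent. The password argument is
    # deliberately not written anywhere.
    NOTICE([$note=Oper_Attempt,
            $conn=c,
            $msg=fmt("OPER command for user %s from %s", user, c$id$orig_h),
            $identifier=cat(c$id$orig_h, user)]);
    }

event irc_oper_response(c: connection, is_orig: bool, got_oper: bool)
    {
    # got_oper is true for a youreoper reply, false for nooperhost.
    if ( got_oper )
        print fmt("%s: operator status granted by %s", c$uid, c$id$resp_h);
    }

event irc_starttls(c: connection)
    {
    # From here on the SSL analyzer raises events for this connection.
    add tls_upgraded[c$id];
    }
```

The $identifier fields let the notice framework suppress duplicate notices for the same client/target pair; without them every repeated DCC offer would produce a fresh notice.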

Zeek::KRB

Kerberos analyzer

Components

Analyzer::ANALYZER_KRB

Analyzer::ANALYZER_KRB_TCP

Options/Constants
KRB::keytab
Type

string

Attributes

&redef

Default

""

Kerberos keytab file name. Used to decrypt tickets encountered on the wire.

Types
KRB::Error_Msg
Type

record

pvno: count &optional

Protocol version number (5 for KRB5)

msg_type: count &optional

The message type (30 for ERROR_MSG)

client_time: time &optional

Current time on the client

server_time: time &optional

Current time on the server

error_code: count

The specific error code

client_realm: string &optional

Realm of the ticket

client_name: string &optional

Name on the ticket

service_realm: string &optional

Realm of the service

service_name: string &optional

Name of the service

error_text: string &optional

Additional text to explain the error

pa_data: vector of KRB::Type_Value &optional

Optional pre-authentication data

The data from the ERROR_MSG message. See RFC 4120.

KRB::SAFE_Msg
Type

record

pvno: count

Protocol version number (5 for KRB5)

msg_type: count

The message type (20 for SAFE_MSG)

data: string

The application-specific data that is being passed from the sender to the receiver

timestamp: time &optional

Current time from the sender of the message

seq: count &optional

Sequence number used to detect replays

sender: KRB::Host_Address &optional

Sender address

recipient: KRB::Host_Address &optional

Recipient address

The data from the SAFE message. See RFC 4120.

KRB::KDC_Options
Type

record

forwardable: bool

The ticket to be issued should have its forwardable flag set.

forwarded: bool

A (TGT) request for forwarding.

proxiable: bool

The ticket to be issued should have its proxiable flag set.

proxy: bool

A request for a proxy.

allow_postdate: bool

The ticket to be issued should have its may-postdate flag set.

postdated: bool

A request for a postdated ticket.

renewable: bool

The ticket to be issued should have its renewable flag set.

opt_hardware_auth: bool

Reserved for opt_hardware_auth

disable_transited_check: bool

Request that the KDC not check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT.

renewable_ok: bool

If a ticket with the requested lifetime cannot be issued, a renewable ticket is acceptable

enc_tkt_in_skey: bool

The ticket for the end server is to be encrypted in the session key from the additional TGT provided

renew: bool

The request is for a renewal

validate: bool

The request is to validate a postdated ticket.

KDC Options. See RFC 4120.

KRB::AP_Options
Type

record

use_session_key: bool

Indicates that user-to-user-authentication is in use

mutual_required: bool

Mutual authentication is required

AP Options. See RFC 4120.

KRB::Type_Value
Type

record

data_type: count

The data type

val: string

The data value

Used in a few places in the Kerberos analyzer for elements that have a type and a string value.

KRB::Ticket
Type

record

pvno: count

Protocol version number (5 for KRB5)

realm: string

Realm

service_name: string

Name of the service

cipher: count

Cipher the ticket was encrypted with

ciphertext: string &optional

Cipher text of the ticket

authenticationinfo: string &optional

Authentication info

A Kerberos ticket. See RFC 4120.

KRB::Ticket_Vector
Type

vector of KRB::Ticket

KRB::Host_Address
Type

record

ip: addr &log &optional

IPv4 or IPv6 address

netbios: string &log &optional

NetBIOS address

unknown: KRB::Type_Value &optional

Some other type that we don’t support yet

A Kerberos host address. See RFC 4120.

KRB::KDC_Request
Type

record

pvno: count

Protocol version number (5 for KRB5)

msg_type: count

The message type (10 for AS_REQ, 12 for TGS_REQ)

pa_data: vector of KRB::Type_Value &optional

Optional pre-authentication data

kdc_options: KRB::KDC_Options &optional

Options specified in the request

client_name: string &optional

Name on the ticket

service_realm: string &optional

Realm of the service

service_name: string &optional

Name of the service

from: time &optional

Time the ticket is good from

till: time &optional

Time the ticket is good till

rtime: time &optional

The requested renew-till time

nonce: count &optional

A random nonce generated by the client

encryption_types: vector of count &optional

The desired encryption algorithms, in order of preference

host_addrs: vector of KRB::Host_Address &optional

Any additional addresses the ticket should be valid for

additional_tickets: vector of KRB::Ticket &optional

Additional tickets may be included for certain transactions

The data from the AS_REQ and TGS_REQ messages. See RFC 4120.

KRB::KDC_Response
Type

record

pvno: count

Protocol version number (5 for KRB5)

msg_type: count

The message type (11 for AS_REP, 13 for TGS_REP)

pa_data: vector of KRB::Type_Value &optional

Optional pre-authentication data

client_realm: string &optional

Realm on the ticket

client_name: string

Client name on the ticket

ticket: KRB::Ticket

The ticket that was issued

The data from the AS_REP and TGS_REP messages. See RFC 4120.

Events
krb_as_request
Type

event (c: connection, msg: KRB::KDC_Request)

A Kerberos 5 Authentication Server (AS) Request as defined in RFC 4120. The AS request contains a username of the client requesting authentication, and returns an AS reply with an encrypted Ticket Granting Ticket (TGT) for that user. The TGT can then be used to request further tickets for other services.

See Wikipedia for more information about the Kerberos protocol.

C

The connection over which this Kerberos message was sent.

Msg

A Kerberos KDC request message data structure.

See also:

krb_as_response
Type

event (c: connection, msg: KRB::KDC_Response)

A Kerberos 5 Authentication Server (AS) Response as defined in RFC 4120. Following the AS request for a user, an AS reply contains an encrypted Ticket Granting Ticket (TGT) for that user. The TGT can then be used to request further tickets for other services.

See Wikipedia for more information about the Kerberos protocol.

C

The connection over which this Kerberos message was sent.

Msg

A Kerberos KDC reply message data structure.

See also:

krb_tgs_request
Type

event (c: connection, msg: KRB::KDC_Request)

A Kerberos 5 Ticket Granting Service (TGS) Request as defined in RFC 4120. Following the Authentication Server exchange, if successful, the client now has a Ticket Granting Ticket (TGT). To authenticate to a Kerberized service, the client requests a Service Ticket, which will be returned in the TGS reply.

See Wikipedia for more information about the Kerberos protocol.

C

The connection over which this Kerberos message was sent.

Msg

A Kerberos KDC request message data structure.

See also:

krb_tgs_response
Type

event (c: connection, msg: KRB::KDC_Response)

A Kerberos 5 Ticket Granting Service (TGS) Response as defined in RFC 4120. This message returns a Service Ticket to the client, which is encrypted with the service’s long-term key, and which the client can use to authenticate to that service.

See Wikipedia for more information about the Kerberos protocol.

C

The connection over which this Kerberos message was sent.

Msg

A Kerberos KDC reply message data structure.

See also:

krb_ap_request
Type

event (c: connection, ticket: KRB::Ticket, opts: KRB::AP_Options)

A Kerberos 5 Authentication Header (AP) Request as defined in RFC 4120. This message contains authentication information that should be part of the first message in an authenticated transaction.

See Wikipedia for more information about the Kerberos protocol.

C

The connection over which this Kerberos message was sent.

Ticket

The Kerberos ticket being used for authentication.

Opts

A Kerberos AP options data structure.

See also:

krb_ap_response
Type

event (c: connection)

A Kerberos 5 Authentication Header (AP) Response as defined in RFC 4120. This is used if mutual authentication is desired. All of the interesting information in here is encrypted, so the event doesn’t have much useful data, but it’s provided in case it’s important to know that this message was sent.

See Wikipedia for more information about the Kerberos protocol.

C

The connection over which this Kerberos message was sent.

See also:

krb_priv
Type

event (c: connection, is_orig: bool)

A Kerberos 5 Private Message as defined in RFC 4120. This is a private (encrypted) application message, so the event doesn’t have much useful data, but it’s provided in case it’s important to know that this message was sent.

See Wikipedia for more information about the Kerberos protocol.

C

The connection over which this Kerberos message was sent.

Is_orig

Whether the originator of the connection sent this message.

See also:

krb_safe
Type

event (c: connection, is_orig: bool, msg: KRB::SAFE_Msg)

A Kerberos 5 Safe Message as defined in RFC 4120. This is a safe (checksummed) application message.

See Wikipedia for more information about the Kerberos protocol.

C

The connection over which this Kerberos message was sent.

Is_orig

Whether the originator of the connection sent this message.

Msg

A Kerberos SAFE message data structure.

See also:

krb_cred
Type

event (c: connection, is_orig: bool, tickets: KRB::Ticket_Vector)

A Kerberos 5 Credential Message as defined in RFC 4120. This is a private (encrypted) message to forward credentials.

See Wikipedia for more information about the Kerberos protocol.

C

The connection over which this Kerberos message was sent.

Is_orig

Whether the originator of the connection sent this message.

Tickets

Tickets obtained from the KDC that are being forwarded.

See also:

krb_error
Type

event (c: connection, msg: KRB::Error_Msg)

A Kerberos 5 Error Message as defined in RFC 4120.

See Wikipedia for more information about the Kerberos protocol.

C

The connection over which this Kerberos message was sent.

Msg

A Kerberos error message data structure.

See also:

Zeek::Login

Telnet/Rsh/Rlogin analyzers

Components

Analyzer::ANALYZER_CONTENTS_RLOGIN

Analyzer::ANALYZER_CONTENTS_RSH

Analyzer::ANALYZER_LOGIN

Analyzer::ANALYZER_NVT

Analyzer::ANALYZER_RLOGIN

Analyzer::ANALYZER_RSH

Analyzer::ANALYZER_TELNET

Events
rsh_request
Type

event (c: connection, client_user: string, server_user: string, line: string, new_session: bool)

Generated for client side commands on an RSH connection.

See RFC 1258 for more information about the Rlogin/Rsh protocol.

C

The connection.

Client_user

The client-side user name as sent in the initial protocol handshake.

Server_user

The server-side user name as sent in the initial protocol handshake.

Line

The command line sent in the request.

New_session

True if this is the first command of the Rsh session.

See also:

Note

For historical reasons, these events are separate from the login_ events. Ideally, they would all be handled uniquely.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

rsh_reply
Type

event (c: connection, client_user: string, server_user: string, line: string)

Generated for client side commands on an RSH connection.

See RFC 1258 for more information about the Rlogin/Rsh protocol.

C

The connection.

Client_user

The client-side user name as sent in the initial protocol handshake.

Server_user

The server-side user name as sent in the initial protocol handshake.

Line

The command line sent in the request.

See also:

Note

For historical reasons, these events are separate from the login_ events. Ideally, they would all be handled uniquely.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

login_failure
Type

event (c: connection, user: string, client_user: string, password: string, line: string)

Generated for Telnet/Rlogin login failures. The login analyzer inspects Telnet/Rlogin sessions to heuristically extract username and password information as well as the text returned by the login server. This event is raised if a login attempt appears to have been unsuccessful.

C

The connection.

User

The user name tried.

Client_user

For Telnet connections, this is an empty string, but for Rlogin connections, it is the client name passed in the initial authentication information (to check against .rhosts).

Password

The password tried.

Line

The line of text that led the analyzer to conclude that the authentication had failed.

See also:

Note

The login analyzer depends on a set of script-level variables that need to be configured with patterns identifying login attempts. This configuration has not yet been ported, and the analyzer is therefore not directly usable at the moment.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

login_success
Type

event (c: connection, user: string, client_user: string, password: string, line: string)

Generated for successful Telnet/Rlogin logins. The login analyzer inspects Telnet/Rlogin sessions to heuristically extract username and password information as well as the text returned by the login server. This event is raised if a login attempt appears to have been successful.

C

The connection.

User

The user name used.

Client_user

For Telnet connections, this is an empty string, but for Rlogin connections, it is the client name passed in the initial authentication information (to check against .rhosts).

Password

The password used.

Line

The line of text that led the analyzer to conclude that the authentication had succeeded.

See also:

Note

The login analyzer depends on a set of script-level variables that need to be configured with patterns identifying login attempts. This configuration has not yet been ported, and the analyzer is therefore not directly usable at the moment.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

login_input_line
Type

event (c: connection, line: string)

Generated for lines of input on Telnet/Rlogin sessions. The line will have control characters (such as in-band Telnet options) removed.

C

The connection.

Line

The input line.

See also:

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

login_output_line
Type

event (c: connection, line: string)

Generated for lines of output on Telnet/Rlogin sessions. The line will have control characters (such as in-band Telnet options) removed.

C

The connection.

Line

The output line.

See also:

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

login_confused
Type

event (c: connection, msg: string, line: string)

Generated when tracking of Telnet/Rlogin authentication failed. As Zeek’s login analyzer uses a number of heuristics to extract authentication information, it may become confused. If it can no longer correctly track the authentication dialog, it raises this event.

C

The connection.

Msg

Gives the particular problem the heuristics detected (for example, multiple_login_prompts means that the engine saw several login prompts in a row, without the type-ahead from the client side presumed necessary to cause them)

Line

The line of text that caused the heuristics to conclude they were confused.

See also:

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

login_confused_text
Type

event (c: connection, line: string)

Generated after getting confused while tracking a Telnet/Rlogin authentication dialog. The login analyzer generates this event for every line of user input after it has reported login_confused for a connection.

C

The connection.

Line

The line the user typed.

See also:

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

login_terminal
Type

event (c: connection, terminal: string)

Generated for clients transmitting a terminal type in a Telnet session. This information is extracted out of environment variables sent as Telnet options.

C

The connection.

Terminal

The TERM value transmitted.

See also:

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

login_display
Type

event (c: connection, display: string)

Generated for clients transmitting an X11 DISPLAY in a Telnet session. This information is extracted out of environment variables sent as Telnet options.

C

The connection.

Display

The DISPLAY transmitted.

See also:

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

authentication_accepted
Type

event (name: string, c: connection)

Generated when a Telnet authentication has been successful. The Telnet protocol includes options for negotiating authentication. When such an option is sent from client to server and the server replies that it accepts the authentication, then the event engine generates this event.

See Wikipedia for more information about the Telnet protocol.

Name

The authenticated name.

C

The connection.

See also:

Note

This event inspects the corresponding Telnet option while login_success heuristically determines success by watching session data.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

authentication_rejected
Type

event (name: string, c: connection)

Generated when a Telnet authentication has been unsuccessful. The Telnet protocol includes options for negotiating authentication. When such an option is sent from client to server and the server replies that it did not accept the authentication, then the event engine generates this event.

See Wikipedia for more information about the Telnet protocol.

Name

The attempted authentication name.

C

The connection.

See also:

Note

This event inspects the corresponding Telnet option while login_failure heuristically determines failure by watching session data.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

authentication_skipped
Type

event (c: connection)

Generated for Telnet/Rlogin sessions when a pattern match indicates that no authentication is performed.

See Wikipedia for more information about the Telnet protocol.

C

The connection.

See also:

Note

The login analyzer depends on a set of script-level variables that need to be configured with patterns identifying activity. This configuration has not yet been ported, and the analyzer is therefore not directly usable at the moment.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

login_prompt
Type

event (c: connection, prompt: string)

Generated for clients transmitting a terminal prompt in a Telnet session. This information is extracted out of environment variables sent as Telnet options.

See Wikipedia for more information about the Telnet protocol.

C

The connection.

Prompt

The TTYPROMPT transmitted.

See also:

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

activating_encryption
Type

event (c: connection)

Generated for Telnet sessions when encryption is activated. The Telnet protocol includes options for negotiating encryption. When such a series of options is successfully negotiated, the event engine generates this event.

See Wikipedia for more information about the Telnet protocol.

C

The connection.

See also:

inconsistent_option
Type

event (c: connection)

Generated for an inconsistent Telnet option. Telnet options are specified by the client and server stating which options they are willing to support vs. which they are not, and then instructing one another which in fact they should or should not use for the current connection. If the event engine sees a peer violate either what the other peer has instructed it to do, or what it itself offered in terms of options in the past, then the engine generates this event.

See Wikipedia for more information about the Telnet protocol.

C

The connection.

See also:

bad_option
Type

event (c: connection)

Generated for an ill-formed or unrecognized Telnet option.

See Wikipedia for more information about the Telnet protocol.

C

The connection.

See also:

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

bad_option_termination
Type

event (c: connection)

Generated for a Telnet option that’s incorrectly terminated.

See Wikipedia for more information about the Telnet protocol.

C

The connection.

See also:

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

Functions
get_login_state
Type

function (cid: conn_id) : count

Returns the state of the given login (Telnet or Rlogin) connection.

Cid

The connection ID.

Returns

False if the connection is not active or is not tagged as a login analyzer. Otherwise the function returns the state, which can be one of:

  • LOGIN_STATE_AUTHENTICATE: The connection is in its initial authentication dialog.

  • LOGIN_STATE_LOGGED_IN: The analyzer believes the user has successfully authenticated.

  • LOGIN_STATE_SKIP: The analyzer has skipped any further processing of the connection.

  • LOGIN_STATE_CONFUSED: The analyzer has concluded that it does not correctly know the state of the connection, and/or the username associated with it.

See also:

set_login_state
Type

function (cid: conn_id, new_state: count) : bool

Sets the login state of a connection with a login analyzer.

Cid

The connection ID.

New_state

The new state of the login analyzer. See get_login_state for possible values.

Returns

Returns false if cid is not an active connection or is not tagged as a login analyzer, and true otherwise.

See also:
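
The Todo notes above describe how to turn on the Telnet analyzer that the default configuration leaves off, and get_login_state/set_login_state let a script read and steer the analyzer's view of a session. The following script is an added example, not one of Zeek's own scripts: it registers the analyzer via Analyzer::register_for_ports, raises notices for rejected authentication and malformed options, checks the login state when a prompt is seen, and marks the connection as skipped once Telnet encryption is negotiated. The module name, notice types and the TelnetWatch::telnet_ports value are assumptions made for the example; the analyzer tag Analyzer::ANALYZER_TELNET is the one registered by Zeek's Login plugin. As the note above says, the heuristic login_success/login_failure events depend on pattern variables that are not configured by default; the option-driven events handled here do not.

```zeek
# Added example (not part of Zeek's own scripts): enable the Telnet analyzer,
# which the default configuration leaves off, and react to the events above.
module TelnetWatch;

export {
    redef enum Notice::Type += {
        ## A Telnet AUTHENTICATION option was rejected by the server.
        Auth_Rejected,
        ## Malformed or inconsistent Telnet option negotiation was seen.
        Bad_Option,
    };

    ## Ports on which to run the Telnet analyzer (assumed deployment value).
    const telnet_ports: set[port] = { 23/tcp } &redef;
}

event zeek_init()
    {
    # This is the "register_for_ports" step the Todo notes refer to.
    Analyzer::register_for_ports(Analyzer::ANALYZER_TELNET, telnet_ports);
    }

event authentication_rejected(name: string, c: connection)
    {
    NOTICE([$note=Auth_Rejected, $conn=c,
            $msg=fmt("Telnet authentication rejected for '%s'", name),
            $identifier=cat(c$id$orig_h, c$id$resp_h, name)]);
    }

event login_prompt(c: connection, prompt: string)
    {
    # get_login_state() reports what the analyzer currently believes about
    # the session; LOGIN_STATE_* are the constants listed above.
    local st = get_login_state(c$id);
    if ( st == LOGIN_STATE_LOGGED_IN )
        print fmt("%s: TTYPROMPT '%s' seen after login", c$uid, prompt);
    else if ( st == LOGIN_STATE_CONFUSED )
        print fmt("%s: TTYPROMPT '%s' but analyzer is confused", c$uid, prompt);
    }

event activating_encryption(c: connection)
    {
    # Once Telnet encryption is negotiated the login dialogue is opaque to
    # Zeek, so tell the analyzer to stop applying its login heuristics.
    if ( ! set_login_state(c$id, LOGIN_STATE_SKIP) )
        print fmt("%s: could not set login state (not a login analyzer?)", c$uid);
    }

event bad_option(c: connection)
    {
    NOTICE([$note=Bad_Option, $conn=c,
            $msg="Ill-formed or unrecognized Telnet option",
            $identifier=cat(c$id$orig_h, c$id$resp_h, "bad")]);
    }

event inconsistent_option(c: connection)
    {
    NOTICE([$note=Bad_Option, $conn=c,
            $msg="Inconsistent Telnet option negotiation",
            $identifier=cat(c$id$orig_h, c$id$resp_h, "inconsistent")]);
    }
```

Load it with `zeek -r trace.pcap telnet_watch.zeek`; notices appear in notice.log and the prompt messages on stdout. The $identifier fields give the notice framework a key for suppressing repeats of the same notice per host pair.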

Zeek::MIME

MIME parsing

Components
Events
mime_begin_entity
Type

event (c: connection)

Generated when starting to parse an email MIME entity. MIME is a protocol-independent data format for encoding text and files, along with corresponding metadata, for transmission. Zeek raises this event when it begins parsing a MIME entity extracted from an email protocol.

Zeek’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.

C

The connection.

See also:

Note

Zeek also extracts MIME entities from HTTP sessions. For those, however, it raises http_begin_entity instead.

mime_end_entity
Type

event (c: connection)

Generated when finishing parsing an email MIME entity. MIME is a protocol-independent data format for encoding text and files, along with corresponding metadata, for transmission. Zeek raises this event when it has finished parsing a MIME entity extracted from an email protocol.

Zeek’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.

C

The connection.

See also:

Note

Zeek also extracts MIME entities from HTTP sessions. For those, however, it raises http_end_entity instead.

mime_one_header
Type

event (c: connection, h: mime_header_rec)

Generated for individual MIME headers extracted from email MIME entities. MIME is a protocol-independent data format for encoding text and files, along with corresponding metadata, for transmission.

Zeek’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.

C

The connection.

H

The parsed MIME header.

See also:

Note

Zeek also extracts MIME headers from HTTP sessions. For those, however, it raises http_header instead.

mime_all_headers
Type

event (c: connection, hlist: mime_header_list)

Generated for MIME headers extracted from email MIME entities, passing all headers at once. MIME is a protocol-independent data format for encoding text and files, along with corresponding metadata, for transmission.

Zeek’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.

C

The connection.

Hlist

A table containing all headers extracted from the current entity. The table is indexed by the position of the header (1 for the first, 2 for the second, etc.).

See also:

Note

Zeek also extracts MIME headers from HTTP sessions. For those, however, it raises http_header instead.

mime_segment_data
Type

event (c: connection, length: count, data: string)

Generated for chunks of decoded MIME data from email MIME entities. MIME is a protocol-independent data format for encoding text and files, along with corresponding metadata, for transmission. As Zeek parses the data of an entity, it raises a sequence of these events, each coming as soon as a new chunk of data is available. In contrast, there is also mime_entity_data, which passes all of an entity’s data at once in a single block. While the latter is more convenient to handle, mime_segment_data is more efficient as Zeek does not need to buffer the data. Thus, if possible, this event should be preferred.

Zeek’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.

C

The connection.

Length

The length of data.

Data

The raw data of one segment of the current entity.

See also:

Note

Zeek also extracts MIME data from HTTP sessions. For those, however, it raises http_entity_data (sic!) instead.

mime_entity_data
Type

event (c: connection, length: count, data: string)

Generated for data decoded from an email MIME entity. This event delivers the complete content of a single MIME entity with the quoted-printable and base64 data decoded. In contrast, there is also mime_segment_data, which passes on a sequence of data chunks as they come in. While mime_entity_data is more convenient to handle, mime_segment_data is more efficient as Zeek does not need to buffer the data. Thus, if possible, the latter should be preferred.

Zeek’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.

C

The connection.

Length

The length of data.

Data

The raw data of the complete entity.

See also:

Note

While Zeek also decodes MIME entities extracted from HTTP sessions, there’s no corresponding event for that currently.

mime_all_data
Type

event (c: connection, length: count, data: string)

Generated for passing on all data decoded from a single email MIME message. If an email message has more than one MIME entity, this event combines all their data into a single value for analysis. Note that because of the potentially significant buffering necessary, using this event can be expensive.

Zeek’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.

C

The connection.

Length

The length of data.

Data

The raw data of all MIME entities concatenated.

See also:

Note

While Zeek also decodes MIME entities extracted from HTTP sessions, there’s no corresponding event for that currently.

mime_event
Type

event (c: connection, event_type: string, detail: string)

Generated for errors found when decoding email MIME entities.

Zeek’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.

C

The connection.

Event_type

A string describing the general category of the problem found (e.g., illegal format).

Detail

Further more detailed description of the error.

See also:

Note

Zeek also decodes MIME entities from HTTP sessions. For problems found there, however, it raises http_event instead.

mime_content_hash
Type

event (c: connection, content_len: count, hash_value: string)

Generated for decoded MIME entities extracted from email messages, passing on their MD5 checksums. Zeek computes the MD5 over the complete decoded data of each MIME entity.

Zeek’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.

C

The connection.

Content_len

The length of the entity being hashed.

Hash_value

The MD5 hash.

See also:

Note

While Zeek also decodes MIME entities extracted from HTTP sessions, there’s no corresponding event for that currently.
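
The MIME events above are raised per entity in a fixed order: mime_begin_entity, one mime_one_header per header, mime_all_headers, the data events, mime_content_hash, then mime_end_entity. The script below is an added example, not code from Zeek's own scripts, that uses that sequence to keep a small per-connection record of the entity being parsed, flag entities whose declared type or file name looks executable, and report the MD5 Zeek computes for the decoded entity. It assumes mime_header_rec has `name` (upper-cased by Zeek) and `value` fields, that mime_content_hash delivers the raw 16-byte digest (hence the hex conversion), and that mime_content_hash precedes mime_end_entity for the same entity; the module name, notice type and the lists of suspicious types and extensions are constructed for the example.

```zeek
# Added example (not Zeek's own code): follow the entity currently being parsed
# in an SMTP/POP3 session, flag likely executables and report their MD5.
module MimeWatch;

export {
    redef enum Notice::Type += { Suspicious_Attachment };

    ## Declared MIME types worth a second look (assumed list; tune for your mail flow).
    const suspicious_types: set[string] = {
        "application/x-msdownload",
        "application/x-dosexec",
        "application/x-msdos-program",
    } &redef;

    ## File-name extensions worth a second look (assumed list).
    const suspicious_names = /\.(exe|scr|pif|com|bat|cmd|js|jse|vbs|hta|jar|ps1)$/ &redef;
}

type Entity: record {
    content_type: string &default="";
    filename:     string &default="";
    suspicious:   bool   &default=F;
};

redef record connection += {
    ## State for the MIME entity currently being parsed (set by this script).
    mime_watch: Entity &optional;
};

# Pull the file name out of a parameter list such as
#   attachment; filename="invoice.exe"    or    text/plain; name=notes.txt
function name_param(v: string): string
    {
    if ( /[nN][aA][mM][eE][[:blank:]]*=/ !in v )
        return "";
    # Drop everything up to and including 'name=' and an optional opening quote,
    # then cut at the closing quote or the next parameter separator.
    local rest = sub(v, /^.*[nN][aA][mM][eE][[:blank:]]*=[[:blank:]]*\"?/, "");
    return gsub(rest, /[\";].*$/, "");
    }

event mime_begin_entity(c: connection)
    {
    c$mime_watch = Entity($suspicious=F);
    }

event mime_one_header(c: connection, h: mime_header_rec)
    {
    if ( ! c?$mime_watch )
        return;
    local e = c$mime_watch;   # records are references; edits land in c$mime_watch

    # Zeek delivers header names upper-cased.
    if ( h$name == "CONTENT-TYPE" )
        {
        e$content_type = to_lower(strip(gsub(h$value, /;.*$/, "")));
        if ( e$filename == "" )
            e$filename = name_param(h$value);
        }
    else if ( h$name == "CONTENT-DISPOSITION" )
        e$filename = name_param(h$value);
    }

event mime_all_headers(c: connection, hlist: mime_header_list)
    {
    # All headers of the entity have been seen; decide once here.
    if ( ! c?$mime_watch )
        return;
    local e = c$mime_watch;
    e$suspicious = e$content_type in suspicious_types ||
                   suspicious_names in to_lower(e$filename);
    }

event mime_content_hash(c: connection, content_len: count, hash_value: string)
    {
    if ( ! c?$mime_watch || ! c$mime_watch$suspicious )
        return;
    local e = c$mime_watch;
    # Assumption: hash_value is the raw 16-byte digest, so render it as hex.
    local md5 = bytestring_to_hexstr(hash_value);
    NOTICE([$note=Suspicious_Attachment, $conn=c,
            $msg=fmt("Suspicious MIME entity '%s' (%s, %d bytes) md5=%s",
                     e$filename, e$content_type, content_len, md5),
            $identifier=cat(c$id$orig_h, md5)]);
    }

event mime_end_entity(c: connection)
    {
    # Relies on mime_content_hash having been raised before this event.
    if ( c?$mime_watch )
        delete c$mime_watch;
    }
```

Because Zeek only computes the per-entity MD5 when a handler for mime_content_hash exists, loading this script is what turns the hashing on; the cost is one MD5 over each decoded entity.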

Zeek::Modbus

Modbus analyzer

Components

Analyzer::ANALYZER_MODBUS

Events
modbus_message
Type

event (c: connection, headers: ModbusHeaders, is_orig: bool)

Generated for any Modbus message, regardless of whether Zeek further supports the particular function.

C

The connection.

Headers

The headers for the modbus function.

Is_orig

True if the event is raised for the originator side.

modbus_exception
Type

event (c: connection, headers: ModbusHeaders, code: count)

Generated for any Modbus exception message.

C

The connection.

Headers

The headers for the modbus function.

Code

The exception code.

modbus_read_coils_request
Type

event (c: connection, headers: ModbusHeaders, start_address: count, quantity: count)

Generated for a Modbus read coils request.

C

The connection.

Headers

The headers for the modbus function.

Start_address

The memory address of the first coil to be read.

Quantity

The number of coils to be read.

modbus_read_coils_response
Type

event (c: connection, headers: ModbusHeaders, coils: ModbusCoils)

Generated for a Modbus read coils response.

C

The connection.

Headers

The headers for the modbus function.

Coils

The coil values returned from the device.

modbus_read_discrete_inputs_request
Type

event (c: connection, headers: ModbusHeaders, start_address: count, quantity: count)

Generated for a Modbus read discrete inputs request.

C

The connection.

Headers

The headers for the modbus function.

Start_address

The memory address of the first discrete input to be read.

Quantity

The number of discrete inputs to be read.

modbus_read_discrete_inputs_response
Type

event (c: connection, headers: ModbusHeaders, coils: ModbusCoils)

Generated for a Modbus read discrete inputs response.

C

The connection.

Headers

The headers for the modbus function.

Coils

The discrete input values returned from the device.

modbus_read_holding_registers_request
Type

event (c: connection, headers: ModbusHeaders, start_address: count, quantity: count)

Generated for a Modbus read holding registers request.

C

The connection.

Headers

The headers for the modbus function.

Start_address

The memory address of the first register to be read.

Quantity

The number of registers to be read.

modbus_read_holding_registers_response
Type

event (c: connection, headers: ModbusHeaders, registers: ModbusRegisters)

Generated for a Modbus read holding registers response.

C

The connection.

Headers

The headers for the modbus function.

Registers

The register values returned from the device.

modbus_read_input_registers_request
Type

event (c: connection, headers: ModbusHeaders, start_address: count, quantity: count)

Generated for a Modbus read input registers request.

C

The connection.

Headers

The headers for the modbus function.

Start_address

The memory address of the first register to be read.

Quantity

The number of registers to be read.

modbus_read_input_registers_response
Type

event (c: connection, headers: ModbusHeaders, registers: ModbusRegisters)

Generated for a Modbus read input registers response.

C

The connection.

Headers

The headers for the modbus function.

Registers

The register values returned from the device.

modbus_write_single_coil_request
Type

event (c: connection, headers: ModbusHeaders, address: count, value: bool)

Generated for a Modbus write single coil request.

C

The connection.

Headers

The headers for the modbus function.

Address

The memory address of the coil to be written.

Value

The value to be written to the coil.

modbus_write_single_coil_response
Type

event (c: connection, headers: ModbusHeaders, address: count, value: bool)

Generated for a Modbus write single coil response.

C

The connection.

Headers

The headers for the modbus function.

Address

The memory address of the coil that was written.

Value

The value that was written to the coil.

modbus_write_single_register_request
Type

event (c: connection, headers: ModbusHeaders, address: count, value: count)

Generated for a Modbus write single register request.

C

The connection.

Headers

The headers for the modbus function.

Address

The memory address of the register to be written.

Value

The value to be written to the register.

modbus_write_single_register_response
Type

event (c: connection, headers: ModbusHeaders, address: count, value: count)

Generated for a Modbus write single register response.

C

The connection.

Headers

The headers for the modbus function.

Address

The memory address of the register that was written.

Value

The value that was written to the register.

modbus_write_multiple_coils_request
Type

event (c: connection, headers: ModbusHeaders, start_address: count, coils: ModbusCoils)

Generated for a Modbus write multiple coils request.

C

The connection.

Headers

The headers for the modbus function.

Start_address

The memory address of the first coil to be written.

Coils

The values to be written to the coils.

modbus_write_multiple_coils_response
Type

event (c: connection, headers: ModbusHeaders, start_address: count, quantity: count)

Generated for a Modbus write multiple coils response.

C

The connection.

Headers

The headers for the modbus function.

Start_address

The memory address of the first coil that was written.

Quantity

The quantity of coils that were written.

modbus_write_multiple_registers_request
Type

event (c: connection, headers: ModbusHeaders, start_address: count, registers: ModbusRegisters)

Generated for a Modbus write multiple registers request.

C

The connection.

Headers

The headers for the modbus function.

Start_address

The memory address of the first register to be written.

Registers

The values to be written to the registers.

modbus_write_multiple_registers_response
Type

event (c: connection, headers: ModbusHeaders, start_address: count, quantity: count)

Generated for a Modbus write multiple registers response.

C

The connection.

Headers

The headers for the modbus function.

Start_address

The memory address of the first register that was written.

Quantity

The quantity of registers that were written.

modbus_read_file_record_request
Type

event (c: connection, headers: ModbusHeaders)

Generated for a Modbus read file record request.

C

The connection.

Headers

The headers for the modbus function.

modbus_read_file_record_response
Type

event (c: connection, headers: ModbusHeaders)

Generated for a Modbus read file record response.

C

The connection.

Headers

The headers for the modbus function.

modbus_write_file_record_request
Type

event (c: connection, headers: ModbusHeaders)

Generated for a Modbus write file record request.

C

The connection.

Headers

The headers for the modbus function.

modbus_write_file_record_response
Type

event (c: connection, headers: ModbusHeaders)

Generated for a Modbus write file record response.

C

The connection.

Headers

The headers for the modbus function.

modbus_mask_write_register_request
Type

event (c: connection, headers: ModbusHeaders, address: count, and_mask: count, or_mask: count)

Generated for a Modbus mask write register request.

C

The connection.

Headers

The headers for the modbus function.

Address

The memory address of the register where the masks should be applied.

And_mask

The value of the logical AND mask to apply to the register.

Or_mask

The value of the logical OR mask to apply to the register.

modbus_mask_write_register_response
Type

event (c: connection, headers: ModbusHeaders, address: count, and_mask: count, or_mask: count)

Generated for a Modbus mask write register response.

C

The connection.

Headers

The headers for the modbus function.

Address

The memory address of the register where the masks were applied.

And_mask

The value of the logical AND mask applied to the register.

Or_mask

The value of the logical OR mask applied to the register.

modbus_read_write_multiple_registers_request
Type

event (c: connection, headers: ModbusHeaders, read_start_address: count, read_quantity: count, write_start_address: count, write_registers: ModbusRegisters)

Generated for a Modbus read/write multiple registers request.

C

The connection.

Headers

The headers for the modbus function.

Read_start_address

The memory address of the first register to be read.

Read_quantity

The number of registers to read.

Write_start_address

The memory address of the first register to be written.

Write_registers

The values to be written to the registers.

modbus_read_write_multiple_registers_response
Type

event (c: connection, headers: ModbusHeaders, written_registers: ModbusRegisters)

Generated for a Modbus read/write multiple registers response.

C

The connection.

Headers

The headers for the modbus function.

Written_registers

The register values read from the registers specified in the request. Despite the parameter name, these are the values read back, not the ones written.

modbus_read_fifo_queue_request
Type

event (c: connection, headers: ModbusHeaders, start_address: count)

Generated for a Modbus read FIFO queue request.

C

The connection.

Headers

The headers for the modbus function.

Start_address

The address of the FIFO queue to read.

modbus_read_fifo_queue_response
Type

event (c: connection, headers: ModbusHeaders, fifos: ModbusRegisters)

Generated for a Modbus read FIFO queue response.

C

The connection.

Headers

The headers for the modbus function.

Fifos

The register values read from the FIFO queue on the device.
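
In an ICS network the write functions above are the ones that change the state of a field device, so the question a monitor usually wants answered is "who is writing, to which unit, and is that host supposed to?" Exception responses are the other signal worth keeping: a master probing for supported functions or valid addresses produces a stream of them. The script below is an added example, not Zeek's own code, that raises a notice for any write function request coming from a host outside an allow-list and for every exception response. It assumes ModbusHeaders carries `tid`, `uid` and `function_code` fields; the module name, notice types and the addresses in ModbusWatch::authorized_masters are constructed for the example, and the exception-code names come from the Modbus application protocol specification.

```zeek
# Added example (not Zeek's own code): alert on Modbus write functions from
# hosts outside an allow-list of engineering stations, and on exceptions.
module ModbusWatch;

export {
    redef enum Notice::Type += { Unauthorized_Write, Exception_Response };

    ## Hosts permitted to write to field devices (constructed example addresses).
    const authorized_masters: set[addr] = { 10.10.1.10, 10.10.1.11 } &redef;

    ## Standard Modbus exception codes (Modbus Application Protocol spec).
    const exception_names: table[count] of string = {
        [1]  = "ILLEGAL FUNCTION",
        [2]  = "ILLEGAL DATA ADDRESS",
        [3]  = "ILLEGAL DATA VALUE",
        [4]  = "SLAVE DEVICE FAILURE",
        [5]  = "ACKNOWLEDGE",
        [6]  = "SLAVE DEVICE BUSY",
        [8]  = "MEMORY PARITY ERROR",
        [10] = "GATEWAY PATH UNAVAILABLE",
        [11] = "GATEWAY TARGET DEVICE FAILED TO RESPOND",
    } &default="UNKNOWN";
}

# Shared check for every write-class request.
function write_seen(c: connection, h: ModbusHeaders, what: string)
    {
    if ( c$id$orig_h in authorized_masters )
        return;

    NOTICE([$note=Unauthorized_Write, $conn=c,
            $msg=fmt("Modbus %s from %s to %s (unit %d, function %d, tid %d)",
                     what, c$id$orig_h, c$id$resp_h, h$uid, h$function_code, h$tid),
            # One notice per master/device/function combination.
            $identifier=cat(c$id$orig_h, c$id$resp_h, h$function_code)]);
    }

event modbus_write_single_coil_request(c: connection, headers: ModbusHeaders,
                                       address: count, value: bool)
    {
    write_seen(c, headers, fmt("write coil %d := %s", address, value ? "ON" : "OFF"));
    }

event modbus_write_single_register_request(c: connection, headers: ModbusHeaders,
                                           address: count, value: count)
    {
    write_seen(c, headers, fmt("write register %d := %d", address, value));
    }

event modbus_write_multiple_coils_request(c: connection, headers: ModbusHeaders,
                                          start_address: count, coils: ModbusCoils)
    {
    write_seen(c, headers, fmt("write %d coils starting at %d", |coils|, start_address));
    }

event modbus_write_multiple_registers_request(c: connection, headers: ModbusHeaders,
                                              start_address: count, registers: ModbusRegisters)
    {
    write_seen(c, headers, fmt("write %d registers starting at %d", |registers|, start_address));
    }

event modbus_mask_write_register_request(c: connection, headers: ModbusHeaders,
                                         address: count, and_mask: count, or_mask: count)
    {
    write_seen(c, headers, fmt("mask-write register %d (AND %d, OR %d)", address, and_mask, or_mask));
    }

event modbus_read_write_multiple_registers_request(c: connection, headers: ModbusHeaders,
        read_start_address: count, read_quantity: count,
        write_start_address: count, write_registers: ModbusRegisters)
    {
    write_seen(c, headers, fmt("read/write: %d registers written starting at %d",
                               |write_registers|, write_start_address));
    }

event modbus_exception(c: connection, headers: ModbusHeaders, code: count)
    {
    NOTICE([$note=Exception_Response, $conn=c,
            $msg=fmt("Modbus exception %d (%s) from %s, function code %d as carried in the header",
                     code, exception_names[code], c$id$resp_h, headers$function_code),
            $identifier=cat(c$id$orig_h, c$id$resp_h, code)]);
    }
```

The write-file-record request above has no address arguments in its event, so it is not covered by write_seen; a handler for modbus_write_file_record_request with a fixed description can be added in the same way if those functions are in use.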

Zeek::MQTT

Message Queuing Telemetry Transport v3.1.1 Protocol analyzer

Components

Analyzer::ANALYZER_MQTT

Types
MQTT::ConnectMsg
Type

record

protocol_name: string

Protocol name

protocol_version: count

Protocol version

client_id: string

Identifies the Client to the Server.

keep_alive: interval

The maximum time interval that is permitted to elapse between the point at which the Client finishes transmitting one Control Packet and the point it starts sending the next.

clean_session: bool

Indicates whether the server should start a clean session or resume previously stored session state.

will_retain: bool

Specifies if the Will Message is to be retained when it is published.

will_qos: count

Specifies the QoS level to be used when publishing the Will Message.

will_topic: string &optional

Topic to publish the Will message to.

will_msg: string &optional

The actual Will message to publish.

username: string &optional

Username to use for authentication to the server.

password: string &optional

Password to use for authentication to the server.

MQTT::ConnectAckMsg
Type

record

return_code: count

Return code from the connack message

session_present: bool

The Session present flag helps the client establish whether the Client and Server have a consistent view about whether there is already stored Session state.

MQTT::PublishMsg
Type

record

dup: bool

The MQTT DUP flag: set when the message may be a re-delivery of an earlier publish attempt, false for the first attempt.

qos: count

Indicates what level of QoS is enabled for this message.

retain: bool

Indicates if the server should retain this message so that clients subscribing to the topic in the future will receive this message automatically.

topic: string

Name of the topic the published message is directed into.

payload: string

Payload of the published message.

payload_len: count

The actual length of the payload in the case the payload field’s contents were truncated according to MQTT::max_payload_size.

Events
mqtt_connect
Type

event (c: connection, msg: MQTT::ConnectMsg)

Generated for MQTT “client requests a connection” messages

C

The connection

Msg

MQTT connect message fields.

mqtt_connack
Type

event (c: connection, msg: MQTT::ConnectAckMsg)

Generated for MQTT acknowledge connection messages

C

The connection

Msg

MQTT connect ack message fields.

mqtt_publish
Type

event (c: connection, is_orig: bool, msg_id: count, msg: MQTT::PublishMsg)

Generated for MQTT publish messages

C

The connection

Is_orig

Direction in which the message was sent

Msg_id

The id value for the message.

Msg

The MQTT publish message record.

mqtt_puback
Type

event (c: connection, is_orig: bool, msg_id: count)

Generated for MQTT publish acknowledgement messages

C

The connection

Is_orig

Direction in which the message was sent

Msg_id

The id value for the message.

mqtt_pubrec
Type

event (c: connection, is_orig: bool, msg_id: count)

Generated for MQTT publish received messages (QoS 2 publish received, part 1)

C

The connection

Is_orig

Direction in which the message was sent

Msg_id

The id value for the message.

mqtt_pubrel
Type

event (c: connection, is_orig: bool, msg_id: count)

Generated for MQTT publish release messages (QoS 2 publish received, part 2)

C

The connection

Is_orig

Direction in which the message was sent

Msg_id

The id value for the message.

mqtt_pubcomp
Type

event (c: connection, is_orig: bool, msg_id: count)

Generated for MQTT publish complete messages (QoS 2 publish received, part 3)

C

The connection

Is_orig

Direction in which the message was sent

Msg_id

The id value for the message.

mqtt_subscribe
Type

event (c: connection, msg_id: count, topics: string_vec, requested_qos: index_vec)

Generated for MQTT subscribe messages

C

The connection

Msg_id

The id value for the message.

Topics

The topics being subscribed to

Requested_qos

The desired QoS option associated with each topic.

mqtt_suback
Type

event (c: connection, msg_id: count, granted_qos: count)

Generated for MQTT subscribe acknowledgement messages

C

The connection

Msg_id

The id value for the message.

Granted_qos

The QoS level the server granted for the subscription (the SUBACK return code).

mqtt_unsubscribe
Type

event (c: connection, msg_id: count, topics: string_vec)

Generated for MQTT unsubscribe messages sent by the client

C

The connection

Msg_id

The id value for the message.

Topics

The topics being unsubscribed from

mqtt_unsuback
Type

event (c: connection, msg_id: count)

Generated for MQTT unsubscribe acknowledgements sent by the server

C

The connection

Msg_id

The id value for the message.

mqtt_pingreq
Type

event (c: connection)

Generated for MQTT ping requests sent by the client.

C

The connection

mqtt_pingresp
Type

event (c: connection)

Generated for MQTT ping responses sent by the server.

C

The connection

mqtt_disconnect
Type

event (c: connection)

Generated for MQTT disconnect messages sent by the client when it is disconnecting cleanly.

C

The connection
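
Three of the MQTT events above carry most of the security signal on a broker: mqtt_connect shows whether a client even offered credentials (username and password are optional in MQTT::ConnectMsg), mqtt_connack shows whether the broker refused it and why, and mqtt_subscribe shows clients that subscribe to the "#" wildcard and thereby receive every message published to the broker. The script below is an added example, not Zeek's own code, that raises a notice in each of those cases; the module name and notice types are constructed for the example, and the CONNACK return-code names are taken from the MQTT v3.1.1 specification.

```zeek
# Added example (not Zeek's own code): anonymous connects, refused connects
# and broker-wide wildcard subscriptions.
module MqttWatch;

export {
    redef enum Notice::Type += { Anonymous_Connect, Connect_Refused, Broad_Subscription };

    ## CONNACK return codes defined by MQTT v3.1.1 (section 3.2.2.3).
    const connack_codes: table[count] of string = {
        [0] = "Connection Accepted",
        [1] = "Unacceptable protocol version",
        [2] = "Identifier rejected",
        [3] = "Server unavailable",
        [4] = "Bad user name or password",
        [5] = "Not authorized",
    } &default="Unknown";
}

event mqtt_connect(c: connection, msg: MQTT::ConnectMsg)
    {
    # Absence of a username means the client expects anonymous access.
    if ( ! msg?$username )
        NOTICE([$note=Anonymous_Connect, $conn=c,
                $msg=fmt("MQTT client '%s' (%s v%d) connected without credentials",
                         msg$client_id, msg$protocol_name, msg$protocol_version),
                $identifier=cat(c$id$orig_h, msg$client_id)]);
    }

event mqtt_connack(c: connection, msg: MQTT::ConnectAckMsg)
    {
    if ( msg$return_code != 0 )
        NOTICE([$note=Connect_Refused, $conn=c,
                $msg=fmt("Broker refused MQTT connection from %s: %d (%s)",
                         c$id$orig_h, msg$return_code, connack_codes[msg$return_code]),
                $identifier=cat(c$id$orig_h, msg$return_code)]);
    }

event mqtt_subscribe(c: connection, msg_id: count, topics: string_vec, requested_qos: index_vec)
    {
    for ( i in topics )
        {
        # A bare "#" subscribes to every topic; "$SYS/#" to all broker internals.
        if ( topics[i] != "#" && topics[i] != "$SYS/#" )
            next;

        local qos = i < |requested_qos| ? requested_qos[i] : 0;
        NOTICE([$note=Broad_Subscription, $conn=c,
                $msg=fmt("Client %s subscribed to '%s' (requested QoS %d, msg_id %d)",
                         c$id$orig_h, topics[i], qos, msg_id),
                $identifier=cat(c$id$orig_h, topics[i])]);
        }
    }
```

Whether an anonymous connect is a finding depends on the broker's policy; pairing the mqtt_connect notice with the following mqtt_connack (return code 5, "Not authorized", versus 0) tells you whether the broker actually let the client in.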

Zeek::MySQL

MySQL analyzer

Components

Analyzer::ANALYZER_MYSQL

Events
mysql_command_request
Type

event (c: connection, command: count, arg: string)

Generated for a command request from a MySQL client.

See the MySQL documentation for more information about the MySQL protocol.

C

The connection.

Command

The numerical code of the command issued.

Arg

The argument for the command (empty string if not provided).

See also:

mysql_error
Type

event (c: connection, code: count, msg: string)

Generated for an unsuccessful MySQL response.

See the MySQL documentation for more information about the MySQL protocol.

C

The connection.

Code

The error code.

Msg

Any extra details about the error (empty string if not provided).

See also:

mysql_ok
Type

event (c: connection, affected_rows: count)

Generated for a successful MySQL response.

See the MySQL documentation for more information about the MySQL protocol.

C

The connection.

Affected_rows

The number of rows that were affected.

See also:

mysql_result_row
Type

event (c: connection, row: string_vec)

Generated for each MySQL ResultsetRow response packet.

See the MySQL documentation for more information about the MySQL protocol.

C

The connection.

Row

The result row data.

See also:

mysql_server_version
Type

event (c: connection, ver: string)

Generated for the initial server handshake packet, which includes the MySQL server version.

See the MySQL documentation for more information about the MySQL protocol.

C

The connection.

Ver

The server version string.

See also:

mysql_handshake
Type

event (c: connection, username: string)

Generated for a client handshake response packet, which includes the username the client is attempting to connect as.

See the MySQL documentation for more information about the MySQL protocol.

C

The connection.

Username

The username supplied by the client

See also:
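
The MySQL events above map directly onto the checks a database monitor usually wants: mysql_handshake carries the account name before any authentication result, mysql_error with code 1045 (ER_ACCESS_DENIED_ERROR) marks a failed login, mysql_ok a success, and mysql_command_request exposes the text of every COM_QUERY (command code 3). The script below is an added example, not Zeek's own code, that flags privileged logins, counts authentication failures per client, and matches queries against a small pattern of statements that touch the file system or alter privileges. The module name, notice types, the account list, the threshold and the statement pattern are constructed for the example; the command and error codes are fixed by the MySQL protocol.

```zeek
# Added example (not Zeek's own code): privileged logins, repeated
# authentication failures, and file/privilege-related statements.
module MysqlWatch;

export {
    redef enum Notice::Type += { Privileged_Login, Auth_Failures, Risky_Query };

    ## Accounts whose use over the network deserves attention (assumed list).
    const privileged_users: set[string] = { "root" } &redef;

    ## Failed logins from one client before a notice is raised (assumed value).
    const failure_threshold = 5 &redef;

    ## Statements worth flagging; matched against the upper-cased query text.
    const risky_sql = /LOAD_FILE[[:blank:]]*\(|INTO[[:blank:]]+(OUT|DUMP)FILE|GRANT[[:blank:]]+ALL|DROP[[:blank:]]+(DATABASE|USER)/ &redef;
}

# MySQL wire-protocol constants (fixed by the protocol, not by Zeek).
const COM_QUERY = 3;                  # text query command
const ER_ACCESS_DENIED_ERROR = 1045;  # bad user name or password

# Authentication failures per client address; entries age out after 10 minutes.
global failures: table[addr] of count &default=0 &create_expire=10 min;

event mysql_handshake(c: connection, username: string)
    {
    if ( username in privileged_users )
        NOTICE([$note=Privileged_Login, $conn=c,
                $msg=fmt("MySQL login attempt as '%s' from %s", username, c$id$orig_h),
                $identifier=cat(c$id$orig_h, username)]);
    }

event mysql_error(c: connection, code: count, msg: string)
    {
    if ( code != ER_ACCESS_DENIED_ERROR )
        return;

    ++failures[c$id$orig_h];
    if ( failures[c$id$orig_h] == failure_threshold )
        NOTICE([$note=Auth_Failures, $conn=c,
                $msg=fmt("%d MySQL authentication failures from %s (last: %s)",
                         failure_threshold, c$id$orig_h, msg),
                $identifier=cat(c$id$orig_h)]);
    }

event mysql_ok(c: connection, affected_rows: count)
    {
    # Any successful response means the client is authenticated; reset its count.
    if ( c$id$orig_h in failures )
        delete failures[c$id$orig_h];
    }

event mysql_command_request(c: connection, command: count, arg: string)
    {
    if ( command != COM_QUERY )
        return;

    if ( risky_sql in to_upper(arg) )
        NOTICE([$note=Risky_Query, $conn=c,
                $msg=fmt("Risky MySQL statement from %s: %s", c$id$orig_h, sub_bytes(arg, 1, 200)),
                $identifier=cat(c$id$orig_h, to_upper(arg))]);
    }
```

The pattern deliberately ignores SQL comments and string literals, so it is a triage aid rather than a parser: an attacker can split keywords with inline comments, and a legitimate backup job will trip INTO OUTFILE. Adjust MysqlWatch::risky_sql and the allow-listed accounts to the environment before treating these notices as alerts.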

Zeek::NCP

NCP analyzer

Components

Analyzer::ANALYZER_CONTENTS_NCP

Analyzer::ANALYZER_NCP

Options/Constants
NCP::max_frame_size
Type

count

Attributes

&redef

Default

65536

The maximum number of bytes to allocate when parsing NCP frames.

Events
ncp_request
Type

event (c: connection, frame_type: count, length: count, func: count)

Generated for NCP requests (Netware Core Protocol).

See Wikipedia for more information about the NCP protocol.

C

The connection.

Frame_type

The frame type, as specified by the protocol.

Length

The length of the request body, excluding the frame header.

Func

The requested function, as specified by the protocol.

See also:

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

ncp_reply
Type

event (c: connection, frame_type: count, length: count, req_frame: count, req_func: count, completion_code: count)

Generated for NCP replies (Netware Core Protocol).

See Wikipedia for more information about the NCP protocol.

C

The connection.

Frame_type

The frame type, as specified by the protocol.

Length

The length of the reply body, excluding the frame header.

Req_frame

The frame type from the corresponding request.

Req_func

The function code from the corresponding request.

Completion_code

The reply’s completion code, as specified by the protocol.

See also:

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

Zeek::NetBIOS

NetBIOS analyzer support

Components

Analyzer::ANALYZER_CONTENTS_NETBIOSSSN

Analyzer::ANALYZER_NETBIOSSSN

Events
netbios_session_message
Type

event (c: connection, is_orig: bool, msg_type: count, data_len: count)

Generated for all NetBIOS SSN and DGM messages. Zeek’s NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.

See Wikipedia for more information about NetBIOS. RFC 1002 describes the packet format for NetBIOS over TCP/IP, which Zeek parses.

C

The connection, which may be TCP or UDP, depending on the type of the NetBIOS session.

Is_orig

True if the message was sent by the originator of the connection.

Msg_type

The general type of message, as defined in Section 4.3.1 of RFC 1002.

Data_len

The length of the message’s payload.

See also:

Note

These days, NetBIOS is primarily used as a transport mechanism for SMB/CIFS. Zeek’s SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

netbios_session_request
Type

event (c: connection, msg: string)

Generated for NetBIOS messages of type session request. Zeek’s NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.

See Wikipedia for more information about NetBIOS. RFC 1002 describes the packet format for NetBIOS over TCP/IP, which Zeek parses.

C

The connection, which may be TCP or UDP, depending on the type of the NetBIOS session.

Msg

The raw payload of the message sent, excluding the common NetBIOS header.

See also:

Note

These days, NetBIOS is primarily used as a transport mechanism for SMB/CIFS. Zeek’s SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

netbios_session_accepted
Type

event (c: connection, msg: string)

Generated for NetBIOS messages of type positive session response. Zeek’s NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.

See Wikipedia for more information about NetBIOS. RFC 1002 describes the packet format for NetBIOS over TCP/IP, which Zeek parses.

C

The connection, which may be TCP or UDP, depending on the type of the NetBIOS session.

Msg

The raw payload of the message sent, excluding the common NetBIOS header.

See also:

Note

These days, NetBIOS is primarily used as a transport mechanism for SMB/CIFS. Zeek’s SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

netbios_session_rejected
Type

event (c: connection, msg: string)

Generated for NetBIOS messages of type negative session response. Zeek’s NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.

See Wikipedia for more information about NetBIOS. RFC 1002 describes the packet format for NetBIOS over TCP/IP, which Zeek parses.

C

The connection, which may be TCP or UDP, depending on the type of the NetBIOS session.

Msg

The raw payload of the message sent, excluding the common NetBIOS header.

See also:

Note

These days, NetBIOS is primarily used as a transport mechanism for SMB/CIFS. Zeek’s SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

netbios_session_raw_message
Type

event (c: connection, is_orig: bool, msg: string)

Generated for NetBIOS messages of type session message that are not carrying an SMB payload.

Zeek’s NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.

See Wikipedia for more information about NetBIOS. RFC 1002 describes the packet format for NetBIOS over TCP/IP, which Zeek parses.

C

The connection, which may be TCP or UDP, depending on the type of the NetBIOS session.

Is_orig

True if the message was sent by the originator of the connection.

Msg

The raw payload of the message sent, excluding the common NetBIOS header (i.e., the user_data).

Note

These days, NetBIOS is primarily used as a transport mechanism for SMB/CIFS. Zeek’s SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.

Todo

This is an oddly named event. In fact, it’s probably an odd event to have to begin with.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

netbios_session_ret_arg_resp
Type

event (c: connection, msg: string)

Generated for NetBIOS messages of type retarget response. Zeek’s NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.

See Wikipedia for more information about NetBIOS. RFC 1002 describes the packet format for NetBIOS over TCP/IP, which Zeek parses.

C

The connection, which may be TCP or UDP, depending on the type of the NetBIOS session.

Msg

The raw payload of the message sent, excluding the common NetBIOS header.

Note

These days, NetBIOS is primarily used as a transport mechanism for SMB/CIFS. Zeek’s SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.

Todo

This is an oddly named event.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

netbios_session_keepalive
Type

event (c: connection, msg: string)

Generated for NetBIOS messages of type keep-alive. Zeek’s NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.

See Wikipedia for more information about NetBIOS. RFC 1002 describes the packet format for NetBIOS over TCP/IP, which Zeek parses.

C

The connection, which may be TCP or UDP, depending on the type of the NetBIOS session.

Msg

The raw payload of the message sent, excluding the common NetBIOS header.

Note

These days, NetBIOS is primarily used as a transport mechanism for SMB/CIFS. Zeek’s SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

Functions
decode_netbios_name
Type

function (name: string) : string

Decode a NetBIOS name. See https://jeffpar.github.io/kbarchive/kb/194/Q194203/.

Name

The encoded NetBIOS name, e.g., "FEEIEFCAEOEFFEECEJEPFDCAEOEBENEF".

Returns

The decoded NetBIOS name, e.g., "THE NETBIOS NAM". An empty string is returned if the argument is not a valid NetBIOS encoding (though an encoding that would decode to something that includes only null-bytes or space-characters also yields an empty string).

decode_netbios_name_type
Type

function (name: string) : count

Converts a NetBIOS name type to its corresponding numeric value. See https://en.wikipedia.org/wiki/NetBIOS#NetBIOS_Suffixes.

Name

An encoded NetBIOS name.

Returns

The numeric value of name or 256 if it’s not a valid encoding.

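As an added example that is not Zeek’s own code, here is a Python re-implementation of the first-level NetBIOS name encoding that these two functions undo, extended with the inverse encoder and a Windows-style renderer. The suffix labels are assumed from the NetBIOS suffix list the text links to, and NETBIOS_SUFFIXES, encode_netbios_name and describe_netbios_name are names chosen here.

```python
# Added example (not Zeek's own code): the NetBIOS first-level name encoding behind
# decode_netbios_name / decode_netbios_name_type. Each of the 16 raw bytes is split into
# two nibbles, each written as 'A' + nibble, giving 32 characters from the range A..P.
# The first 15 bytes are the space-padded name; byte 16 is the name-type suffix.

# Common name-type suffixes (16th byte), assumed here from the NetBIOS suffix list.
NETBIOS_SUFFIXES = {
    0x00: "workstation service",
    0x03: "messenger service",
    0x1B: "domain master browser",
    0x1C: "domain controllers",
    0x1D: "master browser",
    0x20: "file server service",
}

_INVALID_TYPE = 256  # sentinel for an invalid encoding, as documented for Zeek's function


def _first_level_decode(name):
    """Return the 16 raw bytes behind a 32-character encoded name, or None if invalid."""
    if len(name) != 32 or any(c < "A" or c > "P" for c in name):
        return None
    nibbles = [ord(c) - ord("A") for c in name]
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[0::2], nibbles[1::2]))


def decode_netbios_name(name):
    """Decode an encoded NetBIOS name; '' if invalid or if it holds only spaces/nulls."""
    raw = _first_level_decode(name)
    if raw is None:
        return ""
    # The name proper is the first 15 bytes; the 16th byte is the suffix, not the name.
    return raw[:15].rstrip(b" \x00").decode("ascii", "replace")


def decode_netbios_name_type(name):
    """Return the numeric name-type suffix, or 256 if the encoding is invalid."""
    raw = _first_level_decode(name)
    return _INVALID_TYPE if raw is None else raw[15]


def encode_netbios_name(name, suffix=0x00):
    """Inverse operation: pad/truncate to 15 bytes, append the suffix, first-level encode."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix & 0xFF])
    return "".join(chr(ord("A") + (b >> 4)) + chr(ord("A") + (b & 0x0F)) for b in raw)


def describe_netbios_name(name):
    """Render an encoded name the way Windows tools show it, e.g. 'WORKGROUP<1C> (...)'."""
    suffix = decode_netbios_name_type(name)
    if suffix == _INVALID_TYPE:
        return ""
    text = "%s<%02X>" % (decode_netbios_name(name), suffix)
    label = NETBIOS_SUFFIXES.get(suffix)
    return text + (" (%s)" % label if label else "")


if __name__ == "__main__":
    # The documentation's example decodes to the 15-byte name plus suffix byte 0x45.
    sample = "FEEIEFCAEOEFFEECEJEPFDCAEOEBENEF"
    print(describe_netbios_name(sample))  # THE NETBIOS NAM<45>
```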
Zeek::NTLM

NTLM analyzer

Components

Analyzer::ANALYZER_NTLM

Types
NTLM::Negotiate
Type

record

flags: NTLM::NegotiateFlags

The negotiate flags

domain_name: string &optional

The domain name of the client, if known

workstation: string &optional

The machine name of the client, if known

version: NTLM::Version &optional

The Windows version information, if supplied

NTLM::Challenge
Type

record

flags: NTLM::NegotiateFlags

The negotiate flags

target_name: string &optional

The server authentication realm. If the server is domain-joined, the name of the domain. Otherwise the server name. See flags.target_type_domain and flags.target_type_server

version: NTLM::Version &optional

The Windows version information, if supplied

target_info: NTLM::AVs &optional

Attribute-value pairs specified by the server

NTLM::Authenticate
Type

record

flags: NTLM::NegotiateFlags

The negotiate flags

domain_name: string &optional

The domain or computer name hosting the account

user_name: string &optional

The name of the user to be authenticated.

workstation: string &optional

The name of the computer to which the user was logged on.

session_key: string &optional

The session key

version: NTLM::Version &optional

The Windows version information, if supplied

NTLM::NegotiateFlags
Type

record

negotiate_56: bool

If set, requires 56-bit encryption

negotiate_key_exch: bool

If set, requests an explicit key exchange

negotiate_128: bool

If set, requests 128-bit session key negotiation

negotiate_version: bool

If set, requests the protocol version number

negotiate_target_info: bool

If set, indicates that the TargetInfo fields in the CHALLENGE_MESSAGE are populated

request_non_nt_session_key: bool

If set, requests the usage of the LMOWF function

negotiate_identify: bool

If set, requests an identify level token

negotiate_extended_sessionsecurity: bool

If set, requests usage of NTLM v2 session security. Note: NTLM v2 session security is actually NTLM v1.

target_type_server: bool

If set, TargetName must be a server name

target_type_domain: bool

If set, TargetName must be a domain name

negotiate_always_sign: bool

If set, requests the presence of a signature block on all messages

negotiate_oem_workstation_supplied: bool

If set, the workstation name is provided

negotiate_oem_domain_supplied: bool

If set, the domain name is provided

negotiate_anonymous_connection: bool

If set, the connection should be anonymous

negotiate_ntlm: bool

If set, requests usage of NTLM v1

negotiate_lm_key: bool

If set, requests LAN Manager session key computation

negotiate_datagram: bool

If set, requests connectionless authentication

negotiate_seal: bool

If set, requests session key negotiation for message confidentiality

negotiate_sign: bool

If set, requests session key negotiation for message signatures

request_target: bool

If set, the TargetName field is present

negotiate_oem: bool

If set, requests OEM character set encoding

negotiate_unicode: bool

If set, requests Unicode character set encoding

NTLM::Version
Type

record

major: count

The major version of the Windows operating system in use

minor: count

The minor version of the Windows operating system in use

build: count

The build number of the Windows operating system in use

ntlmssp: count

The current revision of NTLMSSP in use

NTLM::AVs
Type

record

nb_computer_name: string

The server’s NetBIOS computer name

nb_domain_name: string

The server’s NetBIOS domain name

dns_computer_name: string &optional

The FQDN of the computer

dns_domain_name: string &optional

The FQDN of the domain

dns_tree_name: string &optional

The FQDN of the forest

constrained_auth: bool &optional

Indicates to the client that the account authentication is constrained

timestamp: time &optional

The associated timestamp, if present

single_host_id: count &optional

Indicates that the client is providing a machine ID created at computer startup to identify the calling machine

target_name: string &optional

The SPN of the target server

Events
ntlm_negotiate
Type

event (c: connection, negotiate: NTLM::Negotiate)

Generated for NTLM messages of type negotiate.

C

The connection.

Negotiate

The parsed data of the NTLM message. See init-bare for more details.

ntlm_challenge
Type

event (c: connection, challenge: NTLM::Challenge)

Generated for NTLM messages of type challenge.

C

The connection.

Challenge

The parsed data of the NTLM message. See init-bare for more details.

ntlm_authenticate
Type

event (c: connection, request: NTLM::Authenticate)

Generated for NTLM messages of type authenticate.

C

The connection.

Request

The parsed data of the NTLM message. See init-bare for more details.

Zeek::NTP

NTP analyzer

Components

Analyzer::ANALYZER_NTP

Types
NTP::StandardMessage
Type

record

stratum: count

This value mainly identifies the type of server (primary server, secondary server, etc.). Possible values, as in RFC 5905, are:

  • 0 -> unspecified or invalid

  • 1 -> primary server (e.g., equipped with a GPS receiver)

  • 2-15 -> secondary server (via NTP)

  • 16 -> unsynchronized

  • 17-255 -> reserved

For stratum 0, a kiss_code can be given for debugging and monitoring.

poll: interval

The maximum interval between successive messages.

precision: interval

The precision of the system clock.

root_delay: interval

Root delay. The total round-trip delay to the reference clock.

root_disp: interval

Root Dispersion. The total dispersion to the reference clock.

kiss_code: string &optional

For stratum 0, four-character ASCII string used for debugging and monitoring. Values are defined in RFC 1345.

ref_id: string &optional

Reference ID. For stratum 1, this is the ID assigned to the reference clock by IANA. For example: GOES, GPS, GAL, etc. (see RFC 5905)

ref_addr: addr &optional

Above stratum 1, when using IPv4, the IP address of the reference clock. Note that the NTP protocol did not originally specify a large enough field to represent IPv6 addresses, so they use the first four bytes of the MD5 hash of the reference clock’s IPv6 address (i.e. an IPv4 address here is not necessarily IPv4).

ref_time: time

Reference timestamp. Time when the system clock was last set or correct.

org_time: time

Origin timestamp. Time at the client when the request departed for the NTP server.

rec_time: time

Receive timestamp. Time at the server when the request arrived from the NTP client.

xmt_time: time

Transmit timestamp. Time at the server when the response departed.

key_id: count &optional

Key used to designate a secret MD5 key.

digest: string &optional

MD5 hash computed over the key followed by the NTP packet header and extension fields.

num_exts: count &default = 0 &optional

Number of extension fields (which are not currently parsed).

NTP standard message as defined in RFC 5905 for modes 1-5. This record contains the standard fields used by the NTP protocol for standard synchronization operations.

NTP::ControlMessage
Type

record

op_code: count

An integer specifying the command function. Values currently defined:

  • 1 read status command/response

  • 2 read variables command/response

  • 3 write variables command/response

  • 4 read clock variables command/response

  • 5 write clock variables command/response

  • 6 set trap address/port command/response

  • 7 trap response

Other values are reserved.

resp_bit: bool

The response bit. Set to zero for commands, one for responses.

err_bit: bool

The error bit. Set to zero for normal response, one for error response.

more_bit: bool

The more bit. Set to zero for last fragment, one for all others.

sequence: count

The sequence number of the command or response.

status: count

The current status of the system, peer or clock.

association_id: count

A 16-bit integer identifying a valid association.

data: string &optional

Message data for the command or response + Authenticator (optional).

key_id: count &optional

This is an integer identifying the cryptographic key used to generate the message-authentication code.

crypto_checksum: string &optional

This is a crypto-checksum computed by the encryption procedure.

NTP control message as defined in RFC 1119 for mode 6. This record contains the fields used by the NTP protocol for control operations.

NTP::Mode7Message
Type

record

req_code: count

An implementation-specific code which specifies the operation to be (which has been) performed and/or the format and semantics of the data included in the packet.

auth_bit: bool

The authenticated bit. If set, this packet is authenticated.

sequence: count

For a multipacket response, contains the sequence number of this packet. 0 is the first in the sequence, 127 (or less) is the last. The More Bit must be set in all packets but the last.

implementation: count

The number of the implementation this request code is defined by. An implementation number of zero is used for request codes/data formats which all implementations agree on. Implementation number 255 is reserved (for extensions, in case we run out).

err: count

Must be 0 for a request. For a response, holds an error code relating to the request. If nonzero, the operation requested wasn’t performed.

  • 0 - no error

  • 1 - incompatible implementation number

  • 2 - unimplemented request code

  • 3 - format error (wrong data items, data size, packet size etc.)

  • 4 - no data available (e.g. request for details on unknown peer)

  • 5 - unknown

  • 6 - unknown

  • 7 - authentication failure (i.e. permission denied)

data: string &optional

Rest of data

NTP mode 7 message. Note that this is not defined in any RFC and is implementation dependent. We used the official implementation from the NTP official project. A mode 7 packet is used for exchanging data between an NTP server and a client for purposes other than time synchronization, e.g. monitoring, statistics gathering and configuration. For details see the documentation from the NTP official project, code v. ntp-4.2.8p13, in include/ntp_request.h.

NTP::Message
Type

record

version: count

The NTP version number (1, 2, 3, 4).

mode: count

The NTP mode being used. Possible values are:

  • 1 - symmetric active

  • 2 - symmetric passive

  • 3 - client

  • 4 - server

  • 5 - broadcast

  • 6 - NTP control message

  • 7 - reserved for private use

std_msg: NTP::StandardMessage &optional

If mode 1-5, the standard fields for synchronization operations are here. See RFC 5905.

control_msg: NTP::ControlMessage &optional

If mode 6, the fields for control operations are here. See RFC 1119.

mode7_msg: NTP::Mode7Message &optional

If mode 7, the fields for extra operations are here. Note that this is not defined in any RFC and is implementation dependent. We used the official implementation from the NTP official project. A mode 7 packet is used for exchanging data between an NTP server and a client for purposes other than time synchronization, e.g. monitoring, statistics gathering and configuration.

NTP message as defined in RFC 5905. Does include fields for mode 7, reserved for private use in RFC 5905, but used in some implementations for commands such as “monlist”.

Events
ntp_message
Type

event (c: connection, is_orig: bool, msg: NTP::Message)

Generated for all NTP messages. Unlike many other Zeek events, this one is generated for both client-side and server-side messages.

See Wikipedia for more information about the NTP protocol.

C

The connection record describing the corresponding UDP flow.

Is_orig

True if the message was sent by the originator.

Msg

The parsed NTP message.
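As an added example that is not Zeek’s code, the following Python parser turns raw NTP packet bytes into the shape of NTP::Message, covering the three header layouts the records above describe, and flags the mode 7 “monlist” request mentioned above. The sample packets are constructed; the request codes 20 and 42 are taken from ntpd’s include/ntp_request.h, and all function names are chosen here.

```python
# Added example (not Zeek's own code): parse raw NTP packet bytes into a dict shaped like
# Zeek's NTP::Message record: the RFC 5905 header for modes 1-5, the RFC 1119 control
# header for mode 6, and ntpd's private request header (include/ntp_request.h) for mode 7.
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)
MONLIST_REQ_CODES = {20, 42}    # REQ_MON_GETLIST / REQ_MON_GETLIST_1 in ntpd's ntp_request.h


def _ntp_timestamp(raw):
    """64-bit NTP timestamp (32-bit seconds since 1900, 32-bit fraction) as Unix time."""
    return (raw >> 32) - NTP_EPOCH_OFFSET + (raw & 0xFFFFFFFF) / 2 ** 32


def _parse_standard(pkt):
    """Modes 1-5: the fixed 48-byte header plus an optional trailing key id + MD5 digest."""
    if len(pkt) < 48:
        raise ValueError("standard NTP header is 48 bytes")
    (_, stratum, poll, precision, root_delay, root_disp, ref_id,
     ref_time, org_time, rec_time, xmt_time) = struct.unpack("!BBbbII4sQQQQ", pkt[:48])
    msg = {"stratum": stratum,
           "poll": 2.0 ** poll, "precision": 2.0 ** precision,  # log2 seconds -> seconds
           "root_delay": root_delay / 65536.0, "root_disp": root_disp / 65536.0,  # NTP short
           "num_exts": 0}  # extension fields are not parsed, matching Zeek's record
    for key, raw in (("ref_time", ref_time), ("org_time", org_time),
                     ("rec_time", rec_time), ("xmt_time", xmt_time)):
        msg[key] = _ntp_timestamp(raw)
    # The 32-bit reference ID means different things depending on the stratum.
    if stratum == 0:
        msg["kiss_code"] = ref_id.decode("ascii", "replace")
    elif stratum == 1:
        msg["ref_id"] = ref_id.rstrip(b"\x00").decode("ascii", "replace")
    else:
        msg["ref_addr"] = ".".join(str(b) for b in ref_id)
    tail = pkt[48:]
    if len(tail) == 20:  # key id (4 bytes) followed by a 128-bit MD5 digest
        msg["key_id"] = struct.unpack("!I", tail[:4])[0]
        msg["digest"] = tail[4:].hex()
    return msg


def _parse_control(pkt):
    """Mode 6: 12-byte control header, 'count' bytes of data, optional authenticator."""
    if len(pkt) < 12:
        raise ValueError("NTP control header is 12 bytes")
    _, rem, sequence, status, assoc, _offset, count = struct.unpack("!BBHHHHH", pkt[:12])
    msg = {"op_code": rem & 0x1F, "resp_bit": bool(rem & 0x80), "err_bit": bool(rem & 0x40),
           "more_bit": bool(rem & 0x20), "sequence": sequence, "status": status,
           "association_id": assoc}
    if count:
        msg["data"] = pkt[12:12 + count]
    auth = pkt[(12 + count + 3) & ~3:]  # data is padded to a 32-bit boundary
    if len(auth) >= 4:
        msg["key_id"] = struct.unpack("!I", auth[:4])[0]
        msg["crypto_checksum"] = auth[4:].hex()
    return msg


def _parse_mode7(pkt):
    """Mode 7: the 8-byte private header laid out in ntpd's struct req_pkt."""
    if len(pkt) < 8:
        raise ValueError("NTP mode 7 header is 8 bytes")
    first, aseq, implementation, req_code, err_nitems, _size = struct.unpack("!BBBBHH", pkt[:8])
    return {"is_response": bool(first & 0x80),  # R bit; not in Zeek's record, kept for detection
            "auth_bit": bool(aseq & 0x80), "sequence": aseq & 0x7F,
            "implementation": implementation, "req_code": req_code,
            "err": err_nitems >> 12,  # top 4 bits; the low 12 bits are the item count
            "data": pkt[8:]}


def parse_ntp(pkt):
    """Return {'version', 'mode'} plus 'std_msg', 'control_msg' or 'mode7_msg' by mode."""
    if not pkt:
        raise ValueError("empty packet")
    msg = {"version": (pkt[0] >> 3) & 0x07, "mode": pkt[0] & 0x07}
    if 1 <= msg["mode"] <= 5:
        msg["std_msg"] = _parse_standard(pkt)
    elif msg["mode"] == 6:
        msg["control_msg"] = _parse_control(pkt)
    elif msg["mode"] == 7:
        msg["mode7_msg"] = _parse_mode7(pkt)
    return msg


def is_monlist_request(msg):
    """True for a mode 7 request (R bit clear) carrying a MON_GETLIST code: the 'monlist' query."""
    m7 = msg.get("mode7_msg")
    return m7 is not None and not m7["is_response"] and m7["req_code"] in MONLIST_REQ_CODES


# Constructed samples (not captured traffic).
_TS = 3913056000 << 32  # 2024-01-01T00:00:00Z as an NTP timestamp
SERVER_RESPONSE = struct.pack("!BBbbII4sQQQQ", 0x24, 2, 6, -20, 0x0800, 0x1000,
                              bytes([10, 0, 0, 1]), _TS, _TS, _TS, _TS)  # v4, mode 4, stratum 2
MONLIST_REQUEST = struct.pack("!BBBBHH", 0x17, 0x00, 3, 42, 0, 0) + bytes(40)  # v2, mode 7
CONTROL_READ_VARS = struct.pack("!BBHHHHH", 0x26, 0x02, 1, 0, 0, 0, 0)        # v4, mode 6
```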

Zeek::PIA

Analyzers implementing Dynamic Protocol

Components

Analyzer::ANALYZER_PIA_TCP

Analyzer::ANALYZER_PIA_UDP

Zeek::POP3

POP3 analyzer

Components

Analyzer::ANALYZER_POP3

Events
pop3_request
Type

event (c: connection, is_orig: bool, command: string, arg: string)

Generated for client-side commands on POP3 connections.

See Wikipedia for more information about the POP3 protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Command

The command sent.

Arg

The argument to the command.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pop3_reply
Type

event (c: connection, is_orig: bool, cmd: string, msg: string)

Generated for server-side replies to commands on POP3 connections.

See Wikipedia for more information about the POP3 protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Cmd

The success indicator sent by the server. This corresponds to the first token on the line sent, and should be either OK or ERR.

Msg

The textual description the server sent along with cmd.

Todo

This event is receiving odd parameters, should unify.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pop3_data
Type

event (c: connection, is_orig: bool, data: string)

Generated for server-side multi-line responses on POP3 connections. POP3 connections use multi-line responses to send bulk data, such as the actual mails. This event is generated once for each line that’s part of such a response.

See Wikipedia for more information about the POP3 protocol.

C

The connection.

Is_orig

True if the data was sent by the originator of the TCP connection.

Data

The data sent.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pop3_unexpected
Type

event (c: connection, is_orig: bool, msg: string, detail: string)

Generated for errors encountered on POP3 sessions. If the POP3 analyzer finds state transitions that do not conform to the protocol specification, or other situations it can’t handle, it raises this event.

See Wikipedia for more information about the POP3 protocol.

C

The connection.

Is_orig

True if the data was sent by the originator of the TCP connection.

Msg

A textual description of the situation.

Detail

The input that triggered the event.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pop3_starttls
Type

event (c: connection)

Generated when a POP3 connection goes encrypted. While POP3 is by default a clear-text protocol, extensions exist to switch to encryption. This event is generated if that happens and the analyzer then stops processing the connection.

See Wikipedia for more information about the POP3 protocol.

C

The connection.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pop3_login_success
Type

event (c: connection, is_orig: bool, user: string, password: string)

Generated for successful authentications on POP3 connections.

See Wikipedia for more information about the POP3 protocol.

C

The connection.

Is_orig

Always false.

User

The user name used for authentication. The event is only generated if a non-empty user name was used.

Password

The password used for authentication.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pop3_login_failure
Type

event (c: connection, is_orig: bool, user: string, password: string)

Generated for unsuccessful authentications on POP3 connections.

See Wikipedia for more information about the POP3 protocol.

C

The connection.

Is_orig

Always false.

User

The user name attempted for authentication. The event is only generated if a non-empty user name was used.

Password

The password attempted for authentication.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

Zeek::RADIUS

RADIUS analyzer

Components

Analyzer::ANALYZER_RADIUS

Types
RADIUS::AttributeList
Type

vector of string

RADIUS::Attributes
Type

table [count] of RADIUS::AttributeList

RADIUS::Message
Type

record

code: count

The type of message (Access-Request, Access-Accept, etc.).

trans_id: count

The transaction ID.

authenticator: string

The “authenticator” string.

attributes: RADIUS::Attributes &optional

Any attributes.

Events
radius_message
Type

event (c: connection, result: RADIUS::Message)

Generated for RADIUS messages.

See Wikipedia for more information about RADIUS.

C

The connection.

Result

A record containing fields parsed from a RADIUS packet.

radius_attribute
Type

event (c: connection, attr_type: count, value: string)

Generated for each RADIUS attribute.

See Wikipedia for more information about RADIUS.

C

The connection.

Attr_type

The value of the code field (1 == User-Name, 2 == User-Password, etc.).

Value

The data/value bound to the attribute.
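An added example, not Zeek’s own code: a Python parser that fills the RADIUS::Message shape from RFC 2865 packet bytes, grouping repeated attributes under their type code as RADIUS::Attributes does, and rejecting the malformed length fields a parser must guard against. The packets are constructed and all function names are chosen here.

```python
# Added example (not Zeek's own code): parse a RADIUS packet (RFC 2865 layout) into the
# shape of Zeek's RADIUS::Message record, with attributes keyed by type code as in
# RADIUS::Attributes (table [count] of vector of string), and reject malformed lengths.
import struct

RADIUS_HEADER_LEN = 20  # code (1) + identifier (1) + length (2) + authenticator (16)
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5  # attribute type codes


def parse_radius(pkt):
    """Return {'code', 'trans_id', 'authenticator', 'attributes'}; ValueError if malformed."""
    if len(pkt) < RADIUS_HEADER_LEN:
        raise ValueError("packet shorter than the RADIUS header")
    code, trans_id, length = struct.unpack("!BBH", pkt[:4])
    if length < RADIUS_HEADER_LEN or length > len(pkt):
        raise ValueError("length field %d inconsistent with %d bytes" % (length, len(pkt)))
    msg = {"code": code, "trans_id": trans_id, "authenticator": pkt[4:20], "attributes": {}}
    off = RADIUS_HEADER_LEN
    while off < length:
        if length - off < 2:
            raise ValueError("truncated attribute header at offset %d" % off)
        atype, alen = pkt[off], pkt[off + 1]
        # The attribute length counts its own two header bytes, so it can never be below 2;
        # trusting a zero length here would loop forever on the same offset.
        if alen < 2 or off + alen > length:
            raise ValueError("attribute type %d has bad length %d" % (atype, alen))
        msg["attributes"].setdefault(atype, []).append(pkt[off + 2:off + alen])
        off += alen
    return msg


def is_well_formed(pkt):
    """True if parse_radius accepts the packet."""
    try:
        parse_radius(pkt)
        return True
    except ValueError:
        return False


def build_radius(code, trans_id, authenticator, attrs):
    """Encode a packet from (type, value) pairs; used here to construct samples."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", code, trans_id, RADIUS_HEADER_LEN + len(body))
    return header + authenticator + body


# Constructed sample: an Access-Request (code 1) for user "alice" from NAS 192.0.2.10, port 7.
ACCESS_REQUEST = build_radius(1, 0x2A, bytes(range(16)), [
    (USER_NAME, b"alice"),
    (USER_PASSWORD, bytes(16)),  # the obfuscated password block, zeroed for the sample
    (NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),
    (NAS_PORT, struct.pack("!I", 7)),
])
# Constructed malformed sample: a consistent header followed by an attribute of length 0.
ZERO_LENGTH_ATTR = struct.pack("!BBH", 1, 0x2A, 22) + bytes(range(16)) + bytes([USER_NAME, 0])
```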

Zeek::RDP

RDP analyzer

Components

Analyzer::ANALYZER_RDP

Analyzer::ANALYZER_RDPEUDP

Types
RDP::EarlyCapabilityFlags
Type

record

support_err_info_pdu: bool

want_32bpp_session: bool

support_statusinfo_pdu: bool

strong_asymmetric_keys: bool

support_monitor_layout_pdu: bool

support_netchar_autodetect: bool

support_dynvc_gfx_protocol: bool

support_dynamic_time_zone: bool

support_heartbeat_pdu: bool

RDP::ClientCoreData
Type

record

version_major: count

version_minor: count

desktop_width: count

desktop_height: count

color_depth: count

sas_sequence: count

keyboard_layout: count

client_build: count

client_name: string

keyboard_type: count

keyboard_sub: count

keyboard_function_key: count

ime_file_name: string

post_beta2_color_depth: count &optional

client_product_id: count &optional

serial_number: count &optional

high_color_depth: count &optional

supported_color_depths: count &optional

ec_flags: RDP::EarlyCapabilityFlags &optional

dig_product_id: string &optional

RDP::ClientSecurityData
Type

record

encryption_methods: count

Cryptographic encryption methods supported by the client and used in conjunction with Standard RDP Security. Known flags:

  • 0x00000001: support for 40-bit session encryption keys

  • 0x00000002: support for 128-bit session encryption keys

  • 0x00000008: support for 56-bit session encryption keys

  • 0x00000010: support for FIPS compliant encryption and MAC methods

ext_encryption_methods: count

Only used in French locale and designates the encryption method. If non-zero, then encryption_methods should be set to 0.

The TS_UD_CS_SEC data block contains security-related information used to advertise client cryptographic support.

RDP::ClientClusterData
Type

record

flags: count

Cluster information flags.

redir_session_id: count

If the redir_sessionid_field_valid flag is set, this field contains a valid session identifier to which the client requests to connect.

redir_supported: bool

The client can receive server session redirection packets. If this flag is set, the svr_session_redir_version_mask field MUST contain the server session redirection version that the client supports.

svr_session_redir_version_mask: count

The server session redirection version that the client supports.

redir_sessionid_field_valid: bool

Whether the redir_session_id field identifies a session on the server to associate with the connection.

redir_smartcard: bool

The client logged on with a smart card.

The TS_UD_CS_CLUSTER data block is sent by the client to the server either to advertise that it can support the Server Redirection PDUs or to request a connection to a given session identifier.

RDP::ClientChannelList
Type

vector of RDP::ClientChannelDef

The list of channels requested by the client.

RDP::ClientChannelDef
Type

record

name: string

A unique name for the channel

options: count

The raw channel definition options, as a count.

initialized: bool

Absence of this flag indicates that this channel is a placeholder and that the server MUST NOT set it up.

encrypt_rdp: bool

Unused, must be ignored by the server.

encrypt_sc: bool

Unused, must be ignored by the server.

encrypt_cs: bool

Unused, must be ignored by the server.

pri_high: bool

Channel data must be sent with high MCS priority.

pri_med: bool

Channel data must be sent with medium MCS priority.

pri_low: bool

Channel data must be sent with low MCS priority.

compress_rdp: bool

Virtual channel data must be compressed if RDP data is being compressed.

compress: bool

Virtual channel data must be compressed.

show_protocol: bool

Ignored by the server.

persistent: bool

Channel must be persistent across remote control transactions.

Name and flags for a single channel requested by the client.

Events
rdpeudp_syn
Type

event (c: connection)

Generated for an RDPEUDP SYN UDP datagram.

C

The connection record for the underlying transport-layer session/flow.

rdpeudp_synack
Type

event (c: connection)

Generated for an RDPEUDP SYNACK UDP datagram.

C

The connection record for the underlying transport-layer session/flow.

rdpeudp_established
Type

event (c: connection, version: count)

Generated when RDPEUDP connections are established (both sides have sent SYN).

C

The connection record for the underlying transport-layer session/flow.

Version

Whether the connection is RDPEUDP1 or RDPEUDP2.

rdpeudp_data
Type

event (c: connection, is_orig: bool, version: count, data: string)

Generated for data messages exchanged after an RDPEUDP connection is established.

C

The connection record for the underlying transport-layer session/flow.

Is_orig

Whether the data was sent by the originator or responder of the connection.

Version

Whether the connection is RDPEUDP1 or RDPEUDP2.

Data

The payload of the packet. This is probably very non-performant.

rdp_native_encrypted_data
Type

event (c: connection, orig: bool, len: count)

Generated for each packet after RDP native encryption begins.

C

The connection record for the underlying transport-layer session/flow.

Orig

True if the packet was sent by the originator of the connection.

Len

The length of the encrypted data.

rdp_connect_request
Type

event (c: connection, cookie: string, flags: count)

Type

event (c: connection, cookie: string)

Generated for X.224 client requests.

C

The connection record for the underlying transport-layer session/flow.

Cookie

The cookie included in the request.

Flags

The flags set by the client.

rdp_negotiation_response
Type

event (c: connection, security_protocol: count, flags: count)

Type

event (c: connection, security_protocol: count)

Generated for RDP Negotiation Response messages.

C

The connection record for the underlying transport-layer session/flow.

Security_protocol

The security protocol selected by the server.

Flags

The flags set by the server.

rdp_negotiation_failure
Type

event (c: connection, failure_code: count, flags: count)

Type

event (c: connection, failure_code: count)

Generated for RDP Negotiation Failure messages.

C

The connection record for the underlying transport-layer session/flow.

Failure_code

The failure code sent by the server.

Flags

The flags set by the server.

rdp_client_core_data
Type

event (c: connection, data: RDP::ClientCoreData)

Generated for MCS client requests.

C

The connection record for the underlying transport-layer session/flow.

Data

The data contained in the client core data structure.

rdp_client_security_data
Type

event (c: connection, data: RDP::ClientSecurityData)

Generated for client security data packets.

C

The connection record for the underlying transport-layer session/flow.

Data

The data contained in the client security data structure.

rdp_client_network_data
Type

event (c: connection, channels: RDP::ClientChannelList)

Generated for Client Network Data (TS_UD_CS_NET) packets.

C

The connection record for the underlying transport-layer session/flow.

Channels

The channels that were requested.

rdp_client_cluster_data
Type

event (c: connection, data: RDP::ClientClusterData)

Generated for client cluster data packets.

C

The connection record for the underlying transport-layer session/flow.

Data

The data contained in the client cluster data structure.

rdp_gcc_server_create_response
Type

event (c: connection, result: count)

Generated for MCS server responses.

C

The connection record for the underlying transport-layer session/flow.

Result

The 8-bit integer representing the GCC Conference Create Response result.

rdp_server_security
Type

event (c: connection, encryption_method: count, encryption_level: count)

Generated for MCS server responses.

C

The connection record for the underlying transport-layer session/flow.

Encryption_method

The 32-bit integer representing the encryption method used in the connection.

Encryption_level

The 32-bit integer representing the encryption level used in the connection.

rdp_server_certificate
Type

event (c: connection, cert_type: count, permanently_issued: bool)

Generated for a server certificate section. If multiple X.509 certificates are included in the chain, this event is still generated only a single time.

C

The connection record for the underlying transport-layer session/flow.

Cert_type

Indicates the type of certificate.

Permanently_issued

Value will be true if the certificate(s) is permanent on the server.

rdp_begin_encryption
Type

event (c: connection, security_protocol: count)

Generated when an RDP session becomes encrypted.

C

The connection record for the underlying transport-layer session/flow.

Security_protocol

The security protocol being used for the session.

Zeek::RFB

Parser for rfb (VNC) analyzer

Components

Analyzer::ANALYZER_RFB

Events
rfb_authentication_type
Type

event (c: connection, authtype: count)

Generated for the RFB authentication mechanism selection.

C

The connection record for the underlying transport-layer session/flow.

Authtype

The value of the chosen authentication mechanism.

rfb_auth_result
Type

event (c: connection, result: bool)

Generated for the RFB authentication result message.

C

The connection record for the underlying transport-layer session/flow.

Result

Whether or not authentication was successful.

rfb_share_flag
Type

event (c: connection, flag: bool)

Generated for RFB share flag messages.

C

The connection record for the underlying transport-layer session/flow.

Flag

Whether or not the share flag was set.

rfb_client_version
Type

event (c: connection, major_version: string, minor_version: string)

Generated for the RFB client banner message.

C

The connection record for the underlying transport-layer session/flow.

Version

The version of the client’s RFB library (major_version and minor_version).

rfb_server_version
Type

event (c: connection, major_version: string, minor_version: string)

Generated for the RFB server banner message.

C

The connection record for the underlying transport-layer session/flow.

Version

The major and minor version numbers of the server’s RFB library.

rfb_server_parameters
Type

event (c: connection, name: string, width: count, height: count)

Generated for the RFB server parameter message.

C

The connection record for the underlying transport-layer session/flow.

Name

Name of the shared screen.

Width

Width of the shared screen in pixels.

Height

Height of the shared screen in pixels.

Zeek::RPC

Analyzers for RPC-based protocols

Components

Analyzer::ANALYZER_CONTENTS_NFS

Analyzer::ANALYZER_CONTENTS_RPC

Analyzer::ANALYZER_MOUNT

Analyzer::ANALYZER_NFS

Analyzer::ANALYZER_PORTMAPPER

Events
nfs_proc_null
Type

event (c: connection, info: NFS3::info_t)

Generated for NFSv3 request/reply dialogues of type null. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C

The RPC connection.

Info

Reports the status of the dialogue, along with some meta information.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_getattr
Type

event (c: connection, info: NFS3::info_t, fh: string, attrs: NFS3::fattr_t)

Generated for NFSv3 request/reply dialogues of type getattr. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C

The RPC connection.

Info

Reports the status of the dialogue, along with some meta information.

Fh

The file handle passed in the request.

Attrs

The attributes returned in the reply. The values may not be valid if the request was unsuccessful.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_sattr
Type

event (c: connection, info: NFS3::info_t, req: NFS3::sattrargs_t, rep: NFS3::sattr_reply_t)

Generated for NFSv3 request/reply dialogues of type sattr. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C

The RPC connection.

Info

Reports the status of the dialogue, along with some meta information.

Req

The arguments passed in the request.

Rep

The attributes returned in the reply. The values may not be valid if the request was unsuccessful.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_lookup
Type

event (c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::lookup_reply_t)

Generated for NFSv3 request/reply dialogues of type lookup. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C

The RPC connection.

Info

Reports the status of the dialogue, along with some meta information.

Req

The arguments passed in the request.

Rep

The response returned in the reply. The values may not be valid if the request was unsuccessful.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_read
Type

event (c: connection, info: NFS3::info_t, req: NFS3::readargs_t, rep: NFS3::read_reply_t)

Generated for NFSv3 request/reply dialogues of type read. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C

The RPC connection.

Info

Reports the status of the dialogue, along with some meta information.

Req

The arguments passed in the request.

Rep

The response returned in the reply. The values may not be valid if the request was unsuccessful.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_readlink
Type

event (c: connection, info: NFS3::info_t, fh: string, rep: NFS3::readlink_reply_t)

Generated for NFSv3 request/reply dialogues of type readlink. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C

The RPC connection.

Info

Reports the status of the dialogue, along with some meta information.

Fh

The file handle passed in the request.

Rep

The response returned in the reply. The values may not be valid if the request was unsuccessful.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_symlink
Type

event (c: connection, info: NFS3::info_t, req: NFS3::symlinkargs_t, rep: NFS3::newobj_reply_t)

Generated for NFSv3 request/reply dialogues of type symlink. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C

The RPC connection.

Info

Reports the status of the dialogue, along with some meta information.

Req

The arguments passed in the request.

Rep

The attributes returned in the reply. The values may not be valid if the request was unsuccessful.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_link
Type

event (c: connection, info: NFS3::info_t, req: NFS3::linkargs_t, rep: NFS3::link_reply_t)

Generated for NFSv3 request/reply dialogues of type link. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C

The RPC connection.

Info

Reports the status of the dialogue, along with some meta information.

Req

The arguments passed in the request.

Rep

The response returned in the reply. The values may not be valid if the request was unsuccessful.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_write
Type

event (c: connection, info: NFS3::info_t, req: NFS3::writeargs_t, rep: NFS3::write_reply_t)

Generated for NFSv3 request/reply dialogues of type write. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C

The RPC connection.

Info

Reports the status of the dialogue, along with some meta information.

Req

The arguments passed in the request.

Rep

The response returned in the reply. The values may not be valid if the request was unsuccessful.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_create
Type

event (c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t)

Generated for NFSv3 request/reply dialogues of type create. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C

The RPC connection.

Info

Reports the status of the dialogue, along with some meta information.

Req

The arguments passed in the request.

Rep

The response returned in the reply. The values may not be valid if the request was unsuccessful.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_mkdir
Type

event (c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t)

Generated for NFSv3 request/reply dialogues of type mkdir. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C

The RPC connection.

Info

Reports the status of the dialogue, along with some meta information.

Req

The arguments passed in the request.

Rep

The response returned in the reply. The values may not be valid if the request was unsuccessful.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_remove
Type

event (c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t)

Generated for NFSv3 request/reply dialogues of type remove. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C

The RPC connection.

Info

Reports the status of the dialogue, along with some meta information.

Req

The arguments passed in the request.

Rep

The response returned in the reply. The values may not be valid if the request was unsuccessful.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_rmdir
Type

event (c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t)

Generated for NFSv3 request/reply dialogues of type rmdir. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C

The RPC connection.

Info

Reports the status of the dialogue, along with some meta information.

Req

The arguments passed in the request.

Rep

The response returned in the reply. The values may not be valid if the request was unsuccessful.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_rename
Type

event (c: connection, info: NFS3::info_t, req: NFS3::renameopargs_t, rep: NFS3::renameobj_reply_t)

Generated for NFSv3 request/reply dialogues of type rename. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C

The RPC connection.

Info

Reports the status of the dialogue, along with some meta information.

Req

The arguments passed in the request.

Rep

The response returned in the reply. The values may not be valid if the request was unsuccessful.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_readdir
Type

event (c: connection, info: NFS3::info_t, req: NFS3::readdirargs_t, rep: NFS3::readdir_reply_t)

Generated for NFSv3 request/reply dialogues of type readdir. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C

The RPC connection.

Info

Reports the status of the dialogue, along with some meta information.

Req

The arguments passed in the request.

Rep

The response returned in the reply. The values may not be valid if the request was unsuccessful.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_not_implemented
Type

event (c: connection, info: NFS3::info_t, proc: NFS3::proc_t)

Generated for NFSv3 request/reply dialogues of a type that Zeek’s NFSv3 analyzer does not implement.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C

The RPC connection.

Info

Reports the status of the dialogue, along with some meta information.

Proc

The procedure called that Zeek does not implement.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_reply_status
Type

event (n: connection, info: NFS3::info_t)

Generated for each NFSv3 reply message received, reporting just the status included.

N

The connection.

Info

Reports the status included in the reply.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_request_null
Type

event (r: connection)

Generated for Portmapper requests of type null.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R

The RPC connection.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_request_set
Type

event (r: connection, m: pm_mapping, success: bool)

Generated for Portmapper request/reply dialogues of type set.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R

The RPC connection.

M

The argument to the request.

Success

True if the request was successful, according to the corresponding reply. If no reply was seen, this will be false once the request times out.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_request_unset
Type

event (r: connection, m: pm_mapping, success: bool)

Generated for Portmapper request/reply dialogues of type unset.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R

The RPC connection.

M

The argument to the request.

Success

True if the request was successful, according to the corresponding reply. If no reply was seen, this will be false once the request times out.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_request_getport
Type

event (r: connection, pr: pm_port_request, p: port)

Generated for Portmapper request/reply dialogues of type getport.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R

The RPC connection.

Pr

The argument to the request.

P

The port returned by the server.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_request_dump
Type

event (r: connection, m: pm_mappings)

Generated for Portmapper request/reply dialogues of type dump.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R

The RPC connection.

M

The mappings returned by the server.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_request_callit
Type

event (r: connection, call: pm_callit_request, p: port)

Generated for Portmapper request/reply dialogues of type callit.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R

The RPC connection.

Call

The argument to the request.

P

The port value returned by the call.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_attempt_null
Type

event (r: connection, status: rpc_status)

Generated for failed Portmapper requests of type null.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R

The RPC connection.

Status

The status of the reply, which should be one of the index values of RPC_status.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_attempt_set
Type

event (r: connection, status: rpc_status, m: pm_mapping)

Generated for failed Portmapper requests of type set.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R

The RPC connection.

Status

The status of the reply, which should be one of the index values of RPC_status.

M

The argument to the original request.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_attempt_unset
Type

event (r: connection, status: rpc_status, m: pm_mapping)

Generated for failed Portmapper requests of type unset.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R

The RPC connection.

Status

The status of the reply, which should be one of the index values of RPC_status.

M

The argument to the original request.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_attempt_getport
Type

event (r: connection, status: rpc_status, pr: pm_port_request)

Generated for failed Portmapper requests of type getport.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R

The RPC connection.

Status

The status of the reply, which should be one of the index values of RPC_status.

Pr

The argument to the original request.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_attempt_dump
Type

event (r: connection, status: rpc_status)

Generated for failed Portmapper requests of type dump.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R

The RPC connection.

Status

The status of the reply, which should be one of the index values of RPC_status.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_attempt_callit
Type

event (r: connection, status: rpc_status, call: pm_callit_request)

Generated for failed Portmapper requests of type callit.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R

The RPC connection.

Status

The status of the reply, which should be one of the index values of RPC_status.

Call

The argument to the original request.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_bad_port
Type

event (r: connection, bad_p: count)

Generated for Portmapper requests or replies that include an invalid port number. Since ports are represented by unsigned 4-byte integers, they can stray outside the allowed range of 0–65535 by being >= 65536. If so, this event is generated.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R

The RPC connection.

Bad_p

The invalid port value.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

rpc_dialogue
Type

event (c: connection, prog: count, ver: count, proc: count, status: rpc_status, start_time: time, call_len: count, reply_len: count)

Generated for RPC request/reply pairs. The RPC analyzer associates request and reply by their transaction identifiers and raises this event once both have been seen. If there is no reply, this event will still be generated eventually on timeout. In that case, status will be set to RPC_TIMEOUT.

See Wikipedia for more information about the ONC RPC protocol.

C

The connection.

Prog

The remote program to call.

Ver

The version of the remote program to call.

Proc

The procedure of the remote program to call.

Status

The status of the reply, which should be one of the index values of RPC_status.

Start_time

The time when the call was seen.

Call_len

The size of the call_body PDU.

Reply_len

The size of the reply_body PDU.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

rpc_call
Type

event (c: connection, xid: count, prog: count, ver: count, proc: count, call_len: count)

Generated for RPC call messages.

See Wikipedia for more information about the ONC RPC protocol.

C

The connection.

Xid

The transaction identifier used to match requests with replies.

Prog

The remote program to call.

Ver

The version of the remote program to call.

Proc

The procedure of the remote program to call.

Call_len

The size of the call_body PDU.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

rpc_reply
Type

event (c: connection, xid: count, status: rpc_status, reply_len: count)

Generated for RPC reply messages.

See Wikipedia for more information about the ONC RPC protocol.

C

The connection.

Xid

The transaction identifier used to match requests with replies.

Status

The status of the reply, which should be one of the index values of RPC_status.

Reply_len

The size of the reply_body PDU.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
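The Todo notes above say the Portmapper, NFS and RPC events only fire once the analyzer has been registered for a port or a DPD signature added. The following Zeek script is an added example, not part of the Zeek documentation: it performs that registration with Analyzer::register_for_ports and turns rpc_dialogue, pm_request_getport and pm_bad_port into notices. The port sets and the Notice::Type names are assumptions for illustration.

```zeek
## Added example (not from the Zeek documentation): register the Portmapper
## and NFSv3 analyzers, which Zeek's default configuration leaves inactive,
## and turn a few of the RPC events documented above into notices.
## The port sets and the Notice::Type names are assumptions for illustration.

@load base/frameworks/notice

module RPCWatch;

export {
    redef enum Notice::Type += {
        ## An RPC call was never answered (rpc_dialogue fired with RPC_TIMEOUT).
        Unanswered_Call,
        ## A Portmapper getport reply returned port 0, i.e. the requested
        ## program is not registered on that host.
        Unregistered_Program_Lookup,
        ## Portmapper carried a port value outside 0-65535 (pm_bad_port).
        Bad_Port_Value,
    };

    ## Ports on which Portmapper and NFSv3 are expected (assumed values).
    const portmapper_ports: set[port] = { 111/tcp, 111/udp } &redef;
    const nfs_ports: set[port] = { 2049/tcp, 2049/udp } &redef;
}

event zeek_init()
    {
    # Without this registration the pm_* and nfs_proc_* events never fire.
    Analyzer::register_for_ports(Analyzer::ANALYZER_PORTMAPPER, portmapper_ports);
    Analyzer::register_for_ports(Analyzer::ANALYZER_NFS, nfs_ports);
    }

# rpc_dialogue is raised once a call and reply have been matched by xid, or
# after a timeout with status RPC_TIMEOUT. Unanswered calls against a given
# program number are a useful signal when reviewing probing of RPC services.
event rpc_dialogue(c: connection, prog: count, ver: count, proc: count,
                   status: rpc_status, start_time: time,
                   call_len: count, reply_len: count)
    {
    if ( status != RPC_TIMEOUT )
        return;

    NOTICE([$note=Unanswered_Call,
            $conn=c,
            $msg=fmt("RPC call to program %d version %d procedure %d was not answered",
                     prog, ver, proc),
            # Suppress repeats from the same source for the same program.
            $identifier=cat(c$id$orig_h, prog)]);
    }

# Portmapper answers a getport request for an unregistered program with port 0.
event pm_request_getport(r: connection, pr: pm_port_request, p: port)
    {
    if ( port_to_count(p) != 0 )
        return;

    NOTICE([$note=Unregistered_Program_Lookup,
            $conn=r,
            $msg=fmt("getport for unregistered program %d version %d (%s)",
                     pr$program, pr$version, pr$is_tcp ? "tcp" : "udp"),
            $identifier=cat(r$id$orig_h, pr$program)]);
    }

# Ports travel as 4-byte unsigned integers in Portmapper, so a value of
# 65536 or more is malformed; Zeek reports it through pm_bad_port.
event pm_bad_port(r: connection, bad_p: count)
    {
    NOTICE([$note=Bad_Port_Value,
            $conn=r,
            $msg=fmt("Portmapper message carried invalid port value %d", bad_p),
            $identifier=cat(r$id$orig_h, bad_p)]);
    }
```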

mount_proc_null
Type

event (c: connection, info: MOUNT3::info_t)

Generated for MOUNT3 request/reply dialogues of type null. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out. MOUNT is a service running on top of RPC.

C

The RPC connection.

Info

Reports the status of the dialogue, along with some meta information.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

mount_proc_mnt
Type

event (c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntargs_t, rep: MOUNT3::mnt_reply_t)

Generated for MOUNT3 request/reply dialogues of type mnt. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out. MOUNT is a service running on top of RPC.

C

The RPC connection.

Info

Reports the status of the dialogue, along with some meta information.

Req

The arguments passed in the request.

Rep

The response returned in the reply. The values may not be valid if the request was unsuccessful.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

mount_proc_umnt
Type

event (c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntargs_t)

Generated for MOUNT3 request/reply dialogues of type umnt. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out. MOUNT is a service running on top of RPC.

C

The RPC connection.

Info

Reports the status of the dialogue, along with some meta information.

Req

The arguments passed in the request.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

mount_proc_umnt_all
Type

event (c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntargs_t)

Generated for MOUNT3 request/reply dialogues of type umnt_all. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out. MOUNT is a service running on top of RPC.

C

The RPC connection.

Info

Reports the status of the dialogue, along with some meta information.

Req

The arguments passed in the request.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

mount_proc_not_implemented
Type

event (c: connection, info: MOUNT3::info_t, proc: MOUNT3::proc_t)

Generated for MOUNT3 request/reply dialogues of a type that Zeek’s MOUNTv3 analyzer does not implement.

C

The RPC connection.

Info

Reports the status of the dialogue, along with some meta information.

Proc

The procedure called that Zeek does not implement.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

mount_reply_status
Type

event (n: connection, info: MOUNT3::info_t)

Generated for each MOUNT3 reply message received, reporting just the status included.

N

The connection.

Info

Reports the status included in the reply.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

Zeek::SIP

SIP analyzer (UDP-only)

Components

Analyzer::ANALYZER_SIP

Events
sip_request
Type

event (c: connection, method: string, original_URI: string, version: string)

Generated for SIP requests, used in Voice over IP (VoIP).

This event is generated as soon as a request’s initial line has been parsed.

See Wikipedia for more information about the SIP protocol.

C

The connection.

Method

The SIP method extracted from the request (e.g., REGISTER, NOTIFY).

Original_URI

The unprocessed URI as specified in the request.

Version

The version number specified in the request (e.g., 2.0).

sip_reply
Type

event (c: connection, version: string, code: count, reason: string)

Generated for SIP replies, used in Voice over IP (VoIP).

This event is generated as soon as a reply’s initial line has been parsed.

See Wikipedia for more information about the SIP protocol.

C

The connection.

Version

The SIP version in use.

Code

The response code.

Reason

Textual details for the response code.

sip_header
Type

event (c: connection, is_orig: bool, name: string, value: string)

Generated for each SIP header.

See Wikipedia for more information about the SIP protocol.

C

The connection.

Is_orig

Whether the header came from the originator.

Name

Header name.

Value

Header value.

sip_all_headers
Type

event (c: connection, is_orig: bool, hlist: mime_header_list)

Generated once for all SIP headers from the originator or responder.

See Wikipedia for more information about the SIP protocol.

C

The connection.

Is_orig

Whether the headers came from the originator.

Hlist

All the headers and their values.


sip_begin_entity
Type

event (c: connection, is_orig: bool)

Generated at the beginning of a SIP message.

This event is generated as soon as a message’s initial line has been parsed.

See Wikipedia for more information about the SIP protocol.

C

The connection.

Is_orig

Whether the message came from the originator.


sip_end_entity
Type

event (c: connection, is_orig: bool)

Generated at the end of a SIP message.

See Wikipedia for more information about the SIP protocol.

C

The connection.

Is_orig

Whether the message came from the originator.

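
The SIP events above are enough for a registration-failure watch. The following Zeek script is an added example, not part of the Zeek documentation or distribution: it pairs each sip_request with the sip_reply seen on the same connection and raises a notice when one originator accumulates many rejected REGISTER attempts. The module name, notice type, threshold and expiry intervals are this example's own choices.

```zeek
# Added example (not Zeek project code): correlate SIP REGISTER requests with
# their replies and flag originators with many rejections.
@load base/frameworks/notice

module SIPAuthWatch;

export {
    redef enum Notice::Type += {
        ## Many SIP REGISTER attempts from one client were rejected.
        Register_Failures
    };

    ## Rejections from one originator within the window before a notice fires.
    ## Assumed value; the first 401 after a REGISTER is the normal digest
    ## challenge, so this must sit well above one.
    const fail_threshold = 20 &redef;

    ## Counting window for rejections (assumed value).
    const fail_window = 5min &redef;
}

# Whether the most recent request on a connection was a REGISTER, so the
# following reply can be attributed to it. SIP over UDP may carry several
# transactions per Zeek connection, so this is a per-connection heuristic.
global pending_register: table[conn_id] of bool &create_expire=30sec;

# Rejected REGISTER replies seen per originator address.
global register_failures: table[addr] of count &default=0 &create_expire=fail_window;

# Originators already reported, to avoid repeating the notice in the window.
global alerted: set[addr] &create_expire=fail_window;

event sip_request(c: connection, method: string, original_URI: string, version: string)
    {
    # sip_request fires as soon as the request line is parsed; remember
    # whether this transaction is a REGISTER.
    pending_register[c$id] = (method == "REGISTER");
    }

event sip_reply(c: connection, version: string, code: count, reason: string)
    {
    if ( c$id !in pending_register || ! pending_register[c$id] )
        return;

    # 401 and 407 demand credentials, 403 refuses them. Each one counts as a
    # REGISTER attempt that did not succeed for the originator.
    if ( code != 401 && code != 403 && code != 407 )
        return;

    local orig = c$id$orig_h;
    ++register_failures[orig];

    if ( register_failures[orig] >= fail_threshold && orig !in alerted )
        {
        add alerted[orig];
        NOTICE([$note=Register_Failures,
                $conn=c,
                $msg=fmt("%s had %d rejected SIP REGISTER attempts in %s (last: %d %s)",
                         orig, register_failures[orig], fail_window, code, reason),
                $identifier=cat(orig)]);
        }
    }
```

Tune fail_threshold to the registrar's normal retry behaviour; a phone that re-registers every few seconds against a misconfigured account will otherwise trip the notice by itself.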

Zeek::SMB

SMB analyzer

Components

Analyzer::ANALYZER_CONTENTS_SMB

Analyzer::ANALYZER_SMB

Options/Constants
SMB::pipe_filenames
Type

set [string]

Attributes

&redef

Default

{}

Redefinition

from base/protocols/smb/consts.zeek

=:

spoolss, winreg, samr, srvsvc, netdfs, lsarpc, wkssvc, MsFteWds

A set of file names used as named pipes over SMB. This only comes into play as a heuristic to identify named pipes when the drive mapping wasn’t seen by Zeek.


Types
SMB1::NegotiateResponse
Type

record

core: SMB1::NegotiateResponseCore &optional

If the server does not understand any of the dialect strings, or if PC NETWORK PROGRAM 1.0 is the chosen dialect.

lanman: SMB1::NegotiateResponseLANMAN &optional

If the chosen dialect is greater than core up to and including LANMAN 2.1.

ntlm: SMB1::NegotiateResponseNTLM &optional

If the chosen dialect is NT LM 0.12.

SMB1::NegotiateResponseCore
Type

record

dialect_index: count

Index of selected dialect

SMB1::NegotiateResponseLANMAN
Type

record

word_count: count

Count of parameter words (should be 13)

dialect_index: count

Index of selected dialect

security_mode: SMB1::NegotiateResponseSecurity

Security mode

max_buffer_size: count

Max transmit buffer size (>= 1024)

max_mpx_count: count

Max pending multiplexed requests

max_number_vcs: count

Max number of virtual circuits (VCs - transport-layer connections) between client and server

raw_mode: SMB1::NegotiateRawMode

Raw mode

session_key: count

Unique token identifying this session

server_time: time

Current date and time at server

encryption_key: string

The challenge encryption key

primary_domain: string

The server’s primary domain

SMB1::NegotiateResponseNTLM
Type

record

word_count: count

Count of parameter words (should be 17)

dialect_index: count

Index of selected dialect

security_mode: SMB1::NegotiateResponseSecurity

Security mode

max_buffer_size: count

Max transmit buffer size

max_mpx_count: count

Max pending multiplexed requests

max_number_vcs: count

Max number of virtual circuits (VCs - transport-layer connections) between client and server

max_raw_size: count

Max raw buffer size

session_key: count

Unique token identifying this session

capabilities: SMB1::NegotiateCapabilities

Server capabilities

server_time: time

Current date and time at server

encryption_key: string &optional

The challenge encryption key. Present only for non-extended security (i.e. capabilities$extended_security = F)

domain_name: string &optional

The name of the domain. Present only for non-extended security (i.e. capabilities$extended_security = F)

guid: string &optional

A globally unique identifier assigned to the server. Present only for extended security (i.e. capabilities$extended_security = T)

security_blob: string

Opaque security blob associated with the security package if capabilities$extended_security = T. Otherwise, the challenge for challenge/response authentication.

SMB1::NegotiateResponseSecurity
Type

record

user_level: bool

This indicates whether the server, as a whole, is operating under Share Level or User Level security.

challenge_response: bool

This indicates whether or not the server supports Challenge/Response authentication. If the bit is false, then plaintext passwords must be used.

signatures_enabled: bool &optional

This indicates if the server is capable of performing MAC message signing. Note: Requires NT LM 0.12 or later.

signatures_required: bool &optional

This indicates if the server is requiring the use of a MAC in each packet. If false, message signing is optional. Note: Requires NT LM 0.12 or later.

SMB1::NegotiateRawMode
Type

record

read_raw: bool

Read raw supported

write_raw: bool

Write raw supported

SMB1::NegotiateCapabilities
Type

record

raw_mode: bool

The server supports SMB_COM_READ_RAW and SMB_COM_WRITE_RAW

mpx_mode: bool

The server supports SMB_COM_READ_MPX and SMB_COM_WRITE_MPX

unicode: bool

The server supports unicode strings

large_files: bool

The server supports large files with 64 bit offsets

nt_smbs: bool

The server supports the SMBs particular to the NT LM 0.12 dialect. Implies nt_find.

rpc_remote_apis: bool

The server supports remote admin API requests via DCE-RPC

status32: bool

The server can respond with 32 bit status codes in Status.Status

level_2_oplocks: bool

The server supports level 2 oplocks

lock_and_read: bool

The server supports SMB_COM_LOCK_AND_READ

nt_find: bool

Reserved

dfs: bool

The server is DFS aware

infolevel_passthru: bool

The server supports NT information level requests passing through

large_readx: bool

The server supports large SMB_COM_READ_ANDX (up to 64k)

large_writex: bool

The server supports large SMB_COM_WRITE_ANDX (up to 64k)

unix: bool

The server supports CIFS Extensions for UNIX

bulk_transfer: bool

The server supports SMB_BULK_READ and SMB_BULK_WRITE. Note: no known implementations support this.

compressed_data: bool

The server supports compressed data transfer. Requires bulk_transfer. Note: no known implementations support this.

extended_security: bool

The server supports extended security exchanges

SMB1::SessionSetupAndXRequest
Type

record

word_count: count

Count of parameter words:

  • 10 for pre NT LM 0.12

  • 12 for NT LM 0.12 with extended security

  • 13 for NT LM 0.12 without extended security

max_buffer_size: count

Client maximum buffer size

max_mpx_count: count

Actual maximum multiplexed pending request

vc_number: count

Virtual circuit number. First VC == 0

session_key: count

Session key (valid iff vc_number > 0)

native_os: string

Client’s native operating system

native_lanman: string

Client’s native LAN Manager type

account_name: string &optional

Account name. Note: not set for NT LM 0.12 with extended security.

account_password: string &optional

If challenge/response auth is not being used, this is the password. Otherwise, it’s the response to the server’s challenge. Note: only set for pre NT LM 0.12.

primary_domain: string &optional

Client’s primary domain, if known. Note: not set for NT LM 0.12 with extended security.

case_insensitive_password: string &optional

Case insensitive password. Note: only set for NT LM 0.12 without extended security.

case_sensitive_password: string &optional

Case sensitive password. Note: only set for NT LM 0.12 without extended security.

security_blob: string &optional

Security blob. Note: only set for NT LM 0.12 with extended security.

capabilities: SMB1::SessionSetupAndXCapabilities &optional

Client capabilities. Note: only set for NT LM 0.12.

SMB1::SessionSetupAndXResponse
Type

record

word_count: count

Count of parameter words (should be 3 for pre NT LM 0.12 and 4 for NT LM 0.12)

is_guest: bool &optional

Were we logged in as a guest user?

native_os: string &optional

Server’s native operating system

native_lanman: string &optional

Server’s native LAN Manager type

primary_domain: string &optional

Server’s primary domain

security_blob: string &optional

Security blob if NTLM

SMB1::SessionSetupAndXCapabilities
Type

record

unicode: bool

The client can use unicode strings

large_files: bool

The client can deal with files having 64 bit offsets

nt_smbs: bool

The client understands the SMBs introduced with NT LM 0.12. Implies nt_find.

status32: bool

The client can receive 32 bit errors encoded in Status.Status

level_2_oplocks: bool

The client understands Level II oplocks

nt_find: bool

Reserved. Implied by nt_smbs.

SMB1::Trans_Sec_Args
Type

record

total_param_count: count

Total parameter count

total_data_count: count

Total data count

param_count: count

Parameter count

param_offset: count

Parameter offset

param_displacement: count

Parameter displacement

data_count: count

Data count

data_offset: count

Data offset

data_displacement: count

Data displacement

SMB1::Find_First2_Request_Args
Type

record

search_attrs: count

File attributes to apply as a constraint to the search

search_count: count

Max search results

flags: count

Misc. flags for how the server should manage the transaction once results are returned

info_level: count

How detailed the information returned in the results should be

search_storage_type: count

Specify whether to search for directories or files

file_name: string

The string to search for (note: may contain wildcards)

SMB1::Find_First2_Response_Args
Type

record

sid: count

The server generated search identifier

search_count: count

Number of results returned by the search

end_of_search: bool

Whether or not the search can be continued using the TRANS2_FIND_NEXT2 transaction

ext_attr_error: string &optional

An extended attribute name that couldn’t be retrieved

SMB1::Trans2_Args
Type

record

total_param_count: count

Total parameter count

total_data_count: count

Total data count

max_param_count: count

Max parameter count

max_data_count: count

Max data count

max_setup_count: count

Max setup count

flags: count

Flags

trans_timeout: count

Timeout

param_count: count

Parameter count

param_offset: count

Parameter offset

data_count: count

Data count

data_offset: count

Data offset

setup_count: count

Setup count

SMB1::Trans2_Sec_Args
Type

record

total_param_count: count

Total parameter count

total_data_count: count

Total data count

param_count: count

Parameter count

param_offset: count

Parameter offset

param_displacement: count

Parameter displacement

data_count: count

Data count

data_offset: count

Data offset

data_displacement: count

Data displacement

FID: count

File ID

SMB2::CloseResponse
Type

record

alloc_size: count

The size, in bytes of the data that is allocated to the file.

eof: count

The size, in bytes, of the file.

times: SMB::MACTimes

The creation, last access, last write, and change times.

attrs: SMB2::FileAttrs

The attributes of the file.

The response to an SMB2 close request, which is used by the client to close an instance of a file that was opened previously.

For more information, see MS-SMB2:2.2.16


SMB2::CreateRequest
Type

record

filename: string

Name of the file

disposition: count

Defines the action the server MUST take if the file that is specified already exists.

create_options: count

Specifies the options to be applied when creating or opening the file.

The request sent by the client to request either creation of or access to a file.

For more information, see MS-SMB2:2.2.13


SMB2::CreateResponse
Type

record

file_id: SMB2::GUID

The SMB2 GUID for the file.

size: count

Size of the file.

times: SMB::MACTimes

Timestamps associated with the file in question.

attrs: SMB2::FileAttrs

File attributes.

create_action: count

The action taken in establishing the open.

The response to an SMB2 create_request request, which is sent by the client to request either creation of or access to a file.

For more information, see MS-SMB2:2.2.14


SMB2::NegotiateResponse
Type

record

dialect_revision: count

The preferred common SMB2 Protocol dialect number from the array that was sent in the SMB2 NEGOTIATE Request.

security_mode: count

The security mode field specifies whether SMB signing is enabled, required at the server, or both.

server_guid: SMB2::GUID

A globally unique identifier that is generated by the server to uniquely identify the server.

system_time: time

The system time of the SMB2 server when the SMB2 NEGOTIATE Request was processed.

server_start_time: time

The SMB2 server start time.

negotiate_context_count: count

The number of negotiate context values in SMB v. 3.1.1, otherwise reserved to 0.

negotiate_context_values: SMB2::NegotiateContextValues

An array of context values in SMB v. 3.1.1.

The response to an SMB2 negotiate request, which is used by the client to notify the server what dialects of the SMB2 protocol the client understands.

For more information, see MS-SMB2:2.2.4


SMB2::SessionSetupRequest
Type

record

security_mode: count

The security mode field specifies whether SMB signing is enabled or required at the client.

The request sent by the client to request a new authenticated session within a new or existing SMB 2 Protocol transport connection to the server.

For more information, see MS-SMB2:2.2.5


SMB2::SessionSetupResponse
Type

record

flags: SMB2::SessionSetupFlags

Additional information about the session

The response to an SMB2 session_setup request, which is sent by the client to request a new authenticated session within a new or existing SMB 2 Protocol transport connection to the server.

For more information, see MS-SMB2:2.2.6


SMB2::SessionSetupFlags
Type

record

guest: bool

If set, the client has been authenticated as a guest user.

anonymous: bool

If set, the client has been authenticated as an anonymous user.

encrypt: bool

If set, the server requires encryption of messages on this session.

A flags field that indicates additional information about the session that’s sent in the session_setup response.

For more information, see MS-SMB2:2.2.6

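
The security_mode field of SMB2::NegotiateResponse and the SMB2::SessionSetupFlags record together describe the posture of an SMB2 session as negotiated on the wire. The Zeek script below is an added example, not part of the Zeek documentation or distribution: it reports servers that do not require signing and sessions that complete as guest or anonymous. It assumes Zeek's smb2_negotiate_response and smb2_session_setup_response events (defined in the SMB2 event reference, not in this section) and takes the security_mode bit values 0x01 (signing enabled) and 0x02 (signing required) from MS-SMB2 2.2.4; module and notice names are this example's own.

```zeek
# Added example (not Zeek project code): evaluate SMB2 negotiate and session
# setup results for weak posture.
@load base/frameworks/notice

module SMB2Posture;

export {
    redef enum Notice::Type += {
        ## The server did not require SMB2 signing for this connection.
        Signing_Not_Required,
        ## An SMB2 session completed as a guest or anonymous user.
        Unauthenticated_Session
    };

    ## security_mode bits per MS-SMB2 2.2.4 (taken from the spec, not this page).
    const SIGNING_ENABLED: count = 0x01;
    const SIGNING_REQUIRED: count = 0x02;
}

# Render the negotiated security_mode as a short phrase.
function describe_security_mode(mode: count): string
    {
    if ( (mode & SIGNING_REQUIRED) != 0 )
        return "signing required";
    if ( (mode & SIGNING_ENABLED) != 0 )
        return "signing enabled but optional";
    return "signing disabled";
    }

event smb2_negotiate_response(c: connection, hdr: SMB2::Header, response: SMB2::NegotiateResponse)
    {
    # The server's answer settles the mode for the connection.
    if ( (response$security_mode & SIGNING_REQUIRED) != 0 )
        return;

    NOTICE([$note=Signing_Not_Required,
            $conn=c,
            $msg=fmt("SMB2 dialect 0x%x negotiated with %s on %s",
                     response$dialect_revision,
                     describe_security_mode(response$security_mode),
                     c$id$resp_h),
            $identifier=cat(c$id$resp_h)]);
    }

event smb2_session_setup_response(c: connection, hdr: SMB2::Header, response: SMB2::SessionSetupResponse)
    {
    # Intermediate responses (e.g. STATUS_MORE_PROCESSING_REQUIRED while an
    # NTLM or Kerberos exchange is in flight) are not a completed session;
    # only a header status of 0 (STATUS_SUCCESS) is.
    if ( hdr$status != 0 )
        return;

    local f = response$flags;
    if ( ! f$guest && ! f$anonymous )
        return;

    NOTICE([$note=Unauthenticated_Session,
            $conn=c,
            $msg=fmt("SMB2 session %d on %s completed as %s%s",
                     hdr$session_id, c$id$resp_h,
                     f$guest ? "guest" : "anonymous",
                     f$encrypt ? " (server requires encryption)" : ""),
            $identifier=cat(c$id$orig_h, c$id$resp_h)]);
    }
```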

SMB2::TreeConnectResponse
Type

record

share_type: count

The type of share being accessed. Physical disk, named pipe, or printer.

The response to an SMB2 tree_connect request, which is sent by the client to request access to a particular share on the server.

For more information, see MS-SMB2:2.2.9


SMB2::Transform_header
Type

record

signature: string

The 16-byte signature of the encrypted message, generated by using Session.EncryptionKey.

nonce: string

An implementation specific value assigned for every encrypted message.

orig_msg_size: count

The size, in bytes, of the SMB2 message.

flags: count

A flags field, interpreted in different ways depending on the SMB2 dialect.

session_id: count

A value that uniquely identifies the established session for the command.

An SMB2 transform header (for SMB 3.x dialects with encryption enabled).

For more information, see MS-SMB2:2.2.41


SMB::MACTimes
Type

record

modified: time &log

The time when data was last written to the file.

modified_raw: count

Same as modified but in SMB’s original FILETIME integer format.

accessed: time &log

The time when the file was last accessed.

accessed_raw: count

Same as accessed but in SMB’s original FILETIME integer format.

created: time &log

The time the file was created.

created_raw: count

Same as created but in SMB’s original FILETIME integer format.

changed: time &log

The time when the file was last modified.

changed_raw: count

Same as changed but in SMB’s original FILETIME integer format.

MAC times for a file.

For more information, see MS-SMB2:2.2.16


SMB1::Header
Type

record

command: count

The command number

status: count

The status code

flags: count

Flag set 1

flags2: count

Flag set 2

tid: count

Tree ID

pid: count

Process ID

uid: count

User ID

mid: count

Multiplex ID

An SMB1 header.


SMB2::Header
Type

record

credit_charge: count

The number of credits that this request consumes

status: count

In a request, this is an indication to the server about the client’s channel change. In a response, this is the status field.

command: count

The command code of the packet

credits: count

The number of credits the client is requesting, or the number of credits granted to the client in a response.

flags: count

A flags field, which indicates how to process the operation (e.g. asynchronously)

message_id: count

A value that uniquely identifies the message request/response pair across all messages that are sent on the same transport protocol connection.

process_id: count

A value that uniquely identifies the process that generated the event.

tree_id: count

A value that uniquely identifies the tree connect for the command.

session_id: count

A value that uniquely identifies the established session for the command.

signature: string

The 16-byte signature of the message, if SMB2_FLAGS_SIGNED is set in the flags field.

An SMB2 header.

For more information, see MS-SMB2:2.2.1.1 and MS-SMB2:2.2.1.2


SMB2::GUID
Type

record

persistent: count

A file handle that remains persistent when reconnected after a disconnect

volatile: count

A file handle that can be changed when reconnected after a disconnect

An SMB2 globally unique identifier which identifies a file.

For more information, see MS-SMB2:2.2.14.1


SMB2::FileAttrs
Type

record

read_only: bool

The file is read only. Applications can read the file but cannot write to it or delete it.

hidden: bool

The file is hidden. It is not to be included in an ordinary directory listing.

system: bool

The file is part of or is used exclusively by the operating system.

directory: bool

The file is a directory.

archive: bool

The file has not been archived since it was last modified. Applications use this attribute to mark files for backup or removal.

normal: bool

The file has no other attributes set. This attribute is valid only if used alone.

temporary: bool

The file is temporary. This is a hint to the cache manager that it does not need to flush the file to backing storage.

sparse_file: bool

A file that is a sparse file.

reparse_point: bool

A file or directory that has an associated reparse point.

compressed: bool

The file or directory is compressed. For a file, this means that all of the data in the file is compressed. For a directory, this means that compression is the default for newly created files and subdirectories.

offline: bool

The data in this file is not available immediately. This attribute indicates that the file data is physically moved to offline storage. This attribute is used by Remote Storage, which is hierarchical storage management software.

not_content_indexed: bool

A file or directory that is not indexed by the content indexing service.

encrypted: bool

A file or directory that is encrypted. For a file, all data streams in the file are encrypted. For a directory, encryption is the default for newly created files and subdirectories.

integrity_stream: bool

A file or directory that is configured with integrity support. For a file, all data streams in the file have integrity support. For a directory, integrity support is the default for newly created files and subdirectories, unless the caller specifies otherwise.

no_scrub_data: bool

A file or directory that is configured to be excluded from the data integrity scan.

A series of boolean flags describing basic and extended file attributes for SMB2.

For more information, see MS-CIFS:2.2.1.2.3 and MS-FSCC:2.6


SMB2::Fscontrol
Type

record

free_space_start_filtering: int

Minimum amount of free disk space required to begin document filtering

free_space_threshold: int

Minimum amount of free disk space required to continue filtering documents and merging word lists

free_space_stop_filtering: int

Minimum amount of free disk space required to continue content filtering

delete_quota_threshold: count

Default per-user disk quota

default_quota_limit: count

Default per-user disk limit

fs_control_flags: count

File system control flags passed as unsigned int

A series of integer flags used to set quota and content indexing control information for a file system volume in SMB2.

For more information, see MS-SMB2:2.2.39 and MS-FSCC:2.5.2

SMB2::FileEA
Type

record

ea_name: string

Specifies the extended attribute name

ea_value: string

Contains the extended attribute value

This information class is used to query or set extended attribute (EA) information for a file.

For more information, see MS-SMB2:2.2.39 and MS-FSCC:2.4.15

SMB2::FileEAs
Type

vector of SMB2::FileEA

A vector of extended attribute (EA) information for a file.

For more information, see MS-SMB2:2.2.39 and MS-FSCC:2.4.15

SMB2::PreAuthIntegrityCapabilities
Type

record

hash_alg_count: count

The number of hash algorithms.

salt_length: count

The salt length.

hash_alg: vector of count

An array of hash algorithms (counts).

salt: string

The salt.

Preauthentication information as defined in SMB v. 3.1.1

For more information, see MS-SMB2:2.3.1.1

SMB2::EncryptionCapabilities
Type

record

cipher_count: count

The number of ciphers.

ciphers: vector of count

An array of ciphers.

Encryption information as defined in SMB v. 3.1.1

For more information, see MS-SMB2:2.3.1.2

SMB2::CompressionCapabilities
Type

record

alg_count: count

The number of algorithms.

algs: vector of count

An array of compression algorithms.

Compression information as defined in SMB v. 3.1.1

For more information, see MS-SMB2:2.3.1.3

SMB2::NegotiateContextValue
Type

record

context_type: count

Specifies the type of context (preauth or encryption).

data_length: count

The length in bytes of the data field.

preauth_info: SMB2::PreAuthIntegrityCapabilities &optional

The preauthentication information.

encryption_info: SMB2::EncryptionCapabilities &optional

The encryption information.

compression_info: SMB2::CompressionCapabilities &optional

The compression information.

netname: string &optional

Indicates the server name the client must connect to.

The context type information as defined in SMB v. 3.1.1

For more information, see MS-SMB2:2.3.1

SMB2::NegotiateContextValues
Type

vector of SMB2::NegotiateContextValue

Events
smb1_check_directory_request
Type

event (c: connection, hdr: SMB1::Header, directory_name: string)

Generated for SMB/CIFS version 1 requests of type check directory. This is used by the client to verify that a specified path resolves to a valid directory on the server.

For more information, see MS-CIFS:2.2.4.17

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

Directory_name

The directory name to check for existence.


smb1_check_directory_response
Type

event (c: connection, hdr: SMB1::Header)

Generated for SMB/CIFS version 1 responses of type check directory. This is the server response to the check directory request.

For more information, see MS-CIFS:2.2.4.17

C

The connection.

Hdr

The parsed header of the SMB version 1 message.


smb1_close_request
Type

event (c: connection, hdr: SMB1::Header, file_id: count)

Generated for SMB/CIFS version 1 requests of type close. This is used by the client to close an instance of an object associated with a valid file ID.

For more information, see MS-CIFS:2.2.4.5

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

File_id

The file identifier being closed.


smb1_create_directory_request
Type

event (c: connection, hdr: SMB1::Header, directory_name: string)

Generated for SMB/CIFS version 1 requests of type create directory. This is a deprecated command which has been replaced by the trans2_create_directory subcommand. This is used by the client to create a new directory on the server, relative to a connected share.

For more information, see MS-CIFS:2.2.4.1

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

Directory_name

The name of the directory to create.


smb1_create_directory_response
Type

event (c: connection, hdr: SMB1::Header)

Generated for SMB/CIFS version 1 responses of type create directory. This is a deprecated command which has been replaced by the trans2_create_directory subcommand. This is the server response to the create directory request.

For more information, see MS-CIFS:2.2.4.1

C

The connection.

Hdr

The parsed header of the SMB version 1 message.


smb1_echo_request
Type

event (c: connection, echo_count: count, data: string)

Generated for SMB/CIFS version 1 requests of type echo. This is sent by the client to test the transport layer connection with the server.

For more information, see MS-CIFS:2.2.4.39

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

Echo_count

The number of times the server should echo the data back.

Data

The data for the server to echo.


smb1_echo_response
Type

event (c: connection, seq_num: count, data: string)

Generated for SMB/CIFS version 1 responses of type echo. This is the server response to the echo request.

For more information, see MS-CIFS:2.2.4.39

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

Seq_num

The sequence number of this echo reply.

Data

The data echoed back from the client.


smb1_logoff_andx
Type

event (c: connection, is_orig: bool)

Generated for SMB/CIFS version 1 requests of type logoff andx. This is used by the client to log off the user connection represented by the UID in the SMB header. The server releases all locks and closes all files currently open by this user, disconnects all tree connects, cancels any outstanding requests for this UID, and invalidates the UID.

For more information, see MS-CIFS:2.2.4.54

C

The connection.

Is_orig

Indicates which host sent the logoff message.


smb1_negotiate_request
Type

event (c: connection, hdr: SMB1::Header, dialects: string_vec)

Generated for SMB/CIFS version 1 requests of type negotiate. This is sent by the client to initiate an SMB connection between the client and the server. A negotiate exchange MUST be completed before any other SMB messages are sent to the server.

For more information, see MS-CIFS:2.2.4.52

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

Dialects

The SMB dialects supported by the client.


smb1_negotiate_response
Type

event (c: connection, hdr: SMB1::Header, response: SMB1::NegotiateResponse)

Generated for SMB/CIFS version 1 responses of type negotiate. This is the server response to the negotiate request.

For more information, see MS-CIFS:2.2.4.52

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

Response

A record structure containing more information from the response.


smb1_nt_create_andx_request
Type

event (c: connection, hdr: SMB1::Header, file_name: string)

Generated for SMB/CIFS version 1 requests of type nt create andx. This is sent by the client to create and open a new file, or to open an existing file, or to open and truncate an existing file to zero length, or to create a directory, or to create a connection to a named pipe.

For more information, see MS-CIFS:2.2.4.64

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

Name

The name attribute specified in the message.


smb1_nt_create_andx_response
Type

event (c: connection, hdr: SMB1::Header, file_id: count, file_size: count, times: SMB::MACTimes)

Generated for SMB/CIFS version 1 responses of type nt create andx. This is the server response to the nt create andx request.

For more information, see MS-CIFS:2.2.4.64

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

File_id

The file identifier (FID) assigned to the opened file.

File_size

Size of the file.

Times

Timestamps associated with the file in question.


smb1_nt_cancel_request
Type

event (c: connection, hdr: SMB1::Header)

Generated for SMB/CIFS version 1 requests of type nt cancel. This is sent by the client to request that a currently pending request be cancelled.

For more information, see MS-CIFS:2.2.4.65

C

The connection.

Hdr

The parsed header of the SMB version 1 message.


smb1_query_information_request
Type

event (c: connection, hdr: SMB1::Header, filename: string)

Generated for SMB/CIFS version 1 requests of type query information. This is a deprecated command which has been replaced by the trans2_query_path_information subcommand. This is used by the client to obtain attribute information about a file.

For more information, see MS-CIFS:2.2.4.9

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

Filename

The filename that the client is querying.


smb1_read_andx_request
Type

event (c: connection, hdr: SMB1::Header, file_id: count, offset: count, length: count)

Generated for SMB/CIFS version 1 requests of type read andx. This is sent by the client to read bytes from a regular file, a named pipe, or a directly accessible device such as a serial port (COM) or printer port (LPT).

For more information, see MS-CIFS:2.2.4.42

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

File_id

The file identifier being read from.

Offset

The byte offset the requested read begins at.

Length

The number of bytes being requested.


smb1_read_andx_response
Type

event (c: connection, hdr: SMB1::Header, data_len: count)

Generated for SMB/CIFS version 1 responses of type read andx. This is the server response to the read andx request.

For more information, see MS-CIFS:2.2.4.42

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

Data_len

The length of data from the requested file.


smb1_session_setup_andx_request
Type

event (c: connection, hdr: SMB1::Header, request: SMB1::SessionSetupAndXRequest)

Generated for SMB/CIFS version 1 requests of type setup andx. This is sent by the client to configure an SMB session.

For more information, see MS-CIFS:2.2.4.53

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

Request

The parsed request data of the SMB message. See init-bare for more details.

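
The smb1_negotiate_response event hands over an SMB1::NegotiateResponse whose core, lanman and ntlm branches carry different amounts of security information, and the subsequent smb1_session_setup_andx_request shows which credential form the client then used. The Zeek script below is an added example, not part of the Zeek documentation or distribution: it walks the three optional branches, remembers the negotiated posture per connection, and reports session setups that send a plaintext password or raw LM/NTLM responses without extended security. The module name, notice types and the NegInfo record are this example's own.

```zeek
# Added example (not Zeek project code): track SMB1 negotiation results and
# judge the credential form used in the following session setup.
@load base/frameworks/notice

module SMB1Posture;

export {
    redef enum Notice::Type += {
        ## An SMB1 dialect was negotiated without challenge/response or signing.
        Weak_Negotiation,
        ## A session setup carried credentials in a form this example treats as risky.
        Risky_Session_Setup
    };
}

# What the server's negotiate response tells us (example-defined record).
type NegInfo: record {
    dialect: string;
    challenge_response: bool;
    signing_required: bool;
    extended_security: bool;
};

# Per-connection result of the last negotiate response.
global negotiated: table[conn_id] of NegInfo &create_expire=10min;

event smb1_negotiate_response(c: connection, hdr: SMB1::Header, response: SMB1::NegotiateResponse)
    {
    # Start from the core branch, which has only dialect_index and therefore
    # offers neither challenge/response nor signing.
    local info = NegInfo($dialect="core", $challenge_response=F,
                         $signing_required=F, $extended_security=F);

    if ( response?$ntlm )
        {
        local n = response$ntlm;
        info$dialect = "NT LM 0.12";
        info$challenge_response = n$security_mode$challenge_response;
        # signatures_required is &optional; treat an absent field as F.
        info$signing_required = n$security_mode?$signatures_required &&
                                n$security_mode$signatures_required;
        info$extended_security = n$capabilities$extended_security;
        }
    else if ( response?$lanman )
        {
        info$dialect = "LANMAN";
        info$challenge_response = response$lanman$security_mode$challenge_response;
        }

    negotiated[c$id] = info;

    if ( ! info$challenge_response || ! info$signing_required )
        NOTICE([$note=Weak_Negotiation, $conn=c,
                $msg=fmt("SMB1 %s negotiated with %s: challenge/response=%s, signing required=%s",
                         info$dialect, c$id$resp_h, info$challenge_response,
                         info$signing_required),
                $identifier=cat(c$id$resp_h, info$dialect)]);
    }

event smb1_session_setup_andx_request(c: connection, hdr: SMB1::Header, request: SMB1::SessionSetupAndXRequest)
    {
    if ( c$id !in negotiated )
        return;

    local info = negotiated[c$id];
    local why = "";

    # Pre NT LM 0.12 without challenge/response: account_password is the password itself.
    if ( request?$account_password && ! info$challenge_response )
        why = "plaintext password";
    # NT LM 0.12 without extended security carries the LM/NTLM responses directly.
    else if ( request?$case_insensitive_password || request?$case_sensitive_password )
        why = "raw LM/NTLM challenge responses (no extended security)";

    if ( why == "" )
        return;

    NOTICE([$note=Risky_Session_Setup, $conn=c,
            $msg=fmt("SMB1 session setup for account '%s' (domain %s) to %s uses %s",
                     request?$account_name ? request$account_name : "<unset>",
                     request?$primary_domain ? request$primary_domain : "<unset>",
                     c$id$resp_h, why),
            $identifier=cat(c$id$orig_h, c$id$resp_h)]);
    }
```

With extended security (security_blob set), the credential exchange moves into the SPNEGO/NTLMSSP blob and is not visible through these fields; Zeek's NTLM analyzer is the place to look in that case.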

smb1_session_setup_andx_response
Type

event (c: connection, hdr: SMB1::Header, response: SMB1::SessionSetupAndXResponse)

Generated for SMB/CIFS version 1 responses of type setup andx. This is the server response to the setup andx request.

For more information, see MS-CIFS:2.2.4.53

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

Response

The parsed response data of the SMB message. See init-bare for more details.


smb1_transaction_request
Type

event (c: connection, hdr: SMB1::Header, name: string, sub_cmd: count, parameters: string, data: string)

Generated for SMB/CIFS version 1 requests of type transaction. This command serves as the transport for the Transaction Subprotocol Commands. These commands operate on mailslots and named pipes, which are interprocess communication endpoints within the CIFS file system.

For more information, see MS-CIFS:2.2.4.33.1

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

Name

A name string that MAY identify the resource (a specific Mailslot or Named Pipe) against which the operation is performed.

Sub_cmd

The subcommand; some are parsed and have their own events.

Parameters

Content of the SMB_Data.Trans_Parameters field

Data

Content of the SMB_Data.Trans_Data field


smb1_transaction_response
Type

event (c: connection, hdr: SMB1::Header, parameters: string, data: string)

Generated for SMB/CIFS version 1 responses of type transaction. This command serves as the transport for the Transaction Subprotocol Commands. These commands operate on mailslots and named pipes, which are interprocess communication endpoints within the CIFS file system.

For more information, see MS-CIFS:2.2.4.33.2

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

Parameters

Content of the SMB_Data.Trans_Parameters field

Data

Content of the SMB_Data.Trans_Data field

smb1_transaction_secondary_request
Type

event (c: connection, hdr: SMB1::Header, args: SMB1::Trans_Sec_Args, parameters: string, data: string)

Generated for SMB/CIFS version 1 requests of type transaction_secondary. This command serves as an additional request data container for the Transaction Subprotocol Commands (carried by transaction requests).

For more information, see MS-CIFS:2.2.4.34

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

Parameters

Content of the SMB_Data.Trans_Parameters field.

Data

Content of the SMB_Data.Trans_Data field.

smb1_transaction2_request
Type

event (c: connection, hdr: SMB1::Header, args: SMB1::Trans2_Args, sub_cmd: count)

Generated for SMB/CIFS version 1 requests of type transaction2. This command serves as the transport for the Transaction2 Subprotocol Commands. These commands operate on mailslots and named pipes, which are interprocess communication endpoints within the CIFS file system. Compared to the Transaction Subprotocol Commands, these commands allow clients to set and retrieve Extended Attribute key/value pairs, make use of long file names (longer than the original 8.3 format names), and perform directory searches, among other tasks.

For more information, see MS-CIFS:2.2.4.46

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

Sub_cmd

The sub-command. Some sub-commands are parsed further and have their own events.

See also:

smb1_trans2_find_first2_request
Type

event (c: connection, hdr: SMB1::Header, args: SMB1::Find_First2_Request_Args)

Generated for SMB/CIFS version 1 transaction2 requests of subtype find first2. This transaction is used to begin a search for file(s) within a directory, or for a directory.

For more information, see MS-CIFS:2.2.6.2

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

Args

A record data structure with arguments given to the command.

See also:

smb1_trans2_query_path_info_request
Type

event (c: connection, hdr: SMB1::Header, file_name: string)

Generated for SMB/CIFS version 1 transaction2 requests of subtype query path info. This transaction is used to get information about a specific file or directory.

For more information, see MS-CIFS:2.2.6.6

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

File_name

File name the request is in reference to.

See also:

smb1_trans2_get_dfs_referral_request
Type

event (c: connection, hdr: SMB1::Header, file_name: string)

Generated for SMB/CIFS version 1 transaction2 requests of subtype get DFS referral. This transaction is used to request a referral for a disk object in DFS.

For more information, see MS-CIFS:2.2.6.16

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

File_name

File name the request is in reference to.

See also:

smb1_transaction2_secondary_request
Type

event (c: connection, hdr: SMB1::Header, args: SMB1::Trans2_Sec_Args, parameters: string, data: string)

Generated for SMB/CIFS version 1 requests of type transaction2 secondary.

For more information, see MS-CIFS:2.2.4.47.1

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

Args

Arguments of the message (SMB_Parameters.Words).

Parameters

Content of the SMB_Data.Trans_Parameters field.

Data

Content of the SMB_Data.Trans_Data field.

smb1_tree_connect_andx_request
Type

event (c: connection, hdr: SMB1::Header, path: string, service: string)

Generated for SMB/CIFS version 1 requests of type tree connect andx. This is sent by the client to establish a connection to a server share.

For more information, see MS-CIFS:2.2.4.55

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

Path

The path attribute specified in the message.

Service

The service attribute specified in the message.

See also:

smb1_tree_connect_andx_response
Type

event (c: connection, hdr: SMB1::Header, service: string, native_file_system: string)

Generated for SMB/CIFS version 1 responses of type tree connect andx. This is the server reply to the tree connect andx request.

For more information, see MS-CIFS:2.2.4.55

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

Service

The service attribute specified in the message.

Native_file_system

The file system of the remote server, as indicated by the server.

See also:

smb1_tree_disconnect
Type

event (c: connection, hdr: SMB1::Header, is_orig: bool)

Generated for SMB/CIFS version 1 requests of type tree disconnect. This is sent by the client to logically disconnect client access to a server resource.

For more information, see MS-CIFS:2.2.4.51

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

Is_orig

True if the message was from the originator.

See also:

smb1_write_andx_request
Type

event (c: connection, hdr: SMB1::Header, file_id: count, offset: count, data_len: count)

Generated for SMB/CIFS version 1 requests of type write andx. This is sent by the client to write bytes to a regular file, a named pipe, or a directly accessible I/O device such as a serial port (COM) or printer port (LPT).

For more information, see MS-CIFS:2.2.4.43

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

Offset

The byte offset into the referenced file at which the data is being written.

Data_len

The number of bytes of data being written.

See also:

smb1_write_andx_response
Type

event (c: connection, hdr: SMB1::Header, written_bytes: count)

Generated for SMB/CIFS version 1 responses of type write andx. This is the server response to the write andx request.

For more information, see MS-CIFS:2.2.4.43

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

Written_bytes

The number of bytes the server reported having actually written.

See also:

smb1_message
Type

event (c: connection, hdr: SMB1::Header, is_orig: bool)

Generated for all SMB/CIFS version 1 messages.

See Wikipedia for more information about the SMB/CIFS protocol. Zeek’s SMB/CIFS analyzer parses both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

Is_orig

True if the message was sent by the originator of the underlying transport-level connection.

See also:

smb1_empty_response
Type

event (c: connection, hdr: SMB1::Header)

Generated when there is an SMB version 1 response with no message body.

C

The connection.

Hdr

The parsed header of the SMB message.

See also:

smb1_error
Type

event (c: connection, hdr: SMB1::Header, is_orig: bool)

Generated for SMB version 1 messages that indicate an error. This event is triggered by an SMB header including a status that signals an error.

C

The connection.

Hdr

The parsed header of the SMB message.

Is_orig

True if the message was sent by the originator of the underlying transport-level connection.

See also:

smb2_close_request
Type

event (c: connection, hdr: SMB2::Header, file_id: SMB2::GUID)

Generated for SMB/CIFS version 2 requests of type close. This is used by the client to close an instance of a file that was opened previously with a successful SMB2 CREATE Request.

For more information, see MS-SMB2:2.2.15

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

File_id

The SMB2 GUID of the file being closed.

See also:

smb2_close_response
Type

event (c: connection, hdr: SMB2::Header, response: SMB2::CloseResponse)

Generated for SMB/CIFS version 2 responses of type close. This is sent by the server to indicate that an SMB2 CLOSE request was processed successfully.

For more information, see MS-SMB2:2.2.16

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

Response

A record of attributes returned from the server from the close.

See also:

smb2_create_request
Type

event (c: connection, hdr: SMB2::Header, request: SMB2::CreateRequest)

Generated for SMB/CIFS version 2 requests of type create. This is sent by the client to request either creation of or access to a file.

For more information, see MS-SMB2:2.2.13

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

Request

A record with more information related to the request.

See also:

smb2_create_response
Type

event (c: connection, hdr: SMB2::Header, response: SMB2::CreateResponse)

Generated for SMB/CIFS version 2 responses of type create. This is sent by the server to notify the client of the status of its SMB2 CREATE request.

For more information, see MS-SMB2:2.2.14

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

Response

A record with more information related to the response.

See also:

smb2_negotiate_request
Type

event (c: connection, hdr: SMB2::Header, dialects: index_vec)

Generated for SMB/CIFS version 2 requests of type negotiate. This is used by the client to notify the server what dialects of the SMB2 Protocol the client understands.

For more information, see MS-SMB2:2.2.3

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

Dialects

A vector of the client’s supported dialects.

See also:

smb2_negotiate_response
Type

event (c: connection, hdr: SMB2::Header, response: SMB2::NegotiateResponse)

Generated for SMB/CIFS version 2 responses of type negotiate. This is sent by the server to notify the client of the preferred common dialect.

For more information, see MS-SMB2:2.2.4

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

Response

The negotiate response data structure.

See also:

smb2_read_request
Type

event (c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count)

Generated for SMB/CIFS version 2 requests of type read. This is sent by the client to request a read operation on the specified file.

For more information, see MS-SMB2:2.2.19

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

File_id

The GUID being used for the file.

Offset

The byte offset into the file at which this read takes place.

Length

The number of bytes of the file being read.

See also:

smb2_session_setup_request
Type

event (c: connection, hdr: SMB2::Header, request: SMB2::SessionSetupRequest)

Generated for SMB/CIFS version 2 requests of type session_setup. This is sent by the client to request a new authenticated session within a new or existing SMB 2 Protocol transport connection to the server.

For more information, see MS-SMB2:2.2.5

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

Request

A record containing more information related to the request.

See also:

smb2_session_setup_response
Type

event (c: connection, hdr: SMB2::Header, response: SMB2::SessionSetupResponse)

Generated for SMB/CIFS version 2 responses of type session_setup. This is sent by the server in response to a session_setup request.

For more information, see MS-SMB2:2.2.6

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

Response

A record containing more information related to the response.

See also:

smb2_file_rename
Type

event (c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, dst_filename: string)

Generated for SMB/CIFS version 2 requests of type set_info of the rename subtype.

For more information, see MS-SMB2:2.2.39

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

File_id

A GUID to identify the file.

Dst_filename

The filename to rename the file into.

See also:

smb2_file_delete
Type

event (c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, delete_pending: bool)

Generated for SMB/CIFS version 2 requests of type set_info of the delete subtype.

For more information, see MS-SMB2:2.2.39

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

File_id

The SMB2 GUID for the file.

Delete_pending

If set to T, indicates that the file should be deleted when it is closed.

See also:
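
The following script is an added example, not part of the Zeek documentation or the Zeek project, showing how the two set_info events above (smb2_file_rename and smb2_file_delete) can be combined to spot one client renaming or deleting many files in a short window, a pattern worth surfacing in SMB monitoring; the module name, threshold, window length and notice type are assumptions chosen for illustration.

```zeek
# Added example, not part of the Zeek documentation: count SMB2 rename and
# delete-on-close requests per connection and raise a notice when one client
# exceeds a threshold within a window. Module, threshold, window and notice
# type are assumptions chosen for illustration.
@load base/frameworks/notice

module SMB2FileChurn;

export {
    redef enum Notice::Type += {
        ## Many files renamed or deleted over one SMB2 connection.
        Mass_File_Churn,
    };

    ## Rename/delete requests that trigger the notice (assumed value).
    const churn_threshold = 50 &redef;

    ## Window, counted from the first request seen, in which the
    ## threshold must be reached (assumed value).
    const churn_window = 1 min &redef;
}

type State: record {
    first_seen: time;
    renames: count &default=0;
    deletes: count &default=0;
    notified: bool &default=F;
};

# Per-connection counters; the entry expires churn_window after creation,
# so a slow trickle of renames never accumulates to the threshold.
global churn: table[conn_id] of State &create_expire=churn_window;

function get_state(c: connection): State
    {
    if ( c$id !in churn )
        churn[c$id] = State($first_seen=network_time());

    return churn[c$id];
    }

function maybe_notice(c: connection, s: State)
    {
    if ( s$notified || s$renames + s$deletes < churn_threshold )
        return;

    s$notified = T;
    NOTICE([$note=Mass_File_Churn,
            $conn=c,
            $msg=fmt("%d renames and %d delete requests over SMB2 within %s",
                     s$renames, s$deletes, network_time() - s$first_seen),
            $identifier=cat(c$id$orig_h, c$id$resp_h)]);
    }

event smb2_file_rename(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, dst_filename: string)
    {
    local s = get_state(c);
    ++s$renames;
    maybe_notice(c, s);
    }

event smb2_file_delete(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, delete_pending: bool)
    {
    # Only requests that actually set delete-on-close count; a client may
    # also send delete_pending=F to cancel a pending deletion.
    if ( ! delete_pending )
        return;

    local s = get_state(c);
    ++s$deletes;
    maybe_notice(c, s);
    }
```

Records are reference types in Zeek, so incrementing the counters through the returned State updates the table entry in place.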

smb2_file_sattr
Type

event (c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, times: SMB::MACTimes, attrs: SMB2::FileAttrs)

Generated for SMB/CIFS version 2 requests of type set_info of the file subtype.

For more information, see MS-SMB2:2.2.39

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

File_id

The SMB2 GUID for the file.

Times

Timestamps associated with the file in question.

Attrs

File attributes.

See also:

smb2_file_allocation
Type

event (c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, alloc_size: int)

Generated for SMB/CIFS version 2 requests of type set_info of the allocation subtype.

For more information, see MS-SMB2:2.2.39

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

File_id

The SMB2 GUID for the file.

Alloc_size

The desired allocation size.

See also:

smb2_file_endoffile
Type

event (c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, end_of_file: int)

Generated for SMB/CIFS version 2 requests of type set_info of the end_of_file subtype.

For more information, see MS-SMB2:2.2.39

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

File_id

The SMB2 GUID for the file.

End_of_file

The absolute new end-of-file position, as a byte offset from the start of the file.

See also:

smb2_file_mode
Type

event (c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, mode: count)

Generated for SMB/CIFS version 2 requests of type set_info of the mode subtype.

For more information, see MS-SMB2:2.2.39

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

File_id

The SMB2 GUID for the file.

Mode

Specifies how the file will subsequently be accessed.

See also:

smb2_file_pipe
Type

event (c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, read_mode: count, completion_mode: count)

Generated for SMB/CIFS version 2 requests of type set_info of the pipe subtype.

For more information, see MS-SMB2:2.2.39

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

File_id

The SMB2 GUID for the file.

Read_mode

Specifies whether data must be read as a stream of bytes or as messages.

Completion_mode

Specifies whether blocking mode must be enabled.

See also:

smb2_file_position
Type

event (c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, current_byte_offset: int)

Generated for SMB/CIFS version 2 requests of type set_info of the position subtype.

For more information, see MS-SMB2:2.2.39

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

File_id

The SMB2 GUID for the file.

Current_byte_offset

Specifies the offset, in bytes, of the file pointer from the beginning of the file.

See also:

smb2_file_shortname
Type

event (c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, file_name: string)

Generated for SMB/CIFS version 2 requests of type set_info of the short_name subtype.

For more information, see MS-SMB2:2.2.39

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

File_id

The SMB2 GUID for the file.

File_name

Specifies the name of the file to be changed.

See also:

smb2_file_validdatalength
Type

event (c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, valid_data_length: int)

Generated for SMB/CIFS version 2 requests of type set_info of the valid_data_length subtype.

For more information, see MS-SMB2:2.2.39

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

File_id

The SMB2 GUID for the file.

Valid_data_length

Specifies the new valid data length for the file.

See also:

smb2_file_fullea
Type

event (c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, file_eas: SMB2::FileEAs)

Generated for SMB/CIFS version 2 requests of type set_info of the full_EA subtype.

For more information, see MS-SMB2:2.2.39

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

File_id

The SMB2 GUID for the file.

File_eas

A vector of extended file attributes, as defined in MS-FSCC:2.4.15.

See also:

Type

event (c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, root_directory: count, file_name: string)

Generated for SMB/CIFS version 2 requests of type set_info of the link subtype.

For more information, see MS-SMB2:2.2.39

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

File_id

The SMB2 GUID for the file.

Root_directory

Contains the file handle of the directory in which the link is to be created.

File_name

Contains the name to be assigned to the newly created link.

See also:

smb2_file_fscontrol
Type

event (c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, fs_control: SMB2::Fscontrol)

Generated for SMB/CIFS version 2 requests of type set_info of the fs_control subtype.

For more information, see MS-SMB2:2.2.39

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

File_id

The SMB2 GUID for the file.

Fs_control

Contains the fs_control information (see MS-FSCC:2.5.2).

See also:

smb2_file_fsobjectid
Type

event (c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, object_id: SMB2::GUID, extended_info: string)

Generated for SMB/CIFS version 2 requests of type set_info of the fs_object_id subtype.

For more information, see MS-SMB2:2.2.39

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

File_id

The SMB2 GUID for the file.

Object_id

Contains a 16-byte GUID that identifies the file system volume (see MS-FSCC:2.5.6).

Extended_info

Contains extended information on the file system volume.

See also:

smb2_tree_connect_request
Type

event (c: connection, hdr: SMB2::Header, path: string)

Generated for SMB/CIFS version 2 requests of type tree_connect. This is sent by a client to request access to a particular share on the server.

For more information, see MS-SMB2:2.2.9

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

Path

Path of the requested tree.

See also:
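
As an added example that is not part of the Zeek documentation or project, the script below handles smb1_tree_connect_andx_request (above) and smb2_tree_connect_request to raise a notice whenever a client connects to an administrative share such as ADMIN$ or C$, which is routine for remote administration but worth a record when it comes from an unexpected source; the module name, notice type and allow-list are assumptions.

```zeek
# Added example, not part of the Zeek documentation: watch SMB1 and SMB2
# tree connects for administrative shares (ADMIN$ and single-letter drive
# shares such as C$). IPC$ is deliberately excluded because named-pipe
# traffic over it is ubiquitous. Module, notice type and allow-list are
# assumptions chosen for illustration.
@load base/frameworks/notice

module SMBAdminShare;

export {
    redef enum Notice::Type += {
        ## A client connected to an administrative share.
        Admin_Share_Connect,
    };

    ## Hosts permitted to connect to admin shares without a notice
    ## (assumed: empty by default).
    const allowed_admins: set[addr] = set() &redef;
}

# Extract the share name from a UNC path such as "\\srv\ADMIN$" or
# "\\srv\C$\": the first non-empty component is the host, the second the share.
function share_of(path: string): string
    {
    local parts = split_string(path, /\\+/);
    local seen_host = F;
    for ( i in parts )
        {
        if ( parts[i] == "" )
            next;
        if ( ! seen_host )
            {
            seen_host = T;
            next;
            }
        return to_upper(parts[i]);
        }
    return "";
    }

# ADMIN$ or a drive share: one letter followed by "$".
function is_admin_share(share: string): bool
    {
    if ( share == "ADMIN$" )
        return T;
    return /^[A-Z]\$$/ == share;
    }

function check(c: connection, path: string, proto: string)
    {
    local share = share_of(path);
    if ( ! is_admin_share(share) || c$id$orig_h in allowed_admins )
        return;

    NOTICE([$note=Admin_Share_Connect,
            $conn=c,
            $msg=fmt("%s tree connect to %s (%s)", proto, share, path),
            $sub=share,
            $identifier=cat(c$id$orig_h, c$id$resp_h, share)]);
    }

event smb1_tree_connect_andx_request(c: connection, hdr: SMB1::Header, path: string, service: string)
    {
    check(c, path, "SMB1");
    }

event smb2_tree_connect_request(c: connection, hdr: SMB2::Header, path: string)
    {
    check(c, path, "SMB2");
    }
```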

smb2_tree_connect_response
Type

event (c: connection, hdr: SMB2::Header, response: SMB2::TreeConnectResponse)

Generated for SMB/CIFS version 2 responses of type tree_connect. This is sent by the server when a tree_connect request is successfully processed by the server.

For more information, see MS-SMB2:2.2.10

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

Response

A record with more information related to the response.

See also:

smb2_tree_disconnect_request
Type

event (c: connection, hdr: SMB2::Header)

Generated for SMB/CIFS version 2 requests of type tree disconnect. This is sent by the client to logically disconnect client access to a server resource.

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

See also:

smb2_tree_disconnect_response
Type

event (c: connection, hdr: SMB2::Header)

Generated for SMB/CIFS version 2 responses of type tree disconnect. This is sent by the server to logically disconnect client access to a server resource.

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

See also:

smb2_write_request
Type

event (c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count)

Generated for SMB/CIFS version 2 requests of type write. This is sent by the client to write data to the file or named pipe on the server.

For more information, see MS-SMB2:2.2.21

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

File_id

The GUID being used for the file.

Offset

The byte offset into the file at which this write takes place.

Length

The number of bytes of the file being written.

See also:

smb2_write_response
Type

event (c: connection, hdr: SMB2::Header, length: count)

Generated for SMB/CIFS version 2 responses of type write. This is sent by the server in response to a write request to a file or named pipe on the server.

For more information, see MS-SMB2:2.2.22

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

Length

The number of bytes of the file being written.

See also:

smb2_transform_header
Type

event (c: connection, hdr: SMB2::Transform_header)

Generated for SMB/CIFS version 3.x transform_header. This is used by the client or server when sending encrypted messages.

For more information, see MS-SMB2:2.2.41

C

The connection.

Hdr

The parsed transform header, which starts with the \xfdSMB signature and differs from the SMB1 and SMB2 headers.

See also:

smb2_message
Type

event (c: connection, hdr: SMB2::Header, is_orig: bool)

Generated for SMB/CIFS version 2 messages.

See Wikipedia for more information about the SMB/CIFS protocol. Zeek’s SMB/CIFS analyzer parses both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

Is_orig

True if the message came from the originator side.

See also:

smb_pipe_connect_heuristic
Type

event (c: connection)

Generated for SMB connections when a named pipe has been detected heuristically. This happens when the drive mapping was not observed, so the analyzer cannot otherwise determine whether to send the data to the files framework or to the DCE_RPC analyzer. The heuristic can be tuned by adding or removing named pipe names in the SMB::pipe_filenames const.

C

The connection.

Zeek::SMTP

SMTP analyzer

Components

Analyzer::ANALYZER_SMTP

Events
smtp_request
Type

event (c: connection, is_orig: bool, command: string, arg: string)

Generated for client-side SMTP commands.

See Wikipedia for more information about the SMTP protocol.

C

The connection.

Is_orig

True if the sender of the command is the originator of the TCP connection. Note that this is not redundant: the SMTP TURN command allows client and server to flip roles on established SMTP sessions, and hence a “request” might still come from the TCP-level responder. In practice, however, that will rarely happen as TURN is considered insecure and rarely used.

Command

The request’s command, without any arguments.

Arg

The request command’s arguments.

See also:

Note

Zeek does not support the newer ETRN extension yet.

smtp_reply
Type

event (c: connection, is_orig: bool, code: count, cmd: string, msg: string, cont_resp: bool)

Generated for server-side SMTP commands.

See Wikipedia for more information about the SMTP protocol.

C

The connection.

Is_orig

True if the sender of the command is the originator of the TCP connection. Note that this is not redundant: the SMTP TURN command allows client and server to flip roles on established SMTP sessions, and hence a “reply” might still come from the TCP-level originator. In practice, however, that will rarely happen as TURN is considered insecure and rarely used.

Code

The reply’s numerical code.

Cmd

TODO.

Msg

The reply’s textual description.

Cont_resp

True if the reply line is tagged as being continued to the next line. If so, further events will be raised and a handler may want to reassemble the pieces before processing the response any further.

See also:

Note

Zeek doesn’t support the newer ETRN extension yet.
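
The cont_resp flag above is what a handler needs to reassemble multi-line replies. As an added example that is not part of the Zeek documentation or project, the script below buffers reply lines per connection until the final one arrives and then inspects a complete 250 EHLO reply for the extensions the server advertises; it assumes that the cmd parameter (documented as TODO above) names the command being answered, and the module, record and event names are illustrative.

```zeek
# Added example, not part of the Zeek documentation: reassemble multi-line
# SMTP replies with cont_resp and inspect the completed EHLO reply for the
# extensions the server advertises. Assumes that the cmd parameter names the
# command being answered; module and record names are illustrative.
module SMTPReplyAssembler;

export {
    ## Extensions whose absence from an EHLO reply is worth recording
    ## (assumed list chosen for illustration).
    const expected_ext: set[string] = { "STARTTLS" } &redef;

    ## Raised once per complete EHLO reply with the extension keywords.
    global ehlo_extensions: event(c: connection, exts: set[string]);
}

type Pending: record {
    code: count;
    cmd: string;
    lines: vector of string &default=vector();
};

# One partially assembled reply per connection: a continued reply is always
# completed by the following reply lines on the same connection.
global pending: table[conn_id] of Pending &write_expire=5 min;

# Turn the text lines of a 250 EHLO reply into the set of extension keywords.
# The first line carries the server's greeting rather than an extension.
function parse_ehlo(lines: vector of string): set[string]
    {
    local exts: set[string];
    for ( i in lines )
        {
        if ( i == 0 )
            next;
        # "AUTH PLAIN LOGIN" or "SIZE 52428800": the keyword is the first token.
        local parts = split_string1(lines[i], / /);
        add exts[to_upper(parts[0])];
        }
    return exts;
    }

event smtp_reply(c: connection, is_orig: bool, code: count, cmd: string, msg: string, cont_resp: bool)
    {
    if ( c$id !in pending )
        pending[c$id] = Pending($code=code, $cmd=cmd);

    local p = pending[c$id];
    p$lines[|p$lines|] = msg;

    # Another line of the same reply follows; keep buffering.
    if ( cont_resp )
        return;

    delete pending[c$id];

    if ( p$cmd == "EHLO" && p$code == 250 )
        event ehlo_extensions(c, parse_ehlo(p$lines));
    }

event ehlo_extensions(c: connection, exts: set[string])
    {
    for ( e in expected_ext )
        {
        if ( e !in exts )
            print fmt("%s: server %s did not advertise %s in its EHLO reply",
                      c$uid, c$id$resp_h, e);
        }
    }
```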

smtp_data
Type

event (c: connection, is_orig: bool, data: string)

Generated for DATA transmitted on SMTP sessions. This event is raised for each subsequent chunk of raw data following the DATA SMTP command until the corresponding end marker (a line consisting of a single period) is seen. A handler may want to reassemble the pieces as they come in if stream analysis is required.

See Wikipedia for more information about the SMTP protocol.

C

The connection.

Is_orig

True if the sender of the data is the originator of the TCP connection.

Data

The raw data. Note that the size of each chunk is undefined and depends on specifics of the underlying TCP connection.

See also:

Note

This event receives the unprocessed raw data. There is a separate set of mime_* events that strip out the outer MIME-layer of emails and provide structured access to their content.

smtp_unexpected
Type

event (c: connection, is_orig: bool, msg: string, detail: string)

Generated for unexpected activity on SMTP sessions. The SMTP analyzer tracks the state of SMTP sessions and reports commands and other activity with this event that it sees even though it would not expect so at the current point of the communication.

See Wikipedia for more information about the SMTP protocol.

C

The connection.

Is_orig

True if the sender of the unexpected activity is the originator of the TCP connection.

Msg

A descriptive message of what was unexpected.

Detail

The actual SMTP line triggering the event.

See also:

smtp_starttls
Type

event (c: connection)

Generated if a connection switched to using TLS using STARTTLS or X-ANONYMOUSTLS. After this event no more SMTP events will be raised for the connection. See the SSL analyzer for related SSL events, which will now be generated.

C

The connection.

Functions
skip_smtp_data
Type

function (c: connection) : any

Skips SMTP data until the next email in a connection.

C

The SMTP connection.

See also:

Zeek::SNMP

SNMP analyzer

Components

Analyzer::ANALYZER_SNMP

Types
SNMP::Header
Type

record

version: count

v1: SNMP::HeaderV1 &optional

Set when version is 0.

v2: SNMP::HeaderV2 &optional

Set when version is 1.

v3: SNMP::HeaderV3 &optional

Set when version is 3.

A generic SNMP header data structure that may include data from any version of SNMP. The value of the version field determines what header field is initialized.

SNMP::HeaderV1
Type

record

community: string

The top-level message data structure of an SNMPv1 datagram, not including the PDU data. See RFC 1157.

SNMP::HeaderV2
Type

record

community: string

The top-level message data structure of an SNMPv2 datagram, not including the PDU data. See RFC 1901.

SNMP::HeaderV3
Type

record

id: count

max_size: count

flags: count

auth_flag: bool

priv_flag: bool

reportable_flag: bool

security_model: count

security_params: string

pdu_context: SNMP::ScopedPDU_Context &optional

The top-level message data structure of an SNMPv3 datagram, not including the PDU data. See RFC 3412.

SNMP::PDU
Type

record

request_id: int

error_status: int

error_index: int

bindings: SNMP::Bindings

A PDU data structure from either RFC 1157 or RFC 3416.

SNMP::TrapPDU
Type

record

enterprise: string

agent: addr

generic_trap: int

specific_trap: int

time_stamp: count

bindings: SNMP::Bindings

A Trap-PDU data structure from RFC 1157.

SNMP::BulkPDU
Type

record

request_id: int

non_repeaters: count

max_repititions: count

bindings: SNMP::Bindings

A BulkPDU data structure from RFC 3416.

SNMP::ScopedPDU_Context
Type

record

engine_id: string

name: string

The ScopedPduData data structure of an SNMPv3 datagram, not including the PDU data (i.e. just the “context” fields). See RFC 3412.

SNMP::ObjectValue
Type

record

tag: count

oid: string &optional

signed: int &optional

unsigned: count &optional

address: addr &optional

octets: string &optional

A generic SNMP object value that may hold any of the valid ObjectSyntax values from RFC 1155 or RFC 3416. The value is decoded whenever possible and assigned to the appropriate field, which can be determined from the value of the tag field. For tags that cannot be mapped to an appropriate type, the octets field holds the BER-encoded ASN.1 content, if there is any (though octets may also be used for other tags such as OCTET STRING or Opaque). Null values will only have their corresponding tag value set.

SNMP::Binding
Type

record

oid: string

value: SNMP::ObjectValue

The VarBind data structure from either RFC 1157 or RFC 3416, which maps an Object Identifier to a value.

SNMP::Bindings
Type

vector of SNMP::Binding

A VarBindList data structure from either RFC 1157 or RFC 3416: a sequence of SNMP::Binding, each mapping an OID to a value.

Events
snmp_get_request
Type

event (c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU)

An SNMP GetRequest-PDU message from either RFC 1157 or RFC 3416.

C

The connection over which the SNMP datagram is sent.

Is_orig

The endpoint which sent the SNMP datagram.

Header

SNMP version-dependent data that precedes PDU data in the top-level SNMP message structure.

Pdu

An SNMP PDU data structure.

snmp_get_next_request
Type

event (c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU)

An SNMP GetNextRequest-PDU message from either RFC 1157 or RFC 3416.

C

The connection over which the SNMP datagram is sent.

Is_orig

The endpoint which sent the SNMP datagram.

Header

SNMP version-dependent data that precedes PDU data in the top-level SNMP message structure.

Pdu

An SNMP PDU data structure.

snmp_response
Type

event (c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU)

An SNMP GetResponse-PDU message from RFC 1157 or a Response-PDU from RFC 3416.

C

The connection over which the SNMP datagram is sent.

Is_orig

The endpoint which sent the SNMP datagram.

Header

SNMP version-dependent data that precedes PDU data in the top-level SNMP message structure.

Pdu

An SNMP PDU data structure.

snmp_set_request
Type

event (c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU)

An SNMP SetRequest-PDU message from either RFC 1157 or RFC 3416.

C

The connection over which the SNMP datagram is sent.

Is_orig

The endpoint which sent the SNMP datagram.

Header

SNMP version-dependent data that precedes PDU data in the top-level SNMP message structure.

Pdu

An SNMP PDU data structure.
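
The snmp_get_request, snmp_get_next_request and snmp_set_request events above all deliver the version-dependent header, which is where the v1/v2c community string or the v3 security flags live. As an added example that is not part of the Zeek documentation or project, the script below flags requests that use a well-known default community string and SNMPv3 requests sent without the authentication flag; the module name, notice types and the community list are assumptions.

```zeek
# Added example, not part of the Zeek documentation: flag SNMPv1/v2c
# requests that carry a well-known default community string and SNMPv3
# requests sent without the authentication flag, both of which leave device
# management open to anyone on the path. Module, notice types and the
# community list are assumptions chosen for illustration.
@load base/frameworks/notice

module SNMPWeakAuth;

export {
    redef enum Notice::Type += {
        ## A v1/v2c request used a default or well-known community string.
        Default_Community,
        ## A v3 request was sent with auth_flag unset.
        Unauthenticated_V3,
    };

    ## Community strings treated as defaults (assumed, short list).
    const default_communities: set[string] = { "public", "private" } &redef;
}

# Community string of a v1 (version 0) or v2c (version 1) header; "" for v3.
function community_of(h: SNMP::Header): string
    {
    if ( h$version == 0 && h?$v1 )
        return h$v1$community;
    if ( h$version == 1 && h?$v2 )
        return h$v2$community;
    return "";
    }

function check(c: connection, header: SNMP::Header, kind: string)
    {
    local comm = community_of(header);

    if ( comm != "" && to_lower(comm) in default_communities )
        {
        NOTICE([$note=Default_Community,
                $conn=c,
                $msg=fmt("SNMPv%s %s with default community \"%s\"",
                         header$version == 0 ? "1" : "2c", kind, comm),
                $identifier=cat(c$id$orig_h, c$id$resp_h, comm)]);
        }
    else if ( header$version == 3 && header?$v3 && ! header$v3$auth_flag )
        {
        NOTICE([$note=Unauthenticated_V3,
                $conn=c,
                $msg=fmt("SNMPv3 %s without authentication (security model %d)",
                         kind, header$v3$security_model),
                $identifier=cat(c$id$orig_h, c$id$resp_h)]);
        }
    }

event snmp_get_request(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU)
    {
    check(c, header, "GetRequest");
    }

event snmp_get_next_request(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU)
    {
    check(c, header, "GetNextRequest");
    }

event snmp_set_request(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU)
    {
    # Writes are the higher-risk case, so list the OIDs being set.
    local oids = "";
    for ( i in pdu$bindings )
        oids += (oids == "" ? "" : ",") + pdu$bindings[i]$oid;
    check(c, header, fmt("SetRequest[%s]", oids));
    }
```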

snmp_trap
Type

event (c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::TrapPDU)

An SNMP Trap-PDU message from RFC 1157.

C

The connection over which the SNMP datagram is sent.

Is_orig

The endpoint which sent the SNMP datagram.

Header

SNMP version-dependent data that precedes PDU data in the top-level SNMP message structure.

Pdu

An SNMP PDU data structure.

snmp_get_bulk_request
Type

event (c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::BulkPDU)

An SNMP GetBulkRequest-PDU message from RFC 3416.

C

The connection over which the SNMP datagram is sent.

Is_orig

The endpoint which sent the SNMP datagram.

Header

SNMP version-dependent data that precedes PDU data in the top-level SNMP message structure.

Pdu

An SNMP PDU data structure.

snmp_inform_request
Type

event (c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU)

An SNMP InformRequest-PDU message from RFC 3416.

C

The connection over which the SNMP datagram is sent.

Is_orig

The endpoint which sent the SNMP datagram.

Header

SNMP version-dependent data that precedes PDU data in the top-level SNMP message structure.

Pdu

An SNMP PDU data structure.

snmp_trapV2
Type

event (c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU)

An SNMP SNMPv2-Trap-PDU message from RFC 1157.

C

The connection over which the SNMP datagram is sent.

Is_orig

The endpoint which sent the SNMP datagram.

Header

SNMP version-dependent data that precedes PDU data in the top-level SNMP message structure.

Pdu

An SNMP PDU data structure.

snmp_report
Type

event (c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU)

An SNMP Report-PDU message from RFC 3416.

C

The connection over which the SNMP datagram is sent.

Is_orig

The endpoint which sent the SNMP datagram.

Header

SNMP version-dependent data that precedes PDU data in the top-level SNMP message structure.

Pdu

An SNMP PDU data structure.

snmp_unknown_pdu
Type

event (c: connection, is_orig: bool, header: SNMP::Header, tag: count)

An SNMP PDU message of unknown type.

C

The connection over which the SNMP datagram is sent.

Is_orig

The endpoint which sent the SNMP datagram.

Header

SNMP version-dependent data that precedes PDU data in the top-level SNMP message structure.

Tag

The tag of the unknown SNMP PDU.

snmp_unknown_scoped_pdu
Type

event (c: connection, is_orig: bool, header: SNMP::Header, tag: count)

An SNMPv3 ScopedPDUData of unknown type (neither a plaintext nor an encrypted PDU was in the datagram).

C

The connection over which the SNMP datagram is sent.

Is_orig

The endpoint which sent the SNMP datagram.

Header

SNMP version-dependent data that precedes PDU data in the top-level SNMP message structure.

Tag

The tag of the unknown SNMP PDU scope.

snmp_encrypted_pdu
Type

event (c: connection, is_orig: bool, header: SNMP::Header)

An SNMPv3 encrypted PDU message.

C

The connection over which the SNMP datagram is sent.

Is_orig

The endpoint which sent the SNMP datagram.

Header

SNMP version-dependent data that precedes PDU data in the top-level SNMP message structure.

snmp_unknown_header_version
Type

event (c: connection, is_orig: bool, version: count)

A datagram with an unknown SNMP version.

C

The connection over which the SNMP datagram is sent.

Is_orig

The endpoint which sent the SNMP datagram.

Version

The value of the unknown SNMP version.

Zeek::SOCKS

SOCKS analyzer

Components

Analyzer::ANALYZER_SOCKS

Events
socks_request
Type

event (c: connection, version: count, request_type: count, sa: SOCKS::Address, p: port, user: string)

Generated when a SOCKS request is analyzed.

C

The parent connection of the proxy.

Version

The version of SOCKS this message used.

Request_type

The type of the request.

Sa

Address that the tunneled traffic should be sent to.

P

The destination port for the proxied traffic.

User

Username given for the SOCKS connection. This is not yet implemented for SOCKSv5.

socks_reply
Type

event (c: connection, version: count, reply: count, sa: SOCKS::Address, p: port)

Generated when a SOCKS reply is analyzed.

C

The parent connection of the proxy.

Version

The version of SOCKS this message used.

Reply

The status reply from the server.

Sa

The address that the server sent the traffic to.

P

The destination port for the proxied traffic.

socks_login_userpass_request
Type

event (c: connection, user: string, password: string)

Generated when a SOCKS client performs username and password based login.

C

The parent connection of the proxy.

User

The given username.

Password

The given password.

socks_login_userpass_reply
Type

event (c: connection, code: count)

Generated when a SOCKS server replies to a username/password login attempt.

C

The parent connection of the proxy.

Code

The response code for the attempted login.
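The following script is an added example, not part of the Zeek distribution, showing how the socks_request and socks_login_userpass_request events can be turned into notices: one for proxied traffic aimed at a destination port outside an allow list, one for username/password logins, which SOCKS carries in the clear. The module name, notice types and the expected_ports policy are assumptions chosen for the example; the SOCKS::Address record is assumed to carry its host and name fields as &optional.

```zeek
# Added example, not part of the Zeek distribution: record where SOCKS clients
# tunnel traffic and raise a notice when credentials cross the wire in the clear.
@load base/protocols/socks
@load base/frameworks/notice

module SOCKSWatch;

export {
	redef enum Notice::Type += {
		## A client authenticated to a SOCKS proxy with username/password.
		Cleartext_Login,
		## A SOCKS request targeted a destination port outside the allow list.
		Unexpected_Destination_Port
	};

	## Destination ports considered normal for proxied traffic (assumed policy).
	const expected_ports: set[port] = { 80/tcp, 443/tcp } &redef;
}

event socks_request(c: connection, version: count, request_type: count,
                    sa: SOCKS::Address, p: port, user: string)
	{
	# A SOCKS address is either a literal host or a name; both fields are optional.
	local dest = "";
	if ( sa?$host )
		dest = fmt("%s", sa$host);
	else if ( sa?$name )
		dest = sa$name;

	if ( p !in expected_ports )
		NOTICE([$note=Unexpected_Destination_Port, $conn=c,
		        $msg=fmt("SOCKSv%d request_type %d to %s:%s", version,
		                 request_type, dest, p),
		        # One notice per (client, destination) pair, not per connection.
		        $identifier=cat(c$id$orig_h, dest, p)]);
	}

event socks_login_userpass_request(c: connection, user: string, password: string)
	{
	# The password is deliberately not copied into the notice; that it was
	# observable at all is the finding. Only its length is reported.
	NOTICE([$note=Cleartext_Login, $conn=c,
	        $msg=fmt("SOCKS username/password login for user '%s' (%d-byte password)",
	                 user, |password|),
	        $identifier=cat(c$id$orig_h, c$id$resp_h, user)]);
	}
```

Because the Notice framework suppresses repeats keyed on $identifier, a busy proxy produces one notice per client and destination rather than one per connection; adjust the identifier if per-connection granularity is wanted.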

Zeek::SSH

Secure Shell analyzer

Components

Analyzer::ANALYZER_SSH

Types
SSH::Algorithm_Prefs
Type

record

client_to_server: vector of string &optional

The algorithm preferences for client to server communication

server_to_client: vector of string &optional

The algorithm preferences for server to client communication

The client and server each have some preferences for the algorithms used in each direction.

SSH::Capabilities
Type

record

kex_algorithms: string_vec

Key exchange algorithms

server_host_key_algorithms: string_vec

The algorithms supported for the server host key

encryption_algorithms: SSH::Algorithm_Prefs

Symmetric encryption algorithm preferences

mac_algorithms: SSH::Algorithm_Prefs

Symmetric MAC algorithm preferences

compression_algorithms: SSH::Algorithm_Prefs

Compression algorithm preferences

languages: SSH::Algorithm_Prefs &optional

Language preferences

is_server: bool

Are these the capabilities of the server?

This record lists the preferences of an SSH endpoint for algorithm selection. During the initial SSH key exchange, each endpoint lists the algorithms that it supports, in order of preference. See RFC 4253#section-7.1 for details.

Events
ssh_server_version
Type

event (c: connection, version: string)

An SSH Protocol Version Exchange message from the server. This contains an identification string that’s used for version identification. See RFC 4253#section-4.2 for details.

C

The connection over which the message was sent.

Version

The identification string

See also:

ssh_client_version
Type

event (c: connection, version: string)

An SSH Protocol Version Exchange message from the client. This contains an identification string that’s used for version identification. See RFC 4253#section-4.2 for details.

C

The connection over which the message was sent.

Version

The identification string

See also:

ssh_auth_successful
Type

event (c: connection, auth_method_none: bool)

This event is generated when an SSH connection was determined to have had a successful authentication. This determination is based on packet size analysis, and errs on the side of caution - that is, if there’s any doubt about the authentication success, this event is not raised.

C

The connection over which the SSH connection took place.

Auth_method_none

This is true if the analyzer detected a successful connection before any authentication challenge. The SSH protocol provides a mechanism for unauthenticated access, which some servers support.

See also:

ssh_auth_attempted
Type

event (c: connection, authenticated: bool)

This event is generated when an SSH connection was determined to have had an authentication attempt. This determination is based on packet size analysis, and errs on the side of caution - that is, if there’s any doubt about whether or not an authentication attempt occurred, this event is not raised.

At this point in the protocol, all we can determine is whether or not the user is authenticated. We don’t know if the particular attempt succeeded or failed, since some servers require multiple authentications (e.g. require both a password AND a pubkey), and could return an authentication failed message which is marked as a partial success.

This event will often be raised multiple times per connection. In almost all connections, it will be raised once unless

C

The connection over which the SSH connection took place.

Authenticated

This is true if the analyzer detected a successful connection from the authentication attempt.

See also:

ssh_capabilities
Type

event (c: connection, cookie: string, capabilities: SSH::Capabilities)

During the initial SSH key exchange, each endpoint lists the algorithms that it supports, in order of preference. This event is generated for each endpoint, when the SSH_MSG_KEXINIT message is seen. See RFC 4253#section-7.1 for details.

C

The connection over which the SSH connection took place.

Cookie

The SSH_MSG_KEXINIT cookie - a random value generated by the sender.

Capabilities

The list of algorithms and languages that the sender advertises support for, in order of preference.

See also:

ssh2_server_host_key
Type

event (c: connection, key: string)

During the SSH key exchange, the server supplies its public host key. This event is generated when the appropriate key exchange message is seen for SSH2.

C

The connection over which the SSH connection took place.

Key

The server’s public host key. Note that this is the public key itself, and not just the fingerprint or hash.

See also:

ssh1_server_host_key
Type

event (c: connection, modulus: string, exponent: string)

During the SSH key exchange, the server supplies its public host key. This event is generated when the appropriate key exchange message is seen for SSH1.

C

The connection over which the SSH connection took place.

P

The exponent for the server’s public host key (note this parameter is truly the exponent even though named p and the exponent parameter will eventually replace it).

E

The prime modulus for the server’s public host key (note this parameter is truly the modulus even though named e and the modulus parameter will eventually replace it).

Modulus

The prime modulus of the server’s public host key.

Exponent

The exponent of the server’s public host key.

See also:

ssh_server_host_key
Type

event (c: connection, hash: string)

During the SSH key exchange, the server supplies its public host key. This event is generated when the appropriate key exchange message is seen for SSH1 or SSH2 and provides a fingerprint of the server’s host key.

C

The connection over which the SSH connection took place.

Hash

An MD5 hash fingerprint associated with the server’s host key. For SSH2, this is the hash of the “server public host key” string as seen on the wire in the Diffie-Hellman key exchange reply message (the string itself, excluding the 4-byte length associated with it), which is also the key parameter of ssh2_server_host_key. For SSH1, this is the hash of the combined multiprecision integer strings representing the RSA1 key’s prime modulus and public exponent (concatenated in that order) as seen on the wire, which are also the parameters of ssh1_server_host_key. In either case, the hash is the same “fingerprint” string as presented by other traditional tools (ssh, ssh-keygen, etc.), and is the hexadecimal representation of all 16 MD5 hash bytes delimited by colons.

See also:
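As an added example (not part of the Zeek distribution) that serves both the ssh_capabilities event above and ssh_server_host_key, the script below raises a notice when a server advertises a key exchange or cipher algorithm from a legacy list, and another when the MD5 fingerprint a server presents differs from the one last seen for the same address and port. The module name, notice types, the legacy_algorithms list and the one-day expiry are assumptions chosen for the example.

```zeek
# Added example, not part of the Zeek distribution.
@load base/protocols/ssh
@load base/frameworks/notice

module SSHWatch;

export {
	redef enum Notice::Type += {
		## A server advertised an algorithm from the legacy list below.
		Legacy_Algorithm,
		## A server presented a host key fingerprint different from the one
		## previously observed for the same address and port.
		Host_Key_Changed
	};

	## Algorithms treated as legacy for this example (assumed policy).
	const legacy_algorithms: set[string] = {
		"diffie-hellman-group1-sha1",
		"diffie-hellman-group-exchange-sha1",
		"arcfour", "arcfour128", "arcfour256",
		"3des-cbc"
	} &redef;

	## Last fingerprint seen per server endpoint; forgotten after a day of silence.
	global known_fingerprints: table[addr, port] of string &write_expire=1day;
}

# Walk one preference list and notice each legacy entry once per server.
function check_list(c: connection, kind: string, algs: vector of string)
	{
	for ( i in algs )
		{
		if ( algs[i] in legacy_algorithms )
			NOTICE([$note=Legacy_Algorithm, $conn=c,
			        $msg=fmt("server %s:%s offers legacy %s algorithm %s",
			                 c$id$resp_h, c$id$resp_p, kind, algs[i]),
			        $identifier=cat(c$id$resp_h, c$id$resp_p, algs[i])]);
		}
	}

event ssh_capabilities(c: connection, cookie: string, capabilities: SSH::Capabilities)
	{
	# Only the server's offer is examined; what clients propose is noisy and
	# says little about the server's configuration.
	if ( ! capabilities$is_server )
		return;

	check_list(c, "kex", capabilities$kex_algorithms);

	# Cipher preferences are per direction and both fields are &optional.
	if ( capabilities$encryption_algorithms?$server_to_client )
		check_list(c, "cipher", capabilities$encryption_algorithms$server_to_client);
	if ( capabilities$encryption_algorithms?$client_to_server )
		check_list(c, "cipher", capabilities$encryption_algorithms$client_to_server);
	}

event ssh_server_host_key(c: connection, hash: string)
	{
	if ( [c$id$resp_h, c$id$resp_p] in known_fingerprints )
		{
		local previous = known_fingerprints[c$id$resp_h, c$id$resp_p];
		if ( previous != hash )
			NOTICE([$note=Host_Key_Changed, $conn=c,
			        $msg=fmt("host key for %s:%s changed from %s to %s",
			                 c$id$resp_h, c$id$resp_p, previous, hash),
			        $identifier=cat(c$id$resp_h, c$id$resp_p, hash)]);
		}

	known_fingerprints[c$id$resp_h, c$id$resp_p] = hash;
	}
```

Two caveats when running this on real traffic: known_fingerprints is an ordinary per-process table, so in a cluster each worker keeps its own view unless the state is shared through the cluster framework, and a changed fingerprint is not proof of anything on its own (a rebuilt host, or several hosts behind one address, produce the same notice). The fingerprint compared here is the MD5 colon-separated string from the event, so it matches what ssh-keygen prints in its legacy format.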

ssh_encrypted_packet
Type

event (c: connection, orig: bool, len: count)

This event is generated when an SSH encrypted packet is seen. This event is not handled by default, but is provided for heuristic analysis scripts. Note that you have to set SSH::disable_analyzer_after_detection to false to use this event. This carries a performance penalty.

C

The connection over which the SSH connection took place.

Orig

Whether the packet was sent by the originator of the TCP connection.

Len

The length of the SSH payload, in bytes. Note that this ignores reassembly, as this is unknown.

See also:

ssh2_dh_server_params
Type

event (c: connection, p: string, q: string)

Generated if the connection uses a Diffie-Hellman Group Exchange key exchange method. This event contains the server DH parameters, which are sent in the SSH_MSG_KEY_DH_GEX_GROUP message as defined in RFC 4419#section-3.

C

The connection.

P

The DH prime modulus.

Q

The DH generator.

See also:

ssh2_gss_error
Type

event (c: connection, major_status: count, minor_status: count, err_msg: string)

In the event of a GSS-API error on the server, the server MAY send an error message with some additional details. This event is generated when such an error message is seen. For more information, see RFC 4462#section-2.1.

C

The connection.

Major_status

GSS-API major status code.

Minor_status

GSS-API minor status code.

Err_msg

Detailed human-readable error message

See also:

ssh2_ecc_key
Type

event (c: connection, is_orig: bool, q: string)

The ECDH and ECMQV key exchange algorithms use two ephemeral key pairs to generate a shared secret. This event is generated when either the client’s or server’s ephemeral public key is seen. For more information, see: RFC 5656#section-4.

C

The connection

Is_orig

Did this message come from the originator?

Q

The ephemeral public key

See also:

Zeek::SSL

SSL/TLS and DTLS analyzers

Components

Analyzer::ANALYZER_DTLS

Analyzer::ANALYZER_SSL

Options/Constants
SSL::dtls_max_version_errors
Type

count

Attributes

&redef

Default

10

Number of non-DTLS frames that can occur in a DTLS connection before parsing of the connection is suspended. DTLS does not immediately stop parsing a connection because other protocols might be interleaved in the same UDP “connection”.

SSL::dtls_max_reported_version_errors
Type

count

Attributes

&redef

Default

1

Maximum number of invalid version errors to report in one DTLS connection.

Types
SSL::SignatureAndHashAlgorithm
Type

record

HashAlgorithm: count

Hash algorithm number

SignatureAlgorithm: count

Signature algorithm number

SSL::PSKIdentity
Type

record

identity: string

PSK identity

obfuscated_ticket_age: count

Events
ssl_client_hello
Type

event (c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec)

Generated for an SSL/TLS client’s initial hello message. SSL/TLS sessions start with an unencrypted handshake, and Zeek extracts as much information out of that as it can. This event provides access to the initial information sent by the client.

See Wikipedia for more information about the SSL/TLS protocol.

C

The connection.

Version

The protocol version as extracted from the client’s message. The values are standardized as part of the SSL/TLS protocol. The SSL::version_strings table maps them to descriptive names.

Record_version

TLS version given in the record layer of the message. Set to 0 for SSLv2.

Possible_ts

The current time as sent by the client. Note that SSL/TLS does not require clocks to be set correctly, so treat with care.

Session_id

The session ID sent by the client (if any).

Client_random

The random value sent by the client. For version 2 connections, the client challenge is returned.

Ciphers

The list of ciphers the client offered to use. The values are standardized as part of the SSL/TLS protocol. The SSL::cipher_desc table maps them to descriptive names.

Comp_methods

The list of compression methods that the client offered to use. This value is not sent in TLSv1.3 or SSLv2.

See also:

ssl_server_hello
Type

event (c: connection, version: count, record_version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count)

Generated for an SSL/TLS server’s initial hello message. SSL/TLS sessions start with an unencrypted handshake, and Zeek extracts as much information out of that as it can. This event provides access to the initial information sent by the server.

See Wikipedia for more information about the SSL/TLS protocol.

C

The connection.

Version

The protocol version as extracted from the server’s message. The values are standardized as part of the SSL/TLS protocol. The SSL::version_strings table maps them to descriptive names.

Record_version

TLS version given in the record layer of the message. Set to 0 for SSLv2.

Possible_ts

The current time as sent by the server. Note that SSL/TLS does not require clocks to be set correctly, so treat with care. This value is meaningless in SSLv2 and TLSv1.3.

Session_id

The session ID as sent back by the server (if any). This value is not sent in TLSv1.3.

Server_random

The random value sent by the server. For version 2 connections, the connection-id is returned. Note - the full 32 bytes are included in server_random. This means that the 4 bytes present in possible_ts are repeated; if you do not want this behavior ignore the first 4 bytes.

Cipher

The cipher chosen by the server. The values are standardized as part of the SSL/TLS protocol. The SSL::cipher_desc table maps them to descriptive names.

Comp_method

The compression method chosen by the server. The values are standardized as part of the SSL/TLS protocol. This value is not sent in TLSv1.3 or SSLv2.

See also:
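As an added example (not part of the Zeek distribution), the script below handles ssl_server_hello and raises a notice when the server settles on a protocol version below TLS 1.2, or on a cipher suite whose SSL::cipher_desc name marks it as NULL, anonymous, export grade, RC4 or single DES. It uses the SSL::version_strings and SSL::cipher_desc tables mentioned above and the SSL::TLSv12 constant from Zeek's SSL consts; the module name, notice types, the min_version policy and the weak_cipher_pattern are assumptions chosen for the example.

```zeek
# Added example, not part of the Zeek distribution: flag legacy versions and
# weak cipher suites as chosen by the server in its hello.
@load base/protocols/ssl
@load base/frameworks/notice

module TLSWatch;

export {
	redef enum Notice::Type += {
		## The negotiated protocol version is below min_version.
		Legacy_Version,
		## The negotiated cipher suite matches weak_cipher_pattern.
		Weak_Cipher
	};

	## Lowest acceptable negotiated version (assumed policy).
	const min_version: count = SSL::TLSv12 &redef;

	## Cipher suite names (IANA style, as in SSL::cipher_desc) that mean
	## no confidentiality, no authentication, or a broken primitive.
	const weak_cipher_pattern: pattern = /_NULL_|_anon_|EXPORT|_RC4_|_DES_/ &redef;
}

# Map a version number to a name, falling back to hex for unknown values.
function version_name(v: count): string
	{
	return v in SSL::version_strings ? SSL::version_strings[v] : fmt("unknown-0x%x", v);
	}

# Map a cipher suite number to its name, falling back to hex for unknown values.
function cipher_name(cs: count): string
	{
	return cs in SSL::cipher_desc ? SSL::cipher_desc[cs] : fmt("unknown-0x%x", cs);
	}

event ssl_server_hello(c: connection, version: count, record_version: count,
                       possible_ts: time, server_random: string, session_id: string,
                       cipher: count, comp_method: count)
	{
	# The server's choice is what matters: the client may offer anything, but
	# only the negotiated version and suite protect the session.
	if ( version < min_version )
		NOTICE([$note=Legacy_Version, $conn=c,
		        $msg=fmt("%s:%s negotiated %s", c$id$resp_h, c$id$resp_p,
		                 version_name(version)),
		        $identifier=cat(c$id$resp_h, c$id$resp_p, version)]);

	local name = cipher_name(cipher);
	if ( weak_cipher_pattern in name )
		NOTICE([$note=Weak_Cipher, $conn=c,
		        $msg=fmt("%s:%s chose %s", c$id$resp_h, c$id$resp_p, name),
		        $identifier=cat(c$id$resp_h, c$id$resp_p, cipher)]);
	}
```

The pattern is matched against descriptive names such as TLS_RSA_WITH_NULL_SHA or TLS_DH_anon_WITH_AES_128_CBC_SHA, so it only works for suites that SSL::cipher_desc knows; unknown suites are reported by number and never trigger Weak_Cipher, which is the conservative choice for a notice-generating script.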

ssl_extension
Type

event (c: connection, is_orig: bool, code: count, val: string)

Generated for SSL/TLS extensions seen in an initial handshake. SSL/TLS sessions start with an unencrypted handshake, and Zeek extracts as much information out of that as it can. This event provides access to any extensions either side sends as part of an extended hello message.

Note that Zeek offers more specialized events for a few extensions.

C

The connection.

Is_orig

True if event is raised for originator side of the connection.

Code

The numerical code of the extension. The values are standardized as part of the SSL/TLS protocol. The SSL::extensions table maps them to descriptive names.

Val

The raw extension value that was sent in the message.

See also:

ssl_extension_elliptic_curves
Type

event (c: connection, is_orig: bool, curves: index_vec)

Generated for an SSL/TLS Elliptic Curves extension. This TLS extension is defined in RFC 4492 and sent by the client in the initial handshake. It gives the list of elliptic curves supported by the client.

C

The connection.

Is_orig

True if event is raised for originator side of the connection.

Curves

List of supported elliptic curves.

See also:

ssl_extension_ec_point_formats
Type

event (c: connection, is_orig: bool, point_formats: index_vec)

Generated for an SSL/TLS Supported Point Formats extension. This TLS extension is defined in RFC 4492 and sent by the client and/or server in the initial handshake. It gives the list of elliptic curve point formats supported by the client.

C

The connection.

Is_orig

True if event is raised for originator side of the connection.

Point_formats

List of supported point formats.

See also:

ssl_extension_signature_algorithm
Type

event (c: connection, is_orig: bool, signature_algorithms: signature_and_hashalgorithm_vec)

Generated for an Signature Algorithms extension. This TLS extension is defined in RFC 5246 and sent by the client in the initial handshake. It gives the list of signature and hash algorithms supported by the client.

C

The connection.

Is_orig

True if event is raised for originator side of the connection.

Signature_algorithms

List of supported signature and hash algorithm pairs.

See also:

ssl_extension_key_share
Type

event (c: connection, is_orig: bool, curves: index_vec)

Generated for a Key Share extension. This TLS extension is defined in TLS1.3-draft16 and sent by the client and the server in the initial handshake. It gives the list of named groups supported by the client and chosen by the server.

C

The connection.

Is_orig

True if event is raised for the originator side of the connection.

Curves

List of supported/chosen named groups.

See also:

ssl_extension_pre_shared_key_client_hello
Type

event (c: connection, is_orig: bool, identities: psk_identity_vec, binders: string_vec)

Generated for the pre-shared key extension as it is sent in the TLS 1.3 client hello.

The extension lists the identities the client is willing to negotiate with the server; they can either be pre-shared or be based on previous handshakes.

C

The connection.

Is_orig

True if event is raised for the originator side of the connection

Identities

A list of the identities the client is willing to negotiate with the server.

Binders

A series of HMAC values; for computation, see the TLS 1.3 RFC.

See also:

ssl_extension_pre_shared_key_server_hello
Type

event (c: connection, is_orig: bool, selected_identity: count)

Generated for the pre-shared key extension as it is sent in the TLS 1.3 server hello.

C

The connection.

Is_orig

True if event is raised for the originator side of the connection

Selected_identity

The identity the server chose as a 0-based index into the identities the client sent.

See also:

ssl_ecdh_server_params
Type

event (c: connection, curve: count, point: string)

Generated if a server uses an ECDH-anon or ECDHE cipher suite using a named curve. This event contains the named curve name and the server ECDH parameters contained in the ServerKeyExchange message as defined in RFC 4492.

C

The connection.

Curve

The curve parameters.

Point

The server’s ECDH public key.

See also:

ssl_dh_server_params
Type

event (c: connection, p: string, q: string, Ys: string)

Generated if a server uses a DH-anon or DHE cipher suite. This event contains the server DH parameters, contained in the ServerKeyExchange message as defined in RFC 5246.

C

The connection.

P

The DH prime modulus.

Q

The DH generator.

Ys

The server’s DH public key.

See also:

ssl_server_signature
Type

event (c: connection, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string)

Generated if a server uses a non-anonymous DHE or ECDHE cipher suite. This event contains the server signature over the key exchange parameters contained in the ServerKeyExchange message as defined in RFC 4492 and RFC 5246.

C

The connection.

Signature_and_hashalgorithm

Signature and hash algorithm used for the digitally_signed struct. This field is only present starting with TLSv1.2 and DTLSv1.2. Earlier versions used a hardcoded hash algorithm. For protocol versions below D(TLS)v1.2 this field is filled with a dummy value of 256.

Signature

Signature part of the digitally_signed struct. The private key corresponding to the certified public key in the server’s certificate message is used for signing.

See also:

ssl_ecdh_client_params
Type

event (c: connection, point: string)

Generated if a client uses an ECDH-anon or ECDHE cipher suite. This event contains the client ECDH public value contained in the ClientKeyExchange message as defined in RFC 4492.

C

The connection.

Point

The client’s ECDH public key.

See also:

ssl_dh_client_params
Type

event (c: connection, Yc: string)

Generated if a client uses a DH-anon or DHE cipher suite. This event contains the client DH parameters contained in the ClientKeyExchange message as defined in RFC 5246.

C

The connection.

Yc

The client’s DH public key.

See also:

ssl_rsa_client_pms
Type

event (c: connection, pms: string)

Generated if a client uses RSA key exchange. This event contains the client encrypted pre-master secret which is encrypted using the public key of the server’s certificate as defined in RFC 5246.

C

The connection.

Pms

The encrypted pre-master secret.

See also:

ssl_extension_application_layer_protocol_negotiation
Type

event (c: connection, is_orig: bool, protocols: string_vec)

Generated for an SSL/TLS Application-Layer Protocol Negotiation extension. This TLS extension is defined in draft-ietf-tls-applayerprotoneg and sent in the initial handshake. It contains the list of application protocols supported by the client or the server, respectively.

At the moment it is mostly used to negotiate the use of SPDY / HTTP2.

C

The connection.

Is_orig

True if event is raised for originator side of the connection.

Protocols

List of supported application layer protocols.

See also:

ssl_extension_server_name
Type

event (c: connection, is_orig: bool, names: string_vec)

Generated for an SSL/TLS Server Name extension. This SSL/TLS extension is defined in RFC 3546 and sent by the client in the initial handshake. It contains the name of the server it is contacting. This information can be used by the server to choose the correct certificate for the host the client wants to contact.

C

The connection.

Is_orig

True if event is raised for originator side of the connection.

Names

A list of server names (DNS hostnames).

See also:

ssl_extension_signed_certificate_timestamp
Type

event (c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string)

Generated for the signed_certificate_timestamp TLS extension as defined in RFC 6962. The extension is used to transmit signed proofs that are used for Certificate Transparency.

C

The connection.

Is_orig

True if event is raised for originator side of the connection.

Version

The version of the protocol to which the SCT conforms. This should always be 0 (representing version 1).

Logid

32 bit key id

Timestamp

the NTP Time when the entry was logged measured since the epoch, ignoring leap seconds, in milliseconds.

Signature_and_hashalgorithm

signature and hash algorithm used for the digitally_signed struct

Signature

signature part of the digitally_signed struct

See also:

ssl_extension_supported_versions
Type

event (c: connection, is_orig: bool, versions: index_vec)

Generated for a TLS Supported Versions extension. This TLS extension is defined in the TLS 1.3 RFC and sent by the client in the initial handshake. It contains the TLS versions that it supports. This information can be used by the server to choose the best TLS version to use.

C

The connection.

Is_orig

True if event is raised for originator side of the connection.

Versions

List of supported TLS versions.

See also:

ssl_extension_psk_key_exchange_modes
Type

event (c: connection, is_orig: bool, modes: index_vec)

Generated for a TLS Pre-Shared Key Exchange Modes extension. This TLS extension is defined in the TLS 1.3 RFC and sent by the client in the initial handshake. It contains the list of Pre-Shared Key Exchange Modes that it supports.

C

The connection.

Is_orig

True if event is raised for originator side of the connection.

Modes

List of supported Pre-Shared Key Exchange Modes.

See also:

ssl_established
Type

event (c: connection)

Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with an unencrypted handshake, and Zeek extracts as much information out of that as it can. This event signals the time when an SSL/TLS has finished the handshake and its endpoints consider it as fully established. Typically, everything from now on will be encrypted.

See Wikipedia for more information about the SSL/TLS protocol.

C

The connection.

See also:

ssl_alert
Type

event (c: connection, is_orig: bool, level: count, desc: count)

Generated for SSL/TLS alert records. SSL/TLS sessions start with an unencrypted handshake, and Zeek extracts as much information out of that as it can. If during that handshake, an endpoint encounters a fatal error, it sends an alert record, that in turn triggers this event. After an alert, any endpoint may close the connection immediately.

See Wikipedia for more information about the SSL/TLS protocol.

C

The connection.

Is_orig

True if event is raised for originator side of the connection.

Level

The severity level, as sent in the alert. The values are defined as part of the SSL/TLS protocol.

Desc

A numerical value identifying the cause of the alert. The values are defined as part of the SSL/TLS protocol.

See also:

ssl_session_ticket_handshake
Type

event (c: connection, ticket_lifetime_hint: count, ticket: string)

Generated for SSL/TLS handshake messages that are a part of the stateless-server session resumption mechanism. SSL/TLS sessions start with an unencrypted handshake, and Zeek extracts as much information out of that as it can. This event is raised when an SSL/TLS server passes a session ticket to the client that can later be used for resuming the session. The mechanism is described in RFC 4507.

See Wikipedia for more information about the SSL/TLS protocol.

C

The connection.

Ticket_lifetime_hint

A hint from the server about how long the ticket should be stored by the client.

Ticket

The raw ticket data.

See also:

ssl_heartbeat
Type

event (c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count, payload: string)

Generated for SSL/TLS heartbeat messages that are sent before session encryption starts. Generally heartbeat messages should rarely be seen in normal TLS traffic. Heartbeats are described in RFC 6520.

C

The connection.

Is_orig

True if event is raised for originator side of the connection.

Length

length of the entire heartbeat message.

Heartbeat_type

type of the heartbeat message. Per RFC, 1 = request, 2 = response.

Payload_length

length of the payload of the heartbeat message, according to packet field.

Payload

payload contained in the heartbeat message. Size can differ from payload_length, if payload_length and actual packet length disagree.

See also:
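The payload description above notes that the payload_length field and the bytes actually carried can disagree. The script below is an added example (not part of the Zeek distribution, which ships its own heartbeat policy script) that surfaces exactly that disagreement as a notice, reporting the direction, the claimed and actual sizes, and the record length; the module name and notice type are assumptions chosen for the example.

```zeek
# Added example, not part of the Zeek distribution: notice heartbeat records
# whose advertised payload_length does not match the payload actually carried.
@load base/protocols/ssl
@load base/frameworks/notice

module HeartbeatWatch;

export {
	redef enum Notice::Type += {
		## A heartbeat's payload_length field disagrees with the bytes present.
		Payload_Length_Mismatch
	};
}

event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type: count,
                    payload_length: count, payload: string)
	{
	# |payload| is what was really on the wire; payload_length is what the
	# sender claimed. A well-formed heartbeat has the two equal.
	local actual = |payload|;
	local who = is_orig ? "client" : "server";
	local kind = heartbeat_type == 1 ? "request" :
	             (heartbeat_type == 2 ? "response" : fmt("type %d", heartbeat_type));

	if ( payload_length != actual )
		NOTICE([$note=Payload_Length_Mismatch, $conn=c,
		        $msg=fmt("%s heartbeat %s claims %d payload bytes but carries %d (record length %d)",
		                 who, kind, payload_length, actual, length),
		        # Suppress per peer pair and direction rather than per record.
		        $identifier=cat(c$id$orig_h, c$id$resp_h, is_orig)]);
	}
```

Since the event is only generated for heartbeats sent before encryption starts, this check covers the handshake phase only; heartbeats inside the encrypted session are not visible to it.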

ssl_plaintext_data
Type

event (c: connection, is_orig: bool, record_version: count, content_type: count, length: count)

Generated for SSL/TLS messages that are sent before full session encryption starts. Note that “full encryption” is a bit fuzzy, especially for TLSv1.3; here this event will be raised for early packets that are already using pre-encryption. This event is also used by Zeek internally to determine if the connection has been completely set up. This is necessary as TLS 1.3 does not have CCS anymore.

C

The connection.

Is_orig

True if event is raised for originator side of the connection.

Record_version

TLS version given in the record layer of the message. Set to 0 for SSLv2.

Content_type

message type as reported by TLS session layer. Not populated for SSLv2.

Length

length of the entire message.

See also:

ssl_encrypted_data
Type

event (c: connection, is_orig: bool, record_version: count, content_type: count, length: count)

Generated for SSL/TLS messages that are sent after session encryption started.

Note that SSL::disable_analyzer_after_detection has to be changed from its default to false for this event to be generated.

C

The connection.

Is_orig

True if event is raised for originator side of the connection.

Record_version

TLS version given in the record layer of the message. Set to 0 for SSLv2.

Content_type

message type as reported by TLS session layer. Not populated for SSLv2.

Length

length of the entire message.

See also:

ssl_probable_encrypted_handshake_message
Type

event (c: connection, is_orig: bool, length: count)

This event is generated for application data records of TLS 1.3 connections of which we suspect that they contain handshake messages.

In TLS 1.3, large parts of the handshake are encrypted; the only cleartext packets typically exchanged are the client hello and the server hello. The first few packets after the client and server hello, however, are a continuation of the handshake and still include handshake data.

This event is raised for these packets of which we suspect that they are handshake records, including the finished record.

The heuristic for this is: all application data records after the server hello are handshake records until at least one application data record has been received from both the server and the client. Typically, the server will send more records before the client sends the first application data record; and the first application data record of the client will typically include the finished message.

Given the encrypted nature of the protocol, in some cases this determination is not correct; the client can send more handshake packets before the finished message, e.g., when client certificates are used.

Note that ssl_encrypted_data is also raised for these messages.

C

The connection.

Is_orig

True if event is raised for originator side of the connection.

Length

length of the entire message.

See also:

ssl_stapled_ocsp
Type

event (c: connection, is_orig: bool, response: string)

This event contains the OCSP response contained in a Certificate Status Request message, when the client requested OCSP stapling and the server supports it. See description in RFC 6066.

C

The connection.

Is_orig

True if event is raised for originator side of the connection.

Response

OCSP data.

ssl_handshake_message
Type

event (c: connection, is_orig: bool, msg_type: count, length: count)

This event is raised for each unencrypted SSL/TLS handshake message.

C

The connection.

Is_orig

True if event is raised for originator side of the connection.

Msg_type

Type of the handshake message that was seen.

Length

Length of the handshake message that was seen.

See also:

ssl_change_cipher_spec
Type

event (c: connection, is_orig: bool)

This event is raised when a SSL/TLS ChangeCipherSpec message is encountered before encryption begins. Traffic will be encrypted following this message.

C

The connection.

Is_orig

True if event is raised for originator side of the connection.

See also:

Functions
set_ssl_established
Type

function (c: connection) : bool

Sets if the SSL analyzer should consider the connection established (handshake finished successfully).

C

The SSL connection.

Returns

T on success, F on failure.

set_secret
Type

function (c: connection, secret: string) : bool

Set the secret that should be used to derive keys for the connection. (For TLS 1.2 this is the pre-master secret).

C

The affected connection

Secret

secret to set

Returns

T on success, F on failure.

set_keys
Type

function (c: connection, keys: string) : bool

Set the decryption keys that should be used to decrypt TLS application data in the connection.

C

The affected connection

Keys

The key buffer as derived via TLS PRF.

Returns

T on success, F on failure.

Zeek::Syslog

Syslog analyzer UDP-only

Components

Analyzer::ANALYZER_SYSLOG

Events
syslog_message
Type

event (c: connection, facility: count, severity: count, msg: string)

Generated for monitored Syslog messages.

See Wikipedia for more information about the Syslog protocol.

C

The connection record for the underlying transport-layer session/flow.

Facility

The “facility” included in the message.

Severity

The “severity” included in the message.

Msg

The message logged.

Note

Zeek currently parses only UDP syslog traffic. Support for TCP syslog will be added soon.

Zeek::TCP

TCP analyzer

Components

Analyzer::ANALYZER_CONTENTLINE

Analyzer::ANALYZER_CONTENTS

Analyzer::ANALYZER_TCPSTATS

Types
TCP::Option
Type

record

kind: count

The kind number associated with the option. Other optional fields of this record may be set depending on this value.

length: count

The total length of the option in bytes, including the kind byte and length byte (if present).

data: string &optional

This field is set to the raw option bytes if the kind is not otherwise known/parsed. It’s also set for known kinds whose length was invalid.

mss: count &optional

Kind 2: Maximum Segment Size.

window_scale: count &optional

Kind 3: Window scale.

sack: index_vec &optional

Kind 5: Selective ACKnowledgement (SACK). This is a list of 2, 4, 6, or 8 numbers with each consecutive pair being a 32-bit begin-pointer and 32-bit end pointer.

send_timestamp: count &optional

Kind 8: 4-byte sender timestamp value.

echo_timestamp: count &optional

Kind 8: 4-byte echo reply timestamp value.

A TCP Option field parsed from a TCP header.

TCP::OptionList
Type

vector of TCP::Option

The full list of TCP Option fields parsed from a TCP header.

Events
new_connection_contents
Type

event (c: connection)

Generated when reassembly starts for a TCP connection. This event is raised at the moment when Zeek’s TCP analyzer enables stream reassembly for a connection.

C

The connection.

See also:

connection_attempt
Type

event (c: connection)

Generated for an unsuccessful connection attempt. This event is raised when an originator unsuccessfully attempted to establish a connection. “Unsuccessful” is defined as at least tcp_attempt_delay seconds having elapsed since the originator first sent a connection establishment packet to the destination without seeing a reply.

C

The connection.

See also:

connection_established
Type

event (c: connection)

Generated when seeing a SYN-ACK packet from the responder in a TCP handshake. If the originator's state is not TCP_ESTABLISHED, no associated SYN packet was seen from the originator side. The final ACK of the handshake in response to the SYN-ACK may or may not occur later; one way to tell is to check the connection's history field for an ACK sent by the originator, indicated by 'A' in the history string.

C

The connection.

See also:

partial_connection
Type

event (c: connection)

Generated for a new active TCP connection if Zeek did not see the initial handshake. This event is raised when Zeek has observed traffic from each endpoint, but the activity did not begin with the usual connection establishment.

C

The connection.

See also:

connection_partial_close
Type

event (c: connection)

Generated when a previously inactive endpoint attempts to close a TCP connection via a normal FIN handshake or an abort RST sequence. When the endpoint sent one of these packets, Zeek waits tcp_partial_close_delay prior to generating the event, to give the other endpoint a chance to close the connection normally.

C

The connection.

See also:

connection_finished
Type

event (c: connection)

Generated for a TCP connection that finished normally. The event is raised when a regular FIN handshake from both endpoints was observed.

C

The connection.

See also:

connection_half_finished
Type

event (c: connection)

Generated when one endpoint of a TCP connection attempted to gracefully close the connection, but the other endpoint is in the TCP_INACTIVE state. This can happen due to split routing, in which Zeek only sees one side of a connection.

C

The connection.

See also:

connection_rejected
Type

event (c: connection)

Generated for a rejected TCP connection. This event is raised when an originator attempted to set up a TCP connection but the responder replied with a RST packet denying it.

C

The connection.

See also:

Note

If the responder does not respond at all, connection_attempt is raised instead. If the responder initially accepts the connection but aborts it later, Zeek first generates connection_established and then connection_reset.
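The connection_attempt, connection_rejected, connection_established and connection_reset events above together describe how each TCP handshake ended. As an added example that is not part of Zeek's own scripts, the following script keeps a per-originator tally of those outcomes and raises a notice once one host has accumulated many unanswered or rejected handshakes; the threshold, window, module and notice names are our own choices, and the originator-state check follows the connection_established description (an originator whose state is not TCP_ESTABLISHED had no SYN observed).

```zeek
# Added example, not part of Zeek's base scripts.
@load base/frameworks/notice

module HandshakeAudit;

export {
	redef enum Notice::Type += {
		## One originator accumulated many unanswered or rejected handshakes.
		Many_Failed_Handshakes,
	};

	## Unanswered plus rejected attempts per originator before a notice fires.
	const failure_threshold = 20 &redef;
	## Tallies expire this long after the first event for an originator.
	const window = 5min &redef;

	type Tally: record {
		unanswered:  count &default=0;  # connection_attempt: no reply within tcp_attempt_delay
		rejected:    count &default=0;  # connection_rejected: responder answered with a RST
		established: count &default=0;  # connection_established: SYN-ACK seen
		syn_unseen:  count &default=0;  # established, but Zeek never saw the originator's SYN
		reset:       count &default=0;  # connection_reset after establishment
	};
}

global tallies: table[addr] of Tally &create_expire=window;

function tally_for(orig: addr): Tally
	{
	if ( orig !in tallies )
		tallies[orig] = Tally();

	# Records are reference types, so callers update the table entry in place.
	return tallies[orig];
	}

function check(c: connection, t: Tally)
	{
	# Fire exactly when the threshold is reached; suppress_for handles repeats.
	if ( t$unanswered + t$rejected != failure_threshold )
		return;

	NOTICE([$note=Many_Failed_Handshakes, $conn=c, $src=c$id$orig_h,
	        $msg=fmt("%s: %d unanswered and %d rejected TCP handshakes within %s",
	                 c$id$orig_h, t$unanswered, t$rejected, window),
	        $identifier=cat(c$id$orig_h), $suppress_for=window]);
	}

event connection_attempt(c: connection)
	{
	local t = tally_for(c$id$orig_h);
	++t$unanswered;
	check(c, t);
	}

event connection_rejected(c: connection)
	{
	local t = tally_for(c$id$orig_h);
	++t$rejected;
	check(c, t);
	}

event connection_established(c: connection)
	{
	local t = tally_for(c$id$orig_h);
	++t$established;

	# Originator state other than TCP_ESTABLISHED means its SYN was not seen,
	# e.g. because of asymmetric routing where only one direction is captured.
	if ( c$orig$state != TCP_ESTABLISHED )
		++t$syn_unseen;
	}

event connection_reset(c: connection)
	{
	local t = tally_for(c$id$orig_h);
	++t$reset;
	}
```

The established and reset counters are kept alongside the failures so that a host with many failures but also many successful sessions (a busy client behind NAT, a monitoring system) can be told apart from one that only probes; the notice itself only counts the two failure outcomes, which is what the connection_attempt and connection_rejected notes above distinguish from an established-then-aborted session.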

connection_reset
Type

event (c: connection)

Generated when an endpoint aborted a TCP connection. The event is raised when one endpoint of an established TCP connection aborted the connection by sending a RST packet.

C

The connection.

See also:

connection_pending
Type

event (c: connection)

Generated for each still-open TCP connection when Zeek terminates.

C

The connection.

See also:

connection_SYN_packet
Type

event (c: connection, pkt: SYN_packet)

Generated for a SYN packet. Zeek raises this event for every SYN packet seen by its TCP analyzer.

C

The connection.

Pkt

Information extracted from the SYN packet.

See also:

Note

This event has quite low-level semantics and can potentially be expensive to generate. It should only be used if one really needs the specific information passed into the handler via the pkt argument. If not, handling one of the other connection_* events is typically the better approach.

connection_first_ACK
Type

event (c: connection)

Generated for the first ACK packet seen for a TCP connection from its originator.

C

The connection.

See also:

Note

This event has quite low-level semantics and should be used only rarely.

connection_EOF
Type

event (c: connection, is_orig: bool)

Generated at the end of reassembled TCP connections. The TCP reassembler raises the event once for each endpoint of a connection when it has finished reassembling the corresponding side of the communication.

C

The connection.

Is_orig

True if the event is raised for the originator side.

See also:

tcp_packet
Type

event (c: connection, is_orig: bool, flags: string, seq: count, ack: count, len: count, payload: string)

Generated for every TCP packet. This is a very low-level and expensive event that should be avoided when at all possible. It’s usually infeasible to handle when processing even medium volumes of traffic in real-time. It’s slightly better than new_packet because it affects only TCP, but not much. That said, if you work from a trace and want to do some packet-level analysis, it may come in handy.

C

The connection the packet is part of.

Is_orig

True if the packet was sent by the connection’s originator.

Flags

A string with the packet’s TCP flags. In the string, each character corresponds to one set flag, as follows: S -> SYN; F -> FIN; R -> RST; A -> ACK; P -> PUSH; U -> URGENT.

Seq

The packet’s relative TCP sequence number.

Ack

If the ACK flag is set for the packet, the packet’s relative ACK number, else zero.

Len

The length of the TCP payload, as specified in the packet header.

Payload

The raw TCP payload. Note that this may be shorter than len if the packet was not fully captured.

See also:

tcp_option
Type

event (c: connection, is_orig: bool, opt: count, optlen: count)

Generated for each option found in a TCP header. Like many of the tcp_* events, this is a very low-level event and potentially expensive as it may be raised very often.

C

The connection the packet is part of.

Is_orig

True if the packet was sent by the connection’s originator.

Opt

The numerical option number, as found in the TCP header.

Optlen

The length of the option's value.

See also:

Note

To inspect the actual option values, if any, use tcp_options.

tcp_options
Type

event (c: connection, is_orig: bool, options: TCP::OptionList)

Generated for each TCP header that contains TCP options. This is a very low-level event and potentially expensive as it may be raised very often.

C

The connection the packet is part of.

Is_orig

True if the packet was sent by the connection’s originator.

Options

The list of options parsed out of the TCP header.

See also:
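The TCP::Option record and the tcp_options event above give a script the parsed option list of every option-bearing segment. As an added example that is not part of Zeek's own scripts, the following script summarizes what each endpoint advertises (MSS, window scale, SACK blocks, timestamps, unparsed kinds) and raises a notice when a known option kind arrives with an invalid length, which per the record description is the one case where a known kind has only its raw data field set. The module, notice type, helper names and the one-minute tracking window are our own.

```zeek
# Added example, not part of Zeek's base scripts.
@load base/frameworks/notice

module TcpOptionAudit;

export {
	redef enum Notice::Type += {
		## A known option kind carried an invalid length, so Zeek left only
		## the raw bytes in the record's data field.
		Malformed_Option,
	};

	## What one endpoint advertised in its TCP options.
	type Summary: record {
		mss:           count &optional;
		window_scale:  count &optional;
		sack_blocks:   count &default=0;
		timestamps:    bool  &default=F;
		unknown_kinds: set[count];
	};
}

## Kinds the analyzer parses into dedicated fields (see TCP::Option above).
const parsed_kinds: set[count] = { 2, 3, 5, 8 };

## Only the first option-bearing segment of each side is summarized.
global summarized: set[conn_id, bool] &create_expire=1min;

function summarize(options: TCP::OptionList): Summary
	{
	local s = Summary($unknown_kinds=set());

	for ( i in options )
		{
		local o = options[i];

		if ( o?$mss )
			s$mss = o$mss;
		else if ( o?$window_scale )
			s$window_scale = o$window_scale;
		else if ( o?$sack )
			s$sack_blocks = |o$sack| / 2;  # begin/end pointer pairs
		else if ( o?$send_timestamp )
			s$timestamps = T;
		else if ( o?$data && o$kind !in parsed_kinds && o$kind > 1 )
			add s$unknown_kinds[o$kind];   # 0 (EOL) and 1 (NOP) carry no value
		}

	return s;
	}

function describe(s: Summary): string
	{
	return fmt("mss=%s wscale=%s sack_blocks=%d timestamps=%s unknown_kinds=%s",
	           s?$mss ? cat(s$mss) : "-",
	           s?$window_scale ? cat(s$window_scale) : "-",
	           s$sack_blocks, s$timestamps, s$unknown_kinds);
	}

event tcp_options(c: connection, is_orig: bool, options: TCP::OptionList)
	{
	for ( i in options )
		{
		local o = options[i];

		# data is set only for unknown kinds or for known kinds with a bad length.
		if ( o?$data && o$kind in parsed_kinds )
			NOTICE([$note=Malformed_Option, $conn=c,
			        $msg=fmt("TCP option kind %d with invalid length %d sent by %s",
			                 o$kind, o$length, is_orig ? "originator" : "responder"),
			        $identifier=cat(c$uid, o$kind)]);
		}

	if ( [c$id, is_orig] in summarized )
		return;

	add summarized[c$id, is_orig];
	print fmt("%s %s: %s", c$uid, is_orig ? "orig" : "resp",
	          describe(summarize(options)));
	}
```

Because tcp_options fires for every segment that carries options (timestamps appear on most segments of a connection that negotiated them), the summary is printed only for the first such segment per side; the malformed-length check runs on every segment, since that is where a crafted or corrupted header would show up.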

tcp_contents
Type

event (c: connection, is_orig: bool, seq: count, contents: string)

Generated for each chunk of reassembled TCP payload. When content delivery is enabled for a TCP connection (via tcp_content_delivery_ports_orig, tcp_content_delivery_ports_resp, tcp_content_deliver_all_orig, tcp_content_deliver_all_resp), this event is raised for each chunk of in-order payload reconstructed from the packet stream. Note that this event is potentially expensive if many connections carry significant amounts of data as then all that data needs to be passed on to the scripting layer.

C

The connection the payload is part of.

Is_orig

True if the packet was sent by the connection’s originator.

Seq

The sequence number corresponding to the first byte of the payload chunk.

Contents

The raw payload, which will be non-empty.

See also:

Note

The payload received by this event is the same that is also passed into application-layer protocol analyzers internally. Subsequent invocations of this event for the same connection receive non-overlapping in-order chunks of its TCP payload stream. It is however undefined what size each chunk has; while Zeek passes the data on as soon as possible, specifics depend on network-level effects such as latency, acknowledgements, reordering, etc.

tcp_rexmit
Type

event (c: connection, is_orig: bool, seq: count, len: count, data_in_flight: count, window: count)

Generated for each detected TCP segment retransmission.

C

The connection the packet is part of.

Is_orig

True if the packet was sent by the connection’s originator.

Seq

The segment’s relative TCP sequence number.

Len

The length of the TCP segment, as specified in the packet header.

Data_in_flight

The number of bytes corresponding to the difference between the last sequence number and last acknowledgement number we’ve seen for a given endpoint.

Window

The TCP window size.

tcp_multiple_checksum_errors
Type

event (c: connection, is_orig: bool, threshold: count)

Generated if a TCP flow crosses a checksum-error threshold, per 'C'/'c' history reporting.

C

The connection record for the TCP connection.

Is_orig

True if the event is raised for the originator side.

Threshold

The threshold that was crossed.

See also:

tcp_multiple_zero_windows
Type

event (c: connection, is_orig: bool, threshold: count)

Generated if a TCP flow crosses a zero-window threshold, per 'W'/'w' history reporting.

C

The connection record for the TCP connection.

Is_orig

True if the event is raised for the originator side.

Threshold

The threshold that was crossed.

See also:

tcp_multiple_retransmissions
Type

event (c: connection, is_orig: bool, threshold: count)

Generated if a TCP flow crosses a retransmission threshold, per 'T'/'t' history reporting.

C

The connection record for the TCP connection.

Is_orig

True if the event is raised for the originator side.

Threshold

The threshold that was crossed.

See also:

tcp_multiple_gap
Type

event (c: connection, is_orig: bool, threshold: count)

Generated if a TCP flow crosses a gap threshold, per 'G'/'g' history reporting.

C

The connection record for the TCP connection.

Is_orig

True if the event is raised for the originator side.

Threshold

The threshold that was crossed.

See also:

contents_file_write_failure
Type

event (c: connection, is_orig: bool, msg: string)

Generated when failing to write contents of a TCP stream to a file.

C

The connection whose contents are being recorded.

Is_orig

Which side of the connection encountered a failure to write.

Msg

A reason or description for the failure.

See also:

Functions
get_orig_seq
Type

function (cid: conn_id) : count

Get the originator sequence number of a TCP connection. Sequence numbers are absolute (i.e., they reflect the values seen directly in packet headers; they are not relative to the beginning of the connection).

Cid

The connection ID.

Returns

The highest sequence number sent by a connection’s originator, or 0 if cid does not point to an active TCP connection.

See also:

get_resp_seq
Type

function (cid: conn_id) : count

Get the responder sequence number of a TCP connection. Sequence numbers are absolute (i.e., they reflect the values seen directly in packet headers; they are not relative to the beginning of the connection).

Cid

The connection ID.

Returns

The highest sequence number sent by a connection’s responder, or 0 if cid does not point to an active TCP connection.

See also:

set_contents_file
Type

function (cid: conn_id, direction: count, f: file) : bool

Associates a file handle with a connection for writing TCP byte stream contents.

Cid

The connection ID.

Direction

Controls what sides of the connection to record. The argument can take one of the four values:

  • CONTENTS_NONE: Stop recording the connection’s content.

  • CONTENTS_ORIG: Record the data sent by the connection originator (often the client).

  • CONTENTS_RESP: Record the data sent by the connection responder (often the server).

  • CONTENTS_BOTH: Record the data sent in both directions. Results in the two directions being intermixed in the file, in the order the data was seen by Zeek.

F

The file handle of the file to write the contents to.

Returns

Returns false if cid does not point to an active connection, and true otherwise.

Note

The data recorded to the file reflects the byte stream, not the contents of individual packets. Reordering and duplicates are removed. If any data is missing, the recording stops at the missing data; this can happen, e.g., due to a content_gap event.

See also:

get_contents_file
Type

function (cid: conn_id, direction: count) : file

Returns the file handle of the contents file of a connection.

Cid

The connection ID.

Direction

Controls what sides of the connection to record. See set_contents_file for possible values.

Returns

The file handle for the contents file of the connection identified by cid. If the connection exists but there is no contents file for direction, then the function generates an error and returns a file handle to stderr.

See also:
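The set_contents_file, get_contents_file and contents_file_write_failure entries above describe recording a connection's reassembled byte stream to a file. As an added example that is not part of Zeek's own scripts, the following script attaches one file per connection for a configurable set of responder ports when the handshake completes and reports write failures through the Reporter framework; the port set, output directory, file naming and function names are our own assumptions.

```zeek
# Added example, not part of Zeek's base scripts.
module StreamCapture;

export {
	## Responder ports whose reassembled byte streams are written to disk.
	const capture_ports: set[port] = { 21/tcp, 23/tcp } &redef;

	## Directory for the per-connection files; it must exist and be writable.
	const capture_dir = "/tmp/zeek-streams" &redef;
}

function stream_path(c: connection): string
	{
	return fmt("%s/%s_%s-%d_%s-%d.bin", capture_dir, c$uid,
	           c$id$orig_h, port_to_count(c$id$orig_p),
	           c$id$resp_h, port_to_count(c$id$resp_p));
	}

## Attaches a fresh file to the connection for the given direction
## (CONTENTS_ORIG, CONTENTS_RESP or CONTENTS_BOTH). Returns F if Zeek
## does not know the connection, in which case the file is closed again.
function start_capture(c: connection, direction: count): bool
	{
	local f = open(stream_path(c));

	if ( set_contents_file(c$id, direction, f) )
		return T;

	close(f);
	return F;
	}

event connection_established(c: connection)
	{
	if ( c$id$resp_p !in capture_ports )
		return;

	# CONTENTS_BOTH interleaves both sides in the order Zeek saw the data;
	# use CONTENTS_ORIG or CONTENTS_RESP to keep a single side per file.
	if ( ! start_capture(c, CONTENTS_BOTH) )
		Reporter::warning(fmt("could not attach a contents file to %s", c$uid));
	}

event contents_file_write_failure(c: connection, is_orig: bool, msg: string)
	{
	Reporter::warning(fmt("%s: stream write failed on the %s side: %s",
	                      c$uid, is_orig ? "originator" : "responder", msg));
	}
```

Two properties from the note above matter when reading the resulting files: they contain the reassembled stream with duplicates and reordering removed, and recording silently stops at the first gap, so a file that ends early is not evidence that the session ended there. Recording every connection on a busy port also writes the full payload volume to disk, so the port set should stay narrow.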

Zeek::XMPP

XMPP analyzer (StartTLS only)

Components

Analyzer::ANALYZER_XMPP

Events
xmpp_starttls
Type

event (c: connection)

Generated when an XMPP connection goes encrypted after a successful StartTLS exchange between the client and the server.

C

The connection.

Zeek::ZIP

Generic ZIP support analyzer

Components

Analyzer::ANALYZER_ZIP

File Analyzers

Files::Tag
Type

enum

Files::ANALYZER_DATA_EVENT
Files::ANALYZER_ENTROPY
Files::ANALYZER_EXTRACT
Files::ANALYZER_MD5
Files::ANALYZER_SHA1
Files::ANALYZER_SHA256
Files::ANALYZER_PE
Files::ANALYZER_UNIFIED2
Files::ANALYZER_OCSP_REPLY
Files::ANALYZER_OCSP_REQUEST
Files::ANALYZER_X509

Zeek::FileDataEvent

Delivers file content

Components

Files::ANALYZER_DATA_EVENT

Zeek::FileEntropy

Entropy test file content

Components

Files::ANALYZER_ENTROPY

Events
file_entropy
Type

event (f: fa_file, ent: entropy_test_result)

This event is generated each time file analysis performs entropy testing on a file.

F

The file.

Ent

The results of the entropy testing.

Zeek::FileExtract

Extract file content

Components

Files::ANALYZER_EXTRACT

Events
file_extraction_limit
Type

event (f: fa_file, args: Files::AnalyzerArgs, limit: count, len: count)

This event is generated when a file extraction analyzer is about to exceed the maximum permitted file size allowed by the extract_limit field of Files::AnalyzerArgs. The analyzer is automatically removed from file f.

F

The file.

Args

Arguments that identify a particular file extraction analyzer. This is only provided to be able to pass along to FileExtract::set_limit.

Limit

The limit, in bytes, the extracted file is about to breach.

Len

The length of the file chunk about to be written.

See also:

Functions
FileExtract::__set_limit
Type

function (file_id: string, args: any, n: count) : bool

FileExtract::set_limit.

Zeek::FileHash

Hash file content

Components

Files::ANALYZER_MD5

Files::ANALYZER_SHA1

Files::ANALYZER_SHA256

Events
file_hash
Type

event (f: fa_file, kind: string, hash: string)

This event is generated each time file analysis generates a digest of the file contents.

F

The file.

Kind

The type of digest algorithm.

Hash

The result of the hashing.

See also:
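The file_entropy, file_extraction_limit and file_hash events above are the hooks a script uses to react to file content as it streams past. As an added example that is not part of Zeek's own scripts, the following script attaches the SHA-256 and entropy analyzers, matches digests against a watch list, reports near-random content, and raises the extraction budget for selected MIME types from inside file_extraction_limit, where setting a higher limit keeps the extraction running. The watch-list entry is a constructed placeholder, and the module, notice types, MIME types and thresholds are our own; the script assumes the base hash scripts attach only MD5 and SHA-1 by default, which is why SHA-256 is added explicitly.

```zeek
# Added example, not part of Zeek's base scripts.
@load base/frameworks/notice
@load base/files/extract
@load base/files/hash

module FileWatch;

export {
	redef enum Notice::Type += {
		## The SHA-256 digest of a file matched the watch list.
		Watchlist_Hash_Match,
		## A file's bytes look close to random (packed or encrypted content).
		High_Entropy_File,
	};

	## Constructed placeholder digest; replace with real SHA-256 values.
	const watchlist: set[string] = {
		"0000000000000000000000000000000000000000000000000000000000000000",
	} &redef;

	## MIME types that get the entropy test attached.
	const entropy_types: set[string] = {
		"application/x-dosexec", "application/octet-stream",
	} &redef;

	## Shannon entropy per byte (maximum 8.0) above which a file is reported.
	const entropy_limit = 7.9 &redef;

	## Larger extraction budgets, in bytes, for selected MIME types.
	const extract_limit_override: table[string] of count = {
		["application/x-dosexec"] = 50 * 1024 * 1024,
	} &redef;
}

event file_new(f: fa_file)
	{
	# Assumption: the base hash scripts attach MD5 and SHA-1 only.
	Files::add_analyzer(f, Files::ANALYZER_SHA256);
	}

event file_sniff(f: fa_file, meta: fa_metadata)
	{
	if ( meta?$mime_type && meta$mime_type in entropy_types )
		Files::add_analyzer(f, Files::ANALYZER_ENTROPY);
	}

event file_hash(f: fa_file, kind: string, hash: string)
	{
	# kind names the digest algorithm: "md5", "sha1" or "sha256".
	if ( kind != "sha256" || hash !in watchlist )
		return;

	NOTICE([$note=Watchlist_Hash_Match, $f=f,
	        $msg=fmt("file %s sha256 %s is on the watch list", f$id, hash),
	        $identifier=hash]);
	}

event file_entropy(f: fa_file, ent: entropy_test_result)
	{
	if ( ent$entropy < entropy_limit )
		return;

	NOTICE([$note=High_Entropy_File, $f=f,
	        $msg=fmt("file %s has entropy %.3f bits/byte", f$id, ent$entropy),
	        $identifier=f$id]);
	}

event file_extraction_limit(f: fa_file, args: Files::AnalyzerArgs, limit: count, len: count)
	{
	if ( ! f$info?$mime_type || f$info$mime_type !in extract_limit_override )
		return;

	local new_limit = extract_limit_override[f$info$mime_type];

	# Raising the limit from within this handler lets the extractor continue;
	# once the larger budget is exhausted too, the analyzer is dropped as usual.
	if ( limit < new_limit )
		FileExtract::set_limit(f, args, new_limit);
	}
```

The entropy analyzer is attached per MIME type rather than globally because it costs a pass over every byte of every file; limiting it to executables and unidentified binaries keeps that cost where a packed or encrypted payload is most likely to matter.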

Zeek::PE

Portable Executable analyzer

Components

Files::ANALYZER_PE

Events
pe_dos_header
Type

event (f: fa_file, h: PE::DOSHeader)

A PE file DOS header was parsed. This is the top-level header and contains information like the size of the file, initial value of registers, etc.

F

The file.

H

The parsed DOS header information.

See also:

pe_dos_code
Type

event (f: fa_file, code: string)

A PE file DOS stub was parsed. The stub is a valid application that runs under MS-DOS, by default to inform the user that the program can’t be run in DOS mode.

F

The file.

Code

The DOS stub

See also:

pe_file_header
Type

event (f: fa_file, h: PE::FileHeader)

A PE file file header was parsed. This header contains information like the target machine, the timestamp when the file was created, the number of sections, and pointers to other parts of the file.

F

The file.

H

The parsed file header information.

See also:

pe_optional_header
Type

event (f: fa_file, h: PE::OptionalHeader)

A PE file optional header was parsed. This header is required for executable files, but not for object files. It contains information like OS requirements to execute the file, the original entry point address, and information needed to load the file into memory.

F

The file.

H

The parsed optional header information.

See also:

pe_section_header
Type

event (f: fa_file, h: PE::SectionHeader)

A PE file section header was parsed. This header contains information like the section name, size, address, and characteristics.

F

The file.

H

The parsed section header information.

See also:

Zeek::Unified2

Analyze Unified2 alert files.

Components

Files::ANALYZER_UNIFIED2

Types
Unified2::IDSEvent
Type

record

sensor_id: count

event_id: count

ts: time

signature_id: count

generator_id: count

signature_revision: count

classification_id: count

priority_id: count

src_ip: addr

dst_ip: addr

src_p: port

dst_p: port

impact_flag: count

impact: count

blocked: count

mpls_label: count &optional

Not available in “legacy” IDS events.

vlan_id: count &optional

Not available in “legacy” IDS events.

packet_action: count &optional

Only available in “legacy” IDS events.

Unified2::Packet
Type

record

sensor_id: count

event_id: count

event_second: count

packet_ts: time

link_type: count

data: string

Events
unified2_event
Type

event (f: fa_file, ev: Unified2::IDSEvent)

Abstract all of the various Unified2 event formats into a single event.

F

The file.

Ev

The parsed Unified2 IDS event record.

unified2_packet
Type

event (f: fa_file, pkt: Unified2::Packet)

The Unified2 packet format event.

F

The file.

Pkt

The parsed Unified2 packet record.

Zeek::X509

X509 and OCSP analyzer

Components

Files::ANALYZER_OCSP_REPLY

Files::ANALYZER_OCSP_REQUEST

Files::ANALYZER_X509

Types
X509::Certificate
Type

record

version: count &log

Version number.

serial: string &log

Serial number.

subject: string &log

Subject.

issuer: string &log

Issuer.

cn: string &optional

Last (most specific) common name.

not_valid_before: time &log

Timestamp before which the certificate is not valid.

not_valid_after: time &log

Timestamp after which the certificate is not valid.

key_alg: string &log

Name of the key algorithm

sig_alg: string &log

Name of the signature algorithm

key_type: string &optional &log

Key type, if key parseable by openssl (either rsa, dsa or ec)

key_length: count &optional &log

Key length in bits

exponent: string &optional &log

Exponent, if RSA-certificate

curve: string &optional &log

Curve, if EC-certificate

X509::Extension
Type

record

name: string

Long name of the extension; the OID if the name is not known.

short_name: string &optional

Short name of extension if known

oid: string

Oid of extension

critical: bool

True if extension is critical

value: string

Extension content parsed to string for known extensions. Raw data otherwise.

X509::BasicConstraints
Type

record

ca: bool &log

CA flag set?

path_len: count &optional &log

Maximum path length

Attributes

&log

X509::SubjectAlternativeName
Type

record

dns: string_vec &optional &log

List of DNS entries in SAN

uri: string_vec &optional &log

List of URI entries in SAN

email: string_vec &optional &log

List of email entries in SAN

ip: addr_vec &optional &log

List of IP entries in SAN

other_fields: bool

True if the certificate contained other, not recognized or parsed name fields

X509::Result
Type

record

result: int

OpenSSL result code

result_string: string

Result as string

chain_certs: vector of opaque of x509 &optional

References to the final certificate chain, if verification was successful. The end-host certificate is first.

Result of an X509 certificate chain verification

Events
x509_certificate
Type

event (f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate)

Generated for encountered X509 certificates, e.g., in the cleartext part of an SSL/TLS connection handshake.

See Wikipedia for more information about the X.509 format.

F

The file.

Cert_ref

An opaque pointer to the underlying OpenSSL data structure of the certificate.

Cert

The parsed certificate information.

See also:
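The X509::Certificate record above carries the parsed key and signature parameters and the validity window of every certificate the x509_certificate event delivers. As an added example that is not part of Zeek's own scripts, the following script inspects those fields and raises one notice listing every problem found: a short RSA key, an MD5 or SHA-1 signature, or a validity period longer than a configured maximum. The module, notice type, thresholds and helper names are our own; the check on sig_alg assumes the field holds OpenSSL's long algorithm name (for example "sha1WithRSAEncryption").

```zeek
# Added example, not part of Zeek's base scripts.
@load base/frameworks/notice

module CertAudit;

export {
	redef enum Notice::Type += {
		## A certificate failed one or more of the checks below.
		Suspicious_Certificate,
	};

	## Minimum RSA modulus size in bits.
	const min_rsa_bits = 2048 &redef;

	## Longest acceptable validity period.
	const max_validity = 398days &redef;
}

## Returns one short reason per problem found; an empty vector means none.
function problems(cert: X509::Certificate): string_vec
	{
	local found: string_vec = vector();

	# key_type and key_length are only set when OpenSSL could parse the key.
	if ( cert?$key_type && cert$key_type == "rsa" &&
	     cert?$key_length && cert$key_length < min_rsa_bits )
		found[|found|] = fmt("rsa key of %d bits", cert$key_length);

	# Assumption: sig_alg is OpenSSL's long name, e.g. "sha1WithRSAEncryption".
	if ( /md5|sha1/ in to_lower(cert$sig_alg) )
		found[|found|] = fmt("signature algorithm %s", cert$sig_alg);

	local validity = cert$not_valid_after - cert$not_valid_before;
	if ( validity > max_validity )
		found[|found|] = fmt("valid for %s", validity);

	return found;
	}

event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate)
	{
	local found = problems(cert);

	if ( |found| == 0 )
		return;

	# Issuer plus serial identifies a certificate, so repeats are suppressed
	# per certificate rather than per connection.
	NOTICE([$note=Suspicious_Certificate, $f=f,
	        $msg=fmt("certificate %s (issuer %s)", cert$subject, cert$issuer),
	        $sub=join_string_vec(found, "; "),
	        $identifier=cat(cert$issuer, cert$serial), $suppress_for=1day]);
	}
```

x509_certificate fires for every certificate in a chain, intermediates and roots included, so a long-lived root will trip the validity check; filtering on the basic constraints extension (x509_ext_basic_constraints, below) or on the position in the chain is the usual refinement.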

x509_extension
Type

event (f: fa_file, ext: X509::Extension)

Generated for X509 extensions seen in a certificate.

See Wikipedia for more information about the X.509 format.

F

The file.

Ext

The parsed extension.

See also:

x509_ext_basic_constraints
Type

event (f: fa_file, ext: X509::BasicConstraints)

Generated for the X509 basic constraints extension seen in a certificate. This extension can be used to identify the subject of a certificate as a CA.

F

The file.

Ext

The parsed basic constraints extension.

See also:

x509_ext_subject_alternative_name
Type

event (f: fa_file, ext: X509::SubjectAlternativeName)

Generated for the X509 subject alternative name extension seen in a certificate. This extension can be used to allow additional entities to be bound to the subject of the certificate. Usually it is used to specify one or multiple DNS names for which a certificate is valid.

F

The file.

Ext

The parsed subject alternative name extension.

See also:

x509_ocsp_ext_signed_certificate_timestamp
Type

event (f: fa_file, version: count, logid: string, timestamp: count, hash_algorithm: count, signature_algorithm: count, signature: string)

Generated for the signed_certificate_timestamp X509 extension as defined in RFC 6962. The extension is used to transmit signed proofs that are used for Certificate Transparency. Raised when the extension is encountered in an X.509 certificate or in an OCSP reply.

F

The file.

Version

The version of the protocol to which the SCT conforms. Should always be 0 (representing version 1).

Logid

32 bit key id

Timestamp

The NTP time when the entry was logged, measured since the epoch, ignoring leap seconds, in milliseconds.

Hash_algorithm, Signature_algorithm

Hash and signature algorithm used for the digitally_signed struct.

Signature

signature part of the digitally_signed struct

See also:

ocsp_request
Type

event (f: fa_file, version: count)

Event that is raised when encountering an OCSP request, e.g. in an HTTP connection. See RFC 6960 for more details.

This event is raised exactly once for each OCSP Request.

F

The file.

Version

The version of the OCSP request. Typically 0 (version 1).

See also:

ocsp_request_certificate
Type

event (f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string)

Event that is raised when encountering an OCSP request for a certificate, e.g. in an HTTP connection. See RFC 6960 for more details.

Note that a single OCSP request can contain requests for several certificates. Thus this event can fire several times for one OCSP request, each time requesting information for a different (or in theory even the same) certificate.

F

The file.

HashAlgorithm

The hash algorithm used for issuerNameHash and issuerKeyHash.

IssuerNameHash

Hash of the issuer's distinguished name.

IssuerKeyHash

Hash of the issuer's public key.

SerialNumber

Serial number of the certificate for which the status is requested.

See also:

ocsp_response_status
Type

event (f: fa_file, status: string)

This event is raised when encountering an OCSP reply, e.g. in an HTTP connection or a TLS extension. See RFC 6960 for more details.

This event is raised exactly once for each OCSP reply.

F

The file.

Status

The status of the OCSP response (e.g. successful, malformedRequest, tryLater).

See also:

ocsp_response_bytes
Type

event (f: fa_file, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)

This event is raised when encountering an OCSP response that contains response information. An OCSP reply can be encountered, for example, in an HTTP connection or a TLS extension. See RFC 6960 for more details on OCSP.

F

The file.

Status

The status of the OCSP response (e.g. successful, malformedRequest, tryLater).

Version

Version of the OCSP response (typically - for version 1).

ResponderId

The id of the OCSP responder; either a public key hash or a distinguished name.

ProducedAt

Time at which the reply was produced.

SignatureAlgorithm

Algorithm used for the OCSP signature.

Certs

Optional list of certificates that are sent with the OCSP response; these typically are needed to perform validation of the reply.

See also:

ocsp_response_certificate
Type

event (f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revokeTime: time, revokeReason: string, thisUpdate: time, nextUpdate: time)

This event is raised for each SingleResponse contained in an OCSP response. See RFC 6960 for more details on OCSP.

F

The file.

HashAlgorithm

The hash algorithm used for issuerNameHash and issuerKeyHash.

IssuerNameHash

Hash of the issuer’s distinguished name.

IssuerKeyHash

Hash of the issuer’s public key.

SerialNumber

Serial number of the affected certificate.

CertStatus

Status of the certificate.

RevokeTime

Time the certificate was revoked, 0 if not revoked.

RevokeReason

Reason certificate was revoked; empty string if not revoked or not specified.

ThisUpdate

Time this response was generated.

NextUpdate

Time the next response will be ready; 0 if not supplied.

See also:
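The ocsp_response_certificate event above delivers one SingleResponse at a time, including the certificate status and the thisUpdate/nextUpdate window. As an added example that is not part of Zeek's own scripts, the following script raises a notice when a responder reports a certificate as revoked and another when a response is served past its nextUpdate, which is the staleness condition a client should reject. The module, notice types and helper are our own; the script assumes certStatus carries OpenSSL's status names ("good", "revoked", "unknown") and uses the documented convention that nextUpdate is 0 when the responder did not supply it.

```zeek
# Added example, not part of Zeek's base scripts.
@load base/frameworks/notice

module OcspAudit;

export {
	redef enum Notice::Type += {
		## An OCSP responder reported the certificate as revoked.
		Revoked_Certificate,
		## The response's nextUpdate lies in the past.
		Stale_OCSP_Response,
	};
}

## nextUpdate is 0 when the responder did not supply it, so only a
## non-zero value that is already behind the current network time is stale.
function is_stale(next_update: time, now: time): bool
	{
	return time_to_double(next_update) != 0.0 && next_update < now;
	}

function when(t: time): string
	{
	return strftime("%Y-%m-%d %H:%M:%S", t);
	}

event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string,
                                issuerKeyHash: string, serialNumber: string, certStatus: string,
                                revokeTime: time, revokeReason: string,
                                thisUpdate: time, nextUpdate: time)
	{
	# The hashes and serial arrive as raw bytes; render them for the notice.
	local serial = bytestring_to_hexstr(serialNumber);
	local issuer = bytestring_to_hexstr(issuerKeyHash);

	# Assumption: status strings follow OpenSSL ("good", "revoked", "unknown").
	if ( certStatus == "revoked" )
		NOTICE([$note=Revoked_Certificate, $f=f,
		        $msg=fmt("serial %s revoked at %s (%s); issuer key hash %s",
		                 serial, when(revokeTime),
		                 revokeReason == "" ? "no reason given" : revokeReason,
		                 issuer),
		        $identifier=cat(issuer, serial)]);

	if ( is_stale(nextUpdate, network_time()) )
		NOTICE([$note=Stale_OCSP_Response, $f=f,
		        $msg=fmt("response for serial %s expired at %s (thisUpdate %s)",
		                 serial, when(nextUpdate), when(thisUpdate)),
		        $identifier=cat(issuer, serial)]);
	}
```

Keying the notice identifier on issuer key hash plus serial rather than on the file means the same revoked certificate seen in many TLS sessions (for example via stapled responses) produces one notice per suppression interval instead of one per connection.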

ocsp_extension
Type

event (f: fa_file, ext: X509::Extension, global_resp: bool)

This event is raised when an OCSP extension is encountered in an OCSP response. See RFC 6960 for more details on OCSP.

F

The file.

Ext

The parsed extension (same format as X.509 extensions).

Global_resp

T if extension encountered in the global response (in ResponseData), F when encountered in a SingleResponse.

See also:

Functions
x509_parse
Type

function (cert: opaque of x509) : X509::Certificate

Parses a certificate into an X509::Certificate structure.

Cert

The X509 certificate opaque handle.

Returns

An X509::Certificate structure.

See also:

x509_from_der
Type

function (der: string) : opaque of x509

Constructs an opaque of X509 from a DER-formatted string.

Note

This function is mostly meant for testing purposes.

See also:

x509_get_certificate_string
Type

function (cert: opaque of x509, pem: bool &default = F &optional) : string

Returns the string form of a certificate.

Cert

The X509 certificate opaque handle.

Pem

A boolean that specifies whether the certificate is returned in PEM form (true) or as the raw ASN.1-encoded binary (false).

Returns

X509 certificate as a string.

See also:

x509_ocsp_verify
Type

function (certs: x509_opaque_vector, ocsp_reply: string, root_certs: table_string_of_string, verify_time: time &default = 0.0 &optional) : X509::Result

Verifies an OCSP reply.

Certs

Specifies the certificate chain to use. Server certificate first.

Ocsp_reply

The OCSP reply to validate.

Root_certs

A list of root certificates to validate the certificate chain.

Verify_time

Time for the validity check of the certificates.

Returns

A record of type X509::Result containing the result code of the verify operation.

See also:

x509_verify
Type

function (certs: x509_opaque_vector, root_certs: table_string_of_string, verify_time: time &default = 0.0 &optional) : X509::Result

Verifies a certificate.

Certs

Specifies a certificate chain that is being used to validate the given certificate against the root store given in root_certs. The host certificate has to be at index 0.

Root_certs

A list of root certificates to validate the certificate chain.

Verify_time

Time for the validity check of the certificates.

Returns

A record of type X509::Result containing the result code of the verify operation. In case of success also returns the full certificate chain.

See also:

sct_verify
Type

function (cert: opaque of x509, logid: string, log_key: string, signature: string, timestamp: count, hash_algorithm: count, issuer_key_hash: string &default = "" &optional) : bool

Verifies a Signed Certificate Timestamp as used for Certificate Transparency. See RFC6962 for more details.

Cert

Certificate against which the SCT should be validated.

Logid

Log id of the SCT.

Log_key

Public key of the Log that issued the SCT proof.

Timestamp

Timestamp at which the proof was generated.

Hash_algorithm

Hash algorithm that was used for the SCT proof.

Issuer_key_hash

The SHA-256 hash of the certificate issuer’s public key. This only has to be provided if the SCT was encountered in an X.509 certificate extension; in that case, it is necessary for validation.

Returns

T if the validation could be performed successfully, F otherwise.

See also:

x509_subject_name_hash
Type

function (cert: opaque of x509, hash_alg: count) : string

Get the hash of the subject’s distinguished name.

Cert

The X509 certificate opaque handle.

Hash_alg

The hash algorithm to use, according to the IANA mapping at https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18

Returns

The hash as a string.

See also:

x509_issuer_name_hash
Type

function (cert: opaque of x509, hash_alg: count) : string

Get the hash of the issuer’s distinguished name.

Cert

The X509 certificate opaque handle.

Hash_alg

The hash algorithm to use, according to the IANA mapping at https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18

Returns

The hash as a string.

See also:

x509_spki_hash
Type

function (cert: opaque of x509, hash_alg: count) : string

Get the hash of the Subject Public Key Information of the certificate.

Cert

The X509 certificate opaque handle.

Hash_alg

The hash algorithm to use, according to the IANA mapping at https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18

Returns

The hash as a string.

See also:

x509_set_certificate_cache
Type

function (tbl: string_any_table) : bool

This function can be used to set up certificate caching. It has to be passed a table[string] which can contain any type.

After this is set up, for each certificate encountered, the X509 analyzer will check if the entry tbl[sha256 of certificate] is set. If this is the case, the X509 analyzer will skip all further processing, and instead just call the callback that is set with x509_set_certificate_cache_hit_callback.

Tbl

Table to use as the certificate cache.

Returns

Always returns true.

Note

The base scripts use this function to set up certificate caching. You should only change the cache table if you are sure you will not conflict with the base scripts.

See also:

x509_set_certificate_cache_hit_callback
Type

function (f: string_any_file_hook) : bool

This function sets up the callback that is called when an entry is matched against the table set by x509_set_certificate_cache.

F

The callback that will be called when encountering a certificate in the cache table.

Returns

Always returns true.

Note

The base scripts use this function to set up certificate caching. You should only change the callback function if you are sure you will not conflict with the base scripts.

See also:

x509_check_hostname
Type

function (hostname: string, certname: string) : bool

This function checks a hostname against the name given in a certificate subject/SAN, including our interpretation of RFC6128 wildcard expansions. This specifically means that wildcards are only allowed in the leftmost label, wildcards only span one label, the wildcard has to be the last character before the label-separator, but additional characters are allowed before it, and the wildcard has to be at least at the third level (so *.a.b).

Hostname

Hostname to test

Certname

Name given in the CN/SAN of a certificate; wildcards will be expanded

Returns

True if the hostname matches.

See also:

x509_check_cert_hostname
Type

function (cert_opaque: opaque of x509, hostname: string) : string

This function checks if a hostname matches one of the hostnames given in the certificate.

For our matching we adhere to RFC6128 for the labels (see x509_check_hostname). Furthermore, we adhere to RFC2818 and, if a SAN is present, check only the names given in the SAN, ignoring CNs in the Subject. If no SAN is present, we will use the last CN in the subject for our tests.

Cert

The X509 certificate opaque handle.

Hostname

Hostname to check

Returns

The empty string if the hostname does not match; the matched name (which can contain wildcards) if it does.

See also:
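The wildcard rules given for x509_check_hostname, and the SAN-before-last-CN selection given for x509_check_cert_hostname, modelled in Python as an added example. This is not Zeek's code: the real BIFs operate on an opaque of x509, whereas the model below takes the certificate's SAN DNS names and subject CNs as plain lists (a None SAN list stands for "no SAN extension present"). Case-folding and trailing-dot stripping are assumptions of the model, as is letting the wildcard absorb an empty remainder of the leftmost label; the sample names are constructed.

```python
"""Model of Zeek's documented hostname-matching rules (added example, not Zeek code).

check_hostname() follows the rules stated for x509_check_hostname;
check_cert_hostname() follows the SAN-then-last-CN selection stated for
x509_check_cert_hostname. The real BIF takes an opaque of x509; this model
takes the already-extracted names as lists (an assumption of the example).
"""

from typing import Optional, Sequence


def _normalize(name: str) -> str:
    # Assumption of this model: DNS names compare case-insensitively and a
    # trailing dot (absolute name) is not significant.
    return name.strip().lower().rstrip(".")


def check_hostname(hostname: str, certname: str) -> bool:
    """Return True if hostname matches certname, where certname may carry
    a wildcard subject to the documented restrictions:
      - wildcards are allowed only in the leftmost label;
      - a wildcard spans exactly one label;
      - '*' must be the last character of its label, but characters before
        it are allowed (so "w*.example.com" is fine, "*w.example.com" is not);
      - the wildcard must be at least at the third level (so "*.a.b").
    """
    host = _normalize(hostname)
    cert = _normalize(certname)
    if not host or not cert:
        return False

    if "*" not in cert:
        return host == cert  # plain name: exact (case-folded) match only

    cert_labels = cert.split(".")
    host_labels = host.split(".")

    # Only the leftmost label may contain a wildcard, and only one of them.
    if any("*" in label for label in cert_labels[1:]):
        return False
    first_cert = cert_labels[0]
    if first_cert.count("*") != 1 or not first_cert.endswith("*"):
        return False

    # Wildcard must be at least at the third level: "*.a.b" has three labels.
    if len(cert_labels) < 3:
        return False

    # The wildcard spans exactly one label, so the label counts must agree
    # and every label to the right of the wildcard must match exactly.
    if len(host_labels) != len(cert_labels) or host_labels[1:] != cert_labels[1:]:
        return False

    # Leftmost label: the literal prefix before '*' must match; the '*' then
    # absorbs whatever remains of that single host label (assumption: an
    # empty remainder is accepted).
    prefix = first_cert[:-1]
    return host_labels[0].startswith(prefix)


def check_cert_hostname(hostname: str,
                        san_dns_names: Optional[Sequence[str]],
                        subject_cns: Sequence[str]) -> str:
    """Return the certificate name that matched hostname, or "" if none did.

    Per the documented behaviour: if a SAN extension is present (modelled
    here as san_dns_names is not None), only its DNS names are checked and
    subject CNs are ignored; otherwise only the *last* CN in the subject is
    used.
    """
    if san_dns_names is not None:
        candidates = list(san_dns_names)
    else:
        candidates = list(subject_cns[-1:])  # last CN only, or nothing

    for name in candidates:
        if check_hostname(hostname, name):
            return name
    return ""


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real certificate.
    cases = [
        ("www.example.com", "*.example.com"),
        ("a.b.example.com", "*.example.com"),   # spans two labels: no match
        ("www.example.com", "w*.example.com"),  # prefix before '*' is fine
        ("www.example.com", "*w.example.com"),  # '*' not last char: no match
        ("example.com", "*.com"),               # below third level: no match
    ]
    for host, cert in cases:
        print(f"{host:18} vs {cert:18} -> {check_hostname(host, cert)}")
    # Last CN wins when no SAN is present: this yields "" because the
    # matching CN is not the last one.
    print(repr(check_cert_hostname("www.example.com", None,
                                   ["www.example.com", "other.example.com"])))
```

The last call in the demo is the case a practitioner most often trips over: a certificate without a SAN whose matching CN is not the last one does not match, because only the last CN is consulted.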

Zeek Package Index

Zeek has the following script packages (i.e. collections of related scripts in a common directory). If the package directory contains a __load__.zeek script, the whole directory can be loaded at once for convenience.

Packages/scripts in the base/ directory are all loaded by default, while those in policy/ provide functionality and customization options that users are better placed to decide for themselves whether to load.

base/packet-protocols

base/packet-protocols/root

base/packet-protocols/ip

base/packet-protocols/skip

base/packet-protocols/ethernet

base/packet-protocols/fddi

base/packet-protocols/ieee802_11

base/packet-protocols/ieee802_11_radio

base/packet-protocols/linux_sll

base/packet-protocols/nflog

base/packet-protocols/null

base/packet-protocols/ppp_serial

base/packet-protocols/pppoe

base/packet-protocols/vlan

base/packet-protocols/mpls

base/packet-protocols/vntag

base/packet-protocols/udp

base/packet-protocols/tcp

base/packet-protocols/icmp

base/packet-protocols/gre

base/packet-protocols/iptunnel

base/packet-protocols/ayiya

base/packet-protocols/geneve

base/packet-protocols/vxlan

base/packet-protocols/teredo

base/packet-protocols/gtpv1

base/frameworks/logging

The logging framework provides a flexible key-value based logging interface.

base/frameworks/logging/postprocessors

Support for postprocessors in the logging framework.

base/frameworks/broker

The Broker communication framework facilitates connecting to remote Zeek instances to share state and transfer events.

base/frameworks/supervisor

base/frameworks/input

The input framework provides a way to read previously stored data either as an event stream or into a Zeek table.

base/frameworks/analyzer

The analyzer framework allows dynamically enabling or disabling Zeek’s protocol analyzers, as well as managing the well-known ports which automatically activate a particular analyzer for new connections.

base/frameworks/files

The file analysis framework provides an interface for driving the analysis of files, possibly independent of any network protocol over which they’re transported.

base/frameworks/files/magic

base/bif

base/bif/plugins

base/frameworks/reporter

This framework is intended to create an output and filtering path for internally generated messages/warnings/errors.

base/frameworks/notice

The notice framework enables Zeek to “notice” things which are odd or potentially bad, leaving it to the local configuration to define which of them are actionable. This decoupling of detection and reporting allows Zeek to be customized to the different needs that sites have.

base/frameworks/cluster

The cluster framework provides for establishing and controlling a cluster of Zeek instances.

base/frameworks/control

The control framework provides the foundation for providing “commands” that can be taken remotely at runtime to modify a running Zeek instance or collect information from the running instance.

base/frameworks/dpd

The DPD (dynamic protocol detection) framework activates port-independent protocol detection and selectively disables analyzers if protocol violations occur.

base/frameworks/signatures

The signature framework provides for doing low-level pattern matching. While signatures are not Zeek’s preferred detection tool, they sometimes come in handy and are closer to what many people are familiar with from using other NIDS.

base/frameworks/packet-filter

The packet filter framework supports how Zeek sets its BPF capture filter.

base/frameworks/software

The software framework provides infrastructure for maintaining a table of software versions seen on the network. The version parsing itself is carried out by external protocol-specific scripts that feed into this framework.

base/frameworks/intel

The intelligence framework provides a way to store and query intelligence data (such as IP addresses or strings). Metadata can also be associated with the intelligence.

base/frameworks/config

The configuration framework provides a way to change the Zeek configuration in “option” values at run-time.

base/frameworks/sumstats

The summary statistics framework provides a way to summarize large streams of data into simple reduced measurements.

base/frameworks/sumstats/plugins

Plugins for the summary statistics framework.

base/frameworks/tunnels

The tunnels framework handles the tracking/logging of tunnels (e.g. Teredo, AYIYA, or IP-in-IP such as 6to4 where “IP” is either IPv4 or IPv6).

base/frameworks/openflow

The OpenFlow framework exposes the data structures and functions necessary to interface to OpenFlow capable hardware.

base/frameworks/openflow/plugins

Plugins for the OpenFlow framework.

base/frameworks/netcontrol

The NetControl framework provides a way for Zeek to interact with networking hardware and software, e.g. for dropping and shunting IP addresses/connections.

base/frameworks/netcontrol/plugins

Plugins for the NetControl framework.

base/protocols/conn

Support for connection (TCP, UDP, or ICMP) analysis.

base/protocols/dce-rpc

Support for DCE/RPC (Distributed Computing Environment/Remote Procedure Calls) protocol analysis.

base/protocols/dhcp

Support for Dynamic Host Configuration Protocol (DHCP) analysis.

base/protocols/dnp3

Support for Distributed Network Protocol (DNP3) analysis.

base/protocols/dns

Support for Domain Name System (DNS) protocol analysis.

base/protocols/ftp

Support for File Transfer Protocol (FTP) analysis.

base/protocols/ssl

Support for Secure Sockets Layer (SSL)/Transport Layer Security (TLS) protocol analysis.

base/files/x509

Support for X509 certificates with the file analysis framework. Also supports parsing OCSP requests and responses.

base/files/hash

Support for file hashes with the file analysis framework.

base/protocols/http

Support for Hypertext Transfer Protocol (HTTP) analysis.

base/protocols/imap

Support for the Internet Message Access Protocol (IMAP).

Note that currently the IMAP analyzer only supports analyzing IMAP sessions until they do or do not switch to TLS using StartTLS. Hence, we do not get mails from IMAP sessions, only X509 certificates.

base/protocols/irc

Support for Internet Relay Chat (IRC) protocol analysis.

base/protocols/krb

Support for Kerberos protocol analysis.

base/protocols/modbus

Support for Modbus protocol analysis.

base/protocols/mqtt

Definitions of constants used by the MQTT protocol.

base/protocols/mysql

Support for MySQL protocol analysis.

base/protocols/ntlm

Support for NT LAN Manager (NTLM) protocol analysis.

base/protocols/ntp

base/protocols/pop3

Support for POP3 (Post Office Protocol) protocol analysis.

base/protocols/radius

Support for RADIUS protocol analysis.

base/protocols/rdp

Support for Remote Desktop Protocol (RDP) analysis.

base/protocols/rfb

Support for Remote FrameBuffer analysis. This includes all VNC servers.

base/protocols/sip

Support for Session Initiation Protocol (SIP) analysis.

base/protocols/snmp

Support for Simple Network Management Protocol (SNMP) analysis.

base/protocols/smb

Support for SMB protocol analysis.

base/protocols/smtp

Support for Simple Mail Transfer Protocol (SMTP) analysis.

base/protocols/socks

Support for Socket Secure (SOCKS) protocol analysis.

base/protocols/ssh

Support for SSH protocol analysis.

base/protocols/syslog

Support for Syslog protocol analysis.

base/protocols/tunnels

Provides DPD signatures for tunneling protocols that otherwise wouldn’t be detected at all.

base/protocols/xmpp

Support for the Extensible Messaging and Presence Protocol (XMPP).

Note that currently the XMPP analyzer only supports analyzing XMPP sessions until they do or do not switch to TLS using StartTLS. Hence, we do not get actual chat information from XMPP sessions, only X509 certificates.

base/files/pe

Support for Portable Executable (PE) file analysis.

base/files/extract

Support for extracting files with the file analysis framework.

builtin-plugins

zeekygen

This package is loaded during the process which automatically generates reference documentation for all Zeek scripts (i.e. “Zeekygen”). Its only purpose is to provide an easy way to load all known Zeek scripts plus any extra scripts needed or used by the documentation process.

policy/frameworks/management/agent

policy/frameworks/management

policy/frameworks/management/controller

policy/frameworks/management/supervisor

policy/frameworks/intel/seen

Scripts that send data to the intelligence framework.

policy/frameworks/notice

policy/files/unified2

Support for Unified2 files in the file analysis framework.

policy/integration/barnyard2

Integration with Barnyard2.

policy/integration/collective-intel

The scripts in this module are for deeper integration with the Collective Intelligence Framework (CIF) since Zeek’s Intel framework doesn’t natively behave the same as CIF nor does it store and maintain the same data in all cases.

policy/misc/detect-traceroute

Detect hosts that are running traceroute.

policy/protocols/mqtt

Support for MQTT protocol analysis.

policy/tuning

Miscellaneous tuning parameters.

policy/tuning/defaults

Sets various defaults, and prints warning messages to stdout under certain conditions.

policy/frameworks/management/node

Zeek Script Index

base/init-bare.zeek

Namespaces

BinPAC, Cluster, DCE_RPC, DHCP, FTP, GLOBAL, JSON, KRB, MOUNT3, MQTT, NCP, NFS3, NTLM, NTP, PE, Pcap, RADIUS, RDP, Reporter, SMB, SMB1, SMB2, SNMP, SOCKS, SSH, SSL, TCP, Threading, Tunnel, Unified2, UnknownProtocol, Weird, X509

Imports

base/bif/CPP-load.bif.zeek, base/bif/const.bif.zeek, base/bif/event.bif.zeek, base/bif/option.bif.zeek, base/bif/packet_analysis.bif.zeek, base/bif/plugins/Zeek_KRB.types.bif.zeek, base/bif/plugins/Zeek_SNMP.types.bif.zeek, base/bif/reporter.bif.zeek, base/bif/stats.bif.zeek, base/bif/strings.bif.zeek, base/bif/supervisor.bif.zeek, base/bif/types.bif.zeek, base/bif/zeek.bif.zeek, base/frameworks/supervisor/api.zeek, base/packet-protocols

Summary
Runtime Options

MQTT::max_payload_size: count &redef

The maximum payload size to allocate for the purpose of payload information in mqtt_publish events (and the default MQTT logs generated from that).

Weird::sampling_duration: interval &redef

How long a weird of a given type is allowed to keep state/counters in memory.

Weird::sampling_global_list: set &redef

Rate-limits weird names in the table globally instead of per connection/flow.

Weird::sampling_rate: count &redef

The rate-limiting sampling rate.

Weird::sampling_threshold: count &redef

How many weirds of a given type to tolerate before sampling begins.

Weird::sampling_whitelist: set &redef

Prevents rate-limiting sampling of any weirds named in the table.

default_file_bof_buffer_size: count &redef

Default number of bytes that file analysis will buffer in order to use for MIME type matching.

default_file_timeout_interval: interval &redef

Default amount of time a file can be inactive before the file analysis gives up and discards any internal state related to the file.

ignore_checksums_nets: set &redef

Checksums are ignored for all packets with a src address within this set of networks.

udp_content_delivery_ports_use_resp: bool &redef

Whether ports given in udp_content_delivery_ports_orig and udp_content_delivery_ports_resp are in terms of the UDP packet’s destination port or the UDP connection’s “responder” port.

udp_content_ports: set &redef

Defines UDP ports (source or destination) for which the contents of either originator or responder streams should be delivered via udp_contents.

Redefinable Options

BinPAC::flowbuffer_capacity_max: count &redef

Maximum capacity, in bytes, that the BinPAC flowbuffer is allowed to grow to for use with incremental parsing of a given connection/analyzer.

BinPAC::flowbuffer_capacity_min: count &redef

The initial capacity, in bytes, that will be allocated to the BinPAC flowbuffer of a given connection/analyzer.

BinPAC::flowbuffer_contract_threshold: count &redef

The threshold, in bytes, at which the BinPAC flowbuffer of a given connection/analyzer will have its capacity contracted to BinPAC::flowbuffer_capacity_min after parsing a full unit.

DCE_RPC::max_cmd_reassembly: count &redef

The maximum number of simultaneous fragmented commands that the DCE_RPC analyzer will tolerate before it generates a weird and skips further input.

DCE_RPC::max_frag_data: count &redef

The maximum number of fragmented bytes that the DCE_RPC analyzer will tolerate on a command before the analyzer will generate a weird and skip further input.

KRB::keytab: string &redef

Kerberos keytab file name.

NCP::max_frame_size: count &redef

The maximum number of bytes to allocate when parsing NCP frames.

NFS3::return_data: bool &redef

If true, nfs_proc_read and nfs_proc_write events return the file data that has been read/written.

NFS3::return_data_first_only: bool &redef

If NFS3::return_data is true, whether to only return data if the read or write offset is 0, i.e., only return data for the beginning of the file.

NFS3::return_data_max: count &redef

If NFS3::return_data is true, how much data should be returned at most.

Pcap::bufsize: count &redef

Number of Mbytes to provide as buffer space when capturing from live interfaces.

Pcap::non_fd_timeout: interval &redef

Default timeout for packet sources without file descriptors.

Pcap::snaplen: count &redef

Number of bytes per packet to capture from live interfaces.

Reporter::errors_to_stderr: bool &redef

Tunable for sending reporter error messages to STDERR.

Reporter::info_to_stderr: bool &redef

Tunable for sending reporter info messages to STDERR.

Reporter::warnings_to_stderr: bool &redef

Tunable for sending reporter warning messages to STDERR.

SMB::pipe_filenames: set &redef

A set of file names used as named pipes over SMB.

SSL::dtls_max_reported_version_errors: count &redef

Maximum number of invalid version errors to report in one DTLS connection.

SSL::dtls_max_version_errors: count &redef

Number of non-DTLS frames that can occur in a DTLS connection before parsing of the connection is suspended.

Threading::heartbeat_interval: interval &redef

The heartbeat interval used by the threading framework.

Tunnel::delay_gtp_confirmation: bool &redef

With this set, the GTP analyzer waits until the most-recent upflow and downflow packets are a valid GTPv1 encapsulation before issuing analyzer_confirmation.

Tunnel::delay_teredo_confirmation: bool &redef

With this set, the Teredo analyzer waits until it sees both sides of a connection using a valid Teredo encapsulation before issuing an analyzer_confirmation.

Tunnel::enable_ayiya: bool &redef

Toggle whether to do IPv{4,6}-in-AYIYA decapsulation.

Tunnel::enable_gre: bool &redef

Toggle whether to do GRE decapsulation.

Tunnel::enable_gtpv1: bool &redef

Toggle whether to do GTPv1 decapsulation.

Tunnel::enable_ip: bool &redef

Toggle whether to do IPv{4,6}-in-IPv{4,6} decapsulation.

Tunnel::enable_teredo: bool &redef

Toggle whether to do IPv6-in-Teredo decapsulation.

Tunnel::ip_tunnel_timeout: interval &redef

How often to cleanup internal state for inactive IP tunnels (includes GRE tunnels).

Tunnel::max_changes_per_connection: count &redef

The number of tunnel_changed events that will be sent for a connection.

Tunnel::max_depth: count &redef

The maximum depth of a tunnel to decapsulate until giving up.

Tunnel::validate_vxlan_checksums: bool &redef

Whether to validate the checksum supplied in the outer UDP header of a VXLAN encapsulation.

UnknownProtocol::first_bytes_count: count &redef

The number of bytes to extract from the next header and log in the first bytes field.

UnknownProtocol::sampling_duration: interval &redef

How long an analyzer/protocol pair is allowed to keep state/counters in memory.

UnknownProtocol::sampling_rate: count &redef

The rate-limiting sampling rate.

UnknownProtocol::sampling_threshold: count &redef

How many reports for an analyzer/protocol pair will be allowed to raise events before becoming rate-limited.

bits_per_uid: count &redef

Number of bits in UIDs that are generated to identify connections and files.

check_for_unused_event_handlers: bool &redef

If true, warns about unused event handlers at startup.

cmd_line_bpf_filter: string &redef

BPF filter the user has set via the -f command line option.

detect_filtered_trace: bool &redef

Whether to attempt to automatically detect SYN/FIN/RST-filtered trace and not report missing segments for such connections.

digest_salt: string &redef

This salt value is used for several message digests in Zeek.

dns_session_timeout: interval &redef

Time to wait before timing out a DNS request.

dpd_buffer_size: count &redef

Size of per-connection buffer used for dynamic protocol detection.

dpd_ignore_ports: bool &redef

If true, don’t consider any ports for deciding which protocol analyzer to use.

dpd_late_match_stop: bool &redef

If true, stops signature matching after a late match.

dpd_match_only_beginning: bool &redef

If true, stops signature matching if dpd_buffer_size has been reached.

dpd_max_packets: count &redef

Maximum number of per-connection packets that will be buffered for dynamic protocol detection.

dpd_reassemble_first_packets: bool &redef

Reassemble the beginning of all TCP connections before doing signature matching.

exit_only_after_terminate: bool &redef

Flag to prevent Zeek from exiting automatically when input is exhausted.

expensive_profiling_multiple: count &redef

Multiples of profiling_interval at which (more expensive) memory profiling is done (0 disables).

frag_timeout: interval &redef

How long to hold onto fragments for possible reassembly.

global_hash_seed: string &redef

Seed for hashes computed internally for probabilistic data structures.

icmp_inactivity_timeout: interval &redef

If an ICMP flow is inactive, time it out after this interval.

ignore_checksums: bool &redef

If true, don’t verify checksums, and accept packets that give a length of zero in the IPv4 header.

ignore_keep_alive_rexmit: bool &redef

Ignore certain TCP retransmissions for conn_stats.

likely_server_ports: set &redef

Ports which the core considers being likely used by servers.

log_rotate_base_time: string &redef

Base time of log rotations in 24-hour time format (%H:%M), e.g.

max_analyzer_violations: count &redef

The maximum number of analyzer violations the core generates before suppressing them for a given analyzer instance.

max_find_all_string_length: int &redef

Maximum string length allowed for calls to the find_all and find_all_ordered BIFs.

max_timer_expires: count &redef

The maximum number of timers to expire after processing each new packet.

mmdb_dir: string &redef

The directory containing MaxMind DB (.mmdb) files to use for GeoIP support.

non_analyzed_lifetime: interval &redef

If a connection belongs to an application that we don’t analyze, time it out after this interval.

packet_filter_default: bool &redef

Default mode for Zeek’s user-space dynamic packet filter.

partial_connection_ok: bool &redef

If true, instantiate connection state when a partial connection (one missing its initial establishment negotiation) is seen.

peer_description: string &redef

Description transmitted to remote communication peers for identification.

pkt_profile_freq: double &redef

Frequency associated with packet profiling.

pkt_profile_mode: pkt_profile_modes &redef

Output mode for packet profiling information.

profiling_interval: interval &redef

Update interval for profiling (0 disables).

record_all_packets: bool &redef

If a trace file is given with -w, dump all packets seen by Zeek into it.

report_gaps_for_partial: bool &redef

Whether we want content_gap for partial connections.

rpc_timeout: interval &redef

Time to wait before timing out an RPC request.

segment_profiling: bool &redef

If true, then write segment profiling information (very high volume!) in addition to profiling statistics.

sig_max_group_size: count &redef

Maximum size of regular expression groups for signature matching.

skip_http_data: bool &redef

Skip HTTP data for performance considerations.

table_expire_delay: interval &redef

When expiring table entries, wait this amount of time before checking the next chunk of entries.

table_expire_interval: interval &redef

Check for expired table entries after this amount of time.

table_incremental_step: count &redef

When expiring/serializing table entries, don’t work on more than this many table entries at a time.

tcp_SYN_ack_ok: bool &redef

If true, instantiate connection state when a SYN/ACK is seen but not the initial SYN (even if partial_connection_ok is false).

tcp_SYN_timeout: interval &redef

Check up on the result of an initial SYN after this much time.

tcp_attempt_delay: interval &redef

Wait this long upon seeing an initial SYN before timing out the connection attempt.

tcp_close_delay: interval &redef

Upon seeing a normal connection close, flush state after this much time.

tcp_connection_linger: interval &redef

When checking a closed connection for further activity, consider it inactive if there hasn’t been any for this long.

tcp_content_deliver_all_orig: bool &redef

If true, all TCP originator-side traffic is reported via tcp_contents.

tcp_content_deliver_all_resp: bool &redef

If true, all TCP responder-side traffic is reported via tcp_contents.

tcp_content_delivery_ports_orig: table &redef

Defines destination TCP ports for which the contents of the originator stream should be delivered via tcp_contents.

tcp_content_delivery_ports_resp: table &redef

Defines destination TCP ports for which the contents of the responder stream should be delivered via tcp_contents.

tcp_excessive_data_without_further_acks: count &redef

If we’ve seen this much data without any of it being acked, we give up on that connection to avoid memory exhaustion from buffering all of it.

tcp_inactivity_timeout: interval &redef

If a TCP connection is inactive, time it out after this interval.

tcp_match_undelivered: bool &redef

If true, pass any undelivered data to the signature engine before flushing the state.

tcp_max_above_hole_without_any_acks: count &redef

If we’re not seeing our peer’s ACKs, the maximum volume of data above a sequence hole that we’ll tolerate before assuming that there’s been a packet drop and we should give up on tracking a connection.

tcp_max_initial_window: count &redef

Maximum amount of data that might plausibly be sent in an initial flight (prior to receiving any acks).

tcp_max_old_segments: count &redef

Number of TCP segments to buffer beyond what’s been acknowledged already to detect retransmission inconsistencies.

tcp_partial_close_delay: interval &redef

Generate a connection_partial_close event this much time after one half of a partial connection closes, assuming there has been no subsequent activity.

tcp_reassembler_ports_orig: set &redef

For services without a handler, these sets define originator-side ports that still trigger reassembly.

tcp_reassembler_ports_resp: set &redef

For services without a handler, these sets define responder-side ports that still trigger reassembly.

tcp_reset_delay: interval &redef

Upon seeing a RST, flush state after this much time.

tcp_session_timer: interval &redef

After a connection has closed, wait this long for further activity before checking whether to time out its state.

tcp_storm_interarrival_thresh: interval &redef

FINs/RSTs must come with this much time or less between them to be considered a “storm”.

tcp_storm_thresh: count &redef

Number of FINs/RSTs in a row that constitute a “storm”.

time_machine_profiling: bool &redef

If true, output profiling for Time-Machine queries.

truncate_http_URI: int &redef

Maximum length of HTTP URIs passed to events.

udp_content_deliver_all_orig: bool &redef

If true, all UDP originator-side traffic is reported via udp_contents.

udp_content_deliver_all_resp: bool &redef

If true, all UDP responder-side traffic is reported via udp_contents.

udp_content_delivery_ports_orig: table &redef

Defines UDP destination ports for which the contents of the originator stream should be delivered via udp_contents.

udp_content_delivery_ports_resp: table &redef

Defines UDP destination ports for which the contents of the responder stream should be delivered via udp_contents.

udp_inactivity_timeout: interval &redef

If a UDP flow is inactive, time it out after this interval.

use_conn_size_analyzer: bool &redef

Whether to use the ConnSize analyzer to count the number of packets and IP-level bytes transferred by each endpoint.

watchdog_interval: interval &redef

Zeek’s watchdog interval.

Constants

CONTENTS_BOTH: count

Record both originator and responder contents.

CONTENTS_NONE: count

Turn off recording of contents.

CONTENTS_ORIG: count

Record originator contents.

CONTENTS_RESP: count

Record responder contents.

DNS_ADDL: count

An additional record.

DNS_ANS: count

An answer record.

DNS_AUTH: count

An authoritative record.

DNS_QUERY: count

A query.

ENDIAN_BIG: count

Big endian.

ENDIAN_CONFUSED: count

Tried to determine endian, but failed.

ENDIAN_LITTLE: count

Little endian.

ENDIAN_UNKNOWN: count

Endian not yet determined.

ICMP_UNREACH_ADMIN_PROHIB: count

Administratively prohibited.

ICMP_UNREACH_HOST: count

Host unreachable.

ICMP_UNREACH_NEEDFRAG: count

Fragment needed.

ICMP_UNREACH_NET: count

Network unreachable.

ICMP_UNREACH_PORT: count

Port unreachable.

ICMP_UNREACH_PROTOCOL: count

Protocol unreachable.

IPPROTO_AH: count

IPv6 authentication header.

IPPROTO_DSTOPTS: count

IPv6 destination options header.

IPPROTO_ESP: count

IPv6 encapsulating security payload header.

IPPROTO_FRAGMENT: count

IPv6 fragment header.

IPPROTO_HOPOPTS: count

IPv6 hop-by-hop-options header.

IPPROTO_ICMP: count

Control message protocol.

IPPROTO_ICMPV6: count

ICMP for IPv6.

IPPROTO_IGMP: count

Group management protocol.

IPPROTO_IP: count

Dummy for IP.

IPPROTO_IPIP: count

IP encapsulation in IP.

IPPROTO_IPV6: count

IPv6 header.

IPPROTO_MOBILITY: count

IPv6 mobility header.

IPPROTO_NONE: count

IPv6 no next header.

IPPROTO_RAW: count

Raw IP packet.

IPPROTO_ROUTING: count

IPv6 routing header.

IPPROTO_TCP: count

TCP.

IPPROTO_UDP: count

User datagram protocol.

LOGIN_STATE_AUTHENTICATE: count

LOGIN_STATE_CONFUSED: count

LOGIN_STATE_LOGGED_IN: count

LOGIN_STATE_SKIP: count

RPC_status: table

Mapping of numerical RPC status codes to readable messages.

SNMP::OBJ_COUNTER32_TAG: count

Unsigned 32-bit integer.

SNMP::OBJ_COUNTER64_TAG: count

Unsigned 64-bit integer.

SNMP::OBJ_ENDOFMIBVIEW_TAG: count

A NULL value.

SNMP::OBJ_INTEGER_TAG: count

Signed 64-bit integer.

SNMP::OBJ_IPADDRESS_TAG: count

An IP address.

SNMP::OBJ_NOSUCHINSTANCE_TAG: count

A NULL value.

SNMP::OBJ_NOSUCHOBJECT_TAG: count

A NULL value.

SNMP::OBJ_OCTETSTRING_TAG: count

An octet string.

SNMP::OBJ_OID_TAG: count

An Object Identifier.

SNMP::OBJ_OPAQUE_TAG: count

An octet string.

SNMP::OBJ_TIMETICKS_TAG: count

Unsigned 32-bit integer.

SNMP::OBJ_UNSIGNED32_TAG: count

Unsigned 32-bit integer.

SNMP::OBJ_UNSPECIFIED_TAG: count

A NULL value.

TCP_CLOSED: count

Endpoint has closed connection.

TCP_ESTABLISHED: count

Endpoint has finished initial handshake regularly.

TCP_INACTIVE: count

Endpoint is still inactive.

TCP_PARTIAL: count

Endpoint has sent data but no initial SYN.

TCP_RESET: count

Endpoint has sent RST.

TCP_SYN_ACK_SENT: count

Endpoint has sent SYN/ACK.

TCP_SYN_SENT: count

Endpoint has sent SYN.

TH_ACK: count

ACK.

TH_FIN: count

FIN.

TH_FLAGS: count

Mask combining all flags.

TH_PUSH: count

PUSH.

TH_RST: count

RST.

TH_SYN: count

SYN.

TH_URG: count

URG.

UDP_ACTIVE: count

Endpoint has sent something.

UDP_INACTIVE: count

Endpoint is still inactive.

trace_output_file: string

Holds the filename of the trace file given with -w (empty if none).

zeek_script_args: vector

Arguments given to Zeek from the command line.

State Variables

capture_filters: table &redef

Set of BPF capture filters to use for capturing, indexed by a user-definable ID (which must be unique).

direct_login_prompts: set &redef

TODO.

discarder_maxlen: count &redef

Maximum length of payload passed to discarder functions.

dns_max_queries: count &redef

If a DNS request includes more than this many queries, assume it’s non-DNS traffic and do not process it.

dns_skip_addl: set &redef

For DNS servers in these sets, omit processing the ADDL records they include in their replies.

dns_skip_all_addl: bool &redef

If true, all DNS ADDL records are skipped.

dns_skip_all_auth: bool &redef

If true, all DNS AUTH records are skipped.

dns_skip_auth: set &redef

For DNS servers in these sets, omit processing the AUTH records they include in their replies.

done_with_network: bool

http_entity_data_delivery_size: count &redef

Maximum amount of HTTP entity data delivered to events.

interfaces: string &add_func = add_interface &redef

Network interfaces to listen on.

load_sample_freq: count &redef

Rate at which to generate load_sample events.

login_failure_msgs: set &redef

TODO.

login_non_failure_msgs: set &redef

TODO.

login_prompts: set &redef

TODO.

login_success_msgs: set &redef

TODO.

login_timeouts: set &redef

TODO.

mime_segment_length: count &redef

The length of MIME data segments delivered to handlers of mime_segment_data.

mime_segment_overlap_length: count &redef

The number of bytes of overlap between successive segments passed to mime_segment_data.

pkt_profile_file: file &redef

File where packet profiles are logged.

profiling_file: file &redef

Write profiling info into this file in regular intervals.

restrict_filters: table &redef

Set of BPF filters to restrict capturing, indexed by a user-definable ID (which must be unique).

secondary_filters: table &redef

Definition of “secondary filters”.

signature_files: string &add_func = add_signature_file &redef

Signature files to read.

skip_authentication: set &redef

TODO.

Types

Backtrace: vector

A representation of a Zeek script’s call stack.

BacktraceElement: record

A representation of an element in a Zeek script’s call stack.

BrokerStats: record

Statistics about Broker communication.

Cluster::Pool: record

A pool used for distributing data/work among a set of cluster nodes.

ConnStats: record

DHCP::Addrs: vector

A list of addresses offered by a DHCP server.

DHCP::ClientFQDN: record

DHCP Client FQDN Option information (Option 81)

DHCP::ClientID: record

DHCP Client Identifier (Option 61) ..

DHCP::Msg: record

A DHCP message.

DHCP::Options: record

DHCP::SubOpt: record

DHCP Relay Agent Information Option (Option 82) ..

DHCP::SubOpts: vector

DNSStats: record

Statistics related to Zeek’s active use of DNS.

EncapsulatingConnVector: vector

A type alias for a vector of encapsulating “connections”, i.e.

EventStats: record

FileAnalysisStats: record

Statistics of file analysis.

GapStats: record

Statistics about number of gaps in TCP connections.

IPAddrAnonymization: enum

IPAddrAnonymizationClass: enum

JSON::TimestampFormat: enum

KRB::AP_Options: record

AP Options.

KRB::Error_Msg: record

The data from the ERROR_MSG message.

KRB::Host_Address: record

A Kerberos host address. See RFC 4120.

KRB::Host_Address_Vector: vector

KRB::KDC_Options: record

KDC Options.

KRB::KDC_Request: record

The data from the AS_REQ and TGS_REQ messages.

KRB::KDC_Response: record

The data from the AS_REP and TGS_REP messages.

KRB::SAFE_Msg: record

The data from the SAFE message.

KRB::Ticket: record

A Kerberos ticket.

KRB::Ticket_Vector: vector

KRB::Type_Value: record

Used in a few places in the Kerberos analyzer for elements that have a type and a string value.

KRB::Type_Value_Vector: vector

MOUNT3::dirmntargs_t: record

MOUNT mnt arguments.

MOUNT3::info_t: record

Record summarizing the general results and status of MOUNT3 request/reply pairs.

MOUNT3::mnt_reply_t: record

MOUNT lookup reply.

MQTT::ConnectAckMsg: record

MQTT::ConnectMsg: record

MQTT::PublishMsg: record

MatcherStats: record

Statistics of all regular expression matchers.

ModbusCoils: vector

A vector of boolean values that indicate the setting for a range of Modbus coils.

ModbusHeaders: record

ModbusRegisters: vector

A vector of count values that represent 16-bit Modbus register values.

NFS3::delobj_reply_t: record

NFS reply for remove, rmdir.

NFS3::direntry_t: record

NFS direntry.

NFS3::direntry_vec_t: vector

Vector of NFS direntry.

NFS3::diropargs_t: record

NFS readdir arguments.

NFS3::fattr_t: record

NFS file attributes.

NFS3::fsstat_t: record

NFS fsstat.

NFS3::info_t: record

Record summarizing the general results and status of NFSv3 request/reply pairs.

NFS3::link_reply_t: record

NFS link reply.

NFS3::linkargs_t: record

NFS link arguments.

NFS3::lookup_reply_t: record

NFS lookup reply.

NFS3::newobj_reply_t: record

NFS reply for create, mkdir, and symlink.

NFS3::read_reply_t: record

NFS read reply.

NFS3::readargs_t: record

NFS read arguments.

NFS3::readdir_reply_t: record

NFS readdir reply.

NFS3::readdirargs_t: record

NFS readdir arguments.

NFS3::readlink_reply_t: record

NFS readlink reply.

NFS3::renameobj_reply_t: record

NFS reply for rename.

NFS3::renameopargs_t: record

NFS rename arguments.

NFS3::sattr_reply_t: record

NFS sattr reply.

NFS3::sattr_t: record

NFS file attributes.

NFS3::sattrargs_t: record

NFS sattr arguments.

NFS3::symlinkargs_t: record

NFS symlink arguments.

NFS3::symlinkdata_t: record

NFS symlinkdata attributes.

NFS3::wcc_attr_t: record

NFS wcc attributes.

NFS3::write_reply_t: record

NFS write reply.

NFS3::writeargs_t: record

NFS write arguments.

NTLM::AVs: record

NTLM::Authenticate: record

NTLM::Challenge: record

NTLM::Negotiate: record

NTLM::NegotiateFlags: record

NTLM::Version: record

NTP::ControlMessage: record

NTP control message as defined in RFC 1119 for mode 6. This record contains the fields used by the NTP protocol for control operations.

NTP::Message: record

NTP message as defined in RFC 5905.

NTP::Mode7Message: record

NTP mode 7 message.

NTP::StandardMessage: record

NTP standard message as defined in RFC 5905 for modes 1-5. This record contains the standard fields used by the NTP protocol for standard synchronization operations.

NetStats: record

Packet capture statistics.

PE::DOSHeader: record

PE::FileHeader: record

PE::OptionalHeader: record

PE::SectionHeader: record

Record for Portable Executable (PE) section headers.

PacketSource: record

Properties of an I/O packet source being read by Zeek.

Pcap::Interface: record

The definition of a “pcap interface”.

Pcap::Interfaces: set

PcapFilterID: enum

Enum type identifying dynamic BPF filters.

ProcStats: record

Statistics about Zeek’s process.

RADIUS::AttributeList: vector

RADIUS::Attributes: table

RADIUS::Message: record

RDP::ClientChannelDef: record

Name and flags for a single channel requested by the client.

RDP::ClientChannelList: vector

The list of channels requested by the client.

RDP::ClientClusterData: record

The TS_UD_CS_CLUSTER data block is sent by the client to the server either to advertise that it can support the Server Redirection PDUs or to request a connection to a given session identifier.

RDP::ClientCoreData: record

RDP::ClientSecurityData: record

The TS_UD_CS_SEC data block contains security-related information used to advertise client cryptographic support.

RDP::EarlyCapabilityFlags: record

ReassemblerStats: record

Holds statistics for all types of reassembly.

ReporterStats: record

Statistics about reporter messages and weirds.

SMB1::Find_First2_Request_Args: record

SMB1::Find_First2_Response_Args: record

SMB1::Header: record

An SMB1 header.

SMB1::NegotiateCapabilities: record

SMB1::NegotiateRawMode: record

SMB1::NegotiateResponse: record

SMB1::NegotiateResponseCore: record

SMB1::NegotiateResponseLANMAN: record

SMB1::NegotiateResponseNTLM: record

SMB1::NegotiateResponseSecurity: record

SMB1::SessionSetupAndXCapabilities: record

SMB1::SessionSetupAndXRequest: record

SMB1::SessionSetupAndXResponse: record

SMB1::Trans2_Args: record

SMB1::Trans2_Sec_Args: record

SMB1::Trans_Sec_Args: record

SMB2::CloseResponse: record

The response to an SMB2 close request, which is used by the client to close an instance of a file that was opened previously.

SMB2::CompressionCapabilities: record

Compression information as defined in SMB v.

SMB2::CreateRequest: record

The request sent by the client to request either creation of or access to a file.

SMB2::CreateResponse: record

The response to an SMB2 create_request request, which is sent by the client to request either creation of or access to a file.

SMB2::EncryptionCapabilities: record

Encryption information as defined in SMB v.

SMB2::FileAttrs: record

A series of boolean flags describing basic and extended file attributes for SMB2.

SMB2::FileEA: record

This information class is used to query or set extended attribute (EA) information for a file.

SMB2::FileEAs: vector

A vector of extended attribute (EA) information for a file.

SMB2::Fscontrol: record

A series of integer flags used to set quota and content indexing control information for a file system volume in SMB2.

SMB2::GUID: record

An SMB2 globally unique identifier which identifies a file.

SMB2::Header: record

An SMB2 header.

SMB2::NegotiateContextValue: record

The context type information as defined in SMB v.

SMB2::NegotiateContextValues: vector

SMB2::NegotiateResponse: record

The response to an SMB2 negotiate request, which is used by the client to notify the server what dialects of the SMB2 protocol the client understands.

SMB2::PreAuthIntegrityCapabilities: record

Preauthentication information as defined in SMB v.

SMB2::SessionSetupFlags: record

A flags field that indicates additional information about the session that’s sent in the session_setup response.

SMB2::SessionSetupRequest: record

The request sent by the client to request a new authenticated session within a new or existing SMB 2 Protocol transport connection to the server.

SMB2::SessionSetupResponse: record

The response to an SMB2 session_setup request, which is sent by the client to request a new authenticated session within a new or existing SMB 2 Protocol transport connection to the server.

SMB2::Transform_header: record

An SMB2 transform header (for SMB 3.x dialects with encryption enabled).

SMB2::TreeConnectResponse: record

The response to an SMB2 tree_connect request, which is sent by the client to request access to a particular share on the server.

SMB::MACTimes: record

MAC times for a file.

SNMP::Binding: record

The VarBind data structure from either RFC 1157 or RFC 3416, which maps an Object Identifier to a value.

SNMP::Bindings: vector

A VarBindList data structure from either RFC 1157 or RFC 3416.

SNMP::BulkPDU: record

A BulkPDU data structure from RFC 3416.

SNMP::Header: record

A generic SNMP header data structure that may include data from any version of SNMP.

SNMP::HeaderV1: record

The top-level message data structure of an SNMPv1 datagram, not including the PDU data.

SNMP::HeaderV2: record

The top-level message data structure of an SNMPv2 datagram, not including the PDU data.

SNMP::HeaderV3: record

The top-level message data structure of an SNMPv3 datagram, not including the PDU data.

SNMP::ObjectValue: record

A generic SNMP object value, that may include any of the valid ObjectSyntax values from RFC 1155 or RFC 3416.

SNMP::PDU: record

A PDU data structure from either RFC 1157 or RFC 3416.

SNMP::ScopedPDU_Context: record

The ScopedPduData data structure of an SNMPv3 datagram, not including the PDU data (i.e.

SNMP::TrapPDU: record

A Trap-PDU data structure from RFC 1157.

SOCKS::Address: record &log

This record is for a SOCKS client or server to provide either a name or an address to represent a desired or established connection.

SSH::Algorithm_Prefs: record

The client and server each have some preferences for the algorithms used in each direction.

SSH::Capabilities: record

This record lists the preferences of an SSH endpoint for algorithm selection.

SSL::PSKIdentity: record

SSL::SignatureAndHashAlgorithm: record

SYN_packet: record

Fields of a SYN packet.

TCP::Option: record

A TCP Option field parsed from a TCP header.

TCP::OptionList: vector

The full list of TCP Option fields parsed from a TCP header.

ThreadStats: record

Statistics about threads.

TimerStats: record

Statistics of timers.

Tunnel::EncapsulatingConn: record &log

Records the identity of an encapsulating parent of a tunneled connection.

Unified2::IDSEvent: record

Unified2::Packet: record

X509::BasicConstraints: record &log

X509::Certificate: record

X509::Extension: record

X509::Result: record

Result of an X509 certificate chain verification

X509::SubjectAlternativeName: record

addr_set: set

A set of addresses.

addr_vec: vector

A vector of addresses.

any_vec: vector

A vector of any, used by some builtin functions to store a list of varying types.

bittorrent_benc_dir: table

A table of BitTorrent “benc” values.

bittorrent_benc_value: record

BitTorrent “benc” value.

bittorrent_peer: record

A BitTorrent peer.

bittorrent_peer_set: set

A set of BitTorrent peers.

bt_tracker_headers: table

Header table type used by BitTorrent analyzer.

call_argument: record

Meta-information about a parameter to a function/event.

call_argument_vector: vector

Vector type used to capture parameters of a function/event call.

conn_id: record &log

A connection’s identifying 4-tuple of endpoints and ports.

connection: record

A connection.

count_set: set

A set of counts.

dns_answer: record

The general part of a DNS reply.

dns_binds_rr: record

A Private RR type BINDS record.

dns_dnskey_rr: record

A DNSSEC DNSKEY record.

dns_ds_rr: record

A DNSSEC DS record.

dns_edns_additional: record

An additional DNS EDNS record.

dns_edns_cookie: record

A DNS EDNS COOKIE record.

dns_edns_ecs: record

A DNS EDNS Client Subnet (ECS) record.

dns_edns_tcp_keepalive: record

A DNS EDNS TCP KEEPALIVE record.

dns_loc_rr: record

A Private RR type LOC record.

dns_mapping: record

dns_msg: record

A DNS message.

dns_nsec3_rr: record

A DNSSEC NSEC3 record.

dns_nsec3param_rr: record

A DNSSEC NSEC3PARAM record.

dns_rrsig_rr: record

A DNSSEC RRSIG record.

dns_soa: record

A DNS SOA record.

dns_svcb_rr: record

DNS SVCB and HTTPS RRs

dns_tsig_additional: record

An additional DNS TSIG record.

double_vec: vector

A vector of floating point numbers, used by telemetry builtin functions to store histogram bounds.

endpoint: record

Statistics about a connection endpoint.

endpoint_stats: record

Statistics about what a TCP endpoint sent.

entropy_test_result: record

Computed entropy values.

fa_file: record &redef

File Analysis handle for a file that Zeek is analyzing.

fa_metadata: record

File Analysis metadata that’s been inferred about a particular file.

files_tag_set: set

A set of file analyzer tags.

flow_id: record &log

The identifying 4-tuple of a uni-directional flow.

ftp_port: record

A parsed host/port combination describing the server endpoint for an upcoming data transfer.

geo_autonomous_system: record &log

GeoIP autonomous system information.

geo_location: record &log

GeoIP location information.

gtp_access_point_name: string

gtp_cause: count

gtp_charging_characteristics: count

gtp_charging_gateway_addr: addr

gtp_charging_id: count

gtp_create_pdp_ctx_request_elements: record

gtp_create_pdp_ctx_response_elements: record

gtp_delete_pdp_ctx_request_elements: record

gtp_delete_pdp_ctx_response_elements: record

gtp_end_user_addr: record

gtp_gsn_addr: record

gtp_imsi: count

gtp_msisdn: string

gtp_nsapi: count

gtp_omc_id: string

gtp_private_extension: record

gtp_proto_config_options: string

gtp_qos_profile: record

gtp_rai: record

gtp_recovery: count

gtp_reordering_required: bool

gtp_selection_mode: count

gtp_teardown_ind: bool

gtp_teid1: count

gtp_teid_control_plane: count

gtp_tft: string

gtp_trace_reference: count

gtp_trace_type: count

gtp_trigger_id: string

gtp_update_pdp_ctx_request_elements: record

gtp_update_pdp_ctx_response_elements: record

gtpv1_hdr: record

A GTPv1 (GPRS Tunneling Protocol) header.

http_message_stat: record

HTTP message statistics.

http_stats_rec: record

HTTP session statistics.

icmp6_nd_option: record

Options extracted from ICMPv6 neighbor discovery messages as specified by RFC 4861.

icmp6_nd_options: vector

A type alias for a vector of ICMPv6 neighbor discovery message options.

icmp6_nd_prefix_info: record

Values extracted from a Prefix Information option in an ICMPv6 neighbor discovery message as specified by RFC 4861.

icmp_conn: record

Specifics about an ICMP conversation.

icmp_context: record

Packet context part of an ICMP message.

icmp_hdr: record

Values extracted from an ICMP header.

icmp_info: record

Specifics about an ICMP conversation/packet.

id_table: table

Table type used to map script-level identifiers to meta-information describing them.

index_vec: vector

A vector of counts, used by some builtin functions to store a list of indices.

int_vec: vector

A vector of integers, used by telemetry builtin functions to store histogram bounds.

interval_set: set

A set of intervals.

ip4_hdr: record

Values extracted from an IPv4 header.

ip6_ah: record

Values extracted from an IPv6 Authentication extension header.

ip6_dstopts: record

Values extracted from an IPv6 Destination options extension header.

ip6_esp: record

Values extracted from an IPv6 ESP extension header.

ip6_ext_hdr: record

A general container for a more specific IPv6 extension header.

ip6_ext_hdr_chain: vector

A type alias for a vector of IPv6 extension headers.

ip6_fragment: record

Values extracted from an IPv6 Fragment extension header.

ip6_hdr: record

Values extracted from an IPv6 header.

ip6_hopopts: record

Values extracted from an IPv6 Hop-by-Hop options extension header.

ip6_mobility_back: record

Values extracted from an IPv6 Mobility Binding Acknowledgement message.

ip6_mobility_be: record

Values extracted from an IPv6 Mobility Binding Error message.

ip6_mobility_brr: record

Values extracted from an IPv6 Mobility Binding Refresh Request message.

ip6_mobility_bu: record

Values extracted from an IPv6 Mobility Binding Update message.

ip6_mobility_cot: record

Values extracted from an IPv6 Mobility Care-of Test message.

ip6_mobility_coti: record

Values extracted from an IPv6 Mobility Care-of Test Init message.

ip6_mobility_hdr: record

Values extracted from an IPv6 Mobility header.

ip6_mobility_hot: record

Values extracted from an IPv6 Mobility Home Test message.

ip6_mobility_hoti: record

Values extracted from an IPv6 Mobility Home Test Init message.

ip6_mobility_msg: record

Values extracted from an IPv6 Mobility header’s message data.

ip6_option: record

Values extracted from an IPv6 extension header’s (e.g.

ip6_options: vector

A type alias for a vector of IPv6 options.

ip6_routing: record

Values extracted from an IPv6 Routing extension header.

irc_join_info: record

IRC join information.

irc_join_list: set

Set of IRC join information.

l2_hdr: record

Values extracted from the layer 2 header.

load_sample_info: set

mime_header_list: table

A list of MIME headers.

mime_header_rec: record

A MIME header key/value pair.

mime_match: record

A structure indicating a MIME type and strength of a match against file magic signatures.

mime_matches: vector

A vector of file magic signature matches, ordered by strength of the signature, strongest first.

pcap_packet: record

Policy-level representation of a packet passed on by libpcap.

pkt_hdr: record

A packet header, consisting of an IP header and transport-layer header.

pkt_profile_modes: enum

Output modes for packet profiling information.

pm_callit_request: record

An RPC portmapper callit request.

pm_mapping: record

An RPC portmapper mapping.

pm_mappings: table

Table of RPC portmapper mappings.

pm_port_request: record

An RPC portmapper request.

psk_identity_vec: vector

raw_pkt_hdr: record

A raw packet header, consisting of L2 header and everything in pkt_hdr.

record_field: record

Meta-information about a record field.

record_field_table: table

Table type used to map record field declarations to meta-information describing them.

rotate_info: record

script_id: record

Meta-information about a script-level identifier.

signature_and_hashalgorithm_vec: vector

A vector of Signature and Hash Algorithms.

signature_state: record

Description of a signature match.

string_any_file_hook: hook

A hook taking a fa_file, an any, and a string.

string_any_table: table

A string-table of any.

string_array: table

An ordered array of strings.

string_set: set

A set of strings.

string_vec: vector

A vector of strings.

subnet_set: set

A set of subnets.

subnet_vec: vector

A vector of subnets.

sw_align: record

Helper type for return value of Smith-Waterman algorithm.

sw_align_vec: vector

Helper type for return value of Smith-Waterman algorithm.

sw_params: record

Parameters for the Smith-Waterman algorithm.

sw_substring: record

Helper type for return value of Smith-Waterman algorithm.

sw_substring_vec: vector

Return type for Smith-Waterman algorithm.

table_string_of_count: table

A table of counts indexed by strings.

table_string_of_string: table

A table of strings indexed by strings.

tcp_hdr: record

Values extracted from a TCP header.

teredo_auth: record

A Teredo authentication header.

teredo_hdr: record

A Teredo packet header.

teredo_origin: record

A Teredo origin indication header.

transport_proto: enum

A connection’s transport-layer protocol.

udp_hdr: record

Values extracted from a UDP header.

var_sizes: table

Table type used to map variable names to their memory allocation.

x509_opaque_vector: vector

A vector of x509 opaques.

Functions

add_interface: function

Internal function.

add_signature_file: function

Internal function.

discarder_check_icmp: function

Function for skipping packets based on their ICMP header.

discarder_check_ip: function

Function for skipping packets based on their IP header.

discarder_check_tcp: function

Function for skipping packets based on their TCP header.

discarder_check_udp: function

Function for skipping packets based on their UDP header.

max_count: function

Returns maximum of two count values.

max_double: function

Returns maximum of two double values.

max_interval: function

Returns maximum of two interval values.

min_count: function

Returns minimum of two count values.

min_double: function

Returns minimum of two double values.

min_interval: function

Returns minimum of two interval values.

Detailed Interface
Runtime Options
MQTT::max_payload_size
Type

count

Attributes

&redef

Default

100

The maximum payload size to allocate for the purpose of payload information in mqtt_publish events (and the default MQTT logs generated from that).

Weird::sampling_duration
Type

interval

Attributes

&redef

Default

10.0 mins

How long a weird of a given type is allowed to keep state/counters in memory. For “net” weirds an expiration timer starts per weird name when first initializing its counter. For “flow” weirds an expiration timer starts once per src/dst IP pair for the first weird of any name. For “conn” weirds, counters and expiration timers are kept for the duration of the connection for each named weird and reset when necessary. E.g. if a “conn” weird by the name of “foo” is seen more than Weird::sampling_threshold times, then an expiration timer begins for “foo” and upon triggering will reset the counter for “foo” and unthrottle its rate-limiting until it once again exceeds the threshold.

Weird::sampling_global_list
Type

set [string]

Attributes

&redef

Default

{}

Rate-limits weird names in the table globally instead of per connection/flow.

Weird::sampling_rate
Type

count

Attributes

&redef

Default

1000

The rate-limiting sampling rate. Once a weird type is rate-limited, only one out of every this many weirds of that type will be allowed to raise events for further script-layer handling. Setting the sampling rate to 0 will disable all output of rate-limited weirds.

Weird::sampling_threshold
Type

count

Attributes

&redef

Default

25

How many weirds of a given type to tolerate before sampling begins. I.e. this many consecutive weirds of a given type will be allowed to raise events for script-layer handling before being rate-limited.

Weird::sampling_whitelist
Type

set [string]

Attributes

&redef

Default

{}

Prevents rate-limiting sampling of any weirds named in the table.
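The five Weird::sampling_* options above work together: a named weird raises events freely until it has been seen sampling_threshold times, is then sampled at 1 in sampling_rate until the sampling_duration timer resets the counter, and names in sampling_whitelist are never sampled at all. The following local.zeek fragment is an added example, not code from the Zeek project; the weird names it whitelists and globalizes are illustrative and should be replaced with the names that actually dominate your own weird.log:

```zeek
# Added example: tuning weird rate-limiting in local.zeek.
# The weird names below are illustrative placeholders, not a recommendation.

# Tolerate 50 weirds of a given name before sampling starts (default 25).
redef Weird::sampling_threshold = 50;

# Once sampling starts, let 1 in 500 through (default 1 in 1000).
redef Weird::sampling_rate = 500;

# Keep counters and expiration timers for 30 minutes (default 10 minutes).
redef Weird::sampling_duration = 30 mins;

# Never sample these: every occurrence raises its event, so a detection
# script keyed on them sees the full count rather than a 1-in-N sample.
redef Weird::sampling_whitelist += { "bad_TCP_checksum", "possible_split_routing" };

# Rate-limit these globally (one counter per name) instead of per
# connection or src/dst pair, which bounds the cost of a noisy scanner.
redef Weird::sampling_global_list += { "dns_unmatched_msg" };
```

Changing sampling_threshold or sampling_rate alters how many weird events a detection script sees, so any logic that counts weirds per host should be reviewed whenever these values are tuned.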

default_file_bof_buffer_size
Type

count

Attributes

&redef

Default

4096

Default number of bytes that file analysis will buffer in order to use for MIME type matching. File analyzers attached at the time of MIME type matching or later will receive a copy of this buffer.

default_file_timeout_interval
Type

interval

Attributes

&redef

Default

2.0 mins

Default amount of time a file can be inactive before the file analysis gives up and discards any internal state related to the file.

ignore_checksums_nets
Type

set [subnet]

Attributes

&redef

Default

{}

Checksums are ignored for all packets with a src address within this set of networks. Useful for cases where a host might be seeing packets collected from local hosts before checksums were applied by hardware. This frequently manifests when sniffing a local management interface on a host and Zeek sees packets before the hardware has had a chance to apply the checksums.

udp_content_delivery_ports_use_resp
Type

bool

Attributes

&redef

Default

F

Whether ports given in udp_content_delivery_ports_orig and udp_content_delivery_ports_resp are in terms of the UDP packet’s destination port or the UDP connection’s “responder” port.

udp_content_ports
Type

set [port]

Attributes

&redef

Default

{}

Defines UDP ports (source or destination) for which the contents of either originator or responder streams should be delivered via udp_contents.
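The two options above are typically set together when Zeek sniffs a host's own management interface: ignore_checksums_nets stops the sensor's own pre-offload packets from being discarded as corrupt, and udp_content_ports selects which UDP payloads are handed to a udp_contents handler. The script below is an added example, not code from the Zeek documentation; the 10.0.0.0/8 sensor subnet and the choice of 514/udp (syslog) are assumptions for illustration:

```zeek
# Added example: deliver UDP payloads for a chosen port while ignoring
# checksums for the sensor's own subnet. Subnet and port are placeholders.

# Packets sourced from this range are captured before NIC checksum offload
# has filled in the checksums, so do not treat them as corrupt.
redef ignore_checksums_nets += { 10.0.0.0/8 };

# Deliver originator and responder payloads for this port (either direction
# of the UDP "connection") via the udp_contents event.
redef udp_content_ports += { 514/udp };

event udp_contents(u: connection, is_orig: bool, contents: string)
	{
	# Only look at client-to-server payloads; sub_bytes() is 1-indexed,
	# so this prints at most the first 64 bytes of the datagram.
	if ( is_orig && |contents| > 0 )
		print fmt("%s -> %s/%s: %s", u$id$orig_h, u$id$resp_h, u$id$resp_p,
		          sub_bytes(contents, 1, 64));
	}
```

ignore_checksums_nets should be kept as narrow as possible: any packet whose source address falls inside it bypasses checksum validation entirely, so a broad range also lets genuinely corrupted or crafted packets from that range reach the analyzers.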


Redefinable Options
BinPAC::flowbuffer_capacity_max
Type

count

Attributes

&redef

Default

10485760

Maximum capacity, in bytes, that the BinPAC flowbuffer is allowed to grow to for use with incremental parsing of a given connection/analyzer.

BinPAC::flowbuffer_capacity_min
Type

count

Attributes

&redef

Default

512

The initial capacity, in bytes, that will be allocated to the BinPAC flowbuffer of a given connection/analyzer. If the buffer is later contracted, its capacity is also reduced to this size.

BinPAC::flowbuffer_contract_threshold
Type

count

Attributes

&redef

Default

2097152

The threshold, in bytes, at which the BinPAC flowbuffer of a given connection/analyzer will have its capacity contracted to BinPAC::flowbuffer_capacity_min after parsing a full unit. I.e. this is the maximum capacity to reserve in between the parsing of units. If, after parsing a unit, the flowbuffer capacity is greater than this value, it will be contracted.

DCE_RPC::max_cmd_reassembly
Type

count

Attributes

&redef

Default

20

The maximum number of simultaneous fragmented commands that the DCE_RPC analyzer will tolerate before it generates a weird and skips further input.

DCE_RPC::max_frag_data
Type

count

Attributes

&redef

Default

30000

The maximum number of fragmented bytes that the DCE_RPC analyzer will tolerate on a command before the analyzer will generate a weird and skip further input.

KRB::keytab
Type

string

Attributes

&redef

Default

""

Kerberos keytab file name. Used to decrypt tickets encountered on the wire.

NCP::max_frame_size
Type

count

Attributes

&redef

Default

65536

The maximum number of bytes to allocate when parsing NCP frames.

NFS3::return_data
Type

bool

Attributes

&redef

Default

F

If true, nfs_proc_read and nfs_proc_write events return the file data that has been read/written.


NFS3::return_data_first_only
Type

bool

Attributes

&redef

Default

T

If NFS3::return_data is true, whether to only return data if the read or write offset is 0, i.e., only return data for the beginning of the file.

NFS3::return_data_max
Type

count

Attributes

&redef

Default

512

If NFS3::return_data is true, how much data should be returned at most.

Pcap::bufsize
Type

count

Attributes

&redef

Default

128

Number of Mbytes to provide as buffer space when capturing from live interfaces.

Pcap::non_fd_timeout
Type

interval

Attributes

&redef

Default

20.0 usecs

Default timeout for packet sources without file descriptors.

For libpcap based packet sources that do not provide a usable file descriptor for select(), the timeout provided to the IO loop is either zero if a packet was most recently available or else this value.

Depending on the expected packet rate per-worker and the amount of available packet buffer, raising this value can significantly reduce Zeek’s CPU usage at the cost of a small delay before processing packets. Setting this value too high may cause packet drops due to running out of available buffer space.

Increasing this value to 200 usec on low-traffic Myricom based systems (5 kpps per Zeek worker) has shown a 50% reduction in CPU usage.

This is an advanced setting. Do monitor dropped packets and capture loss information when changing it.

Note

Packet sources that override the GetNextTimeout() method may not respect this value.

Pcap::snaplen
Type

count

Attributes

&redef

Default

9216

Number of bytes per packet to capture from live interfaces.
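The text above asks operators who raise Pcap::non_fd_timeout to watch for dropped packets. One way to do that from within Zeek itself is to poll get_net_stats() periodically and report when the drop counter grows. The script below is an added example, not code from the Zeek project; the 200 usec timeout, 256 MB buffer and 60-second poll interval are assumptions chosen for illustration:

```zeek
# Added example: raise the non-fd timeout and the capture buffer, then
# watch the packet source's drop counter so the change can be validated.
# All numeric values are illustrative starting points, not recommendations.

redef Pcap::non_fd_timeout = 200 usecs;
redef Pcap::bufsize = 256;

# Drop count from the previous poll; NetStats counters are cumulative.
global last_dropped: count = 0;

event check_capture_drops()
	{
	local ns = get_net_stats();

	if ( ns$pkts_dropped > last_dropped )
		Reporter::warning(fmt("packet source dropped %d packets in the last poll interval (%d received)",
		                      ns$pkts_dropped - last_dropped, ns$pkts_recvd));

	last_dropped = ns$pkts_dropped;

	# Re-arm the poll.
	schedule 60 secs { check_capture_drops() };
	}

event zeek_init()
	{
	schedule 60 secs { check_capture_drops() };
	}
```

On a cluster, get_net_stats() reflects only the local worker's packet source, so the handler should be loaded on worker nodes (for example guarded with Cluster::local_node_type() == Cluster::WORKER); the warnings then land in each worker's reporter.log. Because a larger Pcap::bufsize and a longer timeout both delay rather than prevent drops under sustained overload, the poll should run for at least one full traffic cycle before a new timeout is accepted.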

Reporter::errors_to_stderr
Type

bool

Attributes

&redef

Default

T

Tunable for sending reporter error messages to STDERR. The option to turn it off is presented here in case Zeek is being run by some external harness and shouldn’t output anything to the console.

Reporter::info_to_stderr
Type

bool

Attributes

&redef

Default

T

Tunable for sending reporter info messages to STDERR. The option to turn it off is presented here in case Zeek is being run by some external harness and shouldn’t output anything to the console.

Reporter::warnings_to_stderr
Type

bool

Attributes

&redef

Default

T

Tunable for sending reporter warning messages to STDERR. The option to turn it off is presented here in case Zeek is being run by some external harness and shouldn’t output anything to the console.

SMB::pipe_filenames
Type

set [string]

Attributes

&redef

Default

{}

Redefinition

from base/protocols/smb/consts.zeek

=:

spoolss, winreg, samr, srvsvc, netdfs, lsarpc, wkssvc, MsFteWds

A set of file names used as named pipes over SMB. This only comes into play as a heuristic to identify named pipes when the drive mapping wasn’t seen by Zeek.


SSL::dtls_max_reported_version_errors
Type

count

Attributes

&redef

Default

1

Maximum number of invalid version errors to report in one DTLS connection.

SSL::dtls_max_version_errors
Type

count

Attributes

&redef

Default

10

Number of non-DTLS frames that can occur in a DTLS connection before parsing of the connection is suspended. DTLS does not immediately stop parsing a connection because other protocols might be interleaved in the same UDP “connection”.

Threading::heartbeat_interval
Type

interval

Attributes

&redef

Default

1.0 sec

The heartbeat interval used by the threading framework. Changing this should usually not be necessary and will break several tests.

Tunnel::delay_gtp_confirmation
Type

bool

Attributes

&redef

Default

F

With this set, the GTP analyzer waits until the most-recent upflow and downflow packets are a valid GTPv1 encapsulation before issuing analyzer_confirmation. If it’s false, the first occurrence of a packet with valid GTPv1 encapsulation causes confirmation. Since the same inner connection can be carried in differing outer upflow/downflow connections, setting this to false may work better.

Tunnel::delay_teredo_confirmation
Type

bool

Attributes

&redef

Default

T

With this set, the Teredo analyzer waits until it sees both sides of a connection using a valid Teredo encapsulation before issuing an analyzer_confirmation. If it’s false, the first occurrence of a packet with valid Teredo encapsulation causes a confirmation.

Tunnel::enable_ayiya
Type

bool

Attributes

&redef

Default

T

Toggle whether to do IPv{4,6}-in-AYIYA decapsulation.

Tunnel::enable_gre
Type

bool

Attributes

&redef

Default

T

Toggle whether to do GRE decapsulation.

Tunnel::enable_gtpv1
Type

bool

Attributes

&redef

Default

T

Toggle whether to do GTPv1 decapsulation.

Tunnel::enable_ip
Type

bool

Attributes

&redef

Default

T

Toggle whether to do IPv{4,6}-in-IPv{4,6} decapsulation.

Tunnel::enable_teredo
Type

bool

Attributes

&redef

Default

T

Toggle whether to do IPv6-in-Teredo decapsulation.

Tunnel::ip_tunnel_timeout
Type

interval

Attributes

&redef

Default

1.0 day

How often to cleanup internal state for inactive IP tunnels (includes GRE tunnels).

Tunnel::max_changes_per_connection
Type

count

Attributes

&redef

Default

5

The number of tunnel_changed events that will be sent for a connection. Once this limit is hit, no more of those events will be sent to avoid a large number of events being sent for connections that regularly swap. This can be set to zero to disable this limiting.

Tunnel::max_depth
Type

count

Attributes

&redef

Default

2

The maximum depth of a tunnel to decapsulate until giving up. Setting this to zero will disable all types of tunnel decapsulation.

Tunnel::validate_vxlan_checksums
Type

bool

Attributes

&redef

Default

T

Whether to validate the checksum supplied in the outer UDP header of a VXLAN encapsulation. The spec says the checksum should be transmitted as zero, but if not, then the decapsulating destination may choose whether to perform the validation.
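The Tunnel::* options above decide which encapsulations Zeek peels off, how deep it goes, and how often it tells scripts that a connection's outer wrapper changed. The fragment below is an added example rather than code from the Zeek documentation: it disables two legacy IPv6 transition encapsulations that a given network may never legitimately carry, raises the nesting depth, and logs each tunnel_changed event. Which encapsulations to disable and the depth of 3 are assumptions for a particular environment, not general advice:

```zeek
# Added example: tunnel decapsulation policy for one environment.
# Which tunnels to disable and the depth limit are environment-specific.

# Assumption: this network has no Teredo or AYIYA clients, so decapsulating
# them only gives an attacker a way to make inner traffic look different.
redef Tunnel::enable_teredo = F;
redef Tunnel::enable_ayiya = F;

# GRE, GTPv1, IP-in-IP and VXLAN stay enabled. Allow one more nesting level
# than the default of 2 (for example VXLAN carrying GRE carrying IP).
redef Tunnel::max_depth = 3;

# Allow more tunnel_changed events per connection before they are suppressed
# (default 5); set to 0 to remove the cap entirely.
redef Tunnel::max_changes_per_connection = 10;

event tunnel_changed(c: connection, e: EncapsulatingConnVector)
	{
	# |e| is the number of encapsulation layers currently wrapping the
	# inner connection; e[0] is the outermost.
	print fmt("%s: inner connection %s:%s -> %s:%s now carried by %d layer(s)",
	          c$uid, c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p, |e|);
	}
```

Setting Tunnel::max_depth to 0 turns decapsulation off entirely, which means inner connections are never analyzed; that is rarely what an NSM deployment wants, since an adversary can then hide traffic from protocol analysis behind a single tunnel layer.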

UnknownProtocol::first_bytes_count
Type

count

Attributes

&redef

Default

10

The number of bytes to extract from the next header and log in the first_bytes field.

UnknownProtocol::sampling_duration
Type

interval

Attributes

&redef

Default

1.0 hr

How long an analyzer/protocol pair is allowed to keep state/counters in memory. Once the threshold has been hit, this is the amount of time before the rate-limiting for a pair expires and is reset.

UnknownProtocol::sampling_rate
Type

count

Attributes

&redef

Default

100000

The rate-limiting sampling rate. Once a pair is rate-limited, only one out of every this many reports for that pair will be allowed to raise events for further script-layer handling. Setting the sampling rate to 0 will disable all output of rate-limited pairs.

UnknownProtocol::sampling_threshold
Type

count

Attributes

&redef

Default

3

How many reports for an analyzer/protocol pair will be allowed to raise events before becoming rate-limited.

bits_per_uid
Type

count

Attributes

&redef

Default

96

Number of bits in UIDs that are generated to identify connections and files. The larger the value, the more confidence in UID uniqueness. The maximum is currently 128 bits.

check_for_unused_event_handlers
Type

bool

Attributes

&redef

Default

F

If true, warns about unused event handlers at startup.

cmd_line_bpf_filter
Type

string

Attributes

&redef

Default

""

BPF filter the user has set via the -f command line options. Empty if none.

detect_filtered_trace
Type

bool

Attributes

&redef

Default

F

Whether to attempt to automatically detect SYN/FIN/RST-filtered trace and not report missing segments for such connections. If this is enabled, then missing data at the end of connections may not be reported via content_gap.

digest_salt
Type

string

Attributes

&redef

Default

"Please change this value."

This salt value is used for several message digests in Zeek. We use a salt to help mitigate the possibility of an attacker manipulating source data to, e.g., mount complexity attacks or cause ID collisions. This salt is, for example, used by get_file_handle to generate installation-unique file IDs (the id field of fa_file).

dns_session_timeout
Type

interval

Attributes

&redef

Default

10.0 secs

Time to wait before timing out a DNS request.

dpd_buffer_size
Type

count

Attributes

&redef

Default

1024

Size of per-connection buffer used for dynamic protocol detection. For each connection, Zeek buffers this initial amount of payload in memory so that complete protocol analysis can start even after the initial packets have already passed through (i.e., when a DPD signature matches only later). However, once the buffer is full, data is deleted and lost to analyzers that are activated afterwards. Then only analyzers that can deal with partial connections will be able to analyze the session.

dpd_ignore_ports
Type

bool

Attributes

&redef

Default

F

If true, don’t consider any ports for deciding which protocol analyzer to use.

dpd_late_match_stop
Type

bool

Attributes

&redef

Default

F

Redefinition

from policy/protocols/conn/speculative-service.zeek

=:

T

If true, stops signature matching after a late match. A late match may occur in case the DPD buffer is exhausted but a protocol signature matched. To allow late matching, dpd_match_only_beginning must be disabled.

Note

Despite the name, this option stops all signature matching, not only the matching of signatures used for dynamic protocol detection; it is, however, triggered by DPD signatures only.

dpd_match_only_beginning
Type

bool

Attributes

&redef

Default

T

Redefinition

from policy/protocols/conn/speculative-service.zeek

=:

F

If true, stops signature matching if dpd_buffer_size has been reached.

Note

Despite the name, this option affects all signature matching, not only signatures used for dynamic protocol detection.

dpd_max_packets
Type

count

Attributes

&redef

Default

100

Maximum number of per-connection packets that will be buffered for dynamic protocol detection. For each connection, Zeek buffers up to this amount of packets in memory so that complete protocol analysis can start even after the initial packets have already passed through (i.e., when a DPD signature matches only later). However, once the buffer is full, data is deleted and lost to analyzers that are activated afterwards. Then only analyzers that can deal with partial connections will be able to analyze the session.

dpd_reassemble_first_packets
Type

bool

Attributes

&redef

Default

T

Reassemble the beginning of all TCP connections before doing signature matching. Enabling this provides more accurate matching at the expense of CPU cycles.

Note

Despite the name, this option affects all signature matching, not only signatures used for dynamic protocol detection.

exit_only_after_terminate
Type

bool

Attributes

&redef

Default

F

Flag to prevent Zeek from exiting automatically when input is exhausted. Normally Zeek terminates when all packet sources have gone dry and communication isn’t enabled. If this flag is set, Zeek’s main loop will instead keep idling until terminate is explicitly called.

This is mainly for testing purposes when termination behaviour needs to be controlled for reproducing results.

expensive_profiling_multiple
Type

count

Attributes

&redef

Default

0

Redefinition

from policy/misc/profiling.zeek

=:

20

Multiples of profiling_interval at which (more expensive) memory profiling is done (0 disables).

frag_timeout
Type

interval

Attributes

&redef

Default

0 secs

Redefinition

from policy/tuning/defaults/packet-fragments.zeek

=:

5.0 mins

How long to hold onto fragments for possible reassembly. A value of 0.0 means “forever”, which resists evasion, but can lead to state accrual.

global_hash_seed
Type

string

Attributes

&redef

Default

""

Seed for hashes computed internally for probabilistic data structures. Using the same value here will make the hashes compatible between independent Zeek instances. If left unset, Zeek will use a temporary local seed.

icmp_inactivity_timeout
Type

interval

Attributes

&redef

Default

1.0 min

If an ICMP flow is inactive, time it out after this interval. If 0 secs, then don’t time it out.

ignore_checksums
Type

bool

Attributes

&redef

Default

F

If true, don’t verify checksums, and accept packets that give a length of zero in the IPv4 header. This is useful when running against traces of local traffic and the NIC checksum offloading feature is enabled. It can also be useful for running on altered trace files, and for saving a few cycles at the risk of analyzing invalid data. With this option, packets that have a value of zero in the total-length field of the IPv4 header are also accepted, and the capture-length is used instead. The total-length field is commonly set to zero when the NIC sequence offloading feature is enabled. Note that the -C command-line option overrides the setting of this variable.

ignore_keep_alive_rexmit
Type

bool

Attributes

&redef

Default

F

Ignore certain TCP retransmissions for conn_stats. Some connections (e.g., SSH) retransmit the acknowledged last byte to keep the connection alive. If ignore_keep_alive_rexmit is set to true, such retransmissions will be excluded in the rexmit counter in conn_stats.

likely_server_ports
Type

set [port]

Attributes

&redef

Default

{}

Redefinition

from base/packet-protocols/ayiya/main.zeek

+=:

PacketAnalyzer::AYIYA::ayiya_ports
Redefinition

from base/packet-protocols/geneve/main.zeek

+=:

PacketAnalyzer::Geneve::geneve_ports
Redefinition

from base/packet-protocols/vxlan/main.zeek

+=:

PacketAnalyzer::VXLAN::vxlan_ports
Redefinition

from base/packet-protocols/teredo/main.zeek

+=:

PacketAnalyzer::TEREDO::teredo_ports
Redefinition

from base/packet-protocols/gtpv1/main.zeek

+=:

PacketAnalyzer::GTPV1::gtpv1_ports
Redefinition

from base/protocols/dce-rpc/main.zeek

+=:

DCE_RPC::ports
Redefinition

from base/protocols/dhcp/main.zeek

+=:

67/udp
Redefinition

from base/protocols/dnp3/main.zeek

+=:

DNP3::ports
Redefinition

from base/protocols/dns/main.zeek

+=:

DNS::ports
Redefinition

from base/protocols/ftp/main.zeek

+=:

FTP::ports
Redefinition

from base/protocols/ssl/main.zeek

+=:

SSL::ssl_ports, SSL::dtls_ports
Redefinition

from base/protocols/http/main.zeek

+=:

HTTP::ports
Redefinition

from base/protocols/imap/main.zeek

+=:

IMAP::ports
Redefinition

from base/protocols/irc/main.zeek

+=:

IRC::ports
Redefinition

from base/protocols/krb/main.zeek

+=:

KRB::tcp_ports, KRB::udp_ports
Redefinition

from base/protocols/modbus/main.zeek

+=:

Modbus::ports
Redefinition

from base/protocols/ntp/main.zeek

+=:

NTP::ports
Redefinition

from base/protocols/radius/main.zeek

+=:

RADIUS::ports
Redefinition

from base/protocols/rdp/main.zeek

+=:

RDP::rdp_ports, RDP::rdpeudp_ports
Redefinition

from base/protocols/sip/main.zeek

+=:

SIP::ports
Redefinition

from base/protocols/snmp/main.zeek

+=:

SNMP::ports
Redefinition

from base/protocols/smb/main.zeek

+=:

SMB::ports
Redefinition

from base/protocols/smtp/main.zeek

+=:

SMTP::ports
Redefinition

from base/protocols/socks/main.zeek

+=:

SOCKS::ports
Redefinition

from base/protocols/ssh/main.zeek

+=:

SSH::ports
Redefinition

from base/protocols/syslog/main.zeek

+=:

Syslog::ports
Redefinition

from base/protocols/xmpp/main.zeek

+=:

XMPP::ports
Redefinition

from policy/protocols/mqtt/main.zeek

+=:

MQTT::ports

Ports which the core considers likely to be used by servers. For ports in this set, it may heuristically decide to flip the direction of the connection if it misses the initial handshake.

log_rotate_base_time
Type

string

Attributes

&redef

Default

"0:00"

Base time of log rotations in 24-hour time format (%H:%M), e.g. “12:00”.

max_analyzer_violations
Type

count

Attributes

&redef

Default

1000

The maximum number of analyzer violations the core generates before suppressing them for a given analyzer instance. A weird providing information about the analyzer and connection is generated once the limit is reached.

An analyzer generating this many violations is unlikely to be parsing the right protocol, or is potentially buggy.

See also DPD::max_violations, which controls disabling analyzers through script logic after a certain number of violations has been observed.

max_find_all_string_length
Type

int

Attributes

&redef

Default

10000

Maximum string length allowed for calls to the find_all and find_all_ordered BIFs.

max_timer_expires
Type

count

Attributes

&redef

Default

300

The maximum number of timers to expire after processing each new packet. The value trades off spreading out the timer expiration load with possibly having to hold state longer. A value of 0 means “process all expired timers with each new packet”.

mmdb_dir
Type

string

Attributes

&redef

Default

""

The directory containing MaxMind DB (.mmdb) files to use for GeoIP support.

non_analyzed_lifetime
Type

interval

Attributes

&redef

Default

0 secs

If a connection belongs to an application that we don’t analyze, time it out after this interval. If 0 secs, then don’t time it out (but tcp_inactivity_timeout, udp_inactivity_timeout, and icmp_inactivity_timeout still apply).

packet_filter_default
Type

bool

Attributes

&redef

Default

F

Default mode for Zeek’s user-space dynamic packet filter. If true, packets that aren’t explicitly allowed through are dropped from any further processing.

Note

This is not the BPF packet filter but an additional dynamic filter that Zeek optionally applies just before normal processing starts.

partial_connection_ok
Type

bool

Attributes

&redef

Default

T

If true, instantiate connection state when a partial connection (one missing its initial establishment negotiation) is seen.

peer_description
Type

string

Attributes

&redef

Default

"zeek"

Description transmitted to remote communication peers for identification.

pkt_profile_freq
Type

double

Attributes

&redef

Default

0.0

Frequency associated with packet profiling.

pkt_profile_mode
Type

pkt_profile_modes

Attributes

&redef

Default

PKT_PROFILE_MODE_NONE

Output mode for packet profiling information.

profiling_interval
Type

interval

Attributes

&redef

Default

0 secs

Redefinition

from policy/misc/profiling.zeek

=:

15.0 secs

Update interval for profiling (0 disables). The easiest way to activate profiling is loading policy/misc/profiling.zeek.

record_all_packets
Type

bool

Attributes

&redef

Default

F

If a trace file is given with -w, dump all packets seen by Zeek into it. By default, Zeek applies (very few) heuristics to reduce the volume. A side effect of setting this to true is that we can write the packets out before we actually process them, which can be helpful for debugging in case the analysis triggers a crash.

report_gaps_for_partial
Type

bool

Attributes

&redef

Default

F

Whether we want content_gap for partial connections. A connection is partial if it is missing a full handshake. Note that gap reports for partial connections might not be reliable.

rpc_timeout
Type

interval

Attributes

&redef

Default

24.0 secs

Time to wait before timing out an RPC request.

segment_profiling
Type

bool

Attributes

&redef

Default

F

If true, then write segment profiling information (very high volume!) in addition to profiling statistics.

sig_max_group_size
Type

count

Attributes

&redef

Default

50

Maximum size of regular expression groups for signature matching.

skip_http_data
Type

bool

Attributes

&redef

Default

F

Skip HTTP data for performance considerations. The skipped portion will not go through TCP reassembly.

table_expire_delay
Type

interval

Attributes

&redef

Default

10.0 msecs

When expiring table entries, wait this amount of time before checking the next chunk of entries.

table_expire_interval
Type

interval

Attributes

&redef

Default

10.0 secs

Redefinition

from policy/frameworks/management/agent/main.zeek

=:

2.0 secs
Redefinition

from policy/frameworks/management/controller/main.zeek

=:

2.0 secs

Check for expired table entries after this amount of time.

table_incremental_step
Type

count

Attributes

&redef

Default

5000

When expiring/serializing table entries, don’t work on more than this many table entries at a time.

tcp_SYN_ack_ok
Type

bool

Attributes

&redef

Default

T

If true, instantiate connection state when a SYN/ACK is seen but not the initial SYN (even if partial_connection_ok is false).

tcp_SYN_timeout
Type

interval

Attributes

&redef

Default

5.0 secs

Check up on the result of an initial SYN after this much time.

tcp_attempt_delay
Type

interval

Attributes

&redef

Default

5.0 secs

Wait this long upon seeing an initial SYN before timing out the connection attempt.

tcp_close_delay
Type

interval

Attributes

&redef

Default

5.0 secs

Upon seeing a normal connection close, flush state after this much time.

tcp_connection_linger
Type

interval

Attributes

&redef

Default

5.0 secs

When checking a closed connection for further activity, consider it inactive if there hasn’t been any for this long. Complain if the connection is reused before this much time has elapsed.

tcp_content_deliver_all_orig
Type

bool

Attributes

&redef

Default

F

If true, all TCP originator-side traffic is reported via tcp_contents.

tcp_content_deliver_all_resp
Type

bool

Attributes

&redef

Default

F

If true, all TCP responder-side traffic is reported via tcp_contents.

tcp_content_delivery_ports_orig
Type

table [port] of bool

Attributes

&redef

Default

{}

Defines destination TCP ports for which the contents of the originator stream should be delivered via tcp_contents.

tcp_content_delivery_ports_resp
Type

table [port] of bool

Attributes

&redef

Default

{}

Defines destination TCP ports for which the contents of the responder stream should be delivered via tcp_contents.

tcp_excessive_data_without_further_acks
Type

count

Attributes

&redef

Default

10485760

If we’ve seen this much data without any of it being acked, we give up on that connection to avoid memory exhaustion due to buffering all that stuff. If set to zero, then we don’t ever give up. Ideally, Zeek would track the current window on a connection and use it to infer that data has in fact gone too far, but for now we just make this quite beefy.

tcp_inactivity_timeout
Type

interval

Attributes

&redef

Default

5.0 mins

If a TCP connection is inactive, time it out after this interval. If 0 secs, then don’t time it out.

tcp_match_undelivered
Type

bool

Attributes

&redef

Default

T

If true, pass any undelivered data to the signature engine before flushing the state. If a connection state is removed, there may still be some data waiting in the reassembler.

tcp_max_above_hole_without_any_acks
Type

count

Attributes

&redef

Default

16384

If we’re not seeing our peer’s ACKs, the maximum volume of data above a sequence hole that we’ll tolerate before assuming that there’s been a packet drop and we should give up on tracking a connection. If set to zero, then we don’t ever give up.

tcp_max_initial_window
Type

count

Attributes

&redef

Default

16384

Maximum amount of data that might plausibly be sent in an initial flight (prior to receiving any acks). Used to determine whether we must not be seeing our peer’s ACKs. Set to zero to turn off this determination.

tcp_max_old_segments
Type

count

Attributes

&redef

Default

0

Number of TCP segments to buffer beyond what’s been acknowledged already to detect retransmission inconsistencies. Zero disables any additional buffering.

tcp_partial_close_delay
Type

interval

Attributes

&redef

Default

3.0 secs

Generate a connection_partial_close event this much time after one half of a partial connection closes, assuming there has been no subsequent activity.

tcp_reassembler_ports_orig
Type

set [port]

Attributes

&redef

Default

{}

For services without a handler, these sets define originator-side ports that still trigger reassembly.

tcp_reassembler_ports_resp
Type

set [port]

Attributes

&redef

Default

{}

For services without a handler, these sets define responder-side ports that still trigger reassembly.

tcp_reset_delay
Type

interval

Attributes

&redef

Default

5.0 secs

Upon seeing a RST, flush state after this much time.

tcp_session_timer
Type

interval

Attributes

&redef

Default

6.0 secs

After a connection has closed, wait this long for further activity before checking whether to time out its state.

tcp_storm_interarrival_thresh
Type

interval

Attributes

&redef

Default

1.0 sec

FINs/RSTs must come with this much time or less between them to be considered a “storm”.

tcp_storm_thresh
Type

count

Attributes

&redef

Default

1000

Number of FINs/RSTs in a row that constitute a “storm”. Storms are reported as weird via the notice framework, and they must also come within intervals of at most tcp_storm_interarrival_thresh.

time_machine_profiling
Type

bool

Attributes

&redef

Default

F

If true, output profiling for Time-Machine queries.

truncate_http_URI
Type

int

Attributes

&redef

Default

-1

Maximum length of HTTP URIs passed to events. Longer ones will be truncated to prevent over-long URIs (usually sent by worms) from slowing down event processing. A value of -1 means “do not truncate”.

udp_content_deliver_all_orig
Type

bool

Attributes

&redef

Default

F

If true, all UDP originator-side traffic is reported via udp_contents.

udp_content_deliver_all_resp
Type

bool

Attributes

&redef

Default

F

If true, all UDP responder-side traffic is reported via udp_contents.

udp_content_delivery_ports_orig
Type

table [port] of bool

Attributes

&redef

Default

{}

Defines UDP destination ports for which the contents of the originator stream should be delivered via udp_contents.

udp_content_delivery_ports_resp
Type

table [port] of bool

Attributes

&redef

Default

{}

Defines UDP destination ports for which the contents of the responder stream should be delivered via udp_contents.

udp_inactivity_timeout
Type

interval

Attributes

&redef

Default

1.0 min

If a UDP flow is inactive, time it out after this interval. If 0 secs, then don’t time it out.

use_conn_size_analyzer
Type

bool

Attributes

&redef

Default

T

Whether to use the ConnSize analyzer to count the number of packets and IP-level bytes transferred by each endpoint. If true, these values are returned in the connection’s endpoint record value.

watchdog_interval
Type

interval

Attributes

&redef

Default

10.0 secs

Zeek’s watchdog interval.

Constants
CONTENTS_BOTH
Type

count

Default

3

Record both originator and responder contents.

CONTENTS_NONE
Type

count

Default

0

Turn off recording of contents.

CONTENTS_ORIG
Type

count

Default

1

Record originator contents.

CONTENTS_RESP
Type

count

Default

2

Record responder contents.

DNS_ADDL
Type

count

Default

3

An additional record.

DNS_ANS
Type

count

Default

1

An answer record.

DNS_AUTH
Type

count

Default

2

An authoritative record.

DNS_QUERY
Type

count

Default

0

A query. This shouldn’t occur, just for completeness.

ENDIAN_BIG
Type

count

Default

2

Big endian.

ENDIAN_CONFUSED
Type

count

Default

3

Tried to determine endian, but failed.

ENDIAN_LITTLE
Type

count

Default

1

Little endian.

ENDIAN_UNKNOWN
Type

count

Default

0

Endian not yet determined.

ICMP_UNREACH_ADMIN_PROHIB
Type

count

Default

13

Administratively prohibited.

ICMP_UNREACH_HOST
Type

count

Default

1

Host unreachable.

ICMP_UNREACH_NEEDFRAG
Type

count

Default

4

Fragment needed.

ICMP_UNREACH_NET
Type

count

Default

0

Network unreachable.

ICMP_UNREACH_PORT
Type

count

Default

3

Port unreachable.

ICMP_UNREACH_PROTOCOL
Type

count

Default

2

Protocol unreachable.

IPPROTO_AH
Type

count

Default

51

IPv6 authentication header.

IPPROTO_DSTOPTS
Type

count

Default

60

IPv6 destination options header.

IPPROTO_ESP
Type

count

Default

50

IPv6 encapsulating security payload header.

IPPROTO_FRAGMENT
Type

count

Default

44

IPv6 fragment header.

IPPROTO_HOPOPTS
Type

count

Default

0

IPv6 hop-by-hop-options header.

IPPROTO_ICMP
Type

count

Default

1

Control message protocol.

IPPROTO_ICMPV6
Type

count

Default

58

ICMP for IPv6.

IPPROTO_IGMP
Type

count

Default

2

Group management protocol.

IPPROTO_IP
Type

count

Default

0

Dummy for IP.

IPPROTO_IPIP
Type

count

Default

4

IP encapsulation in IP.

IPPROTO_IPV6
Type

count

Default

41

IPv6 header.

IPPROTO_MOBILITY
Type

count

Default

135

IPv6 mobility header.

IPPROTO_NONE
Type

count

Default

59

IPv6 no next header.

IPPROTO_RAW
Type

count

Default

255

Raw IP packet.

IPPROTO_ROUTING
Type

count

Default

43

IPv6 routing header.

IPPROTO_TCP
Type

count

Default

6

TCP.

IPPROTO_UDP
Type

count

Default

17

User datagram protocol.

LOGIN_STATE_AUTHENTICATE
Type

count

Default

0

LOGIN_STATE_CONFUSED
Type

count

Default

3

LOGIN_STATE_LOGGED_IN
Type

count

Default

1

LOGIN_STATE_SKIP
Type

count

Default

2

RPC_status
Type

table [rpc_status] of string

Default
{
   [RPC_PROG_MISMATCH] = "mismatch",
   [RPC_AUTH_ERROR] = "auth error",
   [RPC_SYSTEM_ERR] = "system err",
   [RPC_PROC_UNAVAIL] = "proc unavail",
   [RPC_SUCCESS] = "ok",
   [RPC_UNKNOWN_ERROR] = "unknown",
   [RPC_TIMEOUT] = "timeout",
   [RPC_GARBAGE_ARGS] = "garbage args",
   [RPC_PROG_UNAVAIL] = "prog unavail"
}

Mapping of numerical RPC status codes to readable messages.

SNMP::OBJ_COUNTER32_TAG
Type

count

Default

65

Unsigned 32-bit integer.

SNMP::OBJ_COUNTER64_TAG
Type

count

Default

70

Unsigned 64-bit integer.

SNMP::OBJ_ENDOFMIBVIEW_TAG
Type

count

Default

130

A NULL value.

SNMP::OBJ_INTEGER_TAG
Type

count

Default

2

Signed 64-bit integer.

SNMP::OBJ_IPADDRESS_TAG
Type

count

Default

64

An IP address.

SNMP::OBJ_NOSUCHINSTANCE_TAG
Type

count

Default

129

A NULL value.

SNMP::OBJ_NOSUCHOBJECT_TAG
Type

count

Default

128

A NULL value.

SNMP::OBJ_OCTETSTRING_TAG
Type

count

Default

4

An octet string.

SNMP::OBJ_OID_TAG
Type

count

Default

6

An Object Identifier.

SNMP::OBJ_OPAQUE_TAG
Type

count

Default

68

An octet string.

SNMP::OBJ_TIMETICKS_TAG
Type

count

Default

67

Unsigned 32-bit integer.

SNMP::OBJ_UNSIGNED32_TAG
Type

count

Default

66

Unsigned 32-bit integer.

SNMP::OBJ_UNSPECIFIED_TAG
Type

count

Default

5

A NULL value.

TCP_CLOSED
Type

count

Default

5

Endpoint has closed connection.

TCP_ESTABLISHED
Type

count

Default

4

Endpoint has finished initial handshake regularly.

TCP_INACTIVE
Type

count

Default

0

Endpoint is still inactive.

TCP_PARTIAL
Type

count

Default

3

Endpoint has sent data but no initial SYN.

TCP_RESET
Type

count

Default

6

Endpoint has sent RST.

TCP_SYN_ACK_SENT
Type

count

Default

2

Endpoint has sent SYN/ACK.

TCP_SYN_SENT
Type

count

Default

1

Endpoint has sent SYN.

TH_ACK
Type

count

Default

16

ACK.

TH_FIN
Type

count

Default

1

FIN.

TH_FLAGS
Type

count

Default

63

Mask combining all flags.

TH_PUSH
Type

count

Default

8

PUSH.

TH_RST
Type

count

Default

4

RST.

TH_SYN
Type

count

Default

2

SYN.

TH_URG
Type

count

Default

32

URG.

UDP_ACTIVE
Type

count

Default

1

Endpoint has sent something.

UDP_INACTIVE
Type

count

Default

0

Endpoint is still inactive.

trace_output_file
Type

string

Default

""

Holds the filename of the trace file given with -w (empty if none).

zeek_script_args
Type

vector of string

Default

[]

Arguments given to Zeek from the command line. In order to use this, Zeek must use a -- command line argument immediately followed by a script file and additional arguments after that. For example:

zeek --bare-mode -- myscript.zeek -a -b -c

To use Zeek as an executable interpreter, include a line at the top of a script like the following and make the script executable:

#!/usr/local/zeek/bin/zeek --

State Variables
capture_filters
Type

table [string] of string

Attributes

&redef

Default

{}

Set of BPF capture filters to use for capturing, indexed by a user-definable ID (which must be unique). If Zeek is not configured with PacketFilter::enable_auto_protocol_capture_filters, all packets matching at least one of the filters in this table (and all in restrict_filters) will be analyzed.

direct_login_prompts
Type

set [string]

Attributes

&redef

Default

{}

TODO.

discarder_maxlen
Type

count

Attributes

&redef

Default

128

Maximum length of payload passed to discarder functions.

dns_max_queries
Type

count

Attributes

&redef

Default

25

If a DNS request includes more than this many queries, assume it’s non-DNS traffic and do not process it. Set to 0 to turn off this functionality.

dns_skip_addl
Type

set [addr]

Attributes

&redef

Default

{}

For DNS servers in these sets, omit processing the ADDL records they include in their replies.

dns_skip_all_addl
Type

bool

Attributes

&redef

Default

T

Redefinition

from policy/protocols/dns/auth-addl.zeek

=:

F

If true, all DNS ADDL records are skipped.

dns_skip_all_auth
Type

bool

Attributes

&redef

Default

T

Redefinition

from policy/protocols/dns/auth-addl.zeek

=:

F

If true, all DNS AUTH records are skipped.

dns_skip_auth
Type

set [addr]

Attributes

&redef

Default

{}

For DNS servers in these sets, omit processing the AUTH records they include in their replies.

done_with_network
Type

bool

Default

F

http_entity_data_delivery_size
Type

count

Attributes

&redef

Default

1500

Maximum number of HTTP entity data delivered to events.

interfaces
Type

string

Attributes

&add_func = add_interface &redef

Default

""

Network interfaces to listen on. Use redef interfaces += "eth0" to extend.

load_sample_freq
Type

count

Attributes

&redef

Default

20

Rate at which to generate load_sample events. As all events, the event is only generated if you’ve also defined a load_sample handler. Units are inverse number of packets; e.g., a value of 20 means “roughly one in every 20 packets”.

login_failure_msgs
Type

set [string]

Attributes

&redef

Default

{}

TODO.

login_non_failure_msgs
Type

set [string]

Attributes

&redef

Default

{}

TODO.

login_prompts
Type

set [string]

Attributes

&redef

Default

{}

TODO.

login_success_msgs
Type

set [string]

Attributes

&redef

Default

{}

TODO.

login_timeouts
Type

set [string]

Attributes

&redef

Default

{}

TODO.

mime_segment_length
Type

count

Attributes

&redef

Default

1024

The length of MIME data segments delivered to handlers of mime_segment_data.

mime_segment_overlap_length
Type

count

Attributes

&redef

Default

0

The number of bytes of overlap between successive segments passed to mime_segment_data.

pkt_profile_file
Type

file

Attributes

&redef

File where packet profiles are logged.

profiling_file
Type

file

Attributes

&redef

Default

file "prof.log" of string
Redefinition

from policy/misc/profiling.zeek

=:

open(fmt("prof.%s", Profiling::log_suffix()))

Write profiling info into this file in regular intervals. The easiest way to activate profiling is loading policy/misc/profiling.zeek.

restrict_filters
Type

table [string] of string

Attributes

&redef

Default

{}

Set of BPF filters to restrict capturing, indexed by a user-definable ID (which must be unique).

secondary_filters
Type

table [string] of event (filter: string, pkt: pkt_hdr)

Attributes

&redef

Default

{}

Definition of “secondary filters”. A secondary filter is a BPF filter given as index in this table. For each such filter, the corresponding event is raised for all matching packets.

signature_files
Type

string

Attributes

&add_func = add_signature_file &redef

Default

""

Signature files to read. Use redef signature_files += "foo.sig" to extend. Signature files added this way will be searched relative to ZEEKPATH. Using the @load-sigs directive instead is preferred since that can search paths relative to the current script.

skip_authentication
Type

set [string]

Attributes

&redef

Default

{}

TODO.

Types
Backtrace
Type

vector of BacktraceElement

A representation of a Zeek script’s call stack.

BacktraceElement
Type

record

function_name: string

The name of the function being called at this point in the call stack.

function_args: call_argument_vector

The arguments passed to the function being called.

file_location: string &optional

The file in which the function call is being made.

line_location: count &optional

The line number at which the function call is being made.

A representation of an element in a Zeek script’s call stack.

BrokerStats
Type

record

num_peers: count

num_stores: count

Number of active data stores.

num_pending_queries: count

Number of pending data store queries.

num_events_incoming: count

Number of total log messages received.

num_events_outgoing: count

Number of total log messages sent.

num_logs_incoming: count

Number of total log records received.

num_logs_outgoing: count

Number of total log records sent.

num_ids_incoming: count

Number of total identifiers received.

num_ids_outgoing: count

Number of total identifiers sent.

Statistics about Broker communication.

Cluster::Pool
Type

record

spec: Cluster::PoolSpec &default = [topic=, node_type=Cluster::PROXY, max_nodes=<uninitialized>, exclusive=F] &optional

(present if base/frameworks/cluster/pools.zeek is loaded)

The specification of the pool that was used when registering it.

nodes: Cluster::PoolNodeTable &default = {  } &optional

(present if base/frameworks/cluster/pools.zeek is loaded)

Nodes in the pool, indexed by their name (e.g. “manager”).

node_list: vector of Cluster::PoolNode &default = [] &optional

(present if base/frameworks/cluster/pools.zeek is loaded)

A list of nodes in the pool in a deterministic order.

hrw_pool: HashHRW::Pool &default = [sites={  }] &optional

(present if base/frameworks/cluster/pools.zeek is loaded)

The Rendezvous hashing structure.

rr_key_seq: Cluster::RoundRobinTable &default = {  } &optional

(present if base/frameworks/cluster/pools.zeek is loaded)

Round-Robin table indexed by arbitrary key and storing the next index of node_list that will be eligible to receive work (if it’s alive at the time of next request).

alive_count: count &default = 0 &optional

(present if base/frameworks/cluster/pools.zeek is loaded)

Number of pool nodes that are currently alive.

A pool used for distributing data/work among a set of cluster nodes.

ConnStats
Type

record

total_conns: count

current_conns: count

sess_current_conns: count

num_packets: count

num_fragments: count

max_fragments: count

num_tcp_conns: count

Current number of TCP connections in memory.

max_tcp_conns: count

Maximum number of concurrent TCP connections so far.

cumulative_tcp_conns: count

Total number of TCP connections so far.

num_udp_conns: count

Current number of UDP flows in memory.

max_udp_conns: count

Maximum number of concurrent UDP flows so far.

cumulative_udp_conns: count

Total number of UDP flows so far.

num_icmp_conns: count

Current number of ICMP flows in memory.

max_icmp_conns: count

Maximum number of concurrent ICMP flows so far.

cumulative_icmp_conns: count

Total number of ICMP flows so far.

killed_by_inactivity: count

DHCP::Addrs
Type

vector of addr

A list of addresses offered by a DHCP server. Could be routers, DNS servers, or other.

DHCP::ClientFQDN
Type

record

flags: count

An unparsed bitfield of flags (refer to RFC 4702).

rcode1: count

This field is deprecated in the standard.

rcode2: count

This field is deprecated in the standard.

domain_name: string

The Domain Name part of the option carries all or part of the FQDN of a DHCP client.

DHCP Client FQDN Option information (Option 81)

DHCP::ClientID
Type

record

hwtype: count

hwaddr: string

DHCP Client Identifier (Option 61). See also: dhcp_message

DHCP::Msg
Type

record

op: count

Message OP code. 1 = BOOTREQUEST, 2 = BOOTREPLY.

m_type: count

The type of DHCP message.

xid: count

Transaction ID of a DHCP session.

secs: interval

Number of seconds since the client began the address acquisition or renewal process.

flags: count

ciaddr: addr

Original IP address of the client.

yiaddr: addr

IP address assigned to the client.

siaddr: addr

IP address of the server.

giaddr: addr

IP address of the relaying gateway.

chaddr: string

Client hardware address.

sname: string &default = "" &optional

Server host name.

file_n: string &default = "" &optional

Boot file name.

A DHCP message. See also: dhcp_message

DHCP::Options
Type

record

options: index_vec &optional

The ordered list of all DHCP option numbers.

subnet_mask: addr &optional

Subnet Mask Value (option 1)

routers: DHCP::Addrs &optional

Router addresses (option 3)

dns_servers: DHCP::Addrs &optional

DNS Server addresses (option 6)

host_name: string &optional

The Hostname of the client (option 12)

domain_name: string &optional

The DNS domain name of the client (option 15)

forwarding: bool &optional

Enable/Disable IP Forwarding (option 19)

broadcast: addr &optional

Broadcast Address (option 28)

vendor: string &optional

Vendor specific data. This can frequently be unparsed binary data. (option 43)

nbns: DHCP::Addrs &optional

NETBIOS name server list (option 44)

addr_request: addr &optional

Address requested by the client (option 50)

lease: interval &optional

Lease time offered by the server. (option 51)

serv_addr: addr &optional

Server address to allow clients to distinguish between lease offers. (option 54)

param_list: index_vec &optional

DHCP Parameter Request list (option 55)

message: string &optional

Textual error message (option 56)

max_msg_size: count &optional

Maximum Message Size (option 57)

renewal_time: interval &optional

This option specifies the time interval from address assignment until the client transitions to the RENEWING state. (option 58)

rebinding_time: interval &optional

This option specifies the time interval from address assignment until the client transitions to the REBINDING state. (option 59)

vendor_class: string &optional

This option is used by DHCP clients to optionally identify the vendor type and configuration of a DHCP client. (option 60)

client_id: DHCP::ClientID &optional

DHCP Client Identifier (Option 61)

user_class: string &optional

User Class opaque value (Option 77)

client_fqdn: DHCP::ClientFQDN &optional

DHCP Client FQDN (Option 81)

sub_opt: DHCP::SubOpts &optional

DHCP Relay Agent Information Option (Option 82)

auto_config: bool &optional

Auto Config option that tells the host whether it is allowed to auto-assign an IP address. (Option 116)

auto_proxy_config: string &optional

URL to find a proxy.pac for auto proxy config (Option 252)

time_offset: int &optional

The offset of the client’s subnet in seconds from UTC. (Option 2)

time_servers: DHCP::Addrs &optional

A list of RFC 868 time servers available to the client. (Option 4)

name_servers: DHCP::Addrs &optional

A list of IEN 116 name servers available to the client. (Option 5)

ntp_servers: DHCP::Addrs &optional

A list of IP addresses indicating NTP servers available to the client. (Option 42)
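
The DHCP::Msg and DHCP::Options records above are what a script receives for every DHCP packet Zeek parses. The following is an added example, not code from the Zeek reference or the Zeek project: it uses the op, yiaddr, siaddr and chaddr fields of DHCP::Msg together with the serv_addr, lease and dns_servers options to raise a notice when a lease is handed out by a server that is not on an allowlist (a rogue-DHCP check). The event name dhcp_message and its parameter list are taken from Zeek's DHCP analyzer rather than from this page, the module and notice names are assumptions, and the allowlist addresses are constructed sample values.

```zeek
##! Added example: flag DHCP replies from servers outside an allowlist.
##! Assumptions: event signature from Zeek's DHCP analyzer; the module,
##! notice type and allowlist below are constructed for this example.

@load base/frameworks/notice
@load base/protocols/dhcp

module DHCP_Watch;

export {
    ## Constructed sample allowlist: the servers that are supposed to hand
    ## out leases on this network. Redefine it for your environment.
    const authorized_servers: set[addr] = { 10.0.0.1, 10.0.0.2 } &redef;

    redef enum Notice::Type += {
        ## A DHCP reply was seen from a server that is not in the allowlist.
        Unauthorized_Server,
    };
}

## BOOTREPLY op code, as listed in the DHCP::Msg description (op = 2).
const BOOTREPLY = 2;

## The address that identifies the answering server: option 54 (serv_addr)
## when present, otherwise siaddr from the fixed BOOTP header.
function server_addr(msg: DHCP::Msg, options: DHCP::Options): addr
    {
    if ( options?$serv_addr )
        return options$serv_addr;
    return msg$siaddr;
    }

event dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)
    {
    # Only replies (OFFER/ACK) carry a lease and identify the server.
    if ( msg$op != BOOTREPLY )
        return;

    local srv = server_addr(msg, options);

    if ( srv !in authorized_servers )
        NOTICE([$note=Unauthorized_Server,
                $msg=fmt("DHCP reply from unauthorized server %s", srv),
                $sub=fmt("offered %s to client %s", msg$yiaddr, msg$chaddr),
                $conn=c,
                $identifier=cat(srv)]);

    # &optional fields must be tested with ?$ before they are read.
    local lease = options?$lease ? options$lease : 0 secs;
    local n_dns = options?$dns_servers ? |options$dns_servers| : 0;

    print fmt("lease %s for %s from %s (xid %d, %d DNS servers offered)",
              lease, msg$yiaddr, srv, msg$xid, n_dns);
    }
```

Run it with `zeek -r capture.pcap dhcp_watch.zeek` against a trace that contains DHCP traffic; the notice lands in notice.log and the per-lease summary goes to stdout. The `?$` checks matter because every option in DHCP::Options is `&optional`, and reading an unset optional field is a runtime error in Zeek.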

DHCP::SubOpt
Type

record

code: count

value: string

DHCP Relay Agent Information Option (Option 82). See also: dhcp_message

DHCP::SubOpts
Type

vector of DHCP::SubOpt

DNSStats
Type

record

requests: count

Number of DNS requests made

successful: count

Number of successful DNS replies.

failed: count

Number of DNS reply failures.

pending: count

Current pending queries.

cached_hosts: count

Number of cached hosts.

cached_addresses: count

Number of cached addresses.

Statistics related to Zeek’s active use of DNS. These numbers are about Zeek performing DNS queries on its own, not about traffic being observed.

EncapsulatingConnVector
Type

vector of Tunnel::EncapsulatingConn

A type alias for a vector of encapsulating “connections”, i.e. for when there are tunnels within tunnels.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

EventStats
Type

record

queued: count

Total number of events queued so far.

dispatched: count

Total number of events dispatched so far.

FileAnalysisStats
Type

record

current: count

Current number of files being analyzed.

max: count

Maximum number of concurrent files so far.

cumulative: count

Cumulative number of files analyzed.

Statistics of file analysis.

GapStats
Type

record

ack_events: count

How many ack events could have had gaps.

ack_bytes: count

How many bytes those covered.

gap_events: count

How many did have gaps.

gap_bytes: count

How many bytes were missing in the gaps.

Statistics about number of gaps in TCP connections.

IPAddrAnonymization
Type

enum

KEEP_ORIG_ADDR
SEQUENTIALLY_NUMBERED
RANDOM_MD5
PREFIX_PRESERVING_A50
PREFIX_PRESERVING_MD5

IPAddrAnonymizationClass
Type

enum

ORIG_ADDR
RESP_ADDR
OTHER_ADDR

JSON::TimestampFormat
Type

enum

JSON::TS_EPOCH

Timestamps will be formatted as UNIX epoch doubles. This is the format in which Zeek typically writes timestamps.

JSON::TS_MILLIS

Timestamps will be formatted as unsigned integers that represent the number of milliseconds since the UNIX epoch.

JSON::TS_ISO8601

Timestamps will be formatted in the ISO8601 DateTime format. Subseconds are also included; this is not actually part of the standard, but most consumers that parse ISO8601 seem able to cope with it.

KRB::AP_Options
Type

record

use_session_key: bool

Indicates that user-to-user authentication is in use.

mutual_required: bool

Mutual authentication is required

AP Options. See RFC 4120.

KRB::Error_Msg
Type

record

pvno: count &optional

Protocol version number (5 for KRB5)

msg_type: count &optional

The message type (30 for ERROR_MSG)

client_time: time &optional

Current time on the client

server_time: time &optional

Current time on the server

error_code: count

The specific error code

client_realm: string &optional

Realm of the ticket

client_name: string &optional

Name on the ticket

service_realm: string &optional

Realm of the service

service_name: string &optional

Name of the service

error_text: string &optional

Additional text to explain the error

pa_data: vector of KRB::Type_Value &optional

Optional pre-authentication data

The data from the ERROR_MSG message. See RFC 4120.

KRB::Host_Address
Type

record

ip: addr &log &optional

IPv4 or IPv6 address

netbios: string &log &optional

NetBIOS address

unknown: KRB::Type_Value &optional

Some other type that we don’t support yet

A Kerberos host address. See RFC 4120.

KRB::Host_Address_Vector
Type

vector of KRB::Host_Address

KRB::KDC_Options
Type

record

forwardable: bool

The ticket to be issued should have its forwardable flag set.

forwarded: bool

A (TGT) request for forwarding.

proxiable: bool

The ticket to be issued should have its proxiable flag set.

proxy: bool

A request for a proxy.

allow_postdate: bool

The ticket to be issued should have its may-postdate flag set.

postdated: bool

A request for a postdated ticket.

renewable: bool

The ticket to be issued should have its renewable flag set.

opt_hardware_auth: bool

Reserved for opt_hardware_auth

disable_transited_check: bool

Request that the KDC not check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT.

renewable_ok: bool

If a ticket with the requested lifetime cannot be issued, a renewable ticket is acceptable

enc_tkt_in_skey: bool

The ticket for the end server is to be encrypted in the session key from the additional TGT provided

renew: bool

The request is for a renewal

validate: bool

The request is to validate a postdated ticket.

KDC Options. See RFC 4120.

KRB::KDC_Request
Type

record

pvno: count

Protocol version number (5 for KRB5)

msg_type: count

The message type (10 for AS_REQ, 12 for TGS_REQ)

pa_data: vector of KRB::Type_Value &optional

Optional pre-authentication data

kdc_options: KRB::KDC_Options &optional

Options specified in the request

client_name: string &optional

Name on the ticket

service_realm: string &optional

Realm of the service

service_name: string &optional

Name of the service

from: time &optional

Time the ticket is good from

till: time &optional

Time the ticket is good till

rtime: time &optional

The requested renew-till time

nonce: count &optional

A random nonce generated by the client

encryption_types: vector of count &optional

The desired encryption algorithms, in order of preference

host_addrs: vector of KRB::Host_Address &optional

Any additional addresses the ticket should be valid for

additional_tickets: vector of KRB::Ticket &optional

Additional tickets may be included for certain transactions

The data from the AS_REQ and TGS_REQ messages. See RFC 4120.

KRB::KDC_Response
Type

record

pvno: count

Protocol version number (5 for KRB5)

msg_type: count

The message type (11 for AS_REP, 13 for TGS_REP)

pa_data: vector of KRB::Type_Value &optional

Optional pre-authentication data

client_realm: string &optional

Realm on the ticket

client_name: string

Name on the service

ticket: KRB::Ticket

The ticket that was issued

The data from the AS_REQ and TGS_REQ messages. See RFC 4120.

KRB::SAFE_Msg
Type

record

pvno: count

Protocol version number (5 for KRB5)

msg_type: count

The message type (20 for SAFE_MSG)

data: string

The application-specific data that is being passed from the sender to the receiver.

timestamp: time &optional

Current time from the sender of the message

seq: count &optional

Sequence number used to detect replays

sender: KRB::Host_Address &optional

Sender address

recipient: KRB::Host_Address &optional

Recipient address

The data from the SAFE message. See RFC 4120.

KRB::Ticket
Type

record

pvno: count

Protocol version number (5 for KRB5)

realm: string

Realm

service_name: string

Name of the service

cipher: count

Cipher the ticket was encrypted with

ciphertext: string &optional

Cipher text of the ticket

authenticationinfo: string &optional

Authentication info

A Kerberos ticket. See RFC 4120.

KRB::Ticket_Vector
Type

vector of KRB::Ticket

KRB::Type_Value
Type

record

data_type: count

The data type

val: string

The data value

Used in a few places in the Kerberos analyzer for elements that have a type and a string value.

KRB::Type_Value_Vector
Type

vector of KRB::Type_Value

MOUNT3::dirmntargs_t
Type

record

dirname: string

Name of directory to mount

MOUNT mnt arguments.

MOUNT3::info_t
Type

record

rpc_stat: rpc_status

The RPC status.

mnt_stat: MOUNT3::status_t

The MOUNT status.

req_start: time

The start time of the request.

req_dur: interval

The duration of the request.

req_len: count

The length in bytes of the request.

rep_start: time

The start time of the reply.

rep_dur: interval

The duration of the reply.

rep_len: count

The length in bytes of the reply.

rpc_uid: count

The user id of the reply.

rpc_gid: count

The group id of the reply.

rpc_stamp: count

The stamp of the reply.

rpc_machine_name: string

The machine name of the reply.

rpc_auxgids: index_vec

The auxiliary ids of the reply.

Record summarizing the general results and status of MOUNT3 request/reply pairs.

Note that when rpc_stat or mount_stat indicates not successful, the reply record passed to the corresponding event will be empty and contain uninitialized fields, so don’t use it. Also note that time

MOUNT3::mnt_reply_t
Type

record

dirfh: string &optional

Dir handle

auth_flavors: vector of MOUNT3::auth_flavor_t &optional

Returned authentication flavors

MOUNT lookup reply. If the mount failed, dir_attr may be set. If the mount succeeded, fh is always set.

MQTT::ConnectAckMsg
Type

record

return_code: count

Return code from the connack message

session_present: bool

The Session present flag helps the client establish whether the Client and Server have a consistent view about whether there is already stored Session state.

MQTT::ConnectMsg
Type

record

protocol_name: string

Protocol name

protocol_version: count

Protocol version

client_id: string

Identifies the Client to the Server.

keep_alive: interval

The maximum time interval that is permitted to elapse between the point at which the Client finishes transmitting one Control Packet and the point it starts sending the next.

clean_session: bool

The clean_session flag indicates whether the server should start a clean session or reuse existing session state.

will_retain: bool

Specifies if the Will Message is to be retained when it is published.

will_qos: count

Specifies the QoS level to be used when publishing the Will Message.

will_topic: string &optional

Topic to publish the Will message to.

will_msg: string &optional

The actual Will message to publish.

username: string &optional

Username to use for authentication to the server.

password: string &optional

Password to use for authentication to the server.

MQTT::PublishMsg
Type

record

dup: bool

Indicates if this is the first attempt at publishing the message.

qos: count

Indicates what level of QoS is enabled for this message.

retain: bool

Indicates if the server should retain this message so that clients subscribing to the topic in the future will receive this message automatically.

topic: string

Name of the topic the published message is directed into.

payload: string

Payload of the published message.

payload_len: count

The actual length of the payload in the case the payload field’s contents were truncated according to MQTT::max_payload_size.

MatcherStats
Type

record

matchers: count

Number of distinct RE matchers.

nfa_states: count

Number of NFA states across all matchers.

dfa_states: count

Number of DFA states across all matchers.

computed: count

Number of computed DFA state transitions.

mem: count

Number of bytes used by DFA states.

hits: count

Number of cache hits.

misses: count

Number of cache misses.

Statistics of all regular expression matchers.

ModbusCoils
Type

vector of bool

A vector of boolean values that indicate the setting for a range of modbus coils.

ModbusHeaders
Type

record

tid: count

Transaction identifier

pid: count

Protocol identifier

uid: count

Unit identifier (previously ‘slave address’)

function_code: count

MODBUS function code

ModbusRegisters
Type

vector of count

A vector of count values that represent 16-bit Modbus register values.

NFS3::delobj_reply_t
Type

record

dir_pre_attr: NFS3::wcc_attr_t &optional

Optional attributes associated w/ dir.

dir_post_attr: NFS3::fattr_t &optional

Optional attributes associated w/ dir.

NFS reply for remove, rmdir. Corresponds to wcc_data in the spec.

NFS3::direntry_t
Type

record

fileid: count

E.g., inode number.

fname: string

Filename.

cookie: count

Cookie value.

attr: NFS3::fattr_t &optional

readdirplus: the fh attributes for the entry.

fh: string &optional

readdirplus: the fh for the entry

NFS direntry. fh and attr are used for readdirplus. However, even for readdirplus they may not be filled out.

NFS3::direntry_vec_t
Type

vector of NFS3::direntry_t

Vector of NFS direntry.

NFS3::diropargs_t
Type

record

dirfh: string

The file handle of the directory.

fname: string

The name of the file we are interested in.

NFS readdir arguments.

NFS3::fattr_t
Type

record

ftype: NFS3::file_type_t

File type.

mode: count

Mode

nlink: count

Number of links.

uid: count

User ID.

gid: count

Group ID.

size: count

Size.

used: count

TODO.

rdev1: count

TODO.

rdev2: count

TODO.

fsid: count

TODO.

fileid: count

TODO.

atime: time

Time of last access.

mtime: time

Time of last modification.

ctime: time

Time of creation.

NFS file attributes. Field names are based on RFC 1813.

NFS3::fsstat_t
Type

record

attrs: NFS3::fattr_t &optional

Attributes.

tbytes: double

TODO.

fbytes: double

TODO.

abytes: double

TODO.

tfiles: double

TODO.

ffiles: double

TODO.

afiles: double

TODO.

invarsec: interval

TODO.

NFS fsstat.

NFS3::info_t
Type

record

rpc_stat: rpc_status

The RPC status.

nfs_stat: NFS3::status_t

The NFS status.

req_start: time

The start time of the request.

req_dur: interval

The duration of the request.

req_len: count

The length in bytes of the request.

rep_start: time

The start time of the reply.

rep_dur: interval

The duration of the reply.

rep_len: count

The length in bytes of the reply.

rpc_uid: count

The user id of the reply.

rpc_gid: count

The group id of the reply.

rpc_stamp: count

The stamp of the reply.

rpc_machine_name: string

The machine name of the reply.

rpc_auxgids: index_vec

The auxiliary ids of the reply.

Record summarizing the general results and status of NFSv3 request/reply pairs.

Note that when rpc_stat or nfs_stat indicates not successful, the reply record passed to the corresponding event will be empty and contain uninitialized fields, so don’t use it. Also note that time and duration values might not be fully accurate. For TCP, we record times when the corresponding chunk of data is delivered to the analyzer. Depending on the reassembler, this might be well after the first packet of the request was received.

Type

record

post_attr: NFS3::fattr_t &optional

Optional post-operation attributes of the file system object identified by file

preattr: NFS3::wcc_attr_t &optional

Optional attributes associated w/ file.

postattr: NFS3::fattr_t &optional

Optional attributes associated w/ file.

NFS link reply.

NFS3::linkargs_t
Type

record

fh: string

The file handle for the existing file system object.

link: NFS3::diropargs_t

The location of the link to be created.

NFS link arguments.

NFS3::lookup_reply_t
Type

record

fh: string &optional

File handle of object looked up.

obj_attr: NFS3::fattr_t &optional

Optional attributes associated w/ file

dir_attr: NFS3::fattr_t &optional

Optional attributes associated w/ dir.

NFS lookup reply. If the lookup failed, dir_attr may be set. If the lookup succeeded, fh is always set and obj_attr and dir_attr may be set.

NFS3::newobj_reply_t
Type

record

fh: string &optional

File handle of object created.

obj_attr: NFS3::fattr_t &optional

Optional attributes associated w/ new object.

dir_pre_attr: NFS3::wcc_attr_t &optional

Optional attributes associated w/ dir.

dir_post_attr: NFS3::fattr_t &optional

Optional attributes associated w/ dir.

NFS reply for create, mkdir, and symlink. If the proc failed, dir_*_attr may be set. If the proc succeeded, fh and the attr’s may be set. Note: no guarantee that fh is set after success.

NFS3::read_reply_t
Type

record

attr: NFS3::fattr_t &optional

Attributes.

size: count &optional

Number of bytes read.

eof: bool &optional

Did the read end at EOF.

data: string &optional

The actual data; not yet implemented.

NFS read reply. If the lookup fails, attr may be set. If the lookup succeeds, attr may be set and all other fields are set.

NFS3::readargs_t
Type

record

fh: string

File handle to read from.

offset: count

Offset in file.

size: count

Number of bytes to read.

NFS read arguments.

NFS3::readdir_reply_t
Type

record

isplus: bool

True if the reply for a readdirplus request.

dir_attr: NFS3::fattr_t &optional

Directory attributes.

cookieverf: count &optional

TODO.

entries: NFS3::direntry_vec_t &optional

Returned directory entries.

eof: bool

If true, no more entries in directory.

NFS readdir reply. Used for readdir and readdirplus. If an error is returned, dir_attr might be set. On success, dir_attr may be set and all other fields must be set.

NFS3::readdirargs_t
Type

record

isplus: bool

Is this a readdirplus request?

dirfh: string

The directory filehandle.

cookie: count

Cookie / pos in dir; 0 for first call.

cookieverf: count

The cookie verifier.

dircount: count

“count” field for readdir; maxcount otherwise (in bytes).

maxcount: count &optional

Only used for readdirplus; in bytes.

NFS readdir arguments. Used for both readdir and readdirplus.

Type

record

attr: NFS3::fattr_t &optional

Attributes.

nfspath: string &optional

Contents of the symlink; in general a pathname as text.

NFS readlink reply. If the request fails, attr may be set. If the request succeeds, attr may be set and all other fields are set.

NFS3::renameobj_reply_t
Type

record

src_dir_pre_attr: NFS3::wcc_attr_t

src_dir_post_attr: NFS3::fattr_t

dst_dir_pre_attr: NFS3::wcc_attr_t

dst_dir_post_attr: NFS3::fattr_t

NFS reply for rename. Corresponds to wcc_data in the spec.

NFS3::renameopargs_t
Type

record

src_dirfh: string

src_fname: string

dst_dirfh: string

dst_fname: string

NFS rename arguments.

NFS3::sattr_reply_t
Type

record

dir_pre_attr: NFS3::wcc_attr_t &optional

Optional attributes associated w/ dir.

dir_post_attr: NFS3::fattr_t &optional

Optional attributes associated w/ dir.

NFS sattr reply. If the request fails, pre|post attr may be set. If the request succeeds, pre|post attr are set.

NFS3::sattr_t
Type

record

mode: count &optional

Mode

uid: count &optional

User ID.

gid: count &optional

Group ID.

size: count &optional

Size.

atime: NFS3::time_how_t &optional

Time of last access.

mtime: NFS3::time_how_t &optional

Time of last modification.

NFS file attributes. Field names are based on RFC 1813.

NFS3::sattrargs_t
Type

record

fh: string

The file handle for the existing file system object.

new_attributes: NFS3::sattr_t

The new attributes for the file.

NFS sattr arguments.

NFS3::symlinkargs_t
Type

record

link: NFS3::diropargs_t

The location of the link to be created.

symlinkdata: NFS3::symlinkdata_t

The symbolic link to be created.

NFS symlink arguments.

NFS3::symlinkdata_t
Type

record

symlink_attributes: NFS3::sattr_t

The initial attributes for the symbolic link

nfspath: string &optional

The string containing the symbolic link data.

NFS symlinkdata attributes. Field names are based on RFC 1813

NFS3::wcc_attr_t
Type

record

size: count

The size.

atime: time

Access time.

mtime: time

Modification time.

NFS wcc attributes.

NFS3::write_reply_t
Type

record

preattr: NFS3::wcc_attr_t &optional

Pre operation attributes.

postattr: NFS3::fattr_t &optional

Post operation attributes.

size: count &optional

Size.

commited: NFS3::stable_how_t &optional

TODO.

verf: count &optional

Write verifier cookie.

NFS write reply. If the request fails, pre|post attr may be set. If the request succeeds, pre|post attr may be set and all other fields are set.

NFS3::writeargs_t
Type

record

fh: string

File handle to write to.

offset: count

Offset in file.

size: count

Number of bytes to write.

stable: NFS3::stable_how_t

How and when data is committed.

data: string &optional

The actual data; not implemented yet.

NFS write arguments.

NTLM::AVs
Type

record

nb_computer_name: string

The server’s NetBIOS computer name

nb_domain_name: string

The server’s NetBIOS domain name

dns_computer_name: string &optional

The FQDN of the computer

dns_domain_name: string &optional

The FQDN of the domain

dns_tree_name: string &optional

The FQDN of the forest

constrained_auth: bool &optional

Indicates to the client that the account authentication is constrained

timestamp: time &optional

The associated timestamp, if present

single_host_id: count &optional

Indicates that the client is providing a machine ID created at computer startup to identify the calling machine

target_name: string &optional

The SPN of the target server

NTLM::Authenticate
Type

record

flags: NTLM::NegotiateFlags

The negotiate flags

domain_name: string &optional

The domain or computer name hosting the account

user_name: string &optional

The name of the user to be authenticated.

workstation: string &optional

The name of the computer to which the user was logged on.

session_key: string &optional

The session key

version: NTLM::Version &optional

The Windows version information, if supplied

NTLM::Challenge
Type

record

flags: NTLM::NegotiateFlags

The negotiate flags

target_name: string &optional

The server authentication realm. If the server is domain-joined, the name of the domain. Otherwise the server name. See flags.target_type_domain and flags.target_type_server

version: NTLM::Version &optional

The Windows version information, if supplied

target_info: NTLM::AVs &optional

Attribute-value pairs specified by the server

NTLM::Negotiate
Type

record

flags: NTLM::NegotiateFlags

The negotiate flags

domain_name: string &optional

The domain name of the client, if known

workstation: string &optional

The machine name of the client, if known

version: NTLM::Version &optional

The Windows version information, if supplied

NTLM::NegotiateFlags
Type

record

negotiate_56: bool

If set, requires 56-bit encryption

negotiate_key_exch: bool

If set, requests an explicit key exchange

negotiate_128: bool

If set, requests 128-bit session key negotiation

negotiate_version: bool

If set, requests the protocol version number

negotiate_target_info: bool

If set, indicates that the TargetInfo fields in the CHALLENGE_MESSAGE are populated

request_non_nt_session_key: bool

If set, requests the usage of the LMOWF function

negotiate_identify: bool

If set, requests an identify-level token

negotiate_extended_sessionsecurity: bool

If set, requests usage of NTLM v2 session security. Note: NTLM v2 session security is actually NTLM v1.

target_type_server: bool

If set, TargetName must be a server name

target_type_domain: bool

If set, TargetName must be a domain name

negotiate_always_sign: bool

If set, requests the presence of a signature block on all messages

negotiate_oem_workstation_supplied: bool

If set, the workstation name is provided

negotiate_oem_domain_supplied: bool

If set, the domain name is provided

negotiate_anonymous_connection: bool

If set, the connection should be anonymous

negotiate_ntlm: bool

If set, requests usage of NTLM v1

negotiate_lm_key: bool

If set, requests LAN Manager session key computation

negotiate_datagram: bool

If set, requests connectionless authentication

negotiate_seal: bool

If set, requests session key negotiation for message confidentiality

negotiate_sign: bool

If set, requests session key negotiation for message signatures

request_target: bool

If set, the TargetName field is present

negotiate_oem: bool

If set, requests OEM character set encoding

negotiate_unicode: bool

If set, requests Unicode character set encoding
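
The NTLM::NegotiateFlags record above exposes, per handshake, whether the client asked for NTLM v1, whether extended (NTLM v2) session security was requested, and whether an anonymous connection was requested. The following is an added example, not code from the Zeek reference or the Zeek project: it reads those flags from the NTLM::Negotiate, NTLM::Challenge and NTLM::Authenticate records to produce hygiene telemetry for an NTLM hardening effort. The event names ntlm_negotiate, ntlm_challenge and ntlm_authenticate and their parameter lists come from Zeek's NTLM analyzer rather than from this page; the module and notice names are assumptions made for the example.

```zeek
##! Added example: report NTLM negotiations that request NTLM v1 without
##! extended session security, or that request an anonymous connection.
##! Assumptions: event signatures from Zeek's NTLM analyzer; module and
##! notice names are constructed for this example.

@load base/frameworks/notice
@load base/protocols/ntlm

module NTLM_Hygiene;

export {
    redef enum Notice::Type += {
        ## Client requested NTLM v1 without NTLM v2 session security.
        Weak_Negotiation,
        ## Client requested an anonymous NTLM connection.
        Anonymous_Request,
    };
}

## True when the flags describe an NTLM v1-style negotiation: the
## negotiate_ntlm bit is set and negotiate_extended_sessionsecurity is clear.
function is_weak(flags: NTLM::NegotiateFlags): bool
    {
    return flags$negotiate_ntlm && ! flags$negotiate_extended_sessionsecurity;
    }

event ntlm_negotiate(c: connection, negotiate: NTLM::Negotiate)
    {
    # workstation is &optional in NTLM::Negotiate, so test before reading.
    local ws = negotiate?$workstation ? negotiate$workstation : "<unknown>";

    if ( is_weak(negotiate$flags) )
        NOTICE([$note=Weak_Negotiation,
                $msg=fmt("NTLM v1 negotiation without extended session security from %s", ws),
                $conn=c,
                $identifier=cat(c$id$orig_h)]);

    if ( negotiate$flags$negotiate_anonymous_connection )
        NOTICE([$note=Anonymous_Request,
                $msg=fmt("anonymous NTLM connection requested by %s", ws),
                $conn=c,
                $identifier=cat(c$id$orig_h)]);
    }

event ntlm_challenge(c: connection, challenge: NTLM::Challenge)
    {
    # target_name is the domain when target_type_domain is set, otherwise
    # the server name (see the NTLM::Challenge description).
    if ( challenge?$target_name )
        {
        local kind = challenge$flags$target_type_domain ? "domain" : "server";
        print fmt("challenge from %s: %s %s", c$id$resp_h, kind, challenge$target_name);
        }
    }

event ntlm_authenticate(c: connection, request: NTLM::Authenticate)
    {
    local user = request?$user_name ? request$user_name : "<none>";
    local dom = request?$domain_name ? request$domain_name : "<none>";
    print fmt("authenticate %s\\%s from %s", dom, user, c$id$orig_h);
    }
```

The `$identifier` on each NOTICE lets Zeek's notice framework suppress repeats per client, so a chatty legacy host produces one notice per suppression interval instead of one per handshake. The weak-negotiation check only looks at what the client requested; the server's challenge flags decide what is finally used, which is why the challenge handler records the target type alongside it.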

NTLM::Version
Type

record

major: count

The major version of the Windows operating system in use

minor: count

The minor version of the Windows operating system in use

build: count

The build number of the Windows operating system in use

ntlmssp: count

The current revision of NTLMSSP in use

NTP::ControlMessage
Type

record

op_code: count

An integer specifying the command function. Values currently defined:

  • 1 read status command/response

  • 2 read variables command/response

  • 3 write variables command/response

  • 4 read clock variables command/response

  • 5 write clock variables command/response

  • 6 set trap address/port command/response

  • 7 trap response

Other values are reserved.

resp_bit: bool

The response bit. Set to zero for commands, one for responses.

err_bit: bool

The error bit. Set to zero for normal response, one for error response.

more_bit: bool

The more bit. Set to zero for last fragment, one for all others.

sequence: count

The sequence number of the command or response.

status: count

The current status of the system, peer or clock.

association_id: count

A 16-bit integer identifying a valid association.

data: string &optional

Message data for the command or response + Authenticator (optional).

key_id: count &optional

This is an integer identifying the cryptographic key used to generate the message-authentication code.

crypto_checksum: string &optional

This is a crypto-checksum computed by the encryption procedure.

NTP control message as defined in RFC 1119 for mode=6. This record contains the fields used by the NTP protocol for control operations.

NTP::Message
Type

record

version: count

The NTP version number (1, 2, 3, 4).

mode: count

The NTP mode being used. Possible values are:

  • 1 - symmetric active

  • 2 - symmetric passive

  • 3 - client

  • 4 - server

  • 5 - broadcast

  • 6 - NTP control message

  • 7 - reserved for private use

std_msg: NTP::StandardMessage &optional

If mode 1-5, the standard fields for synchronization operations are here. See RFC 5905.

control_msg: NTP::ControlMessage &optional

If mode 6, the fields for control operations are here. See RFC 1119

mode7_msg: NTP::Mode7Message &optional

If mode 7, the fields for extra operations are here. Note that this is not defined in any RFC and is implementation dependent. We used the official implementation from the NTP project. A mode 7 packet is used for exchanging data between an NTP server and a client for purposes other than time synchronization, e.g. monitoring, statistics gathering and configuration.

NTP message as defined in RFC 5905. Also includes fields for mode 7, which RFC 5905 reserves for private use but which some implementations use for commands such as “monlist”.

NTP::Mode7Message
Type

record

req_code: count

An implementation-specific code which specifies the operation to be (which has been) performed and/or the format and semantics of the data included in the packet.

auth_bit: bool

The authenticated bit. If set, this packet is authenticated.

sequence: count

For a multipacket response, contains the sequence number of this packet. 0 is the first in the sequence, 127 (or less) is the last. The More Bit must be set in all packets but the last.

implementation: count

The number of the implementation this request code is defined by. An implementation number of zero is used for request codes/data formats which all implementations agree on. Implementation number 255 is reserved (for extensions, in case we run out).

err: count

Must be 0 for a request. For a response, holds an error code relating to the request. If nonzero, the operation requested wasn’t performed.

  • 0 - no error

  • 1 - incompatible implementation number

  • 2 - unimplemented request code

  • 3 - format error (wrong data items, data size, packet size etc.)

  • 4 - no data available (e.g. request for details on unknown peer)

  • 5 - unknown

  • 6 - unknown

  • 7 - authentication failure (i.e. permission denied)

data: string &optional

Rest of data

NTP mode 7 message. Note that this is not defined in any RFC and is implementation dependent. We used the official implementation from the NTP project. A mode 7 packet is used for exchanging data between an NTP server and a client for purposes other than time synchronization, e.g. monitoring, statistics gathering and configuration. For details see the documentation from the NTP project, version ntp-4.2.8p13, in include/ntp_request.h.
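The NTP::Message and NTP::Mode7Message records above are what a monitoring script receives in the ntp_message event. The following Zeek script is an added example (not part of Zeek or its documentation; the module and notice names are hypothetical) that raises a notice whenever a mode 7 request is seen, and a second notice when a server actually answers one with data, since a server that still serves private-mode queries is worth reviewing.

```zeek
@load base/frameworks/notice
@load base/protocols/ntp

# Hypothetical module name; this script is an added example, not part of Zeek.
module NTPMode7Watch;

export {
	redef enum Notice::Type += {
		## A mode 7 (private) NTP request was seen. Mode 7 is not defined in
		## any RFC and is normally disabled on hardened servers.
		Mode7_Request,
		## A mode 7 request was answered with data, i.e. the server still
		## serves private-mode queries such as "monlist".
		Mode7_Answered,
	};
}

# Summarise the NTP::Mode7Message fields documented above in one string.
function describe_mode7(m7: NTP::Mode7Message): string
	{
	local data_bytes = m7?$data ? |m7$data| : 0;
	return fmt("implementation=%d req_code=%d seq=%d auth=%s err=%d data_bytes=%d",
	           m7$implementation, m7$req_code, m7$sequence, m7$auth_bit,
	           m7$err, data_bytes);
	}

event ntp_message(c: connection, is_orig: bool, msg: NTP::Message)
	{
	# mode7_msg is only present for mode 7 (see NTP::Message).
	if ( msg$mode != 7 || ! msg?$mode7_msg )
		return;

	local m7 = msg$mode7_msg;

	# The originator's packet is the request; the responder's packet carries
	# err == 0 and a payload only if the server honoured the query.
	if ( is_orig )
		NOTICE([$note=Mode7_Request, $conn=c,
		        $msg=fmt("NTP mode 7 request %s -> %s: %s",
		                 c$id$orig_h, c$id$resp_h, describe_mode7(m7)),
		        $identifier=cat(c$id$orig_h, c$id$resp_h, m7$req_code),
		        $suppress_for=1hr]);
	else if ( m7$err == 0 && m7?$data && |m7$data| > 0 )
		NOTICE([$note=Mode7_Answered, $conn=c,
		        $msg=fmt("NTP server %s answered a mode 7 request: %s",
		                 c$id$resp_h, describe_mode7(m7)),
		        $identifier=cat(c$id$resp_h, m7$req_code),
		        $suppress_for=1hr]);
	}
```

A non-zero err in the response (for example 7, authentication failure) means the server refused the query, so only err == 0 responses with data are reported as answered.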

NTP::StandardMessage
Type

record

stratum: count

This value mainly identifies the type of server (primary server, secondary server, etc.). Possible values, as in RFC 5905, are:

  • 0 -> unspecified or invalid

  • 1 -> primary server (e.g., equipped with a GPS receiver)

  • 2-15 -> secondary server (via NTP)

  • 16 -> unsynchronized

  • 17-255 -> reserved

For stratum 0, a kiss_code can be given for debugging and monitoring.

poll: interval

The maximum interval between successive messages.

precision: interval

The precision of the system clock.

root_delay: interval

Root delay. The total round-trip delay to the reference clock.

root_disp: interval

Root Dispersion. The total dispersion to the reference clock.

kiss_code: string &optional

For stratum 0, four-character ASCII string used for debugging and monitoring. Values are defined in RFC 1345.

ref_id: string &optional

Reference ID. For stratum 1, this is the ID assigned to the reference clock by IANA. For example: GOES, GPS, GAL, etc. (see RFC 5905).

ref_addr: addr &optional

Above stratum 1, when using IPv4, the IP address of the reference clock. Note that the NTP protocol did not originally specify a large enough field to represent IPv6 addresses, so implementations use the first four bytes of the MD5 hash of the reference clock’s IPv6 address (i.e. a value that looks like an IPv4 address here is not necessarily an IPv4 address).

ref_time: time

Reference timestamp. Time when the system clock was last set or correct.

org_time: time

Origin timestamp. Time at the client when the request departed for the NTP server.

rec_time: time

Receive timestamp. Time at the server when the request arrived from the NTP client.

xmt_time: time

Transmit timestamp. Time at the server when the response departed.

key_id: count &optional

Key used to designate a secret MD5 key.

digest: string &optional

MD5 hash computed over the key followed by the NTP packet header and extension fields.

num_exts: count &default = 0 &optional

Number of extension fields (which are not currently parsed).

NTP standard message as defined in RFC 5905 for modes 1-5. This record contains the standard fields used by the NTP protocol for standard synchronization operations.

NetStats
Type

record

pkts_recvd: count &default = 0 &optional

Packets received by Zeek.

pkts_dropped: count &default = 0 &optional

Packets reported dropped by the system.

pkts_link: count &default = 0 &optional

Packets seen on the link. Note that this may differ from pkts_recvd because of a potential capture_filter. See base/frameworks/packet-filter/main.zeek. Depending on the packet capture system, this value may not be available and will then be always set to zero.

bytes_recvd: count &default = 0 &optional

Bytes received by Zeek.

Packet capture statistics. All counts are cumulative.


PE::DOSHeader
Type

record

signature: string

The magic number of a portable executable file (“MZ”).

used_bytes_in_last_page: count

The number of bytes in the last page that are used.

file_in_pages: count

The number of pages in the file that are part of the PE file itself.

num_reloc_items: count

Number of relocation entries stored after the header.

header_in_paragraphs: count

Number of paragraphs in the header.

min_extra_paragraphs: count

Number of paragraphs of additional memory that the program will need.

max_extra_paragraphs: count

Maximum number of paragraphs of additional memory.

init_relative_ss: count

Relative value of the stack segment.

init_sp: count

Initial value of the SP register.

checksum: count

Checksum. The 16-bit sum of all words in the file should be 0. Normally not set.

init_ip: count

Initial value of the IP register.

init_relative_cs: count

Initial value of the CS register (relative to the initial segment).

addr_of_reloc_table: count

Offset of the first relocation table.

overlay_num: count

Overlays allow you to append data to the end of the file. If this is the main program, this will be 0.

oem_id: count

OEM identifier.

oem_info: count

Additional OEM info, specific to oem_id.

addr_of_new_exe_header: count

Address of the new EXE header.

PE::FileHeader
Type

record

machine: count

The target machine that the file was compiled for.

ts: time

The time that the file was created at.

sym_table_ptr: count

Pointer to the symbol table.

num_syms: count

Number of symbols.

optional_header_size: count

The size of the optional header.

characteristics: set [count]

Bit flags that determine if this file is executable, non-relocatable, and/or a DLL.

PE::OptionalHeader
Type

record

magic: count

PE32 or PE32+ indicator.

major_linker_version: count

The major version of the linker used to create the PE.

minor_linker_version: count

The minor version of the linker used to create the PE.

size_of_code: count

Size of the .text section.

size_of_init_data: count

Size of the .data section.

size_of_uninit_data: count

Size of the .bss section.

addr_of_entry_point: count

The relative virtual address (RVA) of the entry point.

base_of_code: count

The relative virtual address (RVA) of the .text section.

base_of_data: count &optional

The relative virtual address (RVA) of the .data section.

image_base: count

Preferred memory location for the image to be based at.

section_alignment: count

The alignment (in bytes) of sections when they’re loaded in memory.

file_alignment: count

The alignment (in bytes) of the raw data of sections.

os_version_major: count

The major version of the required OS.

os_version_minor: count

The minor version of the required OS.

major_image_version: count

The major version of this image.

minor_image_version: count

The minor version of this image.

major_subsys_version: count

The major version of the subsystem required to run this file.

minor_subsys_version: count

The minor version of the subsystem required to run this file.

size_of_image: count

The size (in bytes) of the image as the image is loaded in memory.

size_of_headers: count

The size (in bytes) of the headers, rounded up to file_alignment.

checksum: count

The image file checksum.

subsystem: count

The subsystem that’s required to run this image.

dll_characteristics: set [count]

Bit flags that determine how to execute or load this file.

table_sizes: vector of count

A vector with the sizes of various tables and strings that are defined in the optional header data directories. Examples include the import table, the resource table, and debug information.

PE::SectionHeader
Type

record

name: string

The name of the section.

virtual_size: count

The total size of the section when loaded into memory.

virtual_addr: count

The relative virtual address (RVA) of the section.

size_of_raw_data: count

The size of the initialized data for the section, as it is in the file on disk.

ptr_to_raw_data: count

The virtual address of the initialized data for the section, as it is in the file on disk.

ptr_to_relocs: count

The file pointer to the beginning of relocation entries for the section.

ptr_to_line_nums: count

The file pointer to the beginning of line-number entries for the section.

num_of_relocs: count

The number of relocation entries for the section.

num_of_line_nums: count

The number of line-number entries for the section.

characteristics: set [count]

Bit-flags that describe the characteristics of the section.

Record for Portable Executable (PE) section headers.

PacketSource
Type

record

live: bool

Whether the packet source is a live interface or offline pcap file.

path: string

The interface name for a live interface or filesystem path of an offline pcap file.

link_type: int

The data link-layer type of the packet source.

netmask: count

The netmask associated with the source or NETMASK_UNKNOWN.

Properties of an I/O packet source being read by Zeek.

Pcap::Interface
Type

record

name: string

The interface/device name.

description: string &optional

A human-readable description of the device.

addrs: set [addr]

The network addresses associated with the device.

is_loopback: bool

Whether the device is a loopback interface. E.g. addresses of 127.0.0.1 or [::1] are used by loopback interfaces.

is_up: bool &optional

Whether the device is up. Not set when that info is unavailable.

is_running: bool &optional

Whether the device is running. Not set when that info is unavailable.

The definition of a “pcap interface”.

Pcap::Interfaces
Type

set [Pcap::Interface]

PcapFilterID
Type

enum

None

PacketFilter::DefaultPcapFilter

(present if base/frameworks/packet-filter/main.zeek is loaded)

PacketFilter::FilterTester

(present if base/frameworks/packet-filter/main.zeek is loaded)

Enum type identifying dynamic BPF filters. These are used by Pcap::precompile_pcap_filter and Pcap::install_pcap_filter.

ProcStats
Type

record

debug: bool

True if compiled with --enable-debug.

start_time: time

Start time of process.

real_time: interval

Elapsed real time since Zeek started running.

user_time: interval

User CPU seconds.

system_time: interval

System CPU seconds.

mem: count

Maximum memory consumed, in bytes.

minor_faults: count

Page faults not requiring actual I/O.

major_faults: count

Page faults requiring actual I/O.

num_swap: count

Times swapped out.

blocking_input: count

Blocking input operations.

blocking_output: count

Blocking output operations.

num_context: count

Number of involuntary context switches.

Statistics about Zeek’s process.


Note

All process-level values refer to Zeek’s main process only, not to the child process it spawns for doing communication.

RADIUS::AttributeList
Type

vector of string

RADIUS::Attributes
Type

table [count] of RADIUS::AttributeList

RADIUS::Message
Type

record

code: count

The type of message (Access-Request, Access-Accept, etc.).

trans_id: count

The transaction ID.

authenticator: string

The “authenticator” string.

attributes: RADIUS::Attributes &optional

Any attributes.

RDP::ClientChannelDef
Type

record

name: string

A unique name for the channel.

options: count

The raw channel definition options, as a count.

initialized: bool

Absence of this flag indicates that this channel is a placeholder and that the server MUST NOT set it up.

encrypt_rdp: bool

Unused, must be ignored by the server.

encrypt_sc: bool

Unused, must be ignored by the server.

encrypt_cs: bool

Unused, must be ignored by the server.

pri_high: bool

Channel data must be sent with high MCS priority.

pri_med: bool

Channel data must be sent with medium MCS priority.

pri_low: bool

Channel data must be sent with low MCS priority.

compress_rdp: bool

Virtual channel data must be compressed if RDP data is being compressed.

compress: bool

Virtual channel data must be compressed.

show_protocol: bool

Ignored by the server.

persistent: bool

Channel must be persistent across remote control transactions.

Name and flags for a single channel requested by the client.

RDP::ClientChannelList
Type

vector of RDP::ClientChannelDef

The list of channels requested by the client.

RDP::ClientClusterData
Type

record

flags: count

Cluster information flags.

redir_session_id: count

If the redir_sessionid_field_valid flag is set, this field contains a valid session identifier to which the client requests to connect.

redir_supported: bool

The client can receive server session redirection packets. If this flag is set, the svr_session_redir_version_mask field MUST contain the server session redirection version that the client supports.

svr_session_redir_version_mask: count

The server session redirection version that the client supports.

redir_sessionid_field_valid: bool

Whether the redir_session_id field identifies a session on the server to associate with the connection.

redir_smartcard: bool

The client logged on with a smart card.

The TS_UD_CS_CLUSTER data block is sent by the client to the server either to advertise that it can support the Server Redirection PDUs or to request a connection to a given session identifier.

RDP::ClientCoreData
Type

record

version_major: count

version_minor: count

desktop_width: count

desktop_height: count

color_depth: count

sas_sequence: count

keyboard_layout: count

client_build: count

client_name: string

keyboard_type: count

keyboard_sub: count

keyboard_function_key: count

ime_file_name: string

post_beta2_color_depth: count &optional

client_product_id: count &optional

serial_number: count &optional

high_color_depth: count &optional

supported_color_depths: count &optional

ec_flags: RDP::EarlyCapabilityFlags &optional

dig_product_id: string &optional

RDP::ClientSecurityData
Type

record

encryption_methods: count

Cryptographic encryption methods supported by the client and used in conjunction with Standard RDP Security. Known flags:

  • 0x00000001: support for 40-bit session encryption keys

  • 0x00000002: support for 128-bit session encryption keys

  • 0x00000008: support for 56-bit session encryption keys

  • 0x00000010: support for FIPS compliant encryption and MAC methods

ext_encryption_methods: count

Only used in French locale and designates the encryption method. If non-zero, then encryption_methods should be set to 0.

The TS_UD_CS_SEC data block contains security-related information used to advertise client cryptographic support.

RDP::EarlyCapabilityFlags
Type

record

support_err_info_pdu: bool

want_32bpp_session: bool

support_statusinfo_pdu: bool

strong_asymmetric_keys: bool

support_monitor_layout_pdu: bool

support_netchar_autodetect: bool

support_dynvc_gfx_protocol: bool

support_dynamic_time_zone: bool

support_heartbeat_pdu: bool

ReassemblerStats
Type

record

file_size: count

Byte size of File reassembly tracking.

frag_size: count

Byte size of Fragment reassembly tracking.

tcp_size: count

Byte size of TCP reassembly tracking.

unknown_size: count

Byte size of reassembly tracking for unknown purposes.

Holds statistics for all types of reassembly.


ReporterStats
Type

record

weirds: count

Number of total weirds encountered, before any rate-limiting.

weirds_by_type: table [string] of count

Number of times each individual weird is encountered, before any rate-limiting is applied.

Statistics about reporter messages and weirds.


SMB1::Find_First2_Request_Args
Type

record

search_attrs: count

File attributes to apply as a constraint to the search

search_count: count

Max search results

flags: count

Misc. flags for how the server should manage the transaction once results are returned

info_level: count

How detailed the information returned in the results should be

search_storage_type: count

Specify whether to search for directories or files

file_name: string

The string to search for (note: may contain wildcards).

SMB1::Find_First2_Response_Args
Type

record

sid: count

The server generated search identifier

search_count: count

Number of results returned by the search

end_of_search: bool

Whether or not the search can be continued using the TRANS2_FIND_NEXT2 transaction

ext_attr_error: string &optional

An extended attribute name that couldn’t be retrieved

SMB1::Header
Type

record

command: count

The command number

status: count

The status code

flags: count

Flag set 1

flags2: count

Flag set 2

tid: count

Tree ID

pid: count

Process ID

uid: count

User ID

mid: count

Multiplex ID

An SMB1 header.


SMB1::NegotiateCapabilities
Type

record

raw_mode: bool

The server supports SMB_COM_READ_RAW and SMB_COM_WRITE_RAW

mpx_mode: bool

The server supports SMB_COM_READ_MPX and SMB_COM_WRITE_MPX

unicode: bool

The server supports unicode strings

large_files: bool

The server supports large files with 64 bit offsets

nt_smbs: bool

The server supports the SMBs particular to the NT LM 0.12 dialect. Implies nt_find.

rpc_remote_apis: bool

The server supports remote admin API requests via DCE-RPC

status32: bool

The server can respond with 32 bit status codes in Status.Status

level_2_oplocks: bool

The server supports level 2 oplocks

lock_and_read: bool

The server supports SMB_COM_LOCK_AND_READ

nt_find: bool

Reserved

dfs: bool

The server is DFS aware

infolevel_passthru: bool

The server supports NT information level requests passing through

large_readx: bool

The server supports large SMB_COM_READ_ANDX (up to 64k)

large_writex: bool

The server supports large SMB_COM_WRITE_ANDX (up to 64k)

unix: bool

The server supports CIFS Extensions for UNIX

bulk_transfer: bool

The server supports SMB_BULK_READ and SMB_BULK_WRITE. Note: no known implementations support this.

compressed_data: bool

The server supports compressed data transfer. Requires bulk_transfer. Note: no known implementations support this.

extended_security: bool

The server supports extended security exchanges

SMB1::NegotiateRawMode
Type

record

read_raw: bool

Read raw supported

write_raw: bool

Write raw supported

SMB1::NegotiateResponse
Type

record

core: SMB1::NegotiateResponseCore &optional

If the server does not understand any of the dialect strings, or if PC NETWORK PROGRAM 1.0 is the chosen dialect.

lanman: SMB1::NegotiateResponseLANMAN &optional

If the chosen dialect is greater than core up to and including LANMAN 2.1.

ntlm: SMB1::NegotiateResponseNTLM &optional

If the chosen dialect is NT LM 0.12.

SMB1::NegotiateResponseCore
Type

record

dialect_index: count

Index of selected dialect

SMB1::NegotiateResponseLANMAN
Type

record

word_count: count

Count of parameter words (should be 13)

dialect_index: count

Index of selected dialect

security_mode: SMB1::NegotiateResponseSecurity

Security mode

max_buffer_size: count

Max transmit buffer size (>= 1024)

max_mpx_count: count

Max pending multiplexed requests

max_number_vcs: count

Max number of virtual circuits (VCs - transport-layer connections) between client and server

raw_mode: SMB1::NegotiateRawMode

Raw mode

session_key: count

Unique token identifying this session

server_time: time

Current date and time at server

encryption_key: string

The challenge encryption key

primary_domain: string

The server’s primary domain

SMB1::NegotiateResponseNTLM
Type

record

word_count: count

Count of parameter words (should be 17)

dialect_index: count

Index of selected dialect

security_mode: SMB1::NegotiateResponseSecurity

Security mode

max_buffer_size: count

Max transmit buffer size

max_mpx_count: count

Max pending multiplexed requests

max_number_vcs: count

Max number of virtual circuits (VCs - transport-layer connections) between client and server

max_raw_size: count

Max raw buffer size

session_key: count

Unique token identifying this session

capabilities: SMB1::NegotiateCapabilities

Server capabilities

server_time: time

Current date and time at server

encryption_key: string &optional

The challenge encryption key. Present only for non-extended security (i.e. capabilities$extended_security = F)

domain_name: string &optional

The name of the domain. Present only for non-extended security (i.e. capabilities$extended_security = F)

guid: string &optional

A globally unique identifier assigned to the server. Present only for extended security (i.e. capabilities$extended_security = T)

security_blob: string

Opaque security blob associated with the security package if capabilities$extended_security = T. Otherwise, the challenge for challenge/response authentication.

SMB1::NegotiateResponseSecurity
Type

record

user_level: bool

This indicates whether the server, as a whole, is operating under Share Level or User Level security.

challenge_response: bool

This indicates whether or not the server supports Challenge/Response authentication. If the bit is false, then plaintext passwords must be used.

signatures_enabled: bool &optional

This indicates if the server is capable of performing MAC message signing. Note: Requires NT LM 0.12 or later.

signatures_required: bool &optional

This indicates if the server is requiring the use of a MAC in each packet. If false, message signing is optional. Note: Requires NT LM 0.12 or later.
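The SMB1::NegotiateResponse, SMB1::NegotiateResponseSecurity and dialect-specific response records above are delivered by the smb1_negotiate_response event. The following Zeek script is an added example (not part of Zeek or its documentation; the module and notice names are hypothetical) that flags SMB1 servers which negotiate NT LM 0.12 without requiring message signing, servers that only offer plaintext passwords, and servers that settle on a core or LANMAN dialect, where signing is not available at all.

```zeek
@load base/frameworks/notice
@load base/protocols/smb

# Hypothetical module name; this script is an added example, not part of Zeek.
module SMB1SigningWatch;

export {
	redef enum Notice::Type += {
		## An SMB1 server negotiated NT LM 0.12 but does not require
		## message signing, so its sessions can be tampered with in transit.
		Signing_Not_Required,
		## An SMB1 server negotiated a dialect that cannot sign messages at
		## all (core or LANMAN), or offered plaintext-password authentication.
		Weak_Dialect,
	};
}

# Render the SMB1::NegotiateResponseSecurity flags. The two signature flags
# are &optional and only present for NT LM 0.12, so test presence first.
function describe_security(sec: SMB1::NegotiateResponseSecurity): string
	{
	local enabled = sec?$signatures_enabled && sec$signatures_enabled;
	local required = sec?$signatures_required && sec$signatures_required;
	return fmt("signing enabled=%s required=%s challenge_response=%s user_level=%s",
	           enabled, required, sec$challenge_response, sec$user_level);
	}

event smb1_negotiate_response(c: connection, hdr: SMB1::Header, response: SMB1::NegotiateResponse)
	{
	local srv = c$id$resp_h;

	if ( response?$ntlm )
		{
		local sec = response$ntlm$security_mode;
		local required = sec?$signatures_required && sec$signatures_required;

		if ( ! required )
			NOTICE([$note=Signing_Not_Required, $conn=c,
			        $msg=fmt("SMB1 server %s negotiated NT LM 0.12 without requiring signing (%s)",
			                 srv, describe_security(sec)),
			        $identifier=cat(srv, "nosign"), $suppress_for=1day]);

		if ( ! sec$challenge_response )
			NOTICE([$note=Weak_Dialect, $conn=c,
			        $msg=fmt("SMB1 server %s does not support challenge/response; plaintext passwords in use",
			                 srv),
			        $identifier=cat(srv, "plaintext"), $suppress_for=1day]);
		}
	else if ( response?$lanman )
		NOTICE([$note=Weak_Dialect, $conn=c,
		        $msg=fmt("SMB1 server %s negotiated a LANMAN dialect (index %d); signing unavailable (%s)",
		                 srv, response$lanman$dialect_index,
		                 describe_security(response$lanman$security_mode)),
		        $identifier=cat(srv, "lanman"), $suppress_for=1day]);
	else if ( response?$core )
		NOTICE([$note=Weak_Dialect, $conn=c,
		        $msg=fmt("SMB1 server %s sent a core negotiate response (dialect index %d); signing unavailable",
		                 srv, response$core$dialect_index),
		        $identifier=cat(srv, "core"), $suppress_for=1day]);
	}
```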

SMB1::SessionSetupAndXCapabilities
Type

record

unicode: bool

The client can use unicode strings

large_files: bool

The client can deal with files having 64 bit offsets

nt_smbs: bool

The client understands the SMBs introduced with NT LM 0.12. Implies nt_find.

status32: bool

The client can receive 32 bit errors encoded in Status.Status

level_2_oplocks: bool

The client understands Level II oplocks

nt_find: bool

Reserved. Implied by nt_smbs.

SMB1::SessionSetupAndXRequest
Type

record

word_count: count

Count of parameter words:

  • 10 for pre NT LM 0.12

  • 12 for NT LM 0.12 with extended security

  • 13 for NT LM 0.12 without extended security

max_buffer_size: count

Client maximum buffer size

max_mpx_count: count

Actual maximum multiplexed pending request

vc_number: count

Virtual circuit number. First VC == 0

session_key: count

Session key (valid iff vc_number > 0)

native_os: string

Client’s native operating system

native_lanman: string

Client’s native LAN Manager type

account_name: string &optional

Account name. Note: not set for NT LM 0.12 with extended security.

account_password: string &optional

If challenge/response auth is not being used, this is the password. Otherwise, it’s the response to the server’s challenge. Note: only set for pre NT LM 0.12.

primary_domain: string &optional

Client’s primary domain, if known. Note: not set for NT LM 0.12 with extended security.

case_insensitive_password: string &optional

Case insensitive password. Note: only set for NT LM 0.12 without extended security.

case_sensitive_password: string &optional

Case sensitive password. Note: only set for NT LM 0.12 without extended security.

security_blob: string &optional

Security blob. Note: only set for NT LM 0.12 with extended security.

capabilities: SMB1::SessionSetupAndXCapabilities &optional

Client capabilities. Note: only set for NT LM 0.12.

SMB1::SessionSetupAndXResponse
Type

record

word_count: count

Count of parameter words (should be 3 for pre NT LM 0.12 and 4 for NT LM 0.12)

is_guest: bool &optional

Were we logged in as a guest user?

native_os: string &optional

Server’s native operating system

native_lanman: string &optional

Server’s native LAN Manager type

primary_domain: string &optional

Server’s primary domain

security_blob: string &optional

Security blob if NTLM

SMB1::Trans2_Args
Type

record

total_param_count: count

Total parameter count

total_data_count: count

Total data count

max_param_count: count

Max parameter count

max_data_count: count

Max data count

max_setup_count: count

Max setup count

flags: count

Flags

trans_timeout: count

Timeout

param_count: count

Parameter count

param_offset: count

Parameter offset

data_count: count

Data count

data_offset: count

Data offset

setup_count: count

Setup count

SMB1::Trans2_Sec_Args
Type

record

total_param_count: count

Total parameter count

total_data_count: count

Total data count

param_count: count

Parameter count

param_offset: count

Parameter offset

param_displacement: count

Parameter displacement

data_count: count

Data count

data_offset: count

Data offset

data_displacement: count

Data displacement

FID: count

File ID

SMB1::Trans_Sec_Args
Type

record

total_param_count: count

Total parameter count

total_data_count: count

Total data count

param_count: count

Parameter count

param_offset: count

Parameter offset

param_displacement: count

Parameter displacement

data_count: count

Data count

data_offset: count

Data offset

data_displacement: count

Data displacement

SMB2::CloseResponse
Type

record

alloc_size: count

The size, in bytes, of the data that is allocated to the file.

eof: count

The size, in bytes, of the file.

times: SMB::MACTimes

The creation, last access, last write, and change times.

attrs: SMB2::FileAttrs

The attributes of the file.

The response to an SMB2 close request, which is used by the client to close an instance of a file that was opened previously.

For more information, see MS-SMB2:2.2.16


SMB2::CompressionCapabilities
Type

record

alg_count: count

The number of algorithms.

algs: vector of count

An array of compression algorithms.

Compression information as defined in SMB v. 3.1.1

For more information, see MS-SMB2:2.3.1.3

SMB2::CreateRequest
Type

record

filename: string

Name of the file

disposition: count

Defines the action the server MUST take if the file that is specified already exists.

create_options: count

Specifies the options to be applied when creating or opening the file.

The request sent by the client to request either creation of or access to a file.

For more information, see MS-SMB2:2.2.13


SMB2::CreateResponse
Type

record

file_id: SMB2::GUID

The SMB2 GUID for the file.

size: count

Size of the file.

times: SMB::MACTimes

Timestamps associated with the file in question.

attrs: SMB2::FileAttrs

File attributes.

create_action: count

The action taken in establishing the open.

The response to an SMB2 create_request request, which is sent by the client to request either creation of or access to a file.

For more information, see MS-SMB2:2.2.14


SMB2::EncryptionCapabilities
Type

record

cipher_count: count

The number of ciphers.

ciphers: vector of count

An array of ciphers.

Encryption information as defined in SMB v. 3.1.1

For more information, see MS-SMB2:2.3.1.2

SMB2::FileAttrs
Type

record

read_only: bool

The file is read only. Applications can read the file but cannot write to it or delete it.

hidden: bool

The file is hidden. It is not to be included in an ordinary directory listing.

system: bool

The file is part of or is used exclusively by the operating system.

directory: bool

The file is a directory.

archive: bool

The file has not been archived since it was last modified. Applications use this attribute to mark files for backup or removal.

normal: bool

The file has no other attributes set. This attribute is valid only if used alone.

temporary: bool

The file is temporary. This is a hint to the cache manager that it does not need to flush the file to backing storage.

sparse_file: bool

A file that is a sparse file.

reparse_point: bool

A file or directory that has an associated reparse point.

compressed: bool

The file or directory is compressed. For a file, this means that all of the data in the file is compressed. For a directory, this means that compression is the default for newly created files and subdirectories.

offline: bool

The data in this file is not available immediately. This attribute indicates that the file data is physically moved to offline storage. This attribute is used by Remote Storage, which is hierarchical storage management software.

not_content_indexed: bool

A file or directory that is not indexed by the content indexing service.

encrypted: bool

A file or directory that is encrypted. For a file, all data streams in the file are encrypted. For a directory, encryption is the default for newly created files and subdirectories.

integrity_stream: bool

A file or directory that is configured with integrity support. For a file, all data streams in the file have integrity support. For a directory, integrity support is the default for newly created files and subdirectories, unless the caller specifies otherwise.

no_scrub_data: bool

A file or directory that is configured to be excluded from the data integrity scan.

A series of boolean flags describing basic and extended file attributes for SMB2.

For more information, see MS-CIFS:2.2.1.2.3 and MS-FSCC:2.6


SMB2::FileEA
Type

record

ea_name: string

Specifies the extended attribute name

ea_value: string

Contains the extended attribute value

This information class is used to query or set extended attribute (EA) information for a file.

For more information, see MS-SMB2:2.2.39 and MS-FSCC:2.4.15

SMB2::FileEAs
Type

vector of SMB2::FileEA

A vector of extended attribute (EA) information for a file.

For more information, see MS-SMB2:2.2.39 and MS-FSCC:2.4.15

SMB2::Fscontrol
Type

record

free_space_start_filtering: int

Minimum amount of free disk space required to begin document filtering.

free_space_threshold: int

Minimum amount of free disk space required to continue filtering documents and merging word lists.

free_space_stop_filtering: int

Minimum amount of free disk space required to continue content filtering.

delete_quota_threshold: count

Default per-user disk quota.

default_quota_limit: count

Default per-user disk limit.

fs_control_flags: count

File system control flags, passed as an unsigned int.

A series of integer flags used to set quota and content indexing control information for a file system volume in SMB2.

For more information, see MS-SMB2:2.2.39 and MS-FSCC:2.5.2

SMB2::GUID
Type

record

persistent: count

A file handle that remains persistent when reconnected after a disconnect

volatile: count

A file handle that can be changed when reconnected after a disconnect

An SMB2 globally unique identifier which identifies a file.

For more information, see MS-SMB2:2.2.14.1


SMB2::Header
Type

record

credit_charge: count

The number of credits that this request consumes

status: count

In a request, this is an indication to the server about the client’s channel change. In a response, this is the status field

command: count

The command code of the packet

credits: count

The number of credits the client is requesting, or the number of credits granted to the client in a response.

flags: count

A flags field, which indicates how to process the operation (e.g. asynchronously)

message_id: count

A value that uniquely identifies the message request/response pair across all messages that are sent on the same transport protocol connection

process_id: count

A value that uniquely identifies the process that generated the event.

tree_id: count

A value that uniquely identifies the tree connect for the command.

session_id: count

A value that uniquely identifies the established session for the command.

signature: string

The 16-byte signature of the message, if SMB2_FLAGS_SIGNED is set in the flags field.

An SMB2 header.

For more information, see MS-SMB2:2.2.1.1 and MS-SMB2:2.2.1.2


SMB2::NegotiateContextValue
Type

record

context_type: count

Specifies the type of context (preauth or encryption).

data_length: count

The length in bytes of the data field.

preauth_info: SMB2::PreAuthIntegrityCapabilities &optional

The preauthentication information.

encryption_info: SMB2::EncryptionCapabilities &optional

The encryption information.

compression_info: SMB2::CompressionCapabilities &optional

The compression information.

netname: string &optional

Indicates the server name the client must connect to.

The context type information as defined in SMB v. 3.1.1

For more information, see MS-SMB2:2.3.1

SMB2::NegotiateContextValues
Type

vector of SMB2::NegotiateContextValue

SMB2::NegotiateResponse
Type

record

dialect_revision: count

The preferred common SMB2 Protocol dialect number from the array that was sent in the SMB2 NEGOTIATE Request.

security_mode: count

The security mode field specifies whether SMB signing is enabled, required at the server, or both.

server_guid: SMB2::GUID

A globally unique identifier that is generated by the server to uniquely identify the server.

system_time: time

The system time of the SMB2 server when the SMB2 NEGOTIATE Request was processed.

server_start_time: time

The SMB2 server start time.

negotiate_context_count: count

The number of negotiate context values in SMB v. 3.1.1, otherwise reserved to 0.

negotiate_context_values: SMB2::NegotiateContextValues

An array of context values in SMB v. 3.1.1.

The response to an SMB2 negotiate request, which is used by the client to notify the server what dialects of the SMB2 protocol the client understands.

For more information, see MS-SMB2:2.2.4

SMB2::PreAuthIntegrityCapabilities
Type

record

hash_alg_count: count

The number of hash algorithms.

salt_length: count

The salt length.

hash_alg: vector of count

An array of hash algorithms (counts).

salt: string

The salt.

Preauthentication information as defined in SMB v. 3.1.1

For more information, see MS-SMB2:2.3.1.1

SMB2::SessionSetupFlags
Type

record

guest: bool

If set, the client has been authenticated as a guest user.

anonymous: bool

If set, the client has been authenticated as an anonymous user.

encrypt: bool

If set, the server requires encryption of messages on this session.

A flags field that indicates additional information about the session that’s sent in the session_setup response.

For more information, see MS-SMB2:2.2.6

SMB2::SessionSetupRequest
Type

record

security_mode: count

The security mode field specifies whether SMB signing is enabled or required at the client.

The request sent by the client to request a new authenticated session within a new or existing SMB 2 Protocol transport connection to the server.

For more information, see MS-SMB2:2.2.5

SMB2::SessionSetupResponse
Type

record

flags: SMB2::SessionSetupFlags

Additional information about the session

The response to an SMB2 session_setup request, which is sent by the client to request a new authenticated session within a new or existing SMB 2 Protocol transport connection to the server.

For more information, see MS-SMB2:2.2.6

SMB2::Transform_header
Type

record

signature: string

The 16-byte signature of the encrypted message, generated by using Session.EncryptionKey.

nonce: string

An implementation specific value assigned for every encrypted message.

orig_msg_size: count

The size, in bytes, of the SMB2 message.

flags: count

A flags field, interpreted in different ways depending on the SMB2 dialect.

session_id: count

A value that uniquely identifies the established session for the command.

An SMB2 transform header (for SMB 3.x dialects with encryption enabled).

For more information, see MS-SMB2:2.2.41

SMB2::TreeConnectResponse
Type

record

share_type: count

The type of share being accessed. Physical disk, named pipe, or printer.

The response to an SMB2 tree_connect request, which is sent by the client to request access to a particular share on the server.

For more information, see MS-SMB2:2.2.9

SMB::MACTimes
Type

record

modified: time &log

The time when data was last written to the file.

modified_raw: count

Same as modified but in SMB’s original FILETIME integer format.

accessed: time &log

The time when the file was last accessed.

accessed_raw: count

Same as accessed but in SMB’s original FILETIME integer format.

created: time &log

The time the file was created.

created_raw: count

Same as created but in SMB’s original FILETIME integer format.

changed: time &log

The time when the file was last modified.

changed_raw: count

Same as changed but in SMB’s original FILETIME integer format.

MAC times for a file.

For more information, see MS-SMB2:2.2.16

SNMP::Binding
Type

record

oid: string

value: SNMP::ObjectValue

The VarBind data structure from either RFC 1157 or RFC 3416, which maps an Object Identifier to a value.

SNMP::Bindings
Type

vector of SNMP::Binding

A VarBindList data structure from either RFC 1157 or RFC 3416. A sequence of SNMP::Binding, which maps OIDs to values.

SNMP::BulkPDU
Type

record

request_id: int

non_repeaters: count

max_repititions: count

bindings: SNMP::Bindings

A BulkPDU data structure from RFC 3416.

SNMP::Header
Type

record

version: count

v1: SNMP::HeaderV1 &optional

Set when version is 0.

v2: SNMP::HeaderV2 &optional

Set when version is 1.

v3: SNMP::HeaderV3 &optional

Set when version is 3.

A generic SNMP header data structure that may include data from any version of SNMP. The value of the version field determines what header field is initialized.

SNMP::HeaderV1
Type

record

community: string

The top-level message data structure of an SNMPv1 datagram, not including the PDU data. See RFC 1157.

SNMP::HeaderV2
Type

record

community: string

The top-level message data structure of an SNMPv2 datagram, not including the PDU data. See RFC 1901.

SNMP::HeaderV3
Type

record

id: count

max_size: count

flags: count

auth_flag: bool

priv_flag: bool

reportable_flag: bool

security_model: count

security_params: string

pdu_context: SNMP::ScopedPDU_Context &optional

The top-level message data structure of an SNMPv3 datagram, not including the PDU data. See RFC 3412.

SNMP::ObjectValue
Type

record

tag: count

oid: string &optional

signed: int &optional

unsigned: count &optional

address: addr &optional

octets: string &optional

A generic SNMP object value that may hold any of the valid ObjectSyntax values from RFC 1155 or RFC 3416. The value is decoded whenever possible and assigned to the appropriate field, which can be determined from the value of the tag field. For tags that can’t be mapped to an appropriate type, the octets field holds the BER encoded ASN.1 content if there is any (though octets may also be used for other tags such as OCTET STRING or Opaque). Null values will only have their corresponding tag value set.

SNMP::PDU
Type

record

request_id: int

error_status: int

error_index: int

bindings: SNMP::Bindings

A PDU data structure from either RFC 1157 or RFC 3416.

SNMP::ScopedPDU_Context
Type

record

engine_id: string

name: string

The ScopedPduData data structure of an SNMPv3 datagram, not including the PDU data (i.e. just the “context” fields). See RFC 3412.

SNMP::TrapPDU
Type

record

enterprise: string

agent: addr

generic_trap: int

specific_trap: int

time_stamp: count

bindings: SNMP::Bindings

A Trap-PDU data structure from RFC 1157.

SOCKS::Address
Type

record

host: addr &optional &log

name: string &optional &log

Attributes

&log

This record is for a SOCKS client or server to provide either a name or an address to represent a desired or established connection.

SSH::Algorithm_Prefs
Type

record

client_to_server: vector of string &optional

The algorithm preferences for client to server communication

server_to_client: vector of string &optional

The algorithm preferences for server to client communication

The client and server each have some preferences for the algorithms used in each direction.

SSH::Capabilities
Type

record

kex_algorithms: string_vec

Key exchange algorithms

server_host_key_algorithms: string_vec

The algorithms supported for the server host key

encryption_algorithms: SSH::Algorithm_Prefs

Symmetric encryption algorithm preferences

mac_algorithms: SSH::Algorithm_Prefs

Symmetric MAC algorithm preferences

compression_algorithms: SSH::Algorithm_Prefs

Compression algorithm preferences

languages: SSH::Algorithm_Prefs &optional

Language preferences

is_server: bool

Are these the capabilities of the server?

This record lists the preferences of an SSH endpoint for algorithm selection. During the initial SSH key exchange, each endpoint lists the algorithms that it supports, in order of preference. See RFC 4253#section-7.1 for details.

SSL::PSKIdentity
Type

record

identity: string

PSK identity

obfuscated_ticket_age: count

SSL::SignatureAndHashAlgorithm
Type

record

HashAlgorithm: count

Hash algorithm number

SignatureAlgorithm: count

Signature algorithm number

SYN_packet
Type

record

is_orig: bool

True if the packet was sent by the connection’s originator.

DF: bool

True if the don’t fragment flag is set in the IP header.

ttl: count

The IP header’s time-to-live.

size: count

The size of the packet’s payload as specified in the IP header.

win_size: count

The window size from the TCP header.

win_scale: int

The window scale option if present, or -1 if not.

MSS: count

The maximum segment size if present, or 0 if not.

SACK_OK: bool

True if the SACK option is present.

TSval: count &optional

The TCP TS value if present.

TSecr: count &optional

The TCP TS echo reply if present.

Fields of a SYN packet.

TCP::Option
Type

record

kind: count

The kind number associated with the option. Other optional fields of this record may be set depending on this value.

length: count

The total length of the option in bytes, including the kind byte and length byte (if present).

data: string &optional

This field is set to the raw option bytes if the kind is not otherwise known/parsed. It’s also set for known kinds whose length was invalid.

mss: count &optional

Kind 2: Maximum Segment Size.

window_scale: count &optional

Kind 3: Window scale.

sack: index_vec &optional

Kind 5: Selective ACKnowledgement (SACK). This is a list of 2, 4, 6, or 8 numbers with each consecutive pair being a 32-bit begin-pointer and 32-bit end pointer.

send_timestamp: count &optional

Kind 8: 4-byte sender timestamp value.

echo_timestamp: count &optional

Kind 8: 4-byte echo reply timestamp value.

A TCP Option field parsed from a TCP header.

TCP::OptionList
Type

vector of TCP::Option

The full list of TCP Option fields parsed from a TCP header.
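As an added example (not part of the Zeek documentation) covering the SYN_packet and TCP::Option records above: a script that walks each parsed option list, reports options whose length Zeek rejected, unpacks the flat SACK vector into begin/end pairs, and summarizes the SYN fields using their documented "absent" encodings. The TcpOptCheck module name is hypothetical; the event names and record fields are Zeek's.

```zeek
module TcpOptCheck;

# Option kinds that Zeek parses into dedicated fields (mss, window_scale,
# sack, send_timestamp/echo_timestamp). For these, a set data field means
# the length byte was invalid rather than the kind being unknown.
const parsed_kinds: set[count] = { 2, 3, 5, 8 };

# Raised once per TCP header that carries options.
event tcp_options(c: connection, is_orig: bool, options: TCP::OptionList)
    {
    local dir = is_orig ? "orig" : "resp";

    for ( i in options )
        {
        local opt = options[i];

        # Known kind but raw bytes retained: the option was malformed.
        if ( opt?$data && opt$kind in parsed_kinds )
            {
            print fmt("%s %s malformed option kind=%d length=%d",
                      c$uid, dir, opt$kind, opt$length);
            next;
            }

        if ( opt?$mss )
            print fmt("%s %s MSS=%d", c$uid, dir, opt$mss);

        if ( opt?$sack )
            {
            # sack is a flat vector of 2, 4, 6 or 8 values:
            # begin0, end0, begin1, end1, ...
            local j = 0;
            while ( j + 1 < |opt$sack| )
                {
                print fmt("%s %s SACK block %d-%d",
                          c$uid, dir, opt$sack[j], opt$sack[j + 1]);
                j += 2;
                }
            }
        }
    }

# Raised once per SYN. Absent options are encoded as -1 (win_scale),
# 0 (MSS) or an unset field (TSval/TSecr), so they must be tested that way.
event connection_SYN_packet(c: connection, pkt: SYN_packet)
    {
    local who = pkt$is_orig ? "orig" : "resp";
    local ts = pkt?$TSval ? fmt("%d", pkt$TSval) : "none";
    print fmt("%s %s SYN ttl=%d df=%s win=%d wscale=%d mss=%d sack_ok=%s tsval=%s",
              c$uid, who, pkt$ttl, pkt$DF, pkt$win_size, pkt$win_scale,
              pkt$MSS, pkt$SACK_OK, ts);
    }
```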

ThreadStats
Type

record

num_threads: count

Statistics about threads.

TimerStats
Type

record

current: count

Current number of pending timers.

max: count

Maximum number of concurrent timers pending so far.

cumulative: count

Cumulative number of timers scheduled.

Statistics of timers.

Tunnel::EncapsulatingConn
Type

record

cid: conn_id &log

The 4-tuple of the encapsulating “connection”. In case of an IP-in-IP tunnel the ports will be set to 0. The direction (i.e., orig and resp) is set according to the first tunneled packet seen and not according to the side that established the tunnel.

tunnel_type: Tunnel::Type &log

The type of tunnel.

uid: string &optional &log

A globally unique identifier that, for non-IP-in-IP tunnels, cross-references the uid field of connection.

Attributes

&log

Records the identity of an encapsulating parent of a tunneled connection.

Unified2::IDSEvent
Type

record

sensor_id: count

event_id: count

ts: time

signature_id: count

generator_id: count

signature_revision: count

classification_id: count

priority_id: count

src_ip: addr

dst_ip: addr

src_p: port

dst_p: port

impact_flag: count

impact: count

blocked: count

mpls_label: count &optional

Not available in “legacy” IDS events.

vlan_id: count &optional

Not available in “legacy” IDS events.

packet_action: count &optional

Only available in “legacy” IDS events.

Unified2::Packet
Type

record

sensor_id: count

event_id: count

event_second: count

packet_ts: time

link_type: count

data: string

X509::BasicConstraints
Type

record

ca: bool &log

CA flag set?

path_len: count &optional &log

Maximum path length

Attributes

&log

X509::Certificate
Type

record

version: count &log

Version number.

serial: string &log

Serial number.

subject: string &log

Subject.

issuer: string &log

Issuer.

cn: string &optional

Last (most specific) common name.

not_valid_before: time &log

Timestamp before which the certificate is not valid.

not_valid_after: time &log

Timestamp after which the certificate is not valid.

key_alg: string &log

Name of the key algorithm

sig_alg: string &log

Name of the signature algorithm

key_type: string &optional &log

Key type, if the key is parseable by OpenSSL (either rsa, dsa or ec)

key_length: count &optional &log

Key length in bits

exponent: string &optional &log

Exponent, if RSA certificate

curve: string &optional &log

Curve, if EC certificate
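
As an added example (not from the Zeek documentation) of consuming the X509::Certificate record: a handler for the x509_certificate event that raises notices for short RSA keys and for unusually long validity periods, taking care that key_type, key_length and exponent are optional. The CertCheck module, the two notice types and the thresholds are hypothetical choices, not Zeek defaults.

```zeek
@load base/frameworks/notice
@load base/files/x509

module CertCheck;

export {
    redef enum Notice::Type += {
        ## Certificate carries an RSA key shorter than min_rsa_bits.
        Weak_RSA_Key,
        ## Certificate validity period exceeds max_validity.
        Long_Validity
    };

    # Illustrative thresholds (assumptions, not Zeek defaults).
    const min_rsa_bits = 2048 &redef;
    const max_validity = 398 days &redef;
}

# Raised for every certificate Zeek parses, e.g. from TLS handshakes.
event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate)
    {
    # key_type and key_length are only set when OpenSSL could parse the key,
    # so test for presence before reading them.
    if ( cert?$key_type && cert$key_type == "rsa" && cert?$key_length
         && cert$key_length < min_rsa_bits )
        NOTICE([$note=Weak_RSA_Key, $f=f,
                $msg=fmt("%d-bit RSA key, exponent %s, subject %s",
                         cert$key_length,
                         cert?$exponent ? cert$exponent : "?",
                         cert$subject)]);

    # not_valid_before/not_valid_after are always present; their difference
    # is the validity period as an interval.
    local validity = cert$not_valid_after - cert$not_valid_before;
    if ( validity > max_validity )
        NOTICE([$note=Long_Validity, $f=f,
                $msg=fmt("valid for %s: %s (serial %s, issuer %s)",
                         validity, cert$subject, cert$serial, cert$issuer)]);
    }
```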

X509::Extension
Type

record

name: string

Long name of extension. oid if name not known

short_name: string &optional

Short name of extension if known

oid: string

Oid of extension

critical: bool

True if extension is critical

value: string

Extension content parsed to string for known extensions. Raw data otherwise.

X509::Result
Type

record

result: int

OpenSSL result code

result_string: string

Result as string

chain_certs: vector of opaque of x509 &optional

References to the final certificate chain, if verification successful. End-host certificate is first.

Result of an X509 certificate chain verification

X509::SubjectAlternativeName
Type

record

dns: string_vec &optional &log

List of DNS entries in SAN

uri: string_vec &optional &log

List of URI entries in SAN

email: string_vec &optional &log

List of email entries in SAN

ip: addr_vec &optional &log

List of IP entries in SAN

other_fields: bool

True if the certificate contained other name fields that were not recognized or parsed

addr_set
Type

set [addr]

A set of addresses.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

addr_vec
Type

vector of addr

A vector of addresses.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

any_vec
Type

vector of any

A vector of any, used by some builtin functions to store a list of varying types.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

bittorrent_benc_dir
Type

table [string] of bittorrent_benc_value

A table of BitTorrent “benc” values.

bittorrent_benc_value
Type

record

i: int &optional

TODO.

s: string &optional

TODO.

d: string &optional

TODO.

l: string &optional

TODO.

BitTorrent “benc” value. Note that “benc” = Bencode (“Bee-Encode”), per http://en.wikipedia.org/wiki/Bencode.

bittorrent_peer
Type

record

h: addr

The peer’s address.

p: port

The peer’s port.

A BitTorrent peer.

bittorrent_peer_set
Type

set [bittorrent_peer]

A set of BitTorrent peers.

bt_tracker_headers
Type

table [string] of string

Header table type used by BitTorrent analyzer.

call_argument
Type

record

name: string

The name of the parameter.

type_name: string

The name of the parameter’s type.

default_val: any &optional

The value of the &default attribute if defined.

value: any &optional

The value of the parameter as passed into a given call instance. Might be unset in the case a &default attribute is defined.

Meta-information about a parameter to a function/event.

call_argument_vector
Type

vector of call_argument

Vector type used to capture parameters of a function/event call.

conn_id
Type

record

orig_h: addr &log

The originator’s IP address.

orig_p: port &log

The originator’s port number.

resp_h: addr &log

The responder’s IP address.

resp_p: port &log

The responder’s port number.

Attributes

&log

A connection’s identifying 4-tuple of endpoints and ports.

Note

It’s actually a 5-tuple: the transport-layer protocol is stored as part of the port values, orig_p and resp_p, and can be extracted from them with get_port_transport_proto.

Note

For explanation of Zeek’s “originator” and “responder” terminology, see the manual’s description of the connection record.

connection
Type

record

id: conn_id

The connection’s identifying 4-tuple.

orig: endpoint

Statistics about originator side.

resp: endpoint

Statistics about responder side.

start_time: time

The timestamp of the connection’s first packet.

duration: interval

The duration of the conversation. Roughly speaking, this is the interval between first and last data packet (low-level TCP details may adjust it somewhat in ambiguous cases).

service: set [string]

The set of services the connection is using as determined by Zeek’s dynamic protocol detection. Each entry is the label of an analyzer that confirmed that it could parse the connection payload. While typically there will be at most one entry for each connection, in principle it is possible that more than one protocol analyzer is able to parse the same data. If so, all will be recorded. Also note that the recorded services are independent of any transport-level protocols.

history: string

State history of connections. See history in Conn::Info.

uid: string

A globally unique connection identifier. For each connection, Zeek creates an ID that is very likely unique across independent Zeek runs. These IDs can thus be used to tag and locate information associated with that connection.

tunnel: EncapsulatingConnVector &optional

If the connection is tunneled, this field contains information about the encapsulating “connection(s)” with the outermost one starting at index zero. It’s also always the first such encapsulation seen for the connection unless the tunnel_changed event is handled and reassigns this field to the new encapsulation.

vlan: int &optional

The outer VLAN, if applicable for this connection.

inner_vlan: int &optional

The inner VLAN, if applicable for this connection.

dpd: DPD::Info &optional

(present if base/frameworks/dpd/main.zeek is loaded)

dpd_state: DPD::State &optional

(present if base/frameworks/dpd/main.zeek is loaded)

removal_hooks: set [Conn::RemovalHook] &optional

(present if base/protocols/conn/removal-hooks.zeek is loaded)

conn: Conn::Info &optional

(present if base/protocols/conn/main.zeek is loaded)

extract_orig: bool &default = Conn::default_extract &optional

(present if base/protocols/conn/contents.zeek is loaded)

extract_resp: bool &default = Conn::default_extract &optional

(present if base/protocols/conn/contents.zeek is loaded)

thresholds: ConnThreshold::Thresholds &optional

(present if base/protocols/conn/thresholds.zeek is loaded)

dce_rpc: DCE_RPC::Info &optional

(present if base/protocols/dce-rpc/main.zeek is loaded)

dce_rpc_state: DCE_RPC::State &optional

(present if base/protocols/dce-rpc/main.zeek is loaded)

dce_rpc_backing: table [count] of DCE_RPC::BackingState &optional

(present if base/protocols/dce-rpc/main.zeek is loaded)

dhcp: DHCP::Info &optional

(present if base/protocols/dhcp/main.zeek is loaded)

dnp3: DNP3::Info &optional

(present if base/protocols/dnp3/main.zeek is loaded)

dns: DNS::Info &optional

(present if base/protocols/dns/main.zeek is loaded)

dns_state: DNS::State &optional

(present if base/protocols/dns/main.zeek is loaded)

ftp: FTP::Info &optional

(present if base/protocols/ftp/main.zeek is loaded)

ftp_data_reuse: bool &default = F &optional

(present if base/protocols/ftp/main.zeek is loaded)

ssl: SSL::Info &optional

(present if base/protocols/ssl/main.zeek is loaded)

http: HTTP::Info &optional

(present if base/protocols/http/main.zeek is loaded)

http_state: HTTP::State &optional

(present if base/protocols/http/main.zeek is loaded)

irc: IRC::Info &optional

(present if base/protocols/irc/main.zeek is loaded)

IRC session information.

krb: KRB::Info &optional

(present if base/protocols/krb/main.zeek is loaded)

modbus: Modbus::Info &optional

(present if base/protocols/modbus/main.zeek is loaded)

mysql: MySQL::Info &optional

(present if base/protocols/mysql/main.zeek is loaded)

ntlm: NTLM::Info &optional

(present if base/protocols/ntlm/main.zeek is loaded)

ntp: NTP::Info &optional

(present if base/protocols/ntp/main.zeek is loaded)

radius: RADIUS::Info &optional

(present if base/protocols/radius/main.zeek is loaded)

rdp: RDP::Info &optional

(present if base/protocols/rdp/main.zeek is loaded)

rfb: RFB::Info &optional

(present if base/protocols/rfb/main.zeek is loaded)

sip: SIP::Info &optional

(present if base/protocols/sip/main.zeek is loaded)

sip_state: SIP::State &optional

(present if base/protocols/sip/main.zeek is loaded)

snmp: SNMP::Info &optional

(present if base/protocols/snmp/main.zeek is loaded)

smb_state: SMB::State &optional

(present if base/protocols/smb/main.zeek is loaded)

smtp: SMTP::Info &optional

(present if base/protocols/smtp/main.zeek is loaded)

smtp_state: SMTP::State &optional

(present if base/protocols/smtp/main.zeek is loaded)

socks: SOCKS::Info &optional

(present if base/protocols/socks/main.zeek is loaded)

ssh: SSH::Info &optional

(present if base/protocols/ssh/main.zeek is loaded)

syslog: Syslog::Info &optional

(present if base/protocols/syslog/main.zeek is loaded)

known_services_done: bool &default = F &optional

(present if policy/protocols/conn/known-services.zeek is loaded)

mqtt: MQTT::ConnectInfo &optional

(present if policy/protocols/mqtt/main.zeek is loaded)

mqtt_state: MQTT::State &optional

(present if policy/protocols/mqtt/main.zeek is loaded)

speculative_service: set [string] &default = {  } &optional

(present if policy/protocols/conn/speculative-service.zeek is loaded)

A connection. This is Zeek’s basic connection type describing IP- and transport-layer information about the conversation. Note that Zeek uses a liberal interpretation of “connection” and associates instances of this type also with UDP and ICMP flows.
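
As an added example (not from the Zeek documentation) that ties the conn_id note and the connection record together: a handler that recovers the transport protocol hidden in the port values, notices when dynamic protocol detection confirmed more than one service on a connection, and reports the outermost tunnel encapsulation when one is present. The ConnSummary module and the Multiple_Services notice type are hypothetical names; the functions and record fields are Zeek's.

```zeek
@load base/frameworks/notice

module ConnSummary;

export {
    redef enum Notice::Type += {
        ## More than one protocol analyzer confirmed itself on one connection.
        Multiple_Services
    };
}

# Render a conn_id as the 5-tuple it really is: the transport protocol is
# not a separate field but is carried inside the port values.
function describe_id(id: conn_id): string
    {
    local proto = get_port_transport_proto(id$resp_p);
    return fmt("%s:%d -> %s:%d/%s", id$orig_h, port_to_count(id$orig_p),
               id$resp_h, port_to_count(id$resp_p), proto);
    }

# Raised when Zeek removes a connection from its state table, i.e. once
# service, history and duration have their final values.
event connection_state_remove(c: connection)
    {
    local summary = describe_id(c$id);

    # service is a set of analyzer labels; usually empty or a single entry,
    # but several analyzers can confirm on the same payload.
    if ( |c$service| > 1 )
        NOTICE([$note=Multiple_Services, $conn=c,
                $msg=fmt("%s: %s", summary, join_string_set(c$service, ","))]);

    # tunnel is only present for encapsulated traffic; index 0 is the
    # outermost encapsulation unless a tunnel_changed handler reassigned it.
    if ( c?$tunnel && |c$tunnel| > 0 )
        {
        local outer = c$tunnel[0];
        print fmt("%s %s via %s tunnel %s", c$uid, summary,
                  outer$tunnel_type, describe_id(outer$cid));
        }
    else
        print fmt("%s %s history=%s duration=%s", c$uid, summary,
                  c$history, c$duration);
    }
```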

count_set
Type

set [count]

A set of counts.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

dns_answer
Type

record

answer_type: count

Answer type. One of DNS_QUERY, DNS_ANS, DNS_AUTH and DNS_ADDL.

query: string

Query.

qtype: count

Query type.

qclass: count

Query class.

TTL: interval

Time-to-live.

The general part of a DNS reply.

dns_binds_rr
Type

record

query: string

Query.

answer_type: count

Answer type.

algorithm: count

Algorithm for Public Key.

key_id: count

Key tag.

removal_flag: count

Removal flag.

complte_flag: string

Complete flag.

is_query: count

The RR is a query/Response.

A Private RR type BINDS record.

dns_dnskey_rr
Type

record

query: string

Query.

answer_type: count

Answer type.

flags: count

Flags field.

protocol: count

Protocol, should be always 3 for DNSSEC.

algorithm: count

Algorithm for Public Key.

public_key: string

Public Key

is_query: count

The RR is a query/Response.

A DNSSEC DNSKEY record.

dns_ds_rr
Type

record

query: string

Query.

answer_type: count

Answer type.

key_tag: count

Flags field.

algorithm: count

Algorithm for Public Key.

digest_type: count

Digest Type.

digest_val: string

Digest Value.

is_query: count

The RR is a query/Response.

A DNSSEC DS record.

dns_edns_additional
Type

record

query: string

Query.

qtype: count

Query type.

t: count

TODO.

payload_size: count

TODO.

extended_rcode: count

Extended return code.

version: count

Version.

z_field: count

TODO.

TTL: interval

Time-to-live.

is_query: count

TODO.

An additional DNS EDNS record.

Type

record

client_cookie: string

Cookie from the client (fixed 8 bytes).

server_cookie: string &default = "" &optional

Cookie from the server (0 bytes if missing, or 8 to 32 bytes).

A DNS EDNS COOKIE (COOKIE) record.

dns_edns_ecs
Type

record

family: string

IP Family

source_prefix_len: count

Source Prefix Length.

scope_prefix_len: count

Scope Prefix Length.

address: addr

Client Subnet Address.

A DNS EDNS Client Subnet (ECS) record.

dns_edns_tcp_keepalive
Type

record

keepalive_timeout_omitted: bool

Whether timeout value is omitted.

keepalive_timeout: count

Timeout value, in 100ms.

A DNS EDNS TCP KEEPALIVE (TCP KEEPALIVE) record.

dns_loc_rr
Type

record

query: string

Query.

answer_type: count

Answer type.

version: count

Version number of the representation.

size: count

Diameter of a sphere enclosing the entity.

horiz_pre: count

The horizontal precision of the data, in centimeters.

vert_pre: count

The vertical precision of the data, in centimeters.

latitude: count

The latitude of the center of the sphere.

longitude: count

The longitude of the center of the sphere.

altitude: count

The altitude of the center of the sphere.

is_query: count

The RR is a query/Response.

A Private RR type LOC record.

dns_mapping
Type

record

creation_time: time

The time when the mapping was created, which corresponds to when the DNS query was sent out.

req_host: string

If the mapping is the result of a name lookup, the queried host name; otherwise empty.

req_addr: addr

If the mapping is the result of a pointer lookup, the queried address; otherwise null.

valid: bool

True if the lookup returned success. Only then are the result fields valid.

hostname: string

If the mapping is the result of a pointer lookup, the resolved hostname; otherwise empty.

addrs: addr_set

If the mapping is the result of an address lookup, the resolved address(es); otherwise empty.

dns_msg
Type

record

id: count

Transaction ID.

opcode: count

Operation code.

rcode: count

Return code.

QR: bool

Query response flag.

AA: bool

Authoritative answer flag.

TC: bool

Truncated packet flag.

RD: bool

Recursion desired flag.

RA: bool

Recursion available flag.

Z: count

TODO.

num_queries: count

Number of query records.

num_answers: count

Number of answer records.

num_auth: count

Number of authoritative records.

num_addl: count

Number of additional records.

A DNS message.

dns_nsec3_rr
Type

record

query: string

Query.

answer_type: count

Answer type.

nsec_flags: count

flags field.

nsec_hash_algo: count

Hash algorithm.

nsec_iter: count

Iterations.

nsec_salt_len: count

Salt length.

nsec_salt: string

Salt value

nsec_hlen: count

Hash length.

nsec_hash: string

Hash value.

bitmaps: string_vec

Type Bit Maps.

is_query: count

The RR is a query/Response.

A DNSSEC NSEC3 record.

dns_nsec3param_rr
Type

record

query: string

Query.

answer_type: count

Answer type.

nsec_flags: count

flags field.

nsec_hash_algo: count

Hash algorithm.

nsec_iter: count

Iterations.

nsec_salt_len: count

Salt length.

nsec_salt: string

Salt value

is_query: count

The RR is a query/Response.

A DNSSEC NSEC3PARAM record.

dns_rrsig_rr
Type

record

query: string

Query.

answer_type: count

Answer type.

type_covered: count

qtype covered by RRSIG RR.

algorithm: count

Algorithm.

labels: count

Labels in the owner’s name.

orig_ttl: interval

Original TTL.

sig_exp: time

Time when signed RR expires.

sig_incep: time

Time when signed.

key_tag: count

Key tag value.

signer_name: string

Signature.

signature: string

Hash of the RRDATA.

is_query: count

The RR is a query/Response.

A DNSSEC RRSIG record.

dns_soa
Type

record

mname: string

Primary source of data for zone.

rname: string

Mailbox for responsible person.

serial: count

Version number of zone.

refresh: interval

Seconds before refreshing.

retry: interval

How long before retrying failed refresh.

expire: interval

When zone no longer authoritative.

minimum: interval

Minimum TTL to use when exporting.

A DNS SOA record.

dns_svcb_rr
Type

record

svc_priority: count

Service priority for the current record. 0 indicates that the record is in AliasMode and cannot carry svc_params; otherwise it is in ServiceMode and may include svc_params.

target_name: string

Target name, the hostname of the service endpoint.

DNS SVCB and HTTPS RRs

dns_tsig_additional
Type

record

query: string

Query.

qtype: count

Query type.

alg_name: string

Algorithm name.

sig: string

Signature.

time_signed: time

Time when signed.

fudge: time

TODO.

orig_id: count

TODO.

rr_error: count

TODO.

is_query: count

TODO.

An additional DNS TSIG record.

double_vec
Type

vector of double

A vector of floating point numbers, used by telemetry builtin functions to store histogram bounds.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

endpoint
Type

record

size: count

Logical size of data sent (for TCP: derived from sequence numbers).

state: count

Endpoint state. For a TCP connection, one of the constants: TCP_INACTIVE TCP_SYN_SENT TCP_SYN_ACK_SENT TCP_PARTIAL TCP_ESTABLISHED TCP_CLOSED TCP_RESET. For UDP, one of UDP_ACTIVE and UDP_INACTIVE.

num_pkts: count &optional

Number of packets sent. Only set if use_conn_size_analyzer is true.

num_bytes_ip: count &optional

Number of IP-level bytes sent. Only set if use_conn_size_analyzer is true.

flow_label: count

The current IPv6 flow label that the connection endpoint is using. Always 0 if the connection is over IPv4.

l2_addr: string &optional

The link-layer address seen in the first packet (if available).

Statistics about a connection endpoint.

endpoint_stats
Type

record

num_pkts: count

Number of packets.

num_rxmit: count

Number of retransmissions.

num_rxmit_bytes: count

Number of retransmitted bytes.

num_in_order: count

Number of in-order packets.

num_OO: count

Number of out-of-order packets.

num_repl: count

Number of replicated packets (last packet was sent again).

endian_type: count

Endian type used by the endpoint, if it could be determined from the sequence numbers used. This is one of ENDIAN_UNKNOWN, ENDIAN_BIG, ENDIAN_LITTLE, and ENDIAN_CONFUSED.

Statistics about what a TCP endpoint sent.

entropy_test_result
Type

record

entropy: double

Information density.

chi_square: double

Chi-Square value.

mean: double

Arithmetic Mean.

monte_carlo_pi: double

Monte-carlo value for pi.

serial_correlation: double

Serial correlation coefficient.

Computed entropy values. The record captures a number of measures that are computed in parallel. See A Pseudorandom Number Sequence Test Program for more information; Zeek uses the same code.

fa_file
Type

record

id: string

A hash serving as the identifier associated with a single file.

parent_id: string &optional

Identifier associated with a container file from which this one was extracted as part of the file analysis.

source: string

An identification of the source of the file data. E.g. it may be a network protocol over which it was transferred, or a local file path including filename which was read, or some other input source. Examples are: “HTTP”, “SMTP”, “IRC_DATA”, or the filename, or even the full path and filename.

is_orig: bool &optional

If the source of this file is a network connection, this field may be set to indicate the directionality.

conns: table [conn_id] of connection &optional

The set of connections over which the file was transferred.

last_active: time

The time at which the last activity for the file was seen.

seen_bytes: count &default = 0 &optional

Number of bytes provided to the file analysis engine for the file.

total_bytes: count &optional

Total number of bytes that are supposed to comprise the full file.

missing_bytes: count &default = 0 &optional

The number of bytes in the file stream that were completely missed during the process of analysis, e.g. due to dropped packets.

overflow_bytes: count &default = 0 &optional

The number of bytes in the file stream that were not delivered to stream file analyzers. Generally, this consists of bytes that couldn’t be reassembled, either because reassembly simply isn’t enabled, or due to size limitations of the reassembly buffer.

timeout_interval: interval &default = default_file_timeout_interval &optional

The amount of time between receiving new data for this file that the analysis engine will wait before giving up on it.

bof_buffer_size: count &default = default_file_bof_buffer_size &optional

The number of bytes at the beginning of a file to save for later inspection in the bof_buffer field.

bof_buffer: string &optional

The content of the beginning of a file up to bof_buffer_size bytes. This is also the buffer that’s used for file/mime type detection.

info: Files::Info &optional

(present if base/frameworks/files/main.zeek is loaded)

ftp: FTP::Info &optional

(present if base/protocols/ftp/files.zeek is loaded)

http: HTTP::Info &optional

(present if base/protocols/http/entities.zeek is loaded)

irc: IRC::Info &optional

(present if base/protocols/irc/files.zeek is loaded)

pe: PE::Info &optional

(present if base/files/pe/main.zeek is loaded)

u2_events: table [count] of Unified2::IDSEvent &optional &create_expire = 5.0 secs &expire_func = function

(present if policy/files/unified2/main.zeek is loaded)

Recently received IDS events. This is primarily used for tying together Unified2 events and packets.

Attributes

&redef

File Analysis handle for a file that Zeek is analyzing. This holds information about, but not the content of, a conceptual “file”; essentially any byte stream that is e.g. pulled from a network connection or possibly some other input source. Note that fa_file is also used in cases where there isn’t a filename to be had.

fa_metadata
Type

record

mime_type: string &optional

The strongest matching MIME type if one was discovered.

mime_types: mime_matches &optional

All matching MIME types if any were discovered.

inferred: bool &default = T &optional

Specifies whether the MIME type was inferred using signatures, or provided directly by the protocol the file appeared in.

File Analysis metadata that’s been inferred about a particular file.
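As an added example (not part of the Zeek distribution or of this reference), the following script ties entropy_test_result, fa_file and fa_metadata together: in file_sniff, once the beginning-of-file buffer is full, it runs find_entropy over f$bof_buffer and raises a notice when the head of a file looks packed or encrypted. The notice name, the 7.4 bits-per-byte threshold and the set of exempted MIME types are assumptions chosen for the example.

```zeek
@load base/frameworks/notice
@load base/frameworks/files

module EntropyCheck;

export {
	redef enum Notice::Type += {
		## The buffered head of a file looks packed or encrypted.
		High_Entropy_File,
	};

	## Entropy in bits per byte above which the buffered head is flagged
	## (8.0 is the maximum). The value is an assumption for this example.
	const threshold = 7.4 &redef;

	## MIME types for which high entropy is normal and not worth a notice
	## (assumed list for this example).
	const expected_high_entropy: set[string] = {
		"application/zip", "application/gzip", "application/x-gzip",
		"image/jpeg", "image/png", "application/pdf"
	} &redef;
}

# file_sniff is raised once the beginning-of-file buffer is full (or the file
# ended first), so f$bof_buffer holds up to f$bof_buffer_size bytes here.
event file_sniff(f: fa_file, meta: fa_metadata)
	{
	# Too little data gives a noisy entropy estimate.
	if ( ! f?$bof_buffer || |f$bof_buffer| < 512 )
		return;

	local mime = meta?$mime_type ? meta$mime_type : "unknown";
	if ( mime in expected_high_entropy )
		return;

	# All five measures of entropy_test_result come from one call.
	local et = find_entropy(f$bof_buffer);
	if ( et$entropy < threshold )
		return;

	# A gap in the stream means the buffer is not the true file head,
	# so say so instead of silently trusting the measurement.
	local caveat = f$missing_bytes > 0 ?
	               fmt(" (%d bytes missing)", f$missing_bytes) : "";

	NOTICE([$note=High_Entropy_File,
	        $msg=fmt("%s file via %s: entropy=%.2f chi2=%.0f mean=%.1f pi=%.3f serial=%.3f%s",
	                 mime, f$source, et$entropy, et$chi_square, et$mean,
	                 et$monte_carlo_pi, et$serial_correlation, caveat),
	        $f=f]);
	}
```

Passing $f to NOTICE lets the notice framework fill in the file id and, when f$conns holds exactly one connection, the connection details. Because the measurement covers only the buffered head, a file that starts with a plaintext stub and switches to encrypted data later is not caught; for that, feed the file's chunks through entropy_test_init, entropy_test_add and entropy_test_finish instead.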

files_tag_set
Type

set [Files::Tag]

A set of file analyzer tags.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

flow_id
Type

record

src_h: addr &log

The source IP address.

src_p: port &log

The source port number.

dst_h: addr &log

The destination IP address.

dst_p: port &log

The destination port number.

Attributes

&log

The identifying 4-tuple of a uni-directional flow.

Note

It’s actually a 5-tuple: the transport-layer protocol is stored as part of the port values, src_p and dst_p, and can be extracted from them with get_port_transport_proto.

ftp_port
Type

record

h: addr

The host’s address.

p: port

The host’s port.

valid: bool

True if the format was valid. Only then are h and p meaningful.

A parsed host/port combination describing server endpoint for an upcoming data transfer.

geo_autonomous_system
Type

record

number: count &optional &log

The autonomous system number.

organization: string &optional &log

Associated organization.

Attributes

&log

GeoIP autonomous system information.

geo_location
Type

record

country_code: string &optional &log

The country code.

region: string &optional &log

The region.

city: string &optional &log

The city.

latitude: double &optional &log

Latitude.

longitude: double &optional &log

Longitude.

Attributes

&log

GeoIP location information.

gtp_access_point_name
Type

string

gtp_cause
Type

count

gtp_charging_characteristics
Type

count

gtp_charging_gateway_addr
Type

addr

gtp_charging_id
Type

count

gtp_create_pdp_ctx_request_elements
Type

record

imsi: gtp_imsi &optional

rai: gtp_rai &optional

recovery: gtp_recovery &optional

select_mode: gtp_selection_mode &optional

data1: gtp_teid1

cp: gtp_teid_control_plane &optional

nsapi: gtp_nsapi

linked_nsapi: gtp_nsapi &optional

charge_character: gtp_charging_characteristics &optional

trace_ref: gtp_trace_reference &optional

trace_type: gtp_trace_type &optional

end_user_addr: gtp_end_user_addr &optional

ap_name: gtp_access_point_name &optional

opts: gtp_proto_config_options &optional

signal_addr: gtp_gsn_addr

user_addr: gtp_gsn_addr

msisdn: gtp_msisdn &optional

qos_prof: gtp_qos_profile

tft: gtp_tft &optional

trigger_id: gtp_trigger_id &optional

omc_id: gtp_omc_id &optional

ext: gtp_private_extension &optional

gtp_create_pdp_ctx_response_elements
Type

record

cause: gtp_cause

reorder_req: gtp_reordering_required &optional

recovery: gtp_recovery &optional

data1: gtp_teid1 &optional

cp: gtp_teid_control_plane &optional

charging_id: gtp_charging_id &optional

end_user_addr: gtp_end_user_addr &optional

opts: gtp_proto_config_options &optional

cp_addr: gtp_gsn_addr &optional

user_addr: gtp_gsn_addr &optional

qos_prof: gtp_qos_profile &optional

charge_gateway: gtp_charging_gateway_addr &optional

ext: gtp_private_extension &optional

gtp_delete_pdp_ctx_request_elements
Type

record

teardown_ind: gtp_teardown_ind &optional

nsapi: gtp_nsapi

ext: gtp_private_extension &optional

gtp_delete_pdp_ctx_response_elements
Type

record

cause: gtp_cause

ext: gtp_private_extension &optional

gtp_end_user_addr
Type

record

pdp_type_org: count

pdp_type_num: count

pdp_ip: addr &optional

Set if the End User Address information element is IPv4/IPv6.

pdp_other_addr: string &optional

Set if the End User Address information element isn’t IPv4/IPv6.

gtp_gsn_addr
Type

record

ip: addr &optional

If the GSN Address information element has length 4 or 16, then this field is set to the information element’s value interpreted as an IPv4 or IPv6 address, respectively.

other: string &optional

This field is set if it’s not an IPv4 or IPv6 address.

gtp_imsi
Type

count

gtp_msisdn
Type

string

gtp_nsapi
Type

count

gtp_omc_id
Type

string

gtp_private_extension
Type

record

id: count

value: string

gtp_proto_config_options
Type

string

gtp_qos_profile
Type

record

priority: count

data: string

gtp_rai
Type

record

mcc: count

mnc: count

lac: count

rac: count

gtp_recovery
Type

count

gtp_reordering_required
Type

bool

gtp_selection_mode
Type

count

gtp_teardown_ind
Type

bool

gtp_teid1
Type

count

gtp_teid_control_plane
Type

count

gtp_tft
Type

string

gtp_trace_reference
Type

count

gtp_trace_type
Type

count

gtp_trigger_id
Type

string

gtp_update_pdp_ctx_request_elements
Type

record

imsi: gtp_imsi &optional

rai: gtp_rai &optional

recovery: gtp_recovery &optional

data1: gtp_teid1

cp: gtp_teid_control_plane &optional

nsapi: gtp_nsapi

trace_ref: gtp_trace_reference &optional

trace_type: gtp_trace_type &optional

cp_addr: gtp_gsn_addr

user_addr: gtp_gsn_addr

qos_prof: gtp_qos_profile

tft: gtp_tft &optional

trigger_id: gtp_trigger_id &optional

omc_id: gtp_omc_id &optional

ext: gtp_private_extension &optional

end_user_addr: gtp_end_user_addr &optional

gtp_update_pdp_ctx_response_elements
Type

record

cause: gtp_cause

recovery: gtp_recovery &optional

data1: gtp_teid1 &optional

cp: gtp_teid_control_plane &optional

charging_id: gtp_charging_id &optional

cp_addr: gtp_gsn_addr &optional

user_addr: gtp_gsn_addr &optional

qos_prof: gtp_qos_profile &optional

charge_gateway: gtp_charging_gateway_addr &optional

ext: gtp_private_extension &optional

gtpv1_hdr
Type

record

version: count

The 3-bit version field, which for GTPv1 should be 1.

pt_flag: bool

Protocol Type value differentiates GTP (value 1) from GTP’ (value 0).

rsv: bool

Reserved field, should be 0.

e_flag: bool

Extension Header flag. When 0, the next_type field may or may not be present, but shouldn’t be meaningful. When 1, next_type is present and meaningful.

s_flag: bool

Sequence Number flag. When 0, the seq field may or may not be present, but shouldn’t be meaningful. When 1, seq is present and meaningful.

pn_flag: bool

N-PDU flag. When 0, the n_pdu field may or may not be present, but shouldn’t be meaningful. When 1, n_pdu is present and meaningful.

msg_type: count

Message Type. A value of 255 indicates user-plane data is encapsulated.

length: count

Length of the GTP packet payload (the rest of the packet following the mandatory 8-byte GTP header).

teid: count

Tunnel Endpoint Identifier. Unambiguously identifies a tunnel endpoint in the receiving GTP-U or GTP-C protocol entity.

seq: count &optional

Sequence Number. Set if any e_flag, s_flag, or pn_flag field is set.

n_pdu: count &optional

N-PDU Number. Set if any e_flag, s_flag, or pn_flag field is set.

next_type: count &optional

Next Extension Header Type. Set if any e_flag, s_flag, or pn_flag field is set.

A GTPv1 (GPRS Tunneling Protocol) header.

http_message_stat
Type

record

start: time

When the request/reply line was complete.

interrupted: bool

Whether the message was interrupted.

finish_msg: string

Reason phrase if interrupted.

body_length: count

Length of body processed (before finished/interrupted).

content_gap_length: count

Total length of gaps within body_length.

header_length: count

Length of headers (including the req/reply line, but not CR/LF’s).

HTTP message statistics.
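The following is an added example, not part of the Zeek base scripts, that carries the gap and interruption information from http_message_stat into http.log, so an analyst can see when a reply body was incomplete and therefore when any file extracted or hashed from that body is untrustworthy. The three new column names are this example's own choice.

```zeek
@load base/protocols/http

module HTTPGaps;

# Extra http.log columns; the field names are assumptions of this example.
redef record HTTP::Info += {
	## Bytes of the reply body that Zeek never saw (dropped or unreassembled packets).
	resp_gap: count &log &optional;
	## Set when Zeek stopped processing the reply before its end.
	resp_interrupted: bool &log &optional;
	## The reason Zeek gave for stopping, taken from http_message_stat$finish_msg.
	resp_finish: string &log &optional;
};

# http_message_done fires once per request and once per reply. The base HTTP
# script writes the http.log line for the reply from this event at priority -5,
# so a handler at a higher priority can still add fields to c$http first.
event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) &priority=3
	{
	if ( is_orig || ! c?$http )
		return;

	if ( stat$content_gap_length > 0 )
		c$http$resp_gap = stat$content_gap_length;

	if ( stat$interrupted )
		{
		c$http$resp_interrupted = T;
		c$http$resp_finish = stat$finish_msg;
		}
	}
```

A reply whose resp_gap is non-zero will also show up as missing_bytes on the fa_file of any file carried in that body; comparing the two confirms that the shortfall comes from the capture (dropped packets) rather than from the server.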

http_stats_rec
Type

record

num_requests: count

Number of requests.

num_replies: count

Number of replies.

request_version: double

HTTP version of the requests.

reply_version: double

HTTP Version of the replies.

HTTP session statistics.

icmp6_nd_option
Type

record

otype: count

8-bit identifier of the type of option.

len: count

8-bit integer representing the length of the option (including the type and length fields) in units of 8 octets.

link_address: string &optional

Source Link-Layer Address (Type 1) or Target Link-Layer Address (Type 2). Byte ordering of this is dependent on the actual link-layer.

prefix: icmp6_nd_prefix_info &optional

Prefix Information (Type 3).

redirect: icmp_context &optional

Redirected header (Type 4). This field contains the context of the original, redirected packet.

mtu: count &optional

Recommended MTU for the link (Type 5).

payload: string &optional

The raw data of the option (everything after type & length fields), useful for unknown option types or when the full option payload is truncated in the captured packet. In those cases, option fields won’t be pre-extracted into the fields above.

Options extracted from ICMPv6 neighbor discovery messages as specified by RFC 4861.

icmp6_nd_options
Type

vector of icmp6_nd_option

A type alias for a vector of ICMPv6 neighbor discovery message options.

icmp6_nd_prefix_info
Type

record

prefix_len: count

Number of leading bits of the prefix that are valid.

L_flag: bool

Flag indicating the prefix can be used for on-link determination.

A_flag: bool

Autonomous address-configuration flag.

valid_lifetime: interval

Length of time in seconds that the prefix is valid for purpose of on-link determination (0xffffffff represents infinity).

preferred_lifetime: interval

Length of time in seconds that the addresses generated from the prefix via stateless address autoconfiguration remain preferred (0xffffffff represents infinity).

prefix: addr

An IP address or prefix of an IP address. Use the prefix_len field to convert this into a subnet.

Values extracted from a Prefix Information option in an ICMPv6 neighbor discovery message as specified by RFC 4861.
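An added example (not Zeek project code) that consumes icmp6_nd_options and icmp6_nd_prefix_info from the icmp_router_advertisement event to spot rogue router advertisements: an RA sent by a host outside an allowlist, or a Prefix Information option offering a prefix for autoconfiguration that is not expected on the link. The router and prefix allowlists, the notice names and the handling of truncated options are assumptions for this example.

```zeek
@load base/frameworks/notice

module RogueRA;

export {
	redef enum Notice::Type += {
		## Router Advertisement from a host not on the allowlist.
		Unexpected_Router,
		## Router Advertisement offering a prefix not on the allowlist.
		Unexpected_Prefix,
	};

	## Addresses of the legitimate IPv6 routers (assumed values).
	const known_routers: set[addr] = { [fe80::1] } &redef;

	## Prefixes those routers are expected to advertise (assumed values).
	const known_prefixes: set[subnet] = { [2001:db8:1::]/64 } &redef;
}

event icmp_router_advertisement(c: connection, info: icmp_info,
                                cur_hop_limit: count, managed: bool, other: bool,
                                home_agent: bool, pref: count,
                                router_lifetime: interval, reachable_time: interval,
                                retrans_timer: interval, options: icmp6_nd_options)
	{
	local src = c$id$orig_h;

	if ( src !in known_routers )
		NOTICE([$note=Unexpected_Router,
		        $msg=fmt("RA from %s, router lifetime %s", src, router_lifetime),
		        $conn=c, $identifier=cat(src)]);

	for ( i in options )
		{
		local o = options[i];

		# Type 3 is Prefix Information. If Zeek could not parse it, e.g. the
		# option was truncated in the capture, only o$payload is populated.
		if ( o$otype != 3 )
			next;

		if ( ! o?$prefix )
			{
			Reporter::warning(fmt("truncated prefix option in RA from %s (%d payload bytes)",
			                      src, o?$payload ? |o$payload| : 0));
			next;
			}

		local pi = o$prefix;
		# Zeek delivers the prefix as an addr; combine it with prefix_len to get a subnet.
		local net = mask_addr(pi$prefix, pi$prefix_len);

		# Only prefixes with the A flag are used for address autoconfiguration,
		# which is what a rogue RA needs to pull hosts onto an attacker's network.
		if ( pi$A_flag && net !in known_prefixes )
			NOTICE([$note=Unexpected_Prefix,
			        $msg=fmt("RA from %s offers %s for autoconfiguration (valid %s, preferred %s)",
			                 src, net, pi$valid_lifetime, pi$preferred_lifetime),
			        $conn=c, $identifier=cat(src, net)]);
		}
	}
```

The $identifier on each notice lets the notice framework's default suppression collapse the repeated advertisements a router sends every few minutes into one notice per router (or per router and prefix) per suppression interval.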

icmp_conn
Type

record

orig_h: addr

The originator’s IP address.

resp_h: addr

The responder’s IP address.

itype: count

The ICMP type of the packet that triggered the instantiation of the record.

icode: count

The ICMP code of the packet that triggered the instantiation of the record.

len: count

The length of the ICMP payload of the packet that triggered the instantiation of the record.

hlim: count

The encapsulating IP header’s Hop Limit value.

v6: bool

True if it’s an ICMPv6 packet.

Specifics about an ICMP conversation. ICMP events typically pass this in addition to conn_id.

icmp_context
Type

record

id: conn_id

The packet’s 4-tuple.

len: count

The length of the IP packet (headers + payload).

proto: count

The packet’s transport-layer protocol.

frag_offset: count

The packet’s fragmentation offset.

bad_hdr_len: bool

True if the packet’s IP header is not fully included in the context or if there is not enough of the transport header to determine source and destination ports. If that is the case, the appropriate fields of this record will be set to null values.

bad_checksum: bool

True if the packet’s IP checksum is not correct.

MF: bool

True if the packet’s more fragments flag is set.

DF: bool

True if the packet’s don’t fragment flag is set.

Packet context part of an ICMP message. The fields of this record reflect the packet that is described by the context.

icmp_hdr
Type

record

icmp_type: count

The ICMP message type.

Values extracted from an ICMP header.

icmp_info
Type

record

v6: bool

True if it’s an ICMPv6 packet.

itype: count

The ICMP type of the current packet.

icode: count

The ICMP code of the current packet.

len: count

The length of the ICMP payload.

ttl: count

The encapsulating IP header’s TTL (IPv4) or Hop Limit (IPv6).

Specifics about an ICMP conversation/packet. ICMP events typically pass this in addition to conn_id.

id_table
Type

table [string] of script_id

Table type used to map script-level identifiers to meta-information describing them.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

index_vec
Type

vector of count

A vector of counts, used by some builtin functions to store a list of indices.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

int_vec
Type

vector of int

A vector of integers, used by telemetry builtin functions to store histogram bounds.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

interval_set
Type

set [interval]

A set of intervals.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

ip4_hdr
Type

record

hl: count

Header length in bytes.

tos: count

Type of service.

len: count

Total length.

id: count

Identification.

ttl: count

Time to live.

p: count

Protocol.

src: addr

Source address.

dst: addr

Destination address.

Values extracted from an IPv4 header.

ip6_ah
Type

record

nxt: count

Protocol number of the next header (RFC 1700 et seq., IANA assigned number), e.g. IPPROTO_ICMP.

len: count

Length of header in 4-octet units, excluding first two units.

rsv: count

Reserved field.

spi: count

Security Parameter Index.

seq: count &optional

Sequence number, unset in the case that len field is zero.

data: string &optional

Authentication data, unset in the case that len field is zero.

Values extracted from an IPv6 Authentication extension header.

ip6_dstopts
Type

record

nxt: count

Protocol number of the next header (RFC 1700 et seq., IANA assigned number), e.g. IPPROTO_ICMP.

len: count

Length of header in 8-octet units, excluding first unit.

options: ip6_options

The TLV-encoded options.

Values extracted from an IPv6 Destination options extension header.

ip6_esp
Type

record

spi: count

Security Parameters Index.

seq: count

Sequence number.

Values extracted from an IPv6 ESP extension header.

ip6_ext_hdr
Type

record

id: count

The RFC 1700 et seq. IANA assigned number identifying the type of the extension header.

hopopts: ip6_hopopts &optional

Hop-by-hop option extension header.

dstopts: ip6_dstopts &optional

Destination option extension header.

routing: ip6_routing &optional

Routing extension header.

fragment: ip6_fragment &optional

Fragment header.

ah: ip6_ah &optional

Authentication extension header.

esp: ip6_esp &optional

Encapsulating security payload header.

mobility: ip6_mobility_hdr &optional

Mobility header.

A general container for a more specific IPv6 extension header.

ip6_ext_hdr_chain
Type

vector of ip6_ext_hdr

A type alias for a vector of IPv6 extension headers.

ip6_fragment
Type

record

nxt: count

Protocol number of the next header (RFC 1700 et seq., IANA assigned number), e.g. IPPROTO_ICMP.

rsv1: count

8-bit reserved field.

offset: count

Fragmentation offset.

rsv2: count

2-bit reserved field.

more: bool

More fragments.

id: count

Fragment identification.

Values extracted from an IPv6 Fragment extension header.

ip6_hdr
Type

record

class: count

Traffic class.

flow: count

Flow label.

len: count

Payload length.

nxt: count

Protocol number of the next header (RFC 1700 et seq., IANA assigned number) e.g. IPPROTO_ICMP.

hlim: count

Hop limit.

src: addr

Source address.

dst: addr

Destination address.

exts: ip6_ext_hdr_chain

Extension header chain.

Values extracted from an IPv6 header.

ip6_hopopts
Type

record

nxt: count

Protocol number of the next header (RFC 1700 et seq., IANA assigned number), e.g. IPPROTO_ICMP.

len: count

Length of header in 8-octet units, excluding first unit.

options: ip6_options

The TLV-encoded options.

Values extracted from an IPv6 Hop-by-Hop options extension header.

ip6_mobility_back
Type

record

status: count

Status.

k: bool

Key Management Mobility Capability.

seq: count

Sequence number.

life: count

Lifetime.

options: vector of ip6_option

Mobility Options.

Values extracted from an IPv6 Mobility Binding Acknowledgement message.

ip6_mobility_be
Type

record

status: count

Status.

hoa: addr

Home Address.

options: vector of ip6_option

Mobility Options.

Values extracted from an IPv6 Mobility Binding Error message.

ip6_mobility_brr
Type

record

rsv: count

Reserved.

options: vector of ip6_option

Mobility Options.

Values extracted from an IPv6 Mobility Binding Refresh Request message.

ip6_mobility_bu
Type

record

seq: count

Sequence number.

a: bool

Acknowledge bit.

h: bool

Home Registration bit.

l: bool

Link-Local Address Compatibility bit.

k: bool

Key Management Mobility Capability bit.

life: count

Lifetime.

options: vector of ip6_option

Mobility Options.

Values extracted from an IPv6 Mobility Binding Update message.

ip6_mobility_cot
Type

record

nonce_idx: count

Care-of Nonce Index.

cookie: count

Care-of Init Cookie.

token: count

Care-of Keygen Token.

options: vector of ip6_option

Mobility Options.

Values extracted from an IPv6 Mobility Care-of Test message.

ip6_mobility_coti
Type

record

rsv: count

Reserved.

cookie: count

Care-of Init Cookie.

options: vector of ip6_option

Mobility Options.

Values extracted from an IPv6 Mobility Care-of Test Init message.

ip6_mobility_hdr
Type

record

nxt: count

Protocol number of the next header (RFC 1700 et seq., IANA assigned number), e.g. IPPROTO_ICMP.

len: count

Length of header in 8-octet units, excluding first unit.

mh_type: count

Mobility header type, identifying which message the header carries.

rsv: count

Reserved field.

chksum: count

Mobility header checksum.

msg: ip6_mobility_msg

Mobility header message.

Values extracted from an IPv6 Mobility header.

ip6_mobility_hot
Type

record

nonce_idx: count

Home Nonce Index.

cookie: count

Home Init Cookie.

token: count

Home Keygen Token.

options: vector of ip6_option

Mobility Options.

Values extracted from an IPv6 Mobility Home Test message.

ip6_mobility_hoti
Type

record

rsv: count

Reserved.

cookie: count

Home Init Cookie.

options: vector of ip6_option

Mobility Options.

Values extracted from an IPv6 Mobility Home Test Init message.

ip6_mobility_msg
Type

record

id: count

The type of message from the header’s MH Type field.

brr: ip6_mobility_brr &optional

Binding Refresh Request.

hoti: ip6_mobility_hoti &optional

Home Test Init.

coti: ip6_mobility_coti &optional

Care-of Test Init.

hot: ip6_mobility_hot &optional

Home Test.

cot: ip6_mobility_cot &optional

Care-of Test.

bu: ip6_mobility_bu &optional

Binding Update.

back: ip6_mobility_back &optional

Binding Acknowledgement.

be: ip6_mobility_be &optional

Binding Error.

Values extracted from an IPv6 Mobility header’s message data.

ip6_option
Type

record

otype: count

Option type.

len: count

Option data length.

data: string

Option data.

Values extracted from an IPv6 extension header’s (e.g. hop-by-hop or destination option headers) option field.

ip6_options
Type

vector of ip6_option

A type alias for a vector of IPv6 options.

ip6_routing
Type

record

nxt: count

Protocol number of the next header (RFC 1700 et seq., IANA assigned number), e.g. IPPROTO_ICMP.

len: count

Length of header in 8-octet units, excluding first unit.

rtype: count

Routing type.

segleft: count

Segments left.

data: string

Type-specific data.

Values extracted from an IPv6 Routing extension header.
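Added example, not part of Zeek: walking an ip6_ext_hdr_chain from the ipv6_ext_headers event to flag the deprecated Type 0 Routing Header (RFC 5095) and abnormally long or repeated extension header chains, both of which are classic IPv6 filter-evasion and amplification tricks. It touches ip6_hdr, ip6_ext_hdr and ip6_routing as documented above; the notice names and the chain-length limit are assumptions of the example.

```zeek
@load base/frameworks/notice

module IPv6ExtHdr;

export {
	redef enum Notice::Type += {
		## Deprecated Type 0 Routing Header, usable for amplification and ACL evasion.
		RH0_Seen,
		## Unusually long extension header chain, or a header type repeated.
		Suspicious_Chain,
	};

	## More extension headers than this in one packet is treated as suspicious
	## (assumed limit for this example).
	const max_chain_len = 4 &redef;
}

# IANA protocol number of the Destination Options header (ip6_ext_hdr$id).
const IPPROTO_DSTOPTS = 60;

# Raised for every IPv6 packet that carries at least one extension header.
event ipv6_ext_headers(c: connection, p: pkt_hdr)
	{
	if ( ! p?$ip6 )
		return;

	local chain = p$ip6$exts;
	local seen: set[count];
	local dup = F;

	for ( i in chain )
		{
		local e = chain[i];

		# Only the routing header variant of ip6_ext_hdr has e$routing set.
		if ( e?$routing && e$routing$rtype == 0 )
			NOTICE([$note=RH0_Seen,
			        $msg=fmt("RH0 from %s to %s, %d segments left",
			                 p$ip6$src, p$ip6$dst, e$routing$segleft),
			        $conn=c, $identifier=cat(p$ip6$src)]);

		# RFC 8200 allows Destination Options twice (before a Routing header and
		# before the upper layer); any other header type should appear at most once.
		if ( e$id in seen && e$id != IPPROTO_DSTOPTS )
			dup = T;
		add seen[e$id];
		}

	if ( dup || |chain| > max_chain_len )
		NOTICE([$note=Suspicious_Chain,
		        $msg=fmt("%d extension headers from %s to %s (repeated header: %s)",
		                 |chain|, p$ip6$src, p$ip6$dst, dup),
		        $conn=c, $identifier=cat(p$ip6$src)]);
	}
```

This handler runs once per packet that has extension headers, so on a busy link the cost is real; the $identifier-based suppression keeps the notice volume bounded, but the script itself still executes for every such packet.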

irc_join_info
Type

record

nick: string

channel: string

password: string

usermode: string

IRC join information.

irc_join_list
Type

set [irc_join_info]

Set of IRC join information.

l2_hdr
Type

record

encap: link_encap

L2 link encapsulation.

len: count

Total frame length on wire.

cap_len: count

Captured length.

src: string &optional

L2 source (if Ethernet).

dst: string &optional

L2 destination (if Ethernet).

vlan: count &optional

Outermost VLAN tag if any (and Ethernet).

inner_vlan: count &optional

Innermost VLAN tag if any (and Ethernet).

eth_type: count &optional

Innermost Ethertype (if Ethernet).

proto: layer3_proto

L3 protocol.

Values extracted from the layer 2 header.

load_sample_info
Type

set [string]

mime_header_list
Type

table [count] of mime_header_rec

A list of MIME headers.

mime_header_rec
Type

record

original_name: string

The header name (unaltered).

name: string

The header name (converted to all upper-case).

value: string

The header value.

A MIME header key/value pair.

mime_match
Type

record

strength: int

How strongly the signature matched. Used for prioritization when multiple file magic signatures match.

mime: string

The MIME type of the file magic signature match.

A structure indicating a MIME type and strength of a match against file magic signatures.

See also: file_magic

mime_matches
Type

vector of mime_match

A vector of file magic signature matches, ordered by strength of the signature, strongest first.

See also: file_magic

pcap_packet
Type

record

ts_sec: count

The non-fractional part of the packet’s timestamp (i.e., full seconds since the epoch).

ts_usec: count

The fractional part of the packet’s timestamp, in microseconds.

caplen: count

The number of bytes captured (<= len).

len: count

The length of the packet in bytes, including link-level header.

data: string

The payload of the packet, including link-level header.

link_type: link_encap

Layer 2 link encapsulation type.

Policy-level representation of a packet passed on by libpcap. The data includes the complete packet as returned by libpcap, including the link-layer header.

pkt_hdr
Type

record

ip: ip4_hdr &optional

The IPv4 header if an IPv4 packet.

ip6: ip6_hdr &optional

The IPv6 header if an IPv6 packet.

tcp: tcp_hdr &optional

The TCP header if a TCP packet.

udp: udp_hdr &optional

The UDP header if a UDP packet.

icmp: icmp_hdr &optional

The ICMP header if an ICMP packet.

A packet header, consisting of an IP header and transport-layer header.

pkt_profile_modes
Type

enum

PKT_PROFILE_MODE_NONE

No output.

PKT_PROFILE_MODE_SECS

Output every pkt_profile_freq seconds.

PKT_PROFILE_MODE_PKTS

Output every pkt_profile_freq packets.

PKT_PROFILE_MODE_BYTES

Output every pkt_profile_freq bytes.

Output modes for packet profiling information.

pm_callit_request
Type

record

program: count

The RPC program.

version: count

The program version.

proc: count

The procedure being called.

arg_size: count

The size of the argument.

An RPC portmapper callit request.

pm_mapping
Type

record

program: count

The RPC program.

version: count

The program version.

p: port

The port.

An RPC portmapper mapping.

pm_mappings
Type

table [count] of pm_mapping

Table of RPC portmapper mappings.

pm_port_request
Type

record

program: count

The RPC program.

version: count

The program version.

is_tcp: bool

True if using TCP.

An RPC portmapper request.

psk_identity_vec
Type

vector of SSL::PSKIdentity

raw_pkt_hdr
Type

record

l2: l2_hdr

The layer 2 header.

ip: ip4_hdr &optional

The IPv4 header if an IPv4 packet.

ip6: ip6_hdr &optional

The IPv6 header if an IPv6 packet.

tcp: tcp_hdr &optional

The TCP header if a TCP packet.

udp: udp_hdr &optional

The UDP header if a UDP packet.

icmp: icmp_hdr &optional

The ICMP header if an ICMP packet.

A raw packet header, consisting of the L2 header and everything in pkt_hdr.

record_field
Type

record

type_name: string

The name of the field’s type.

log: bool

True if the field is declared with &log attribute.

value: any &optional

The current value of the field in the record instance passed into record_fields (if it has one).

default_val: any &optional

The value of the &default attribute if defined.

Meta-information about a record field.

record_field_table
Type

table [string] of record_field

Table type used to map record field declarations to meta-information describing them.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

rotate_info
Type

record

old_name: string

Original filename.

new_name: string

File name after rotation.

open: time

Time when opened.

close: time

Time when closed.

script_id
Type

record

type_name: string

The name of the identifier’s type.

exported: bool

True if the identifier is exported.

constant: bool

True if the identifier is a constant.

enum_constant: bool

True if the identifier is an enum value.

option_value: bool

True if the identifier is an option.

redefinable: bool

True if the identifier is declared with the &redef attribute.

broker_backend: bool

True if the identifier has a Broker backend defined using the &backend attribute.

value: any &optional

The current value of the identifier.

Meta-information about a script-level identifier.

signature_and_hashalgorithm_vec
Type

vector of SSL::SignatureAndHashAlgorithm

A vector of Signature and Hash Algorithms.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

signature_state
Type

record

sig_id: string

ID of the matching signature.

conn: connection

Matching connection.

is_orig: bool

True if matching endpoint is originator.

payload_size: count

Payload size of the first matching packet of current endpoint.

Description of a signature match.

string_any_file_hook
Type

hook (f: fa_file, e: any, str: string) : bool

A hook taking a fa_file, an any, and a string. Used by the X509 analyzer as callback.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

string_any_table
Type

table [string] of any

A string-table of any.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

string_array
Type

table [count] of string

An ordered array of strings. The entries are indexed by successive numbers. Note that it depends on the usage whether the first index is zero or one.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

string_set
Type

set [string]

A set of strings.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

string_vec
Type

vector of string

A vector of strings.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

subnet_set
Type

set [subnet]

A set of subnets.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

subnet_vec
Type

vector of subnet

A vector of subnets.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

sw_align
Type

record

str: string

The string the substring is part of.

index: count

Offset at which the substring is located.

Helper type for return value of Smith-Waterman algorithm.

sw_align_vec
Type

vector of sw_align

Helper type for return value of Smith-Waterman algorithm.

sw_params
Type

record

min_strlen: count &default = 3 &optional

Minimum size of a substring, minimum “granularity”.

sw_variant: count &default = 0 &optional

Smith-Waterman flavor to use.

Parameters for the Smith-Waterman algorithm.

sw_substring
Type

record

str: string

A substring.

aligns: sw_align_vec

All strings of which it’s a substring.

new: bool

True if start of new alignment.

Helper type for return value of Smith-Waterman algorithm.

sw_substring_vec
Type

vector of sw_substring

Return type for Smith-Waterman algorithm.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

table_string_of_count
Type

table [string] of count

A table of counts indexed by strings.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

table_string_of_string
Type

table [string] of string

A table of strings indexed by strings.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

tcp_hdr
Type

record

sport: port

Source port.

dport: port

Destination port.

seq: count

Sequence number.

ack: count

Acknowledgement number.

hl: count

Header length (in bytes).

dl: count

Data length, i.e. the number of payload bytes. This is not a field of the on-wire TCP header; Zeek derives it.

reserved: count

The “reserved” 4 bits after the “data offset” field.

flags: count

The 8 bits of flags after the “reserved” field.

win: count

Window.

Values extracted from a TCP header.

teredo_auth
Type

record

id: string

Teredo client identifier.

value: string

HMAC-SHA1 over shared secret key between client and server, nonce, confirmation byte, origin indication (if present), and the IPv6 packet.

nonce: count

Nonce chosen by Teredo client to be repeated by Teredo server.

confirm: count

Confirmation byte to be set to 0 by Teredo client and non-zero by server if client needs new key.

A Teredo authentication header. See RFC 4380 for more information about the Teredo protocol.

teredo_hdr
Type

record

auth: teredo_auth &optional

Teredo authentication header.

origin: teredo_origin &optional

Teredo origin indication header.

hdr: pkt_hdr

IPv6 and transport protocol headers.

A Teredo packet header. See RFC 4380 for more information about the Teredo protocol.

teredo_origin
Type

record

p: port

Unobfuscated UDP port of Teredo client.

a: addr

Unobfuscated IPv4 address of Teredo client.

A Teredo authentication header. See RFC 4380 for more information about the Teredo protocol.

transport_proto
Type

enum

unknown_transport

An unknown transport-layer protocol.

tcp

TCP.

udp

UDP.

icmp

ICMP.

A connection’s transport-layer protocol. Note that Zeek uses the term “connection” broadly, using flow semantics for ICMP and UDP.

udp_hdr
Type

record

sport: port

source port

dport: port

destination port

ulen: count

udp length

Values extracted from a UDP header.

var_sizes
Type

table [string] of count

Table type used to map variable names to their memory allocation.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

x509_opaque_vector
Type

vector of opaque of x509

A vector of x509 opaques.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

Functions
add_interface
Type

function (iold: string, inew: string) : string

Internal function.

add_signature_file
Type

function (sold: string, snew: string) : string

Internal function.

discarder_check_icmp
Type

function (p: pkt_hdr) : bool

Function for skipping packets based on their ICMP header. If defined, this function will be called for all ICMP packets before Zeek performs any further analysis. If the function signals to discard a packet, no further processing will be performed on it.

P

The IP and ICMP headers of the considered packet.

Returns

True if the packet should not be analyzed any further.

Note

This is very low-level functionality and potentially expensive. Avoid using it.

discarder_check_ip
Type

function (p: pkt_hdr) : bool

Function for skipping packets based on their IP header. If defined, this function will be called for all IP packets before Zeek performs any further analysis. If the function signals to discard a packet, no further processing will be performed on it.

P

The IP header of the considered packet.

Returns

True if the packet should not be analyzed any further.

Note

This is very low-level functionality and potentially expensive. Avoid using it.

discarder_check_tcp
Type

function (p: pkt_hdr, d: string) : bool

Function for skipping packets based on their TCP header. If defined, this function will be called for all TCP packets before Zeek performs any further analysis. If the function signals to discard a packet, no further processing will be performed on it.

P

The IP and TCP headers of the considered packet.

D

Up to discarder_maxlen bytes of the TCP payload.

Returns

True if the packet should not be analyzed any further.

Note

This is very low-level functionality and potentially expensive. Avoid using it.

discarder_check_udp
Type

function (p: pkt_hdr, d: string) : bool

Function for skipping packets based on their UDP header. If defined, this function will be called for all UDP packets before Zeek performs any further analysis. If the function signals to discard a packet, no further processing will be performed on it.

P

The IP and UDP headers of the considered packet.

D

Up to discarder_maxlen bytes of the UDP payload.

Returns

True if the packet should not be analyzed any further.

Note

This is very low-level functionality and potentially expensive. Avoid using it.
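
The four discarder hooks above are function variables that the Zeek core declares but leaves for a script to define: when a script supplies a body, the core calls it for every matching packet before any other analysis, and a return value of T drops the packet. As an added example that is not part of the Zeek documentation, the script below defines discarder_check_ip and discarder_check_udp so that traffic involving a set of hosts, or a UDP destination port, is skipped; ignored_hosts and ignored_udp_ports are hypothetical names and their values are constructed.

```zeek
# Added example, not from the Zeek documentation. The discarder_check_*
# identifiers and pkt_hdr are Zeek's; ignored_hosts and ignored_udp_ports
# are hypothetical and hold constructed sample values.

# Hosts whose traffic this sensor should skip entirely, for instance a
# backup server that saturates the monitored link.
const ignored_hosts: set[addr] = { 10.0.0.5, 10.0.0.6 } &redef;

# UDP destination ports to skip.
const ignored_udp_ports: set[port] = { 1514/udp } &redef;

# Called for every IP packet before any further analysis. Returning T means
# the packet is dropped and never reaches the protocol analyzers or the logs.
function discarder_check_ip(p: pkt_hdr): bool
	{
	# pkt_hdr carries either an IPv4 or an IPv6 header; both are optional fields.
	if ( p?$ip )
		return p$ip$src in ignored_hosts || p$ip$dst in ignored_hosts;

	if ( p?$ip6 )
		return p$ip6$src in ignored_hosts || p$ip6$dst in ignored_hosts;

	return F;
	}

# Called for every UDP packet; d holds at most discarder_maxlen payload bytes.
function discarder_check_udp(p: pkt_hdr, d: string): bool
	{
	return p?$udp && ( p$udp$dport in ignored_udp_ports );
	}
```

Packets dropped by a discarder leave no trace in any log, so the ignore lists above are a deliberate blind spot and should be kept as small as the sensor's load requires; the page's own note that the hooks run for every packet in the scripting layer is why they are expensive.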

max_count
Type

function (a: count, b: count) : count

Returns maximum of two count values.

A

First value.

B

Second value.

Returns

The maximum of a and b.

max_double
Type

function (a: double, b: double) : double

Returns maximum of two double values.

A

First value.

B

Second value.

Returns

The maximum of a and b.

max_interval
Type

function (a: interval, b: interval) : interval

Returns maximum of two interval values.

A

First value.

B

Second value.

Returns

The maximum of a and b.

min_count
Type

function (a: count, b: count) : count

Returns minimum of two count values.

A

First value.

B

Second value.

Returns

The minimum of a and b.

min_double
Type

function (a: double, b: double) : double

Returns minimum of two double values.

A

First value.

B

Second value.

Returns

The minimum of a and b.

min_interval
Type

function (a: interval, b: interval) : interval

Returns minimum of two interval values.

A

First value.

B

Second value.

Returns

The minimum of a and b.

base/bif/const.bif.zeek

GLOBAL

Declaration of various scripting-layer constants that the Zeek core uses internally. Documentation and default values for the scripting-layer variables themselves are found in base/init-bare.zeek.

Namespace

GLOBAL

Summary
Detailed Interface

base/bif/types.bif.zeek

GLOBAL
MOUNT3
NFS3
Reporter
Tunnel

Declaration of various types that the Zeek core uses internally.

Namespaces

GLOBAL, MOUNT3, NFS3, Reporter, Tunnel

Summary
Types

MOUNT3::auth_flavor_t: enum

MOUNT3::proc_t: enum

MOUNT3::status_t: enum

NFS3::createmode_t: enum

NFS3::file_type_t: enum

NFS3::proc_t: enum

NFS3::stable_how_t: enum

NFS3::status_t: enum

NFS3::time_how_t: enum

Reporter::Level: enum

TableChange: enum

Tunnel::Type: enum

layer3_proto: enum

link_encap: enum

rpc_status: enum

Detailed Interface
Types
MOUNT3::auth_flavor_t
Type

enum

MOUNT3::AUTH_NULL
MOUNT3::AUTH_UNIX
MOUNT3::AUTH_SHORT
MOUNT3::AUTH_DES
MOUNT3::proc_t
Type

enum

MOUNT3::PROC_NULL
MOUNT3::PROC_MNT
MOUNT3::PROC_DUMP
MOUNT3::PROC_UMNT
MOUNT3::PROC_UMNT_ALL
MOUNT3::PROC_EXPORT
MOUNT3::PROC_END_OF_PROCS
MOUNT3::status_t
Type

enum

MOUNT3::MNT3_OK
MOUNT3::MNT3ERR_PERM
MOUNT3::MNT3ERR_NOENT
MOUNT3::MNT3ERR_IO
MOUNT3::MNT3ERR_ACCES
MOUNT3::MNT3ERR_NOTDIR
MOUNT3::MNT3ERR_INVAL
MOUNT3::MNT3ERR_NAMETOOLONG
MOUNT3::MNT3ERR_NOTSUPP
MOUNT3::MNT3ERR_SERVERFAULT
MOUNT3::MOUNT3ERR_UNKNOWN
NFS3::createmode_t
Type

enum

NFS3::UNCHECKED
NFS3::GUARDED
NFS3::EXCLUSIVE
NFS3::file_type_t
Type

enum

NFS3::FTYPE_REG
NFS3::FTYPE_DIR
NFS3::FTYPE_BLK
NFS3::FTYPE_CHR
NFS3::FTYPE_LNK
NFS3::FTYPE_SOCK
NFS3::FTYPE_FIFO
NFS3::proc_t
Type

enum

NFS3::PROC_NULL
NFS3::PROC_GETATTR
NFS3::PROC_SETATTR
NFS3::PROC_LOOKUP
NFS3::PROC_ACCESS
NFS3::PROC_READ
NFS3::PROC_WRITE
NFS3::PROC_CREATE
NFS3::PROC_MKDIR
NFS3::PROC_MKNOD
NFS3::PROC_REMOVE
NFS3::PROC_RMDIR
NFS3::PROC_RENAME
NFS3::PROC_READDIR
NFS3::PROC_READDIRPLUS
NFS3::PROC_FSSTAT
NFS3::PROC_FSINFO
NFS3::PROC_PATHCONF
NFS3::PROC_COMMIT
NFS3::PROC_END_OF_PROCS
NFS3::stable_how_t
Type

enum

NFS3::UNSTABLE
NFS3::DATA_SYNC
NFS3::FILE_SYNC
NFS3::status_t
Type

enum

NFS3::NFS3ERR_OK
NFS3::NFS3ERR_PERM
NFS3::NFS3ERR_NOENT
NFS3::NFS3ERR_IO
NFS3::NFS3ERR_NXIO
NFS3::NFS3ERR_ACCES
NFS3::NFS3ERR_EXIST
NFS3::NFS3ERR_XDEV
NFS3::NFS3ERR_NODEV
NFS3::NFS3ERR_NOTDIR
NFS3::NFS3ERR_ISDIR
NFS3::NFS3ERR_INVAL
NFS3::NFS3ERR_FBIG
NFS3::NFS3ERR_NOSPC
NFS3::NFS3ERR_ROFS
NFS3::NFS3ERR_NAMETOOLONG
NFS3::NFS3ERR_NOTEMPTY
NFS3::NFS3ERR_DQUOT
NFS3::NFS3ERR_STALE
NFS3::NFS3ERR_REMOTE
NFS3::NFS3ERR_BADHANDLE
NFS3::NFS3ERR_NOT_SYNC
NFS3::NFS3ERR_NOTSUPP
NFS3::NFS3ERR_TOOSMALL
NFS3::NFS3ERR_SERVERFAULT
NFS3::NFS3ERR_BADTYPE
NFS3::NFS3ERR_JUKEBOX
NFS3::NFS3ERR_UNKNOWN
NFS3::time_how_t
Type

enum

NFS3::DONT_CHANGE
NFS3::SET_TO_SERVER_TIME
NFS3::SET_TO_CLIENT_TIME
Reporter::Level
Type

enum

Reporter::INFO
Reporter::WARNING
Reporter::ERROR
TableChange
Type

enum

TABLE_ELEMENT_NEW
TABLE_ELEMENT_CHANGED
TABLE_ELEMENT_REMOVED
TABLE_ELEMENT_EXPIRED
Tunnel::Type
Type

enum

Tunnel::NONE
Tunnel::IP
Tunnel::AYIYA
Tunnel::TEREDO
Tunnel::SOCKS
Tunnel::GTPv1
Tunnel::HTTP
Tunnel::GRE
Tunnel::VXLAN
Tunnel::GENEVE
layer3_proto
Type

enum

L3_IPV4
L3_IPV6
L3_ARP
L3_UNKNOWN
link_encap
Type

enum

rpc_status
Type

enum

RPC_SUCCESS
RPC_PROG_UNAVAIL
RPC_PROG_MISMATCH
RPC_PROC_UNAVAIL
RPC_GARBAGE_ARGS
RPC_SYSTEM_ERR
RPC_TIMEOUT
RPC_VERS_MISMATCH
RPC_AUTH_ERROR
RPC_UNKNOWN_ERROR

base/bif/zeek.bif.zeek

GLOBAL

A collection of built-in functions that implement a variety of things such as general programming algorithms, string processing, math functions, introspection, type conversion, file/directory manipulation, packet filtering, interprocess communication and controlling protocol analyzer behavior.

You’ll find most of Zeek’s built-in functions that aren’t protocol-specific in this file.

Namespace

GLOBAL

Summary
Functions

__init_secondary_bifs: function

An internal function that helps initialize BIFs.

active_file: function

Checks whether a given file is open.

addr_to_counts: function

Converts an addr to an index_vec.

addr_to_ptr_name: function

Converts an IP address to a reverse pointer name.

addr_to_subnet: function

Converts an addr to a subnet.

all_set: function

Tests whether all elements of a boolean vector (vector of bool) are true.

anonymize_addr: function

Anonymizes an IP address.

any_set: function

Tests whether a boolean vector (vector of bool) has any true element.

backtrace: function

Returns a representation of the call stack as a vector of call stack elements, each containing call location information.

bare_mode: function

Returns whether Zeek was started in bare mode.

bytestring_to_count: function

Converts a string of bytes to a count.

bytestring_to_double: function

Converts a string of bytes (in network byte order) to a double.

bytestring_to_hexstr: function

Converts a string of bytes into its hexadecimal representation.

calc_next_rotate: function

Calculates the duration until the next time a file is to be rotated, based on a given rotate interval.

cat: function

Returns the concatenation of the string representation of its arguments.

cat_sep: function

Concatenates all arguments, with a separator placed between each one.

check_subnet: function

Checks if a specific subnet is a member of a set/table[subnet].

clear_table: function

Removes all elements from a set or table.

close: function

Closes an open file and flushes any buffered content.

compress_path: function

Compresses a given path by removing ‘..’s and the parent directory it references and also removing dual ‘/’s and extraneous ‘/./’s.

connection_exists: function

Checks whether a connection is (still) active.

continue_processing: function

Resumes Zeek’s packet processing.

convert_for_pattern: function

Escapes a string so that it becomes a valid pattern and can be used with string_to_pattern.

count_to_double: function

Converts a count to a double.

count_to_port: function

Converts a count and transport_proto to a port.

count_to_v4_addr: function

Converts a count to an addr.

counts_to_addr: function

Converts an index_vec to an addr.

current_analyzer: function

Returns the ID of the analyzer which raised the current event.

current_time: function

Returns the current wall-clock time.

decode_base64: function

Decodes a Base64-encoded string.

decode_base64_conn: function

Decodes a Base64-encoded string that was derived from processing a connection.

disable_analyzer: function

Disables the analyzer which raised the current event (if the analyzer belongs to the given connection).

do_profiling: function

Enables detailed collection of profiling statistics.

double_to_count: function

Converts a double to an int.

double_to_int: function

Converts a double to a count.

double_to_interval: function

Converts a double to an interval.

double_to_time: function

Converts a double value to a time.

dump_current_packet: function

Writes the current packet to a file.

dump_packet: function

Writes a given packet to a file.

dump_rule_stats: function

Writes rule matcher statistics (DFA states, transitions, memory usage, cache hits/misses) to a file.

enable_raw_output: function

Prevents escaping of non-ASCII characters when writing to a file.

encode_base64: function

Encodes a Base64-encoded string.

entropy_test_add: function

Adds data to an incremental entropy calculation.

entropy_test_finish: function

Finishes an incremental entropy calculation.

entropy_test_init: function

Initializes data structures for incremental entropy calculation.

enum_names: function

Returns all value names associated with an enum type.

enum_to_int: function

Converts an enum to an int.

exit: function

Shuts down the Zeek process immediately.

exp: function

Computes the exponential function.

file_magic: function

Determines the MIME type of a piece of data using Zeek’s file magic signatures.

file_mode: function

Converts UNIX file permissions given by a mode to an ASCII string.

file_size: function

Returns the size of a given file.

filter_subnet_table: function

For a set[subnet]/table[subnet], create a new table that contains all entries that contain a given subnet.

find_entropy: function

Performs an entropy test on the given data.

floor: function

Computes the greatest integer less than the given double value.

flush_all: function

Flushes all open files to disk.

fmt: function

Produces a formatted string à la printf.

fnv1a32: function

Returns 32-bit digest of arbitrary input values using FNV-1a hash algorithm.

generate_all_events: function

By default, Zeek does not generate (raise) events that are not handled by any scripts.

get_conn_transport_proto: function

Extracts the transport protocol from a connection.

get_current_packet: function

Returns the currently processed PCAP packet.

get_current_packet_header: function

Function to get the raw headers of the currently processed packet.

get_file_name: function

Gets the filename associated with a file handle.

get_port_transport_proto: function

Extracts the transport protocol from a port.

getenv: function

Returns a system environment variable.

gethostname: function

Returns the hostname of the machine Zeek runs on.

getpid: function

Returns Zeek’s process ID.

global_container_footprints: function

Generates a table of the “footprint” of all global container variables.

global_ids: function

Generates a table with information about all global identifiers.

global_options: function

Returns a set giving the names of all global options.

global_sizes: function &deprecated =

Generates a table of the size of all global variables.

haversine_distance: function

Calculates distance between two geographic locations using the haversine formula.

hexstr_to_bytestring: function

Converts a hex-string into its binary representation.

hrw_weight: function

Calculates a weight value for use in a Rendezvous Hashing algorithm.

identify_data: function

Determines the MIME type of a piece of data using Zeek’s file magic signatures.

install_dst_addr_filter: function

Installs a filter to drop packets destined to a given IP address with a certain probability if none of a given set of TCP flags are set.

install_dst_net_filter: function

Installs a filter to drop packets destined to a given subnet with a certain probability if none of a given set of TCP flags are set.

install_src_addr_filter: function

Installs a filter to drop packets from a given IP source address with a certain probability if none of a given set of TCP flags are set.

install_src_net_filter: function

Installs a filter to drop packets originating from a given subnet with a certain probability if none of a given set of TCP flags are set.

int_to_count: function

Converts a (positive) int to a count.

int_to_double: function

Converts an int to a double.

interval_to_double: function

Converts an interval to a double.

is_icmp_port: function

Checks whether a given port has ICMP as transport protocol.

is_local_interface: function

Checks whether a given IP address belongs to a local interface.

is_processing_suspended: function

Returns whether or not processing is currently suspended.

is_remote_event: function

Checks whether the last raised event came from a remote peer.

is_tcp_port: function

Checks whether a given port has TCP as transport protocol.

is_udp_port: function

Checks whether a given port has UDP as transport protocol.

is_v4_addr: function

Returns whether an address is IPv4 or not.

is_v4_subnet: function

Returns whether a subnet specification is IPv4 or not.

is_v6_addr: function

Returns whether an address is IPv6 or not.

is_v6_subnet: function

Returns whether a subnet specification is IPv6 or not.

is_valid_ip: function

Checks if a string is a valid IPv4 or IPv6 address.

ln: function

Computes the natural logarithm of a number.

log10: function

Computes the common logarithm of a number.

lookup_ID: function

Returns the value of a global identifier.

lookup_addr: function

Issues an asynchronous reverse DNS lookup and delays the function result.

lookup_asn: function &deprecated =

Performs an ASN lookup of an IP address.

lookup_autonomous_system: function

Performs a lookup of the AS number and organization of an IP address.

lookup_connection: function

Returns the connection record for a given connection identifier.

lookup_hostname: function

Issues an asynchronous DNS lookup and delays the function result.

lookup_hostname_txt: function

Issues an asynchronous TEXT DNS lookup and delays the function result.

lookup_location: function

Performs a geo-lookup of an IP address.

mask_addr: function

Masks an address down to the number of given upper bits.

match_signatures: function

Manually triggers the signature engine for a given connection.

matching_subnets: function

Gets all subnets that contain a given subnet from a set/table[subnet].

md5_hash: function

Computes the MD5 hash value of the provided list of arguments.

md5_hash_finish: function

Returns the final MD5 digest of an incremental hash computation.

md5_hash_init: function

Constructs an MD5 handle to enable incremental hash computation.

md5_hash_update: function

Updates the MD5 value associated with a given index.

md5_hmac: function

Computes an HMAC-MD5 hash value of the provided list of arguments.

mkdir: function

Creates a new directory.

mmdb_open_asn_db: function

Initializes MMDB for later use of lookup_asn or lookup_autonomous_system.

mmdb_open_location_db: function

Initializes MMDB for later use of lookup_location.

network_time: function

Returns the timestamp of the last packet processed.

open: function

Opens a file for writing.

open_for_append: function

Opens a file for writing or appending.

order: function

Returns the order of the elements in a vector according to some comparison function.

packet_source: function

Returns: the packet source being read by Zeek.

paraglob_equals: function

Compares two paraglobs for equality.

paraglob_init: function

Initializes and returns a new paraglob.

paraglob_match: function

Gets all the patterns inside the handle associated with an input string.

piped_exec: function

Opens a program with popen and writes a given string to the returned stream to send it to the opened process’s stdin.

port_to_count: function

Converts a port to a count.

preserve_prefix: function

Preserves the prefix of an IP address in anonymization.

preserve_subnet: function

Preserves the prefix of a subnet in anonymization.

print_raw: function

Renders a sequence of values to a string of bytes and outputs them directly to stdout with no additional escape sequences added.

ptr_name_to_addr: function

Converts a reverse pointer name to an address.

rand: function

Generates a random number.

raw_bytes_to_v4_addr: function

Converts a string of bytes into an IPv4 address.

raw_bytes_to_v6_addr: function

Converts a string of bytes into an IPv6 address.

reading_live_traffic: function

Checks whether Zeek reads traffic from one or more network interfaces (as opposed to from a network trace in a file).

reading_traces: function

Checks whether Zeek reads traffic from a trace file (as opposed to from a network interface).

record_fields: function

Generates metadata about a record’s fields.

record_type_to_vector: function

Converts a record type name to a vector of strings, where each element is the name of a record field.

remask_addr: function

Takes some top bits (such as a subnet address) from one address and the other bits (intra-subnet part) from a second address and merges them to get a new address.

rename: function

Renames a file from src_f to dst_f.

resize: function

Resizes a vector.

rmdir: function

Removes a directory.

rotate_file: function

Rotates a file.

rotate_file_by_name: function

Rotates a file identified by its name.

routing0_data_to_addrs: function

Converts the data field of ip6_routing records that have rtype of 0 into a vector of addresses.

same_object: function

Checks whether two objects reference the same internal object.

set_buf: function

Alters the buffering behavior of a file.

set_inactivity_timeout: function

Sets an individual inactivity timeout for a connection and thus overrides the global inactivity timeout.

set_network_time: function

Sets the timestamp associated with the last packet processed.

set_record_packets: function

Controls whether packet contents belonging to a connection should be recorded (when -w option is provided on the command line).

setenv: function

Sets a system environment variable.

sha1_hash: function

Computes the SHA1 hash value of the provided list of arguments.

sha1_hash_finish: function

Returns the final SHA1 digest of an incremental hash computation.

sha1_hash_init: function

Constructs an SHA1 handle to enable incremental hash computation.

sha1_hash_update: function

Updates the SHA1 value associated with a given index.

sha256_hash: function

Computes the SHA256 hash value of the provided list of arguments.

sha256_hash_finish: function

Returns the final SHA256 digest of an incremental hash computation.

sha256_hash_init: function

Constructs an SHA256 handle to enable incremental hash computation.

sha256_hash_update: function

Updates the SHA256 value associated with a given index.

skip_further_processing: function

Informs Zeek that it should skip any further processing of the contents of a given connection.

sort: function

Sorts a vector in place.

sqrt: function

Computes the square root of a double.

srand: function

Sets the seed for subsequent rand calls.

strftime: function

Formats a given time value according to a format string.

string_to_pattern: function

Converts a string into a pattern.

strptime: function

Parses a textual representation of a date/time value into a time type value.

subnet_to_addr: function

Converts a subnet to an addr by extracting the prefix.

subnet_width: function

Returns the width of a subnet.

suspend_processing: function

Stops Zeek’s packet processing.

syslog: function

Sends a string to syslog.

system: function

Invokes a command via the system function of the OS.

system_env: function

Invokes a command via the system function of the OS with a prepared environment.

terminate: function

Gracefully shuts down Zeek by terminating outstanding processing.

time_to_double: function

Converts a time value to a double.

to_addr: function

Converts a string to an addr.

to_count: function

Converts a string to a count.

to_double: function

Converts a string to a double.

to_int: function

Converts a string to an int.

to_json: function

A function to convert arbitrary Zeek data into a JSON string.

to_port: function

Converts a string to a port.

to_subnet: function

Converts a string to a subnet.

type_aliases: function

Returns all type name aliases of a value or type.

type_name: function

Returns the type name of an arbitrary Zeek variable.

uninstall_dst_addr_filter: function

Removes a destination address filter.

uninstall_dst_net_filter: function

Removes a destination subnet filter.

uninstall_src_addr_filter: function

Removes a source address filter.

uninstall_src_net_filter: function

Removes a source subnet filter.

unique_id: function

Creates an identifier that is unique with high probability.

unique_id_from: function

Creates an identifier that is unique with high probability.

unlink: function

Removes a file from a directory.

uuid_to_string: function

Converts a bytes representation of a UUID into its string form.

val_footprint: function

Computes a value’s “footprint”: the number of objects the value contains either directly or indirectly.

val_size: function &deprecated =

Returns the number of bytes that a value occupies in memory.

write_file: function

Writes data to an open file.

zeek_args: function

Returns: list of command-line arguments (argv) used to run Zeek.

zeek_is_terminating: function

Checks if Zeek is terminating.

zeek_version: function

Returns the Zeek version string.

Detailed Interface
Functions
__init_secondary_bifs
Type

function () : bool

An internal function that helps initialize BIFs.

active_file
Type

function (f: file) : bool

Checks whether a given file is open.

F

The file to check.

Returns

True if f is an open file.

Todo

Rename to is_open.

addr_to_counts
Type

function (a: addr) : index_vec

Converts an addr to an index_vec.

A

The address to convert into a vector of counts.

Returns

A vector containing the host-order address representation, four elements in size for IPv6 addresses, or one element for IPv4.

addr_to_ptr_name
Type

function (a: addr) : string

Converts an IP address to a reverse pointer name. For example, 192.168.0.1 to 1.0.168.192.in-addr.arpa.

A

The IP address to convert to a reverse pointer name.

Returns

The reverse pointer representation of a.

addr_to_subnet
Type

function (a: addr) : subnet

Converts an addr to a subnet.

A

The address to convert.

Returns

The address as a subnet.

all_set
Type

function (v: any) : bool

Tests whether all elements of a boolean vector (vector of bool) are true.

V

The boolean vector instance.

Returns

True iff all elements in v are true or there are no elements.

Note

Missing elements count as false.

anonymize_addr
Type

function (a: addr, cl: IPAddrAnonymizationClass) : addr

Anonymizes an IP address.

A

The address to anonymize.

Cl

The anonymization class, which can take on three different values:

  • ORIG_ADDR: Tag a as an originator address.

  • RESP_ADDR: Tag a as a responder address.

  • OTHER_ADDR: Tag a as an arbitrary address.

Returns

An anonymized version of a.

Todo

Currently dysfunctional.

any_set
Type

function (v: any) : bool

Tests whether a boolean vector (vector of bool) has any true element.

V

The boolean vector instance.

Returns

True if any element in v is true.

backtrace
Type

function () : Backtrace

Returns a representation of the call stack as a vector of call stack elements, each containing call location information.

Returns

The call stack information, including function, file, and line location information.

bare_mode
Type

function () : bool

Returns whether Zeek was started in bare mode.

Returns

True if Zeek was started in bare mode, false otherwise.

bytestring_to_count
Type

function (s: string, is_le: bool &default = F &optional) : count

Converts a string of bytes to a count.

S

A string of bytes containing the binary representation of the value.

Is_le

If true, s is assumed to be in little endian format, else it’s big endian.

Returns

The value contained in s, or 0 if the conversion failed.

bytestring_to_double
Type

function (s: string) : double

Converts a string of bytes (in network byte order) to a double.

S

A string of bytes containing the binary representation of a double value.

Returns

The double value contained in s, or 0 if the conversion failed.

bytestring_to_hexstr
Type

function (bytestring: string) : string

Converts a string of bytes into its hexadecimal representation. For example, "04" would be converted to "3034".

Bytestring

The string of bytes.

Returns

The hexadecimal representation of bytestring.
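
The byte-to-number conversions documented above are what a script uses when it has to read a binary field out of raw payload, and the value read must be checked against the buffer before it is trusted. As an added example that is not taken from the Zeek documentation, parse_tlv below reads a two-byte big-endian length with bytestring_to_count and refuses to slice past the available data; the TLV layout (one type byte, two length bytes, value), the function name and the sample records built with hexstr_to_bytestring are all constructed for this illustration.

```zeek
# Added example, not from the Zeek documentation. parse_tlv and the record
# layout (1-byte type, 2-byte big-endian length, value) are hypothetical;
# bytestring_to_count, bytestring_to_hexstr and hexstr_to_bytestring are Zeek's.

# Returns the value bytes of one TLV record, or the empty string when the
# record is truncated or its length field runs past the available data.
function parse_tlv(data: string): string
	{
	# Need at least the type byte and the two length bytes.
	if ( |data| < 3 )
		return "";

	# Default is big endian (network byte order); pass T for little endian.
	local len = bytestring_to_count(data[1:3]);

	# Bounds check: a length supplied by the peer must not be trusted blindly.
	if ( 3 + len > |data| )
		return "";

	return data[3:3 + len];
	}

event zeek_init()
	{
	# Constructed sample: type 0x01, length 0x0004, value "zeek".
	local good = hexstr_to_bytestring("010004") + "zeek";
	print bytestring_to_hexstr(good);
	print parse_tlv(good);

	# Constructed sample whose length field (0xffff) exceeds the payload.
	local bad = hexstr_to_bytestring("01ffff") + "zeek";
	print parse_tlv(bad) == "";
	}
```

The second sample is the case that matters in practice: without the comparison against |data| a malformed length would silently yield a truncated value rather than being rejected, which is the kind of inconsistency an analyzer should report rather than absorb.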

calc_next_rotate
Type

function (i: interval) : interval

Calculates the duration until the next time a file is to be rotated, based on a given rotate interval.

I

The rotate interval to base the calculation on.

Returns

The duration until the next file rotation time.

cat
Type

function (…) : string

Returns the concatenation of the string representation of its arguments. The arguments can be of any type. For example, cat("foo", 3, T) returns "foo3T".

Returns

A string concatenation of all arguments.

cat_sep
Type

function (…) : string

Concatenates all arguments, with a separator placed between each one. This function is similar to cat, but places a separator between each given argument. If any of the variable arguments is an empty string it is replaced by a given default string instead.

Sep

The separator to place between each argument.

Def

The default string to use when an argument is the empty string.

Returns

A concatenation of all arguments with sep between each one and empty strings replaced with def.

check_subnet
Type

function (search: subnet, t: any) : bool

Checks if a specific subnet is a member of a set/table[subnet]. In contrast to the in operator, this performs an exact match, not a longest prefix match.

Search

the subnet to search for.

T

the set[subnet] or table[subnet].

Returns

True if the exact subnet is a member, false otherwise.
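
The distinction between exact and longest-prefix matching is easy to get wrong when a script manages a list of network prefixes. As an added example that is not part of the Zeek documentation, the script below shows the in operator, check_subnet and matching_subnets applied to the same set[subnet]; blocked_nets and its entries are constructed.

```zeek
# Added example, not from the Zeek documentation. blocked_nets and the
# prefixes in it are constructed sample values.
global blocked_nets: set[subnet] = { 10.0.0.0/8, 192.168.1.0/24 };

event zeek_init()
	{
	local probe = 10.1.2.0/24;

	# `in` performs a longest-prefix match, so a prefix nested inside
	# 10.0.0.0/8 is reported as a member.
	print probe in blocked_nets;

	# check_subnet requires this exact prefix and length to be an entry,
	# which 10.1.2.0/24 is not.
	print check_subnet(probe, blocked_nets);

	# An entry that is literally present is found by both.
	print check_subnet(192.168.1.0/24, blocked_nets);

	# matching_subnets returns every entry that contains the probe.
	print matching_subnets(probe, blocked_nets);
	}
```

Use check_subnet when the question is "is this exact prefix in my table", for instance before deleting an entry, since delete removes only an exact key; use in when the question is "is this address or prefix covered by anything in the table".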

clear_table
Type

function (v: any) : any

Removes all elements from a set or table.

V

The set or table.

close
Type

function (f: file) : bool

Closes an open file and flushes any buffered content.

F

A file handle to an open file.

Returns

True on success.

compress_path
Type

function (dir: string) : string

Compresses a given path by removing ‘..’s and the parent directory it references and also removing dual ‘/’s and extraneous ‘/./’s.

Dir

a path string, either relative or absolute.

Returns

a compressed version of the input path.

connection_exists
Type

function (c: conn_id) : bool

Checks whether a connection is (still) active.

C

The connection id to check.

Returns

True if the connection identified by c exists.

continue_processing
Type

function () : any

Resumes Zeek’s packet processing.

convert_for_pattern
Type

function (s: string) : string

Escapes a string so that it becomes a valid pattern and can be used with string_to_pattern. Any character from the set ^$-:"\/|*+?.(){}[] is prefixed with a \.

S

The string to escape.

Returns

An escaped version of s that has the structure of a valid pattern.
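
Escaping matters whenever the string turned into a pattern comes from outside the script, such as an indicator from a threat feed: an unescaped dot or bracket changes what the pattern matches. As an added example that is not part of the Zeek documentation, the script below compiles the same string with and without convert_for_pattern; indicator is a constructed value standing in for externally supplied data.

```zeek
# Added example, not from the Zeek documentation. indicator is a constructed
# value; convert_for_pattern and string_to_pattern are Zeek's.
global indicator = "evil.example.com";

event zeek_init()
	{
	# Compiled as-is: each dot is a pattern metacharacter matching any byte.
	local unescaped = string_to_pattern(indicator, F);

	# convert_for_pattern prefixes every metacharacter with a backslash so
	# the string matches only itself. Passing T as the second argument to
	# string_to_pattern applies the same conversion in one call.
	local escaped = string_to_pattern(convert_for_pattern(indicator), F);

	# A host name that differs from the indicator only where the dots are.
	local lookalike = "evilXexampleYcom";

	print unescaped in lookalike;
	print escaped in lookalike;
	print escaped in "evil.example.com";
	}
```

The unescaped pattern accepts the lookalike while the escaped one does not, so a detection built from unescaped feed strings both over-matches and can be made to match by input that merely resembles the indicator.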

count_to_double
Type

function (c: count) : double

Converts a count to a double.

C

The count to convert.

Returns

The count c as double.

count_to_port
Type

function (num: count, proto: transport_proto) : port

Converts a count and transport_proto to a port.

Num

The port number.

Proto

The transport protocol.

Returns

The count num as port.

count_to_v4_addr
Type

function (ip: count) : addr

Converts a count to an addr.

Ip

The count to convert.

Returns

The count ip as addr.

counts_to_addr
Type

function (v: index_vec) : addr

Converts an index_vec to an addr.

V

The vector containing host-order IP address representation, one element for IPv4 addresses, four elements for IPv6 addresses.

Returns

An IP address.

current_analyzer
Type

function () : count

Returns the ID of the analyzer which raised the current event.

Returns

The ID of the analyzer which raised the current event, or 0 if none.

current_time
Type

function () : time

Returns the current wall-clock time.

In general, you should use network_time instead unless you are using Zeek for non-networking uses (such as general scripting; not particularly recommended), because otherwise your script may behave very differently on live traffic versus played-back traffic from a save file.

Returns

The wall-clock time.

decode_base64
Type

function (s: string, a: string &default = "" &optional) : string

Decodes a Base64-encoded string.

S

The Base64-encoded string.

A

An optional custom alphabet. The empty string indicates the default alphabet. If given, the string must consist of 64 unique characters.

Returns

The decoded version of s.

decode_base64_conn
Type

function (cid: conn_id, s: string, a: string &default = "" &optional) : string

Decodes a Base64-encoded string that was derived from processing a connection. If an error is encountered decoding the string, that will be logged to weird.log with the associated connection.

Cid

The identifier of the connection that the encoding originates from.

S

The Base64-encoded string.

A

An optional custom alphabet. The empty string indicates the default alphabet. If given, the string must consist of 64 unique characters.

Returns

The decoded version of s.

disable_analyzer
Type

function (cid: conn_id, aid: count, err_if_no_conn: bool &default = T &optional, prevent: bool &default = F &optional) : bool

Disables the analyzer which raised the current event (if the analyzer belongs to the given connection).

Cid

The connection identifier.

Aid

The analyzer ID.

Err_if_no_conn

Emit an error message if the connection does not exist.

Prevent

Prevent the same analyzer type from being attached in the future. This is useful for preventing the same analyzer from being automatically reattached in the future, e.g. as a result of a DPD signature suddenly matching.

Returns

True if the connection identified by cid exists and has analyzer aid and it is scheduled for removal.

do_profiling
Type

function () : any

Enables detailed collection of profiling statistics. Statistics include CPU/memory usage, connections, TCP states/reassembler, DNS lookups, timers, and script-level state. The script variable profiling_file holds the name of the file.

double_to_count
Type

function (d: double) : count

Converts a double to a count.

D

The double to convert.

Returns

The double d as unsigned integer, or 0 if d < 0.0. The value returned follows typical rounding rules, as implemented by rint().

double_to_int
Type

function (d: double) : int

Converts a double to an int.

D

The double to convert.

Returns

The double d as signed integer. The value returned follows typical rounding rules, as implemented by rint().

double_to_interval
Type

function (d: double) : interval

Converts a double to an interval.

D

The double to convert.

Returns

The double d as interval.

double_to_time
Type

function (d: double) : time

Converts a double value to a time.

D

The double to convert.

Returns

The double value d as time.

dump_current_packet
Type

function (file_name: string) : bool

Writes the current packet to a file.

File_name

The name of the file to write the packet to.

Returns

True on success.

dump_packet
Type

function (pkt: pcap_packet, file_name: string) : bool

Writes a given packet to a file.

Pkt

The PCAP packet.

File_name

The name of the file to write pkt to.

Returns

True on success.

dump_rule_stats
Type

function (f: file) : bool

Write rule matcher statistics (DFA states, transitions, memory usage, cache hits/misses) to a file.

F

The file to write to.

Returns

True (unconditionally).

enable_raw_output
Type

function (f: file) : any

Prevents escaping of non-ASCII characters when writing to a file. This function is equivalent to &raw_output.

F

The file to enable raw output for.

encode_base64
Type

function (s: string, a: string &default = "" &optional) : string

Encodes a string as Base64.

S

The string to encode.

A

An optional custom alphabet. The empty string indicates the default alphabet. If given, the string must consist of 64 unique characters.

Returns

The encoded version of s.

entropy_test_add
Type

function (handle: opaque of entropy, data: string) : bool

Adds data to an incremental entropy calculation.

Handle

The opaque handle representing the entropy calculation state.

Data

The data to add to the entropy calculation.

Returns

True on success.

entropy_test_finish
Type

function (handle: opaque of entropy) : entropy_test_result

Finishes an incremental entropy calculation. Before using this function, one needs to obtain an opaque handle with entropy_test_init and add data to it via entropy_test_add.

Handle

The opaque handle representing the entropy calculation state.

Returns

The result of the entropy test. See find_entropy for a description of the individual components.

entropy_test_init
Type

function () : opaque of entropy

Initializes data structures for incremental entropy calculation.

Returns

An opaque handle to be used in subsequent operations.

enum_names
Type

function (et: any) : string_set

Returns all value names associated with an enum type.

Et

An enum type.

Returns

All enum value names associated with enum type et. If et is not an enum type, an empty set is returned.

enum_to_int
Type

function (e: any) : int

Converts an enum to an int.

E

The enum to convert.

Returns

The int value that corresponds to the enum.

exit
Type

function (code: int) : any

Shuts down the Zeek process immediately.

Code

The exit code to return with.

exp
Type

function (d: double) : double

Computes the exponential function.

D

The argument to the exponential function.

Returns

e to the power of d.

file_magic
Type

function (data: string) : mime_matches

Determines the MIME type of a piece of data using Zeek’s file magic signatures.

Data

The data for which to find matching MIME types.

Returns

All matching signatures, in order of strength.

file_mode
Type

function (mode: count) : string

Converts UNIX file permissions given by a mode to an ASCII string.

Mode

The permissions (an octal number like 0644 converted to decimal).

Returns

A string representation of mode in the format rw[xsS]rw[xsS]rw[xtT].

file_size
Type

function (f: string) : double

Returns the size of a given file.

F

The name of the file whose size to lookup.

Returns

The size of f in bytes.

filter_subnet_table
Type

function (search: subnet, t: any) : any

For a set[subnet]/table[subnet], create a new table that contains all entries that contain a given subnet.

Search

the subnet to search for.

T

the set[subnet] or table[subnet].

Returns

A new table that contains all the entries that cover the subnet searched for.

find_entropy
Type

function (data: string) : entropy_test_result

Performs an entropy test on the given data. See http://www.fourmilab.ch/random.

Data

The data to compute the entropy for.

Returns

The result of the entropy test, which contains the following fields.

  • entropy: The information density expressed as a number of bits per character.

  • chi_square: The chi-square test value expressed as an absolute number and a percentage which indicates how frequently a truly random sequence would exceed the value calculated, i.e., the degree to which the sequence tested is suspected of being non-random.

    If the percentage is greater than 99% or less than 1%, the sequence is almost certainly not random. If the percentage is between 99% and 95% or between 1% and 5%, the sequence is suspect. Percentages between 90% and 95% and 5% and 10% indicate the sequence is “almost suspect.”

  • mean: The arithmetic mean of all the bytes. If the data are close to random, it should be around 127.5.

  • monte_carlo_pi: Each successive sequence of six bytes is used as 24-bit x and y coordinates within a square. If the distance of the randomly-generated point is less than the radius of a circle inscribed within the square, the six-byte sequence is considered a “hit.” The percentage of hits can be used to calculate the value of pi. For very large streams the value will approach the correct value of pi if the sequence is close to random.

  • serial_correlation: This quantity measures the extent to which each byte in the file depends upon the previous byte. For random sequences this value will be close to zero.

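As an added example that is not part of the Zeek documentation, the incremental entropy_test_init / entropy_test_add / entropy_test_finish functions above and the result fields described under find_entropy, applied to HTTP bodies; the module name, the notice type and the thresholds are assumptions made here.

```zeek
@load base/frameworks/notice
@load base/protocols/http

module HttpEntropy;

export {
	redef enum Notice::Type += {
		## An HTTP body was large and its bytes look uniformly random.
		High_Entropy_Body,
	};

	## Bodies shorter than this are ignored; the statistics are noisy on short input.
	const min_bytes = 4096 &redef;

	## Bits per byte above which a body is treated as random-looking (maximum is 8.0).
	const entropy_threshold = 7.9 &redef;
}

# Running state per HTTP entity, keyed by connection UID and direction.
global ent_state: table[string] of opaque of entropy;
global ent_bytes: table[string] of count;

function entity_key(c: connection, is_orig: bool): string
	{
	return cat(c$uid, "/", is_orig ? "orig" : "resp");
	}

event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
	{
	local key = entity_key(c, is_orig);

	if ( key !in ent_state )
		{
		ent_state[key] = entropy_test_init();
		ent_bytes[key] = 0;
		}

	entropy_test_add(ent_state[key], data);
	ent_bytes[key] += length;
	}

event http_end_entity(c: connection, is_orig: bool)
	{
	local key = entity_key(c, is_orig);

	if ( key !in ent_state )
		return;

	local res = entropy_test_finish(ent_state[key]);
	local n = ent_bytes[key];
	delete ent_state[key];
	delete ent_bytes[key];

	if ( n < min_bytes || res$entropy < entropy_threshold )
		return;

	# Compressed and encrypted content both score close to 8 bits per byte,
	# so a hit is a lead to check against Content-Encoding and the MIME type,
	# not a verdict. The remaining fields are included to help that triage.
	NOTICE([$note=High_Entropy_Body,
	        $conn=c,
	        $msg=fmt("%s body, %d bytes: entropy=%.3f mean=%.1f chi_square=%.1f serial_corr=%.3f",
	                 is_orig ? "request" : "response", n, res$entropy,
	                 res$mean, res$chi_square, res$serial_correlation),
	        $identifier=cat(c$id$resp_h, c$id$resp_p)]);
	}

# Drop partial state for connections that end before their entity does.
event connection_state_remove(c: connection)
	{
	delete ent_state[entity_key(c, T)];
	delete ent_state[entity_key(c, F)];
	delete ent_bytes[entity_key(c, T)];
	delete ent_bytes[entity_key(c, F)];
	}
```
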
floor
Type

function (d: double) : double

Computes the greatest integer less than or equal to the given double value. For example, floor(3.14) returns 3.0, and floor(-3.14) returns -4.0.

D

The double to manipulate.

Returns

The next lowest integer of d as double.

flush_all
Type

function () : bool

Flushes all open files to disk.

Returns

True on success.

fmt
Type

function (…) : string

Produces a formatted string à la printf. The first argument is the format string and specifies how subsequent arguments are converted for output. It is composed of zero or more directives: ordinary characters (not %), which are copied unchanged to the output, and conversion specifications, each of which fetches zero or more subsequent arguments. Conversion specifications begin with % and the arguments must properly correspond to the specifier. After the %, the following characters may appear in sequence:

  • %: Literal %

  • -: Left-align field

  • [0-9]+: The field width (< 128)

  • .: Precision of floating point specifiers [efg] (< 128)

  • [DTdxsefg]: Format specifier

    • [DT]: ISO timestamp with microsecond precision

    • d: Signed/Unsigned integer (using C-style %lld/%llu for int/count)

    • x: Unsigned hexadecimal (using C-style %llx); addresses/ports are converted to host-byte order

    • s: String (byte values less than 32 or greater than 126 will be escaped)

    • [efg]: Double

Returns

Returns the formatted string. Given no arguments, fmt returns an empty string. Given no format string or the wrong number of additional arguments for the given format specifier, fmt generates a run-time error.

fnv1a32
Type

function (input: any) : count

Returns 32-bit digest of arbitrary input values using FNV-1a hash algorithm. See https://en.wikipedia.org/wiki/Fowler%E2%80%93Noll%E2%80%93Vo_hash_function.

Input

The desired input value to hash.

Returns

The hashed value.

generate_all_events
Type

function () : bool

By default, Zeek does not generate (raise) events that are not handled by any script. This means that such events are invisible to other event handlers and will not raise new_event.

Calling this function causes all events to be raised. This is likely only useful for debugging, and it reduces performance.

get_conn_transport_proto
Type

function (cid: conn_id) : transport_proto

Extracts the transport protocol from a connection.

Cid

The connection identifier.

Returns

The transport protocol of the connection identified by cid.

get_current_packet
Type

function () : pcap_packet

Returns the currently processed PCAP packet.

Returns

The currently processed packet, which is a record containing the timestamp, snaplen, and packet data.

get_current_packet_header
Type

function () : raw_pkt_hdr

Function to get the raw headers of the currently processed packet.

Returns

The raw_pkt_hdr record containing the Layer 2, 3 and 4 headers of the currently processed packet.

get_file_name
Type

function (f: file) : string

Gets the filename associated with a file handle.

F

The file handle to inquire the name for.

Returns

The filename associated with f.

get_port_transport_proto
Type

function (p: port) : transport_proto

Extracts the transport protocol from a port.

P

The port.

Returns

The transport protocol of the port p.

getenv
Type

function (var: string) : string

Returns a system environment variable.

Var

The name of the variable whose value to request.

Returns

The system environment variable identified by var, or an empty string if it is not defined.

gethostname
Type

function () : string

Returns the hostname of the machine Zeek runs on.

Returns

The hostname of the machine Zeek runs on.

getpid
Type

function () : count

Returns Zeek’s process ID.

Returns

Zeek’s process ID.

global_container_footprints
Type

function () : var_sizes

Generates a table of the “footprint” of all global container variables. This is (approximately) the number of objects the global contains either directly or indirectly. The number is not meant to be precise, but rather comparable: larger footprint correlates with more memory consumption. The table index is the variable name and the value is the footprint.

Returns

A table that maps variable names to their footprints.

global_ids
Type

function () : id_table

Generates a table with information about all global identifiers. The table value is a record containing the type name of the identifier, whether it is exported, a constant, an enum constant, redefinable, and its value (if it has one).

Returns

A table that maps identifier names to information about them.

global_options
Type

function () : string_set

Returns a set giving the names of all global options.

global_sizes
Type

function () : var_sizes

Attributes

&deprecated = “Remove in v5.1. MemoryAllocation() is deprecated and will be removed.”

Generates a table of the size of all global variables. The table index is the variable name and the value is the variable size in bytes.

Returns

A table that maps variable names to their sizes.

haversine_distance
Type

function (lat1: double, long1: double, lat2: double, long2: double) : double

Calculates the distance between two geographic locations using the haversine formula. Latitudes and longitudes must be given in degrees, where southern hemisphere latitudes are negative and western hemisphere longitudes are negative.

Lat1

Latitude (in degrees) of location 1.

Long1

Longitude (in degrees) of location 1.

Lat2

Latitude (in degrees) of location 2.

Long2

Longitude (in degrees) of location 2.

Returns

Distance in miles.

hexstr_to_bytestring
Type

function (hexstr: string) : string

Converts a hex-string into its binary representation. For example, "3034" would be converted to "04".

The input string is assumed to contain an even number of hexadecimal digits (0-9, a-f, or A-F), otherwise behavior is undefined.

Hexstr

The hexadecimal string representation.

Returns

The binary representation of hexstr.

hrw_weight
Type

function (key_digest: count, site_id: count) : count

Calculates a weight value for use in a Rendezvous Hashing algorithm. See https://en.wikipedia.org/wiki/Rendezvous_hashing. The weight function used is the one recommended in the original paper: http://www.eecs.umich.edu/techreports/cse/96/CSE-TR-316-96.pdf.

Key_digest

A 32-bit digest of a key. E.g. use fnv1a32 to produce this.

Site_id

A 32-bit site/node identifier.

Returns

The weight value for the key/site pair.

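An added example, not from the Zeek documentation, of the selection step this weight is meant for: digest the key with fnv1a32, ask hrw_weight for every candidate site, and take the highest. The function name hrw_pick_site, the site IDs and the sample keys are made up here.

```zeek
# Choose the site that owns a key under rendezvous (HRW) hashing: every
# caller that uses the same site list picks the same site for the same key,
# and removing one site only moves the keys that site owned.
function hrw_pick_site(key: string, sites: vector of count): count
	{
	if ( |sites| == 0 )
		return 0;  # caller must treat 0 as "no site available"

	# hrw_weight expects a 32-bit digest of the key; fnv1a32 produces one.
	local digest = fnv1a32(key);
	local best_site = sites[0];
	local best_weight = hrw_weight(digest, sites[0]);

	for ( i in sites )
		{
		local w = hrw_weight(digest, sites[i]);
		if ( w > best_weight )
			{
			best_weight = w;
			best_site = sites[i];
			}
		}

	return best_site;
	}

event zeek_init()
	{
	# Constructed site IDs (e.g. proxy node identifiers) and sample keys.
	local sites = vector(1001, 1002, 1003, 1004);
	local keys = vector("10.0.0.5", "10.0.0.6", "192.0.2.77", "203.0.113.9");

	for ( i in keys )
		print fmt("%s -> site %d", keys[i], hrw_pick_site(keys[i], sites));

	# Take site 1003 away: keys it did not own must keep their assignment.
	local fewer = vector(1001, 1002, 1004);
	for ( i in keys )
		{
		local before = hrw_pick_site(keys[i], sites);
		local after = hrw_pick_site(keys[i], fewer);
		if ( before != 1003 && before != after )
			print fmt("unexpected move: %s went from %d to %d", keys[i], before, after);
		}
	}
```
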
identify_data
Type

function (data: string, return_mime: bool &default = T &optional) : string

Determines the MIME type of a piece of data using Zeek’s file magic signatures.

Data

The data to find the MIME type for.

Return_mime

Deprecated argument; does nothing, except emit a warning when false.

Returns

The MIME type of data, or “<unknown>” if there was an error or no match. This is the strongest signature match.

install_dst_addr_filter
Type

function (ip: addr, tcp_flags: count, prob: double) : bool

Installs a filter to drop packets destined to a given IP address with a certain probability if none of a given set of TCP flags are set. Note that for IPv6 packets with a routing type header and non-zero segments left, the filter matches against the final destination of the packet according to the routing extension header.

Ip

Drop packets to this IP address.

Tcp_flags

If none of these TCP flags are set, drop packets to ip with probability prob.

Prob

The probability [0.0, 1.0] used to drop packets to ip.

Returns

True (unconditionally).

Todo

The return value should be changed to any.

install_dst_net_filter
Type

function (snet: subnet, tcp_flags: count, prob: double) : bool

Installs a filter to drop packets destined to a given subnet with a certain probability if none of a given set of TCP flags are set.

Snet

Drop packets to this subnet.

Tcp_flags

If none of these TCP flags are set, drop packets to snet with probability prob.

Prob

The probability [0.0, 1.0] used to drop packets to snet.

Returns

True (unconditionally).

Todo

The return value should be changed to any.

install_src_addr_filter
Type

function (ip: addr, tcp_flags: count, prob: double) : bool

Installs a filter to drop packets from a given IP source address with a certain probability if none of a given set of TCP flags are set. Note that for IPv6 packets with a Destination Options header that carries the Home Address option, the filter matches against that home address.

Ip

The IP address to drop.

Tcp_flags

If none of these TCP flags are set, drop packets from ip with probability prob.

Prob

The probability [0.0, 1.0] used to drop packets from ip.

Returns

True (unconditionally).

Todo

The return value should be changed to any.

install_src_net_filter
Type

function (snet: subnet, tcp_flags: count, prob: double) : bool

Installs a filter to drop packets originating from a given subnet with a certain probability if none of a given set of TCP flags are set.

Snet

The subnet to drop packets from.

Tcp_flags

If none of these TCP flags are set, drop packets from snet with probability prob.

Prob

The probability [0.0, 1.0] used to drop packets from snet.

Returns

True (unconditionally).

Todo

The return value should be changed to any.

int_to_count
Type

function (n: int) : count

Converts a (positive) int to a count.

N

The int to convert.

Returns

The int n as unsigned integer, or 0 if n < 0.

int_to_double
Type

function (i: int) : double

Converts an int to a double.

I

The int to convert.

Returns

The int i as double.

interval_to_double
Type

function (i: interval) : double

Converts an interval to a double.

I

The interval to convert.

Returns

The interval i as double.

is_icmp_port
Type

function (p: port) : bool

Checks whether a given port has ICMP as transport protocol.

P

The port to check.

Returns

True iff p is an ICMP port.

is_local_interface
Type

function (ip: addr) : bool

Checks whether a given IP address belongs to a local interface.

Ip

The IP address to check.

Returns

True if ip belongs to a local interface.

is_processing_suspended
Type

function () : bool

Returns whether or not processing is currently suspended.

is_remote_event
Type

function () : bool

Checks whether the last raised event came from a remote peer.

Returns

True if the last raised event came from a remote peer.

is_tcp_port
Type

function (p: port) : bool

Checks whether a given port has TCP as transport protocol.

P

The port to check.

Returns

True iff p is a TCP port.

is_udp_port
Type

function (p: port) : bool

Checks whether a given port has UDP as transport protocol.

P

The port to check.

Returns

True iff p is a UDP port.

is_v4_addr
Type

function (a: addr) : bool

Returns whether an address is IPv4 or not.

A

the address to check.

Returns

true if a is an IPv4 address, else false.

is_v4_subnet
Type

function (s: subnet) : bool

Returns whether a subnet specification is IPv4 or not.

S

the subnet to check.

Returns

true if s is an IPv4 subnet, else false.

is_v6_addr
Type

function (a: addr) : bool

Returns whether an address is IPv6 or not.

A

the address to check.

Returns

true if a is an IPv6 address, else false.

is_v6_subnet
Type

function (s: subnet) : bool

Returns whether a subnet specification is IPv6 or not.

S

the subnet to check.

Returns

true if s is an IPv6 subnet, else false.

is_valid_ip
Type

function (ip: string) : bool

Checks if a string is a valid IPv4 or IPv6 address.

Ip

the string to check for valid IP formatting.

Returns

T if the string is a valid IPv4 or IPv6 address format.

ln
Type

function (d: double) : double

Computes the natural logarithm of a number.

D

The argument to the logarithm.

Returns

The natural logarithm of d.

log10
Type

function (d: double) : double

Computes the common logarithm of a number.

D

The argument to the logarithm.

Returns

The common logarithm of d.

lookup_ID
Type

function (id: string) : any

Returns the value of a global identifier.

Id

The global identifier.

Returns

The value of id. If id does not describe a valid identifier, the string "<unknown id>" or "<no ID value>" is returned.

lookup_addr
Type

function (host: addr) : string

Issues an asynchronous reverse DNS lookup and delays the function result. This function can therefore only be called inside a when condition, e.g., when ( local host = lookup_addr(10.0.0.1) ) { f(host); }.

Host

The IP address to lookup.

Returns

The DNS name of host.

lookup_asn
Type

function (a: addr) : count

Attributes

&deprecated = “Remove in v6.1. Functionality is now handled by lookup_autonomous_system().”

Performs an ASN lookup of an IP address. Requires Zeek to be built with libmaxminddb.

A

The IP address to lookup.

Returns

The number of the ASN that contains the IP address.

lookup_autonomous_system
Type

function (a: addr) : geo_autonomous_system

Performs a lookup of the AS number and organization of an IP address. Requires Zeek to be built with libmaxminddb.

A

The IP address to lookup.

Returns

A record with autonomous system number and organization that contains a.

lookup_connection
Type

function (cid: conn_id) : connection

Returns the connection record for a given connection identifier.

Cid

The connection ID.

Returns

The connection record for cid. If cid does not point to an existing connection, the function generates a run-time error and returns a dummy value.

lookup_hostname
Type

function (host: string) : addr_set

Issues an asynchronous DNS lookup and delays the function result. This function can therefore only be called inside a when condition, e.g., when ( local h = lookup_hostname("www.zeek.org") ) { f(h); }.

Host

The hostname to lookup.

Returns

A set of DNS A and AAAA records associated with host.

lookup_hostname_txt
Type

function (host: string) : string

Issues an asynchronous TEXT DNS lookup and delays the function result. This function can therefore only be called inside a when condition, e.g., when ( local h = lookup_hostname_txt("www.zeek.org") ) { f(h); }.

Host

The hostname to lookup.

Returns

The DNS TXT record associated with host.

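An added example (not the documentation's own) of the when pattern that lookup_addr, lookup_hostname and lookup_hostname_txt require, with a capture list and a timeout branch; the RevLookup module, the result cache and the use of Site::is_local_addr are this example's choices.

```zeek
@load base/utils/site

module RevLookup;

export {
	## Give up on a reverse lookup after this long.
	const lookup_timeout = 5sec &redef;
}

# Names by address; entries expire so a host is re-resolved at most hourly.
global resolved: table[addr] of string &create_expire = 1hr;

function record_name(a: addr, name: string)
	{
	resolved[a] = name;
	print fmt("%s -> %s", a, name);
	}

event connection_established(c: connection)
	{
	local rh = c$id$resp_h;

	# Skip internal hosts and addresses already resolved or still in flight.
	# Note that every lookup is DNS traffic that Zeek itself generates.
	if ( Site::is_local_addr(rh) || rh in resolved )
		return;

	# Mark the address as in flight so parallel connections to it do not
	# each issue their own query.
	resolved[rh] = "<pending>";

	# lookup_addr delays its result, so it may only appear in a "when"
	# condition: this handler returns immediately and the block below runs
	# once the DNS answer arrives. Locals used inside must be captured ([rh]).
	when [rh] ( local name = lookup_addr(rh) )
		{
		record_name(rh, name);
		}
	timeout lookup_timeout
		{
		record_name(rh, "<timeout>");
		}
	}
```
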
lookup_location
Type

function (a: addr) : geo_location

Performs a geo-lookup of an IP address. Requires Zeek to be built with libmaxminddb.

A

The IP address to lookup.

Returns

A record with country, region, city, latitude, and longitude.

mask_addr
Type

function (a: addr, top_bits_to_keep: count) : subnet

Masks an address down to the number of given upper bits. For example, mask_addr(1.2.3.4, 18) returns 1.2.0.0.

A

The address to mask.

Top_bits_to_keep

The number of top bits to keep in a; must be greater than 0 and less than 33 for IPv4, or 129 for IPv6.

Returns

The address a masked down to top_bits_to_keep bits.

match_signatures
Type

function (c: connection, pattern_type: int, s: string, bol: bool, eol: bool, from_orig: bool, clear: bool) : bool

Manually triggers the signature engine for a given connection. This is an internal function.

matching_subnets
Type

function (search: subnet, t: any) : subnet_vec

Gets all subnets that contain a given subnet from a set/table[subnet].

Search

the subnet to search for.

T

the set[subnet] or table[subnet].

Returns

All the keys of the set or table that cover the subnet searched for.

md5_hash
Type

function (…) : string

Computes the MD5 hash value of the provided list of arguments.

Returns

The MD5 hash value of the concatenated arguments.

Note

This function performs a one-shot computation of its arguments. For incremental hash computation, see md5_hash_init and friends.

md5_hash_finish
Type

function (handle: opaque of md5) : string

Returns the final MD5 digest of an incremental hash computation.

Handle

The opaque handle associated with this hash computation.

Returns

The hash value associated with the computation of handle.

md5_hash_init
Type

function () : opaque of md5

Constructs an MD5 handle to enable incremental hash computation. You can feed data to the returned opaque value with md5_hash_update and eventually need to call md5_hash_finish to finish the computation and get the hash digest.

For example, when computing incremental MD5 values of transferred files in multiple concurrent HTTP connections, one keeps an optional handle in the HTTP session record. Then, one would call c$http$md5_handle = md5_hash_init() once before invoking md5_hash_update(c$http$md5_handle, some_more_data) in the http_entity_data event handler. When all data has arrived, a call to md5_hash_finish returns the final hash value.

Returns

The opaque handle associated with this hash computation.

md5_hash_update
Type

function (handle: opaque of md5, data: string) : bool

Updates the MD5 value associated with a given index. It is required to call md5_hash_init once before calling this function.

Handle

The opaque handle associated with this hash computation.

Data

The data to add to the hash computation.

Returns

True on success.

md5_hmac
Type

function (…) : string

Computes an HMAC-MD5 hash value of the provided list of arguments. The HMAC secret key is generated from available entropy when Zeek starts up, or it can be specified for repeatability using the -K command line flag.

Returns

The HMAC-MD5 hash value of the concatenated arguments.

mkdir
Type

function (f: string) : bool

Creates a new directory.

F

The directory name.

Returns

True if the operation succeeds or if f already exists, and false if the file creation fails.

mmdb_open_asn_db
Type

function (f: string) : bool

Initializes MMDB for later use of lookup_asn or lookup_autonomous_system. Requires Zeek to be built with libmaxminddb.

F

The filename of the MaxMind ASN DB.

Returns

A boolean indicating whether the db was successfully opened.

mmdb_open_location_db
Type

function (f: string) : bool

Initializes MMDB for later use of lookup_location. Requires Zeek to be built with libmaxminddb.

F

The filename of the MaxMind City or Country DB.

Returns

A boolean indicating whether the db was successfully opened.

network_time
Type

function () : time

Returns the timestamp of the last packet processed. This function returns the timestamp of the most recently read packet, whether read from a live network interface or from a save file.

Returns

The timestamp of the packet processed.

open
Type

function (f: string) : file

Opens a file for writing. If a file with the same name already exists, this function overwrites it (as opposed to open_for_append).

F

The path to the file.

Returns

A file handle for subsequent operations.

open_for_append
Type

function (f: string) : file

Opens a file for writing or appending. If a file with the same name already exists, this function appends to it (as opposed to open).

F

The path to the file.

Returns

A file handle for subsequent operations.

order
Type

function (…) : index_vec

Returns the order of the elements in a vector according to some comparison function. See sort for details about the comparison function.

V

The vector whose order to compute.

Returns

A vector of count with the indices of the ordered elements. For example, the elements of v in order are (assuming o is the vector returned by order): v[o[0]], v[o[1]], etc.

packet_source
Type

function () : PacketSource

Returns

The packet source being read by Zeek.

paraglob_equals
Type

function (p_one: opaque of paraglob, p_two: opaque of paraglob) : bool

Compares two paraglobs for equality.

P_one

A compiled paraglob.

P_two

A compiled paraglob.

Returns

True if both paraglobs contain the same patterns, false otherwise.

See also: paraglob_add, paraglob_match, paraglob_init

paraglob_init
Type

function (v: any) : opaque of paraglob

Initializes and returns a new paraglob.

V

Vector of patterns to initialize the paraglob with.

Returns

A new, compiled paraglob with the patterns in v.

paraglob_match
Type

function (handle: opaque of paraglob, match: string) : string_vec

Returns all patterns in the paraglob that match an input string.

Handle

A compiled paraglob.

Match

string to match against the paraglob.

Returns

A vector of strings matching the input string.

See also: paraglob_add, paraglob_equals, paraglob_init

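As an added example that is not part of the Zeek documentation, a pattern list compiled once with paraglob_init and matched with paraglob_match against TLS server names; the SniWatch module and the glob patterns are constructed for illustration.

```zeek
module SniWatch;

export {
	## Glob patterns for server names of interest. Constructed for
	## illustration only; they are not real indicators.
	const watch_patterns: vector of string = vector(
		"*.update-mirror.test",
		"cdn-*.static.test",
		"login.*.test") &redef;
}

# Compiled once at startup; paraglob_init builds the matching structure.
global watch_pg: opaque of paraglob;

event zeek_init()
	{
	watch_pg = paraglob_init(watch_patterns);

	# Self-check: exactly the last pattern should match this name.
	local hits = paraglob_match(watch_pg, "login.portal.test");
	if ( |hits| != 1 || hits[0] != "login.*.test" )
		print "paraglob self-check failed";
	}

# Returns every pattern that matches name (an empty vector if none do).
function matching_patterns(name: string): string_vec
	{
	return paraglob_match(watch_pg, name);
	}

# TLS SNI carries the requested server name in the clear, so it is a cheap
# place to apply the pattern list.
event ssl_extension_server_name(c: connection, is_orig: bool, names: string_vec)
	{
	if ( ! is_orig )
		return;

	for ( i in names )
		{
		local matched = matching_patterns(names[i]);
		if ( |matched| == 0 )
			next;

		print fmt("%s %s -> %s: SNI %s matched %s",
		          c$uid, c$id$orig_h, c$id$resp_h, names[i], matched);
		}
	}
```
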
piped_exec
Type

function (program: string, to_write: string) : bool

Opens a program with popen and writes a given string to the returned stream to send it to the opened process’s stdin.

Program

The program to execute.

To_write

Data to pipe to the opened program’s process via stdin.

Returns

True on success.

port_to_count
Type

function (p: port) : count

Converts a port to a count.

P

The port to convert.

Returns

The port p as count.

preserve_prefix
Type

function (a: addr, width: count) : any

Preserves the prefix of an IP address in anonymization.

A

The address to preserve.

Width

The number of bits from the top that should remain intact.

Todo

Currently dysfunctional.

preserve_subnet
Type

function (a: subnet) : any

Preserves the prefix of a subnet in anonymization.

A

The subnet to preserve.

Todo

Currently dysfunctional.

print_raw
Type

function (…) : bool

Renders a sequence of values to a string of bytes and outputs them directly to stdout with no additional escape sequences added. No additional newline is added to the end either.

Returns

Always true.

ptr_name_to_addr
Type

function (s: string) : addr

Converts a reverse pointer name to an address. For example, 1.0.168.192.in-addr.arpa to 192.168.0.1.

S

The string with the reverse pointer name.

Returns

The IP address corresponding to s.

rand
Type

function (max: count) : count

Generates a random number.

Max

The maximum value of the random number.

Returns

A random non-negative integer in the interval [0, max).

Note

This function is a wrapper around the random function provided by the OS.

raw_bytes_to_v4_addr
Type

function (b: string) : addr

Converts a string of bytes into an IPv4 address. In particular, this function interprets the first 4 bytes of the string as an IPv4 address in network order.

B

The raw bytes (string) to convert.

Returns

The byte string b as addr.

raw_bytes_to_v6_addr
Type

function (x: string) : addr

Converts a string of bytes into an IPv6 address. In particular, this function interprets the first 16 bytes of the string as an IPv6 address in network order.

X

The raw bytes (string) to convert.

Returns

The byte string x as addr.

reading_live_traffic
Type

function () : bool

Checks whether Zeek reads traffic from one or more network interfaces (as opposed to from a network trace in a file). Note that this function returns true even after Zeek has stopped reading network traffic, for example due to receiving a termination signal.

Returns

True if reading traffic from a network interface.

reading_traces
Type

function () : bool

Checks whether Zeek reads traffic from a trace file (as opposed to from a network interface).

Returns

True if reading traffic from a network trace.

record_fields
Type

function (rec: any) : record_field_table

Generates metadata about a record’s fields. The returned information includes the field name, whether it is logged, its value (if it has one), and its default value (if specified).

Rec

The record value or type to inspect.

Returns

A table that describes the fields of a record.

record_type_to_vector
Type

function (rt: string) : string_vec

Converts a record type name to a vector of strings, where each element is the name of a record field. Nested records are flattened.

Rt

The name of the record type.

Returns

A string vector with the field names of rt.

remask_addr
Type

function (a1: addr, a2: addr, top_bits_from_a1: count) : addr

Takes some top bits (such as a subnet address) from one address and the other bits (intra-subnet part) from a second address and merges them to get a new address. This is useful for anonymizing at subnet level while preserving serial scans.

A1

The address to mask with top_bits_from_a1.

A2

The address to take the remaining bits from.

Top_bits_from_a1

The number of top bits to keep in a1; must be greater than 0 and less than 129. This value is always interpreted relative to the IPv6 bit width (v4-mapped addresses start at bit number 96).

Returns

The merged address: the top top_bits_from_a1 bits taken from a1, followed by the remaining bits taken from a2.

See also:
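
Subnet-preserving anonymization is the use case the remask_addr description names. The script below is an added example, not code from the Zeek documentation or the Zeek project: it keeps the /24 of a real IPv4 address and takes the host bits from a random address, so hosts in one subnet stay together and a scan across a /24 still looks like a scan. The bit count passed to remask_addr is IPv6-relative, hence the 96 offset for v4-mapped addresses. The function and table names, the fixed seed and the sample addresses are this example's own assumptions.

```zeek
# Added example (not part of the Zeek documentation): subnet-preserving
# anonymization of IPv4 addresses with remask_addr(). Names are assumptions.
global anon_cache: table[addr] of addr;

function random_v4(): addr
    {
    # rand(256) yields a count in [0, 256), one per octet.
    return to_addr(fmt("%d.%d.%d.%d", rand(256), rand(256), rand(256), rand(256)));
    }

function anonymize_v4(real: addr, prefix_len: count): addr
    {
    # Same real host -> same fake host for the lifetime of this run, so that
    # per-host counts in anonymized logs stay meaningful.
    if ( real in anon_cache )
        return anon_cache[real];

    # top_bits_from_a1 is interpreted against the 128-bit IPv6 width; the
    # IPv4 part of a v4-mapped address starts at bit 96, so a /24 is 96 + 24.
    local fake = remask_addr(real, random_v4(), 96 + prefix_len);
    anon_cache[real] = fake;
    return fake;
    }

event zeek_init()
    {
    # Constructed: fixed seed so the mapping is reproducible between runs.
    srand(4242);
    print anonymize_v4(192.168.1.77, 24);
    print anonymize_v4(192.168.1.78, 24);   # stays in the same /24
    print anonymize_v4(192.168.1.77, 24);   # served from the cache
    }
```

With srand fixed, the mapping is reproducible, which is what you want for a shareable dataset; for a one-off export where linkability is the concern, omit the seed.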

rename
Type

function (src_f: string, dst_f: string) : bool

Renames a file from src_f to dst_f.

Src_f

the name of the file to rename.

Dst_f

the name of the file after the rename operation.

Returns

True if the rename succeeds and false otherwise.

See also:

resize
Type

function (aggr: any, newsize: count) : count

Resizes a vector.

Aggr

The vector instance.

Newsize

The new size of aggr.

Returns

The old size of aggr, or 0 if aggr is not a vector.

rmdir
Type

function (d: string) : bool

Removes a directory.

D

The directory name.

Returns

True if the operation succeeds, and false if the directory delete operation fails.

See also:

rotate_file
Type

function (f: file) : rotate_info

Rotates a file.

F

An open file handle.

Returns

Rotation statistics which include the original file name, the name after the rotation, and the time when f was opened/closed.

See also:

rotate_file_by_name
Type

function (f: string) : rotate_info

Rotates a file identified by its name.

F

The name of the file to rotate

Returns

Rotation statistics which include the original file name, the name after the rotation, and the time when f was opened/closed.

See also:

routing0_data_to_addrs
Type

function (s: string) : addr_vec

Converts the data field of ip6_routing records that have rtype of 0 into a vector of addresses.

S

The data field of an ip6_routing record that has an rtype of 0.

Returns

The vector of addresses contained in the routing header data.

same_object
Type

function (o1: any, o2: any) : bool

Checks whether two objects reference the same internal object. This function uses equality comparison of C++ raw pointer values to determine if the two objects are the same.

O1

The first object.

O2

The second object.

Returns

True if o1 and o2 are equal.

set_buf
Type

function (f: file, buffered: bool) : any

Alters the buffering behavior of a file.

F

A file handle to an open file.

Buffered

When true, f is fully buffered, i.e., bytes are saved in a buffer until the block size has been reached. When false, f is line buffered, i.e., bytes are saved up until a newline occurs.

See also:

set_inactivity_timeout
Type

function (cid: conn_id, t: interval) : interval

Sets an individual inactivity timeout for a connection and thus overrides the global inactivity timeout.

Cid

The connection ID.

T

The new inactivity timeout for the connection identified by cid.

Returns

The previous timeout interval.

set_network_time
Type

function (nt: time) : bool

Sets the timestamp associated with the last packet processed. Used for event replaying.

Nt

The time to which to set “network time”.

Returns

The timestamp of the packet processed.

See also:

set_record_packets
Type

function (cid: conn_id, do_record: bool) : bool

Controls whether packet contents belonging to a connection should be recorded (when -w option is provided on the command line).

Cid

The connection identifier.

Do_record

True to enable packet contents, and false to disable for the connection identified by cid.

Returns

False if cid does not point to an active connection, and true otherwise.

See also:

Note

This is independent of whether Zeek processes the packets of this connection, which is controlled separately by skip_further_processing.

See also:

setenv
Type

function (var: string, val: string) : bool

Sets a system environment variable.

Var

The name of the variable.

Val

The (new) value of the variable var.

Returns

True on success.

See also:

sha1_hash
Type

function (…) : string

Computes the SHA1 hash value of the provided list of arguments.

Returns

The SHA1 hash value of the concatenated arguments.

See also:

Note

This function performs a one-shot computation of its arguments. For incremental hash computation, see sha1_hash_init and friends.

sha1_hash_finish
Type

function (handle: opaque of sha1) : string

Returns the final SHA1 digest of an incremental hash computation.

Handle

The opaque handle associated with this hash computation.

Returns

The hash value associated with the computation of handle.

See also:

sha1_hash_init
Type

function () : opaque of sha1

Constructs an SHA1 handle to enable incremental hash computation. You can feed data to the returned opaque value with sha1_hash_update and finally need to call sha1_hash_finish to finish the computation and get the hash digest.

For example, when computing incremental SHA1 values of transferred files in multiple concurrent HTTP connections, one keeps an optional handle in the HTTP session record. Then, one would call c$http$sha1_handle = sha1_hash_init() once before invoking sha1_hash_update(c$http$sha1_handle, some_more_data) in the http_entity_data event handler. When all data has arrived, a call to sha1_hash_finish returns the final hash value.

Returns

The opaque handle associated with this hash computation.

See also:

sha1_hash_update
Type

function (handle: opaque of sha1, data: string) : bool

Updates the SHA1 computation associated with a given handle. It is required to call sha1_hash_init once before calling this function.

Handle

The opaque handle associated with this hash computation.

Data

The data to add to the hash computation.

Returns

True on success.

See also:

sha256_hash
Type

function (…) : string

Computes the SHA256 hash value of the provided list of arguments.

Returns

The SHA256 hash value of the concatenated arguments.

See also:

Note

This function performs a one-shot computation of its arguments. For incremental hash computation, see sha256_hash_init and friends.

sha256_hash_finish
Type

function (handle: opaque of sha256) : string

Returns the final SHA256 digest of an incremental hash computation.

Handle

The opaque handle associated with this hash computation.

Returns

The hash value associated with the computation of handle.

See also:

sha256_hash_init
Type

function () : opaque of sha256

Constructs an SHA256 handle to enable incremental hash computation. You can feed data to the returned opaque value with sha256_hash_update and finally need to call sha256_hash_finish to finish the computation and get the hash digest.

For example, when computing incremental SHA256 values of transferred files in multiple concurrent HTTP connections, one keeps an optional handle in the HTTP session record. Then, one would call c$http$sha256_handle = sha256_hash_init() once before invoking sha256_hash_update(c$http$sha256_handle, some_more_data) in the http_entity_data event handler. When all data has arrived, a call to sha256_hash_finish returns the final hash value.
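
The handle-in-session-record pattern described for sha1_hash_init and, identically, for sha256_hash_init is shown below as a complete script. It is an added example, not code from the Zeek documentation or the Zeek project, and uses SHA256; the SHA1 variant only differs in the function names and the opaque type. The record field names, the module name and the size threshold are this example's assumptions.

```zeek
# Added example (not part of the Zeek documentation): incremental SHA256 over
# each HTTP entity body, keeping the hash state in the HTTP session record as
# the sha256_hash_init description outlines. Field and module names are
# assumptions chosen for this example.
module HTTPEntityHash;

export {
    ## Bodies smaller than this are hashed but not reported (assumption).
    const min_report_size = 1024 &redef;
}

redef record HTTP::Info += {
    ## Running hash state; present only while an entity is in flight.
    sha256_handle: opaque of sha256 &optional;
    ## Bytes fed into the hash so far.
    sha256_bytes: count &default=0;
};

event http_begin_entity(c: connection, is_orig: bool)
    {
    if ( ! c?$http )
        return;
    # One fresh handle per entity; init must precede every update.
    c$http$sha256_handle = sha256_hash_init();
    c$http$sha256_bytes = 0;
    }

event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
    {
    if ( ! c?$http )
        return;
    # Entity data can arrive without a preceding begin_entity when Zeek
    # started mid-stream, so initialize lazily instead of failing.
    if ( ! c$http?$sha256_handle )
        c$http$sha256_handle = sha256_hash_init();

    sha256_hash_update(c$http$sha256_handle, data);
    c$http$sha256_bytes += length;
    }

event http_end_entity(c: connection, is_orig: bool)
    {
    if ( ! c?$http || ! c$http?$sha256_handle )
        return;

    # finish() yields the digest; drop the handle so it is not updated again.
    local digest = sha256_hash_finish(c$http$sha256_handle);
    delete c$http$sha256_handle;

    if ( c$http$sha256_bytes >= min_report_size )
        Reporter::info(fmt("HTTP %s entity to %s: %d bytes, sha256=%s",
                           is_orig ? "request" : "response",
                           c$id$resp_h, c$http$sha256_bytes, digest));
    }
```

Hashing this way needs only the current chunk in memory, which is the point of the incremental API when many large transfers are in flight at once; the one-shot sha256_hash would require buffering the whole body first.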

Returns

The opaque handle associated with this hash computation.

See also:

sha256_hash_update
Type

function (handle: opaque of sha256, data: string) : bool

Updates the SHA256 computation associated with a given handle. It is required to call sha256_hash_init once before calling this function.

Handle

The opaque handle associated with this hash computation.

Data

The data to add to the hash computation.

Returns

True on success.

See also:

skip_further_processing
Type

function (cid: conn_id) : bool

Informs Zeek that it should skip any further processing of the contents of a given connection. In particular, Zeek will refrain from reassembling the TCP byte stream and from generating events relating to any analyzers that have been processing the connection.

Cid

The connection ID.

Returns

False if cid does not point to an active connection, and true otherwise.

Note

Zeek will still generate connection-oriented events such as connection_finished.
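
The set_record_packets and skip_further_processing pair is typically used to shed deep inspection of flows that are known to be bulk traffic, while keeping the connection-level record the note above promises. The script below is an added example, not code from the Zeek documentation or the Zeek project. It relies on Zeek's connection threshold framework (base/protocols/conn/thresholds.zeek) for the byte-count trigger; the server set, the threshold value and the module name are this example's assumptions.

```zeek
# Added example (not part of the Zeek documentation): stop deep inspection and
# packet recording for connections identified as bulk traffic. The
# connection itself keeps being tracked, so conn.log still gets its entry.
module BulkSkip;

export {
    ## Constructed: known bulk destinations (e.g. an internal rsync backup target).
    const bulk_servers: set[addr, port] = {
        [10.20.0.15, 873/tcp]
    } &redef;

    ## Originator bytes after which any connection is treated as bulk (assumption).
    const bulk_threshold = 50 * 1024 * 1024 &redef;
}

function stop_inspecting(c: connection, reason: string)
    {
    # Only has an effect when Zeek runs with -w; harmless otherwise.
    set_record_packets(c$id, F);
    # Returns F when the connection is no longer active; nothing to do then.
    if ( skip_further_processing(c$id) )
        Reporter::info(fmt("skipping further processing of %s (%s)", c$uid, reason));
    }

event connection_established(c: connection)
    {
    if ( [c$id$resp_h, c$id$resp_p] in bulk_servers )
        {
        stop_inspecting(c, "known bulk server");
        return;
        }

    # Everything else: ask to be notified once the originator has sent
    # bulk_threshold bytes, then decide again.
    ConnThreshold::set_bytes_threshold(c, bulk_threshold, T);
    }

event ConnThreshold::bytes_threshold_crossed(c: connection, threshold: count, is_orig: bool)
    {
    if ( is_orig && threshold == bulk_threshold )
        stop_inspecting(c, fmt("%d bytes sent by originator", threshold));
    }
```

Keep the known-server list narrow: once skip_further_processing has been called, no protocol analyzer on that connection will raise events again, so anything the flow carries after that point is invisible to script-level detection.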

sort
Type

function (…) : any

Sorts a vector in place. The second argument is a comparison function that takes two arguments: if the vector type is vector of T, then the comparison function must be function(a: T, b: T): int, which returns a value less than zero if a < b for some type-specific notion of the less-than operator. The comparison function is optional if the type is a numeric type (int, count, double, time, etc.).

V

The vector instance to sort.

Returns

The vector, sorted from minimum to maximum value. If the vector could not be sorted, then the original vector is returned instead.

See also:
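
For non-numeric element types sort() needs the comparison function described above. The script below is an added example, not code from the Zeek documentation or the Zeek project: it ranks hosts by hit count using a comparator that orders descending, and also shows the comparator-free call for a numeric vector. The Hit record, the function names and the sample table are constructed for this example.

```zeek
# Added example (not part of the Zeek documentation): sorting a vector of
# records with a user-supplied comparator, plus the default numeric sort.
type Hit: record {
    host: addr;
    hits: count;
};

# Comparator contract from the sort() description: a value below zero means
# a sorts before b. Higher counts sort first, giving a descending order.
function by_hits_desc(a: Hit, b: Hit): int
    {
    if ( a$hits > b$hits )
        return -1;
    if ( a$hits < b$hits )
        return 1;
    return 0;
    }

# Returns the n busiest hosts from a per-host counter table.
function top_talkers(counts: table[addr] of count, n: count): vector of Hit
    {
    local all: vector of Hit = vector();
    for ( h in counts )
        all[|all|] = Hit($host=h, $hits=counts[h]);

    # sort() works in place and also returns the same vector.
    sort(all, by_hits_desc);

    local top: vector of Hit = vector();
    for ( i in all )
        {
        if ( i >= n )
            break;
        top[|top|] = all[i];
        }
    return top;
    }

event zeek_init()
    {
    # Constructed sample data.
    local counts: table[addr] of count = {
        [10.0.0.5] = 42,
        [10.0.0.9] = 7,
        [192.168.1.20] = 300
    };

    local top = top_talkers(counts, 2);
    for ( i in top )
        print fmt("%s %d", top[i]$host, top[i]$hits);

    # Numeric vectors need no comparator; the default order is ascending.
    local sizes = vector(512, 16, 2048);
    sort(sizes);
    print sizes;
    }
```

Because the comparator returns an int, derive it from explicit comparisons rather than subtracting two counts: count arithmetic is unsigned, so b$hits - a$hits would not produce the negative value the contract expects.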

sqrt
Type

function (x: double) : double

Computes the square root of a double.

X

The number to compute the square root of.

Returns

The square root of x.

See also:

srand
Type

function (seed: count) : any

Sets the seed for subsequent rand calls.

Seed

The seed for the PRNG.

See also:

Note

This function is a wrapper around the function srandom provided by the OS.

strftime
Type

function (fmt: string, d: time) : string

Formats a given time value according to a format string.

Fmt

The format string. See man strftime for the syntax.

D

The time value.

Returns

The time d formatted according to fmt.

string_to_pattern
Type

function (s: string, convert: bool) : pattern

Converts a string into a pattern.

S

The string to convert.

Convert

If true, s is first passed through the function convert_for_pattern to escape special characters of patterns.

Returns

s as pattern.

See also:

strptime
Type

function (fmt: string, d: string) : time

Parses a textual representation of a date/time value into a time type value.

Fmt

The format string used to parse the following d argument. See man strftime for the syntax.

D

The string representing the time.

Returns

The time value calculated from parsing d with fmt.

subnet_to_addr
Type

function (sn: subnet) : addr

Converts a subnet to an addr by extracting the prefix.

Sn

The subnet to convert.

Returns

The subnet as an addr.

See also:

subnet_width
Type

function (sn: subnet) : count

Returns the width of a subnet.

Sn

The subnet.

Returns

The width of the subnet.

See also:

suspend_processing
Type

function () : any

Stops Zeek’s packet processing. This function is used to synchronize distributed trace processing with communication enabled (pseudo-realtime mode).

See also:

syslog
Type

function (s: string) : any

Sends a string to syslog.

S

The string to log via syslog

system
Type

function (str: string) : int

Invokes a command via the system function of the OS. The command runs in the background with stdout redirecting to stderr. Here is a usage example: system(fmt("rm %s", safe_shell_quote(sniffed_data)));

Str

The command to execute.

Returns

The return value from the OS system function.

See also:

Note

Note that this corresponds to the status of backgrounding the given command, not to the exit status of the command itself. A value of 127 corresponds to a failure to execute sh, and -1 to an internal system failure.

system_env
Type

function (str: string, env: table_string_of_string) : int

Invokes a command via the system function of the OS with a prepared environment. The function is essentially the same as system, but changes the environment before invoking the command.

Str

The command to execute.

Env

A table with the environment variables in the form of key-value pairs. Each specified environment variable name will be automatically prepended with ZEEK_ARG_.

Returns

The return value from the OS system function.

See also:
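
The usage example given for system relies on safe_shell_quote because the data ends up inside a command string that sh parses. system_env offers a second route: traffic-derived values travel in environment variables (prefixed ZEEK_ARG_ as described above), and the command string stays a fixed literal. The script below is an added example, not code from the Zeek documentation or the Zeek project; the helper path, the function name and the sample values are this example's assumptions.

```zeek
# Added example (not part of the Zeek documentation): passing untrusted
# values to an external helper through the environment with system_env(),
# so that nothing from the wire is ever interpolated into the shell command.
function notify_external(uid: string, host: addr): bool
    {
    # Keys are exposed to the helper as ZEEK_ARG_UID and ZEEK_ARG_HOST.
    local env: table[string] of string = {
        ["UID"] = uid,
        ["HOST"] = fmt("%s", host)
    };

    # Assumed helper path; the command string is a fixed literal on purpose,
    # since sh still parses it. The return value is the status of backgrounding
    # the command (see the note on system), not the helper's own exit code.
    local rc = system_env("/usr/local/bin/zeek-notify.sh", env);
    if ( rc != 0 )
        {
        Reporter::warning(fmt("could not launch notifier for %s (status %d)", uid, rc));
        return F;
        }
    return T;
    }

event zeek_init()
    {
    # Constructed sample values.
    notify_external("CHhAvVGS1DHFjwGM9", 203.0.113.7);
    }
```

If a value must appear on the command line after all, the page's own pattern applies: wrap it in safe_shell_quote before handing it to fmt. Either way, keep such calls rare; every invocation forks a shell on the monitoring host.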

terminate
Type

function () : bool

Gracefully shut down Zeek by terminating outstanding processing.

Returns

True after successful termination and false when Zeek is still in the process of shutting down.

See also:

time_to_double
Type

function (t: time) : double

Converts a time value to a double.

T

The time to convert.

Returns

The time value t as double.

See also:

to_addr
Type

function (ip: string) : addr

Converts a string to an addr.

Ip

The string to convert.

Returns

The string ip as addr, or the unspecified address :: if the input string does not parse correctly.

See also:

to_count
Type

function (str: string) : count

Converts a string to a count.

Str

The string to convert.

Returns

The string str as unsigned integer, or 0 if str has an invalid format.

See also:

to_double
Type

function (str: string) : double

Converts a string to a double.

Str

The string to convert.

Returns

The string str as double, or 0 if str has an invalid format.

to_int
Type

function (str: string) : int

Converts a string to an int.

Str

The string to convert.

Returns

The string str as int.

See also:

to_json
Type

function (val: any, only_loggable: bool &default = F &optional, field_escape_pattern: pattern &default = /^?(^_)$?/ &optional) : string

A function to convert arbitrary Zeek data into a JSON string.

Val

The value to convert to JSON. Typically a record.

Only_loggable

If val is a record, only the fields carrying the &log attribute are included in the JSON.

Returns

a JSON formatted string.

See also:

to_port
Type

function (s: string) : port

Converts a string to a port.

S

The string to convert.

Returns

A port converted from s.

See also:

to_subnet
Type

function (sn: string) : subnet

Converts a string to a subnet.

Sn

The subnet to convert.

Returns

The sn string as a subnet, or the unspecified subnet ::/0 if the input string does not parse correctly.

See also:

type_aliases
Type

function (x: any) : string_set

Returns all type name aliases of a value or type.

X

An arbitrary value or type.

Returns

The set of all type name aliases of x (or the type of x if it’s a value instead of a type). For primitive values and types like string or count, this returns an empty set. For types with user-defined names like record or enum, the returned set contains the original user-defined name for the type along with all aliases. For other compound types, like table, the returned set is empty unless explicitly requesting aliases for a user-defined type alias or a value that was explicitly created using a type alias (as opposed to originating from an “anonymous” constructor or initializer for that compound type).

type_name
Type

function (t: any) : string

Returns the type name of an arbitrary Zeek variable.

T

An arbitrary object.

Returns

The type name of t.

uninstall_dst_addr_filter
Type

function (ip: addr) : bool

Removes a destination address filter.

Ip

The IP address for which a destination filter was previously installed.

Returns

True on success.

See also:

uninstall_dst_net_filter
Type

function (snet: subnet) : bool

Removes a destination subnet filter.

Snet

The subnet for which a destination filter was previously installed.

Returns

True on success.

See also:

uninstall_src_addr_filter
Type

function (ip: addr) : bool

Removes a source address filter.

Ip

The IP address for which a source filter was previously installed.

Returns

True on success.

See also:

uninstall_src_net_filter
Type

function (snet: subnet) : bool

Removes a source subnet filter.

Snet

The subnet for which a source filter was previously installed.

Returns

True on success.

See also:

unique_id
Type

function (prefix: string) : string

Creates an identifier that is unique with high probability.

Prefix

A custom string prepended to the result.

Returns

A string identifier that is unique.

See also:

unique_id_from
Type

function (pool: int, prefix: string) : string

Creates an identifier that is unique with high probability.

Pool

A seed for determinism.

Prefix

A custom string prepended to the result.

Returns

A string identifier that is unique.

See also:

Type

function (f: string) : bool

Removes a file from a directory.

F

the file to delete.

Returns

True if the operation succeeds and the file was deleted, and false if the deletion fails.

See also:

uuid_to_string
Type

function (uuid: string) : string

Converts a bytes representation of a UUID into its string form. For example, given a string of 16 bytes, it produces an output string in this format: 550e8400-e29b-41d4-a716-446655440000. See http://en.wikipedia.org/wiki/Universally_unique_identifier.

Uuid

The 16 bytes of the UUID.

Returns

The string representation of uuid.

val_footprint
Type

function (v: any) : count

Computes a value’s “footprint”: the number of objects the value contains either directly or indirectly. The number is not meant to be precise, but rather comparable: larger footprint correlates with more memory consumption.

Returns

the footprint.

See also:

val_size
Type

function (v: any) : count

Attributes

&deprecated = “Remove in v5.1. MemoryAllocation() is deprecated and will be removed.”

Returns the number of bytes that a value occupies in memory.

V

The value

Returns

The number of bytes that v occupies.

write_file
Type

function (f: file, data: string) : bool

Writes data to an open file.

F

A file handle to an open file.

Data

The data to write to f.

Returns

True on success.

See also:

zeek_args
Type

function () : string_vec

Returns

list of command-line arguments (argv) used to run Zeek.

zeek_is_terminating
Type

function () : bool

Checks if Zeek is terminating.

Returns

True if Zeek is in the process of shutting down.

See also:

zeek_version
Type

function () : string

Returns the Zeek version string.

Returns

Zeek’s version, e.g., 2.0-beta-47-debug.

base/bif/stats.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Functions

get_broker_stats: function

Returns statistics about Broker communication.

get_conn_stats: function

Returns Zeek traffic statistics.

get_dns_stats: function

Returns statistics about DNS lookup activity.

get_event_stats: function

Returns statistics about the event engine.

get_file_analysis_stats: function

Returns statistics about file analysis.

get_gap_stats: function

Returns statistics about TCP gaps.

get_matcher_stats: function

Returns statistics about the regular expression engine.

get_net_stats: function

Returns packet capture statistics.

get_proc_stats: function

Returns Zeek process statistics.

get_reassembler_stats: function

Returns statistics about reassembler usage.

get_reporter_stats: function

Returns statistics about reporter messages and weirds.

get_thread_stats: function

Returns statistics about thread usage.

get_timer_stats: function

Returns statistics about timer usage.

Detailed Interface
Functions
get_broker_stats
Type

function () : BrokerStats

Returns statistics about Broker communication.

Returns

A record with Broker statistics.

See also:

get_conn_stats
Type

function () : ConnStats

Returns Zeek traffic statistics.

Returns

A record with connection and packet statistics.

See also:

get_dns_stats
Type

function () : DNSStats

Returns statistics about DNS lookup activity.

Returns

A record with DNS lookup statistics.

See also:

get_event_stats
Type

function () : EventStats

Returns statistics about the event engine.

Returns

A record with event engine statistics.

See also:

get_file_analysis_stats
Type

function () : FileAnalysisStats

Returns statistics about file analysis.

Returns

A record with file analysis statistics.

See also:

get_gap_stats
Type

function () : GapStats

Returns statistics about TCP gaps.

Returns

A record with TCP gap statistics.

See also:

get_matcher_stats
Type

function () : MatcherStats

Returns statistics about the regular expression engine. Statistics include the number of distinct matchers, DFA states, DFA state transitions, memory usage of DFA states, cache hits/misses, and average number of NFA states across all matchers.

Returns

A record with matcher statistics.

See also:

get_net_stats
Type

function () : NetStats

Returns packet capture statistics. Statistics include the number of packets (i) received by Zeek, (ii) dropped, and (iii) seen on the link (not always available).

Returns

A record of packet statistics.

See also:

get_proc_stats
Type

function () : ProcStats

Returns Zeek process statistics.

Returns

A record with process statistics.

See also:

get_reassembler_stats
Type

function () : ReassemblerStats

Returns statistics about reassembler usage.

Returns

A record with reassembler statistics.

See also:

get_reporter_stats
Type

function () : ReporterStats

Returns statistics about reporter messages and weirds.

Returns

A record with reporter statistics.

See also:

get_thread_stats
Type

function () : ThreadStats

Returns statistics about thread usage.

Returns

A record with thread usage statistics.

See also:

get_timer_stats
Type

function () : TimerStats

Returns statistics about timer usage.

Returns

A record with timer usage statistics.

See also:

base/bif/reporter.bif.zeek

GLOBAL
Reporter

The reporter built-in functions allow for the scripting layer to generate messages of varying severity. If no event handlers exist for reporter messages, the messages are output to stderr. If event handlers do exist, it’s assumed they take care of determining how/where to output the messages.

See base/frameworks/reporter/main.zeek for a convenient reporter message logging framework.

Namespaces

GLOBAL, Reporter

Summary
Functions

Reporter::conn_weird: function

Generates a “conn” weird.

Reporter::error: function

Generates a non-fatal error indicative of a definite problem that should be addressed.

Reporter::fatal: function

Generates a fatal error on stderr and terminates program execution.

Reporter::fatal_error_with_core: function

Generates a fatal error on stderr and terminates program execution after dumping a core file.

Reporter::file_weird: function

Generates a “file” weird.

Reporter::flow_weird: function

Generates a “flow” weird.

Reporter::get_weird_sampling_duration: function

Gets the current weird sampling duration.

Reporter::get_weird_sampling_global_list: function

Gets the weird sampling global list.

Reporter::get_weird_sampling_rate: function

Gets the current weird sampling rate.

Reporter::get_weird_sampling_threshold: function

Gets the current weird sampling threshold.

Reporter::get_weird_sampling_whitelist: function

Gets the weird sampling whitelist.

Reporter::info: function

Generates an informational message.

Reporter::net_weird: function

Generates a “net” weird.

Reporter::set_weird_sampling_duration: function

Sets the current weird sampling duration.

Reporter::set_weird_sampling_global_list: function

Sets the weird sampling global list.

Reporter::set_weird_sampling_rate: function

Sets the weird sampling rate.

Reporter::set_weird_sampling_threshold: function

Sets the current weird sampling threshold.

Reporter::set_weird_sampling_whitelist: function

Sets the weird sampling whitelist.

Reporter::warning: function

Generates a message that warns of a potential problem.

Detailed Interface
Functions
Reporter::conn_weird
Type

function (name: string, c: connection, addl: string &default = "" &optional, source: string &default = "" &optional) : bool

Generates a “conn” weird.

Name

the name of the weird.

C

the connection associated with the weird.

Addl

additional information to accompany the weird.

Returns

Always true.

Reporter::error
Type

function (msg: string) : bool

Generates a non-fatal error indicative of a definite problem that should be addressed. Program execution does not terminate.

Msg

The error message to report.

Returns

Always true.

See also:

Reporter::fatal
Type

function (msg: string) : bool

Generates a fatal error on stderr and terminates program execution.

Msg

The error message to report.

Returns

Always true.

Reporter::fatal_error_with_core
Type

function (msg: string) : bool

Generates a fatal error on stderr and terminates program execution after dumping a core file.

Msg

The error message to report.

Returns

Always true.

Reporter::file_weird
Type

function (name: string, f: fa_file, addl: string &default = "" &optional, source: string &default = "" &optional) : bool

Generates a “file” weird.

Name

the name of the weird.

F

the file associated with the weird.

Addl

additional information to accompany the weird.

Returns

true if the file was still valid, else false.

Reporter::flow_weird
Type

function (name: string, orig: addr, resp: addr, addl: string &default = "" &optional, source: string &default = "" &optional) : bool

Generates a “flow” weird.

Name

the name of the weird.

Orig

the originator host associated with the weird.

Resp

the responder host associated with the weird.

Returns

Always true.

Reporter::get_weird_sampling_duration
Type

function () : interval

Gets the current weird sampling duration.

Returns

weird sampling duration.

Reporter::get_weird_sampling_global_list
Type

function () : string_set

Gets the weird sampling global list.

Returns

The current weird sampling global list.

Reporter::get_weird_sampling_rate
Type

function () : count

Gets the current weird sampling rate.

Returns

weird sampling rate.

Reporter::get_weird_sampling_threshold
Type

function () : count

Gets the current weird sampling threshold.

Returns

current weird sampling threshold.

Reporter::get_weird_sampling_whitelist
Type

function () : string_set

Gets the weird sampling whitelist.

Returns

The current weird sampling whitelist.

Reporter::info
Type

function (msg: string) : bool

Generates an informational message.

Msg

The informational message to report.

Returns

Always true.

See also:

Reporter::net_weird
Type

function (name: string, addl: string &default = "" &optional, source: string &default = "" &optional) : bool

Generates a “net” weird.

Name

the name of the weird.

Returns

Always true.

Reporter::set_weird_sampling_duration
Type

function (weird_sampling_duration: interval) : bool

Sets the current weird sampling duration. Please note that this will not delete already running timers.

Weird_sampling_duration

New weird sampling duration.

Returns

Always true.

Reporter::set_weird_sampling_global_list
Type

function (weird_sampling_global_list: string_set) : bool

Sets the weird sampling global list.

Weird_sampling_global_list

New weird sampling global list.

Returns

Always true.

Reporter::set_weird_sampling_rate
Type

function (weird_sampling_rate: count) : bool

Sets the weird sampling rate.

Weird_sampling_rate

New weird sampling rate.

Returns

Always returns true.

Reporter::set_weird_sampling_threshold
Type

function (weird_sampling_threshold: count) : bool

Sets the current weird sampling threshold.

Weird_sampling_threshold

New weird sampling threshold.

Returns

Always true.

Reporter::set_weird_sampling_whitelist
Type

function (weird_sampling_whitelist: string_set) : bool

Sets the weird sampling whitelist.

Weird_sampling_whitelist

New weird sampling whitelist.

Returns

Always true.

Reporter::warning
Type

function (msg: string) : bool

Generates a message that warns of a potential problem.

Msg

The warning message to report.

Returns

Always true.

See also:

base/bif/strings.bif.zeek

GLOBAL

Definitions of built-in functions related to string processing and manipulation.

Namespace

GLOBAL

Summary
Functions

clean: function

Replaces non-printable characters in a string with escaped sequences.

count_substr: function

Returns the number of times a substring occurs within a string.

edit: function

Returns an edited version of a string that applies a special “backspace character” (usually \x08 for backspace or \x7f for DEL).

ends_with: function

Returns whether a string ends with a substring.

escape_string: function

Replaces non-printable characters in a string with escaped sequences.

find_all: function

Finds all occurrences of a pattern in a string.

find_all_ordered: function

Finds all occurrences of a pattern in a string.

find_last: function

Finds the last occurrence of a pattern in a string.

find_str: function

Finds a string within another string, starting from the beginning.

gsub: function

Substitutes a given replacement string for all occurrences of a pattern in a given string.

hexdump: function

Returns a hex dump for given input data.

is_alnum: function

Returns whether a string consists entirely of alphanumeric characters.

is_alpha: function

Returns whether a string consists entirely of alphabetic characters.

is_ascii: function

Determines whether a given string contains only ASCII characters.

is_num: function

Returns whether a string consists entirely of digits.

join_string_vec: function

Joins all values in the given vector of strings with a separator placed between each element.

levenshtein_distance: function

Calculates the Levenshtein distance between the two strings.

ljust: function

Returns a left-justified version of the string, padded to a specific length with a specified character.

lstrip: function

Removes all combinations of characters in the chars argument starting at the beginning of the string until first mismatch.

remove_prefix: function

Similar to lstrip(), except does the removal repeatedly if the pattern repeats at the start of the string.

remove_suffix: function

Similar to rstrip(), except does the removal repeatedly if the pattern repeats at the end of the string.

reverse: function

Returns a reversed copy of the string.

rfind_str: function

The same as find_str, but returns the highest index matching the substring instead of the smallest.

rjust: function

Returns a right-justified version of the string, padded to a specific length with a specified character.

rstrip: function

Removes all combinations of characters in the chars argument starting at the end of the string until first mismatch.

safe_shell_quote: function

Takes a string and escapes characters that would allow execution of commands at the shell level.

split_string: function

Splits a string into an array of strings according to a pattern.

split_string1: function

Splits a string once into a two-element array of strings according to a pattern.

split_string_all: function

Splits a string into an array of strings according to a pattern.

split_string_n: function

Splits a string a given number of times into an array of strings according to a pattern.

starts_with: function

Returns whether a string starts with a substring.

str_smith_waterman: function

Uses the Smith-Waterman algorithm to find similar/overlapping substrings.

str_split_indices: function

Splits a string into substrings with the help of an index vector of cutting points.

strcmp: function

Lexicographically compares two strings.

string_cat: function

Concatenates all arguments into a single string.

string_fill: function

Generates a string of a given size and fills it with repetitions of a source string.

string_to_ascii_hex: function

Returns an ASCII hexadecimal representation of a string.

strip: function

Strips whitespace at both ends of a string.

strstr: function

Locates the first occurrence of one string in another.

sub: function

Substitutes a given replacement string for the first occurrence of a pattern in a given string.

sub_bytes: function

Get a substring from a string, given a starting position and length.

subst_string: function

Substitutes each (non-overlapping) appearance of a string in another.

swap_case: function

Swaps the case of every alphabetic character in a string.

to_lower: function

Replaces all uppercase letters in a string with their lowercase counterpart.

to_string_literal: function

Replaces non-printable characters in a string with escaped sequences.

to_title: function

Converts a string to Title Case.

to_upper: function

Replaces all lowercase letters in a string with their uppercase counterpart.

zfill: function

Returns a copy of a string filled on the left side with zeroes.

Detailed Interface
Functions
clean
Type

function (str: string) : string

Replaces non-printable characters in a string with escaped sequences. The mappings are:

  • values not in [32, 126] to \xXX

If the string does not yet have a trailing NUL, one is added internally.

In contrast to escape_string, this encoding is not fully reversible.

Str

The string to escape.

Returns

The escaped string.

count_substr
Type

function (str: string, sub: string) : count

Returns the number of times a substring occurs within a string.

Str

The string to search in.

Substr

The string to search for.

Returns

The number of times the substring occurred.

edit
Type

function (arg_s: string, arg_edit_char: string) : string

Returns an edited version of a string that applies a special “backspace character” (usually \x08 for backspace or \x7f for DEL). For example, edit("hello there", "e") returns "llo t".

Arg_s

The string to edit.

Arg_edit_char

A string of exactly one character that represents the “backspace character”. If it is longer than one character Zeek generates a run-time error and uses the first character in the string.

Returns

An edited version of arg_s where arg_edit_char triggers the deletion of the last character.

ends_with
Type

function (str: string, sub: string) : bool

Returns whether a string ends with a substring.

escape_string
Type

function (s: string) : string

Replaces non-printable characters in a string with escaped sequences. The mappings are:

  • values not in [32, 126] to \xXX

  • \ to \\

In contrast to clean, this encoding is fully reversible.

Str

The string to escape.

Returns

The escaped string.

find_all
Type

function (str: string, re: pattern, max_str_size: int &default = -1 &optional) : string_set

Finds all occurrences of a pattern in a string.

Str

The string to inspect.

Re

The pattern to look for in str.

Max_str_size

The maximum string size allowed as input. If set to -1, this will use the max_find_all_string_length global constant. If set to 0, this check is disabled. If the length of str is greater than this size, an empty set is returned.

Returns

The set of strings in str that match re, or the empty set.

find_all_ordered
Type

function (str: string, re: pattern, max_str_size: int &default = -1 &optional) : string_vec

Finds all occurrences of a pattern in a string. The order in which occurrences are found is preserved and the return value may contain duplicate elements.

Str

The string to inspect.

Re

The pattern to look for in str.

Max_str_size

The maximum string size allowed as input. If set to -1, this will use the max_find_all_string_length global constant. If set to 0, this check is disabled. If the length of str is greater than this size, an empty vector is returned.

Returns

All strings in str that match re, or an empty vector.

find_last
Type

function (str: string, re: pattern) : string

Finds the last occurrence of a pattern in a string. This function returns the match that starts at the largest index in the string, which is not necessarily the longest match. For example, a pattern of /.*/ will return the final character in the string.

Str

The string to inspect.

Re

The pattern to look for in str.

Returns

The last string in str that matches re, or the empty string.

find_str
Type

function (str: string, sub: string, start: count &default = 0 &optional, end: int &default = -1 &optional, case_sensitive: bool &default = T &optional) : int

Finds a string within another string, starting from the beginning. This works by taking a substring within the provided indexes and searching for the sub argument. This means that ranges shorter than the string in the sub argument will always return a failure.

Str

The string to search in.

Substr

The string to search for.

Start

An optional position for the start of the substring.

End

An optional position for the end of the substring. A value less than zero (such as the default -1) means a search until the end of the string.

Case_sensitive

Set to false to perform a case-insensitive search (default: T). Note that case-insensitive searches use the tolower libc function, which is locale-sensitive.

Returns

The position of the substring. Returns -1 if the string wasn’t found. Prints an error if the starting position is after the ending position.

gsub
Type

function (str: string, re: pattern, repl: string) : string

Substitutes a given replacement string for all occurrences of a pattern in a given string.

Str

The string to perform the substitution in.

Re

The pattern being replaced with repl.

Repl

The string that replaces re.

Returns

A copy of str with all occurrences of re replaced with repl.

hexdump
Type

function (data_str: string) : string

Returns a hex dump for given input data. The hex dump renders 16 bytes per line, with hex on the left and ASCII (where printable) on the right.

Data_str

The string to dump in hex format.

Returns

The hex dump of the given string.

Note

Based on Netdude’s hex editor code.

is_alnum
Type

function (str: string) : bool

Returns whether a string consists entirely of alphanumeric characters. The empty string is not alphanumeric.

is_alpha
Type

function (str: string) : bool

Returns whether a string consists entirely of alphabetic characters. The empty string is not alphabetic.

is_ascii
Type

function (str: string) : bool

Determines whether a given string contains only ASCII characters. The empty string is ASCII.

Str

The string to examine.

Returns

False if any byte value of str is greater than 127, and true otherwise.

is_num
Type

function (str: string) : bool

Returns whether a string consists entirely of digits. The empty string is not numeric.

join_string_vec
Type

function (vec: string_vec, sep: string) : string

Joins all values in the given vector of strings with a separator placed between each element.

Sep

The separator to place between each element.

Vec

The string_vec (vector of string).

Returns

The concatenation of all elements in vec, with sep placed between each element.

levenshtein_distance
Type

function (s1: string, s2: string) : count

Calculates the Levenshtein distance between the two strings. See Wikipedia for more information.

S1

The first string.

S2

The second string.

Returns

The Levenshtein distance of two strings as a count.

ljust
Type

function (str: string, width: count, fill: string &default = " " &optional) : string

Returns a left-justified version of the string, padded to a specific length with a specified character.

Str

The string to left-justify.

Count

The length of the returned string. If this value is less than or equal to the length of str, a copy of str is returned.

Fill

The character used to fill in any extra characters in the resulting string. If a string longer than one character is passed, an error is reported. This defaults to the space character.

Returns

A left-justified version of a string, padded with characters to a specific length.

lstrip
Type

function (str: string, chars: string &default = " \x09\x0a\x0d\x0b\x0c" &optional) : string

Removes all combinations of characters in the chars argument starting at the beginning of the string until first mismatch.

Str

The string to strip characters from.

Chars

A string consisting of the characters to be removed. Defaults to all whitespace characters.

Returns

A copy of str with the characters in chars removed from the beginning.

remove_prefix
Type

function (str: string, sub: string) : string

Similar to lstrip(), except does the removal repeatedly if the pattern repeats at the start of the string.

remove_suffix
Type

function (str: string, sub: string) : string

Similar to rstrip(), except does the removal repeatedly if the pattern repeats at the end of the string.

reverse
Type

function (str: string) : string

Returns a reversed copy of the string.

Str

The string to reverse.

Returns

A reversed copy of str.

rfind_str
Type

function (str: string, sub: string, start: count &default = 0 &optional, end: int &default = -1 &optional, case_sensitive: bool &default = T &optional) : int

The same as find_str, but returns the highest index matching the substring instead of the smallest.

Str

The string to search in.

Substr

The string to search for.

Start

An optional position for the start of the substring.

End

An optional position for the end of the substring. A value less than zero (such as the default -1) means a search from the end of the string.

Case_sensitive

Set to false to perform a case-insensitive search (default: T). Note that case-insensitive searches use the tolower libc function, which is locale-sensitive.

Returns

The position of the substring. Returns -1 if the string wasn’t found. Prints an error if the starting position is after the ending position.

rjust
Type

function (str: string, width: count, fill: string &default = " " &optional) : string

Returns a right-justified version of the string, padded to a specific length with a specified character.

Str

The string to right-justify.

Count

The length of the returned string. If this value is less than or equal to the length of str, a copy of str is returned.

Fill

The character used to fill in any extra characters in the resulting string. If a string longer than one character is passed, an error is reported. This defaults to the space character.

Returns

A right-justified version of a string, padded with characters to a specific length.

rstrip
Type

function (str: string, chars: string &default = " \x09\x0a\x0d\x0b\x0c" &optional) : string

Removes all combinations of characters in the chars argument starting at the end of the string until first mismatch.

Str

The string to strip characters from.

Chars

A string consisting of the characters to be removed. Defaults to all whitespace characters.

Returns

A copy of str with the characters in chars removed from the end.

safe_shell_quote
Type

function (source: string) : string

Takes a string and escapes characters that would allow execution of commands at the shell level. Must be used before including strings in system or similar calls.

Source

The string to escape.

Returns

A shell-escaped version of source. Specifically, this backslash-escapes characters whose literal value is not otherwise preserved by enclosure in double-quotes (dollar-sign, backquote, backslash, and double-quote itself), and then encloses that backslash-escaped string in double-quotes to ultimately preserve the literal value of all input characters.
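
As an added example (not from the Zeek documentation or the project's own scripts), the script below builds an external command from a file name that could have been taken off the wire and quotes every untrusted piece with safe_shell_quote before passing the command to Zeek's system() BIF. The helper path /usr/local/bin/archive-file, the report directory and the sample file name are assumptions constructed for this example.

```zeek
# Added example; the helper program, directory and sample input are assumptions.
const report_dir = "/var/tmp/zeek-reports";

# Constructed file name containing exactly the characters the documentation
# lists as dangerous inside double quotes: $, backquote, backslash and ".
const untrusted_name = "report-$(date) `hostname` \\ \"final\".txt";

function build_archive_cmd(name: string): string
	{
	# safe_shell_quote backslash-escapes $ ` \ " and wraps the result in
	# double quotes, so the shell receives the literal file name only.
	local quoted_name = safe_shell_quote(name);
	local quoted_dir = safe_shell_quote(report_dir);
	return fmt("/usr/local/bin/archive-file %s %s", quoted_dir, quoted_name);
	}

event zeek_init()
	{
	local cmd = build_archive_cmd(untrusted_name);
	# Inspect the exact command line that would reach the shell.
	print cmd;

	# system() returns the command's exit status; the command substitutions
	# in untrusted_name are never evaluated because they are quoted.
	local rc = system(cmd);
	print fmt("exit status: %d", rc);
	}
```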

split_string
Type

function (str: string, re: pattern) : string_vec

Splits a string into an array of strings according to a pattern.

Str

The string to split.

Re

The pattern describing the element separator in str.

Returns

An array of strings where each element corresponds to a substring in str separated by re.

split_string1
Type

function (str: string, re: pattern) : string_vec

Splits a string once into a two-element array of strings according to a pattern. This function is the same as split_string, but str is only split once (if possible) at the earliest position and an array of two strings is returned.

Str

The string to split.

Re

The pattern describing the separator to split str in two pieces.

Returns

An array of strings with two elements in which the first represents the substring in str up to the first occurrence of re, and the second everything after re. An array of one string is returned when str cannot be split.

split_string_all
Type

function (str: string, re: pattern) : string_vec

Splits a string into an array of strings according to a pattern. This function is the same as split_string, except that the separators are returned as well. For example, split_string_all("a-b--cd", /(\-)+/) returns {"a", "-", "b", "--", "cd"}: odd-indexed elements do match the pattern and even-indexed ones do not.

Str

The string to split.

Re

The pattern describing the element separator in str.

Returns

An array of strings where each two successive elements correspond to a substring in str of the part not matching re (even-indexed) and the part that matches re (odd-indexed).

split_string_n
Type

function (str: string, re: pattern, incl_sep: bool, max_num_sep: count) : string_vec

Splits a string a given number of times into an array of strings according to a pattern. This function is similar to split_string1 and split_string_all, but with customizable behavior with respect to including separators in the result and the number of times to split.

Str

The string to split.

Re

The pattern describing the element separator in str.

Incl_sep

A flag indicating whether to include the separator matches in the result (as in split_string_all).

Max_num_sep

The number of times to split str.

Returns

An array of strings where, if incl_sep is true, each two successive elements correspond to a substring in str of the part not matching re (even-indexed) and the part that matches re (odd-indexed).
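
As an added example (not from the Zeek documentation) covering split_string1, split_string_all and split_string_n together, the function below parses a constructed HTTP-style Content-Type header value, relying on the even/odd indexing described above when separators are included in the result. The header line and the function name are assumptions for this example.

```zeek
# Added example; the header line is a constructed input.
const header = "Content-Type: text/html; charset=UTF-8; boundary=\"a-b\"";

function parse_header(line: string): table[string] of string
	{
	local result: table[string] of string;

	# Split only once at the first ":" so any ":" inside the value survives.
	local kv = split_string1(line, /:[ \t]*/);
	if ( |kv| != 2 )
		return result;   # no separator: one-element vector, nothing to parse
	result["name"] = to_lower(kv[0]);

	# Split the value on ";" at most twice and keep the separators: even
	# indices are the fields, odd indices are the matched separators.
	local parts = split_string_n(kv[1], /[ \t]*;[ \t]*/, T, 2);
	result["media-type"] = parts[0];

	local i = 2;
	while ( i < |parts| )
		{
		local param = split_string1(parts[i], /=/);
		if ( |param| == 2 )
			result[to_lower(param[0])] = param[1];
		i += 2;   # skip the separator element that follows each field
		}
	return result;
	}

event zeek_init()
	{
	local fields = parse_header(header);
	for ( k, v in fields )
		print fmt("%s => %s", k, v);
	}
```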

starts_with
Type

function (str: string, sub: string) : bool

Returns whether a string starts with a substring.

str_smith_waterman
Type

function (s1: string, s2: string, params: sw_params) : sw_substring_vec

Uses the Smith-Waterman algorithm to find similar/overlapping substrings. See Wikipedia.

S1

The first string.

S2

The second string.

Params

Parameters for the Smith-Waterman algorithm.

Returns

The result of the Smith-Waterman algorithm calculation.

str_split_indices
Type

function (s: string, idx: index_vec) : string_vec

Splits a string into substrings with the help of an index vector of cutting points.

S

The string to split.

Idx

The index vector (vector of count) with the cutting points.

Returns

A zero-indexed vector of strings.

strcmp
Type

function (s1: string, s2: string) : int

Lexicographically compares two strings.

S1

The first string.

S2

The second string.

Returns

An integer greater than, equal to, or less than 0 according as s1 is greater than, equal to, or less than s2.

string_cat
Type

function (…) : string

Concatenates all arguments into a single string. The function takes a variable number of arguments of type string and stitches them together.

Returns

The concatenation of all (string) arguments.

string_fill
Type

function (len: int, source: string) : string

Generates a string of a given size and fills it with repetitions of a source string.

Len

The length of the output string.

Source

The string to concatenate repeatedly until len has been reached.

Returns

A string of length len filled with source.

string_to_ascii_hex
Type

function (s: string) : string

Returns an ASCII hexadecimal representation of a string.

S

The string to convert to hex.

Returns

A copy of s where each byte is replaced with the corresponding hex nibble.

strip
Type

function (str: string) : string

Strips whitespace at both ends of a string.

Str

The string to strip the whitespace from.

Returns

A copy of str with leading and trailing whitespace removed.

strstr
Type

function (big: string, little: string) : count

Locates the first occurrence of one string in another.

Big

The string to look in.

Little

The (smaller) string to find inside big.

Returns

The location of little in big, or 0 if little is not found in big.

sub
Type

function (str: string, re: pattern, repl: string) : string

Substitutes a given replacement string for the first occurrence of a pattern in a given string.

Str

The string to perform the substitution in.

Re

The pattern being replaced with repl.

Repl

The string that replaces re.

Returns

A copy of str with the first occurrence of re replaced with repl.

sub_bytes
Type

function (s: string, start: count, n: int) : string

Get a substring from a string, given a starting position and length.

S

The string to obtain a substring from.

Start

The starting position of the substring in s, where 1 is the first character. As a special case, 0 also represents the first character.

N

The number of characters to extract, beginning at start.

Returns

A substring of s of length n from position start.

subst_string
Type

function (s: string, from: string, to: string) : string

Substitutes each (non-overlapping) appearance of a string in another.

S

The string in which to perform the substitution.

From

The string to look for which is replaced with to.

To

The string that replaces all occurrences of from in s.

Returns

A copy of s where each occurrence of from is replaced with to.

swap_case
Type

function (str: string) : string

Swaps the case of every alphabetic character in a string. For example, the string “aBc” would be returned as “AbC”.

Str

The string to swap cases in.

Returns

A copy of the str with the case of each character swapped.

to_lower
Type

function (str: string) : string

Replaces all uppercase letters in a string with their lowercase counterpart.

Str

The string to convert to lowercase letters.

Returns

A copy of the given string with the uppercase letters (as indicated by isascii and isupper) folded to lowercase (via tolower).

to_string_literal
Type

function (str: string) : string

Replaces non-printable characters in a string with escaped sequences. The mappings are:

  • values not in [32, 126] to \xXX

  • \ to \\

  • ' and " to \' and \", respectively.

Str

The string to escape.

Returns

The escaped string.

to_title
Type

function (str: string) : string

Converts a string to Title Case. This changes the first character of each sequence of non-space characters in the string to be capitalized. See https://docs.python.org/3/library/stdtypes.html#str.title for more info.

Str

The string to convert.

Returns

A title-cased version of the string.

to_upper
Type

function (str: string) : string

Replaces all lowercase letters in a string with their uppercase counterpart.

Str

The string to convert to uppercase letters.

Returns

A copy of the given string with the lowercase letters (as indicated by isascii and islower) folded to uppercase (via toupper).

zfill
Type

function (str: string, width: count) : string

Returns a copy of a string filled on the left side with zeroes. This is effectively rjust(str, width, “0”).

base/bif/option.bif.zeek

GLOBAL
Option

Definitions of built-in functions that allow the scripting layer to change the value of options and to be notified when option values change.

Namespaces

GLOBAL, Option

Summary
Functions

Option::any_set_to_any_vec: function

Helper function that converts a set (of arbitrary index type) to a “vector of any”.

Option::set: function

Set an option to a new value.

Option::set_change_handler: function

Set a change handler for an option.

Detailed Interface
Functions
Option::any_set_to_any_vec
Type

function (v: any) : any_vec

Helper function that converts a set (of arbitrary index type) to a “vector of any”.

V

an “any” type corresponding to a set.

Returns

a vector-of-any with one element for each member of v.

Option::set
Type

function (ID: string, val: any, location: string &default = "" &optional) : bool

Set an option to a new value. This change will also cause the option change handlers to be called.

ID

The ID of the option to update.

Val

The new value of the option.

Location

Optional parameter detailing where this change originated.

Returns

true on success, false when an error occurred.

Note

Option::set only works on one node and does not distribute new values across a cluster. The higher-level Config::set_value supports clusterization and should typically be used instead of this lower-level function.

Option::set_change_handler
Type

function (ID: string, on_change: any, priority: int &default = 0 &optional) : bool

Set a change handler for an option. The change handler will be called anytime Option::set is called for the option.

ID

The ID of the option for which change notifications are desired.

On_change

The function that will be called when a change occurs. The function can choose to receive two or three parameters: the first parameter is a string containing ID, the second parameter is the new option value. The third, optional, parameter is the location string as passed to Option::set. Note that the global value is not yet changed when the function is called. The passed function has to return the new value that it wants the option to be set to. This enables it to reject changes, or change values that are being set. When several change handlers are set for an option they are chained; the second change handler will see the return value of the first change handler as the “new value”.

Priority

The priority of the function that was added; functions with higher priority are called first, functions with the same priority are called in the order in which they were added.

Returns

true when the change handler was set, false when an error occurred.
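
As an added example (not from the Zeek documentation), the script below registers two chained change handlers on an option: a high-priority validator that rejects out-of-range values by returning the current value, and a low-priority observer that only sees whatever the validator returned. The module name Demo, the option max_extractions and both handler names are assumptions for this example.

```zeek
# Added example; module, option and handler names are assumptions.
module Demo;

export {
	# Maximum number of file extractions per connection; 0 is never valid.
	option max_extractions: count = 10;
}

# Three-parameter form: receives the location string passed to Option::set.
function check_max_extractions(ID: string, new_value: count, location: string): count
	{
	# The global is not yet changed when a handler runs, so the current
	# value is still available as the fallback to return on rejection.
	if ( new_value == 0 || new_value > 1000 )
		{
		Reporter::warning(fmt("%s: rejecting %d from '%s', keeping %d",
		                      ID, new_value, location, max_extractions));
		return max_extractions;
		}
	return new_value;
	}

# Two-parameter form; runs after the validator because of its lower priority
# and therefore sees the validator's return value as the "new value".
function log_max_extractions(ID: string, new_value: count): count
	{
	print fmt("%s is now %d", ID, new_value);
	return new_value;
	}

event zeek_init()
	{
	Option::set_change_handler("Demo::max_extractions", check_max_extractions, 10);
	Option::set_change_handler("Demo::max_extractions", log_max_extractions, 0);

	Option::set("Demo::max_extractions", 0, "zeek_init");   # rejected, stays 10
	Option::set("Demo::max_extractions", 50, "zeek_init");  # accepted
	print fmt("final value: %d", max_extractions);
	}
```

On a cluster, Config::set_value (as the note above says) would replace the direct Option::set calls; the handlers stay the same.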

base/frameworks/supervisor/api.zeek

Supervisor

The Zeek process supervision API. This API was introduced in Zeek 3.1.0 and considered unstable until 4.0.0. That is, it may change in various incompatible ways without warning or deprecation until the stable 4.0.0 release.

Namespace

Supervisor

Summary
Types

Supervisor::ClusterEndpoint: record

Describes configuration of a supervised-node within Zeek’s Cluster Framework.

Supervisor::ClusterRole: enum

The role a supervised-node will play in Zeek’s Cluster Framework.

Supervisor::NodeConfig: record

Configuration options that influence behavior of a supervised Zeek node.

Supervisor::NodeStatus: record

The current status of a supervised node.

Supervisor::Status: record

The current status of a set of supervised nodes.

Events

Supervisor::node_status: event

A notification event the Supervisor generates when it receives a status message update from the stem, indicating a node has (re-)started.

Hooks

Supervisor::stderr_hook: hook

Hooks into the stderr stream for all supervisor’s child processes.

Supervisor::stdout_hook: hook

Hooks into the stdout stream for all supervisor’s child processes.

Functions

Supervisor::create: function

Create a new supervised node process.

Supervisor::destroy: function

Destroy and remove a supervised node process.

Supervisor::is_supervised: function

Returns: true if this is a supervised node process.

Supervisor::is_supervisor: function

Returns: true if this is the Supervisor process.

Supervisor::node: function

Returns: the node configuration if this is a supervised node.

Supervisor::restart: function

Restart a supervised node process by destroying (killing) and re-creating it.

Supervisor::status: function

Retrieve current status of a supervised node process.

Detailed Interface
Types
Supervisor::ClusterEndpoint
Type

record

role: Supervisor::ClusterRole

The role a supervised-node will play in Zeek’s Cluster Framework.

host: addr

The host/IP at which the cluster node runs.

p: port

The TCP port at which the cluster node listens for connections.

interface: string &optional

The interface name from which the node will read/analyze packets. Typically used by worker nodes.

Describes configuration of a supervised-node within Zeek’s Cluster Framework.

Supervisor::ClusterRole
Type

enum

Supervisor::NONE
Supervisor::LOGGER
Supervisor::MANAGER
Supervisor::PROXY
Supervisor::WORKER

The role a supervised-node will play in Zeek’s Cluster Framework.

Supervisor::NodeConfig
Type

record

name: string

The name of the supervised node. These are unique within a given supervised process tree and typically human-readable.

interface: string &optional

The interface name from which the node will read/analyze packets.

directory: string &optional

The working directory that the node should use.

stdout_file: string &optional

The filename/path to which the node’s stdout will be redirected.

stderr_file: string &optional

The filename/path to which the node’s stderr will be redirected.

bare_mode: bool &optional

Whether to start the node in bare mode. When left out, the node inherits the bare-mode status the supervisor itself runs with.

scripts: vector of string &default = [] &optional

Additional script filenames/paths that the node should load.

env: table [string] of string &default = {  } &optional

Environment variables to define in the supervised node.

cpu_affinity: int &optional

A cpu/core number to which the node will try to pin itself.

cluster: table [string] of Supervisor::ClusterEndpoint &default = {  } &optional

The Cluster Layout definition. Each node in the Cluster Framework knows about the full, static cluster topology to which it belongs. Entries use node names for keys. The Supervisor framework will automatically translate this table into the right Cluster Framework configuration when spawning supervised-nodes. E.g. it will populate both the CLUSTER_NODE environment variable and the Cluster::nodes table.

Configuration options that influence behavior of a supervised Zeek node.

Supervisor::NodeStatus
Type

record

node: Supervisor::NodeConfig

The desired node configuration.

pid: int &optional

The current or last known process ID of the node. This may not be initialized if the process has not yet started.

The current status of a supervised node.

Supervisor::Status
Type

record

nodes: table [string] of Supervisor::NodeStatus

The status of supervised nodes, keyed by node names.

The current status of a set of supervised nodes.

Events
Supervisor::node_status
Type

event (node: string, pid: count)

A notification event the Supervisor generates when it receives a status message update from the stem, indicating a node has (re-)started.

Node

the name of a node previously created via Supervisor::create, indicating which child process this status update refers to.

Pid

the process ID the stem reported for this node.

Hooks
Supervisor::stderr_hook
Type

hook (node: string, msg: string) : bool

Hooks into the stderr stream for all supervisor’s child processes. If a hook terminates with break, that will suppress output to the associated stream.

Node

the name of a previously created node via Supervisor::create indicating to which child process the stderr line is associated. An empty value is used to indicate the message came from the internal supervisor stem process (this should typically never happen).

Msg

line-buffered contents from the stderr of a child process.

Supervisor::stdout_hook
Type

hook (node: string, msg: string) : bool

Hooks into the stdout stream for all supervisor’s child processes. If a hook terminates with break, that will suppress output to the associated stream.

Node

the name of a previously created node via Supervisor::create indicating to which child process the stdout line is associated. An empty value is used to indicate the message came from the internal supervisor stem process (this should typically never happen).

Msg

line-buffered contents from the stdout of a child process.

Functions
Supervisor::create
Type

function (node: Supervisor::NodeConfig) : string

Create a new supervised node process. It’s an error to call this from a process other than a Supervisor.

Node

the desired configuration for the new supervised node process.

Returns

an empty string on success or description of the error/failure.

Supervisor::destroy
Type

function (node: string &default = "" &optional) : bool

Destroy and remove a supervised node process. It’s an error to call this from a process other than a Supervisor.

Node

the name of the node to destroy or an empty string to mean “all nodes”.

Returns

true on success.

Supervisor::is_supervised
Type

function () : bool

Returns

true if this is a supervised node process.

Supervisor::is_supervisor
Type

function () : bool

Returns

true if this is the Supervisor process.

Supervisor::node
Type

function () : Supervisor::NodeConfig

Returns

the node configuration if this is a supervised node. It’s an error to call this function from a process other than a supervised one.

Supervisor::restart
Type

function (node: string &default = "" &optional) : bool

Restart a supervised node process by destroying (killing) and re-creating it. It’s an error to call this from a process other than a Supervisor.

Node

the name of the node to restart or an empty string to mean “all nodes”.

Returns

true on success.

Supervisor::status
Type

function (node: string &default = "" &optional) : Supervisor::Status

Retrieve current status of a supervised node process. It’s an error to call this from a process other than a Supervisor.

Node

the name of the node to get the status of or an empty string to mean “all nodes”.

Returns

the current status of a set of nodes.
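
As an added example (not from the Zeek documentation or the project's own cluster scripts), the script below is meant to be loaded by a Supervisor process: it spawns a manager and one worker from a shared cluster layout, suppresses noisy child output through Supervisor::stdout_hook, and reports each node's last known PID at shutdown. The interface name, the ports, the node directories and the DEBUG prefix are assumptions for this example.

```zeek
# Added example; interface, ports, directories and the filtered prefix are assumptions.
const sniff_iface = "eth0";

hook Supervisor::stdout_hook(node: string, msg: string)
	{
	# Terminating the hook with break suppresses the line in the supervisor's
	# output; lines from the stem arrive with an empty node name.
	if ( node != "" && /^DEBUG/ in msg )
		break;
	}

event zeek_init()
	{
	# Only the Supervisor process may create nodes.
	if ( ! Supervisor::is_supervisor() )
		return;

	# The full static layout, keyed by node name, is handed to every node;
	# the Supervisor derives CLUSTER_NODE and Cluster::nodes from it.
	local layout: table[string] of Supervisor::ClusterEndpoint;
	layout["manager"] = Supervisor::ClusterEndpoint($role=Supervisor::MANAGER,
	                                                $host=127.0.0.1, $p=10000/tcp);
	layout["worker-1"] = Supervisor::ClusterEndpoint($role=Supervisor::WORKER,
	                                                 $host=127.0.0.1, $p=10001/tcp,
	                                                 $interface=sniff_iface);

	for ( name, ep in layout )
		{
		local cfg = Supervisor::NodeConfig($name=name, $directory=name, $cluster=layout);
		if ( ep?$interface )
			cfg$interface = ep$interface;

		# create() returns an empty string on success, otherwise an error text.
		local err = Supervisor::create(cfg);
		if ( err != "" )
			Reporter::error(fmt("could not create node %s: %s", name, err));
		}
	}

event Supervisor::node_status(node: string, pid: count)
	{
	print fmt("node %s (re)started with pid %d", node, pid);
	}

event zeek_done()
	{
	if ( ! Supervisor::is_supervisor() )
		return;

	# status() with the default empty name covers all nodes.
	local st = Supervisor::status();
	for ( name, ns in st$nodes )
		print fmt("%s pid=%s", name, ns?$pid ? cat(ns$pid) : "not started");
	}
```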

base/bif/supervisor.bif.zeek

GLOBAL
Supervisor

The BIFs that define the Zeek supervisor control interface.

Namespaces

GLOBAL, Supervisor

Summary
Functions

Supervisor::__create: function

Supervisor::__destroy: function

Supervisor::__init_cluster: function

Supervisor::__is_supervised: function

Supervisor::__is_supervisor: function

Supervisor::__node: function

Supervisor::__restart: function

Supervisor::__status: function

Supervisor::__stem_pid: function

Detailed Interface
Functions
Supervisor::__create
Type

function (node: Supervisor::NodeConfig) : string

Supervisor::__destroy
Type

function (node: string) : bool

Supervisor::__init_cluster
Type

function () : bool

Supervisor::__is_supervised
Type

function () : bool

Supervisor::__is_supervisor
Type

function () : bool

Supervisor::__node
Type

function () : Supervisor::NodeConfig

Supervisor::__restart
Type

function (node: string) : bool

Supervisor::__status
Type

function (node: string) : Supervisor::Status

Supervisor::__stem_pid
Type

function () : int

base/bif/packet_analysis.bif.zeek

GLOBAL
PacketAnalyzer
Namespaces

GLOBAL, PacketAnalyzer

Summary
Functions

PacketAnalyzer::__set_ignore_checksums_nets: function

Internal function that is used to update the core-mirror of the script-level ignore_checksums_nets variable.

PacketAnalyzer::register_packet_analyzer: function

Add an entry to parent’s dispatcher that maps a protocol/index to a next-stage child analyzer.

PacketAnalyzer::register_protocol_detection: function

Registers a child analyzer with a parent analyzer to perform packet detection when determining whether to forward from parent to child.

PacketAnalyzer::try_register_packet_analyzer_by_name: function

Attempts to add an entry to parent’s dispatcher that maps a protocol/index to a next-stage child analyzer.

Detailed Interface
Functions
PacketAnalyzer::__set_ignore_checksums_nets
Type

function (v: subnet_set) : bool

Internal function that is used to update the core-mirror of the script-level ignore_checksums_nets variable.

PacketAnalyzer::register_packet_analyzer
Type

function (parent: PacketAnalyzer::Tag, identifier: count, child: PacketAnalyzer::Tag) : bool

Add an entry to parent’s dispatcher that maps a protocol/index to a next-stage child analyzer.

Parent

The parent analyzer being modified

Identifier

The identifier for the protocol being registered

Child

The analyzer that will be called for the identifier

PacketAnalyzer::register_protocol_detection
Type

function (parent: PacketAnalyzer::Tag, child: PacketAnalyzer::Tag) : bool

Registers a child analyzer with a parent analyzer to perform packet detection when determining whether to forward from parent to child.

Parent

The parent analyzer being modified

Child

The analyzer that will use protocol detection

PacketAnalyzer::try_register_packet_analyzer_by_name
Type

function (parent: string, identifier: count, child: string) : bool

Attempts to add an entry to parent’s dispatcher that maps a protocol/index to a next-stage child analyzer. This may fail if either of the two names does not correspond to a known analyzer.

Parent

The parent analyzer being modified

Identifier

The identifier for the protocol being registered

Child

The analyzer that will be called for the identifier

base/bif/CPP-load.bif.zeek

GLOBAL

Definitions of built-in functions related to loading compiled-to-C++ scripts.

Namespace

GLOBAL

Summary
Functions

load_CPP: function

Activates the compile-to-C++ scripts associated with the given hash.

Detailed Interface
Functions
load_CPP
Type

function (h: count) : bool

Activates the compile-to-C++ scripts associated with the given hash.

H

Hash of the set of C++ scripts.

Returns

True if it was present and loaded, false if not.

base/bif/plugins/Zeek_SNMP.types.bif.zeek

GLOBAL
SNMP
Namespaces

GLOBAL, SNMP

Summary
Detailed Interface

base/bif/plugins/Zeek_KRB.types.bif.zeek

GLOBAL
KRB
Namespaces

GLOBAL, KRB

Summary
Detailed Interface

base/bif/event.bif.zeek

GLOBAL

The protocol-independent events that the C/C++ core of Zeek can generate.

These are mostly events not related to a specific transport- or application-layer protocol, but they also include a few that may be generated by more than one protocol analyzer (for example, events generated by both UDP and TCP analysis).

Namespace

GLOBAL

Summary
Events

Pcap::file_done: event

An event that signals a pcap file is done being processed.

analyzer_confirmation: event

Generated when a protocol analyzer confirms that a connection is indeed using that protocol.

analyzer_violation: event

Generated when a protocol analyzer determines that a connection it is parsing is not conforming to the protocol it expects.

anonymization_mapping: event

Shows an IP address anonymization mapping.

conn_stats: event

Generated when a TCP connection has terminated, passing on statistics about the two endpoints.

conn_weird: event

Generated for unexpected activity related to a specific connection.

connection_flow_label_changed: event

Generated for a connection over IPv6 when one direction has changed the flow label that it’s using.

connection_reused: event

Generated when a connection 4-tuple is reused.

connection_state_remove: event

Generated when a connection’s internal state is about to be removed from memory.

connection_status_update: event

Generated in regular intervals during the lifetime of a connection.

connection_timeout: event

Generated when a TCP connection timed out.

content_gap: event

Generated when Zeek detects a gap in a reassembled TCP payload stream.

dns_mapping_altered: event

Generated when an internal DNS lookup produced a different result than in the past.

dns_mapping_lost_name: event

Generated when an internal DNS lookup returned zero answers even though it had succeeded in the past.

dns_mapping_name_changed: event

Generated when an internal DNS lookup returns a different host name than in the past.

dns_mapping_new_name: event

Generated when an internal DNS lookup succeeded but an earlier attempt did not.

dns_mapping_unverified: event

Generated when an internal DNS lookup got no answer even though it had succeeded in the past.

dns_mapping_valid: event

Generated when an internal DNS lookup produces the same result as last time.

esp_packet: event

Generated for any packets using the IPv6 Encapsulating Security Payload (ESP) extension header.

event_queue_flush_point: event

Marks a point in the event stream at which the event queue started flushing.

expired_conn_weird: event

Generated for unexpected activity related to a specific connection whose internal state has already been expired.

file_gap: event

Indicates that a chunk of the file is missing.

file_new: event

Indicates that an analysis of a new file has begun.

file_opened: event

Generated each time Zeek’s script interpreter opens a file.

file_over_new_connection: event

Indicates that a file has been seen being transferred over a connection different from the original.

file_reassembly_overflow: event

Indicates that the file had an overflow of the reassembly buffer.

file_sniff: event

Provides all metadata that has been inferred about a particular file from inspection of the initial content that has been seen at the beginning of the file.

file_state_remove: event

This event is generated each time file analysis is ending for a given file.

file_timeout: event

Indicates that file analysis has timed out because no activity was seen for the file in a while.

file_weird: event

Generated for unexpected activity that is tied to a file.

flow_weird: event

Generated for unexpected activity related to a pair of hosts, but independent of a specific connection.

get_file_handle: event

This event is handled to provide feedback to the file analysis framework about how to identify the logical “file” to which some data/input belongs.

ipv6_ext_headers: event

Generated for every IPv6 packet that contains extension headers.

load_sample: event

Generated regularly for the purpose of profiling Zeek’s processing.

mobile_ipv6_message: event

Generated for any packet using a Mobile IPv6 Mobility Header.

net_done: event

Generated as one of the first steps of Zeek’s main-loop termination, just before it starts to flush any remaining events/timers/state.

net_weird: event

Generated for unexpected activity that is not tied to a specific connection or pair of hosts.

network_time_init: event

Generated when network time is initialized.

new_connection: event

Generated for every new connection.

new_event: event

A meta event generated for events that Zeek raises.

new_packet: event

Generated for all packets that make it into Zeek’s connection processing.

packet_contents: event

Generated for every packet that has a non-empty transport-layer payload.

packet_not_processed: event

An event for handling packets that reached the end of processing without being marked as processed.

profiling_update: event

Generated each time Zeek’s internal profiling log is updated.

protocol_confirmation: event &deprecated = “Remove in v5.1. Use analyzer_confirmation.”

protocol_late_match: event

Generated if a DPD signature matched but the DPD buffer is already exhausted and thus the analyzer could not be attached.

protocol_violation: event &deprecated = “Remove in v.5.1. Use analyzer_violation.”

raw_packet: event

Generated for every packet Zeek sees that has a valid link-layer header.

reporter_error: event &error_handler

Raised for errors reported via Zeek’s reporter framework.

reporter_info: event &error_handler

Raised for informational messages reported via Zeek’s reporter framework.

reporter_warning: event &error_handler

Raised for warnings reported via Zeek’s reporter framework.

rexmit_inconsistency: event

Generated when Zeek detects a TCP retransmission inconsistency.

scheduled_analyzer_applied: event

Generated when a connection is seen that is marked as being expected.

signature_match: event

Generated when a signature matches.

tunnel_changed: event

Generated for a connection whose tunneling has changed.

udp_session_done: event

Generated when a UDP session for a supported protocol has finished.

unknown_protocol: event

Generated when a packet analyzer attempts to forward a protocol that it doesn’t know how to handle.

zeek_done: event

Generated at Zeek termination time.

zeek_init: event

Generated at Zeek initialization time.

zeek_script_loaded: event

Raised for each policy script loaded by the script interpreter.

Detailed Interface
Events
Pcap::file_done
Type

event (path: string)

An event that signals a pcap file is done being processed.

Path

the filesystem path of the pcap file

analyzer_confirmation
Type

event (c: connection, atype: Analyzer::Tag, aid: count)

Generated when a protocol analyzer confirms that a connection is indeed using that protocol. Zeek’s dynamic protocol detection heuristically activates analyzers as soon as it believes a connection could be using a particular protocol. It is then left to the corresponding analyzer to verify whether that is indeed the case; if so, this event will be generated.

C

The connection.

Atype

The type of the analyzer confirming that its protocol is in use. The value is one of the Analyzer::ANALYZER_* constants. For example, Analyzer::ANALYZER_HTTP means the HTTP analyzer determined that it’s indeed parsing an HTTP connection.

Aid

A unique integer ID identifying the specific instance of the analyzer atype that is analyzing the connection c. The ID can be used to reference the analyzer when using builtin functions like disable_analyzer.

Note

Zeek’s default scripts use this event to determine the service column of Conn::Info: once confirmed, the protocol will be listed there (and thus in conn.log).

analyzer_violation
Type

event (c: connection, atype: Analyzer::Tag, aid: count, reason: string)

Generated when a protocol analyzer determines that a connection it is parsing is not conforming to the protocol it expects. Zeek’s dynamic protocol detection heuristically activates analyzers as soon as it believes a connection could be using a particular protocol. It is then left to the corresponding analyzer to verify whether that is indeed the case; if not, the analyzer will trigger this event.

C

The connection.

Atype

The type of the analyzer confirming that its protocol is in use. The value is one of the Analyzer::ANALYZER_* constants. For example, Analyzer::ANALYZER_HTTP means the HTTP analyzer determined that it’s indeed parsing an HTTP connection.

Aid

A unique integer ID identifying the specific instance of the analyzer atype that is analyzing the connection c. The ID can be used to reference the analyzer when using builtin functions like disable_analyzer.

Reason

TODO.

Note

Zeek’s default scripts use this event to disable an analyzer via disable_analyzer if it’s parsing the wrong protocol. That’s however a script-level decision and not done automatically by the event engine.
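As an added example (not Zeek’s own dpd scripts), the following handler pair records which analyzers DPD has confirmed on each connection and disables an analyzer instance that later violates its protocol, which is the script-level decision the note above describes. The module name, the `dpd_confirmed` field and the messages are constructed for this illustration.

```zeek
# Added example, not part of the Zeek distribution: per-connection DPD
# bookkeeping plus the script-level reaction to an analyzer violation.
# Module name and record field are constructed for this illustration.

module DPDDemo;

export {
    redef record connection += {
        ## Names of analyzers that have confirmed their protocol on this connection.
        dpd_confirmed: set[string] &default=set();
    };
}

event analyzer_confirmation(c: connection, atype: Analyzer::Tag, aid: count)
{
    local name = Analyzer::name(atype);
    add c$dpd_confirmed[name];
    # Zeek's default scripts do the equivalent of this bookkeeping to fill
    # the service column of Conn::Info (and thus conn.log).
    print fmt("%s: %s confirmed (analyzer instance %d)", c$uid, name, aid);
}

event analyzer_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string)
{
    local name = Analyzer::name(atype);

    if ( name in c$dpd_confirmed )
        # A violation after a confirmation is more noteworthy than an early
        # DPD misfire: the protocol was seen, then parsing broke down.
        Reporter::info(fmt("%s: %s violated its protocol after confirmation: %s",
                           c$uid, name, reason));

    # Disable only this analyzer instance (identified by aid); any other
    # analyzers attached to the connection keep running. Nothing here happens
    # automatically in the event engine; it is purely a script-level choice.
    disable_analyzer(c$id, aid);
}
```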

anonymization_mapping
Type

event (orig: addr, mapped: addr)

Shows an IP address anonymization mapping.

conn_stats
Type

event (c: connection, os: endpoint_stats, rs: endpoint_stats)

Generated when a TCP connection has terminated, passing on statistics about the two endpoints. This event is always generated when Zeek flushes the internal connection state, independent of how a connection terminates.

C

The connection.

Os

Statistics for the originator endpoint.

Rs

Statistics for the responder endpoint.

conn_weird
Type

event (name: string, c: connection, addl: string, source: string)

Type

event (name: string, c: connection, addl: string)

Generated for unexpected activity related to a specific connection. When Zeek’s packet analysis encounters activity that does not conform to a protocol’s specification, it raises one of the *_weird events to report that. This event is raised if the activity is tied directly to a specific connection.

Name

A unique name for the specific type of “weird” situation. Zeek’s default scripts use this name in filtering policies that specify which “weirds” are worth reporting.

C

The corresponding connection.

Addl

Optional additional context further describing the situation.

Source

Optional source for the weird. When called by analyzers, this should be filled in with the name of the analyzer.

Note

“Weird” activity is much more common in real-world network traffic than one would intuitively expect. While in principle, any protocol violation could be an attack attempt, it’s much more likely that an endpoint’s implementation interprets an RFC quite liberally.

connection_flow_label_changed
Type

event (c: connection, is_orig: bool, old_label: count, new_label: count)

Generated for a connection over IPv6 when one direction has changed the flow label that it’s using.

C

The connection.

Is_orig

True if the event is raised for the originator side.

Old_label

The old flow label that the endpoint was using.

New_label

The new flow label that the endpoint is using.

connection_reused
Type

event (c: connection)

Generated when a connection 4-tuple is reused. This event is raised when Zeek sees a new TCP session or UDP flow using a 4-tuple matching that of an earlier connection it still considers active.

C

The connection.

connection_state_remove
Type

event (c: connection)

Generated when a connection’s internal state is about to be removed from memory. Zeek generates this event reliably once for every connection when it is about to delete the internal state. As such, the event is well-suited for script-level cleanup that needs to be performed for every connection. This event is generated not only for TCP sessions but also for UDP and ICMP flows.

C

The connection.

connection_status_update
Type

event (c: connection)

Generated in regular intervals during the lifetime of a connection. The event is raised each connection_status_update_interval seconds and can be used to check conditions on a regular basis.

C

The connection.

connection_timeout
Type

event (c: connection)

Generated when a TCP connection timed out. This event is raised when no activity was seen for an interval of at least tcp_connection_linger, and either one endpoint has already closed the connection or one side never became active.

C

The connection.

Note

The precise semantics of this event can be unintuitive as it only covers a subset of cases where a connection times out. Often, handling connection_state_remove is the better option. That one will be generated reliably when an interval of tcp_inactivity_timeout has passed without any activity seen (but also for all other ways a connection may terminate).

content_gap
Type

event (c: connection, is_orig: bool, seq: count, length: count)

Generated when Zeek detects a gap in a reassembled TCP payload stream. This event is raised when Zeek, while reassembling a payload stream, determines that a chunk of payload is missing (e.g., because the responder has already acknowledged it, even though Zeek didn’t see it).

C

The connection.

Is_orig

True if the gap is on the originator’s side.

Seq

The sequence number where the gap starts.

Length

The number of bytes missing.

Note

Content gaps tend to occur occasionally for various reasons, including broken TCP stacks. If, however, one finds lots of them, that typically means that there is a problem with the monitoring infrastructure such as a tap dropping packets, split routing on the path, or reordering at the tap.
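The note above turns content gaps into a monitoring-health signal; the following added example (not Zeek’s own code) counts gaps and missing bytes per interval and raises a reporter warning when a constructed threshold is exceeded. The module name, `gap_threshold` and `check_interval` are assumptions made for this illustration.

```zeek
# Added example, not part of the Zeek distribution: treat a burst of
# content_gap events as a sign of a capture problem (tap dropping packets,
# split routing, reordering) and surface it through the reporter framework.
# Module name, threshold and interval are constructed for this illustration.

module GapMonitor;

export {
    ## Gaps per check interval above which a warning is raised (constructed value).
    const gap_threshold = 100 &redef;
    ## How often the counters are evaluated and reset (constructed value).
    const check_interval = 1min &redef;
}

global gaps_seen: count = 0;
global bytes_missing: count = 0;

# Periodic self-scheduled event that evaluates the counters.
global check: event();

event content_gap(c: connection, is_orig: bool, seq: count, length: count)
{
    ++gaps_seen;
    bytes_missing += length;
}

event GapMonitor::check()
{
    if ( gaps_seen > gap_threshold )
        Reporter::warning(fmt("%d content gaps (%d bytes missing) in the last %s; check the tap/capture path",
                              gaps_seen, bytes_missing, check_interval));

    gaps_seen = 0;
    bytes_missing = 0;
    schedule check_interval { GapMonitor::check() };
}

event zeek_init()
{
    schedule check_interval { GapMonitor::check() };
}
```

Occasional gaps from broken TCP stacks stay below the threshold and are ignored; only a sustained rate triggers the warning, which the reporter_warning event and reporter.log then carry.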

dns_mapping_altered
Type

event (dm: dns_mapping, old_addrs: addr_set, new_addrs: addr_set)

Generated when an internal DNS lookup produced a different result than in the past. Zeek keeps an internal DNS cache for host names and IP addresses it has already resolved. This event is generated when a subsequent lookup returns a different answer than we have stored in the cache.

Dm

A record describing the new resolver result.

Old_addrs

Addresses that used to be part of the returned set for the query described by dm, but are not anymore.

New_addrs

Addresses that were not part of the returned set for the query described by dm, but now are.

dns_mapping_lost_name
Type

event (dm: dns_mapping)

Generated when an internal DNS lookup returned zero answers even though it had succeeded in the past. Zeek keeps an internal DNS cache for host names and IP addresses it has already resolved. This event is generated when on a subsequent lookup we receive an answer that is empty even though we have already stored a result in the cache.

Dm

A record describing the old resolver result.

dns_mapping_name_changed
Type

event (prev: dns_mapping, latest: dns_mapping)

Generated when an internal DNS lookup returns a different host name than in the past. Zeek keeps an internal DNS cache for host names and IP addresses it has already resolved. This event is generated when on a subsequent lookup we receive an answer that has a different host string than we already have in the cache.

Prev

A record describing the old resolver result.

Latest

A record describing the new resolver result.

dns_mapping_new_name
Type

event (dm: dns_mapping)

Generated when an internal DNS lookup succeeded but an earlier attempt did not. Zeek keeps an internal DNS cache for host names and IP addresses it has already resolved. This event is generated when a subsequent lookup produces an answer for a query that was marked as failed in the cache.

Dm

A record describing the new resolver result.

dns_mapping_unverified
Type

event (dm: dns_mapping)

Generated when an internal DNS lookup got no answer even though it had succeeded in the past. Zeek keeps an internal DNS cache for host names and IP addresses it has already resolved. This event is generated when a subsequent lookup does not produce an answer even though we have already stored a result in the cache.

Dm

A record describing the old resolver result.

dns_mapping_valid
Type

event (dm: dns_mapping)

Generated when an internal DNS lookup produces the same result as last time. Zeek keeps an internal DNS cache for host names and IP addresses it has already resolved. This event is generated when a subsequent lookup returns the same result as stored in the cache.

Dm

A record describing the new resolver result (which matches the old one).

esp_packet
Type

event (p: pkt_hdr)

Generated for any packets using the IPv6 Encapsulating Security Payload (ESP) extension header.

P

Information from the header of the packet that triggered the event.

event_queue_flush_point
Type

event ()

Marks a point in the event stream at which the event queue started flushing.

expired_conn_weird
Type

event (name: string, id: conn_id, uid: string, addl: string, source: string)

Type

event (name: string, id: conn_id, uid: string, addl: string)

Generated for unexpected activity related to a specific connection whose internal state has already been expired. That is to say, Reporter::conn_weird may have been called from a script, but the internal connection object/state was expired and so the full connection record is no longer available, just the UID and conn_id. When Zeek’s packet analysis encounters activity that does not conform to a protocol’s specification, it raises one of the *_weird events to report that. This event is raised if the activity is tied directly to a specific connection.

Name

A unique name for the specific type of “weird” situation. Zeek’s default scripts use this name in filtering policies that specify which “weirds” are worth reporting.

Id

The tuple associated with a previously-expired connection.

Uid

The UID string associated with a previously-expired connection.

Addl

Optional additional context further describing the situation.

Source

Optional source for the weird. When called by analyzers, this should be filled in with the name of the analyzer.

Note

“Weird” activity is much more common in real-world network traffic than one would intuitively expect. While in principle, any protocol violation could be an attack attempt, it’s much more likely that an endpoint’s implementation interprets an RFC quite liberally.

file_gap
Type

event (f: fa_file, offset: count, len: count)

Indicates that a chunk of the file is missing.

F

The file.

Offset

The byte offset from the start of the file at which the gap begins.

Len

The number of missing bytes.

file_new
Type

event (f: fa_file)

Indicates that an analysis of a new file has begun. The analysis can be augmented at this time via Files::add_analyzer.

F

The file.

file_opened
Type

event (f: file)

Generated each time Zeek’s script interpreter opens a file. This event is triggered only for files opened via open, and in particular not for normal log files as created by log writers.

F

The opened file.

file_over_new_connection
Type

event (f: fa_file, c: connection, is_orig: bool)

Indicates that a file has been seen being transferred over a connection different from the original.

F

The file.

C

The new connection over which the file is seen being transferred.

Is_orig

true if the originator of c is the one sending the file.

file_reassembly_overflow
Type

event (f: fa_file, offset: count, skipped: count)

Indicates that the file had an overflow of the reassembly buffer. This is a specialization of the file_gap event.

F

The file.

Offset

The byte offset from the start of the file at which the reassembly couldn’t continue due to running out of reassembly buffer space.

Skipped

The number of bytes of the file skipped over to flush some file data and get back under the reassembly buffer size limit. This value will also be represented as a gap.

file_sniff
Type

event (f: fa_file, meta: fa_metadata)

Provides all metadata that has been inferred about a particular file from inspection of the initial content that has been seen at the beginning of the file. The analysis can be augmented at this time via Files::add_analyzer. The amount of data fed into the file sniffing can be increased or decreased by changing either default_file_bof_buffer_size or the bof_buffer_size field in an fa_file record. The event will be raised even if content inspection has been unable to infer any metadata, in which case all fields in meta will be left unset.

F

The file.

Meta

Metadata that’s been discovered about the file.

file_state_remove
Type

event (f: fa_file)

This event is generated each time file analysis is ending for a given file.

F

The file.

file_timeout
Type

event (f: fa_file)

Indicates that file analysis has timed out because no activity was seen for the file in a while.

F

The file.

file_weird
Type

event (name: string, f: fa_file, addl: string, source: string)

Type

event (name: string, f: fa_file, addl: string)

Generated for unexpected activity that is tied to a file. When Zeek’s packet analysis encounters activity that does not conform to a protocol’s specification, it raises one of the *_weird events to report that.

Name

A unique name for the specific type of “weird” situation. Zeek’s default scripts use this name in filtering policies that specify which “weirds” are worth reporting.

F

The corresponding file.

Addl

Additional information related to the weird.

Source

The name of the file analyzer that generated the weird.

Note

“Weird” activity is much more common in real-world network traffic than one would intuitively expect. While in principle, any protocol violation could be an attack attempt, it’s much more likely that an endpoint’s implementation interprets an RFC quite liberally.

flow_weird
Type

event (name: string, src: addr, dst: addr, addl: string, source: string)

Type

event (name: string, src: addr, dst: addr, addl: string)

Generated for unexpected activity related to a pair of hosts, but independent of a specific connection. When Zeek’s packet analysis encounters activity that does not conform to a protocol’s specification, it raises one of the *_weird events to report that. This event is raised if the activity is related to a pair of hosts, yet not to a specific connection between them.

Name

A unique name for the specific type of “weird” situation. Zeek’s default scripts use this name in filtering policies that specify which “weirds” are worth reporting.

Src

The source address corresponding to the activity.

Dst

The destination address corresponding to the activity.

Addl

Optional additional context further describing the situation.

Source

Optional source for the weird. When called by analyzers, this should be filled in with the name of the analyzer.

Note

“Weird” activity is much more common in real-world network traffic than one would intuitively expect. While in principle, any protocol violation could be an attack attempt, it’s much more likely that an endpoint’s implementation interprets an RFC quite liberally.

get_file_handle
Type

event (tag: Analyzer::Tag, c: connection, is_orig: bool)

This event is handled to provide feedback to the file analysis framework about how to identify the logical “file” to which some data/input belongs. All incoming data to the framework is buffered, and depends on a handler for this event to return a string value that uniquely identifies a file. Among all handlers of this event, the last one to call set_file_handle will “win”.

Tag

The analyzer which is carrying the file data.

C

The connection which is carrying the file data.

Is_orig

The direction the file data is flowing over the connection.

ipv6_ext_headers
Type

event (c: connection, p: pkt_hdr)

Generated for every IPv6 packet that contains extension headers. This is potentially an expensive event to handle if analysing IPv6 traffic that happens to utilize extension headers frequently.

C

The connection the packet is part of.

P

Information from the header of the packet that triggered the event.

load_sample
Type

event (samples: load_sample_info, CPU: interval, dmem: int)

Generated regularly for the purpose of profiling Zeek’s processing. This event is raised for every load_sample_freq packet. For these packets, Zeek records script-level functions executed during their processing as well as further internal locations. By sampling the processing in this form, one can understand where Zeek spends its time.

Samples

A set with functions and locations seen during the processing of the sampled packet.

CPU

The CPU time spent on processing the sampled packet.

Dmem

The difference in memory usage caused by processing the sampled packet.

mobile_ipv6_message
Type

event (p: pkt_hdr)

Generated for any packet using a Mobile IPv6 Mobility Header.

P

Information from the header of the packet that triggered the event.

net_done
Type

event (t: time)

Generated as one of the first steps of Zeek’s main-loop termination, just before it starts to flush any remaining events/timers/state. The event engine generates this event when Zeek is about to terminate, either due to having exhausted reading its input trace file(s), receiving a termination signal, or because Zeek was run without a network input source and has finished executing any global statements. This event comes before zeek_init.

T

The time at which the Zeek-termination process started.

Note

If Zeek terminates due to an invocation of exit, then this event is not generated.

net_weird
Type

event (name: string, addl: string, source: string)

Type

event (name: string, addl: string)

Generated for unexpected activity that is not tied to a specific connection or pair of hosts. When Zeek’s packet analysis encounters activity that does not conform to a protocol’s specification, it raises one of the *_weird events to report that. This event is raised if the activity is not tied directly to a specific connection or pair of hosts.

Name

A unique name for the specific type of “weird” situation. Zeek’s default scripts use this name in filtering policies that specify which “weirds” are worth reporting.

Addl

Optional additional context further describing the situation.

Source

Optional source for the weird. When called by analyzers, this should be filled in with the name of the analyzer.

Note

“Weird” activity is much more common in real-world network traffic than one would intuitively expect. While in principle, any protocol violation could be an attack attempt, it’s much more likely that an endpoint’s implementation interprets an RFC quite liberally.

network_time_init
Type

event ()

Generated when network time is initialized. The event engine generates this event after the network time has been determined but before processing of packets is started.

new_connection
Type

event (c: connection)

Generated for every new connection. This event is raised with the first packet of a previously unknown connection. Zeek uses a flow-based definition of “connection” here that includes not only TCP sessions but also UDP and ICMP flows.

C

The connection.

Note

Handling this event is potentially expensive. For example, during a SYN flooding attack, every spoofed SYN packet will lead to a new event.

new_event
Type

event (name: string, params: call_argument_vector)

A meta event generated for events that Zeek raises. This will report all events for which at least one handler is defined.

Note that handling this meta event is expensive and should be limited to debugging purposes.

Name

The name of the event.

Params

The event’s parameters.

new_packet
Type

event (c: connection, p: pkt_hdr)

Generated for all packets that make it into Zeek’s connection processing. In contrast to raw_packet this filters out some more packets that don’t pass certain sanity checks.

This is a very low-level and expensive event that should be avoided when at all possible. It’s usually infeasible to handle when processing even medium volumes of traffic in real-time. That said, if you work from a trace and want to do some packet-level analysis, it may come in handy.

C

The connection the packet is part of.

P

Information from the header of the packet that triggered the event.

packet_contents
Type

event (c: connection, contents: string)

Generated for every packet that has a non-empty transport-layer payload. This is a very low-level and expensive event that should be avoided when at all possible. It’s usually infeasible to handle when processing even medium volumes of traffic in real-time. It’s even worse than new_packet. That said, if you work from a trace and want to do some packet-level analysis, it may come in handy.

C

The connection the packet is part of.

Contents

The raw transport-layer payload.

packet_not_processed
Type

event (pkt: pcap_packet)

An event for handling packets that reached the end of processing without being marked as processed. Note that this event may lead to unpredictable performance spikes, particularly if a network suddenly receives a burst of packets that are unprocessed.

Pkt

Data for the unprocessed packet

profiling_update
Type

event (f: file, expensive: bool)

Generated each time Zeek’s internal profiling log is updated. The file is defined by profiling_file, and its update frequency by profiling_interval and expensive_profiling_multiple.

F

The profiling file.

Expensive

True if this event corresponds to heavier-weight profiling as indicated by the expensive_profiling_multiple variable.

protocol_confirmation
Type

event (c: connection, atype: AllAnalyzers::Tag, aid: count)

Attributes

&deprecated = “Remove in v5.1. Use analyzer_confirmation.”

protocol_late_match
Type

event (c: connection, atype: Analyzer::Tag)

Generated if a DPD signature matched but the DPD buffer is already exhausted and thus the analyzer could not be attached. While this does not confirm that a protocol is actually in use, it allows that information to be retained.

C

The connection.

Atype

The type of the analyzer confirming that its protocol is in use. The value is one of the Analyzer::ANALYZER_* constants. For example, Analyzer::ANALYZER_HTTP means the HTTP analyzer determined that it’s indeed parsing an HTTP connection.

protocol_violation
Type

event (c: connection, atype: AllAnalyzers::Tag, aid: count, reason: string)

Attributes

&deprecated = “Remove in v.5.1. Use analyzer_violation.”

raw_packet
Type

event (p: raw_pkt_hdr)

Generated for every packet Zeek sees that has a valid link-layer header. This is a very low-level and expensive event that should be avoided whenever possible. It’s usually infeasible to handle when processing even medium volumes of traffic in real time. That said, if you work from a trace and want to do some packet-level analysis, it may come in handy.

P

Information from the header of the packet that triggered the event.

See also:

reporter_error
Type

event (t: time, msg: string, location: string)

Attributes

&error_handler

Raised for errors reported via Zeek’s reporter framework. Such messages may be generated internally by the event engine and also by other scripts calling Reporter::error.

T

The time the error was passed to the reporter.

Msg

The error message.

Location

A (potentially empty) string describing a location associated with the error.

See also:

Note

Zeek will not call reporter events recursively. If the handler of any reporter event triggers a new reporter message itself, the output will go to stderr instead.

reporter_info
Type

event (t: time, msg: string, location: string)

Attributes

&error_handler

Raised for informational messages reported via Zeek’s reporter framework. Such messages may be generated internally by the event engine and also by other scripts calling Reporter::info.

T

The time the message was passed to the reporter.

Msg

The message itself.

Location

A (potentially empty) string describing a location associated with the message.

See also:

Note

Zeek will not call reporter events recursively. If the handler of any reporter event triggers a new reporter message itself, the output will go to stderr instead.

reporter_warning
Type

event (t: time, msg: string, location: string)

Attributes

&error_handler

Raised for warnings reported via Zeek’s reporter framework. Such messages may be generated internally by the event engine and also by other scripts calling Reporter::warning.

T

The time the warning was passed to the reporter.

Msg

The warning message.

Location

A (potentially empty) string describing a location associated with the warning.

See also:

Note

Zeek will not call reporter events recursively. If the handler of any reporter event triggers a new reporter message itself, the output will go to stderr instead.

rexmit_inconsistency
Type

event (c: connection, t1: string, t2: string, tcp_flags: string)

Generated when Zeek detects a TCP retransmission inconsistency. When reassembling a TCP stream, Zeek buffers all payload until it sees the responder acking it. If, during that time, the sender resends a chunk of payload with different content than it originally sent, this event is raised. In addition, if tcp_max_old_segments is larger than zero, mismatches with that older, still-buffered data will likewise trigger the event.

C

The connection showing the inconsistency.

T1

The original payload.

T2

The new payload.

Tcp_flags

A string with the TCP flags of the packet triggering the inconsistency. In the string, each character corresponds to one set flag, as follows: S -> SYN; F -> FIN; R -> RST; A -> ACK; P -> PUSH; U -> URGENT. This string will not always be set, only if the information is available; it’s “best effort”.

See also:

scheduled_analyzer_applied
Type

event (c: connection, a: Analyzer::Tag)

Generated when a connection is seen that is marked as being expected. The function Analyzer::schedule_analyzer tells Zeek to expect a particular connection to come up, and which analyzer to associate with it. Once the first packet of such a connection is indeed seen, this event is raised.

C

The connection.

A

The analyzer that was scheduled for the connection with the Analyzer::schedule_analyzer call. When the event is raised, that analyzer will already have been activated to process the connection. The count is one of the ANALYZER_* constants, e.g., ANALYZER_HTTP.

See also:

Todo

We don’t have a good way to document the automatically generated ANALYZER_* constants right now.

signature_match
Type

event (state: signature_state, msg: string, data: string)

Generated when a signature matches. Zeek’s signature engine provides high-performance pattern matching separately from the normal script processing. If a signature with an event action matches, this event is raised.

See the user manual for more information about Zeek’s signature engine.

State

Context about the match, including which signatures triggered the event and the connection for which the match was found.

Msg

The message passed to the event signature action.

Data

The last chunk of input that triggered the match. Note that the specifics here are not well-defined as Zeek does not buffer any input. If a match is split across packet boundaries, only the last chunk triggering the match will be passed on to the event.

tunnel_changed
Type

event (c: connection, e: EncapsulatingConnVector)

Generated for a connection whose tunneling has changed. This could be from a previously seen connection now being encapsulated in a tunnel, or from the outer encapsulation changing. Note that connection c’s tunnel field is NOT automatically/internally assigned to the new encapsulation value of e after this event is raised. If the desired behavior is to track the latest tunnel encapsulation per connection, then a handler of this event should assign e to c$tunnel (which Zeek’s default scripts do).

C

The connection whose tunnel/encapsulation changed.

E

The new encapsulation.

udp_session_done
Type

event (u: connection)

Generated when a UDP session for a supported protocol has finished. Some of Zeek’s application-layer UDP analyzers flag the end of a session by raising this event. Currently, the analyzers for DNS, NTP, Netbios, Syslog, AYIYA, Teredo, and GTPv1 support this.

U

The connection record for the corresponding UDP flow.

See also:

unknown_protocol
Type

event (analyzer_name: string, protocol: count, first_bytes: string)

Generated when a packet analyzer attempts to forward a protocol that it doesn’t know how to handle.

Analyzer_name

The string name of the analyzer attempting to forward the protocol

Protocol

The identifier of the protocol being forwarded

First_bytes

A certain number of bytes at the start of the unknown protocol’s header.

See also:

zeek_done
Type

event ()

Generated at Zeek termination time. The event engine generates this event when Zeek is about to terminate, either due to having exhausted reading its input trace file(s), receiving a termination signal, or because Zeek was run without a network input source and has finished executing any global statements.

See also:

Note

If Zeek terminates due to an invocation of exit, then this event is not generated.

zeek_init
Type

event ()

Generated at Zeek initialization time. The event engine generates this event just before normal input processing begins. It can be used to execute one-time initialization code at startup. At the time a handler runs, Zeek will have executed any global initializations and statements.

See also:

Note

When a zeek_init handler executes, Zeek has not yet seen any input packets and therefore network_time is not initialized yet. An artifact of that is that any timer installed in a zeek_init handler, like with schedule, will fire immediately with the first packet. The standard way to work around that is to ignore the first time the timer fires and immediately reschedule, or to instead schedule the first event from within a network_time_init handler.
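The second workaround from the note above, as an added example that is not part of the Zeek distribution: the first timer is armed from network_time_init, so it fires after the intended interval rather than on the first packet. The module name, event name and 5-minute interval are assumptions.

```zeek
##! Added example (not from the Zeek docs): a periodic task whose first
##! timer is set from network_time_init instead of zeek_init.

module PeriodicCheck;

export {
	## Interval between runs of the periodic task (assumed value).
	const check_interval = 5min &redef;

	## The event driving the periodic task (hypothetical name).
	global run: event();
}

event PeriodicCheck::run()
	{
	# Periodic work goes here. The reporter framework writes this to
	# reporter.log rather than to stdout.
	Reporter::info(fmt("periodic check at %s", network_time()));

	# Re-arm for the next run; network_time is valid at this point.
	schedule check_interval { PeriodicCheck::run() };
	}

event network_time_init()
	{
	# Arming the timer here, not in zeek_init, means network_time has
	# already been set by the first packet, so the timer really waits
	# check_interval before firing the first time.
	schedule check_interval { PeriodicCheck::run() };
	}
```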

zeek_script_loaded
Type

event (path: string, level: count)

Raised for each policy script loaded by the script interpreter.

Path

The full path to the script loaded.

Level

The “nesting level”: zero for a top-level Zeek script and incremented recursively for each @load.

base/packet-protocols/__load__.zeek

Imports

base/packet-protocols/ayiya, base/packet-protocols/ethernet, base/packet-protocols/fddi, base/packet-protocols/geneve, base/packet-protocols/gre, base/packet-protocols/gtpv1, base/packet-protocols/icmp, base/packet-protocols/ieee802_11, base/packet-protocols/ieee802_11_radio, base/packet-protocols/ip, base/packet-protocols/iptunnel, base/packet-protocols/linux_sll, base/packet-protocols/main.zeek, base/packet-protocols/mpls, base/packet-protocols/nflog, base/packet-protocols/null, base/packet-protocols/ppp_serial, base/packet-protocols/pppoe, base/packet-protocols/root, base/packet-protocols/skip, base/packet-protocols/tcp, base/packet-protocols/teredo, base/packet-protocols/udp, base/packet-protocols/vlan, base/packet-protocols/vntag, base/packet-protocols/vxlan

Summary
Detailed Interface

base/packet-protocols/main.zeek

PacketAnalyzer
Namespace

PacketAnalyzer

Imports

base/frameworks/analyzer/main.zeek

Summary
Functions

PacketAnalyzer::register_for_port: function

Registers an individual well-known port for an analyzer.

PacketAnalyzer::register_for_ports: function

Registers a set of well-known ports for an analyzer.

Detailed Interface
Functions
PacketAnalyzer::register_for_port
Type

function (parent: PacketAnalyzer::Tag, child: PacketAnalyzer::Tag, p: port) : bool

Registers an individual well-known port for an analyzer. If a future connection on this port is seen, the analyzer will be automatically assigned to parsing it. The function adds to the ports already registered; it doesn’t replace them.

Tag

The tag of the analyzer.

P

The well-known port to associate with the analyzer.

Returns

True if the port was successfully registered.

PacketAnalyzer::register_for_ports
Type

function (parent: PacketAnalyzer::Tag, child: PacketAnalyzer::Tag, ports: set [port]) : bool

Registers a set of well-known ports for an analyzer. If a future connection on one of these ports is seen, the analyzer will be automatically assigned to parsing it. The function adds to the ports already registered; it doesn’t replace them.

Tag

The tag of the analyzer.

Ports

The set of well-known ports to associate with the analyzer.

Returns

True if the ports were successfully registered.

base/frameworks/analyzer/main.zeek

Analyzer

Framework for managing Zeek’s protocol analyzers.

The analyzer framework allows analyzers to be enabled or disabled dynamically, and manages the well-known ports which automatically activate a particular analyzer for new connections.

Protocol analyzers are identified by unique tags of type Analyzer::Tag, such as Analyzer::ANALYZER_HTTP. These tags are defined internally by the analyzers themselves, and documented in their analyzer-specific description along with the events that they generate.

Analyzer tags are also inserted into a global AllAnalyzers::Tag enum type. This type contains duplicates of all of the Analyzer::Tag, PacketAnalyzer::Tag and Files::Tag enum values and can be used for arguments to function/hook/event definitions where they need to handle any analyzer type. See Analyzer::register_for_ports for an example.

Namespace

Analyzer

Imports

base/bif/analyzer.bif.zeek, base/frameworks/packet-filter/utils.zeek

Summary
State Variables

Analyzer::disable_all: bool &redef

If true, all available analyzers are initially disabled at startup.

Analyzer::disabled_analyzers: set &redef

A set of analyzers to disable by default at startup.

Analyzer::ports: table

A table of ports mapped to analyzers that handle those ports.

Functions

Analyzer::all_registered_ports: function

Returns a table of all ports-to-analyzer mappings currently registered.

Analyzer::analyzer_to_bpf: function

Automatically creates a BPF filter for the specified protocol based on the data supplied for the protocol through the Analyzer::register_for_ports function.

Analyzer::disable_analyzer: function

Disables an analyzer.

Analyzer::enable_analyzer: function

Enables an analyzer.

Analyzer::get_bpf: function

Create a BPF filter which matches all of the ports defined by the various protocol analysis scripts as “registered ports” for the protocol.

Analyzer::get_tag: function

Translates an analyzer’s name to a tag enum value.

Analyzer::has_tag: function

Check whether the given analyzer name exists.

Analyzer::name: function

Translates an analyzer type to a string with the analyzer’s name.

Analyzer::register_for_port: function

Registers an individual well-known port for an analyzer.

Analyzer::register_for_ports: function

Registers a set of well-known ports for an analyzer.

Analyzer::registered_ports: function

Returns a set of all well-known ports currently registered for a specific analyzer.

Analyzer::schedule_analyzer: function

Schedules an analyzer for a future connection originating from a given IP address and port.

Detailed Interface
State Variables
Analyzer::disable_all
Type

bool

Attributes

&redef

Default

F

If true, all available analyzers are initially disabled at startup. One can then selectively enable them with Analyzer::enable_analyzer.

Analyzer::disabled_analyzers
Type

set [Analyzer::Tag]

Attributes

&redef

Default
{
   Analyzer::ANALYZER_TCPSTATS
}

A set of analyzers to disable by default at startup. The default set contains legacy analyzers that are no longer supported.

Analyzer::ports
Type

table [AllAnalyzers::Tag] of set [port]

Default

{}

A table of ports mapped to analyzers that handle those ports. This is used by BPF filtering and DPD. Session analyzers can add to this using Analyzer::register_for_port(s) and packet analyzers can add to this using PacketAnalyzer::register_for_port(s).

Functions
Analyzer::all_registered_ports
Type

function () : table [AllAnalyzers::Tag] of set [port]

Returns a table of all ports-to-analyzer mappings currently registered.

Returns

A table mapping each analyzer to the set of ports registered for it.

Analyzer::analyzer_to_bpf
Type

function (tag: Analyzer::Tag) : string

Automatically creates a BPF filter for the specified protocol based on the data supplied for the protocol through the Analyzer::register_for_ports function.

Tag

The analyzer tag.

Returns

BPF filter string.

Analyzer::disable_analyzer
Type

function (tag: Analyzer::Tag) : bool

Disables an analyzer. Once disabled, the analyzer will not be used further for analysis of future connections.

Tag

The tag of the analyzer to disable.

Returns

True if the analyzer was successfully disabled.

Analyzer::enable_analyzer
Type

function (tag: Analyzer::Tag) : bool

Enables an analyzer. Once enabled, the analyzer may be used for analysis of future connections as decided by Zeek’s dynamic protocol detection.

Tag

The tag of the analyzer to enable.

Returns

True if the analyzer was successfully enabled.

Analyzer::get_bpf
Type

function () : string

Create a BPF filter which matches all of the ports defined by the various protocol analysis scripts as “registered ports” for the protocol.

Analyzer::get_tag
Type

function (name: string) : AllAnalyzers::Tag

Translates an analyzer’s name to a tag enum value.

Name

The analyzer name.

Returns

The analyzer tag corresponding to the name.

Analyzer::has_tag
Type

function (name: string) : bool

Check whether the given analyzer name exists.

This can be used before calling Analyzer::get_tag to verify that the given name as string is a valid analyzer name.

Name

The analyzer name.

Returns

True if the given name is a valid analyzer, else false.

Analyzer::name
Type

function (atype: AllAnalyzers::Tag) : string

Translates an analyzer type to a string with the analyzer’s name.

Tag

The analyzer tag.

Returns

The analyzer name corresponding to the tag.

Analyzer::register_for_port
Type

function (tag: Analyzer::Tag, p: port) : bool

Registers an individual well-known port for an analyzer. If a future connection on this port is seen, the analyzer will be automatically assigned to parsing it. The function adds to the ports already registered; it doesn’t replace them.

Tag

The tag of the analyzer.

P

The well-known port to associate with the analyzer.

Returns

True if the port was successfully registered.

Analyzer::register_for_ports
Type

function (tag: Analyzer::Tag, ports: set [port]) : bool

Registers a set of well-known ports for an analyzer. If a future connection on one of these ports is seen, the analyzer will be automatically assigned to parsing it. The function adds to the ports already registered; it doesn’t replace them.

Tag

The tag of the analyzer.

Ports

The set of well-known ports to associate with the analyzer.

Returns

True if the ports were successfully registered.

Analyzer::registered_ports
Type

function (tag: AllAnalyzers::Tag) : set [port]

Returns a set of all well-known ports currently registered for a specific analyzer.

Tag

The tag of the analyzer.

Returns

The set of ports.

Analyzer::schedule_analyzer
Type

function (orig: addr, resp: addr, resp_p: port, analyzer: Analyzer::Tag, tout: interval) : bool

Schedules an analyzer for a future connection originating from a given IP address and port.

Orig

The IP address originating a connection in the future. 0.0.0.0 can be used as a wildcard to match any originator address.

Resp

The IP address responding to a connection from orig.

Resp_p

The destination port at resp.

Analyzer

The analyzer ID.

Tout

A timeout interval after which the scheduling request will be discarded if the connection has not yet been seen.

Returns

True if successful.
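The Analyzer framework functions documented above, used together from a site script, as an added example that is not part of the Zeek distribution. The extra HTTP ports, the analyzer name to disable, the Site module and the expect_http helper are assumptions for illustration.

```zeek
##! Added example (not from the Zeek docs): tuning the analyzer framework
##! from a site script. Port numbers and analyzer choices are assumed.

module Site;

export {
	## Extra ports on which HTTP is known to be served (assumed values).
	const extra_http_ports: set[port] = { 8000/tcp, 8888/tcp } &redef;

	## Analyzer names, as strings (e.g. read from a config), to disable.
	const analyzers_to_disable: set[string] = { "SYSLOG" } &redef;

	## Hypothetical helper: tell Zeek to expect HTTP on a responder
	## address/port learned at runtime. The caller decides when to use it.
	global expect_http: function(resp: addr, resp_p: port): bool;
}

function expect_http(resp: addr, resp_p: port): bool
	{
	# 0.0.0.0 is the wildcard originator; the request is dropped if no
	# matching connection appears within 5 minutes.
	return Analyzer::schedule_analyzer(0.0.0.0, resp, resp_p,
	                                   Analyzer::ANALYZER_HTTP, 5min);
	}

# Negative priority: run after the base scripts have registered their
# own well-known ports.
event zeek_init() &priority=-5
	{
	# register_for_ports adds to HTTP's existing registrations; it does
	# not replace 80/tcp and the other defaults.
	if ( ! Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, extra_http_ports) )
		Reporter::warning("could not register extra HTTP ports");

	# Resolve names to tags safely: checking has_tag before get_tag
	# avoids a runtime error on a misspelled analyzer name.
	for ( name in analyzers_to_disable )
		{
		if ( ! Analyzer::has_tag(name) )
			{
			Reporter::warning(fmt("unknown analyzer name '%s', skipping", name));
			next;
			}

		local tag = Analyzer::get_tag(name);
		if ( Analyzer::disable_analyzer(tag) )
			Reporter::info(fmt("disabled analyzer %s", Analyzer::name(tag)));
		}

	# Report what ended up registered for HTTP and the BPF expression the
	# framework derives from those ports.
	local ps = Analyzer::registered_ports(Analyzer::ANALYZER_HTTP);
	Reporter::info(fmt("HTTP registered on %d port(s); BPF: %s",
	                   |ps|, Analyzer::analyzer_to_bpf(Analyzer::ANALYZER_HTTP)));
	}

# Confirmation that a connection scheduled via expect_http showed up and
# got its analyzer attached.
event scheduled_analyzer_applied(c: connection, a: Analyzer::Tag)
	{
	Reporter::info(fmt("%s: scheduled analyzer %s attached to %s",
	                   c$uid, Analyzer::name(a), c$id));
	}
```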

base/frameworks/packet-filter/utils.zeek

PacketFilter
Namespace

PacketFilter

Summary
Functions

PacketFilter::combine_filters: function

Combines two valid BPF filter strings with a string-based operator to form a new filter.

PacketFilter::port_to_bpf: function

Takes a port and returns a BPF expression which will match the port.

PacketFilter::sampling_filter: function

Create a BPF filter to sample IPv4 and IPv6 traffic.

Detailed Interface
Functions
PacketFilter::combine_filters
Type

function (lfilter: string, op: string, rfilter: string) : string

Combines two valid BPF filter strings with a string-based operator to form a new filter.

Lfilter

Filter which will go on the left side.

Op

Operation being applied (typically “or” or “and”).

Rfilter

Filter which will go on the right side.

Returns

A new string representing the two filters combined with the operator. Either filter being an empty string will still result in a valid filter.

PacketFilter::port_to_bpf
Type

function (p: port) : string

Takes a port and returns a BPF expression which will match the port.

P

The port.

Returns

A valid BPF filter string for matching the port.

PacketFilter::sampling_filter
Type

function (num_parts: count, this_part: count) : string

Create a BPF filter to sample IPv4 and IPv6 traffic.

Num_parts

The number of parts the traffic should be split into.

This_part

The part of the traffic this filter will accept (0-based).

base/bif/analyzer.bif.zeek

Analyzer
GLOBAL

Internal functions and types used by the analyzer framework.

Namespaces

Analyzer, GLOBAL

Summary
Functions

Analyzer::__disable_all_analyzers: function

Analyzer::__disable_analyzer: function

Analyzer::__enable_analyzer: function

Analyzer::__has_tag: function

Analyzer::__name: function

Analyzer::__register_for_port: function

Analyzer::__schedule_analyzer: function

Analyzer::__tag: function

Detailed Interface
Functions
Analyzer::__disable_all_analyzers
Type

function () : any

Analyzer::__disable_analyzer
Type

function (id: Analyzer::Tag) : bool

Analyzer::__enable_analyzer
Type

function (id: Analyzer::Tag) : bool

Analyzer::__has_tag
Type

function (name: string) : bool

Analyzer::__name
Type

function (atype: AllAnalyzers::Tag) : string

Analyzer::__register_for_port
Type

function (id: Analyzer::Tag, p: port) : bool

Analyzer::__schedule_analyzer
Type

function (orig: addr, resp: addr, resp_p: port, analyzer: Analyzer::Tag, tout: interval) : bool

Analyzer::__tag
Type

function (name: string) : AllAnalyzers::Tag

base/packet-protocols/root/__load__.zeek

Imports

base/packet-protocols/root/main.zeek

Summary
Detailed Interface

base/packet-protocols/root/main.zeek

PacketAnalyzer::ROOT
Namespace

PacketAnalyzer::ROOT

Summary
Redefinable Options

PacketAnalyzer::ROOT::default_analyzer: PacketAnalyzer::Tag &redef

Default analyzer (if we don’t know the link type, we assume raw IP)

Detailed Interface
Redefinable Options
PacketAnalyzer::ROOT::default_analyzer
Type

PacketAnalyzer::Tag

Attributes

&redef

Default

PacketAnalyzer::ANALYZER_IP

Default analyzer (if we don’t know the link type, we assume raw IP)

base/packet-protocols/ip/__load__.zeek

Imports

base/packet-protocols/ip/main.zeek

Summary
Detailed Interface

base/packet-protocols/ip/main.zeek

PacketAnalyzer::IP
Namespace

PacketAnalyzer::IP

Summary
Detailed Interface

base/packet-protocols/skip/__load__.zeek

Imports

base/packet-protocols/skip/main.zeek

Summary
Detailed Interface

base/packet-protocols/skip/main.zeek

PacketAnalyzer::SKIP
Namespace

PacketAnalyzer::SKIP

Summary
Redefinable Options

PacketAnalyzer::SKIP::default_analyzer: PacketAnalyzer::Tag &redef

Default analyzer

PacketAnalyzer::SKIP::skip_bytes: count &redef

Bytes to skip.

Detailed Interface
Redefinable Options
PacketAnalyzer::SKIP::default_analyzer
Type

PacketAnalyzer::Tag

Attributes

&redef

Default

PacketAnalyzer::ANALYZER_IP

Default analyzer

PacketAnalyzer::SKIP::skip_bytes
Type

count

Attributes

&redef

Default

0

Bytes to skip.

base/packet-protocols/ethernet/__load__.zeek

Imports

base/packet-protocols/ethernet/main.zeek

Summary
Detailed Interface

base/packet-protocols/ethernet/main.zeek

PacketAnalyzer::ETHERNET
Namespace

PacketAnalyzer::ETHERNET

Summary
Detailed Interface

base/packet-protocols/fddi/__load__.zeek

Imports

base/packet-protocols/fddi/main.zeek

Summary
Detailed Interface

base/packet-protocols/fddi/main.zeek

PacketAnalyzer::FDDI
Namespace

PacketAnalyzer::FDDI

Summary
Redefinable Options

PacketAnalyzer::FDDI::default_analyzer: PacketAnalyzer::Tag &redef

Default analyzer

Detailed Interface
Redefinable Options
PacketAnalyzer::FDDI::default_analyzer
Type

PacketAnalyzer::Tag

Attributes

&redef

Default

PacketAnalyzer::ANALYZER_IP

Default analyzer

base/packet-protocols/ieee802_11/__load__.zeek

Imports

base/packet-protocols/ieee802_11/main.zeek

Summary
Detailed Interface

base/packet-protocols/ieee802_11/main.zeek

PacketAnalyzer::IEEE802_11
Namespace

PacketAnalyzer::IEEE802_11

Summary
Detailed Interface

base/packet-protocols/ieee802_11_radio/__load__.zeek

Imports

base/packet-protocols/ieee802_11_radio/main.zeek

Summary
Detailed Interface

base/packet-protocols/ieee802_11_radio/main.zeek

PacketAnalyzer::IEEE802_11_RADIO
Namespace

PacketAnalyzer::IEEE802_11_RADIO

Summary
Detailed Interface

base/packet-protocols/linux_sll/__load__.zeek

Imports

base/packet-protocols/linux_sll/main.zeek

Summary
Detailed Interface

base/packet-protocols/linux_sll/main.zeek

PacketAnalyzer::LINUXSLL
Namespace

PacketAnalyzer::LINUXSLL

Summary
Detailed Interface

base/packet-protocols/nflog/__load__.zeek

Imports

base/packet-protocols/nflog/main.zeek

Summary
Detailed Interface

base/packet-protocols/nflog/main.zeek

PacketAnalyzer::NFLOG
Namespace

PacketAnalyzer::NFLOG

Summary
Detailed Interface

base/packet-protocols/null/__load__.zeek

Imports

base/packet-protocols/null/main.zeek

Summary
Detailed Interface

base/packet-protocols/null/main.zeek

PacketAnalyzer::NULL
Namespace

PacketAnalyzer::NULL

Summary
Detailed Interface

base/packet-protocols/ppp_serial/__load__.zeek

Imports

base/packet-protocols/ppp_serial/main.zeek

Summary
Detailed Interface

base/packet-protocols/ppp_serial/main.zeek

PacketAnalyzer::PPP_SERIAL
Namespace

PacketAnalyzer::PPP_SERIAL

Summary
Detailed Interface

base/packet-protocols/pppoe/__load__.zeek

Imports

base/packet-protocols/pppoe/main.zeek

Summary
Detailed Interface

base/packet-protocols/pppoe/main.zeek

PacketAnalyzer::PPPOE
Namespace

PacketAnalyzer::PPPOE

Summary
Detailed Interface

base/packet-protocols/vlan/__load__.zeek

Imports

base/packet-protocols/vlan/main.zeek

Summary
Detailed Interface

base/packet-protocols/vlan/main.zeek

PacketAnalyzer::VLAN
Namespace

PacketAnalyzer::VLAN

Summary
Detailed Interface

base/packet-protocols/mpls/__load__.zeek

Imports

base/packet-protocols/mpls/main.zeek

Summary
Detailed Interface

base/packet-protocols/mpls/main.zeek

PacketAnalyzer::MPLS
Namespace

PacketAnalyzer::MPLS

Summary
Redefinable Options

PacketAnalyzer::MPLS::default_analyzer: PacketAnalyzer::Tag &redef

Default analyzer

Detailed Interface
Redefinable Options
PacketAnalyzer::MPLS::default_analyzer
Type

PacketAnalyzer::Tag

Attributes

&redef

Default

PacketAnalyzer::ANALYZER_IP

Default analyzer

base/packet-protocols/vntag/__load__.zeek

Imports

base/packet-protocols/vntag/main.zeek

Summary
Detailed Interface

base/packet-protocols/vntag/main.zeek

PacketAnalyzer::VNTAG
Namespace

PacketAnalyzer::VNTAG

Summary
Detailed Interface

base/packet-protocols/udp/__load__.zeek

Imports

base/packet-protocols/udp/main.zeek

Summary
Detailed Interface

base/packet-protocols/udp/main.zeek

PacketAnalyzer::UDP
Namespace

PacketAnalyzer::UDP

Summary
Detailed Interface

base/packet-protocols/tcp/__load__.zeek

Imports

base/packet-protocols/tcp/main.zeek

Summary
Detailed Interface

base/packet-protocols/tcp/main.zeek

PacketAnalyzer::TCP
Namespace

PacketAnalyzer::TCP

Summary
Detailed Interface

base/packet-protocols/icmp/__load__.zeek

Imports

base/packet-protocols/icmp/main.zeek

Summary
Detailed Interface

base/packet-protocols/icmp/main.zeek

PacketAnalyzer::ICMP
Namespace

PacketAnalyzer::ICMP

Summary
Detailed Interface

base/packet-protocols/gre/__load__.zeek

Imports

base/packet-protocols/gre/main.zeek

Summary
Detailed Interface

base/packet-protocols/gre/main.zeek

PacketAnalyzer::GRE
Namespace

PacketAnalyzer::GRE

Summary
Redefinable Options

PacketAnalyzer::GRE::default_analyzer: PacketAnalyzer::Tag &redef

Detailed Interface
Redefinable Options
PacketAnalyzer::GRE::default_analyzer
Type

PacketAnalyzer::Tag

Attributes

&redef

Default

PacketAnalyzer::ANALYZER_IPTUNNEL

base/packet-protocols/iptunnel/__load__.zeek

Imports

base/packet-protocols/iptunnel/main.zeek

Summary
Detailed Interface

base/packet-protocols/iptunnel/main.zeek

PacketAnalyzer::IPTUNNEL
Namespace

PacketAnalyzer::IPTUNNEL

Summary
Redefinable Options

PacketAnalyzer::IPTUNNEL::default_analyzer: PacketAnalyzer::Tag &redef

Detailed Interface
Redefinable Options
PacketAnalyzer::IPTUNNEL::default_analyzer
Type

PacketAnalyzer::Tag

Attributes

&redef

Default

PacketAnalyzer::ANALYZER_IP

base/packet-protocols/ayiya/__load__.zeek

Imports

base/packet-protocols/ayiya/main.zeek

Summary
Detailed Interface

base/packet-protocols/ayiya/main.zeek

PacketAnalyzer::AYIYA
Namespace

PacketAnalyzer::AYIYA

Imports

base/frameworks/analyzer/main.zeek

Summary
Redefinitions

likely_server_ports: set &redef

Detailed Interface

base/packet-protocols/geneve/__load__.zeek

Imports

base/packet-protocols/geneve/main.zeek

Summary
Detailed Interface

base/packet-protocols/geneve/main.zeek

PacketAnalyzer::Geneve
Namespace

PacketAnalyzer::Geneve

Summary
Redefinable Options

PacketAnalyzer::Geneve::geneve_ports: set &redef

The set of UDP ports used for Geneve traffic.

Redefinitions

likely_server_ports: set &redef

Detailed Interface
Redefinable Options
PacketAnalyzer::Geneve::geneve_ports
Type

set [port]

Attributes

&redef

Default
{
   6081/udp
}

The set of UDP ports used for Geneve traffic. Traffic using one of these UDP destination ports will attempt to be decapsulated. Note that if you customize this, you may still want to manually ensure that likely_server_ports also gets populated accordingly.

base/packet-protocols/vxlan/__load__.zeek

Imports

base/packet-protocols/vxlan/main.zeek

Summary
Detailed Interface

base/packet-protocols/vxlan/main.zeek

PacketAnalyzer::VXLAN
Namespace

PacketAnalyzer::VXLAN

Summary
Redefinable Options

PacketAnalyzer::VXLAN::default_analyzer: PacketAnalyzer::Tag &redef

PacketAnalyzer::VXLAN::vxlan_ports: set &redef

The set of UDP ports used for VXLAN traffic.

Redefinitions

likely_server_ports: set &redef

Detailed Interface
Redefinable Options
PacketAnalyzer::VXLAN::default_analyzer
Type

PacketAnalyzer::Tag

Attributes

&redef

Default

PacketAnalyzer::ANALYZER_ETHERNET

PacketAnalyzer::VXLAN::vxlan_ports
Type

set [port]

Attributes

&redef

Default
{
   4789/udp
}

The set of UDP ports used for VXLAN traffic. Traffic using one of these UDP destination ports will attempt to be decapsulated. Note that if you customize this, you may still want to manually ensure that likely_server_ports also gets populated accordingly.

base/packet-protocols/teredo/__load__.zeek

Imports

base/packet-protocols/teredo/main.zeek

Summary
Detailed Interface

base/packet-protocols/teredo/main.zeek

PacketAnalyzer::TEREDO
Namespace

PacketAnalyzer::TEREDO

Imports

base/bif/plugins/Zeek_Teredo.functions.bif.zeek, base/frameworks/analyzer/main.zeek

Summary
Redefinable Options

PacketAnalyzer::TEREDO::default_analyzer: PacketAnalyzer::Tag &redef

Default analyzer

Redefinitions

likely_server_ports: set &redef

Detailed Interface
Redefinable Options
PacketAnalyzer::TEREDO::default_analyzer
Type

PacketAnalyzer::Tag

Attributes

&redef

Default

PacketAnalyzer::ANALYZER_IP

Default analyzer

base/bif/plugins/Zeek_Teredo.functions.bif.zeek

GLOBAL
PacketAnalyzer::TEREDO
Namespaces

GLOBAL, PacketAnalyzer::TEREDO

Summary
Functions

PacketAnalyzer::TEREDO::remove_teredo_connection: function

Detailed Interface
Functions
PacketAnalyzer::TEREDO::remove_teredo_connection
Type

function (cid: conn_id) : bool

base/packet-protocols/gtpv1/__load__.zeek

Imports

base/packet-protocols/gtpv1/main.zeek

Summary
Detailed Interface

base/packet-protocols/gtpv1/main.zeek

PacketAnalyzer::GTPV1
Namespace

PacketAnalyzer::GTPV1

Imports

base/bif/plugins/Zeek_GTPv1.functions.bif.zeek, base/frameworks/analyzer/main.zeek

Summary
Redefinable Options

PacketAnalyzer::GTPV1::default_analyzer: PacketAnalyzer::Tag &redef

Default analyzer

Redefinitions

likely_server_ports: set &redef

Detailed Interface
Redefinable Options
PacketAnalyzer::GTPV1::default_analyzer
Type

PacketAnalyzer::Tag

Attributes

&redef

Default

PacketAnalyzer::ANALYZER_IP

Default analyzer

base/bif/plugins/Zeek_GTPv1.functions.bif.zeek

GLOBAL
PacketAnalyzer::GTPV1
Namespaces

GLOBAL, PacketAnalyzer::GTPV1

Summary
Functions

PacketAnalyzer::GTPV1::remove_gtpv1_connection: function

Detailed Interface
Functions
PacketAnalyzer::GTPV1::remove_gtpv1_connection
Type

function (cid: conn_id) : bool

base/init-frameworks-and-bifs.zeek

Imports

base/bif, base/bif/plugins, base/frameworks/analyzer, base/frameworks/broker, base/frameworks/files, base/frameworks/input, base/frameworks/logging, base/frameworks/supervisor

Summary
Detailed Interface

base/frameworks/logging/__load__.zeek

Imports

base/frameworks/logging/main.zeek, base/frameworks/logging/postprocessors, base/frameworks/logging/writers/ascii.zeek, base/frameworks/logging/writers/none.zeek, base/frameworks/logging/writers/sqlite.zeek

Summary
Detailed Interface

base/frameworks/logging/main.zeek

Log

The Zeek logging interface.

See Logging Framework for an introduction to Zeek’s logging framework.

Namespace

Log

Imports

base/bif/logging.bif.zeek

Summary
Runtime Options

Log::default_rotation_dir: string &redef

Default rotation directory to use for the dir field of Log::RotationPath during calls to Log::rotation_format_func.

Redefinable Options

Log::default_ext_prefix: string &redef

A prefix for extension fields which can be optionally prefixed on all log lines by setting the ext_func field in the log filter.

Log::default_field_name_map: table &redef

Default field name mapping for renaming fields in a logging framework filter.

Log::default_mail_alarms_interval: interval &redef

Default alarm summary mail interval.

Log::default_rotation_date_format: string &redef

Default naming format for timestamps embedded into filenames.

Log::default_rotation_interval: interval &redef

Default rotation interval to use for filters that do not specify an interval.

Log::default_rotation_postprocessor_cmd: string &redef

Default shell command to run on rotated files.

Log::default_rotation_postprocessors: table &redef

Specifies the default postprocessor function per writer type.

Log::default_scope_sep: string &redef

Default separator for log field scopes when logs are unrolled and flattened.

Log::default_writer: Log::Writer &redef

Default writer to use if a filter does not specify anything else.

Log::empty_field: string &redef

Default string to use for empty fields.

Log::enable_local_logging: bool &redef

If true, local logging is by default enabled for all filters.

Log::enable_remote_logging: bool &redef

If true, remote logging is by default enabled for all filters.

Log::print_log_path: string &redef

If Log::print_to_log is enabled to write to a print log, this is the path to which the print log stream writes.

Log::print_to_log: Log::PrintLogType &redef

Set configuration for print statements redirected to logs.

Log::separator: string &redef

Default separator to use between fields.

Log::set_separator: string &redef

Default separator to use between elements of a set.

Log::unset_field: string &redef

Default string to use for an unset &optional field.

Constants

Log::no_filter: Log::Filter

Sentinel value for indicating that a filter was not found when looked up.

State Variables

Log::active_streams: table

The streams which are currently active and not disabled.

Types

Log::Filter: record

A filter type describes how to customize logging streams.

Log::ID: enum

Type that defines an ID unique to each log stream.

Log::PolicyHook: hook

A hook type to implement filtering policy at log filter granularity.

Log::PrintLogInfo: record

If Log::print_to_log is set to redirect, print statements will automatically populate log entries with the fields contained in this record.

Log::PrintLogType: enum

Configurations for Log::print_to_log

Log::RotationFmtInfo: record

Information passed into rotation format callback function given by Log::rotation_format_func.

Log::RotationInfo: record

Information passed into rotation callback functions.

Log::RotationPath: record

A log file rotation path specification that’s returned by the user-customizable Log::rotation_format_func.

Log::RotationPostProcessorFunc: function

The function type for log rotation post processors.

Log::Stream: record

Type defining the content of a logging stream.

Log::StreamPolicyHook: hook

A hook type to implement filtering policy.

Log::Writer: enum

Redefinitions

Log::Filter: record

New Fields

Log::Filter

policy: Log::PolicyHook &optional

Policy hooks can adjust log entry values and veto the writing of a log entry for the record passed into it.

Log::default_rotation_postprocessors: table &redef

Events

Log::log_print: event

Event for accessing logged print records.

Hooks

Log::log_stream_policy: Log::StreamPolicyHook

The global log policy hook.

Functions

Log::add_default_filter: function

Adds a default Log::Filter record with name field set as “default” to a given logging stream.

Log::add_filter: function

Adds a custom filter to an existing logging stream.

Log::create_stream: function

Creates a new logging stream with the default filter.

Log::default_ext_func: function &redef

Default log extension function in the case that you would like to apply the same extensions to all logs.

Log::default_path_func: function &redef

Builds the default path values for log filters if not otherwise specified by a filter.

Log::disable_stream: function

Disables a currently enabled logging stream.

Log::enable_stream: function

Enables a previously disabled logging stream.

Log::flush: function

Flushes any currently buffered output for all the writers of a given logging stream.

Log::get_filter: function

Gets a filter associated with an existing logging stream.

Log::get_filter_names: function

Gets the names of all filters associated with an existing logging stream.

Log::remove_default_filter: function

Removes the Log::Filter with name field equal to “default”.

Log::remove_filter: function

Removes a filter from an existing logging stream.

Log::remove_stream: function

Removes a logging stream completely, stopping all the threads.

Log::rotation_format_func: function &redef

A function that one may use to customize log file rotation paths.

Log::run_rotation_postprocessor_cmd: function

Runs a command given by Log::default_rotation_postprocessor_cmd on a rotated file.

Log::set_buf: function

Sets the buffering status for all the writers of a given logging stream.

Log::write: function

Writes a new log line/entry to a logging stream.

Detailed Interface
Runtime Options
Log::default_rotation_dir
Type

string

Attributes

&redef

Default

""

Redefinition

from policy/frameworks/management/persistence.zeek

=:

build_path(Management::get_spool_dir(), "log-queue")

Default rotation directory to use for the dir field of Log::RotationPath during calls to Log::rotation_format_func. An empty string implies using the current working directory.

Redefinable Options
Log::default_ext_prefix
Type

string

Attributes

&redef

Default

"_"

A prefix for extension fields which can be optionally prefixed on all log lines by setting the ext_func field in the log filter.

Log::default_field_name_map
Type

table [string] of string

Attributes

&redef

Default

{}

Default field name mapping for renaming fields in a logging framework filter. This is typically used to ease integration with external data storage and analysis systems.

Log::default_mail_alarms_interval
Type

interval

Attributes

&redef

Default

0 secs

Default alarm summary mail interval. Zero disables alarm summary mails.

Note that this is overridden by the ZeekControl MailAlarmsInterval option.

Log::default_rotation_date_format
Type

string

Attributes

&redef

Default

"%Y-%m-%d-%H-%M-%S"

Default naming format for timestamps embedded into filenames. Uses a strftime() style.

Log::default_rotation_interval
Type

interval

Attributes

&redef

Default

0 secs

Default rotation interval to use for filters that do not specify an interval. Zero disables rotation.

Note that this is overridden by the ZeekControl LogRotationInterval option.

Log::default_rotation_postprocessor_cmd
Type

string

Attributes

&redef

Default

""

Default shell command to run on rotated files. Empty for none.

Log::default_rotation_postprocessors
Type

table [Log::Writer] of function (info: Log::RotationInfo) : bool

Attributes

&redef

Default

{}

Redefinition

from base/frameworks/logging/main.zeek

+=:

Log::WRITER_ASCII = Log::default_ascii_rotation_postprocessor_func

Redefinition

from base/frameworks/logging/writers/none.zeek

+=:

Log::WRITER_NONE = LogNone::default_rotation_postprocessor_func

Specifies the default postprocessor function per writer type. Entries in this table are initialized by each writer type.

Log::default_scope_sep
Type

string

Attributes

&redef

Default

"."

Default separator for log field scopes when logs are unrolled and flattened. This will be the string between field name components. For example, setting this to “_” will cause the typical field “id.orig_h” to turn into “id_orig_h”.

Log::default_writer
Type

Log::Writer

Attributes

&redef

Default

Log::WRITER_ASCII

Default writer to use if a filter does not specify anything else.

Log::empty_field
Type

string

Attributes

&redef

Default

"(empty)"

Default string to use for empty fields. This should be different from unset_field to make the output unambiguous. Individual writers can use a different value.

Log::enable_local_logging
Type

bool

Attributes

&redef

Default

T

If true, local logging is by default enabled for all filters.

Log::enable_remote_logging
Type

bool

Attributes

&redef

Default

T

If true, remote logging is by default enabled for all filters.

Log::print_log_path
Type

string

Attributes

&redef

Default

"print"

If Log::print_to_log is enabled to write to a print log, this is the path to which the print log stream writes.

Log::print_to_log
Type

Log::PrintLogType

Attributes

&redef

Default

Log::REDIRECT_NONE

Set configuration for print statements redirected to logs.

Log::separator
Type

string

Attributes

&redef

Default

"\x09"

Default separator to use between fields. Individual writers can use a different value.

Log::set_separator
Type

string

Attributes

&redef

Default

","

Default separator to use between elements of a set. Individual writers can use a different value.

Log::unset_field
Type

string

Attributes

&redef

Default

"-"

Default string to use for an unset &optional field. Individual writers can use a different value.

Constants
Log::no_filter
Type

Log::Filter

Default
{
   name="<not found>"
   writer=Log::WRITER_ASCII
   path=<uninitialized>
   path_func=<uninitialized>
   include=<uninitialized>
   exclude=<uninitialized>
   log_local=T
   log_remote=T
   field_name_map={

   }
   scope_sep="."
   ext_prefix="_"
   ext_func=lambda_<2528247166937952945>
   ;
   interv=0 secs
   postprocessor=<uninitialized>
   config={

   }
   policy=<uninitialized>
}

Sentinel value for indicating that a filter was not found when looked up.

State Variables
Log::active_streams
Type

table [Log::ID] of Log::Stream

Default

{}

The streams which are currently active and not disabled. This table is not meant to be modified by users! Only use it for examining which streams are active.

Types
Log::Filter
Type

record

name: string

Descriptive name to reference this filter.

writer: Log::Writer &default = Log::default_writer &optional

The logging writer implementation to use.

path: string &optional

Output path for recording entries matching this filter.

The specific interpretation of the string is up to the logging writer, and may for example be the destination file name. Generally, filenames are expected to be given without any extensions; writers will add appropriate extensions automatically.

If this path is found to conflict with another filter’s for the same writer type, it is automatically corrected by appending “-N”, where N is the smallest integer greater than or equal to 2 that allows the corrected path name to not conflict with another filter’s.

path_func: function (id: Log::ID, path: string, rec: any) : string &optional

A function returning the output path for recording entries matching this filter. This is similar to path yet allows the string to be computed dynamically. It is OK to return different strings for separate calls, but be careful: it’s easy to flood the disk by returning a new string for each connection. Upon adding a filter to a stream, if neither path nor path_func is explicitly set, then Log::default_path_func is used.

id

The ID associated with the log stream.

path

A suggested path value, which may be either the filter’s path if defined, else a previous result from the function. If no path is defined for the filter, then the first call to the function will contain an empty string.

rec

An instance of the stream’s columns type with its fields set to the values to be logged.

returns

The path to be used for the filter, which will be subject to the same automatic correction rules as the path field of Log::Filter in the case of conflicts with other filters trying to use the same writer/path pair.

include: set [string] &optional

Subset of column names to record. If not given, all columns are recorded.

exclude: set [string] &optional

Subset of column names to exclude from recording. If not given, all columns are recorded.

log_local: bool &default = Log::enable_local_logging &optional

If true, entries are recorded locally.

log_remote: bool &default = Log::enable_remote_logging &optional

If true, entries are passed on to remote peers.

field_name_map: table [string] of string &default = Log::default_field_name_map &optional

Field name map to rename fields before the fields are written to the output.

scope_sep: string &default = Log::default_scope_sep &optional

A string that is used for unrolling and flattening field names for nested record types.

ext_prefix: string &default = Log::default_ext_prefix &optional

Default prefix for all extension fields. It’s typically prudent to set this to something that Zeek’s logging framework can’t normally write out in a field name.

ext_func: function (path: string) : any &default = Log::default_ext_func &optional

Function to collect a log extension value. If not specified, no log extension will be provided for the log. The return value from the function must be a record.

interv: interval &default = Log::default_rotation_interval &optional

Rotation interval. Zero disables rotation.

postprocessor: function (info: Log::RotationInfo) : bool &optional

Callback function to trigger for rotated files. If not set, the default comes out of Log::default_rotation_postprocessors.

config: table [string] of string &default = {  } &optional

A key/value table that will be passed on to the writer. Interpretation of the values is left to the writer, but usually they will be used for configuration purposes.

policy: Log::PolicyHook &optional

Policy hooks can adjust log entry values and veto the writing of a log entry for the record passed into it. Any hook that breaks from its body signals that Zeek won’t log the entry passed into it.

When no policy hook is defined, the filter inherits the hook from the stream it’s associated with.

A filter type describes how to customize logging streams.

Log::ID
Type

enum

Log::UNKNOWN

Dummy place-holder.

Log::PRINTLOG

Print statements that have been redirected to a log stream.

Broker::LOG

(present if base/frameworks/broker/log.zeek is loaded)

Files::LOG

(present if base/frameworks/files/main.zeek is loaded)

Logging stream for file analysis.

Reporter::LOG

(present if base/frameworks/reporter/main.zeek is loaded)

Cluster::LOG

(present if base/frameworks/cluster/main.zeek is loaded)

Notice::LOG

(present if base/frameworks/notice/main.zeek is loaded)

This is the primary logging stream for notices.

Notice::ALARM_LOG

(present if base/frameworks/notice/main.zeek is loaded)

This is the alarm stream.

Weird::LOG

(present if base/frameworks/notice/weird.zeek is loaded)

DPD::LOG

(present if base/frameworks/dpd/main.zeek is loaded)

Signatures::LOG

(present if base/frameworks/signatures/main.zeek is loaded)

PacketFilter::LOG

(present if base/frameworks/packet-filter/main.zeek is loaded)

Software::LOG

(present if base/frameworks/software/main.zeek is loaded)

Intel::LOG

(present if base/frameworks/intel/main.zeek is loaded)

Config::LOG

(present if base/frameworks/config/main.zeek is loaded)

Tunnel::LOG

(present if base/frameworks/tunnels/main.zeek is loaded)

OpenFlow::LOG

(present if base/frameworks/openflow/plugins/log.zeek is loaded)

NetControl::LOG

(present if base/frameworks/netcontrol/main.zeek is loaded)

NetControl::DROP_LOG

(present if base/frameworks/netcontrol/drop.zeek is loaded)

NetControl::SHUNT

(present if base/frameworks/netcontrol/shunt.zeek is loaded)

Conn::LOG

(present if base/protocols/conn/main.zeek is loaded)

DCE_RPC::LOG

(present if base/protocols/dce-rpc/main.zeek is loaded)

DHCP::LOG

(present if base/protocols/dhcp/main.zeek is loaded)

DNP3::LOG

(present if base/protocols/dnp3/main.zeek is loaded)

DNS::LOG

(present if base/protocols/dns/main.zeek is loaded)

FTP::LOG

(present if base/protocols/ftp/main.zeek is loaded)

SSL::LOG

(present if base/protocols/ssl/main.zeek is loaded)

X509::LOG

(present if base/files/x509/main.zeek is loaded)

OCSP::LOG

(present if base/files/x509/log-ocsp.zeek is loaded)

HTTP::LOG

(present if base/protocols/http/main.zeek is loaded)

IRC::LOG

(present if base/protocols/irc/main.zeek is loaded)

KRB::LOG

(present if base/protocols/krb/main.zeek is loaded)

Modbus::LOG

(present if base/protocols/modbus/main.zeek is loaded)

mysql::LOG

(present if base/protocols/mysql/main.zeek is loaded)

NTLM::LOG

(present if base/protocols/ntlm/main.zeek is loaded)

NTP::LOG

(present if base/protocols/ntp/main.zeek is loaded)

RADIUS::LOG

(present if base/protocols/radius/main.zeek is loaded)

RDP::LOG

(present if base/protocols/rdp/main.zeek is loaded)

RFB::LOG

(present if base/protocols/rfb/main.zeek is loaded)

SIP::LOG

(present if base/protocols/sip/main.zeek is loaded)

SNMP::LOG

(present if base/protocols/snmp/main.zeek is loaded)

SMB::AUTH_LOG

(present if base/protocols/smb/main.zeek is loaded)

SMB::MAPPING_LOG

(present if base/protocols/smb/main.zeek is loaded)

SMB::FILES_LOG

(present if base/protocols/smb/main.zeek is loaded)

SMTP::LOG

(present if base/protocols/smtp/main.zeek is loaded)

SOCKS::LOG

(present if base/protocols/socks/main.zeek is loaded)

SSH::LOG

(present if base/protocols/ssh/main.zeek is loaded)

Syslog::LOG

(present if base/protocols/syslog/main.zeek is loaded)

PE::LOG

(present if base/files/pe/main.zeek is loaded)

Management::Log::LOG

(present if policy/frameworks/management/log.zeek is loaded)

NetControl::CATCH_RELEASE

(present if policy/frameworks/netcontrol/catch-and-release.zeek is loaded)

Unified2::LOG

(present if policy/files/unified2/main.zeek is loaded)

Barnyard2::LOG

(present if policy/integration/barnyard2/main.zeek is loaded)

CaptureLoss::LOG

(present if policy/misc/capture-loss.zeek is loaded)

Traceroute::LOG

(present if policy/misc/detect-traceroute/main.zeek is loaded)

LoadedScripts::LOG

(present if policy/misc/loaded-scripts.zeek is loaded)

Stats::LOG

(present if policy/misc/stats.zeek is loaded)

WeirdStats::LOG

(present if policy/misc/weird-stats.zeek is loaded)

UnknownProtocol::LOG

(present if policy/misc/unknown-protocols.zeek is loaded)

Known::HOSTS_LOG

(present if policy/protocols/conn/known-hosts.zeek is loaded)

Known::SERVICES_LOG

(present if policy/protocols/conn/known-services.zeek is loaded)

Known::MODBUS_LOG

(present if policy/protocols/modbus/known-masters-slaves.zeek is loaded)

Modbus::REGISTER_CHANGE_LOG

(present if policy/protocols/modbus/track-memmap.zeek is loaded)

MQTT::CONNECT_LOG

(present if policy/protocols/mqtt/main.zeek is loaded)

MQTT::SUBSCRIBE_LOG

(present if policy/protocols/mqtt/main.zeek is loaded)

MQTT::PUBLISH_LOG

(present if policy/protocols/mqtt/main.zeek is loaded)

SMB::CMD_LOG

(present if policy/protocols/smb/log-cmds.zeek is loaded)

Known::CERTS_LOG

(present if policy/protocols/ssl/known-certs.zeek is loaded)

ZeekygenExample::LOG

(present if zeekygen/example.zeek is loaded)

Type that defines an ID unique to each log stream. Scripts creating new log streams need to redef this enum to add their own specific log ID. The log ID implicitly determines the default name of the generated log file.

Log::PolicyHook
Type

hook (rec: any, id: Log::ID, filter: Log::Filter) : bool

A hook type to implement filtering policy at log filter granularity. Like Log::StreamPolicyHook, these can implement added functionality, alter the record prior to logging, or veto the write. These hooks run at log filter granularity, so they get a Log::Filter instance as an additional argument. You can pass additional state into the hook via the filter$config table.

Rec

An instance of the stream’s columns type with its fields set to the values to be logged.

Id

The ID associated with the logging stream the filter belongs to.

Filter

The Log::Filter instance that steers the output of the given log record.

Log::PrintLogInfo
Type

record

ts: time &log

The network time at which the print statement was executed.

vals: string_vec &log

Set of strings passed to the print statement.

If Log::print_to_log is set to redirect, print statements will automatically populate log entries with the fields contained in this record.

Log::PrintLogType
Type

enum

Log::REDIRECT_NONE

No redirection of print statements.

Log::REDIRECT_STDOUT

Redirection of those print statements that were being logged to stdout, leaving behind those set to go to other specific files.

Log::REDIRECT_ALL

Redirection of all print statements.

Configurations for Log::print_to_log

Log::RotationFmtInfo
Type

record

writer: Log::Writer

The log writer being used.

path: string

Original path value.

open: time

Time when opened.

close: time

Time when closed.

terminating: bool

True if rotation occurred due to Zeek shutting down.

postprocessor: Log::RotationPostProcessorFunc &optional

The postprocessor function that will be called after rotation.

Information passed into rotation format callback function given by Log::rotation_format_func.

Log::RotationInfo
Type

record

writer: Log::Writer

The log writer being used.

fname: string

Full name of the rotated file.

path: string

Original path value.

open: time

Time when opened.

close: time

Time when closed.

terminating: bool

True if rotation occurred due to Zeek shutting down.

Information passed into rotation callback functions.

Log::RotationPath
Type

record

dir: string &default = Log::default_rotation_dir &optional

A directory to rotate the log to. This directory is created just-in-time, as the log rotation is about to happen. If it cannot be created, an error is emitted and the rotation process tries to proceed with rotation inside the working directory. When setting this field, beware that renaming files across file systems will generally fail.

file_basename: string

A base name to use for the rotated log. Log writers may later append a file extension of their choosing to this user-chosen base (e.g. if using the default ASCII writer and you want rotated files of the format “foo-<date>.log”, then this basename can be set to “foo-<date>” and the “.log” is added later). There are also generally means of customizing the file extension, such as the ZEEK_LOG_SUFFIX environment variable or writer-dependent configuration options.

A log file rotation path specification that’s returned by the user-customizable Log::rotation_format_func.

Log::RotationPostProcessorFunc
Type

function (info: Log::RotationInfo) : bool

The function type for log rotation post processors.

Log::Stream
Type

record

columns: any

A record type defining the log’s columns.

ev: any &optional

Event that will be raised once for each log entry. The event receives a single parameter, an instance of type columns.

path: string &optional

A path that will be inherited by any filters added to the stream which do not already specify their own path.

policy: Log::PolicyHook &optional

Policy hooks can adjust log records and veto their writing. Any hook handler that breaks from its body signals that Zeek won’t log the entry passed into it. You can pass arbitrary state into the hook via the filter instance and its config table.

New Filters created for this stream will inherit this policy hook, unless they provide their own.

Type defining the content of a logging stream.

Log::StreamPolicyHook
Type

hook (rec: any, id: Log::ID) : bool

A hook type to implement filtering policy. Hook handlers run on each log record. They can implement arbitrary per-record processing, alter the log record, or veto the writing of the given record by breaking from the hook handler.

Rec

An instance of the stream’s columns type with its fields set to the values to be logged.

Id

The ID associated with the logging stream the filter belongs to.

Log::Writer
Type

enum

Log::WRITER_ASCII

Log::WRITER_NONE

Log::WRITER_SQLITE

Events
Log::log_print
Type

event (rec: Log::PrintLogInfo)

Event for accessing logged print records.

Hooks
Log::log_stream_policy
Type

Log::StreamPolicyHook

The global log policy hook. The framework invokes this hook for any log write, prior to iterating over the stream’s associated filters. As with filter-specific hooks, breaking from the hook vetoes writing of the given log record. Note that filter-level policy hooks still get invoked after the global hook vetoes, but they cannot “un-veto” the write.
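
The following is an added example and not part of the Zeek documentation or code base. It shows a handler on the global Log::log_stream_policy hook that counts writes per stream before any filter runs and, as a defensive measure against disk flooding, vetoes further entries for Log::PRINTLOG once a cap is reached. The module name LogMeter and the cap value are constructed; Log::PRINTLOG, Log::log_stream_policy and zeek_done are real Zeek identifiers.

```zeek
# Added example, not from the Zeek documentation or code base.
# Module name and the cap below are constructed.
module LogMeter;

export {
    # Constructed: maximum redirected print entries written per run.
    const max_print_entries = 10000 &redef;

    # Number of Log::write calls seen per stream, counted before any
    # filter-level hook or path_func gets to look at the record.
    global writes: table[Log::ID] of count &default=0;
}

# The global hook runs once per Log::write, for every stream.
hook Log::log_stream_policy(rec: any, id: Log::ID)
    {
    writes[id] += 1;

    # Breaking here vetoes the write for every filter of the stream. The
    # filter-level hooks still run afterwards but cannot undo this veto.
    if ( id == Log::PRINTLOG && writes[id] > max_print_entries )
        break;
    }

# Report the counts at shutdown (useful when tuning what gets logged).
event zeek_done()
    {
    for ( id in writes )
        print fmt("%s: %d writes", id, writes[id]);
    }
```

The cap only applies to the print log; the counting is useful on its own when deciding which streams dominate log volume. Because the hook sees the record before filters, a veto here costs less than vetoing in each filter's own policy hook.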

Functions
Log::add_default_filter
Type

function (id: Log::ID) : bool

Adds a default Log::Filter record with name field set as “default” to a given logging stream.

Id

The ID associated with a logging stream for which to add a default filter.

Returns

The status of a call to Log::add_filter using a default Log::Filter argument with name field set to “default”.

Log::add_filter
Type

function (id: Log::ID, filter: Log::Filter) : bool

Adds a custom filter to an existing logging stream. If a filter with a matching name field already exists for the stream, it is removed when the new filter is successfully added.

Id

The ID associated with the logging stream to filter.

Filter

A record describing the desired logging parameters.

Returns

True if the filter was successfully added, false if the filter was not added or the filter argument was not the correct type.

Log::create_stream
Type

function (id: Log::ID, stream: Log::Stream) : bool

Creates a new logging stream with the default filter.

Id

The ID enum to be associated with the new logging stream.

Stream

A record defining the content that the new stream will log.

Returns

True if a new logging stream was successfully created and a default filter added to it.

Log::default_ext_func
Type

function (path: string) : any

Attributes

&redef

Default log extension function in the case that you would like to apply the same extensions to all logs. The function must return a record with all of the fields to be included in the log. The default function included here does not return a value, which indicates that no extensions are added.

Log::default_path_func
Type

function (id: Log::ID, path: string, rec: any) : string

Attributes

&redef

Builds the default path values for log filters if not otherwise specified by a filter. The default implementation uses id to derive a name. Upon adding a filter to a stream, if neither path nor path_func is explicitly set, then this function is used as the path_func.

Id

The ID associated with the log stream.

Path

A suggested path value, which may be either the filter’s path if defined, else a previous result from the function. If no path is defined for the filter, then the first call to the function will contain an empty string.

Rec

An instance of the stream’s columns type with its fields set to the values to be logged.

Returns

The path to be used for the filter.

Log::disable_stream
Type

function (id: Log::ID) : bool

Disables a currently enabled logging stream. Disabled streams will not be written to until they are enabled again. New streams are enabled by default.

Id

The ID associated with the logging stream to disable.

Returns

True if the stream is now disabled or was already disabled.

Log::enable_stream
Type

function (id: Log::ID) : bool

Enables a previously disabled logging stream. Disabled streams will not be written to until they are enabled again. New streams are enabled by default.

Id

The ID associated with the logging stream to enable.

Returns

True if the stream is re-enabled or was not previously disabled.

Log::flush
Type

function (id: Log::ID) : bool

Flushes any currently buffered output for all the writers of a given logging stream.

Id

The ID associated with a logging stream for which to flush buffered data.

Returns

True if all writers of a log stream were signalled to flush buffered data or if the logging stream is disabled, false if the logging stream does not exist.

Log::get_filter
Type

function (id: Log::ID, name: string) : Log::Filter

Gets a filter associated with an existing logging stream.

Id

The ID associated with a logging stream from which to obtain one of its filters.

Name

A string to match against the name field of a Log::Filter for identification purposes.

Returns

A filter attached to the logging stream id whose name field equals name or, if no match is found, the Log::no_filter sentinel value.

Log::get_filter_names
Type

function (id: Log::ID) : set [string]

Gets the names of all filters associated with an existing logging stream.

Id

The ID of a logging stream from which to obtain the list of filter names.

Returns

The set of filter names associated with the stream.

See also: Log::remove_filter, Log::add_default_filter, Log::remove_default_filter, Log::get_filter

Log::remove_default_filter
Type

function (id: Log::ID) : bool

Removes the Log::Filter with name field equal to “default”.

Id

The ID associated with a logging stream from which to remove the default filter.

Returns

The status of a call to Log::remove_filter using “default” as the argument.

Log::remove_filter
Type

function (id: Log::ID, name: string) : bool

Removes a filter from an existing logging stream.

Id

The ID associated with the logging stream from which to remove a filter.

Name

A string to match against the name field of a Log::Filter for identification purposes.

Returns

True if the logging stream’s filter was removed or if no filter associated with name was found.

Log::remove_stream
Type

function (id: Log::ID) : bool

Removes a logging stream completely, stopping all the threads.

Id

The ID associated with the logging stream.

Returns

True if the stream was successfully removed.

Log::rotation_format_func
Type

function (ri: Log::RotationFmtInfo) : Log::RotationPath

Attributes

&redef

A function that one may use to customize log file rotation paths. Note that the “fname” field of the ri argument is always an empty string for the purpose of this function call (i.e. the full file name is not determined yet).

Log::run_rotation_postprocessor_cmd
Type

function (info: Log::RotationInfo, npath: string) : bool

Runs a command given by Log::default_rotation_postprocessor_cmd on a rotated file. Meant to be called from postprocessor functions that are added to Log::default_rotation_postprocessors.

Info

A record holding meta-information about the log being rotated.

Npath

The new path of the file (after already being rotated/processed by writer-specific postprocessor as defined in Log::default_rotation_postprocessors).

Returns

True when Log::default_rotation_postprocessor_cmd is empty or the system command given by it has been invoked to postprocess a rotated log file.
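
The following is an added example and not part of the Zeek documentation or code base. It ties together Log::RotationPath, Log::rotation_format_func and Log::run_rotation_postprocessor_cmd as described above: rotated files are placed in per-day directories, and a filter-level postprocessor hands the rotated file to the command configured in Log::default_rotation_postprocessor_cmd. The module name RotateByDay, the directory and the helper names are constructed; strftime, build_path, Reporter::info and Conn::LOG are real Zeek identifiers. The example assumes, as in current Zeek, that by the time a postprocessor runs the writer has already renamed the file to info$fname.

```zeek
# Added example, not from the Zeek documentation or code base.
# Module name, directory and helper names are constructed.
module RotateByDay;

export {
    # Constructed: root under which rotated logs are collected per day.
    const rotation_root = "/var/spool/zeek/rotated" &redef;
}

# Decides the directory and base name of a rotated file. ri$fname is still
# empty at this point; the writer appends its own extension (".log") later.
function daily_rotation_path(ri: Log::RotationFmtInfo): Log::RotationPath
    {
    local day   = strftime("%Y-%m-%d", ri$open);
    local stamp = strftime(Log::default_rotation_date_format, ri$open);
    return Log::RotationPath($dir=build_path(rotation_root, day),
                             $file_basename=fmt("%s-%s", ri$path, stamp));
    }

# Log::rotation_format_func is &redef, so it can be replaced wholesale.
redef Log::rotation_format_func = daily_rotation_path;

# Filter-level postprocessor. Assumption (matches current Zeek): the writer
# has already moved the file to info$fname, so that is the path handed to
# the shell command in Log::default_rotation_postprocessor_cmd. When that
# option is empty the call is a no-op and returns true.
function after_rotation(info: Log::RotationInfo): bool
    {
    if ( info$terminating )
        Reporter::info(fmt("final rotation of %s at shutdown", info$fname));
    return Log::run_rotation_postprocessor_cmd(info, info$fname);
    }

event zeek_init()
    {
    # Re-adding a filter named "default" replaces the stream's own default
    # filter, so conn.log now rotates hourly through after_rotation.
    Log::add_filter(Conn::LOG, [$name="default",
                                $interv=1 hr,
                                $postprocessor=after_rotation]);
    }
```

The directory returned in dir is created just before rotation; as the Log::RotationPath description notes, a dir on a different file system from the live log will generally make the rename fail, so keep rotation_root on the same volume as the working directory.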

Log::set_buf
Type

function (id: Log::ID, buffered: bool) : bool

Sets the buffering status for all the writers of a given logging stream. A given writer implementation may or may not support buffering and if it doesn’t then toggling buffering with this function has no effect.

Id

The ID associated with a logging stream for which to enable/disable buffering.

Buffered

Whether to enable or disable log buffering.

Returns

True if buffering status was set, false if the logging stream does not exist.

Log::write
Type

function (id: Log::ID, columns: any) : bool

Writes a new log line/entry to a logging stream.

Id

The ID associated with a logging stream to be written to.

Columns

A record value describing the values of each field/column to write to the log stream.

Returns

True if the stream was found and no error occurred in writing to it or if the stream was disabled and nothing was written. False if the stream was not found, or the columns argument did not match what the stream was initially defined to handle, or one of the stream’s filters has an invalid path_func.
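
The following is an added example and not part of the Zeek documentation or code base. It exercises the Log::Filter record and Log::PolicyHook described earlier in this section together with Log::create_stream, Log::add_filter and Log::write: a small custom stream whose filter routes entries by a column value via path_func, restricts the written columns with include, renames a field with field_name_map, and applies a filter-level policy hook that vetoes selected entries. Everything in module AuthAudit (the stream, its record, the hook and helper names, the sample values) is hypothetical.

```zeek
# Added example, not from the Zeek documentation or code base. Everything in
# module AuthAudit (stream, record, hook, helper names, values) is hypothetical.
module AuthAudit;

export {
    # Each stream needs its own Log::ID. The enum value also determines the
    # default file name via Log::default_path_func ("auth_audit.log").
    redef enum Log::ID += { LOG };

    # Columns of the stream. Only fields carrying &log reach the writers,
    # so the credential material below can never be written to disk.
    type Info: record {
        ts:       time   &log;
        user:     string &log;
        orig_h:   addr   &log;
        outcome:  string &log;       # "success" or "failure"
        password: string &optional;  # no &log: deliberately withheld
    };

    # Filter-level policy hook; handlers may alter or veto single entries.
    global log_policy: Log::PolicyHook;

    # Constructed: accounts whose entries are never written.
    const suppressed_users: set[string] = { "healthcheck" } &redef;
}

# Breaking out of a handler vetoes the write for this filter only.
hook log_policy(rec: Info, id: Log::ID, filter: Log::Filter)
    {
    if ( rec$user in suppressed_users )
        break;
    }

# path_func: route entries to auth_audit-success.log or auth_audit-failure.log.
# The path argument may be "" on the first call if the filter sets no path,
# so fall back to a fixed base name rather than producing "-success".
function path_by_outcome(id: Log::ID, path: string, rec: Info): string
    {
    local base = path == "" ? "auth_audit" : path;
    return fmt("%s-%s", base, rec$outcome);
    }

event zeek_init() &priority=5
    {
    Log::create_stream(LOG, [$columns=Info, $path="auth_audit"]);

    # Adding a filter named "default" replaces the one create_stream made.
    # This one routes by outcome, records only the listed columns, renames
    # a field for downstream consumers, and applies the policy hook above.
    Log::add_filter(LOG, [$name="default",
                          $path_func=path_by_outcome,
                          $include=set("ts", "user", "orig_h", "outcome"),
                          $field_name_map=table(["orig_h"] = "source_ip"),
                          $policy=log_policy]);
    }

# Constructed sample writes; a real script would feed these from protocol
# events. Returns how many writes the framework accepted.
function write_samples(): count
    {
    local n = 0;
    if ( Log::write(LOG, [$ts=network_time(), $user="alice",
                          $orig_h=192.0.2.10, $outcome="success",
                          $password="never-logged"]) )
        ++n;
    # Accepted by Log::write but vetoed by the policy hook: never hits disk.
    if ( Log::write(LOG, [$ts=network_time(), $user="healthcheck",
                          $orig_h=192.0.2.20, $outcome="failure"]) )
        ++n;
    return n;
    }

event zeek_init() &priority=-5
    {
    print fmt("%d writes accepted", write_samples());
    }
```

Note that Log::write returns true for the vetoed entry as well: the return value reports that the stream exists and the record matched its columns type, not whether any filter actually wrote it. Whether a record reached disk is decided by the stream and filter policy hooks.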

base/bif/logging.bif.zeek

GLOBAL
Log

Internal functions and types used by the logging framework.

Namespaces

GLOBAL, Log

Summary
Functions

Log::__add_filter: function

Log::__create_stream: function

Log::__disable_stream: function

Log::__enable_stream: function

Log::__flush: function

Log::__remove_filter: function

Log::__remove_stream: function

Log::__set_buf: function

Log::__write: function

Detailed Interface
Functions
Log::__add_filter
Type

function (id: Log::ID, filter: Log::Filter) : bool

Log::__create_stream
Type

function (id: Log::ID, stream: Log::Stream) : bool

Log::__disable_stream
Type

function (id: Log::ID) : bool

Log::__enable_stream
Type

function (id: Log::ID) : bool

Log::__flush
Type

function (id: Log::ID) : bool

Log::__remove_filter
Type

function (id: Log::ID, name: string) : bool

Log::__remove_stream
Type

function (id: Log::ID) : bool

Log::__set_buf
Type

function (id: Log::ID, buffered: bool) : bool

Log::__write
Type

function (id: Log::ID, columns: any) : bool

base/frameworks/logging/postprocessors/__load__.zeek

Imports

base/frameworks/logging/postprocessors/scp.zeek, base/frameworks/logging/postprocessors/sftp.zeek

Summary
Detailed Interface

base/frameworks/logging/postprocessors/scp.zeek

Log

This script defines a postprocessing function that can be applied to a logging filter in order to automatically SCP (secure copy) a log stream (or a subset of it) to a remote host at configurable rotation time intervals. Generally, to use this functionality you must handle the zeek_init event and do the following in your handler:

  1. Create a new Log::Filter record that defines a name/path, rotation interval, and set the postprocessor to Log::scp_postprocessor.

  2. Add the filter to a logging stream using Log::add_filter.

  3. Add a table entry to Log::scp_destinations for the filter’s writer/path pair which defines a set of Log::SCPDestination records.

Namespace

Log

Summary
Redefinable Options

Log::scp_rotation_date_format: string &redef

Default naming format for timestamps embedded into log filenames that use the SCP rotator.

State Variables

Log::scp_destinations: table

A table indexed by a particular log writer and filter path, that yields a set of remote destinations.

Types

Log::SCPDestination: record

A container that describes the remote destination for the SCP command argument as user@host:path.

Functions

Log::scp_postprocessor: function

Secure-copies the rotated log to all the remote hosts defined in Log::scp_destinations and then deletes the local copy of the rotated log.

Detailed Interface
Redefinable Options
Log::scp_rotation_date_format
Type

string

Attributes

&redef

Default

"%Y-%m-%d-%H-%M-%S"

Default naming format for timestamps embedded into log filenames that use the SCP rotator.

State Variables
Log::scp_destinations
Type

table [Log::Writer, string] of set [Log::SCPDestination]

Default

{}

A table indexed by a particular log writer and filter path, that yields a set of remote destinations. The Log::scp_postprocessor function queries this table upon log rotation and performs a secure copy of the rotated log to each destination in the set. This table can be modified at run-time.

Types
Log::SCPDestination
Type

record

user: string

The remote user to log in as. A trust mechanism should be pre-established.

host: string

The remote host to which to transfer logs.

path: string

The path/directory on the remote host to send logs.

A container that describes the remote destination for the SCP command argument as user@host:path.

Functions
Log::scp_postprocessor
Type

function (info: Log::RotationInfo) : bool

Secure-copies the rotated log to all the remote hosts defined in Log::scp_destinations and then deletes the local copy of the rotated log. It’s not active when reading from trace files.

Info

A record holding meta-information about the log file to be postprocessed.

Returns

True if secure-copy system command was initiated or if no destination was configured for the log as described by info.

base/frameworks/logging/postprocessors/sftp.zeek

Log

This script defines a postprocessing function that can be applied to a logging filter in order to automatically SFTP a log stream (or a subset of it) to a remote host at configurable rotation time intervals. Generally, to use this functionality you must handle the zeek_init event and do the following in your handler:

  1. Create a new Log::Filter record that defines a name/path, rotation interval, and set the postprocessor to Log::sftp_postprocessor.

  2. Add the filter to a logging stream using Log::add_filter.

  3. Add a table entry to Log::sftp_destinations for the filter’s writer/path pair which defines a set of Log::SFTPDestination records.
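The three-step setup described for both the SCP and the SFTP postprocessor, as an added example that is not part of the Zeek distribution. The host names, user name, remote paths and the non-default SFTP port are placeholders; SSH key trust to both hosts must already exist for the user Zeek runs as, and neither postprocessor runs when Zeek reads a trace file.

```zeek
# Added example: ship rotated copies of the conn stream off-box with the
# SCP and SFTP postprocessors. Hosts, user and paths are placeholders.

event zeek_init()
    {
    # 1. A filter with its own path, an hourly rotation interval and the
    #    SCP postprocessor. The path ("conn-scp") together with the writer
    #    is the key the destination table is looked up with at rotation.
    local scp_filter = Log::Filter($name="conn-scp",
                                   $path="conn-scp",
                                   $writer=Log::WRITER_ASCII,
                                   $interv=1 hr,
                                   $postprocessor=Log::scp_postprocessor);

    # 2. Attach it to the conn stream; the stream's default filter keeps
    #    writing the local conn.log unchanged.
    Log::add_filter(Conn::LOG, scp_filter);

    # 3. Destinations for that writer/path pair. Every rotated file is
    #    copied to each entry of the set, then the local rotated copy is
    #    deleted, so a failed copy means the data only lives on the remote.
    local scp_dest = Log::SCPDestination($user="zeeklogs",
                                         $host="archive.example.invalid",
                                         $path="/srv/zeek/conn");
    Log::scp_destinations[Log::WRITER_ASCII, "conn-scp"] = set(scp_dest);

    # The same three steps for SFTP. Log::SFTPDestination additionally
    # carries host_port, which defaults to 22.
    local sftp_filter = Log::Filter($name="conn-sftp",
                                    $path="conn-sftp",
                                    $writer=Log::WRITER_ASCII,
                                    $interv=1 hr,
                                    $postprocessor=Log::sftp_postprocessor);
    Log::add_filter(Conn::LOG, sftp_filter);

    local sftp_dest = Log::SFTPDestination($user="zeeklogs",
                                           $host="siem.example.invalid",
                                           $host_port=2222,
                                           $path="/upload/zeek");
    Log::sftp_destinations[Log::WRITER_ASCII, "conn-sftp"] = set(sftp_dest);
    }
```

Both tables can also be modified later at run time, so destinations may be added or removed without restarting Zeek.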

Namespace

Log

Summary
Redefinable Options

Log::sftp_rotation_date_format: string &redef

Default naming format for timestamps embedded into log filenames that use the SFTP rotator.

State Variables

Log::sftp_destinations: table

A table indexed by a particular log writer and filter path, that yields a set of remote destinations.

Types

Log::SFTPDestination: record

A container that describes the remote destination for the SFTP command, comprised of the username, host, and path at which to upload the file.

Functions

Log::sftp_postprocessor: function

Securely transfers the rotated log to all the remote hosts defined in Log::sftp_destinations and then deletes the local copy of the rotated log.

Detailed Interface
Redefinable Options
Log::sftp_rotation_date_format
Type

string

Attributes

&redef

Default

"%Y-%m-%d-%H-%M-%S"

Default naming format for timestamps embedded into log filenames that use the SFTP rotator.

State Variables
Log::sftp_destinations
Type

table [Log::Writer, string] of set [Log::SFTPDestination]

Default

{}

A table indexed by a particular log writer and filter path, that yields a set of remote destinations. The Log::sftp_postprocessor function queries this table upon log rotation and performs a secure transfer of the rotated log to each destination in the set. This table can be modified at run-time.

Types
Log::SFTPDestination
Type

record

user: string

The remote user to log in as. A trust mechanism should be pre-established.

host: string

The remote host to which to transfer logs.

host_port: count &default = 22 &optional

The port to connect to. Defaults to 22.

path: string

The path/directory on the remote host to send logs.

A container that describes the remote destination for the SFTP command, comprised of the username, host, and path at which to upload the file.

Functions
Log::sftp_postprocessor
Type

function (info: Log::RotationInfo) : bool

Securely transfers the rotated log to all the remote hosts defined in Log::sftp_destinations and then deletes the local copy of the rotated log. It’s not active when reading from trace files.

Info

A record holding meta-information about the log file to be postprocessed.

Returns

True if sftp system command was initiated or if no destination was configured for the log as described by info.

base/frameworks/logging/writers/ascii.zeek

LogAscii

Interface for the ASCII log writer. Redefinable options are available to tweak the output format of ASCII logs.

The ASCII writer currently supports one writer-specific per-filter config option: setting tsv to the string T turns the output into “tab-separated-value” mode where only a single header row with the column names is printed out as meta information, with no “# fields” prepended; no other meta data gets included in that mode. Example filter using this:

local f: Log::Filter = [$name = "my-filter",
                        $writer = Log::WRITER_ASCII,
                        $config = table(["tsv"] = "T")];

Namespace

LogAscii

Summary
Redefinable Options

LogAscii::empty_field: string &redef

String to use for empty fields.

LogAscii::enable_leftover_log_rotation: bool &redef

If true, detect log files that did not get properly rotated by a previous Zeek process (e.g. due to a crash) and rotate them.

LogAscii::enable_utf_8: bool &redef

If true, valid UTF-8 sequences will pass through unescaped and be written into logs.

LogAscii::gzip_file_extension: string &redef

Define the file extension used when compressing log files when they are created with the LogAscii::gzip_level option.

LogAscii::gzip_level: count &redef

Define the gzip level to compress the logs.

LogAscii::include_meta: bool &redef

If true, include lines with log meta information such as column names with types, the values of ASCII logging options that are in use, and the time when the file was opened and closed (the latter at the end).

LogAscii::json_include_unset_fields: bool &redef

Handling of optional fields when writing out JSON.

LogAscii::json_timestamps: JSON::TimestampFormat &redef

Format of timestamps when writing out JSON.

LogAscii::logdir: string &redef

Define the default logging directory.

LogAscii::meta_prefix: string &redef

Prefix for lines with meta information.

LogAscii::output_to_stdout: bool &redef

If true, output everything to stdout rather than into files.

LogAscii::separator: string &redef

Separator between fields.

LogAscii::set_separator: string &redef

Separator between set elements.

LogAscii::unset_field: string &redef

String to use for an unset &optional field.

LogAscii::use_json: bool &redef

If true, the default will be to write logs in a JSON format.

Detailed Interface
Redefinable Options
LogAscii::empty_field
Type

string

Attributes

&redef

Default

"(empty)"

String to use for empty fields. This should be different from unset_field to make the output unambiguous.

This option is also available as a per-filter $config option.

LogAscii::enable_leftover_log_rotation
Type

bool

Attributes

&redef

Default

F

If true, detect log files that did not get properly rotated by a previous Zeek process (e.g. due to a crash) and rotate them.

This only has an effect when a positive rotation interval is configured, e.g. via Log::default_rotation_interval or the interv field of a Log::Filter.

LogAscii::enable_utf_8
Type

bool

Attributes

&redef

Default

T

If true, valid UTF-8 sequences will pass through unescaped and be written into logs.

This option is also available as a per-filter $config option.

LogAscii::gzip_file_extension
Type

string

Attributes

&redef

Default

"gz"

Define the file extension used when compressing log files when they are created with the LogAscii::gzip_level option.

This option is also available as a per-filter $config option.

LogAscii::gzip_level
Type

count

Attributes

&redef

Default

0

Define the gzip level to compress the logs. If 0, then no gzip compression is performed. Enabling compression also changes the log file name extension to include the value of LogAscii::gzip_file_extension.

This option is also available as a per-filter $config option.

LogAscii::include_meta
Type

bool

Attributes

&redef

Default

T

If true, include lines with log meta information such as column names with types, the values of ASCII logging options that are in use, and the time when the file was opened and closed (the latter at the end).

If writing in JSON format, this is implicitly disabled.

LogAscii::json_include_unset_fields
Type

bool

Attributes

&redef

Default

F

Handling of optional fields when writing out JSON. By default the JSON formatter skips both key and value when the field is absent. Setting this option to T includes the key, with a null value.

LogAscii::json_timestamps
Type

JSON::TimestampFormat

Attributes

&redef

Default

JSON::TS_EPOCH

Format of timestamps when writing out JSON. By default, the JSON formatter will use double values for timestamps which represent the number of seconds from the UNIX epoch.

This option is also available as a per-filter $config option.

LogAscii::logdir
Type

string

Attributes

&redef

Default

""

Define the default logging directory. If empty, logs are written to the current working directory.

LogAscii::meta_prefix
Type

string

Attributes

&redef

Default

"#"

Prefix for lines with meta information.

This option is also available as a per-filter $config option.

LogAscii::output_to_stdout
Type

bool

Attributes

&redef

Default

F

If true, output everything to stdout rather than into files. This is primarily for debugging purposes.

This option is also available as a per-filter $config option.

LogAscii::separator
Type

string

Attributes

&redef

Default

"\x09"

Separator between fields.

This option is also available as a per-filter $config option.

LogAscii::set_separator
Type

string

Attributes

&redef

Default

","

Separator between set elements.

This option is also available as a per-filter $config option.

LogAscii::unset_field
Type

string

Attributes

&redef

Default

"-"

String to use for an unset &optional field.

This option is also available as a per-filter $config option.

LogAscii::use_json
Type

bool

Attributes

&redef

Default

F

Redefinition

from policy/tuning/json-logs.zeek

=:

T

If true, the default will be to write logs in a JSON format.

This option is also available as a per-filter $config option.

base/frameworks/logging/writers/sqlite.zeek

LogSQLite

Interface for the SQLite log writer. Redefinable options are available to tweak the output format of the SQLite log writer.

See SQLite Input/Logging for an introduction on how to use the SQLite log writer.

The SQLite writer currently supports one writer-specific filter option via config: setting tablename sets the name of the table that is used or created in the SQLite database. An example of this is given in the introduction mentioned above.

Namespace

LogSQLite

Summary
Redefinable Options

LogSQLite::empty_field: string &redef

String to use for empty fields.

LogSQLite::set_separator: string &redef

Separator between set elements.

LogSQLite::unset_field: string &redef

String to use for an unset &optional field.

Detailed Interface
Redefinable Options
LogSQLite::empty_field
Type

string

Attributes

&redef

Default

"(empty)"

String to use for empty fields. This should be different from unset_field to make the output unambiguous.

LogSQLite::set_separator
Type

string

Attributes

&redef

Default

","

Separator between set elements.

LogSQLite::unset_field
Type

string

Attributes

&redef

Default

"-"

String to use for an unset &optional field.

base/frameworks/logging/writers/none.zeek

LogNone

Interface for the None log writer. This writer is mainly for debugging.

Namespace

LogNone

Summary
Redefinable Options

LogNone::debug: bool &redef

If true, output debugging output that can be useful for unit testing the logging framework.

Redefinitions

Log::default_rotation_postprocessors: table &redef

Detailed Interface
Redefinable Options
LogNone::debug
Type

bool

Attributes

&redef

Default

F

If true, output debugging output that can be useful for unit testing the logging framework.

base/frameworks/broker/__load__.zeek

Imports

base/frameworks/broker/log.zeek, base/frameworks/broker/main.zeek, base/frameworks/broker/store.zeek

Summary
Detailed Interface

base/frameworks/broker/main.zeek

Broker

The Broker-based communication API and its various options.

Namespace

Broker

Imports

base/bif/comm.bif.zeek, base/bif/messaging.bif.zeek

Summary
Runtime Options

Broker::metrics_export_endpoint_name: string &redef

ID for the metrics exporter.

Broker::metrics_export_interval: interval &redef

Frequency for publishing scraped metrics to the target topic.

Broker::metrics_export_prefixes: vector &redef

Selects prefixes from the local metrics.

Broker::metrics_export_topic: string &redef

Target topic for the metrics.

Broker::peer_counts_as_iosource: bool &redef

Whether calling Broker::peer will register the Broker system as an I/O source that will block the process from shutting down.

Redefinable Options

Broker::aggressive_interval: count &redef

Frequency of work-stealing polling attempts for Broker/CAF threads in “aggressive” mode.

Broker::aggressive_polls: count &redef

Number of work-stealing polling attempts for Broker/CAF threads in “aggressive” mode.

Broker::congestion_queue_size: count &redef

The number of buffered messages at the Broker/CAF layer after which a subscriber considers itself congested; this value tunes Broker's congestion control.

Broker::default_connect_retry: interval &redef

Default interval to retry connecting to a peer if it cannot be made to work initially, or if it ever becomes disconnected.

Broker::default_listen_address: string &redef

Default address on which to listen.

Broker::default_listen_address_websocket: string &redef

Default address on which to listen for WebSocket connections.

Broker::default_listen_retry: interval &redef

Default interval to retry listening on a port if it’s currently in use already.

Broker::default_log_topic_prefix: string &redef

The default topic prefix where logs will be published.

Broker::default_port: port &redef

Default port for native Broker communication.

Broker::default_port_websocket: port &redef

Default port for Broker WebSocket communication.

Broker::disable_ssl: bool &redef

If true, do not use SSL for network connections.

Broker::forward_messages: bool &redef

Forward all received messages to subscribing peers.

Broker::log_batch_interval: interval &redef

Max time to buffer log messages before sending the current set out as a batch.

Broker::log_batch_size: count &redef

The max number of log entries per log stream to batch together when sending log messages to a remote logger.

Broker::max_threads: count &redef

Max number of threads to use for Broker/CAF functionality.

Broker::metrics_port: port &redef

Port for Broker’s metric exporter.

Broker::moderate_interval: count &redef

Frequency of work-stealing polling attempts for Broker/CAF threads in “moderate” mode.

Broker::moderate_polls: count &redef

Number of work-stealing polling attempts for Broker/CAF threads in “moderate” mode.

Broker::moderate_sleep: interval &redef

Interval of time for under-utilized Broker/CAF threads to sleep when in “moderate” mode.

Broker::relaxed_interval: count &redef

Frequency of work-stealing polling attempts for Broker/CAF threads in “relaxed” mode.

Broker::relaxed_sleep: interval &redef

Interval of time for under-utilized Broker/CAF threads to sleep when in “relaxed” mode.

Broker::scheduler_policy: string &redef

The CAF scheduling policy to use.

Broker::ssl_cafile: string &redef

Path to a file containing concatenated trusted certificates in PEM format.

Broker::ssl_capath: string &redef

Path to an OpenSSL-style directory of trusted certificates.

Broker::ssl_certificate: string &redef

Path to a file containing a X.509 certificate for this node in PEM format.

Broker::ssl_keyfile: string &redef

Path to the file containing the private key for this node’s certificate.

Broker::ssl_passphrase: string &redef

Passphrase to decrypt the private key specified by Broker::ssl_keyfile.

Types

Broker::Data: record

Opaque communication data.

Broker::DataVector: vector

Opaque communication data sequence.

Broker::EndpointInfo: record

Broker::ErrorCode: enum

Enumerates the possible error types.

Broker::Event: record

Opaque event communication data.

Broker::NetworkInfo: record

Broker::PeerInfo: record

Broker::PeerInfos: vector

Broker::PeerStatus: enum

The possible states of a peer endpoint.

Broker::TableItem: record

Opaque communication data used as a convenient way to wrap key-value pairs that comprise table entries.

Functions

Broker::auto_publish: function

Automatically send an event to any interested peers whenever it is locally dispatched.

Broker::auto_unpublish: function

Stop automatically sending an event to peers upon local dispatch.

Broker::default_log_topic: function

The default implementation for Broker::log_topic.

Broker::flush_logs: function

Sends all pending log messages to remote peers.

Broker::forward: function

Register a topic prefix subscription for events that should only be forwarded to any subscribing peers and not raise any event handlers on the receiving/forwarding node.

Broker::listen: function

Listen for remote connections using the native Broker protocol.

Broker::listen_websocket: function

Listen for remote connections using WebSocket.

Broker::log_topic: function &redef

A function that will be called for each log entry to determine what broker topic string will be used for sending it to peers.

Broker::node_id: function

Get a unique identifier for the local broker endpoint.

Broker::peer: function

Initiate a remote connection.

Broker::peers: function

Get a list of all peer connections.

Broker::publish_id: function

Publishes the value of an identifier to a given topic.

Broker::subscribe: function

Register interest in all peer event messages that use a certain topic prefix.

Broker::unpeer: function

Remove a remote connection.

Broker::unsubscribe: function

Unregister interest in all peer event messages that use a topic prefix.

Detailed Interface
Runtime Options
Broker::metrics_export_endpoint_name
Type

string

Attributes

&redef

Default

""

ID for the metrics exporter. When setting a target topic for the exporter, Broker sets this option to the suffix of the new topic unless the ID is already a non-empty string. Since setting a topic starts the periodic publishing of events, we recommend always setting the ID first, or not setting it at all if the topic suffix serves as a good-enough ID. Zeek overrides any value provided in zeek_init or earlier at startup if the environment variable BROKER_METRICS_ENDPOINT_NAME is defined.

Broker::metrics_export_interval
Type

interval

Attributes

&redef

Default

1.0 sec

Frequency for publishing scraped metrics to the target topic. Zeek overrides any value provided in zeek_init or earlier at startup if the environment variable BROKER_METRICS_EXPORT_INTERVAL is defined.

Broker::metrics_export_prefixes
Type

vector of string

Attributes

&redef

Default

[]

Selects prefixes from the local metrics. Only metrics with prefixes listed in this variable are included when publishing local metrics. Setting an empty vector selects all metrics.

Broker::metrics_export_topic
Type

string

Attributes

&redef

Default

""

Target topic for the metrics. Setting a non-empty string starts the periodic publishing of local metrics. Zeek overrides any value provided in zeek_init or earlier at startup if the environment variable BROKER_METRICS_EXPORT_TOPIC is defined.

Broker::peer_counts_as_iosource
Type

bool

Attributes

&redef

Default

T

Whether calling Broker::peer will register the Broker system as an I/O source that will block the process from shutting down. For example, set this to false when you are reading pcaps but also want to initiate a Broker peering and still shut down after the pcap has been read.

Redefinable Options
Broker::aggressive_interval
Type

count

Attributes

&redef

Default

4

Frequency of work-stealing polling attempts for Broker/CAF threads in “aggressive” mode. Only used for the “stealing” scheduler policy.

Broker::aggressive_polls
Type

count

Attributes

&redef

Default

5

Number of work-stealing polling attempts for Broker/CAF threads in “aggressive” mode. Only used for the “stealing” scheduler policy.

Broker::congestion_queue_size
Type

count

Attributes

&redef

Default

200

The number of buffered messages at the Broker/CAF layer after which a subscriber considers itself congested; this value tunes Broker's congestion control.

Broker::default_connect_retry
Type

interval

Attributes

&redef

Default

30.0 secs

Default interval to retry connecting to a peer if it cannot be made to work initially, or if it ever becomes disconnected. Use of the ZEEK_DEFAULT_CONNECT_RETRY environment variable (set as number of seconds) will override this option and also any values given to Broker::peer.

Broker::default_listen_address
Type

string

Attributes

&redef

Default

""

Redefinition

from policy/frameworks/management/agent/boot.zeek

=:

127.0.0.1

Default address on which to listen.

Broker::default_listen_address_websocket
Type

string

Attributes

&redef

Default

""

Default address on which to listen for WebSocket connections.

Broker::default_listen_retry
Type

interval

Attributes

&redef

Default

30.0 secs

Default interval to retry listening on a port if it’s currently in use already. Use of the ZEEK_DEFAULT_LISTEN_RETRY environment variable (set as a number of seconds) will override this option and also any values given to Broker::listen.

Broker::default_log_topic_prefix
Type

string

Attributes

&redef

Default

"zeek/logs/"

The default topic prefix where logs will be published. The log’s stream id is appended when writing to a particular stream.

Broker::default_port
Type

port

Attributes

&redef

Default

9999/tcp

Default port for native Broker communication. Where not specified otherwise, this is the port to connect to and listen on.

Broker::default_port_websocket
Type

port

Attributes

&redef

Default

9997/tcp

Default port for Broker WebSocket communication. Where not specified otherwise, this is the port to connect to and listen on for WebSocket connections.

See the Broker documentation for a specification of the message format over WebSocket connections.

Broker::disable_ssl
Type

bool

Attributes

&redef

Default

F

If true, do not use SSL for network connections. By default, SSL will even be used if no certificates / CAs have been configured. In that case (which is the default) the communication will be encrypted, but not authenticated.

Broker::forward_messages
Type

bool

Attributes

&redef

Default

F

Forward all received messages to subscribing peers.

Broker::log_batch_interval
Type

interval

Attributes

&redef

Default

1.0 sec

Max time to buffer log messages before sending the current set out as a batch.

Broker::log_batch_size
Type

count

Attributes

&redef

Default

400

The max number of log entries per log stream to batch together when sending log messages to a remote logger.

Broker::max_threads
Type

count

Attributes

&redef

Default

1

Max number of threads to use for Broker/CAF functionality. The ZEEK_BROKER_MAX_THREADS environment variable overrides this setting.

Broker::metrics_port
Type

port

Attributes

&redef

Default

0/unknown

Port for Broker’s metric exporter. Setting this to a valid TCP port causes Broker to make metrics available to Prometheus scrapers via HTTP. Zeek overrides any value provided in zeek_init or earlier at startup if the environment variable BROKER_METRICS_PORT is defined.

Broker::moderate_interval
Type

count

Attributes

&redef

Default

2

Frequency of work-stealing polling attempts for Broker/CAF threads in “moderate” mode. Only used for the “stealing” scheduler policy.

Broker::moderate_polls
Type

count

Attributes

&redef

Default

5

Number of work-stealing polling attempts for Broker/CAF threads in “moderate” mode. Only used for the “stealing” scheduler policy.

Broker::moderate_sleep
Type

interval

Attributes

&redef

Default

16.0 msecs

Interval of time for under-utilized Broker/CAF threads to sleep when in “moderate” mode. Only used for the “stealing” scheduler policy.

Broker::relaxed_interval
Type

count

Attributes

&redef

Default

1

Frequency of work-stealing polling attempts for Broker/CAF threads in “relaxed” mode. Only used for the “stealing” scheduler policy.

Broker::relaxed_sleep
Type

interval

Attributes

&redef

Default

64.0 msecs

Interval of time for under-utilized Broker/CAF threads to sleep when in “relaxed” mode. Only used for the “stealing” scheduler policy.

Broker::scheduler_policy
Type

string

Attributes

&redef

Default

"sharing"

The CAF scheduling policy to use. Available options are “sharing” and “stealing”. The “sharing” policy uses a single, global work queue protected by a mutex and condition variable, which may be better for cases that don’t require much concurrency or that need lower power consumption. The “stealing” policy uses multiple work queues protected by spinlocks, which may be better for use-cases with greater concurrency needs. For example, it may be worth testing the “stealing” policy together with dedicating more threads if a lot of data store processing is required.

Broker::ssl_cafile
Type

string

Attributes

&redef

Default

""

Path to a file containing concatenated trusted certificates in PEM format. If set, Zeek will require valid certificates for all peers.

Broker::ssl_capath
Type

string

Attributes

&redef

Default

""

Path to an OpenSSL-style directory of trusted certificates. If set, Zeek will require valid certificates for all peers.

Broker::ssl_certificate
Type

string

Attributes

&redef

Default

""

Path to a file containing a X.509 certificate for this node in PEM format. If set, Zeek will require valid certificates for all peers.

Broker::ssl_keyfile
Type

string

Attributes

&redef

Default

""

Path to the file containing the private key for this node’s certificate. If set, Zeek will require valid certificates for all peers.

Broker::ssl_passphrase
Type

string

Attributes

&redef

Default

""

Passphrase to decrypt the private key specified by Broker::ssl_keyfile. If set, Zeek will require valid certificates for all peers.
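Putting the SSL options above to use, as an added example that is not part of the Zeek distribution: a node that requires every Broker peer to present a certificate from a private CA, listens on a fixed address, and periodically checks its peerings. The certificate paths, the listen address and the check_peers event are placeholders and assumptions of this example.

```zeek
# Added example: authenticated Broker peering. Paths and address are
# placeholders for this example.
#
# With none of the ssl_* options set, Broker peerings are encrypted but the
# remote side is not authenticated. Pointing ssl_cafile, ssl_certificate and
# ssl_keyfile at a private CA makes Zeek require a valid certificate from
# every peer and present its own. The key file should be readable only by
# the user Zeek runs as; if it is encrypted, set Broker::ssl_passphrase.
redef Broker::ssl_cafile = "/etc/zeek/broker/ca.pem";
redef Broker::ssl_certificate = "/etc/zeek/broker/node.pem";
redef Broker::ssl_keyfile = "/etc/zeek/broker/node.key";

# Bind a specific address rather than INADDR_ANY (the empty-string default),
# so the Broker port is not exposed on every interface.
redef Broker::default_listen_address = "10.0.0.5";

# Hypothetical event used here to poll peering state.
global check_peers: event();

event check_peers()
    {
    # Broker::peers() returns one Broker::PeerInfo per peering, each with
    # its Broker::PeerStatus; anything other than PEERED is worth a look.
    local ps = Broker::peers();
    for ( i in ps )
        {
        local pi = ps[i];
        if ( pi$status != Broker::PEERED )
            Reporter::warning(fmt("Broker peer %s is in state %s",
                                  pi$peer$id, pi$status));
        }
    schedule 60 secs { check_peers() };
    }

event zeek_init()
    {
    # Uses Broker::default_listen_address, Broker::default_port and
    # Broker::default_listen_retry; returns 0/? if the port could not be bound.
    local bound = Broker::listen();
    if ( port_to_count(bound) == 0 )
        Reporter::error("Broker::listen() failed to bind a port");

    # Accept log records forwarded by peers under the default log topic prefix.
    Broker::subscribe(Broker::default_log_topic_prefix);

    schedule 60 secs { check_peers() };
    }
```

A peer that connects with Broker::peer must use the same ssl_* redefs with its own certificate, and a failed certificate check surfaces as a peering that never reaches Broker::PEERED.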

Types
Broker::Data
Type

record

data: opaque of Broker::Data &optional

Opaque communication data.

Broker::DataVector
Type

vector of Broker::Data

Opaque communication data sequence.

Broker::EndpointInfo
Type

record

id: string

A unique identifier of the node.

network: Broker::NetworkInfo &optional

Network-level information.

Broker::ErrorCode
Type

enum

Broker::NO_ERROR

(present if base/bif/comm.bif.zeek is loaded)

Broker::UNSPECIFIED

The unspecified default error code.

Broker::PEER_INCOMPATIBLE

Version incompatibility.

Broker::PEER_INVALID

Referenced peer does not exist.

Broker::PEER_UNAVAILABLE

Remote peer not listening.

Broker::PEER_DISCONNECT_DURING_HANDSHAKE

(present if base/bif/comm.bif.zeek is loaded)

Broker::PEER_TIMEOUT

A peering request timed out.

Broker::MASTER_EXISTS

Master with given name already exists.

Broker::NO_SUCH_MASTER

Master with given name does not exist.

Broker::NO_SUCH_KEY

The given data store key does not exist.

Broker::REQUEST_TIMEOUT

The store operation timed out.

Broker::TYPE_CLASH

The operation expected a different type than provided.

Broker::INVALID_DATA

The data value cannot be used to carry out the desired operation.

Broker::BACKEND_FAILURE

The storage backend failed to execute the operation.

Broker::STALE_DATA

The storage backend failed to execute the operation.

Broker::CANNOT_OPEN_FILE

(present if base/bif/comm.bif.zeek is loaded)

Broker::CANNOT_WRITE_FILE

(present if base/bif/comm.bif.zeek is loaded)

Broker::INVALID_TOPIC_KEY

(present if base/bif/comm.bif.zeek is loaded)

Broker::END_OF_FILE

(present if base/bif/comm.bif.zeek is loaded)

Broker::INVALID_TAG

(present if base/bif/comm.bif.zeek is loaded)

Broker::INVALID_STATUS

(present if base/bif/comm.bif.zeek is loaded)

Broker::CAF_ERROR

Catch-all for a CAF-level problem.

Enumerates the possible error types.

Broker::Event
Type

record

name: string &optional

The name of the event. Not set if invalid event or arguments.

args: Broker::DataVector

The arguments to the event.

Opaque event communication data.

Broker::NetworkInfo
Type

record

address: string &log

The IP address or hostname where the endpoint listens.

bound_port: port &log

The port where the endpoint is bound to.

Broker::PeerInfo
Type

record

peer: Broker::EndpointInfo

status: Broker::PeerStatus

Broker::PeerInfos
Type

vector of Broker::PeerInfo

Broker::PeerStatus
Type

enum

Broker::INITIALIZING

The peering process is initiated.

Broker::CONNECTING

Connection establishment in process.

Broker::CONNECTED

Connection established, peering pending.

Broker::PEERED

Successfully peered.

Broker::DISCONNECTED

Connection to remote peer lost.

Broker::RECONNECTING

Reconnecting to peer after a lost connection.

The possible states of a peer endpoint.

Broker::TableItem
Type

record

key: Broker::Data

val: Broker::Data

Opaque communication data used as a convenient way to wrap key-value pairs that comprise table entries.

Functions
Broker::auto_publish
Type

function (topic: string, ev: any) : bool

Automatically send an event to any interested peers whenever it is locally dispatched. (For example, using “event my_event(…);” in a script.)

Topic

a topic string associated with the event message. Peers advertise interest by registering a subscription to some prefix of this topic name.

Ev

a Zeek event value.

Returns

true if automatic event sending is now enabled.

Broker::auto_unpublish
Type

function (topic: string, ev: any) : bool

Stop automatically sending an event to peers upon local dispatch.

Topic

a topic originally given to Broker::auto_publish.

Ev

an event originally given to Broker::auto_publish.

Returns

true if automatic events will not occur for the topic/event pair.

Broker::default_log_topic
Type

function (id: Log::ID, path: string) : string

The default implementation for Broker::log_topic.

Broker::flush_logs
Type

function () : count

Sends all pending log messages to remote peers. This normally doesn’t need to be used except for test cases that are time-sensitive.

Broker::forward
Type

function (topic_prefix: string) : bool

Register a topic prefix subscription for events that should only be forwarded to any subscribing peers and never raise event handlers on the receiving/forwarding node. In other words, it behaves like Broker::subscribe except that matching events are not raised on the receiver, only forwarded. Use Broker::unsubscribe with the same argument to undo this operation.

Topic_prefix

a prefix to match against remote message topics. e.g. an empty prefix matches everything and “a” matches “alice” and “amy” but not “bob”.

Returns

true if a new event forwarding/subscription is now registered.

Broker::listen
Type

function (a: string &default = Broker::default_listen_address &optional, p: port &default = Broker::default_port &optional, retry: interval &default = Broker::default_listen_retry &optional) : port

Listen for remote connections using the native Broker protocol.

A

an address string on which to accept connections, e.g. “127.0.0.1”. An empty string refers to INADDR_ANY.

P

the TCP port to listen on. The value 0 means that the OS should choose the next available free port.

Retry

If non-zero, retries listening in regular intervals if the port cannot be acquired immediately. 0 disables retries. If the ZEEK_DEFAULT_LISTEN_RETRY environment variable is set (as number of seconds), it overrides any value given here.

Returns

the bound port or 0/? on failure.


Broker::listen_websocket
Type

function (a: string &default = Broker::default_listen_address_websocket &optional, p: port &default = Broker::default_port_websocket &optional, retry: interval &default = Broker::default_listen_retry &optional) : port

Listen for remote connections using WebSocket.

A

an address string on which to accept connections, e.g. “127.0.0.1”. An empty string refers to INADDR_ANY.

P

the TCP port to listen on. The value 0 means that the OS should choose the next available free port.

Retry

If non-zero, retries listening in regular intervals if the port cannot be acquired immediately. 0 disables retries. If the ZEEK_DEFAULT_LISTEN_RETRY environment variable is set (as number of seconds), it overrides any value given here.

Returns

the bound port or 0/? on failure.


Broker::log_topic
Type

function (id: Log::ID, path: string) : string

Attributes

&redef

A function that will be called for each log entry to determine what broker topic string will be used for sending it to peers. The default implementation will return a value based on Broker::default_log_topic_prefix.

Id

the ID associated with the log stream entry that will be sent.

Path

the path to which the log stream entry will be output.

Returns

a string representing the broker topic to which the log will be sent.
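An added example of redefining this hook (not code from the Zeek reference): it sends the Intel framework's log stream to its own topic prefix, so that only peers subscribed to that prefix receive those records, and leaves every other stream on the stock topic. The prefix "zeek/logs/intel/" is an arbitrary choice; Intel::LOG is the real stream ID from base/frameworks/intel, which Zeek loads by default.

```zeek
# Added example: route one log stream to a dedicated Broker topic prefix.
# "zeek/logs/intel/" is an arbitrary prefix chosen for this example.
redef Broker::log_topic = function(id: Log::ID, path: string): string
	{
	# Intel hits are the sensitive stream here: give them their own prefix
	# so a peer has to subscribe to it explicitly to receive them.
	if ( id == Intel::LOG )
		return fmt("zeek/logs/intel/%s", path);

	# Everything else keeps the stock behaviour, i.e.
	# Broker::default_log_topic_prefix followed by the log path.
	return Broker::default_log_topic(id, path);
	};
```

A peer that should receive the Intel records subscribes with Broker::subscribe("zeek/logs/intel/"); a peer that only subscribes to the default prefix no longer sees them. Because subscriptions are prefix matches, keep the dedicated prefix outside the default prefix, otherwise a subscription to the default prefix still matches it.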

Broker::node_id
Type

function () : string

Get a unique identifier for the local broker endpoint.

Returns

a unique identifier for the local broker endpoint.

Broker::peer
Type

function (a: string, p: port &default = Broker::default_port &optional, retry: interval &default = Broker::default_connect_retry &optional) : bool

Initiate a remote connection.

A

an address to connect to, e.g. “localhost” or “127.0.0.1”.

P

the TCP port on which the remote side is listening.

Retry

an interval at which to retry establishing the connection with the remote peer if it cannot be made initially, or if it ever becomes disconnected. If the ZEEK_DEFAULT_CONNECT_RETRY environment variable is set (as number of seconds), it overrides any value given here.

Returns

true if it’s possible to try connecting with the peer and it’s a new peer. The actual connection may not be established until a later point in time.


Broker::peers
Type

function () : vector of Broker::PeerInfo

Get a list of all peer connections.

Returns

a list of all peer connections.

Broker::publish_id
Type

function (topic: string, id: string) : bool

Publishes the value of an identifier to a given topic. The subscribers will update their local value for that identifier on receipt.

Topic

a topic associated with the message.

Id

the identifier to publish.

Returns

true if the message is sent.

Broker::subscribe
Type

function (topic_prefix: string) : bool

Register interest in all peer event messages that use a certain topic prefix. Note that a subscription may not take effect immediately after the call (except during zeek_init).

Topic_prefix

a prefix to match against remote message topics. e.g. an empty prefix matches everything and “a” matches “alice” and “amy” but not “bob”.

Returns

true if it’s a new event subscription and it is now registered.

Broker::unpeer
Type

function (a: string, p: port) : bool

Remove a remote connection.

Note that this does not terminate the connection to the peer; it only means that we won’t exchange any further information with it unless peering resumes later.

A

the address used in previous successful call to Broker::peer.

P

the port used in previous successful call to Broker::peer.

Returns

true if the arguments match a previously successful call to Broker::peer.

TODO

We do not have a function yet to terminate a connection.

Broker::unsubscribe
Type

function (topic_prefix: string) : bool

Unregister interest in all peer event messages that use a topic prefix. Note that the change may not take effect immediately after the call (except during zeek_init).

Topic_prefix

a prefix previously supplied to a successful call to Broker::subscribe or Broker::forward.

Returns

true if interest in the topic prefix is no longer advertised.

base/bif/comm.bif.zeek

Broker
GLOBAL

Functions and events regarding broker communication mechanisms.

Namespaces

Broker, GLOBAL

Summary
Types

Broker::BrokerProtocol: enum

Events

Broker::endpoint_discovered: event

Generated when a new Broker endpoint appeared.

Broker::endpoint_unreachable: event

Generated when the last path to a Broker endpoint has been lost.

Broker::error: event

Generated when an error occurs in the Broker sub-system.

Broker::peer_added: event

Generated when a new peering has been established.

Broker::peer_lost: event

Generated when an existing peering has been lost.

Broker::peer_removed: event

Generated when an existing peer has been removed.

Broker::status: event

Generated when something changes in the Broker sub-system.

Functions

Broker::__listen: function

Broker::__node_id: function

Broker::__peer: function

Broker::__peer_no_retry: function

Broker::__peers: function

Broker::__set_metrics_export_endpoint_name: function

Broker::__set_metrics_export_interval: function

Broker::__set_metrics_export_prefixes: function

Broker::__set_metrics_export_topic: function

Broker::__unpeer: function

Detailed Interface
Types
Broker::BrokerProtocol
Type

enum

Broker::NATIVE
Broker::WEBSOCKET
Events
Broker::endpoint_discovered
Type

event (endpoint: Broker::EndpointInfo, msg: string)

Generated when a new Broker endpoint appeared.

Broker::endpoint_unreachable
Type

event (endpoint: Broker::EndpointInfo, msg: string)

Generated when the last path to a Broker endpoint has been lost.

Broker::error
Type

event (code: Broker::ErrorCode, msg: string)

Generated when an error occurs in the Broker sub-system.

Broker::peer_added
Type

event (endpoint: Broker::EndpointInfo, msg: string)

Generated when a new peering has been established.

Broker::peer_lost
Type

event (endpoint: Broker::EndpointInfo, msg: string)

Generated when an existing peering has been lost.

Broker::peer_removed
Type

event (endpoint: Broker::EndpointInfo, msg: string)

Generated when an existing peer has been removed.

Broker::status
Type

event (endpoint: Broker::EndpointInfo, msg: string)

Generated when something changes in the Broker sub-system.

Functions
Broker::__listen
Type

function (a: string, p: port, proto: Broker::BrokerProtocol) : port

Broker::__node_id
Type

function () : string

Broker::__peer
Type

function (a: string, p: port, retry: interval) : bool

Broker::__peer_no_retry
Type

function (a: string, p: port) : bool

Broker::__peers
Type

function () : Broker::PeerInfos

Broker::__set_metrics_export_endpoint_name
Type

function (value: string) : bool

Broker::__set_metrics_export_interval
Type

function (value: interval) : bool

Broker::__set_metrics_export_prefixes
Type

function (filter: string_vec) : bool

Broker::__set_metrics_export_topic
Type

function (value: string) : bool

Broker::__unpeer
Type

function (a: string, p: port) : bool

base/bif/messaging.bif.zeek

Broker
Cluster
GLOBAL

Functions for peering and various messaging patterns.

Namespaces

Broker, Cluster, GLOBAL

Summary
Functions

Broker::__auto_publish: function

Broker::__auto_unpublish: function

Broker::__flush_logs: function

Broker::__forward: function

Broker::__publish_id: function

Broker::__subscribe: function

Broker::__unsubscribe: function

Broker::make_event: function

Create a data structure that may be used to send a remote event via Broker::publish.

Broker::publish: function

Publishes an event at a given topic.

Cluster::publish_hrw: function

Publishes an event to a node within a pool according to a Rendezvous (Highest Random Weight) hashing strategy.

Cluster::publish_rr: function

Publishes an event to a node within a pool according to a round-robin distribution strategy.

Detailed Interface
Functions
Broker::__auto_publish
Type

function (topic: string, ev: any) : bool

Broker::__auto_unpublish
Type

function (topic: string, ev: any) : bool

Broker::__flush_logs
Type

function () : count

Broker::__forward
Type

function (topic_prefix: string) : bool

Broker::__publish_id
Type

function (topic: string, id: string) : bool

Broker::__subscribe
Type

function (topic_prefix: string) : bool

Broker::__unsubscribe
Type

function (topic_prefix: string) : bool

Broker::make_event
Type

function (…) : Broker::Event

Create a data structure that may be used to send a remote event via Broker::publish.

Args

an event, followed by a list of argument values that may be used to call it.

Returns

opaque communication data that may be used to send a remote event.

Broker::publish
Type

function (…) : bool

Publishes an event at a given topic.

Topic

a topic associated with the event message.

Args

Either the event arguments as already made by Broker::make_event or the argument list to pass along to it.

Returns

true if the message is sent.

Cluster::publish_hrw
Type

function (…) : bool

Publishes an event to a node within a pool according to a Rendezvous (Highest Random Weight) hashing strategy.

Pool

the pool of nodes that are eligible to receive the event.

Key

data used for input to the hashing function that will uniformly distribute keys among available nodes.

Args

Either the event arguments as already made by Broker::make_event or the argument list to pass along to it.

Returns

true if the message is sent.

Cluster::publish_rr
Type

function (…) : bool

Publishes an event to a node within a pool according to a round-robin distribution strategy.

Pool

the pool of nodes that are eligible to receive the event.

Key

an arbitrary string to identify the purpose for which you’re distributing the event. e.g. consider using namespacing of your script like “Intel::cluster_rr_key”.

Args

Either the event arguments as already made by Broker::make_event or the argument list to pass along to it.

Returns

true if the message is sent.
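The following is an added example, not a script from the Zeek reference or distribution: two Zeek processes peer over Broker's native protocol and exchange a custom event, tying together Broker::listen, Broker::peer, Broker::subscribe, Broker::auto_publish, Broker::publish and Broker::make_event from the sections above, plus the Broker::peer_added, Broker::peer_lost and Broker::error events. The Demo::* names, the topic and the port are arbitrary choices for this example; everything else is the API as documented on this page.

```zeek
# Added example: one script, run twice on the same host.
#   zeek demo_peering.zeek                       # listener
#   zeek demo_peering.zeek Demo::is_listener=F   # connector
module Demo;

export {
	## T: accept a peering; F: initiate one.
	const is_listener = T &redef;
	## Topic prefix both sides subscribe to. Matching is by prefix, so
	## "demo/events/" also matches "demo/events/alerts".
	const topic = "demo/events/" &redef;
	## Bind to loopback for the demo: anything that can reach the listening
	## socket can peer with it, so never listen wider than you intend.
	const host = "127.0.0.1" &redef;
	const broker_port = 9999/tcp &redef;

	## The event exchanged between the two nodes (arbitrary name).
	global hello: event(from_node: string, seq: count);
}

# Keep running until terminate() is called; there is no packet source here.
redef exit_only_after_terminate = T;

event zeek_init()
	{
	# Subscribe before peering so nothing sent right after the peering is
	# established gets missed.
	Broker::subscribe(topic);

	if ( is_listener )
		{
		# Every local "event Demo::hello(...)" is also sent to subscribed
		# peers, and still handled locally.
		Broker::auto_publish(topic, Demo::hello);

		# listen() binds synchronously and returns 0/? on failure.
		local p = Broker::listen(host, broker_port);
		if ( port_to_count(p) == 0 )
			Reporter::error(fmt("could not listen on %s:%s", host, broker_port));
		else
			print fmt("listening on %s:%s", host, p);
		}
	else
		{
		# T only means the attempt was queued; the peering itself is
		# reported asynchronously through Broker::peer_added.
		if ( ! Broker::peer(host, broker_port) )
			Reporter::error("Broker::peer() rejected the peer (already known?)");
		}
	}

event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
	{
	print fmt("peered with %s: %s", endpoint$id, msg);

	if ( is_listener )
		# Raised locally and, through auto_publish, delivered to the peer.
		event Demo::hello(Broker::node_id(), 1);
	else
		{
		# Explicit publish: sent to subscribed peers, not raised locally.
		Broker::publish(topic, Demo::hello, Broker::node_id(), 1);

		# The same via a pre-built Broker::Event, handy when one event
		# goes out to several topics.
		local e = Broker::make_event(Demo::hello, Broker::node_id(), 2);
		Broker::publish(topic, e);
		}
	}

event Demo::hello(from_node: string, seq: count)
	{
	print fmt("hello #%d from %s", seq, from_node);
	}

event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
	{
	print fmt("lost peer %s: %s", endpoint$id, msg);
	terminate();
	}

event Broker::error(code: Broker::ErrorCode, msg: string)
	{
	print fmt("Broker error %s: %s", code, msg);
	}
```

Run the listener first. Once the connector peers, the listener prints its own hello (the local handler still runs under auto_publish) followed by hello #1 and #2 from the connector, and the connector prints the listener's hello. Stopping either side raises Broker::peer_lost on the other, which terminates it here; in a long-running deployment you would instead let Broker::peer's retry interval re-establish the peering.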

base/frameworks/broker/store.zeek

Broker

The Broker-based data store API and its various options.

Namespace

Broker

Imports

base/bif/data.bif.zeek, base/bif/store.bif.zeek, base/frameworks/broker/main.zeek

Summary
Redefinable Options

Broker::default_clone_mutation_buffer_interval: interval &redef

The maximum amount of time that a disconnected clone will buffer data store mutation commands.

Broker::default_clone_resync_interval: interval &redef

The default frequency at which clones will attempt to reconnect/resynchronize with their master in the event that they become disconnected.

Broker::default_clone_stale_interval: interval &redef

The duration after which a clone that is disconnected from its master will begin to treat its local cache as stale.

Broker::table_store_db_directory: string &redef

The directory used for storing persistent database files when using Broker store backed Zeek tables.

Broker::table_store_master: bool &redef

If set to true, the current node is the master node for Broker stores backing Zeek tables.

Types

Broker::BackendOptions: record

Options to tune the particular storage backends.

Broker::BackendType: enum

Enumerates the possible storage backends.

Broker::QueryResult: record

The result of a data store query.

Broker::QueryStatus: enum

Whether a data store query could be completed or not.

Broker::SQLiteOptions: record

Options to tune the SQLite storage backend.

Functions

Broker::append: function

Extends an existing string with another.

Broker::clear: function

Deletes all of a store’s content, it will be empty afterwards.

Broker::close: function

Close a data store.

Broker::create_clone: function

Create a clone of a master data store which may live with a remote peer.

Broker::create_master: function

Create a master data store which contains key-value pairs.

Broker::data: function

Convert any Zeek value to communication data.

Broker::data_type: function

Retrieve the type of data associated with communication data.

Broker::decrement: function

Decrements an existing value by a given amount.

Broker::erase: function

Remove a key-value pair from the store.

Broker::exists: function

Check if a key exists in a data store.

Broker::get: function

Lookup the value associated with a key in a data store.

Broker::get_index_from_value: function

Retrieve a specific index from an existing container value.

Broker::increment: function

Increments an existing value by a given amount.

Broker::insert_into_set: function

Inserts an element into an existing set.

Broker::insert_into_table: function

Inserts an element into an existing table.

Broker::is_closed: function

Check if a store is closed or not.

Broker::keys: function

Returns a set with all of a store’s keys.

Broker::pop: function

Removes the last element of an existing vector.

Broker::push: function

Appends an element to an existing vector.

Broker::put: function

Insert a key-value pair in to the store.

Broker::put_unique: function

Insert a key-value pair in to the store, but only if the key does not already exist.

Broker::record_assign: function

Replace a field in a record at a particular position.

Broker::record_create: function

Create communication data of type “record”.

Broker::record_iterator: function

Create an iterator for a record.

Broker::record_iterator_last: function

Check if there are no more elements to iterate over.

Broker::record_iterator_next: function

Advance an iterator.

Broker::record_iterator_value: function

Retrieve the data at an iterator’s current position.

Broker::record_lookup: function

Lookup a field in a record at a particular position.

Broker::record_size: function

Get the number of fields within a record.

Broker::remove_from: function

Removes an element from an existing set or table.

Broker::set_clear: function

Remove all elements within a set.

Broker::set_contains: function

Check if a set contains a particular element.

Broker::set_create: function

Create communication data of type “set”.

Broker::set_insert: function

Insert an element into a set.

Broker::set_iterator: function

Create an iterator for a set.

Broker::set_iterator_last: function

Check if there are no more elements to iterate over.

Broker::set_iterator_next: function

Advance an iterator.

Broker::set_iterator_value: function

Retrieve the data at an iterator’s current position.

Broker::set_remove: function

Remove an element from a set.

Broker::set_size: function

Get the number of elements within a set.

Broker::store_name: function

Get the name of a store.

Broker::table_clear: function

Remove all elements within a table.

Broker::table_contains: function

Check if a table contains a particular key.

Broker::table_create: function

Create communication data of type “table”.

Broker::table_insert: function

Insert a key-value pair into a table.

Broker::table_iterator: function

Create an iterator for a table.

Broker::table_iterator_last: function

Check if there are no more elements to iterate over.

Broker::table_iterator_next: function

Advance an iterator.

Broker::table_iterator_value: function

Retrieve the data at an iterator’s current position.

Broker::table_lookup: function

Retrieve a value from a table.

Broker::table_remove: function

Remove a key-value pair from a table.

Broker::table_size: function

Get the number of elements within a table.

Broker::vector_clear: function

Remove all elements within a vector.

Broker::vector_create: function

Create communication data of type “vector”.

Broker::vector_insert: function

Insert an element into a vector at a particular position, possibly displacing existing elements (insertion always grows the size of the vector by one).

Broker::vector_iterator: function

Create an iterator for a vector.

Broker::vector_iterator_last: function

Check if there are no more elements to iterate over.

Broker::vector_iterator_next: function

Advance an iterator.

Broker::vector_iterator_value: function

Retrieve the data at an iterator’s current position.

Broker::vector_lookup: function

Lookup an element in a vector at a particular position.

Broker::vector_remove: function

Remove an element from a vector at a particular position.

Broker::vector_replace: function

Replace an element in a vector at a particular position.

Broker::vector_size: function

Get the number of elements within a vector.

Detailed Interface
Redefinable Options
Broker::default_clone_mutation_buffer_interval
Type

interval

Attributes

&redef

Default

2.0 mins

The maximum amount of time that a disconnected clone will buffer data store mutation commands. If the clone reconnects before this time, it will replay all stored commands. Note that this doesn’t completely prevent the loss of store updates: all mutation messages are fire-and-forget and not explicitly acknowledged by the master. A zero or negative value disables buffering.

Broker::default_clone_resync_interval
Type

interval

Attributes

&redef

Default

10.0 secs

The default frequency at which clones will attempt to reconnect/resynchronize with their master in the event that they become disconnected.

Broker::default_clone_stale_interval
Type

interval

Attributes

&redef

Default

5.0 mins

The duration after which a clone that is disconnected from its master will begin to treat its local cache as stale. In the stale state, queries to the cache will time out. A negative value indicates that the local cache is never treated as stale.

Broker::table_store_db_directory
Type

string

Attributes

&redef

Default

"."

The directory used for storing persistent database files when using Broker store backed Zeek tables.

Broker::table_store_master
Type

bool

Attributes

&redef

Default

T

If set to true, the current node is the master node for Broker stores backing Zeek tables. By default this value will be automatically set to true in standalone mode, and on the manager node of a cluster. This value should not typically be changed manually.

Types
Broker::BackendOptions
Type

record

sqlite: Broker::SQLiteOptions &default = [path=] &optional

Options to tune the particular storage backends.

Broker::BackendType
Type

enum

Broker::MEMORY
Broker::SQLITE

Enumerates the possible storage backends.

Broker::QueryResult
Type

record

status: Broker::QueryStatus

Whether the query completed or not.

result: Broker::Data

The result of the query. Certain queries may use a particular data type (e.g. querying store size always returns a count, but a lookup may return various data types).

The result of a data store query.

Broker::QueryStatus
Type

enum

Broker::SUCCESS
Broker::FAILURE

Whether a data store query could be completed or not.

Broker::SQLiteOptions
Type

record

path: string &default = "" &optional

File system path of the database. If left empty, will be derived from the name of the store, and use the ‘.sqlite’ file suffix.

Options to tune the SQLite storage backend.

Functions
Broker::append
Type

function (h: opaque of Broker::Store, k: any, s: string, e: interval &default = 0 secs &optional) : bool

Extends an existing string with another.

H

the handle of the store to modify.

K

the key whose associated value is to be modified. The key must already exist.

S

the string to append.

E

the new expiration interval of the modified key. If zero (the default), the current expiration time isn’t changed.

Returns

false if the store handle was not valid.

Broker::clear
Type

function (h: opaque of Broker::Store) : bool

Deletes all of a store’s content, it will be empty afterwards.

Returns

false if the store handle was not valid.

Broker::close
Type

function (h: opaque of Broker::Store) : bool

Close a data store.

H

a data store handle.

Returns

true if store was valid and is now closed. The handle can no longer be used for data store operations.

Broker::create_clone
Type

function (name: string, resync_interval: interval &default = Broker::default_clone_resync_interval &optional, stale_interval: interval &default = Broker::default_clone_stale_interval &optional, mutation_buffer_interval: interval &default = Broker::default_clone_mutation_buffer_interval &optional) : opaque of Broker::Store

Create a clone of a master data store which may live with a remote peer. A clone automatically synchronizes to the master by receiving modifications and applying them locally. Direct modifications are not possible; they must be sent through the master store, which then automatically broadcasts the changes out to clones. Queries, however, may be made directly against the local cloned copy, which may resolve more quickly than reaching out to a remote master store.

Name

the unique name which identifies the master data store.

Resync_interval

the frequency at which a clone that is disconnected from its master attempts to reconnect with it.

Stale_interval

the duration after which a clone that is disconnected from its master will begin to treat its local cache as stale. In this state, queries to the clone will time out. A negative value indicates that the local cache is never treated as stale.

Mutation_buffer_interval

the amount of time to buffer data store update messages once a clone detects its master is unavailable. If the clone reconnects before this time, it will replay all buffered commands. Note that this doesn’t completely prevent the loss of store updates: all mutation messages are fire-and-forget and not explicitly acknowledged by the master. A zero or negative value disables buffering.

Returns

a handle to the data store for which a subsequent call to Broker::is_closed will return true if the store could not be created/opened.

Broker::create_master
Type

function (name: string, b: Broker::BackendType &default = Broker::MEMORY &optional, options: Broker::BackendOptions &default = [sqlite=[path=]] &optional) : opaque of Broker::Store

Create a master data store which contains key-value pairs.

Name

a unique name for the data store.

B

the storage backend to use.

Options

tunes how some storage backends operate.

Returns

a handle to the data store for which a subsequent call to Broker::is_closed will return true if the store could not be created/opened.

Broker::data
Type

function (d: any) : Broker::Data

Convert any Zeek value to communication data.

Note

Normally you won’t need to use this function as data conversion happens implicitly when passing Zeek values into Broker functions.

D

any Zeek value to attempt to convert (not all types are supported).

Returns

the converted communication data. If the supplied Zeek data type does not support conversion to communication data, the returned record’s optional field will not be set.

Broker::data_type
Type

function (d: Broker::Data) : Broker::DataType

Retrieve the type of data associated with communication data.

D

the communication data.

Returns

The data type associated with the communication data. Note that Broker represents records in the same way as vectors, so there is no “record” type.

Broker::decrement
Type

function (h: opaque of Broker::Store, k: any, a: any &default = 1 &optional, e: interval &default = 0 secs &optional) : bool

Decrements an existing value by a given amount. This is supported for all numerical types, as well as for timestamps.

H

the handle of the store to modify.

K

the key whose associated value is to be modified. The key must already exist.

A

the amount to decrement the value by.

E

the new expiration interval of the modified key. If zero (the default), the current expiration time isn’t changed.

Returns

false if the store handle was not valid.

Broker::erase
Type

function (h: opaque of Broker::Store, k: any) : bool

Remove a key-value pair from the store.

H

the handle of the store to modify.

K

the key to remove.

Returns

false if the store handle was not valid.

Broker::exists
Type

function (h: opaque of Broker::Store, k: any) : Broker::QueryResult

Check if a key exists in a data store.

H

the handle of the store to query.

K

the key to lookup.

Returns

True if the key exists in the data store.

Broker::get
Type

function (h: opaque of Broker::Store, k: any) : Broker::QueryResult

Lookup the value associated with a key in a data store.

H

the handle of the store to query.

K

the key to lookup.

Returns

the result of the query.

Broker::get_index_from_value
Type

function (h: opaque of Broker::Store, k: any, i: any) : Broker::QueryResult

Retrieve a specific index from an existing container value. This is supported for values of types set, table, and vector.

H

the handle of the store to query.

K

the key of the container value to lookup.

I

the index to retrieve from the container value.

Returns

For tables and vectors, the value at the given index, or failure if the index doesn’t exist. For sets, a boolean indicating whether the index exists. Returns failure if the key does not exist at all.

Broker::increment
Type

function (h: opaque of Broker::Store, k: any, a: any &default = 1 &optional, e: interval &default = 0 secs &optional) : bool

Increments an existing value by a given amount. This is supported for all numerical types, as well as for timestamps.

H

the handle of the store to modify.

K

the key whose associated value is to be modified. The key must already exist.

A

the amount to increment the value by.

E

the new expiration interval of the modified key. If zero (the default), the current expiration time isn’t changed.

Returns

false if the store handle was not valid.

Broker::insert_into_set
Type

function (h: opaque of Broker::Store, k: any, i: any, e: interval &default = 0 secs &optional) : bool

Inserts an element into an existing set.

H

the handle of the store to modify.

K

the key whose associated value is to be modified. The key must already exist.

I

the index to insert into the set.

E

the new expiration interval of the modified key. If zero (the default), the current expiration time isn’t changed.

Returns

false if the store handle was not valid.

Broker::insert_into_table
Type

function (h: opaque of Broker::Store, k: any, i: any, v: any, e: interval &default = 0 secs &optional) : bool

Inserts an element into an existing table.

H

the handle of the store to modify.

K

the key whose associated value is to be modified. The key must already exist.

I

the index to insert into the table

V

the value to associate with the index.

E

the new expiration interval of the modified key. If zero (the default), the current expiration time isn’t changed.

Returns

false if the store handle was not valid.

Broker::is_closed
Type

function (h: opaque of Broker::Store) : bool

Check if a store is closed or not.

Returns

true if the store is closed.

Broker::keys
Type

function (h: opaque of Broker::Store) : Broker::QueryResult

Returns a set with all of a store’s keys. The result reflects a snapshot in time that may diverge from reality soon afterwards: when accessing any of the elements, it may no longer actually be there. The function is also expensive for large stores, as it copies the complete set.

Returns

a set with the keys. If you expect the keys to be of non-uniform type, consider using Broker::set_iterator to iterate over the result.

Broker::pop
Type

function (h: opaque of Broker::Store, k: any, e: interval &default = 0 secs &optional) : bool

Removes the last element of an existing vector.

H

the handle of the store to modify.

K

the key whose associated value is to be modified. The key must already exist.

E

the new expiration interval of the modified key. If zero (the default), the current expiration time isn’t changed.

Returns

false if the store handle was not valid.

Broker::push
Type

function (h: opaque of Broker::Store, k: any, v: any, e: interval &default = 0 secs &optional) : bool

Appends an element to an existing vector.

H

the handle of the store to modify.

K

the key whose associated value is to be modified. The key must already exist.

V

the value to append to the vector.

E

the new expiration interval of the modified key. If zero (the default), the current expiration time isn’t changed.

Returns

false if the store handle was not valid.

Broker::put
Type

function (h: opaque of Broker::Store, k: any, v: any, e: interval &default = 0 secs &optional) : bool

Insert a key-value pair in to the store.

H

the handle of the store to modify.

K

the key to insert.

V

the value to insert.

E

the expiration interval of the key-value pair.

Returns

false if the store handle was not valid.

Broker::put_unique
Type

function (h: opaque of Broker::Store, k: any, v: any, e: interval &default = 0 secs &optional) : Broker::QueryResult

Insert a key-value pair in to the store, but only if the key does not already exist.

H

the handle of the store to modify.

K

the key to insert.

V

the value to insert.

E

the expiration interval of the key-value pair.

Returns

the result of the query which is a boolean data value that is true if the insertion happened, or false if it was rejected due to the key already existing.
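The following is an added example (not a script from the Zeek reference): a master store that counts failed logins per source address, showing Broker::create_master, Broker::put_unique, Broker::increment, Broker::get and Broker::keys together with the asynchronous Broker::QueryResult handling they require inside when statements. The store name, option names and sample addresses are arbitrary; the when [captures] syntax assumes Zeek 5.1 or later. On another cluster node the same logic would open the store with Broker::create_clone(store_name) instead and would then only be able to query it.

```zeek
# Added example: per-source failure counters in a Broker master store.
module Demo;

export {
	## Arbitrary store name; clones elsewhere open the same name.
	const store_name = "demo/failed_logins" &redef;
	## Per-key lifetime. Every update refreshes it, so it is a sliding window.
	const ttl = 1hr &redef;
	## Failures from one source before we report it.
	const threshold: count = 3 &redef;

	global dump_sources: event();
}

# Keep running until terminate() is called, so the asynchronous queries
# below complete even though there is no packet source.
redef exit_only_after_terminate = T;

global failed_logins: opaque of Broker::Store;

event zeek_init()
	{
	# In-memory backend (the default). For persistence across restarts use
	# Broker::SQLITE, e.g.
	#   Broker::create_master(store_name, Broker::SQLITE,
	#       [$sqlite=[$path="/var/lib/zeek/failed_logins.sqlite"]]);
	failed_logins = Broker::create_master(store_name);
	if ( Broker::is_closed(failed_logins) )
		Reporter::fatal(fmt("could not create store %s", store_name));
	}

## Record one failed login from src and report when the count reaches threshold.
function record_failure(src: addr)
	{
	# increment needs an existing key, so create it first. put_unique only
	# inserts when the key is absent; its result is a bool Broker::Data that
	# says whether this call created the key.
	when [src] ( local ins = Broker::put_unique(failed_logins, src, 0, ttl) )
		{
		if ( ins$status == Broker::SUCCESS )
			{
			if ( ins$result as bool )
				print fmt("first failure from %s", src);

			# Passing ttl again refreshes the expiry on every update.
			Broker::increment(failed_logins, src, 1, ttl);

			when [src] ( local cur = Broker::get(failed_logins, src) )
				{
				if ( cur$status == Broker::SUCCESS && (cur$result as count) >= threshold )
					print fmt("%s reached %d failed logins", src, cur$result as count);
				}
			timeout 5sec
				{ print fmt("timeout reading counter for %s", src); }
			}
		}
	timeout 5sec
		{ print fmt("timeout recording failure from %s", src); }
	}

## List every tracked source. Broker::keys copies the complete key set and is
## only a snapshot, so avoid it on large or rapidly changing stores.
event Demo::dump_sources()
	{
	when ( local ks = Broker::keys(failed_logins) )
		{
		if ( ks$status == Broker::SUCCESS )
			{
			local it = Broker::set_iterator(ks$result);
			while ( ! Broker::set_iterator_last(it) )
				{
				print fmt("tracked: %s", Broker::set_iterator_value(it) as addr);
				Broker::set_iterator_next(it);
				}
			}
		terminate();
		}
	timeout 5sec
		{ print "timeout listing keys"; terminate(); }
	}

event zeek_init() &priority=-10
	{
	# Constructed input: three failures from one host, one from another.
	record_failure(192.0.2.10);
	record_failure(192.0.2.10);
	record_failure(192.0.2.10);
	record_failure(198.51.100.7);

	schedule 2sec { Demo::dump_sources() };
	}
```

Two points worth noting for production use. First, every store query is asynchronous: a when body runs when the master answers, and the timeout branch is the only signal you get if it never does (a clone that has gone stale, for instance), so never assume a query result is available in the statement after the call. Second, the increment after put_unique is not atomic with it; with concurrent writers on several clones the counter can still lag, which is acceptable for a threshold alert but not for anything that needs exact accounting.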

Broker::record_assign
Type

function (r: Broker::Data, idx: count, d: any) : bool

Replace a field in a record at a particular position.

R

the record to modify.

D

the new field value to assign.

Idx

the index to replace.

Returns

false if the index was larger than any valid index, else true.

Broker::record_create
Type

function (sz: count) : Broker::Data

Create communication data of type “record”.

Sz

the number of fields in the record.

Returns

record data, with all fields uninitialized.

Broker::record_iterator
Type

function (r: Broker::Data) : opaque of Broker::RecordIterator

Create an iterator for a record. Note that this makes a copy of the record internally to ensure the iterator is always valid.

R

the record to iterate over.

Returns

an iterator.

Broker::record_iterator_last
Type

function (it: opaque of Broker::RecordIterator) : bool

Check if there are no more elements to iterate over.

It

an iterator.

Returns

true if there are no more elements to iterate over, i.e. the iterator is one-past-the-final-element.

Broker::record_iterator_next
Type

function (it: opaque of Broker::RecordIterator) : bool

Advance an iterator.

It

an iterator.

Returns

true if the iterator, after advancing, still references an element in the collection. False if the iterator, after advancing, is one-past-the-final-element.

Broker::record_iterator_value
Type

function (it: opaque of Broker::RecordIterator) : Broker::Data

Retrieve the data at an iterator’s current position.

It

an iterator.

Returns

element in the collection that the iterator currently references.

Broker::record_lookup
Type

function (r: Broker::Data, idx: count) : Broker::Data

Look up a field in a record at a particular position.

R

the record to query.

Idx

the index to look up.

Returns

the value at the index. The optional field of the returned record may not be set if the field of the record has no value or if the index was not valid.

Broker::record_size
Type

function (r: Broker::Data) : count

Get the number of fields within a record.

R

the record to query.

Returns

the number of fields in the record.

Broker::remove_from
Type

function (h: opaque of Broker::Store, k: any, i: any, e: interval &default = 0 secs &optional) : bool

Removes an element from an existing set or table.

H

the handle of the store to modify.

K

the key whose associated value is to be modified. The key must already exist.

I

the index to remove from the set or table.

E

the new expiration interval of the modified key. If null, the current expiration time isn’t changed.

Returns

false if the store handle was not valid.

Broker::set_clear
Type

function (s: Broker::Data) : bool

Remove all elements within a set.

S

the set to clear.

Returns

always true.

Broker::set_contains
Type

function (s: Broker::Data, key: any) : bool

Check if a set contains a particular element.

S

the set to query.

Key

the element to check for existence.

Returns

true if the key exists in the set.

Broker::set_create
Type

function () : Broker::Data

Create communication data of type “set”.

Broker::set_insert
Type

function (s: Broker::Data, key: any) : bool

Insert an element into a set.

S

the set to modify.

Key

the element to insert.

Returns

true if the key was inserted, or false if it already existed.

Broker::set_iterator
Type

function (s: Broker::Data) : opaque of Broker::SetIterator

Create an iterator for a set. Note that this makes a copy of the set internally to ensure the iterator is always valid.

S

the set to iterate over.

Returns

an iterator.

Broker::set_iterator_last
Type

function (it: opaque of Broker::SetIterator) : bool

Check if there are no more elements to iterate over.

It

an iterator.

Returns

true if there are no more elements to iterate over, i.e. the iterator is one-past-the-final-element.

Broker::set_iterator_next
Type

function (it: opaque of Broker::SetIterator) : bool

Advance an iterator.

It

an iterator.

Returns

true if the iterator, after advancing, still references an element in the collection. False if the iterator, after advancing, is one-past-the-final-element.

Broker::set_iterator_value
Type

function (it: opaque of Broker::SetIterator) : Broker::Data

Retrieve the data at an iterator’s current position.

It

an iterator.

Returns

element in the collection that the iterator currently references.

Broker::set_remove
Type

function (s: Broker::Data, key: any) : bool

Remove an element from a set.

S

the set to modify.

Key

the element to remove.

Returns

true if the element existed in the set and is now removed.

Broker::set_size
Type

function (s: Broker::Data) : count

Get the number of elements within a set.

S

the set to query.

Returns

the number of elements in the set.

Broker::store_name
Type

function (h: opaque of Broker::Store) : string

Get the name of a store.

Returns

the name of the store.

Broker::table_clear
Type

function (t: Broker::Data) : bool

Remove all elements within a table.

T

the table to clear.

Returns

always true.

Broker::table_contains
Type

function (t: Broker::Data, key: any) : bool

Check if a table contains a particular key.

T

the table to query.

Key

the key to check for existence.

Returns

true if the key exists in the table.

Broker::table_create
Type

function () : Broker::Data

Create communication data of type “table”.

Broker::table_insert
Type

function (t: Broker::Data, key: any, val: any) : Broker::Data

Insert a key-value pair into a table.

T

the table to modify.

Key

the key at which to insert the value.

Val

the value to insert.

Returns

true if the key-value pair was inserted, or false if the key already existed in the table.

Broker::table_iterator
Type

function (t: Broker::Data) : opaque of Broker::TableIterator

Create an iterator for a table. Note that this makes a copy of the table internally to ensure the iterator is always valid.

T

the table to iterate over.

Returns

an iterator.

Broker::table_iterator_last
Type

function (it: opaque of Broker::TableIterator) : bool

Check if there are no more elements to iterate over.

It

an iterator.

Returns

true if there are no more elements to iterate over, i.e. the iterator is one-past-the-final-element.

Broker::table_iterator_next
Type

function (it: opaque of Broker::TableIterator) : bool

Advance an iterator.

It

an iterator.

Returns

true if the iterator, after advancing, still references an element in the collection. False if the iterator, after advancing, is one-past-the-final-element.

Broker::table_iterator_value
Type

function (it: opaque of Broker::TableIterator) : Broker::TableItem

Retrieve the data at an iterator’s current position.

It

an iterator.

Returns

element in the collection that the iterator currently references.

Broker::table_lookup
Type

function (t: Broker::Data, key: any) : Broker::Data

Retrieve a value from a table.

T

the table to query.

Key

the key to look up.

Returns

the value associated with the key. If the key did not exist, then the optional field of the returned record is not set.

Broker::table_remove
Type

function (t: Broker::Data, key: any) : Broker::Data

Remove a key-value pair from a table.

T

the table to modify.

Key

the key to remove from the table.

Returns

the value associated with the key. If the key did not exist, then the optional field of the returned record is not set.

Broker::table_size
Type

function (t: Broker::Data) : count

Get the number of elements within a table.

T

the table to query.

Returns

the number of elements in the table.

Broker::vector_clear
Type

function (v: Broker::Data) : bool

Remove all elements within a vector.

V

the vector to clear.

Returns

always true.

Broker::vector_create
Type

function () : Broker::Data

Create communication data of type “vector”.

Broker::vector_insert
Type

function (v: Broker::Data, idx: count, d: any) : bool

Insert an element into a vector at a particular position, possibly displacing existing elements (insertion always grows the size of the vector by one).

V

the vector to modify.

D

the element to insert.

Idx

the index at which to insert the data. If it is greater than the current size of the vector, the element is inserted at the end.

Returns

always true.

Broker::vector_iterator
Type

function (v: Broker::Data) : opaque of Broker::VectorIterator

Create an iterator for a vector. Note that this makes a copy of the vector internally to ensure the iterator is always valid.

V

the vector to iterate over.

Returns

an iterator.

Broker::vector_iterator_last
Type

function (it: opaque of Broker::VectorIterator) : bool

Check if there are no more elements to iterate over.

It

an iterator.

Returns

true if there are no more elements to iterate over, i.e. the iterator is one-past-the-final-element.

Broker::vector_iterator_next
Type

function (it: opaque of Broker::VectorIterator) : bool

Advance an iterator.

It

an iterator.

Returns

true if the iterator, after advancing, still references an element in the collection. False if the iterator, after advancing, is one-past-the-final-element.

Broker::vector_iterator_value
Type

function (it: opaque of Broker::VectorIterator) : Broker::Data

Retrieve the data at an iterator’s current position.

It

an iterator.

Returns

element in the collection that the iterator currently references.

Broker::vector_lookup
Type

function (v: Broker::Data, idx: count) : Broker::Data

Look up an element in a vector at a particular position.

V

the vector to query.

Idx

the index to look up.

Returns

the value at the index. If the index was larger than any valid index, the optional field of the returned record is not set.

Broker::vector_remove
Type

function (v: Broker::Data, idx: count) : Broker::Data

Remove an element from a vector at a particular position.

V

the vector to modify.

Idx

the index to remove.

Returns

the value that was just evicted. If the index was larger than any valid index, the optional field of the returned record is not set.

Broker::vector_replace
Type

function (v: Broker::Data, idx: count, d: any) : Broker::Data

Replace an element in a vector at a particular position.

V

the vector to modify.

D

the element to insert.

Idx

the index to replace.

Returns

the value that was just evicted. If the index was larger than any valid index, the optional field of the returned record is not set.

Broker::vector_size
Type

function (v: Broker::Data) : count

Get the number of elements within a vector.

V

the vector to query.

Returns

the number of elements in the vector.
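
An added example (not code from the Zeek documentation) that ties the table functions above together: it walks a Broker::Data table with table_iterator, table_iterator_last, table_iterator_value and table_iterator_next, checks each Broker::TableItem with Broker::data_type, and copies only entries of the expected types into a Zeek table. Data that arrived from a peer is just Broker::Data, so this is the shape of check a handler needs before acting on it. The module and function names are assumptions; the sample table is constructed inline.

```zeek
# Added example: convert a Broker::Data table to table[addr] of count,
# skipping any entry that is not an addr -> count pair.

module BrokerTableExample;

export {
    global to_addr_counts: function(d: Broker::Data): table[addr] of count;
}

function to_addr_counts(d: Broker::Data): table[addr] of count
    {
    local out: table[addr] of count = table();

    # Refuse anything that is not a table before touching its contents.
    if ( Broker::data_type(d) != Broker::TABLE )
        {
        Reporter::warning(fmt("expected a Broker TABLE, got %s", Broker::data_type(d)));
        return out;
        }

    # The iterator works on an internal copy, so later changes to the
    # source table cannot invalidate it.
    local it = Broker::table_iterator(d);

    while ( ! Broker::table_iterator_last(it) )
        {
        local item = Broker::table_iterator_value(it);   # a Broker::TableItem
        local kt = Broker::data_type(item$key);
        local vt = Broker::data_type(item$val);

        if ( kt == Broker::ADDR && vt == Broker::COUNT )
            out[item$key as addr] = item$val as count;   # cast Broker::Data back to Zeek types
        else
            Reporter::warning(fmt("skipping entry of type %s -> %s", kt, vt));

        Broker::table_iterator_next(it);
        }

    return out;
    }

event zeek_init()
    {
    # Constructed sample of what a peer might publish, with one bad entry.
    local t = Broker::table_create();
    Broker::table_insert(t, 10.0.0.1, 3);
    Broker::table_insert(t, 10.0.0.2, 7);
    Broker::table_insert(t, "not-an-address", 1);

    local counts = to_addr_counts(t);
    print fmt("%d of %d entries accepted", |counts|, Broker::table_size(t));

    for ( a, n in counts )
        print a, n;
    }
```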

base/bif/data.bif.zeek

Broker
GLOBAL

Functions for inspecting and manipulating broker data.

Namespaces

Broker, GLOBAL

Summary
Types

Broker::DataType: enum

Enumerates the possible types that Broker::Data may be in terms of Zeek data types.

Functions

Broker::__data: function

Broker::__data_type: function

Broker::__opaque_clone_through_serialization: function

Broker::__record_assign: function

Broker::__record_create: function

Broker::__record_iterator: function

Broker::__record_iterator_last: function

Broker::__record_iterator_next: function

Broker::__record_iterator_value: function

Broker::__record_lookup: function

Broker::__record_size: function

Broker::__set_clear: function

Broker::__set_contains: function

Broker::__set_create: function

Broker::__set_insert: function

Broker::__set_iterator: function

Broker::__set_iterator_last: function

Broker::__set_iterator_next: function

Broker::__set_iterator_value: function

Broker::__set_remove: function

Broker::__set_size: function

Broker::__table_clear: function

Broker::__table_contains: function

Broker::__table_create: function

Broker::__table_insert: function

Broker::__table_iterator: function

Broker::__table_iterator_last: function

Broker::__table_iterator_next: function

Broker::__table_iterator_value: function

Broker::__table_lookup: function

Broker::__table_remove: function

Broker::__table_size: function

Broker::__vector_clear: function

Broker::__vector_create: function

Broker::__vector_insert: function

Broker::__vector_iterator: function

Broker::__vector_iterator_last: function

Broker::__vector_iterator_next: function

Broker::__vector_iterator_value: function

Broker::__vector_lookup: function

Broker::__vector_remove: function

Broker::__vector_replace: function

Broker::__vector_size: function

Detailed Interface
Types
Broker::DataType
Type

enum

Broker::NONE
Broker::BOOL
Broker::INT
Broker::COUNT
Broker::DOUBLE
Broker::STRING
Broker::ADDR
Broker::SUBNET
Broker::PORT
Broker::TIME
Broker::INTERVAL
Broker::ENUM
Broker::SET
Broker::TABLE
Broker::VECTOR

Enumerates the possible types that Broker::Data may be in terms of Zeek data types.

Functions
Broker::__data
Type

function (d: any) : Broker::Data

Broker::__data_type
Type

function (d: Broker::Data) : Broker::DataType

Broker::__opaque_clone_through_serialization
Type

function (d: any) : any

Broker::__record_assign
Type

function (r: Broker::Data, idx: count, d: any) : bool

Broker::__record_create
Type

function (sz: count) : Broker::Data

Broker::__record_iterator
Type

function (r: Broker::Data) : opaque of Broker::RecordIterator

Broker::__record_iterator_last
Type

function (it: opaque of Broker::RecordIterator) : bool

Broker::__record_iterator_next
Type

function (it: opaque of Broker::RecordIterator) : bool

Broker::__record_iterator_value
Type

function (it: opaque of Broker::RecordIterator) : Broker::Data

Broker::__record_lookup
Type

function (r: Broker::Data, idx: count) : Broker::Data

Broker::__record_size
Type

function (r: Broker::Data) : count

Broker::__set_clear
Type

function (s: Broker::Data) : bool

Broker::__set_contains
Type

function (s: Broker::Data, key: any) : bool

Broker::__set_create
Type

function () : Broker::Data

Broker::__set_insert
Type

function (s: Broker::Data, key: any) : bool

Broker::__set_iterator
Type

function (s: Broker::Data) : opaque of Broker::SetIterator

Broker::__set_iterator_last
Type

function (it: opaque of Broker::SetIterator) : bool

Broker::__set_iterator_next
Type

function (it: opaque of Broker::SetIterator) : bool

Broker::__set_iterator_value
Type

function (it: opaque of Broker::SetIterator) : Broker::Data

Broker::__set_remove
Type

function (s: Broker::Data, key: any) : bool

Broker::__set_size
Type

function (s: Broker::Data) : count

Broker::__table_clear
Type

function (t: Broker::Data) : bool

Broker::__table_contains
Type

function (t: Broker::Data, key: any) : bool

Broker::__table_create
Type

function () : Broker::Data

Broker::__table_insert
Type

function (t: Broker::Data, key: any, val: any) : Broker::Data

Broker::__table_iterator
Type

function (t: Broker::Data) : opaque of Broker::TableIterator

Broker::__table_iterator_last
Type

function (it: opaque of Broker::TableIterator) : bool

Broker::__table_iterator_next
Type

function (it: opaque of Broker::TableIterator) : bool

Broker::__table_iterator_value
Type

function (it: opaque of Broker::TableIterator) : Broker::TableItem

Broker::__table_lookup
Type

function (t: Broker::Data, key: any) : Broker::Data

Broker::__table_remove
Type

function (t: Broker::Data, key: any) : Broker::Data

Broker::__table_size
Type

function (t: Broker::Data) : count

Broker::__vector_clear
Type

function (v: Broker::Data) : bool

Broker::__vector_create
Type

function () : Broker::Data

Broker::__vector_insert
Type

function (v: Broker::Data, idx: count, d: any) : bool

Broker::__vector_iterator
Type

function (v: Broker::Data) : opaque of Broker::VectorIterator

Broker::__vector_iterator_last
Type

function (it: opaque of Broker::VectorIterator) : bool

Broker::__vector_iterator_next
Type

function (it: opaque of Broker::VectorIterator) : bool

Broker::__vector_iterator_value
Type

function (it: opaque of Broker::VectorIterator) : Broker::Data

Broker::__vector_lookup
Type

function (v: Broker::Data, idx: count) : Broker::Data

Broker::__vector_remove
Type

function (v: Broker::Data, idx: count) : Broker::Data

Broker::__vector_replace
Type

function (v: Broker::Data, idx: count, d: any) : Broker::Data

Broker::__vector_size
Type

function (v: Broker::Data) : count

base/bif/store.bif.zeek

Broker
GLOBAL

Functions to interface with broker’s distributed data store.

Namespaces

Broker, GLOBAL

Summary
Functions

Broker::__append: function

Broker::__clear: function

Broker::__close: function

Broker::__create_clone: function

Broker::__create_master: function

Broker::__decrement: function

Broker::__erase: function

Broker::__exists: function

Broker::__get: function

Broker::__get_index_from_value: function

Broker::__increment: function

Broker::__insert_into_set: function

Broker::__insert_into_table: function

Broker::__is_closed: function

Broker::__keys: function

Broker::__pop: function

Broker::__push: function

Broker::__put: function

Broker::__put_unique: function

Broker::__remove_from: function

Broker::__store_name: function

Detailed Interface
Functions
Broker::__append
Type

function (h: opaque of Broker::Store, k: any, s: any, e: interval) : bool

Broker::__clear
Type

function (h: opaque of Broker::Store) : bool

Broker::__close
Type

function (h: opaque of Broker::Store) : bool

Broker::__create_clone
Type

function (id: string, resync_interval: interval, stale_interval: interval, mutation_buffer_interval: interval) : opaque of Broker::Store

Broker::__create_master
Type

function (id: string, b: Broker::BackendType, options: Broker::BackendOptions &default = [sqlite=[path=]] &optional) : opaque of Broker::Store

Broker::__decrement
Type

function (h: opaque of Broker::Store, k: any, a: any, e: interval) : bool

Broker::__erase
Type

function (h: opaque of Broker::Store, k: any) : bool

Broker::__exists
Type

function (h: opaque of Broker::Store, k: any) : Broker::QueryResult

Broker::__get
Type

function (h: opaque of Broker::Store, k: any) : Broker::QueryResult

Broker::__get_index_from_value
Type

function (h: opaque of Broker::Store, k: any, i: any) : Broker::QueryResult

Broker::__increment
Type

function (h: opaque of Broker::Store, k: any, a: any, e: interval) : bool

Broker::__insert_into_set
Type

function (h: opaque of Broker::Store, k: any, i: any, e: interval) : bool

Broker::__insert_into_table
Type

function (h: opaque of Broker::Store, k: any, i: any, v: any, e: interval) : bool

Broker::__is_closed
Type

function (h: opaque of Broker::Store) : bool

Broker::__keys
Type

function (h: opaque of Broker::Store) : Broker::QueryResult

Broker::__pop
Type

function (h: opaque of Broker::Store, k: any, e: interval) : bool

Broker::__push
Type

function (h: opaque of Broker::Store, k: any, v: any, e: interval) : bool

Broker::__put
Type

function (h: opaque of Broker::Store, k: any, v: any, e: interval) : bool

Broker::__put_unique
Type

function (h: opaque of Broker::Store, k: any, v: any, e: interval) : Broker::QueryResult

Broker::__remove_from
Type

function (h: opaque of Broker::Store, k: any, i: any, e: interval) : bool

Broker::__store_name
Type

function (h: opaque of Broker::Store) : string

base/frameworks/broker/log.zeek

Broker
Namespace

Broker

Imports

base/frameworks/broker/main.zeek

Summary
Types

Broker::Info: record

A record type containing the column fields of the Broker log.

Broker::Type: enum

The type of a Broker activity being logged.

Redefinitions

Log::ID: enum

The Broker logging stream identifier.

Hooks

Broker::log_policy: Log::PolicyHook

A default logging policy hook for the stream.

Detailed Interface
Types
Broker::Info
Type

record

ts: time &log

The network time at which a Broker event occurred.

ty: Broker::Type &log

The type of the Broker event.

ev: string &log

The event being logged.

peer: Broker::NetworkInfo &log &optional

The peer (if any) with which a Broker event is concerned.

message: string &log &optional

An optional message describing the Broker event in more detail.

A record type containing the column fields of the Broker log.

Broker::Type
Type

enum

Broker::STATUS

An informational status update.

Broker::ERROR

An error situation.

The type of a Broker activity being logged.

Hooks
Broker::log_policy
Type

Log::PolicyHook

A default logging policy hook for the stream.

base/frameworks/supervisor/__load__.zeek

Imports

base/frameworks/supervisor/api.zeek, base/frameworks/supervisor/control.zeek, base/frameworks/supervisor/main.zeek

Summary
Detailed Interface

base/frameworks/supervisor/control.zeek

SupervisorControl

The Zeek process supervision (remote) control API. This defines a Broker topic prefix and events that can be used to control an external Zeek supervisor process. This API was introduced in Zeek 3.1.0 and considered unstable until 4.0.0. That is, it may change in various incompatible ways without warning or deprecation until the stable 4.0.0 release.

Namespace

SupervisorControl

Imports

base/frameworks/broker, base/frameworks/supervisor/api.zeek

Summary
Redefinable Options

SupervisorControl::enable_listen: bool &redef

When enabled, the Supervisor will listen on the configured Broker::default_listen_address.

SupervisorControl::topic_prefix: string &redef

The Broker topic prefix to use when subscribing to Supervisor API requests and when publishing Supervisor API responses.

Events

SupervisorControl::create_request: event

Send a request to a remote Supervisor process to create a node.

SupervisorControl::create_response: event

Handle a response from a Supervisor process that received SupervisorControl::create_request.

SupervisorControl::destroy_request: event

Send a request to a remote Supervisor process to destroy a node.

SupervisorControl::destroy_response: event

Handle a response from a Supervisor process that received SupervisorControl::destroy_request.

SupervisorControl::node_status: event

A notification event the Supervisor generates when it receives a status message update from the stem, indicating that a node has (re-)started.

SupervisorControl::restart_request: event

Send a request to a remote Supervisor process to restart a node.

SupervisorControl::restart_response: event

Handle a response from a Supervisor process that received SupervisorControl::restart_request.

SupervisorControl::status_request: event

Send a request to a remote Supervisor process to retrieve node status.

SupervisorControl::status_response: event

Handle a response from a Supervisor process that received SupervisorControl::status_request.

SupervisorControl::stop_request: event

Send a request to a remote Supervisor to stop and shutdown its process tree.

Detailed Interface
Redefinable Options
SupervisorControl::enable_listen
Type

bool

Attributes

&redef

Default

F

Redefinition

from policy/frameworks/management/agent/boot.zeek

=:

T

When enabled, the Supervisor will listen on the configured Broker::default_listen_address.

SupervisorControl::topic_prefix
Type

string

Attributes

&redef

Default

"zeek/supervisor"

The Broker topic prefix to use when subscribing to Supervisor API requests and when publishing Supervisor API responses. If you are publishing Supervisor requests, this is also the prefix string to use for their topic names.

Events
SupervisorControl::create_request
Type

event (reqid: string, node: Supervisor::NodeConfig)

Send a request to a remote Supervisor process to create a node.

Reqid

an arbitrary string that will be directly echoed in the response

Node

the desired configuration for the new supervised node process.

SupervisorControl::create_response
Type

event (reqid: string, result: string)

Handle a response from a Supervisor process that received SupervisorControl::create_request.

Reqid

an arbitrary string matching the value in the original request.

Result

the return value of the remote call to Supervisor::create.

SupervisorControl::destroy_request
Type

event (reqid: string, node: string)

Send a request to a remote Supervisor process to destroy a node.

Reqid

an arbitrary string that will be directly echoed in the response

Node

the name of the node to destroy or empty string to mean “all nodes”.

SupervisorControl::destroy_response
Type

event (reqid: string, result: bool)

Handle a response from a Supervisor process that received SupervisorControl::destroy_request.

Reqid

an arbitrary string matching the value in the original request.

Result

the return value of the remote call to Supervisor::destroy.

SupervisorControl::node_status
Type

event (node: string, pid: count)

A notification event the Supervisor generates when it receives a status message update from the stem, indicating that a node has (re-)started. This is the remote equivalent of Supervisor::node_status.

Node

the name of a previously created node (via Supervisor::create) whose child process this status update concerns.

Pid

the process ID the stem reported for this node.

SupervisorControl::restart_request
Type

event (reqid: string, node: string)

Send a request to a remote Supervisor process to restart a node.

Reqid

an arbitrary string that will be directly echoed in the response

Node

the name of the node to restart or empty string to mean “all nodes”.

SupervisorControl::restart_response
Type

event (reqid: string, result: bool)

Handle a response from a Supervisor process that received SupervisorControl::restart_request.

Reqid

an arbitrary string matching the value in the original request.

Result

the return value of the remote call to Supervisor::restart.

SupervisorControl::status_request
Type

event (reqid: string, node: string)

Send a request to a remote Supervisor process to retrieve node status.

Reqid

an arbitrary string that will be directly echoed in the response

Node

the name of the node to get status of or empty string to mean “all nodes”.

SupervisorControl::status_response
Type

event (reqid: string, result: Supervisor::Status)

Handle a response from a Supervisor process that received SupervisorControl::status_request.

Reqid

an arbitrary string matching the value in the original request.

Result

the return value of the remote call to Supervisor::status.

SupervisorControl::stop_request
Type

event ()

Send a request to a remote Supervisor to stop and shutdown its process tree. There is no response to this message as the Supervisor simply terminates on receipt.
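
An added example (not code from the Zeek documentation) showing both sides of the request/response exchange above from a client's point of view: it publishes a SupervisorControl::status_request under SupervisorControl::topic_prefix and only acts on a status_response whose reqid matches one it sent, discarding unsolicited replies and warning about requests that never get answered. It assumes a Supervisor running with SupervisorControl::enable_listen = T; its address and port, and the module name, are assumptions.

```zeek
# Added example: ask a remote Supervisor for the status of all nodes and
# correlate the reply with the request by reqid.

module SupervisorStatusExample;

# Requests sent but not yet answered, keyed by reqid. Entries that sit
# here for 30 seconds are treated as lost and reported.
global pending: table[string] of time &create_expire=30sec
    &expire_func=function(t: table[string] of time, reqid: string): interval
        {
        Reporter::warning(fmt("no status_response received for request %s", reqid));
        return 0sec;
        };

event zeek_init()
    {
    # Responses arrive under the same topic prefix, so subscribe before asking.
    Broker::subscribe(SupervisorControl::topic_prefix);
    # Assumed Supervisor endpoint for this example.
    Broker::peer("127.0.0.1", 9999/tcp);
    }

event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
    {
    local reqid = unique_id("status-");
    pending[reqid] = current_time();

    # An empty node name asks for the status of all nodes.
    Broker::publish(SupervisorControl::topic_prefix,
                    SupervisorControl::status_request, reqid, "");
    }

event SupervisorControl::status_response(reqid: string, result: Supervisor::Status)
    {
    # Only act on replies we asked for; anything else is ignored and logged.
    if ( reqid !in pending )
        {
        Reporter::warning(fmt("ignoring unsolicited status_response %s", reqid));
        return;
        }

    delete pending[reqid];

    for ( name, ns in result$nodes )
        {
        if ( ns?$pid )
            print fmt("node %s is running as pid %d", name, ns$pid);
        else
            print fmt("node %s is not running", name);
        }
    }
```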

base/frameworks/supervisor/main.zeek

Implements Zeek process supervision API and default behavior for its associated (remote) control events.

Imports

base/frameworks/supervisor/api.zeek, base/frameworks/supervisor/control.zeek

Summary
Detailed Interface

base/frameworks/input/__load__.zeek

Imports

base/frameworks/input/main.zeek, base/frameworks/input/readers/ascii.zeek, base/frameworks/input/readers/benchmark.zeek, base/frameworks/input/readers/binary.zeek, base/frameworks/input/readers/config.zeek, base/frameworks/input/readers/raw.zeek, base/frameworks/input/readers/sqlite.zeek

Summary
Detailed Interface

base/frameworks/input/main.zeek

Input

The input framework provides a way to read previously stored data either as an event stream or into a Zeek table.

Namespace

Input

Imports

base/bif/input.bif.zeek

Summary
Runtime Options

Input::default_mode: Input::Mode &redef

The default reader mode used.

Input::default_reader: Input::Reader &redef

The default input reader used.

Redefinable Options

Input::accept_unsupported_types: bool &redef

Flag that controls if the input framework accepts records that contain types that are not supported (at the moment file and function).

Input::empty_field: string &redef

String to use for empty fields.

Input::separator: string &redef

Separator between fields.

Input::set_separator: string &redef

Separator between set elements.

Input::unset_field: string &redef

String to use for an unset &optional field.

Types

Input::AnalysisDescription: record

A file analysis input stream type used to forward input data to the file analysis framework.

Input::Event: enum

Type that describes what kind of change occurred.

Input::EventDescription: record

An event input stream type used to send input data to a Zeek event.

Input::Mode: enum

Type that defines the input stream read mode.

Input::TableDescription: record

A table input stream type used to send data to a Zeek table.

Input::Reader: enum

Events

Input::end_of_data: event

Event that is called when the end of a data source has been reached, including after an update.

Functions

Input::add_analysis: function

Create a new file analysis input stream from a given source.

Input::add_event: function

Create a new event input stream from a given source.

Input::add_table: function

Create a new table input stream from a given source.

Input::force_update: function

Forces the current input to be checked for changes.

Input::remove: function

Remove an input stream.

Detailed Interface
Runtime Options
Input::default_mode
Type

Input::Mode

Attributes

&redef

Default

Input::MANUAL

The default reader mode used. Defaults to MANUAL.

Input::default_reader
Type

Input::Reader

Attributes

&redef

Default

Input::READER_ASCII

The default input reader used. Defaults to READER_ASCII.

Redefinable Options
Input::accept_unsupported_types
Type

bool

Attributes

&redef

Default

F

Flag that controls if the input framework accepts records that contain types that are not supported (at the moment file and function). If true, the input framework will warn in these cases, but continue. If false, it will abort. Defaults to false (abort).

Input::empty_field
Type

string

Attributes

&redef

Default

"(empty)"

String to use for empty fields. Individual readers can use a different value.

Input::separator
Type

string

Attributes

&redef

Default

"\x09"

Separator between fields. Please note that the separator has to be exactly one character long. Individual readers can use a different value.

Input::set_separator
Type

string

Attributes

&redef

Default

","

Separator between set elements. Please note that the separator has to be exactly one character long. Individual readers can use a different value.

Input::unset_field
Type

string

Attributes

&redef

Default

"-"

String to use for an unset &optional field. Individual readers can use a different value.

Types
Input::AnalysisDescription
Type

record

source: string

String that allows the reader to find the source. For READER_ASCII, this is the filename.

reader: Input::Reader &default = Input::READER_BINARY &optional

Reader to use for this stream. Compatible readers must be able to accept a filter of a single string type (i.e. they read a byte stream).

mode: Input::Mode &default = Input::default_mode &optional

Read mode to use for this stream.

name: string

Descriptive name that uniquely identifies the input source. Can be used to remove a stream at a later time. This will also be used for the unique source field of fa_file. Most of the time, the best choice for this field will be the same value as the source field.

config: table [string] of string &default = {  } &optional

A key/value table that will be passed to the reader. Interpretation of the values is left to the reader, but usually they will be used for configuration purposes.

A file analysis input stream type used to forward input data to the file analysis framework.

Input::Event
Type

enum

Input::EVENT_NEW

New data has been imported.

Input::EVENT_CHANGED

Existing data has been changed.

Input::EVENT_REMOVED

Previously existing data has been removed.

Type that describes what kind of change occurred.

Input::EventDescription
Type

record

source: string

String that allows the reader to find the source. For READER_ASCII, this is the filename.

reader: Input::Reader &default = Input::default_reader &optional

Reader to use for this stream.

mode: Input::Mode &default = Input::default_mode &optional

Read mode to use for this stream.

name: string

Descriptive name. Used to remove a stream at a later time.

fields: any

Record type describing the fields to be retrieved from the input source.

want_record: bool &default = T &optional

If this is false, the event receives each value in fields as a separate argument. If this is set to true (default), the event receives all fields in a single record value.

ev: any

The event that is raised each time a new line is received from the reader. The event will receive an Input::EventDescription record as the first argument, an Input::Event enum as the second argument, and the fields (as specified in fields) as the following arguments (this will either be a single record value containing all fields, or each field value as a separate argument).

error_ev: any &optional

Error event that is raised when an informational message, warning or error is raised by the input stream. If the level is error, the stream will automatically be closed. The event receives the Input::EventDescription as the first argument, the message as the second argument and the Reporter::Level as the third argument.

The event is raised as if it had been declared as follows: error_ev: function(desc: EventDescription, message: string, level: Reporter::Level) &optional; The actual declaration uses the any type because of deficiencies of the Zeek type system.

config: table [string] of string &default = {  } &optional

A key/value table that will be passed to the reader. Interpretation of the values is left to the reader, but usually they will be used for configuration purposes.

An event input stream type used to send input data to a Zeek event.

Input::Mode
Type

enum

Input::MANUAL

Do not automatically reread the file after it has been read.

Input::REREAD

Reread the entire file each time a change is found.

Input::STREAM

Read data from end of file each time new data is appended.

Type that defines the input stream read mode.

Input::TableDescription
Type

record

source: string

String that allows the reader to find the source of the data. For READER_ASCII, this is the filename.

reader: Input::Reader &default = Input::default_reader &optional

Reader to use for this stream.

mode: Input::Mode &default = Input::default_mode &optional

Read mode to use for this stream.

name: string

Name of the input stream. This is used by some functions to manipulate the stream.

destination: any

Table which will receive the data read by the input framework.

idx: any

Record that defines the values used as the index of the table.

val: any &optional

Record that defines the values used as the elements of the table. If this is undefined, then destination must be a set.

want_record: bool &default = T &optional

Defines if the value of the table is a record (default), or a single value. When this is set to false, then val can only contain one element.

ev: any &optional

The event that is raised each time a value is added to, changed in, or removed from the table. The event will receive an Input::TableDescription as the first argument, an Input::Event enum as the second argument, the idx record as the third argument and the value (record) as the fourth argument.

pred: function (typ: Input::Event, left: any, right: any) : bool &optional

Predicate function that can decide if an insertion, update or removal should really be executed. Parameters have same meaning as for the event. If true is returned, the update is performed. If false is returned, it is skipped.

error_ev: any &optional

Error event that is raised when an information, warning or error is raised by the input stream. If the level is error, the stream will automatically be closed. The event receives the Input::TableDescription as the first argument, the message as the second argument and the Reporter::Level as the third argument.

The event is raised as if it had been declared as follows: error_ev: function(desc: TableDescription, message: string, level: Reporter::Level) &optional; The actual declaration uses the any type because of deficiencies of the Zeek type system.

config: table [string] of string &default = {  } &optional

A key/value table that will be passed to the reader. Interpretation of the values is left to the reader, but usually they will be used for configuration purposes.

A table input stream type used to send data to a Zeek table.

Input::Reader
Type

enum

Input::READER_ASCII
Input::READER_BENCHMARK
Input::READER_BINARY
Input::READER_CONFIG
Input::READER_RAW
Input::READER_SQLITE
Events
Input::end_of_data
Type

event (name: string, source: string)

Event that is called when the end of a data source has been reached, including after an update.

Name

Name of the input stream.

Source

String that identifies the data source (such as the filename).

Functions
Input::add_analysis
Type

function (description: Input::AnalysisDescription) : bool

Create a new file analysis input stream from a given source. Data read from the source is automatically forwarded to the file analysis framework.

Description

A record describing the source.

Returns

true on success.

Input::add_event
Type

function (description: Input::EventDescription) : bool

Create a new event input stream from a given source.

Description

EventDescription record describing the source.

Returns

true on success.

Input::add_table
Type

function (description: Input::TableDescription) : bool

Create a new table input stream from a given source.

Description

TableDescription record describing the source.

Returns

true on success.
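An added example (not from the Zeek documentation) that ties the pieces above together: a Zeek script that loads a watchlist file into a table with Input::add_table in REREAD mode, filters rows with pred, reacts to EVENT_NEW / EVENT_CHANGED / EVENT_REMOVED in ev, handles error_ev, and uses Input::end_of_data. The filename watchlist.txt, the Idx and Val record types and the module name are assumptions.

```zeek
# Added example, not part of the Zeek docs. Assumes a tab-separated file
# "watchlist.txt" with a header line as the ASCII reader expects, e.g.:
#   #fields<TAB>ip<TAB>reason<TAB>severity
#   198.51.100.7<TAB>known-c2<TAB>3
#   203.0.113.9<TAB>scanner<TAB>1
module Watchlist;

# Index and value types of the destination table (assumed names).
type Idx: record {
    ip: addr;
};

type Val: record {
    reason: string;
    severity: count;
};

global watchlist: table[addr] of Val = table();

# Predicate: rows with an empty reason are skipped; a skipped row is neither
# inserted into the table nor reported through the ev handler.
function watchlist_pred(typ: Input::Event, left: Idx, right: Val): bool
    {
    if ( right$reason == "" )
        {
        Reporter::warning(fmt("watchlist: skipping %s, empty reason", left$ip));
        return F;
        }
    return T;
    }

# ev handler: called once per insertion, change or removal (want_record is
# the default T, so the value arrives as a single Val record).
event watchlist_entry(description: Input::TableDescription, tpe: Input::Event, left: Idx, right: Val)
    {
    if ( tpe == Input::EVENT_NEW )
        print fmt("watchlist: added %s (%s, severity %d)", left$ip, right$reason, right$severity);
    else if ( tpe == Input::EVENT_CHANGED )
        print fmt("watchlist: changed %s (%s, severity %d)", left$ip, right$reason, right$severity);
    else if ( tpe == Input::EVENT_REMOVED )
        print fmt("watchlist: removed %s", left$ip);
    }

# error_ev handler: information, warning and error messages from the reader.
# At level Reporter::ERROR the stream is closed automatically.
event watchlist_error(description: Input::TableDescription, message: string, level: Reporter::Level)
    {
    print fmt("watchlist: reader reported %s: %s", level, message);
    }

event zeek_init()
    {
    Input::add_table([$source="watchlist.txt",
                      $name="watchlist",
                      $idx=Idx,
                      $val=Val,
                      $destination=watchlist,
                      $mode=Input::REREAD,      # re-read whenever the file changes
                      $pred=watchlist_pred,
                      $ev=watchlist_entry,
                      $error_ev=watchlist_error]);
    }

# Fires after the initial load and after every re-read.
event Input::end_of_data(name: string, source: string)
    {
    if ( name == "watchlist" )
        print fmt("watchlist: %d entries loaded from %s", |watchlist|, source);
    }

# Use the table: flag connections to a listed responder.
event connection_established(c: connection)
    {
    if ( c$id$resp_h in watchlist )
        print fmt("%s: connection to watchlisted host %s (%s)",
                  c$uid, c$id$resp_h, watchlist[c$id$resp_h]$reason);
    }
```

With REREAD the table tracks edits to the file while Zeek runs; Input::force_update("watchlist") triggers a check without waiting for the reader's heartbeat.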

Input::force_update
Type

function (id: string) : bool

Forces the current input to be checked for changes.

Id

string value identifying the stream.

Returns

true on success and false if the named stream was not found.

Input::remove
Type

function (id: string) : bool

Remove an input stream.

Id

string value identifying the stream to be removed.

Returns

true on success and false if the named stream was not found.

base/bif/input.bif.zeek

GLOBAL
Input

Internal functions and types used by the input framework.

Namespaces

GLOBAL, Input

Summary
Functions

Input::__create_analysis_stream: function

Input::__create_event_stream: function

Input::__create_table_stream: function

Input::__force_update: function

Input::__remove_stream: function

Detailed Interface
Functions
Input::__create_analysis_stream
Type

function (description: Input::AnalysisDescription) : bool

Input::__create_event_stream
Type

function (description: Input::EventDescription) : bool

Input::__create_table_stream
Type

function (description: Input::TableDescription) : bool

Input::__force_update
Type

function (id: string) : bool

Input::__remove_stream
Type

function (id: string) : bool

base/frameworks/input/readers/ascii.zeek

InputAscii

Interface for the ascii input reader.

The defaults are set to match Zeek’s ASCII output.

Namespace

InputAscii

Summary
Redefinable Options

InputAscii::empty_field: string &redef

String to use for empty fields.

InputAscii::fail_on_file_problem: bool &redef

Fail on file read problems.

InputAscii::fail_on_invalid_lines: bool &redef

Fail on invalid lines.

InputAscii::path_prefix: string &redef

On input streams with a pathless or relative-path source filename, prefix the following path.

InputAscii::separator: string &redef

Separator between fields.

InputAscii::set_separator: string &redef

Separator between set and vector elements.

InputAscii::unset_field: string &redef

String to use for an unset &optional field.

Detailed Interface
Redefinable Options
InputAscii::empty_field
Type

string

Attributes

&redef

Default

"(empty)"

String to use for empty fields.

InputAscii::fail_on_file_problem
Type

bool

Attributes

&redef

Default

F

Fail on file read problems. If set to true, the ascii input reader will fail when encountering any problem while reading a file other than invalid lines, for example permission problems or missing files. When set to false, these problems will be ignored. This has an especially big effect for the REREAD mode, which will seamlessly recover from read errors when a file is only temporarily inaccessible. For MANUAL or STREAM files, errors will most likely still be fatal since no automatic re-reading of the file is attempted. Individual readers can use a different value using the $config table. fail_on_file_problem = T was the default behavior until Bro 2.6.

InputAscii::fail_on_invalid_lines
Type

bool

Attributes

&redef

Default

F

Fail on invalid lines. If set to false, the ascii input reader will jump over invalid lines, reporting warnings in reporter.log. If set to true, errors in input lines will be handled as fatal errors for the reader thread; reading will abort immediately and an error will be logged to reporter.log. Individual readers can use a different value using the $config table. fail_on_invalid_lines = T was the default behavior until Bro 2.6.

InputAscii::path_prefix
Type

string

Attributes

&redef

Default

""

On input streams with a pathless or relative-path source filename, prefix the following path. This prefix can, but need not be, absolute. The default is to leave any filenames unchanged. This prefix has no effect if the source already is an absolute path.

InputAscii::separator
Type

string

Attributes

&redef

Default

"\x09"

Separator between fields. Please note that the separator has to be exactly one character long.

InputAscii::set_separator
Type

string

Attributes

&redef

Default

","

Separator between set and vector elements. Please note that the separator has to be exactly one character long.

InputAscii::unset_field
Type

string

Attributes

&redef

Default

"-"

String to use for an unset &optional field.

base/frameworks/input/readers/raw.zeek

InputRaw

Interface for the raw input reader.

Namespace

InputRaw

Summary
Redefinable Options

InputRaw::record_separator: string &redef

Separator between input records.

Events

InputRaw::process_finished: event

Event that is called when a process created by the raw reader exits.

Detailed Interface
Redefinable Options
InputRaw::record_separator
Type

string

Attributes

&redef

Default

"\x0a"

Separator between input records. Please note that the separator has to be exactly one character long.

Events
InputRaw::process_finished
Type

event (name: string, source: string, exit_code: count, signal_exit: bool)

Event that is called when a process created by the raw reader exits.

Name

name of the input stream.

Source

source of the input stream.

Exit_code

exit code of the program, or number of the signal that forced the program to exit.

Signal_exit

false when program exited normally, true when program was forced to exit by a signal.

base/frameworks/input/readers/benchmark.zeek

InputBenchmark

Interface for the benchmark input reader.

Namespace

InputBenchmark

Summary
Redefinable Options

InputBenchmark::addfactor: count &redef

Addition factor for each heartbeat.

InputBenchmark::autospread: double &redef

Spreading where usleep = 1000000 / autospread * num_lines

InputBenchmark::factor: double &redef

Multiplication factor for each second.

InputBenchmark::spread: count &redef

Spread factor between lines.

InputBenchmark::stopspreadat: count &redef

Stop spreading at x lines per heartbeat.

InputBenchmark::timedspread: double &redef

1 -> enable timed spreading.

Detailed Interface
Redefinable Options
InputBenchmark::addfactor
Type

count

Attributes

&redef

Default

0

Addition factor for each heartbeat.

InputBenchmark::autospread
Type

double

Attributes

&redef

Default

0.0

Spreading where usleep = 1000000 / autospread * num_lines

InputBenchmark::factor
Type

double

Attributes

&redef

Default

1.0

Multiplication factor for each second.

InputBenchmark::spread
Type

count

Attributes

&redef

Default

0

Spread factor between lines.

InputBenchmark::stopspreadat
Type

count

Attributes

&redef

Default

0

Stop spreading at x lines per heartbeat.

InputBenchmark::timedspread
Type

double

Attributes

&redef

Default

0.0

1 -> enable timed spreading.

base/frameworks/input/readers/binary.zeek

InputBinary

Interface for the binary input reader.

Namespace

InputBinary

Summary
Redefinable Options

InputBinary::chunk_size: count &redef

Size of data chunks to read from the input file at a time.

InputBinary::path_prefix: string &redef

On input streams with a pathless or relative-path source filename, prefix the following path.

Detailed Interface
Redefinable Options
InputBinary::chunk_size
Type

count

Attributes

&redef

Default

1024

Size of data chunks to read from the input file at a time.

InputBinary::path_prefix
Type

string

Attributes

&redef

Default

""

On input streams with a pathless or relative-path source filename, prefix the following path. This prefix can, but need not be, absolute. The default is to leave any filenames unchanged. This prefix has no effect if the source already is an absolute path.

base/frameworks/input/readers/config.zeek

InputConfig

Interface for the config input reader.

Namespace

InputConfig

Summary
Redefinable Options

InputConfig::empty_field: string &redef

String to use for empty fields.

InputConfig::fail_on_file_problem: bool &redef

Fail on file read problems.

InputConfig::set_separator: string &redef

Separator between set and vector elements.

Events

InputConfig::new_value: event

Event that is called when a config option is added or changes.

Detailed Interface
Redefinable Options
InputConfig::empty_field
Type

string

Attributes

&redef

Default

""

String to use for empty fields. By default this is the empty string, meaning that an empty input field will result in an empty set.

InputConfig::fail_on_file_problem
Type

bool

Attributes

&redef

Default

F

Fail on file read problems. If set to true, the config input reader will fail when encountering any problem while reading a file other than invalid lines, for example permission problems or missing files. When set to false, these problems will be ignored. This has an especially big effect for the REREAD mode, which will seamlessly recover from read errors when a file is only temporarily inaccessible. For MANUAL or STREAM files, errors will most likely still be fatal since no automatic re-reading of the file is attempted. Individual readers can use a different value using the $config table.

InputConfig::set_separator
Type

string

Attributes

&redef

Default

","

Separator between set and vector elements. Please note that the separator has to be exactly one character long.

Events
InputConfig::new_value
Type

event (name: string, source: string, id: string, value: any)

Event that is called when a config option is added or changes.

Note - this does not track the reason for a change (new, changed), and also does not track removals. If you need this, combine the event with a table reader.

Name

Name of the input stream.

Source

Source of the input stream.

Id

ID of the configuration option being set.

Value

New value of the configuration option being set.

base/frameworks/input/readers/sqlite.zeek

InputSQLite

Interface for the SQLite input reader. Redefinable options are available to tweak the input format of the SQLite reader.

See SQLite Input/Logging for an introduction on how to use the SQLite reader.

When using the SQLite reader, you have to specify the SQL query that returns the desired data by setting query in the config table. See the introduction mentioned above for an example.

Namespace

InputSQLite

Summary
Redefinable Options

InputSQLite::empty_field: string &redef

String to use for empty fields.

InputSQLite::set_separator: string &redef

Separator between set elements.

InputSQLite::unset_field: string &redef

String to use for an unset &optional field.

Detailed Interface
Redefinable Options
InputSQLite::empty_field
Type

string

Attributes

&redef

Default

"(empty)"

String to use for empty fields.

InputSQLite::set_separator
Type

string

Attributes

&redef

Default

","

Separator between set elements. Please note that the separator has to be exactly one character long.

InputSQLite::unset_field
Type

string

Attributes

&redef

Default

"-"

String to use for an unset &optional field.

base/frameworks/analyzer/__load__.zeek

Imports

base/frameworks/analyzer/main.zeek

Summary
Detailed Interface

base/frameworks/files/__load__.zeek

Imports

base/frameworks/files/magic, base/frameworks/files/main.zeek

Summary
Detailed Interface

base/frameworks/files/main.zeek

Files

An interface for driving the analysis of files, possibly independent of any network protocol over which they’re transported.

Namespace

Files

Imports

base/bif/file_analysis.bif.zeek, base/frameworks/analyzer, base/frameworks/logging, base/utils/site.zeek

Summary
Runtime Options

Files::enable_reassembler: bool &redef

The default setting for file reassembly.

Redefinable Options

Files::analyze_by_mime_type_automatically: bool &redef

Decide if you want to automatically attach analyzers to files based on the detected mime type of the file.

Files::disable: table &redef

A table that can be used to disable file analysis completely for any files transferred over given network protocol analyzers.

Files::reassembly_buffer_size: count &redef

The default per-file reassembly buffer size.

Types

Files::AnalyzerArgs: record &redef

A structure which parameterizes a type of file analysis.

Files::Info: record &redef

Contains all metadata related to the analysis of a given file.

Files::ProtoRegistration: record

Redefinitions

Log::ID: enum

fa_file: record &redef

New Fields

fa_file

info: Files::Info &optional

Events

Files::log_files: event

Event that can be handled to access the Info record as it is sent on to the logging framework.

Hooks

Files::log_policy: Log::PolicyHook

A default logging policy hook for the stream.

Functions

Files::add_analyzer: function

Adds an analyzer to the analysis of a given file.

Files::all_registered_mime_types: function

Returns a table of all MIME-type-to-analyzer mappings currently registered.

Files::analyzer_enabled: function

Checks whether a file analyzer is generally enabled.

Files::analyzer_name: function

Translates a file analyzer enum value to a string with the analyzer’s name.

Files::describe: function

Provides a text description regarding metadata of the file.

Files::disable_analyzer: function

Disables a file analyzer.

Files::disable_reassembly: function

Disables the file reassembler on this file.

Files::enable_analyzer: function

Enables a file analyzer.

Files::enable_reassembly: function

Allows the file reassembler to be used if it’s necessary because the file is transferred out of order.

Files::file_exists: function

Lookup to see if a particular file id exists and is still valid.

Files::lookup_file: function

Lookup an fa_file record with the file id.

Files::register_analyzer_add_callback: function

Register a callback for file analyzers to use if they need to do some manipulation when they are being added to a file before the core code takes over.

Files::register_for_mime_type: function

Registers a MIME type for an analyzer.

Files::register_for_mime_types: function

Registers a set of MIME types for an analyzer.

Files::register_protocol: function

Register callbacks for protocols that work with the Files framework.

Files::registered_mime_types: function

Returns a set of all MIME types currently registered for a specific analyzer.

Files::remove_analyzer: function

Removes an analyzer from the analysis of a given file.

Files::set_reassembly_buffer_size: function

Set the maximum size the reassembly buffer is allowed to grow for the given file.

Files::set_timeout_interval: function

Sets the timeout_interval field of fa_file, which is used to determine the length of inactivity that is allowed for a file before internal state related to it is cleaned up.

Files::stop: function

Stops/ignores any further analysis of a given file.

Detailed Interface
Runtime Options
Files::enable_reassembler
Type

bool

Attributes

&redef

Default

T

The default setting for file reassembly.

Redefinable Options
Files::analyze_by_mime_type_automatically
Type

bool

Attributes

&redef

Default

T

Decide if you want to automatically attach analyzers to files based on the detected mime type of the file.

Files::disable
Type

table [Files::Tag] of bool

Attributes

&redef

Default

{}

A table that can be used to disable file analysis completely for any files transferred over given network protocol analyzers.

Files::reassembly_buffer_size
Type

count

Attributes

&redef

Default

524288

The default per-file reassembly buffer size.

Types
Files::AnalyzerArgs
Type

record

chunk_event: event (f: fa_file, data: string, off: count) &optional

An event which will be generated for all new file contents, chunk-wise. Used when tag (in the Files::add_analyzer function) is Files::ANALYZER_DATA_EVENT.

stream_event: event (f: fa_file, data: string) &optional

An event which will be generated for all new file contents, stream-wise. Used when tag is Files::ANALYZER_DATA_EVENT.

extract_filename: string &optional

(present if base/files/extract/main.zeek is loaded)

The local filename to which to write an extracted file. This field is used in the core by the extraction plugin to know where to write the file to. If not specified, then a filename in the format “extract-<source>-<id>” is automatically assigned (using the source and id fields of fa_file).

extract_limit: count &default = FileExtract::default_limit &optional

(present if base/files/extract/main.zeek is loaded)

The maximum allowed file size in bytes of extract_filename. Once reached, a file_extraction_limit event is raised and the analyzer will be removed unless FileExtract::set_limit is called to increase the limit. A value of zero means “no limit”.

Attributes

&redef

A structure which parameterizes a type of file analysis.

Files::Info
Type

record

ts: time &log

The time when the file was first seen.

fuid: string &log

An identifier associated with a single file.

tx_hosts: set [addr] &default = {  } &optional &log

If this file was transferred over a network connection this should show the host or hosts that the data originated from.

rx_hosts: set [addr] &default = {  } &optional &log

If this file was transferred over a network connection this should show the host or hosts that the data traveled to.

conn_uids: set [string] &default = {  } &optional &log

Connection UIDs over which the file was transferred.

source: string &log &optional

An identification of the source of the file data. E.g. it may be a network protocol over which it was transferred, or a local file path which was read, or some other input source.

depth: count &default = 0 &optional &log

A value to represent the depth of this file in relation to its source. In SMTP, it is the depth of the MIME attachment on the message. In HTTP, it is the depth of the request within the TCP connection.

analyzers: set [string] &default = {  } &optional &log

A set of analysis types done during the file analysis.

mime_type: string &log &optional

A mime type provided by the strongest file magic signature match against the bof_buffer field of fa_file, or in the cases where no buffering of the beginning of file occurs, an initial guess of the mime type based on the first data seen.

filename: string &log &optional

A filename for the file if one is available from the source for the file. These will frequently come from “Content-Disposition” headers in network protocols.

duration: interval &log &default = 0 secs &optional

The duration the file was analyzed for.

local_orig: bool &log &optional

If the source of this file is a network connection, this field indicates if the data originated from the local network or not as determined by the configured Site::local_nets.

is_orig: bool &log &optional

If the source of this file is a network connection, this field indicates if the file is being sent by the originator of the connection or the responder.

seen_bytes: count &log &default = 0 &optional

Number of bytes provided to the file analysis engine for the file.

total_bytes: count &log &optional

Total number of bytes that are supposed to comprise the full file.

missing_bytes: count &log &default = 0 &optional

The number of bytes in the file stream that were completely missed during the process of analysis e.g. due to dropped packets.

overflow_bytes: count &log &default = 0 &optional

The number of bytes in the file stream that were not delivered to stream file analyzers. This could be overlapping bytes or bytes that couldn’t be reassembled.

timedout: bool &log &default = F &optional

Whether the file analysis timed out at least once for the file.

parent_fuid: string &log &optional

Identifier associated with a container file from which this one was extracted as part of the file analysis.

md5: string &log &optional

(present if base/files/hash/main.zeek is loaded)

An MD5 digest of the file contents.

sha1: string &log &optional

(present if base/files/hash/main.zeek is loaded)

A SHA1 digest of the file contents.

sha256: string &log &optional

(present if base/files/hash/main.zeek is loaded)

A SHA256 digest of the file contents.

x509: X509::Info &optional

(present if base/files/x509/main.zeek is loaded)

Information about X509 certificates. This is used to keep certificate information until all events have been received.

extracted: string &optional &log

(present if base/files/extract/main.zeek is loaded)

Local filename of extracted file.

extracted_cutoff: bool &optional &log

(present if base/files/extract/main.zeek is loaded)

Set to true if the file being extracted was cut off so the whole file was not logged.

extracted_size: count &optional &log

(present if base/files/extract/main.zeek is loaded)

The number of bytes extracted to disk.

entropy: double &log &optional

(present if policy/frameworks/files/entropy-test-all-files.zeek is loaded)

The information density of the contents of the file, expressed as a number of bits per character.

Attributes

&redef

Contains all metadata related to the analysis of a given file. For the most part, fields here are derived from ones of the same name in fa_file.

Files::ProtoRegistration
Type

record

get_file_handle: function (c: connection, is_orig: bool) : string

A callback to generate a file handle on demand when one is needed by the core.

describe: function (f: fa_file) : string &default = function &optional

A callback to “describe” a file. In the case of an HTTP transfer the most obvious description would be the URL. It’s like an extremely compressed version of the normal log.

Events
Files::log_files
Type

event (rec: Files::Info)

Event that can be handled to access the Info record as it is sent on to the logging framework.

Hooks
Files::log_policy
Type

Log::PolicyHook

A default logging policy hook for the stream.

Functions
Files::add_analyzer
Type

function (f: fa_file, tag: Files::Tag, args: Files::AnalyzerArgs &default = [chunk_event=<uninitialized>, stream_event=<uninitialized>, extract_filename=<uninitialized>, extract_limit=104857600] &optional) : bool

Adds an analyzer to the analysis of a given file.

F

the file.

Tag

the analyzer type.

Args

any parameters the analyzer takes.

Returns

true if the analyzer will be added, or false if analysis for the file isn’t currently active or the args were invalid for the analyzer type.
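An added example (not from the Zeek documentation) showing Files::add_analyzer with the Files::AnalyzerArgs fields described above: executables seen on the wire are hashed and extracted to disk with an extract_limit, and the file_extraction_limit event that fires when the cap is hit is handled. The module name, the byte cap and the MIME type list are assumptions.

```zeek
# Added example, not part of the Zeek docs. Requires the hash and extract
# file analyzers, which also add the md5/sha256/extracted fields to Files::Info.
@load base/files/hash
@load base/files/extract

module ExeCapture;

export {
    # Assumed cap: executables larger than this are not extracted in full.
    const max_extract_bytes: count = 5 * 1024 * 1024 &redef;

    # Assumed set of MIME types worth hashing and extracting.
    const interesting_types: set[string] = {
        "application/x-dosexec",
        "application/x-executable",
        "application/x-elf",
    } &redef;
}

# file_sniff fires once the MIME type has been determined from the
# beginning-of-file buffer, early enough to attach analyzers.
event file_sniff(f: fa_file, meta: fa_metadata)
    {
    if ( ! meta?$mime_type || meta$mime_type !in interesting_types )
        return;

    # Hash analyzers take no arguments; the default AnalyzerArgs are used.
    Files::add_analyzer(f, Files::ANALYZER_MD5);
    Files::add_analyzer(f, Files::ANALYZER_SHA256);

    # Extraction: explicit filename instead of the automatic
    # "extract-<source>-<id>", plus a size cap via extract_limit.
    local fname = fmt("exe-%s-%s", f$source, f$id);
    if ( ! Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
                               [$extract_filename=fname,
                                $extract_limit=max_extract_bytes]) )
        print fmt("%s: could not attach extract analyzer", f$id);
    }

# Raised when the extracted file is about to exceed extract_limit. Without a
# call to FileExtract::set_limit the analyzer is removed and extracted_cutoff
# is set on the Info record; here the cut-off is only recorded.
event file_extraction_limit(f: fa_file, args: Files::AnalyzerArgs, limit: count, len: count)
    {
    print fmt("%s (%s): extraction stopped at the %d byte limit",
              f$id, Files::describe(f), limit);
    }

# By the time the file state is removed, the hash analyzers have filled in
# the Info record and the extractor has set the extracted/cutoff fields.
event file_state_remove(f: fa_file)
    {
    if ( ! f?$info || ! f$info?$sha256 )
        return;

    print fmt("%s %s sha256=%s extracted=%s cutoff=%s",
              f$id, Files::describe(f), f$info$sha256,
              f$info?$extracted ? f$info$extracted : "-",
              f$info?$extracted_cutoff ? f$info$extracted_cutoff : F);
    }
```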

Files::all_registered_mime_types
Type

function () : table [Files::Tag] of set [string]

Returns a table of all MIME-type-to-analyzer mappings currently registered.

Returns

A table mapping each analyzer to the set of MIME types registered for it.

Files::analyzer_enabled
Type

function (tag: Files::Tag) : bool

Checks whether a file analyzer is generally enabled.

Tag

the analyzer type to check.

Returns

true if the analyzer is generally enabled, else false.

Files::analyzer_name
Type

function (tag: Files::Tag) : string

Translates a file analyzer enum value to a string with the analyzer’s name.

Tag

The analyzer tag.

Returns

The analyzer name corresponding to the tag.

Files::describe
Type

function (f: fa_file) : string

Provides a text description regarding metadata of the file. For example, with HTTP it would return a URL.

F

The file to be described.

Returns

a text description regarding metadata of the file.

Files::disable_analyzer
Type

function (tag: Files::Tag) : bool

Disables a file analyzer.

Tag

the analyzer type to disable.

Returns

false if the analyzer tag could not be found, else true.

Files::disable_reassembly
Type

function (f: fa_file) : void

Disables the file reassembler on this file. If the file is not transferred out of order this will have no effect.

F

the file.

Files::enable_analyzer
Type

function (tag: Files::Tag) : bool

Enables a file analyzer.

Tag

the analyzer type to enable.

Returns

false if the analyzer tag could not be found, else true.

Files::enable_reassembly
Type

function (f: fa_file) : void

Allows the file reassembler to be used if it’s necessary because the file is transferred out of order.

F

the file.

Files::file_exists
Type

function (fuid: string) : bool

Lookup to see if a particular file id exists and is still valid.

Fuid

the file id.

Returns

T if the file uid is known.

Files::lookup_file
Type

function (fuid: string) : fa_file

Lookup an fa_file record with the file id.

Fuid

the file id.

Returns

the associated fa_file record.

Files::register_analyzer_add_callback
Type

function (tag: Files::Tag, callback: function (f: fa_file, args: Files::AnalyzerArgs) : void) : void

Register a callback for file analyzers to use if they need to do some manipulation when they are being added to a file before the core code takes over. This is unlikely to be interesting for users and should only be called by file analyzer authors but is not required.

Tag

Tag for the file analyzer.

Callback

Function to execute when the given file analyzer is being added.

Files::register_for_mime_type
Type

function (tag: Files::Tag, mt: string) : bool

Registers a MIME type for an analyzer. If a future file with this type is seen, the analyzer will be automatically assigned to parsing it. The function adds to all MIME types already registered, it doesn’t replace them.

Tag

The tag of the analyzer.

Mt

The MIME type in the form “foo/bar” (case-insensitive).

Returns

True if the MIME type was successfully registered.

Files::register_for_mime_types
Type

function (tag: Files::Tag, mime_types: set [string]) : bool

Registers a set of MIME types for an analyzer. If a future file with one of these types is seen, the analyzer will be automatically assigned to parsing it. The function adds to all MIME types already registered, it doesn’t replace them.

Tag

The tag of the analyzer.

Mts

The set of MIME types, each in the form “foo/bar” (case-insensitive).

Returns

True if the MIME types were successfully registered.

Files::register_protocol
Type

function (tag: Analyzer::Tag, reg: Files::ProtoRegistration) : bool

Register callbacks for protocols that work with the Files framework. The callbacks must uniquely identify a file and each protocol can only have a single callback registered for it.

Tag

Tag for the protocol analyzer having a callback being registered.

Reg

A Files::ProtoRegistration record.

Returns

true if the protocol being registered was not previously registered.

Files::registered_mime_types
Type

function (tag: Files::Tag) : set [string]

Returns a set of all MIME types currently registered for a specific analyzer.

Tag

The tag of the analyzer.

Returns

The set of MIME types.

Files::remove_analyzer
Type

function (f: fa_file, tag: Files::Tag, args: Files::AnalyzerArgs &default = [chunk_event=<uninitialized>, stream_event=<uninitialized>, extract_filename=<uninitialized>, extract_limit=104857600] &optional) : bool

Removes an analyzer from the analysis of a given file.

F

the file.

Tag

the analyzer type.

Args

the analyzer (type and args) to remove.

Returns

true if the analyzer will be removed, or false if analysis for the file isn’t currently active.

Files::set_reassembly_buffer_size
Type

function (f: fa_file, max: count) : void

Set the maximum size the reassembly buffer is allowed to grow for the given file.

F

the file.

Max

Maximum allowed size of the reassembly buffer.

Files::set_timeout_interval
Type

function (f: fa_file, t: interval) : bool

Sets the timeout_interval field of fa_file, which is used to determine the length of inactivity that is allowed for a file before internal state related to it is cleaned up. When used within a file_timeout handler, the analysis will delay timing out again for the period specified by t.

F

the file.

T

the amount of time the file can remain inactive before discarding.

Returns

true if the timeout interval was set, or false if analysis for the file isn’t currently active.

Files::stop
Type

function (f: fa_file) : bool

Stops/ignores any further analysis of a given file.

F

the file.

Returns

true if analysis for the given file will be ignored for the rest of its contents, or false if analysis for the file isn’t currently active.

base/bif/file_analysis.bif.zeek

Files
GLOBAL

Internal functions and types used by the file analysis framework.

Namespaces

Files, GLOBAL

Summary
Functions

Files::__add_analyzer: function

Files::add_analyzer.

Files::__analyzer_enabled: function

Files::analyzer_enabled.

Files::__analyzer_name: function

Files::analyzer_name.

Files::__disable_analyzer: function

Files::disable_analyzer.

Files::__disable_reassembly: function

Files::disable_reassembly.

Files::__enable_analyzer: function

Files::enable_analyzer.

Files::__enable_reassembly: function

Files::enable_reassembly.

Files::__file_exists: function

Files::file_exists.

Files::__lookup_file: function

Files::lookup_file.

Files::__remove_analyzer: function

Files::remove_analyzer.

Files::__set_reassembly_buffer: function

Files::set_reassembly_buffer_size.

Files::__set_timeout_interval: function

Files::set_timeout_interval.

Files::__stop: function

Files::stop.

set_file_handle: function

For use within a get_file_handle handler to set a unique identifier to associate with the current input to the file analysis framework.

Detailed Interface
Functions
Files::__add_analyzer
Type

function (file_id: string, tag: Files::Tag, args: any) : bool

Files::add_analyzer.

Files::__analyzer_enabled
Type

function (tag: Files::Tag) : bool

Files::analyzer_enabled.

Files::__analyzer_name
Type

function (tag: Files::Tag) : string

Files::analyzer_name.

Files::__disable_analyzer
Type

function (tag: Files::Tag) : bool

Files::disable_analyzer.

Files::__disable_reassembly
Type

function (file_id: string) : bool

Files::disable_reassembly.

Files::__enable_analyzer
Type

function (tag: Files::Tag) : bool

Files::enable_analyzer.

Files::__enable_reassembly
Type

function (file_id: string) : bool

Files::enable_reassembly.

Files::__file_exists
Type

function (fuid: string) : bool

Files::file_exists.

Files::__lookup_file
Type

function (fuid: string) : fa_file

Files::lookup_file.

Files::__remove_analyzer
Type

function (file_id: string, tag: Files::Tag, args: any) : bool

Files::remove_analyzer.

Files::__set_reassembly_buffer
Type

function (file_id: string, max: count) : bool

Files::set_reassembly_buffer_size.

Files::__set_timeout_interval
Type

function (file_id: string, t: interval) : bool

Files::set_timeout_interval.

Files::__stop
Type

function (file_id: string) : bool

Files::stop.

set_file_handle
Type

function (handle: string) : any

For use within a get_file_handle handler to set a unique identifier to associate with the current input to the file analysis framework. Using an empty string for the handle signifies that the input will be ignored/discarded.

Handle

A string that uniquely identifies a file.
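
`set_file_handle` is what the framework calls on a script's behalf once a protocol has been registered with `Files::register_protocol` (documented above); the registration's `get_file_handle` callback supplies the handle, and an empty string discards that input. The script below, added here as an example and not shipped with Zeek, shows a complete registration. `Analyzer::ANALYZER_MYPROTO` is a hypothetical tag standing in for the analyzer (for instance one provided by a plugin) that is being wired in; everything else is the framework's own API.

```zeek
# Added example, not part of the Zeek distribution. Wires a protocol analyzer
# into the Files framework: Files::register_protocol installs the callback
# that names each file, and returning "" from it discards that side's data.
# Analyzer::ANALYZER_MYPROTO is a hypothetical tag standing in for the real
# analyzer being integrated.

module MyProto;

export {
	## File handle provider: must return the same string for every chunk of
	## one file and a different string for every other file.
	global get_file_handle: function(c: connection, is_orig: bool): string;

	## Human-readable description used where the framework reports a file.
	global describe_file: function(f: fa_file): string;
}

function get_file_handle(c: connection, is_orig: bool): string
	{
	# In this (hypothetical) protocol only the server sends file content;
	# an empty handle tells the framework to drop the originator's bytes.
	if ( is_orig )
		return "";

	# One file per connection direction, so connection identity plus
	# direction is unique. A protocol that carries several files on one
	# connection must add a per-file counter here, otherwise separate
	# files are glued together into one fa_file.
	return cat(Analyzer::ANALYZER_MYPROTO, c$start_time, c$id, is_orig);
	}

function describe_file(f: fa_file): string
	{
	if ( f?$conns )
		{
		for ( cid, c in f$conns )
			return fmt("MyProto transfer %s -> %s (%d bytes seen)",
			           cid$resp_h, cid$orig_h, f$seen_bytes);
		}
	return fmt("MyProto transfer (%d bytes seen)", f$seen_bytes);
	}

event zeek_init() &priority=10
	{
	# A protocol takes exactly one callback; F means one was already
	# registered for this tag, which is worth knowing about.
	if ( ! Files::register_protocol(Analyzer::ANALYZER_MYPROTO,
	                                [$get_file_handle = MyProto::get_file_handle,
	                                 $describe        = MyProto::describe_file]) )
		Reporter::warning("MyProto: a Files callback was already registered for this analyzer");
	}
```

The handle is the only thing keeping two concurrent transfers apart, so its uniqueness requirement is not cosmetic: a handle that collides across connections makes the framework hash, extract and log the interleaved bytes of both as one file.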

base/utils/site.zeek

Site

Definitions describing a site - which networks and DNS zones are “local” and “neighbors”, and servers running particular services.

Namespace

Site

Imports

base/utils/patterns.zeek

Summary
Runtime Options

Site::local_admins: table &redef

If local network administrators are known and they have responsibility for defined address space, then a mapping can be defined here between networks for which they have responsibility and a set of email addresses.

Site::local_nets: set &redef

Networks that are considered “local”.

Site::local_zones: set &redef

DNS zones that are considered “local”.

Site::neighbor_nets: set &redef

Networks that are considered “neighbors”.

Site::neighbor_zones: set &redef

DNS zones that are considered “neighbors”.

Site::private_address_space: set &redef

A list of subnets that are considered private address space.

State Variables

Site::local_nets_table: table

This is used for retrieving the subnet when using multiple entries in Site::local_nets.

Functions

Site::get_emails: function

Function that returns a comma-separated list of email addresses that are considered administrators for the IP address provided as an argument.

Site::is_local_addr: function

Function that returns true if an address corresponds to one of the local networks, false if not.

Site::is_local_name: function

Function that returns true if a host name is within a local DNS zone.

Site::is_neighbor_addr: function

Function that returns true if an address corresponds to one of the neighbor networks, false if not.

Site::is_neighbor_name: function

Function that returns true if a host name is within a neighbor DNS zone.

Site::is_private_addr: function

Function that returns true if an address corresponds to one of the private/unrouted networks, false if not.

Detailed Interface
Runtime Options
Site::local_admins
Type

table [subnet] of set [string]

Attributes

&redef

Default

{}

If local network administrators are known and they have responsibility for defined address space, then a mapping can be defined here between networks for which they have responsibility and a set of email addresses.

Site::local_nets
Type

set [subnet]

Attributes

&redef

Default

{}

Networks that are considered “local”. Note that ZeekControl sets this automatically.

Site::local_zones
Type

set [string]

Attributes

&redef

Default

{}

DNS zones that are considered “local”.

Site::neighbor_nets
Type

set [subnet]

Attributes

&redef

Default

{}

Networks that are considered “neighbors”.

Site::neighbor_zones
Type

set [string]

Attributes

&redef

Default

{}

DNS zones that are considered “neighbors”.

Site::private_address_space
Type

set [subnet]

Attributes

&redef

Default
{
   64:ff9b:1::/48,
   198.18.0.0/15,
   fc00::/7,
   100.64.0.0/10,
   ::/128,
   2002:ffff:ffff::/48,
   ::1/128,
   2002:cb00:7100::/40,
   240.0.0.0/4,
   2002:c633:6400::/40,
   2002:a00::/24,
   100::/64,
   255.255.255.255/32,
   192.0.0.0/24,
   0.0.0.0/8,
   2001:2::/48,
   2002:c000:200::/40,
   172.16.0.0/12,
   2002:f000::/20,
   2002:7f00::/24,
   2001::/23,
   2002:6440::/26,
   2002:c000::/40,
   10.0.0.0/8,
   127.0.0.0/8,
   192.0.2.0/24,
   192.168.0.0/16,
   2002:ac10::/28,
   2002:a9fe::/32,
   2002:c612::/31,
   169.254.0.0/16,
   2002::/24,
   fe80::/10,
   2001:db8::/32,
   203.0.113.0/24,
   2002:c0a8::/32,
   198.51.100.0/24
}

A list of subnets that are considered private address space.

By default, it has address blocks defined by IANA as not being routable over the Internet.

See the IPv4 Special-Purpose Address Registry and the IPv6 Special-Purpose Address Registry.

State Variables
Site::local_nets_table
Type

table [subnet] of subnet

Default

{}

This is used for retrieving the subnet when using multiple entries in Site::local_nets. It’s populated automatically from there. A membership query can be done with an addr and the table will yield the subnet it was found within.

Functions
Site::get_emails
Type

function (a: addr) : string

Function that returns a comma-separated list of email addresses that are considered administrators for the IP address provided as an argument. The function inspects Site::local_admins.

Site::is_local_addr
Type

function (a: addr) : bool

Function that returns true if an address corresponds to one of the local networks, false if not. The function inspects Site::local_nets.

Site::is_local_name
Type

function (name: string) : bool

Function that returns true if a host name is within a local DNS zone. The function inspects Site::local_zones.

Site::is_neighbor_addr
Type

function (a: addr) : bool

Function that returns true if an address corresponds to one of the neighbor networks, false if not. The function inspects Site::neighbor_nets.

Site::is_neighbor_name
Type

function (name: string) : bool

Function that returns true if a host name is within a neighbor DNS zone. The function inspects Site::neighbor_zones.

Site::is_private_addr
Type

function (a: addr) : bool

Function that returns true if an address corresponds to one of the private/unrouted networks, false if not. The function inspects Site::private_address_space.
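
The `Site` options and predicates above only pay off once they are populated and used consistently. The script below, added here as an example and not part of the Zeek distribution, configures a small made-up site and uses the predicates to classify connection endpoints; the networks, zones and mailboxes are stand-ins for a site's own, and in a ZeekControl deployment `Site::local_nets` comes from `networks.cfg` rather than a `redef`.

```zeek
# Added example, not part of the Zeek distribution. Networks, zones and
# mailboxes are made-up stand-ins for a site's own.
redef Site::local_nets += { 10.10.0.0/16, 192.0.2.0/24 };
redef Site::neighbor_nets += { 10.20.0.0/16 };
redef Site::local_zones += { "corp.example" };
redef Site::neighbor_zones += { "partner.example" };
redef Site::local_admins += {
	[10.10.0.0/16] = set("soc@corp.example"),
	[10.10.1.0/24] = set("netops@corp.example"),
};

# Order matters: 10.10.0.0/16 lies inside 10.0.0.0/8, so every local host is
# also "private". Test local and neighbor membership before private space.
function classify_addr(a: addr): string
	{
	if ( Site::is_local_addr(a) )
		return "local";
	if ( Site::is_neighbor_addr(a) )
		return "neighbor";
	if ( Site::is_private_addr(a) )
		return "private-unclaimed";   # special-purpose space, but not ours
	return "external";
	}

function classify_name(n: string): string
	{
	if ( Site::is_local_name(n) )
		return "local";
	if ( Site::is_neighbor_name(n) )
		return "neighbor";
	return "external";
	}

# The Site::local_nets entry an address fell into, or "" if none.
function local_subnet_of(a: addr): string
	{
	return a in Site::local_nets_table ? cat(Site::local_nets_table[a]) : "";
	}

event connection_state_remove(c: connection)
	{
	local o = c$id$orig_h;
	local r = c$id$resp_h;

	# Traffic from our space to private addresses nobody claims: either
	# Site::local_nets is incomplete or a host is reaching a network that
	# should not be reachable from here. Either way, tell the owner.
	if ( classify_addr(o) == "local" && classify_addr(r) == "private-unclaimed" )
		print fmt("%s (in %s, admins: %s) -> %s: unclaimed private destination",
		          o, local_subnet_of(o), Site::get_emails(o), r);
	}
```

For a host in 10.10.1.0/24, `Site::get_emails` collects the administrators of every `Site::local_admins` entry that contains the address, so both the /16 and the /24 mailboxes above appear in its output.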

base/utils/patterns.zeek

GLOBAL

Functions for creating and working with patterns.

Namespace

GLOBAL

Summary
Types

PatternMatchResult: record

Functions

match_pattern: function

Matches the given pattern against the given string, returning a PatternMatchResult record.

set_to_regex: function

Given a pattern as a string with two tildes (~~) contained in it, it will return a pattern with string set’s elements OR’d together where the double-tilde was given.

Detailed Interface
Types
PatternMatchResult
Type

record

matched: bool

T if a match was found, F otherwise.

str: string

Portion of string that first matched.

off: count

1-based offset where match starts.

Functions
match_pattern
Type

function (s: string, p: pattern) : PatternMatchResult

Matches the given pattern against the given string, returning a PatternMatchResult record. For example: match_pattern("foobar", /o*[a-k]/) returns [matched=T, str=f, off=1], because the first match is for zero o’s followed by an [a-k], but match_pattern("foobar", /o+[a-k]/) returns [matched=T, str=oob, off=2].

S

a string to match against.

P

a pattern to match.

Returns

a record indicating the match status.

set_to_regex
Type

function (ss: set [string], pat: string) : pattern

Given a pattern as a string with two tildes (~~) contained in it, it will return a pattern with string set’s elements OR’d together where the double-tilde was given. Examples:

global r1 = set_to_regex(set("a", "b", "c"), "~~");
# r1 = /^?(a|b|c)$?/
global r2 = set_to_regex(set("a.com", "b.com", "c.com"), "\\.(~~)");
# r2 = /^?(\.(a\.com|b\.com|c\.com))$?/
Ss

a set of strings to OR together.

Pat

the pattern containing a “~~” in it. If a literal backslash is included, it needs to be escaped with another backslash due to Zeek’s string parsing reducing it to a single backslash upon rendering.

Returns

the input pattern with “~~” replaced by OR’d elements of input set.
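
A common use of the two functions together is turning a configurable list of names into a single anchored pattern and then recovering which entry a string hit. The script below, added here as an example and not part of the Zeek distribution, does that for a made-up domain blocklist and checks TLS server names against it; `set_to_regex` escapes the set elements, so the dots in the names stay literal, while the surrounding pattern string doubles its own backslash as the note above requires.

```zeek
# Added example, not part of the Zeek distribution: one pattern built from a
# made-up blocklist with set_to_regex, and match_pattern to recover which
# entry a hostname matched.

const blocked_domains: set[string] = { "evil.example", "c2.bad.example" } &redef;

global blocked_domain_pat: pattern;

event zeek_init() &priority=10
	{
	# A blocked name itself or any subdomain of it, anchored at the end so
	# that "evil.example.org" does not match. The "\\." in the string reaches
	# set_to_regex as "\." and becomes a literal dot in the pattern.
	blocked_domain_pat = set_to_regex(blocked_domains, "(^|\\.)(~~)$");
	}

# Returns the blocklist entry a hostname matched, or "" for no match.
function matched_blocked_domain(host: string): string
	{
	local m = match_pattern(host, blocked_domain_pat);
	if ( ! m$matched )
		return "";

	# m$str is the text the pattern consumed, e.g. ".evil.example" for a
	# subdomain, hence the leading dot is stripped; m$off is the 1-based
	# offset in host where that text starts, useful when logging the prefix.
	return lstrip(m$str, ".");
	}

event ssl_established(c: connection)
	{
	if ( ! c?$ssl || ! c$ssl?$server_name )
		return;

	local hit = matched_blocked_domain(c$ssl$server_name);
	if ( hit != "" )
		print fmt("%s -> %s: TLS SNI %s matches blocklist entry %s",
		          c$id$orig_h, c$id$resp_h, c$ssl$server_name, hit);
	}
```

Building the pattern once in `zeek_init` rather than per event matters: `set_to_regex` compiles a regular expression at run time, which is far too expensive to repeat for every connection.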

base/frameworks/files/magic/__load__.zeek

Summary
Detailed Interface

base/bif/__load__.zeek

Imports

base/bif/CPP-load.bif.zeek, base/bif/analyzer.bif.zeek, base/bif/bloom-filter.bif.zeek, base/bif/cardinality-counter.bif.zeek, base/bif/comm.bif.zeek, base/bif/const.bif.zeek, base/bif/data.bif.zeek, base/bif/event.bif.zeek, base/bif/file_analysis.bif.zeek, base/bif/input.bif.zeek, base/bif/logging.bif.zeek, base/bif/messaging.bif.zeek, base/bif/option.bif.zeek, base/bif/packet_analysis.bif.zeek, base/bif/pcap.bif.zeek, base/bif/reporter.bif.zeek, base/bif/stats.bif.zeek, base/bif/store.bif.zeek, base/bif/strings.bif.zeek, base/bif/supervisor.bif.zeek, base/bif/telemetry.bif.zeek, base/bif/top-k.bif.zeek, base/bif/types.bif.zeek, base/bif/zeek.bif.zeek, base/bif/zeekygen.bif.zeek

Summary
Detailed Interface

base/bif/telemetry.bif.zeek

GLOBAL
Telemetry

Functions for accessing counter metrics from script land.

Namespaces

GLOBAL, Telemetry

Summary
Functions

Telemetry::__dbl_counter_family: function

Telemetry::__dbl_counter_inc: function

Telemetry::__dbl_counter_metric_get_or_add: function

Telemetry::__dbl_counter_singleton: function

Telemetry::__dbl_counter_value: function

Telemetry::__dbl_gauge_dec: function

Telemetry::__dbl_gauge_family: function

Telemetry::__dbl_gauge_inc: function

Telemetry::__dbl_gauge_metric_get_or_add: function

Telemetry::__dbl_gauge_singleton: function

Telemetry::__dbl_gauge_value: function

Telemetry::__dbl_histogram_family: function

Telemetry::__dbl_histogram_metric_get_or_add: function

Telemetry::__dbl_histogram_observe: function

Telemetry::__dbl_histogram_singleton: function

Telemetry::__dbl_histogram_sum: function

Telemetry::__int_counter_family: function

Telemetry::__int_counter_inc: function

Telemetry::__int_counter_metric_get_or_add: function

Telemetry::__int_counter_singleton: function

Telemetry::__int_counter_value: function

Telemetry::__int_gauge_dec: function

Telemetry::__int_gauge_family: function

Telemetry::__int_gauge_inc: function

Telemetry::__int_gauge_metric_get_or_add: function

Telemetry::__int_gauge_singleton: function

Telemetry::__int_gauge_value: function

Telemetry::__int_histogram_family: function

Telemetry::__int_histogram_metric_get_or_add: function

Telemetry::__int_histogram_observe: function

Telemetry::__int_histogram_singleton: function

Telemetry::__int_histogram_sum: function

Detailed Interface
Functions
Telemetry::__dbl_counter_family
Type

function (prefix: string, name: string, labels: string_vec, helptext: string &default = "Zeek Script Metric" &optional, unit: string &default = "1" &optional, is_sum: bool &default = F &optional) : opaque of dbl_counter_metric_family

Telemetry::__dbl_counter_inc
Type

function (val: opaque of dbl_counter_metric, amount: double &default = 1.0 &optional) : bool

Telemetry::__dbl_counter_metric_get_or_add
Type

function (family: opaque of dbl_counter_metric_family, labels: table_string_of_string) : opaque of dbl_counter_metric

Telemetry::__dbl_counter_singleton
Type

function (prefix: string, name: string, helptext: string &default = "Zeek Script Metric" &optional, unit: string &default = "1" &optional, is_sum: bool &default = F &optional) : opaque of dbl_counter_metric

Telemetry::__dbl_counter_value
Type

function (val: opaque of dbl_counter_metric) : double

Telemetry::__dbl_gauge_dec
Type

function (val: opaque of dbl_gauge_metric, amount: double &default = 1.0 &optional) : bool

Telemetry::__dbl_gauge_family
Type

function (prefix: string, name: string, labels: string_vec, helptext: string &default = "Zeek Script Metric" &optional, unit: string &default = "1" &optional, is_sum: bool &default = F &optional) : opaque of dbl_gauge_metric_family

Telemetry::__dbl_gauge_inc
Type

function (val: opaque of dbl_gauge_metric, amount: double &default = 1.0 &optional) : bool

Telemetry::__dbl_gauge_metric_get_or_add
Type

function (family: opaque of dbl_gauge_metric_family, labels: table_string_of_string) : opaque of dbl_gauge_metric

Telemetry::__dbl_gauge_singleton
Type

function (prefix: string, name: string, helptext: string &default = "Zeek Script Metric" &optional, unit: string &default = "1" &optional, is_sum: bool &default = F &optional) : opaque of dbl_gauge_metric

Telemetry::__dbl_gauge_value
Type

function (val: opaque of dbl_gauge_metric) : double

Telemetry::__dbl_histogram_family
Type

function (prefix: string, name: string, labels: string_vec, bounds: double_vec, helptext: string &default = "Zeek Script Metric" &optional, unit: string &default = "1" &optional, is_sum: bool &default = F &optional) : opaque of dbl_histogram_metric_family

Telemetry::__dbl_histogram_metric_get_or_add
Type

function (family: opaque of dbl_histogram_metric_family, labels: table_string_of_string) : opaque of dbl_histogram_metric

Telemetry::__dbl_histogram_observe
Type

function (val: opaque of dbl_histogram_metric, measurement: double) : bool

Telemetry::__dbl_histogram_singleton
Type

function (prefix: string, name: string, bounds: double_vec, helptext: string &default = "Zeek Script Metric" &optional, unit: string &default = "1" &optional, is_sum: bool &default = F &optional) : opaque of dbl_histogram_metric

Telemetry::__dbl_histogram_sum
Type

function (val: opaque of dbl_histogram_metric) : double

Telemetry::__int_counter_family
Type

function (prefix: string, name: string, labels: string_vec, helptext: string &default = "Zeek Script Metric" &optional, unit: string &default = "1" &optional, is_sum: bool &default = F &optional) : opaque of int_counter_metric_family

Telemetry::__int_counter_inc
Type

function (val: opaque of int_counter_metric, amount: int &default = 1 &optional) : bool

Telemetry::__int_counter_metric_get_or_add
Type

function (family: opaque of int_counter_metric_family, labels: table_string_of_string) : opaque of int_counter_metric

Telemetry::__int_counter_singleton
Type

function (prefix: string, name: string, helptext: string &default = "Zeek Script Metric" &optional, unit: string &default = "1" &optional, is_sum: bool &default = F &optional) : opaque of int_counter_metric

Telemetry::__int_counter_value
Type

function (val: opaque of int_counter_metric) : int

Telemetry::__int_gauge_dec
Type

function (val: opaque of int_gauge_metric, amount: int &default = 1 &optional) : bool

Telemetry::__int_gauge_family
Type

function (prefix: string, name: string, labels: string_vec, helptext: string &default = "Zeek Script Metric" &optional, unit: string &default = "1" &optional, is_sum: bool &default = F &optional) : opaque of int_gauge_metric_family

Telemetry::__int_gauge_inc
Type

function (val: opaque of int_gauge_metric, amount: int &default = 1 &optional) : bool

Telemetry::__int_gauge_metric_get_or_add
Type

function (family: opaque of int_gauge_metric_family, labels: table_string_of_string) : opaque of int_gauge_metric

Telemetry::__int_gauge_singleton
Type

function (prefix: string, name: string, helptext: string &default = "Zeek Script Metric" &optional, unit: string &default = "1" &optional, is_sum: bool &default = F &optional) : opaque of int_gauge_metric

Telemetry::__int_gauge_value
Type

function (val: opaque of int_gauge_metric) : int

Telemetry::__int_histogram_family
Type

function (prefix: string, name: string, labels: string_vec, bounds: int_vec, helptext: string &default = "Zeek Script Metric" &optional, unit: string &default = "1" &optional, is_sum: bool &default = F &optional) : opaque of int_histogram_metric_family

Telemetry::__int_histogram_metric_get_or_add
Type

function (family: opaque of int_histogram_metric_family, labels: table_string_of_string) : opaque of int_histogram_metric

Telemetry::__int_histogram_observe
Type

function (val: opaque of int_histogram_metric, measurement: int) : bool

Telemetry::__int_histogram_singleton
Type

function (prefix: string, name: string, bounds: int_vec, helptext: string &default = "Zeek Script Metric" &optional, unit: string &default = "1" &optional, is_sum: bool &default = F &optional) : opaque of int_histogram_metric

Telemetry::__int_histogram_sum
Type

function (val: opaque of int_histogram_metric) : int

base/bif/zeekygen.bif.zeek

GLOBAL

Functions for querying script, package, or variable documentation.

Namespace

GLOBAL

Summary
Functions

get_identifier_comments: function

Retrieve the Zeekygen-style comments (##) associated with an identifier (e.g. a variable or type).

get_package_readme: function

Retrieve the contents of a Zeek script package’s README file.

get_record_field_comments: function

Retrieve the Zeekygen-style comments (##) associated with a record field.

get_script_comments: function

Retrieve the Zeekygen-style summary comments (##!) associated with a Zeek script.

Detailed Interface
Functions
get_identifier_comments
Type

function (name: string) : string

Retrieve the Zeekygen-style comments (##) associated with an identifier (e.g. a variable or type).

Name

a script-level identifier for which to retrieve comments.

Returns

comments associated with name. If name is not a known identifier, an empty string is returned.

get_package_readme
Type

function (name: string) : string

Retrieve the contents of a Zeek script package’s README file.

Name

the name of a Zeek script package. It must be a relative path to where it is located within a particular component of ZEEKPATH.

Returns

contents of the package’s README file. If name is not a known package, an empty string is returned.

get_record_field_comments
Type

function (name: string) : string

Retrieve the Zeekygen-style comments (##) associated with a record field.

Name

the name of a record type and a field within it formatted like a typical record field access: “<record_type>$<field>”.

Returns

comments associated with the record field. If name does not point to a known record type or a known field within a record type, an empty string is returned.

get_script_comments
Type

function (name: string) : string

Retrieve the Zeekygen-style summary comments (##!) associated with a Zeek script.

Name

the name of a Zeek script. It must be a relative path to where it is located within a particular component of ZEEKPATH and use the same file name extension/suffix as the actual file (e.g. “.zeek”).

Returns

summary comments associated with script with name. If name is not a known script, an empty string is returned.

base/bif/pcap.bif.zeek

GLOBAL
Pcap
Namespaces

GLOBAL, Pcap

Summary
Functions

Pcap::error: function

Returns a string representation of the last PCAP error.

Pcap::findalldevs: function

Pcap::install_pcap_filter: function

Installs a PCAP filter that has been precompiled with Pcap::precompile_pcap_filter.

Pcap::precompile_pcap_filter: function

Precompiles a PCAP filter and binds it to a given identifier.

Detailed Interface
Functions
Pcap::error
Type

function () : string

Returns a string representation of the last PCAP error.

Returns

A descriptive error message of the PCAP function that failed.

Pcap::findalldevs
Type

function () : Pcap::Interfaces

Pcap::install_pcap_filter
Type

function (id: PcapFilterID) : bool

Installs a PCAP filter that has been precompiled with Pcap::precompile_pcap_filter.

Id

The PCAP filter id of a precompiled filter.

Returns

True if the filter associated with id has been installed successfully.

Pcap::precompile_pcap_filter
Type

function (id: PcapFilterID, s: string) : bool

Precompiles a PCAP filter and binds it to a given identifier.

Id

The PCAP identifier to reference the filter s later on.

S

The PCAP filter. See man tcpdump for valid expressions.

Returns

True if s is valid and precompiles successfully.
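
The value of the two-step compile-then-install interface is that a broken filter can be caught and reported before it silently leaves the sensor blind. The script below, added here as an example and not part of the Zeek distribution, uses `Pcap::precompile_pcap_filter`, `Pcap::install_pcap_filter` and `Pcap::error` that way; the filter identifier and the BPF expression are made up. Note that applying a filter directly like this bypasses Zeek's PacketFilter framework, which is the normal route for configuring capture filters and which installs its own filter during `zeek_init`.

```zeek
# Added example, not part of the Zeek distribution. Compile a capture filter
# up front so a typo fails loudly at startup instead of leaving Zeek blind,
# then install it. The identifier and the BPF expression are made up.

redef enum PcapFilterID += { TLSOnlyFilter };

const tls_only_bpf = "tcp port 443 or tcp port 8443" &redef;

function activate_filter(id: PcapFilterID, bpf: string): bool
	{
	if ( ! Pcap::precompile_pcap_filter(id, bpf) )
		{
		# Pcap::error carries libpcap's message for the failed compile.
		Reporter::error(fmt("BPF '%s' did not compile: %s", bpf, Pcap::error()));
		return F;
		}

	if ( ! Pcap::install_pcap_filter(id) )
		{
		Reporter::error(fmt("could not install filter %s: %s", id, Pcap::error()));
		return F;
		}

	return T;
	}

# Low priority so this runs after the PacketFilter framework has installed
# its default filter; otherwise ours would be replaced moments later.
event zeek_init() &priority=-10
	{
	if ( ! activate_filter(TLSOnlyFilter, tls_only_bpf) )
		# Refuse to run with an undefined capture scope.
		terminate();
	}
```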

base/bif/bloom-filter.bif.zeek

GLOBAL

Functions to create and manipulate Bloom filters.

Namespace

GLOBAL

Summary
Functions

bloomfilter_add: function

Adds an element to a Bloom filter.

bloomfilter_basic_init: function

Creates a basic Bloom filter.

bloomfilter_basic_init2: function

Creates a basic Bloom filter.

bloomfilter_clear: function

Removes all elements from a Bloom filter.

bloomfilter_counting_init: function

Creates a counting Bloom filter.

bloomfilter_decrement: function

Decrements the counter for an element that was added to a counting bloom filter in the past.

bloomfilter_internal_state: function

Returns a string with a representation of a Bloom filter’s internal state.

bloomfilter_intersect: function

Intersects two Bloom filters.

bloomfilter_lookup: function

Retrieves the counter for a given element in a Bloom filter.

bloomfilter_merge: function

Merges two Bloom filters.

Detailed Interface
Functions
bloomfilter_add
Type

function (bf: opaque of bloomfilter, x: any) : any

Adds an element to a Bloom filter. For counting bloom filters, the counter is incremented.

Bf

The Bloom filter handle.

X

The element to add.

bloomfilter_basic_init
Type

function (fp: double, capacity: count, name: string &default = "" &optional) : opaque of bloomfilter

Creates a basic Bloom filter.

Fp

The desired false-positive rate.

Capacity

the maximum number of elements that guarantees a false-positive rate of fp.

Name

A name that uniquely identifies and seeds the Bloom filter. If empty, the filter will use global_hash_seed if that’s set, and otherwise use a local seed tied to the current Zeek process. Only filters with the same seed can be merged with bloomfilter_merge.

Returns

A Bloom filter handle.

bloomfilter_basic_init2
Type

function (k: count, cells: count, name: string &default = "" &optional) : opaque of bloomfilter

Creates a basic Bloom filter. This function serves as a low-level alternative to bloomfilter_basic_init where the user has full control over the number of hash functions and cells in the underlying bit vector.

K

The number of hash functions to use.

Cells

The number of cells of the underlying bit vector.

Name

A name that uniquely identifies and seeds the Bloom filter. If empty, the filter will use global_hash_seed if that’s set, and otherwise use a local seed tied to the current Zeek process. Only filters with the same seed can be merged with bloomfilter_merge.

Returns

A Bloom filter handle.

bloomfilter_clear
Type

function (bf: opaque of bloomfilter) : any

Removes all elements from a Bloom filter. This function resets all bits in the underlying bitvector back to 0 but does not change the parameterization of the Bloom filter, such as the element type and the hasher seed.

Bf

The Bloom filter handle.

bloomfilter_counting_init
Type

function (k: count, cells: count, max: count, name: string &default = "" &optional) : opaque of bloomfilter

Creates a counting Bloom filter.

K

The number of hash functions to use.

Cells

The number of cells of the underlying counter vector. As there is no single answer to what the best parameterization for a counting Bloom filter is, we refer to the Bloom filter literature for choosing an appropriate value.

Max

The maximum counter value associated with each element described by w = ceil(log_2(max)) bits. Each bit in the underlying counter vector becomes a cell of size w bits.

Name

A name that uniquely identifies and seeds the Bloom filter. If empty, the filter will use global_hash_seed if that’s set, and otherwise use a local seed tied to the current Zeek process. Only filters with the same seed can be merged with bloomfilter_merge.

Returns

A Bloom filter handle.

bloomfilter_decrement
Type

function (bf: opaque of bloomfilter, x: any) : bool

Decrements the counter for an element that was added to a counting bloom filter in the past.

Note that decrement operations can lead to false negatives if used on a counting Bloom filter whose counters have exceeded their width.

Bf

The counting Bloom filter handle.

X

The element to decrement.

Returns

True on success.

bloomfilter_internal_state
Type

function (bf: opaque of bloomfilter) : string

Returns a string with a representation of a Bloom filter’s internal state. This is for debugging/testing purposes only.

Bf

The Bloom filter handle.

Returns

a string with a representation of a Bloom filter’s internal state.

bloomfilter_intersect
Type

function (bf1: opaque of bloomfilter, bf2: opaque of bloomfilter) : opaque of bloomfilter

Intersects two Bloom filters.

The resulting Bloom filter returns true when queried for elements that were contained in both Bloom filters. Note that intersected Bloom filters have a slightly higher probability of false positives than Bloom filters created from scratch.

Please note that, while this function works with basic and with counting Bloom filters, the result is always a basic Bloom filter: intersecting two counting Bloom filters yields a basic Bloom filter, because there is no reasonable definition of how to handle counters during intersection.

Bf1

The first Bloom filter handle.

Bf2

The second Bloom filter handle.

Returns

The intersection of bf1 and bf2.

bloomfilter_lookup
Type

function (bf: opaque of bloomfilter, x: any) : count

Retrieves the counter for a given element in a Bloom filter.

For a basic bloom filter, this is 0 when the element is not part of the bloom filter, or 1 if it is part of the bloom filter.

For a counting bloom filter, this is the estimate of how often an element was added.

Bf

The Bloom filter handle.

X

The element to count.

Returns

the counter associated with x in bf.

bloomfilter_merge
Type

function (bf1: opaque of bloomfilter, bf2: opaque of bloomfilter) : opaque of bloomfilter

Merges two Bloom filters.

Bf1

The first Bloom filter handle.

Bf2

The second Bloom filter handle.

Returns

The union of bf1 and bf2.
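
The parameters of these functions (false-positive rate, capacity, counter width, the seeding name) decide whether a Bloom filter is useful for detection or quietly misleading. The script below, added here as an example and not part of the Zeek distribution, uses a basic filter to flag the first contact with an external host without keeping a per-destination table, and a counting filter to approximate how many connections each external host currently has open, decrementing on teardown. The filter names and the threshold are made up.

```zeek
# Added example, not part of the Zeek distribution. A basic filter remembers
# which external hosts our network has already talked to; a counting filter
# tracks how many connections each external host currently has open.
# Names and the threshold are made up.

global seen_resp: opaque of bloomfilter;
global open_conns: opaque of bloomfilter;

event zeek_init()
	{
	# 1% false positives for up to 1,000,000 distinct destinations. The
	# explicit name fixes the hash seed, so filters built on different
	# workers with the same name and parameters can be combined later.
	seen_resp = bloomfilter_basic_init(0.01, 1000000, "seen-resp-v1");

	# 4 hash functions over 2^20 cells; max=255 gives 8-bit counters. Once
	# a counter saturates, adds are lost and later decrements can take it
	# to zero prematurely (false negatives), so keep max well above the
	# expected concurrency.
	open_conns = bloomfilter_counting_init(4, 1048576, 255, "open-conns-v1");
	}

# Record a destination; returns T if the filter had not seen it before.
# A false positive means a genuinely new host is missed, never that a known
# host is wrongly reported as new: basic filters have no false negatives.
function first_contact(d: addr): bool
	{
	local new = bloomfilter_lookup(seen_resp, d) == 0;
	bloomfilter_add(seen_resp, d);
	return new;
	}

# Fold in a filter received from another worker (same name and parameters).
function absorb(other: opaque of bloomfilter)
	{
	seen_resp = bloomfilter_merge(seen_resp, other);
	}

event new_connection(c: connection)
	{
	local r = c$id$resp_h;
	if ( Site::is_local_addr(r) )
		return;

	# The first element added fixes the element type (addr) of the filter.
	bloomfilter_add(open_conns, r);

	if ( first_contact(r) )
		print fmt("%s: first contact with external host %s", c$id$orig_h, r);

	# Counts from a counting filter are overestimates, never underestimates
	# (until counters saturate), so this threshold errs toward alerting.
	if ( bloomfilter_lookup(open_conns, r) > 200 )
		print fmt("%s: roughly %d connections currently open from our network",
		          r, bloomfilter_lookup(open_conns, r));
	}

event connection_state_remove(c: connection)
	{
	if ( ! Site::is_local_addr(c$id$resp_h) )
		bloomfilter_decrement(open_conns, c$id$resp_h);
	}
```

Adding in `new_connection` and decrementing in `connection_state_remove` keeps the counting filter balanced because both events fire for every connection; pairing the decrement with `connection_established` instead would leave every half-open or UDP flow counted forever.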

base/bif/cardinality-counter.bif.zeek

GLOBAL

Functions to create and manipulate probabilistic cardinality counters.

Namespace

GLOBAL

Summary
Functions

hll_cardinality_add: function

Adds an element to a HyperLogLog cardinality counter.

hll_cardinality_copy: function

Copy a HLL cardinality counter.

hll_cardinality_estimate: function

Estimate the current cardinality of an HLL cardinality counter.

hll_cardinality_init: function

Initializes a probabilistic cardinality counter that uses the HyperLogLog algorithm.

hll_cardinality_merge_into: function

Merges a HLL cardinality counter into another.

Detailed Interface
Functions
hll_cardinality_add
Type

function (handle: opaque of cardinality, elem: any) : bool

Adds an element to a HyperLogLog cardinality counter.

Handle

the HLL handle.

Elem

the element to add.

Returns

true on success.

hll_cardinality_copy
Type

function (handle: opaque of cardinality) : opaque of cardinality

Copy a HLL cardinality counter.

Handle

cardinality counter to copy.

Returns

copy of handle.

hll_cardinality_estimate
Type

function (handle: opaque of cardinality) : double

Estimate the current cardinality of an HLL cardinality counter.

Handle

the HLL handle.

Returns

the cardinality estimate. Returns -1.0 if the counter is empty.

hll_cardinality_init
Type

function (err: double, confidence: double) : opaque of cardinality

Initializes a probabilistic cardinality counter that uses the HyperLogLog algorithm.

Err

the desired error rate (e.g. 0.01).

Confidence

the desired confidence for the error rate (e.g., 0.95).

Returns

a HLL cardinality handle.

hll_cardinality_merge_into
Type

function (handle1: opaque of cardinality, handle2: opaque of cardinality) : bool

Merges a HLL cardinality counter into another.

Note

The same restrictions as for Bloom filter merging apply, see bloomfilter_merge.

Handle1

the first HLL handle, which will contain the merged result.

Handle2

the second HLL handle, which will be merged into the first.

Returns

true on success.
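
Distinct-destination counting per source is the classic job for these functions: a host fanning out across the Internet looks like a scan, and HyperLogLog answers "how many distinct" in a fixed, small amount of memory per source instead of a growing set. The script below, added here as an example and not part of the Zeek distribution, does that and merges per-source sketches into a global one; the threshold, expiry and error parameters are made up.

```zeek
# Added example, not part of the Zeek distribution: per-source distinct
# destination counting with HyperLogLog. Threshold, expiry and the
# error/confidence parameters are made up.

const fanout_threshold = 100.0 &redef;

# One sketch per internal source; state disappears after an idle hour.
global dsts_per_src: table[addr] of opaque of cardinality &read_expire=1hr;
global all_dsts: opaque of cardinality;
global reported: set[addr];

event zeek_init()
	{
	# 5% relative error at 95% confidence. Every sketch that is later
	# merged into another must be created with identical parameters.
	all_dsts = hll_cardinality_init(0.05, 0.95);
	}

# Add one (source, destination) observation and return the source's
# current estimate of distinct destinations.
function observe(src: addr, dst: addr): double
	{
	if ( src !in dsts_per_src )
		dsts_per_src[src] = hll_cardinality_init(0.05, 0.95);

	hll_cardinality_add(dsts_per_src[src], dst);
	hll_cardinality_add(all_dsts, dst);
	return hll_cardinality_estimate(dsts_per_src[src]);
	}

# Combine sketches (e.g. from several workers); the result lands in 'into'.
function merge_sketches(into: opaque of cardinality, from: opaque of cardinality): bool
	{
	return hll_cardinality_merge_into(into, from);
	}

event new_connection(c: connection)
	{
	local o = c$id$orig_h;
	if ( ! Site::is_local_addr(o) || Site::is_local_addr(c$id$resp_h) )
		return;

	local est = observe(o, c$id$resp_h);
	if ( est > fanout_threshold && o !in reported )
		{
		add reported[o];
		print fmt("%s has contacted roughly %.0f distinct external hosts", o, est);
		}
	}

event zeek_done()
	{
	# hll_cardinality_estimate returns -1.0 for a sketch nothing was added to.
	print fmt("distinct external destinations overall: %.0f",
	          hll_cardinality_estimate(all_dsts));
	}
```

The estimate carries the configured error, so a threshold of 100 should be read as "about a hundred, give or take five percent"; tightening the error parameter buys precision with more memory per sketch, which multiplies across every tracked source.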

base/bif/top-k.bif.zeek

GLOBAL

Functions to probabilistically determine top-k elements.

Namespace

GLOBAL

Summary
Functions

topk_add: function

Add a new observed object to the data structure.

topk_count: function

Get an overestimated count of how often a value has been encountered.

topk_epsilon: function

Get the maximal overestimation for count.

topk_get_top: function

Get the first k elements of the top-k data structure.

topk_init: function

Creates a top-k data structure which tracks size elements.

topk_merge: function

Merge the second top-k data structure into the first.

topk_merge_prune: function

Merge the second top-k data structure into the first and prunes the final data structure back to the size given on initialization.

topk_size: function

Get the number of elements this data structure is supposed to track (given on init).

topk_sum: function

Get the sum of all counts of all elements in the data structure.

Detailed Interface
Functions
topk_add
Type

function (handle: opaque of topk, value: any) : any

Add a new observed object to the data structure.

Note

The first added object sets the type of data tracked by the top-k data structure. All following values have to be of the same type.

Handle

the TopK handle.

Value

observed value.

topk_count
Type

function (handle: opaque of topk, value: any) : count

Get an overestimated count of how often a value has been encountered.

Note

The value has to be part of the currently tracked elements, otherwise 0 will be returned and an error message will be added to reporter.

Handle

the TopK handle.

Value

Value to look up count for.

Returns

Overestimated number for how often the element has been encountered.

topk_epsilon
Type

function (handle: opaque of topk, value: any) : count

Get the maximal overestimation for count.

Note

Same restrictions as for topk_count apply.

Handle

the TopK handle.

Value

Value to look up epsilon for.

Returns

Number which represents the maximal overestimation for the count of this element.

topk_get_top
Type

function (handle: opaque of topk, k: count) : any_vec

Get the first k elements of the top-k data structure.

Handle

the TopK handle.

K

number of elements to return.

Returns

vector of the first k elements.

topk_init
Type

function (size: count) : opaque of topk

Creates a top-k data structure which tracks size elements.

Size

number of elements to track.

Returns

Opaque pointer to the data structure.

See also:

topk_merge
Type

function (handle1: opaque of topk, handle2: opaque of topk) : any

Merge the second top-k data structure into the first.

Handle1

the first TopK handle.

Handle2

the second TopK handle.

Note

This does not remove any elements, the resulting data structure can be bigger than the maximum size given on initialization.

See also:

topk_merge_prune
Type

function (handle1: opaque of topk, handle2: opaque of topk) : any

Merge the second top-k data structure into the first and prune the final data structure back to the size given on initialization.

Note

Use with care and only when aware of the restrictions this entails. Do not call topk_size or topk_add afterwards; the results will probably not be what you expect.

Handle1

the TopK handle into which the second TopK structure is merged.

Handle2

the TopK handle which is merged into the first TopK structure.

See also:

topk_size
Type

function (handle: opaque of topk) : count

Get the number of elements this data structure is supposed to track (given on init).

Note

Note that the actual number of elements in the data structure can be lower or higher (due to non-pruned merges) than this.

Handle

the TopK handle.

Returns

size given during initialization.

See also:

topk_sum
Type

function (handle: opaque of topk) : count

Get the sum of all counts of all elements in the data structure.

Note

This is equal to the number of all inserted objects if the data structure has never been pruned. Do not use after calling topk_merge_prune (a warning message is reported if used afterwards).

Handle

the TopK handle.

Returns

sum of all counts.

See also:
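As an added example (not part of the Zeek distribution or its documentation), the script below uses the top-k BiFs above to keep the most frequently contacted responder ports and to report each count together with its maximal overestimation; the module name, the constants, the reporting interval and the helper `absorb` are assumptions made for this example.

```zeek
# Added example (not part of the Zeek distribution): keep the most frequently
# contacted responder ports in a top-k sketch and report each count together
# with its maximal overestimation (epsilon). Module name, sizes and the
# reporting interval are assumptions chosen for this example.
module TopPorts;

export {
    ## Number of elements the sketch tracks (passed to topk_init).
    const track_size = 100 &redef;
    ## How many entries to print per report.
    const report_top_n = 10 &redef;
    ## How often to report.
    const report_interval = 5min &redef;
}

global ports_seen: opaque of topk;

event report_top_ports()
    {
    local top = topk_get_top(ports_seen, report_top_n);

    for ( i in top )
        {
        local p = top[i] as port;
        # topk_count can only overestimate; topk_epsilon bounds that error,
        # so the true count lies in [cnt - eps, cnt]. Both calls are valid
        # here because p is currently tracked (it came from topk_get_top).
        local cnt = topk_count(ports_seen, p);
        local eps = topk_epsilon(ports_seen, p);
        print fmt("%s: %d observed (at least %d)", p, cnt, cnt - eps);
        }

    # Total observations; exact only as long as topk_merge_prune was never used.
    print fmt("total observations: %d", topk_sum(ports_seen));

    schedule report_interval { report_top_ports() };
    }

event zeek_init()
    {
    ports_seen = topk_init(track_size);
    schedule report_interval { report_top_ports() };
    }

event connection_established(c: connection)
    {
    # The first topk_add fixes the element type of the sketch (port here);
    # every later value must be a port as well.
    topk_add(ports_seen, c$id$resp_p);
    }

# Hypothetical helper: fold a sketch received from another node (for example
# another worker) into the local one. topk_merge keeps every element, so the
# result can hold more than track_size entries; topk_merge_prune would trim it
# back, but topk_add and topk_sum must not be used afterwards, which rules it
# out for a sketch that keeps receiving observations.
function absorb(other: opaque of topk)
    {
    topk_merge(ports_seen, other);
    }
```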

base/bif/plugins/__load__.zeek

Imports

base/bif/plugins/Zeek_ARP.events.bif.zeek, base/bif/plugins/Zeek_AsciiReader.ascii.bif.zeek, base/bif/plugins/Zeek_AsciiWriter.ascii.bif.zeek, base/bif/plugins/Zeek_BenchmarkReader.benchmark.bif.zeek, base/bif/plugins/Zeek_BinaryReader.binary.bif.zeek, base/bif/plugins/Zeek_BitTorrent.events.bif.zeek, base/bif/plugins/Zeek_ConfigReader.config.bif.zeek, base/bif/plugins/Zeek_ConnSize.events.bif.zeek, base/bif/plugins/Zeek_ConnSize.functions.bif.zeek, base/bif/plugins/Zeek_DCE_RPC.consts.bif.zeek, base/bif/plugins/Zeek_DCE_RPC.events.bif.zeek, base/bif/plugins/Zeek_DCE_RPC.types.bif.zeek, base/bif/plugins/Zeek_DHCP.events.bif.zeek, base/bif/plugins/Zeek_DHCP.types.bif.zeek, base/bif/plugins/Zeek_DNP3.events.bif.zeek, base/bif/plugins/Zeek_DNS.events.bif.zeek, base/bif/plugins/Zeek_FTP.events.bif.zeek, base/bif/plugins/Zeek_FTP.functions.bif.zeek, base/bif/plugins/Zeek_File.events.bif.zeek, base/bif/plugins/Zeek_FileEntropy.events.bif.zeek, base/bif/plugins/Zeek_FileExtract.events.bif.zeek, base/bif/plugins/Zeek_FileExtract.functions.bif.zeek, base/bif/plugins/Zeek_FileHash.events.bif.zeek, base/bif/plugins/Zeek_Finger.events.bif.zeek, base/bif/plugins/Zeek_GSSAPI.events.bif.zeek, base/bif/plugins/Zeek_GTPv1.events.bif.zeek, base/bif/plugins/Zeek_GTPv1.functions.bif.zeek, base/bif/plugins/Zeek_Geneve.events.bif.zeek, base/bif/plugins/Zeek_Gnutella.events.bif.zeek, base/bif/plugins/Zeek_HTTP.events.bif.zeek, base/bif/plugins/Zeek_HTTP.functions.bif.zeek, base/bif/plugins/Zeek_ICMP.events.bif.zeek, base/bif/plugins/Zeek_IMAP.events.bif.zeek, base/bif/plugins/Zeek_IRC.events.bif.zeek, base/bif/plugins/Zeek_Ident.events.bif.zeek, base/bif/plugins/Zeek_KRB.events.bif.zeek, base/bif/plugins/Zeek_KRB.types.bif.zeek, base/bif/plugins/Zeek_Login.events.bif.zeek, base/bif/plugins/Zeek_Login.functions.bif.zeek, base/bif/plugins/Zeek_MIME.events.bif.zeek, base/bif/plugins/Zeek_MQTT.events.bif.zeek, base/bif/plugins/Zeek_MQTT.types.bif.zeek, 
base/bif/plugins/Zeek_Modbus.events.bif.zeek, base/bif/plugins/Zeek_MySQL.events.bif.zeek, base/bif/plugins/Zeek_NCP.consts.bif.zeek, base/bif/plugins/Zeek_NCP.events.bif.zeek, base/bif/plugins/Zeek_NTLM.events.bif.zeek, base/bif/plugins/Zeek_NTLM.types.bif.zeek, base/bif/plugins/Zeek_NTP.events.bif.zeek, base/bif/plugins/Zeek_NTP.types.bif.zeek, base/bif/plugins/Zeek_NetBIOS.events.bif.zeek, base/bif/plugins/Zeek_NetBIOS.functions.bif.zeek, base/bif/plugins/Zeek_NoneWriter.none.bif.zeek, base/bif/plugins/Zeek_PE.events.bif.zeek, base/bif/plugins/Zeek_POP3.events.bif.zeek, base/bif/plugins/Zeek_RADIUS.events.bif.zeek, base/bif/plugins/Zeek_RDP.events.bif.zeek, base/bif/plugins/Zeek_RDP.types.bif.zeek, base/bif/plugins/Zeek_RFB.events.bif.zeek, base/bif/plugins/Zeek_RPC.events.bif.zeek, base/bif/plugins/Zeek_RawReader.raw.bif.zeek, base/bif/plugins/Zeek_SIP.events.bif.zeek, base/bif/plugins/Zeek_SMB.consts.bif.zeek, base/bif/plugins/Zeek_SMB.events.bif.zeek, base/bif/plugins/Zeek_SMB.smb1_com_check_directory.bif.zeek, base/bif/plugins/Zeek_SMB.smb1_com_close.bif.zeek, base/bif/plugins/Zeek_SMB.smb1_com_create_directory.bif.zeek, base/bif/plugins/Zeek_SMB.smb1_com_echo.bif.zeek, base/bif/plugins/Zeek_SMB.smb1_com_logoff_andx.bif.zeek, base/bif/plugins/Zeek_SMB.smb1_com_negotiate.bif.zeek, base/bif/plugins/Zeek_SMB.smb1_com_nt_cancel.bif.zeek, base/bif/plugins/Zeek_SMB.smb1_com_nt_create_andx.bif.zeek, base/bif/plugins/Zeek_SMB.smb1_com_query_information.bif.zeek, base/bif/plugins/Zeek_SMB.smb1_com_read_andx.bif.zeek, base/bif/plugins/Zeek_SMB.smb1_com_session_setup_andx.bif.zeek, base/bif/plugins/Zeek_SMB.smb1_com_transaction.bif.zeek, base/bif/plugins/Zeek_SMB.smb1_com_transaction2.bif.zeek, base/bif/plugins/Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek, base/bif/plugins/Zeek_SMB.smb1_com_transaction_secondary.bif.zeek, base/bif/plugins/Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek, base/bif/plugins/Zeek_SMB.smb1_com_tree_disconnect.bif.zeek, 
base/bif/plugins/Zeek_SMB.smb1_com_write_andx.bif.zeek, base/bif/plugins/Zeek_SMB.smb1_events.bif.zeek, base/bif/plugins/Zeek_SMB.smb2_com_close.bif.zeek, base/bif/plugins/Zeek_SMB.smb2_com_create.bif.zeek, base/bif/plugins/Zeek_SMB.smb2_com_negotiate.bif.zeek, base/bif/plugins/Zeek_SMB.smb2_com_read.bif.zeek, base/bif/plugins/Zeek_SMB.smb2_com_session_setup.bif.zeek, base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek, base/bif/plugins/Zeek_SMB.smb2_com_transform_header.bif.zeek, base/bif/plugins/Zeek_SMB.smb2_com_tree_connect.bif.zeek, base/bif/plugins/Zeek_SMB.smb2_com_tree_disconnect.bif.zeek, base/bif/plugins/Zeek_SMB.smb2_com_write.bif.zeek, base/bif/plugins/Zeek_SMB.smb2_events.bif.zeek, base/bif/plugins/Zeek_SMB.types.bif.zeek, base/bif/plugins/Zeek_SMTP.events.bif.zeek, base/bif/plugins/Zeek_SMTP.functions.bif.zeek, base/bif/plugins/Zeek_SNMP.events.bif.zeek, base/bif/plugins/Zeek_SNMP.types.bif.zeek, base/bif/plugins/Zeek_SOCKS.events.bif.zeek, base/bif/plugins/Zeek_SQLiteReader.sqlite.bif.zeek, base/bif/plugins/Zeek_SQLiteWriter.sqlite.bif.zeek, base/bif/plugins/Zeek_SSH.events.bif.zeek, base/bif/plugins/Zeek_SSH.types.bif.zeek, base/bif/plugins/Zeek_SSL.consts.bif.zeek, base/bif/plugins/Zeek_SSL.events.bif.zeek, base/bif/plugins/Zeek_SSL.functions.bif.zeek, base/bif/plugins/Zeek_SSL.types.bif.zeek, base/bif/plugins/Zeek_Syslog.events.bif.zeek, base/bif/plugins/Zeek_TCP.events.bif.zeek, base/bif/plugins/Zeek_TCP.functions.bif.zeek, base/bif/plugins/Zeek_TCP.types.bif.zeek, base/bif/plugins/Zeek_Teredo.events.bif.zeek, base/bif/plugins/Zeek_Teredo.functions.bif.zeek, base/bif/plugins/Zeek_UDP.events.bif.zeek, base/bif/plugins/Zeek_Unified2.events.bif.zeek, base/bif/plugins/Zeek_Unified2.types.bif.zeek, base/bif/plugins/Zeek_VXLAN.events.bif.zeek, base/bif/plugins/Zeek_X509.events.bif.zeek, base/bif/plugins/Zeek_X509.functions.bif.zeek, base/bif/plugins/Zeek_X509.ocsp_events.bif.zeek, base/bif/plugins/Zeek_X509.types.bif.zeek, 
base/bif/plugins/Zeek_XMPP.events.bif.zeek

Summary
Detailed Interface

base/bif/plugins/Zeek_BitTorrent.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

bittorrent_peer_bitfield: event

TODO.

bittorrent_peer_cancel: event

TODO.

bittorrent_peer_choke: event

TODO.

bittorrent_peer_handshake: event

TODO.

bittorrent_peer_have: event

TODO.

bittorrent_peer_interested: event

TODO.

bittorrent_peer_keep_alive: event

TODO.

bittorrent_peer_not_interested: event

TODO.

bittorrent_peer_piece: event

TODO.

bittorrent_peer_port: event

TODO.

bittorrent_peer_request: event

TODO.

bittorrent_peer_unchoke: event

TODO.

bittorrent_peer_unknown: event

TODO.

bittorrent_peer_weird: event

TODO.

bt_tracker_request: event

TODO.

bt_tracker_response: event

TODO.

bt_tracker_response_not_ok: event

TODO.

bt_tracker_weird: event

TODO.

Detailed Interface
Events
bittorrent_peer_bitfield
Type

event (c: connection, is_orig: bool, bitfield: string)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also:

bittorrent_peer_cancel
Type

event (c: connection, is_orig: bool, index: count, begin: count, length: count)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also:

bittorrent_peer_choke
Type

event (c: connection, is_orig: bool)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also:

bittorrent_peer_handshake
Type

event (c: connection, is_orig: bool, reserved: string, info_hash: string, peer_id: string)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also:

bittorrent_peer_have
Type

event (c: connection, is_orig: bool, piece_index: count)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also:

bittorrent_peer_interested
Type

event (c: connection, is_orig: bool)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also:

bittorrent_peer_keep_alive
Type

event (c: connection, is_orig: bool)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also:

bittorrent_peer_not_interested
Type

event (c: connection, is_orig: bool)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also:

bittorrent_peer_piece
Type

event (c: connection, is_orig: bool, index: count, begin: count, piece_length: count)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also:

bittorrent_peer_port
Type

event (c: connection, is_orig: bool, listen_port: port)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also:

bittorrent_peer_request
Type

event (c: connection, is_orig: bool, index: count, begin: count, length: count)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also:

bittorrent_peer_unchoke
Type

event (c: connection, is_orig: bool)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also:

bittorrent_peer_unknown
Type

event (c: connection, is_orig: bool, message_id: count, data: string)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also:

bittorrent_peer_weird
Type

event (c: connection, is_orig: bool, msg: string)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also:

bt_tracker_request
Type

event (c: connection, uri: string, headers: bt_tracker_headers)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also:

bt_tracker_response
Type

event (c: connection, status: count, headers: bt_tracker_headers, peers: bittorrent_peer_set, benc: bittorrent_benc_dir)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also:

bt_tracker_response_not_ok
Type

event (c: connection, status: count, headers: bt_tracker_headers)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also:

bt_tracker_weird
Type

event (c: connection, is_orig: bool, msg: string)

TODO.

See Wikipedia for more information about the BitTorrent protocol.

See also:

base/bif/plugins/Zeek_ConnSize.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

conn_bytes_threshold_crossed: event

Generated for a connection that crossed a set byte threshold.

conn_duration_threshold_crossed: event

Generated for a connection that crossed a set duration threshold.

conn_packets_threshold_crossed: event

Generated for a connection that crossed a set packet threshold.

Detailed Interface
Events
conn_bytes_threshold_crossed
Type

event (c: connection, threshold: count, is_orig: bool)

Generated for a connection that crossed a set byte threshold. Note that this is a low level event that should usually be avoided for user code. Use ConnThreshold::bytes_threshold_crossed instead.

C

the connection

Threshold

the threshold that was set

Is_orig

true if the threshold was crossed by the originator of the connection

See also:

conn_duration_threshold_crossed
Type

event (c: connection, threshold: interval, is_orig: bool)

Generated for a connection that crossed a set duration threshold. Note that this is a low level event that should usually be avoided for user code. Use ConnThreshold::duration_threshold_crossed instead.

Note that this event is not raised at the exact moment that a duration threshold is crossed; instead it is raised when the next packet is seen after the threshold has been crossed. On a connection that is idle, this can be raised significantly later.

C

the connection

Threshold

the threshold that was set

Is_orig

true if the threshold was crossed by the originator of the connection

See also:

conn_packets_threshold_crossed
Type

event (c: connection, threshold: count, is_orig: bool)

Generated for a connection that crossed a set packet threshold. Note that this is a low level event that should usually be avoided for user code. Use ConnThreshold::packets_threshold_crossed instead.

C

the connection

Threshold

the threshold that was set

Is_orig

true if the threshold was crossed by the originator of the connection

See also:

base/bif/plugins/Zeek_ConnSize.functions.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Functions

get_current_conn_bytes_threshold: function

Gets the current byte threshold for a connection.

get_current_conn_duration_threshold: function

Gets the current duration threshold size for a connection.

get_current_conn_packets_threshold: function

Gets the current packet threshold size for a connection.

set_current_conn_bytes_threshold: function

Sets the current byte threshold for connection sizes, overwriting any potential old threshold.

set_current_conn_duration_threshold: function

Sets the current duration threshold for a connection, overwriting any potential old threshold.

set_current_conn_packets_threshold: function

Sets a threshold for connection packets, overwriting any potential old thresholds.

Detailed Interface
Functions
get_current_conn_bytes_threshold
Type

function (cid: conn_id, is_orig: bool) : count

Gets the current byte threshold for a connection.

Cid

The connection id.

Is_orig

If true, the threshold of the originator; otherwise the threshold of the responder.

Returns

The threshold in bytes, or 0 if no threshold is set.

See also:

get_current_conn_duration_threshold
Type

function (cid: conn_id) : interval

Gets the current duration threshold size for a connection.

Cid

The connection id.

Returns

The threshold in seconds, or 0 if no threshold is set.

See also:

get_current_conn_packets_threshold
Type

function (cid: conn_id, is_orig: bool) : count

Gets the current packet threshold size for a connection.

Cid

The connection id.

Is_orig

If true, the threshold of the originator; otherwise the threshold of the responder.

Returns

The threshold in packets, or 0 if no threshold is set.

See also:

set_current_conn_bytes_threshold
Type

function (cid: conn_id, threshold: count, is_orig: bool) : bool

Sets the current byte threshold for connection sizes, overwriting any potential old threshold. Be aware that in nearly any case you will want to use the high level API instead (ConnThreshold::set_bytes_threshold).

Cid

The connection id.

Threshold

Threshold in bytes.

Is_orig

If true, the threshold is set for bytes from the originator; otherwise for bytes from the responder.

See also:

set_current_conn_duration_threshold
Type

function (cid: conn_id, threshold: interval) : bool

Sets the current duration threshold for a connection, overwriting any potential old threshold. Be aware that in nearly any case you will want to use the high level API instead (ConnThreshold::set_duration_threshold).

Cid

The connection id.

Threshold

Threshold in seconds.

See also:

set_current_conn_packets_threshold
Type

function (cid: conn_id, threshold: count, is_orig: bool) : bool

Sets a threshold for connection packets, overwriting any potential old thresholds. Be aware that in nearly any case you will want to use the high level API instead (ConnThreshold::set_packets_threshold).

Cid

The connection id.

Threshold

Threshold in packets.

Is_orig

If true, the threshold is set for packets from the originator; otherwise for packets from the responder.

See also:
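As an added example (not part of Zeek's own scripts), the following uses the high-level ConnThreshold API that the reference above recommends over the raw set_current_conn_*_threshold BiFs, raising notices for connections whose originator sends more than a set number of bytes and for connections that outlive a set duration; the module name, the notice types and the threshold values are assumptions made for this example.

```zeek
# Added example, not part of the Zeek distribution: use the high-level
# ConnThreshold API (which manages the per-connection threshold set and arms
# the low-level set_current_conn_*_threshold BiFs with the smallest value) to
# notice large outbound transfers and long-lived connections. Module name,
# notice types and threshold values are assumptions chosen for this example.
@load base/frameworks/notice
@load base/protocols/conn

module LargeTransfer;

export {
    redef enum Notice::Type += {
        ## The originator of a connection exceeded the byte threshold.
        Large_Outbound_Transfer,
        ## A connection outlived the duration threshold.
        Long_Lived_Connection,
    };

    ## Bytes from the originator before the first notice (assumed value).
    const bytes_threshold = 50 * 1024 * 1024 &redef;
    ## Connection lifetime before a notice (assumed value).
    const duration_threshold = 1hr &redef;
}

event connection_established(c: connection)
    {
    # Only the originator's byte count is watched (is_orig = T); the
    # duration threshold applies to the connection as a whole.
    ConnThreshold::set_bytes_threshold(c, bytes_threshold, T);
    ConnThreshold::set_duration_threshold(c, duration_threshold);
    }

event ConnThreshold::bytes_threshold_crossed(c: connection, threshold: count, is_orig: bool)
    {
    if ( ! is_orig )
        return;

    NOTICE([$note=Large_Outbound_Transfer,
            $conn=c,
            $msg=fmt("%s sent more than %d bytes to %s:%s",
                     c$id$orig_h, threshold, c$id$resp_h, c$id$resp_p),
            $identifier=cat(c$uid, threshold)]);

    # Re-arm at double the size so a transfer that keeps growing is
    # reported again instead of only once.
    ConnThreshold::set_bytes_threshold(c, threshold * 2, T);
    }

event ConnThreshold::duration_threshold_crossed(c: connection, threshold: interval, is_orig: bool)
    {
    # As the reference notes, this fires on the next packet after the
    # threshold, not at the exact instant, so an idle connection may be
    # reported well after `threshold` has elapsed.
    NOTICE([$note=Long_Lived_Connection,
            $conn=c,
            $msg=fmt("connection %s has been open for more than %s", c$uid, threshold),
            $identifier=c$uid]);
    }
```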

base/bif/plugins/Zeek_DCE_RPC.consts.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Detailed Interface

base/bif/plugins/Zeek_DCE_RPC.types.bif.zeek

DCE_RPC
GLOBAL
Namespaces

DCE_RPC, GLOBAL

Summary
Types

DCE_RPC::IfID: enum

DCE_RPC::PType: enum

Detailed Interface
Types
DCE_RPC::IfID
Type

enum

DCE_RPC::unknown_if
DCE_RPC::epmapper
DCE_RPC::lsarpc
DCE_RPC::lsa_ds
DCE_RPC::mgmt
DCE_RPC::netlogon
DCE_RPC::samr
DCE_RPC::srvsvc
DCE_RPC::spoolss
DCE_RPC::drs
DCE_RPC::winspipe
DCE_RPC::wkssvc
DCE_RPC::oxid
DCE_RPC::ISCMActivator
DCE_RPC::PType
Type

enum

DCE_RPC::REQUEST
DCE_RPC::PING
DCE_RPC::RESPONSE
DCE_RPC::FAULT
DCE_RPC::WORKING
DCE_RPC::NOCALL
DCE_RPC::REJECT
DCE_RPC::ACK
DCE_RPC::CL_CANCEL
DCE_RPC::FACK
DCE_RPC::CANCEL_ACK
DCE_RPC::BIND
DCE_RPC::BIND_ACK
DCE_RPC::BIND_NAK
DCE_RPC::ALTER_CONTEXT
DCE_RPC::ALTER_CONTEXT_RESP
DCE_RPC::AUTH3
DCE_RPC::SHUTDOWN
DCE_RPC::CO_CANCEL
DCE_RPC::ORPHANED
DCE_RPC::RTS

base/bif/plugins/Zeek_DCE_RPC.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

dce_rpc_alter_context: event

Generated for every DCE-RPC alter context request message.

dce_rpc_alter_context_resp: event

Generated for every DCE-RPC alter context response message.

dce_rpc_bind: event

Generated for every DCE-RPC bind request message.

dce_rpc_bind_ack: event

Generated for every DCE-RPC bind request ack message.

dce_rpc_message: event

Generated for every DCE-RPC message.

dce_rpc_request: event

Generated for every DCE-RPC request message.

dce_rpc_request_stub: event

Generated for every DCE-RPC request message.

dce_rpc_response: event

Generated for every DCE-RPC response message.

dce_rpc_response_stub: event

Generated for every DCE-RPC response message.

Detailed Interface
Events
dce_rpc_alter_context
Type

event (c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count)

Generated for every DCE-RPC alter context request message. Since RPC offers the ability for a client to request connections to multiple endpoints, this event can occur multiple times for a single RPC message.

C

The connection.

Fid

File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

Ctx_id

The context identifier of the data representation.

Uuid

The string-interpreted UUID of the endpoint being requested.

Ver_major

The major version of the endpoint being requested.

Ver_minor

The minor version of the endpoint being requested.

See also:

dce_rpc_alter_context_resp
Type

event (c: connection, fid: count)

Generated for every DCE-RPC alter context response message.

C

The connection.

Fid

File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

See also:

dce_rpc_bind
Type

event (c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count)

Generated for every DCE-RPC bind request message. Since RPC offers the ability for a client to request connections to multiple endpoints, this event can occur multiple times for a single RPC message.

C

The connection.

Fid

File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

Ctx_id

The context identifier of the data representation.

Uuid

The string-interpreted UUID of the endpoint being requested.

Ver_major

The major version of the endpoint being requested.

Ver_minor

The minor version of the endpoint being requested.

See also:

dce_rpc_bind_ack
Type

event (c: connection, fid: count, sec_addr: string)

Generated for every DCE-RPC bind request ack message.

C

The connection.

Fid

File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

Sec_addr

Secondary address for the ack.

See also:

dce_rpc_message
Type

event (c: connection, is_orig: bool, fid: count, ptype_id: count, ptype: DCE_RPC::PType)

Generated for every DCE-RPC message.

C

The connection.

Is_orig

True if the message was sent by the originator of the TCP connection.

Fid

File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

Ptype_id

Numeric representation of the procedure type of the message.

Ptype

Enum representation of the procedure type of the message.

See also:

dce_rpc_request
Type

event (c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count)

Generated for every DCE-RPC request message.

C

The connection.

Fid

File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

Ctx_id

The context identifier of the data representation.

Opnum

Number of the RPC operation.

Stub_len

Length of the data for the request.

See also:

dce_rpc_request_stub
Type

event (c: connection, fid: count, ctx_id: count, opnum: count, stub: string)

Generated for every DCE-RPC request message.

C

The connection.

Fid

File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

Ctx_id

The context identifier of the data representation.

Opnum

Number of the RPC operation.

Stub

The data for the request.

See also:

dce_rpc_response
Type

event (c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count)

Generated for every DCE-RPC response message.

C

The connection.

Fid

File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

Ctx_id

The context identifier of the data representation.

Opnum

Number of the RPC operation.

Stub_len

Length of the data for the response.

See also:

dce_rpc_response_stub
Type

event (c: connection, fid: count, ctx_id: count, opnum: count, stub: string)

Generated for every DCE-RPC response message.

C

The connection.

Fid

File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the DCE-RPC was not transported over a pipe.

Ctx_id

The context identifier of the data representation.

Opnum

Number of the RPC operation.

Stub

The data for the response.

See also:

base/bif/plugins/Zeek_DHCP.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

dhcp_message: event

Generated for all DHCP messages.

Detailed Interface
Events
dhcp_message
Type

event (c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)

Generated for all DHCP messages.

C

The connection record describing the underlying UDP flow.

Is_orig

Indicates whether the message came in a packet from the originator/client of the UDP flow or from the responder/server.

Msg

The parsed type-independent part of the DHCP message. The message type is indicated in this record.

Options

The full set of supported and parsed DHCP options.

base/bif/plugins/Zeek_DHCP.types.bif.zeek

DHCP
GLOBAL
Namespaces

DHCP, GLOBAL

Summary
Detailed Interface

base/bif/plugins/Zeek_DNP3.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

dnp3_analog_input_16wFlag: event

Generated for DNP3 objects with the group number 30 and variation number 2 analog input 16 bit with flag

dnp3_analog_input_16woFlag: event

Generated for DNP3 objects with the group number 30 and variation number 4 analog input 16 bit without flag

dnp3_analog_input_32wFlag: event

Generated for DNP3 objects with the group number 30 and variation number 1 analog input 32 bit with flag

dnp3_analog_input_32woFlag: event

Generated for DNP3 objects with the group number 30 and variation number 3 analog input 32 bit without flag

dnp3_analog_input_DPwFlag: event

Generated for DNP3 objects with the group number 30 and variation number 6 analog input double precision, float point with flag

dnp3_analog_input_SPwFlag: event

Generated for DNP3 objects with the group number 30 and variation number 5 analog input single precision, float point with flag

dnp3_analog_input_event_16wTime: event

Generated for DNP3 objects with the group number 32 and variation number 4 analog input event 16 bit with time

dnp3_analog_input_event_16woTime: event

Generated for DNP3 objects with the group number 32 and variation number 2 analog input event 16 bit without time

dnp3_analog_input_event_32wTime: event

Generated for DNP3 objects with the group number 32 and variation number 3 analog input event 32 bit with time

dnp3_analog_input_event_32woTime: event

Generated for DNP3 objects with the group number 32 and variation number 1 analog input event 32 bit without time

dnp3_analog_input_event_DPwTime: event

Generated for DNP3 objects with the group number 32 and variation number 8 analog input event double-precision float point with time

dnp3_analog_input_event_DPwoTime: event

Generated for DNP3 objects with the group number 32 and variation number 6 analog input event double-precision float point without time

dnp3_analog_input_event_SPwTime: event

Generated for DNP3 objects with the group number 32 and variation number 7 analog input event single-precision float point with time

dnp3_analog_input_event_SPwoTime: event

Generated for DNP3 objects with the group number 32 and variation number 5 analog input event single-precision float point without time

dnp3_application_request_header: event

Generated for a DNP3 request header.

dnp3_application_response_header: event

Generated for a DNP3 response header.

dnp3_attribute_common: event

Generated for DNP3 attributes.

dnp3_counter_16wFlag: event

Generated for DNP3 objects with the group number 20 and variation number 2 counter 16 bit with flag

dnp3_counter_16woFlag: event

Generated for DNP3 objects with the group number 20 and variation number 6 counter 16 bit without flag

dnp3_counter_32wFlag: event

Generated for DNP3 objects with the group number 20 and variation number 1 counter 32 bit with flag

dnp3_counter_32woFlag: event

Generated for DNP3 objects with the group number 20 and variation number 5 counter 32 bit without flag

dnp3_crob: event

Generated for DNP3 objects with the group number 12 and variation number 1 CROB: control relay output block

dnp3_debug_byte: event

Debugging event generated by the DNP3 analyzer.

dnp3_file_transport: event

Generated for DNP3 file transport objects (group number 70).

dnp3_frozen_analog_input_16wFlag: event

Generated for DNP3 objects with the group number 31 and variation number 2 frozen analog input 16 bit with flag

dnp3_frozen_analog_input_16wTime: event

Generated for DNP3 objects with the group number 31 and variation number 4 frozen analog input 16 bit with time-of-freeze

dnp3_frozen_analog_input_16woFlag: event

Generated for DNP3 objects with the group number 31 and variation number 6 frozen analog input 16 bit without flag

dnp3_frozen_analog_input_32wFlag: event

Generated for DNP3 objects with the group number 31 and variation number 1 frozen analog input 32 bit with flag

dnp3_frozen_analog_input_32wTime: event

Generated for DNP3 objects with the group number 31 and variation number 3 frozen analog input 32 bit with time-of-freeze

dnp3_frozen_analog_input_32woFlag: event

Generated for DNP3 objects with the group number 31 and variation number 5 frozen analog input 32 bit without flag

dnp3_frozen_analog_input_DPwFlag: event

Generated for DNP3 objects with the group number 31 and variation number 8 frozen analog input double-precision, float point with flag

dnp3_frozen_analog_input_SPwFlag: event

Generated for DNP3 objects with the group number 31 and variation number 7 frozen analog input single-precision, float point with flag

dnp3_frozen_analog_input_event_16wTime: event

Generated for DNP3 objects with the group number 33 and variation number 4 frozen analog input event 16 bit with time

dnp3_frozen_analog_input_event_16woTime: event

Generated for DNP3 objects with the group number 33 and variation number 2 frozen analog input event 16 bit without time

dnp3_frozen_analog_input_event_32wTime: event

Generated for DNP3 objects with the group number 33 and variation number 3 frozen analog input event 32 bit with time

dnp3_frozen_analog_input_event_32woTime: event

Generated for DNP3 objects with the group number 33 and variation number 1 frozen analog input event 32 bit without time

dnp3_frozen_analog_input_event_DPwTime: event

Generated for DNP3 objects with the group number 34 and variation number 8 frozen analog input event double-precision float point with time

dnp3_frozen_analog_input_event_DPwoTime: event

Generated for DNP3 objects with the group number 33 and variation number 6 frozen analog input event double-precision float point without time

dnp3_frozen_analog_input_event_SPwTime: event

Generated for DNP3 objects with the group number 33 and variation number 7 frozen analog input event single-precision float point with time

dnp3_frozen_analog_input_event_SPwoTime: event

Generated for DNP3 objects with the group number 33 and variation number 5 frozen analog input event single-precision float point without time

dnp3_frozen_counter_16wFlag: event

Generated for DNP3 objects with the group number 21 and variation number 2 frozen counter 16 bit with flag

dnp3_frozen_counter_16wFlagTime: event

Generated for DNP3 objects with the group number 21 and variation number 6 frozen counter 16 bit with flag and time

dnp3_frozen_counter_16woFlag: event

Generated for DNP3 objects with the group number 21 and variation number 10 frozen counter 16 bit without flag

dnp3_frozen_counter_32wFlag: event

Generated for DNP3 objects with the group number 21 and variation number 1 frozen counter 32 bit with flag

dnp3_frozen_counter_32wFlagTime: event

Generated for DNP3 objects with the group number 21 and variation number 5 frozen counter 32 bit with flag and time

dnp3_frozen_counter_32woFlag: event

Generated for DNP3 objects with the group number 21 and variation number 9 frozen counter 32 bit without flag

dnp3_header_block: event

Generated for an additional header that the DNP3 analyzer passes to the script level.

dnp3_object_header: event

Generated for the object header found in both DNP3 requests and responses.

dnp3_object_prefix: event

Generated for the prefix before a DNP3 object.

dnp3_pcb: event

Generated for DNP3 objects with the group number 12 and variation number 2 PCB: Pattern Control Block

dnp3_response_data_object: event

Generated for a DNP3 “Response_Data_Object”.

Detailed Interface
Events
dnp3_analog_input_16wFlag
Type

event (c: connection, is_orig: bool, flag: count, value: count)

Generated for DNP3 objects with the group number 30 and variation number 2 analog input 16 bit with flag

dnp3_analog_input_16woFlag
Type

event (c: connection, is_orig: bool, value: count)

Generated for DNP3 objects with the group number 30 and variation number 4 analog input 16 bit without flag

dnp3_analog_input_32wFlag
Type

event (c: connection, is_orig: bool, flag: count, value: count)

Generated for DNP3 objects with the group number 30 and variation number 1 analog input 32 bit with flag

dnp3_analog_input_32woFlag
Type

event (c: connection, is_orig: bool, value: count)

Generated for DNP3 objects with the group number 30 and variation number 3 analog input 32 bit without flag

dnp3_analog_input_DPwFlag
Type

event (c: connection, is_orig: bool, flag: count, value_low: count, value_high: count)

Generated for DNP3 objects with the group number 30 and variation number 6 analog input double-precision floating point with flag

dnp3_analog_input_SPwFlag
Type

event (c: connection, is_orig: bool, flag: count, value: count)

Generated for DNP3 objects with the group number 30 and variation number 5 analog input single-precision floating point with flag

dnp3_analog_input_event_16wTime
Type

event (c: connection, is_orig: bool, flag: count, value: count, time48: count)

Generated for DNP3 objects with the group number 32 and variation number 4 analog input event 16 bit with time

dnp3_analog_input_event_16woTime
Type

event (c: connection, is_orig: bool, flag: count, value: count)

Generated for DNP3 objects with the group number 32 and variation number 2 analog input event 16 bit without time

dnp3_analog_input_event_32wTime
Type

event (c: connection, is_orig: bool, flag: count, value: count, time48: count)

Generated for DNP3 objects with the group number 32 and variation number 3 analog input event 32 bit with time

dnp3_analog_input_event_32woTime
Type

event (c: connection, is_orig: bool, flag: count, value: count)

Generated for DNP3 objects with the group number 32 and variation number 1 analog input event 32 bit without time

dnp3_analog_input_event_DPwTime
Type

event (c: connection, is_orig: bool, flag: count, value_low: count, value_high: count, time48: count)

Generated for DNP3 objects with the group number 32 and variation number 8 analog input event double-precision floating point with time

dnp3_analog_input_event_DPwoTime
Type

event (c: connection, is_orig: bool, flag: count, value_low: count, value_high: count)

Generated for DNP3 objects with the group number 32 and variation number 6 analog input event double-precision floating point without time

dnp3_analog_input_event_SPwTime
Type

event (c: connection, is_orig: bool, flag: count, value: count, time48: count)

Generated for DNP3 objects with the group number 32 and variation number 7 analog input event single-precision floating point with time

dnp3_analog_input_event_SPwoTime
Type

event (c: connection, is_orig: bool, flag: count, value: count)

Generated for DNP3 objects with the group number 32 and variation number 5 analog input event single-precision floating point without time

dnp3_application_request_header
Type

event (c: connection, is_orig: bool, application: count, fc: count)

Generated for a DNP3 request header.

C

The connection the DNP3 communication is part of.

Is_orig

True if this reflects originator-side activity.

Fc

The application-layer function code of the request.

dnp3_application_response_header
Type

event (c: connection, is_orig: bool, application: count, fc: count, iin: count)

Generated for a DNP3 response header.

C

The connection the DNP3 communication is part of.

Is_orig

True if this reflects originator-side activity.

Fc

The application-layer function code of the response.

Iin

The internal indications (IIN) field, through which the outstation reports its status to the master.

dnp3_attribute_common
Type

event (c: connection, is_orig: bool, data_type_code: count, leng: count, attribute_obj: string)

Generated for DNP3 attributes.

dnp3_counter_16wFlag
Type

event (c: connection, is_orig: bool, flag: count, count_value: count)

Generated for DNP3 objects with the group number 20 and variation number 2 counter 16 bit with flag

dnp3_counter_16woFlag
Type

event (c: connection, is_orig: bool, count_value: count)

Generated for DNP3 objects with the group number 20 and variation number 6 counter 16 bit without flag

dnp3_counter_32wFlag
Type

event (c: connection, is_orig: bool, flag: count, count_value: count)

Generated for DNP3 objects with the group number 20 and variation number 1 counter 32 bit with flag

dnp3_counter_32woFlag
Type

event (c: connection, is_orig: bool, count_value: count)

Generated for DNP3 objects with the group number 20 and variation number 5 counter 32 bit without flag

dnp3_crob
Type

event (c: connection, is_orig: bool, control_code: count, count8: count, on_time: count, off_time: count, status_code: count)

Generated for DNP3 objects with the group number 12 and variation number 1 (CROB: control relay output block).
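
The following script is an added example, not part of Zeek's own script library. It shows how the dnp3_application_request_header and dnp3_crob events above are typically consumed in practice: a notice is raised when a state-changing function code (WRITE, SELECT/OPERATE, restarts, file deletion) arrives from a master that is not on a site allow-list, and every CROB operate is recorded as an audit trail with its operation type decoded from the low four bits of the control code. The module name, notice names, allow-list addresses and the function-code table are assumptions made for the example; Zeek's base/protocols/dnp3 scripts ship their own, fuller function-code table.

```zeek
##! Added example (not part of Zeek's own scripts): alert on DNP3 control and
##! restart requests from masters outside an allow-list, and audit CROB operates.
##! The allow-list, notice names and module name are assumptions for this example.

@load base/frameworks/notice
@load base/protocols/dnp3

module DNP3Watch;

export {
	redef enum Notice::Type += {
		## A state-changing function code was requested by an unlisted master.
		Unauthorized_Control,
		## A CROB (group 12, variation 1) was sent by a master; kept as an audit trail.
		CROB_Operate,
	};

	## Hypothetical allow-list of DNP3 master stations (constructed for the example).
	const authorized_masters: set[addr] = { 10.0.0.5, 10.0.0.6 } &redef;

	## Application-layer function codes that change outstation state (IEEE 1815).
	const control_fcs: table[count] of string = {
		[0x02] = "WRITE",
		[0x03] = "SELECT",
		[0x04] = "OPERATE",
		[0x05] = "DIRECT_OPERATE",
		[0x06] = "DIRECT_OPERATE_NR",
		[0x0d] = "COLD_RESTART",
		[0x0e] = "WARM_RESTART",
		[0x12] = "STOP_APPL",
		[0x1b] = "DELETE_FILE",
	};
}

# The CROB operation type is carried in the low four bits of the control code.
const crob_op_types: table[count] of string = {
	[0] = "NUL", [1] = "PULSE_ON", [2] = "PULSE_OFF",
	[3] = "LATCH_ON", [4] = "LATCH_OFF",
};

event dnp3_application_request_header(c: connection, is_orig: bool, application: count, fc: count)
	{
	if ( fc !in control_fcs )
		return;

	if ( c$id$orig_h in authorized_masters )
		return;

	NOTICE([$note=Unauthorized_Control,
	        $conn=c,
	        $msg=fmt("DNP3 %s (fc=0x%02x) from unexpected master %s to outstation %s",
	                 control_fcs[fc], fc, c$id$orig_h, c$id$resp_h),
	        # Suppress repeats per master/outstation/function-code triple.
	        $identifier=cat(c$id$orig_h, c$id$resp_h, fc)]);
	}

event dnp3_crob(c: connection, is_orig: bool, control_code: count, count8: count,
                on_time: count, off_time: count, status_code: count)
	{
	# Assumes the master opened the TCP connection, so the request is originator-side;
	# the outstation's response echoes the block back with a status code.
	if ( ! is_orig )
		return;

	local op = control_code & 0x0f;
	local op_name = op in crob_op_types ? crob_op_types[op] : fmt("UNKNOWN(%d)", op);

	NOTICE([$note=CROB_Operate,
	        $conn=c,
	        $msg=fmt("DNP3 CROB %s count=%d on=%dms off=%dms from %s to %s",
	                 op_name, count8, on_time, off_time, c$id$orig_h, c$id$resp_h)]);
	}
```

Load it with `zeek -r capture.pcap dnp3-watch.zeek` (any file name works) and the notices appear in notice.log. The CROB handler deliberately does not filter on the allow-list: in an OT environment the record of every operate, including authorised ones, is what an incident responder needs.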

dnp3_debug_byte
Type

event (c: connection, is_orig: bool, debug: string)

Debugging event generated by the DNP3 analyzer. The “Debug_Byte” binpac unit raises it for bytes that match none of the parser’s known cases, so the debug string can be inspected to see what part of a malformed packet the analyzer could not parse.

dnp3_file_transport
Type

event (c: connection, is_orig: bool, file_handle: count, block_num: count, file_data: string)

Generated for DNP3 file transport objects (group number 70), i.e., the blocks of a file transfer between master and outstation.

dnp3_frozen_analog_input_16wFlag
Type

event (c: connection, is_orig: bool, flag: count, frozen_value: count)

Generated for DNP3 objects with the group number 31 and variation number 2 frozen analog input 16 bit with flag

dnp3_frozen_analog_input_16wTime
Type

event (c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count)

Generated for DNP3 objects with the group number 31 and variation number 4 frozen analog input 16 bit with time-of-freeze

dnp3_frozen_analog_input_16woFlag
Type

event (c: connection, is_orig: bool, frozen_value: count)

Generated for DNP3 objects with the group number 31 and variation number 6 frozen analog input 16 bit without flag

dnp3_frozen_analog_input_32wFlag
Type

event (c: connection, is_orig: bool, flag: count, frozen_value: count)

Generated for DNP3 objects with the group number 31 and variation number 1 frozen analog input 32 bit with flag

dnp3_frozen_analog_input_32wTime
Type

event (c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count)

Generated for DNP3 objects with the group number 31 and variation number 3 frozen analog input 32 bit with time-of-freeze

dnp3_frozen_analog_input_32woFlag
Type

event (c: connection, is_orig: bool, frozen_value: count)

Generated for DNP3 objects with the group number 31 and variation number 5 frozen analog input 32 bit without flag

dnp3_frozen_analog_input_DPwFlag
Type

event (c: connection, is_orig: bool, flag: count, frozen_value_low: count, frozen_value_high: count)

Generated for DNP3 objects with the group number 31 and variation number 8 frozen analog input double-precision floating point with flag

dnp3_frozen_analog_input_SPwFlag
Type

event (c: connection, is_orig: bool, flag: count, frozen_value: count)

Generated for DNP3 objects with the group number 31 and variation number 7 frozen analog input single-precision floating point with flag

dnp3_frozen_analog_input_event_16wTime
Type

event (c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count)

Generated for DNP3 objects with the group number 33 and variation number 4 frozen analog input event 16 bit with time

dnp3_frozen_analog_input_event_16woTime
Type

event (c: connection, is_orig: bool, flag: count, frozen_value: count)

Generated for DNP3 objects with the group number 33 and variation number 2 frozen analog input event 16 bit without time

dnp3_frozen_analog_input_event_32wTime
Type

event (c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count)

Generated for DNP3 objects with the group number 33 and variation number 3 frozen analog input event 32 bit with time

dnp3_frozen_analog_input_event_32woTime
Type

event (c: connection, is_orig: bool, flag: count, frozen_value: count)

Generated for DNP3 objects with the group number 33 and variation number 1 frozen analog input event 32 bit without time

dnp3_frozen_analog_input_event_DPwTime
Type

event (c: connection, is_orig: bool, flag: count, frozen_value_low: count, frozen_value_high: count, time48: count)

Generated for DNP3 objects with the group number 33 and variation number 8 frozen analog input event double-precision floating point with time

dnp3_frozen_analog_input_event_DPwoTime
Type

event (c: connection, is_orig: bool, flag: count, frozen_value_low: count, frozen_value_high: count)

Generated for DNP3 objects with the group number 33 and variation number 6 frozen analog input event double-precision floating point without time

dnp3_frozen_analog_input_event_SPwTime
Type

event (c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count)

Generated for DNP3 objects with the group number 33 and variation number 7 frozen analog input event single-precision floating point with time

dnp3_frozen_analog_input_event_SPwoTime
Type

event (c: connection, is_orig: bool, flag: count, frozen_value: count)

Generated for DNP3 objects with the group number 33 and variation number 5 frozen analog input event single-precision floating point without time

dnp3_frozen_counter_16wFlag
Type

event (c: connection, is_orig: bool, flag: count, count_value: count)

Generated for DNP3 objects with the group number 21 and variation number 2 frozen counter 16 bit with flag

dnp3_frozen_counter_16wFlagTime
Type

event (c: connection, is_orig: bool, flag: count, count_value: count, time48: count)

Generated for DNP3 objects with the group number 21 and variation number 6 frozen counter 16 bit with flag and time

dnp3_frozen_counter_16woFlag
Type

event (c: connection, is_orig: bool, count_value: count)

Generated for DNP3 objects with the group number 21 and variation number 10 frozen counter 16 bit without flag

dnp3_frozen_counter_32wFlag
Type

event (c: connection, is_orig: bool, flag: count, count_value: count)

Generated for DNP3 objects with the group number 21 and variation number 1 frozen counter 32 bit with flag

dnp3_frozen_counter_32wFlagTime
Type

event (c: connection, is_orig: bool, flag: count, count_value: count, time48: count)

Generated for DNP3 objects with the group number 21 and variation number 5 frozen counter 32 bit with flag and time

dnp3_frozen_counter_32woFlag
Type

event (c: connection, is_orig: bool, count_value: count)

Generated for DNP3 objects with the group number 21 and variation number 9 frozen counter 32 bit without flag

dnp3_header_block
Type

event (c: connection, is_orig: bool, len: count, ctrl: count, dest_addr: count, src_addr: count)

Generated for an additional header that the DNP3 analyzer passes to the script-level. This header mimics the DNP3 transport-layer yet is only passed once for each sequence of DNP3 records (which are otherwise reassembled and treated as a single entity).

C

The connection the DNP3 communication is part of.

Is_orig

True if this reflects originator-side activity.

Len

the “length” field in the DNP3 Pseudo Link Layer.

Ctrl

the “control” field in the DNP3 Pseudo Link Layer.

Dest_addr

the “destination” field in the DNP3 Pseudo Link Layer.

Src_addr

the “source” field in the DNP3 Pseudo Link Layer.

dnp3_object_header
Type

event (c: connection, is_orig: bool, obj_type: count, qua_field: count, number: count, rf_low: count, rf_high: count)

Generated for the object header found in both DNP3 requests and responses.

C

The connection the DNP3 communication is part of.

Is_orig

True if this reflects originator-side activity.

Obj_type

type of object, which is classified based on an 8-bit group number and an 8-bit variation number.

Qua_field

qualifier field.

Number

TODO.

Rf_low

The structure of the range field depends on the qualifier field. In some cases the range field has only one logical part, e.g., the number of objects, and then only rf_low carries a useful value.

Rf_high

In some cases the range field has two logical parts, e.g., a start index and a stop index; rf_low then holds the start index and rf_high the stop index.

dnp3_object_prefix
Type

event (c: connection, is_orig: bool, prefix_value: count)

Generated for the prefix before a DNP3 object. The structure and the meaning of the prefix are defined by the qualifier field.

C

The connection the DNP3 communication is part of.

Is_orig

True if this reflects originator-side activity.

Prefix_value

The prefix.

dnp3_pcb
Type

event (c: connection, is_orig: bool, control_code: count, count8: count, on_time: count, off_time: count, status_code: count)

Generated for DNP3 objects with the group number 12 and variation number 2 (PCB: Pattern Control Block).

dnp3_response_data_object
Type

event (c: connection, is_orig: bool, data_value: count)

Generated for a DNP3 “Response_Data_Object”. The “Response_Data_Object” contains two parts: object prefix and object data. In most cases, object data are defined by new record types. But in a few cases, object data are directly basic types, such as int16_t, or int8_t; thus we use an additional data_value to record the values of those object data.

C

The connection the DNP3 communication is part of.

Is_orig

True if this reflects originator-side activity.

Data_value

The value for those objects that carry their information here directly.

base/bif/plugins/Zeek_DNS.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

dns_A6_reply: event

Generated for DNS replies of type A6.

dns_AAAA_reply: event

Generated for DNS replies of type AAAA.

dns_A_reply: event

Generated for DNS replies of type A.

dns_BINDS: event

Generated for DNS replies of type BINDS.

dns_CAA_reply: event

Generated for DNS replies of type CAA (Certification Authority Authorization).

dns_CNAME_reply: event

Generated for DNS replies of type CNAME.

dns_DNSKEY: event

Generated for DNS replies of type DNSKEY.

dns_DS: event

Generated for DNS replies of type DS.

dns_EDNS_addl: event

Generated for DNS replies of type EDNS.

dns_EDNS_cookie: event

Generated for DNS replies of type EDNS, and an option field in this EDNS record has an opt-type of 10.

dns_EDNS_ecs: event

Generated for DNS replies of type EDNS.

dns_EDNS_tcp_keepalive: event

Generated for DNS replies of type EDNS, and an option field in this EDNS record has an opt-type of 11.

dns_HINFO_reply: event

Generated for DNS replies of type HINFO.

dns_HTTPS: event

Generated for DNS replies of type HTTPS (HTTPS Specific Service Endpoints).

dns_LOC: event

Generated for DNS replies of type LOC.

dns_MX_reply: event

Generated for DNS replies of type MX.

dns_NSEC: event

Generated for DNS replies of type NSEC.

dns_NSEC3: event

Generated for DNS replies of type NSEC3.

dns_NSEC3PARAM: event

Generated for DNS replies of type NSEC3PARAM.

dns_NS_reply: event

Generated for DNS replies of type NS.

dns_PTR_reply: event

Generated for DNS replies of type PTR.

dns_RRSIG: event

Generated for DNS replies of type RRSIG.

dns_SOA_reply: event

Generated for DNS replies of type SOA.

dns_SPF_reply: event

Generated for DNS replies of type SPF.

dns_SRV_reply: event

Generated for DNS replies of type SRV.

dns_SSHFP: event

Generated for DNS replies of type SSHFP.

dns_SVCB: event

Generated for DNS replies of type SVCB (General Purpose Service Endpoints).

dns_TSIG_addl: event

Generated for DNS replies of type TSIG.

dns_TXT_reply: event

Generated for DNS replies of type TXT.

dns_WKS_reply: event

Generated for DNS replies of type WKS.

dns_end: event

Generated at the end of processing a DNS packet.

dns_message: event

Generated for all DNS messages.

dns_query_reply: event

Generated for each entry in the Question section of a DNS reply.

dns_rejected: event

Generated for DNS replies that reject a query.

dns_request: event

Generated for DNS requests.

dns_unknown_reply: event

Generated on DNS reply resource records when the type of record is not one that Zeek knows how to parse and generate another more specific event.

Detailed Interface
Events
dns_A6_reply
Type

event (c: connection, msg: dns_msg, ans: dns_answer, a: addr)

Generated for DNS replies of type A6. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

A

The address returned by the reply.

dns_AAAA_reply
Type

event (c: connection, msg: dns_msg, ans: dns_answer, a: addr)

Generated for DNS replies of type AAAA. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

A

The address returned by the reply.

dns_A_reply
Type

event (c: connection, msg: dns_msg, ans: dns_answer, a: addr)

Generated for DNS replies of type A. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

A

The address returned by the reply.

dns_BINDS
Type

event (c: connection, msg: dns_msg, ans: dns_answer, binds: dns_binds_rr)

Generated for DNS replies of type BINDS. For replies with multiple answers, an individual event of the corresponding type is raised for each.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

Binds

The parsed RDATA of the BIND-Signing state record.

dns_CAA_reply
Type

event (c: connection, msg: dns_msg, ans: dns_answer, flags: count, tag: string, value: string)

Generated for DNS replies of type CAA (Certification Authority Authorization). For replies with multiple answers, an individual event of the corresponding type is raised for each. See RFC 6844 (obsoleted by RFC 8659) for more details.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

Flags

The flags byte of the CAA reply.

Tag

The property identifier of the CAA reply.

Value

The property value of the CAA reply.

dns_CNAME_reply
Type

event (c: connection, msg: dns_msg, ans: dns_answer, name: string)

Generated for DNS replies of type CNAME. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

Name

The name returned by the reply.

dns_DNSKEY
Type

event (c: connection, msg: dns_msg, ans: dns_answer, dnskey: dns_dnskey_rr)

Generated for DNS replies of type DNSKEY. For replies with multiple answers, an individual event of the corresponding type is raised for each.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

Dnskey

The parsed DNSKEY record.

dns_DS
Type

event (c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr)

Generated for DNS replies of type DS. For replies with multiple answers, an individual event of the corresponding type is raised for each.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

Ds

The parsed RDATA of DS record.

dns_EDNS_addl
Type

event (c: connection, msg: dns_msg, ans: dns_edns_additional)

Generated for DNS replies of type EDNS. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The parsed EDNS reply.

dns_EDNS_cookie
Type

event (c: connection, msg: dns_msg, opt: dns_edns_cookie)

Generated for DNS replies of type EDNS, and an option field in this EDNS record has an opt-type of 10. For replies with multiple option fields, an individual event is raised for each.

See Wikipedia for more information about the DNS protocol. See RFC7873 for more information about EDNS0 cookie. Zeek analyzes both UDP and TCP DNS sessions.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Opt

The parsed EDNS Cookie option.

dns_EDNS_ecs
Type

event (c: connection, msg: dns_msg, opt: dns_edns_ecs)

Generated for DNS replies of type EDNS whose OPT record carries an EDNS Client Subnet (ECS) option (opt-type 8, RFC 7871). For replies with multiple options, an individual event is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Opt

The parsed EDNS Client Subnet option.

dns_EDNS_tcp_keepalive
Type

event (c: connection, msg: dns_msg, opt: dns_edns_tcp_keepalive)

Generated for DNS replies of type EDNS, and an option field in this EDNS record has an opt-type of 11. For replies with multiple option fields, an individual event is raised for each.

See Wikipedia for more information about the DNS protocol. See RFC7828 for more information about EDNS0 TCP keepalive. Zeek analyzes both UDP and TCP DNS sessions.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Opt

The parsed EDNS Keepalive option.

dns_HINFO_reply
Type

event (c: connection, msg: dns_msg, ans: dns_answer, cpu: string, os: string)

Type

event (c: connection, msg: dns_msg, ans: dns_answer)

Generated for DNS replies of type HINFO. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

Cpu

The CPU type string of the HINFO record (RFC 1035).

Os

The operating system string of the HINFO record.

dns_HTTPS
Type

event (c: connection, msg: dns_msg, ans: dns_answer, https: dns_svcb_rr)

Generated for DNS replies of type HTTPS (HTTPS Specific Service Endpoints). See the DNS SVCB/HTTPS specification (originally an IETF draft, now RFC 9460) for more information about SVCB/HTTPS resource records. Since SVCB and HTTPS records share the same wire format, the argument https is of type dns_svcb_rr. For replies with multiple answers, an individual event of the corresponding type is raised for each.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

Https

The parsed RDATA of HTTPS type record.

dns_LOC
Type

event (c: connection, msg: dns_msg, ans: dns_answer, loc: dns_loc_rr)

Generated for DNS replies of type LOC. For replies with multiple answers, an individual event of the corresponding type is raised for each.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

Loc

The parsed RDATA of LOC type record.

dns_MX_reply
Type

event (c: connection, msg: dns_msg, ans: dns_answer, name: string, preference: count)

Generated for DNS replies of type MX. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

Name

The name returned by the reply.

Preference

The preference for name specified by the reply.

dns_NSEC
Type

event (c: connection, msg: dns_msg, ans: dns_answer, next_name: string, bitmaps: string_vec)

Generated for DNS replies of type NSEC. For replies with multiple answers, an individual event of the corresponding type is raised for each.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

Next_name

The parsed next secure domain name.

Bitmaps

Vector of hex-encoded strings, one per type bitmap present in the record.

dns_NSEC3
Type

event (c: connection, msg: dns_msg, ans: dns_answer, nsec3: dns_nsec3_rr)

Generated for DNS replies of type NSEC3. For replies with multiple answers, an individual event of the corresponding type is raised for each.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

Nsec3

The parsed RDATA of the NSEC3 record.

dns_NSEC3PARAM
Type

event (c: connection, msg: dns_msg, ans: dns_answer, nsec3param: dns_nsec3param_rr)

Generated for DNS replies of type NSEC3PARAM. For replies with multiple answers, an individual event of the corresponding type is raised for each.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

Nsec3param

The parsed RDATA of NSEC3PARAM record.

dns_NS_reply
Type

event (c: connection, msg: dns_msg, ans: dns_answer, name: string)

Generated for DNS replies of type NS. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

Name

The name returned by the reply.

dns_PTR_reply
Type

event (c: connection, msg: dns_msg, ans: dns_answer, name: string)

Generated for DNS replies of type PTR. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

Name

The name returned by the reply.

dns_RRSIG
Type

event (c: connection, msg: dns_msg, ans: dns_answer, rrsig: dns_rrsig_rr)

Generated for DNS replies of type RRSIG. For replies with multiple answers, an individual event of the corresponding type is raised for each.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

Rrsig

The parsed RRSIG record.

dns_SOA_reply
Type

event (c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa)

Generated for DNS replies of type SOA. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

Soa

The parsed SOA value.

dns_SPF_reply
Type

event (c: connection, msg: dns_msg, ans: dns_answer, strs: string_vec)

Generated for DNS replies of type SPF. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

Strs

The textual information returned by the reply.

dns_SRV_reply
Type

event (c: connection, msg: dns_msg, ans: dns_answer, target: string, priority: count, weight: count, p: count)

Generated for DNS replies of type SRV. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

Target

Target of the SRV response – the canonical hostname of the machine providing the service, ending in a dot.

Priority

Priority of the SRV response – the priority of the target host, lower value means more preferred.

Weight

Weight of the SRV response – a relative weight for records with the same priority, higher value means more preferred.

P

Port of the SRV response – the TCP or UDP port on which the service is to be found.

dns_SSHFP
Type

event (c: connection, msg: dns_msg, ans: dns_answer, algo: count, fptype: count, fingerprint: string)

Generated for DNS replies of type SSHFP (SSH public key fingerprint, RFC 4255). For replies with multiple answers, an individual event of the corresponding type is raised for each.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

Algo

The SSH public key algorithm number of the SSHFP record (per the IANA SSHFP registry: 1 = RSA, 2 = DSA, 3 = ECDSA, 4 = Ed25519, 6 = Ed448).

Fptype

The fingerprint type of the SSHFP record (1 = SHA-1, 2 = SHA-256).

Fingerprint

The raw fingerprint bytes of the SSHFP record.

dns_SVCB
Type

event (c: connection, msg: dns_msg, ans: dns_answer, svcb: dns_svcb_rr)

Generated for DNS replies of type SVCB (General Purpose Service Endpoints). See the DNS SVCB/HTTPS specification (originally an IETF draft, now RFC 9460) for more information about SVCB/HTTPS resource records. For replies with multiple answers, an individual event of the corresponding type is raised for each.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

Svcb

The parsed RDATA of SVCB type record.

dns_TSIG_addl
Type

event (c: connection, msg: dns_msg, ans: dns_tsig_additional)

Generated for DNS replies of type TSIG. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The parsed TSIG reply.

dns_TXT_reply
Type

event (c: connection, msg: dns_msg, ans: dns_answer, strs: string_vec)

Generated for DNS replies of type TXT. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

Strs

The textual information returned by the reply.

dns_WKS_reply
Type

event (c: connection, msg: dns_msg, ans: dns_answer)

Generated for DNS replies of type WKS. For replies with multiple answers, an individual event of the corresponding type is raised for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

dns_end
Type

event (c: connection, msg: dns_msg)

Generated at the end of processing a DNS packet. This event is the last dns_* event that will be raised for a DNS query/reply and signals that all resource records have been passed on.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.
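
The following is an added example, not part of the Zeek documentation or Zeek's own scripts, that combines dns_TXT_reply with dns_end: it sums the TXT RDATA of a reply as its answers arrive and evaluates the total only once dns_end signals that every record has been passed on. The table name txt_bytes, the threshold max_txt_bytes and its 512-byte value are this example's own assumptions.

```zeek
# Added example, not Zeek's own code: total the TXT payload of a reply and judge
# it only at dns_end. Assumptions: the threshold and the table txt_bytes are ours.

## Flag replies whose TXT records together exceed this many bytes (assumed value).
const max_txt_bytes: count = 512 &redef;

## TXT bytes seen so far per reply, keyed by connection uid and DNS transaction id.
## The expiry guards against entries whose dns_end is never seen.
global txt_bytes: table[string, count] of count &default=0 &create_expire=1min;

event dns_TXT_reply(c: connection, msg: dns_msg, ans: dns_answer, strs: string_vec)
    {
    # One event per TXT answer; a single answer may carry several character-strings.
    local n = 0;
    for ( i in strs )
        n += |strs[i]|;

    txt_bytes[c$uid, msg$id] += n;
    }

event dns_end(c: connection, msg: dns_msg)
    {
    # dns_end is the last dns_* event for this packet, so the sum is complete here.
    if ( [c$uid, msg$id] !in txt_bytes )
        return;   # a query, or a reply without TXT answers

    local total = txt_bytes[c$uid, msg$id];
    delete txt_bytes[c$uid, msg$id];

    if ( total > max_txt_bytes )
        print fmt("%s: DNS reply id=%d from %s carries %d bytes of TXT data",
                  c$uid, msg$id, c$id$resp_h, total);
    }
```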

dns_message
Type

event (c: connection, is_orig: bool, msg: dns_msg, len: count)

Generated for all DNS messages.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Is_orig

True if the message was sent by the originator of the connection.

Msg

The parsed DNS message header.

Len

The length of the message’s raw representation (i.e., the DNS payload).

dns_query_reply
Type

event (c: connection, msg: dns_msg, query: string, qtype: count, qclass: count, original_query: string)

Type

event (c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)

Generated for each entry in the Question section of a DNS reply.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Query

The queried name.

Qtype

The queried resource record type.

Qclass

The queried resource record class.

Original_query

The queried name, with the original case kept intact.

dns_rejected
Type

event (c: connection, msg: dns_msg, query: string, qtype: count, qclass: count, original_query: string)

Type

event (c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)

Generated for DNS replies that reject a query. This event is raised if a DNS reply indicates failure because it does not pass on any answers to a query. Note that all of the event’s parameters are parsed out of the reply; there’s no stateful correlation with the query.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Query

The queried name (normalized to all lowercase).

Qtype

The queried resource record type.

Qclass

The queried resource record class.

Original_query

The queried name, with the original case kept intact.

dns_request
Type

event (c: connection, msg: dns_msg, query: string, qtype: count, qclass: count, original_query: string)

Type

event (c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)

Generated for DNS requests. For requests with multiple queries, this event is raised once for each.

See Wikipedia for more information about the DNS protocol. Zeek analyzes both UDP and TCP DNS sessions.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Query

The queried name (normalized to all lowercase).

Qtype

The queried resource record type.

Qclass

The queried resource record class.

Original_query

The queried name, with the original case kept intact.

dns_unknown_reply
Type

event (c: connection, msg: dns_msg, ans: dns_answer)

Generated for DNS reply resource records whose type is not one that Zeek knows how to parse into another, more specific event.

C

The connection, which may be UDP or TCP depending on the type of the transport-layer session being analyzed.

Msg

The parsed DNS message header.

Ans

The type-independent part of the parsed answer record.

base/bif/plugins/Zeek_File.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

file_transferred: event

Generated when a TCP connection associated with file data transfer is seen (e.g., as happens with FTP or IRC).

Detailed Interface
Events
file_transferred
Type

event (c: connection, prefix: string, descr: string, mime_type: string)

Generated when a TCP connection associated with file data transfer is seen (e.g., as happens with FTP or IRC).

C

The connection over which file data is transferred.

Prefix

Up to 1024 bytes of the file data.

Descr

Deprecated/unused argument.

Mime_type

MIME type of the file or “<unknown>” if no file magic signatures matched.

base/bif/plugins/Zeek_Finger.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

finger_reply: event

Generated for Finger replies.

finger_request: event

Generated for Finger requests.

Detailed Interface
Events
finger_reply
Type

event (c: connection, reply_line: string)

Generated for Finger replies.

See Wikipedia for more information about the Finger protocol.

C

The connection.

Reply_line

The reply as returned by the server.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

finger_request
Type

event (c: connection, full: bool, username: string, hostname: string)

Generated for Finger requests.

See Wikipedia for more information about the Finger protocol.

C

The connection.

Full

True if verbose information is requested (/W switch).

Username

The request’s user name.

Hostname

The request’s host name.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

base/bif/plugins/Zeek_FTP.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

ftp_reply: event

Generated for server-side FTP replies.

ftp_request: event

Generated for client-side FTP commands.

Detailed Interface
Events
ftp_reply
Type

event (c: connection, code: count, msg: string, cont_resp: bool)

Generated for server-side FTP replies.

See Wikipedia for more information about the FTP protocol.

C

The connection.

Code

The numerical response code the server responded with.

Msg

The textual message of the response.

Cont_resp

True if the reply line is tagged as being continued to the next line. If so, further events will be raised and a handler may want to reassemble the pieces before processing the response any further.

ftp_request
Type

event (c: connection, command: string, arg: string)

Generated for client-side FTP commands.

See Wikipedia for more information about the FTP protocol.

C

The connection.

Command

The FTP command issued by the client (without any arguments).

Arg

The arguments going with the command.

base/bif/plugins/Zeek_FTP.functions.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Functions

fmt_ftp_port: function

Formats an IP address and TCP port as an FTP PORT command.

parse_eftp_port: function

Converts a string representation of the FTP EPRT command (see RFC 2428) to an ftp_port.

parse_ftp_epsv: function

Converts the result of the FTP EPSV command (see RFC 2428) to an ftp_port.

parse_ftp_pasv: function

Converts the result of the FTP PASV command to an ftp_port.

parse_ftp_port: function

Converts a string representation of the FTP PORT command to an ftp_port.

Detailed Interface
Functions
fmt_ftp_port
Type

function (a: addr, p: port) : string

Formats an IP address and TCP port as an FTP PORT command. For example, 10.0.0.1 and 1055/tcp yields "10,0,0,1,4,31".

A

The IP address.

P

The TCP port.

Returns

The FTP PORT string.

parse_eftp_port
Type

function (s: string) : ftp_port

Converts a string representation of the FTP EPRT command (see RFC 2428) to an ftp_port. The format is "EPRT<space><d><net-prt><d><net-addr><d><tcp-port><d>", where <d> is a delimiter in the ASCII range 33-126 (usually |).

S

The string of the FTP EPRT command, e.g., "|1|10.0.0.1|1055|".

Returns

The FTP PORT, e.g., [h=10.0.0.1, p=1055/tcp, valid=T].

parse_ftp_epsv
Type

function (str: string) : ftp_port

Converts the result of the FTP EPSV command (see RFC 2428) to an ftp_port. The format is "<text> (<d><d><d><tcp-port><d>)", where <d> is a delimiter in the ASCII range 33-126 (usually |).

Str

The string containing the result of the FTP EPSV command.

Returns

The FTP PORT, e.g., [h=10.0.0.1, p=1055/tcp, valid=T].

parse_ftp_pasv
Type

function (str: string) : ftp_port

Converts the result of the FTP PASV command to an ftp_port.

Str

The string containing the result of the FTP PASV command.

Returns

The FTP PORT, e.g., [h=10.0.0.1, p=1055/tcp, valid=T].

parse_ftp_port
Type

function (s: string) : ftp_port

Converts a string representation of the FTP PORT command to an ftp_port.

S

The string of the FTP PORT command, e.g., "10,0,0,1,4,31".

Returns

The FTP PORT, e.g., [h=10.0.0.1, p=1055/tcp, valid=T].
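
The following added example (not from Zeek's own scripts) uses parse_ftp_port, parse_eftp_port and fmt_ftp_port together in an ftp_request handler: it parses the client's PORT or EPRT argument, discards results whose valid field is false, and reports a data endpoint that is not the client's own address. The helper name parse_active_endpoint and the printed messages are this example's own.

```zeek
# Added example, not Zeek's own code: validate the data-channel endpoint a client
# advertises via PORT or EPRT. Assumptions: parse_active_endpoint and the messages are ours.

## Parse a PORT or EPRT argument; any other command yields a record with valid=F.
function parse_active_endpoint(command: string, arg: string): ftp_port
    {
    if ( command == "PORT" )
        return parse_ftp_port(arg);

    if ( command == "EPRT" )
        return parse_eftp_port(arg);

    return [$h=0.0.0.0, $p=0/tcp, $valid=F];
    }

event ftp_request(c: connection, command: string, arg: string)
    {
    if ( command != "PORT" && command != "EPRT" )
        return;

    local ep = parse_active_endpoint(command, arg);

    if ( ! ep$valid )
        {
        print fmt("%s: unparsable %s argument %s", c$uid, command, arg);
        return;
        }

    # A data endpoint that is not the client's own address is the classic FTP bounce
    # pattern; report it rather than silently tracking the data channel.
    if ( ep$h != c$id$orig_h )
        print fmt("%s: %s advertises %s:%s but the control connection comes from %s",
                  c$uid, command, ep$h, ep$p, c$id$orig_h);

    # fmt_ftp_port rebuilds the canonical PORT form (10.0.0.1 and 1055/tcp give
    # "10,0,0,1,4,31"), which exposes arguments written in a non-canonical way.
    if ( command == "PORT" && fmt_ftp_port(ep$h, ep$p) != arg )
        print fmt("%s: PORT argument %s normalizes to %s",
                  c$uid, arg, fmt_ftp_port(ep$h, ep$p));
    }
```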

base/bif/plugins/Zeek_Gnutella.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

gnutella_binary_msg: event

TODO.

gnutella_establish: event

TODO.

gnutella_http_notify: event

TODO.

gnutella_not_establish: event

TODO.

gnutella_partial_binary_msg: event

TODO.

gnutella_text_msg: event

TODO.

Detailed Interface
Events
gnutella_binary_msg
Type

event (c: connection, orig: bool, msg_type: count, ttl: count, hops: count, msg_len: count, payload: string, payload_len: count, trunc: bool, complete: bool)

TODO.

See Wikipedia for more information about the Gnutella protocol.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

gnutella_establish
Type

event (c: connection)

TODO.

See Wikipedia for more information about the Gnutella protocol.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

gnutella_http_notify
Type

event (c: connection)

TODO.

See Wikipedia for more information about the Gnutella protocol.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

gnutella_not_establish
Type

event (c: connection)

TODO.

See Wikipedia for more information about the Gnutella protocol.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

gnutella_partial_binary_msg
Type

event (c: connection, orig: bool, msg: string, len: count)

TODO.

See Wikipedia for more information about the Gnutella protocol.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

gnutella_text_msg
Type

event (c: connection, orig: bool, headers: string)

TODO.

See Wikipedia for more information about the Gnutella protocol.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

base/bif/plugins/Zeek_GSSAPI.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

gssapi_neg_result: event

Generated for GSSAPI negotiation results.

Detailed Interface
Events
gssapi_neg_result
Type

event (c: connection, state: count)

Generated for GSSAPI negotiation results.

C

The connection.

State

The resulting state of the negotiation.

base/bif/plugins/Zeek_HTTP.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

http_all_headers: event

Generated for HTTP headers, passing on all headers of an HTTP message at once.

http_begin_entity: event

Generated when starting to parse an HTTP body entity.

http_connection_upgrade: event

Generated when an HTTP session is upgraded to a different protocol (e.g., websocket).

http_content_type: event

Generated for reporting an HTTP body’s content type.

http_end_entity: event

Generated when finishing parsing an HTTP body entity.

http_entity_data: event

Generated when parsing an HTTP body entity, passing on the data.

http_event: event

Generated for errors found when decoding HTTP requests or replies.

http_header: event

Generated for HTTP headers.

http_message_done: event

Generated once at the end of parsing an HTTP message.

http_reply: event

Generated for HTTP replies.

http_request: event

Generated for HTTP requests.

http_stats: event

Generated at the end of an HTTP session to report statistics about it.

Detailed Interface
Events
http_all_headers
Type

event (c: connection, is_orig: bool, hlist: mime_header_list)

Generated for HTTP headers, passing on all headers of an HTTP message at once. Zeek supports persistent and pipelined HTTP sessions and raises corresponding events as it parses client/server dialogues.

See Wikipedia for more information about the HTTP protocol.

C

The connection.

Is_orig

True if the header was sent by the originator of the TCP connection.

Hlist

A table containing all headers extracted from the current entity. The table is indexed by the position of the header (1 for the first, 2 for the second, etc.).

Note

This event is also raised for headers found in nested body entities.

http_begin_entity
Type

event (c: connection, is_orig: bool)

Generated when starting to parse an HTTP body entity. This event is generated at least once for each non-empty (client or server) HTTP body, and potentially more than once if the body contains further nested MIME entities. Zeek raises this event just before it starts parsing each entity’s content.

See Wikipedia for more information about the HTTP protocol.

C

The connection.

Is_orig

True if the entity was sent by the originator of the TCP connection.

http_connection_upgrade
Type

event (c: connection, protocol: string)

Generated when an HTTP session is upgraded to a different protocol (e.g., websocket). This event is raised when a server replies with an HTTP 101 reply. No more HTTP events will be raised after this event.

C

The connection.

Protocol

The protocol to which the connection is switching.

http_content_type
Type

event (c: connection, is_orig: bool, ty: string, subty: string)

Generated for reporting an HTTP body’s content type. This event is generated at the end of parsing an HTTP header, passing on the MIME type as specified by the Content-Type header. If that header is missing, this event is still raised with a default value of text/plain.

See Wikipedia for more information about the HTTP protocol.

C

The connection.

Is_orig

True if the entity was sent by the originator of the TCP connection.

Ty

The main type.

Subty

The subtype.

Note

This event is also raised for headers found in nested body entities.

http_end_entity
Type

event (c: connection, is_orig: bool)

Generated when finishing parsing an HTTP body entity. This event is generated at least once for each non-empty (client or server) HTTP body, and potentially more than once if the body contains further nested MIME entities. Zeek raises this event at the point when it has finished parsing an entity’s content.

See Wikipedia for more information about the HTTP protocol.

C

The connection.

Is_orig

True if the entity was sent by the originator of the TCP connection.

http_entity_data
Type

event (c: connection, is_orig: bool, length: count, data: string)

Generated when parsing an HTTP body entity, passing on the data. This event can potentially be raised many times for each entity, each time passing a chunk of the data of not further defined size.

A common idiom for using this event is to first reassemble the data at the scripting layer by concatenating it to a successively growing string, and only perform further content analysis once the corresponding http_end_entity event has been raised. Note, however, that doing so can be quite expensive for large HTTP transfers. At the very least, one should impose an upper size limit on how much data is being buffered.

See Wikipedia for more information about the HTTP protocol.

C

The connection.

Is_orig

True if the entity was sent by the originator of the TCP connection.

Length

The length of data.

Data

One chunk of raw entity data.
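
The idiom described above, buffering an entity across http_entity_data calls with an upper size limit and analysing it at http_end_entity, as an added example that is not part of the Zeek documentation or its scripts. The table bufs, the State record, the 1 MiB cap and the response-body check are assumptions of this example.

```zeek
# Added example, not Zeek's own code: reassemble each HTTP entity with a size cap.
# Assumptions: the 1 MiB cap, the bufs table and the response-body check are ours.

## Upper bound on the bytes of one entity that we are willing to buffer.
const max_entity_size: count = 1048576 &redef;

## Per-entity buffer plus a flag recording that the cap was hit.
type State: record {
    data: string;
    truncated: bool;
};

## Buffers indexed by connection uid and direction (T = client, F = server).
global bufs: table[string, bool] of State;

event http_begin_entity(c: connection, is_orig: bool)
    {
    # Start a fresh buffer for every entity; nested MIME parts each get their own.
    bufs[c$uid, is_orig] = State($data="", $truncated=F);
    }

event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
    {
    if ( [c$uid, is_orig] !in bufs )
        return;

    # Records have reference semantics, so updating st updates the table entry.
    local st = bufs[c$uid, is_orig];

    if ( st$truncated )
        return;

    if ( |st$data| + length > max_entity_size )
        {
        # Cap reached: stop buffering and let the analyzer skip the rest of this entity.
        st$truncated = T;
        skip_http_entity_data(c, is_orig);
        return;
        }

    st$data += data;
    }

event http_end_entity(c: connection, is_orig: bool)
    {
    if ( [c$uid, is_orig] !in bufs )
        return;

    local st = bufs[c$uid, is_orig];
    delete bufs[c$uid, is_orig];

    if ( st$truncated )
        {
        print fmt("%s: entity larger than %d bytes, remainder skipped", c$uid, max_entity_size);
        return;
        }

    # The whole entity is available here. As a stand-in for real content analysis,
    # flag server responses that embed inline script.
    if ( ! is_orig && /<script/ in st$data )
        print fmt("%s: %d-byte response entity contains <script>", c$uid, |st$data|);
    }

event connection_state_remove(c: connection)
    {
    # Drop buffers of entities that never finished before the connection went away.
    delete bufs[c$uid, T];
    delete bufs[c$uid, F];
    }
```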

http_event
Type

event (c: connection, event_type: string, detail: string)

Generated for errors found when decoding HTTP requests or replies.

See Wikipedia for more information about the HTTP protocol.

C

The connection.

Event_type

A string describing the general category of the problem found (e.g., illegal format).

Detail

A more detailed description of the error.

http_header
Type

event (c: connection, is_orig: bool, original_name: string, name: string, value: string)

Type

event (c: connection, is_orig: bool, name: string, value: string)

Generated for HTTP headers. Zeek supports persistent and pipelined HTTP sessions and raises corresponding events as it parses client/server dialogues.

See Wikipedia for more information about the HTTP protocol.

C

The connection.

Is_orig

True if the header was sent by the originator of the TCP connection.

Original_name

The name of the header (unaltered).

Name

The name of the header (converted to all uppercase).

Value

The value of the header.

Note

This event is also raised for headers found in nested body entities.

http_message_done
Type

event (c: connection, is_orig: bool, stat: http_message_stat)

Generated once at the end of parsing an HTTP message. Zeek supports persistent and pipelined HTTP sessions and raises corresponding events as it parses client/server dialogues. A “message” is one top-level HTTP entity, such as a complete request or reply. Each message can have further nested sub-entities inside. This event is raised once all sub-entities belonging to a top-level message have been processed (and their corresponding http_entity_* events generated).

See Wikipedia for more information about the HTTP protocol.

C

The connection.

Is_orig

True if the entity was sent by the originator of the TCP connection.

Stat

Further meta information about the message.

http_reply
Type

event (c: connection, version: string, code: count, reason: string)

Generated for HTTP replies. Zeek supports persistent and pipelined HTTP sessions and raises corresponding events as it parses client/server dialogues. This event is generated as soon as a reply’s initial line has been parsed, and before any http_header events are raised.

See Wikipedia for more information about the HTTP protocol.

C

The connection.

Version

The version number specified in the reply (e.g., 1.1).

Code

The numerical response code returned by the server.

Reason

The textual description returned by the server along with the code.

http_request
Type

event (c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)

Generated for HTTP requests. Zeek supports persistent and pipelined HTTP sessions and raises corresponding events as it parses client/server dialogues. This event is generated as soon as a request’s initial line has been parsed, and before any http_header events are raised.

See Wikipedia for more information about the HTTP protocol.

C

The connection.

Method

The HTTP method extracted from the request (e.g., GET, POST).

Original_URI

The unprocessed URI as specified in the request.

Unescaped_URI

The URI with all percent-encodings decoded.

Version

The version number specified in the request (e.g., 1.1).

http_stats
Type

event (c: connection, stats: http_stats_rec)

Generated at the end of an HTTP session to report statistics about it. This event is raised after all of an HTTP session’s requests and replies have been fully processed.

C

The connection.

Stats

Statistics summarizing HTTP-level properties of the finished connection.

base/bif/plugins/Zeek_HTTP.functions.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Functions

skip_http_entity_data: function

Skips the data of the HTTP entity.

unescape_URI: function

Unescapes all characters in a URI (decode every %xx group).

Detailed Interface
Functions
skip_http_entity_data
Type

function (c: connection, is_orig: bool) : any

Skips the data of the HTTP entity.

C

The HTTP connection.

Is_orig

If true, the client’s data is skipped; otherwise the server’s data is skipped.

unescape_URI
Type

function (URI: string) : string

Unescapes all characters in a URI (decode every %xx group).

URI

The URI to unescape.

Returns

The unescaped URI with all %xx groups decoded.

Note

Unescaping reserved characters may cause loss of information. RFC 2396: A URI is always in an “escaped” form, since escaping or unescaping a completed URI might change its semantics. Normally, the only time escape encodings can safely be made is when the URI is being created from its component parts.

base/bif/plugins/Zeek_Ident.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

ident_error: event

Generated for Ident error replies.

ident_reply: event

Generated for Ident replies.

ident_request: event

Generated for Ident requests.

Detailed Interface
Events
ident_error
Type

event (c: connection, lport: port, rport: port, line: string)

Generated for Ident error replies.

See Wikipedia for more information about the Ident protocol.

C

The connection.

Lport

The corresponding request’s local port.

Rport

The corresponding request’s remote port.

Line

The error description returned by the reply.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

ident_reply
Type

event (c: connection, lport: port, rport: port, user_id: string, system: string)

Generated for Ident replies.

See Wikipedia for more information about the Ident protocol.

C

The connection.

Lport

The corresponding request’s local port.

Rport

The corresponding request’s remote port.

User_id

The user id returned by the reply.

System

The operating system returned by the reply.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

ident_request
Type

event (c: connection, lport: port, rport: port)

Generated for Ident requests.

See Wikipedia for more information about the Ident protocol.

C

The connection.

Lport

The request’s local port.

Rport

The request’s remote port.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

base/bif/plugins/Zeek_IMAP.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

imap_capabilities: event

Generated when a server sends a capability list to the client, after being queried using the CAPABILITY command.

imap_starttls: event

Generated when an IMAP connection goes encrypted after a successful StartTLS exchange between the client and the server.

Detailed Interface
Events
imap_capabilities
Type

event (c: connection, capabilities: string_vec)

Generated when a server sends a capability list to the client, after being queried using the CAPABILITY command.

C

The connection.

Capabilities

The list of IMAP capabilities as sent by the server.

imap_starttls
Type

event (c: connection)

Generated when an IMAP connection goes encrypted after a successful StartTLS exchange between the client and the server.

C

The connection.

base/bif/plugins/Zeek_IRC.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

irc_channel_info: event

Generated for an IRC reply of type luserchannels.

irc_channel_topic: event

Generated for an IRC reply of type topic.

irc_dcc_message: event

Generated for IRC messages of type dcc.

irc_error_message: event

Generated for IRC messages of type error.

irc_global_users: event

Generated for an IRC reply of type globalusers.

irc_invalid_nick: event

Generated when a server rejects an IRC nickname.

irc_invite_message: event

Generated for IRC messages of type invite.

irc_join_message: event

Generated for IRC messages of type join.

irc_kick_message: event

Generated for IRC messages of type kick.

irc_message: event

Generated for IRC commands forwarded from the server to the client.

irc_mode_message: event

Generated for IRC messages of type mode.

irc_names_info: event

Generated for an IRC reply of type namereply.

irc_network_info: event

Generated for an IRC reply of type luserclient.

irc_nick_message: event

Generated for IRC messages of type nick.

irc_notice_message: event

Generated for IRC messages of type notice.

irc_oper_message: event

Generated for IRC messages of type oper.

irc_oper_response: event

Generated for IRC replies of type youreoper and nooperhost.

irc_part_message: event

Generated for IRC messages of type part.

irc_password_message: event

Generated for IRC messages of type password.

irc_privmsg_message: event

Generated for IRC messages of type privmsg.

irc_quit_message: event

Generated for IRC messages of type quit.

irc_reply: event

Generated for all IRC replies.

irc_request: event

Generated for all client-side IRC commands.

irc_server_info: event

Generated for an IRC reply of type luserme.

irc_squery_message: event

Generated for IRC messages of type squery.

irc_squit_message: event

Generated for IRC messages of type squit.

irc_starttls: event

Generated if an IRC connection switched to TLS using STARTTLS.

irc_user_message: event

Generated for IRC messages of type user.

irc_who_line: event

Generated for an IRC reply of type whoreply.

irc_who_message: event

Generated for IRC messages of type who.

irc_whois_channel_line: event

Generated for an IRC reply of type whoischannels.

irc_whois_message: event

Generated for IRC messages of type whois.

irc_whois_operator_line: event

Generated for an IRC reply of type whoisoperator.

irc_whois_user_line: event

Generated for an IRC reply of type whoisuser.

Detailed Interface
Events
irc_channel_info
Type

event (c: connection, is_orig: bool, chans: count)

Generated for an IRC reply of type luserchannels.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Chans

The number of channels as returned in the reply.

irc_channel_topic
Type

event (c: connection, is_orig: bool, channel: string, topic: string)

Generated for an IRC reply of type topic.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Channel

The channel name specified in the reply.

Topic

The topic specified in the reply.

irc_dcc_message
Type

event (c: connection, is_orig: bool, prefix: string, target: string, dcc_type: string, argument: string, address: addr, dest_port: count, size: count)

Generated for IRC messages of type dcc. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Prefix

The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.

Target

The target specified in the message.

Dcc_type

The DCC type specified in the message.

Argument

The argument specified in the message.

Address

The address specified in the message.

Dest_port

The destination port specified in the message.

Size

The size specified in the message.

irc_error_message
Type

event (c: connection, is_orig: bool, prefix: string, message: string)

Generated for IRC messages of type error. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Prefix

The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.

Message

The textual description specified in the message.

irc_global_users
Type

event (c: connection, is_orig: bool, prefix: string, msg: string)

Generated for an IRC reply of type globalusers.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Prefix

The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.

Msg

The message coming with the reply.

irc_invalid_nick
Type

event (c: connection, is_orig: bool)

Generated when a server rejects an IRC nickname.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

irc_invite_message
Type

event (c: connection, is_orig: bool, prefix: string, nickname: string, channel: string)

Generated for IRC messages of type invite. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Prefix

The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.

Nickname

The nickname specified in the message.

Channel

The channel specified in the message.

irc_join_message
Type

event (c: connection, is_orig: bool, info_list: irc_join_list)

Generated for IRC messages of type join. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Info_list

The user information coming with the command.

irc_kick_message
Type

event (c: connection, is_orig: bool, prefix: string, chans: string, users: string, comment: string)

Generated for IRC messages of type kick. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Prefix

The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.

Chans

The channels specified in the message.

Users

The users specified in the message.

Comment

The comment specified in the message.

irc_message
Type

event (c: connection, is_orig: bool, prefix: string, command: string, message: string)

Generated for IRC commands forwarded from the server to the client.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

Always false.

Prefix

The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.

Command

The command.

Message

TODO.

Note

This event is generated only for messages that the server forwards to the client. Commands coming from the client trigger the irc_request event instead.

irc_mode_message
Type

event (c: connection, is_orig: bool, prefix: string, params: string)

Generated for IRC messages of type mode. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Prefix

The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.

Params

The parameters coming with the message.

irc_names_info
Type

event (c: connection, is_orig: bool, c_type: string, channel: string, users: string_set)

Generated for an IRC reply of type namereply.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

C_type

The channel type.

Channel

The channel.

Users

The set of users.

irc_network_info
Type

event (c: connection, is_orig: bool, users: count, services: count, servers: count)

Generated for an IRC reply of type luserclient.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Users

The number of users as returned in the reply.

Services

The number of services as returned in the reply.

Servers

The number of servers as returned in the reply.

irc_nick_message
Type

event (c: connection, is_orig: bool, who: string, newnick: string)

Generated for IRC messages of type nick. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Who

The user changing its nickname.

Newnick

The new nickname.

irc_notice_message
Type

event (c: connection, is_orig: bool, source: string, target: string, message: string)

Generated for IRC messages of type notice. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Source

The source of the private communication.

Target

The target of the private communication.

Message

The text of communication.

irc_oper_message
Type

event (c: connection, is_orig: bool, user: string, password: string)

Generated for IRC messages of type oper. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

User

The user specified in the message.

Password

The password specified in the message.

irc_oper_response
Type

event (c: connection, is_orig: bool, got_oper: bool)

Generated for IRC replies of type youreoper and nooperhost.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Got_oper

True if the oper command was executed successfully (youreoper) and false otherwise (nooperhost).
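
A worked handler pair for irc_oper_message and irc_oper_response, added here as an example and not part of the Zeek distribution: it remembers the user name from the client's OPER command and turns the server's verdict into a notice, without ever storing or logging the password. The module name, the notice types and the five-minute expiry of unanswered attempts are the example's own assumptions.

```zeek
@load base/frameworks/notice

module IRCOper;

export {
    redef enum Notice::Type += {
        ## The server accepted an OPER command on this connection.
        Oper_Granted,
        ## The server rejected an OPER command (ERR_NOOPERHOST).
        Oper_Rejected,
    };
}

# OPER attempts awaiting a server verdict, keyed by connection UID.
# Assumption: one attempt in flight per connection; entries expire
# if the server never answers.
global pending: table[string] of string &create_expire=5min;

event irc_oper_message(c: connection, is_orig: bool, user: string, password: string)
    {
    # OPER is a client command; ignore anything seen on the server side.
    if ( ! is_orig )
        return;

    # Keep only the user name; the password is deliberately dropped so it
    # can never end up in a notice or log.
    pending[c$uid] = user;
    }

event irc_oper_response(c: connection, is_orig: bool, got_oper: bool)
    {
    local user = c$uid in pending ? pending[c$uid] : "<unknown>";
    delete pending[c$uid];

    NOTICE([$note=got_oper ? Oper_Granted : Oper_Rejected,
            $conn=c,
            $msg=fmt("IRC OPER by '%s' %s on %s", user,
                     got_oper ? "accepted" : "rejected", c$id$resp_h),
            $identifier=cat(c$id$orig_h, c$id$resp_h, user, got_oper)]);
    }
```

Pending attempts are keyed on c$uid rather than on the client address, so several IRC connections from one host are tracked independently; got_oper is part of the notice $identifier so that a rejected and a later accepted attempt by the same user are suppressed separately.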

irc_part_message
Type

event (c: connection, is_orig: bool, nick: string, chans: string_set, message: string)

Generated for IRC messages of type part. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Nick

The nickname coming with the message.

Chans

The set of channels affected.

Message

The text coming with the message.

irc_password_message
Type

event (c: connection, is_orig: bool, password: string)

Generated for IRC messages of type password. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Password

The password specified in the message.

irc_privmsg_message
Type

event (c: connection, is_orig: bool, source: string, target: string, message: string)

Generated for IRC messages of type privmsg. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Source

The source of the private communication.

Target

The target of the private communication.

Message

The text of communication.

irc_quit_message
Type

event (c: connection, is_orig: bool, nick: string, message: string)

Generated for IRC messages of type quit. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Nick

The nickname coming with the message.

Message

The text included with the message.

irc_reply
Type

event (c: connection, is_orig: bool, prefix: string, code: count, params: string)

Generated for all IRC replies. IRC replies are sent in response to a request and come with a reply code.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Prefix

The optional prefix coming with the reply. IRC uses the prefix to indicate the true origin of a message.

Code

The reply code, as specified by the protocol.

Params

The reply’s parameters.

irc_request
Type

event (c: connection, is_orig: bool, prefix: string, command: string, arguments: string)

Generated for all client-side IRC commands.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

Always true.

Prefix

The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.

Command

The command.

Arguments

The arguments for the command.

Note

This event is generated only for messages that originate on the client side. Commands arriving from the server trigger the irc_message event instead.
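
Between them, irc_request, irc_message and irc_reply cover every IRC line on a connection: the client's own commands, commands the server relays on behalf of other users, and numeric replies. The script below, an added example rather than Zeek's shipped base/protocols/irc script, writes all three to one custom log stream so that the split is visible in the output. The module name, the stream IRCCmd::LOG, the log path irc_cmd and the record layout are the example's own choices.

```zeek
module IRCCmd;

export {
    ## Custom log stream for the per-message IRC record.
    redef enum Log::ID += { LOG };

    type Info: record {
        ## Time the message was seen.
        ts: time &log;
        ## Connection UID, joinable against conn.log.
        uid: string &log;
        ## Connection 4-tuple.
        id: conn_id &log;
        ## "client" for irc_request, "server" for irc_message and irc_reply.
        direction: string &log;
        ## Prefix (claimed origin) if the message carried one.
        prefix: string &log &optional;
        ## Command verb, or the three-digit numeric for replies.
        command: string &log;
        ## Remaining parameters, verbatim.
        params: string &log;
    };
}

event zeek_init()
    {
    Log::create_stream(LOG, [$columns=Info, $path="irc_cmd"]);
    }

function write_cmd(c: connection, direction: string, prefix: string,
                   command: string, params: string)
    {
    local rec = Info($ts=network_time(), $uid=c$uid, $id=c$id,
                     $direction=direction, $command=command, $params=params);
    # An empty prefix means the message carried none; leave the column unset.
    if ( prefix != "" )
        rec$prefix = prefix;
    Log::write(LOG, rec);
    }

# Client-originated commands: is_orig is always T here.
event irc_request(c: connection, is_orig: bool, prefix: string,
                  command: string, arguments: string)
    {
    write_cmd(c, "client", prefix, command, arguments);
    }

# Commands the server relays to the client (e.g. another user's PRIVMSG):
# is_orig is always F here, and the prefix names the real sender.
event irc_message(c: connection, is_orig: bool, prefix: string,
                  command: string, message: string)
    {
    write_cmd(c, "server", prefix, command, message);
    }

# Numeric replies to the client's own requests.
event irc_reply(c: connection, is_orig: bool, prefix: string,
                code: count, params: string)
    {
    write_cmd(c, "server", prefix, fmt("%03d", code), params);
    }
```

Because the direction column is derived from which event fired rather than from is_orig, the log makes the documented guarantee (irc_request always client, irc_message always server) directly checkable against captured traffic.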

irc_server_info
Type

event (c: connection, is_orig: bool, users: count, services: count, servers: count)

Generated for an IRC reply of type luserme.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Users

The number of users as returned in the reply.

Services

The number of services as returned in the reply.

Servers

The number of servers as returned in the reply.

irc_squery_message
Type

event (c: connection, is_orig: bool, source: string, target: string, message: string)

Generated for IRC messages of type squery. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Source

The source of the private communication.

Target

The target of the private communication.

Message

The text of communication.

irc_squit_message
Type

event (c: connection, is_orig: bool, prefix: string, server: string, message: string)

Generated for IRC messages of type squit. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Prefix

The optional prefix coming with the command. IRC uses the prefix to indicate the true origin of a message.

Server

The server specified in the message.

Message

The textual description specified in the message.

irc_starttls
Type

event (c: connection)

Generated if an IRC connection switched to TLS using STARTTLS. After this event no more IRC events will be raised for the connection. See the SSL analyzer for related SSL events, which will now be generated.

C

The connection.

irc_user_message
Type

event (c: connection, is_orig: bool, user: string, host: string, server: string, real_name: string)

Generated for IRC messages of type user. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

User

The user specified in the message.

Host

The host name specified in the message.

Server

The server name specified in the message.

Real_name

The real name specified in the message.

irc_who_line
Type

event (c: connection, is_orig: bool, target_nick: string, channel: string, user: string, host: string, server: string, nick: string, params: string, hops: count, real_name: string)

Generated for an IRC reply of type whoreply.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Target_nick

The target nickname.

Channel

The channel.

User

The user.

Host

The host.

Server

The server.

Nick

The nickname.

Params

The parameters.

Hops

The hop count.

Real_name

The real name.

irc_who_message
Type

event (c: connection, is_orig: bool, mask: string, oper: bool)

Generated for IRC messages of type who. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Mask

The mask specified in the message.

Oper

True if the operator flag was set.

irc_whois_channel_line
Type

event (c: connection, is_orig: bool, nick: string, chans: string_set)

Generated for an IRC reply of type whoischannels.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Nick

The nickname specified in the reply.

Chans

The set of channels returned.

irc_whois_message
Type

event (c: connection, is_orig: bool, server: string, users: string)

Generated for IRC messages of type whois. This event is generated for messages coming from both the client and the server.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Server

TODO.

Users

TODO.

irc_whois_operator_line
Type

event (c: connection, is_orig: bool, nick: string)

Generated for an IRC reply of type whoisoperator.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Nick

The nickname specified in the reply.

irc_whois_user_line
Type

event (c: connection, is_orig: bool, nick: string, user: string, host: string, real_name: string)

Generated for an IRC reply of type whoisuser.

See Wikipedia for more information about the IRC protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Nick

The nickname specified in the reply.

User

The user name specified in the reply.

Host

The host name specified in the reply.

Real_name

The real name specified in the reply.

base/bif/plugins/Zeek_KRB.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

krb_ap_request: event

A Kerberos 5 Authentication Header (AP) Request as defined in RFC 4120.

krb_ap_response: event

A Kerberos 5 Authentication Header (AP) Response as defined in RFC 4120.

krb_as_request: event

A Kerberos 5 Authentication Server (AS) Request as defined in RFC 4120.

krb_as_response: event

A Kerberos 5 Authentication Server (AS) Response as defined in RFC 4120.

krb_cred: event

A Kerberos 5 Credential Message as defined in RFC 4120.

krb_error: event

A Kerberos 5 Error Message as defined in RFC 4120.

krb_priv: event

A Kerberos 5 Private Message as defined in RFC 4120.

krb_safe: event

A Kerberos 5 Safe Message as defined in RFC 4120.

krb_tgs_request: event

A Kerberos 5 Ticket Granting Service (TGS) Request as defined in RFC 4120.

krb_tgs_response: event

A Kerberos 5 Ticket Granting Service (TGS) Response as defined in RFC 4120.

Detailed Interface
Events
krb_ap_request
Type

event (c: connection, ticket: KRB::Ticket, opts: KRB::AP_Options)

A Kerberos 5 Authentication Header (AP) Request as defined in RFC 4120. This message contains authentication information that should be part of the first message in an authenticated transaction.

See Wikipedia for more information about the Kerberos protocol.

C

The connection over which this Kerberos message was sent.

Ticket

The Kerberos ticket being used for authentication.

Opts

A Kerberos AP options data structure.

krb_ap_response
Type

event (c: connection)

A Kerberos 5 Authentication Header (AP) Response as defined in RFC 4120. This is used if mutual authentication is desired. All of the interesting information in here is encrypted, so the event doesn’t have much useful data, but it’s provided in case it’s important to know that this message was sent.

See Wikipedia for more information about the Kerberos protocol.

C

The connection over which this Kerberos message was sent.

krb_as_request
Type

event (c: connection, msg: KRB::KDC_Request)

A Kerberos 5 Authentication Server (AS) Request as defined in RFC 4120. The AS request carries the name of the client principal requesting authentication; the KDC answers with an AS reply containing an encrypted Ticket Granting Ticket (TGT) for that principal. The TGT can then be used to request further tickets for other services.

See Wikipedia for more information about the Kerberos protocol.

C

The connection over which this Kerberos message was sent.

Msg

A Kerberos KDC request message data structure.

krb_as_response
Type

event (c: connection, msg: KRB::KDC_Response)

A Kerberos 5 Authentication Server (AS) Response as defined in RFC 4120. Following the AS request for a user, an AS reply contains an encrypted Ticket Granting Ticket (TGT) for that user. The TGT can then be used to request further tickets for other services.

See Wikipedia for more information about the Kerberos protocol.

C

The connection over which this Kerberos message was sent.

Msg

A Kerberos KDC reply message data structure.

krb_cred
Type

event (c: connection, is_orig: bool, tickets: KRB::Ticket_Vector)

A Kerberos 5 Credential Message as defined in RFC 4120. This is a private (encrypted) message to forward credentials.

See Wikipedia for more information about the Kerberos protocol.

C

The connection over which this Kerberos message was sent.

Is_orig

Whether the originator of the connection sent this message.

Tickets

Tickets obtained from the KDC that are being forwarded.

krb_error
Type

event (c: connection, msg: KRB::Error_Msg)

A Kerberos 5 Error Message as defined in RFC 4120.

See Wikipedia for more information about the Kerberos protocol.

C

The connection over which this Kerberos message was sent.

Msg

A Kerberos error message data structure.

krb_priv
Type

event (c: connection, is_orig: bool)

A Kerberos 5 Private Message as defined in RFC 4120. This is a private (encrypted) application message, so the event doesn’t have much useful data, but it’s provided in case it’s important to know that this message was sent.

See Wikipedia for more information about the Kerberos protocol.

C

The connection over which this Kerberos message was sent.

Is_orig

Whether the originator of the connection sent this message.

krb_safe
Type

event (c: connection, is_orig: bool, msg: KRB::SAFE_Msg)

A Kerberos 5 Safe Message as defined in RFC 4120. This is a safe (checksummed) application message.

See Wikipedia for more information about the Kerberos protocol.

C

The connection over which this Kerberos message was sent.

Is_orig

Whether the originator of the connection sent this message.

Msg

A Kerberos SAFE message data structure.

krb_tgs_request
Type

event (c: connection, msg: KRB::KDC_Request)

A Kerberos 5 Ticket Granting Service (TGS) Request as defined in RFC 4120. Following the Authentication Server exchange, if successful, the client now has a Ticket Granting Ticket (TGT). To authenticate to a Kerberized service, the client requests a Service Ticket, which will be returned in the TGS reply.

See Wikipedia for more information about the Kerberos protocol.

C

The connection over which this Kerberos message was sent.

Msg

A Kerberos KDC request message data structure.

krb_tgs_response
Type

event (c: connection, msg: KRB::KDC_Response)

A Kerberos 5 Ticket Granting Service (TGS) Response as defined in RFC 4120. This message returns a Service Ticket to the client, which is encrypted with the service’s long-term key, and which the client can use to authenticate to that service.

See Wikipedia for more information about the Kerberos protocol.

C

The connection over which this Kerberos message was sent.

Msg

A Kerberos KDC reply message data structure.
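
Two detections that can be built directly on krb_error and krb_tgs_response, added here as an example and not part of Zeek's shipped base/protocols/krb scripts: the TGS reply is inspected for service tickets encrypted with RC4-HMAC (etype 23, the ticket type targeted by offline cracking of service-account passwords), and KDC_ERR_PREAUTH_FAILED (error code 24) replies are counted per client address to catch password guessing. The module name, the notice types, the threshold and window, and the assumption that Zeek renders the TGT service principal as krbtgt/REALM are the example's own.

```zeek
@load base/frameworks/notice

module KRBWatch;

export {
    redef enum Notice::Type += {
        ## A TGS-REP carried a service ticket encrypted with RC4-HMAC (etype 23).
        RC4_Service_Ticket,
        ## One client address accumulated many pre-authentication failures.
        Preauth_Failure_Burst,
    };

    ## Pre-authentication failures from one address before a notice is raised.
    const preauth_fail_threshold = 20 &redef;
    ## Window over which failures are counted.
    const preauth_fail_window = 5min &redef;
}

# Registry values used below: RFC 4120 error code, RFC 3961 etype number.
const KDC_ERR_PREAUTH_FAILED = 24;
const ETYPE_RC4_HMAC = 23;

# Failure counter per client address; entries vanish after the window.
global preauth_failures: table[addr] of count &default=0 &create_expire=preauth_fail_window;

event krb_tgs_response(c: connection, msg: KRB::KDC_Response)
    {
    local t = msg$ticket;

    if ( t$cipher != ETYPE_RC4_HMAC )
        return;

    # krbtgt/REALM tickets are TGTs, not service tickets; ignore them.
    if ( /^krbtgt\// in t$service_name )
        return;

    NOTICE([$note=RC4_Service_Ticket, $conn=c,
            $msg=fmt("RC4-HMAC service ticket for %s (realm %s) issued to %s",
                     t$service_name, t$realm, msg$client_name),
            $identifier=cat(c$id$orig_h, t$service_name)]);
    }

event krb_error(c: connection, msg: KRB::Error_Msg)
    {
    if ( msg$error_code != KDC_ERR_PREAUTH_FAILED )
        return;

    local src = c$id$orig_h;
    ++preauth_failures[src];

    # Fire exactly once per window, at the moment the threshold is crossed.
    if ( preauth_failures[src] == preauth_fail_threshold )
        NOTICE([$note=Preauth_Failure_Burst, $src=src,
                $msg=fmt("%d Kerberos pre-authentication failures from %s within %s (last principal: %s)",
                         preauth_fail_threshold, src, preauth_fail_window,
                         msg?$client_name ? msg$client_name : "<unknown>"),
                $identifier=cat(src)]);
    }
```

The RC4 check keys off the ticket's cipher field, which is visible even though the ticket body itself is encrypted; the pre-authentication counter is keyed on the client address rather than the principal because a spraying client rotates principals while keeping its source.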

base/bif/plugins/Zeek_Login.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

activating_encryption: event

Generated for Telnet sessions when encryption is activated.

authentication_accepted: event

Generated when a Telnet authentication has been successful.

authentication_rejected: event

Generated when a Telnet authentication has been unsuccessful.

authentication_skipped: event

Generated for Telnet/Rlogin sessions when a pattern match indicates that no authentication is performed.

bad_option: event

Generated for an ill-formed or unrecognized Telnet option.

bad_option_termination: event

Generated for a Telnet option that’s incorrectly terminated.

inconsistent_option: event

Generated for an inconsistent Telnet option.

login_confused: event

Generated when tracking of Telnet/Rlogin authentication failed.

login_confused_text: event

Generated after getting confused while tracking a Telnet/Rlogin authentication dialog.

login_display: event

Generated for clients transmitting an X11 DISPLAY in a Telnet session.

login_failure: event

Generated for Telnet/Rlogin login failures.

login_input_line: event

Generated for lines of input on Telnet/Rlogin sessions.

login_output_line: event

Generated for lines of output on Telnet/Rlogin sessions.

login_prompt: event

Generated for clients transmitting a terminal prompt in a Telnet session.

login_success: event

Generated for successful Telnet/Rlogin logins.

login_terminal: event

Generated for clients transmitting a terminal type in a Telnet session.

rsh_reply: event

Generated for server-side reply lines on an RSH connection.

rsh_request: event

Generated for client side commands on an RSH connection.

Detailed Interface
Events
activating_encryption
Type

event (c: connection)

Generated for Telnet sessions when encryption is activated. The Telnet protocol includes options for negotiating encryption. When such a series of options is successfully negotiated, the event engine generates this event.

See Wikipedia for more information about the Telnet protocol.

C

The connection.

authentication_accepted
Type

event (name: string, c: connection)

Generated when a Telnet authentication has been successful. The Telnet protocol includes options for negotiating authentication. When such an option is sent from client to server and the server replies that it accepts the authentication, then the event engine generates this event.

See Wikipedia for more information about the Telnet protocol.

Name

The authenticated name.

C

The connection.

Note

This event inspects the corresponding Telnet option while login_success heuristically determines success by watching session data.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

authentication_rejected
Type

event (name: string, c: connection)

Generated when a Telnet authentication has been unsuccessful. The Telnet protocol includes options for negotiating authentication. When such an option is sent from client to server and the server replies that it did not accept the authentication, then the event engine generates this event.

See Wikipedia for more information about the Telnet protocol.

Name

The attempted authentication name.

C

The connection.

Note

This event inspects the corresponding Telnet option while login_failure heuristically determines failure by watching session data.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

authentication_skipped
Type

event (c: connection)

Generated for Telnet/Rlogin sessions when a pattern match indicates that no authentication is performed.

See Wikipedia for more information about the Telnet protocol.

C

The connection.

Note

The login analyzer depends on a set of script-level variables that need to be configured with patterns identifying activity. This configuration has not yet been ported, and the analyzer is therefore not directly usable at the moment.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

bad_option
Type

event (c: connection)

Generated for an ill-formed or unrecognized Telnet option.

See Wikipedia for more information about the Telnet protocol.

C

The connection.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

bad_option_termination
Type

event (c: connection)

Generated for a Telnet option that’s incorrectly terminated.

See Wikipedia for more information about the Telnet protocol.

C

The connection.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

inconsistent_option
Type

event (c: connection)

Generated for an inconsistent Telnet option. Telnet options are specified by the client and server stating which options they are willing to support vs. which they are not, and then instructing one another which in fact they should or should not use for the current connection. If the event engine sees a peer violate either what the other peer has instructed it to do, or what it itself offered in terms of options in the past, then the engine generates this event.

See Wikipedia for more information about the Telnet protocol.

C

The connection.

login_confused
Type

event (c: connection, msg: string, line: string)

Generated when tracking of Telnet/Rlogin authentication failed. As Zeek’s login analyzer uses a number of heuristics to extract authentication information, it may become confused. If it can no longer correctly track the authentication dialog, it raises this event.

C

The connection.

Msg

Gives the particular problem the heuristics detected (for example, multiple_login_prompts means that the engine saw several login prompts in a row, without the type-ahead from the client side presumed necessary to cause them).

Line

The line of text that caused the heuristics to conclude they were confused.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

login_confused_text
Type

event (c: connection, line: string)

Generated after getting confused while tracking a Telnet/Rlogin authentication dialog. The login analyzer generates this event for every line of user input after it has reported login_confused for a connection.

C

The connection.

Line

The line the user typed.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

login_display
Type

event (c: connection, display: string)

Generated for clients transmitting an X11 DISPLAY in a Telnet session. This information is extracted out of environment variables sent as Telnet options.

C

The connection.

Display

The DISPLAY transmitted.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

login_failure
Type

event (c: connection, user: string, client_user: string, password: string, line: string)

Generated for Telnet/Rlogin login failures. The login analyzer inspects Telnet/Rlogin sessions to heuristically extract username and password information as well as the text returned by the login server. This event is raised if a login attempt appears to have been unsuccessful.

C

The connection.

User

The user name tried.

Client_user

For Telnet connections, this is an empty string, but for Rlogin connections, it is the client name passed in the initial authentication information (to check against .rhosts).

Password

The password tried.

Line

The line of text that led the analyzer to conclude that the authentication had failed.

Note

The login analyzer depends on a set of script-level variables that need to be configured with patterns identifying login attempts. This configuration has not yet been ported, and the analyzer is therefore not directly usable at the moment.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

login_input_line
Type

event (c: connection, line: string)

Generated for lines of input on Telnet/Rlogin sessions. The line will have control characters (such as in-band Telnet options) removed.

C

The connection.

Line

The input line.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

login_output_line
Type

event (c: connection, line: string)

Generated for lines of output on Telnet/Rlogin sessions. The line will have control characters (such as in-band Telnet options) removed.

C

The connection.

Line

The output line.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

login_prompt
Type

event (c: connection, prompt: string)

Generated for clients transmitting a terminal prompt in a Telnet session. This information is extracted out of environment variables sent as Telnet options.

See Wikipedia for more information about the Telnet protocol.

C

The connection.

Prompt

The TTYPROMPT transmitted.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

login_success
Type

event (c: connection, user: string, client_user: string, password: string, line: string)

Generated for successful Telnet/Rlogin logins. The login analyzer inspects Telnet/Rlogin sessions to heuristically extract username and password information as well as the text returned by the login server. This event is raised if a login attempt appears to have been successful.

C

The connection.

User

The user name used.

Client_user

For Telnet connections, this is an empty string, but for Rlogin connections, it is the client name passed in the initial authentication information (to check against .rhosts).

Password

The password used.

Line

The line of text that led the analyzer to conclude that the authentication had succeeded.

Note

The login analyzer depends on a set of script-level variables that need to be configured with patterns identifying login attempts. This configuration has not yet been ported, and the analyzer is therefore not directly usable at the moment.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
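
Putting the Todo above into practice, as an added example that is not part of Zeek's scripts: the Telnet analyzer is registered on 23/tcp with Analyzer::register_for_ports, the pattern sets the login analyzer reads (login_prompts, login_failure_msgs, login_success_msgs and login_timeouts, declared in base/init-bare.zeek) are given a few regular expressions, and login_success, login_failure and login_confused are turned into notices and reporter messages. The port, the patterns, the module name and the notice types are assumptions of the example; the patterns in particular must be adapted to the banners of the systems being monitored, and the password argument is deliberately never written anywhere.

```zeek
@load base/frameworks/notice

module TelnetLogin;

export {
    redef enum Notice::Type += {
        ## A Telnet/Rlogin login appears to have succeeded (heuristic).
        Login_Success,
        ## A Telnet/Rlogin login appears to have failed (heuristic).
        Login_Failure,
    };
}

# Activate the otherwise dormant Telnet analyzer on its standard port.
# Assumption: 23/tcp; add further ports or a DPD signature as needed.
event zeek_init()
    {
    Analyzer::register_for_ports(Analyzer::ANALYZER_TELNET, set(23/tcp));
    }

# Patterns for the heuristic login tracker. Each entry is a regular
# expression matched against session text; these are illustrative only.
redef login_prompts += { "[Ll]ogin:", "[Uu]sername:", "[Pp]assword:" };
redef login_failure_msgs += { "[Ll]ogin incorrect", "[Aa]ccess denied",
                              "[Aa]uthentication failed" };
redef login_success_msgs += { "Last login:", "[Ww]elcome" };
redef login_timeouts += { "[Tt]imed out", "[Tt]imeout" };

event login_success(c: connection, user: string, client_user: string,
                    password: string, line: string)
    {
    # The captured password is intentionally not used anywhere.
    NOTICE([$note=Login_Success, $conn=c,
            $msg=fmt("Telnet/Rlogin login as '%s' (client user '%s')",
                     user, client_user),
            $identifier=cat(c$id$orig_h, c$id$resp_h, user)]);
    }

event login_failure(c: connection, user: string, client_user: string,
                    password: string, line: string)
    {
    NOTICE([$note=Login_Failure, $conn=c,
            $msg=fmt("Telnet/Rlogin login failure for '%s': %s", user, line),
            $identifier=cat(c$id$orig_h, c$id$resp_h, user)]);
    }

event login_confused(c: connection, msg: string, line: string)
    {
    # The heuristics lost track of the dialog; subsequent input lines
    # arrive via login_confused_text rather than login_input_line.
    Reporter::info(fmt("login analyzer confused on %s: %s", c$uid, msg));
    }
```

For Rlogin sessions client_user carries the name the client offered for .rhosts checking, which is why the notices report it alongside the account name; on Telnet it is the empty string as the event description states.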

login_terminal
Type

event (c: connection, terminal: string)

Generated for clients transmitting a terminal type in a Telnet session. This information is extracted out of environment variables sent as Telnet options.

C

The connection.

Terminal

The TERM value transmitted.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

rsh_reply
Type

event (c: connection, client_user: string, server_user: string, line: string)

Generated for client side commands on an RSH connection.

See RFC 1258 for more information about the Rlogin/Rsh protocol.

C

The connection.

Client_user

The client-side user name as sent in the initial protocol handshake.

Server_user

The server-side user name as sent in the initial protocol handshake.

Line

The command line sent in the request.

Note

For historical reasons, these events are separate from the login_ events. Ideally, they would all be handled uniquely.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

rsh_request
Type

event (c: connection, client_user: string, server_user: string, line: string, new_session: bool)

Generated for client side commands on an RSH connection.

See RFC 1258 for more information about the Rlogin/Rsh protocol.

C

The connection.

Client_user

The client-side user name as sent in the initial protocol handshake.

Server_user

The server-side user name as sent in the initial protocol handshake.

Line

The command line sent in the request.

New_session

True if this is the first command of the Rsh session.

Note

For historical reasons, these events are separate from the login_ events. Ideally, they would all be handled uniquely.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

base/bif/plugins/Zeek_Login.functions.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Functions

get_login_state: function

Returns the state of the given login (Telnet or Rlogin) connection.

set_login_state: function

Sets the login state of a connection with a login analyzer.

Detailed Interface
Functions
get_login_state
Type

function (cid: conn_id) : count

Returns the state of the given login (Telnet or Rlogin) connection.

Cid

The connection ID.

Returns

False if the connection is not active or is not tagged as a login analyzer. Otherwise the function returns the state, which can be one of:

  • LOGIN_STATE_AUTHENTICATE: The connection is in its initial authentication dialog.

  • LOGIN_STATE_LOGGED_IN: The analyzer believes the user has successfully authenticated.

  • LOGIN_STATE_SKIP: The analyzer has skipped any further processing of the connection.

  • LOGIN_STATE_CONFUSED: The analyzer has concluded that it does not correctly know the state of the connection, and/or the username associated with it.

set_login_state
Type

function (cid: conn_id, new_state: count) : bool

Sets the login state of a connection with a login analyzer.

Cid

The connection ID.

New_state

The new state of the login analyzer. See get_login_state for possible values.

Returns

Returns false if cid is not an active connection or is not tagged as a login analyzer, and true otherwise.

base/bif/plugins/Zeek_MIME.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

mime_all_data: event

Generated for passing on all data decoded from a single email MIME message.

mime_all_headers: event

Generated for MIME headers extracted from email MIME entities, passing all headers at once.

mime_begin_entity: event

Generated when starting to parse an email MIME entity.

mime_content_hash: event

Generated for decoded MIME entities extracted from email messages, passing on their MD5 checksums.

mime_end_entity: event

Generated when finishing parsing an email MIME entity.

mime_entity_data: event

Generated for data decoded from an email MIME entity.

mime_event: event

Generated for errors found when decoding email MIME entities.

mime_one_header: event

Generated for individual MIME headers extracted from email MIME entities.

mime_segment_data: event

Generated for chunks of decoded MIME data from email MIME entities.

Detailed Interface
Events
mime_all_data
Type

event (c: connection, length: count, data: string)

Generated for passing on all data decoded from a single email MIME message. If an email message has more than one MIME entity, this event combines all their data into a single value for analysis. Note that because of the potentially significant buffering necessary, using this event can be expensive.

Zeek’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.

C

The connection.

Length

The length of data.

Data

The raw data of all MIME entities concatenated.

Note

While Zeek also decodes MIME entities extracted from HTTP sessions, there’s no corresponding event for that currently.

mime_all_headers
Type

event (c: connection, hlist: mime_header_list)

Generated for MIME headers extracted from email MIME entities, passing all headers at once. MIME is a protocol-independent data format for encoding text and files, along with corresponding metadata, for transmission.

Zeek’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.

C

The connection.

Hlist

A table containing all headers extracted from the current entity. The table is indexed by the position of the header (1 for the first, 2 for the second, etc.).

Note

Zeek also extracts MIME headers from HTTP sessions. For those, however, it raises http_header instead.

mime_begin_entity
Type

event (c: connection)

Generated when starting to parse an email MIME entity. MIME is a protocol-independent data format for encoding text and files, along with corresponding metadata, for transmission. Zeek raises this event when it begins parsing a MIME entity extracted from an email protocol.

Zeek’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.

C

The connection.

Note

Zeek also extracts MIME entities from HTTP sessions. For those, however, it raises http_begin_entity instead.

mime_content_hash
Type

event (c: connection, content_len: count, hash_value: string)

Generated for decoded MIME entities extracted from email messages, passing on their MD5 checksums. Zeek computes the MD5 over the complete decoded data of each MIME entity.

Zeek’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.

C

The connection.

Content_len

The length of the entity being hashed.

Hash_value

The MD5 hash.

Note

While Zeek also decodes MIME entities extracted from HTTP sessions, there’s no corresponding event for that currently.

mime_end_entity
Type

event (c: connection)

Generated when finishing parsing an email MIME entity. MIME is a protocol-independent data format for encoding text and files, along with corresponding metadata, for transmission. Zeek raises this event when it has finished parsing a MIME entity extracted from an email protocol.

Zeek’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.

C

The connection.

Note

Zeek also extracts MIME entities from HTTP sessions. For those, however, it raises http_end_entity instead.

mime_entity_data
Type

event (c: connection, length: count, data: string)

Generated for data decoded from an email MIME entity. This event delivers the complete content of a single MIME entity with the quoted-printable and base64 data decoded. In contrast, there is also mime_segment_data, which passes on a sequence of data chunks as they come in. While mime_entity_data is more convenient to handle, mime_segment_data is more efficient as Zeek does not need to buffer the data. Thus, if possible, the latter should be preferred.

Zeek’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.

C

The connection.

Length

The length of data.

Data

The raw data of the complete entity.

Note

While Zeek also decodes MIME entities extracted from HTTP sessions, there’s no corresponding event for that currently.

mime_event
Type

event (c: connection, event_type: string, detail: string)

Generated for errors found when decoding email MIME entities.

Zeek’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.

C

The connection.

Event_type

A string describing the general category of the problem found (e.g., illegal format).

Detail

A more detailed description of the error.

Note

Zeek also extracts MIME headers from HTTP sessions. For those, however, it raises http_event instead.

mime_one_header
Type

event (c: connection, h: mime_header_rec)

Generated for individual MIME headers extracted from email MIME entities. MIME is a protocol-independent data format for encoding text and files, along with corresponding metadata, for transmission.

Zeek’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.

C

The connection.

H

The parsed MIME header.

Note

Zeek also extracts MIME headers from HTTP sessions. For those, however, it raises http_header instead.

mime_segment_data
Type

event (c: connection, length: count, data: string)

Generated for chunks of decoded MIME data from email MIME entities. MIME is a protocol-independent data format for encoding text and files, along with corresponding metadata, for transmission. As Zeek parses the data of an entity, it raises a sequence of these events, each coming as soon as a new chunk of data is available. In contrast, there is also mime_entity_data, which passes all of an entity's data at once in a single block. While the latter is more convenient to handle, mime_segment_data is more efficient as Zeek does not need to buffer the data. Thus, if possible, this event should be preferred.

Zeek’s MIME analyzer for emails currently supports SMTP and POP3. See Wikipedia for more information about MIME.

C

The connection.

Length

The length of data.

Data

The raw data of one segment of the current entity.

Note

Zeek also extracts MIME data from HTTP sessions. For those, however, it raises http_entity_data (sic!) instead.
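The streaming pattern recommended above for mime_segment_data, as an added example script that is not part of Zeek's own scripts: it computes a SHA-256 digest of each email MIME entity chunk by chunk (mime_content_hash only provides MD5) and raises a notice when the digest is on a watchlist. The module name, notice type and the watchlist entry are constructed for the example; the hash builtins (sha256_hash_init/update/finish) and the mime_header_rec fields name and value are Zeek's.

```zeek
##! Added example (not part of Zeek's own scripts): hash each email MIME
##! entity incrementally from mime_segment_data instead of buffering it via
##! mime_entity_data, and raise a notice when the digest is on a watchlist.

@load base/frameworks/notice

module MimeWatch;

export {
	redef enum Notice::Type += {
		## A MIME entity whose SHA-256 matched the watchlist.
		Watchlisted_Attachment,
	};

	## Constructed placeholder digests; replace with real intelligence.
	## The entry below is the SHA-256 of an empty entity, for demonstration.
	const watchlist: set[string] = {
		"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
	} &redef;
}

type EntityState: record {
	sha256:      opaque of sha256;
	len:         count &default=0;
	disposition: string &default="<none>";
};

## State for the entity currently being parsed on each connection.
global entities: table[conn_id] of EntityState;

event mime_begin_entity(c: connection)
	{
	# Start a fresh streaming digest for this entity.
	entities[c$id] = EntityState($sha256=sha256_hash_init());
	}

event mime_one_header(c: connection, h: mime_header_rec)
	{
	if ( c$id !in entities )
		return;

	# Keep the Content-Disposition header (filename hint) for the notice.
	if ( to_lower(h$name) == "content-disposition" )
		entities[c$id]$disposition = h$value;
	}

event mime_segment_data(c: connection, length: count, data: string)
	{
	if ( c$id !in entities )
		return;

	# Feed each decoded chunk into the running digest; nothing is buffered.
	sha256_hash_update(entities[c$id]$sha256, data);
	entities[c$id]$len += length;
	}

event mime_end_entity(c: connection)
	{
	if ( c$id !in entities )
		return;

	local st = entities[c$id];
	delete entities[c$id];

	local digest = sha256_hash_finish(st$sha256);

	if ( digest in watchlist )
		NOTICE([$note=Watchlisted_Attachment,
		        $msg=fmt("MIME entity (%d bytes, %s) matched watchlist: %s",
		                 st$len, st$disposition, digest),
		        $conn=c,
		        $identifier=cat(c$id$orig_h, digest)]);
	}

event connection_state_remove(c: connection)
	{
	# Drop state for connections that ended in the middle of an entity.
	delete entities[c$id];
	}
```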

base/bif/plugins/Zeek_Modbus.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

modbus_exception: event

Generated for any Modbus exception message.

modbus_mask_write_register_request: event

Generated for a Modbus mask write register request.

modbus_mask_write_register_response: event

Generated for a Modbus mask write register response.

modbus_message: event

Generated for any Modbus message, regardless of whether the particular function is otherwise supported.

modbus_read_coils_request: event

Generated for a Modbus read coils request.

modbus_read_coils_response: event

Generated for a Modbus read coils response.

modbus_read_discrete_inputs_request: event

Generated for a Modbus read discrete inputs request.

modbus_read_discrete_inputs_response: event

Generated for a Modbus read discrete inputs response.

modbus_read_fifo_queue_request: event

Generated for a Modbus read FIFO queue request.

modbus_read_fifo_queue_response: event

Generated for a Modbus read FIFO queue response.

modbus_read_file_record_request: event

Generated for a Modbus read file record request.

modbus_read_file_record_response: event

Generated for a Modbus read file record response.

modbus_read_holding_registers_request: event

Generated for a Modbus read holding registers request.

modbus_read_holding_registers_response: event

Generated for a Modbus read holding registers response.

modbus_read_input_registers_request: event

Generated for a Modbus read input registers request.

modbus_read_input_registers_response: event

Generated for a Modbus read input registers response.

modbus_read_write_multiple_registers_request: event

Generated for a Modbus read/write multiple registers request.

modbus_read_write_multiple_registers_response: event

Generated for a Modbus read/write multiple registers response.

modbus_write_file_record_request: event

Generated for a Modbus write file record request.

modbus_write_file_record_response: event

Generated for a Modbus write file record response.

modbus_write_multiple_coils_request: event

Generated for a Modbus write multiple coils request.

modbus_write_multiple_coils_response: event

Generated for a Modbus write multiple coils response.

modbus_write_multiple_registers_request: event

Generated for a Modbus write multiple registers request.

modbus_write_multiple_registers_response: event

Generated for a Modbus write multiple registers response.

modbus_write_single_coil_request: event

Generated for a Modbus write single coil request.

modbus_write_single_coil_response: event

Generated for a Modbus write single coil response.

modbus_write_single_register_request: event

Generated for a Modbus write single register request.

modbus_write_single_register_response: event

Generated for a Modbus write single register response.

Detailed Interface
Events
modbus_exception
Type

event (c: connection, headers: ModbusHeaders, code: count)

Generated for any Modbus exception message.

C

The connection.

Headers

The headers for the modbus function.

Code

The exception code.

modbus_mask_write_register_request
Type

event (c: connection, headers: ModbusHeaders, address: count, and_mask: count, or_mask: count)

Generated for a Modbus mask write register request.

C

The connection.

Headers

The headers for the modbus function.

Address

The memory address of the register where the masks should be applied.

And_mask

The value of the logical AND mask to apply to the register.

Or_mask

The value of the logical OR mask to apply to the register.

modbus_mask_write_register_response
Type

event (c: connection, headers: ModbusHeaders, address: count, and_mask: count, or_mask: count)

Generated for a Modbus mask write register response.

C

The connection.

Headers

The headers for the modbus function.

Address

The memory address of the register where the masks were applied.

And_mask

The value of the logical AND mask applied to the register.

Or_mask

The value of the logical OR mask applied to the register.

modbus_message
Type

event (c: connection, headers: ModbusHeaders, is_orig: bool)

Generated for any Modbus message, regardless of whether the particular function is otherwise supported.

C

The connection.

Headers

The headers for the modbus function.

Is_orig

True if the event is raised for the originator side.

modbus_read_coils_request
Type

event (c: connection, headers: ModbusHeaders, start_address: count, quantity: count)

Generated for a Modbus read coils request.

C

The connection.

Headers

The headers for the modbus function.

Start_address

The memory address of the first coil to be read.

Quantity

The number of coils to be read.

modbus_read_coils_response
Type

event (c: connection, headers: ModbusHeaders, coils: ModbusCoils)

Generated for a Modbus read coils response.

C

The connection.

Headers

The headers for the modbus function.

Coils

The coil values returned from the device.

modbus_read_discrete_inputs_request
Type

event (c: connection, headers: ModbusHeaders, start_address: count, quantity: count)

Generated for a Modbus read discrete inputs request.

C

The connection.

Headers

The headers for the modbus function.

Start_address

The memory address of the first coil to be read.

Quantity

The number of coils to be read.

modbus_read_discrete_inputs_response
Type

event (c: connection, headers: ModbusHeaders, coils: ModbusCoils)

Generated for a Modbus read discrete inputs response.

C

The connection.

Headers

The headers for the modbus function.

Coils

The coil values returned from the device.

modbus_read_fifo_queue_request
Type

event (c: connection, headers: ModbusHeaders, start_address: count)

Generated for a Modbus read FIFO queue request.

C

The connection.

Headers

The headers for the modbus function.

Start_address

The address of the FIFO queue to read.

modbus_read_fifo_queue_response
Type

event (c: connection, headers: ModbusHeaders, fifos: ModbusRegisters)

Generated for a Modbus read FIFO queue response.

C

The connection.

Headers

The headers for the modbus function.

Fifos

The register values read from the FIFO queue on the device.

modbus_read_file_record_request
Type

event (c: connection, headers: ModbusHeaders)

Generated for a Modbus read file record request.

C

The connection.

Headers

The headers for the modbus function.

modbus_read_file_record_response
Type

event (c: connection, headers: ModbusHeaders)

Generated for a Modbus read file record response.

C

The connection.

Headers

The headers for the modbus function.

modbus_read_holding_registers_request
Type

event (c: connection, headers: ModbusHeaders, start_address: count, quantity: count)

Generated for a Modbus read holding registers request.

C

The connection.

Headers

The headers for the modbus function.

Start_address

The memory address of the first register to be read.

Quantity

The number of registers to be read.

modbus_read_holding_registers_response
Type

event (c: connection, headers: ModbusHeaders, registers: ModbusRegisters)

Generated for a Modbus read holding registers response.

C

The connection.

Headers

The headers for the modbus function.

Registers

The register values returned from the device.

modbus_read_input_registers_request
Type

event (c: connection, headers: ModbusHeaders, start_address: count, quantity: count)

Generated for a Modbus read input registers request.

C

The connection.

Headers

The headers for the modbus function.

Start_address

The memory address of the first register to be read.

Quantity

The number of registers to be read.

modbus_read_input_registers_response
Type

event (c: connection, headers: ModbusHeaders, registers: ModbusRegisters)

Generated for a Modbus read input registers response.

C

The connection.

Headers

The headers for the modbus function.

Registers

The register values returned from the device.

modbus_read_write_multiple_registers_request
Type

event (c: connection, headers: ModbusHeaders, read_start_address: count, read_quantity: count, write_start_address: count, write_registers: ModbusRegisters)

Generated for a Modbus read/write multiple registers request.

C

The connection.

Headers

The headers for the modbus function.

Read_start_address

The memory address of the first register to be read.

Read_quantity

The number of registers to read.

Write_start_address

The memory address of the first register to be written.

Write_registers

The values to be written to the registers.

modbus_read_write_multiple_registers_response
Type

event (c: connection, headers: ModbusHeaders, written_registers: ModbusRegisters)

Generated for a Modbus read/write multiple registers response.

C

The connection.

Headers

The headers for the modbus function.

Written_registers

The register values read from the registers specified in the request.

modbus_write_file_record_request
Type

event (c: connection, headers: ModbusHeaders)

Generated for a Modbus write file record request.

C

The connection.

Headers

The headers for the modbus function.

modbus_write_file_record_response
Type

event (c: connection, headers: ModbusHeaders)

Generated for a Modbus write file record response.

C

The connection.

Headers

The headers for the modbus function.

modbus_write_multiple_coils_request
Type

event (c: connection, headers: ModbusHeaders, start_address: count, coils: ModbusCoils)

Generated for a Modbus write multiple coils request.

C

The connection.

Headers

The headers for the modbus function.

Start_address

The memory address of the first coil to be written.

Coils

The values to be written to the coils.

modbus_write_multiple_coils_response
Type

event (c: connection, headers: ModbusHeaders, start_address: count, quantity: count)

Generated for a Modbus write multiple coils response.

C

The connection.

Headers

The headers for the modbus function.

Start_address

The memory address of the first coil that was written.

Quantity

The quantity of coils that were written.

modbus_write_multiple_registers_request
Type

event (c: connection, headers: ModbusHeaders, start_address: count, registers: ModbusRegisters)

Generated for a Modbus write multiple registers request.

C

The connection.

Headers

The headers for the modbus function.

Start_address

The memory address of the first register to be written.

Registers

The values to be written to the registers.

modbus_write_multiple_registers_response
Type

event (c: connection, headers: ModbusHeaders, start_address: count, quantity: count)

Generated for a Modbus write multiple registers response.

C

The connection.

Headers

The headers for the modbus function.

Start_address

The memory address of the first register that was written.

Quantity

The quantity of registers that were written.

modbus_write_single_coil_request
Type

event (c: connection, headers: ModbusHeaders, address: count, value: bool)

Generated for a Modbus write single coil request.

C

The connection.

Headers

The headers for the modbus function.

Address

The memory address of the coil to be written.

Value

The value to be written to the coil.

modbus_write_single_coil_response
Type

event (c: connection, headers: ModbusHeaders, address: count, value: bool)

Generated for a Modbus write single coil response.

C

The connection.

Headers

The headers for the modbus function.

Address

The memory address of the coil that was written.

Value

The value that was written to the coil.

modbus_write_single_register_request
Type

event (c: connection, headers: ModbusHeaders, address: count, value: count)

Generated for a Modbus write single register request.

C

The connection.

Headers

The headers for the modbus function.

Address

The memory address of the register to be written.

Value

The value to be written to the register.

modbus_write_single_register_response
Type

event (c: connection, headers: ModbusHeaders, address: count, value: count)

Generated for a Modbus write single register response.

C

The connection.

Headers

The headers for the modbus function.

Address

The memory address of the register that was written.

Value

The value that was written to the register.
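An added monitoring script (not Zeek's own) built on the Modbus write request events above: it raises a notice when a write request originates from a host outside an allowlist, and decodes the AND/OR mask semantics of modbus_mask_write_register_request using the Modbus formula result = (current AND and_mask) OR (or_mask AND NOT and_mask). The module name, notice type and allowlist addresses are constructed for the example; the event signatures and the ModbusCoils/ModbusRegisters vector types are Zeek's.

```zeek
##! Added example (not part of Zeek's own scripts): notice on Modbus write
##! requests from hosts outside an allowlist, and decode mask-write semantics.

@load base/frameworks/notice

module ModbusWriteWatch;

export {
	redef enum Notice::Type += {
		## A Modbus write request came from an unexpected originator.
		Unexpected_Writer,
	};

	## Hosts expected to write to PLCs (constructed placeholder addresses).
	const allowed_writers: set[addr] = { 10.0.0.5, 10.0.0.6 } &redef;
}

## Register value a mask-write request leaves behind when the register
## currently holds `current`, per the Modbus specification:
##   result = (current AND and_mask) OR (or_mask AND NOT and_mask)
## Registers are 16 bits wide, so the complement is truncated accordingly.
function mask_write_result(current: count, and_mask: count, or_mask: count): count
	{
	return (current & and_mask) | (or_mask & (~and_mask & 0xFFFF));
	}

function check_writer(c: connection, what: string, detail: string)
	{
	if ( c$id$orig_h in allowed_writers )
		return;

	NOTICE([$note=Unexpected_Writer,
	        $msg=fmt("Modbus %s from %s to %s: %s",
	                 what, c$id$orig_h, c$id$resp_h, detail),
	        $conn=c,
	        $identifier=cat(c$id$orig_h, c$id$resp_h, what)]);
	}

event modbus_write_single_coil_request(c: connection, headers: ModbusHeaders,
                                       address: count, value: bool)
	{
	check_writer(c, "write_single_coil", fmt("coil %d := %s", address, value));
	}

event modbus_write_single_register_request(c: connection, headers: ModbusHeaders,
                                           address: count, value: count)
	{
	check_writer(c, "write_single_register",
	             fmt("register %d := %d", address, value));
	}

event modbus_write_multiple_coils_request(c: connection, headers: ModbusHeaders,
                                          start_address: count, coils: ModbusCoils)
	{
	check_writer(c, "write_multiple_coils",
	             fmt("%d coils starting at %d", |coils|, start_address));
	}

event modbus_write_multiple_registers_request(c: connection, headers: ModbusHeaders,
                                              start_address: count,
                                              registers: ModbusRegisters)
	{
	check_writer(c, "write_multiple_registers",
	             fmt("%d registers starting at %d", |registers|, start_address));
	}

event modbus_mask_write_register_request(c: connection, headers: ModbusHeaders,
                                         address: count, and_mask: count,
                                         or_mask: count)
	{
	# Bits cleared in and_mask take the value of the matching or_mask bit
	# regardless of current contents; show what a zeroed register would become.
	local forced = mask_write_result(0, and_mask, or_mask);
	check_writer(c, "mask_write_register",
	             fmt("register %d and=0x%x or=0x%x (forces bits 0x%x)",
	                 address, and_mask, or_mask, forced));
	}
```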

base/bif/plugins/Zeek_MQTT.types.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Detailed Interface

base/bif/plugins/Zeek_MQTT.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

mqtt_connack: event

Generated for MQTT acknowledge connection messages

mqtt_connect: event

Generated for MQTT “client requests a connection” messages

mqtt_disconnect: event

Generated for MQTT disconnect messages sent by the client when it is disconnecting cleanly.

mqtt_pingreq: event

Generated for MQTT ping requests sent by the client.

mqtt_pingresp: event

Generated for MQTT ping responses sent by the server.

mqtt_puback: event

Generated for MQTT publish acknowledgement messages

mqtt_pubcomp: event

Generated for MQTT publish complete messages (QoS 2 publish received, part 3)

mqtt_publish: event

Generated for MQTT publish messages

mqtt_pubrec: event

Generated for MQTT publish received messages (QoS 2 publish received, part 1)

mqtt_pubrel: event

Generated for MQTT publish release messages (QoS 2 publish received, part 2)

mqtt_suback: event

Generated for MQTT subscribe acknowledgement messages

mqtt_subscribe: event

Generated for MQTT subscribe messages

mqtt_unsuback: event

Generated for MQTT unsubscribe acknowledgements sent by the server

mqtt_unsubscribe: event

Generated for MQTT unsubscribe messages sent by the client

Detailed Interface
Events
mqtt_connack
Type

event (c: connection, msg: MQTT::ConnectAckMsg)

Generated for MQTT acknowledge connection messages

C

The connection

Msg

MQTT connect ack message fields.

mqtt_connect
Type

event (c: connection, msg: MQTT::ConnectMsg)

Generated for MQTT “client requests a connection” messages

C

The connection

Msg

MQTT connect message fields.

mqtt_disconnect
Type

event (c: connection)

Generated for MQTT disconnect messages sent by the client when it is disconnecting cleanly.

C

The connection

mqtt_pingreq
Type

event (c: connection)

Generated for MQTT ping requests sent by the client.

C

The connection

mqtt_pingresp
Type

event (c: connection)

Generated for MQTT ping responses sent by the server.

C

The connection

mqtt_puback
Type

event (c: connection, is_orig: bool, msg_id: count)

Generated for MQTT publish acknowledgement messages

C

The connection

Is_orig

Direction in which the message was sent

Msg_id

The id value for the message.

mqtt_pubcomp
Type

event (c: connection, is_orig: bool, msg_id: count)

Generated for MQTT publish complete messages (QoS 2 publish received, part 3)

C

The connection

Is_orig

Direction in which the message was sent

Msg_id

The id value for the message.

mqtt_publish
Type

event (c: connection, is_orig: bool, msg_id: count, msg: MQTT::PublishMsg)

Generated for MQTT publish messages

C

The connection

Is_orig

Direction in which the message was sent

Msg

The MQTT publish message record.

mqtt_pubrec
Type

event (c: connection, is_orig: bool, msg_id: count)

Generated for MQTT publish received messages (QoS 2 publish received, part 1)

C

The connection

Is_orig

Direction in which the message was sent

Msg_id

The id value for the message.

mqtt_pubrel
Type

event (c: connection, is_orig: bool, msg_id: count)

Generated for MQTT publish release messages (QoS 2 publish received, part 2)

C

The connection

Is_orig

Direction in which the message was sent

Msg_id

The id value for the message.

mqtt_suback
Type

event (c: connection, msg_id: count, granted_qos: count)

Generated for MQTT subscribe acknowledgement messages

C

The connection

Is_orig

Direction in which the message was sent

Msg_id

The id value for the message.

mqtt_subscribe
Type

event (c: connection, msg_id: count, topics: string_vec, requested_qos: index_vec)

Generated for MQTT subscribe messages

C

The connection

Is_orig

Direction in which the message was sent

Msg_id

The id value for the message.

Topics

The topics being subscribed to

Requested_qos

The desired QoS option associated with each topic.

mqtt_unsuback
Type

event (c: connection, msg_id: count)

Generated for MQTT unsubscribe acknowledgements sent by the server

C

The connection

Msg_id

The id value for the message.

mqtt_unsubscribe
Type

event (c: connection, msg_id: count, topics: string_vec)

Generated for MQTT unsubscribe messages sent by the client

C

The connection

Msg_id

The id value for the message.

Topics

The topics being unsubscribed from
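The three-part QoS 2 exchange referenced by mqtt_pubrec, mqtt_pubrel and mqtt_pubcomp above, as an added example script that is not part of Zeek's own scripts: it follows each QoS 2 publish through pubrec, pubrel and pubcomp by message id and records how many exchanges were left incomplete when the connection ended. The module name and state table are constructed for the example; it assumes the MQTT::PublishMsg record carries a qos field, as in Zeek's MQTT type definitions.

```zeek
##! Added example (not part of Zeek's own scripts): track the MQTT QoS 2
##! exchange (publish -> pubrec -> pubrel -> pubcomp) per message id and
##! count the exchanges still outstanding when a connection ends.

module MqttQos2;

export {
	## Stages of the QoS 2 exchange, in protocol order.
	type Stage: enum { PUBLISHED, PUBREC_SEEN, PUBREL_SEEN, COMPLETE };

	## Number of incomplete QoS 2 exchanges per finished connection (by uid).
	global incomplete: table[string] of count &default=0;
}

## Outstanding exchanges, keyed by connection uid and then message id.
global pending: table[string] of table[count] of Stage;

event mqtt_publish(c: connection, is_orig: bool, msg_id: count, msg: MQTT::PublishMsg)
	{
	# Only QoS 2 uses the four-step exchange; QoS 0 and 1 finish earlier.
	if ( msg$qos != 2 )
		return;

	if ( c$uid !in pending )
		pending[c$uid] = table();

	pending[c$uid][msg_id] = PUBLISHED;
	}

## Move an exchange to `next` only if it is currently at `expected`, so
## duplicated or out-of-order control packets do not skip a stage.
function advance(c: connection, msg_id: count, expected: Stage, next: Stage)
	{
	if ( c$uid !in pending || msg_id !in pending[c$uid] )
		return;

	if ( pending[c$uid][msg_id] == expected )
		pending[c$uid][msg_id] = next;
	}

event mqtt_pubrec(c: connection, is_orig: bool, msg_id: count)
	{
	# Part 1: receiver acknowledges that it has stored the publish.
	advance(c, msg_id, PUBLISHED, PUBREC_SEEN);
	}

event mqtt_pubrel(c: connection, is_orig: bool, msg_id: count)
	{
	# Part 2: sender releases the message for delivery.
	advance(c, msg_id, PUBREC_SEEN, PUBREL_SEEN);
	}

event mqtt_pubcomp(c: connection, is_orig: bool, msg_id: count)
	{
	# Part 3: receiver confirms completion; the exchange can be forgotten.
	advance(c, msg_id, PUBREL_SEEN, COMPLETE);

	if ( c$uid in pending && msg_id in pending[c$uid] &&
	     pending[c$uid][msg_id] == COMPLETE )
		delete pending[c$uid][msg_id];
	}

event connection_state_remove(c: connection)
	{
	# Whatever is still pending at teardown never completed.
	if ( c$uid in pending )
		{
		incomplete[c$uid] = |pending[c$uid]|;
		delete pending[c$uid];
		}
	}
```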

base/bif/plugins/Zeek_MySQL.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

mysql_command_request: event

Generated for a command request from a MySQL client.

mysql_error: event

Generated for an unsuccessful MySQL response.

mysql_handshake: event

Generated for a client handshake response packet, which includes the username the client is attempting to connect as.

mysql_ok: event

Generated for a successful MySQL response.

mysql_result_row: event

Generated for each MySQL ResultsetRow response packet.

mysql_server_version: event

Generated for the initial server handshake packet, which includes the MySQL server version.

Detailed Interface
Events
mysql_command_request
Type

event (c: connection, command: count, arg: string)

Generated for a command request from a MySQL client.

See the MySQL documentation for more information about the MySQL protocol.

C

The connection.

Command

The numerical code of the command issued.

Arg

The argument for the command (empty string if not provided).

mysql_error
Type

event (c: connection, code: count, msg: string)

Generated for an unsuccessful MySQL response.

See the MySQL documentation for more information about the MySQL protocol.

C

The connection.

Code

The error code.

Msg

Any extra details about the error (empty string if not provided).

mysql_handshake
Type

event (c: connection, username: string)

Generated for a client handshake response packet, which includes the username the client is attempting to connect as.

See the MySQL documentation for more information about the MySQL protocol.

C

The connection.

Username

The username supplied by the client

mysql_ok
Type

event (c: connection, affected_rows: count)

Generated for a successful MySQL response.

See the MySQL documentation for more information about the MySQL protocol.

C

The connection.

Affected_rows

The number of rows that were affected.

mysql_result_row
Type

event (c: connection, row: string_vec)

Generated for each MySQL ResultsetRow response packet.

See the MySQL documentation for more information about the MySQL protocol.

C

The connection.

Row

The result row data.

mysql_server_version
Type

event (c: connection, ver: string)

Generated for the initial server handshake packet, which includes the MySQL server version.

See the MySQL documentation for more information about the MySQL protocol.

C

The connection.

Ver

The server version string.

base/bif/plugins/Zeek_NCP.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

ncp_reply: event

Generated for NCP replies (Netware Core Protocol).

ncp_request: event

Generated for NCP requests (Netware Core Protocol).

Detailed Interface
Events
ncp_reply
Type

event (c: connection, frame_type: count, length: count, req_frame: count, req_func: count, completion_code: count)

Generated for NCP replies (Netware Core Protocol).

See Wikipedia for more information about the NCP protocol.

C

The connection.

Frame_type

The frame type, as specified by the protocol.

Length

The length of the request body, excluding the frame header.

Req_frame

The frame type from the corresponding request.

Req_func

The function code from the corresponding request.

Completion_code

The reply’s completion code, as specified by the protocol.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

ncp_request
Type

event (c: connection, frame_type: count, length: count, func: count)

Generated for NCP requests (Netware Core Protocol).

See Wikipedia for more information about the NCP protocol.

C

The connection.

Frame_type

The frame type, as specified by the protocol.

Length

The length of the request body, excluding the frame header.

Func

The requested function, as specified by the protocol.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

base/bif/plugins/Zeek_NCP.consts.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Detailed Interface

base/bif/plugins/Zeek_NetBIOS.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

netbios_session_accepted: event

Generated for NetBIOS messages of type positive session response.

netbios_session_keepalive: event

Generated for NetBIOS messages of type keep-alive.

netbios_session_message: event

Generated for all NetBIOS SSN and DGM messages.

netbios_session_raw_message: event

Generated for NetBIOS messages of type session message that are not carrying an SMB payload.

netbios_session_rejected: event

Generated for NetBIOS messages of type negative session response.

netbios_session_request: event

Generated for NetBIOS messages of type session request.

netbios_session_ret_arg_resp: event

Generated for NetBIOS messages of type retarget response.

Detailed Interface
Events
netbios_session_accepted
Type

event (c: connection, msg: string)

Generated for NetBIOS messages of type positive session response. Zeek’s NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.

See Wikipedia for more information about NetBIOS. RFC 1002 describes the packet format for NetBIOS over TCP/IP, which Zeek parses.

C

The connection, which may be TCP or UDP, depending on the type of the NetBIOS session.

Msg

The raw payload of the message sent, excluding the common NetBIOS header.

Note

These days, NetBIOS is primarily used as a transport mechanism for SMB/CIFS. Zeek’s SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

netbios_session_keepalive
Type

event (c: connection, msg: string)

Generated for NetBIOS messages of type keep-alive. Zeek’s NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.

See Wikipedia for more information about NetBIOS. RFC 1002 describes the packet format for NetBIOS over TCP/IP, which Zeek parses.

C

The connection, which may be TCP or UDP, depending on the type of the NetBIOS session.

Msg

The raw payload of the message sent, excluding the common NetBIOS header.

Note

These days, NetBIOS is primarily used as a transport mechanism for SMB/CIFS. Zeek’s SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

netbios_session_message
Type

event (c: connection, is_orig: bool, msg_type: count, data_len: count)

Generated for all NetBIOS SSN and DGM messages. Zeek’s NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.

See Wikipedia for more information about NetBIOS. RFC 1002 describes the packet format for NetBIOS over TCP/IP, which Zeek parses.

C

The connection, which may be TCP or UDP, depending on the type of the NetBIOS session.

Is_orig

True if the message was sent by the originator of the connection.

Msg_type

The general type of message, as defined in Section 4.3.1 of RFC 1002.

Data_len

The length of the message’s payload.

Note

These days, NetBIOS is primarily used as a transport mechanism for SMB/CIFS. Zeek’s SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

netbios_session_raw_message
Type

event (c: connection, is_orig: bool, msg: string)

Generated for NetBIOS messages of type session message that are not carrying an SMB payload.

Zeek’s NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.

See Wikipedia for more information about NetBIOS. RFC 1002 describes the packet format for NetBIOS over TCP/IP, which Zeek parses.

C

The connection, which may be TCP or UDP, depending on the type of the NetBIOS session.

Is_orig

True if the message was sent by the originator of the connection.

Msg

The raw payload of the message sent, excluding the common NetBIOS header (i.e., the user_data).

Note

These days, NetBIOS is primarily used as a transport mechanism for SMB/CIFS. Zeek’s SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.

Todo

This is an oddly named event. In fact, it’s probably an odd event to have to begin with.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

netbios_session_rejected
Type

event (c: connection, msg: string)

Generated for NetBIOS messages of type negative session response. Zeek’s NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.

See Wikipedia for more information about NetBIOS. RFC 1002 describes the packet format for NetBIOS over TCP/IP, which Zeek parses.

C

The connection, which may be TCP or UDP, depending on the type of the NetBIOS session.

Msg

The raw payload of the message sent, excluding the common NetBIOS header.

Note

These days, NetBIOS is primarily used as a transport mechanism for SMB/CIFS. Zeek’s SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

netbios_session_request
Type

event (c: connection, msg: string)

Generated for NetBIOS messages of type session request. Zeek’s NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.

See Wikipedia for more information about NetBIOS. RFC 1002 describes the packet format for NetBIOS over TCP/IP, which Zeek parses.

C

The connection, which may be TCP or UDP, depending on the type of the NetBIOS session.

Msg

The raw payload of the message sent, excluding the common NetBIOS header.

Note

These days, NetBIOS is primarily used as a transport mechanism for SMB/CIFS. Zeek’s SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

netbios_session_ret_arg_resp
Type

event (c: connection, msg: string)

Generated for NetBIOS messages of type retarget response. Zeek’s NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.

See Wikipedia for more information about NetBIOS. RFC 1002 describes the packet format for NetBIOS over TCP/IP, which Zeek parses.

C

The connection, which may be TCP or UDP, depending on the type of the NetBIOS session.

Msg

The raw payload of the message sent, excluding the common NetBIOS header.

Note

These days, NetBIOS is primarily used as a transport mechanism for SMB/CIFS. Zeek’s SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.

Todo

This is an oddly named event.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

base/bif/plugins/Zeek_NetBIOS.functions.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Functions

decode_netbios_name: function

Decode a NetBIOS name.

decode_netbios_name_type: function

Converts a NetBIOS name type to its corresponding numeric value.

Detailed Interface
Functions
decode_netbios_name
Type

function (name: string) : string

Decode a NetBIOS name. See https://jeffpar.github.io/kbarchive/kb/194/Q194203/.

Name

The encoded NetBIOS name, e.g., "FEEIEFCAEOEFFEECEJEPFDCAEOEBENEF".

Returns

The decoded NetBIOS name, e.g., "THE NETBIOS NAM". An empty string is returned if the argument is not a valid NetBIOS encoding (though an encoding that would decode to something that includes only null-bytes or space-characters also yields an empty string).

decode_netbios_name_type
Type

function (name: string) : count

Converts a NetBIOS name type to its corresponding numeric value. See https://en.wikipedia.org/wiki/NetBIOS#NetBIOS_Suffixes.

Name

An encoded NetBIOS name.

Returns

The numeric value of name or 256 if it’s not a valid encoding.
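
The payload of a NetBIOS session request carries the two encoded names that decode_netbios_name and decode_netbios_name_type operate on. The following script is an added example, not part of the Zeek documentation or distribution: it decodes the called and calling names from netbios_session_request and writes them to a log. It assumes the RFC 1002 section 4.3.2 layout of the request payload (per name: a 0x20 length byte, 32 first-level encoded characters and a 0x00 terminator), the analyzer tag name Analyzer::ANALYZER_NETBIOSSSN, and the module, log and field names it defines itself.

```zeek
# Added example (not part of the Zeek documentation or distribution): decode
# the CALLED and CALLING names in a NetBIOS session request and log them.
# Layout assumed from RFC 1002, section 4.3.2: after the 4-byte session header
# (already stripped from `msg`) come CALLED_NAME and CALLING_NAME, each a
# 34-byte second-level encoded name: a 0x20 length byte, 32 first-level
# encoded characters, and a terminating 0x00 byte.

module NetBIOSNames;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:           time    &log;
        uid:          string  &log;
        id:           conn_id &log;
        called_name:  string  &log &optional;
        called_type:  count   &log &optional;
        calling_name: string  &log &optional;
        calling_type: count   &log &optional;
    };
}

# Return the 32 first-level encoded characters of the name whose length byte
# sits at 1-based offset `start` in `msg`.
function encoded_name_at(msg: string, start: count): string
    {
    return sub_bytes(msg, start + 1, 32);
    }

event zeek_init()
    {
    Log::create_stream(LOG, [$columns=Info, $path="netbios_names"]);
    # Per the Todo above the analyzer is off by default; the tag name
    # Analyzer::ANALYZER_NETBIOSSSN is an assumption of this example.
    Analyzer::register_for_ports(Analyzer::ANALYZER_NETBIOSSSN, set(139/tcp));
    }

event netbios_session_request(c: connection, msg: string)
    {
    # Two 34-byte names are required; anything shorter is malformed.
    if ( |msg| < 68 )
        return;

    local called  = encoded_name_at(msg, 1);
    local calling = encoded_name_at(msg, 35);

    local rec: Info = [$ts=network_time(), $uid=c$uid, $id=c$id];

    # decode_netbios_name() yields "" for an invalid encoding and
    # decode_netbios_name_type() yields 256, so only record values that parsed.
    local called_name = decode_netbios_name(called);
    if ( called_name != "" )
        {
        rec$called_name = called_name;
        rec$called_type = decode_netbios_name_type(called);
        }

    local calling_name = decode_netbios_name(calling);
    if ( calling_name != "" )
        {
        rec$calling_name = calling_name;
        rec$calling_type = decode_netbios_name_type(calling);
        }

    Log::write(LOG, rec);
    }
```

Both functions are handed the full 32 encoded characters: decode_netbios_name returns the first 15 decoded bytes (trailing spaces and nulls removed), which is why the documented example decodes to the 15-character "THE NETBIOS NAM", and decode_netbios_name_type reads the 16th decoded byte, the name type suffix, from the same string.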

base/bif/plugins/Zeek_NTLM.types.bif.zeek

GLOBAL
NTLM
Namespaces

GLOBAL, NTLM

Summary
Detailed Interface

base/bif/plugins/Zeek_NTLM.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

ntlm_authenticate: event

Generated for NTLM messages of type authenticate.

ntlm_challenge: event

Generated for NTLM messages of type challenge.

ntlm_negotiate: event

Generated for NTLM messages of type negotiate.

Detailed Interface
Events
ntlm_authenticate
Type

event (c: connection, request: NTLM::Authenticate)

Generated for NTLM messages of type authenticate.

C

The connection.

Request

The parsed data of the NTLM message. See init-bare for more details.

ntlm_challenge
Type

event (c: connection, challenge: NTLM::Challenge)

Generated for NTLM messages of type challenge.

C

The connection.

Challenge

The parsed data of the NTLM message. See init-bare for more details.

ntlm_negotiate
Type

event (c: connection, negotiate: NTLM::Negotiate)

Generated for NTLM messages of type negotiate.

C

The connection.

Negotiate

The parsed data of the NTLM message. See init-bare for more details.
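
The three NTLM events arrive on the same connection, so a handler can correlate the server name announced in the challenge with the identity claimed in the authenticate message. The script below is an added example, not part of the Zeek documentation or distribution. It assumes the record field names target_name (NTLM::Challenge) and domain_name, user_name and workstation (NTLM::Authenticate) as defined in init-bare, all of which are &optional, and it defines its own module, log and notice names.

```zeek
# Added example (not part of the Zeek documentation or distribution):
# correlate the NTLM challenge and authenticate messages of a connection,
# log the claimed identity, and raise a notice when the authenticate message
# carries no user name (an anonymous logon). The NTLM record field names used
# here are assumed from init-bare; all of them are &optional, hence the ?$ checks.

module NTLMAuth;

export {
    redef enum Notice::Type += { Anonymous_Auth };
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:          time    &log;
        uid:         string  &log;
        id:          conn_id &log;
        target:      string  &log &optional;  # server name from the CHALLENGE
        domain:      string  &log &optional;  # from the AUTHENTICATE
        user:        string  &log &optional;
        workstation: string  &log &optional;
    };
}

# Carry the challenge's target name forward to the authenticate message.
redef record connection += {
    ntlm_target: string &optional;
};

event zeek_init()
    {
    Log::create_stream(LOG, [$columns=Info, $path="ntlm_auth"]);
    }

event ntlm_challenge(c: connection, challenge: NTLM::Challenge)
    {
    if ( challenge?$target_name )
        c$ntlm_target = challenge$target_name;
    }

event ntlm_authenticate(c: connection, request: NTLM::Authenticate)
    {
    local rec: Info = [$ts=network_time(), $uid=c$uid, $id=c$id];

    if ( c?$ntlm_target )
        rec$target = c$ntlm_target;
    if ( request?$domain_name )
        rec$domain = request$domain_name;
    if ( request?$user_name )
        rec$user = request$user_name;
    if ( request?$workstation )
        rec$workstation = request$workstation;

    Log::write(LOG, rec);

    # An AUTHENTICATE message without a user name is an anonymous logon.
    if ( ! request?$user_name || request$user_name == "" )
        NOTICE([$note=Anonymous_Auth, $conn=c,
                $msg=fmt("anonymous NTLM authentication from %s to %s",
                         c$id$orig_h, c$id$resp_h),
                $identifier=cat(c$id$orig_h, c$id$resp_h),
                $suppress_for=1hr]);
    }
```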

base/bif/plugins/Zeek_NTP.types.bif.zeek

GLOBAL
NTP
Namespaces

GLOBAL, NTP

Summary
Detailed Interface

base/bif/plugins/Zeek_NTP.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

ntp_message: event

Generated for all NTP messages.

Detailed Interface
Events
ntp_message
Type

event (c: connection, is_orig: bool, msg: NTP::Message)

Generated for all NTP messages. Unlike many other Zeek events, this one is generated for both client-side and server-side messages.

See Wikipedia for more information about the NTP protocol.

C

The connection record describing the corresponding UDP flow.

Is_orig

True if the message was sent by the originator.

Msg

The parsed NTP message.
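
Because ntp_message fires for both directions, a handler has to use is_orig to decide which side's behaviour it is judging. The script below is an added example, not part of the Zeek documentation or distribution: it inspects only client-originated messages and raises notices for clients that synchronise with a server outside an approved list and for control (mode 6) or private (mode 7) queries, which an ordinary time client never sends. It assumes the NTP::Message fields mode and version as defined in init-bare; the mode numbers are those of the NTP packet header, and the approved-server address is a constructed placeholder.

```zeek
# Added example (not part of the Zeek documentation or distribution):
# policy checks on client-originated NTP messages. The fields msg$mode and
# msg$version are assumed from the NTP::Message record in init-bare.

module NTPPolicy;

export {
    redef enum Notice::Type += { Unapproved_Server, Control_Query };

    # Constructed placeholder: replace with the site's sanctioned time servers.
    const approved_servers: set[addr] = { 192.0.2.123 } &redef;
}

# Mode values from the NTP packet header.
const MODE_CLIENT  = 3;
const MODE_CONTROL = 6;   # ntpq-style control messages
const MODE_PRIVATE = 7;   # ntpdc-style private messages

event ntp_message(c: connection, is_orig: bool, msg: NTP::Message)
    {
    # The event fires for both directions; these checks concern what
    # clients send, so ignore server replies.
    if ( ! is_orig )
        return;

    if ( msg$mode == MODE_CLIENT && c$id$resp_h !in approved_servers )
        NOTICE([$note=Unapproved_Server, $conn=c,
                $msg=fmt("%s synchronises time with unapproved server %s (NTPv%d)",
                         c$id$orig_h, c$id$resp_h, msg$version),
                $identifier=cat(c$id$orig_h, c$id$resp_h),
                $suppress_for=1day]);

    if ( msg$mode == MODE_CONTROL || msg$mode == MODE_PRIVATE )
        NOTICE([$note=Control_Query, $conn=c,
                $msg=fmt("NTP mode %d query from %s to %s",
                         msg$mode, c$id$orig_h, c$id$resp_h),
                $identifier=cat(c$id$orig_h, c$id$resp_h, msg$mode),
                $suppress_for=1hr]);
    }
```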

base/bif/plugins/Zeek_POP3.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

pop3_data: event

Generated for server-side multi-line responses on POP3 connections.

pop3_login_failure: event

Generated for unsuccessful authentications on POP3 connections.

pop3_login_success: event

Generated for successful authentications on POP3 connections.

pop3_reply: event

Generated for server-side replies to commands on POP3 connections.

pop3_request: event

Generated for client-side commands on POP3 connections.

pop3_starttls: event

Generated when a POP3 connection goes encrypted.

pop3_unexpected: event

Generated for errors encountered on POP3 sessions.

Detailed Interface
Events
pop3_data
Type

event (c: connection, is_orig: bool, data: string)

Generated for server-side multi-line responses on POP3 connections. POP3 connections use multi-line responses to send bulk data, such as the actual mails. This event is generated once for each line that’s part of such a response.

See Wikipedia for more information about the POP3 protocol.

C

The connection.

Is_orig

True if the data was sent by the originator of the TCP connection.

Data

The data sent.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pop3_login_failure
Type

event (c: connection, is_orig: bool, user: string, password: string)

Generated for unsuccessful authentications on POP3 connections.

See Wikipedia for more information about the POP3 protocol.

C

The connection.

Is_orig

Always false.

User

The user name attempted for authentication. The event is only generated if a non-empty user name was used.

Password

The password attempted for authentication.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pop3_login_success
Type

event (c: connection, is_orig: bool, user: string, password: string)

Generated for successful authentications on POP3 connections.

See Wikipedia for more information about the POP3 protocol.

C

The connection.

Is_orig

Always false.

User

The user name used for authentication. The event is only generated if a non-empty user name was used.

Password

The password used for authentication.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pop3_reply
Type

event (c: connection, is_orig: bool, cmd: string, msg: string)

Generated for server-side replies to commands on POP3 connections.

See Wikipedia for more information about the POP3 protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Cmd

The success indicator sent by the server. This corresponds to the first token on the line sent, and should be either OK or ERR.

Msg

The textual description the server sent along with cmd.

Todo

This event is receiving odd parameters, should unify.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pop3_request
Type

event (c: connection, is_orig: bool, command: string, arg: string)

Generated for client-side commands on POP3 connections.

See Wikipedia for more information about the POP3 protocol.

C

The connection.

Is_orig

True if the command was sent by the originator of the TCP connection.

Command

The command sent.

Arg

The argument to the command.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pop3_starttls
Type

event (c: connection)

Generated when a POP3 connection goes encrypted. While POP3 is by default a clear-text protocol, extensions exist to switch to encryption. This event is generated if that happens and the analyzer then stops processing the connection.

See Wikipedia for more information about the POP3 protocol.

C

The connection.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pop3_unexpected
Type

event (c: connection, is_orig: bool, msg: string, detail: string)

Generated for errors encountered on POP3 sessions. If the POP3 analyzer finds state transitions that do not conform to the protocol specification, or other situations it can’t handle, it raises this event.

See Wikipedia for more information about the POP3 protocol.

C

The connection.

Is_orig

True if the data was sent by the originator of the TCP connection.

Msg

A textual description of the situation.

Detail

The input that triggered the event.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
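
pop3_login_failure and pop3_login_success together are enough to spot a password-guessing burst against a mailbox and a guess that eventually succeeds. The script below is an added example, not part of the Zeek documentation or distribution. It registers the analyzer on TCP port 110 as the Todo entries above describe (the tag name Analyzer::ANALYZER_POP3 is assumed), keeps a per-client failure counter that expires after a window, and never records the password parameter anywhere; the module, notice names and thresholds are its own.

```zeek
# Added example (not part of the Zeek documentation or distribution): count
# failed POP3 logins per client address and raise a notice on a burst, and on
# a success that follows such a burst. The `password` parameter is deliberately
# never logged or placed in a notice.

module POP3Auth;

export {
    redef enum Notice::Type += { Bruteforce, Success_After_Failures };

    const failure_threshold = 10 &redef;
    const failure_window = 10min &redef;
}

# Failed logins per client address. Entries expire failure_window after they
# were created, which both bounds the table and implements the window.
global failures: table[addr] of count &default=0 &create_expire=failure_window;

event zeek_init()
    {
    # Per the Todo above, the analyzer needs a registered port (or a DPD
    # signature) to run at all; the tag name is an assumption of this example.
    Analyzer::register_for_ports(Analyzer::ANALYZER_POP3, set(110/tcp));
    }

event pop3_login_failure(c: connection, is_orig: bool, user: string, password: string)
    {
    local h = c$id$orig_h;
    failures[h] = failures[h] + 1;

    # Fire once when the threshold is crossed; $suppress_for de-duplicates.
    if ( failures[h] == failure_threshold )
        NOTICE([$note=Bruteforce, $conn=c,
                $msg=fmt("%d failed POP3 logins from %s within %s (last user: %s)",
                         failures[h], h, failure_window, user),
                $identifier=cat(h),
                $suppress_for=failure_window]);
    }

event pop3_login_success(c: connection, is_orig: bool, user: string, password: string)
    {
    local h = c$id$orig_h;

    if ( failures[h] >= failure_threshold )
        NOTICE([$note=Success_After_Failures, $conn=c,
                $msg=fmt("POP3 login as %s from %s succeeded after %d failures",
                         user, h, failures[h]),
                $identifier=cat(h, user)]);

    # A successful login closes the episode for this client.
    if ( h in failures )
        delete failures[h];
    }
```

Note that both events report is_orig as always false (the server's reply is what determines the outcome), so the client address has to be taken from c$id$orig_h rather than from the event's direction flag.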

base/bif/plugins/Zeek_RADIUS.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

radius_attribute: event

Generated for each RADIUS attribute.

radius_message: event

Generated for RADIUS messages.

Detailed Interface
Events
radius_attribute
Type

event (c: connection, attr_type: count, value: string)

Generated for each RADIUS attribute.

See Wikipedia for more information about RADIUS.

C

The connection.

Attr_type

The value of the code field (1 == User-Name, 2 == User-Password, etc.).

Value

The data/value bound to the attribute.

radius_message
Type

event (c: connection, result: RADIUS::Message)

Generated for RADIUS messages.

See Wikipedia for more information about RADIUS.

C

The connection.

Result

A record containing fields parsed from a RADIUS packet.

base/bif/plugins/Zeek_RDP.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

rdp_begin_encryption: event

Generated when an RDP session becomes encrypted.

rdp_client_cluster_data: event

Generated for client cluster data packets.

rdp_client_core_data: event

Generated for MCS client requests.

rdp_client_network_data: event

Generated for Client Network Data (TS_UD_CS_NET) packets.

rdp_client_security_data: event

Generated for client security data packets.

rdp_connect_request: event

Generated for X.224 client requests.

rdp_gcc_server_create_response: event

Generated for MCS server responses.

rdp_native_encrypted_data: event

Generated for each packet after RDP native encryption begins.

rdp_negotiation_failure: event

Generated for RDP Negotiation Failure messages.

rdp_negotiation_response: event

Generated for RDP Negotiation Response messages.

rdp_server_certificate: event

Generated for a server certificate section.

rdp_server_security: event

Generated for MCS server responses.

rdpeudp_data: event

Generated for data messages exchanged after an RDPEUDP connection has been established.

rdpeudp_established: event

Generated when RDPEUDP connections are established (both sides have sent a SYN).

rdpeudp_syn: event

Generated for RDPEUDP SYN UDP datagrams.

rdpeudp_synack: event

Generated for RDPEUDP SYNACK UDP datagrams.

Detailed Interface
Events
rdp_begin_encryption
Type

event (c: connection, security_protocol: count)

Generated when an RDP session becomes encrypted.

C

The connection record for the underlying transport-layer session/flow.

Security_protocol

The security protocol being used for the session.

rdp_client_cluster_data
Type

event (c: connection, data: RDP::ClientClusterData)

Generated for client cluster data packets.

C

The connection record for the underlying transport-layer session/flow.

Data

The data contained in the client cluster data structure.

rdp_client_core_data
Type

event (c: connection, data: RDP::ClientCoreData)

Generated for MCS client requests.

C

The connection record for the underlying transport-layer session/flow.

Data

The data contained in the client core data structure.

rdp_client_network_data
Type

event (c: connection, channels: RDP::ClientChannelList)

Generated for Client Network Data (TS_UD_CS_NET) packets.

C

The connection record for the underlying transport-layer session/flow.

Channels

The channels that were requested.

rdp_client_security_data
Type

event (c: connection, data: RDP::ClientSecurityData)

Generated for client security data packets.

C

The connection record for the underlying transport-layer session/flow.

Data

The data contained in the client security data structure.

rdp_connect_request
Type

event (c: connection, cookie: string, flags: count)

Type

event (c: connection, cookie: string)

Generated for X.224 client requests.

C

The connection record for the underlying transport-layer session/flow.

Cookie

The cookie included in the request.

Flags

The flags set by the client.

rdp_gcc_server_create_response
Type

event (c: connection, result: count)

Generated for MCS server responses.

C

The connection record for the underlying transport-layer session/flow.

Result

The 8-bit integer representing the GCC Conference Create Response result.

rdp_native_encrypted_data
Type

event (c: connection, orig: bool, len: count)

Generated for each packet after RDP native encryption begins.

C

The connection record for the underlying transport-layer session/flow.

Orig

True if the packet was sent by the originator of the connection.

Len

The length of the encrypted data.

rdp_negotiation_failure
Type

event (c: connection, failure_code: count, flags: count)

Type

event (c: connection, failure_code: count)

Generated for RDP Negotiation Failure messages.

C

The connection record for the underlying transport-layer session/flow.

Failure_code

The failure code sent by the server.

Flags

The flags set by the server.

rdp_negotiation_response
Type

event (c: connection, security_protocol: count, flags: count)

Type

event (c: connection, security_protocol: count)

Generated for RDP Negotiation Response messages.

C

The connection record for the underlying transport-layer session/flow.

Security_protocol

The security protocol selected by the server.

Flags

The flags set by the server.

rdp_server_certificate
Type

event (c: connection, cert_type: count, permanently_issued: bool)

Generated for a server certificate section. If multiple X.509 certificates are included in the chain, this event is still generated only once.

C

The connection record for the underlying transport-layer session/flow.

Cert_type

Indicates the type of certificate.

Permanently_issued

True if the certificate(s) are permanent on the server.

rdp_server_security
Type

event (c: connection, encryption_method: count, encryption_level: count)

Generated for MCS server responses.

C

The connection record for the underlying transport-layer session/flow.

Encryption_method

The 32-bit integer representing the encryption method used in the connection.

Encryption_level

The 32-bit integer representing the encryption level used in the connection.

rdpeudp_data
Type

event (c: connection, is_orig: bool, version: count, data: string)

Generated for data messages exchanged after an RDPEUDP connection has been established.

C

The connection record for the underlying transport-layer session/flow.

Is_orig

Whether the data was sent by the originator or responder of the connection.

Version

Whether the connection is RDPEUDP1 or RDPEUDP2.

Data

The payload of the packet. This is probably very non-performant.

rdpeudp_established
Type

event (c: connection, version: count)

Generated when RDPEUDP connections are established (both sides have sent a SYN).

C

The connection record for the underlying transport-layer session/flow.

Version

Whether the connection is RDPEUDP1 or RDPEUDP2.

rdpeudp_syn
Type

event (c: connection)

Generated for RDPEUDP SYN UDP datagrams.

C

The connection record for the underlying transport-layer session/flow.

rdpeudp_synack
Type

event (c: connection)

Generated for RDPEUDP SYNACK UDP datagrams.

C

The connection record for the underlying transport-layer session/flow.
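
The security posture of an RDP session is spread over several of the events above: rdp_negotiation_response tells which security protocol the server selected, and rdp_server_security later reports the encryption method and level, whose meaning depends on that selection. The script below is an added example, not part of the Zeek documentation or distribution: it carries the selected protocol on the connection record and raises notices for sessions that run on standard RDP security rather than TLS or CredSSP, and for such sessions that additionally negotiate no or low encryption. The protocol and level constants are the values MS-RDPBCGR assigns to selectedProtocol and encryptionLevel; they are not taken from this page, and the module and notice names are the example's own.

```zeek
# Added example (not part of the Zeek documentation or distribution):
# correlate the RDP negotiation response with the later server security data.
# Constant values follow MS-RDPBCGR (selectedProtocol, encryptionLevel).

module RDPSecurity;

export {
    redef enum Notice::Type += { Legacy_Security, Weak_Encryption };
}

# selectedProtocol values carried in the RDP Negotiation Response.
const PROTOCOL_RDP       = 0x00;  # standard RDP security, no TLS
const PROTOCOL_SSL       = 0x01;  # TLS
const PROTOCOL_HYBRID    = 0x02;  # CredSSP (network level authentication)
const PROTOCOL_HYBRID_EX = 0x08;  # CredSSP with early user authorisation

# encryptionLevel values from the server security data (TS_UD_SC_SEC1).
const ENCRYPTION_LEVEL_NONE = 0;
const ENCRYPTION_LEVEL_LOW  = 1;  # only client-to-server traffic is encrypted

# Remember what the server selected so rdp_server_security can be interpreted.
redef record connection += {
    rdp_selected_protocol: count &optional;
};

event rdp_negotiation_response(c: connection, security_protocol: count, flags: count)
    {
    c$rdp_selected_protocol = security_protocol;

    if ( security_protocol == PROTOCOL_RDP )
        NOTICE([$note=Legacy_Security, $conn=c,
                $msg=fmt("RDP server %s selected standard RDP security instead of TLS/CredSSP",
                         c$id$resp_h),
                $identifier=cat(c$id$resp_h),
                $suppress_for=1day]);
    }

event rdp_server_security(c: connection, encryption_method: count, encryption_level: count)
    {
    # Without a negotiation response (legacy X.224 connect without the
    # negotiation extension) standard RDP security is in effect.
    local proto = c?$rdp_selected_protocol ? c$rdp_selected_protocol : PROTOCOL_RDP;

    # Under TLS/CredSSP the server reports level NONE because TLS carries the
    # encryption, so the level is only judged when standard RDP security is used.
    if ( proto != PROTOCOL_RDP )
        return;

    if ( encryption_level == ENCRYPTION_LEVEL_NONE || encryption_level == ENCRYPTION_LEVEL_LOW )
        NOTICE([$note=Weak_Encryption, $conn=c,
                $msg=fmt("RDP server %s uses encryption level %d (method 0x%x) under standard RDP security",
                         c$id$resp_h, encryption_level, encryption_method),
                $identifier=cat(c$id$resp_h, encryption_level),
                $suppress_for=1day]);
    }
```

The handler uses the rdp_negotiation_response signature that includes flags; Zeek also accepts handlers for the older two-parameter form listed above.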

base/bif/plugins/Zeek_RDP.types.bif.zeek

GLOBAL
RDP
Namespaces

GLOBAL, RDP

Summary
Detailed Interface

base/bif/plugins/Zeek_RFB.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

rfb_auth_result: event

Generated for RFB authentication result messages.

rfb_authentication_type: event

Generated for RFB authentication mechanism selection messages.

rfb_client_version: event

Generated for RFB client banner messages.

rfb_server_parameters: event

Generated for RFB server parameter messages.

rfb_server_version: event

Generated for RFB server banner messages.

rfb_share_flag: event

Generated for RFB share flag messages.

Detailed Interface
Events
rfb_auth_result
Type

event (c: connection, result: bool)

Generated for RFB authentication result messages.

C

The connection record for the underlying transport-layer session/flow.

Result

Whether or not authentication was successful.

rfb_authentication_type
Type

event (c: connection, authtype: count)

Generated for RFB authentication mechanism selection messages.

C

The connection record for the underlying transport-layer session/flow.

Authtype

The value of the chosen authentication mechanism.

rfb_client_version
Type

event (c: connection, major_version: string, minor_version: string)

Generated for RFB client banner messages.

C

The connection record for the underlying transport-layer session/flow.

Major_version, Minor_version

The major and minor version of the client’s RFB library.

rfb_server_parameters
Type

event (c: connection, name: string, width: count, height: count)

Generated for RFB server parameter messages.

C

The connection record for the underlying transport-layer session/flow.

Name

The name of the shared screen.

Width

The width of the shared screen.

Height

The height of the shared screen.

rfb_server_version
Type

event (c: connection, major_version: string, minor_version: string)

Generated for RFB server banner messages.

C

The connection record for the underlying transport-layer session/flow.

Major_version, Minor_version

The major and minor version of the server’s RFB library.

rfb_share_flag
Type

event (c: connection, flag: bool)

Generated for RFB share flag messages.

C

The connection record for the underlying transport-layer session/flow.

Flag

Whether or not the share flag was set.

base/bif/plugins/Zeek_RPC.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

mount_proc_mnt: event

Generated for MOUNT3 request/reply dialogues of type mnt.

mount_proc_not_implemented: event

Generated for MOUNT3 request/reply dialogues of a type that Zeek’s MOUNTv3 analyzer does not implement.

mount_proc_null: event

Generated for MOUNT3 request/reply dialogues of type null.

mount_proc_umnt: event

Generated for MOUNT3 request/reply dialogues of type umnt.

mount_proc_umnt_all: event

Generated for MOUNT3 request/reply dialogues of type umnt_all.

mount_reply_status: event

Generated for each MOUNT3 reply message received, reporting just the status included.

nfs_proc_create: event

Generated for NFSv3 request/reply dialogues of type create.

nfs_proc_getattr: event

Generated for NFSv3 request/reply dialogues of type getattr.

nfs_proc_link: event

Generated for NFSv3 request/reply dialogues of type link.

nfs_proc_lookup: event

Generated for NFSv3 request/reply dialogues of type lookup.

nfs_proc_mkdir: event

Generated for NFSv3 request/reply dialogues of type mkdir.

nfs_proc_not_implemented: event

Generated for NFSv3 request/reply dialogues of a type that Zeek’s NFSv3 analyzer does not implement.

nfs_proc_null: event

Generated for NFSv3 request/reply dialogues of type null.

nfs_proc_read: event

Generated for NFSv3 request/reply dialogues of type read.

nfs_proc_readdir: event

Generated for NFSv3 request/reply dialogues of type readdir.

nfs_proc_readlink: event

Generated for NFSv3 request/reply dialogues of type readlink.

nfs_proc_remove: event

Generated for NFSv3 request/reply dialogues of type remove.

nfs_proc_rename: event

Generated for NFSv3 request/reply dialogues of type rename.

nfs_proc_rmdir: event

Generated for NFSv3 request/reply dialogues of type rmdir.

nfs_proc_sattr: event

Generated for NFSv3 request/reply dialogues of type sattr.

nfs_proc_symlink: event

Generated for NFSv3 request/reply dialogues of type symlink.

nfs_proc_write: event

Generated for NFSv3 request/reply dialogues of type write.

nfs_reply_status: event

Generated for each NFSv3 reply message received, reporting just the status included.

pm_attempt_callit: event

Generated for failed Portmapper requests of type callit.

pm_attempt_dump: event

Generated for failed Portmapper requests of type dump.

pm_attempt_getport: event

Generated for failed Portmapper requests of type getport.

pm_attempt_null: event

Generated for failed Portmapper requests of type null.

pm_attempt_set: event

Generated for failed Portmapper requests of type set.

pm_attempt_unset: event

Generated for failed Portmapper requests of type unset.

pm_bad_port: event

Generated for Portmapper requests or replies that include an invalid port number.

pm_request_callit: event

Generated for Portmapper request/reply dialogues of type callit.

pm_request_dump: event

Generated for Portmapper request/reply dialogues of type dump.

pm_request_getport: event

Generated for Portmapper request/reply dialogues of type getport.

pm_request_null: event

Generated for Portmapper requests of type null.

pm_request_set: event

Generated for Portmapper request/reply dialogues of type set.

pm_request_unset: event

Generated for Portmapper request/reply dialogues of type unset.

rpc_call: event

Generated for RPC call messages.

rpc_dialogue: event

Generated for RPC request/reply pairs.

rpc_reply: event

Generated for RPC reply messages.

Detailed Interface
Events
mount_proc_mnt
Type

event (c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntargs_t, rep: MOUNT3::mnt_reply_t)

Generated for MOUNT3 request/reply dialogues of type mnt. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out. MOUNT is a service running on top of RPC.

C

The RPC connection.

Info

Reports the status of the dialogue, along with some meta information.

Req

The arguments passed in the request.

Rep

The response returned in the reply. The values may not be valid if the request was unsuccessful.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

mount_proc_not_implemented
Type

event (c: connection, info: MOUNT3::info_t, proc: MOUNT3::proc_t)

Generated for MOUNT3 request/reply dialogues of a type that Zeek’s MOUNTv3 analyzer does not implement.

C

The RPC connection.

Info

Reports the status of the dialogue, along with some meta information.

Proc

The procedure called that Zeek does not implement.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

mount_proc_null
Type

event (c: connection, info: MOUNT3::info_t)

Generated for MOUNT3 request/reply dialogues of type null. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out. MOUNT is a service running on top of RPC.

C

The RPC connection.

Info

Reports the status of the dialogue, along with some meta information.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

mount_proc_umnt
Type

event (c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntargs_t)

Generated for MOUNT3 request/reply dialogues of type umnt. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out. MOUNT is a service running on top of RPC.

C

The RPC connection.

Info

Reports the status of the dialogue, along with some meta information.

Req

The arguments passed in the request.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

mount_proc_umnt_all
Type

event (c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntargs_t)

Generated for MOUNT3 request/reply dialogues of type umnt_all. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out. MOUNT is a service running on top of RPC.

C

The RPC connection.

Info

Reports the status of the dialogue, along with some meta information.

Req

The arguments passed in the request.

See also:

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

mount_reply_status
Type

event (n: connection, info: MOUNT3::info_t)

Generated for each MOUNT3 reply message received, reporting just the status included.

N

The connection.

Info

Reports the status included in the reply.

See also:

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_create
Type

event (c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t)

Generated for NFSv3 request/reply dialogues of type create. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C

The RPC connection.

Info

Reports the status of the dialogue, along with some meta information.

Req

TODO.

Rep

The response returned in the reply. The values may not be valid if the request was unsuccessful.

See also:

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_getattr
Type

event (c: connection, info: NFS3::info_t, fh: string, attrs: NFS3::fattr_t)

Generated for NFSv3 request/reply dialogues of type getattr. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C

The RPC connection.

Info

Reports the status of the dialogue, along with some meta information.

Fh

TODO.

Attrs

The attributes returned in the reply. The values may not be valid if the request was unsuccessful.

See also:

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_link
Type

event (c: connection, info: NFS3::info_t, req: NFS3::linkargs_t, rep: NFS3::link_reply_t)

Generated for NFSv3 request/reply dialogues of type link. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C

The RPC connection.

Info

Reports the status of the dialogue, along with some meta information.

Req

The arguments passed in the request.

Rep

The response returned in the reply. The values may not be valid if the request was unsuccessful.

See also:

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_lookup
Type

event (c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::lookup_reply_t)

Generated for NFSv3 request/reply dialogues of type lookup. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C

The RPC connection.

Info

Reports the status of the dialogue, along with some meta information.

Req

The arguments passed in the request.

Rep

The response returned in the reply. The values may not be valid if the request was unsuccessful.

See also:

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_mkdir
Type

event (c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t)

Generated for NFSv3 request/reply dialogues of type mkdir. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C

The RPC connection.

Info

Reports the status of the dialogue, along with some meta information.

Req

TODO.

Rep

The response returned in the reply. The values may not be valid if the request was unsuccessful.

See also:

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_not_implemented
Type

event (c: connection, info: NFS3::info_t, proc: NFS3::proc_t)

Generated for NFSv3 request/reply dialogues of a type that Zeek’s NFSv3 analyzer does not implement.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C

The RPC connection.

Info

Reports the status of the dialogue, along with some meta information.

Proc

The procedure called that Zeek does not implement.

See also:

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_null
Type

event (c: connection, info: NFS3::info_t)

Generated for NFSv3 request/reply dialogues of type null. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C

The RPC connection.

Info

Reports the status of the dialogue, along with some meta information.

See also:

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_read
Type

event (c: connection, info: NFS3::info_t, req: NFS3::readargs_t, rep: NFS3::read_reply_t)

Generated for NFSv3 request/reply dialogues of type read. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C

The RPC connection.

Info

Reports the status of the dialogue, along with some meta information.

Req

The arguments passed in the request.

Rep

The response returned in the reply. The values may not be valid if the request was unsuccessful.

See also:

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_readdir
Type

event (c: connection, info: NFS3::info_t, req: NFS3::readdirargs_t, rep: NFS3::readdir_reply_t)

Generated for NFSv3 request/reply dialogues of type readdir. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C

The RPC connection.

Info

Reports the status of the dialogue, along with some meta information.

Req

TODO.

Rep

The response returned in the reply. The values may not be valid if the request was unsuccessful.

See also:

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_readlink
Type

event (c: connection, info: NFS3::info_t, fh: string, rep: NFS3::readlink_reply_t)

Generated for NFSv3 request/reply dialogues of type readlink. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C

The RPC connection.

Info

Reports the status of the dialogue, along with some meta information.

Fh

The file handle passed in the request.

Rep

The response returned in the reply. The values may not be valid if the request was unsuccessful.

See also:

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_remove
Type

event (c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t)

Generated for NFSv3 request/reply dialogues of type remove. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C

The RPC connection.

Info

Reports the status of the dialogue, along with some meta information.

Req

TODO.

Rep

The response returned in the reply. The values may not be valid if the request was unsuccessful.

See also:

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_rename
Type

event (c: connection, info: NFS3::info_t, req: NFS3::renameopargs_t, rep: NFS3::renameobj_reply_t)

Generated for NFSv3 request/reply dialogues of type rename. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C

The RPC connection.

Info

Reports the status of the dialogue, along with some meta information.

Req

TODO.

Rep

The response returned in the reply. The values may not be valid if the request was unsuccessful.

See also:

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_rmdir
Type

event (c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t)

Generated for NFSv3 request/reply dialogues of type rmdir. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C

The RPC connection.

Info

Reports the status of the dialogue, along with some meta information.

Req

TODO.

Rep

The response returned in the reply. The values may not be valid if the request was unsuccessful.

See also:

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_sattr
Type

event (c: connection, info: NFS3::info_t, req: NFS3::sattrargs_t, rep: NFS3::sattr_reply_t)

Generated for NFSv3 request/reply dialogues of type sattr. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C

The RPC connection.

Info

Reports the status of the dialogue, along with some meta information.

Req

The arguments passed in the request.

Rep

The attributes returned in the reply. The values may not be valid if the request was unsuccessful.

See also:

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_symlink
Type

event (c: connection, info: NFS3::info_t, req: NFS3::symlinkargs_t, rep: NFS3::newobj_reply_t)

Generated for NFSv3 request/reply dialogues of type symlink. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C

The RPC connection.

Info

Reports the status of the dialogue, along with some meta information.

Req

The arguments passed in the request.

Rep

The attributes returned in the reply. The values may not be valid if the request was unsuccessful.

See also:

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_proc_write
Type

event (c: connection, info: NFS3::info_t, req: NFS3::writeargs_t, rep: NFS3::write_reply_t)

Generated for NFSv3 request/reply dialogues of type write. The event is generated once we have either seen both the request and its corresponding reply, or an unanswered request has timed out.

NFS is a service running on top of RPC. See Wikipedia for more information about the service.

C

The RPC connection.

Info

Reports the status of the dialogue, along with some meta information.

Req

TODO.

Rep

The response returned in the reply. The values may not be valid if the request was unsuccessful.

See also:

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

nfs_reply_status
Type

event (n: connection, info: NFS3::info_t)

Generated for each NFSv3 reply message received, reporting just the status included.

N

The connection.

Info

Reports the status included in the reply.

See also:

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
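As an added example (not part of Zeek's own scripts or documentation), the following handler script shows how the nfs_proc_* events above are consumed in practice: it enables the NFS analyzer on its standard port and counts successful REMOVE and RMDIR dialogues per client, raising a notice when one client deletes many objects in a short window. The module name NFSWatch, the threshold, the port 2049 and the analyzer tag Analyzer::ANALYZER_NFS are assumptions, as are the record fields info$nfs_stat, info$rpc_uid and req$fname and the enum value NFS3::NFS3ERR_OK, which are defined in Zeek's init-bare.zeek rather than on this page. It honours the caveat stated for every reply type here: reply values are only meaningful when the dialogue succeeded, so failed dialogues are not counted.

```zeek
##! Added example, not part of Zeek's own scripts: account for NFSv3
##! deletions per client and raise a notice on a burst of successful REMOVE
##! and RMDIR calls, which can indicate mass deletion over a share.

module NFSWatch;

export {
	redef enum Notice::Type += {
		## One client removed many files or directories in a short window.
		Deletion_Burst,
	};

	## Successful removals per client within the window before a notice.
	const deletion_threshold = 50 &redef;
	## Length of the window over which removals are counted.
	const deletion_window = 5min &redef;
}

# Successful removals per client address; entries expire with the window.
global removals: table[addr] of count &create_expire=deletion_window;

event zeek_init()
	{
	# Assumption: NFS runs on its standard port 2049, and the NFS analyzer
	# tag follows Zeek's Analyzer::ANALYZER_<NAME> convention.
	Analyzer::register_for_ports(Analyzer::ANALYZER_NFS, set(2049/tcp, 2049/udp));
	}

function note_removal(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, kind: string)
	{
	# Assumption: info$nfs_stat, info$rpc_uid, req$fname and the enum value
	# NFS3::NFS3ERR_OK are as defined in Zeek's init-bare.zeek (not shown on
	# this page). Reply values are only meaningful on success, so a failed
	# dialogue is not counted as a removal.
	if ( info$nfs_stat != NFS3::NFS3ERR_OK )
		return;

	local client = c$id$orig_h;
	if ( client !in removals )
		removals[client] = 0;
	++removals[client];

	# Raise once per window, when the count first reaches the threshold.
	if ( removals[client] == deletion_threshold )
		NOTICE([$note=Deletion_Burst, $conn=c,
		        $msg=fmt("%s removed %d objects within %s (last: %s %s as uid %d)",
		                 client, deletion_threshold, deletion_window,
		                 kind, req$fname, info$rpc_uid)]);
	}

event nfs_proc_remove(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t)
	{
	note_removal(c, info, req, "REMOVE");
	}

event nfs_proc_rmdir(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t)
	{
	note_removal(c, info, req, "RMDIR");
	}
```

Run it as `zeek -r capture.pcap nfswatch.zeek` (assumed file names) to see Deletion_Burst entries in notice.log; the threshold and window can be tuned with `redef` without editing the script.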

pm_attempt_callit
Type

event (r: connection, status: rpc_status, call: pm_callit_request)

Generated for failed Portmapper requests of type callit.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R

The RPC connection.

Status

The status of the reply, which should be one of the index values of RPC_status.

Call

The argument to the original request.

See also:

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_attempt_dump
Type

event (r: connection, status: rpc_status)

Generated for failed Portmapper requests of type dump.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R

The RPC connection.

Status

The status of the reply, which should be one of the index values of RPC_status.

See also:

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_attempt_getport
Type

event (r: connection, status: rpc_status, pr: pm_port_request)

Generated for failed Portmapper requests of type getport.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R

The RPC connection.

Status

The status of the reply, which should be one of the index values of RPC_status.

Pr

The argument to the original request.

See also:

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_attempt_null
Type

event (r: connection, status: rpc_status)

Generated for failed Portmapper requests of type null.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R

The RPC connection.

Status

The status of the reply, which should be one of the index values of RPC_status.

See also:

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_attempt_set
Type

event (r: connection, status: rpc_status, m: pm_mapping)

Generated for failed Portmapper requests of type set.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R

The RPC connection.

Status

The status of the reply, which should be one of the index values of RPC_status.

M

The argument to the original request.

See also:

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_attempt_unset
Type

event (r: connection, status: rpc_status, m: pm_mapping)

Generated for failed Portmapper requests of type unset.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R

The RPC connection.

Status

The status of the reply, which should be one of the index values of RPC_status.

M

The argument to the original request.

See also:

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_bad_port
Type

event (r: connection, bad_p: count)

Generated for Portmapper requests or replies that include an invalid port number. Since ports are represented by unsigned 4-byte integers, they can stray outside the allowed range of 0–65535 by being >= 65536. If so, this event is generated.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R

The RPC connection.

Bad_p

The invalid port value.

See also:

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_request_callit
Type

event (r: connection, call: pm_callit_request, p: port)

Generated for Portmapper request/reply dialogues of type callit.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R

The RPC connection.

Call

The argument to the request.

P

The port value returned by the call.

See also:

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_request_dump
Type

event (r: connection, m: pm_mappings)

Generated for Portmapper request/reply dialogues of type dump.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R

The RPC connection.

M

The mappings returned by the server.

See also:

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_request_getport
Type

event (r: connection, pr: pm_port_request, p: port)

Generated for Portmapper request/reply dialogues of type getport.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R

The RPC connection.

Pr

The argument to the request.

P

The port returned by the server.

See also:

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_request_null
Type

event (r: connection)

Generated for Portmapper requests of type null.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R

The RPC connection.

See also:

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_request_set
Type

event (r: connection, m: pm_mapping, success: bool)

Generated for Portmapper request/reply dialogues of type set.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R

The RPC connection.

M

The argument to the request.

Success

True if the request was successful, according to the corresponding reply. If no reply was seen, this will be false once the request times out.

See also:

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

pm_request_unset
Type

event (r: connection, m: pm_mapping, success: bool)

Generated for Portmapper request/reply dialogues of type unset.

Portmapper is a service running on top of RPC. See Wikipedia for more information about the service.

R

The RPC connection.

M

The argument to the request.

Success

True if the request was successful, according to the corresponding reply. If no reply was seen, this will be false once the request times out.

See also:

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
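As an added example (not from Zeek's own scripts or documentation), this handler script uses the Portmapper events above for three defender tasks: it reports pm_bad_port values, records mapping changes seen through pm_request_set and pm_request_unset, and, on a successful pm_request_getport, pre-attaches the NFS or MOUNT analyzer to the connection the client will open on the returned port, which is one way to act on the "register a port" note above when the service does not use a fixed port. Assumptions: the module name PortmapperWatch, port 111, the analyzer tags Analyzer::ANALYZER_PORTMAPPER, ANALYZER_NFS and ANALYZER_MOUNT, the field pr$program of pm_port_request (defined in Zeek's init-bare.zeek, not on this page), and the ONC RPC program numbers 100003 (NFS) and 100005 (MOUNT) from the RPC program registry.

```zeek
##! Added example, not part of Zeek's own scripts: watch Portmapper for
##! out-of-range ports and mapping changes, and hand ports resolved through
##! GETPORT to the right analyzer so the follow-on traffic is parsed too.

module PortmapperWatch;

export {
	redef enum Notice::Type += {
		## A Portmapper message carried a port value above 65535.
		Bad_Port,
		## A client registered or removed an RPC program mapping.
		Mapping_Changed,
	};

	## ONC RPC program numbers (assumed from the RPC program registry).
	const PROG_NFS = 100003;
	const PROG_MOUNT = 100005;
}

event zeek_init()
	{
	# Assumption: Portmapper listens on its standard port 111.
	Analyzer::register_for_ports(Analyzer::ANALYZER_PORTMAPPER, set(111/tcp, 111/udp));
	}

event pm_bad_port(r: connection, bad_p: count)
	{
	# Ports travel as 32-bit integers on the wire; anything >= 65536 cannot
	# be a real port and is worth a look.
	NOTICE([$note=Bad_Port, $conn=r,
	        $msg=fmt("Portmapper port value %d is outside 0-65535", bad_p)]);
	}

event pm_request_set(r: connection, m: pm_mapping, success: bool)
	{
	# success is false when the reply said so or when no reply arrived.
	NOTICE([$note=Mapping_Changed, $conn=r,
	        $msg=fmt("SET %s success=%s", m, success)]);
	}

event pm_request_unset(r: connection, m: pm_mapping, success: bool)
	{
	NOTICE([$note=Mapping_Changed, $conn=r,
	        $msg=fmt("UNSET %s success=%s", m, success)]);
	}

event pm_request_getport(r: connection, pr: pm_port_request, p: port)
	{
	# A returned port of 0 means the program is not registered.
	if ( port_to_count(p) == 0 )
		return;

	# Assumption: pm_port_request carries the requested program number in a
	# field named program (Zeek's init-bare.zeek; not shown on this page).
	local tag: Analyzer::Tag;
	if ( pr$program == PROG_NFS )
		tag = Analyzer::ANALYZER_NFS;
	else if ( pr$program == PROG_MOUNT )
		tag = Analyzer::ANALYZER_MOUNT;
	else
		return;

	# Pre-attach the analyzer to the connection the client is about to open
	# to the resolved port, so NFS/MOUNT on a dynamic port is still parsed.
	Analyzer::schedule_analyzer(r$id$orig_h, r$id$resp_h, p, tag, 1min);
	}
```

The mapping-change notices are the most useful of the three for an operator: a new RPC program appearing on a host that previously exported only NFS is a change worth explaining.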

rpc_call
Type

event (c: connection, xid: count, prog: count, ver: count, proc: count, call_len: count)

Generated for RPC call messages.

See Wikipedia for more information about the ONC RPC protocol.

C

The connection.

Xid

The transaction identifier used to match requests with replies.

Prog

The remote program to call.

Ver

The version of the remote program to call.

Proc

The procedure of the remote program to call.

Call_len

The size of the call_body PDU.

See also:

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

rpc_dialogue
Type

event (c: connection, prog: count, ver: count, proc: count, status: rpc_status, start_time: time, call_len: count, reply_len: count)

Generated for RPC request/reply pairs. The RPC analyzer associates request and reply by their transaction identifiers and raises this event once both have been seen. If there is no reply, this event will still be generated eventually on timeout. In that case, status will be set to RPC_TIMEOUT.

See Wikipedia for more information about the ONC RPC protocol.

C

The connection.

Prog

The remote program to call.

Ver

The version of the remote program to call.

Proc

The procedure of the remote program to call.

Status

The status of the reply, which should be one of the index values of RPC_status.

Start_time

The time when the call was seen.

Call_len

The size of the call_body PDU.

Reply_len

The size of the reply_body PDU.

See also:

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

rpc_reply
Type

event (c: connection, xid: count, status: rpc_status, reply_len: count)

Generated for RPC reply messages.

See Wikipedia for more information about the ONC RPC protocol.

C

The connection.

Xid

The transaction identifier used to match requests with replies.

Status

The status of the reply, which should be one of the index values of RPC_status.

Reply_len

The size of the reply_body PDU.

See also:

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
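As an added example (not part of Zeek's own scripts or documentation), the script below shows the relationship between the three RPC events above: it enables the Portmapper and NFS analyzers on their well-known ports, matches each rpc_reply to its rpc_call by connection and transaction id to compute a round-trip time, and uses rpc_dialogue to raise a notice for calls whose status is RPC_TIMEOUT. The module name RPCWatch, the ports 111 and 2049, and the analyzer tags Analyzer::ANALYZER_PORTMAPPER and Analyzer::ANALYZER_NFS are assumptions; RPC_TIMEOUT, Analyzer::register_for_ports and the event signatures are from the text above.

```zeek
##! Added example, not part of Zeek's own scripts: correlate RPC calls and
##! replies by transaction id and report calls the analyzer timed out.

module RPCWatch;

export {
	redef enum Notice::Type += {
		## An RPC call for which no reply was seen before the timeout.
		Unanswered_Call,
	};
}

# Calls awaiting a reply, keyed by connection UID and xid; the value is the
# time the call was seen so a round-trip time can be computed on reply.
global pending: table[string, count] of time &create_expire=5min;

event zeek_init()
	{
	# Assumption: the RPC traffic of interest runs on the well-known ports
	# 111 (Portmapper) and 2049 (NFS); the analyzer tags follow Zeek's
	# Analyzer::ANALYZER_<NAME> convention. Either call is enough to make
	# the rpc_* events fire, since both analyzers sit on the RPC analyzer.
	Analyzer::register_for_ports(Analyzer::ANALYZER_PORTMAPPER, set(111/tcp, 111/udp));
	Analyzer::register_for_ports(Analyzer::ANALYZER_NFS, set(2049/tcp, 2049/udp));
	}

event rpc_call(c: connection, xid: count, prog: count, ver: count, proc: count, call_len: count)
	{
	pending[c$uid, xid] = network_time();
	}

event rpc_reply(c: connection, xid: count, status: rpc_status, reply_len: count)
	{
	if ( [c$uid, xid] !in pending )
		{
		# A reply whose call was never seen: asymmetric capture, or a
		# reply that arrived without a matching request.
		print fmt("%s reply without call xid=%d status=%s", c$uid, xid, status);
		return;
		}

	local rtt = network_time() - pending[c$uid, xid];
	delete pending[c$uid, xid];
	print fmt("%s xid=%d status=%s rtt=%s reply_len=%d", c$uid, xid, status, rtt, reply_len);
	}

event rpc_dialogue(c: connection, prog: count, ver: count, proc: count, status: rpc_status, start_time: time, call_len: count, reply_len: count)
	{
	# Raised once per dialogue; RPC_TIMEOUT means no reply was seen before
	# the analyzer gave up waiting, so start_time is the call time.
	if ( status == RPC_TIMEOUT )
		NOTICE([$note=Unanswered_Call, $conn=c,
		        $msg=fmt("RPC prog=%d ver=%d proc=%d called at %s was never answered",
		                 prog, ver, proc, strftime("%Y-%m-%dT%H:%M:%S", start_time))]);
	}
```

The "reply without call" branch is the check a practitioner wants: on a sensor that only sees one direction of a link, every reply lands there, which is a capture-placement problem rather than a protocol one.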

base/bif/plugins/Zeek_SIP.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

sip_all_headers: event

Generated once for all SIP headers from the originator or responder.

sip_begin_entity: event

Generated at the beginning of a SIP message.

sip_end_entity: event

Generated at the end of a SIP message.

sip_header: event

Generated for each SIP header.

sip_reply: event

Generated for SIP replies, used in Voice over IP (VoIP).

sip_request: event

Generated for SIP requests, used in Voice over IP (VoIP).

Detailed Interface
Events
sip_all_headers
Type

event (c: connection, is_orig: bool, hlist: mime_header_list)

Generated once for all SIP headers from the originator or responder.

See Wikipedia for more information about the SIP protocol.

C

The connection.

Is_orig

Whether the headers came from the originator.

Hlist

All the headers, and their values.

See also:

sip_begin_entity
Type

event (c: connection, is_orig: bool)

Generated at the beginning of a SIP message.

This event is generated as soon as a message’s initial line has been parsed.

See Wikipedia for more information about the SIP protocol.

C

The connection.

Is_orig

Whether the message came from the originator.

See also:

sip_end_entity
Type

event (c: connection, is_orig: bool)

Generated at the end of a SIP message.

See Wikipedia for more information about the SIP protocol.

C

The connection.

Is_orig

Whether the message came from the originator.

See also:

sip_header
Type

event (c: connection, is_orig: bool, name: string, value: string)

Generated for each SIP header.

See Wikipedia for more information about the SIP protocol.

C

The connection.

Is_orig

Whether the header came from the originator.

Name

Header name.

Value

Header value.

See also:

sip_reply
Type

event (c: connection, version: string, code: count, reason: string)

Generated for SIP replies, used in Voice over IP (VoIP).

This event is generated as soon as a reply’s initial line has been parsed.

See Wikipedia for more information about the SIP protocol.

C

The connection.

Version

The SIP version in use.

Code

The response code.

Reason

Textual details for the response code.

See also:

sip_request
Type

event (c: connection, method: string, original_URI: string, version: string)

Generated for SIP requests, used in Voice over IP (VoIP).

This event is generated as soon as a request’s initial line has been parsed.

See Wikipedia for more information about the SIP protocol.

C

The connection.

Method

The SIP method extracted from the request (e.g., REGISTER, NOTIFY).

Original_URI

The unprocessed URI as specified in the request.

Version

The version number specified in the request (e.g., 2.0).

See also:
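As an added example (not from Zeek's own scripts or documentation), this script ties the SIP events above together in the order they fire for one request: sip_request supplies the request line, sip_header the From and User-Agent headers, and sip_end_entity marks the point at which the assembled message can be reported. It stores the in-progress request on the connection record. The module name SIPWatch, the record type Request and the added connection field sip_req are assumptions; the event signatures and the meaning of is_orig are from the text above.

```zeek
##! Added example, not part of Zeek's own scripts: assemble each SIP
##! request from the events that describe it (request line, headers, end
##! of message) and report it once the message is complete.

module SIPWatch;

export {
	## Per-message state collected while a SIP request is being parsed.
	type Request: record {
		method: string;
		uri: string;
		version: string;
		from_hdr: string &optional;
		user_agent: string &optional;
	};
}

# Attach the in-progress request to the connection; it is removed again at
# sip_end_entity so a connection carrying several messages is handled.
redef record connection += {
	sip_req: SIPWatch::Request &optional;
};

event sip_request(c: connection, method: string, original_URI: string, version: string)
	{
	# The request line is parsed first, so this starts a fresh record.
	c$sip_req = Request($method=method, $uri=original_URI, $version=version);
	}

event sip_header(c: connection, is_orig: bool, name: string, value: string)
	{
	# Only headers from the originator belong to the pending request;
	# header names are case-insensitive in SIP, so compare in lower case.
	if ( ! is_orig || ! c?$sip_req )
		return;

	local n = to_lower(name);
	if ( n == "from" )
		c$sip_req$from_hdr = value;
	else if ( n == "user-agent" )
		c$sip_req$user_agent = value;
	}

event sip_end_entity(c: connection, is_orig: bool)
	{
	if ( ! is_orig || ! c?$sip_req )
		return;

	local r = c$sip_req;
	print fmt("%s -> %s SIP/%s %s %s from=%s ua=%s",
	          c$id$orig_h, c$id$resp_h, r$version, r$method, r$uri,
	          r?$from_hdr ? r$from_hdr : "-",
	          r?$user_agent ? r$user_agent : "-");
	delete c$sip_req;
	}
```

Because the SIP analyzer runs by default, no analyzer registration is needed here; the same pattern (start state on the initial line, fill it from headers, flush at end of entity) is how the per-message state in Zeek's own sip.log is built.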

base/bif/plugins/Zeek_SMB.smb1_com_check_directory.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

smb1_check_directory_request: event

Generated for SMB/CIFS version 1 requests of type check directory.

smb1_check_directory_response: event

Generated for SMB/CIFS version 1 responses of type check directory.

Detailed Interface
Events
smb1_check_directory_request
Type

event (c: connection, hdr: SMB1::Header, directory_name: string)

Generated for SMB/CIFS version 1 requests of type check directory. This is used by the client to verify that a specified path resolves to a valid directory on the server.

For more information, see MS-CIFS:2.2.4.17

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

Directory_name

The directory name to check for existence.

See also:

smb1_check_directory_response
Type

event (c: connection, hdr: SMB1::Header)

Generated for SMB/CIFS version 1 responses of type check directory. This is the server response to the check directory request.

For more information, see MS-CIFS:2.2.4.17

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

See also:

base/bif/plugins/Zeek_SMB.smb1_com_close.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

smb1_close_request: event

Generated for SMB/CIFS version 1 requests of type close.

Detailed Interface
Events
smb1_close_request
Type

event (c: connection, hdr: SMB1::Header, file_id: count)

Generated for SMB/CIFS version 1 requests of type close. This is used by the client to close an instance of an object associated with a valid file ID.

For more information, see MS-CIFS:2.2.4.5

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

File_id

The file identifier being closed.

See also:

base/bif/plugins/Zeek_SMB.smb1_com_create_directory.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

smb1_create_directory_request: event

Generated for SMB/CIFS version 1 requests of type create directory.

smb1_create_directory_response: event

Generated for SMB/CIFS version 1 responses of type create directory.

Detailed Interface
Events
smb1_create_directory_request
Type

event (c: connection, hdr: SMB1::Header, directory_name: string)

Generated for SMB/CIFS version 1 requests of type create directory. This is a deprecated command which has been replaced by the trans2_create_directory subcommand. This is used by the client to create a new directory on the server, relative to a connected share.

For more information, see MS-CIFS:2.2.4.1

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

Directory_name

The name of the directory to create.

See also:

smb1_create_directory_response
Type

event (c: connection, hdr: SMB1::Header)

Generated for SMB/CIFS version 1 responses of type create directory. This is a deprecated command which has been replaced by the trans2_create_directory subcommand. This is the server response to the create directory request.

For more information, see MS-CIFS:2.2.4.1

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

See also:

base/bif/plugins/Zeek_SMB.smb1_com_echo.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

smb1_echo_request: event

Generated for SMB/CIFS version 1 requests of type echo.

smb1_echo_response: event

Generated for SMB/CIFS version 1 responses of type echo.

Detailed Interface
Events
smb1_echo_request
Type

event (c: connection, echo_count: count, data: string)

Generated for SMB/CIFS version 1 requests of type echo. This is sent by the client to test the transport layer connection with the server.

For more information, see MS-CIFS:2.2.4.39

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

Echo_count

The number of times the server should echo the data back.

Data

The data for the server to echo.

See also:

smb1_echo_response
Type

event (c: connection, seq_num: count, data: string)

Generated for SMB/CIFS version 1 responses of type echo. This is the server response to the echo request.

For more information, see MS-CIFS:2.2.4.39

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

Seq_num

The sequence number of this echo reply.

Data

The client's data, echoed back by the server.

See also:

base/bif/plugins/Zeek_SMB.smb1_com_logoff_andx.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

smb1_logoff_andx: event

Generated for SMB/CIFS version 1 requests of type logoff andx.

Detailed Interface
Events
smb1_logoff_andx
Type

event (c: connection, is_orig: bool)

Generated for SMB/CIFS version 1 requests of type logoff andx. This is used by the client to logoff the user connection represented by UID in the SMB Header. The server releases all locks and closes all files currently open by this user, disconnects all tree connects, cancels any outstanding requests for this UID, and invalidates the UID.

For more information, see MS-CIFS:2.2.4.54

C

The connection.

Is_orig

Indicates which host sent the logoff message.

See also:

base/bif/plugins/Zeek_SMB.smb1_com_negotiate.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

smb1_negotiate_request: event

Generated for SMB/CIFS version 1 requests of type negotiate.

smb1_negotiate_response: event

Generated for SMB/CIFS version 1 responses of type negotiate.

Detailed Interface
Events
smb1_negotiate_request
Type

event (c: connection, hdr: SMB1::Header, dialects: string_vec)

Generated for SMB/CIFS version 1 requests of type negotiate. This is sent by the client to initiate an SMB connection between the client and the server. A negotiate exchange MUST be completed before any other SMB messages are sent to the server.

For more information, see MS-CIFS:2.2.4.52

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

Dialects

The SMB dialects supported by the client.

See also:

smb1_negotiate_response
Type

event (c: connection, hdr: SMB1::Header, response: SMB1::NegotiateResponse)

Generated for SMB/CIFS version 1 responses of type negotiate. This is the server response to the negotiate request.

For more information, see MS-CIFS:2.2.4.52

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

Response

A record structure containing more information from the response.

See also:
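
The two negotiate events above fire as a request/response pair, which makes them a convenient place to inventory hosts that still speak SMB1. The handler below is an added example, not part of the Zeek distribution or of this reference: it remembers the dialects the client offered (keyed by the connection UID) and raises a notice when the server's SMB1 negotiate response arrives. The module name, the notice type name and the expiry interval are arbitrary choices; `join_string_vec` and the Notice framework fields used are standard Zeek.

```zeek
@load base/frameworks/notice

module SMB1Inventory;

export {
    redef enum Notice::Type += {
        ## An SMB1 negotiate exchange completed on this connection.
        SMB1_Negotiated,
    };
}

# Dialects offered by the client, keyed by connection UID. The entry is kept
# until the SMB1 response arrives or it expires (a server that answers an
# SMB1 negotiate with SMB2 never triggers smb1_negotiate_response).
global offered: table[string] of string_vec &create_expire=5min;

event smb1_negotiate_request(c: connection, hdr: SMB1::Header, dialects: string_vec)
    {
    offered[c$uid] = dialects;
    }

event smb1_negotiate_response(c: connection, hdr: SMB1::Header, response: SMB1::NegotiateResponse)
    {
    local dialects = c$uid in offered ? join_string_vec(offered[c$uid], ",") : "<request not seen>";
    delete offered[c$uid];

    NOTICE([$note=SMB1_Negotiated,
            $conn=c,
            $msg=fmt("SMB1 negotiated between %s and %s (header status 0x%x)",
                     c$id$orig_h, c$id$resp_h, hdr$status),
            $sub=dialects,
            # One notice per client/server pair per day is enough for an inventory.
            $identifier=cat(c$id$orig_h, c$id$resp_h),
            $suppress_for=1day]);
    }
```

A client that lists an SMB2 dialect (such as "SMB 2.???") in its SMB1 negotiate may be answered with an SMB2 negotiate response instead; in that case only the SMB2 events fire and the stored entry simply expires, so the notice correctly reports only connections that actually settled on SMB1.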

base/bif/plugins/Zeek_SMB.smb1_com_nt_create_andx.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

smb1_nt_create_andx_request: event

Generated for SMB/CIFS version 1 requests of type nt create andx.

smb1_nt_create_andx_response: event

Generated for SMB/CIFS version 1 responses of type nt create andx.

Detailed Interface
Events
smb1_nt_create_andx_request
Type

event (c: connection, hdr: SMB1::Header, file_name: string)

Generated for SMB/CIFS version 1 requests of type nt create andx. This is sent by the client to create and open a new file, or to open an existing file, or to open and truncate an existing file to zero length, or to create a directory, or to create a connection to a named pipe.

For more information, see MS-CIFS:2.2.4.64

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

File_name

The name attribute specified in the message.

See also:

smb1_nt_create_andx_response
Type

event (c: connection, hdr: SMB1::Header, file_id: count, file_size: count, times: SMB::MACTimes)

Generated for SMB/CIFS version 1 responses of type nt create andx. This is the server response to the nt create andx request.

For more information, see MS-CIFS:2.2.4.64

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

File_id

The SMB2 GUID for the file.

File_size

Size of the file.

Times

Timestamps associated with the file in question.

See also:

base/bif/plugins/Zeek_SMB.smb1_com_nt_cancel.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

smb1_nt_cancel_request: event

Generated for SMB/CIFS version 1 requests of type nt cancel.

Detailed Interface
Events
smb1_nt_cancel_request
Type

event (c: connection, hdr: SMB1::Header)

Generated for SMB/CIFS version 1 requests of type nt cancel. This is sent by the client to request that a currently pending request be cancelled.

For more information, see MS-CIFS:2.2.4.65

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

See also:

base/bif/plugins/Zeek_SMB.smb1_com_query_information.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

smb1_query_information_request: event

Generated for SMB/CIFS version 1 requests of type query information.

Detailed Interface
Events
smb1_query_information_request
Type

event (c: connection, hdr: SMB1::Header, filename: string)

Generated for SMB/CIFS version 1 requests of type query information. This is a deprecated command which has been replaced by the trans2_query_path_information subcommand. This is used by the client to obtain attribute information about a file.

For more information, see MS-CIFS:2.2.4.9

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

Filename

The filename that the client is querying.

See also:

base/bif/plugins/Zeek_SMB.smb1_com_read_andx.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

smb1_read_andx_request: event

Generated for SMB/CIFS version 1 requests of type read andx.

smb1_read_andx_response: event

Generated for SMB/CIFS version 1 responses of type read andx.

Detailed Interface
Events
smb1_read_andx_request
Type

event (c: connection, hdr: SMB1::Header, file_id: count, offset: count, length: count)

Generated for SMB/CIFS version 1 requests of type read andx. This is sent by the client to read bytes from a regular file, a named pipe, or a directly accessible device such as a serial port (COM) or printer port (LPT).

For more information, see MS-CIFS:2.2.4.42

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

File_id

The file identifier being read from.

Offset

The byte offset the requested read begins at.

Length

The number of bytes being requested.

See also:

smb1_read_andx_response
Type

event (c: connection, hdr: SMB1::Header, data_len: count)

Generated for SMB/CIFS version 1 responses of type read andx. This is the server response to the read andx request.

For more information, see MS-CIFS:2.2.4.42

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

Data_len

The length of data from the requested file.

See also:

base/bif/plugins/Zeek_SMB.smb1_com_session_setup_andx.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

smb1_session_setup_andx_request: event

Generated for SMB/CIFS version 1 requests of type setup andx.

smb1_session_setup_andx_response: event

Generated for SMB/CIFS version 1 responses of type setup andx.

Detailed Interface
Events
smb1_session_setup_andx_request
Type

event (c: connection, hdr: SMB1::Header, request: SMB1::SessionSetupAndXRequest)

Generated for SMB/CIFS version 1 requests of type setup andx. This is sent by the client to configure an SMB session.

For more information, see MS-CIFS:2.2.4.53

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

Request

The parsed request data of the SMB message. See init-bare for more details.

See also:

smb1_session_setup_andx_response
Type

event (c: connection, hdr: SMB1::Header, response: SMB1::SessionSetupAndXResponse)

Generated for SMB/CIFS version 1 responses of type setup andx. This is the server response to the setup andx request.

For more information, see MS-CIFS:2.2.4.53

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

Response

The parsed response data of the SMB message. See init-bare for more details.

See also:

base/bif/plugins/Zeek_SMB.smb1_com_transaction.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

smb1_transaction_request: event

Generated for SMB/CIFS version 1 requests of type transaction.

smb1_transaction_response: event

Generated for SMB/CIFS version 1 responses of type transaction.

Detailed Interface
Events
smb1_transaction_request
Type

event (c: connection, hdr: SMB1::Header, name: string, sub_cmd: count, parameters: string, data: string)

Generated for SMB/CIFS version 1 requests of type transaction. This command serves as the transport for the Transaction Subprotocol Commands. These commands operate on mailslots and named pipes, which are interprocess communication endpoints within the CIFS file system.

For more information, see MS-CIFS:2.2.4.33.1

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

Name

A name string that MAY identify the resource (a specific Mailslot or Named Pipe) against which the operation is performed.

Sub_cmd

The subcommand; some subcommands are parsed further and have their own events.

Parameters

Content of the SMB_Data.Trans_Parameters field.

Data

Content of the SMB_Data.Trans_Data field.

See also:

smb1_transaction_response
Type

event (c: connection, hdr: SMB1::Header, parameters: string, data: string)

Generated for SMB/CIFS version 1 responses of type transaction. This command serves as the transport for the Transaction Subprotocol Commands. These commands operate on mailslots and named pipes, which are interprocess communication endpoints within the CIFS file system.

For more information, see MS-CIFS:2.2.4.33.2

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

Parameters

Content of the SMB_Data.Trans_Parameters field.

Data

Content of the SMB_Data.Trans_Data field.

base/bif/plugins/Zeek_SMB.smb1_com_transaction_secondary.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

smb1_transaction_secondary_request: event

Generated for SMB/CIFS version 1 requests of type transaction_secondary.

Detailed Interface
Events
smb1_transaction_secondary_request
Type

event (c: connection, hdr: SMB1::Header, args: SMB1::Trans_Sec_Args, parameters: string, data: string)

Generated for SMB/CIFS version 1 requests of type transaction_secondary. This command serves as an additional request data container for the Transaction Subprotocol Commands (carried by transaction requests).

For more information, see MS-CIFS:2.2.4.34

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

Parameters

The SMB_Data.Trans_Parameters field content.

Data

The SMB_Data.Trans_Data field content.
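
The transaction request, its secondary requests and the response described above belong to one exchange that shares the multiplex ID in the SMB1 header. The script below is an added example, not code from the Zeek distribution or from this reference page: it correlates the three events by connection UID and `hdr$mid` and writes one line per completed exchange to a new log stream, recording the named resource, the subcommand and payload sizes (the payloads themselves are deliberately not logged). The module name, log path and record layout are the example's own choices.

```zeek
module SMB1Trans;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:        time    &log;
        uid:       string  &log;
        id:        conn_id &log;
        ## Resource named in the request, e.g. a named pipe such as \PIPE\srvsvc.
        name:      string  &log;
        ## Transaction subcommand number as carried in the request.
        sub_cmd:   count   &log;
        ## Sizes of the request's Trans_Parameters and Trans_Data fields.
        param_len: count   &log;
        data_len:  count   &log;
        ## Additional bytes delivered by transaction_secondary requests.
        sec_len:   count   &log &default=0;
        ## Sizes of the response's Trans_Parameters and Trans_Data fields.
        resp_len:  count   &log &default=0;
    };
}

# Exchanges still waiting for their response, keyed by connection UID and
# multiplex ID. Entries expire so that unanswered requests do not leak memory.
global pending: table[string, count] of Info &create_expire=2min;

event zeek_init()
    {
    Log::create_stream(LOG, [$columns=Info, $path="smb1_transaction"]);
    }

event smb1_transaction_request(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count,
                               parameters: string, data: string)
    {
    pending[c$uid, hdr$mid] = [$ts=network_time(), $uid=c$uid, $id=c$id,
                               $name=name, $sub_cmd=sub_cmd,
                               $param_len=|parameters|, $data_len=|data|];
    }

event smb1_transaction_secondary_request(c: connection, hdr: SMB1::Header, args: SMB1::Trans_Sec_Args,
                                         parameters: string, data: string)
    {
    if ( [c$uid, hdr$mid] in pending )
        pending[c$uid, hdr$mid]$sec_len += |parameters| + |data|;
    }

event smb1_transaction_response(c: connection, hdr: SMB1::Header, parameters: string, data: string)
    {
    if ( [c$uid, hdr$mid] !in pending )
        return;

    local rec = pending[c$uid, hdr$mid];
    rec$resp_len = |parameters| + |data|;
    Log::write(LOG, rec);
    delete pending[c$uid, hdr$mid];
    }
```

Because Zeek records are reference types, updating the table entry from the secondary handler modifies the same record that the response handler later writes out.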

base/bif/plugins/Zeek_SMB.smb1_com_transaction2.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

smb1_trans2_find_first2_request: event

Generated for SMB/CIFS version 1 transaction2 requests of subtype find first2.

smb1_trans2_get_dfs_referral_request: event

Generated for SMB/CIFS version 1 transaction2 requests of subtype get DFS referral.

smb1_trans2_query_path_info_request: event

Generated for SMB/CIFS version 1 transaction2 requests of subtype query path info.

smb1_transaction2_request: event

Generated for SMB/CIFS version 1 requests of type transaction2.

Detailed Interface
Events
smb1_trans2_find_first2_request
Type

event (c: connection, hdr: SMB1::Header, args: SMB1::Find_First2_Request_Args)

Generated for SMB/CIFS version 1 transaction2 requests of subtype find first2. This transaction is used to begin a search for file(s) within a directory or for a directory.

For more information, see MS-CIFS:2.2.6.2

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

Args

A record data structure with arguments given to the command.

See also:

smb1_trans2_get_dfs_referral_request
Type

event (c: connection, hdr: SMB1::Header, file_name: string)

Generated for SMB/CIFS version 1 transaction2 requests of subtype get DFS referral. This transaction is used to request a referral for a disk object in DFS.

For more information, see MS-CIFS:2.2.6.16

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

File_name

File name the request is in reference to.

See also:

smb1_trans2_query_path_info_request
Type

event (c: connection, hdr: SMB1::Header, file_name: string)

Generated for SMB/CIFS version 1 transaction2 requests of subtype query path info. This transaction is used to get information about a specific file or directory.

For more information, see MS-CIFS:2.2.6.6

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

File_name

File name the request is in reference to.

See also:

smb1_transaction2_request
Type

event (c: connection, hdr: SMB1::Header, args: SMB1::Trans2_Args, sub_cmd: count)

Generated for SMB/CIFS version 1 requests of type transaction2. This command serves as the transport for the Transaction2 Subprotocol Commands. These commands operate on mailslots and named pipes, which are interprocess communication endpoints within the CIFS file system. Compared to the Transaction Subprotocol Commands, these commands allow clients to set and retrieve Extended Attribute key/value pairs, make use of long file names (longer than the original 8.3 format names), and perform directory searches, among other tasks.

For more information, see MS-CIFS:2.2.4.46

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

Sub_cmd

The subcommand; some subcommands are parsed further and have their own events.

See also:

base/bif/plugins/Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

smb1_transaction2_secondary_request: event

Generated for SMB/CIFS version 1 requests of type transaction2 secondary.

Detailed Interface
Events
smb1_transaction2_secondary_request
Type

event (c: connection, hdr: SMB1::Header, args: SMB1::Trans2_Sec_Args, parameters: string, data: string)

Generated for SMB/CIFS version 1 requests of type transaction2 secondary.

For more information, see MS-CIFS:2.2.4.47.1

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

Args

Arguments of the message (SMB_Parameters.Words).

Parameters

Content of the SMB_Data.Trans_Parameters field.

Data

Content of the SMB_Data.Trans_Data field.

base/bif/plugins/Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

smb1_tree_connect_andx_request: event

Generated for SMB/CIFS version 1 requests of type tree connect andx.

smb1_tree_connect_andx_response: event

Generated for SMB/CIFS version 1 responses of type tree connect andx.

Detailed Interface
Events
smb1_tree_connect_andx_request
Type

event (c: connection, hdr: SMB1::Header, path: string, service: string)

Generated for SMB/CIFS version 1 requests of type tree connect andx. This is sent by the client to establish a connection to a server share.

For more information, see MS-CIFS:2.2.4.55

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

Path

The path attribute specified in the message.

Service

The service attribute specified in the message.

See also:

smb1_tree_connect_andx_response
Type

event (c: connection, hdr: SMB1::Header, service: string, native_file_system: string)

Generated for SMB/CIFS version 1 responses of type tree connect andx. This is the server reply to the tree connect andx request.

For more information, see MS-CIFS:2.2.4.55

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

Service

The service attribute specified in the message.

Native_file_system

The file system of the remote server, as indicated by the server.

See also:
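
Tree connect requests and responses carry the share path and, in the header, the status of the attempt, which is what a defender needs to watch for access to hidden administrative shares (names ending in `$`). The handler below is an added example and not part of Zeek's own scripts: it pairs the request with its response via the connection UID and `hdr$mid`, keeps only successful connects (SMB1 header status 0 is STATUS_SUCCESS), and raises a notice for `$`-suffixed shares other than the ever-present IPC$. The module name, notice type, ignore list and suppression interval are the example's assumptions.

```zeek
@load base/frameworks/notice

module SMB1AdminShare;

export {
    redef enum Notice::Type += {
        ## A client successfully connected to a hidden ("$"-suffixed) share over SMB1.
        Admin_Share_Connect,
    };

    ## Hidden shares too common to warrant a notice on their own.
    const ignored_shares: set[string] = { "IPC$" } &redef;
}

# Paths of tree connect requests still awaiting a response, keyed by
# connection UID and multiplex ID.
global pending: table[string, count] of string &create_expire=2min;

# Extract the share component of a UNC path such as \\SERVER\ADMIN$.
function share_name(path: string): string
    {
    local parts = split_string(path, /\\/);
    return to_upper(parts[|parts| - 1]);
    }

event smb1_tree_connect_andx_request(c: connection, hdr: SMB1::Header, path: string, service: string)
    {
    pending[c$uid, hdr$mid] = path;
    }

event smb1_tree_connect_andx_response(c: connection, hdr: SMB1::Header, service: string,
                                      native_file_system: string)
    {
    if ( [c$uid, hdr$mid] !in pending )
        return;

    local path = pending[c$uid, hdr$mid];
    delete pending[c$uid, hdr$mid];

    # Only successful connects are interesting; failures are already visible as smb1_error.
    if ( hdr$status != 0 )
        return;

    local share = share_name(path);
    if ( /\$$/ !in share || share in ignored_shares )
        return;

    NOTICE([$note=Admin_Share_Connect,
            $conn=c,
            $msg=fmt("%s connected to %s on %s (service %s, file system %s)",
                     c$id$orig_h, path, c$id$resp_h, service, native_file_system),
            $sub=share,
            $identifier=cat(c$id$orig_h, c$id$resp_h, share),
            $suppress_for=1hr]);
    }
```

Whether a given connect is expected depends on the environment (backup agents and management tooling use these shares legitimately), so the notice is best fed into the Notice framework's policy hooks rather than acted on by itself.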

base/bif/plugins/Zeek_SMB.smb1_com_tree_disconnect.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

smb1_tree_disconnect: event

Generated for SMB/CIFS version 1 requests of type tree disconnect.

Detailed Interface
Events
smb1_tree_disconnect
Type

event (c: connection, hdr: SMB1::Header, is_orig: bool)

Generated for SMB/CIFS version 1 requests of type tree disconnect. This is sent by the client to logically disconnect client access to a server resource.

For more information, see MS-CIFS:2.2.4.51

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

Is_orig

True if the message was from the originator.

See also:

base/bif/plugins/Zeek_SMB.smb1_com_write_andx.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

smb1_write_andx_request: event

Generated for SMB/CIFS version 1 requests of type write andx.

smb1_write_andx_response: event

Generated for SMB/CIFS version 1 responses of type write andx.

Detailed Interface
Events
smb1_write_andx_request
Type

event (c: connection, hdr: SMB1::Header, file_id: count, offset: count, data_len: count)

Generated for SMB/CIFS version 1 requests of type write andx. This is sent by the client to write bytes to a regular file, a named pipe, or a directly accessible I/O device such as a serial port (COM) or printer port (LPT).

For more information, see MS-CIFS:2.2.4.43

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

Offset

The byte offset into the referenced file at which the data is being written.

Data_len

The length of the data being written.

See also:

smb1_write_andx_response
Type

event (c: connection, hdr: SMB1::Header, written_bytes: count)

Generated for SMB/CIFS version 1 responses of type write andx. This is the server response to the write andx request.

For more information, see MS-CIFS:2.2.4.43

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

Written_bytes

The number of bytes the server reported having actually written.

See also:

base/bif/plugins/Zeek_SMB.smb1_events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

smb1_empty_response: event

Generated when there is an SMB version 1 response with no message body.

smb1_error: event

Generated for SMB version 1 messages that indicate an error.

smb1_message: event

Generated for all SMB/CIFS version 1 messages.

Detailed Interface
Events
smb1_empty_response
Type

event (c: connection, hdr: SMB1::Header)

Generated when there is an SMB version 1 response with no message body.

C

The connection.

Hdr

The parsed header of the SMB message.

See also:

smb1_error
Type

event (c: connection, hdr: SMB1::Header, is_orig: bool)

Generated for SMB version 1 messages that indicate an error. This event is triggered by an SMB header including a status that signals an error.

C

The connection.

Hdr

The parsed header of the SMB message.

Is_orig

True if the message was sent by the originator of the underlying transport-level connection.

See also:

smb1_message
Type

event (c: connection, hdr: SMB1::Header, is_orig: bool)

Generated for all SMB/CIFS version 1 messages.

See Wikipedia for more information about the SMB/CIFS protocol. Zeek’s SMB/CIFS analyzer parses both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.

C

The connection.

Hdr

The parsed header of the SMB version 1 message.

Is_orig

True if the message was sent by the originator of the underlying transport-level connection.

See also:

base/bif/plugins/Zeek_SMB.smb2_com_close.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

smb2_close_request: event

Generated for SMB/CIFS version 2 requests of type close.

smb2_close_response: event

Generated for SMB/CIFS version 2 responses of type close.

Detailed Interface
Events
smb2_close_request
Type

event (c: connection, hdr: SMB2::Header, file_id: SMB2::GUID)

Generated for SMB/CIFS version 2 requests of type close. This is used by the client to close an instance of a file that was opened previously with a successful SMB2 CREATE Request.

For more information, see MS-SMB2:2.2.15

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

File_id

The SMB2 GUID of the file being closed.

See also:

smb2_close_response
Type

event (c: connection, hdr: SMB2::Header, response: SMB2::CloseResponse)

Generated for SMB/CIFS version 2 responses of type close. This is sent by the server to indicate that an SMB2 CLOSE request was processed successfully.

For more information, see MS-SMB2:2.2.16

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

Response

A record of attributes returned from the server from the close.

See also:

base/bif/plugins/Zeek_SMB.smb2_com_create.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

smb2_create_request: event

Generated for SMB/CIFS version 2 requests of type create.

smb2_create_response: event

Generated for SMB/CIFS version 2 responses of type create.

Detailed Interface
Events
smb2_create_request
Type

event (c: connection, hdr: SMB2::Header, request: SMB2::CreateRequest)

Generated for SMB/CIFS version 2 requests of type create. This is sent by the client to request either creation of or access to a file.

For more information, see MS-SMB2:2.2.13

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

Request

A record with more information related to the request.

See also:

smb2_create_response
Type

event (c: connection, hdr: SMB2::Header, response: SMB2::CreateResponse)

Generated for SMB/CIFS version 2 responses of type create. This is sent by the server to notify the client of the status of its SMB2 CREATE request.

For more information, see MS-SMB2:2.2.14

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

Response

A record with more information related to the response.

See also:

base/bif/plugins/Zeek_SMB.smb2_com_negotiate.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

smb2_negotiate_request: event

Generated for SMB/CIFS version 2 requests of type negotiate.

smb2_negotiate_response: event

Generated for SMB/CIFS version 2 responses of type negotiate.

Detailed Interface
Events
smb2_negotiate_request
Type

event (c: connection, hdr: SMB2::Header, dialects: index_vec)

Generated for SMB/CIFS version 2 requests of type negotiate. This is used by the client to notify the server what dialects of the SMB2 Protocol the client understands.

For more information, see MS-SMB2:2.2.3

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

Dialects

A vector of the client’s supported dialects.

See also:

smb2_negotiate_response
Type

event (c: connection, hdr: SMB2::Header, response: SMB2::NegotiateResponse)

Generated for SMB/CIFS version 2 responses of type negotiate. This is sent by the server to notify the client of the preferred common dialect.

For more information, see MS-SMB2:2.2.4

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

Response

The negotiate response data structure.

See also:

base/bif/plugins/Zeek_SMB.smb2_com_read.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

smb2_read_request: event

Generated for SMB/CIFS version 2 requests of type read.

Detailed Interface
Events
smb2_read_request
Type

event (c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count)

Generated for SMB/CIFS version 2 requests of type read. This is sent by the client to request a read operation on the specified file.

For more information, see MS-SMB2:2.2.19

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

File_id

The GUID being used for the file.

Offset

The byte offset into the file at which the read begins.

Length

The number of bytes of the file being read.

See also:

base/bif/plugins/Zeek_SMB.smb2_com_session_setup.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

smb2_session_setup_request: event

Generated for SMB/CIFS version 2 requests of type session_setup.

smb2_session_setup_response: event

Generated for SMB/CIFS version 2 responses of type session_setup.

Detailed Interface
Events
smb2_session_setup_request
Type

event (c: connection, hdr: SMB2::Header, request: SMB2::SessionSetupRequest)

Generated for SMB/CIFS version 2 requests of type session_setup. This is sent by the client to request a new authenticated session within a new or existing SMB 2 Protocol transport connection to the server.

For more information, see MS-SMB2:2.2.5

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

Request

A record containing more information related to the request.

See also:

smb2_session_setup_response
Type

event (c: connection, hdr: SMB2::Header, response: SMB2::SessionSetupResponse)

Generated for SMB/CIFS version 2 responses of type session_setup. This is sent by the server in response to a session_setup request.

For more information, see MS-SMB2:2.2.6

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

Response

A record containing more information related to the response.

See also:

base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

smb2_file_allocation: event

Generated for SMB/CIFS version 2 requests of type set_info of the allocation subtype.

smb2_file_delete: event

Generated for SMB/CIFS version 2 requests of type set_info of the delete subtype.

smb2_file_endoffile: event

Generated for SMB/CIFS version 2 requests of type set_info of the end_of_file subtype.

smb2_file_fscontrol: event

Generated for SMB/CIFS version 2 requests of type set_info of the fs_control subtype.

smb2_file_fsobjectid: event

Generated for SMB/CIFS version 2 requests of type set_info of the fs_object_id subtype.

smb2_file_fullea: event

Generated for SMB/CIFS version 2 requests of type set_info of the full_EA subtype.

smb2_file_link: event

Generated for SMB/CIFS version 2 requests of type set_info of the link subtype.

smb2_file_mode: event

Generated for SMB/CIFS version 2 requests of type set_info of the mode subtype.

smb2_file_pipe: event

Generated for SMB/CIFS version 2 requests of type set_info of the pipe subtype.

smb2_file_position: event

Generated for SMB/CIFS version 2 requests of type set_info of the position subtype.

smb2_file_rename: event

Generated for SMB/CIFS version 2 requests of type set_info of the rename subtype.

smb2_file_sattr: event

Generated for SMB/CIFS version 2 requests of type set_info of the file subtype.

smb2_file_shortname: event

Generated for SMB/CIFS version 2 requests of type set_info of the short_name subtype.

smb2_file_validdatalength: event

Generated for SMB/CIFS version 2 requests of type set_info of the valid_data_length subtype.

Detailed Interface
Events
smb2_file_allocation
Type

event (c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, alloc_size: int)

Generated for SMB/CIFS version 2 requests of type set_info of the allocation subtype.

For more information, see MS-SMB2:2.2.39

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

File_id

The SMB2 GUID for the file.

Alloc_size

The desired allocation size.

See also:

smb2_file_delete
Type

event (c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, delete_pending: bool)

Generated for SMB/CIFS version 2 requests of type set_info of the delete subtype.

For more information, see MS-SMB2:2.2.39

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

File_id

The SMB2 GUID for the file.

Delete_pending

If set to T, indicates that the file should be deleted when it is closed.

See also:

smb2_file_endoffile
Type

event (c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, end_of_file: int)

Generated for SMB/CIFS version 2 requests of type set_info of the end_of_file subtype.

For more information, see MS-SMB2:2.2.39

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

File_id

The SMB2 GUID for the file.

End_of_file

The absolute new end-of-file position, as a byte offset from the start of the file.

See also:

smb2_file_fscontrol
Type

event (c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, fs_control: SMB2::Fscontrol)

Generated for SMB/CIFS version 2 requests of type set_info of the fs_control subtype.

For more information, see MS-SMB2:2.2.39

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

File_id

The SMB2 GUID for the file.

Fs_control

Contains the fs_control information (see MS-FSCC 2.5.2).

See also:

smb2_file_fsobjectid
Type

event (c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, object_id: SMB2::GUID, extended_info: string)

Generated for SMB/CIFS version 2 requests of type set_info of the fs_object_id subtype.

For more information, see MS-SMB2:2.2.39

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

File_id

The SMB2 GUID for the file.

Object_id

Contains a 16-byte GUID that identifies the file system volume (see MS-FSCC 2.5.6).

Extended_info

Contains extended information on the file system volume.

See also:

smb2_file_fullea
Type

event (c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, file_eas: SMB2::FileEAs)

Generated for SMB/CIFS version 2 requests of type set_info of the full_EA subtype.

For more information, see MS-SMB2:2.2.39

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

File_id

The SMB2 GUID for the file.

File_eas

A vector of extended file attributes as defined in MS-FSCC:2.4.15.

See also:

smb2_file_link
Type

event (c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, root_directory: count, file_name: string)

Generated for SMB/CIFS version 2 requests of type set_info of the link subtype.

For more information, see MS-SMB2:2.2.39

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

File_id

The SMB2 GUID for the file.

Root_directory

Contains the file handle for the directory where the link is to be created.

File_name

Contains the name to be assigned to the newly created link.

See also:

smb2_file_mode
Type

event (c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, mode: count)

Generated for SMB/CIFS version 2 requests of type set_info of the mode subtype.

For more information, see MS-SMB2:2.2.39

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

File_id

The SMB2 GUID for the file.

Mode

Specifies how the file will subsequently be accessed.

See also:

smb2_file_pipe
Type

event (c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, read_mode: count, completion_mode: count)

Generated for SMB/CIFS version 2 requests of type set_info of the pipe subtype.

For more information, see MS-SMB2:2.2.39

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

File_id

The SMB2 GUID for the file.

Read_mode

Specifies whether data must be read as a stream of bytes or as messages.

Completion_mode

Specifies whether blocking mode must be enabled.

See also:

smb2_file_position
Type

event (c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, current_byte_offset: int)

Generated for SMB/CIFS version 2 requests of type set_info of the position subtype.

For more information, see MS-SMB2:2.2.39

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

File_id

The SMB2 GUID for the file.

Current_byte_offset

Specifies the offset, in bytes, of the file pointer from the beginning of the file.

See also:

smb2_file_rename
Type

event (c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, dst_filename: string)

Generated for SMB/CIFS version 2 requests of type set_info of the rename subtype.

For more information, see MS-SMB2:2.2.39

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

File_id

A GUID to identify the file.

Dst_filename

The filename to rename the file into.

See also:

smb2_file_sattr
Type

event (c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, times: SMB::MACTimes, attrs: SMB2::FileAttrs)

Generated for SMB/CIFS version 2 requests of type set_info of the file subtype

For more information, see MS-SMB2:2.2.39

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

File_id

The SMB2 GUID for the file.

Times

Timestamps associated with the file in question.

Attrs

File attributes.

See also:

smb2_file_shortname
Type

event (c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, file_name: string)

Generated for SMB/CIFS version 2 requests of type set_info of the short_name subtype

For more information, see MS-SMB2:2.2.39

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

File_id

The SMB2 GUID for the file.

File_name

Specifies the name of the file to be changed.

See also:

smb2_file_validdatalength
Type

event (c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, valid_data_length: int)

Generated for SMB/CIFS version 2 requests of type set_info of the valid_data_length subtype

For more information, see MS-SMB2:2.2.39

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

File_id

The SMB2 GUID for the file.

Valid_data_length

Specifies the new valid data length for the file.

See also:

base/bif/plugins/Zeek_SMB.smb2_com_tree_connect.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

smb2_tree_connect_request: event

Generated for SMB/CIFS version 2 requests of type tree_connect.

smb2_tree_connect_response: event

Generated for SMB/CIFS version 2 responses of type tree_connect.

Detailed Interface
Events
smb2_tree_connect_request
Type

event (c: connection, hdr: SMB2::Header, path: string)

Generated for SMB/CIFS version 2 requests of type tree_connect. This is sent by a client to request access to a particular share on the server.

For more information, see MS-SMB2:2.2.9

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

Path

Path of the requested tree.

See also:

smb2_tree_connect_response
Type

event (c: connection, hdr: SMB2::Header, response: SMB2::TreeConnectResponse)

Generated for SMB/CIFS version 2 responses of type tree_connect. This is sent by the server when a tree_connect request is successfully processed by the server.

For more information, see MS-SMB2:2.2.10

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

Response

A record with more information related to the response.

See also:
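As an added example (not part of the Zeek documentation or Zeek's own scripts), the following script handles smb2_tree_connect_request to flag clients that connect to administrative shares. The notice name, the module name, the share list and the share_name helper are all choices made here; only the event signature, the Notice framework and the split_string/to_upper built-ins come from Zeek.

```zeek
# Added example: notice on tree connects to administrative SMB shares.
# Everything except the smb2_tree_connect_request signature is constructed here.
@load base/frameworks/notice
@load base/protocols/smb

module AdminShareWatch;

export {
    redef enum Notice::Type += {
        # A client requested a tree connect to an administrative share.
        Admin_Share_Connect,
    };

    # Share names treated as administrative (constructed list; extend via redef).
    const admin_shares: set[string] = { "ADMIN$", "C$", "IPC$" } &redef;
}

# Return the last component of a UNC path such as \\host\ADMIN$.
function share_name(path: string): string
    {
    local parts = split_string(path, /\\/);
    if ( |parts| == 0 )
        return "";
    return parts[|parts| - 1];
    }

event smb2_tree_connect_request(c: connection, hdr: SMB2::Header, path: string)
    {
    local share = to_upper(share_name(path));
    if ( share !in admin_shares )
        return;

    NOTICE([$note=Admin_Share_Connect,
            $conn=c,
            $msg=fmt("%s requested tree connect to %s on %s",
                     c$id$orig_h, path, c$id$resp_h),
            # Suppress repeats for the same client, server and share.
            $identifier=cat(c$id$orig_h, c$id$resp_h, share)]);
    }
```

The handler only sees the request; pairing it with smb2_tree_connect_response (which carries the server's reply) would let the notice report whether the connect actually succeeded.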

base/bif/plugins/Zeek_SMB.smb2_com_tree_disconnect.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

smb2_tree_disconnect_request: event

Generated for SMB/CIFS version 2 requests of type tree disconnect.

smb2_tree_disconnect_response: event

Generated for SMB/CIFS version 2 responses of type tree disconnect.

Detailed Interface
Events
smb2_tree_disconnect_request
Type

event (c: connection, hdr: SMB2::Header)

Generated for SMB/CIFS version 2 requests of type tree disconnect. This is sent by the client to logically disconnect client access to a server resource.

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

See also:

smb2_tree_disconnect_response
Type

event (c: connection, hdr: SMB2::Header)

Generated for SMB/CIFS version 2 responses of type tree disconnect. This is sent by the server to logically disconnect client access to a server resource.

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

See also:

base/bif/plugins/Zeek_SMB.smb2_com_write.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

smb2_write_request: event

Generated for SMB/CIFS version 2 requests of type write.

smb2_write_response: event

Generated for SMB/CIFS version 2 responses of type write.

Detailed Interface
Events
smb2_write_request
Type

event (c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count)

Generated for SMB/CIFS version 2 requests of type write. This is sent by the client to write data to the file or named pipe on the server.

For more information, see MS-SMB2:2.2.21

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

File_id

The GUID being used for the file.

Offset

How far into the file this write should be taking place.

Length

The number of bytes of the file being written.

See also:

smb2_write_response
Type

event (c: connection, hdr: SMB2::Header, length: count)

Generated for SMB/CIFS version 2 responses of type write. This is sent by the server in response to a write request to a file or named pipe on the server.

For more information, see MS-SMB2:2.2.22

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

Length

The number of bytes of the file being written.

See also:

base/bif/plugins/Zeek_SMB.smb2_com_transform_header.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

smb2_transform_header: event

Generated for SMB/CIFS version 3.x transform_header.

Detailed Interface
Events
smb2_transform_header
Type

event (c: connection, hdr: SMB2::Transform_header)

Generated for SMB/CIFS version 3.x transform_header. This is used by the client or server when sending encrypted messages.

For more information, see MS-SMB2:2.2.41

C

The connection.

Hdr

The parsed transform header, which starts with \xfdSMB and differs from the SMB1 and SMB2 headers.

See also:

base/bif/plugins/Zeek_SMB.smb2_events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

smb2_message: event

Generated for SMB/CIFS version 2 messages.

Detailed Interface
Events
smb2_message
Type

event (c: connection, hdr: SMB2::Header, is_orig: bool)

Generated for SMB/CIFS version 2 messages.

See Wikipedia for more information about the SMB/CIFS protocol. Zeek’s SMB/CIFS analyzer parses both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.

C

The connection.

Hdr

The parsed header of the SMB version 2 message.

Is_orig

True if the message came from the originator side.

See also:

base/bif/plugins/Zeek_SMB.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

smb_pipe_connect_heuristic: event

Generated for SMB connections when a named pipe has been detected heuristically.

Detailed Interface
Events
smb_pipe_connect_heuristic
Type

event (c: connection)

Generated for SMB connections when a named pipe has been detected heuristically. The case when this comes up is when the drive mapping isn’t seen so the analyzer is not able to determine whether to send the data to the files framework or to the DCE_RPC analyzer. This heuristic can be tuned by adding or removing “named pipe” names from the SMB::pipe_filenames const.

C

The connection.

base/bif/plugins/Zeek_SMB.consts.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Detailed Interface

base/bif/plugins/Zeek_SMB.types.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Detailed Interface

base/bif/plugins/Zeek_SMTP.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

smtp_data: event

Generated for DATA transmitted on SMTP sessions.

smtp_reply: event

Generated for server-side SMTP commands.

smtp_request: event

Generated for client-side SMTP commands.

smtp_starttls: event

Generated if a connection switched to TLS using STARTTLS or X-ANONYMOUSTLS.

smtp_unexpected: event

Generated for unexpected activity on SMTP sessions.

Detailed Interface
Events
smtp_data
Type

event (c: connection, is_orig: bool, data: string)

Generated for DATA transmitted on SMTP sessions. This event is raised for each chunk of raw data following the DATA SMTP command until the corresponding end marker (a line consisting of a single period) is seen. A handler may want to reassemble the pieces as they come in if stream analysis is required.

See Wikipedia for more information about the SMTP protocol.

C

The connection.

Is_orig

True if the sender of the data is the originator of the TCP connection.

Data

The raw data. Note that the size of each chunk is undefined and depends on specifics of the underlying TCP connection.

See also:

Note

This event receives the unprocessed raw data. There is a separate set of mime_* events that strip out the outer MIME-layer of emails and provide structured access to their content.
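The reassembly the description recommends, as an added example that is not part of the Zeek documentation or of Zeek's own SMTP scripts: chunks delivered by smtp_data are appended to a per-connection buffer keyed on the connection UID, and the buffer is processed when the client's next SMTP command arrives, since no event marks the terminating "." line itself. The module name, the size cap, the split_message and count_received_hops helpers and the check applied to the reassembled message are all constructed here.

```zeek
# Added example: reassemble SMTP DATA chunks and inspect the complete message.
# Only the smtp_data/smtp_request/connection_state_remove signatures are Zeek's.
@load base/protocols/smtp

module SmtpReassemble;

export {
    # Cap on buffered bytes per connection (constructed value, not a Zeek default).
    const max_body_bytes = 1048576 &redef;
}

# Raw DATA bytes received so far, keyed on the connection UID.
global bodies: table[string] of string &default="";

# Split a message into [headers, body] at the first empty line (RFC 5322 layout).
function split_message(msg: string): string_vec
    {
    local parts = split_string1(msg, /\r?\n\r?\n/);
    if ( |parts| < 2 )
        return vector(msg, "");
    return parts;
    }

# Count "Received:" header lines, i.e. the relay hops the message claims.
function count_received_hops(headers: string): count
    {
    local n = 0;
    local lines = split_string(headers, /\r?\n/);
    for ( i in lines )
        if ( /^Received:/ in lines[i] )
            ++n;
    return n;
    }

event smtp_data(c: connection, is_orig: bool, data: string)
    {
    # Chunk boundaries follow TCP segmentation, so buffer instead of
    # inspecting each chunk on its own.
    if ( |bodies[c$uid]| + |data| > max_body_bytes )
        return;  # stop growing the buffer for oversized messages
    bodies[c$uid] += data;
    }

# The client's next command (QUIT, RSET or another MAIL FROM) can only
# arrive after the end marker, so a pending buffer is complete here.
event smtp_request(c: connection, is_orig: bool, command: string, arg: string)
    {
    if ( c$uid !in bodies )
        return;

    local msg = bodies[c$uid];
    delete bodies[c$uid];

    local parts = split_message(msg);
    print fmt("%s %s -> %s: %d-byte message, %d Received hops",
              c$uid, c$id$orig_h, c$id$resp_h, |msg|,
              count_received_hops(parts[0]));
    }

# Drop any partial buffer when the connection goes away.
event connection_state_remove(c: connection)
    {
    delete bodies[c$uid];
    }
```

For structured access to the MIME parts of a message the mime_* events mentioned in the note above are the better tool; this script is for cases where the raw stream, including its exact line endings, is what you need to examine.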

smtp_reply
Type

event (c: connection, is_orig: bool, code: count, cmd: string, msg: string, cont_resp: bool)

Generated for server-side SMTP commands.

See Wikipedia for more information about the SMTP protocol.

C

The connection.

Is_orig

True if the sender of the command is the originator of the TCP connection. Note that this is not redundant: the SMTP TURN command allows client and server to flip roles on established SMTP sessions, and hence a “reply” might still come from the TCP-level originator. In practice, however, that will rarely happen as TURN is considered insecure and rarely used.

Code

The reply’s numerical code.

Cmd

TODO.

Msg

The reply’s textual description.

Cont_resp

True if the reply line is tagged as being continued to the next line. If so, further events will be raised and a handler may want to reassemble the pieces before processing the response any further.

See also:

Note

Zeek doesn’t support the newer ETRN extension yet.

smtp_request
Type

event (c: connection, is_orig: bool, command: string, arg: string)

Generated for client-side SMTP commands.

See Wikipedia for more information about the SMTP protocol.

C

The connection.

Is_orig

True if the sender of the command is the originator of the TCP connection. Note that this is not redundant: the SMTP TURN command allows client and server to flip roles on established SMTP sessions, and hence a “request” might still come from the TCP-level responder. In practice, however, that will rarely happen as TURN is considered insecure and rarely used.

Command

The request’s command, without any arguments.

Arg

The request command’s arguments.

See also:

Note

Zeek does not support the newer ETRN extension yet.

smtp_starttls
Type

event (c: connection)

Generated if a connection switched to TLS using STARTTLS or X-ANONYMOUSTLS. After this event no more SMTP events will be raised for the connection. See the SSL analyzer for the related SSL events, which will be generated from then on.

C

The connection.

smtp_unexpected
Type

event (c: connection, is_orig: bool, msg: string, detail: string)

Generated for unexpected activity on SMTP sessions. The SMTP analyzer tracks the state of SMTP sessions and uses this event to report commands and other activity that it sees but would not expect at the current point of the communication.

See Wikipedia for more information about the SMTP protocol.

C

The connection.

Is_orig

True if the sender of the unexpected activity is the originator of the TCP connection.

Msg

A descriptive message of what was unexpected.

Detail

The actual SMTP line triggering the event.

See also:

base/bif/plugins/Zeek_SMTP.functions.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Functions

skip_smtp_data: function

Skips SMTP data until the next email in a connection.

Detailed Interface
Functions
skip_smtp_data
Type

function (c: connection) : any

Skips SMTP data until the next email in a connection.

C

The SMTP connection.

See also:

base/bif/plugins/Zeek_SNMP.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

snmp_encrypted_pdu: event

An SNMPv3 encrypted PDU message.

snmp_get_bulk_request: event

An SNMP GetBulkRequest-PDU message from RFC 3416.

snmp_get_next_request: event

An SNMP GetNextRequest-PDU message from either RFC 1157 or RFC 3416.

snmp_get_request: event

An SNMP GetRequest-PDU message from either RFC 1157 or RFC 3416.

snmp_inform_request: event

An SNMP InformRequest-PDU message from RFC 3416.

snmp_report: event

An SNMP Report-PDU message from RFC 3416.

snmp_response: event

An SNMP GetResponse-PDU message from RFC 1157 or a Response-PDU from RFC 3416.

snmp_set_request: event

An SNMP SetRequest-PDU message from either RFC 1157 or RFC 3416.

snmp_trap: event

An SNMP Trap-PDU message from RFC 1157.

snmp_trapV2: event

An SNMP SNMPv2-Trap-PDU message from RFC 1157.

snmp_unknown_header_version: event

A datagram with an unknown SNMP version.

snmp_unknown_pdu: event

An SNMP PDU message of unknown type.

snmp_unknown_scoped_pdu: event

An SNMPv3 ScopedPDUData of unknown type (neither a plaintext nor an encrypted PDU was in the datagram).

Detailed Interface
Events
snmp_encrypted_pdu
Type

event (c: connection, is_orig: bool, header: SNMP::Header)

An SNMPv3 encrypted PDU message.

C

The connection over which the SNMP datagram is sent.

Is_orig

The endpoint which sent the SNMP datagram.

Header

SNMP version-dependent data that precedes PDU data in the top-level SNMP message structure.

snmp_get_bulk_request
Type

event (c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::BulkPDU)

An SNMP GetBulkRequest-PDU message from RFC 3416.

C

The connection over which the SNMP datagram is sent.

Is_orig

The endpoint which sent the SNMP datagram.

Header

SNMP version-dependent data that precedes PDU data in the top-level SNMP message structure.

Pdu

An SNMP PDU data structure.

snmp_get_next_request
Type

event (c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU)

An SNMP GetNextRequest-PDU message from either RFC 1157 or RFC 3416.

C

The connection over which the SNMP datagram is sent.

Is_orig

The endpoint which sent the SNMP datagram.

Header

SNMP version-dependent data that precedes PDU data in the top-level SNMP message structure.

Pdu

An SNMP PDU data structure.

snmp_get_request
Type

event (c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU)

An SNMP GetRequest-PDU message from either RFC 1157 or RFC 3416.

C

The connection over which the SNMP datagram is sent.

Is_orig

The endpoint which sent the SNMP datagram.

Header

SNMP version-dependent data that precedes PDU data in the top-level SNMP message structure.

Pdu

An SNMP PDU data structure.

snmp_inform_request
Type

event (c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU)

An SNMP InformRequest-PDU message from RFC 3416.

C

The connection over which the SNMP datagram is sent.

Is_orig

The endpoint which sent the SNMP datagram.

Header

SNMP version-dependent data that precedes PDU data in the top-level SNMP message structure.

Pdu

An SNMP PDU data structure.

snmp_report
Type

event (c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU)

An SNMP Report-PDU message from RFC 3416.

C

The connection over which the SNMP datagram is sent.

Is_orig

The endpoint which sent the SNMP datagram.

Header

SNMP version-dependent data that precedes PDU data in the top-level SNMP message structure.

Pdu

An SNMP PDU data structure.

snmp_response
Type

event (c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU)

An SNMP GetResponse-PDU message from RFC 1157 or a Response-PDU from RFC 3416.

C

The connection over which the SNMP datagram is sent.

Is_orig

The endpoint which sent the SNMP datagram.

Header

SNMP version-dependent data that precedes PDU data in the top-level SNMP message structure.

Pdu

An SNMP PDU data structure.

snmp_set_request
Type

event (c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU)

An SNMP SetRequest-PDU message from either RFC 1157 or RFC 3416.

C

The connection over which the SNMP datagram is sent.

Is_orig

The endpoint which sent the SNMP datagram.

Header

SNMP version-dependent data that precedes PDU data in the top-level SNMP message structure.

Pdu

An SNMP PDU data structure.

snmp_trap
Type

event (c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::TrapPDU)

An SNMP Trap-PDU message from RFC 1157.

C

The connection over which the SNMP datagram is sent.

Is_orig

The endpoint which sent the SNMP datagram.

Header

SNMP version-dependent data that precedes PDU data in the top-level SNMP message structure.

Pdu

An SNMP PDU data structure.

snmp_trapV2
Type

event (c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU)

An SNMP SNMPv2-Trap-PDU message from RFC 1157.

C

The connection over which the SNMP datagram is sent.

Is_orig

The endpoint which sent the SNMP datagram.

Header

SNMP version-dependent data that precedes PDU data in the top-level SNMP message structure.

Pdu

An SNMP PDU data structure.

snmp_unknown_header_version
Type

event (c: connection, is_orig: bool, version: count)

A datagram with an unknown SNMP version.

C

The connection over which the SNMP datagram is sent.

Is_orig

The endpoint which sent the SNMP datagram.

Version

The value of the unknown SNMP version.

snmp_unknown_pdu
Type

event (c: connection, is_orig: bool, header: SNMP::Header, tag: count)

An SNMP PDU message of unknown type.

C

The connection over which the SNMP datagram is sent.

Is_orig

The endpoint which sent the SNMP datagram.

Header

SNMP version-dependent data that precedes PDU data in the top-level SNMP message structure.

Tag

The tag of the unknown SNMP PDU.

snmp_unknown_scoped_pdu
Type

event (c: connection, is_orig: bool, header: SNMP::Header, tag: count)

An SNMPv3 ScopedPDUData of unknown type (neither a plaintext nor an encrypted PDU was in the datagram).

C

The connection over which the SNMP datagram is sent.

Is_orig

The endpoint which sent the SNMP datagram.

Header

SNMP version-dependent data that precedes PDU data in the top-level SNMP message structure.

Tag

The tag of the unknown SNMP PDU scope.
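As an added example (not part of the Zeek documentation), the script below uses the request events above to flag SNMPv1/v2c requests that carry a well-known default community string, a common weak configuration on network devices. It assumes the SNMP::Header record as defined in Zeek's base/init-bare.zeek, where the optional v1 and v2 fields each carry a community string and the v3 header carries none; the module name, notice name, community list and helper functions are constructed here.

```zeek
# Added example: notice on SNMP requests using default community strings.
# Assumes SNMP::Header with optional fields v1 and v2 that hold $community.
@load base/frameworks/notice
@load base/protocols/snmp

module SnmpCommunityWatch;

export {
    redef enum Notice::Type += {
        # An SNMPv1/v2c request carried a well-known default community string.
        Default_Community_String,
    };

    # Community strings treated as weak defaults (constructed list; extend via redef).
    const weak_communities: set[string] = { "public", "private" } &redef;
}

# Pull the community string out of the version-dependent header.
function community_of(header: SNMP::Header): string
    {
    if ( header?$v1 )
        return header$v1$community;
    if ( header?$v2 )
        return header$v2$community;
    return "";  # SNMPv3 authenticates per user and has no community string
    }

function check_community(c: connection, header: SNMP::Header, kind: string)
    {
    local community = community_of(header);
    if ( community !in weak_communities )
        return;

    NOTICE([$note=Default_Community_String,
            $conn=c,
            $msg=fmt("SNMP %s from %s to %s used community \"%s\" (header version %d)",
                     kind, c$id$orig_h, c$id$resp_h, community, header$version),
            # One notice per server and community string.
            $identifier=cat(c$id$resp_h, community)]);
    }

event snmp_get_request(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU)
    { check_community(c, header, "GetRequest"); }

event snmp_get_next_request(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU)
    { check_community(c, header, "GetNextRequest"); }

event snmp_get_bulk_request(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::BulkPDU)
    { check_community(c, header, "GetBulkRequest"); }

event snmp_set_request(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU)
    { check_community(c, header, "SetRequest"); }
```

SetRequest is the case most worth watching, since a writable default community lets anyone on the network change device configuration; the other request types indicate read access only.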

base/bif/plugins/Zeek_SOCKS.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

socks_login_userpass_reply: event

Generated when a SOCKS server replies to a username/password login attempt.

socks_login_userpass_request: event

Generated when a SOCKS client performs username and password based login.

socks_reply: event

Generated when a SOCKS reply is analyzed.

socks_request: event

Generated when a SOCKS request is analyzed.

Detailed Interface
Events
socks_login_userpass_reply
Type

event (c: connection, code: count)

Generated when a SOCKS server replies to a username/password login attempt.

C

The parent connection of the proxy.

Code

The response code for the attempted login.

socks_login_userpass_request
Type

event (c: connection, user: string, password: string)

Generated when a SOCKS client performs username and password based login.

C

The parent connection of the proxy.

User

The given username.

Password

The given password.

socks_reply
Type

event (c: connection, version: count, reply: count, sa: SOCKS::Address, p: port)

Generated when a SOCKS reply is analyzed.

C

The parent connection of the proxy.

Version

The version of SOCKS this message used.

Reply

The status reply from the server.

Sa

The address that the server sent the traffic to.

P

The destination port for the proxied traffic.

socks_request
Type

event (c: connection, version: count, request_type: count, sa: SOCKS::Address, p: port, user: string)

Generated when a SOCKS request is analyzed.

C

The parent connection of the proxy.

Version

The version of SOCKS this message used.

Request_type

The type of the request.

Sa

Address that the tunneled traffic should be sent to.

P

The destination port for the proxied traffic.

User

Username given for the SOCKS connection. This is not yet implemented for SOCKSv5.

base/bif/plugins/Zeek_SSH.types.bif.zeek

GLOBAL
SSH
Namespaces

GLOBAL, SSH

Summary
Detailed Interface

base/bif/plugins/Zeek_SSH.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

ssh1_server_host_key: event

During the SSH key exchange, the server supplies its public host key.

ssh2_dh_server_params: event

Generated if the connection uses a Diffie-Hellman Group Exchange key exchange method.

ssh2_ecc_key: event

The ECDH and ECMQV key exchange algorithms use two ephemeral key pairs to generate a shared secret.

ssh2_gss_error: event

In the event of a GSS-API error on the server, the server MAY send an error message with some additional details.

ssh2_server_host_key: event

During the SSH key exchange, the server supplies its public host key.

ssh_auth_attempted: event

This event is generated when an SSH connection was determined to have had an authentication attempt.

ssh_auth_successful: event

This event is generated when an SSH connection was determined to have had a successful authentication.

ssh_capabilities: event

During the initial SSH key exchange, each endpoint lists the algorithms that it supports, in order of preference.

ssh_client_version: event

An SSH Protocol Version Exchange message from the client.

ssh_encrypted_packet: event

This event is generated when an SSH encrypted packet is seen.

ssh_server_host_key: event

During the SSH key exchange, the server supplies its public host key.

ssh_server_version: event

An SSH Protocol Version Exchange message from the server.

Detailed Interface
Events
ssh1_server_host_key
Type

event (c: connection, modulus: string, exponent: string)

During the SSH key exchange, the server supplies its public host key. This event is generated when the appropriate key exchange message is seen for SSH1.

C

The connection over which the SSH connection took place.

P

The exponent for the server’s public host key (note this parameter is truly the exponent even though named p and the exponent parameter will eventually replace it).

E

The prime modulus for the server’s public host key (note this parameter is truly the modulus even though named e and the modulus parameter will eventually replace it).

Modulus

The prime modulus of the server’s public host key.

Exponent

The exponent of the server’s public host key.

See also:

ssh2_dh_server_params
Type

event (c: connection, p: string, q: string)

Generated if the connection uses a Diffie-Hellman Group Exchange key exchange method. This event contains the server DH parameters, which are sent in the SSH_MSG_KEY_DH_GEX_GROUP message as defined in RFC 4419#section-3.

C

The connection.

P

The DH prime modulus.

Q

The DH generator.

See also:

ssh2_ecc_key
Type

event (c: connection, is_orig: bool, q: string)

The ECDH and ECMQV key exchange algorithms use two ephemeral key pairs to generate a shared secret. This event is generated when either the client’s or server’s ephemeral public key is seen. For more information, see: RFC 5656#section-4.

C

The connection

Is_orig

Did this message come from the originator?

Q

The ephemeral public key

See also:

ssh2_gss_error
Type

event (c: connection, major_status: count, minor_status: count, err_msg: string)

In the event of a GSS-API error on the server, the server MAY send an error message with some additional details. This event is generated when such an error message is seen. For more information, see RFC 4462#section-2.1.

C

The connection.

Major_status

GSS-API major status code.

Minor_status

GSS-API minor status code.

Err_msg

Detailed human-readable error message

See also:

ssh2_server_host_key
Type

event (c: connection, key: string)

During the SSH key exchange, the server supplies its public host key. This event is generated when the appropriate key exchange message is seen for SSH2.

C

The connection over which the SSH connection took place.

Key

The server’s public host key. Note that this is the public key itself, and not just the fingerprint or hash.

See also:

ssh_auth_attempted
Type

event (c: connection, authenticated: bool)

This event is generated when an SSH connection was determined to have had an authentication attempt. This determination is based on packet size analysis, and errs on the side of caution - that is, if there’s any doubt about whether or not an authentication attempt occurred, this event is not raised.

At this point in the protocol, all we can determine is whether or not the user is authenticated. We don’t know if the particular attempt succeeded or failed, since some servers require multiple authentications (e.g. require both a password AND a pubkey), and could return an authentication failed message which is marked as a partial success.

This event will often be raised multiple times per connection. In almost all connections, it will be raised once unless

C

The connection over which the SSH connection took place.

Authenticated

This is true if the analyzer detected a successful connection from the authentication attempt.

See also:

ssh_auth_successful
Type

event (c: connection, auth_method_none: bool)

This event is generated when an SSH connection was determined to have had a successful authentication. This determination is based on packet size analysis, and errs on the side of caution - that is, if there’s any doubt about the authentication success, this event is not raised.

C

The connection over which the SSH connection took place.

Auth_method_none

This is true if the analyzer detected a successful connection before any authentication challenge. The SSH protocol provides a mechanism for unauthenticated access, which some servers support.

See also:

ssh_capabilities
Type

event (c: connection, cookie: string, capabilities: SSH::Capabilities)

During the initial SSH key exchange, each endpoint lists the algorithms that it supports, in order of preference. This event is generated for each endpoint, when the SSH_MSG_KEXINIT message is seen. See RFC 4253#section-7.1 for details.

C

The connection over which the SSH connection took place.

Cookie

The SSH_MSG_KEXINIT cookie - a random value generated by the sender.

Capabilities

The list of algorithms and languages that the sender advertises support for, in order of preference.

See also:

ssh_client_version
Type

event (c: connection, version: string)

An SSH Protocol Version Exchange message from the client. This contains an identification string that’s used for version identification. See RFC 4253#section-4.2 for details.

C

The connection over which the message was sent.

Version

The identification string

See also:

ssh_encrypted_packet
Type

event (c: connection, orig: bool, len: count)

This event is generated when an SSH encrypted packet is seen. This event is not handled by default, but is provided for heuristic analysis scripts. Note that you have to set SSH::disable_analyzer_after_detection to false to use this event. This carries a performance penalty.

C

The connection over which the SSH connection took place.

Orig

Whether the packet was sent by the originator of the TCP connection.

Len

The length of the SSH payload, in bytes. Note that this ignores reassembly, as this is unknown.

See also:

ssh_server_host_key
Type

event (c: connection, hash: string)

During the SSH key exchange, the server supplies its public host key. This event is generated when the appropriate key exchange message is seen for SSH1 or SSH2 and provides a fingerprint of the server’s host key.

C

The connection over which the SSH connection took place.

Hash

An MD5 hash fingerprint associated with the server’s host key. For SSH2, this is the hash of the “server public host key” string as seen on the wire in the Diffie-Hellman key exchange reply message (the string itself, excluding the 4-byte length associated with it), which is also the key parameter of ssh2_server_host_key. For SSH1, this is the hash of the combined multiprecision integer strings representing the RSA1 key’s prime modulus and public exponent (concatenated in that order) as seen on the wire, which are also the parameters of ssh1_server_host_key. In either case, the hash is the same “fingerprint” string as presented by other traditional tools (ssh, ssh-keygen, etc.), and is the hexadecimal representation of all 16 MD5 hash bytes delimited by colons.

See also:
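As an added example (not part of the Zeek documentation or Zeek's own SSH scripts), the following script uses ssh_server_host_key to detect a server whose host key fingerprint changes between connections, which is what a client would see as a "host key has changed" warning and can indicate a rebuilt server or an interception of the session. It learns the fingerprint on first sight; the module name, notice name and the seen_keys table are constructed here, and in production the table would be pre-populated from an inventory rather than trusted on first use.

```zeek
# Added example: notice when an SSH server presents a different host key
# fingerprint than previously observed. Only the ssh_server_host_key
# signature and the Notice framework come from Zeek.
@load base/frameworks/notice
@load base/protocols/ssh

module SshHostKeyWatch;

export {
    redef enum Notice::Type += {
        # An SSH server's host key fingerprint differs from the one seen before.
        Host_Key_Changed,
    };
}

# Fingerprint last observed per server address and port (learned on first sight;
# a deployment should seed this from a known-hosts inventory instead).
global seen_keys: table[addr, port] of string;

event ssh_server_host_key(c: connection, hash: string)
    {
    local srv = c$id$resp_h;
    local sp = c$id$resp_p;

    if ( [srv, sp] !in seen_keys )
        {
        seen_keys[srv, sp] = hash;
        return;
        }

    if ( seen_keys[srv, sp] == hash )
        return;

    NOTICE([$note=Host_Key_Changed,
            $conn=c,
            $msg=fmt("SSH host key for %s:%s changed from %s to %s",
                     srv, sp, seen_keys[srv, sp], hash),
            # Suppress repeats for the same server and new fingerprint.
            $identifier=cat(srv, sp, hash)]);

    # Record the new key so that every later connection is compared against it.
    seen_keys[srv, sp] = hash;
    }
```

Because the fingerprint provided here is MD5, two keys are only being compared by a 128-bit digest; for SSH2 the full key is available from ssh2_server_host_key and can be stored instead where an exact comparison is wanted.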

ssh_server_version
Type

event (c: connection, version: string)

An SSH Protocol Version Exchange message from the server. This contains an identification string that’s used for version identification. See RFC 4253#section-4.2 for details.

C

The connection over which the message was sent.

Version

The identification string

See also:

base/bif/plugins/Zeek_SSL.types.bif.zeek

GLOBAL
SSL
Namespaces

GLOBAL, SSL

Summary
Detailed Interface

base/bif/plugins/Zeek_SSL.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

ssl_alert: event

Generated for SSL/TLS alert records.

ssl_change_cipher_spec: event

This event is raised when an SSL/TLS ChangeCipherSpec message is encountered before encryption begins.

ssl_client_hello: event

Generated for an SSL/TLS client’s initial hello message.

ssl_dh_client_params: event

Generated if a client uses a DH-anon or DHE cipher suite.

ssl_dh_server_params: event

Generated if a server uses a DH-anon or DHE cipher suite.

ssl_ecdh_client_params: event

Generated if a client uses an ECDH-anon or ECDHE cipher suite.

ssl_ecdh_server_params: event

Generated if a server uses an ECDH-anon or ECDHE cipher suite using a named curve. This event contains the named curve name and the server ECDH parameters contained in the ServerKeyExchange message as defined in RFC 4492.

ssl_encrypted_data: event

Generated for SSL/TLS messages that are sent after session encryption started.

ssl_established: event

Generated at the end of an SSL/TLS handshake.

ssl_extension: event

Generated for SSL/TLS extensions seen in an initial handshake.

ssl_extension_application_layer_protocol_negotiation: event

Generated for an SSL/TLS Application-Layer Protocol Negotiation extension.

ssl_extension_ec_point_formats: event

Generated for an SSL/TLS Supported Point Formats extension.

ssl_extension_elliptic_curves: event

Generated for an SSL/TLS Elliptic Curves extension.

ssl_extension_key_share: event

Generated for a Key Share extension.

ssl_extension_pre_shared_key_client_hello: event

Generated for the pre-shared key extension as it is sent in the TLS 1.3 client hello.

ssl_extension_pre_shared_key_server_hello: event

Generated for the pre-shared key extension as it is sent in the TLS 1.3 server hello.

ssl_extension_psk_key_exchange_modes: event

Generated for a TLS Pre-Shared Key Exchange Modes extension.

ssl_extension_server_name: event

Generated for an SSL/TLS Server Name extension.

ssl_extension_signature_algorithm: event

Generated for a Signature Algorithms extension.

ssl_extension_signed_certificate_timestamp: event

Generated for the signed_certificate_timestamp TLS extension as defined in RFC 6962.

ssl_extension_supported_versions: event

Generated for a TLS Supported Versions extension.

ssl_handshake_message: event

This event is raised for each unencrypted SSL/TLS handshake message.

ssl_heartbeat: event

Generated for SSL/TLS heartbeat messages that are sent before session encryption starts.

ssl_plaintext_data: event

Generated for SSL/TLS messages that are sent before full session encryption starts.

ssl_probable_encrypted_handshake_message: event

This event is generated for application data records of TLS 1.3 connections that are suspected to contain handshake messages.

ssl_rsa_client_pms: event

Generated if a client uses RSA key exchange.

ssl_server_hello: event

Generated for an SSL/TLS server’s initial hello message.

ssl_server_signature: event

Generated if a server uses a non-anonymous DHE or ECDHE cipher suite.

ssl_session_ticket_handshake: event

Generated for SSL/TLS handshake messages that are a part of the stateless-server session resumption mechanism.

ssl_stapled_ocsp: event

This event contains the OCSP response contained in a Certificate Status Request message, when the client requested OCSP stapling and the server supports it.

Detailed Interface
Events
ssl_alert
Type

event (c: connection, is_orig: bool, level: count, desc: count)

Generated for SSL/TLS alert records. SSL/TLS sessions start with an unencrypted handshake, and Zeek extracts as much information out of that as it can. If, during that handshake, an endpoint encounters a fatal error, it sends an alert record, which in turn triggers this event. After an alert, any endpoint may close the connection immediately.

See Wikipedia for more information about the SSL/TLS protocol.

C

The connection.

Is_orig

True if event is raised for originator side of the connection.

Level

The severity level, as sent in the alert. The values are defined as part of the SSL/TLS protocol.

Desc

A numerical value identifying the cause of the alert. The values are defined as part of the SSL/TLS protocol.


ssl_change_cipher_spec
Type

event (c: connection, is_orig: bool)

This event is raised when an SSL/TLS ChangeCipherSpec message is encountered before encryption begins. Traffic will be encrypted following this message.

C

The connection.

Is_orig

True if event is raised for originator side of the connection.


ssl_client_hello
Type

event (c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec)

Generated for an SSL/TLS client’s initial hello message. SSL/TLS sessions start with an unencrypted handshake, and Zeek extracts as much information out of that as it can. This event provides access to the initial information sent by the client.

See Wikipedia for more information about the SSL/TLS protocol.

C

The connection.

Version

The protocol version as extracted from the client’s message. The values are standardized as part of the SSL/TLS protocol. The SSL::version_strings table maps them to descriptive names.

Record_version

TLS version given in the record layer of the message. Set to 0 for SSLv2.

Possible_ts

The current time as sent by the client. Note that SSL/TLS does not require clocks to be set correctly, so treat with care.

Session_id

The session ID sent by the client (if any).

Client_random

The random value sent by the client. For version 2 connections, the client challenge is returned.

Ciphers

The list of ciphers the client offered to use. The values are standardized as part of the SSL/TLS protocol. The SSL::cipher_desc table maps them to descriptive names.

Comp_methods

The list of compression methods that the client offered to use. This value is not sent in TLSv1.3 or SSLv2.


ssl_dh_client_params
Type

event (c: connection, Yc: string)

Generated if a client uses a DH-anon or DHE cipher suite. This event contains the client DH parameters contained in the ClientKeyExchange message as defined in RFC 5246.

C

The connection.

Yc

The client’s DH public key.


ssl_dh_server_params
Type

event (c: connection, p: string, q: string, Ys: string)

Generated if a server uses a DH-anon or DHE cipher suite. This event contains the server DH parameters, contained in the ServerKeyExchange message as defined in RFC 5246.

C

The connection.

P

The DH prime modulus.

Q

The DH generator.

Ys

The server’s DH public key.


ssl_ecdh_client_params
Type

event (c: connection, point: string)

Generated if a client uses an ECDH-anon or ECDHE cipher suite. This event contains the client ECDH public value contained in the ClientKeyExchange message as defined in RFC 4492.

C

The connection.

Point

The client’s ECDH public key.


ssl_ecdh_server_params
Type

event (c: connection, curve: count, point: string)

Generated if a server uses an ECDH-anon or ECDHE cipher suite with a named curve. This event contains the name of the curve and the server ECDH parameters contained in the ServerKeyExchange message as defined in RFC 4492.

C

The connection.

Curve

The curve parameters.

Point

The server’s ECDH public key.


ssl_encrypted_data
Type

event (c: connection, is_orig: bool, record_version: count, content_type: count, length: count)

Generated for SSL/TLS messages that are sent after session encryption started.

Note that SSL::disable_analyzer_after_detection has to be changed from its default to false for this event to be generated.

C

The connection.

Is_orig

True if event is raised for originator side of the connection.

Record_version

TLS version given in the record layer of the message. Set to 0 for SSLv2.

Content_type

message type as reported by TLS session layer. Not populated for SSLv2.

Length

length of the entire message.


ssl_established
Type

event (c: connection)

Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with an unencrypted handshake, and Zeek extracts as much information out of that as it can. This event signals the time when an SSL/TLS session has finished the handshake and its endpoints consider it fully established. Typically, everything from now on will be encrypted.

See Wikipedia for more information about the SSL/TLS protocol.

C

The connection.


ssl_extension
Type

event (c: connection, is_orig: bool, code: count, val: string)

Generated for SSL/TLS extensions seen in an initial handshake. SSL/TLS sessions start with an unencrypted handshake, and Zeek extracts as much information out of that as it can. This event provides access to any extensions either side sends as part of an extended hello message.

Note that Zeek offers more specialized events for a few extensions.

C

The connection.

Is_orig

True if event is raised for originator side of the connection.

Code

The numerical code of the extension. The values are standardized as part of the SSL/TLS protocol. The SSL::extensions table maps them to descriptive names.

Val

The raw extension value that was sent in the message.


ssl_extension_application_layer_protocol_negotiation
Type

event (c: connection, is_orig: bool, protocols: string_vec)

Generated for an SSL/TLS Application-Layer Protocol Negotiation extension. This TLS extension is defined in draft-ietf-tls-applayerprotoneg and sent in the initial handshake. It contains the list of supported application protocols sent by the client or the server, respectively.

At the moment it is mostly used to negotiate the use of SPDY / HTTP2.

C

The connection.

Is_orig

True if event is raised for originator side of the connection.

Protocols

List of supported application layer protocols.


ssl_extension_ec_point_formats
Type

event (c: connection, is_orig: bool, point_formats: index_vec)

Generated for an SSL/TLS Supported Point Formats extension. This TLS extension is defined in RFC 4492 and sent by the client and/or server in the initial handshake. It gives the list of elliptic curve point formats supported by the client.

C

The connection.

Is_orig

True if event is raised for originator side of the connection.

Point_formats

List of supported point formats.


ssl_extension_elliptic_curves
Type

event (c: connection, is_orig: bool, curves: index_vec)

Generated for an SSL/TLS Elliptic Curves extension. This TLS extension is defined in RFC 4492 and sent by the client in the initial handshake. It gives the list of elliptic curves supported by the client.

C

The connection.

Is_orig

True if event is raised for originator side of the connection.

Curves

List of supported elliptic curves.


ssl_extension_key_share
Type

event (c: connection, is_orig: bool, curves: index_vec)

Generated for a Key Share extension. This TLS extension is defined in TLS1.3-draft16 and sent by the client and the server in the initial handshake. It gives the list of named groups supported by the client and chosen by the server.

C

The connection.

Is_orig

True if event is raised for the originator side of the connection.

Curves

List of supported/chosen named groups.


ssl_extension_pre_shared_key_client_hello
Type

event (c: connection, is_orig: bool, identities: psk_identity_vec, binders: string_vec)

Generated for the pre-shared key extension as it is sent in the TLS 1.3 client hello.

The extension lists the identities the client is willing to negotiate with the server; they can either be pre-shared or be based on previous handshakes.

C

The connection.

Is_orig

True if event is raised for the originator side of the connection.

Identities

A list of the identities the client is willing to negotiate with the server.

Binders

A series of HMAC values; for computation, see the TLS 1.3 RFC.


ssl_extension_pre_shared_key_server_hello
Type

event (c: connection, is_orig: bool, selected_identity: count)

Generated for the pre-shared key extension as it is sent in the TLS 1.3 server hello.

C

The connection.

Is_orig

True if event is raised for the originator side of the connection.

Selected_identity

The identity the server chose as a 0-based index into the identities the client sent.


ssl_extension_psk_key_exchange_modes
Type

event (c: connection, is_orig: bool, modes: index_vec)

Generated for a TLS Pre-Shared Key Exchange Modes extension. This TLS extension is defined in the TLS 1.3 RFC and sent by the client in the initial handshake. It contains the list of Pre-Shared Key Exchange Modes that the client supports.

C

The connection.

Is_orig

True if event is raised for originator side of the connection.

Modes

List of supported Pre-Shared Key Exchange Modes.


ssl_extension_server_name
Type

event (c: connection, is_orig: bool, names: string_vec)

Generated for an SSL/TLS Server Name extension. This SSL/TLS extension is defined in RFC 3546 and sent by the client in the initial handshake. It contains the name of the server it is contacting. This information can be used by the server to choose the correct certificate for the host the client wants to contact.

C

The connection.

Is_orig

True if event is raised for originator side of the connection.

Names

A list of server names (DNS hostnames).


ssl_extension_signature_algorithm
Type

event (c: connection, is_orig: bool, signature_algorithms: signature_and_hashalgorithm_vec)

Generated for a Signature Algorithms extension. This TLS extension is defined in RFC 5246 and sent by the client in the initial handshake. It gives the list of signature and hash algorithms supported by the client.

C

The connection.

Is_orig

True if event is raised for originator side of the connection.

Signature_algorithms

List of supported signature and hash algorithm pairs.


ssl_extension_signed_certificate_timestamp
Type

event (c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string)

Generated for the signed_certificate_timestamp TLS extension as defined in RFC 6962. The extension is used to transmit signed proofs that are used for Certificate Transparency.

C

The connection.

Is_orig

True if event is raised for originator side of the connection.

Version

The version of the protocol to which the SCT conforms. Should always be 0 (representing version 1).

Logid

32 bit key id

Timestamp

The NTP time at which the entry was logged, in milliseconds since the epoch, ignoring leap seconds.

Signature_and_hashalgorithm

signature and hash algorithm used for the digitally_signed struct

Signature

signature part of the digitally_signed struct


ssl_extension_supported_versions
Type

event (c: connection, is_orig: bool, versions: index_vec)

Generated for a TLS Supported Versions extension. This TLS extension is defined in the TLS 1.3 RFC and sent by the client in the initial handshake. It contains the TLS versions that the client supports. This information can be used by the server to choose the best TLS version to use.

C

The connection.

Is_orig

True if event is raised for originator side of the connection.

Versions

List of supported TLS versions.


ssl_handshake_message
Type

event (c: connection, is_orig: bool, msg_type: count, length: count)

This event is raised for each unencrypted SSL/TLS handshake message.

C

The connection.

Is_orig

True if event is raised for originator side of the connection.

Msg_type

Type of the handshake message that was seen.

Length

Length of the handshake message that was seen.


ssl_heartbeat
Type

event (c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count, payload: string)

Generated for SSL/TLS heartbeat messages that are sent before session encryption starts. Generally heartbeat messages should rarely be seen in normal TLS traffic. Heartbeats are described in RFC 6520.

C

The connection.

Is_orig

True if event is raised for originator side of the connection.

Length

length of the entire heartbeat message.

Heartbeat_type

type of the heartbeat message. Per RFC, 1 = request, 2 = response.

Payload_length

length of the payload of the heartbeat message, according to packet field.

Payload

payload contained in the heartbeat message. Size can differ from payload_length, if payload_length and actual packet length disagree.

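As an added example (not part of the Zeek documentation or of Zeek's own scripts), the handler below applies to every plaintext heartbeat the two sanity checks RFC 6520 implies: the declared payload_length must fit in the record together with the mandatory 16 bytes of padding, and a response must not carry more payload than the request it answers. The module, notice and record-field names are assumptions.

```zeek
@load base/frameworks/notice
@load base/protocols/ssl

# Hypothetical module name; none of the identifiers declared below are Zeek's own.
module HeartbeatCheck;

export {
	redef enum Notice::Type += {
		## A heartbeat declared more payload bytes than the record actually carried.
		Heartbeat_Payload_Overclaim,
		## A heartbeat response returned more payload than the request it answers asked for.
		Heartbeat_Response_Oversized,
	};

	## heartbeat_type values as listed in the ssl_heartbeat event description (RFC 6520).
	const HB_REQUEST = 1;
	const HB_RESPONSE = 2;

	## RFC 6520 requires at least 16 bytes of padding after the payload.
	const HB_MIN_PADDING = 16;

	type State: record {
		## payload_length of the last request sent by the originator, if any.
		last_req_from_orig: count &optional;
		## payload_length of the last request sent by the responder, if any.
		last_req_from_resp: count &optional;
	};
}

# Per-connection heartbeat state, attached to the connection record.
redef record connection += {
	hb: State &optional;
};

event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type: count,
                    payload_length: count, payload: string)
	{
	local actual = |payload|;
	local who = is_orig ? "client" : "server";

	# Check 1: type (1 byte) + payload_length (2 bytes) + payload + padding must fit in the
	# message, and the payload Zeek extracted can never be shorter than the header declares.
	if ( payload_length > actual || 3 + payload_length + HB_MIN_PADDING > length )
		NOTICE([$note=Heartbeat_Payload_Overclaim,
		        $conn=c,
		        $msg=fmt("%s heartbeat declares %d payload bytes, record carried %d (message length %d)",
		                 who, payload_length, actual, length),
		        $identifier=cat(c$id$orig_h, c$id$resp_h, who)]);

	if ( ! c?$hb )
		c$hb = State();

	if ( heartbeat_type == HB_REQUEST )
		{
		if ( is_orig )
			c$hb$last_req_from_orig = payload_length;
		else
			c$hb$last_req_from_resp = payload_length;
		}
	else if ( heartbeat_type == HB_RESPONSE )
		{
		# A response answers the peer's request, so compare against the other side's last request.
		local asked: count = 0;
		local seen_request = F;
		if ( is_orig && c$hb?$last_req_from_resp )
			{ asked = c$hb$last_req_from_resp; seen_request = T; }
		else if ( ! is_orig && c$hb?$last_req_from_orig )
			{ asked = c$hb$last_req_from_orig; seen_request = T; }

		# Check 2: a conforming peer echoes exactly the payload it received. A response larger
		# than the request, or one with no request in sight, is worth a notice.
		if ( ! seen_request || actual > asked )
			NOTICE([$note=Heartbeat_Response_Oversized,
			        $conn=c,
			        $msg=fmt("%s heartbeat response carries %d bytes; %s", who, actual,
			                 seen_request ? fmt("request asked for %d", asked) : "no request seen"),
			        $identifier=cat(c$id$orig_h, c$id$resp_h, who)]);
		}
	}
```

Because the event only fires for heartbeats seen before encryption starts, heartbeats exchanged after ssl_established are not covered by this handler.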

ssl_plaintext_data
Type

event (c: connection, is_orig: bool, record_version: count, content_type: count, length: count)

Generated for SSL/TLS messages that are sent before full session encryption starts. Note that “full encryption” is a bit fuzzy, especially for TLSv1.3; here this event will be raised for early packets that are already using pre-encryption. This event is also used by Zeek internally to determine if the connection has been completely set up. This is necessary as TLS 1.3 does not have CCS anymore.

C

The connection.

Is_orig

True if event is raised for originator side of the connection.

Record_version

TLS version given in the record layer of the message. Set to 0 for SSLv2.

Content_type

message type as reported by TLS session layer. Not populated for SSLv2.

Length

length of the entire message.


ssl_probable_encrypted_handshake_message
Type

event (c: connection, is_orig: bool, length: count)

This event is generated for application data records of TLS 1.3 connections that are suspected to contain handshake messages.

In TLS 1.3, large parts of the handshake are encrypted; the only cleartext packets typically exchanged are the client hello and the server hello. The first few packets after the client and server hello, however, are a continuation of the handshake and still include handshake data.

This event is raised for those packets that are suspected to be handshake records, including the finished record.

The heuristic for this is: all application data records after the server hello are handshake records until at least one application data record has been received from both the server and the client. Typically, the server will send more records before the client sends the first application data record, and the first application data record of the client will typically include the finished message.

Given the encrypted nature of the protocol, in some cases this determination is not correct; the client can send more handshake packets before the finished message, e.g., when client certificates are used.

Note that ssl_encrypted_data is also raised for these messages.

C

The connection.

Is_orig

True if event is raised for originator side of the connection.

Length

length of the entire message.


ssl_rsa_client_pms
Type

event (c: connection, pms: string)

Generated if a client uses RSA key exchange. This event contains the client encrypted pre-master secret which is encrypted using the public key of the server’s certificate as defined in RFC 5246.

C

The connection.

Pms

The encrypted pre-master secret.


ssl_server_hello
Type

event (c: connection, version: count, record_version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count)

Generated for an SSL/TLS server’s initial hello message. SSL/TLS sessions start with an unencrypted handshake, and Zeek extracts as much information out of that as it can. This event provides access to the initial information sent by the server.

See Wikipedia for more information about the SSL/TLS protocol.

C

The connection.

Version

The protocol version as extracted from the server’s message. The values are standardized as part of the SSL/TLS protocol. The SSL::version_strings table maps them to descriptive names.

Record_version

TLS version given in the record layer of the message. Set to 0 for SSLv2.

Possible_ts

The current time as sent by the server. Note that SSL/TLS does not require clocks to be set correctly, so treat with care. This value is meaningless in SSLv2 and TLSv1.3.

Session_id

The session ID as sent back by the server (if any). This value is not sent in TLSv1.3.

Server_random

The random value sent by the server. For version 2 connections, the connection-id is returned. Note that the full 32 bytes are included in server_random. This means that the 4 bytes present in possible_ts are repeated; if you do not want this behavior, ignore the first 4 bytes.

Cipher

The cipher chosen by the server. The values are standardized as part of the SSL/TLS protocol. The SSL::cipher_desc table maps them to descriptive names.

Comp_method

The compression method chosen by the server. The values are standardized as part of the SSL/TLS protocol. This value is not sent in TLSv1.3 or SSLv2.

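As an added example (not part of the Zeek documentation or of Zeek's own scripts), a handler that uses the version and cipher fields of the server hello, together with the SSL::version_strings and SSL::cipher_desc tables named above, to raise a notice when a server settles on a pre-TLS-1.2 version or a known-weak cipher-suite family. The module, notice names and thresholds are assumptions; the numeric version values are the standard wire values.

```zeek
@load base/frameworks/notice
@load base/protocols/ssl

# Hypothetical module name; nothing below is Zeek's own script code.
module TLSParamCheck;

export {
	redef enum Notice::Type += {
		## The server selected a protocol version older than TLS 1.2.
		Deprecated_Version,
		## The server selected a cipher suite from a known-weak family.
		Weak_Cipher,
	};

	## Lowest acceptable version number on the wire. These are the standard SSL/TLS values
	## that also index SSL::version_strings: SSLv3 = 0x0300, TLS 1.0 = 0x0301,
	## TLS 1.1 = 0x0302, TLS 1.2 = 0x0303, TLS 1.3 = 0x0304; SSLv2 reports 0x0002.
	const min_version = 0x0303 &redef;

	## Substrings of IANA cipher-suite names (the strings SSL::cipher_desc maps to) that mark
	## NULL, export-grade, RC4, (3)DES, MD5-MAC and anonymous suites.
	const weak_cipher = /_NULL_|_EXPORT|_RC4_|_DES_|_3DES_|_MD5|_anon_/ &redef;
}

function version_name(v: count): string
	{
	return v in SSL::version_strings ? SSL::version_strings[v] : fmt("unknown version %d", v);
	}

function cipher_name(cs: count): string
	{
	return cs in SSL::cipher_desc ? SSL::cipher_desc[cs] : fmt("unknown cipher %d", cs);
	}

event ssl_server_hello(c: connection, version: count, record_version: count, possible_ts: time,
                       server_random: string, session_id: string, cipher: count, comp_method: count)
	{
	# Caveat: a TLS 1.3 ServerHello carries 0x0303 (TLS 1.2) in this field for compatibility and
	# announces the real version in its supported_versions extension, so 0x0303 here may mean
	# either 1.2 or 1.3. Both are at or above the cut-off, so this check does not misfire on 1.3.
	if ( version < min_version )
		NOTICE([$note=Deprecated_Version,
		        $conn=c,
		        $msg=fmt("server %s:%s negotiated %s", c$id$resp_h, c$id$resp_p, version_name(version)),
		        $identifier=cat(c$id$resp_h, c$id$resp_p, version)]);

	local name = cipher_name(cipher);
	if ( weak_cipher in name )
		NOTICE([$note=Weak_Cipher,
		        $conn=c,
		        $msg=fmt("server %s:%s selected %s", c$id$resp_h, c$id$resp_p, name),
		        $identifier=cat(c$id$resp_h, c$id$resp_p, cipher)]);
	}
```

The $identifier keys suppression on the responder and the offending value, so a server that keeps choosing the same weak parameters produces one notice per suppression interval rather than one per connection.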

ssl_server_signature
Type

event (c: connection, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string)

Generated if a server uses a non-anonymous DHE or ECDHE cipher suite. This event contains the server signature over the key exchange parameters contained in the ServerKeyExchange message as defined in RFC 4492 and RFC 5246.

C

The connection.

Signature_and_hashalgorithm

Signature and hash algorithm used for the digitally_signed struct. This field is only present starting with TLSv1.2 and DTLSv1.2. Earlier versions used a hardcoded hash algorithm. For protocol versions below D(TLS)v1.2 this field is filled with a dummy value of 256.

Signature

Signature part of the digitally_signed struct. The private key corresponding to the certified public key in the server’s certificate message is used for signing.


ssl_session_ticket_handshake
Type

event (c: connection, ticket_lifetime_hint: count, ticket: string)

Generated for SSL/TLS handshake messages that are a part of the stateless-server session resumption mechanism. SSL/TLS sessions start with an unencrypted handshake, and Zeek extracts as much information out of that as it can. This event is raised when an SSL/TLS server passes a session ticket to the client that can later be used for resuming the session. The mechanism is described in RFC 4507.

See Wikipedia for more information about the SSL/TLS protocol.

C

The connection.

Ticket_lifetime_hint

A hint from the server about how long the ticket should be stored by the client.

Ticket

The raw ticket data.


ssl_stapled_ocsp
Type

event (c: connection, is_orig: bool, response: string)

This event contains the OCSP response contained in a Certificate Status Request message, when the client requested OCSP stapling and the server supports it. See description in RFC 6066.

C

The connection.

Is_orig

True if event is raised for originator side of the connection.

Response

OCSP data.

base/bif/plugins/Zeek_SSL.functions.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Functions

set_keys: function

Set the decryption keys that should be used to decrypt TLS application data in the connection.

set_secret: function

Set the secret that should be used to derive keys for the connection.

set_ssl_established: function

Sets if the SSL analyzer should consider the connection established (handshake finished successfully).

Detailed Interface
Functions
set_keys
Type

function (c: connection, keys: string) : bool

Set the decryption keys that should be used to decrypt TLS application data in the connection.

C

The affected connection

Keys

The key buffer as derived via TLS PRF.

Returns

T on success, F on failure.

set_secret
Type

function (c: connection, secret: string) : bool

Set the secret that should be used to derive keys for the connection. (For TLS 1.2 this is the pre-master secret).

C

The affected connection

Secret

secret to set

Returns

T on success, F on failure.

set_ssl_established
Type

function (c: connection) : bool

Sets if the SSL analyzer should consider the connection established (handshake finished successfully).

C

The SSL connection.

Returns

T on success, F on failure.

base/bif/plugins/Zeek_SSL.consts.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Detailed Interface

base/bif/plugins/Zeek_Syslog.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

syslog_message: event

Generated for monitored Syslog messages.

Detailed Interface
Events
syslog_message
Type

event (c: connection, facility: count, severity: count, msg: string)

Generated for monitored Syslog messages.

See Wikipedia for more information about the Syslog protocol.

C

The connection record for the underlying transport-layer session/flow.

Facility

The “facility” included in the message.

Severity

The “severity” included in the message.

Msg

The message logged.

Note

Zeek currently parses only UDP syslog traffic. Support for TCP syslog will be added soon.

base/bif/plugins/Zeek_TCP.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

connection_EOF: event

Generated at the end of reassembled TCP connections.

connection_SYN_packet: event

Generated for a SYN packet.

connection_attempt: event

Generated for an unsuccessful connection attempt.

connection_established: event

Generated when seeing a SYN-ACK packet from the responder in a TCP handshake.

connection_finished: event

Generated for a TCP connection that finished normally.

connection_first_ACK: event

Generated for the first ACK packet seen for a TCP connection from its originator.

connection_half_finished: event

Generated when one endpoint of a TCP connection attempted to gracefully close the connection, but the other endpoint is in the TCP_INACTIVE state.

connection_partial_close: event

Generated when a previously inactive endpoint attempts to close a TCP connection via a normal FIN handshake or an abort RST sequence.

connection_pending: event

Generated for each still-open TCP connection when Zeek terminates.

connection_rejected: event

Generated for a rejected TCP connection.

connection_reset: event

Generated when an endpoint aborted a TCP connection.

contents_file_write_failure: event

Generated when failing to write contents of a TCP stream to a file.

new_connection_contents: event

Generated when reassembly starts for a TCP connection.

partial_connection: event

Generated for a new active TCP connection if Zeek did not see the initial handshake.

tcp_contents: event

Generated for each chunk of reassembled TCP payload.

tcp_multiple_checksum_errors: event

Generated if a TCP flow crosses a checksum-error threshold, per ‘C’/’c’ history reporting.

tcp_multiple_gap: event

Generated if a TCP flow crosses a gap threshold, per ‘G’/’g’ history reporting.

tcp_multiple_retransmissions: event

Generated if a TCP flow crosses a retransmission threshold, per ‘T’/’t’ history reporting.

tcp_multiple_zero_windows: event

Generated if a TCP flow crosses a zero-window threshold, per ‘W’/’w’ history reporting.

tcp_option: event

Generated for each option found in a TCP header.

tcp_options: event

Generated for each TCP header that contains TCP options.

tcp_packet: event

Generated for every TCP packet.

tcp_rexmit: event

Generated for each detected TCP segment retransmission.

Detailed Interface
Events
connection_EOF
Type

event (c: connection, is_orig: bool)

Generated at the end of reassembled TCP connections. The TCP reassembler raises the event once for each endpoint of a connection when it finishes reassembling the corresponding side of the communication.

C

The connection.

Is_orig

True if the event is raised for the originator side.


connection_SYN_packet
Type

event (c: connection, pkt: SYN_packet)

Generated for a SYN packet. Zeek raises this event for every SYN packet seen by its TCP analyzer.

C

The connection.

Pkt

Information extracted from the SYN packet.


Note

This event has quite low-level semantics and can potentially be expensive to generate. It should only be used if one really needs the specific information passed into the handler via the pkt argument. If not, handling one of the other connection_* events is typically the better approach.

connection_attempt
Type

event (c: connection)

Generated for an unsuccessful connection attempt. This event is raised when an originator unsuccessfully attempted to establish a connection. “Unsuccessful” is defined as at least tcp_attempt_delay seconds having elapsed since the originator first sent a connection establishment packet to the destination without seeing a reply.

C

The connection.


connection_established
Type

event (c: connection)

Generated when seeing a SYN-ACK packet from the responder in a TCP handshake. If the originator’s state is not set to TCP_ESTABLISHED, no associated SYN packet was seen from the originator side. The final ACK of the handshake in response to the SYN-ACK may or may not occur later; one way to tell is to check the history field of the connection to see if the originator sent an ACK, indicated by ‘A’ in the history string.

C

The connection.


connection_finished
Type

event (c: connection)

Generated for a TCP connection that finished normally. The event is raised when a regular FIN handshake from both endpoints was observed.

C

The connection.


connection_first_ACK
Type

event (c: connection)

Generated for the first ACK packet seen for a TCP connection from its originator.

C

The connection.


Note

This event has quite low-level semantics and should be used only rarely.

connection_half_finished
Type

event (c: connection)

Generated when one endpoint of a TCP connection attempted to gracefully close the connection, but the other endpoint is in the TCP_INACTIVE state. This can happen due to split routing, in which Zeek only sees one side of a connection.

C

The connection.


connection_partial_close
Type

event (c: connection)

Generated when a previously inactive endpoint attempts to close a TCP connection via a normal FIN handshake or an abort RST sequence. When the endpoint sent one of these packets, Zeek waits tcp_partial_close_delay prior to generating the event, to give the other endpoint a chance to close the connection normally.

C

The connection.


connection_pending
Type

event (c: connection)

Generated for each still-open TCP connection when Zeek terminates.

C

The connection.


connection_rejected
Type

event (c: connection)

Generated for a rejected TCP connection. This event is raised when an originator attempted to set up a TCP connection but the responder replied with a RST packet denying it.

C

The connection.


Note

If the responder does not respond at all, connection_attempt is raised instead. If the responder initially accepts the connection but aborts it later, Zeek first generates connection_established and then connection_reset.
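As an added example (not part of the Zeek documentation or of Zeek's own scripts), a script that treats connection_attempt (no reply within tcp_attempt_delay) and connection_rejected (RST from the responder) as the two failure outcomes described above and raises a notice when one originator fails to reach many distinct responders within a window. The module, notice name, threshold and window are assumptions.

```zeek
@load base/frameworks/notice

# Hypothetical module name; nothing below is Zeek's own script code.
module FailedConnTracker;

export {
	redef enum Notice::Type += {
		## One originator failed to reach many distinct responders within the window.
		Many_Failed_Connections,
	};

	## Distinct responder hosts an originator may fail to reach before a notice is raised.
	const failure_threshold = 25 &redef;

	## Window over which an originator's failures are remembered.
	const failure_window = 5 min &redef;
}

# originator -> responders it failed to reach; each entry expires failure_window after creation.
global failed_peers: table[addr] of set[addr] &create_expire=failure_window;

# Shared path for both failure events; reason names the outcome that got us here.
function record_failure(c: connection, reason: string)
	{
	local orig = c$id$orig_h;
	local resp = c$id$resp_h;

	if ( orig !in failed_peers )
		failed_peers[orig] = set();
	add failed_peers[orig][resp];

	local n = |failed_peers[orig]|;
	if ( n >= failure_threshold )
		NOTICE([$note=Many_Failed_Connections,
		        $conn=c,
		        $msg=fmt("%s failed to reach %d distinct hosts within %s (latest: %s from %s on %s)",
		                 orig, n, failure_window, reason, resp, c$id$resp_p),
		        # Suppression keys on the identifier, so one notice per originator per window.
		        $identifier=cat(orig),
		        $suppress_for=failure_window]);
	}

# connection_attempt: no reply at all within tcp_attempt_delay.
event connection_attempt(c: connection)
	{
	record_failure(c, "no reply");
	}

# connection_rejected: the responder answered the SYN with a RST.
event connection_rejected(c: connection)
	{
	record_failure(c, "RST");
	}
```

Connections the responder accepts and aborts later reach connection_established and connection_reset instead, as the note above says, and are deliberately not counted here.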

connection_reset
Type

event (c: connection)

Generated when an endpoint aborted a TCP connection. The event is raised when one endpoint of an established TCP connection aborted it by sending a RST packet.

C

The connection.


contents_file_write_failure
Type

event (c: connection, is_orig: bool, msg: string)

Generated when failing to write contents of a TCP stream to a file.

C

The connection whose contents are being recorded.

Is_orig

Which side of the connection encountered a failure to write.

Msg

A reason or description for the failure.


new_connection_contents
Type

event (c: connection)

Generated when reassembly starts for a TCP connection. This event is raised at the moment when Zeek’s TCP analyzer enables stream reassembly for a connection.

C

The connection.


partial_connection
Type

event (c: connection)

Generated for a new active TCP connection if Zeek did not see the initial handshake. This event is raised when Zeek has observed traffic from each endpoint, but the activity did not begin with the usual connection establishment.

C

The connection.


tcp_contents
Type

event (c: connection, is_orig: bool, seq: count, contents: string)

Generated for each chunk of reassembled TCP payload. When content delivery is enabled for a TCP connection (via tcp_content_delivery_ports_orig, tcp_content_delivery_ports_resp, tcp_content_deliver_all_orig, tcp_content_deliver_all_resp), this event is raised for each chunk of in-order payload reconstructed from the packet stream. Note that this event is potentially expensive if many connections carry significant amounts of data as then all that data needs to be passed on to the scripting layer.

C

The connection the payload is part of.

Is_orig

True if the packet was sent by the connection’s originator.

Seq

The sequence number corresponding to the first byte of the payload chunk.

Contents

The raw payload, which will be non-empty.


Note

The payload received by this event is the same that is also passed into application-layer protocol analyzers internally. Subsequent invocations of this event for the same connection receive non-overlapping in-order chunks of its TCP payload stream. It is however undefined what size each chunk has; while Zeek passes the data on as soon as possible, specifics depend on network-level effects such as latency, acknowledgements, reordering, etc.

tcp_multiple_checksum_errors
Type

event (c: connection, is_orig: bool, threshold: count)

Generated if a TCP flow crosses a checksum-error threshold, per ‘C’/’c’ history reporting.

C

The connection record for the TCP connection.

Is_orig

True if the event is raised for the originator side.

Threshold

the threshold that was crossed


tcp_multiple_gap
Type

event (c: connection, is_orig: bool, threshold: count)

Generated if a TCP flow crosses a gap threshold, per ‘G’/’g’ history reporting.

C

The connection record for the TCP connection.

Is_orig

True if the event is raised for the originator side.

Threshold

the threshold that was crossed


tcp_multiple_retransmissions
Type

event (c: connection, is_orig: bool, threshold: count)

Generated if a TCP flow crosses a retransmission threshold, per ‘T’/’t’ history reporting.

C

The connection record for the TCP connection.

Is_orig

True if the event is raised for the originator side.

Threshold

the threshold that was crossed


tcp_multiple_zero_windows
Type

event (c: connection, is_orig: bool, threshold: count)

Generated if a TCP flow crosses a zero-window threshold, per ‘W’/’w’ history reporting.

C

The connection record for the TCP connection.

Is_orig

True if the event is raised for the originator side.

Threshold

the threshold that was crossed


tcp_option
Type

event (c: connection, is_orig: bool, opt: count, optlen: count)

Generated for each option found in a TCP header. Like many of the tcp_* events, this is a very low-level event and potentially expensive as it may be raised very often.

C

The connection the packet is part of.

Is_orig

True if the packet was sent by the connection’s originator.

Opt

The numerical option number, as found in the TCP header.

Optlen

The length of the options value.


Note

To inspect the actual option values, if any, use tcp_options.

tcp_options
Type

event (c: connection, is_orig: bool, options: TCP::OptionList)

Generated for each TCP header that contains TCP options. This is a very low-level event and potentially expensive as it may be raised very often.

C

The connection the packet is part of.

Is_orig

True if the packet was sent by the connection’s originator.

Options

The list of options parsed out of the TCP header.


tcp_packet
Type

event (c: connection, is_orig: bool, flags: string, seq: count, ack: count, len: count, payload: string)

Generated for every TCP packet. This is a very low-level and expensive event that should be avoided when at all possible. It’s usually infeasible to handle when processing even medium volumes of traffic in real-time. It’s slightly better than new_packet because it affects only TCP, but not much. That said, if you work from a trace and want to do some packet-level analysis, it may come in handy.

C

The connection the packet is part of.

Is_orig

True if the packet was sent by the connection’s originator.

Flags

A string with the packet’s TCP flags. In the string, each character corresponds to one set flag, as follows: S -> SYN; F -> FIN; R -> RST; A -> ACK; P -> PUSH; U -> URGENT.

Seq

The packet’s relative TCP sequence number.

Ack

If the ACK flag is set for the packet, the packet’s relative ACK number, else zero.

Len

The length of the TCP payload, as specified in the packet header.

Payload

The raw TCP payload. Note that this may be shorter than len if the packet was not fully captured.

tcp_rexmit
Type

event (c: connection, is_orig: bool, seq: count, len: count, data_in_flight: count, window: count)

Generated for each detected TCP segment retransmission.

C

The connection the packet is part of.

Is_orig

True if the packet was sent by the connection’s originator.

Seq

The segment’s relative TCP sequence number.

Len

The length of the TCP segment, as specified in the packet header.

Data_in_flight

The number of bytes corresponding to the difference between the last sequence number and last acknowledgement number we’ve seen for a given endpoint.

Window

The TCP window size.

base/bif/plugins/Zeek_TCP.types.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Detailed Interface

base/bif/plugins/Zeek_TCP.functions.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Functions

get_contents_file: function

Returns the file handle of the contents file of a connection.

get_orig_seq: function

Get the originator sequence number of a TCP connection.

get_resp_seq: function

Get the responder sequence number of a TCP connection.

set_contents_file: function

Associates a file handle with a connection for writing TCP byte stream contents.

Detailed Interface
Functions
get_contents_file
Type

function (cid: conn_id, direction: count) : file

Returns the file handle of the contents file of a connection.

Cid

The connection ID.

Direction

Controls what sides of the connection to record. See set_contents_file for possible values.

Returns

The file handle for the contents file of the connection identified by cid. If the connection exists but there is no contents file for direction, then the function generates an error and returns a file handle to stderr.

get_orig_seq
Type

function (cid: conn_id) : count

Get the originator sequence number of a TCP connection. Sequence numbers are absolute (i.e., they reflect the values seen directly in packet headers; they are not relative to the beginning of the connection).

Cid

The connection ID.

Returns

The highest sequence number sent by a connection’s originator, or 0 if cid does not point to an active TCP connection.

get_resp_seq
Type

function (cid: conn_id) : count

Get the responder sequence number of a TCP connection. Sequence numbers are absolute (i.e., they reflect the values seen directly in packet headers; they are not relative to the beginning of the connection).

Cid

The connection ID.

Returns

The highest sequence number sent by a connection’s responder, or 0 if cid does not point to an active TCP connection.

set_contents_file
Type

function (cid: conn_id, direction: count, f: file) : bool

Associates a file handle with a connection for writing TCP byte stream contents.

Cid

The connection ID.

Direction

Controls what sides of the connection to record. The argument can take one of the four values:

  • CONTENTS_NONE: Stop recording the connection’s content.

  • CONTENTS_ORIG: Record the data sent by the connection originator (often the client).

  • CONTENTS_RESP: Record the data sent by the connection responder (often the server).

  • CONTENTS_BOTH: Record the data sent in both directions. Results in the two directions being intermixed in the file, in the order the data was seen by Zeek.

F

The file handle of the file to write the contents to.

Returns

Returns false if cid does not point to an active connection, and true otherwise.

Note

The data recorded to the file reflects the byte stream, not the contents of individual packets. Reordering and duplicates are removed. If any data is missing, the recording stops at the missing data; this can happen, e.g., due to a content_gap event.
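
Added example (not the Zeek project’s own code) showing set_contents_file and the direction constants in use: it records the reassembled stream of connections to a small constructed set of responder ports into one file per connection, and tracks the handles itself instead of relying on get_contents_file’s error path. It assumes the standard script-level events connection_established and connection_state_remove and the built-ins open(), close() and mkdir(); the port set and directory name are constructed values.

```zeek
# Added example, not part of the Zeek documentation: capture the reassembled
# TCP byte stream of selected connections with set_contents_file().
#
# Assumptions: record_ports and out_dir are constructed values; the events
# connection_established / connection_state_remove and the functions open(),
# close() and mkdir() are Zeek's standard script-level API.

module ContentsCapture;

export {
	## Responder ports whose connections get recorded (constructed sample).
	const record_ports: set[port] = { 21/tcp, 23/tcp } &redef;

	## Directory the per-connection files are written to.
	const out_dir = "contents" &redef;
}

# Handles we opened, keyed by connection UID, so we can close them ourselves
# instead of asking get_contents_file(), which errors when no file is set.
global handles: table[string] of file;

event zeek_init()
	{
	# Make sure the output directory exists before the first connection.
	mkdir(out_dir);
	}

event connection_established(c: connection)
	{
	if ( c$id$resp_p !in record_ports )
		return;

	# One file per connection; the UID ties it back to conn.log.
	local f = open(fmt("%s/%s.bin", out_dir, c$uid));
	handles[c$uid] = f;

	# CONTENTS_BOTH intermixes the two directions in the order Zeek saw them;
	# CONTENTS_ORIG or CONTENTS_RESP would capture a single side only.
	if ( ! set_contents_file(c$id, CONTENTS_BOTH, f) )
		{
		# Returns F when the id no longer maps to an active connection.
		close(f);
		delete handles[c$uid];
		}
	}

event connection_state_remove(c: connection)
	{
	if ( c$uid !in handles )
		return;

	# Stop recording (CONTENTS_NONE) before closing our handle. The file holds
	# the reassembled stream up to the first gap, not the individual packets.
	set_contents_file(c$id, CONTENTS_NONE, handles[c$uid]);
	close(handles[c$uid]);
	delete handles[c$uid];
	}
```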

base/bif/plugins/Zeek_XMPP.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

xmpp_starttls: event

Generated when an XMPP connection goes encrypted after a successful StartTLS exchange between the client and the server.

Detailed Interface
Events
xmpp_starttls
Type

event (c: connection)

Generated when an XMPP connection goes encrypted after a successful StartTLS exchange between the client and the server.

C

The connection.

base/bif/plugins/Zeek_ARP.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

arp_reply: event

Generated for ARP replies.

arp_request: event

Generated for ARP requests.

bad_arp: event

Generated for ARP packets that Zeek cannot interpret.

Detailed Interface
Events
arp_reply
Type

event (mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)

Generated for ARP replies.

See Wikipedia for more information about the ARP protocol.

Mac_src

The reply’s source MAC address.

Mac_dst

The reply’s destination MAC address.

SPA

The sender protocol address.

SHA

The sender hardware address.

TPA

The target protocol address.

THA

The target hardware address.

arp_request
Type

event (mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)

Generated for ARP requests.

See Wikipedia for more information about the ARP protocol.

Mac_src

The request’s source MAC address.

Mac_dst

The request’s destination MAC address.

SPA

The sender protocol address.

SHA

The sender hardware address.

TPA

The target protocol address.

THA

The target hardware address.

bad_arp
Type

event (SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string)

Generated for ARP packets that Zeek cannot interpret. Examples are packets with non-standard hardware address formats or hardware addresses that do not match the originator of the packet.

SPA

The sender protocol address.

SHA

The sender hardware address.

TPA

The target protocol address.

THA

The target hardware address.

Explanation

A short description of why the ARP packet is considered “bad”.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

base/bif/plugins/Zeek_UDP.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

udp_contents: event

Generated for UDP packets to pass on their payload.

udp_multiple_checksum_errors: event

Generated if a UDP flow crosses a checksum-error threshold, per ‘C’/‘c’ history reporting.

udp_reply: event

Generated for each packet sent by a UDP flow’s responder.

udp_request: event

Generated for each packet sent by a UDP flow’s originator.

Detailed Interface
Events
udp_contents
Type

event (u: connection, is_orig: bool, contents: string)

Generated for UDP packets to pass on their payload. As the number of UDP packets can be very large, this event is normally raised only for those on ports configured in udp_content_delivery_ports_orig (for packets sent by the flow’s originator) or udp_content_delivery_ports_resp (for packets sent by the flow’s responder). However, delivery can be enabled for all UDP request and reply packets by setting udp_content_deliver_all_orig or udp_content_deliver_all_resp, respectively. Note that this event is also raised for all matching UDP packets, including empty ones.

U

The connection record for the corresponding UDP flow.

Is_orig

True if the event is raised for the originator side.

Contents

The UDP payload of the packet.

udp_multiple_checksum_errors
Type

event (u: connection, is_orig: bool, threshold: count)

Generated if a UDP flow crosses a checksum-error threshold, per ‘C’/‘c’ history reporting.

U

The connection record for the corresponding UDP flow.

Is_orig

True if the event is raised for the originator side.

Threshold

The threshold that was crossed.

udp_reply
Type

event (u: connection)

Generated for each packet sent by a UDP flow’s responder. This is a potentially expensive event due to the volume of UDP traffic and should be used with care.

U

The connection record for the corresponding UDP flow.

udp_request
Type

event (u: connection)

Generated for each packet sent by a UDP flow’s originator. This is a potentially expensive event due to the volume of UDP traffic and should be used with care.

U

The connection record for the corresponding UDP flow.

base/bif/plugins/Zeek_ICMP.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

icmp_echo_reply: event

Generated for ICMP echo reply messages.

icmp_echo_request: event

Generated for ICMP echo request messages.

icmp_error_message: event

Generated for all ICMPv6 error messages that are not handled separately with dedicated events.

icmp_neighbor_advertisement: event

Generated for ICMP neighbor advertisement messages.

icmp_neighbor_solicitation: event

Generated for ICMP neighbor solicitation messages.

icmp_packet_too_big: event

Generated for ICMPv6 packet too big messages.

icmp_parameter_problem: event

Generated for ICMPv6 parameter problem messages.

icmp_redirect: event

Generated for ICMP redirect messages.

icmp_router_advertisement: event

Generated for ICMP router advertisement messages.

icmp_router_solicitation: event

Generated for ICMP router solicitation messages.

icmp_sent: event

Generated for all ICMP messages that are not handled separately with dedicated ICMP events.

icmp_sent_payload: event

The same as icmp_sent except containing the ICMP payload.

icmp_time_exceeded: event

Generated for ICMP time exceeded messages.

icmp_unreachable: event

Generated for ICMP destination unreachable messages.

Detailed Interface
Events
icmp_echo_reply
Type

event (c: connection, info: icmp_info, id: count, seq: count, payload: string)

Generated for ICMP echo reply messages.

See Wikipedia for more information about the ICMP protocol.

C

The connection record for the corresponding ICMP flow.

Info

Additional ICMP-specific information augmenting the standard connection record c.

Id

The echo reply identifier.

Seq

The echo reply sequence number.

Payload

The message-specific data of the packet payload, i.e., everything after the first 8 bytes of the ICMP header.

icmp_echo_request
Type

event (c: connection, info: icmp_info, id: count, seq: count, payload: string)

Generated for ICMP echo request messages.

See Wikipedia for more information about the ICMP protocol.

C

The connection record for the corresponding ICMP flow.

Info

Additional ICMP-specific information augmenting the standard connection record c.

Id

The echo request identifier.

Seq

The echo request sequence number.

Payload

The message-specific data of the packet payload, i.e., everything after the first 8 bytes of the ICMP header.

icmp_error_message
Type

event (c: connection, info: icmp_info, code: count, context: icmp_context)

Generated for all ICMPv6 error messages that are not handled separately with dedicated events. Zeek’s ICMP analyzer handles a number of ICMP error messages directly with dedicated events. This event acts as a fallback for those it doesn’t.

See Wikipedia for more information about the ICMPv6 protocol.

C

The connection record for the corresponding ICMP flow.

Info

Additional ICMP-specific information augmenting the standard connection record c.

Code

The ICMP code of the error message.

Context

A record with specifics of the original packet that the message refers to.

icmp_neighbor_advertisement
Type

event (c: connection, info: icmp_info, router: bool, solicited: bool, override: bool, tgt: addr, options: icmp6_nd_options)

Generated for ICMP neighbor advertisement messages.

See Wikipedia for more information about the ICMP protocol.

C

The connection record for the corresponding ICMP flow.

Info

Additional ICMP-specific information augmenting the standard connection record c.

Router

Flag indicating the sender is a router.

Solicited

Flag indicating advertisement is in response to a solicitation.

Override

Flag indicating advertisement should override existing caches.

Tgt

The Target Address in the soliciting message, or the address whose link-layer address has changed for unsolicited advertisements.

Options

Any Neighbor Discovery options included with the message (RFC 4861).

icmp_neighbor_solicitation
Type

event (c: connection, info: icmp_info, tgt: addr, options: icmp6_nd_options)

Generated for ICMP neighbor solicitation messages.

See Wikipedia for more information about the ICMP protocol.

C

The connection record for the corresponding ICMP flow.

Info

Additional ICMP-specific information augmenting the standard connection record c.

Tgt

The IP address of the target of the solicitation.

Options

Any Neighbor Discovery options included with the message (RFC 4861).

icmp_packet_too_big
Type

event (c: connection, info: icmp_info, code: count, context: icmp_context)

Generated for ICMPv6 packet too big messages.

See Wikipedia for more information about the ICMPv6 protocol.

C

The connection record for the corresponding ICMP flow.

Info

Additional ICMP-specific information augmenting the standard connection record c.

Code

The ICMP code of the too big message.

Context

A record with specifics of the original packet that the message refers to. Packet too big messages should include the original IP header from the packet that triggered them, and Zeek parses that into the context structure. Note that if the packet too big message includes only a partial IP header for some reason, no fields of context will be filled out.

icmp_parameter_problem
Type

event (c: connection, info: icmp_info, code: count, context: icmp_context)

Generated for ICMPv6 parameter problem messages.

See Wikipedia for more information about the ICMPv6 protocol.

C

The connection record for the corresponding ICMP flow.

Info

Additional ICMP-specific information augmenting the standard connection record c.

Code

The ICMP code of the parameter problem message.

Context

A record with specifics of the original packet that the message refers to. Parameter problem messages should include the original IP header from the packet that triggered them, and Zeek parses that into the context structure. Note that if the parameter problem message includes only a partial IP header for some reason, no fields of context will be filled out.

icmp_redirect
Type

event (c: connection, info: icmp_info, tgt: addr, dest: addr, options: icmp6_nd_options)

Generated for ICMP redirect messages.

See Wikipedia for more information about the ICMP protocol.

C

The connection record for the corresponding ICMP flow.

Info

Additional ICMP-specific information augmenting the standard connection record c.

Tgt

The address that is supposed to be a better first hop to use for the ICMP Destination Address.

Dest

The address of the destination which is redirected to the target.

Options

Any Neighbor Discovery options included with the message (RFC 4861).

icmp_router_advertisement
Type

event (c: connection, info: icmp_info, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval, options: icmp6_nd_options)

Generated for ICMP router advertisement messages.

See Wikipedia for more information about the ICMP protocol.

C

The connection record for the corresponding ICMP flow.

Info

Additional ICMP-specific information augmenting the standard connection record c.

Cur_hop_limit

The default value that should be placed in the Hop Count field for outgoing IP packets.

Managed

Managed address configuration flag, RFC 4861.

Other

Other stateful configuration flag, RFC 4861.

Home_agent

Mobile IPv6 home agent flag, RFC 3775.

Pref

Router selection preferences, RFC 4191.

Proxy

Neighbor discovery proxy flag, RFC 4389.

Rsv

Remaining two reserved bits of router advertisement flags.

Router_lifetime

How long this router should be used as a default router.

Reachable_time

How long a neighbor should be considered reachable.

Retrans_timer

How long a host should wait before retransmitting.

Options

Any Neighbor Discovery options included with the message (RFC 4861).

icmp_router_solicitation
Type

event (c: connection, info: icmp_info, options: icmp6_nd_options)

Generated for ICMP router solicitation messages.

See Wikipedia for more information about the ICMP protocol.

C

The connection record for the corresponding ICMP flow.

Info

Additional ICMP-specific information augmenting the standard connection record c.

Options

Any Neighbor Discovery options included with the message (RFC 4861).

icmp_sent
Type

event (c: connection, info: icmp_info)

Generated for all ICMP messages that are not handled separately with dedicated ICMP events. Zeek’s ICMP analyzer handles a number of ICMP messages directly with dedicated events. This event acts as a fallback for those it doesn’t.

See Wikipedia for more information about the ICMP protocol.

C

The connection record for the corresponding ICMP flow.

Info

Additional ICMP-specific information augmenting the standard connection record c.

icmp_sent_payload
Type

event (c: connection, info: icmp_info, payload: string)

The same as icmp_sent except containing the ICMP payload.

C

The connection record for the corresponding ICMP flow.

Info

Additional ICMP-specific information augmenting the standard connection record c.

Payload

The payload of the ICMP message.

icmp_time_exceeded
Type

event (c: connection, info: icmp_info, code: count, context: icmp_context)

Generated for ICMP time exceeded messages.

See Wikipedia for more information about the ICMP protocol.

C

The connection record for the corresponding ICMP flow.

Info

Additional ICMP-specific information augmenting the standard connection record c.

Code

The ICMP code of the time exceeded message.

Context

A record with specifics of the original packet that the message refers to. Time exceeded messages should include the original IP header from the packet that triggered them, and Zeek parses that into the context structure. Note that if the time exceeded message includes only a partial IP header for some reason, no fields of context will be filled out.

icmp_unreachable
Type

event (c: connection, info: icmp_info, code: count, context: icmp_context)

Generated for ICMP destination unreachable messages.

See Wikipedia for more information about the ICMP protocol.

C

The connection record for the corresponding ICMP flow.

Info

Additional ICMP-specific information augmenting the standard connection record c.

Code

The ICMP code of the unreachable message.

Context

A record with specifics of the original packet that the message refers to. Unreachable messages should include the original IP header from the packet that triggered them, and Zeek parses that into the context structure. Note that if the unreachable message includes only a partial IP header for some reason, no fields of context will be filled out.
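
Added example, not from the Zeek documentation, of putting the context record of icmp_unreachable to defensive use: it notices one host drawing port-unreachable replies for many distinct UDP ports within a short window, a common footprint of a UDP port sweep, and skips messages whose truncated inner header left context unfilled. It assumes the icmp_context field names id, proto and bad_hdr_len from Zeek’s init-bare.zeek record definition, ICMPv4 code 3 as “port unreachable” per RFC 792, and constructed values for the window and threshold.

```zeek
# Added example, not part of the Zeek documentation: detect a UDP port sweep
# from the ICMP destination-unreachable replies it provokes.
#
# Assumptions: icmp_context carries the fields id (conn_id), proto (count) and
# bad_hdr_len (bool) as in Zeek's init-bare.zeek; code 3 is "port
# unreachable" (RFC 792); port_threshold and window are constructed values.

module UnreachableSweep;

export {
	redef enum Notice::Type += {
		## One original sender triggered port-unreachable replies for
		## many distinct destination ports.
		Port_Unreachable_Sweep
	};

	## Distinct closed ports per sender before a notice is raised.
	const port_threshold: count = 20 &redef;

	## How long per-sender state is kept without new hits.
	const window: interval = 5min &redef;
}

const ICMP_PORT_UNREACHABLE = 3;
const PROTO_UDP = 17;

# Original sender -> destination ports it was told are closed.
global probed: table[addr] of set[port] &create_expire=window;

event icmp_unreachable(c: connection, info: icmp_info, code: count, context: icmp_context)
	{
	if ( code != ICMP_PORT_UNREACHABLE )
		return;

	# Per the docs, a partial inner IP header leaves context unfilled;
	# bad_hdr_len marks that case, so the addresses cannot be trusted then.
	if ( context$bad_hdr_len || context$proto != PROTO_UDP )
		return;

	# context$id describes the original datagram: its originator is the host
	# that sent the probe, its responder port is the port found closed. The
	# ICMP sender (c$id$orig_h) is the host or router that rejected it.
	local prober = context$id$orig_h;
	local closed = context$id$resp_p;

	if ( prober !in probed )
		probed[prober] = set();

	add probed[prober][closed];

	# Fire exactly once per sender as the threshold is reached.
	if ( |probed[prober]| == port_threshold )
		NOTICE([$note=Port_Unreachable_Sweep,
		        $msg=fmt("%s drew port-unreachable replies for %d UDP ports within %s",
		                 prober, port_threshold, window),
		        $src=prober,
		        $identifier=cat(prober)]);
	}
```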

base/bif/plugins/Zeek_Geneve.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

geneve_packet: event

Generated for any packet encapsulated in a Geneve tunnel.

Detailed Interface
Events
geneve_packet
Type

event (outer: connection, inner: pkt_hdr, vni: count)

Generated for any packet encapsulated in a Geneve tunnel. See RFC 8926 for more information about the Geneve protocol.

Outer

The Geneve tunnel connection.

Inner

The Geneve-encapsulated Ethernet packet header and transport header.

Vni

The Geneve Virtual Network Identifier (VNI).

Note

Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.

base/bif/plugins/Zeek_VXLAN.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

vxlan_packet: event

Generated for any packet encapsulated in a VXLAN tunnel.

Detailed Interface
Events
vxlan_packet
Type

event (outer: connection, inner: pkt_hdr, vni: count)

Generated for any packet encapsulated in a VXLAN tunnel. See RFC 7348 for more information about the VXLAN protocol.

Outer

The VXLAN tunnel connection.

Inner

The VXLAN-encapsulated Ethernet packet header and transport header.

Vni

The VXLAN Network Identifier (VNI).

Note

Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.

base/bif/plugins/Zeek_Teredo.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

teredo_authentication: event

Generated for IPv6 packets encapsulated in a Teredo tunnel that use the Teredo authentication encapsulation method.

teredo_bubble: event

Generated for Teredo bubble packets.

teredo_origin_indication: event

Generated for IPv6 packets encapsulated in a Teredo tunnel that use the Teredo origin indication encapsulation method.

teredo_packet: event

Generated for any IPv6 packet encapsulated in a Teredo tunnel.

Detailed Interface
Events
teredo_authentication
Type

event (outer: connection, inner: teredo_hdr)

Generated for IPv6 packets encapsulated in a Teredo tunnel that use the Teredo authentication encapsulation method. See RFC 4380 for more information about the Teredo protocol.

Outer

The Teredo tunnel connection.

Inner

The Teredo-encapsulated IPv6 packet header and transport header.

Note

Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.

teredo_bubble
Type

event (outer: connection, inner: teredo_hdr)

Generated for Teredo bubble packets. That is, IPv6 packets encapsulated in a Teredo tunnel that have a Next Header value of IPPROTO_NONE. See RFC 4380 for more information about the Teredo protocol.

Outer

The Teredo tunnel connection.

Inner

The Teredo-encapsulated IPv6 packet header and transport header.

Note

Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.

teredo_origin_indication
Type

event (outer: connection, inner: teredo_hdr)

Generated for IPv6 packets encapsulated in a Teredo tunnel that use the Teredo origin indication encapsulation method. See RFC 4380 for more information about the Teredo protocol.

Outer

The Teredo tunnel connection.

Inner

The Teredo-encapsulated IPv6 packet header and transport header.

Note

Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.

teredo_packet
Type

event (outer: connection, inner: teredo_hdr)

Generated for any IPv6 packet encapsulated in a Teredo tunnel. See RFC 4380 for more information about the Teredo protocol.

Outer

The Teredo tunnel connection.

Inner

The Teredo-encapsulated IPv6 packet header and transport header.

Note

Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.

base/bif/plugins/Zeek_GTPv1.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

gtpv1_create_pdp_ctx_request: event

Generated for GTPv1-C Create PDP Context Request messages.

gtpv1_create_pdp_ctx_response: event

Generated for GTPv1-C Create PDP Context Response messages.

gtpv1_delete_pdp_ctx_request: event

Generated for GTPv1-C Delete PDP Context Request messages.

gtpv1_delete_pdp_ctx_response: event

Generated for GTPv1-C Delete PDP Context Response messages.

gtpv1_g_pdu_packet: event

Generated for GTPv1 G-PDU packets.

gtpv1_message: event

Generated for any GTP message with a GTPv1 header.

gtpv1_update_pdp_ctx_request: event

Generated for GTPv1-C Update PDP Context Request messages.

gtpv1_update_pdp_ctx_response: event

Generated for GTPv1-C Update PDP Context Response messages.

Detailed Interface
Events
gtpv1_create_pdp_ctx_request
Type

event (c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_request_elements)

Generated for GTPv1-C Create PDP Context Request messages.

C

The connection over which the message is sent.

Hdr

The GTPv1 header.

Elements

The set of Information Elements comprising the message.

gtpv1_create_pdp_ctx_response
Type

event (c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_response_elements)

Generated for GTPv1-C Create PDP Context Response messages.

C

The connection over which the message is sent.

Hdr

The GTPv1 header.

Elements

The set of Information Elements comprising the message.

gtpv1_delete_pdp_ctx_request
Type

event (c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_request_elements)

Generated for GTPv1-C Delete PDP Context Request messages.

C

The connection over which the message is sent.

Hdr

The GTPv1 header.

Elements

The set of Information Elements comprising the message.

gtpv1_delete_pdp_ctx_response
Type

event (c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_response_elements)

Generated for GTPv1-C Delete PDP Context Response messages.

C

The connection over which the message is sent.

Hdr

The GTPv1 header.

Elements

The set of Information Elements comprising the message.

gtpv1_g_pdu_packet
Type

event (outer: connection, inner_gtp: gtpv1_hdr, inner_ip: pkt_hdr)

Generated for GTPv1 G-PDU packets. That is, packets with a UDP payload that includes a GTP header followed by an IPv4 or IPv6 packet.

Outer

The GTP outer tunnel connection.

Inner_gtp

The GTP header.

Inner_ip

The inner IP and transport layer packet headers.

Note

Since this event may be raised on a per-packet basis, handling it may become particularly expensive for real-time analysis.

gtpv1_message
Type

event (c: connection, hdr: gtpv1_hdr)

Generated for any GTP message with a GTPv1 header.

C

The connection over which the message is sent.

Hdr

The GTPv1 header.

gtpv1_update_pdp_ctx_request
Type

event (c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_request_elements)

Generated for GTPv1-C Update PDP Context Request messages.

C

The connection over which the message is sent.

Hdr

The GTPv1 header.

Elements

The set of Information Elements comprising the message.

gtpv1_update_pdp_ctx_response
Type

event (c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_response_elements)

Generated for GTPv1-C Update PDP Context Response messages.

C

The connection over which the message is sent.

Hdr

The GTPv1 header.

Elements

The set of Information Elements comprising the message.

base/bif/plugins/Zeek_FileEntropy.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

file_entropy: event

This event is generated each time file analysis performs entropy testing on a file.

Detailed Interface
Events
file_entropy
Type

event (f: fa_file, ent: entropy_test_result)

This event is generated each time file analysis performs entropy testing on a file.

F

The file.

Ent

The results of the entropy testing.

base/bif/plugins/Zeek_FileExtract.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

file_extraction_limit: event

This event is generated when a file extraction analyzer is about to exceed the maximum permitted file size allowed by the extract_limit field of Files::AnalyzerArgs.

Detailed Interface
Events
file_extraction_limit
Type

event (f: fa_file, args: Files::AnalyzerArgs, limit: count, len: count)

This event is generated when a file extraction analyzer is about to exceed the maximum permitted file size allowed by the extract_limit field of Files::AnalyzerArgs. The analyzer is automatically removed from file f.

F

The file.

Args

Arguments that identify a particular file extraction analyzer. This is only provided to be able to pass along to FileExtract::set_limit.

Limit

The limit, in bytes, the extracted file is about to breach.

Len

The length of the file chunk about to be written.
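
Added example, not from the Zeek documentation, of the one use args is documented for: raising the limit from inside a file_extraction_limit handler so that extraction of selected file types continues (a limit raised within the handler takes effect before the analyzer is dropped). The MIME type set and the hard cap are constructed values; f$info$mime_type is assumed to be filled in by Zeek’s file framework and may be absent, hence the checks.

```zeek
# Added example, not part of the Zeek documentation: keep extracting chosen
# file types past extract_limit by raising the limit from the handler.
#
# Assumptions: keep_whole and hard_cap are constructed values; f$info and
# f$info$mime_type come from Zeek's file framework and may be unset.

module ExtractPolicy;

export {
	## File types worth capturing completely, e.g. for offline analysis
	## (constructed sample set).
	const keep_whole: set[string] = {
		"application/x-dosexec",
		"application/x-executable"
	} &redef;

	## Hard upper bound so a raised limit can never grow without end.
	const hard_cap: count = 64 * 1024 * 1024 &redef;
}

# Compute the limit to set for the chunk about to be written, or 0 when the
# default behaviour (drop the analyzer) should apply.
function next_limit(mime: string, limit: count, len: count): count
	{
	if ( mime !in keep_whole )
		return 0;

	# Grow just enough for this chunk; the event fires again for the next
	# one, so the limit ratchets up in steps until hard_cap stops it.
	local wanted = limit + len;
	if ( wanted > hard_cap )
		return 0;

	return wanted;
	}

event file_extraction_limit(f: fa_file, args: Files::AnalyzerArgs, limit: count, len: count)
	{
	if ( ! f?$info || ! f$info?$mime_type )
		return;

	local n = next_limit(f$info$mime_type, limit, len);
	if ( n == 0 )
		{
		print fmt("extraction of %s (%s) stops at %d bytes",
		          f$id, f$info$mime_type, limit);
		return;
		}

	# args identifies this particular extraction analyzer; set_limit
	# returns F if that analyzer is no longer attached to the file.
	if ( FileExtract::set_limit(f, args, n) )
		print fmt("raised extraction limit for %s to %d bytes", f$id, n);
	}
```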

base/bif/plugins/Zeek_FileExtract.functions.bif.zeek

FileExtract
GLOBAL

Internal functions used by the extraction file analyzer.

Namespaces

FileExtract, GLOBAL

Summary
Functions

FileExtract::__set_limit: function

Internal backend of FileExtract::set_limit; scripts should call that wrapper instead.

Detailed Interface
Functions
FileExtract::__set_limit
Type

function (file_id: string, args: any, n: count) : bool

Internal backend of FileExtract::set_limit; scripts should call that wrapper instead.

base/bif/plugins/Zeek_FileHash.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

file_hash: event

This event is generated each time file analysis generates a digest of the file contents.

Detailed Interface
Events
file_hash
Type

event (f: fa_file, kind: string, hash: string)

This event is generated each time file analysis generates a digest of the file contents.

F

The file.

Kind

The type of digest algorithm.

Hash

The result of the hashing.

base/bif/plugins/Zeek_PE.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

pe_dos_code: event

A PE file DOS stub was parsed.

pe_dos_header: event

A PE file DOS header was parsed.

pe_file_header: event

A PE file file header was parsed.

pe_optional_header: event

A PE file optional header was parsed.

pe_section_header: event

A PE file section header was parsed.

Detailed Interface
Events
pe_dos_code
Type

event (f: fa_file, code: string)

A PE file DOS stub was parsed. The stub is a valid application that runs under MS-DOS, by default to inform the user that the program can’t be run in DOS mode.

F

The file.

Code

The DOS stub.

pe_dos_header
Type

event (f: fa_file, h: PE::DOSHeader)

A PE file DOS header was parsed. This is the top-level header and contains information like the size of the file, initial value of registers, etc.

F

The file.

H

The parsed DOS header information.

pe_file_header
Type

event (f: fa_file, h: PE::FileHeader)

A PE file file header was parsed. This header contains information like the target machine, the timestamp when the file was created, the number of sections, and pointers to other parts of the file.

F

The file.

H

The parsed file header information.

pe_optional_header
Type

event (f: fa_file, h: PE::OptionalHeader)

A PE file optional header was parsed. This header is required for executable files, but not for object files. It contains information like OS requirements to execute the file, the original entry point address, and information needed to load the file into memory.

F

The file.

H

The parsed optional header information.

pe_section_header
Type

event (f: fa_file, h: PE::SectionHeader)

A PE file section header was parsed. This header contains information like the section name, size, address, and characteristics.

F

The file.

H

The parsed section header information.

See also:
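
The five PE header events above are the raw material for triage rules on executables seen in transit. The following script is an added example, not Zeek's own base/files/pe script: it watches pe_section_header for sections that are mapped both writable and executable, or that carry a well-known packer name, and pe_file_header for a compile timestamp ahead of the capture clock. The record fields it uses (h$name, h$characteristics, h$ts) and the encoding of characteristics as a set of the IMAGE_SCN_* / IMAGE_FILE_* flag values are taken from Zeek's init-bare.zeek and base/files/pe/consts.zeek, which this page does not reproduce; the packer name list is illustrative.

```zeek
##! Added example: flag PE files whose headers look like packer or shellcode
##! output. Not part of Zeek's distribution.

@load base/files/pe
@load base/frameworks/notice

module PECheck;

export {
	redef enum Notice::Type += {
		## A section is mapped both writable and executable.
		WX_Section,
		## The file header timestamp lies in the future.
		Future_Timestamp,
	};

	## IMAGE_SCN_MEM_EXECUTE and IMAGE_SCN_MEM_WRITE from the PE format;
	## Zeek exposes section characteristics as a set of these flag values
	## (assumption from consts.zeek, not documented on this page).
	const SCN_MEM_EXECUTE = 0x20000000 &redef;
	const SCN_MEM_WRITE = 0x80000000 &redef;

	## Section names legitimate linkers do not emit; an illustrative list.
	const packer_section_names: set[string] = { "UPX0", "UPX1", ".aspack", ".themida" } &redef;
}

function file_desc(f: fa_file): string
	{
	# f$source (e.g. "HTTP") is optional on fa_file; include it when known.
	return f?$source ? fmt("%s (%s)", f$id, f$source) : f$id;
	}

event pe_section_header(f: fa_file, h: PE::SectionHeader)
	{
	# Section names are 8 bytes NUL-padded on disk; strip padding defensively.
	local name = gsub(h$name, /\x00/, "");

	local wx = SCN_MEM_EXECUTE in h$characteristics && SCN_MEM_WRITE in h$characteristics;
	local packed = name in packer_section_names;

	if ( ! wx && ! packed )
		return;

	NOTICE([$note=WX_Section, $f=f,
	        $msg=fmt("%s: section %s is %s", file_desc(f), name,
	                 wx ? "writable and executable" : "a known packer section"),
	        $identifier=cat(f$id, name)]);
	}

event pe_file_header(f: fa_file, h: PE::FileHeader)
	{
	# The timestamp is attacker-controlled, but a value ahead of the capture
	# clock is still a useful triage signal; allow a day of skew.
	if ( h$ts > network_time() + 1 day )
		NOTICE([$note=Future_Timestamp, $f=f,
		        $msg=fmt("%s: PE timestamp %s is in the future", file_desc(f),
		                 strftime("%Y-%m-%d %H:%M:%S", h$ts)),
		        $identifier=f$id]);
	}
```

Run it as zeek -r capture.pcap pe-check.zeek and look in notice.log. Both signals are hints, not verdicts: a packer controls every byte of the headers it emits, so the value of these checks lies in what they surface for a human to look at, not in what they prove.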

base/bif/plugins/Zeek_Unified2.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

unified2_event: event

Abstract all of the various Unified2 event formats into a single event.

unified2_packet: event

The Unified2 packet format event.

Detailed Interface
Events
unified2_event
Type

event (f: fa_file, ev: Unified2::IDSEvent)

Abstract all of the various Unified2 event formats into a single event.

F

The file.

Ev

TODO.

unified2_packet
Type

event (f: fa_file, pkt: Unified2::Packet)

The Unified2 packet format event.

F

The file.

Pkt

TODO.

base/bif/plugins/Zeek_Unified2.types.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Detailed Interface

base/bif/plugins/Zeek_X509.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

x509_certificate: event

Generated for encountered X509 certificates, e.g., in the clear SSL/TLS connection handshake.

x509_ext_basic_constraints: event

Generated for the X509 basic constraints extension seen in a certificate.

x509_ext_subject_alternative_name: event

Generated for the X509 subject alternative name extension seen in a certificate.

x509_extension: event

Generated for X509 extensions seen in a certificate.

x509_ocsp_ext_signed_certificate_timestamp: event

Generated for the signed_certificate_timestamp X509 extension as defined in RFC 6962.

Detailed Interface
Events
x509_certificate
Type

event (f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate)

Generated for encountered X509 certificates, e.g., in the clear SSL/TLS connection handshake.

See Wikipedia for more information about the X.509 format.

F

The file.

Cert_ref

An opaque pointer to the underlying OpenSSL data structure of the certificate.

Cert

The parsed certificate information.

See also:

x509_ext_basic_constraints
Type

event (f: fa_file, ext: X509::BasicConstraints)

Generated for the X509 basic constraints extension seen in a certificate. This extension can be used to identify the subject of a certificate as a CA.

F

The file.

Ext

The parsed basic constraints extension.

See also:

x509_ext_subject_alternative_name
Type

event (f: fa_file, ext: X509::SubjectAlternativeName)

Generated for the X509 subject alternative name extension seen in a certificate. This extension can be used to allow additional entities to be bound to the subject of the certificate. Usually it is used to specify one or multiple DNS names for which a certificate is valid.

F

The file.

Ext

The parsed subject alternative name extension.

See also:

x509_extension
Type

event (f: fa_file, ext: X509::Extension)

Generated for X509 extensions seen in a certificate.

See Wikipedia for more information about the X.509 format.

F

The file.

Ext

The parsed extension.

See also:

x509_ocsp_ext_signed_certificate_timestamp
Type

event (f: fa_file, version: count, logid: string, timestamp: count, hash_algorithm: count, signature_algorithm: count, signature: string)

Generated for the signed_certificate_timestamp X509 extension as defined in RFC 6962. The extension is used to transmit signed proofs that are used for Certificate Transparency. Raised when the extension is encountered in an X.509 certificate or in an OCSP reply.

F

The file.

Version

The version of the SCT format. Should always be 0, which denotes SCT version 1.

Logid

The log ID: the SHA-256 hash of the log's public key (32 bytes), which identifies the CT log that issued the SCT.

Timestamp

The time the entry was logged, as defined by RFC 6962: milliseconds since the epoch, ignoring leap seconds.

Hash_algorithm

Hash algorithm used for the digitally_signed struct, as the numeric TLS HashAlgorithm code.

Signature_algorithm

Signature algorithm used for the digitally_signed struct, as the numeric TLS SignatureAlgorithm code.

Signature

Signature part of the digitally_signed struct.

See also:

base/bif/plugins/Zeek_X509.types.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Detailed Interface

base/bif/plugins/Zeek_X509.functions.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Functions

sct_verify: function

Verifies a Signed Certificate Timestamp as used for Certificate Transparency.

x509_check_cert_hostname: function

This function checks if a hostname matches one of the hostnames given in the certificate.

x509_check_hostname: function

This function checks a hostname against the name given in a certificate subject/SAN, including our interpretation of RFC 6125 wildcard expansions.

x509_from_der: function

Constructs an opaque of X509 from a der-formatted string.

x509_get_certificate_string: function

Returns the string form of a certificate.

x509_issuer_name_hash: function

Get the hash of the issuer’s distinguished name.

x509_ocsp_verify: function

Verifies an OCSP reply.

x509_parse: function

Parses a certificate into an X509::Certificate structure.

x509_set_certificate_cache: function

This function can be used to set up certificate caching.

x509_set_certificate_cache_hit_callback: function

This function sets up the callback that is called when an entry is matched against the table set by x509_set_certificate_cache.

x509_spki_hash: function

Get the hash of the Subject Public Key Information of the certificate.

x509_subject_name_hash: function

Get the hash of the subject’s distinguished name.

x509_verify: function

Verifies a certificate.

Detailed Interface
Functions
sct_verify
Type

function (cert: opaque of x509, logid: string, log_key: string, signature: string, timestamp: count, hash_algorithm: count, issuer_key_hash: string &default = "" &optional) : bool

Verifies a Signed Certificate Timestamp as used for Certificate Transparency. See RFC6962 for more details.

Cert

Certificate against which the SCT should be validated.

Logid

Log id of the SCT.

Log_key

Public key of the Log that issued the SCT proof.

Timestamp

Timestamp at which the proof was generated.

Hash_algorithm

Hash algorithm that was used for the SCT proof.

Signature

The signature part of the SCT's digitally_signed struct.

Issuer_key_hash

The SHA-256 hash of the certificate issuer's public key. This only has to be provided if the SCT was encountered in an X.509 certificate extension; in that case it is necessary for validation, because the log then signed a precertificate entry that carries the issuer key hash rather than the final certificate.

Returns

T if the validation could be performed successfully, F otherwise.

See also:

x509_check_cert_hostname
Type

function (cert_opaque: opaque of x509, hostname: string) : string

This function checks if a hostname matches one of the hostnames given in the certificate.

For our matching we adhere to RFC 6125 for the labels (see x509_check_hostname). Furthermore we adhere to RFC 2818 and check only the names given in the SAN, if a SAN is present, ignoring CNs in the Subject. If no SAN is present, we will use the last CN in the subject for our tests.

Cert

The X509 certificate opaque handle.

Hostname

Hostname to check

Returns

empty string if the hostname does not match; matched name (which can contain wildcards) if it did.

See also:

x509_check_hostname
Type

function (hostname: string, certname: string) : bool

This function checks a hostname against the name given in a certificate subject/SAN, including our interpretation of RFC 6125 wildcard expansions. This specifically means that wildcards are only allowed in the leftmost label, wildcards only span one label, the wildcard has to be the last character before the label separator (but additional characters are allowed before it), and the wildcard has to be at least at the third level (so *.a.b).

Hostname

Hostname to test

Certname

Name given in the CN/SAN of a certificate; wildcards will be expanded

Returns

True if the hostname matches.

See also:

x509_from_der
Type

function (der: string) : opaque of x509

Constructs an opaque of X509 from a der-formatted string.

Note

This function is mostly meant for testing purposes.

See also:

x509_get_certificate_string
Type

function (cert: opaque of x509, pem: bool &default = F &optional) : string

Returns the string form of a certificate.

Cert

The X509 certificate opaque handle.

Pem

A boolean that specifies if the certificate is returned in pem-form (true), or as the raw ASN1 encoded binary (false).

Returns

X509 certificate as a string.

See also:

x509_issuer_name_hash
Type

function (cert: opaque of x509, hash_alg: count) : string

Get the hash of the issuer’s distinguished name.

Cert

The X509 certificate opaque handle.

Hash_alg

The hash algorithm to use, according to the IANA TLS HashAlgorithm mapping at https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18

Returns

The hash as a string.

See also:

x509_ocsp_verify
Type

function (certs: x509_opaque_vector, ocsp_reply: string, root_certs: table_string_of_string, verify_time: time &default = 0.0 &optional) : X509::Result

Verifies an OCSP reply.

Certs

Specifies the certificate chain to use. Server certificate first.

Ocsp_reply

The OCSP reply to validate.

Root_certs

A list of root certificates to validate the certificate chain.

Verify_time

Time for the validity check of the certificates.

Returns

A record of type X509::Result containing the result code of the verify operation.

See also:

x509_parse
Type

function (cert: opaque of x509) : X509::Certificate

Parses a certificate into an X509::Certificate structure.

Cert

The X509 certificate opaque handle.

Returns

A X509::Certificate structure.

See also:

x509_set_certificate_cache
Type

function (tbl: string_any_table) : bool

This function can be used to set up certificate caching. It has to be passed a table[string] which can contain any type.

After this is set up, for each certificate encountered, the X509 analyzer will check if the entry tbl[sha256 of certificate] is set. If this is the case, the X509 analyzer will skip all further processing, and instead just call the callback that is set with x509_set_certificate_cache_hit_callback.

Tbl

Table to use as the certificate cache.

Returns

Always returns true.

Note

The base scripts use this function to set up certificate caching. You should only change the cache table if you are sure you will not conflict with the base scripts.

See also:

x509_set_certificate_cache_hit_callback
Type

function (f: string_any_file_hook) : bool

This function sets up the callback that is called when an entry is matched against the table set by x509_set_certificate_cache.

F

The callback that will be called when encountering a certificate in the cache table.

Returns

Always returns true.

Note

The base scripts use this function to set up certificate caching. You should only change the callback function if you are sure you will not conflict with the base scripts.

See also:

x509_spki_hash
Type

function (cert: opaque of x509, hash_alg: count) : string

Get the hash of the Subject Public Key Information of the certificate.

Cert

The X509 certificate opaque handle.

Hash_alg

The hash algorithm to use, according to the IANA TLS HashAlgorithm mapping at https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18

Returns

The hash as a string.

See also:

x509_subject_name_hash
Type

function (cert: opaque of x509, hash_alg: count) : string

Get the hash of the subject’s distinguished name.

Cert

The X509 certificate opaque handle.

Hash_alg

The hash algorithm to use, according to the IANA TLS HashAlgorithm mapping at https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18

Returns

The hash as a string.

See also:

x509_verify
Type

function (certs: x509_opaque_vector, root_certs: table_string_of_string, verify_time: time &default = 0.0 &optional) : X509::Result

Verifies a certificate.

Certs

Specifies a certificate chain that is being used to validate the given certificate against the root store given in root_certs. The host certificate has to be at index 0.

Root_certs

A list of root certificates to validate the certificate chain.

Verify_time

Time for the validity check of the certificates.

Returns

A record of type X509::Result containing the result code of the verify operation. In case of success also returns the full certificate chain.

See also:
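
x509_verify and x509_check_cert_hostname together cover what a TLS client is supposed to check before trusting a server; the script below is an added example (not Zeek's validate-certs policy script) that runs both on every completed handshake and raises a notice when either fails. It assumes SSL::root_certs, the root store shipped in base/protocols/ssl, and the SSL::Info, Files::Info and X509::Result fields it reads (c$ssl$server_name, c$ssl$cert_chain[i]$x509$handle, res$result, res$result_string); those come from Zeek's base scripts and are not documented on this page.

```zeek
##! Added example: validate the server chain against Zeek's root store and
##! check that the leaf covers the SNI. Not part of Zeek's distribution.

@load base/protocols/ssl
@load base/frameworks/notice

module TLSCheck;

export {
	redef enum Notice::Type += {
		## The server's certificate chain did not validate against the root store.
		Invalid_Chain,
		## The leaf certificate does not cover the server name the client asked for.
		Hostname_Mismatch,
	};
}

event ssl_established(c: connection)
	{
	if ( ! c?$ssl || ! c$ssl?$cert_chain )
		return;

	# x509_verify wants the host certificate at index 0. Zeek stores the chain
	# in wire order, which for a well-behaved server is leaf first; append
	# only entries that were actually parsed so the vector has no holes.
	local chain: vector of opaque of x509 = vector();
	for ( i in c$ssl$cert_chain )
		{
		if ( c$ssl$cert_chain[i]?$x509 )
			chain[|chain|] = c$ssl$cert_chain[i]$x509$handle;
		}

	if ( |chain| == 0 )
		return;

	# Pass the trace's clock as verify_time so a pcap replayed later is judged
	# against the timestamps of the capture, not the wall clock.
	local res = x509_verify(chain, SSL::root_certs, network_time());
	if ( res$result != 0 )	# 0 is OpenSSL's X509_V_OK
		NOTICE([$note=Invalid_Chain, $conn=c,
		        $msg=fmt("chain validation failed: %s", res$result_string),
		        $identifier=cat(c$id$resp_h, c$id$resp_p, res$result_string)]);

	# Without an SNI there is nothing to match the certificate against.
	if ( ! c$ssl?$server_name )
		return;

	# Returns the matched SAN/CN entry (possibly a wildcard) or "" on no match;
	# SANs win over the subject CN, as described for x509_check_cert_hostname.
	local matched = x509_check_cert_hostname(chain[0], c$ssl$server_name);
	if ( matched == "" )
		NOTICE([$note=Hostname_Mismatch, $conn=c,
		        $msg=fmt("certificate does not cover SNI %s", c$ssl$server_name),
		        $identifier=cat(c$id$resp_h, c$id$resp_p, c$ssl$server_name)]);
	}
```

Run it as zeek -r capture.pcap tls-check.zeek; hits land in notice.log, deduplicated per server and reason through the $identifier. On TLS 1.3 traffic the certificate chain is encrypted, so cert_chain is empty and the handler returns without a verdict; that is a limitation of passive monitoring, not of the check.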

base/bif/plugins/Zeek_X509.ocsp_events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary
Events

ocsp_extension: event

This event is raised when an OCSP extension is encountered in an OCSP response.

ocsp_request: event

Event that is raised when encountering an OCSP request, e.g. in an HTTP connection.

ocsp_request_certificate: event

Event that is raised when encountering an OCSP request for a certificate, e.g. in an HTTP connection.

ocsp_response_bytes: event

This event is raised when encountering an OCSP response that contains response information.

ocsp_response_certificate: event

This event is raised for each SingleResponse contained in an OCSP response.

ocsp_response_status: event

This event is raised when encountering an OCSP reply, e.g. in an HTTP connection or a TLS extension.

Detailed Interface
Events
ocsp_extension
Type

event (f: fa_file, ext: X509::Extension, global_resp: bool)

This event is raised when an OCSP extension is encountered in an OCSP response. See RFC 6960 for more details on OCSP.

F

The file.

Ext

The parsed extension (same format as X.509 extensions).

Global_resp

T if extension encountered in the global response (in ResponseData), F when encountered in a SingleResponse.

See also:

ocsp_request
Type

event (f: fa_file, version: count)

Event that is raised when encountering an OCSP request, e.g. in an HTTP connection. See RFC 6960 for more details.

This event is raised exactly once for each OCSP Request.

F

The file.

Version

The version of the OCSP request. Typically 0 (version 1).

See also:

ocsp_request_certificate
Type

event (f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string)

Event that is raised when encountering an OCSP request for a certificate, e.g. in an HTTP connection. See RFC 6960 for more details.

Note that a single OCSP request can contain requests for several certificates. Thus this event can fire several times for one OCSP request, each time requesting information for a different (or in theory even the same) certificate.

F

The file.

HashAlgorithm

The hash algorithm used for issuerNameHash and issuerKeyHash.

IssuerNameHash

Hash of the issuer's distinguished name.

IssuerKeyHash

Hash of the issuer's public key.

SerialNumber

Serial number of the certificate for which the status is requested.

See also:

ocsp_response_bytes
Type

event (f: fa_file, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)

This event is raised when encountering an OCSP response that contains response information. An OCSP reply can be encountered, for example, in an HTTP connection or a TLS extension. See RFC 6960 for more details on OCSP.

F

The file.

Status

The status of the OCSP response (e.g. successful, malformedRequest, tryLater).

Version

Version of the OCSP response (typically 0, for version 1).

ResponderId

The id of the OCSP responder; either a public key hash or a distinguished name.

ProducedAt

Time at which the reply was produced.

SignatureAlgorithm

Algorithm used for the OCSP signature.

Certs

Optional list of certificates that are sent with the OCSP response; these typically are needed to perform validation of the reply.

See also:

ocsp_response_certificate
Type

event (f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revokeTime: time, revokeReason: string, thisUpdate: time, nextUpdate: time)

This event is raised for each SingleResponse contained in an OCSP response. See RFC 6960 for more details on OCSP.

F

The file.

HashAlgorithm

The hash algorithm used for issuerNameHash and issuerKeyHash.

IssuerNameHash

Hash of the issuer’s distinguished name.

IssuerKeyHash

Hash of the issuer’s public key.

SerialNumber

Serial number of the affected certificate.

CertStatus

Status of the certificate.

RevokeTime

Time the certificate was revoked, 0 if not revoked.

RevokeReason

Reason certificate was revoked; empty string if not revoked or not specified.

ThisUpdate

Time this response was generated.

NextUpdate

Time next response will be ready; 0 if not supplied.

See also:

ocsp_response_status
Type

event (f: fa_file, status: string)

This event is raised when encountering an OCSP reply, e.g. in an HTTP connection or a TLS extension. See RFC 6960 for more details.

This event is raised exactly once for each OCSP reply.

F

The file.

Status

The status of the OCSP response (e.g. successful, malformedRequest, tryLater).

See also:
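
ocsp_response_certificate is the event that carries the actual verdict for each certificate in a response, whether the response was stapled into a TLS handshake or fetched over HTTP. The script below is an added example, not part of Zeek's base scripts: it raises a notice when a responder reports a certificate as revoked, and when a response has already passed its nextUpdate, which a client that keeps accepting it is not supposed to do. It relies only on what the event documentation above states: certStatus values such as "revoked", revokeReason empty when not given, and nextUpdate being 0 when the responder supplied none.

```zeek
##! Added example: act on per-certificate OCSP answers. Not part of Zeek's
##! distribution.

@load base/files/x509
@load base/frameworks/notice

module OCSPCheck;

export {
	redef enum Notice::Type += {
		## An OCSP responder reported the certificate as revoked.
		Revoked_Certificate,
		## The OCSP response is past its nextUpdate time.
		Stale_Response,
	};
}

event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string,
                                issuerKeyHash: string, serialNumber: string, certStatus: string,
                                revokeTime: time, revokeReason: string, thisUpdate: time,
                                nextUpdate: time)
	{
	# The serial arrives as raw big-endian bytes; hex is the form used in
	# CRLs, CT logs and vendor advisories, so that is what goes in the notice.
	local serial = bytestring_to_hexstr(serialNumber);

	if ( certStatus == "revoked" )
		NOTICE([$note=Revoked_Certificate, $f=f,
		        $msg=fmt("OCSP: serial %s revoked at %s (%s)", serial,
		                 strftime("%Y-%m-%d %H:%M:%S", revokeTime),
		                 revokeReason == "" ? "no reason given" : revokeReason),
		        $identifier=serial]);

	# nextUpdate is 0 when the responder did not supply one; a supplied value
	# that is already in the past means the response must not be relied on.
	if ( nextUpdate != double_to_time(0.0) && nextUpdate < network_time() )
		NOTICE([$note=Stale_Response, $f=f,
		        $msg=fmt("OCSP: response for serial %s expired at %s", serial,
		                 strftime("%Y-%m-%d %H:%M:%S", nextUpdate)),
		        $identifier=cat(serial, nextUpdate)]);
	}
```

Because the notice carries the file handle, the notice framework fills in the connection the response travelled over, so a stapled "revoked" answer can be traced back to the TLS session that presented it. The serial alone does not identify a certificate globally; combine it with issuerKeyHash if you feed these notices into a cross-CA lookup.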

base/bif/plugins/Zeek_AsciiReader.ascii.bif.zeek

GLOBAL
InputAscii
Namespaces

GLOBAL, InputAscii

Summary
Detailed Interface

base/bif/plugins/Zeek_BenchmarkReader.benchmark.bif.zeek

GLOBAL
InputBenchmark
Namespaces

GLOBAL, InputBenchmark

Summary
Detailed Interface

base/bif/plugins/Zeek_BinaryReader.binary.bif.zeek

GLOBAL
InputBinary
Namespaces

GLOBAL, InputBinary

Summary
Detailed Interface

base/bif/plugins/Zeek_ConfigReader.config.bif.zeek

GLOBAL
InputConfig
Namespaces

GLOBAL, InputConfig

Summary
Detailed Interface

base/bif/plugins/Zeek_RawReader.raw.bif.zeek

GLOBAL
InputRaw
Namespaces

GLOBAL, InputRaw

Summary
Detailed Interface

base/bif/plugins/Zeek_SQLiteReader.sqlite.bif.zeek

GLOBAL
InputSQLite
Namespaces

GLOBAL, InputSQLite

Summary
Detailed Interface

base/bif/plugins/Zeek_AsciiWriter.ascii.bif.zeek

GLOBAL
LogAscii
Namespaces

GLOBAL, LogAscii

Summary
Detailed Interface

base/bif/plugins/Zeek_NoneWriter.none.bif.zeek

GLOBAL
LogNone
Namespaces

GLOBAL, LogNone

Summary
Detailed Interface

base/bif/plugins/Zeek_SQLiteWriter.sqlite.bif.zeek

GLOBAL
LogSQLite
Namespaces

GLOBAL, LogSQLite

Summary
Detailed Interface

base/init-default.zeek

This script loads everything in the base/ script directory. If you want to run Zeek without all of these scripts loaded by default, you can use the -b (--bare-mode) command line argument. You can also copy the “@load” lines from this script to your own script to load only the scripts that you actually want.

Imports

base/files/extract, base/files/hash, base/files/pe, base/files/x509, base/frameworks/analyzer, base/frameworks/cluster, base/frameworks/config, base/frameworks/control, base/frameworks/dpd, base/frameworks/intel, base/frameworks/netcontrol, base/frameworks/notice, base/frameworks/openflow, base/frameworks/packet-filter, base/frameworks/reporter, base/frameworks/signatures, base/frameworks/software, base/frameworks/sumstats, base/frameworks/tunnels, base/misc/find-checksum-offloading.zeek, base/misc/find-filtered-trace.zeek, base/misc/installation.zeek, base/misc/version.zeek, base/protocols/conn, base/protocols/dce-rpc, base/protocols/dhcp, base/protocols/dnp3, base/protocols/dns, base/protocols/ftp, base/protocols/http, base/protocols/imap, base/protocols/irc, base/protocols/krb, base/protocols/modbus, base/protocols/mqtt, base/protocols/mysql, base/protocols/ntlm, base/protocols/ntp, base/protocols/pop3, base/protocols/radius, base/protocols/rdp, base/protocols/rfb, base/protocols/sip, base/protocols/smb, base/protocols/smtp, base/protocols/snmp, base/protocols/socks, base/protocols/ssh, base/protocols/ssl, base/protocols/syslog, base/protocols/tunnels, base/protocols/xmpp, base/utils/active-http.zeek, base/utils/addrs.zeek, base/utils/backtrace.zeek, base/utils/conn-ids.zeek, base/utils/dir.zeek, base/utils/directions-and-hosts.zeek, base/utils/email.zeek, base/utils/exec.zeek, base/utils/files.zeek, base/utils/geoip-distance.zeek, base/utils/hash_hrw.zeek, base/utils/numbers.zeek, base/utils/paths.zeek, base/utils/patterns.zeek, base/utils/queue.zeek, base/utils/site.zeek, base/utils/strings.zeek, base/utils/thresholds.zeek, base/utils/time.zeek, base/utils/urls.zeek

Summary
Detailed Interface

base/utils/active-http.zeek

ActiveHTTP

A module for performing active HTTP requests and getting the reply at runtime.

Namespace

ActiveHTTP

Imports

base/utils/exec.zeek

Summary
Runtime Options

ActiveHTTP::default_max_time: interval &redef

The default timeout for HTTP requests.

ActiveHTTP::default_method: string &redef

The default HTTP method/verb to use for requests.

Types

ActiveHTTP::Request: record

ActiveHTTP::Response: record

Functions

ActiveHTTP::request: function

Perform an HTTP request according to the ActiveHTTP::Request record.

Detailed Interface
Runtime Options
ActiveHTTP::default_max_time
Type

interval

Attributes

&redef

Default

1.0 min

The default timeout for HTTP requests.

ActiveHTTP::default_method
Type

string

Attributes

&redef

Default

"GET"

The default HTTP method/verb to use for requests.

Types
ActiveHTTP::Request
Type

record

url: string

The URL being requested.

method: string &default = ActiveHTTP::default_method &optional

The HTTP method/verb to use for the request.

client_data: string &optional

Data to send to the server in the client body. Keep in mind that you will probably need to set the method field to “POST” or “PUT”.

max_time: interval &default = ActiveHTTP::default_max_time &optional

Timeout for the request.

addl_curl_args: string &optional

Additional curl command line arguments. Be very careful with this option since shell injection could take place if careful handling of untrusted data is not applied.

ActiveHTTP::Response
Type

record

code: count

Numeric response code from the server.

msg: string

String response message from the server.

body: string &optional

Full body of the response.

headers: table [string] of string &optional

All headers returned by the server.

Functions
ActiveHTTP::request
Type

function (req: ActiveHTTP::Request) : ActiveHTTP::Response

Perform an HTTP request according to the ActiveHTTP::Request record. This is an asynchronous function and must be called within a “when” statement.

Req

A record instance representing all options for an HTTP request.

Returns

A record with the full response message.
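
Because ActiveHTTP::request is asynchronous, the call only makes sense inside a "when" statement, with a timeout branch for the case where the reply never comes. The script below is an added example, not from the Zeek distribution: it sends every SHA-256 digest produced by the file analysis framework to an HTTP reputation service and raises a notice on a hit. The URL, the 200 response code and the "malicious" marker in the reply body are placeholders for a hypothetical API; substitute whatever service you actually use. It is written for the capture-less "when" form this page's Zeek version uses; on Zeek 5.0 and later, add an explicit capture list ("when [f, hash] ( ... )") to keep the locals alive across the wait.

```zeek
##! Added example: look up file digests against an HTTP reputation service.
##! Not part of Zeek's distribution; the endpoint is hypothetical.

@load base/utils/active-http
@load base/files/hash
@load base/frameworks/notice

module HashLookup;

export {
	redef enum Notice::Type += {
		## A reputation service flagged the file's digest.
		Known_Bad_Hash,
	};

	## Hypothetical reputation API; the hex digest is appended to the path.
	const lookup_url = "http://reputation.example.invalid/sha256/" &redef;
}

event file_hash(f: fa_file, kind: string, hash: string)
	{
	if ( kind != "sha256" )
		return;

	# A hex digest is safe to splice into a URL; anything else would need
	# percent-encoding first, since the URL ends up on a curl command line.
	local req = ActiveHTTP::Request($url=lookup_url + hash, $max_time=10 sec);

	# The body runs once the reply is in; the timeout branch runs otherwise.
	# The "when" timeout is kept above max_time so curl gives up first.
	when ( local resp = ActiveHTTP::request(req) )
		{
		if ( resp$code == 200 && resp?$body && /"malicious"/ in resp$body )
			NOTICE([$note=Known_Bad_Hash, $f=f,
			        $msg=fmt("file %s with sha256 %s flagged by reputation service", f$id, hash),
			        $identifier=hash]);
		}
	timeout 15 sec
		{
		Reporter::warning(fmt("hash lookup for %s timed out", hash));
		}
	}
```

Every lookup spawns a curl process, so on a busy sensor this belongs behind a cache of recently queried digests and a rate limit; the example omits both to keep the asynchronous pattern visible.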

base/utils/exec.zeek

Exec

A module for executing external command line programs.

Namespace

Exec

Imports

base/frameworks/input

Summary
Types

Exec::Command: record

Exec::Result: record

Functions

Exec::run: function

Function for running command line programs and getting output.

Detailed Interface
Types
Exec::Command
Type

record

cmd: string

The command line to execute. Use care to avoid injection attacks (i.e., if the command uses untrusted/variable data, sanitize it with safe_shell_quote).

stdin: string &default = "" &optional

Provide standard input to the program as a string.

read_files: set [string] &optional

If additional files are required to be read in as part of the output of the command they can be defined here.

uid: string &default = q3FkxySjt2a &optional

The unique id for tracking executors.

Exec::Result
Type

record

exit_code: count &default = 0 &optional

Exit code from the program.

signal_exit: bool &default = F &optional

True if the command was terminated with a signal.

stdout: vector of string &optional

Each line of standard output.

stderr: vector of string &optional

Each line of standard error.

files: table [string] of string_vec &optional

If additional files were requested to be read in the content of the files will be available here.

Functions
Exec::run
Type

function (cmd: Exec::Command) : Exec::Result

Function for running command line programs and getting output. This is an asynchronous function which is meant to be run with the when statement.

Cmd

The command to run. Use care to avoid injection attacks!

Returns

A record representing the full results from the external program execution.
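
The injection warning on Exec::Command is not theoretical: the command string is handed to a shell, so any attacker-influenced text spliced into it unquoted becomes code running on the sensor. The script below is an added example, not code from the Zeek distribution: it runs the whois client for domain names seen in DNS answers, which are exactly such attacker-controlled input (a query for a name like "evil.ru;id" would, unquoted, execute id on the sensor). The suffix filter, the whois server and the "refer:" line parsing are illustrative, and whois is assumed to be installed.

```zeek
##! Added example: run an external command on untrusted input, quoted
##! correctly. Not part of Zeek's distribution.

@load base/utils/exec
@load base/protocols/dns

module WhoisLookup;

export {
	## Only look up names under these TLDs to keep the lookup volume down.
	const watched_suffixes: pattern = /\.(ru|su)$/ &redef;
}

## Builds the command line. The untrusted name goes through safe_shell_quote,
## which wraps it in single quotes and escapes any embedded single quote, so
## metacharacters such as ; | ` $ in the name are inert.
function build_cmd(name: string): string
	{
	return fmt("whois -h whois.iana.org %s", safe_shell_quote(name));
	}

event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
	{
	if ( watched_suffixes !in ans$query )
		return;

	local query = ans$query;
	local cmd = Exec::Command($cmd=build_cmd(query));

	# Exec::run hands the command to the input framework and returns once the
	# program has exited, so it must be called from a "when" block.
	when ( local res = Exec::run(cmd) )
		{
		if ( res$exit_code != 0 || ! res?$stdout )
			{
			Reporter::warning(fmt("whois for %s failed with exit code %d", query, res$exit_code));
			return;
			}

		for ( i in res$stdout )
			{
			if ( /^refer:/ in res$stdout[i] )
				print fmt("%s resolved to %s; %s", query, a, res$stdout[i]);
			}
		}
	timeout 30 sec
		{
		Reporter::warning(fmt("whois for %s timed out", query));
		}
	}
```

build_cmd("evil.ru;id") yields whois -h whois.iana.org 'evil.ru;id', a single argument to whois rather than two shell commands. The same rule applies to ActiveHTTP's addl_curl_args field, which is spliced into a curl command line the same way.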

base/utils/addrs.zeek

Functions for parsing and manipulating IP and MAC addresses.

Summary
Constants

ip_addr_regex: pattern

ipv4_addr_regex: pattern

ipv4_decim: pattern

ipv6_8hex_regex: pattern

ipv6_addr_regex: pattern

ipv6_compressed_hex4dec_regex: pattern

ipv6_compressed_hex_regex: pattern

ipv6_compressed_hext4dec_lead_hextets0: pattern

ipv6_compressed_hext4dec_lead_hextets1: pattern

ipv6_compressed_hext4dec_lead_hextets2: pattern

ipv6_compressed_hext4dec_lead_hextets3: pattern

ipv6_compressed_hext4dec_lead_hextets4: pattern

ipv6_compressed_hext4dec_lead_hextets5: pattern

ipv6_compressed_lead_hextets0: pattern

ipv6_compressed_lead_hextets1: pattern

ipv6_compressed_lead_hextets2: pattern

ipv6_compressed_lead_hextets3: pattern

ipv6_compressed_lead_hextets4: pattern

ipv6_compressed_lead_hextets5: pattern

ipv6_compressed_lead_hextets6: pattern

ipv6_compressed_lead_hextets7: pattern

ipv6_hex4dec_regex: pattern

ipv6_hextet: pattern

Functions

addr_to_uri: function

Returns the string representation of an IP address suitable for inclusion in a URI.

extract_ip_addresses: function

Extracts all IP (v4 or v6) address strings from a given string.

has_valid_octets: function

Checks if all elements of a string array are a valid octet value.

normalize_mac: function

Given a string, extracts the hex digits and returns a MAC address in the format: 00:a0:32:d7:81:8f.

Detailed Interface
Constants
ip_addr_regex
Type

pattern

Default
/^?((^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)|(^?((^?((^?((^?((^?(([0-9A-Fa-f]{1,4}:){7})$?)(^?([0-9A-Fa-f]{1,4})$?))$?)|(^?((^?((^?((^?((^?((^?((^?((^?(::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,6})?)$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,5})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){1}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,4})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){2}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,3})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){3}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,2})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){4}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,1})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){5}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,0})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){6}::)$?))$?))$?)|(^?((^?(([0-9A-Fa-f]{1,4}:){6})$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?)|(^?((^?((^?((^?((^?((^?((^?(::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,4})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?)|(^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0}::([0-9A-Fa-f]{1,4}(
:[0-9A-Fa-f]{1,4}){0,3})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?)|(^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){1}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,2})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?)|(^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){2}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,1})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?)|(^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){3}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,0})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?)|(^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){4}::)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5
])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?))$?))$?/
ipv4_addr_regex
Type

pattern

Default
/^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?/
ipv4_decim
Type

pattern

Default
/^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?/
ipv6_8hex_regex
Type

pattern

Default
/^?((^?(([0-9A-Fa-f]{1,4}:){7})$?)(^?([0-9A-Fa-f]{1,4})$?))$?/
ipv6_addr_regex
Type

pattern

Default
/^?((^?((^?((^?((^?(([0-9A-Fa-f]{1,4}:){7})$?)(^?([0-9A-Fa-f]{1,4})$?))$?)|(^?((^?((^?((^?((^?((^?((^?((^?(::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,6})?)$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,5})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){1}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,4})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){2}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,3})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){3}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,2})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){4}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,1})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){5}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,0})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){6}::)$?))$?))$?)|(^?((^?(([0-9A-Fa-f]{1,4}:){6})$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?)|(^?((^?((^?((^?((^?((^?((^?(::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,4})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?)|(^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,3})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0
-4][0-9]|25[0-5])$?))$?))$?))$?)|(^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){1}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,2})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?)|(^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){2}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,1})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?)|(^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){3}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,0})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?)|(^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){4}::)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?))$?/
ipv6_compressed_hex4dec_regex
Type

pattern

Default
/^?((^?((^?((^?((^?((^?((^?(::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,4})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?)|(^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,3})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?)|(^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){1}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,2})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?)|(^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){2}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,1})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?)|(^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){3}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,0})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25
[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?)|(^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){4}::)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?))$?/
ipv6_compressed_hex_regex
Type

pattern

Default
/^?((^?((^?((^?((^?((^?((^?((^?(::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,6})?)$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,5})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){1}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,4})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){2}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,3})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){3}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,2})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){4}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,1})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){5}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,0})?)$?))$?)|(^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){6}::)$?))$?/
ipv6_compressed_hext4dec_lead_hextets0
Type

pattern

Default
/^?((^?(::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,4})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?/
ipv6_compressed_hext4dec_lead_hextets1
Type

pattern

Default
/^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,3})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?/
ipv6_compressed_hext4dec_lead_hextets2
Type

pattern

Default
/^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){1}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,2})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?/
ipv6_compressed_hext4dec_lead_hextets3
Type

pattern

Default
/^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){2}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,1})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?/
ipv6_compressed_hext4dec_lead_hextets4
Type

pattern

Default
/^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){3}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,0})?)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?/
ipv6_compressed_hext4dec_lead_hextets5
Type

pattern

Default
/^?((^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){4}::)$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?/
ipv6_compressed_lead_hextets0
Type

pattern

Default
/^?(::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,6})?)$?/
ipv6_compressed_lead_hextets1
Type

pattern

Default
/^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,5})?)$?/
ipv6_compressed_lead_hextets2
Type

pattern

Default
/^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){1}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,4})?)$?/
ipv6_compressed_lead_hextets3
Type

pattern

Default
/^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){2}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,3})?)$?/
ipv6_compressed_lead_hextets4
Type

pattern

Default
/^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){3}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,2})?)$?/
ipv6_compressed_lead_hextets5
Type

pattern

Default
/^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){4}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,1})?)$?/
ipv6_compressed_lead_hextets6
Type

pattern

Default
/^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){5}::([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){0,0})?)$?/
ipv6_compressed_lead_hextets7
Type

pattern

Default
/^?([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){6}::)$?/
ipv6_hex4dec_regex
Type

pattern

Default
/^?((^?(([0-9A-Fa-f]{1,4}:){6})$?)(^?((^?((^?((^?((^?((^?((^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?)(^?(\.)$?))$?)(^?([0-9]{1}|[0-9]{2}|0[0-9]{2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$?))$?))$?/
ipv6_hextet
Type

pattern

Default
/^?([0-9A-Fa-f]{1,4})$?/
Functions
addr_to_uri
Type

function (a: addr) : string

Returns the string representation of an IP address suitable for inclusion in a URI. For IPv4, this does no special formatting, but for IPv6, the address is included in square brackets.

a

the address to make suitable for URI inclusion.

Returns

the string representation of the address suitable for URI inclusion.

extract_ip_addresses
Type

function (input: string, check_wrapping: bool &default = F &optional) : string_vec

Extracts all IP (v4 or v6) address strings from a given string.

input

a string that may contain an IP address anywhere within it.

check_wrapping

if true, will only return IP addresses that are wrapped in matching pairs of spaces, square brackets, curly braces, or parens. This can be used to avoid extracting strings that look like IPs from innocuous strings, such as SMTP headers.

Returns

an array containing all valid IP address strings found in input.
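
The difference the check_wrapping flag makes is easiest to see on header text. The following is an added example, not code from Zeek's base/utils/addrs.zeek; the two "Received:" header bodies are constructed for illustration, and the message id deliberately contains a digit run ("1.2.3.4abc") that looks like an address but is not one.

```zeek
@load base/utils/addrs

# Constructed sample "Received:" header bodies (not real mail).
global sample_received = vector(
    "from mail.example.net (mail.example.net [203.0.113.7]) by mx.example.org with ESMTPS id 1.2.3.4abc",
    "from [2001:db8::1] (helo=relay.example.com) by mx.example.org; Mon, 1 Jan 2024 00:00:00 +0000");

# Print each extracted address together with its URI-safe form;
# addr_to_uri brackets IPv6 so the result can be spliced into a URL.
function report_ips(label: string, ips: string_vec)
    {
    print fmt("%s: %d address(es)", label, |ips|);
    for ( i in ips )
        {
        local a = to_addr(ips[i]);
        print fmt("  %s -> %s", ips[i], addr_to_uri(a));
        }
    }

event zeek_init()
    {
    for ( i in sample_received )
        {
        local line = sample_received[i];
        # Default: every substring that parses as an IP is returned, so the
        # "1.2.3.4" prefix of the message id on the first line is included.
        report_ips("loose ", extract_ip_addresses(line));
        # check_wrapping=T: only addresses set off by matching spaces,
        # brackets, braces or parens survive, which drops the message-id hit
        # while keeping "[203.0.113.7]" and "[2001:db8::1]".
        report_ips("strict", extract_ip_addresses(line, T));
        }
    }
```

When scanning free text such as mail headers or HTTP bodies, start with check_wrapping=T and only fall back to the loose mode when you control the input format; the loose mode will happily turn version strings and message ids into "addresses".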

has_valid_octets
Type

function (octets: string_vec) : bool

Checks if all elements of a string array are a valid octet value.

octets

an array of strings to check for valid octet values.

Returns

T if every element is between 0 and 255, inclusive, else F.

normalize_mac
Type

function (a: string) : string

Given a string, extracts the hex digits and returns a MAC address in the format: 00:a0:32:d7:81:8f. If the string doesn’t contain 12 or 16 hex digits, an empty string is returned.

a

the string to normalize.

Returns

a normalized MAC address, or an empty string in the case of an error.

base/utils/backtrace.zeek

Summary
Functions

print_backtrace: function

Prints a Zeek function call stack.

Detailed Interface
Functions
print_backtrace
Type

function (show_args: bool &default = F &optional, one_line: bool &default = F &optional, one_line_delim: string &default = "|" &optional, skip: count &default = 1 &optional, to_file: file &default = file "/dev/stdout" of string &optional) : void

Prints a Zeek function call stack.

show_args

whether to print function argument names/types/values.

one_line

whether to print the stack in a single line or multiple.

one_line_delim

delimiter between stack elements if printing to one line.

skip

the number of call stack elements to skip past, starting from zero, with that being the call to this function.

to_file

the file to which the call stack will be printed.

base/utils/conn-ids.zeek

GLOBAL

Simple functions for generating ASCII strings from connection IDs.

Namespace

GLOBAL

Summary
Functions

directed_id_string: function

Calls id_string or reverse_id_string if the second argument is T or F, respectively.

id_string: function

Takes a conn_id record and returns a string representation with the general data flow appearing to be from the connection originator on the left to the responder on the right.

reverse_id_string: function

Takes a conn_id record and returns a string representation with the general data flow appearing to be from the connection responder on the right to the originator on the left.

Detailed Interface
Functions
directed_id_string
Type

function (id: conn_id, is_orig: bool) : string

Calls id_string or reverse_id_string if the second argument is T or F, respectively.

id_string
Type

function (id: conn_id) : string

Takes a conn_id record and returns a string representation with the general data flow appearing to be from the connection originator on the left to the responder on the right.

reverse_id_string
Type

function (id: conn_id) : string

Takes a conn_id record and returns a string representation with the general data flow appearing to be from the connection responder on the right to the originator on the left.

base/utils/dir.zeek

Dir
Namespace

Dir

Imports

base/frameworks/reporter, base/utils/exec.zeek, base/utils/paths.zeek

Summary
Runtime Options

Dir::polling_interval: interval &redef

The default interval this module checks for files in directories when using the Dir::monitor function.

Functions

Dir::monitor: function

Register a directory to monitor with a callback that is called every time a previously unseen file is seen.

Detailed Interface
Runtime Options
Dir::polling_interval
Type

interval

Attributes

&redef

Default

30.0 secs

The default interval this module checks for files in directories when using the Dir::monitor function.

Functions
Dir::monitor
Type

function (dir: string, callback: function (fname: string) : void, poll_interval: interval &default = Dir::polling_interval &optional) : void

Register a directory to monitor with a callback that is called every time a previously unseen file is seen. If a file is deleted and seen to be gone, then the file is available for being seen again in the future.

dir

The directory to monitor for files.

callback

Callback that gets executed with each file name that is found. Filenames are provided with the full path.

poll_interval

An interval at which to check for new files.
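
A typical use is watching a drop directory into which other tooling writes files for Zeek to pick up. The following is an added example and not part of base/utils/dir.zeek; the directory path, the accepted extensions and the 10-second poll interval are assumptions.

```zeek
@load base/utils/dir
@load base/frameworks/reporter

# Assumed drop directory; override with "redef drop_dir = ...".
const drop_dir = "/var/lib/zeek/drop" &redef;

# Files noticed so far, keyed by full path, with the time each was first seen.
global seen_drops: table[string] of time;

# Dir::monitor calls this once per previously unseen file name.
function on_drop_file(fname: string)
    {
    # Ignore editor temp files and anything without an expected extension.
    if ( /\.(txt|csv)$/ !in fname )
        return;

    # A file that was deleted and then recreated is reported again by
    # Dir::monitor, so a repeat here means the file was replaced.
    if ( fname in seen_drops )
        Reporter::warning(fmt("drop file replaced: %s (first seen %T)", fname, seen_drops[fname]));
    else
        Reporter::info(fmt("new drop file: %s", fname));

    seen_drops[fname] = network_time();
    }

event zeek_init()
    {
    # Poll every 10 seconds instead of the default Dir::polling_interval (30 secs).
    Dir::monitor(drop_dir, on_drop_file, 10secs);
    }
```

Because Dir::monitor only tracks file names, a file that is overwritten in place without being deleted is not reported again; if you need to react to content changes, hash the file in the callback and compare.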

base/frameworks/reporter/__load__.zeek

Imports

base/frameworks/reporter/main.zeek

Summary
Detailed Interface

base/frameworks/reporter/main.zeek

Reporter

This framework is intended to create an output and filtering path for internal messages/warnings/errors. It should typically be loaded to log such messages to a file in a standard way. For the options to toggle whether messages are additionally written to STDERR, see Reporter::info_to_stderr, Reporter::warnings_to_stderr, and Reporter::errors_to_stderr.

Note that this framework deals with the handling of internally generated reporter messages, for the interface into actually creating reporter messages from the scripting layer, use the built-in functions in base/bif/reporter.bif.zeek.

Namespace

Reporter

Summary
Types

Reporter::Info: record

The record type which contains the column fields of the reporter log.

Redefinitions

Log::ID: enum

The reporter logging stream identifier.

Hooks

Reporter::log_policy: Log::PolicyHook

A default logging policy hook for the stream.

Detailed Interface
Types
Reporter::Info
Type

record

ts: time &log

The network time at which the reporter event was generated.

level: Reporter::Level &log

The severity of the reporter message. INFO marks informational messages that need no specific attention; WARNING marks a potential problem; ERROR marks a non-fatal error that should be addressed but does not terminate program execution.

message: string &log

An info/warning/error message that could have either been generated from the internal Zeek core or at the scripting-layer.

location: string &log &optional

This is the location in a Zeek script where the message originated. Not all reporter messages will have locations in them though.

The record type which contains the column fields of the reporter log.

Hooks
Reporter::log_policy
Type

Log::PolicyHook

A default logging policy hook for the stream.
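
The policy hook is the place to filter what reaches reporter.log without touching the framework itself. The following is an added example, not code shipped with the reporter framework: it drops INFO-level entries from the log, counts ERROR entries, and generates a few script-layer messages through the reporter BIFs so the effect is visible in a stand-alone run. The message texts are constructed.

```zeek
@load base/frameworks/reporter

global reporter_error_count = 0;

# A Log::PolicyHook handler sees every record about to be written to the
# stream; "break" vetoes the write for that one record.
hook Reporter::log_policy(rec: Reporter::Info, id: Log::ID, filter: Log::Filter)
    {
    if ( rec$level == Reporter::INFO )
        break;

    if ( rec$level == Reporter::ERROR )
        ++reporter_error_count;
    }

event zeek_init()
    {
    # Script-layer messages are created with the BIFs from reporter.bif.zeek.
    Reporter::info("startup housekeeping done");    # vetoed by the hook above
    Reporter::warning("constructed sample warning");  # written to reporter.log
    Reporter::error("constructed sample error");      # written and counted
    }

event zeek_done()
    {
    print fmt("ERROR entries written to reporter.log: %d", reporter_error_count);
    }
```

The hook only affects the log stream; whether the same messages also go to STDERR is still governed by Reporter::info_to_stderr, Reporter::warnings_to_stderr and Reporter::errors_to_stderr.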

base/utils/paths.zeek

Functions to parse and manipulate UNIX style paths and directories.

Summary
Constants

absolute_path_pat: pattern

Functions

build_path: function

Constructs a path to a file given a directory and a file name.

build_path_compressed: function

Returns a compressed path to a file given a directory and file name.

extract_path: function

Given an arbitrary string, extracts a single, absolute path (directory with filename).

Detailed Interface
Constants
absolute_path_pat
Type

pattern

Default
/^?((\/|[A-Za-z]:[\\\/]).*)$?/
Functions
build_path
Type

function (dir: string, file_name: string) : string

Constructs a path to a file given a directory and a file name.

dir

the directory in which the file lives.

file_name

the name of the file.

Returns

the concatenation of the directory path and file name, or just the file name if it’s already an absolute path or dir is empty.

build_path_compressed
Type

function (dir: string, file_name: string) : string

Returns a compressed path to a file given a directory and file name. See build_path and compress_path.

extract_path
Type

function (input: string) : string

Given an arbitrary string, extracts a single, absolute path (directory with filename).

Todo

Make this work on Windows-style directories.

input

a string that may contain an absolute path.

Returns

the first absolute path found in input string, else an empty string.

base/utils/directions-and-hosts.zeek

Imports

base/utils/site.zeek

Summary
Types

Direction: enum

Host: enum

Functions

addr_matches_host: function

Checks whether a given host (IP address) matches a given host type.

id_matches_direction: function

Checks whether a given connection is of a given direction with respect to the locally-monitored network.

Detailed Interface
Types
Direction
Type

enum

INBOUND

The connection originator is not within the locally-monitored network, but the other endpoint is.

OUTBOUND

The connection originator is within the locally-monitored network, but the other endpoint is not.

BIDIRECTIONAL

Only one endpoint is within the locally-monitored network, meaning the connection is either outbound or inbound.

NO_DIRECTION

This value doesn’t match any connection.

Host
Type

enum

LOCAL_HOSTS

A host within the locally-monitored network.

REMOTE_HOSTS

A host not within the locally-monitored network.

ALL_HOSTS

Any host.

NO_HOSTS

This value doesn’t match any host.

Functions
addr_matches_host
Type

function (ip: addr, h: Host) : bool

Checks whether a given host (IP address) matches a given host type.

ip

address of a host.

h

a host type.

Returns

T if the given host matches the given type, else F.

id_matches_direction
Type

function (id: conn_id, d: Direction) : bool

Checks whether a given connection is of a given direction with respect to the locally-monitored network.

id

a connection record containing the originator/responder hosts.

d

a direction with respect to the locally-monitored network.

Returns

T if the two connection endpoints match the given direction, else F.
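
Both helpers depend on Site::local_nets, so they are only meaningful once the monitored address space is configured. The following is an added example and not part of base/utils/directions-and-hosts.zeek: it classifies connection ids by direction and reports completed inbound sessions to administrative ports. The admin port list, the 10.0.0.0/8 local net and the three connection ids are assumptions constructed for the demonstration.

```zeek
@load base/utils/directions-and-hosts
@load base/utils/conn-ids

# Constructed for this example only; in a deployment networks.cfg
# populates Site::local_nets and this redef should be removed.
redef Site::local_nets += { 10.0.0.0/8 };

# Assumed set of administrative services.
const admin_ports: set[port] = { 22/tcp, 3389/tcp, 5900/tcp } &redef;

# Name the direction of a connection id relative to Site::local_nets.
function classify(id: conn_id): string
    {
    if ( id_matches_direction(id, INBOUND) )
        return "inbound";
    if ( id_matches_direction(id, OUTBOUND) )
        return "outbound";
    # Neither matched: both ends are local, or both are remote.
    return addr_matches_host(id$orig_h, LOCAL_HOSTS) ? "internal" : "external";
    }

# Report completed handshakes that cross the perimeter into a local admin port.
event connection_established(c: connection)
    {
    if ( c$id$resp_p in admin_ports && id_matches_direction(c$id, INBOUND) )
        print fmt("inbound admin session: %s", id_string(c$id));
    }

event zeek_init()
    {
    # Constructed connection ids covering the three interesting cases.
    local from_outside: conn_id = [$orig_h=198.51.100.5, $orig_p=50000/tcp, $resp_h=10.1.2.3, $resp_p=22/tcp];
    local to_outside: conn_id   = [$orig_h=10.1.2.3, $orig_p=50001/tcp, $resp_h=198.51.100.5, $resp_p=443/tcp];
    local lateral: conn_id      = [$orig_h=10.1.2.3, $orig_p=50002/tcp, $resp_h=10.9.9.9, $resp_p=3389/tcp];

    print fmt("%s -> %s", id_string(from_outside), classify(from_outside));  # inbound
    print fmt("%s -> %s", id_string(to_outside), classify(to_outside));      # outbound
    print fmt("%s -> %s", id_string(lateral), classify(lateral));            # internal
    }
```

Note that BIDIRECTIONAL is not the same as "internal": it matches exactly the connections that INBOUND or OUTBOUND would match, which is why the classifier above falls through to addr_matches_host for the local-to-local case.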

base/utils/email.zeek

Summary
Functions

extract_email_addrs_set: function

Extract mail addresses out of address specifications conforming to RFC5322.

extract_email_addrs_vec: function

Extract mail addresses out of address specifications conforming to RFC5322.

extract_first_email_addr: function

Extract the first email address from a string.

split_mime_email_addresses: function

Split email addresses from MIME headers.

Detailed Interface
Functions
extract_email_addrs_set
Type

function (str: string) : set [string]

Extract mail addresses out of address specifications conforming to RFC5322.

str

A string potentially containing email addresses.

Returns

A set of extracted email addresses. An empty set is returned if no email addresses are discovered.

extract_email_addrs_vec
Type

function (str: string) : string_vec

Extract mail addresses out of address specifications conforming to RFC5322.

str

A string potentially containing email addresses.

Returns

A vector of extracted email addresses. An empty vector is returned if no email addresses are discovered.

extract_first_email_addr
Type

function (str: string) : string

Extract the first email address from a string.

str

A string potentially containing email addresses.

Returns

An email address or empty string if none found.

split_mime_email_addresses
Type

function (line: string) : set [string]

Split email addresses from MIME headers. The email addresses will include the display name and email address as given by the mail client. Note that this currently does not account for MIME group addresses and won’t handle them correctly; the group name will show up as part of an email address.

line

The argument from a MIME header.

Returns

A set of addresses, or an empty set if none are found.

base/utils/files.zeek

Imports

base/utils/addrs.zeek

Summary
Functions

extract_filename_from_content_disposition: function

For CONTENT-DISPOSITION headers, this function can be used to extract the filename.

generate_extraction_filename: function

This function can be used to generate a consistent filename for when contents of a file, stream, or connection are being extracted to disk.

Detailed Interface
Functions
extract_filename_from_content_disposition
Type

function (data: string) : string

For CONTENT-DISPOSITION headers, this function can be used to extract the filename.

generate_extraction_filename
Type

function (prefix: string, c: connection, suffix: string) : string

This function can be used to generate a consistent filename for when contents of a file, stream, or connection are being extracted to disk.

base/utils/geoip-distance.zeek

Functions to calculate distance between two locations, based on GeoIP data.

Summary
Functions

haversine_distance_ip: function

Returns the distance between two IP addresses using the haversine formula, based on GeoIP database locations.

Detailed Interface
Functions
haversine_distance_ip
Type

function (a1: addr, a2: addr) : double

Returns the distance between two IP addresses using the haversine formula, based on GeoIP database locations. Requires Zeek to be built with GeoIP.

a1

First IP address.

a2

Second IP address.

Returns

The distance between a1 and a2 in miles, or -1.0 if GeoIP data is not available for either of the IP addresses.

base/utils/hash_hrw.zeek

HashHRW

An implementation of highest random weight (HRW) hashing, also called rendezvous hashing. See https://en.wikipedia.org/wiki/Rendezvous_hashing.

Namespace

HashHRW

Summary
Types

HashHRW::Pool: record

A collection of sites to distribute keys across.

HashHRW::Site: record

A site/node is a unique location to which you want a subset of keys to be distributed.

HashHRW::SiteTable: table

A table of sites, indexed by their id.

Functions

HashHRW::add_site: function

Add a site to a pool.

HashHRW::get_site: function

Returns: the site to which the key maps.

HashHRW::rem_site: function

Remove a site from a pool.

Detailed Interface
Types
HashHRW::Pool
Type

record

sites: HashHRW::SiteTable &default = {  } &optional

A collection of sites to distribute keys across.

HashHRW::Site
Type

record

id: count

A unique identifier for the site, should not exceed what can be contained in a 32-bit integer.

user_data: any &optional

Other data to associate with the site.

A site/node is a unique location to which you want a subset of keys to be distributed.

HashHRW::SiteTable
Type

table [count] of HashHRW::Site

A table of sites, indexed by their id.

Functions
HashHRW::add_site
Type

function (pool: HashHRW::Pool, site: HashHRW::Site) : bool

Add a site to a pool.

Returns

F if the site is already in the pool, else T.

HashHRW::get_site
Type

function (pool: HashHRW::Pool, key: any) : HashHRW::Site

Returns

the site to which the key maps.

HashHRW::rem_site
Type

function (pool: HashHRW::Pool, site: HashHRW::Site) : bool

Remove a site from a pool.

Returns

F if the site is not in the pool, else T.
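
The property that makes rendezvous hashing useful for sharding state across cluster nodes is that removing a site only remaps the keys that were on that site. The following is an added example, not part of base/utils/hash_hrw.zeek; the three worker sites and the six source-address keys are constructed for the demonstration.

```zeek
@load base/utils/hash_hrw

global pool: HashHRW::Pool;

# Map every key to the id of the site HRW hashing selects for it.
function assign(keys: vector of string): table[string] of count
    {
    local out: table[string] of count;
    for ( i in keys )
        out[keys[i]] = HashHRW::get_site(pool, keys[i])$id;
    return out;
    }

event zeek_init()
    {
    # Constructed sites; user_data is free-form and here just names the worker.
    HashHRW::add_site(pool, [$id=1, $user_data="worker-1"]);
    HashHRW::add_site(pool, [$id=2, $user_data="worker-2"]);
    HashHRW::add_site(pool, [$id=3, $user_data="worker-3"]);
    # Adding the same id twice is rejected.
    if ( ! HashHRW::add_site(pool, [$id=3]) )
        print "site 3 already present";

    local keys = vector("10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.5", "10.0.0.6");
    local before = assign(keys);
    for ( k in before )
        print fmt("%s -> site %d", k, before[k]);

    # Remove one site: only keys that lived on site 2 should change owner.
    HashHRW::rem_site(pool, [$id=2]);
    local after = assign(keys);

    local moved = 0;
    for ( k in before )
        {
        if ( before[k] == after[k] )
            next;
        ++moved;
        if ( before[k] != 2 )
            print fmt("unexpected move for %s: %d -> %d", k, before[k], after[k]);
        }
    print fmt("%d of %d keys moved after removing site 2", moved, |keys|);
    }
```

Because get_site accepts any key type, the same pool can shard connections (by conn_id), hosts (by addr) or file ids; keep site ids within 32 bits as the Site record documents.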

base/utils/numbers.zeek

Summary
Functions

extract_count: function

Extract an integer from a string.

Detailed Interface
Functions
extract_count
Type

function (s: string, get_first: bool &default = T &optional) : count

Extract an integer from a string.

s

The string to search for a number.

get_first

Provide F if you would like the last number found.

Returns

The requested integer from the given string, or 0 if no integer was found.

base/utils/queue.zeek

Queue

A FIFO queue.

Namespace

Queue

Summary
Types

Queue::Queue: record

The internal data structure for the queue.

Queue::Settings: record

Settings for initializing the queue.

Redefinitions

Queue::Queue: record

New Fields

Queue::Queue

initialized: bool &default = F &optional

vals: table [count] of any &optional

settings: Queue::Settings &optional

top: count &default = 0 &optional

bottom: count &default = 0 &optional

size: count &default = 0 &optional

Functions

Queue::get: function

Get a value from the end of a queue.

Queue::get_vector: function

Get the contents of the queue as a vector.

Queue::init: function

Initialize a queue record structure.

Queue::len: function

Get the number of items in a queue.

Queue::merge: function

Merge two queues together.

Queue::peek: function

Peek at the value at the end of the queue without removing it.

Queue::put: function

Put a value onto the beginning of a queue.

Detailed Interface
Types
Queue::Queue
Type

record

initialized: bool &default = F &optional

vals: table [count] of any &optional

settings: Queue::Settings &optional

top: count &default = 0 &optional

bottom: count &default = 0 &optional

size: count &default = 0 &optional

The internal data structure for the queue.

Queue::Settings
Type

record

max_len: count &optional

If a maximum length is set for the queue it will maintain itself at that maximum length automatically.

Settings for initializing the queue.

Functions
Queue::get
Type

function (q: Queue::Queue) : any

Get a value from the end of a queue.

q

The queue to get the value from.

Returns

The value gotten from the queue.

Queue::get_vector
Type

function (q: Queue::Queue, ret: vector of any) : void

Get the contents of the queue as a vector.

q

The queue.

ret

A vector that receives the current contents of the queue; the element type of ret determines the type the values are returned as.

Queue::init
Type

function (s: Queue::Settings &default = [] &optional) : Queue::Queue

Initialize a queue record structure.

s

A record which configures the queue.

Returns

An opaque queue record.

Queue::len
Type

function (q: Queue::Queue) : count

Get the number of items in a queue.

q

The queue.

Returns

The length of the queue.

Queue::merge
Type

function (q1: Queue::Queue, q2: Queue::Queue) : Queue::Queue

Merge two queues together. If any settings are applied to the queues, the settings from q1 are used for the new merged queue.

q1

The first queue. Settings are taken from here.

q2

The second queue.

Returns

A new queue from merging the other two together.

Queue::peek
Type

function (q: Queue::Queue) : any

Peek at the value at the end of the queue without removing it.

q

The queue to get the value from.

Returns

The value at the end of the queue.

Queue::put
Type

function (q: Queue::Queue, val: any) : void

Put a value onto the beginning of a queue.

q

The queue to put the value into.

val

The value to insert into the queue.
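
With max_len set, a Queue behaves as a bounded ring buffer, which is the usual way to keep "the last N things a host did" without unbounded state growth. The following is an added example and not part of base/utils/queue.zeek: it keeps the last five request URIs per client. The history length, the client address and the eight request paths are assumptions constructed for the demonstration.

```zeek
@load base/utils/queue

# Number of recent URIs kept per client; an assumed value.
const uri_history_len = 5 &redef;

# Per-client history, dropped after 30 minutes without new entries.
global uri_history: table[addr] of Queue::Queue &create_expire=30mins;

function remember_uri(client: addr, uri: string)
    {
    if ( client !in uri_history )
        # max_len makes the queue evict its oldest entry once it is full.
        uri_history[client] = Queue::init([$max_len=uri_history_len]);

    Queue::put(uri_history[client], uri);
    }

# Current history, oldest first.
function recent_uris(client: addr): vector of string
    {
    local v: vector of string = vector();
    if ( client in uri_history )
        Queue::get_vector(uri_history[client], v);
    return v;
    }

event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)
    {
    remember_uri(c$id$orig_h, unescaped_URI);
    }

event zeek_init()
    {
    # Constructed input: eight requests from one client. Only the newest
    # five survive; "/" , "/login" and "/login" are evicted.
    local client = 192.0.2.10;
    local reqs = vector("/", "/login", "/login", "/admin", "/admin/config",
                        "/.git/HEAD", "/wp-login.php", "/xmlrpc.php");
    for ( i in reqs )
        remember_uri(client, reqs[i]);

    local q = uri_history[client];
    # peek/get operate on the oldest entry; put appends the newest.
    print fmt("len=%d oldest=%s", Queue::len(q), Queue::peek(q));
    print recent_uris(client);
    }
```

Queue values are typed as any, so the caller chooses the element type when draining with get_vector; passing a vector of string here is what turns the stored values back into strings.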

base/utils/strings.zeek

Functions to assist with small string analysis and manipulation that can be implemented as Zeek functions and don’t need to be implemented as built-in functions.

Summary
Functions

cut_tail: function

Cut a number of characters from the end of the given string.

is_string_binary: function

Returns true if the given string is at least 25% composed of 8-bit characters.

join_string_set: function

Join a set of strings together, with elements delimited by a constant string.

string_escape: function

Given a string, returns an escaped version.

Detailed Interface
Functions
cut_tail
Type

function (s: string, tail_len: count) : string

Cut a number of characters from the end of the given string.

s

a string to trim.

tail_len

the number of characters to remove from the end of the string.

Returns

the given string with tail_len characters removed from the end.

is_string_binary
Type

function (s: string) : bool

Returns true if the given string is at least 25% composed of 8-bit characters.

join_string_set
Type

function (ss: set [string], j: string) : string

Join a set of strings together, with elements delimited by a constant string.

ss

a set of strings to join.

j

the string used to join set elements.

Returns

a string composed of all elements of the set, delimited by the joining string.

string_escape
Type

function (s: string, chars: string) : string

Given a string, returns an escaped version.

s

a string to escape.

chars

a string containing all the characters that need to be escaped.

Returns

a string with all occurrences of any character in chars escaped using \, and any literal \ characters likewise escaped.

base/utils/thresholds.zeek

GLOBAL

Functions for using multiple thresholds with a counting tracker. For example, you may want to generate a notice when something happens 10 times and again when it happens 100 times but nothing in between. You can use the check_threshold function to define your threshold points and the TrackCount variable where you are keeping track of your counter.

Namespace

GLOBAL

Summary
Redefinable Options

default_notice_thresholds: vector &redef

The thresholds you would like to use as defaults with the default_check_threshold function.

Types

TrackCount: record

Functions

check_threshold: function

This will check if a TrackCount variable has crossed any thresholds in a given set.

default_check_threshold: function

This will use the default_notice_thresholds variable to check a TrackCount variable to see if it has crossed another threshold.

new_track_count: function

Detailed Interface
Redefinable Options
default_notice_thresholds
Type

vector of count

Attributes

&redef

Default
[30, 100, 1000, 10000, 100000, 1000000, 10000000]

The thresholds you would like to use as defaults with the default_check_threshold function.

Types
TrackCount
Type

record

n: count &default = 0 &optional

The counter for the number of times something has happened.

index: count &default = 0 &optional

The index of the vector where the counter currently is. This is used to track which threshold is currently being watched for.

Functions
check_threshold
Type

function (v: vector of count, tracker: TrackCount) : bool

This will check if a TrackCount variable has crossed any thresholds in a given set.

v

a vector holding counts that represent thresholds.

tracker

the record being used to track event counter and currently monitored threshold value.

Returns

T if a threshold has been crossed, else F.

default_check_threshold
Type

function (tracker: TrackCount) : bool

This will use the default_notice_thresholds variable to check a TrackCount variable to see if it has crossed another threshold.

new_track_count
Type

function () : TrackCount
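
The tracker does not count for you: the caller increments n and then asks check_threshold whether the currently watched threshold has been reached, at which point the tracker's index advances so the same threshold fires only once. The following is an added example, not part of base/utils/thresholds.zeek, counting failed SSH logins per source; the thresholds, the expiry and the constructed 25-failure run are assumptions.

```zeek
@load base/utils/thresholds

# Assumed per-source thresholds. The shipped default_notice_thresholds start
# at 30, which is late for SSH password guessing.
const ssh_fail_thresholds: vector of count = vector(5, 20, 100) &redef;

# Counter state per client, dropped after an hour without new failures.
global ssh_failures: table[addr] of TrackCount &create_expire=1hr;

# Bump the counter and return T exactly when a new threshold is crossed.
function note_ssh_failure(client: addr): bool
    {
    if ( client !in ssh_failures )
        ssh_failures[client] = new_track_count();

    # Records are references, so modifying tc updates the table entry.
    local tc = ssh_failures[client];
    ++tc$n;
    return check_threshold(ssh_fail_thresholds, tc);
    }

event ssh_auth_failed(c: connection)
    {
    local client = c$id$orig_h;
    if ( note_ssh_failure(client) )
        {
        local tc = ssh_failures[client];
        # index already points at the next threshold, so the one just
        # crossed is index - 1.
        print fmt("%s: %d failed SSH logins (threshold %d crossed)",
                  client, tc$n, ssh_fail_thresholds[tc$index - 1]);
        }
    }

event zeek_init()
    {
    # Constructed run: 25 failures from one host report at 5 and 20 only.
    local bad = 203.0.113.44;
    local i = 0;
    while ( i < 25 )
        {
        ++i;
        if ( note_ssh_failure(bad) )
            print fmt("crossed after %d failures", ssh_failures[bad]$n);
        }
    }
```

To use the site-wide default_notice_thresholds instead of a custom vector, call default_check_threshold(tc) in place of check_threshold; the tracker record is the same.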

base/utils/time.zeek

Summary
Functions

duration_to_mins_secs: function

Given an interval, returns a string representing the minutes and seconds in the interval (for example, “3m34s”).

Detailed Interface
Functions
duration_to_mins_secs
Type

function (dur: interval) : string

Given an interval, returns a string representing the minutes and seconds in the interval (for example, “3m34s”).

base/utils/urls.zeek

Functions for URL handling.

Summary
Redefinable Options

url_regex: pattern &redef

A regular expression for matching and extracting URLs.

Types

URI: record

A URI, as parsed by decompose_uri.

Functions

decompose_uri: function

find_all_urls: function

Extracts URLs discovered in arbitrary text.

find_all_urls_without_scheme: function

Extracts URLs discovered in arbitrary text without the URL scheme included.

Detailed Interface
Redefinable Options
url_regex
Type

pattern

Attributes

&redef

Default
/^?(^([a-zA-Z\-]{3,5}):\/\/(-\.)?([^[:blank:]\/?\.#-]+\.?)+(\/[^[:blank:]]*)?)$?/

A regular expression for matching and extracting URLs. This is the @imme_emosol regex from https://mathiasbynens.be/demo/url-regex, adapted for Zeek. It’s not perfect for all of their test cases, but it’s one of the shorter ones that covers most of the test cases.

Types
URI
Type

record

scheme: string &optional

The URL’s scheme.

netlocation: string

The location, which could be a domain name or an IP address. Left empty if not specified.

portnum: count &optional

Port number, if included in URI.

path: string

Full path, including the file name. Will be ‘/’ if no path is given.

file_name: string &optional

Full file name, including extension, if there is a file name.

file_base: string &optional

The base filename, without extension, if there is a file name.

file_ext: string &optional

The filename’s extension, if there is a file name.

params: table [string] of string &optional

A table of all query parameters, mapping their keys to values, if there’s a query.

A URI, as parsed by decompose_uri.

Functions
decompose_uri
Type

function (uri: string) : URI

find_all_urls
Type

function (s: string) : string_set

Extracts URLs discovered in arbitrary text.

find_all_urls_without_scheme
Type

function (s: string) : string_set

Extracts URLs discovered in arbitrary text without the URL scheme included.
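As an added example (not code from Zeek’s urls.zeek), the script below runs find_all_urls, find_all_urls_without_scheme and decompose_uri over a constructed piece of text and flags URLs whose file extension is on a watch list; sample_text, watched_exts, describe_url and urls_with_watched_ext are this example’s own names.

```zeek
@load base/utils/urls

module UrlExample;

# Constructed sample text (not from the page): the kind of free text, such
# as a mail body or a log line, in which URLs turn up.
const sample_text = "Invoice ready at https://billing.example.com/docs/invoice.pdf?id=42&fmt=a4 and the installer at http://10.0.0.5:8080/tools/setup.exe mirror ftp://files.example.net/pub/";

# File extensions worth flagging when they appear as the file name of an
# embedded URL (constructed list, not a Zeek default).
const watched_exts: set[string] = { "exe", "js", "hta", "scr" } &redef;

# Print every URI field decompose_uri fills in for one URL. Optional fields
# are tested with ?$ before use, since reading an unset field is an error.
function describe_url(url: string)
	{
	local u = decompose_uri(url);
	print fmt("url=%s", url);
	print fmt("  scheme=%s host=%s port=%s path=%s",
	          u?$scheme ? u$scheme : "-",
	          u$netlocation,
	          u?$portnum ? cat(u$portnum) : "-",
	          u$path);
	print fmt("  file_name=%s file_base=%s file_ext=%s params=%s",
	          u?$file_name ? u$file_name : "-",
	          u?$file_base ? u$file_base : "-",
	          u?$file_ext ? u$file_ext : "-",
	          u?$params ? cat(u$params) : "-");
	}

# Return the URLs found in text whose file extension is in watched_exts.
function urls_with_watched_ext(text: string): set[string]
	{
	local hits: set[string];
	local urls = find_all_urls(text);
	for ( url in urls )
		{
		local u = decompose_uri(url);
		if ( u?$file_ext && to_lower(u$file_ext) in watched_exts )
			add hits[url];
		}
	return hits;
	}

event zeek_init()
	{
	local urls = find_all_urls(sample_text);
	for ( url in urls )
		describe_url(url);

	# The scheme-less variant is what you would hand to an indicator match
	# whose URLs are stored without the leading "http://" or "https://".
	print find_all_urls_without_scheme(sample_text);

	print fmt("watched: %s", urls_with_watched_ext(sample_text));
	}
```

Run it with `zeek urls-example.zeek` (no interface needed); because url_regex takes any non-blank characters as the path, trailing punctuation glued to a URL in real text ends up inside the match.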

base/frameworks/notice/__load__.zeek

Imports

base/frameworks/notice/actions/add-geodata.zeek, base/frameworks/notice/actions/email_admin.zeek, base/frameworks/notice/actions/page.zeek, base/frameworks/notice/actions/pp-alarms.zeek, base/frameworks/notice/main.zeek, base/frameworks/notice/weird.zeek

Summary
Detailed Interface

base/frameworks/notice/main.zeek

GLOBAL
Notice

This is the notice framework which enables Zeek to “notice” things which are odd or potentially bad. Decisions of the meaning of various notices need to be done per site because Zeek does not ship with assumptions about what is bad activity for sites. More extensive documentation about using the notice framework can be found in Notice Framework.

Namespaces

GLOBAL, Notice

Imports

base/frameworks/cluster

Summary
Runtime Options

Notice::alarmed_types: set &redef

Alarmed notice types.

Notice::default_suppression_interval: interval &redef

The notice framework is able to do automatic notice suppression by utilizing the identifier field in Notice::Info records.

Notice::emailed_types: set &redef

Emailed notice types.

Notice::ignored_types: set &redef

Ignored notice types.

Notice::mail_from: string &redef

Address that emails will be from.

Notice::mail_subject_prefix: string &redef

Text string prefixed to the subject of all emails sent out.

Notice::not_suppressed_types: set &redef

Types that should be suppressed for the default suppression interval.

Notice::reply_to: string &redef

Reply-to address used in outbound email.

Notice::sendmail: string &redef

Local system sendmail program.

Redefinable Options

Notice::mail_dest: string &redef

The default email address to send notices with the Notice::ACTION_EMAIL action or to send bulk alarm logs on rotation with Notice::ACTION_ALARM.

Notice::max_email_delay: interval &redef

The maximum amount of time a plugin can delay email from being sent.

Notice::type_suppression_intervals: table &redef

This table can be used as a shorthand way to modify suppression intervals for entire notice types.

Types

Notice::Action: enum

These are values representing actions that can be taken with notices.

Notice::ActionSet: set

Type that represents a set of actions.

Notice::FileInfo: record

Contains a portion of fa_file that’s also contained in Notice::Info.

Notice::Info: record

The record type that is used for representing and logging notices.

Notice::Type: enum

Scripts creating new notices need to redef this enum to add their own specific notice types which would then get used when they call the NOTICE function.

Redefinitions

Log::ID: enum

Events

Notice::begin_suppression: event

This event is generated when a notice begins to be suppressed.

Notice::log_notice: event

This event can be handled to access the Notice::Info record as it is sent on to the logging framework.

Notice::manager_begin_suppression: event

This is an internal event that is used to broadcast the begin_suppression event over a cluster.

Notice::suppressed: event

This event is generated on each occurrence of an event being suppressed.

Hooks

Notice::log_policy: Log::PolicyHook

Default logging policy hooks for the streams.

Notice::log_policy_alarm: Log::PolicyHook

Notice::notice: hook

This is the event that is called as the entry point to the notice framework by the global NOTICE function.

Notice::policy: hook

The hook to modify notice handling.

Functions

NOTICE: function

Notice::apply_policy: function

This is an internal function to populate policy records.

Notice::create_file_info: function

Creates a record containing a subset of a full fa_file record.

Notice::email_headers: function

Constructs mail headers to which an email body can be appended for sending with sendmail.

Notice::email_notice_to: function

Call this function to send a notice in an email.

Notice::is_being_suppressed: function

A function to determine if an event is supposed to be suppressed.

Notice::log_mailing_postprocessor: function

A log postprocessing function that implements emailing the contents of a log upon rotation to any configured Notice::mail_dest.

Notice::populate_file_info: function

Populates file-related fields in a notice info record.

Notice::populate_file_info2: function

Populates file-related fields in a notice info record.

Detailed Interface
Runtime Options
Notice::alarmed_types
Type

set [Notice::Type]

Attributes

&redef

Default

{}

Alarmed notice types.

Notice::default_suppression_interval
Type

interval

Attributes

&redef

Default

1.0 hr

The notice framework is able to do automatic notice suppression by utilizing the identifier field in Notice::Info records. Set this to “0secs” to completely disable automated notice suppression.

Notice::emailed_types
Type

set [Notice::Type]

Attributes

&redef

Default

{}

Emailed notice types.

Notice::ignored_types
Type

set [Notice::Type]

Attributes

&redef

Default

{}

Ignored notice types.

Notice::mail_from
Type

string

Attributes

&redef

Default

"Zeek <zeek@localhost>"

Address that emails will be from.

Note that this is overridden by the ZeekControl MailFrom option.

Notice::mail_subject_prefix
Type

string

Attributes

&redef

Default

"[Zeek]"

Text string prefixed to the subject of all emails sent out.

Note that this is overridden by the ZeekControl MailSubjectPrefix option.

Notice::not_suppressed_types
Type

set [Notice::Type]

Attributes

&redef

Default

{}

Types that should be suppressed for the default suppression interval.

Notice::reply_to
Type

string

Attributes

&redef

Default

""

Reply-to address used in outbound email.

Notice::sendmail
Type

string

Attributes

&redef

Default

"/usr/sbin/sendmail"

Local system sendmail program.

Note that this is overridden by the ZeekControl SendMail option.

Redefinable Options
Notice::mail_dest
Type

string

Attributes

&redef

Default

""

The default email address to send notices with the Notice::ACTION_EMAIL action or to send bulk alarm logs on rotation with Notice::ACTION_ALARM.

Note that this is overridden by the ZeekControl MailTo option or by the email_dest field in the Notice::Info record.

Notice::max_email_delay
Type

interval

Attributes

&redef

Default

15.0 secs

The maximum amount of time a plugin can delay email from being sent.

Notice::type_suppression_intervals
Type

table [Notice::Type] of interval

Attributes

&redef

Default

{}

This table can be used as a shorthand way to modify suppression intervals for entire notice types.

Types
Notice::Action
Type

enum

Notice::ACTION_NONE

Indicates that there is no action to be taken.

Notice::ACTION_LOG

Indicates that the notice should be sent to the notice logging stream.

Notice::ACTION_EMAIL

Indicates that the notice should be sent to the email address(es) configured in the Notice::mail_dest variable.

Notice::ACTION_ALARM

Indicates that the notice should be alarmed. A readable ASCII version is saved in notice_alarm log, and emailed in bulk to the address(es) configured in Notice::mail_dest.

Notice::ACTION_DROP

Indicates that the notice should result in a drop action. The exact action taken depends on loaded policy scripts; see e.g. NetControl::acld_rule_policy.

Notice::ACTION_EMAIL_ADMIN

(present if base/frameworks/notice/actions/email_admin.zeek is loaded)

Indicates that the generated email should be addressed to the appropriate email addresses as found by the Site::get_emails function based on the relevant address or addresses indicated in the notice.

Notice::ACTION_PAGE

(present if base/frameworks/notice/actions/page.zeek is loaded)

Indicates that the notice should be sent to the pager email address configured in the Notice::mail_page_dest variable.

Notice::ACTION_ADD_GEODATA

(present if base/frameworks/notice/actions/add-geodata.zeek is loaded)

Indicates that the notice should have geodata added for the “remote” host. Site::local_nets must be defined in order for this to work.

These are values representing actions that can be taken with notices.

Notice::ActionSet
Type

set [Notice::Action]

Type that represents a set of actions.

Notice::FileInfo
Type

record

fuid: string

File UID.

desc: string

File description from e.g. Files::describe.

mime: string &optional

Strongest mime type match for file.

cid: conn_id &optional

Connection tuple over which file is sent.

cuid: string &optional

Connection UID over which file is sent.

Contains a portion of fa_file that’s also contained in Notice::Info.

Notice::Info
Type

record

ts: time &log &optional

An absolute time indicating when the notice occurred, defaults to the current network time.

uid: string &log &optional

A connection UID which uniquely identifies the endpoints concerned with the notice.

id: conn_id &log &optional

A connection 4-tuple identifying the endpoints concerned with the notice.

conn: connection &optional

A shorthand way of giving the uid and id to a notice. The reference to the actual connection will be deleted after applying the notice policy.

iconn: icmp_conn &optional

A shorthand way of giving the uid and id to a notice. The reference to the actual connection will be deleted after applying the notice policy.

f: fa_file &optional

A file record if the notice is related to a file. The reference to the actual fa_file record will be deleted after applying the notice policy.

fuid: string &log &optional

A file unique ID if this notice is related to a file. If the f field is provided, this will be automatically filled out.

file_mime_type: string &log &optional

A mime type if the notice is related to a file. If the f field is provided, this will be automatically filled out.

file_desc: string &log &optional

Frequently files can be “described” to give a bit more context. This field will typically be automatically filled out from an fa_file record. For example, if a notice was related to a file over HTTP, the URL of the request would be shown.

proto: transport_proto &log &optional

The transport protocol. Filled automatically when either conn, iconn or p is specified.

note: Notice::Type &log

The Notice::Type of the notice.

msg: string &log &optional

The human readable message for the notice.

sub: string &log &optional

The human readable sub-message.

src: addr &log &optional

Source address, if we don’t have a conn_id.

dst: addr &log &optional

Destination address.

p: port &log &optional

Associated port, if we don’t have a conn_id.

n: count &log &optional

Associated count, or perhaps a status code.

peer_name: string &optional

Name of remote peer that raised this notice.

peer_descr: string &log &optional

Textual description for the peer that raised this notice, including name, host address and port.

actions: Notice::ActionSet &log &default = {  } &optional

The actions which have been applied to this notice.

email_dest: set [string] &log &default = {  } &optional

The email address(es) to which this notice is sent.

email_body_sections: vector of string &optional

By adding chunks of text into this element, other scripts can expand on notices that are being emailed. The normal way to add text is to extend the vector by handling the Notice::notice event and modifying the notice in place.

email_delay_tokens: set [string] &optional

Adding a string “token” to this set will cause the notice framework’s built-in emailing functionality to delay sending the email until either the token has been removed or the email has been delayed for Notice::max_email_delay.

identifier: string &optional

This field is to be provided when a notice is generated for the purpose of deduplicating notices. The identifier string should be unique for a single instance of the notice. This field should be filled out in almost all cases when generating notices to define when a notice is conceptually a duplicate of a previous notice.

For example, an SSL certificate that is going to expire soon should always have the same identifier no matter the client IP address that connected and resulted in the certificate being exposed. In this case, the resp_h, resp_p, and hash of the certificate would be used to create this value. The hash of the cert is included because servers can return multiple certificates on the same port.

Another example might be a host downloading a file which triggered a notice because the MD5 sum of the file it downloaded was known by some set of intelligence. In that case, the orig_h (client) and MD5 sum would be used in this field to dedup because if the same file is downloaded over and over again you really only want to know about it a single time. This makes it possible to send those notices to email without worrying so much about sending thousands of emails.

suppress_for: interval &log &default = Notice::default_suppression_interval &optional

This field indicates the length of time that this unique notice should be suppressed.

remote_location: geo_location &log &optional

(present if base/frameworks/notice/actions/add-geodata.zeek is loaded)

If GeoIP support is built in, notices can have geographic information attached to them.

dropped: bool &log &default = F &optional

(present if policy/frameworks/notice/actions/drop.zeek is loaded)

Indicates whether the $src IP address was dropped and denied network access.

The record type that is used for representing and logging notices.

Notice::Type
Type

enum

Notice::Tally

Notice reporting a count of how often a notice occurred.

Weird::Activity

(present if base/frameworks/notice/weird.zeek is loaded)

Generic unusual but notice-worthy weird activity.

Signatures::Sensitive_Signature

(present if base/frameworks/signatures/main.zeek is loaded)

Generic notice type for notice-worthy signature matches.

Signatures::Multiple_Signatures

(present if base/frameworks/signatures/main.zeek is loaded)

Host has triggered many signatures on the same host. The number of signatures is defined by the Signatures::vert_scan_thresholds variable.

Signatures::Multiple_Sig_Responders

(present if base/frameworks/signatures/main.zeek is loaded)

Host has triggered the same signature on multiple hosts as defined by the Signatures::horiz_scan_thresholds variable.

Signatures::Count_Signature

(present if base/frameworks/signatures/main.zeek is loaded)

The same signature has triggered multiple times for a host. The number of times the signature has been triggered is defined by the Signatures::count_thresholds variable. To generate this notice, the Signatures::SIG_COUNT_PER_RESP action must be set for the signature.

Signatures::Signature_Summary

(present if base/frameworks/signatures/main.zeek is loaded)

Summarize the number of times a host triggered a signature. The interval between summaries is defined by the Signatures::summary_interval variable.

PacketFilter::Compile_Failure

(present if base/frameworks/packet-filter/main.zeek is loaded)

This notice is generated if a packet filter cannot be compiled.

PacketFilter::Install_Failure

(present if base/frameworks/packet-filter/main.zeek is loaded)

Generated if a packet filter fails to install.

PacketFilter::Too_Long_To_Compile_Filter

(present if base/frameworks/packet-filter/main.zeek is loaded)

Generated when a packet filter takes too long to compile.

PacketFilter::Dropped_Packets

(present if base/frameworks/packet-filter/netstats.zeek is loaded)

Indicates packets were dropped by the packet filter.

ProtocolDetector::Protocol_Found

(present if policy/frameworks/dpd/detect-protocols.zeek is loaded)

ProtocolDetector::Server_Found

(present if policy/frameworks/dpd/detect-protocols.zeek is loaded)

Intel::Notice

(present if policy/frameworks/intel/do_notice.zeek is loaded)

This notice is generated when an intelligence indicator is denoted to be notice-worthy.

TeamCymruMalwareHashRegistry::Match

(present if policy/frameworks/files/detect-MHR.zeek is loaded)

The hash value of a file transferred over HTTP matched in the malware hash registry.

PacketFilter::No_More_Conn_Shunts_Available

(present if policy/frameworks/packet-filter/shunt.zeek is loaded)

Indicative that PacketFilter::max_bpf_shunts connections are already being shunted with BPF filters and no more are allowed.

PacketFilter::Cannot_BPF_Shunt_Conn

(present if policy/frameworks/packet-filter/shunt.zeek is loaded)

Limitations in BPF make shunting some connections with BPF impossible. This notice encompasses those various cases.

Software::Software_Version_Change

(present if policy/frameworks/software/version-changes.zeek is loaded)

For certain software, a version changing may matter. In that case, this notice will be generated. Software that matters if the version changes can be configured with the Software::interesting_version_changes variable.

Software::Vulnerable_Version

(present if policy/frameworks/software/vulnerable.zeek is loaded)

Indicates that a vulnerable version of software was detected.

CaptureLoss::Too_Much_Loss

(present if policy/misc/capture-loss.zeek is loaded)

Report if the detected capture loss exceeds the percentage threshold defined in CaptureLoss::too_much_loss.

CaptureLoss::Too_Little_Traffic

(present if policy/misc/capture-loss.zeek is loaded)

Report if the traffic seen by a peer within a given watch interval is less than CaptureLoss::minimum_acks.

Traceroute::Detected

(present if policy/misc/detect-traceroute/main.zeek is loaded)

Indicates that a host was seen running traceroutes. For more detail about specific traceroutes that we run, refer to the traceroute.log.

Scan::Address_Scan

(present if policy/misc/scan.zeek is loaded)

Address scans detect that a host appears to be scanning some number of destinations on a single port. This notice is generated when more than Scan::addr_scan_threshold unique hosts are seen over the previous Scan::addr_scan_interval time range.

Scan::Port_Scan

(present if policy/misc/scan.zeek is loaded)

Port scans detect that an attacking host appears to be scanning a single victim host on several ports. This notice is generated when an attacking host attempts to connect to Scan::port_scan_threshold unique ports on a single host over the previous Scan::port_scan_interval time range.

Conn::Retransmission_Inconsistency

(present if policy/protocols/conn/weirds.zeek is loaded)

Possible evasion; usually just chud.

Conn::Content_Gap

(present if policy/protocols/conn/weirds.zeek is loaded)

Data has sequence hole; perhaps due to filtering.

DNS::External_Name

(present if policy/protocols/dns/detect-external-names.zeek is loaded)

Raised when a non-local name is found to be pointing at a local host. The Site::local_zones variable must be set appropriately for this detection.

FTP::Bruteforcing

(present if policy/protocols/ftp/detect-bruteforcing.zeek is loaded)

Indicates a host bruteforcing FTP logins by watching for too many rejected usernames or failed passwords.

FTP::Site_Exec_Success

(present if policy/protocols/ftp/detect.zeek is loaded)

Indicates that a successful response to a “SITE EXEC” command/arg pair was seen.

HTTP::SQL_Injection_Attacker

(present if policy/protocols/http/detect-sqli.zeek is loaded)

Indicates that a host performing SQL injection attacks was detected.

HTTP::SQL_Injection_Victim

(present if policy/protocols/http/detect-sqli.zeek is loaded)

Indicates that a host was seen to have SQL injection attacks against it. This is tracked by IP address as opposed to hostname.

SMTP::Blocklist_Error_Message

(present if policy/protocols/smtp/blocklists.zeek is loaded)

An SMTP server sent a reply mentioning an SMTP block list.

SMTP::Blocklist_Blocked_Host

(present if policy/protocols/smtp/blocklists.zeek is loaded)

The originator’s address is seen in the block list error message. This is useful to detect local hosts sending SPAM with a high positive rate.

SMTP::Suspicious_Origination

(present if policy/protocols/smtp/detect-suspicious-orig.zeek is loaded)

SSH::Password_Guessing

(present if policy/protocols/ssh/detect-bruteforcing.zeek is loaded)

Indicates that a host has been identified as crossing the SSH::password_guesses_limit threshold with failed logins.

SSH::Login_By_Password_Guesser

(present if policy/protocols/ssh/detect-bruteforcing.zeek is loaded)

Indicates that a host previously identified as a “password guesser” has now had a successful login attempt. This is not currently implemented.

SSH::Watched_Country_Login

(present if policy/protocols/ssh/geo-data.zeek is loaded)

If an SSH login is seen to or from a “watched” country based on the SSH::watched_countries variable then this notice will be generated.

SSH::Interesting_Hostname_Login

(present if policy/protocols/ssh/interesting-hostnames.zeek is loaded)

Generated if a login originates or responds with a host where the reverse hostname lookup resolves to a name matched by the SSH::interesting_hostnames regular expression.

SSL::Certificate_Expired

(present if policy/protocols/ssl/expiring-certs.zeek is loaded)

Indicates that a certificate’s NotValidAfter date has lapsed and the certificate is now invalid.

SSL::Certificate_Expires_Soon

(present if policy/protocols/ssl/expiring-certs.zeek is loaded)

Indicates that a certificate is going to expire within SSL::notify_when_cert_expiring_in.

SSL::Certificate_Not_Valid_Yet

(present if policy/protocols/ssl/expiring-certs.zeek is loaded)

Indicates that a certificate’s NotValidBefore date is future dated.

Heartbleed::SSL_Heartbeat_Attack

(present if policy/protocols/ssl/heartbleed.zeek is loaded)

Indicates that a host performed a heartbleed attack or scan.

Heartbleed::SSL_Heartbeat_Attack_Success

(present if policy/protocols/ssl/heartbleed.zeek is loaded)

Indicates that a host performing a heartbleed attack was probably successful.

Heartbleed::SSL_Heartbeat_Odd_Length

(present if policy/protocols/ssl/heartbleed.zeek is loaded)

Indicates we saw heartbeat requests with odd length. Probably an attack or scan.

Heartbleed::SSL_Heartbeat_Many_Requests

(present if policy/protocols/ssl/heartbleed.zeek is loaded)

Indicates we saw many heartbeat requests without a reply. Might be an attack.

SSL::Invalid_Server_Cert

(present if policy/protocols/ssl/validate-certs.zeek is loaded)

This notice indicates that the result of validating the certificate along with its full certificate chain was invalid.

SSL::Invalid_Ocsp_Response

(present if policy/protocols/ssl/validate-ocsp.zeek is loaded)

This indicates that the OCSP response was not deemed to be valid.

SSL::Weak_Key

(present if policy/protocols/ssl/weak-keys.zeek is loaded)

Indicates that a server is using a potentially unsafe key.

SSL::Old_Version

(present if policy/protocols/ssl/weak-keys.zeek is loaded)

Indicates that a server is using a potentially unsafe version.

SSL::Weak_Cipher

(present if policy/protocols/ssl/weak-keys.zeek is loaded)

Indicates that a server is using a potentially unsafe cipher.

ZeekygenExample::Zeekygen_One

(present if zeekygen/example.zeek is loaded)

Any number of this type of comment will document “Zeekygen_One”.

ZeekygenExample::Zeekygen_Two

(present if zeekygen/example.zeek is loaded)

Any number of this type of comment will document “ZEEKYGEN_TWO”.

ZeekygenExample::Zeekygen_Three

(present if zeekygen/example.zeek is loaded)

ZeekygenExample::Zeekygen_Four

(present if zeekygen/example.zeek is loaded)

Omitting comments is fine, and so is mixing ## and ##<, but it’s probably best to use only one style consistently.

Scripts creating new notices need to redef this enum to add their own specific notice types which would then get used when they call the NOTICE function. The convention is to give a general category along with the specific notice separating words with underscores and using leading capitals on each word except for abbreviations which are kept in all capitals. For example, SSH::Password_Guessing is for hosts that have crossed a threshold of failed SSH logins.

Events
Notice::begin_suppression
Type

event (ts: time, suppress_for: interval, note: Notice::Type, identifier: string)

This event is generated when a notice begins to be suppressed.

Ts

Time indicating when the notice to be suppressed occurred.

Suppress_for

length of time that this notice should be suppressed.

Note

The Notice::Type of the notice.

Identifier

The identifier string of the notice that should be suppressed.

Notice::log_notice
Type

event (rec: Notice::Info)

This event can be handled to access the Notice::Info record as it is sent on to the logging framework.

Rec

The record containing notice data before it is logged.

Notice::manager_begin_suppression
Type

event (ts: time, suppress_for: interval, note: Notice::Type, identifier: string)

This is an internal event that is used to broadcast the begin_suppression event over a cluster.

Ts

Time indicating when the notice to be suppressed occurred.

Suppress_for

length of time that this notice should be suppressed.

Note

The Notice::Type of the notice.

Identifier

The identifier string of the notice that should be suppressed.

Notice::suppressed
Type

event (n: Notice::Info)

This event is generated on each occurrence of an event being suppressed.

N

The record containing notice data regarding the notice type being suppressed.

Hooks
Notice::log_policy
Type

Log::PolicyHook

Default logging policy hooks for the streams.

Notice::log_policy_alarm
Type

Log::PolicyHook

Notice::notice
Type

hook (n: Notice::Info) : bool

This is the event that is called as the entry point to the notice framework by the global NOTICE function. By the time this event is generated, default values have already been filled out in the Notice::Info record and the notice policy has also been applied.

N

The record containing notice data.

Notice::policy
Type

hook (n: Notice::Info) : bool

The hook to modify notice handling.
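Added example, not part of Zeek’s notice framework: one script that ties together the identifier field of Notice::Info (what counts as a duplicate for suppression), the Notice::Type naming convention, and the Notice::policy hook for attaching actions. The ExampleNotices module, the Repeated_Request type, request_threshold, request_counts and the hypothetical detection logic are this example’s own, and the mail destination is a placeholder.

```zeek
@load base/frameworks/notice
@load base/protocols/http

module ExampleNotices;

export {
	redef enum Notice::Type += {
		## A single client requested the same path unusually often.
		## Hypothetical type for this example, named per the convention:
		## category, then the specific notice, leading capitals, underscores.
		Repeated_Request,
	};

	## Requests from one client for one path before a notice is raised
	## (constructed threshold, redef-able like the built-in ones).
	const request_threshold = 50 &redef;
}

# Per-client, per-path request counter. Entries expire so the table does
# not grow without bound on a busy sensor.
global request_counts: table[addr, string] of count
	&default=0 &create_expire=1hr;

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
	{
	local src = c$id$orig_h;
	local path = unescaped_URI;

	request_counts[src, path] += 1;

	# Raise the notice only as the threshold is crossed; the framework's
	# suppression takes care of identical notices that follow.
	if ( request_counts[src, path] != request_threshold )
		return;

	NOTICE([$note=Repeated_Request,
	        $conn=c,   # fills uid, id and proto automatically
	        $msg=fmt("%s requested %s %d times", src, path, request_threshold),
	        $sub=path,
	        # The identifier defines what "the same notice" means for dedup:
	        # same client and same path, whichever connection carried it.
	        $identifier=cat(src, path),
	        # Per-instance override of Notice::default_suppression_interval.
	        $suppress_for=6hrs]);
	}

# Attach actions for this type in the Notice::policy hook rather than by
# redef'ing Notice::emailed_types / Notice::alarmed_types; both approaches
# end with the same entries in n$actions.
hook Notice::policy(n: Notice::Info)
	{
	if ( n$note == Repeated_Request )
		{
		add n$actions[Notice::ACTION_EMAIL];
		add n$actions[Notice::ACTION_ALARM];
		}
	}

# Placeholder address; the ZeekControl MailTo option overrides it.
redef Notice::mail_dest = "soc@example.com";

# Suppression can also be set once for every notice of a type.
redef Notice::type_suppression_intervals += {
	[Repeated_Request] = 1day,
};
```

With suppression active, repeats of the same identifier raise Notice::suppressed instead of a new notice.log entry, so the email volume for a noisy client stays at one message per suppression interval.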

Functions
NOTICE
Type

function (n: Notice::Info) : void

Notice::apply_policy
Type

function (n: Notice::Info) : void

This is an internal function to populate policy records.

Notice::create_file_info
Type

function (f: fa_file) : Notice::FileInfo

Creates a record containing a subset of a full fa_file record.

F

record containing metadata about a file.

Returns

record containing a subset of fields copied from f.

Notice::email_headers
Type

function (subject_desc: string, dest: string) : string

Constructs mail headers to which an email body can be appended for sending with sendmail.

Subject_desc

a subject string to use for the mail.

Dest

recipient string to use for the mail.

Returns

a string of mail headers to which an email body can be appended.

Notice::email_notice_to
Type

function (n: Notice::Info, dest: string, extend: bool) : void

Call this function to send a notice in an email. It is already used by default with the built in Notice::ACTION_EMAIL and Notice::ACTION_PAGE actions.

N

The record of notice data to email.

Dest

The intended recipient of the notice email.

Extend

Whether to extend the email using the email_body_sections field of n.

Notice::is_being_suppressed
Type

function (n: Notice::Info) : bool

A function to determine if an event is supposed to be suppressed.

N

The record containing the notice in question.

Notice::log_mailing_postprocessor
Type

function (info: Log::RotationInfo) : bool

A log postprocessing function that implements emailing the contents of a log upon rotation to any configured Notice::mail_dest. The rotated log is removed upon being sent.

Info

A record containing the rotated log file information.

Returns

True.

Notice::populate_file_info
Type

function (f: fa_file, n: Notice::Info) : void

Populates file-related fields in a notice info record.

F

record containing metadata about a file.

N

a notice record that needs file-related fields populated.

Notice::populate_file_info2
Type

function (fi: Notice::FileInfo, n: Notice::Info) : void

Populates file-related fields in a notice info record.

Fi

record containing metadata about a file.

N

a notice record that needs file-related fields populated.

base/frameworks/cluster/__load__.zeek

Imports

base/frameworks/cluster/main.zeek, base/frameworks/cluster/pools.zeek

Summary
Detailed Interface

base/frameworks/cluster/main.zeek

Cluster

A framework for establishing and controlling a cluster of Zeek instances. In order to use the cluster framework, a script named cluster-layout.zeek must exist somewhere in Zeek’s script search path which has a cluster definition of the Cluster::nodes variable. The CLUSTER_NODE environment variable or Cluster::node must also be set and the cluster framework loaded as a package like @load base/frameworks/cluster.

Namespace

Cluster

Imports

base/frameworks/broker, base/frameworks/control

Summary
Redefinable Options

Cluster::default_backend: Broker::BackendType &redef

The type of data store backend that will be used for all data stores if no other has already been specified by the user in Cluster::stores.

Cluster::default_master_node: string &redef

Name of the node on which master data stores will be created if no other has already been specified by the user in Cluster::stores.

Cluster::default_persistent_backend: Broker::BackendType &redef

The type of persistent data store backend that will be used for all data stores if no other has already been specified by the user in Cluster::stores.

Cluster::default_store_dir: string &redef

Setting a default dir will, for persistent backends that have not been given an explicit file path via Cluster::stores, automatically create a path within this dir that is based on the name of the data store.

Cluster::enable_round_robin_logging: bool &redef

Whether to distribute log messages among available logging nodes.

Cluster::logger_topic: string &redef

The topic name used for exchanging messages that are relevant to logger nodes in a cluster.

Cluster::manager_is_logger: bool &redef

Indicates whether or not the manager will act as the logger and receive logs.

Cluster::manager_topic: string &redef

The topic name used for exchanging messages that are relevant to manager nodes in a cluster.

Cluster::node: string &redef

This is usually supplied on the command line for each instance of the cluster that is started up.

Cluster::node_topic_prefix: string &redef

The topic prefix used for exchanging messages that are relevant to a named node in a cluster.

Cluster::nodeid_topic_prefix: string &redef

The topic prefix used for exchanging messages that are relevant to a unique node in a cluster.

Cluster::nodes: table &redef

The cluster layout definition.

Cluster::proxy_topic: string &redef

The topic name used for exchanging messages that are relevant to proxy nodes in a cluster.

Cluster::retry_interval: interval &redef

Interval for retrying failed connections between cluster nodes.

Cluster::time_machine_topic: string &redef

The topic name used for exchanging messages that are relevant to time machine nodes in a cluster.

Cluster::worker_topic: string &redef

The topic name used for exchanging messages that are relevant to worker nodes in a cluster.

State Variables

Cluster::stores: table &default = &redef

A table of cluster-enabled data stores that have been created, indexed by their name.

Cluster::worker_count: count

The number of workers currently connected; it is maintained internally by the cluster framework.

Types

Cluster::Info: record &log

The record type which contains the column fields of the cluster log.

Cluster::Node: record

Record type to indicate a node in a cluster.

Cluster::NodeType: enum

Types of nodes that are allowed to participate in the cluster configuration.

Cluster::StoreInfo: record

Information regarding a cluster-enabled data store.

Redefinitions

Log::ID: enum

The cluster logging stream identifier.

Events

Cluster::hello: event

When using the broker-enabled cluster framework, nodes broadcast this event to exchange their user-defined name along with a string that uniquely identifies each node for the duration of its lifetime.

Cluster::node_down: event

When using the broker-enabled cluster framework, this event will be emitted locally whenever a connected cluster node becomes disconnected.

Cluster::node_up: event

When using the broker-enabled cluster framework, this event will be emitted locally whenever a cluster node connects or reconnects.

Hooks

Cluster::log_policy: Log::PolicyHook

A default logging policy hook for the stream.

Functions

Cluster::create_store: function

Sets up a cluster-enabled data store.

Cluster::is_enabled: function

This function can be called at any time to determine if the cluster framework is being enabled for this run.

Cluster::local_node_type: function

This function can be called at any time to determine what type of cluster node the current Zeek instance is going to be acting as.

Cluster::log: function

Write a message to the cluster logging stream.

Cluster::node_topic: function

Retrieve the topic associated with a specific node in the cluster.

Cluster::nodeid_topic: function

Retrieve the topic associated with a specific node in the cluster.

Detailed Interface
Redefinable Options
Cluster::default_backend
Type

Broker::BackendType

Attributes

&redef

Default

Broker::MEMORY

The type of data store backend that will be used for all data stores if no other has already been specified by the user in Cluster::stores.

Cluster::default_master_node
Type

string

Attributes

&redef

Default

""

Name of the node on which master data stores will be created if no other has already been specified by the user in Cluster::stores. An empty value means “use whatever name corresponds to the manager node”.

Cluster::default_persistent_backend
Type

Broker::BackendType

Attributes

&redef

Default

Broker::SQLITE

The type of persistent data store backend that will be used for all data stores if no other has already been specified by the user in Cluster::stores. This will be used when script authors call Cluster::create_store with the persistent argument set true.

Cluster::default_store_dir
Type

string

Attributes

&redef

Default

""

Setting a default dir will, for persistent backends that have not been given an explicit file path via Cluster::stores, automatically create a path within this dir that is based on the name of the data store.

Cluster::enable_round_robin_logging
Type

bool

Attributes

&redef

Default

T

Whether to distribute log messages among available logging nodes.

Cluster::logger_topic
Type

string

Attributes

&redef

Default

"zeek/cluster/logger"

The topic name used for exchanging messages that are relevant to logger nodes in a cluster. Used with broker-enabled cluster communication.

Cluster::manager_is_logger
Type

bool

Attributes

&redef

Default

T

Indicates whether or not the manager will act as the logger and receive logs. This value should be set in the cluster-layout.zeek script (the value should be true only if no logger is specified in Cluster::nodes). Note that ZeekControl handles this automatically.

Cluster::manager_topic
Type

string

Attributes

&redef

Default

"zeek/cluster/manager"

The topic name used for exchanging messages that are relevant to manager nodes in a cluster. Used with broker-enabled cluster communication.

Cluster::node
Type

string

Attributes

&redef

Default

""

This is usually supplied on the command line for each instance of the cluster that is started up.

Cluster::node_topic_prefix
Type

string

Attributes

&redef

Default

"zeek/cluster/node/"

The topic prefix used for exchanging messages that are relevant to a named node in a cluster. Used with broker-enabled cluster communication.

Cluster::nodeid_topic_prefix
Type

string

Attributes

&redef

Default

"zeek/cluster/nodeid/"

The topic prefix used for exchanging messages that are relevant to a unique node in a cluster. Used with broker-enabled cluster communication.

Cluster::nodes
Type

table [string] of Cluster::Node

Attributes

&redef

Default

{}

The cluster layout definition. This should be placed into a file named cluster-layout.zeek somewhere in the ZEEKPATH. It will be automatically loaded if the CLUSTER_NODE environment variable is set. Note that ZeekControl handles all of this automatically. The table is typically indexed by node names/labels (e.g. “manager” or “worker-1”).
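As an added illustration of what such a cluster-layout.zeek looks like (constructed for this page, not a file shipped with Zeek or generated by ZeekControl): a single-host layout using only the Cluster::Node fields documented below. The addresses, ports, interface names and node labels are placeholders.

```zeek
# Constructed example of a cluster-layout.zeek; ZeekControl normally writes
# this file for you. Every value here is a placeholder for a one-host cluster.
redef Cluster::nodes = {
    # The manager and logger listen for peer connections on distinct ports.
    ["manager"]  = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=47761/tcp],
    ["logger-1"] = [$node_type=Cluster::LOGGER,  $ip=127.0.0.1, $p=47762/tcp],

    # Proxies also listen; workers and proxies name the manager they use.
    ["proxy-1"]  = [$node_type=Cluster::PROXY,   $ip=127.0.0.1, $p=47763/tcp,
                    $manager="manager"],

    # Workers leave $p at its 0/unknown default: they connect out to the
    # manager/proxies/loggers and only sniff their assigned interface.
    ["worker-1"] = [$node_type=Cluster::WORKER,  $ip=127.0.0.1,
                    $interface="eth0", $manager="manager"],
    ["worker-2"] = [$node_type=Cluster::WORKER,  $ip=127.0.0.1,
                    $interface="eth1", $manager="manager"],
};

# A dedicated logger node is defined above, so the manager must not also
# receive logs (see Cluster::manager_is_logger).
redef Cluster::manager_is_logger = F;
```

Each Zeek process is then started with CLUSTER_NODE set to its key in the table (for example worker-1), which is what causes this file to be loaded and Cluster::node to be populated. Deliberately binding the listening nodes to a specific address rather than a wildcard keeps the Broker ports off interfaces that do not need them.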

Cluster::proxy_topic
Type

string

Attributes

&redef

Default

"zeek/cluster/proxy"

The topic name used for exchanging messages that are relevant to proxy nodes in a cluster. Used with broker-enabled cluster communication.

Cluster::retry_interval
Type

interval

Attributes

&redef

Default

1.0 min

Interval for retrying failed connections between cluster nodes. If set, the ZEEK_DEFAULT_CONNECT_RETRY (given in number of seconds) environment variable overrides this option.

Cluster::time_machine_topic
Type

string

Attributes

&redef

Default

"zeek/cluster/time_machine"

The topic name used for exchanging messages that are relevant to time machine nodes in a cluster. Used with broker-enabled cluster communication.

Cluster::worker_topic
Type

string

Attributes

&redef

Default

"zeek/cluster/worker"

The topic name used for exchanging messages that are relevant to worker nodes in a cluster. Used with broker-enabled cluster communication.

State Variables
Cluster::stores
Type

table [string] of Cluster::StoreInfo

Attributes

&default = [name=<uninitialized>, store=<uninitialized>, master_node=, master=F, backend=Broker::MEMORY, options=[sqlite=[path=]], clone_resync_interval=10.0 secs, clone_stale_interval=5.0 mins, clone_mutation_buffer_interval=2.0 mins] &redef

Default

{}

A table of cluster-enabled data stores that have been created, indexed by their name. This table will be populated automatically by Cluster::create_store, but if you need to customize the options related to a particular data store, you may redef this table. Calls to Cluster::create_store will first check the table for an entry of the same name and, if found, will use the predefined options there when setting up the store.

Cluster::worker_count
Type

count

Default

0

The number of workers currently connected; maintained internally by the cluster framework. It’s primarily intended for use by managers to find out how many workers should be responding to requests.

Types
Cluster::Info
Type

record

ts: time &log

The time at which a cluster message was generated.

node: string &log

The name of the node that is creating the log record.

message: string &log

A message indicating information about the cluster’s operation.

Attributes

&log

The record type which contains the column fields of the cluster log.

Cluster::Node
Type

record

node_type: Cluster::NodeType

Identifies the type of cluster node in this node’s configuration.

ip: addr

The IP address of the cluster node.

zone_id: string &default = "" &optional

If the ip field is a non-global IPv6 address, this field can specify a particular RFC 4007 zone_id.

p: port &default = 0/unknown &optional

The port that this node will listen on for peer connections. A value of 0/unknown means the node is not pre-configured to listen.

interface: string &optional

Identifier for the interface a worker is sniffing.

manager: string &optional

Name of the manager node this node uses. For workers and proxies.

time_machine: string &optional

Name of a time machine node with which this node connects.

id: string &optional

A unique identifier assigned to the node by the broker framework. This field is only set while a node is connected.

lb_filter: string &optional

(present if policy/misc/load-balancing.zeek is loaded)

A BPF filter for load balancing traffic sniffed on a single interface across a number of processes. In normal use, this will be assigned dynamically by the manager and installed by the workers.

Record type to indicate a node in a cluster.

Cluster::NodeType
Type

enum

Cluster::NONE

A dummy node type indicating the local node is not operating within a cluster.

Cluster::CONTROL

A node type which is allowed to view/manipulate the configuration of other nodes in the cluster.

Cluster::LOGGER

A node type responsible for log management.

Cluster::MANAGER

A node type responsible for policy management.

Cluster::PROXY

A node type for relaying worker node communication and synchronizing worker node state.

Cluster::WORKER

The node type doing all the actual traffic analysis.

Cluster::TIME_MACHINE

A node acting as a traffic recorder using the Time Machine software.

Types of nodes that are allowed to participate in the cluster configuration.

Cluster::StoreInfo
Type

record

name: string &optional

The name of the data store.

store: opaque of Broker::Store &optional

The store handle.

master_node: string &default = Cluster::default_master_node &optional

The name of the cluster node on which the master version of the data store resides.

master: bool &default = F &optional

Whether the data store is the master version or a clone.

backend: Broker::BackendType &default = Cluster::default_backend &optional

The type of backend used for storing data.

options: Broker::BackendOptions &default = [sqlite=[path=]] &optional

Parameters used for configuring the backend.

clone_resync_interval: interval &default = Broker::default_clone_resync_interval &optional

A resync/reconnect interval to pass through to Broker::create_clone.

clone_stale_interval: interval &default = Broker::default_clone_stale_interval &optional

A staleness duration to pass through to Broker::create_clone.

clone_mutation_buffer_interval: interval &default = Broker::default_clone_mutation_buffer_interval &optional

A mutation buffer interval to pass through to Broker::create_clone.

Information regarding a cluster-enabled data store.

Events
Cluster::hello
Type

event (name: string, id: string)

When using the broker-enabled cluster framework, nodes broadcast this event to exchange their user-defined name along with a string that uniquely identifies each node for the duration of its lifetime. This string may change if the node dies and has to reconnect later.

Cluster::node_down
Type

event (name: string, id: string)

When using the broker-enabled cluster framework, this event will be emitted locally whenever a connected cluster node becomes disconnected.

Cluster::node_up
Type

event (name: string, id: string)

When using the broker-enabled cluster framework, this event will be emitted locally whenever a cluster node connects or reconnects.

Hooks
Cluster::log_policy
Type

Log::PolicyHook

A default logging policy hook for the stream.

Functions
Cluster::create_store
Type

function (name: string, persistent: bool &default = F &optional) : Cluster::StoreInfo

Sets up a cluster-enabled data store. Such stores also function properly when Zeek is not operating as a cluster.

Name

the name of the data store to create.

Persistent

whether the data store must be persistent.

Returns

the store’s information. For master stores, the store will be ready to use immediately. For clones, the store field will not be set until the node containing the master store has connected.
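The following is an added example, not code from the Zeek distribution, that ties together the Cluster::stores table described under State Variables and Cluster::create_store: it pre-seeds the table so the store gets a persistent SQLite backend with an explicit file path, creates the store at startup, and handles the clone case in which the store field is unset until the master node has connected. The module name Example, the store name and the SQLite path are hypothetical.

```zeek
# Added example (not part of Zeek). Names in the Example module and the
# SQLite path are hypothetical placeholders.
module Example;

export {
    ## Name under which the store is registered in Cluster::stores.
    const store_name = "example/seen_hosts";
}

# Customising the store before create_store runs: create_store looks the name
# up in Cluster::stores first and uses whatever options it finds there, so the
# backend below wins over Cluster::default_backend. The options record follows
# the documented shape options=[sqlite=[path=...]].
redef Cluster::stores += {
    [store_name] = [$backend = Broker::SQLITE,
                    $options = [$sqlite = [$path = "/var/lib/zeek/example_seen_hosts.sqlite"]]],
};

event zeek_init()
    {
    # persistent=T: had no backend been pre-seeded above, the framework would
    # have substituted Cluster::default_persistent_backend here.
    local info = Cluster::create_store(store_name, T);

    if ( info$master )
        Cluster::log(fmt("master store %s ready on this node", store_name));
    else
        Cluster::log(fmt("clone of %s will attach once %s connects",
                         store_name, info$master_node));
    }

# Record a host in the store. Returns F when the store handle is not yet
# available, which on a clone is the normal state until the master connects;
# callers should treat that as "try again later", not as an error.
function record_host(h: addr): bool
    {
    # Re-read the table entry each time: the framework fills in $store for
    # clones later, and that update lands in Cluster::stores, not in the
    # StoreInfo value returned earlier by create_store.
    local info = Cluster::stores[store_name];

    if ( ! info?$store )
        return F;

    # Broker::put is the standard Broker store write call (key, value).
    Broker::put(info$store, h, network_time());
    return T;
    }
```

Because the master lives on one node (by default the manager, per Cluster::default_master_node) and every other node holds a clone, a script that writes to the store unconditionally during early zeek_init on a worker will silently do nothing; checking the ?$store field is the documented way to know whether the handle exists yet.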

Cluster::is_enabled
Type

function () : bool

This function can be called at any time to determine if the cluster framework is being enabled for this run.

Returns

True if Cluster::node has been set.

Cluster::local_node_type
Type

function () : Cluster::NodeType

This function can be called at any time to determine what type of cluster node the current Zeek instance is going to be acting as. If Cluster::is_enabled returns false, then Cluster::NONE is returned.

Returns

The Cluster::NodeType the calling node acts as.

Cluster::log
Type

function (msg: string) : void

Write a message to the cluster logging stream.

Cluster::node_topic
Type

function (name: string) : string

Retrieve the topic associated with a specific node in the cluster.

Name

the name of the cluster node (e.g. “manager”).

Returns

a topic string that may be used to send a message exclusively to a given cluster node.

Cluster::nodeid_topic
Type

function (id: string) : string

Retrieve the topic associated with a specific node in the cluster.

Id

the id of the cluster node (from Broker::EndpointInfo or Broker::node_id).

Returns

a topic string that may be used to send a message exclusively to a given cluster node.

base/frameworks/control/__load__.zeek

Imports

base/frameworks/control/main.zeek

Summary
Detailed Interface

base/frameworks/control/main.zeek

Control

The control framework provides the foundation for “commands” that can be issued remotely at runtime to modify a running Zeek instance or collect information from it.

Namespace

Control

Summary
Redefinable Options

Control::arg: string &redef

This can be used by commands that take an argument.

Control::cmd: string &redef

The command being executed.

Control::commands: set &redef

The commands that can currently be given on the command line for remote control.

Control::controllee_listen: bool &redef

Whether the controllee should call Broker::listen.

Control::host: addr &redef

The address of the host that will be controlled.

Control::host_port: port &redef

The port of the host that will be controlled.

Control::zone_id: string &redef

If Control::host is a non-global IPv6 address and requires a specific RFC 4007 zone_id, it can be set here.

Constants

Control::ignore_ids: set

Variable IDs that are to be ignored by the update process.

Control::topic_prefix: string

The topic prefix used for exchanging control messages via Broker.

Events

Control::configuration_update: event

This event is a wrapper and alias for the Control::configuration_update_request event.

Control::configuration_update_request: event

Inform the remote Zeek instance that its configuration may have been updated.

Control::configuration_update_response: event

Message in response to a configuration update request.

Control::id_value_request: event

Event for requesting the value of an ID (a variable).

Control::id_value_response: event

Event for returning the value of an ID after a Control::id_value_request event.

Control::net_stats_request: event

Requests the current net_stats.

Control::net_stats_response: event

Returns the current net_stats.

Control::peer_status_request: event

Requests the current communication status.

Control::peer_status_response: event

Returns the current communication status.

Control::shutdown_request: event

Requests that the Zeek instance begins shutting down.

Control::shutdown_response: event

Message in response to a shutdown request.

Detailed Interface
Redefinable Options
Control::arg
Type

string

Attributes

&redef

Default

""

This can be used by commands that take an argument.

Control::cmd
Type

string

Attributes

&redef

Default

""

The command being executed. It’s typically set on the command line.

Control::commands
Type

set [string]

Attributes

&redef

Default
{
   "peer_status",
   "id_value",
   "net_stats",
   "configuration_update",
   "shutdown"
}

The commands that can currently be given on the command line for remote control.

Control::controllee_listen
Type

bool

Attributes

&redef

Default

T

Whether the controllee should call Broker::listen. In a cluster, this isn’t needed since the setup process calls it.

Control::host
Type

addr

Attributes

&redef

Default

0.0.0.0

The address of the host that will be controlled.

Control::host_port
Type

port

Attributes

&redef

Default

0/tcp

The port of the host that will be controlled.

Control::zone_id
Type

string

Attributes

&redef

Default

""

If Control::host is a non-global IPv6 address and requires a specific RFC 4007 zone_id, it can be set here.

Constants
Control::ignore_ids
Type

set [string]

Default

{}

Variable IDs that are to be ignored by the update process.

Control::topic_prefix
Type

string

Default

"zeek/control"

The topic prefix used for exchanging control messages via Broker.

Events
Control::configuration_update
Type

event ()

This event is a wrapper and alias for the Control::configuration_update_request event. This event is also a primary hooking point for the control framework.

Control::configuration_update_request
Type

event ()

Inform the remote Zeek instance that its configuration may have been updated.

Control::configuration_update_response
Type

event ()

Message in response to a configuration update request.

Control::id_value_request
Type

event (id: string)

Event for requesting the value of an ID (a variable).

Control::id_value_response
Type

event (id: string, val: string)

Event for returning the value of an ID after a Control::id_value_request event.

Control::net_stats_request
Type

event ()

Requests the current net_stats.

Control::net_stats_response
Type

event (s: string)

Returns the current net_stats.

Control::peer_status_request
Type

event ()

Requests the current communication status.

Control::peer_status_response
Type

event (s: string)

Returns the current communication status.

Control::shutdown_request
Type

event ()

Requests that the Zeek instance begins shutting down.

Control::shutdown_response
Type

event ()

Message in response to a shutdown request.

base/frameworks/cluster/pools.zeek

Cluster

Defines an interface for managing pools of cluster nodes. Pools are a useful way to distribute work or data among nodes within a cluster.

Namespace

Cluster

Imports

base/frameworks/cluster/main.zeek, base/utils/hash_hrw.zeek

Summary
State Variables

Cluster::logger_pool: Cluster::Pool

A pool containing all the logger nodes of a cluster.

Cluster::logger_pool_spec: Cluster::PoolSpec &redef

The specification for Cluster::logger_pool.

Cluster::proxy_pool: Cluster::Pool

A pool containing all the proxy nodes of a cluster.

Cluster::proxy_pool_spec: Cluster::PoolSpec &redef

The specification for Cluster::proxy_pool.

Cluster::worker_pool: Cluster::Pool

A pool containing all the worker nodes of a cluster.

Cluster::worker_pool_spec: Cluster::PoolSpec &redef

The specification for Cluster::worker_pool.

Types

Cluster::PoolNode: record

Stores the state of a cluster node within the context of a work pool.

Cluster::PoolNodeTable: table

Cluster::PoolSpec: record

A pool specification.

Cluster::RoundRobinTable: table

Functions

Cluster::hrw_topic: function

Retrieve the topic associated with the node mapped via Rendezvous hash of an arbitrary key.

Cluster::register_pool: function

Registers and initializes a pool.

Cluster::rr_log_topic: function

Distributes log message topics among logger nodes via round-robin.

Cluster::rr_topic: function

Retrieve the topic associated with the node in a round-robin fashion.

Detailed Interface
State Variables
Cluster::logger_pool
Type

Cluster::Pool

Default
{
   spec=[topic="", node_type=Cluster::PROXY, max_nodes=<uninitialized>, exclusive=F]
   nodes={

   }
   node_list=[]
   hrw_pool=[sites={

   }]
   rr_key_seq={

   }
   alive_count=0
}

A pool containing all the logger nodes of a cluster. The pool’s node membership/availability is automatically maintained by the cluster framework.

Cluster::logger_pool_spec
Type

Cluster::PoolSpec

Attributes

&redef

Default
{
   topic="zeek/cluster/pool/logger"
   node_type=Cluster::LOGGER
   max_nodes=<uninitialized>
   exclusive=F
}

The specification for Cluster::logger_pool.

Cluster::proxy_pool
Type

Cluster::Pool

Default
{
   spec=[topic="", node_type=Cluster::PROXY, max_nodes=<uninitialized>, exclusive=F]
   nodes={

   }
   node_list=[]
   hrw_pool=[sites={

   }]
   rr_key_seq={

   }
   alive_count=0
}

A pool containing all the proxy nodes of a cluster. The pool’s node membership/availability is automatically maintained by the cluster framework.

Cluster::proxy_pool_spec
Type

Cluster::PoolSpec

Attributes

&redef

Default
{
   topic="zeek/cluster/pool/proxy"
   node_type=Cluster::PROXY
   max_nodes=<uninitialized>
   exclusive=F
}

The specification for Cluster::proxy_pool.

Cluster::worker_pool
Type

Cluster::Pool

Default
{
   spec=[topic="", node_type=Cluster::PROXY, max_nodes=<uninitialized>, exclusive=F]
   nodes={

   }
   node_list=[]
   hrw_pool=[sites={

   }]
   rr_key_seq={

   }
   alive_count=0
}

A pool containing all the worker nodes of a cluster. The pool’s node membership/availability is automatically maintained by the cluster framework.

Cluster::worker_pool_spec
Type

Cluster::PoolSpec

Attributes

&redef

Default
{
   topic="zeek/cluster/pool/worker"
   node_type=Cluster::WORKER
   max_nodes=<uninitialized>
   exclusive=F
}

The specification for Cluster::worker_pool.

Types
Cluster::PoolNode
Type

record

name: string

The node name (e.g. “manager”).

alias: string

An alias of name used to prevent hashing collisions when creating site_id.

site_id: count

A 32-bit unique identifier for the pool node, derived from name/alias.

alive: bool &default = F &optional

Whether the node is currently alive and can receive work.

Stores the state of a cluster node within the context of a work pool.

Cluster::PoolNodeTable
Type

table [string] of Cluster::PoolNode

Cluster::PoolSpec
Type

record

topic: string &default = "" &optional

A topic string that can be used to reach all nodes within a pool.

node_type: Cluster::NodeType &default = Cluster::PROXY &optional

The type of nodes that are contained within the pool.

max_nodes: count &optional

The maximum number of nodes that may belong to the pool. If not set, all available nodes are added to the pool; otherwise the cluster framework automatically limits pool membership to this threshold.

exclusive: bool &default = F &optional

Whether the pool requires exclusive access to nodes. If true, then max_nodes nodes will not be assigned to any other pool. When using this flag, max_nodes must also be set.

A pool specification.

Cluster::RoundRobinTable
Type

table [string] of int

Functions
Cluster::hrw_topic
Type

function (pool: Cluster::Pool, key: any) : string

Retrieve the topic associated with the node mapped via Rendezvous hash of an arbitrary key.

Pool

the pool of nodes to consider.

Key

data used for input to the hashing function that will uniformly distribute keys among available nodes.

Returns

a topic string associated with a cluster node that is alive or an empty string if nothing is alive.

Cluster::register_pool
Type

function (spec: Cluster::PoolSpec) : Cluster::Pool

Registers and initializes a pool.

Cluster::rr_log_topic
Type

function (id: Log::ID, path: string) : string

Distributes log message topics among logger nodes via round-robin. This will be automatically assigned to Broker::log_topic if Cluster::enable_round_robin_logging is enabled. If no logger nodes are active, then this will return the value of Broker::default_log_topic.

Cluster::rr_topic
Type

function (pool: Cluster::Pool, key: string &default = "" &optional) : string

Retrieve the topic associated with the node in a round-robin fashion.

Pool

the pool of nodes to consider.

Key

an arbitrary string to identify the purpose for which you’re requesting the topic. For example, consider using a name-spaced key like “Intel::cluster_rr_key” if you need to guarantee that a group of messages get distributed in a well-defined pattern without other messages being interleaved within the round-robin. Usually sharing the default key is fine for load-balancing purposes.

Returns

a topic string associated with a cluster node that is alive, or an empty string if nothing is alive.
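As an added example that is not part of the Zeek distribution, the pool API above used end to end: a Cluster::PoolSpec limited to two proxy nodes is registered with Cluster::register_pool, workers route per-host observations to a proxy chosen by Cluster::hrw_topic (so every observation for one host lands on the same node), and the empty-string return that hrw_topic documents for "nothing is alive" is handled rather than published to. The Example module, its event, the pool topic and the aggregation logic are all hypothetical.

```zeek
# Added example (not part of Zeek). Everything in the Example module is a
# hypothetical placeholder.
module Example;

export {
    ## Carried from workers to the proxy that owns the host's hash slot.
    global seen_host: event(host: addr, n: count);
}

# Pool spec: at most two proxies, not exclusive, so the same nodes may also
# serve Cluster::proxy_pool. Registering from a global initialiser runs at
# script load time, ahead of the framework's zeek_init handlers that compute
# pool membership.
global agg_pool_spec: Cluster::PoolSpec = Cluster::PoolSpec(
    $topic = "example/pool/aggregators",
    $node_type = Cluster::PROXY,
    $max_nodes = 2);

global agg_pool: Cluster::Pool = Cluster::register_pool(agg_pool_spec);

@if ( Cluster::local_node_type() == Cluster::WORKER )
# Worker side: rendezvous-hash the originator address onto a live pool node.
event connection_established(c: connection)
    {
    local topic = Cluster::hrw_topic(agg_pool, c$id$orig_h);

    # Documented failure mode: "" means no node in the pool is alive.
    # Publishing to an empty topic would vanish without a trace, so record
    # the gap in cluster.log and return instead.
    if ( topic == "" )
        {
        Cluster::log(fmt("no aggregator alive; dropped observation for %s",
                         c$id$orig_h));
        return;
        }

    Broker::publish(topic, Example::seen_host, c$id$orig_h, 1);
    }
@endif

@if ( Cluster::local_node_type() == Cluster::PROXY )
# Proxy side: because routing is by hash of the host, each proxy holds the
# complete count for the hosts it owns, with no cross-node merging needed.
global counts: table[addr] of count &default = 0;

event Example::seen_host(host: addr, n: count)
    {
    counts[host] += n;
    }
@endif
```

Using Cluster::rr_topic(agg_pool, "Example::rr") instead of hrw_topic would spread the same events evenly across the live proxies; that is the right choice when the receiver does not need to see all messages for one key, and the wrong one here, where the per-host count would be split across nodes. Note also that a pool's membership is recomputed as nodes come and go, so a key can move to a different proxy after a node failure; state keyed on hrw placement should tolerate that.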

base/frameworks/notice/weird.zeek

Weird

This script provides a default set of actions to take for “weird activity” events generated from Zeek’s event engine. Weird activity is defined as unusual or exceptional activity that can indicate malformed connections, traffic that doesn’t conform to a particular protocol, malfunctioning or misconfigured hardware, or even an attacker attempting to avoid/confuse a sensor. Without context, it’s hard to judge whether a particular category of weird activity is interesting, but this script provides a starting point for the user.

Namespace

Weird

Imports

base/frameworks/notice/main.zeek, base/utils/conn-ids.zeek, base/utils/site.zeek

Summary
Runtime Options

Weird::ignore_hosts: set &redef

To completely ignore a specific weird for a host, add the host and weird name into this set.

Weird::weird_do_not_ignore_repeats: set &redef

Don’t ignore repeats for weirds in this set.

Redefinable Options

Weird::actions: table &default = Weird::ACTION_LOG &redef

A table specifying default/recommended actions per weird type.

State Variables

Weird::did_log: set &create_expire = 1.0 day &redef

A state set which tracks unique weirds solely by name to reduce duplicate logging.

Weird::did_notice: set &create_expire = 1.0 day &redef

A state set which tracks unique weirds solely by name to reduce duplicate notices from being raised.

Weird::weird_ignore: set &create_expire = 10.0 mins &redef

This table is used to track identifier and name pairs that should be temporarily ignored because the problem has already been reported.

Types

Weird::Action: enum

Types of actions that may be taken when handling weird activity events.

Weird::Info: record

The record which is used for representing and logging weirds.

Redefinitions

Log::ID: enum

The weird logging stream identifier.

Notice::Type: enum

Events

Weird::log_weird: event

Handlers of this event are invoked once per write to the weird logging stream before the data is actually written.

Hooks

Weird::log_policy: Log::PolicyHook

A default logging policy hook for the stream.

Functions

Weird::weird: function

Detailed Interface
Runtime Options
Weird::ignore_hosts
Type

set [addr, string]

Attributes

&redef

Default

{}

To completely ignore a specific weird for a host, add the host and weird name into this set.

Weird::weird_do_not_ignore_repeats
Type

set [string]

Attributes

&redef

Default
{
   "bad_ICMP_checksum",
   "bad_UDP_checksum",
   "bad_TCP_checksum",
   "bad_IP_checksum"
}

Don’t ignore repeats for weirds in this set. For example, it’s handy keeping track of clustered checksum errors.
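Tuning the two runtime options above and Weird::actions in a site's local policy, as an added example that is not part of the Zeek distribution. The host address is a placeholder; the weird names and action values are the ones that appear in this framework's documented defaults.

```zeek
# Added example (not part of Zeek). The address is a placeholder.

# One host whose NIC checksum offloading makes every segment look corrupt to
# the sensor: suppress that single weird for that single host only, instead of
# turning off bad_TCP_checksum for the whole network and blinding the sensor
# to genuinely mangled traffic elsewhere.
redef Weird::ignore_hosts += {
    [192.0.2.10, "bad_TCP_checksum"],
};

# Repeats of RST_with_data are worth seeing every time rather than once per
# expiry window of Weird::weird_ignore, so exempt it from repeat suppression.
redef Weird::weird_do_not_ignore_repeats += { "RST_with_data" };

# Raise a notice (once per originator) for a weird the default config only
# logs, and lower a chatty one from a log line per event to one per originator.
redef Weird::actions += {
    ["possible_split_routing"] = Weird::ACTION_NOTICE_PER_ORIG,
    ["SYN_inside_connection"]  = Weird::ACTION_LOG_PER_ORIG,
};
```

The pattern to follow is narrowing first (one host, one weird) and widening only with evidence: Weird::ignore_hosts removes a weird from the log entirely for that host, so each entry is a deliberate blind spot and should be recorded as such alongside the reason for it.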

Redefinable Options
Weird::actions
Type

table [string] of Weird::Action

Attributes

&default = Weird::ACTION_LOG &redef

Default
{
   ["bad_ICMP_checksum"] = Weird::ACTION_LOG_PER_ORIG,
   ["truncated_IP"] = Weird::ACTION_LOG,
   ["data_after_reset"] = Weird::ACTION_LOG,
   ["data_before_established"] = Weird::ACTION_LOG,
   ["irc_invalid_oper_message_format"] = Weird::ACTION_LOG,
   ["irc_invalid_whois_user_line"] = Weird::ACTION_LOG,
   ["FTP_too_many_pending_commands"] = Weird::ACTION_LOG_PER_CONN,
   ["DNS_label_len_gt_name_len"] = Weird::ACTION_LOG_PER_ORIG,
   ["FTP_max_command_length_exceeded"] = Weird::ACTION_LOG_PER_CONN,
   ["irc_invalid_dcc_message_format"] = Weird::ACTION_LOG,
   ["netbios_server_session_request"] = Weird::ACTION_LOG,
   ["RPC_rexmit_inconsistency"] = Weird::ACTION_LOG,
   ["unpaired_RPC_response"] = Weird::ACTION_LOG,
   ["SYN_inside_connection"] = Weird::ACTION_LOG,
   ["excessively_large_fragment"] = Weird::ACTION_LOG,
   ["truncated_header"] = Weird::ACTION_LOG,
   ["contentline_size_exceeded"] = Weird::ACTION_LOG,
   ["smtp_mail_transaction_invalid"] = Weird::ACTION_LOG_PER_CONN,
   ["unescaped_%_in_URI"] = Weird::ACTION_LOG,
   ["fragment_overlap"] = Weird::ACTION_LOG_PER_ORIG,
   ["smb_tree_connect_andx_response_without_tree"] = Weird::ACTION_LOG_PER_CONN,
   ["bad_TCP_checksum"] = Weird::ACTION_LOG_PER_ORIG,
   ["pop3_client_command_unknown"] = Weird::ACTION_LOG,
   ["TCP_christmas"] = Weird::ACTION_LOG,
   ["irc_invalid_notice_message_format"] = Weird::ACTION_LOG,
   ["partial_RPC"] = Weird::ACTION_LOG_PER_ORIG,
   ["irc_invalid_kick_message_format"] = Weird::ACTION_LOG,
   ["excess_RPC"] = Weird::ACTION_LOG_PER_ORIG,
   ["invalid_irc_global_users_reply"] = Weird::ACTION_LOG,
   ["FTP_reply_msg_too_long"] = Weird::ACTION_LOG_PER_CONN,
   ["bad_rsh_prolog"] = Weird::ACTION_LOG,
   ["irc_line_too_short"] = Weird::ACTION_LOG,
   ["UDP_datagram_length_mismatch"] = Weird::ACTION_LOG_PER_ORIG,
   ["bad_ident_reply"] = Weird::ACTION_LOG,
   ["fragment_with_DF"] = Weird::ACTION_LOG,
   ["irc_invalid_invite_message_format"] = Weird::ACTION_LOG,
   ["premature_connection_reuse"] = Weird::ACTION_LOG,
   ["fragment_size_inconsistency"] = Weird::ACTION_LOG_PER_ORIG,
   ["smtp_excessive_invalid_mail_transactions"] = Weird::ACTION_LOG_PER_CONN,
   ["SYN_with_data"] = Weird::ACTION_LOG_PER_ORIG,
   ["DNS_RR_length_mismatch"] = Weird::ACTION_LOG,
   ["irc_invalid_whois_operator_line"] = Weird::ACTION_LOG,
   ["base64_illegal_encoding"] = Weird::ACTION_LOG,
   ["bad_ident_port"] = Weird::ACTION_LOG,
   ["simultaneous_open"] = Weird::ACTION_LOG_PER_CONN,
   ["ident_request_addendum"] = Weird::ACTION_LOG,
   ["DNS_truncated_quest_too_short"] = Weird::ACTION_LOG,
   ["illegal_%_at_end_of_URI"] = Weird::ACTION_LOG,
   ["pop3_server_sending_client_commands"] = Weird::ACTION_LOG,
   ["irc_invalid_mode_message_format"] = Weird::ACTION_LOG,
   ["SYN_after_close"] = Weird::ACTION_LOG,
   ["window_recision"] = Weird::ACTION_LOG,
   ["inflate_failed"] = Weird::ACTION_LOG,
   ["DNS_truncated_len_lt_hdr_len"] = Weird::ACTION_LOG,
   ["irc_invalid_privmsg_message_format"] = Weird::ACTION_LOG,
   ["pending_data_when_closed"] = Weird::ACTION_LOG,
   ["excessive_data_without_further_acks"] = Weird::ACTION_LOG,
   ["netbios_raw_session_msg"] = Weird::ACTION_LOG,
   ["responder_RPC_call"] = Weird::ACTION_LOG_PER_ORIG,
   ["SYN_after_reset"] = Weird::ACTION_LOG,
   ["bad_SYN_ack"] = Weird::ACTION_LOG,
   ["unsolicited_SYN_response"] = Weird::ACTION_IGNORE,
   ["line_terminated_with_single_LF"] = Weird::ACTION_LOG,
   ["irc_invalid_names_line"] = Weird::ACTION_LOG,
   ["DNS_RR_unknown_type"] = Weird::ACTION_LOG,
   ["repeated_SYN_reply_wo_ack"] = Weird::ACTION_LOG,
   ["bad_HTTP_reply"] = Weird::ACTION_LOG,
   ["FIN_storm"] = Weird::ACTION_NOTICE_PER_ORIG,
   ["NUL_in_line"] = Weird::ACTION_LOG,
   ["pop3_server_command_unknown"] = Weird::ACTION_LOG,
   ["fragment_inconsistency"] = Weird::ACTION_LOG_PER_ORIG,
   ["FIN_advanced_last_seq"] = Weird::ACTION_LOG,
   ["baroque_SYN"] = Weird::ACTION_LOG,
   ["unexpected_multiple_HTTP_requests"] = Weird::ACTION_LOG,
   ["unknown_netbios_type"] = Weird::ACTION_LOG,
   ["FTP_user_too_long"] = Weird::ACTION_LOG_PER_CONN,
   ["bad_RPC"] = Weird::ACTION_LOG_PER_ORIG,
   ["incompletely_captured_fragment"] = Weird::ACTION_LOG,
   ["irc_too_many_invalid"] = Weird::ACTION_LOG,
   ["DNS_AAAA_neg_length"] = Weird::ACTION_LOG,
   ["SYN_seq_jump"] = Weird::ACTION_LOG,
   ["malformed_ssh_version"] = Weird::ACTION_LOG,
   ["bad_rlogin_prolog"] = Weird::ACTION_LOG,
   ["unmatched_HTTP_reply"] = Weird::ACTION_LOG,
   ["possible_split_routing"] = Weird::ACTION_LOG,
   ["irc_invalid_who_message_format"] = Weird::ACTION_LOG,
   ["HTTP_chunked_transfer_for_multipart_message"] = Weird::ACTION_LOG,
   ["FTP_arg_too_long"] = Weird::ACTION_LOG_PER_CONN,
   ["irc_invalid_njoin_line"] = Weird::ACTION_LOG,
   ["line_terminated_with_single_CR"] = Weird::ACTION_LOG,
   ["HTTP_overlapping_messages"] = Weird::ACTION_LOG,
   ["deficit_netbios_hdr_len"] = Weird::ACTION_LOG,
   ["irc_invalid_reply_number"] = Weird::ACTION_LOG,
   ["repeated_SYN_with_ack"] = Weird::ACTION_LOG,
   ["malformed_ssh_identification"] = Weird::ACTION_LOG,
   ["RPC_underflow"] = Weird::ACTION_LOG,
   ["unexpected_server_HTTP_data"] = Weird::ACTION_LOG,
   ["DNS_RR_bad_length"] = Weird::ACTION_LOG,
   ["SSL_many_server_names"] = Weird::ACTION_LOG,
   ["irc_invalid_whois_channel_line"] = Weird::ACTION_LOG,
   ["irc_line_size_exceeded"] = Weird::ACTION_LOG,
   ["DNS_label_len_gt_pkt"] = Weird::ACTION_LOG_PER_ORIG,
   ["DNS_Conn_count_too_large"] = Weird::ACTION_LOG,
   ["irc_invalid_command"] = Weird::ACTION_LOG,
   ["inappropriate_FIN"] = Weird::ACTION_LOG,
   ["transaction_subcmd_missing"] = Weird::ACTION_LOG,
   ["HTTP_version_mismatch"] = Weird::ACTION_LOG,
   ["irc_invalid_join_line"] = Weird::ACTION_LOG,
   ["multiple_HTTP_request_elements"] = Weird::ACTION_LOG,
   ["rlogin_text_after_rejected"] = Weird::ACTION_LOG,
   ["spontaneous_RST"] = Weird::ACTION_IGNORE,
   ["bad_IP_checksum"] = Weird::ACTION_LOG_PER_ORIG,
   ["no_smb_session_using_parsesambamsg"] = Weird::ACTION_LOG,
   ["unexpected_client_HTTP_data"] = Weird::ACTION_LOG,
   ["SMB_parsing_error"] = Weird::ACTION_LOG,
   ["partial_ftp_request"] = Weird::ACTION_LOG,
   ["double_%_in_URI"] = Weird::ACTION_LOG,
   ["truncated_NTP"] = Weird::ACTION_LOG,
   ["internally_truncated_header"] = Weird::ACTION_LOG,
   ["partial_finger_request"] = Weird::ACTION_LOG,
   ["irc_invalid_squery_message_format"] = Weird::ACTION_LOG,
   ["DNS_label_forward_compress_offset"] = Weird::ACTION_LOG_PER_ORIG,
   ["connection_originator_SYN_ack"] = Weird::ACTION_LOG_PER_ORIG,
   ["excessively_small_fragment"] = Weird::ACTION_LOG_PER_ORIG,
   ["irc_invalid_line"] = Weird::ACTION_LOG,
   ["DNS_label_too_long"] = Weird::ACTION_LOG_PER_ORIG,
   ["bad_ident_request"] = Weird::ACTION_LOG,
   ["irc_invalid_who_line"] = Weird::ACTION_LOG,
   ["DNS_truncated_ans_too_short"] = Weird::ACTION_LOG,
   ["RST_with_data"] = Weird::ACTION_LOG,
   ["FTP_password_too_long"] = Weird::ACTION_LOG_PER_CONN,
   ["above_hole_data_without_any_acks"] = Weird::ACTION_LOG,
   ["bad_UDP_checksum"] = Weird::ACTION_LOG_PER_ORIG,
   ["partial_ident_request"] = Weird::ACTION_LOG,
   ["DNS_truncated_RR_rdlength_lt_len"] = Weird::ACTION_LOG,
   ["bad_RPC_program"] = Weird::ACTION_LOG,
   ["irc_invalid_topic_reply"] = Weird::ACTION_LOG,
   ["unescaped_special_URI_char"] = Weird::ACTION_LOG,
   ["successful_RPC_reply_to_invalid_request"] = Weird::ACTION_NOTICE_PER_ORIG,
   ["smb_andx_command_failed_to_parse"] = Weird::ACTION_LOG,
   ["DNS_NAME_too_long"] = Weird::ACTION_LOG,
   ["crud_trailing_HTTP_request"] = Weird::ACTION_LOG,
   ["spontaneous_FIN"] = Weird::ACTION_IGNORE,
   ["rsh_text_after_rejected"] = Weird::ACTION_LOG,
   ["pop3_malformed_auth_plain"] = Weird::ACTION_LOG,
   ["bad_HTTP_version"] = Weird::ACTION_LOG,
   ["bad_TCP_header_len"] = Weird::ACTION_LOG,
   ["unknown_HTTP_method"] = Weird::ACTION_LOG,
   ["netbios_client_session_reply"] = Weird::ACTION_LOG,
   ["SYN_after_partial"] = Weird::ACTION_NOTICE_PER_ORIG,
   ["irc_invalid_whois_message_format"] = Weird::ACTION_LOG,
   ["excess_netbios_hdr_len"] = Weird::ACTION_LOG,
   ["pop3_client_sending_server_commands"] = Weird::ACTION_LOG,
   ["RST_storm"] = Weird::ACTION_LOG,
   ["fragment_protocol_inconsistency"] = Weird::ACTION_LOG,
   ["originator_RPC_reply"] = Weird::ACTION_LOG_PER_ORIG,
   ["pop3_bad_base64_encoding"] = Weird::ACTION_LOG,
   ["active_connection_reuse"] = Weird::ACTION_LOG,
   ["FIN_after_reset"] = Weird::ACTION_IGNORE,
   ["truncated_ARP"] = Weird::ACTION_LOG,
   ["HTTP_bad_chunk_size"] = Weird::ACTION_LOG
}

A table specifying default/recommended actions per weird type.

State Variables
Weird::did_log
Type

set [string, string]

Attributes

&create_expire = 1.0 day &redef

Default

{}

A state set which tracks unique weirds solely by name to reduce duplicate logging. This is deliberately not synchronized because it could cause overload during storms.

Weird::did_notice
Type

set [string, string]

Attributes

&create_expire = 1.0 day &redef

Default

{}

A state set which tracks unique weirds solely by name to reduce duplicate notices from being raised.

Weird::weird_ignore
Type

set [string, string]

Attributes

&create_expire = 10.0 mins &redef

Default

{}

This set tracks identifier and name pairs that should be temporarily ignored because the problem has already been reported. It reduces the volume of high-volume weirds by allowing a given weird only once per create_expire interval.

Types
Weird::Action
Type

enum

Weird::ACTION_UNSPECIFIED

A dummy action indicating the user does not care what internal decision is made regarding a given type of weird.

Weird::ACTION_IGNORE

No action is to be taken.

Weird::ACTION_LOG

Log the weird event every time it occurs.

Weird::ACTION_LOG_ONCE

Log the weird event only once.

Weird::ACTION_LOG_PER_CONN

Log the weird event once per connection.

Weird::ACTION_LOG_PER_ORIG

Log the weird event once per originator host.

Weird::ACTION_NOTICE

Always generate a notice associated with the weird event.

Weird::ACTION_NOTICE_ONCE

Generate a notice associated with the weird event only once.

Weird::ACTION_NOTICE_PER_CONN

Generate a notice for the weird event once per connection.

Weird::ACTION_NOTICE_PER_ORIG

Generate a notice for the weird event once per originator host.

Types of actions that may be taken when handling weird activity events.

Weird::Info
Type

record

ts: time &log

The time when the weird occurred.

uid: string &log &optional

If a connection is associated with this weird, this will be the connection’s unique ID.

id: conn_id &log &optional

conn_id for the optional connection.

conn: connection &optional

A shorthand way of giving the uid and id to a weird.

name: string &log

The name of the weird that occurred.

addl: string &log &optional

Additional information accompanying the weird if any.

notice: bool &log &default = F &optional

Indicate if this weird was also turned into a notice.

peer: string &log &optional &default = peer_description

The peer that originated this weird. In cluster deployments this helps identify which node is having trouble.

source: string &log &optional

The source of the weird. When reported by an analyzer, this should be the name of the analyzer.

identifier: string &optional

This field is to be provided when a weird is generated for the purpose of deduplicating weirds. The identifier string should be unique for a single instance of the weird. This field is used to define when a weird is conceptually a duplicate of a previous weird.

The record which is used for representing and logging weirds.

Events
Weird::log_weird
Type

event (rec: Weird::Info)

Handlers of this event are invoked once per write to the weird logging stream before the data is actually written.

Rec

The weird columns about to be logged to the weird stream.

Hooks
Weird::log_policy
Type

Log::PolicyHook

A default logging policy hook for the stream.

Functions
Weird::weird
Type

function (w: Weird::Info) : void
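
As an added example (not part of Zeek's own scripts), the following policy script escalates two built-in weirds via Weird::actions, raises a constructed weird from script land through Weird::weird with an identifier so the framework can deduplicate it, and tallies weird.log entries per originator. The weird name "example_resp_port_zero" and the trigger condition are constructed for this example.

```zeek
# Added example, not part of Zeek's own scripts: tune per-weird actions and
# raise a custom weird from script land with an identifier for deduplication.
@load base/frameworks/notice

redef Weird::actions += {
    # Checksum and header problems often mean spoofing or a broken middlebox,
    # so escalate them to a notice, once per originator / per connection.
    ["bad_IP_checksum"] = Weird::ACTION_NOTICE_PER_ORIG,
    ["bad_TCP_header_len"] = Weird::ACTION_NOTICE_PER_CONN,
    # Constructed name for the weird raised below.
    ["example_resp_port_zero"] = Weird::ACTION_LOG
};

event connection_established(c: connection)
    {
    # Constructed condition: a connection to TCP port 0 is never legitimate.
    if ( c$id$resp_p != 0/tcp )
        return;

    Weird::weird([$ts=network_time(),
                  $name="example_resp_port_zero",
                  # $conn is the shorthand that fills in $uid and $id.
                  $conn=c,
                  $addl=fmt("resp=%s", c$id$resp_h),
                  # The same name+identifier pair seen again within the
                  # create_expire window of Weird::weird_ignore is a duplicate.
                  $identifier=cat(c$id$orig_h, "-", c$id$resp_h),
                  $source="example.zeek"]);
    }

# Count weird.log entries per originator as they are written.
global weird_counts: table[addr] of count &default=0;

event Weird::log_weird(rec: Weird::Info)
    {
    if ( rec?$id )
        ++weird_counts[rec$id$orig_h];
    }
```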

base/frameworks/notice/actions/email_admin.zeek

Notice

Adds a new notice action type which can be used to email notices to the administrators of a particular address space as set by Site::local_admins if the notice contains a source or destination address that lies within their space.

Namespace

Notice

Imports

base/frameworks/notice/main.zeek, base/utils/site.zeek

Summary
Redefinitions

Notice::Action: enum

  • Notice::ACTION_EMAIL_ADMIN: Indicate that the generated email should be addressed to the appropriate email addresses as found by the Site::get_emails function based on the relevant address or addresses indicated in the notice.

Detailed Interface

base/frameworks/notice/actions/page.zeek

Notice

Allows configuration of a pager email address to which notices can be sent.

Namespace

Notice

Imports

base/frameworks/notice/main.zeek

Summary
Runtime Options

Notice::mail_page_dest: string &redef

Email address to send notices with the Notice::ACTION_PAGE action.

Redefinitions

Notice::Action: enum

Detailed Interface
Runtime Options
Notice::mail_page_dest
Type

string

Attributes

&redef

Default

""

Email address to send notices with the Notice::ACTION_PAGE action.

base/frameworks/notice/actions/add-geodata.zeek

Notice

This script adds geographic location data to notices for the “remote” host in a connection. It assumes that one of the addresses in a connection is “local” and the other is “remote”, which is probably a safe assumption in most cases. If both addresses are remote, it uses the $src address.

Namespace

Notice

Imports

base/frameworks/notice, base/frameworks/notice/main.zeek, base/utils/site.zeek

Summary
Runtime Options

Notice::lookup_location_types: set &redef

Notice types which should have the “remote” location looked up.

Redefinitions

Notice::Action: enum

Notice::Info: record

New Fields

Notice::Info

remote_location: geo_location &log &optional

If GeoIP support is built in, notices can have geographic information attached to them.

Detailed Interface
Runtime Options
Notice::lookup_location_types
Type

set [Notice::Type]

Attributes

&redef

Default

{}

Notice types which should have the “remote” location looked up. If GeoIP support is not built in, this does nothing.
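
As an added example (not from Zeek's distribution) covering the page, email_admin and add-geodata actions above, the script below defines a constructed notice type, routes it to the pager address and to the admins of the affected local subnet, and asks for GeoIP data on the remote side. The addresses, the admin mapping and the notice type Example::Suspicious_Login are constructed.

```zeek
# Added example, not part of Zeek's own scripts: page on-call staff, e-mail the
# admins of the affected local subnet, and attach GeoIP data for one notice type.
# base/frameworks/notice also loads actions/page, email_admin and add-geodata.
@load base/frameworks/notice

module Example;

export {
    redef enum Notice::Type += {
        # Constructed notice type for this example.
        Suspicious_Login
    };
}

# Constructed addresses; replace with your own.
redef Notice::mail_page_dest = "oncall-pager@example.invalid";
redef Site::local_nets += { 192.0.2.0/24 };
redef Site::local_admins += { [192.0.2.0/24] = set("netops@example.invalid") };

# Ask add-geodata to look up the "remote" side of this notice type.
redef Notice::lookup_location_types += { Example::Suspicious_Login };

hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == Example::Suspicious_Login )
        {
        # ACTION_PAGE mails Notice::mail_page_dest; ACTION_EMAIL_ADMIN resolves
        # recipients via Site::get_emails from the notice's src/dst addresses.
        add n$actions[Notice::ACTION_PAGE];
        add n$actions[Notice::ACTION_EMAIL_ADMIN];
        }
    }

event ssh_auth_successful(c: connection, auth_method_none: bool)
    {
    # Constructed trigger: a successful SSH login into local space from outside.
    if ( Site::is_local_addr(c$id$orig_h) || ! Site::is_local_addr(c$id$resp_h) )
        return;

    NOTICE([$note=Example::Suspicious_Login,
            $conn=c,
            $msg=fmt("SSH login to %s from non-local %s", c$id$resp_h, c$id$orig_h),
            $identifier=cat(c$id$orig_h, c$id$resp_h)]);
    }
```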

base/frameworks/notice/actions/pp-alarms.zeek

Notice

Notice extension that mails out a pretty-printed version of notice_alarm.log in regular intervals, formatted for better human readability. If activated, that replaces the default summary mail having the raw log output.

Namespace

Notice

Imports

base/frameworks/cluster, base/frameworks/notice/main.zeek

Summary
Redefinable Options

Notice::mail_dest_pretty_printed: string &redef

Address to send the pretty-printed reports to.

Notice::pretty_print_alarms: bool &redef

Activate pretty-printed alarm summaries.

State Variables

Notice::flag_nets: set &redef

If an address from one of these networks is reported, we mark the entry with an additional quote symbol (i.e., “>”).

Notice::force_email_summaries: bool &redef

Force generating mail file, even if reading from traces or no mail destination is defined.

Functions

Notice::pretty_print_alarm: function &redef

Function that renders a single alarm.

Detailed Interface
Redefinable Options
Notice::mail_dest_pretty_printed
Type

string

Attributes

&redef

Default

""

Address to send the pretty-printed reports to. Default if not set is Notice::mail_dest.

Note that this is overridden by the ZeekControl MailAlarmsTo option.

Notice::pretty_print_alarms
Type

bool

Attributes

&redef

Default

T

Activate pretty-printed alarm summaries.

State Variables
Notice::flag_nets
Type

set [subnet]

Attributes

&redef

Default

{}

If an address from one of these networks is reported, we mark the entry with an additional quote symbol (i.e., “>”). Many MUAs then highlight such lines differently.

Notice::force_email_summaries
Type

bool

Attributes

&redef

Default

F

Force generating mail file, even if reading from traces or no mail destination is defined. This is mainly for testing.

Functions
Notice::pretty_print_alarm
Type

function (out: file, n: Notice::Info) : void

Attributes

&redef

Function that renders a single alarm. Can be overridden.

base/frameworks/dpd/__load__.zeek

Imports

base/frameworks/dpd/main.zeek

Summary
Detailed Interface

base/frameworks/dpd/main.zeek

DPD

Activates port-independent protocol detection and selectively disables analyzers if protocol violations occur.

Namespace

DPD

Summary
Runtime Options

DPD::ignore_violations: set &redef

Analyzers which you don’t want to throw

DPD::ignore_violations_after: count &redef

Ignore violations which go this many bytes into the connection.

DPD::max_violations: table &default = 5 &optional &redef

Number of protocol violations to tolerate before disabling an analyzer.

Types

DPD::Info: record

The record type defining the columns to log in the DPD logging stream.

DPD::State: record

Ongoing DPD state tracking information.

Redefinitions

Log::ID: enum

Add the DPD logging stream identifier.

connection: record

New Fields

connection

dpd: DPD::Info &optional

dpd_state: DPD::State &optional

Hooks

DPD::log_policy: Log::PolicyHook

A default logging policy hook for the stream.

Detailed Interface
Runtime Options
DPD::ignore_violations
Type

set [Analyzer::Tag]

Attributes

&redef

Default

{}

Redefinition

from base/protocols/dce-rpc/main.zeek

+=:

Analyzer::ANALYZER_DCE_RPC
Redefinition

from base/protocols/ntlm/main.zeek

+=:

Analyzer::ANALYZER_NTLM

Analyzers which you don’t want to throw

DPD::ignore_violations_after
Type

count

Attributes

&redef

Default

10240

Ignore violations which go this many bytes into the connection. Set to 0 to never ignore protocol violations.

DPD::max_violations
Type

table [Analyzer::Tag] of count

Attributes

&default = 5 &optional &redef

Default

{}

Number of protocol violations to tolerate before disabling an analyzer.

Types
DPD::Info
Type

record

ts: time &log

Timestamp for when protocol analysis failed.

uid: string &log

Connection unique ID.

id: conn_id &log

Connection ID containing the 4-tuple which identifies endpoints.

proto: transport_proto &log

Transport protocol for the violation.

analyzer: string &log

The analyzer that generated the violation.

failure_reason: string &log

The textual reason for the analysis failure.

packet_segment: string &optional &log

(present if policy/frameworks/dpd/packet-segment-logging.zeek is loaded)

A chunk of the payload that most likely resulted in the analyzer violation.

The record type defining the columns to log in the DPD logging stream.

DPD::State
Type

record

violations: table [count] of count

Current number of protocol violations seen per analyzer instance.

Ongoing DPD state tracking information.

Hooks
DPD::log_policy
Type

Log::PolicyHook

A default logging policy hook for the stream.
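
As an added example (not part of Zeek's own scripts) of the DPD options and hook documented above, this script raises the violation budget for one analyzer, disables the byte-offset cutoff, vetoes dpd.log records from analyzers you do not investigate, and tallies violations per analyzer from the c$dpd field. The thresholds and the quiet_analyzers set are constructed.

```zeek
# Added example, not part of Zeek's own scripts: tune DPD thresholds and keep
# dpd.log focused on analyzers whose violations you actually investigate.
@load base/frameworks/dpd

# Constructed tuning: let the HTTP analyzer survive more violations before DPD
# disables it on a connection, and never ignore violations by byte offset.
redef DPD::max_violations += { [Analyzer::ANALYZER_HTTP] = 20 };
redef DPD::ignore_violations_after = 0;

# Constructed list of analyzers whose violations should not reach dpd.log.
const quiet_analyzers: set[string] = { "SSL", "SSH" };

hook DPD::log_policy(rec: DPD::Info, id: Log::ID, filter: Log::Filter)
    {
    # "break" vetoes the write for this record only.
    if ( rec$analyzer in quiet_analyzers )
        break;
    }

# Per-analyzer tally of connections that ended with a recorded violation; the
# connection record carries c$dpd once an analyzer has reported one.
global violation_counts: table[string] of count &default=0;

event connection_state_remove(c: connection)
    {
    if ( c?$dpd )
        ++violation_counts[c$dpd$analyzer];
    }
```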

base/frameworks/signatures/__load__.zeek

Imports

base/frameworks/signatures/main.zeek

Summary
Detailed Interface

base/frameworks/signatures/main.zeek

Signatures

Script level signature support. See the signature documentation for more information about Zeek’s signature engine.

Namespace

Signatures

Imports

base/frameworks/notice

Summary
Runtime Options

Signatures::ignored_ids: pattern &redef

Signature IDs that should always be ignored.

Signatures::summary_interval: interval &redef

The interval between when Signatures::Signature_Summary notices are generated.

Redefinable Options

Signatures::actions: table &redef &default = Signatures::SIG_ALARM

Actions for a signature.

Signatures::count_thresholds: set &redef

Generate a notice if a Signatures::SIG_COUNT_PER_RESP signature is triggered as often as given by one of these thresholds.

Signatures::horiz_scan_thresholds: set &redef

Generate a notice if, for a pair [orig, signature], the number of different responders has reached one of the thresholds.

Signatures::vert_scan_thresholds: set &redef

Generate a notice if, for a pair [orig, resp], the number of different signature matches has reached one of the thresholds.

Types

Signatures::Action: enum

These are the default actions you can apply to signature matches.

Signatures::Info: record

The record type which contains the column fields of the signature log.

Redefinitions

Log::ID: enum

The signature logging stream identifier.

Notice::Type: enum

Add various signature-related notice types.

Events

Signatures::log_signature: event

This event can be handled to access/alter data about to be logged to the signature logging stream.

Hooks

Signatures::log_policy: Log::PolicyHook

A default logging policy hook for the stream.

Detailed Interface
Runtime Options
Signatures::ignored_ids
Type

pattern

Attributes

&redef

Default
/^?(NO_DEFAULT_MATCHES)$?/
Redefinition

from policy/misc/detect-traceroute/main.zeek

+=:

/^?(traceroute-detector.*)$?/
Redefinition

from policy/protocols/http/detect-webapps.zeek

+=:

/^?(^webapp-)$?/

Signature IDs that should always be ignored.

Signatures::summary_interval
Type

interval

Attributes

&redef

Default

1.0 day

The interval between when Signatures::Signature_Summary notices are generated.

Redefinable Options
Signatures::actions
Type

table [string] of Signatures::Action

Attributes

&redef &default = Signatures::SIG_ALARM

Default
{
   ["unspecified"] = Signatures::SIG_IGNORE
}

Actions for a signature.

Signatures::count_thresholds
Type

set [count]

Attributes

&redef

Default
{
   1000,
   10000,
   500,
   5,
   10,
   100,
   50,
   1000000
}

Generate a notice if a Signatures::SIG_COUNT_PER_RESP signature is triggered as often as given by one of these thresholds.

Signatures::horiz_scan_thresholds
Type

set [count]

Attributes

&redef

Default
{
   1000,
   500,
   5,
   10,
   100,
   50
}

Generate a notice if, for a pair [orig, signature], the number of different responders has reached one of the thresholds.

Signatures::vert_scan_thresholds
Type

set [count]

Attributes

&redef

Default
{
   1000,
   500,
   5,
   10,
   100,
   50
}

Generate a notice if, for a pair [orig, resp], the number of different signature matches has reached one of the thresholds.

Types
Signatures::Action
Type

enum

Signatures::SIG_IGNORE

Ignore this signature completely (even for scan detection). Don’t write to the signatures logging stream.

Signatures::SIG_QUIET

Process through the various aggregate techniques, but don’t report individually and don’t write to the signatures logging stream.

Signatures::SIG_LOG

Generate a notice.

Signatures::SIG_FILE_BUT_NO_SCAN

The same as Signatures::SIG_LOG, but ignore for aggregate/scan processing.

Signatures::SIG_ALARM

Generate a notice and set it to be alarmed upon.

Signatures::SIG_ALARM_PER_ORIG

Alarm once per originator.

Signatures::SIG_ALARM_ONCE

Alarm once and then never again.

Signatures::SIG_COUNT_PER_RESP

Count signatures per responder host and alarm with the Signatures::Count_Signature notice if a threshold defined by Signatures::count_thresholds is reached.

Signatures::SIG_SUMMARY

Don’t alarm, but generate per-orig summary.

These are the default actions you can apply to signature matches. All of them write the signature record to the logging stream unless declared otherwise.

Signatures::Info
Type

record

ts: time &log

The network time at which the signature-matching event to be logged occurred.

uid: string &log &optional

A unique identifier of the connection which triggered the signature match event.

src_addr: addr &log &optional

The host which triggered the signature match event.

src_port: port &log &optional

The host port on which the signature-matching activity occurred.

dst_addr: addr &log &optional

The destination host which was sent the payload that triggered the signature match.

dst_port: port &log &optional

The destination host port which was sent the payload that triggered the signature match.

note: Notice::Type &log

Notice associated with signature event.

sig_id: string &log &optional

The name of the signature that matched.

event_msg: string &log &optional

A more descriptive message of the signature-matching event.

sub_msg: string &log &optional

Extracted payload data or extra message.

sig_count: count &log &optional

Number of sigs, usually from summary count.

host_count: count &log &optional

Number of hosts, from a summary count.

The record type which contains the column fields of the signature log.

Events
Signatures::log_signature
Type

event (rec: Signatures::Info)

This event can be handled to access/alter data about to be logged to the signature logging stream.

Rec

The record of signature data about to be logged.

Hooks
Signatures::log_policy
Type

Log::PolicyHook

A default logging policy hook for the stream.
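
As an added example (not part of Zeek's own scripts) of the Signatures options above, this script attaches per-ID actions to three signatures, ignores a noisy family of IDs by pattern, lowers the horizontal scan thresholds, and enriches summary records before they are logged. The file example.sig, the signature IDs and the threshold values are constructed.

```zeek
# Added example, not part of Zeek's own scripts: attach per-ID actions to
# signatures, ignore a noisy family of IDs, and enrich summary records.
@load base/frameworks/signatures

# Constructed signature file; the IDs below refer to signatures defined there.
@load-sigs ./example.sig

redef Signatures::actions += {
    # Alarm once per originating host rather than on every match.
    ["example-admin-probe"] = Signatures::SIG_ALARM_PER_ORIG,
    # Count matches per responder; notice once a count_thresholds value is hit.
    ["example-scanner-banner"] = Signatures::SIG_COUNT_PER_RESP,
    # Keep the match in signatures.log but leave it out of scan aggregation.
    ["example-benign-marker"] = Signatures::SIG_FILE_BUT_NO_SCAN
};

# IDs matching this pattern are always ignored.
redef Signatures::ignored_ids += /example-noisy-.*/;

# Constructed thresholds: notice when one originator reaches 3, 10 or 50
# different responders with the same signature.
redef Signatures::horiz_scan_thresholds = { 3, 10, 50 };

event Signatures::log_signature(rec: Signatures::Info)
    {
    # Summary records carry sig_count but no descriptive message; add one.
    if ( rec?$sig_count && rec?$sig_id && ! rec?$event_msg )
        rec$event_msg = fmt("%d matches of %s", rec$sig_count, rec$sig_id);
    }
```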

base/frameworks/packet-filter/__load__.zeek

Imports

base/frameworks/cluster, base/frameworks/packet-filter/main.zeek, base/frameworks/packet-filter/netstats.zeek, base/frameworks/packet-filter/utils.zeek

Summary
Detailed Interface

base/frameworks/packet-filter/main.zeek

PacketFilter

This script supports how Zeek sets its BPF capture filter. By default Zeek sets a capture filter that allows all traffic. If a filter is set on the command line, that filter takes precedence over the default open filter and all filters defined in Zeek scripts with the capture_filters and restrict_filters variables.

Namespace

PacketFilter

Imports

base/frameworks/analyzer, base/frameworks/notice, base/frameworks/packet-filter/utils.zeek

Summary
Redefinable Options

PacketFilter::default_capture_filter: string &redef

The BPF filter that is used by default to define what traffic should be captured.

PacketFilter::enable_auto_protocol_capture_filters: bool &redef

Enables the old filtering approach of “only watch common ports for analyzed protocols”.

PacketFilter::max_filter_compile_time: interval &redef

The maximum amount of time that you’d like to allow for BPF filters to compile.

PacketFilter::restricted_filter: string &redef

Filter string which is unconditionally and’ed to the beginning of every dynamically built filter.

PacketFilter::unrestricted_filter: string &redef

Filter string which is unconditionally or’ed to the beginning of every dynamically built filter.

State Variables

PacketFilter::current_filter: string

This is where the default packet filter is stored and it should not normally be modified by users.

Types

PacketFilter::FilterPlugin: record

A data structure to represent filter generating plugins.

PacketFilter::Info: record

The record type defining columns to be logged in the packet filter logging stream.

Redefinitions

Log::ID: enum

Add the packet filter logging stream.

Notice::Type: enum

Add notice types related to packet filter errors.

PcapFilterID: enum

Hooks

PacketFilter::log_policy: Log::PolicyHook

A default logging policy hook for the stream.

Functions

PacketFilter::exclude: function

Install a BPF filter to exclude some traffic.

PacketFilter::exclude_for: function

Install a temporary filter to traffic which should not be passed through the BPF filter.

PacketFilter::install: function

Call this function to build and install a new dynamically built packet filter.

PacketFilter::register_filter_plugin: function

API function to register a new plugin for dynamic restriction filters.

Detailed Interface
Redefinable Options
PacketFilter::default_capture_filter
Type

string

Attributes

&redef

Default

"ip or not ip"

The BPF filter that is used by default to define what traffic should be captured. Filters defined in restrict_filters will still be applied to reduce the captured traffic.

PacketFilter::enable_auto_protocol_capture_filters
Type

bool

Attributes

&redef

Default

F

Enables the old filtering approach of “only watch common ports for analyzed protocols”.

Unless you know what you are doing, leave this set to F.

PacketFilter::max_filter_compile_time
Type

interval

Attributes

&redef

Default

100.0 msecs

The maximum amount of time that you’d like to allow for BPF filters to compile. If this time is exceeded, compensation measures may be taken by the framework to reduce the filter size. This threshold being crossed also results in the PacketFilter::Too_Long_To_Compile_Filter notice.

PacketFilter::restricted_filter
Type

string

Attributes

&redef

Default

""

Filter string which is unconditionally and’ed to the beginning of every dynamically built filter. This is mostly used when a custom filter is being used but MPLS or VLAN tags are on the traffic.

PacketFilter::unrestricted_filter
Type

string

Attributes

&redef

Default

""

Filter string which is unconditionally or’ed to the beginning of every dynamically built filter.

State Variables
PacketFilter::current_filter
Type

string

Default

"<not set yet>"

This is where the default packet filter is stored and it should not normally be modified by users.

Types
PacketFilter::FilterPlugin
Type

record

func: function () : void

A function that is directly called when generating the complete filter.

A data structure to represent filter generating plugins.

PacketFilter::Info
Type

record

ts: time &log

The time at which the packet filter installation attempt was made.

node: string &log &optional

This is a string representation of the node that applied this packet filter. It’s mostly useful in the context of dynamically changing filters on clusters.

filter: string &log

The packet filter that is being set.

init: bool &log &default = F &optional

Indicate if this is the filter set during initialization.

success: bool &log &default = T &optional

Indicate if the filter was applied successfully.

The record type defining columns to be logged in the packet filter logging stream.

Hooks
PacketFilter::log_policy
Type

Log::PolicyHook

A default logging policy hook for the stream.

Functions
PacketFilter::exclude
Type

function (filter_id: string, filter: string) : bool

Install a BPF filter to exclude some traffic. The filter should positively match what is to be excluded; it will be wrapped in a “not”.

Filter_id

An arbitrary string that can be used to identify the filter.

Filter

A BPF expression of traffic that should be excluded.

Returns

A boolean value to indicate if the filter was successfully installed or not.

PacketFilter::exclude_for
Type

function (filter_id: string, filter: string, span: interval) : bool

Install a temporary filter to traffic which should not be passed through the BPF filter. The filter should match the traffic you don’t want to see (it will be wrapped in a “not” condition).

Filter_id

An arbitrary string that can be used to identify the filter.

Filter

A BPF expression of traffic that should be excluded.

Length

The duration for which this filter should be put in place.

Returns

A boolean value to indicate if the filter was successfully installed or not.

PacketFilter::install
Type

function () : bool

Call this function to build and install a new dynamically built packet filter.

PacketFilter::register_filter_plugin
Type

function (fp: PacketFilter::FilterPlugin) : void

API function to register a new plugin for dynamic restriction filters.
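
As an added example (not part of Zeek's own scripts) of PacketFilter::exclude, PacketFilter::exclude_for and the log policy hook above, this script shunts a backup stream permanently, a bulk transfer for one hour, and reports failed filter installs. The hosts, ports and the helper host_port_filter are constructed.

```zeek
# Added example, not part of Zeek's own scripts: shunt traffic that Zeek should
# not analyze, permanently and for a limited time, and surface failed installs.
@load base/frameworks/packet-filter

# Constructed helper: a BPF expression matching one server port on one host.
function host_port_filter(h: addr, p: port): string
    {
    return fmt("host %s and %s port %d", h, get_port_transport_proto(p),
               port_to_count(p));
    }

event zeek_init()
    {
    # Permanent exclusion: nightly rsync backups to 192.0.2.10 (constructed).
    # The expression matches what to drop; the framework wraps it in "not".
    if ( ! PacketFilter::exclude("backups", host_port_filter(192.0.2.10, 873/tcp)) )
        Reporter::warning("backup exclusion filter was not installed");

    # Timed exclusion: a bulk transfer that ends within the hour (constructed).
    # After the span elapses the filter is rebuilt without this exclusion.
    if ( ! PacketFilter::exclude_for("bulk-xfer",
                                     host_port_filter(192.0.2.20, 5001/tcp), 1 hr) )
        Reporter::warning("bulk transfer exclusion filter was not installed");
    }

hook PacketFilter::log_policy(rec: PacketFilter::Info, id: Log::ID, filter: Log::Filter)
    {
    # Every filter change is logged to packet_filter.log; call out failures.
    if ( ! rec$success )
        Reporter::warning(fmt("packet filter failed to install: %s", rec$filter));
    }
```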

base/frameworks/packet-filter/netstats.zeek

PacketFilter

This script reports on packet loss from the various packet sources. When Zeek is reading input from trace files, this script will not report any packet loss statistics.

Namespace

PacketFilter

Imports

base/frameworks/notice

Summary
Constants

PacketFilter::stats_collection_interval: interval

This is the interval between individual statistics collection.

Redefinitions

Notice::Type: enum

Detailed Interface
Constants
PacketFilter::stats_collection_interval
Type

interval

Default

5.0 mins

This is the interval between individual statistics collection.

base/frameworks/software/__load__.zeek

Imports

base/frameworks/software/main.zeek

Summary
Detailed Interface

base/frameworks/software/main.zeek

Software

This script provides the framework for software version detection and parsing but doesn’t actually do any detection on its own. It relies on other protocol specific scripts to parse out software from the protocols that they analyze. The entry point for providing new software detections to this framework is through the Software::found function.

Namespace

Software

Imports

base/frameworks/cluster, base/utils/directions-and-hosts.zeek, base/utils/numbers.zeek

Summary
Runtime Options

Software::asset_tracking: Host &redef

Hosts whose software should be detected and tracked.

State Variables

Software::alternate_names: table &default = function

Sometimes software will expose itself on the network with slight naming variations.

Software::tracked: table &create_expire = 1.0 day

The set of software associated with an address.

Types

Software::Info: record

The record type that is used for representing and logging software.

Software::SoftwareSet: table

Type to represent a collection of Software::Info records.

Software::Type: enum

Scripts detecting new types of software need to redef this enum to add their own specific software types which would then be used when they create Software::Info records.

Software::Version: record &log

A structure to represent the numeric version of software.

Redefinitions

Log::ID: enum

The software logging stream identifier.

Events

Software::log_software: event

This event can be handled to access the Software::Info record as it is sent on to the logging framework.

Software::register: event

This event is raised when software is about to be registered for tracking in Software::tracked.

Software::version_change: event

This event can be handled to access software information whenever its version is found to have changed.

Hooks

Software::log_policy: Log::PolicyHook

A default logging policy hook for the stream.

Functions

Software::cmp_versions: function

Compare two version records.

Software::found: function

Other scripts should call this function when they detect software.

Detailed Interface
Runtime Options
Software::asset_tracking
Type

Host

Attributes

&redef

Default

LOCAL_HOSTS

Redefinition

from policy/tuning/track-all-assets.zeek

=:

ALL_HOSTS

Hosts whose software should be detected and tracked. Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS.

State Variables
Software::alternate_names
Type

table [string] of string

Attributes

&default = function

Default
{
   ["Flash Player"] = "Flash"
}

Sometimes software will expose itself on the network with slight naming variations. This table provides a mechanism for a piece of software to be renamed to a single name even if it exposes itself with an alternate name. The yielded string is the name that will be logged and generally used for everything.

Software::tracked
Type

table [addr] of Software::SoftwareSet

Attributes

&create_expire = 1.0 day

Default

{}

The set of software associated with an address. Data expires from this table after one day by default so that a detected piece of software will be logged once each day. In a cluster, this table is uniformly distributed among proxy nodes.

Types
Software::Info
Type

record

ts: time &log &optional

The time at which the software was detected.

host: addr &log

The IP address detected running the software.

host_p: port &log &optional

The port on which the software is running. Only sensible for server software.

software_type: Software::Type &log &default = Software::UNKNOWN &optional

The type of software detected (e.g. HTTP::SERVER).

name: string &log &optional

Name of the software (e.g. Apache).

version: Software::Version &log &optional

Version of the software.

unparsed_version: string &log &optional

The full, unparsed version string that was found. Version parsing does not always work reliably, so this acts as a fallback in the logs.

force_log: bool &default = F &optional

This can indicate that this software being detected should definitely be sent onward to the logging framework. By default, only software that is “interesting” due to a change in version or because it is currently unknown is sent to the logging framework. Set this to T to force the record to be sent to the logging framework when tracking for this software needs to happen in a specific way.

url: string &optional &log

(present if policy/protocols/http/detect-webapps.zeek is loaded)

Most root URL where the software was discovered.

The record type that is used for representing and logging software.

Software::SoftwareSet
Type

table [string] of Software::Info

Type to represent a collection of Software::Info records. It’s indexed with the name of a piece of software such as “Firefox” and it yields a Software::Info record with more information about the software.

Software::Type
Type

enum

Software::UNKNOWN

A placeholder type for when the type of software is not known.

OS::WINDOWS

(present if policy/frameworks/software/windows-version-detection.zeek is loaded)

Identifier for Windows operating system versions.

DHCP::SERVER

(present if policy/protocols/dhcp/software.zeek is loaded)

Identifier for web servers in the software framework.

DHCP::CLIENT

(present if policy/protocols/dhcp/software.zeek is loaded)

Identifier for web browsers in the software framework.

FTP::CLIENT

(present if policy/protocols/ftp/software.zeek is loaded)

Identifier for FTP clients in the software framework.

FTP::SERVER

(present if policy/protocols/ftp/software.zeek is loaded)

Not currently implemented.

HTTP::WEB_APPLICATION

(present if policy/protocols/http/detect-webapps.zeek is loaded)

Identifier for web applications in the software framework.

HTTP::BROWSER_PLUGIN

(present if policy/protocols/http/software-browser-plugins.zeek is loaded)

Identifier for browser plugins in the software framework.

HTTP::SERVER

(present if policy/protocols/http/software.zeek is loaded)

Identifier for web servers in the software framework.

HTTP::APPSERVER

(present if policy/protocols/http/software.zeek is loaded)

Identifier for app servers in the software framework.

HTTP::BROWSER

(present if policy/protocols/http/software.zeek is loaded)

Identifier for web browsers in the software framework.

MySQL::SERVER

(present if policy/protocols/mysql/software.zeek is loaded)

Identifier for MySQL servers in the software framework.

SMTP::MAIL_CLIENT

(present if policy/protocols/smtp/software.zeek is loaded)

SMTP::MAIL_SERVER

(present if policy/protocols/smtp/software.zeek is loaded)

SMTP::WEBMAIL_SERVER

(present if policy/protocols/smtp/software.zeek is loaded)

SSH::SERVER

(present if policy/protocols/ssh/software.zeek is loaded)

Identifier for SSH servers in the software framework.

SSH::CLIENT

(present if policy/protocols/ssh/software.zeek is loaded)

Identifier for SSH clients in the software framework.

Scripts detecting new types of software need to redef this enum to add their own specific software types which would then be used when they create Software::Info records.

Software::Version
Type

record

major: count &optional &log

Major version number.

minor: count &optional &log

Minor version number.

minor2: count &optional &log

Minor subversion number.

minor3: count &optional &log

Minor updates number.

addl: string &optional &log

Additional version string (e.g. “beta42”).

Attributes

&log

A structure to represent the numeric version of software.

Events
Software::log_software
Type

event (rec: Software::Info)

This event can be handled to access the Software::Info record as it is sent on to the logging framework.

Software::register
Type

event (info: Software::Info)

This event is raised when software is about to be registered for tracking in Software::tracked.

Software::version_change
Type

event (old: Software::Info, new: Software::Info)

This event can be handled to access software information whenever its version is found to have changed.

Hooks
Software::log_policy
Type

Log::PolicyHook

A default logging policy hook for the stream.

Functions
Software::cmp_versions
Type

function (v1: Software::Version, v2: Software::Version) : int

Compare two version records.

Returns

-1 for v1 < v2, 0 for v1 == v2, 1 for v1 > v2. If the numerical version numbers match, the addl string is compared lexicographically.

Software::found
Type

function (id: conn_id, info: Software::Info) : bool

Other scripts should call this function when they detect software.

Id

The connection id where the software was discovered.

Info

A record representing the software discovered.

Returns

T if the software was logged, F otherwise.
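As an added example (not code from the Zeek distribution), the following script registers a hypothetical software type, reports a detection through Software::found, and handles Software::version_change with Software::cmp_versions. The module name MyDetect, the MQTT_BROKER type, and the banner and connection values are constructed for illustration.

```zeek
@load base/frameworks/software

module MyDetect;   # hypothetical module name for this example

export {
    redef enum Software::Type += {
        ## Hypothetical software type added by this example script.
        MQTT_BROKER,
    };
}

# Render a Software::Version record; every field is &optional, so test each one.
function version_str(v: Software::Version): string
    {
    local s = v?$major ? fmt("%d", v$major) : "?";
    if ( v?$minor )  s = s + fmt(".%d", v$minor);
    if ( v?$minor2 ) s = s + fmt(".%d", v$minor2);
    if ( v?$minor3 ) s = s + fmt(".%d", v$minor3);
    if ( v?$addl )   s = s + fmt("-%s", v$addl);
    return s;
    }

# Report a detection. Only unparsed_version is supplied here, so Software::found
# derives name and version from it; force_log=T makes the framework log the
# record even if the host is not covered by Software::asset_tracking.
function report_broker(cid: conn_id, banner: string)
    {
    local info: Software::Info = [$host=cid$resp_h, $host_p=cid$resp_p,
                                  $software_type=MyDetect::MQTT_BROKER,
                                  $unparsed_version=banner,
                                  $force_log=T];
    if ( ! Software::found(cid, info) )
        Reporter::warning(fmt("broker banner %s on %s not registered",
                              banner, cid$resp_h));
    }

# Fires when a host's version of an already tracked software name changes.
# cmp_versions returns 1 when v1 is newer, so old > new means a downgrade,
# which on a server you manage deserves a closer look.
event Software::version_change(old: Software::Info, new: Software::Info)
    {
    if ( ! old?$version || ! new?$version )
        return;
    local dir = Software::cmp_versions(old$version, new$version) > 0 ?
                "downgraded" : "upgraded";
    print fmt("%s on %s %s: %s -> %s", new$name, new$host, dir,
              version_str(old$version), version_str(new$version));
    }

# Constructed sample: one connection and two banners seen on the same server.
# In a real script the banner would come from a protocol event.
event zeek_init()
    {
    local cid: conn_id = [$orig_h=10.0.0.5, $orig_p=44321/tcp,
                          $resp_h=10.0.0.9, $resp_p=1883/tcp];
    report_broker(cid, "mosquitto/2.0.11");
    report_broker(cid, "mosquitto/1.6.9");   # differing version: version_change fires
    }
```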

base/frameworks/intel/__load__.zeek

Imports

base/frameworks/cluster, base/frameworks/intel/files.zeek, base/frameworks/intel/input.zeek, base/frameworks/intel/main.zeek

Summary
Detailed Interface

base/frameworks/intel/main.zeek

Intel

The intelligence framework provides a way to store and query intelligence data (e.g. IP addresses, URLs and hashes). The intelligence items can be associated with metadata to allow informed decisions about matching and handling.

Namespace

Intel

Imports

base/frameworks/notice

Summary
Redefinable Options

Intel::item_expiration: interval &redef

The expiration timeout for intelligence items.

Types

Intel::Info: record

Record used for the logging framework representing a positive hit within the intelligence framework.

Intel::Item: record

Represents a piece of intelligence.

Intel::MetaData: record

Data about an Intel::Item.

Intel::Seen: record

Information about a piece of “seen” data.

Intel::Type: enum

Enum type to represent various types of intelligence data.

Intel::TypeSet: set

Set of intelligence data types.

Intel::Where: enum

Enum to represent where data came from when it was discovered.

Redefinitions

Log::ID: enum

Events

Intel::log_intel: event

Intel::match: event

Event to represent a match in the intelligence data from data that was seen.

Hooks

Intel::extend_match: hook

This hook can be used to influence the logging of intelligence hits (e.g. by adding data to the Info record).

Intel::filter_item: hook

This hook can be used to filter intelligence items that are about to be inserted into the internal data store.

Intel::item_expired: hook

This hook can be used to handle expiration of intelligence items.

Intel::log_policy: Log::PolicyHook

Functions

Intel::insert: function

Function to insert intelligence data.

Intel::remove: function

Function to remove intelligence data.

Intel::seen: function

Function to declare discovery of a piece of data in order to check it against known intelligence for matches.

Detailed Interface
Redefinable Options
Intel::item_expiration
Type

interval

Attributes

&redef

Default

-1.0 min

Redefinition

from policy/frameworks/intel/do_expire.zeek

=:

10.0 mins

The expiration timeout for intelligence items. Once an item expires, the Intel::item_expired hook is called. Reinsertion of an item resets the timeout. A negative value disables expiration of intelligence items.

Types
Intel::Info
Type

record

ts: time &log

Timestamp when the data was discovered.

uid: string &log &optional

If a connection was associated with this intelligence hit, this is the uid for the connection.

id: conn_id &log &optional

If a connection was associated with this intelligence hit, this is the conn_id for the connection.

seen: Intel::Seen &log

Where the data was seen.

matched: Intel::TypeSet &log

Which indicator types matched.

sources: set [string] &log &default = {  } &optional

Sources which supplied data that resulted in this match.

fuid: string &log &optional

(present if base/frameworks/intel/files.zeek is loaded)

If a file was associated with this intelligence hit, this is the uid for the file.

file_mime_type: string &log &optional

(present if base/frameworks/intel/files.zeek is loaded)

A mime type if the intelligence hit is related to a file. If the $f field is provided this will be automatically filled out.

file_desc: string &log &optional

(present if base/frameworks/intel/files.zeek is loaded)

Frequently files can be “described” to give a bit more context. If the $f field is provided this field will be automatically filled out.

cif: Intel::CIF &log &optional

(present if policy/integration/collective-intel/main.zeek is loaded)

Record used for the logging framework representing a positive hit within the intelligence framework.

Intel::Item
Type

record

indicator: string

The intelligence indicator.

indicator_type: Intel::Type

The type of data that the indicator field represents.

meta: Intel::MetaData

Metadata for the item. Typically represents more deeply descriptive data for a piece of intelligence.

Represents a piece of intelligence.

Intel::MetaData
Type

record

source: string

An arbitrary string value representing the data source. This value is used as unique key to identify a metadata record in the scope of a single intelligence item.

desc: string &optional

A freeform description for the data.

url: string &optional

A URL for more information about the data.

do_notice: bool &default = F &optional

(present if policy/frameworks/intel/do_notice.zeek is loaded)

A boolean value to allow the data itself to represent if the indicator that this metadata is attached to is notice worthy.

if_in: Intel::Where &optional

(present if policy/frameworks/intel/do_notice.zeek is loaded)

Restrictions on when notices are created to only create them if the do_notice field is T and the notice was seen in the indicated location.

whitelist: bool &default = F &optional

(present if policy/frameworks/intel/whitelist.zeek is loaded)

A boolean value to indicate whether the item is whitelisted.

remove: bool &default = F &optional

(present if policy/frameworks/intel/removal.zeek is loaded)

A boolean value to indicate whether the item should be removed.

cif_tags: string &optional

(present if policy/integration/collective-intel/main.zeek is loaded)

Maps to the ‘tags’ field in CIF.

cif_confidence: double &optional

(present if policy/integration/collective-intel/main.zeek is loaded)

Maps to the ‘confidence’ field in CIF.

cif_source: string &optional

(present if policy/integration/collective-intel/main.zeek is loaded)

Maps to the ‘source’ field in CIF.

cif_description: string &optional

(present if policy/integration/collective-intel/main.zeek is loaded)

Maps to the ‘description’ field in CIF.

cif_firstseen: string &optional

(present if policy/integration/collective-intel/main.zeek is loaded)

Maps to the ‘firstseen’ field in CIF.

cif_lastseen: string &optional

(present if policy/integration/collective-intel/main.zeek is loaded)

Maps to the ‘lastseen’ field in CIF.

Data about an Intel::Item.

Intel::Seen
Type

record

indicator: string &log &optional

The indicator string, when the seen data is a string rather than an address (addresses go in the host field).

indicator_type: Intel::Type &log &optional

The type of data that the indicator represents.

host: addr &optional

If the indicator type was Intel::ADDR, then this field will be present.

where: Intel::Where &log

Where the data was discovered.

node: string &optional &log

The name of the node where the match was discovered.

conn: connection &optional

If the data was discovered within a connection, the connection record should go here to give context to the data.

uid: string &optional

If the data was discovered within a connection, the connection uid should go here to give context to the data. If the conn field is provided, this will be automatically filled out.

f: fa_file &optional

(present if base/frameworks/intel/files.zeek is loaded)

If the data was discovered within a file, the file record should go here to provide context to the data.

fuid: string &optional

(present if base/frameworks/intel/files.zeek is loaded)

If the data was discovered within a file, the file uid should go here to provide context to the data. If the file record f is provided, this will be automatically filled out.

Information about a piece of “seen” data.

Intel::Type
Type

enum

Intel::ADDR

An IP address.

Intel::SUBNET

A subnet in CIDR notation.

Intel::URL

A complete URL without the prefix "http://".

Intel::SOFTWARE

Software name.

Intel::EMAIL

Email address.

Intel::DOMAIN

DNS domain name.

Intel::USER_NAME

A user name.

Intel::CERT_HASH

Certificate SHA-1 hash.

Intel::PUBKEY_HASH

Public key MD5 hash, formatted as hexadecimal digits delimited by colons. (SSH server host keys are a good example.)

Intel::FILE_HASH

(present if base/frameworks/intel/files.zeek is loaded)

File hash which is non-hash type specific. It’s up to the user to query for any relevant hash types.

Intel::FILE_NAME

(present if base/frameworks/intel/files.zeek is loaded)

File name. Typically only available with protocols that carry a definite indication of a file name.

Enum type to represent various types of intelligence data.

Intel::TypeSet
Type

set [Intel::Type]

Set of intelligence data types.

Intel::Where
Type

enum

Intel::IN_ANYWHERE

A catchall value to represent data of unknown provenance.

Conn::IN_ORIG

(present if policy/frameworks/intel/seen/where-locations.zeek is loaded)

Conn::IN_RESP

(present if policy/frameworks/intel/seen/where-locations.zeek is loaded)

Files::IN_HASH

(present if policy/frameworks/intel/seen/where-locations.zeek is loaded)

Files::IN_NAME

(present if policy/frameworks/intel/seen/where-locations.zeek is loaded)

DNS::IN_REQUEST

(present if policy/frameworks/intel/seen/where-locations.zeek is loaded)

DNS::IN_RESPONSE

(present if policy/frameworks/intel/seen/where-locations.zeek is loaded)

HTTP::IN_HOST_HEADER

(present if policy/frameworks/intel/seen/where-locations.zeek is loaded)

HTTP::IN_REFERRER_HEADER

(present if policy/frameworks/intel/seen/where-locations.zeek is loaded)

HTTP::IN_USER_AGENT_HEADER

(present if policy/frameworks/intel/seen/where-locations.zeek is loaded)

HTTP::IN_X_FORWARDED_FOR_HEADER

(present if policy/frameworks/intel/seen/where-locations.zeek is loaded)

HTTP::IN_URL

(present if policy/frameworks/intel/seen/where-locations.zeek is loaded)

SMTP::IN_MAIL_FROM

(present if policy/frameworks/intel/seen/where-locations.zeek is loaded)

SMTP::IN_RCPT_TO

(present if policy/frameworks/intel/seen/where-locations.zeek is loaded)

SMTP::IN_FROM

(present if policy/frameworks/intel/seen/where-locations.zeek is loaded)

SMTP::IN_TO

(present if policy/frameworks/intel/seen/where-locations.zeek is loaded)

SMTP::IN_CC

(present if policy/frameworks/intel/seen/where-locations.zeek is loaded)

SMTP::IN_RECEIVED_HEADER

(present if policy/frameworks/intel/seen/where-locations.zeek is loaded)

SMTP::IN_REPLY_TO

(present if policy/frameworks/intel/seen/where-locations.zeek is loaded)

SMTP::IN_X_ORIGINATING_IP_HEADER

(present if policy/frameworks/intel/seen/where-locations.zeek is loaded)

SMTP::IN_MESSAGE

(present if policy/frameworks/intel/seen/where-locations.zeek is loaded)

SSH::IN_SERVER_HOST_KEY

(present if policy/frameworks/intel/seen/where-locations.zeek is loaded)

SSL::IN_SERVER_NAME

(present if policy/frameworks/intel/seen/where-locations.zeek is loaded)

SMTP::IN_HEADER

(present if policy/frameworks/intel/seen/where-locations.zeek is loaded)

X509::IN_CERT

(present if policy/frameworks/intel/seen/where-locations.zeek is loaded)

SMB::IN_FILE_NAME

(present if policy/frameworks/intel/seen/where-locations.zeek is loaded)

SSH::SUCCESSFUL_LOGIN

(present if policy/protocols/ssh/detect-bruteforcing.zeek is loaded)

An indicator of the login for the intel framework.

Enum to represent where data came from when it was discovered. The convention is to prefix the name with IN_.

Events
Intel::log_intel
Type

event (rec: Intel::Info)

Intel::match
Type

event (s: Intel::Seen, items: set [Intel::Item])

Event to represent a match in the intelligence data from data that was seen. On clusters there is no assurance as to when this event will be generated so do not assume that arbitrary global state beyond the given data will be available.

This is the primary mechanism where a user may take actions based on data provided by the intelligence framework.

Hooks
Intel::extend_match
Type

hook (info: Intel::Info, s: Intel::Seen, items: set [Intel::Item]) : bool

This hook can be used to influence the logging of intelligence hits (e.g. by adding data to the Info record). The default information is added with a priority of 5.

Info

The Info record that will be logged.

S

Information about the data seen.

Items

The intel items that match the seen data.

In case the hook execution is terminated using break, the match will not be logged.

Intel::filter_item
Type

hook (item: Intel::Item) : bool

This hook can be used to filter intelligence items that are about to be inserted into the internal data store. In case the hook execution is terminated using break, the item will not be (re)added to the internal data store.

Item

The intel item that should be inserted.

Intel::item_expired
Type

hook (indicator: string, indicator_type: Intel::Type, metas: set [Intel::MetaData]) : bool

This hook can be used to handle expiration of intelligence items.

Indicator

The indicator of the expired item.

Indicator_type

The indicator type of the expired item.

Metas

The set of metadata describing the expired item.

If all hook handlers are executed, the expiration timeout will be reset. Otherwise, if one of the handlers terminates using break, the item will be removed.

Intel::log_policy
Type

Log::PolicyHook

Functions
Intel::insert
Type

function (item: Intel::Item) : void

Function to insert intelligence data. If the indicator is already present, the associated metadata will be added to the indicator. If the indicator already contains a metadata record from the same source, the existing metadata record will be updated.

Intel::remove
Type

function (item: Intel::Item, purge_indicator: bool &default = F &optional) : void

Function to remove intelligence data. If purge_indicator is set, the given metadata is ignored and the indicator is removed completely.

Intel::seen
Type

function (s: Intel::Seen) : void

Function to declare discovery of a piece of data in order to check it against known intelligence for matches.
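As an added example (not code from the Zeek distribution), the script below exercises the interface above end to end: Intel::insert, Intel::seen, the Intel::match event, and the filter_item, extend_match and item_expired hooks. The module name IntelDemo, the source names and the indicators (documentation ranges) are constructed.

```zeek
@load base/frameworks/intel

module IntelDemo;   # hypothetical module name for this example

# Items expire unless re-inserted; the default (-1.0 min) disables expiration.
redef Intel::item_expiration = 30 min;

# Runs before an item is (re)added to the store; break rejects it.
hook Intel::filter_item(item: Intel::Item)
    {
    if ( item$indicator_type == Intel::ADDR && ! is_valid_ip(item$indicator) )
        break;
    # Intel::URL indicators are stored without the scheme, so a feed row that
    # still carries one would never match what Zeek sees.
    if ( item$indicator_type == Intel::URL && /^https?:\/\// in item$indicator )
        break;
    }

# Runs for every hit before it is logged; the framework fills the default
# fields at priority 5, so a lower priority sees the finished Info record.
# Breaking here suppresses the log line only; Intel::match still fires.
hook Intel::extend_match(info: Intel::Info, s: Intel::Seen,
                         items: set[Intel::Item]) &priority=-5
    {
    local low_value_only = T;
    for ( it in items )
        if ( it$meta$source != "bulk-feed" )   # constructed source name
            low_value_only = F;
    if ( low_value_only )
        break;
    }

# The primary place to act on a hit. On a cluster the handler may run on a
# different node, so use only the data passed in, not global state.
event Intel::match(s: Intel::Seen, items: set[Intel::Item])
    {
    for ( it in items )
        print fmt("intel hit: %s %s seen %s, source %s",
                  s$indicator_type, s$indicator, s$where, it$meta$source);
    }

# When an item's timeout runs out: if every handler runs to completion the
# timer is reset, while break removes the item. Here only pinned items survive.
hook Intel::item_expired(indicator: string, indicator_type: Intel::Type,
                         metas: set[Intel::MetaData])
    {
    local pinned = F;
    for ( m in metas )
        if ( m$source == "lab-pinned" )   # constructed source name
            pinned = T;
    if ( ! pinned )
        break;
    }

# Constructed sample indicators, not real threat data. Feeds normally arrive
# through Intel::read_files instead of being inserted by hand.
event zeek_init()
    {
    local a: Intel::Item = [$indicator="203.0.113.7", $indicator_type=Intel::ADDR,
                            $meta=[$source="lab-pinned", $desc="constructed sample"]];
    local d: Intel::Item = [$indicator="example.test", $indicator_type=Intel::DOMAIN,
                            $meta=[$source="bulk-feed"]];
    Intel::insert(a);
    Intel::insert(d);
    }

# Declare "seen" data once the items are in the store (lower priority runs
# later). Scripts under policy/frameworks/intel/seen do this from live events.
event zeek_init() &priority=-10
    {
    local seen_host: Intel::Seen = [$host=203.0.113.7, $where=Intel::IN_ANYWHERE];
    local seen_name: Intel::Seen = [$indicator="example.test",
                                    $indicator_type=Intel::DOMAIN,
                                    $where=Intel::IN_ANYWHERE];
    Intel::seen(seen_host);   # hits lab-pinned: match event fires and is logged
    Intel::seen(seen_name);   # hits only bulk-feed: match event fires, not logged
    }
```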

base/frameworks/intel/files.zeek

Intel

File analysis framework integration for the intelligence framework. This script manages file information in intelligence framework data structures.

Namespace

Intel

Imports

base/frameworks/intel/main.zeek

Summary
Redefinitions

Intel::Info: record

Record used for the logging framework representing a positive hit within the intelligence framework.

New Fields

Intel::Info

fuid: string &log &optional

If a file was associated with this intelligence hit, this is the uid for the file.

file_mime_type: string &log &optional

A mime type if the intelligence hit is related to a file.

file_desc: string &log &optional

Frequently files can be “described” to give a bit more context.

Intel::Seen: record

Information about a piece of “seen” data.

New Fields

Intel::Seen

f: fa_file &optional

If the data was discovered within a file, the file record should go here to provide context to the data.

fuid: string &optional

If the data was discovered within a file, the file uid should go here to provide context to the data.

Intel::Type: enum

Enum type to represent various types of intelligence data.

Detailed Interface

base/frameworks/intel/input.zeek

Intel

Input handling for the intelligence framework. This script implements the import of intelligence data from files using the input framework.

Namespace

Intel

Imports

base/frameworks/intel/main.zeek

Summary
Redefinable Options

Intel::path_prefix: string &redef

An optional path prefix for intel files.

Intel::read_files: set &redef

Intelligence files that will be read off disk.

Events

Intel::read_entry: event

This event is raised each time the intel framework reads a new line from an intel file.

Intel::read_error: event

This event is raised each time the input framework detects an error while reading the intel file.

Detailed Interface
Redefinable Options
Intel::path_prefix
Type

string

Attributes

&redef

Default

""

An optional path prefix for intel files. This prefix can, but need not be, absolute. The default is to leave any filenames unchanged. This prefix has no effect if a read_file entry is an absolute path. This prefix gets applied _before_ entering the input framework, so if the prefix is absolute, the input framework won’t munge it further. If it is relative, then any path_prefix specified in the input framework will apply additionally.

Intel::read_files
Type

set [string]

Attributes

&redef

Default

{}

Intelligence files that will be read off disk. The files are reread every time they are updated so updates must be atomic with “mv” instead of writing the file in place.

Events
Intel::read_entry
Type

event (desc: Input::EventDescription, tpe: Input::Event, item: Intel::Item)

This event is raised each time the intel framework reads a new line from an intel file. It is used in the intel framework but can also be used in custom scripts for further checks.

Desc

The Input::EventDescription record which generated the event.

Tpe

The type of input event.

Item

The intel item being read (of type Intel::Item).

Intel::read_error
Type

event (desc: Input::EventDescription, message: string, level: Reporter::Level)

This event is raised each time the input framework detects an error while reading the intel file. It can be used to implement further checks in custom scripts. Errors can be of different levels (information, warning, errors).

Desc

The Input::EventDescription record which generated the error.

Message

An error message.

Level

The Reporter::Level of the error.
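As an added example (not code from the Zeek distribution), this script wires a feed file into Intel::read_files and uses Intel::read_entry and Intel::read_error to sanity-check what the input framework delivers. The directory, file name and validation rules are assumptions for illustration.

```zeek
@load base/frameworks/intel

# Assumed feed location: the prefix is applied before the input framework sees
# the name, and the file must be replaced atomically (write a temp file, then mv).
redef Intel::path_prefix = "/var/lib/zeek/intel";
redef Intel::read_files += { "sample-feed.dat" };

# Raised once per row the input framework reads from an intel file. The
# framework's own handler inserts the item; this one only validates it and
# reports surprises. To actually reject a row, break out of Intel::filter_item.
event Intel::read_entry(desc: Input::EventDescription, tpe: Input::Event,
                        item: Intel::Item)
    {
    if ( item$indicator_type == Intel::ADDR && ! is_valid_ip(item$indicator) )
        Reporter::warning(fmt("%s: '%s' is typed Intel::ADDR but is not an IP",
                              desc$source, item$indicator));
    # CERT_HASH is a SHA-1 digest, i.e. 40 hex characters.
    if ( item$indicator_type == Intel::CERT_HASH && |item$indicator| != 40 )
        Reporter::warning(fmt("%s: '%s' is not a SHA-1 hex digest",
                              desc$source, item$indicator));
    }

# Raised for parser and I/O problems in a feed, with the reporter level attached.
event Intel::read_error(desc: Input::EventDescription, message: string,
                        level: Reporter::Level)
    {
    if ( level == Reporter::ERROR )
        print fmt("intel feed %s unusable: %s", desc$source, message);
    }
```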

base/frameworks/config/__load__.zeek

Imports

base/frameworks/config/input.zeek, base/frameworks/config/main.zeek, base/frameworks/config/weird.zeek

Summary
Detailed Interface

base/frameworks/config/main.zeek

Config

The configuration framework provides a way to change Zeek options (as specified by the “option” keyword) at runtime. It also logs runtime changes to options to config.log.

Namespace

Config

Imports

base/frameworks/cluster

Summary
Types

Config::Info: record

Represents the data in config.log.

Redefinitions

Log::ID: enum

The config logging stream identifier.

Events

Config::log_config: event

Event that can be handled to access the Config::Info record as it is sent on to the logging framework.

Hooks

Config::log_policy: Log::PolicyHook

A default logging policy hook for the stream.

Functions

Config::set_value: function

This function is the config framework layer around the lower-level Option::set call.

Detailed Interface
Types
Config::Info
Type

record

ts: time &log

Timestamp at which the configuration change occurred.

id: string &log

ID of the value that was changed.

old_value: string &log

Value before the change.

new_value: string &log

Value after the change.

location: string &optional &log

Optional location that triggered the change.

Represents the data in config.log.

Events
Config::log_config
Type

event (rec: Config::Info)

Event that can be handled to access the Config::Info record as it is sent on to the logging framework.

Hooks
Config::log_policy
Type

Log::PolicyHook

A default logging policy hook for the stream.

Functions
Config::set_value
Type

function (ID: string, val: any, location: string &default = "" &optional) : bool

This function is the config framework layer around the lower-level Option::set call. Config::set_value will set the configuration value for all nodes in the cluster, no matter where it was called. Note that Option::set does not distribute configuration changes to other nodes.

ID

The ID of the option to update.

Val

The new value of the option.

Location

Optional parameter detailing where this change originated from.

Returns

true on success, false when an error occurs.
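As an added example (not code from the Zeek distribution), the script below declares an option, attaches a change handler that vetoes bad values, and updates it through Config::set_value so that the change is logged to config.log. The module name Demo and the option name are constructed.

```zeek
@load base/frameworks/config

module Demo;   # hypothetical module name for this example

export {
    ## A runtime-tunable setting; "option" values can change without a restart.
    option max_login_failures: count = 5;
}

# Change handlers run before the new value is applied and may veto it by
# returning the current value instead. Both Option::set and Config::set_value
# pass through here.
function check_max(id: string, new_val: count): count
    {
    if ( new_val == 0 )
        {
        Reporter::warning(fmt("%s: 0 would disable the check, keeping %d",
                              id, max_login_failures));
        return max_login_failures;
        }
    return new_val;
    }

event zeek_init()
    {
    Option::set_change_handler("Demo::max_login_failures", check_max);

    # Config::set_value is the cluster-aware layer over Option::set: it logs the
    # change to config.log and applies it on every node, wherever it is called.
    if ( ! Config::set_value("Demo::max_login_failures", 10, "demo-script") )
        Reporter::error("could not update Demo::max_login_failures");

    # This attempt is rejected by the change handler; the value stays at 10.
    Config::set_value("Demo::max_login_failures", 0, "demo-script");
    }

# Mirrors what lands in config.log for each applied change.
event Config::log_config(rec: Config::Info)
    {
    print fmt("%s: %s -> %s (from %s)", rec$id, rec$old_value, rec$new_value,
              rec?$location ? rec$location : "unknown");
    }
```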

base/frameworks/config/input.zeek

Config

File input for the configuration framework using the input framework.

Namespace

Config

Imports

base/frameworks/cluster, base/frameworks/config/main.zeek

Summary
Redefinable Options

Config::config_files: set &redef

Configuration files that will be read off disk.

Functions

Config::read_config: function

Read specified configuration file and apply values; updates to file are not tracked.

Detailed Interface
Redefinable Options
Config::config_files
Type

set [string]

Attributes

&redef

Default

{}

Configuration files that will be read off disk. Files are reread every time they are updated so updates should be atomic with “mv” instead of writing the file in place.

If the same configuration option is defined in several files with different values, behavior is unspecified.

Functions
Config::read_config
Type

function (filename: string) : void

Read specified configuration file and apply values; updates to file are not tracked.

base/frameworks/config/weird.zeek

Config

This script sets up the config framework change handlers for weirds.

Namespace

Config

Imports

base/frameworks/config/main.zeek

Summary
Detailed Interface

base/frameworks/sumstats/__load__.zeek

Imports

base/frameworks/cluster, base/frameworks/sumstats/main.zeek, base/frameworks/sumstats/non-cluster.zeek, base/frameworks/sumstats/plugins

Summary
Detailed Interface

base/frameworks/sumstats/main.zeek

SumStats

The summary statistics framework provides a way to summarize large streams of data into simple reduced measurements.

Namespace

SumStats

Summary
Types

SumStats::Calculation: enum

Type to represent the calculations that are available.

SumStats::Key: record

Represents a thing which is having summarization results collected for it.

SumStats::Observation: record

Represents data being added for a single observation.

SumStats::Reducer: record

Represents a reducer.

SumStats::Result: table

Type to store a table of results for multiple reducers indexed by observation stream identifier.

SumStats::ResultTable: table

Type to store a table of sumstats results indexed by keys.

SumStats::ResultVal: record

Result calculated for an observation stream fed into a reducer.

SumStats::SumStat: record

Represents a SumStat, which consists of an aggregation of reducers along with mechanisms to handle various situations like the epoch ending or thresholds being crossed.

Redefinitions

SumStats::Reducer: record

New Fields

SumStats::Reducer

ssname: string &optional

calc_funcs: vector of SumStats::Calculation &optional

Functions

SumStats::create: function

Create a summary statistic.

SumStats::key2str: function

Helper function to represent a SumStats::Key value as a simple string.

SumStats::next_epoch: function

Manually end the current epoch for a sumstat.

SumStats::observe: function

Add data into an observation stream.

SumStats::request_key: function

Dynamically request a sumstat key.

Detailed Interface
Types
SumStats::Calculation
Type

enum

SumStats::PLACEHOLDER

SumStats::AVERAGE

(present if base/frameworks/sumstats/plugins/average.zeek is loaded)

Calculate the average of the values.

SumStats::HLL_UNIQUE

(present if base/frameworks/sumstats/plugins/hll_unique.zeek is loaded)

Calculate the number of unique values.

SumStats::LAST

(present if base/frameworks/sumstats/plugins/last.zeek is loaded)

Keep last X observations in a queue.

SumStats::MAX

(present if base/frameworks/sumstats/plugins/max.zeek is loaded)

Find the maximum value.

SumStats::MIN

(present if base/frameworks/sumstats/plugins/min.zeek is loaded)

Find the minimum value.

SumStats::SAMPLE

(present if base/frameworks/sumstats/plugins/sample.zeek is loaded)

Get uniquely distributed random samples from the observation stream.

SumStats::VARIANCE

(present if base/frameworks/sumstats/plugins/variance.zeek is loaded)

Calculate the variance of the values.

SumStats::STD_DEV

(present if base/frameworks/sumstats/plugins/std-dev.zeek is loaded)

Calculate the standard deviation of the values.

SumStats::SUM

(present if base/frameworks/sumstats/plugins/sum.zeek is loaded)

Calculate the sum of the values. For string values, this will be the number of strings.

SumStats::TOPK

(present if base/frameworks/sumstats/plugins/topk.zeek is loaded)

Keep a top-k list of values.

SumStats::UNIQUE

(present if base/frameworks/sumstats/plugins/unique.zeek is loaded)

Calculate the number of unique values.

Type to represent the calculations that are available. The calculations are all defined as plugins.

SumStats::Key
Type

record

str: string &optional

A non-address related summarization or a sub-key for an address based summarization. An example might be successful SSH connections by client IP address where the client string would be the key value. Another example might be number of HTTP requests to a particular value in a Host header. This is an example of a non-host based metric since multiple IP addresses could respond for the same Host header value.

host: addr &optional

Host is the value to which this metric applies.

Represents a thing which is having summarization results collected for it.

SumStats::Observation
Type

record

num: count &optional

Count value.

dbl: double &optional

Double value.

str: string &optional

String value.

Represents data being added for a single observation. Only supply a single field at a time!

SumStats::Reducer
Type

record

stream: string

Observation stream identifier for the reducer to attach to.

apply: set [SumStats::Calculation]

The calculations to perform on the data points.

pred: function (key: SumStats::Key, obs: SumStats::Observation) : bool &optional

A predicate so that you can decide per key if you would like to accept the data being inserted.

normalize_key: function (key: SumStats::Key) : SumStats::Key &optional

A function to normalize the key. This can be used to aggregate or normalize the entire key.

ssname: string &optional

calc_funcs: vector of SumStats::Calculation &optional

hll_error_margin: double &default = 0.01 &optional

(present if base/frameworks/sumstats/plugins/hll_unique.zeek is loaded)

The error margin for HLL.

hll_confidence: double &default = 0.95 &optional

(present if base/frameworks/sumstats/plugins/hll_unique.zeek is loaded)

The confidence for HLL.

num_last_elements: count &default = 0 &optional

(present if base/frameworks/sumstats/plugins/last.zeek is loaded)

Number of elements to keep.

num_samples: count &default = 0 &optional

(present if base/frameworks/sumstats/plugins/sample.zeek is loaded)

The number of sample Observations to collect.

topk_size: count &default = 500 &optional

(present if base/frameworks/sumstats/plugins/topk.zeek is loaded)

Number of elements to keep in the top-k list.

unique_max: count &optional

(present if base/frameworks/sumstats/plugins/unique.zeek is loaded)

Maximum number of unique values to store.

Represents a reducer.

SumStats::Result
Type

table [string] of SumStats::ResultVal

Type to store a table of results for multiple reducers indexed by observation stream identifier.

SumStats::ResultTable
Type

table [SumStats::Key] of SumStats::Result

Type to store a table of sumstats results indexed by keys.

SumStats::ResultVal
Type

record

begin: time

The time when the first observation was added to this result value.

end: time

The time when the last observation was added to this result value.

num: count &default = 0 &optional

The number of observations received.

average: double &optional

(present if base/frameworks/sumstats/plugins/average.zeek is loaded)

For numeric data, this is the average of all values.

hll_unique: count &default = 0 &optional

(present if base/frameworks/sumstats/plugins/hll_unique.zeek is loaded)

If cardinality is being tracked, the number of unique items is tracked here.

card: opaque of cardinality &optional

(present if base/frameworks/sumstats/plugins/hll_unique.zeek is loaded)

hll_error_margin: double &optional

(present if base/frameworks/sumstats/plugins/hll_unique.zeek is loaded)

hll_confidence: double &optional

(present if base/frameworks/sumstats/plugins/hll_unique.zeek is loaded)

last_elements: Queue::Queue &optional

(present if base/frameworks/sumstats/plugins/last.zeek is loaded)

This is the queue where elements are maintained. Don’t access this value directly, instead use the SumStats::get_last function to get a vector of the current element values.

max: double &optional

(present if base/frameworks/sumstats/plugins/max.zeek is loaded)

For numeric data, this tracks the maximum value.

min: double &optional

(present if base/frameworks/sumstats/plugins/min.zeek is loaded)

For numeric data, this tracks the minimum value.

samples: vector of SumStats::Observation &default = [] &optional

(present if base/frameworks/sumstats/plugins/sample.zeek is loaded)

This is the vector in which the samples are maintained.

sample_elements: count &default = 0 &optional

(present if base/frameworks/sumstats/plugins/sample.zeek is loaded)

Number of total observed elements.

num_samples: count &default = 0 &optional

(present if base/frameworks/sumstats/plugins/sample.zeek is loaded)

variance: double &optional

(present if base/frameworks/sumstats/plugins/variance.zeek is loaded)

For numeric data, this is the variance.

prev_avg: double &optional

(present if base/frameworks/sumstats/plugins/variance.zeek is loaded)

var_s: double &default = 0.0 &optional

(present if base/frameworks/sumstats/plugins/variance.zeek is loaded)

std_dev: double &default = 0.0 &optional

(present if base/frameworks/sumstats/plugins/std-dev.zeek is loaded)

For numeric data, this calculates the standard deviation.

sum: double &default = 0.0 &optional

(present if base/frameworks/sumstats/plugins/sum.zeek is loaded)

For numeric data, this tracks the sum of all values.

topk: opaque of topk &optional

(present if base/frameworks/sumstats/plugins/topk.zeek is loaded)

A handle which can be passed to some built-in functions to get the top-k results.

unique: count &default = 0 &optional

(present if base/frameworks/sumstats/plugins/unique.zeek is loaded)

If cardinality is being tracked, the number of unique values is tracked here.

unique_max: count &optional

(present if base/frameworks/sumstats/plugins/unique.zeek is loaded)

unique_vals: set [SumStats::Observation] &optional

(present if base/frameworks/sumstats/plugins/unique.zeek is loaded)

Result calculated for an observation stream fed into a reducer. Most of the fields are added by plugins.

SumStats::SumStat
Type

record

name: string

An arbitrary name for the sumstat so that it can be referred to later.

epoch: interval

The interval at which this sumstat should be “broken” and the epoch_result callback called. The results are also reset at this time, so any threshold-based detection needs to be set to a value that can be expected to occur within this epoch.

Passing an epoch of zero (e.g. 0 secs) causes this sumstat to be set to manual epochs. You will have to manually end the epoch by calling SumStats::next_epoch.

reducers: set [SumStats::Reducer]

The reducers for the SumStat.

threshold_val: function (key: SumStats::Key, result: SumStats::Result) : double &optional

A function that will be called once for each observation in order to calculate a value from the SumStats::Result structure which will be used for thresholding. This function is required if a threshold value or a threshold_series is given.

threshold: double &optional

The threshold value for calling the threshold_crossed callback. If you need more than one threshold value, then use threshold_series instead.

threshold_series: vector of double &optional

A series of thresholds for calling the threshold_crossed callback. These thresholds must be listed in ascending order, because a threshold is not checked until the preceding one has been crossed.

threshold_crossed: function (key: SumStats::Key, result: SumStats::Result) : void &optional

A callback that is called when a threshold is crossed. A threshold is crossed when the value returned from threshold_val is greater than or equal to the threshold value, but only the first time this happens within an epoch.

epoch_result: function (ts: time, key: SumStats::Key, result: SumStats::Result) : void &optional

A callback that receives each of the results at the end of the analysis epoch. The function will be called once for each key.

epoch_finished: function (ts: time) : void &optional

A callback that will be called when a single collection interval is completed. The ts value will be the time of when the collection started.

Represents a SumStat, which consists of an aggregation of reducers along with mechanisms to handle various situations like the epoch ending or thresholds being crossed.

It’s best to not access any global state outside of the variables given to the callbacks because there is no assurance provided as to where the callbacks will be executed on clusters.

Functions
SumStats::create
Type

function (ss: SumStats::SumStat) : void

Create a summary statistic.

ss

The SumStat to create.

SumStats::key2str
Type

function (key: SumStats::Key) : string

Helper function to represent a SumStats::Key value as a simple string.

key

The metric key that is to be converted into a string.

Returns

A string representation of the metric key.

SumStats::next_epoch
Type

function (ss_name: string) : bool

Manually end the current epoch for a sumstat. Calling this function starts the end-of-epoch processing for the sumstat. Note that the epoch will not end immediately; especially in cluster settings, a number of messages need to be exchanged between the cluster nodes.

Note that this function can only be called if the sumstat was created with an epoch time of zero (manual epochs).

In a cluster, this function must be called on the manager; it will not have any effect when called on workers.

ss_name

SumStat name.

Returns

true on success, false on failure. Failures can be: sumstat not found, or sumstat not created for manual epochs.

SumStats::observe
Type

function (id: string, orig_key: SumStats::Key, obs: SumStats::Observation) : void

Add data into an observation stream. This should be called when a script has measured some point value.

id

The observation stream identifier that the data point represents.

key

The key that the value is related to.

obs

The data point to send into the stream.

SumStats::request_key
Type

function (ss_name: string, key: SumStats::Key) : SumStats::Result

Dynamically request a sumstat key. This function should be used sparingly and not as a replacement for the callbacks from the SumStats::SumStat record. The function is only available for use within “when” statements as an asynchronous function.

ss_name

SumStat name.

key

The SumStat key being requested.

Returns

The result for the requested sumstat key.
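The SumStats::SumStat record, SumStats::create and SumStats::observe described above, put together in one working script. This is an added example, not part of the Zeek documentation or the Zeek script distribution: it counts, per client address, the DNS queries seen in 5-minute epochs together with the number of distinct names queried, checks the per-epoch count against two ascending thresholds, and prints each key's result when the epoch ends. The module name, notice type, thresholds and epoch length are constructed for the example; the script assumes the default base/protocols/dns scripts are loaded so that DNS::log_dns fires once per logged DNS transaction.

```zeek
# Added example (not part of the Zeek documentation or its scripts): per-client
# DNS query volume in 5-minute epochs with two thresholds and an epoch report.
@load base/frameworks/sumstats
@load base/frameworks/notice
@load base/protocols/dns

module DNSVolume;

export {
	redef enum Notice::Type += {
		## A client crossed one of the per-epoch DNS query thresholds.
		Query_Volume,
	};

	## Constructed thresholds (queries per client per epoch); tune per network.
	const query_thresholds = vector(500.0, 5000.0) &redef;
	## Constructed epoch length.
	const epoch_len = 5mins &redef;
}

event zeek_init()
	{
	# One reducer on stream "dns.query" with two calculations: SUM adds up the
	# num field of every observation, UNIQUE counts distinct observations
	# (here: distinct query names). unique_max bounds the memory a single
	# noisy client can consume.
	local r = SumStats::Reducer($stream="dns.query",
	                            $apply=set(SumStats::SUM, SumStats::UNIQUE),
	                            $unique_max=10000);

	SumStats::create([$name="dns-query-volume",
	                  $epoch=epoch_len,
	                  $reducers=set(r),
	                  # Value compared against the thresholds; called per observation.
	                  $threshold_val(key: SumStats::Key, result: SumStats::Result) =
	                  	{
	                  	return result["dns.query"]$sum;
	                  	},
	                  # Ascending order is required: the second threshold is only
	                  # checked once the first one has been crossed.
	                  $threshold_series=query_thresholds,
	                  # Fires the first time each threshold is reached within an epoch.
	                  $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
	                  	{
	                  	local rv = result["dns.query"];
	                  	NOTICE([$note=Query_Volume,
	                  	        $src=key$host,
	                  	        $msg=fmt("%s sent %.0f DNS queries for %d distinct names this epoch",
	                  	                 key$host, rv$sum, rv$unique),
	                  	        $identifier=cat(key$host)]);
	                  	},
	                  # Called once per key when the epoch ends; results reset afterwards.
	                  $epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) =
	                  	{
	                  	local rv = result["dns.query"];
	                  	print fmt("%s %s queries=%.0f distinct_names=%d",
	                  	          ts, key$host, rv$sum, rv$unique);
	                  	}]);
	}

# Keying on the client address makes each client one SumStats key. The
# observation carries num=1 for SUM and the query name for UNIQUE.
event DNS::log_dns(rec: DNS::Info)
	{
	if ( ! rec?$query )
		return;

	SumStats::observe("dns.query",
	                  SumStats::Key($host=rec$id$orig_h),
	                  SumStats::Observation($num=1, $str=rec$query));
	}
```

Run it against a capture with zeek -r trace.pcap dns-volume.zeek (any file name works). UNIQUE treats the whole Observation as the set element, so keeping num constant at 1 makes uniqueness depend only on the str field; without unique_max a single client could grow the per-key set without bound until the epoch resets it.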

base/frameworks/sumstats/plugins/__load__.zeek

Imports

base/frameworks/sumstats/plugins/average.zeek, base/frameworks/sumstats/plugins/hll_unique.zeek, base/frameworks/sumstats/plugins/last.zeek, base/frameworks/sumstats/plugins/max.zeek, base/frameworks/sumstats/plugins/min.zeek, base/frameworks/sumstats/plugins/sample.zeek, base/frameworks/sumstats/plugins/std-dev.zeek, base/frameworks/sumstats/plugins/sum.zeek, base/frameworks/sumstats/plugins/topk.zeek, base/frameworks/sumstats/plugins/unique.zeek, base/frameworks/sumstats/plugins/variance.zeek

Summary
Detailed Interface

base/frameworks/sumstats/plugins/average.zeek

SumStats

Calculate the average.

Namespace

SumStats

Imports

base/frameworks/sumstats/main.zeek

Summary
Redefinitions

SumStats::Calculation: enum

SumStats::ResultVal: record

New Fields

SumStats::ResultVal

average: double &optional

For numeric data, this is the average of all values.

Detailed Interface

base/frameworks/sumstats/plugins/hll_unique.zeek

SumStats

Calculate the number of unique values (using the HyperLogLog algorithm).

Namespace

SumStats

Imports

base/frameworks/sumstats

Summary
Redefinitions

SumStats::Calculation: enum

SumStats::Reducer: record

New Fields

SumStats::Reducer

hll_error_margin: double &default = 0.01 &optional

The error margin for HLL.

hll_confidence: double &default = 0.95 &optional

The confidence for HLL.

SumStats::ResultVal: record

New Fields

SumStats::ResultVal

hll_unique: count &default = 0 &optional

If cardinality is being tracked, the number of unique items is tracked here.

card: opaque of cardinality &optional

hll_error_margin: double &optional

hll_confidence: double &optional

Detailed Interface

base/frameworks/sumstats/plugins/last.zeek

SumStats

Keep the last X observations.

Namespace

SumStats

Imports

base/frameworks/sumstats, base/utils/queue.zeek

Summary
Redefinitions

SumStats::Calculation: enum

SumStats::Reducer: record

New Fields

SumStats::Reducer

num_last_elements: count &default = 0 &optional

Number of elements to keep.

SumStats::ResultVal: record

New Fields

SumStats::ResultVal

last_elements: Queue::Queue &optional

This is the queue where elements are maintained.

Functions

SumStats::get_last: function

Get a vector of element values from a ResultVal.

Detailed Interface
Functions
SumStats::get_last
Type

function (rv: SumStats::ResultVal) : vector of SumStats::Observation

Get a vector of element values from a ResultVal.

base/frameworks/sumstats/plugins/max.zeek

SumStats

Find the maximum value.

Namespace

SumStats

Imports

base/frameworks/sumstats/main.zeek

Summary
Redefinitions

SumStats::Calculation: enum

SumStats::ResultVal: record

New Fields

SumStats::ResultVal

max: double &optional

For numeric data, this tracks the maximum value.

Detailed Interface

base/frameworks/sumstats/plugins/min.zeek

SumStats

Find the minimum value.

Namespace

SumStats

Imports

base/frameworks/sumstats/main.zeek

Summary
Redefinitions

SumStats::Calculation: enum

SumStats::ResultVal: record

New Fields

SumStats::ResultVal

min: double &optional

For numeric data, this tracks the minimum value.

Detailed Interface

base/frameworks/sumstats/plugins/sample.zeek

SumStats

Keep a random sample of values.

Namespace

SumStats

Imports

base/frameworks/sumstats/main.zeek

Summary
Redefinitions

SumStats::Calculation: enum

  • SumStats::SAMPLE: Get uniquely distributed random samples from the observation stream.

SumStats::Reducer: record

New Fields

SumStats::Reducer

num_samples: count &default = 0 &optional

The number of sample Observations to collect.

SumStats::ResultVal: record

New Fields

SumStats::ResultVal

samples: vector of SumStats::Observation &default = [] &optional

This is the vector in which the samples are maintained.

sample_elements: count &default = 0 &optional

Number of total observed elements.

num_samples: count &default = 0 &optional

Detailed Interface

base/frameworks/sumstats/plugins/std-dev.zeek

SumStats

Calculate the standard deviation.

Namespace

SumStats

Imports

base/frameworks/sumstats/main.zeek, base/frameworks/sumstats/plugins/variance.zeek

Summary
Redefinitions

SumStats::Calculation: enum

SumStats::ResultVal: record

New Fields

SumStats::ResultVal

std_dev: double &default = 0.0 &optional

For numeric data, this calculates the standard deviation.

Detailed Interface

base/frameworks/sumstats/plugins/variance.zeek

SumStats

Calculate the variance.

Namespace

SumStats

Imports

base/frameworks/sumstats/main.zeek, base/frameworks/sumstats/plugins/average.zeek

Summary
Redefinitions

SumStats::Calculation: enum

SumStats::ResultVal: record

New Fields

SumStats::ResultVal

variance: double &optional

For numeric data, this is the variance.

prev_avg: double &optional

var_s: double &default = 0.0 &optional

Detailed Interface

base/frameworks/sumstats/plugins/sum.zeek

SumStats

Calculate the sum.

Namespace

SumStats

Imports

base/frameworks/sumstats/main.zeek

Summary
Redefinitions

SumStats::Calculation: enum

SumStats::ResultVal: record

New Fields

SumStats::ResultVal

sum: double &default = 0.0 &optional

For numeric data, this tracks the sum of all values.

Detailed Interface

base/frameworks/sumstats/plugins/topk.zeek

SumStats

Keep the top-k (i.e., most frequently occurring) observations.

This plugin uses a probabilistic algorithm to count the top-k elements. The algorithm (called Space-Saving) is described in the paper “Efficient Computation of Frequent and Top-k Elements in Data Streams”, by Metwally et al. (2005).

Namespace

SumStats

Imports

base/frameworks/sumstats

Summary
Redefinitions

SumStats::Calculation: enum

SumStats::Reducer: record

New Fields

SumStats::Reducer

topk_size: count &default = 500 &optional

Number of elements to keep in the top-k list.

SumStats::ResultVal: record

New Fields

SumStats::ResultVal

topk: opaque of topk &optional

A handle which can be passed to some built-in functions to get the top-k results.

Detailed Interface

base/frameworks/sumstats/plugins/unique.zeek

SumStats

Calculate the number of unique values.

Namespace

SumStats

Imports

base/frameworks/sumstats/main.zeek

Summary
Redefinitions

SumStats::Calculation: enum

SumStats::Reducer: record

New Fields

SumStats::Reducer

unique_max: count &optional

Maximum number of unique values to store.

SumStats::ResultVal: record

New Fields

SumStats::ResultVal

unique: count &default = 0 &optional

If cardinality is being tracked, the number of unique values is tracked here.

unique_max: count &optional

unique_vals: set [SumStats::Observation] &optional

Detailed Interface

base/frameworks/sumstats/non-cluster.zeek

SumStats
Namespace

SumStats

Imports

base/frameworks/sumstats/main.zeek

Summary
Detailed Interface

base/frameworks/tunnels/__load__.zeek

Imports

base/frameworks/tunnels/main.zeek

Summary
Detailed Interface

base/frameworks/tunnels/main.zeek

Tunnel

This script handles the tracking/logging of tunnels (e.g. Teredo, AYIYA, or IP-in-IP such as 6to4 where “IP” is either IPv4 or IPv6).

For any connection that occurs over a tunnel, information about its encapsulating tunnels is also found in the tunnel field of connection.

Namespace

Tunnel

Imports

base/protocols/conn/removal-hooks.zeek

Summary
Redefinable Options

Tunnel::expiration_interval: interval &redef

The amount of time a tunnel is not used in establishment of new connections before it is considered inactive/expired.

State Variables

Tunnel::active: table &read_expire = Tunnel::expiration_interval &expire_func = Tunnel::expire

Currently active tunnels.

Types

Tunnel::Action: enum

Types of interesting activity that can occur with a tunnel.

Tunnel::Info: record

The record type which contains column fields of the tunnel log.

Redefinitions

Log::ID: enum

The tunnel logging stream identifier.

Hooks

Tunnel::finalize_tunnel: Conn::RemovalHook

Tunnel finalization hook.

Tunnel::log_policy: Log::PolicyHook

A default logging policy hook for the stream.

Functions

Tunnel::close: function

Removes a single tunnel from the Tunnel::active table and logs the closing/expiration of the tunnel.

Tunnel::expire: function

Logs a single tunnel “connection” with action Tunnel::EXPIRE and removes it from the Tunnel::active table.

Tunnel::register: function

Logs a single tunnel “connection” with action Tunnel::DISCOVER if it’s not already in the Tunnel::active table and adds it if not.

Tunnel::register_all: function

Logs all tunnels in an encapsulation chain with action Tunnel::DISCOVER that aren’t already in the Tunnel::active table and adds them if not.

Detailed Interface
Redefinable Options
Tunnel::expiration_interval
Type

interval

Attributes

&redef

Default

1.0 hr

The amount of time a tunnel is not used in establishment of new connections before it is considered inactive/expired.

State Variables
Tunnel::active
Type

table [conn_id] of Tunnel::Info

Attributes

&read_expire = Tunnel::expiration_interval &expire_func = Tunnel::expire

Default

{}

Currently active tunnels. That is, tunnels for which new, encapsulated connections have been seen in the interval indicated by Tunnel::expiration_interval.

Types
Tunnel::Action
Type

enum

Tunnel::DISCOVER

A new tunnel (encapsulating “connection”) has been seen.

Tunnel::CLOSE

A tunnel connection has closed.

Tunnel::EXPIRE

No new connections over a tunnel happened in the amount of time indicated by Tunnel::expiration_interval.

Types of interesting activity that can occur with a tunnel.

Tunnel::Info
Type

record

ts: time &log

Time at which some tunnel activity occurred.

uid: string &log &optional

The unique identifier for the tunnel, which may correspond to a connection’s uid field for non-IP-in-IP tunnels. This is optional because there could be numerous connections for payload proxies like SOCKS but we should treat it as a single tunnel.

id: conn_id &log

The tunnel “connection” 4-tuple of endpoint addresses/ports. For an IP tunnel, the ports will be 0.

tunnel_type: Tunnel::Type &log

The type of tunnel.

action: Tunnel::Action &log

The type of activity that occurred.

The record type which contains column fields of the tunnel log.

Hooks
Tunnel::finalize_tunnel
Type

Conn::RemovalHook

Tunnel finalization hook. Remaining Tunnel info may get logged when it’s called.

Tunnel::log_policy
Type

Log::PolicyHook

A default logging policy hook for the stream.

Functions
Tunnel::close
Type

function (tunnel: Tunnel::Info, action: Tunnel::Action) : void

Removes a single tunnel from the Tunnel::active table and logs the closing/expiration of the tunnel.

tunnel

The tunnel which has closed or expired.

action

The specific reason for the tunnel ending.

Tunnel::expire
Type

function (t: table [conn_id] of Tunnel::Info, idx: conn_id) : interval

Logs a single tunnel “connection” with action Tunnel::EXPIRE and removes it from the Tunnel::active table.

t

A table of tunnels.

idx

The index of the tunnel table corresponding to the tunnel to expire.

Returns

0secs, which, when this function is used as an &expire_func, indicates that the element at idx should be removed immediately.

Tunnel::register
Type

function (ec: Tunnel::EncapsulatingConn) : void

Logs a single tunnel “connection” with action Tunnel::DISCOVER if it’s not already in the Tunnel::active table and adds it if not.

Tunnel::register_all
Type

function (ecv: EncapsulatingConnVector) : void

Logs all tunnels in an encapsulation chain with action Tunnel::DISCOVER that aren’t already in the Tunnel::active table and adds them if not.

base/protocols/conn/removal-hooks.zeek

Conn

Adds a framework for registering “connection removal hooks”. All registered hooks for a given connection get run within the connection_state_remove event for that connection. This functionality is useful from a performance/scaling concern: if every new protocol-analysis script uses connection_state_remove to implement its finalization/cleanup logic, then all connections take the performance hit of dispatching that event, even if they aren’t related to that specific protocol.

Namespace

Conn

Summary
Types

Conn::RemovalHook: hook

A hook function for use with either Conn::register_removal_hook or Conn::unregister_removal_hook.

Redefinitions

connection: record

New Fields

connection

removal_hooks: set [Conn::RemovalHook] &optional

Functions

Conn::register_removal_hook: function

Register a hook that will later be called during a connection’s connection_state_remove event.

Conn::unregister_removal_hook: function

Unregister a hook that would have been called during a connection’s connection_state_remove event such that it will no longer be called.

Detailed Interface
Types
Conn::RemovalHook
Type

hook (c: connection) : bool

A hook function for use with either Conn::register_removal_hook or Conn::unregister_removal_hook. The connection argument refers to the connection currently being removed within a connection_state_remove event.

Functions
Conn::register_removal_hook
Type

function (c: connection, hk: Conn::RemovalHook) : bool

Register a hook that will later be called during a connection’s connection_state_remove event.

c

The associated connection whose connection_state_remove event should trigger a callback to hk.

hk

The hook function to use as a callback.

Returns

false if the provided hook was previously registered, else true.

Conn::unregister_removal_hook
Type

function (c: connection, hk: Conn::RemovalHook) : bool

Unregister a hook that would have been called during a connection’s connection_state_remove event such that it will no longer be called.

c

The associated connection whose connection_state_remove event could have triggered a callback to hk.

hk

The hook function that would have been used as a callback.

Returns

true if the provided hook was previously registered, else false.
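The removal-hook pattern described above, in a working script. This is an added example and not part of the Zeek script distribution: it follows the same shape the Tunnel framework uses (a global of type Conn::RemovalHook, a hook body with low priority, and a call to Conn::register_removal_hook the first time a connection is seen carrying the protocol), so that cleanup runs inside connection_state_remove only for connections that registered it. The module name, the Info record and the connection field are constructed for the example; it assumes the default base/protocols/http scripts are loaded so that http_request fires.

```zeek
# Added example (not from the Zeek scripts): a per-connection HTTP request
# counter whose finalization runs through a removal hook instead of a global
# connection_state_remove handler.
@load base/protocols/conn/removal-hooks
@load base/protocols/http

module ReqCount;

export {
	type Info: record {
		uid:      string;
		requests: count &default=0;
	};

	## Declared with the hook type so it can be passed to
	## Conn::register_removal_hook, as Tunnel::finalize_tunnel is.
	global finalize_reqcount: Conn::RemovalHook;
}

redef record connection += {
	reqcount: Info &optional;
};

# Runs inside connection_state_remove, but only for connections that
# registered it; connections without HTTP never dispatch this hook.
hook finalize_reqcount(c: connection) &priority=-5
	{
	if ( ! c?$reqcount )
		return;

	print fmt("%s: %d HTTP requests on this connection",
	          c$reqcount$uid, c$reqcount$requests);
	delete c$reqcount;
	}

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
	{
	if ( ! c?$reqcount )
		{
		c$reqcount = [$uid=c$uid];
		# Register once per connection; the call returns F if this hook
		# was already registered for c, so a repeat is harmless anyway.
		Conn::register_removal_hook(c, finalize_reqcount);
		}

	c$reqcount$requests += 1;
	}
```

The hook only needs to be registered once per connection; registering it in the first http_request handler rather than in new_connection is what keeps non-HTTP connections from paying the dispatch cost the file description warns about.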

base/frameworks/openflow/__load__.zeek

Imports

base/frameworks/cluster, base/frameworks/openflow/consts.zeek, base/frameworks/openflow/main.zeek, base/frameworks/openflow/non-cluster.zeek, base/frameworks/openflow/plugins, base/frameworks/openflow/types.zeek

Summary
Detailed Interface

base/frameworks/openflow/consts.zeek

OpenFlow

Constants used by the OpenFlow framework.

Namespace

OpenFlow

Summary
Constants

OpenFlow::ETH_APPLETALK: count

OpenFlow::ETH_APPLETALK_ARP: count

OpenFlow::ETH_ARP: count

OpenFlow::ETH_EAP_OVER_LAN: count

OpenFlow::ETH_ETHER_FLOW_CONTROL: count

OpenFlow::ETH_IPX: count

OpenFlow::ETH_IPX_OLD: count

OpenFlow::ETH_IPv4: count

OpenFlow::ETH_IPv6: count

OpenFlow::ETH_JUMBO_FRAMES: count

OpenFlow::ETH_MAC_SECURITY: count

OpenFlow::ETH_MPLS_MULTICAST: count

OpenFlow::ETH_MPLS_UNICAST: count

OpenFlow::ETH_PPPOE_DISCOVERY: count

OpenFlow::ETH_PPPOE_SESSION: count

OpenFlow::ETH_PROVIDER_BRIDING: count

OpenFlow::ETH_QINQ: count

OpenFlow::ETH_RARP: count

OpenFlow::ETH_VLAN: count

OpenFlow::ETH_WOL: count

OpenFlow::INVALID_COOKIE: count

Return value for a cookie from a flow which is not added, modified or deleted from the Zeek openflow framework.

OpenFlow::IP_CBT: count

OpenFlow::IP_EGP: count

OpenFlow::IP_ETHERIP: count

OpenFlow::IP_FC: count

OpenFlow::IP_GGP: count

OpenFlow::IP_GRE: count

OpenFlow::IP_HOPOPT: count

OpenFlow::IP_ICMP: count

OpenFlow::IP_IGMP: count

OpenFlow::IP_IGP: count

OpenFlow::IP_IPIP: count

OpenFlow::IP_IPv6: count

OpenFlow::IP_ISIS: count

OpenFlow::IP_L2TP: count

OpenFlow::IP_MPLS: count

OpenFlow::IP_MTP: count

OpenFlow::IP_OSPF: count

OpenFlow::IP_RDP: count

OpenFlow::IP_RSVP: count

OpenFlow::IP_ST: count

OpenFlow::IP_TCP: count

OpenFlow::IP_UDP: count

OpenFlow::OFPFF_CHECK_OVERLAP: count

Check for overlapping entries first.

OpenFlow::OFPFF_EMERG: count

Remark this is for emergency.

OpenFlow::OFPFF_SEND_FLOW_REM: count

Send flow removed message when flow expires or is deleted.

OpenFlow::OFPP_ALL: count

All physical ports except input port.

OpenFlow::OFPP_ANY: count

Wildcard port used only for flow mod (delete) and flow stats requests.

OpenFlow::OFPP_CONTROLLER: count

Send to controller.

OpenFlow::OFPP_FLOOD: count

All physical ports except input port and those disabled by STP.

OpenFlow::OFPP_IN_PORT: count

Send the packet out the input port.

OpenFlow::OFPP_LOCAL: count

Local openflow “port”.

OpenFlow::OFPP_NORMAL: count

Process with normal L2/L3 switching.

OpenFlow::OFPP_TABLE: count

Perform actions in flow table.

OpenFlow::OFPTT_ALL: count

OpenFlow::OFP_NO_BUFFER: count

Types

OpenFlow::ofp_action_type: enum

Openflow action_type definitions.

OpenFlow::ofp_config_flags: enum

Openflow config flag definitions.

OpenFlow::ofp_flow_mod_command: enum

Openflow flow_mod_command definitions.

Detailed Interface
Constants
OpenFlow::ETH_APPLETALK
Type

count

Default

32923

OpenFlow::ETH_APPLETALK_ARP
Type

count

Default

33011

OpenFlow::ETH_ARP
Type

count

Default

2054

OpenFlow::ETH_EAP_OVER_LAN
Type

count

Default

34958

OpenFlow::ETH_ETHER_FLOW_CONTROL
Type

count

Default

34824

OpenFlow::ETH_IPX
Type

count

Default

33080

OpenFlow::ETH_IPX_OLD
Type

count

Default

33079

OpenFlow::ETH_IPv4
Type

count

Default

2048

OpenFlow::ETH_IPv6
Type

count

Default

34525

OpenFlow::ETH_JUMBO_FRAMES
Type

count

Default

34928

OpenFlow::ETH_MAC_SECURITY
Type

count

Default

35045

OpenFlow::ETH_MPLS_MULTICAST
Type

count

Default

34888

OpenFlow::ETH_MPLS_UNICAST
Type

count

Default

34887

OpenFlow::ETH_PPPOE_DISCOVERY
Type

count

Default

34915

OpenFlow::ETH_PPPOE_SESSION
Type

count

Default

34916

OpenFlow::ETH_PROVIDER_BRIDING
Type

count

Default

34984

OpenFlow::ETH_QINQ
Type

count

Default

37120

OpenFlow::ETH_RARP
Type

count

Default

32821

OpenFlow::ETH_VLAN
Type

count

Default

33024

OpenFlow::ETH_WOL
Type

count

Default

2114

OpenFlow::INVALID_COOKIE
Type

count

Default

9223372036854775807

Return value for a cookie from a flow which is not added, modified or deleted from the Zeek openflow framework.

OpenFlow::IP_CBT
Type

count

Default

7

OpenFlow::IP_EGP
Type

count

Default

8

OpenFlow::IP_ETHERIP
Type

count

Default

97

OpenFlow::IP_FC
Type

count

Default

133

OpenFlow::IP_GGP
Type

count

Default

3

OpenFlow::IP_GRE
Type

count

Default

47

OpenFlow::IP_HOPOPT
Type

count

Default

0

OpenFlow::IP_ICMP
Type

count

Default

1

OpenFlow::IP_IGMP
Type

count

Default

2

OpenFlow::IP_IGP
Type

count

Default

9

OpenFlow::IP_IPIP
Type

count

Default

4

OpenFlow::IP_IPv6
Type

count

Default

41

OpenFlow::IP_ISIS
Type

count

Default

124

OpenFlow::IP_L2TP
Type

count

Default

115

OpenFlow::IP_MPLS
Type

count

Default

137

OpenFlow::IP_MTP
Type

count

Default

92

OpenFlow::IP_OSPF
Type

count

Default

89

OpenFlow::IP_RDP
Type

count

Default

27

OpenFlow::IP_RSVP
Type

count

Default

46

OpenFlow::IP_ST
Type

count

Default

5

OpenFlow::IP_TCP
Type

count

Default

6

OpenFlow::IP_UDP
Type

count

Default

17

OpenFlow::OFPFF_CHECK_OVERLAP
Type

count

Default

2

Check for overlapping entries first.

OpenFlow::OFPFF_EMERG
Type

count

Default

4

Remark this is for emergency. Flows added with this are only used when the controller is disconnected.

OpenFlow::OFPFF_SEND_FLOW_REM
Type

count

Default

1

Send flow removed message when flow expires or is deleted.

OpenFlow::OFPP_ALL
Type

count

Default

4294967292

All physical ports except input port.

OpenFlow::OFPP_ANY
Type

count

Default

4294967295

Wildcard port used only for flow mod (delete) and flow stats requests.

OpenFlow::OFPP_CONTROLLER
Type

count

Default

4294967293

Send to controller.

OpenFlow::OFPP_FLOOD
Type

count

Default

4294967291

All physical ports except input port and those disabled by STP.

OpenFlow::OFPP_IN_PORT
Type

count

Default

4294967288

Send the packet out the input port. This virtual port must be explicitly used in order to send back out of the input port.

OpenFlow::OFPP_LOCAL
Type

count

Default

4294967294

Local openflow “port”.

OpenFlow::OFPP_NORMAL
Type

count

Default

4294967290

Process with normal L2/L3 switching.

OpenFlow::OFPP_TABLE
Type

count

Default

4294967289

Perform actions in flow table. NB: This can only be the destination port for packet-out messages.

OpenFlow::OFPTT_ALL
Type

count

Default

255

OpenFlow::OFP_NO_BUFFER
Type

count

Default

4294967295

Types
OpenFlow::ofp_action_type
Type

enum

OpenFlow::OFPAT_OUTPUT

Output to switch port.

OpenFlow::OFPAT_SET_VLAN_VID

Set the 802.1q VLAN id.

OpenFlow::OFPAT_SET_VLAN_PCP

Set the 802.1q priority.

OpenFlow::OFPAT_STRIP_VLAN

Strip the 802.1q header.

OpenFlow::OFPAT_SET_DL_SRC

Ethernet source address.

OpenFlow::OFPAT_SET_DL_DST

Ethernet destination address.

OpenFlow::OFPAT_SET_NW_SRC

IP source address.

OpenFlow::OFPAT_SET_NW_DST

IP destination address.

OpenFlow::OFPAT_SET_NW_TOS

IP ToS (DSCP field, 6 bits).

OpenFlow::OFPAT_SET_TP_SRC

TCP/UDP source port.

OpenFlow::OFPAT_SET_TP_DST

TCP/UDP destination port.

OpenFlow::OFPAT_ENQUEUE

Output to queue.

OpenFlow::OFPAT_VENDOR

Vendor specific.

Openflow action_type definitions.

The openflow action type defines what actions openflow can take to modify a packet.

OpenFlow::ofp_config_flags
Type

enum

OpenFlow::OFPC_FRAG_NORMAL

No special handling for fragments.

OpenFlow::OFPC_FRAG_DROP

Drop fragments.

OpenFlow::OFPC_FRAG_REASM

Reassemble (only if OFPC_IP_REASM set).

OpenFlow::OFPC_FRAG_MASK

Openflow config flag definitions.

TODO: describe

OpenFlow::ofp_flow_mod_command
Type

enum

OpenFlow::OFPFC_ADD

New flow.

OpenFlow::OFPFC_MODIFY

Modify all matching flows.

OpenFlow::OFPFC_MODIFY_STRICT

Modify entry strictly matching wildcards.

OpenFlow::OFPFC_DELETE

Delete all matching flows.

OpenFlow::OFPFC_DELETE_STRICT

Strictly matching wildcards and priority.

Openflow flow_mod_command definitions.

The openflow flow_mod_command describes what kind of modification a flow_mod performs.

base/frameworks/openflow/types.zeek

OpenFlow

Types used by the OpenFlow framework.

Namespace

OpenFlow

Imports

base/frameworks/openflow/consts.zeek

Summary
Types

OpenFlow::Controller: record

Controller record representing an openflow controller.

OpenFlow::ControllerState: record &redef

Controller related state.

OpenFlow::Plugin: enum

Available openflow plugins.

OpenFlow::ofp_flow_action: record &log

The actions that can be taken in a flow.

OpenFlow::ofp_flow_mod: record &log

Openflow flow_mod definition, describing the action to perform.

OpenFlow::ofp_match: record &log

Openflow match definition.

Detailed Interface
Types
OpenFlow::Controller
Type

record

state: OpenFlow::ControllerState

Controller related state.

supports_flow_removed: bool

Does the controller support the flow_removed event?

describe: function (state: OpenFlow::ControllerState) : string

Function that describes the controller. Has to be implemented.

init: function (state: OpenFlow::ControllerState) : void &optional

One-time initialization function. If defined, controller_init_done has to be called once initialization finishes.

destroy: function (state: OpenFlow::ControllerState) : void &optional

One-time destruction function.

flow_mod: function (state: OpenFlow::ControllerState, match: OpenFlow::ofp_match, flow_mod: OpenFlow::ofp_flow_mod) : bool &optional

flow_mod function.

flow_clear: function (state: OpenFlow::ControllerState) : bool &optional

flow_clear function.

Controller record representing an openflow controller.

OpenFlow::ControllerState
Type

record

_plugin: OpenFlow::Plugin &optional

Internally set to the type of plugin used.

_name: string &optional

Internally set to the unique name of the controller.

_activated: bool &default = F &optional

Internally set to true once the controller is activated.

ryu_host: addr &optional

(present if base/frameworks/openflow/plugins/ryu.zeek is loaded)

Controller ip.

ryu_port: count &optional

(present if base/frameworks/openflow/plugins/ryu.zeek is loaded)

Controller listen port.

ryu_dpid: count &optional

(present if base/frameworks/openflow/plugins/ryu.zeek is loaded)

OpenFlow switch datapath id.

ryu_debug: bool &default = F &optional

(present if base/frameworks/openflow/plugins/ryu.zeek is loaded)

Enable debug mode - output JSON to stdout; do not perform actions.

log_dpid: count &optional

(present if base/frameworks/openflow/plugins/log.zeek is loaded)

OpenFlow switch datapath id.

log_success_event: bool &optional

(present if base/frameworks/openflow/plugins/log.zeek is loaded)

Raise or do not raise success event.

broker_host: addr &optional

(present if base/frameworks/openflow/plugins/broker.zeek is loaded)

Controller ip.

broker_port: port &optional

(present if base/frameworks/openflow/plugins/broker.zeek is loaded)

Controller listen port.

broker_dpid: count &optional

(present if base/frameworks/openflow/plugins/broker.zeek is loaded)

OpenFlow switch datapath id.

broker_topic: string &optional

(present if base/frameworks/openflow/plugins/broker.zeek is loaded)

Topic to send events for this controller to.

Attributes

&redef

Controller related state. Can be redefined by plugins to add state.

OpenFlow::Plugin
Type

enum

OpenFlow::INVALID

Internal placeholder plugin.

OpenFlow::RYU

(present if base/frameworks/openflow/plugins/ryu.zeek is loaded)

OpenFlow::OFLOG

(present if base/frameworks/openflow/plugins/log.zeek is loaded)

OpenFlow::BROKER

(present if base/frameworks/openflow/plugins/broker.zeek is loaded)

Available openflow plugins.

OpenFlow::ofp_flow_action
Type

record

out_ports: vector of count &default = [] &optional &log

Output ports to send data to.

vlan_vid: count &optional &log

Set vlan vid to this value.

vlan_pcp: count &optional &log

Set vlan priority to this value.

vlan_strip: bool &default = F &optional &log

Strip vlan tag.

dl_src: string &optional &log

Set ethernet source address.

dl_dst: string &optional &log

Set ethernet destination address.

nw_tos: count &optional &log

Set ip tos to this value.

nw_src: addr &optional &log

Set source to this ip.

nw_dst: addr &optional &log

Set destination to this ip.

tp_src: count &optional &log

Set tcp/udp source port.

tp_dst: count &optional &log

Set tcp/udp destination port.

Attributes

&log

The actions that can be taken in a flow. (Separate record to make ofp_flow_mod less crowded)

OpenFlow::ofp_flow_mod
Type

record

cookie: count &log

Opaque controller-issued identifier.

table_id: count &optional &log

Table to put the flow in. OFPTT_ALL can be used for delete, to delete flows from all matching tables.

command: OpenFlow::ofp_flow_mod_command &log

One of OFPFC_*.

idle_timeout: count &default = 0 &optional &log

Idle time before discarding (seconds).

hard_timeout: count &default = 0 &optional &log

Max time before discarding (seconds).

priority: count &default = 0 &optional &log

Priority level of flow entry.

out_port: count &optional &log

For OFPFC_DELETE* commands, require matching entries to include this as an output port/group. OFPP_ANY/OFPG_ANY means no restrictions.

out_group: count &optional &log

flags: count &default = 0 &optional &log

Bitmap of the OFPFF_* flags

actions: OpenFlow::ofp_flow_action &default = [out_ports=[], vlan_vid=<uninitialized>, vlan_pcp=<uninitialized>, vlan_strip=F, dl_src=<uninitialized>, dl_dst=<uninitialized>, nw_tos=<uninitialized>, nw_src=<uninitialized>, nw_dst=<uninitialized>, tp_src=<uninitialized>, tp_dst=<uninitialized>] &optional &log

Actions to take on match

Attributes

&log

Openflow flow_mod definition, describing the action to perform.

OpenFlow::ofp_match
Type

record

in_port: count &optional &log

dl_src: string &optional &log

dl_dst: string &optional &log

dl_vlan: count &optional &log

dl_vlan_pcp: count &optional &log

dl_type: count &optional &log

nw_tos: count &optional &log

nw_proto: count &optional &log

nw_src: subnet &optional &log

nw_dst: subnet &optional &log

tp_src: count &optional &log

tp_dst: count &optional &log

Attributes

&log

Openflow match definition.

The openflow match record describes which packets match to a specific rule in a flow table.

base/frameworks/openflow/main.zeek

OpenFlow

Zeek’s OpenFlow control framework.

This plugin-based framework makes it possible to control OpenFlow-capable switches by implementing the communication with an OpenFlow controller in plugins. The framework has to be instantiated via the _new function of one of the plugins. It only offers very low-level functionality; if you want to use OpenFlow-capable switches, e.g., for shunting, please look at the NetControl framework, which provides higher-level functions and can use the OpenFlow framework as a backend.

Namespace

OpenFlow

Imports

base/frameworks/openflow/consts.zeek, base/frameworks/openflow/types.zeek

Summary
Events

OpenFlow::controller_activated: event

Event that is raised once a controller finishes initialization and is completely activated.

OpenFlow::flow_mod_failure: event

Reports an error while installing a flow rule.

OpenFlow::flow_mod_success: event

Event confirming successful modification of a flow rule.

OpenFlow::flow_removed: event

Reports that a flow was removed by the switch because of either the hard or the idle timeout.

Functions

OpenFlow::controller_init_done: function

Function to signal that a controller finished activation and is ready to use.

OpenFlow::flow_clear: function

Clear the current flow table of the controller.

OpenFlow::flow_mod: function

Global flow_mod function.

OpenFlow::generate_cookie: function

Function to generate a new cookie using our group id.

OpenFlow::get_cookie_gid: function

Function to get the group id out of a given cookie.

OpenFlow::get_cookie_uid: function

Function to get the unique id out of a given cookie.

OpenFlow::lookup_controller: function

Function to lookup a controller instance by name.

OpenFlow::match_conn: function

Convert a conn_id record into an ofp_match record that can be used to create match objects for OpenFlow.

OpenFlow::register_controller: function

Function to register a controller instance.

OpenFlow::unregister_controller: function

Function to unregister a controller instance.

Detailed Interface
Events
OpenFlow::controller_activated
Type

event (name: string, controller: OpenFlow::Controller)

Event that is raised once a controller finishes initialization and is completely activated.

Name

Unique name of this controller instance.

Controller

The controller that finished activation.

OpenFlow::flow_mod_failure
Type

event (name: string, match: OpenFlow::ofp_match, flow_mod: OpenFlow::ofp_flow_mod, msg: string &default = "" &optional)

Reports an error while installing a flow rule.

Name

The unique name of the OpenFlow controller from which this event originated.

Match

The ofp_match record which describes the flow to match.

Flow_mod

The openflow flow_mod record which describes the action to take.

Msg

Message to describe the event.

OpenFlow::flow_mod_success
Type

event (name: string, match: OpenFlow::ofp_match, flow_mod: OpenFlow::ofp_flow_mod, msg: string &default = "" &optional)

Event confirming successful modification of a flow rule.

Name

The unique name of the OpenFlow controller from which this event originated.

Match

The ofp_match record which describes the flow to match.

Flow_mod

The openflow flow_mod record which describes the action to take.

Msg

An optional informational message by the plugin.

OpenFlow::flow_removed
Type

event (name: string, match: OpenFlow::ofp_match, cookie: count, priority: count, reason: count, duration_sec: count, idle_timeout: count, packet_count: count, byte_count: count)

Reports that a flow was removed by the switch because of either the hard or the idle timeout. This message is only generated by controllers that indicate that they support flow removal in supports_flow_removed.

Name

The unique name of the OpenFlow controller from which this event originated.

Match

The ofp_match record which was used to create the flow.

Cookie

The cookie that was specified when creating the flow.

Priority

The priority that was specified when creating the flow.

Reason

The reason for flow removal (OFPRR_*).

Duration_sec

Duration of the flow in seconds.

Packet_count

Packet count of the flow.

Byte_count

Byte count of the flow.

Functions
OpenFlow::controller_init_done
Type

function (controller: OpenFlow::Controller) : void

Function to signal that a controller finished activation and is ready to use. Will throw the OpenFlow::controller_activated event.

OpenFlow::flow_clear
Type

function (controller: OpenFlow::Controller) : bool

Clear the current flow table of the controller.

Controller

The controller which should execute the flow modification.

Returns

F on error or if the plugin does not support the operation, T when the operation was queued.

OpenFlow::flow_mod
Type

function (controller: OpenFlow::Controller, match: OpenFlow::ofp_match, flow_mod: OpenFlow::ofp_flow_mod) : bool

Global flow_mod function.

Controller

The controller which should execute the flow modification.

Match

The ofp_match record which describes the flow to match.

Flow_mod

The openflow flow_mod record which describes the action to take.

Returns

F on error or if the plugin does not support the operation, T when the operation was queued.

OpenFlow::generate_cookie
Type

function (cookie: count &default = 0 &optional) : count

Function to generate a new cookie using our group id.

Cookie

The openflow match cookie.

Returns

The cookie group id.

OpenFlow::get_cookie_gid
Type

function (cookie: count) : count

Function to get the group id out of a given cookie.

Cookie

The openflow match cookie.

Returns

The cookie group id.

OpenFlow::get_cookie_uid
Type

function (cookie: count) : count

Function to get the unique id out of a given cookie.

Cookie

The openflow match cookie.

Returns

The cookie unique id.

OpenFlow::lookup_controller
Type

function (name: string) : vector of OpenFlow::Controller

Function to lookup a controller instance by name.

Name

Unique name of the controller to look up.

Returns

One element vector with controller, if found. Empty vector otherwise.

OpenFlow::match_conn
Type

function (id: conn_id, reverse: bool &default = F &optional) : OpenFlow::ofp_match

Convert a conn_id record into an ofp_match record that can be used to create match objects for OpenFlow.

Id

The conn_id record that describes the connection.

Reverse

Reverse the sources and destinations when creating the match record (default F).

Returns

ofp_match object for the conn_id record.

OpenFlow::register_controller
Type

function (tpe: OpenFlow::Plugin, name: string, controller: OpenFlow::Controller) : void

Function to register a controller instance. This function is called automatically by the plugin _new functions.

Tpe

Type of this plugin.

Name

Unique name of this controller instance.

Controller

The controller to register.

OpenFlow::unregister_controller
Type

function (controller: OpenFlow::Controller) : void

Function to unregister a controller instance. This function should be called when a specific controller should no longer be used.

Controller

The controller to unregister.

base/frameworks/openflow/plugins/__load__.zeek

Imports

base/frameworks/openflow/plugins/broker.zeek, base/frameworks/openflow/plugins/log.zeek, base/frameworks/openflow/plugins/ryu.zeek

Summary
Detailed Interface

base/frameworks/openflow/plugins/ryu.zeek

OpenFlow

OpenFlow plugin for the Ryu controller.

Namespace

OpenFlow

Imports

base/frameworks/openflow, base/utils/active-http.zeek, base/utils/exec.zeek

Summary
Redefinitions

OpenFlow::ControllerState: record &redef

New Fields

OpenFlow::ControllerState

ryu_host: addr &optional

Controller ip.

ryu_port: count &optional

Controller listen port.

ryu_dpid: count &optional

OpenFlow switch datapath id.

ryu_debug: bool &default = F &optional

Enable debug mode - output JSON to stdout; do not perform actions.

OpenFlow::Plugin: enum

Functions

OpenFlow::ryu_new: function

Ryu controller constructor.

Detailed Interface
Functions
OpenFlow::ryu_new
Type

function (host: addr, host_port: count, dpid: count) : OpenFlow::Controller

Ryu controller constructor.

Host

Controller ip.

Host_port

Controller listen port.

Dpid

OpenFlow switch datapath id.

Returns

OpenFlow::Controller record.

base/frameworks/openflow/plugins/log.zeek

OpenFlow

OpenFlow plugin that outputs flow-modification commands to a Zeek log file.

Namespace

OpenFlow

Imports

base/frameworks/logging, base/frameworks/openflow

Summary
Types

OpenFlow::Info: record

The record type which contains column fields of the OpenFlow log.

Redefinitions

Log::ID: enum

OpenFlow::ControllerState: record &redef

New Fields

OpenFlow::ControllerState

log_dpid: count &optional

OpenFlow switch datapath id.

log_success_event: bool &optional

Raise or do not raise success event.

OpenFlow::Plugin: enum

Events

OpenFlow::log_openflow: event

Event that can be handled to access the OpenFlow::Info record as it is sent on to the logging framework.

Hooks

OpenFlow::log_policy: Log::PolicyHook

Functions

OpenFlow::log_new: function

Log controller constructor.

Detailed Interface
Types
OpenFlow::Info
Type

record

ts: time &log

Network time.

dpid: count &log

OpenFlow switch datapath id.

match: OpenFlow::ofp_match &log

OpenFlow match fields.

flow_mod: OpenFlow::ofp_flow_mod &log

OpenFlow modify flow entry message.

The record type which contains column fields of the OpenFlow log.

Events
OpenFlow::log_openflow
Type

event (rec: OpenFlow::Info)

Event that can be handled to access the OpenFlow::Info record as it is sent on to the logging framework.

Hooks
OpenFlow::log_policy
Type

Log::PolicyHook

Functions
OpenFlow::log_new
Type

function (dpid: count, success_event: bool &default = T &optional) : OpenFlow::Controller

Log controller constructor.

Dpid

OpenFlow switch datapath id.

Success_event

If true, flow_mod_success is raised for each logged line.

Returns

OpenFlow::Controller record.
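A worked example of the low-level API from main.zeek together with the log plugin, added here and not part of Zeek's own scripts: it creates a log-plugin controller, builds a per-direction match with OpenFlow::match_conn, pushes an ofp_flow_mod through OpenFlow::flow_mod, and uses the cookie helpers to tie later flow_mod_failure and flow_removed events back to the connection. The module name, datapath id, port set and timeout are constructed values; OpenFlow::OFPFC_ADD comes from base/frameworks/openflow/consts.zeek, which this page lists as an import but does not show.

```zeek
@load base/frameworks/openflow
@load base/frameworks/openflow/plugins/log

# Added example, not part of the Zeek distribution: once a connection to a
# configured service is established, install one OpenFlow entry per direction
# whose action list has no out_ports, so the switch stops forwarding the
# packets to the monitor (a shunt). The log plugin records every flow_mod in
# openflow.log instead of contacting a switch, which allows reviewing the
# entries a script would install before wiring up the Ryu or Broker plugin.
module ShuntExample;

export {
	## Datapath id handed to the log plugin; constructed placeholder.
	const dpid: count = 1 &redef;
	## Connections to these services are shunted once established.
	const shunt_ports: set[port] = { 443/tcp } &redef;
	## Idle timeout, in seconds, of the installed flow entries.
	const shunt_idle_timeout: count = 60 &redef;
}

global controller: OpenFlow::Controller;
global controller_ready = F;
global next_uid: count = 0;
# Cookie unique id -> connection uid, so later events can be tied to the connection.
global conn_by_uid: table[count] of string;

event zeek_init()
	{
	controller = OpenFlow::log_new(dpid);
	}

# Only issue flow modifications once the (single) controller reports activation.
event OpenFlow::controller_activated(name: string, c: OpenFlow::Controller)
	{
	controller_ready = T;
	}

function shunt_direction(c: connection, reverse: bool)
	{
	next_uid += 1;
	conn_by_uid[next_uid] = c$uid;

	# reverse=T swaps sources and destinations: the responder->originator direction.
	local m = OpenFlow::match_conn(c$id, reverse);
	# The default actions record has an empty out_ports vector, which is what
	# keeps matching packets away from the monitor port.
	local fm = OpenFlow::ofp_flow_mod($cookie=OpenFlow::generate_cookie(next_uid),
	                                  $command=OpenFlow::OFPFC_ADD,
	                                  $idle_timeout=shunt_idle_timeout,
	                                  $priority=10);

	# F means the plugin rejected the request or does not support the operation.
	if ( ! OpenFlow::flow_mod(controller, m, fm) )
		Reporter::warning(fmt("flow_mod for %s (cookie %d) was not queued", c$uid, fm$cookie));
	}

event connection_established(c: connection)
	{
	if ( ! controller_ready || ( c$id$resp_p !in shunt_ports ) )
		return;

	shunt_direction(c, F);
	shunt_direction(c, T);
	}

event OpenFlow::flow_mod_failure(name: string, match: OpenFlow::ofp_match,
                                 flow_mod: OpenFlow::ofp_flow_mod, msg: string &default="")
	{
	local uid = OpenFlow::get_cookie_uid(flow_mod$cookie);
	if ( uid in conn_by_uid )
		Reporter::warning(fmt("shunt of %s failed on %s: %s", conn_by_uid[uid], name, msg));
	}

# Only controllers that support flow removal raise this (the log plugin does not);
# with a real switch the counters describe the entry that just timed out.
event OpenFlow::flow_removed(name: string, match: OpenFlow::ofp_match, cookie: count,
                             priority: count, reason: count, duration_sec: count,
                             idle_timeout: count, packet_count: count, byte_count: count)
	{
	local uid = OpenFlow::get_cookie_uid(cookie);
	if ( uid !in conn_by_uid )
		return;

	print fmt("shunt of %s expired after %ds; %d bytes bypassed the monitor",
	          conn_by_uid[uid], duration_sec, byte_count);
	delete conn_by_uid[uid];
	}
```

Each flow_mod shows up as one line in openflow.log, with the match and flow_mod records expanded into columns, which is the place to check that both directions of a connection were covered.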

base/frameworks/openflow/plugins/broker.zeek

OpenFlow

OpenFlow plugin for interfacing to controllers via Broker.

Namespace

OpenFlow

Imports

base/frameworks/broker, base/frameworks/openflow

Summary
Redefinitions

OpenFlow::ControllerState: record &redef

New Fields

OpenFlow::ControllerState

broker_host: addr &optional

Controller ip.

broker_port: port &optional

Controller listen port.

broker_dpid: count &optional

OpenFlow switch datapath id.

broker_topic: string &optional

Topic to send events for this controller to.

OpenFlow::Plugin: enum

Events

OpenFlow::broker_flow_clear: event

OpenFlow::broker_flow_mod: event

Functions

OpenFlow::broker_new: function

Broker controller constructor.

Detailed Interface
Events
OpenFlow::broker_flow_clear
Type

event (name: string, dpid: count)

OpenFlow::broker_flow_mod
Type

event (name: string, dpid: count, match: OpenFlow::ofp_match, flow_mod: OpenFlow::ofp_flow_mod)

Functions
OpenFlow::broker_new
Type

function (name: string, host: addr, host_port: port, topic: string, dpid: count) : OpenFlow::Controller

Broker controller constructor.

Host

Controller ip.

Host_port

Controller listen port.

Topic

Broker topic to send messages to.

Dpid

OpenFlow switch datapath id.

Returns

OpenFlow::Controller record.

base/frameworks/openflow/non-cluster.zeek

OpenFlow
Namespace

OpenFlow

Imports

base/frameworks/openflow/main.zeek

Summary
Detailed Interface

base/frameworks/netcontrol/__load__.zeek

Imports

base/frameworks/cluster, base/frameworks/netcontrol/drop.zeek, base/frameworks/netcontrol/main.zeek, base/frameworks/netcontrol/non-cluster.zeek, base/frameworks/netcontrol/plugins, base/frameworks/netcontrol/shunt.zeek, base/frameworks/netcontrol/types.zeek

Summary
Detailed Interface

base/frameworks/netcontrol/types.zeek

NetControl

This file defines the types that are used by the NetControl framework.

The most important type defined in this file is NetControl::Rule, which is used to describe all rules that can be expressed by the NetControl framework.

Namespace

NetControl

Summary
Runtime Options

NetControl::default_priority: int &redef

The default priority that is used when creating rules.

Redefinable Options

NetControl::whitelist_priority: int &redef

The default priority that is used when using the high-level functions to push whitelist entries to the backends (NetControl::whitelist_address and NetControl::whitelist_subnet).

Types

NetControl::Entity: record

Type defining the entity a rule is operating on.

NetControl::EntityType: enum

Type defining the entity that a rule applies to.

NetControl::Flow: record

Flow is used in NetControl::Entity together with NetControl::FLOW to specify a uni-directional flow that a rule applies to.

NetControl::FlowInfo: record

Information of a flow that can be provided by switches when the flow times out.

NetControl::FlowMod: record

Type for defining a flow modification action.

NetControl::Rule: record

A rule for the framework to put in place.

NetControl::RuleType: enum

Type of rules that the framework supports.

NetControl::TargetType: enum

Type defining the target of a rule.

Detailed Interface
Runtime Options
NetControl::default_priority
Type

int

Attributes

&redef

Default

0

The default priority that is used when creating rules.

Redefinable Options
NetControl::whitelist_priority
Type

int

Attributes

&redef

Default

5

The default priority that is used when using the high-level functions to push whitelist entries to the backends (NetControl::whitelist_address and NetControl::whitelist_subnet).

Note that this priority is not automatically used when manually creating rules that have a NetControl::RuleType of NetControl::WHITELIST.

Types
NetControl::Entity
Type

record

ty: NetControl::EntityType

Type of entity.

conn: conn_id &optional

Used with NetControl::CONNECTION.

flow: NetControl::Flow &optional

Used with NetControl::FLOW.

ip: subnet &optional

Used with NetControl::ADDRESS to specify a CIDR subnet.

mac: string &optional

Used with NetControl::MAC.

Type defining the entity a rule is operating on.

NetControl::EntityType
Type

enum

NetControl::ADDRESS

Activity involving a specific IP address.

NetControl::CONNECTION

Activity involving all of a bi-directional connection’s activity.

NetControl::FLOW

Activity involving a uni-directional flow’s activity. Can contain wildcards.

NetControl::MAC

Activity involving a MAC address.

Type defining the entity that a rule applies to.

NetControl::Flow
Type

record

src_h: subnet &optional

The source IP address/subnet.

src_p: port &optional

The source port number.

dst_h: subnet &optional

The destination IP address/subnet.

dst_p: port &optional

The destination port number.

src_m: string &optional

The source MAC address.

dst_m: string &optional

The destination MAC address.

Flow is used in NetControl::Entity together with NetControl::FLOW to specify a uni-directional flow that a rule applies to.

If optional fields are not set, they are interpreted as wildcarded.

NetControl::FlowInfo
Type

record

duration: interval &optional

Total duration of the rule.

packet_count: count &optional

Number of packets exchanged over connections matched by the rule.

byte_count: count &optional

Total bytes exchanged over connections matched by the rule.

Information of a flow that can be provided by switches when the flow times out. Currently this is heavily influenced by the data that OpenFlow returns by default. That said, their design makes sense, and this is probably the data one can expect to be available.

NetControl::FlowMod
Type

record

src_h: addr &optional

The source IP address.

src_p: count &optional

The source port number.

dst_h: addr &optional

The destination IP address.

dst_p: count &optional

The destination port number.

src_m: string &optional

The source MAC address.

dst_m: string &optional

The destination MAC address.

redirect_port: count &optional

Type for defining a flow modification action.

NetControl::Rule
Type

record

ty: NetControl::RuleType

Type of rule.

target: NetControl::TargetType

Where to apply rule.

entity: NetControl::Entity

Entity to apply rule to.

expire: interval &optional

Timeout after which to expire the rule.

priority: int &default = NetControl::default_priority &optional

Priority if multiple rules match an entity (larger value is higher priority).

location: string &optional

Optional string describing where/what installed the rule.

out_port: count &optional

Argument for NetControl::REDIRECT rules.

mod: NetControl::FlowMod &optional

Argument for NetControl::MODIFY rules.

id: string &default = "" &optional

Internally determined unique ID for this rule. Will be set when added.

cid: count &default = 0 &optional

Internally determined unique numeric ID for this rule. Set when added.

_plugin_ids: set [count] &default = {  } &optional

(present if base/frameworks/netcontrol/main.zeek is loaded)

Internally set to the plugins handling the rule.

_active_plugin_ids: set [count] &default = {  } &optional

(present if base/frameworks/netcontrol/main.zeek is loaded)

Internally set to the plugins on which the rule is currently active.

_no_expire_plugins: set [count] &default = {  } &optional

(present if base/frameworks/netcontrol/main.zeek is loaded)

Internally set to plugins where the rule should not be removed upon timeout.

_added: bool &default = F &optional

(present if base/frameworks/netcontrol/main.zeek is loaded)

Track if the rule was added successfully by all responsible plugins.

A rule for the framework to put in place. Of all rules currently in place, the first match will be taken, sorted by priority. All further rules will be ignored.

NetControl::RuleType
Type

enum

NetControl::DROP

Stop forwarding all packets matching the entity.

No additional arguments.

NetControl::MODIFY

Modify all packets matching entity. The packets will be modified according to the mod entry of the rule.

NetControl::REDIRECT

Redirect all packets matching entity to a different switch port, given in the out_port argument of the rule.

NetControl::WHITELIST

Whitelists all packets of an entity, meaning no restrictions will be applied. While whitelisting is the default if no rule matches, this type can be used to override lower-priority rules that would otherwise take effect for the entity.

Type of rules that the framework supports. Each type lists the extra NetControl::Rule fields it uses, if any.

Plugins may extend this type to define their own.

NetControl::TargetType
Type

enum

NetControl::FORWARD
NetControl::MONITOR

Type defining the target of a rule.

Rules can either be applied to the forward path, affecting all network traffic, or on the monitor path, only affecting the traffic that is sent to Zeek. The second is mostly used for shunting, which allows Zeek to tell the networking hardware that it wants to no longer see traffic that it identified as benign.

base/frameworks/netcontrol/main.zeek

NetControl

Zeek’s NetControl framework.

This plugin-based framework makes it possible to control the traffic that Zeek monitors as well as, if it has access to the forwarding path, the traffic the network forwards. By default, the framework lets everything through, both to Zeek itself and on the network. Scripts can then add rules to impose restrictions on entities, such as specific connections or IP addresses.

This framework has two APIs: a high-level and a low-level one. The high-level API provides convenience functions for a set of common operations. The low-level API provides full flexibility.

Namespace

NetControl

Imports

base/frameworks/netcontrol/plugin.zeek, base/frameworks/netcontrol/types.zeek

Summary
Types

NetControl::Info: record

The record type defining the column fields of the NetControl log.

NetControl::InfoCategory: enum

Type of an entry in the NetControl log.

NetControl::InfoState: enum

State of an entry in the NetControl log.

Redefinitions

Log::ID: enum

The framework’s logging stream identifier.

NetControl::Rule: record

New Fields

NetControl::Rule

_plugin_ids: set [count] &default = {  } &optional

Internally set to the plugins handling the rule.

_active_plugin_ids: set [count] &default = {  } &optional

Internally set to the plugins on which the rule is currently active.

_no_expire_plugins: set [count] &default = {  } &optional

Internally set to plugins where the rule should not be removed upon timeout.

_added: bool &default = F &optional

Track if the rule was added successfully by all responsible plugins.

Events

NetControl::init: event

Event that is used to initialize plugins.

NetControl::init_done: event

Event that is raised once all plugins activated in NetControl::init have finished their initialization.

NetControl::log_netcontrol: event

Event that can be handled to access the NetControl::Info record as it is sent on to the logging framework.

NetControl::rule_added: event

Confirms that a rule was put in place by a plugin.

NetControl::rule_destroyed: event

This event is raised when a rule is deleted from the NetControl framework, because it is no longer in use.

NetControl::rule_error: event

Reports an error when operating on a rule.

NetControl::rule_exists: event

Signals that a rule that was supposed to be put in place already existed at the specified plugin.

NetControl::rule_new: event

This event is raised when a new rule is created by the NetControl framework due to a call to add_rule.

NetControl::rule_removed: event

Reports that a plugin removed a rule due to a remove_rule function call.

NetControl::rule_timeout: event

Reports that a rule was removed from a plugin due to a timeout.

Hooks

NetControl::log_policy: Log::PolicyHook

A default logging policy hook for the stream.

NetControl::rule_policy: hook

Hook that allows the modification of rules passed to add_rule before they are passed on to the plugins.

Functions

NetControl::activate: function

Activates a plugin.

NetControl::add_rule: function

Installs a rule.

NetControl::clear: function

Flushes all state by calling NetControl::remove_rule on all currently active rules.

NetControl::delete_rule: function

Deletes a rule without removing it from the backends to which it has been added before.

NetControl::find_rules_addr: function

Searches all rules affecting a certain IP address.

NetControl::find_rules_subnet: function

Searches all rules affecting a certain subnet.

NetControl::plugin_activated: function

Function called by plugins once they finished their activation.

NetControl::quarantine_host: function

Quarantines a host.

NetControl::redirect_flow: function

Redirects a uni-directional flow to another port.

NetControl::remove_rule: function

Removes a rule.

NetControl::whitelist_address: function

Allows all traffic involving a specific IP address to be forwarded.

NetControl::whitelist_subnet: function

Allows all traffic involving a specific IP subnet to be forwarded.

Detailed Interface
Types
NetControl::Info
Type

record

ts: time &log

Time at which the recorded activity occurred.

rule_id: string &log &optional

ID of the rule; unique during each Zeek run.

category: NetControl::InfoCategory &log &optional

Type of the log entry.

cmd: string &log &optional

The command the log entry is about.

state: NetControl::InfoState &log &optional

State the log entry reflects.

action: string &log &optional

String describing an action the entry is about.

target: NetControl::TargetType &log &optional

The target type of the action.

entity_type: string &log &optional

Type of the entity the log entry is about.

entity: string &log &optional

String describing the entity the log entry is about.

mod: string &log &optional

String describing the optional modification of the entry (e.g. redirect).

msg: string &log &optional

String with an additional message.

priority: int &log &optional

Number describing the priority of the log entry.

expire: interval &log &optional

Expiry time of the log entry.

location: string &log &optional

Location where the underlying action was triggered.

plugin: string &log &optional

Plugin triggering the log entry.

The record type defining the column fields of the NetControl log.

NetControl::InfoCategory
Type

enum

NetControl::MESSAGE

A log entry reflecting a framework message.

NetControl::ERROR

A log entry reflecting a framework message.

NetControl::RULE

A log entry about a rule.

Type of an entry in the NetControl log.

NetControl::InfoState
Type

enum

NetControl::REQUESTED

The request to add/remove a rule was sent to the respective backend.

NetControl::SUCCEEDED

A rule was successfully added by a backend.

NetControl::EXISTS

A backend reported that a rule already existed.

NetControl::FAILED

A rule addition failed.

NetControl::REMOVED

A rule was successfully removed by a backend.

NetControl::TIMEOUT

A rule timeout was triggered by the NetControl framework or a backend.

State of an entry in the NetControl log.

Events
NetControl::init
Type

event ()

Event that is used to initialize plugins. Place all plugin initialization related functionality in this event.

NetControl::init_done
Type

event ()

Event that is raised once all plugins activated in NetControl::init have finished their initialization.

NetControl::log_netcontrol
Type

event (rec: NetControl::Info)

Event that can be handled to access the NetControl::Info record as it is sent on to the logging framework.

NetControl::rule_added
Type

event (r: NetControl::Rule, p: NetControl::PluginState, msg: string &default = "" &optional)

Confirms that a rule was put in place by a plugin.

R

The rule now in place.

P

The state for the plugin that put it into place.

Msg

An optional informational message by the plugin.

NetControl::rule_destroyed
Type

event (r: NetControl::Rule)

This event is raised when a rule is deleted from the NetControl framework, because it is no longer in use. This can be caused by the fact that a rule was removed by all plugins to which it was added, by the fact that it timed out or due to rule errors.

To get the cause of a rule removal, catch the rule_removed, rule_timeout and rule_error events.

NetControl::rule_error
Type

event (r: NetControl::Rule, p: NetControl::PluginState, msg: string &default = "" &optional)

Reports an error when operating on a rule.

R

The rule that encountered an error.

P

The state for the plugin that reported the error.

Msg

An optional informational message by the plugin.

NetControl::rule_exists
Type

event (r: NetControl::Rule, p: NetControl::PluginState, msg: string &default = "" &optional)

Signals that a rule that was supposed to be put in place already existed at the specified plugin. Rules that already existed continue to be tracked like normal, but no timeout calls will be sent to the specified plugins. Removal of the rule from the hardware can still be forced by manually issuing a remove_rule call.

R

The rule that was already in place.

P

The plugin that reported that the rule already was in place.

Msg

An optional informational message by the plugin.

NetControl::rule_new
Type

event (r: NetControl::Rule)

This event is raised when a new rule is created by the NetControl framework due to a call to add_rule. From this moment, until the rule_destroyed event is raised, the rule is tracked internally by the NetControl framework.

Note that this event does not mean that a rule was successfully added by any backend; it just means that the rule has been accepted and addition to the specified backend is queued. To get information when rules are actually installed by the hardware, use the rule_added, rule_exists, rule_removed, rule_timeout and rule_error events.

NetControl::rule_removed
Type

event (r: NetControl::Rule, p: NetControl::PluginState, msg: string &default = "" &optional)

Reports that a plugin removed a rule due to a remove_rule function call.

R

The rule now removed.

P

The state for the plugin that had the rule in place and now removed it.

Msg

An optional informational message by the plugin.

NetControl::rule_timeout
Type

event (r: NetControl::Rule, i: NetControl::FlowInfo, p: NetControl::PluginState)

Reports that a rule was removed from a plugin due to a timeout.

R

The rule now removed.

I

Additional flow information, if supported by the protocol.

P

The state for the plugin that had the rule in place and now removed it.

Msg

An optional informational message by the plugin.

Hooks
NetControl::log_policy
Type

Log::PolicyHook

A default logging policy hook for the stream.

NetControl::rule_policy
Type

hook (r: NetControl::Rule) : bool

Hook that allows the modification of rules passed to add_rule before they are passed on to the plugins. If one of the hooks uses break, the rule is ignored and not passed on to any plugin.

R

The rule to be added.

Functions
NetControl::activate
Type

function (p: NetControl::PluginState, priority: int) : void

Activates a plugin.

P

The plugin to activate.

Priority

The higher the priority, the earlier this plugin will be checked whether it supports an operation, relative to other plugins.

NetControl::add_rule
Type

function (r: NetControl::Rule) : string

Installs a rule.

R

The rule to install.

Returns

If successful, returns an ID string unique to the rule that can later be used to refer to it. If unsuccessful, returns an empty string. The ID is also assigned to r$id. Note that “successful” means “a plugin knew how to handle the rule”, it doesn’t necessarily mean that it was indeed successfully put in place, because that might happen asynchronously and thus fail only later.

NetControl::clear
Type

function () : void

Flushes all state by calling NetControl::remove_rule on all currently active rules.

NetControl::delete_rule
Type

function (id: string, reason: string &default = "" &optional) : bool

Deletes a rule without removing it from the backends to which it has been added before. This means that no messages will be sent to the switches to which the rule has been added; if it is not removed from them by a separate mechanism, it will stay installed and not be removed later.

Id

The rule to delete, specified as the ID returned by NetControl::add_rule.

Reason

Optional string argument giving information on why the rule was deleted.

Returns

True if the rule was deleted, or the request was forwarded to the cluster manager. False if the rule could not be found.

NetControl::find_rules_addr
Type

function (ip: addr) : vector of NetControl::Rule

Searches all rules affecting a certain IP address.

This function works on both the manager and workers of a cluster. Note that on the worker, the internal rule variables (starting with _) will not reflect the current state.

Ip

The ip address to search for.

Returns

vector of all rules affecting the IP address.

NetControl::find_rules_subnet
Type

function (sn: subnet) : vector of NetControl::Rule

Searches all rules affecting a certain subnet.

A rule affects a subnet if it covers the whole subnet. Note especially that this function will not reveal all rules that are covered by a subnet.

For example, a search for 192.168.17.0/24 will reveal a rule that exists for 192.168.0.0/16, since this rule affects the subnet. However, it will not reveal a more specific rule for 192.168.17.1/32, which does not directly affect the whole subnet.

This function works on both the manager and workers of a cluster. Note that on the worker, the internal rule variables (starting with _) will not reflect the current state.

Sn

The subnet to search for.

Returns

vector of all rules affecting the subnet.

NetControl::plugin_activated
Type

function (p: NetControl::PluginState) : void

Function called by plugins once they have finished their activation. After all plugins defined in zeek_init have finished activating, rules start to be sent to the plugins. Rules that scripts try to set before the backends are ready are discarded.

NetControl::quarantine_host
Type

function (infected: addr, dns: addr, quarantine: addr, t: interval, location: string &default = "" &optional) : vector of string

Quarantines a host. This requires a special quarantine server, which runs an HTTP server explaining the quarantine and a DNS server that resolves all requests to the quarantine server. DNS queries from the host to the network DNS server are rewritten and sent to the quarantine server instead. Only HTTP communication from the infected host to the quarantine host is allowed. All other network communication is blocked.

Infected

the host to quarantine.

Dns

the network dns server.

Quarantine

the quarantine server running a dns and a web server.

T

how long to leave the quarantine in place.

Location

An optional string describing where the quarantine was triggered.

Returns

Vector of inserted rules on success, empty list on failure.

NetControl::redirect_flow
Type

function (f: flow_id, out_port: count, t: interval, location: string &default = "" &optional) : string

Redirects a uni-directional flow to another port.

F

The flow to redirect.

Out_port

Port to redirect the flow to.

T

How long to leave the redirect in place, with 0 being indefinitely.

Location

An optional string describing where the redirect was triggered.

Returns

The id of the inserted rule on success and an empty string on failure.

NetControl::remove_rule
Type

function (id: string, reason: string &default = "" &optional) : bool

Removes a rule.

Id

The rule to remove, specified as the ID returned by NetControl::add_rule.

Reason

Optional string argument giving information on why the rule was removed.

Returns

True if successful, the relevant plugin indicated that it knew how to handle the removal. Note that again “success” means the plugin accepted the removal. It might still fail to put it into effect, as that might happen asynchronously and thus go wrong at that point.

NetControl::whitelist_address
Type

function (a: addr, t: interval, location: string &default = "" &optional) : string

Allows all traffic involving a specific IP address to be forwarded.

A

The address to be whitelisted.

T

How long to whitelist it, with 0 being indefinitely.

Location

An optional string describing where the whitelist was triggered.

Returns

The id of the inserted rule on success and an empty string on failure.

NetControl::whitelist_subnet
Type

function (s: subnet, t: interval, location: string &default = "" &optional) : string

Allows all traffic involving a specific IP subnet to be forwarded.

S

The subnet to be whitelisted.

T

How long to whitelist it, with 0 being indefinitely.

Location

An optional string describing where the whitelist was triggered.

Returns

The id of the inserted rule on success and an empty string on failure.

base/frameworks/netcontrol/plugin.zeek

NetControl

This file defines the plugin interface for NetControl.

Namespace

NetControl

Imports

base/frameworks/netcontrol/types.zeek

Summary
Types

NetControl::Plugin: record

Definition of a plugin.

NetControl::PluginState: record

This record keeps the per instance state of a plugin.

Redefinitions

NetControl::PluginState: record

Table for a plugin to store instance-specific configuration information.

New Fields

NetControl::PluginState

plugin: NetControl::Plugin &optional

The plugin that the state belongs to.

Detailed Interface
Types
NetControl::Plugin
Type

record

name: function (state: NetControl::PluginState) : string

Returns a descriptive name of the plugin instance, suitable for use in logging messages. Note that this function is not optional.

can_expire: bool

If true, plugin can expire rules itself. If false, the NetControl framework will manage rule expiration.

init: function (state: NetControl::PluginState) : void &optional

One-time initialization function called when plugin gets registered, and before any other methods are called.

If this function is provided, NetControl assumes that the plugin has to perform, potentially lengthy, initialization before the plugin will become active. In this case, the plugin has to call NetControl::plugin_activated, once initialization finishes.

done: function (state: NetControl::PluginState) : void &optional

One-time finalization function called when a plugin is shut down; no further functions will be called afterwards.

add_rule: function (state: NetControl::PluginState, r: NetControl::Rule) : bool &optional

Implements the add_rule() operation. If the plugin accepts the rule, it returns true, false otherwise. The rule will already have its id field set, which the plugin may use for identification purposes.

remove_rule: function (state: NetControl::PluginState, r: NetControl::Rule, reason: string) : bool &optional

Implements the remove_rule() operation. This will only be called for rules that the plugin has previously accepted with add_rule(). The id field will match that of the add_rule() call. Generally, a plugin that accepts an add_rule() should also accept the remove_rule().

Definition of a plugin.

Generally a plugin needs to implement only what it can support. By returning failure, it indicates that it can’t support something, and the framework will then try another plugin, if available, or inform the caller that the operation failed. If a function isn’t implemented by a plugin, that’s considered an implicit failure to support the operation.

If a plugin accepts a rule operation, it must generate one of the reporting events rule_{added,removed,error} to signal whether it indeed worked out; this is separate from accepting the operation because often a plugin will only know later (i.e., asynchronously) whether something it thought it could handle was in fact an error.
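A minimal plugin written against this interface, added here as an example and not one of the plugins shipped with Zeek: it appends every accepted operation to a file, stores its instance configuration in PluginState$config, reports readiness through plugin_activated, and raises rule_added/rule_removed after accepting an operation. The plugin name "logfile", its create function and the log path are hypothetical.

```zeek
@load base/frameworks/netcontrol

module NetControl;

export {
	# Hypothetical plugin that appends every accepted operation to a file;
	# "path" is kept in PluginState$config, the per-instance table.
	global create_logfile: function(path: string): PluginState;
}

function logfile_name(p: PluginState): string
	{
	return fmt("Logfile-%s", p$config["path"]);
	}

function logfile_write(p: PluginState, line: string)
	{
	local f = open_for_append(p$config["path"]);
	print f, fmt("%D %s", network_time(), line);
	close(f);
	}

function logfile_init(p: PluginState)
	{
	# Nothing lengthy to do, but because init is provided we must report
	# readiness explicitly or no rule will ever be sent to this plugin.
	logfile_write(p, "init");
	plugin_activated(p);
	}

function logfile_done(p: PluginState)
	{
	logfile_write(p, "done");
	}

function logfile_add_rule(p: PluginState, r: Rule): bool
	{
	# This backend can only block addresses on the forward path; returning
	# F lets the framework offer the rule to the next plugin.
	if ( r$ty != DROP || r$target != FORWARD || r$entity$ty != ADDRESS )
		return F;

	logfile_write(p, fmt("add %s drop %s", r$id, r$entity$ip));
	# Accepting is not enough: the framework marks the rule active only
	# once rule_added arrives (synchronously here, usually asynchronously).
	event NetControl::rule_added(r, p, "logged");
	return T;
	}

function logfile_remove_rule(p: PluginState, r: Rule, reason: string): bool
	{
	logfile_write(p, fmt("remove %s drop %s (%s)", r$id, r$entity$ip, reason));
	event NetControl::rule_removed(r, p, reason);
	return T;
	}

global logfile_plugin = Plugin(
	$name = logfile_name,
	$can_expire = F,          # let the framework expire rules for us
	$init = logfile_init,
	$done = logfile_done,
	$add_rule = logfile_add_rule,
	$remove_rule = logfile_remove_rule
	);

function create_logfile(path: string): PluginState
	{
	local p = PluginState($plugin=logfile_plugin);
	p$config["path"] = path;
	return p;
	}

# Usage: activate one instance and request a drop through the normal API.
event NetControl::init()
	{
	activate(create_logfile("/tmp/netcontrol-example.log"), 0);
	}

event NetControl::init_done()
	{
	drop_address(203.0.113.7, 5mins, "logfile plugin example");
	}
```

Because can_expire is F, the framework removes the rule after 5 minutes by calling logfile_remove_rule with reason "timeout"; a plugin whose backend ages rules out on its own would set can_expire to T and raise rule_timeout itself.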

NetControl::PluginState
Type

record

config: table [string] of string &default = {  } &optional

Table for a plugin to store custom, instance-specific state.

_id: count &optional

Unique plugin identifier, used to look up the plugin from a rule. Set internally.

_priority: int &default = 0 &optional

Set internally.

_activated: bool &default = F &optional

Set internally. Signifies if the plugin has returned that it has activated successfully.

plugin: NetControl::Plugin &optional

The plugin that the state belongs to. (Defined separately because of cyclic type dependency.)

of_controller: OpenFlow::Controller &optional

(present if base/frameworks/netcontrol/plugins/openflow.zeek is loaded)

OpenFlow controller for NetControl OpenFlow plugin.

of_config: NetControl::OfConfig &optional

(present if base/frameworks/netcontrol/plugins/openflow.zeek is loaded)

OpenFlow configuration record that is passed on initialization.

broker_config: NetControl::BrokerConfig &optional

(present if base/frameworks/netcontrol/plugins/broker.zeek is loaded)

Configuration record for the NetControl Broker plugin.

broker_id: count &optional

(present if base/frameworks/netcontrol/plugins/broker.zeek is loaded)

The ID of this broker instance - for the mapping to PluginStates.

acld_config: NetControl::AcldConfig &optional

(present if base/frameworks/netcontrol/plugins/acld.zeek is loaded)

acld_id: count &optional

(present if base/frameworks/netcontrol/plugins/acld.zeek is loaded)

The ID of this acld instance - for the mapping to PluginStates.

This record keeps the per instance state of a plugin.

Individual plugins commonly extend this record to suit their needs.

base/frameworks/netcontrol/plugins/__load__.zeek

Imports

base/frameworks/netcontrol/plugins/acld.zeek, base/frameworks/netcontrol/plugins/broker.zeek, base/frameworks/netcontrol/plugins/debug.zeek, base/frameworks/netcontrol/plugins/openflow.zeek, base/frameworks/netcontrol/plugins/packetfilter.zeek

Summary
Detailed Interface

base/frameworks/netcontrol/plugins/debug.zeek

NetControl

Debugging plugin for the NetControl framework, providing insight into executed operations.

Namespace

NetControl

Imports

base/frameworks/netcontrol/main.zeek, base/frameworks/netcontrol/plugin.zeek

Summary
Functions

NetControl::create_debug: function

Instantiates a debug plugin for the NetControl framework.

Detailed Interface
Functions
NetControl::create_debug
Type

function (do_something: bool) : NetControl::PluginState

Instantiates a debug plugin for the NetControl framework. The debug plugin simply logs the operations it receives.

Do_something

If true, the plugin will claim it supports all operations; if false, it will indicate it doesn’t support any.

base/frameworks/netcontrol/plugins/openflow.zeek

NetControl

OpenFlow plugin for the NetControl framework.

Namespace

NetControl

Imports

base/frameworks/netcontrol/main.zeek, base/frameworks/netcontrol/plugin.zeek, base/frameworks/openflow

Summary
Redefinable Options

NetControl::openflow_flow_timeout: interval &redef

The time interval after which we consider a flow timed out.

NetControl::openflow_message_timeout: interval &redef

The time interval after which an openflow message is considered to be timed out and we delete it from our internal tracking.

Types

NetControl::OfConfig: record

This record specifies the configuration that is passed to NetControl::create_openflow.

NetControl::OfTable: record

Redefinitions

NetControl::PluginState: record

New Fields

NetControl::PluginState

of_controller: OpenFlow::Controller &optional

OpenFlow controller for NetControl OpenFlow plugin.

of_config: NetControl::OfConfig &optional

OpenFlow configuration record that is passed on initialization.

Functions

NetControl::create_openflow: function

Instantiates an openflow plugin for the NetControl framework.

Detailed Interface
Redefinable Options
NetControl::openflow_flow_timeout
Type

interval

Attributes

&redef

Default

1.0 day

The time interval after which we consider a flow timed out. This should be fairly high (or even disabled) if you expect many long flows; the trade-off is that per-flow state is kept until the timeout fires.

NetControl::openflow_message_timeout
Type

interval

Attributes

&redef

Default

20.0 secs

The time interval after which an openflow message is considered to be timed out and we delete it from our internal tracking.

Types
NetControl::OfConfig
Type

record

monitor: bool &default = T &optional

Accept rules that target the monitor path.

forward: bool &default = T &optional

Accept rules that target the forward path.

idle_timeout: count &default = 0 &optional

Default OpenFlow idle timeout.

table_id: count &optional

Default OpenFlow table ID.

priority_offset: int &default = 0 &optional

Add this to all rule priorities. Can be useful if you want the openflow priorities be offset from the netcontrol priorities without having to write a filter function.

check_pred: function (p: NetControl::PluginState, r: NetControl::Rule) : bool &optional

Predicate that is called on rule insertion or removal.

p

Current plugin state.

r

The rule to be inserted or removed.

returns

T if the rule can be handled by the current backend, F otherwise.

match_pred: function (p: NetControl::PluginState, e: NetControl::Entity, m: vector of OpenFlow::ofp_match) : vector of OpenFlow::ofp_match &optional

This predicate is called each time an OpenFlow match record is created. The predicate can modify the match structure before it is sent on to the device.

p

Current plugin state.

e

The entity for which the match structures were generated.

m

The OpenFlow match structures that were generated for this entity.

returns

The modified OpenFlow match structures that will be used in place of the structures passed in m.

flow_mod_pred: function (p: NetControl::PluginState, r: NetControl::Rule, m: OpenFlow::ofp_flow_mod) : OpenFlow::ofp_flow_mod &optional

This predicate is called before a FlowMod message is sent to the OpenFlow device. It can modify the FlowMod message before it is passed on.

p

Current plugin state.

r

The rule to be inserted or removed.

m

The OpenFlow FlowMod message.

returns

The modified FlowMod message that is used in lieu of m.

This record specifies the configuration that is passed to NetControl::create_openflow.

NetControl::OfTable
Type

record

p: NetControl::PluginState

r: NetControl::Rule

c: count &default = 0 &optional

packet_count: count &default = 0 &optional

byte_count: count &default = 0 &optional

duration_sec: double &default = 0.0 &optional

Functions
NetControl::create_openflow
Type

function (controller: OpenFlow::Controller, config: NetControl::OfConfig &default = [] &optional) : NetControl::PluginState

Instantiates an openflow plugin for the NetControl framework.
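An added example of an OfConfig with both predicates in use, passed to create_openflow; it is not code from the Zeek distribution. It uses OpenFlow::log_new, the OpenFlow framework's logging controller, so the resulting flow_mods land in openflow.log instead of on a switch. The datapath id and the timeout cap are constructed values.

```zeek
@load base/frameworks/netcontrol
@load base/frameworks/openflow

# Constructed for the example: the switch datapath id and a site limit.
const example_dpid: count = 42;
const max_hard_timeout: count = 3600;

redef NetControl::openflow_flow_timeout = 2hrs;

# check_pred: only address rules of /24 or narrower, plus connection and
# flow rules, reach the switch. Broader subnets are refused so the
# framework can try another (e.g. acld) backend for them.
function of_check(p: NetControl::PluginState, r: NetControl::Rule): bool
	{
	local e = r$entity;

	if ( e$ty == NetControl::ADDRESS )
		return subnet_width(e$ip) >= 24;

	return e$ty == NetControl::CONNECTION || e$ty == NetControl::FLOW;
	}

# flow_mod_pred: cap the hard timeout the switch sees, so a rule added with
# expire=0 (indefinite) still leaves the TCAM if Zeek dies before removing it.
function of_flow_mod(p: NetControl::PluginState, r: NetControl::Rule,
                     m: OpenFlow::ofp_flow_mod): OpenFlow::ofp_flow_mod
	{
	if ( m$hard_timeout == 0 || m$hard_timeout > max_hard_timeout )
		m$hard_timeout = max_hard_timeout;

	return m;
	}

event NetControl::init()
	{
	local ctl = OpenFlow::log_new(example_dpid);
	local cfg = NetControl::OfConfig($monitor=F, $forward=T, $idle_timeout=300,
	                                 $priority_offset=100,
	                                 $check_pred=of_check,
	                                 $flow_mod_pred=of_flow_mod);

	# Higher priority than other backends: the switch is asked first.
	NetControl::activate(NetControl::create_openflow(ctl, cfg), 10);
	}
```

Swap OpenFlow::log_new for a real controller (for example the Ryu plugin's constructor) to push the same flow_mods to hardware; the predicates do not change.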

base/frameworks/netcontrol/plugins/packetfilter.zeek

NetControl

NetControl plugin for the process-level PacketFilter that comes with Zeek. Since the PacketFilter in Zeek is quite limited in scope and can only add/remove filters for addresses, this is quite limited in scope at the moment.

Namespace

NetControl

Imports

base/frameworks/netcontrol/plugin.zeek

Summary
Functions

NetControl::create_packetfilter: function

Instantiates the packetfilter plugin.

Detailed Interface
Functions
NetControl::create_packetfilter
Type

function () : NetControl::PluginState

Instantiates the packetfilter plugin.

base/frameworks/netcontrol/plugins/broker.zeek

NetControl

Broker plugin for the NetControl framework. Sends the raw data structures used in NetControl on to Broker to allow for easy handling, e.g., of command-line scripts.

Namespace

NetControl

Imports

base/frameworks/broker, base/frameworks/netcontrol/main.zeek, base/frameworks/netcontrol/plugin.zeek

Summary
Types

NetControl::BrokerConfig: record

This record specifies the configuration that is passed to NetControl::create_broker.

Redefinitions

NetControl::PluginState: record

New Fields

NetControl::PluginState

broker_config: NetControl::BrokerConfig &optional

Configuration record for the NetControl Broker plugin.

broker_id: count &optional

The ID of this broker instance - for the mapping to PluginStates.

Events

NetControl::broker_add_rule: event

NetControl::broker_remove_rule: event

NetControl::broker_rule_added: event

NetControl::broker_rule_error: event

NetControl::broker_rule_exists: event

NetControl::broker_rule_removed: event

NetControl::broker_rule_timeout: event

Functions

NetControl::create_broker: function

Instantiates the broker plugin.

Detailed Interface
Types
NetControl::BrokerConfig
Type

record

topic: string &optional

The broker topic to send events to.

host: addr &optional

Broker host to connect to.

bport: port &optional

Broker port to connect to.

monitor: bool &default = T &optional

Do we accept rules for the monitor path? Default true.

forward: bool &default = T &optional

Do we accept rules for the forward path? Default true.

check_pred: function (p: NetControl::PluginState, r: NetControl::Rule) : bool &optional

Predicate that is called on rule insertion or removal.

p

Current plugin state.

r

The rule to be inserted or removed.

returns

T if the rule can be handled by the current backend, F otherwise.

This record specifies the configuration that is passed to NetControl::create_broker.

Events
NetControl::broker_add_rule
Type

event (id: count, r: NetControl::Rule)

NetControl::broker_remove_rule
Type

event (id: count, r: NetControl::Rule, reason: string)

NetControl::broker_rule_added
Type

event (id: count, r: NetControl::Rule, msg: string)

NetControl::broker_rule_error
Type

event (id: count, r: NetControl::Rule, msg: string)

NetControl::broker_rule_exists
Type

event (id: count, r: NetControl::Rule, msg: string)

NetControl::broker_rule_removed
Type

event (id: count, r: NetControl::Rule, msg: string)

NetControl::broker_rule_timeout
Type

event (id: count, r: NetControl::Rule, i: NetControl::FlowInfo)

Functions
NetControl::create_broker
Type

function (config: NetControl::BrokerConfig, can_expire: bool) : NetControl::PluginState

Instantiates the broker plugin.

base/frameworks/netcontrol/plugins/acld.zeek

NetControl

Acld plugin for the netcontrol framework.

Namespace

NetControl

Imports

base/frameworks/broker, base/frameworks/netcontrol/main.zeek, base/frameworks/netcontrol/plugin.zeek

Summary
Types

NetControl::AclRule: record

NetControl::AcldConfig: record

Redefinitions

NetControl::PluginState: record

New Fields

NetControl::PluginState

acld_config: NetControl::AcldConfig &optional

acld_id: count &optional

The ID of this acld instance - for the mapping to PluginStates.

Events

NetControl::acld_add_rule: event

Events that are sent from us to Broker.

NetControl::acld_remove_rule: event

NetControl::acld_rule_added: event

Events that are sent from Broker to us.

NetControl::acld_rule_error: event

NetControl::acld_rule_exists: event

NetControl::acld_rule_removed: event

Hooks

NetControl::acld_rule_policy: hook

Hook that is called after a rule is converted to an acld rule.

Functions

NetControl::create_acld: function

Instantiates the acld plugin.

Detailed Interface
Types
NetControl::AclRule
Type

record

command: string

cookie: count

arg: string

comment: string &optional

NetControl::AcldConfig
Type

record

acld_topic: string

The acld topic to send events to.

acld_host: addr

Broker host to connect to.

acld_port: port

Broker port to connect to.

monitor: bool &default = F &optional

Do we accept rules for the monitor path? Default false.

forward: bool &default = T &optional

Do we accept rules for the forward path? Default true.

check_pred: function (p: NetControl::PluginState, r: NetControl::Rule) : bool &optional

Predicate that is called on rule insertion or removal.

p

Current plugin state.

r

The rule to be inserted or removed.

returns

T if the rule can be handled by the current backend, F otherwise.

Events
NetControl::acld_add_rule
Type

event (id: count, r: NetControl::Rule, ar: NetControl::AclRule)

Events that are sent from us to Broker.

NetControl::acld_remove_rule
Type

event (id: count, r: NetControl::Rule, ar: NetControl::AclRule)

NetControl::acld_rule_added
Type

event (id: count, r: NetControl::Rule, msg: string)

Events that are sent from Broker to us.

NetControl::acld_rule_error
Type

event (id: count, r: NetControl::Rule, msg: string)

NetControl::acld_rule_exists
Type

event (id: count, r: NetControl::Rule, msg: string)

NetControl::acld_rule_removed
Type

event (id: count, r: NetControl::Rule, msg: string)

Hooks
NetControl::acld_rule_policy
Type

hook (p: NetControl::PluginState, r: NetControl::Rule, ar: NetControl::AclRule) : bool

Hook that is called after a rule is converted to an acld rule. The hook may modify the acld rule before it is sent to acld. Setting the acld command to the empty string will cause the rule to be rejected by the plugin.

P

Current plugin state.

R

The rule to be inserted or removed.

Ar

The acld rule to be inserted or removed.

Functions
NetControl::create_acld
Type

function (config: NetControl::AcldConfig) : NetControl::PluginState

Instantiates the acld plugin.
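The following is an added example, not part of Zeek's acld plugin, showing an AcldConfig with a check_pred and an acld_rule_policy hook that annotates each ACL with its Zeek rule id. The Broker host, port and topic are constructed values.

```zeek
@load base/frameworks/netcontrol

# Constructed: the Broker endpoint on which acld listens.
const acld_host = 192.0.2.10;
const acld_port = 8888/tcp;

# acld only installs and removes ACLs; refuse anything but drops and
# whitelists so the framework can hand other rule types to another backend.
function acld_check(p: NetControl::PluginState, r: NetControl::Rule): bool
	{
	return r$ty == NetControl::DROP || r$ty == NetControl::WHITELIST;
	}

# Runs after the NetControl rule has been translated to an AclRule.
# The comment travels to acld, so an operator looking at the ACL can
# find the Zeek rule and the script location that requested it.
hook NetControl::acld_rule_policy(p: NetControl::PluginState, r: NetControl::Rule,
                                  ar: NetControl::AclRule)
	{
	local where = r?$location ? r$location : "unknown";
	ar$comment = fmt("zeek rule %s cid %d from %s", r$id, r$cid, where);
	}

event NetControl::init()
	{
	local cfg = NetControl::AcldConfig($acld_topic="zeek/netcontrol-acld",
	                                   $acld_host=acld_host,
	                                   $acld_port=acld_port,
	                                   $monitor=F, $forward=T,
	                                   $check_pred=acld_check);
	NetControl::activate(NetControl::create_acld(cfg), 5);
	}
```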

base/frameworks/netcontrol/drop.zeek

NetControl

Implementation of the drop functionality for NetControl.

Namespace

NetControl

Imports

base/frameworks/netcontrol/main.zeek

Summary
Types

NetControl::DropInfo: record

Redefinitions

Log::ID: enum

Events

NetControl::log_netcontrol_drop: event

Event that can be handled to access the NetControl::DropInfo record as it is sent on to the logging framework.

Hooks

NetControl::drop_rule_policy: hook

Hook that allows the modification of rules passed to drop_* before they are passed on.

NetControl::log_policy_drop: Log::PolicyHook

Functions

NetControl::drop_address: function

Stops all packets involving an IP address from being forwarded.

NetControl::drop_connection: function

Stops all packets belonging to a connection from being forwarded.

Detailed Interface
Types
NetControl::DropInfo
Type

record

ts: time &log

Time at which the recorded activity occurred.

rule_id: string &log

ID of the rule; unique during each Zeek run.

orig_h: addr &log

The originator’s IP address.

orig_p: port &log &optional

The originator’s port number.

resp_h: addr &log &optional

The responder’s IP address.

resp_p: port &log &optional

The responder’s port number.

expire: interval &log

Expiry time of the drop.

location: string &log &optional

Location where the underlying action was triggered.

Events
NetControl::log_netcontrol_drop
Type

event (rec: NetControl::DropInfo)

Event that can be handled to access the NetControl::DropInfo record as it is sent on to the logging framework.

Hooks
NetControl::drop_rule_policy
Type

hook (r: NetControl::Rule) : bool

Hook that allows the modification of rules passed to drop_* before they are passed on. If one of the hooks uses break, the rule is ignored.

R

The rule to be added.

NetControl::log_policy_drop
Type

Log::PolicyHook

Functions
NetControl::drop_address
Type

function (a: addr, t: interval, location: string &default = "" &optional) : string

Stops all packets involving an IP address from being forwarded.

A

The address to be dropped.

T

How long to drop it, with 0 being indefinitely.

Location

An optional string describing where the drop was triggered.

Returns

The id of the inserted rule on success and an empty string on failure.

NetControl::drop_connection
Type

function (c: conn_id, t: interval, location: string &default = "" &optional) : string

Stops all packets belonging to a connection from being forwarded.

C

The connection to be dropped.

T

How long to drop it, with 0 being indefinitely.

Location

An optional string describing where the drop was triggered.

Returns

The id of the inserted rule on success and an empty string on failure.

base/frameworks/netcontrol/shunt.zeek

NetControl

Implementation of the shunt functionality for NetControl.

Namespace

NetControl

Imports

base/frameworks/netcontrol/main.zeek

Summary
Types

NetControl::ShuntInfo: record

Redefinitions

Log::ID: enum

Events

NetControl::log_netcontrol_shunt: event

Event that can be handled to access the NetControl::ShuntInfo record as it is sent on to the logging framework.

Hooks

NetControl::log_policy_shunt: Log::PolicyHook

Functions

NetControl::shunt_flow: function

Stops forwarding a uni-directional flow’s packets to Zeek.

Detailed Interface
Types
NetControl::ShuntInfo
Type

record

ts: time &log

Time at which the recorded activity occurred.

rule_id: string &log

ID of the rule; unique during each Zeek run.

f: flow_id &log

Flow ID of the shunted flow.

expire: interval &log

Expiry time of the shunt.

location: string &log &optional

Location where the underlying action was triggered.

Events
NetControl::log_netcontrol_shunt
Type

event (rec: NetControl::ShuntInfo)

Event that can be handled to access the NetControl::ShuntInfo record as it is sent on to the logging framework.

Hooks
NetControl::log_policy_shunt
Type

Log::PolicyHook

Functions
NetControl::shunt_flow
Type

function (f: flow_id, t: interval, location: string &default = "" &optional) : string

Stops forwarding a uni-directional flow’s packets to Zeek.

F

The flow to shunt.

T

How long to leave the shunt in place, with 0 being indefinitely.

Location

An optional string describing where the shunt was triggered.

Returns

The id of the inserted rule on success and an empty string on failure.
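An added example (not code from the Zeek distribution) that drives the drop and shunt functions from traffic events and uses drop_rule_policy as a safety net: connections to a hypothetical honeypot port get the originator dropped, bulk transfers get their return direction shunted once a byte threshold is crossed, and no local host can ever be dropped. The port, the threshold and the use of the debug backend are constructed for the example.

```zeek
@load base/frameworks/netcontrol
@load base/protocols/conn
@load base/utils/site

# Constructed site policy: inbound contact with this port is hostile, and
# flows beyond this many responder bytes carry nothing worth analyzing.
const honeypot_port = 2222/tcp;
const shunt_after_bytes: count = 50000000;

# Never drop our own hosts, whatever triggered the request. A break here
# stops drop_address()/drop_connection() before add_rule() is reached.
hook NetControl::drop_rule_policy(r: NetControl::Rule)
	{
	local e = r$entity;

	if ( e$ty == NetControl::ADDRESS && Site::is_local_addr(subnet_to_addr(e$ip)) )
		break;

	if ( e$ty == NetControl::CONNECTION && Site::is_local_addr(e$conn$orig_h) )
		break;
	}

event NetControl::init()
	{
	NetControl::activate(NetControl::create_debug(T), 0);
	}

event connection_established(c: connection)
	{
	if ( c$id$resp_p == honeypot_port )
		{
		# Kill this connection now and keep the source out for an hour.
		NetControl::drop_connection(c$id, 30mins, "honeypot contact");
		NetControl::drop_address(c$id$orig_h, 1hr, "honeypot contact");
		return;
		}

	# Otherwise ask for a callback once the responder has sent this much.
	ConnThreshold::set_bytes_threshold(c, shunt_after_bytes, F);
	}

# Stop forwarding the responder->originator direction to Zeek for an hour.
# The connection itself keeps flowing; only Zeek stops seeing it.
event ConnThreshold::bytes_threshold_crossed(c: connection, threshold: count, is_orig: bool)
	{
	local f = flow_id($src_h=c$id$resp_h, $src_p=c$id$resp_p,
	                  $dst_h=c$id$orig_h, $dst_p=c$id$orig_p);
	NetControl::shunt_flow(f, 1hr, fmt("bulk flow > %d bytes", threshold));
	}

event NetControl::log_netcontrol_drop(rec: NetControl::DropInfo)
	{
	print fmt("drop %s %s expire=%s", rec$rule_id, rec$orig_h, rec$expire);
	}
```

Run against a pcap with `zeek -r traffic.pcap example.zeek`; netcontrol_drop.log and netcontrol_shunt.log record what was requested, and netcontrol.log shows the debug plugin accepting each rule. Note that drop_connection blocks only the one 4-tuple, so the drop_address call is what keeps a scanner from retrying from another source port.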

base/frameworks/netcontrol/non-cluster.zeek

NetControl
Namespace

NetControl

Imports

base/frameworks/netcontrol/main.zeek

Summary
Detailed Interface

base/protocols/conn/__load__.zeek

Imports

base/protocols/conn/contents.zeek, base/protocols/conn/inactivity.zeek, base/protocols/conn/main.zeek, base/protocols/conn/polling.zeek, base/protocols/conn/removal-hooks.zeek, base/protocols/conn/thresholds.zeek

Summary
Detailed Interface

base/protocols/conn/main.zeek

Conn

This script manages the tracking/logging of general information regarding TCP, UDP, and ICMP traffic. For UDP and ICMP, “connections” are to be interpreted using flow semantics (sequence of packets from a source host/port to a destination host/port). Further, ICMP “ports” are to be interpreted as the source port meaning the ICMP message type and the destination port being the ICMP message code.

Namespace

Conn

Imports

base/utils/site.zeek

Summary
Types

Conn::Info: record

The record type which contains column fields of the connection log.

Redefinitions

Log::ID: enum

The connection logging stream identifier.

connection: record

New Fields

connection

conn: Conn::Info &optional

Events

Conn::log_conn: event

Event that can be handled to access the Conn::Info record as it is sent on to the logging framework.

Hooks

Conn::log_policy: Log::PolicyHook

A default logging policy hook for the stream.

Detailed Interface
Types
Conn::Info
Type

record

ts: time &log

This is the time of the first packet.

uid: string &log

A unique identifier of the connection.

id: conn_id &log

The connection’s 4-tuple of endpoint addresses/ports.

proto: transport_proto &log

The transport layer protocol of the connection.

service: string &log &optional

An identification of an application protocol being sent over the connection.

duration: interval &log &optional

How long the connection lasted. For 3-way or 4-way connection tear-downs, this will not include the final ACK.

orig_bytes: count &log &optional

The number of payload bytes the originator sent. For TCP this is taken from sequence numbers and might be inaccurate (e.g., due to large connections).

resp_bytes: count &log &optional

The number of payload bytes the responder sent. See orig_bytes.

conn_state: string &log &optional

Possible conn_state values:

  • S0: Connection attempt seen, no reply.

  • S1: Connection established, not terminated.

  • SF: Normal establishment and termination. Note that this is the same symbol as for state S1. You can tell the two apart because for S1 there will not be any byte counts in the summary, while for SF there will be.

  • REJ: Connection attempt rejected.

  • S2: Connection established and close attempt by originator seen (but no reply from responder).

  • S3: Connection established and close attempt by responder seen (but no reply from originator).

  • RSTO: Connection established, originator aborted (sent a RST).

  • RSTR: Responder sent a RST.

  • RSTOS0: Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder.

  • RSTRH: Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator.

  • SH: Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was “half” open).

  • SHR: Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator.

  • OTH: No SYN seen, just midstream traffic (one example of this is a “partial connection” that was not later closed).

local_orig: bool &log &optional

If the connection is originated locally, this value will be T. If it was originated remotely it will be F. In the case that the Site::local_nets variable is undefined, this field will be left empty at all times.

local_resp: bool &log &optional

If the connection is responded to locally, this value will be T. If it was responded to remotely it will be F. In the case that the Site::local_nets variable is undefined, this field will be left empty at all times.

missed_bytes: count &log &default = 0 &optional

Indicates the number of bytes missed in content gaps, which is representative of packet loss. A value other than zero will normally cause protocol analysis to fail but some analysis may have been completed prior to the packet loss.

history: string &log &optional

Records the state history of connections as a string of letters. The meaning of those letters is:

Letter   Meaning

s        a SYN w/o the ACK bit set
h        a SYN+ACK (“handshake”)
a        a pure ACK
d        packet with payload (“data”)
f        packet with FIN bit set
r        packet with RST bit set
c        packet with a bad checksum (applies to UDP too)
g        a content gap
t        packet with retransmitted payload
w        packet with a zero window advertisement
i        inconsistent packet (e.g. FIN+RST bits set)
q        multi-flag packet (SYN+FIN or SYN+RST bits set)
^        connection direction was flipped by Zeek’s heuristic

If the event comes from the originator, the letter is in upper-case; if it comes from the responder, it’s in lower-case. The ‘a’, ‘d’, ‘i’ and ‘q’ flags are recorded a maximum of one time in either direction regardless of how many are actually seen. ‘f’, ‘h’, ‘r’ and ‘s’ can be recorded multiple times for either direction if the associated sequence number differs from the last-seen packet of the same flag type. ‘c’, ‘g’, ‘t’ and ‘w’ are recorded in a logarithmic fashion: the second instance represents that the event was seen (at least) 10 times; the third instance, 100 times; etc.

orig_pkts: count &log &optional

Number of packets that the originator sent. Only set if use_conn_size_analyzer = T.

orig_ip_bytes: count &log &optional

Number of IP level bytes that the originator sent (as seen on the wire, taken from the IP total_length header field). Only set if use_conn_size_analyzer = T.

resp_pkts: count &log &optional

Number of packets that the responder sent. Only set if use_conn_size_analyzer = T.

resp_ip_bytes: count &log &optional

Number of IP level bytes that the responder sent (as seen on the wire, taken from the IP total_length header field). Only set if use_conn_size_analyzer = T.

tunnel_parents: set [string] &log &optional

If this connection was over a tunnel, indicate the uid values for any encapsulating parent connections used over the lifetime of this inner connection.

orig_l2_addr: string &log &optional

(present if policy/protocols/conn/mac-logging.zeek is loaded)

Link-layer address of the originator, if available.

resp_l2_addr: string &log &optional

(present if policy/protocols/conn/mac-logging.zeek is loaded)

Link-layer address of the responder, if available.

vlan: int &log &optional

(present if policy/protocols/conn/vlan-logging.zeek is loaded)

The outer VLAN for this connection, if applicable.

inner_vlan: int &log &optional

(present if policy/protocols/conn/vlan-logging.zeek is loaded)

The inner VLAN for this connection, if applicable.

speculative_service: string &log &optional

(present if policy/protocols/conn/speculative-service.zeek is loaded)

Protocol that was determined by a matching signature after the beginning of a connection. In this situation no analyzer can be attached, so the data cannot be analyzed, nor can the protocol be confirmed.

The record type which contains column fields of the connection log.

Events
Conn::log_conn
Type

event (rec: Conn::Info)

Event that can be handled to access the Conn::Info record as it is sent on to the logging framework.

Hooks
Conn::log_policy
Type

Log::PolicyHook

A default logging policy hook for the stream.

base/protocols/conn/contents.zeek

Conn

This script can be used to extract either the originator’s data, the responder’s data, or both. By default nothing is extracted; to actually extract data, the c$extract_orig and/or c$extract_resp variable must be set to T. One way to achieve this is to handle the connection_established event elsewhere and set extract_orig and extract_resp there. However, there may be trouble with the timing due to event queue delay.
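The approach described above (set the flags from a connection_established handler of your own), as an added example that is not part of contents.zeek. The handler runs at default priority, so it executes before the script's own lower-priority connection_established handler that opens the content files. The output directory and the choice of port are assumptions for illustration.

```zeek
# Added example (not part of contents.zeek): enable payload extraction only
# for connections to selected responder ports.
@load base/protocols/conn/contents

# Assumption: this directory exists and is writable by the Zeek process.
# Files are named <prefix>.<uid>.orig.dat / .resp.dat by contents.zeek.
redef Conn::extraction_prefix = "/var/spool/zeek/contents/contents";

# Assumption: cleartext Telnet sessions are what the analyst wants on disk.
const extract_ports: set[port] = { 23/tcp };

event connection_established(c: connection)
	{
	if ( c$id$resp_p !in extract_ports )
		return;

	# Both directions; set only one of them to capture a single stream.
	c$extract_orig = T;
	c$extract_resp = T;
	}
```

Because the files are written by whichever worker handles the connection, the cluster note above applies: without shared storage the output is scattered across worker hosts.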

Note

This script does not work well in a cluster context unless it has a remotely mounted disk to write the content files to.

Namespace

Conn

Imports

base/utils/files.zeek

Summary
Runtime Options

Conn::default_extract: bool &redef

If this variable is set to T, then all contents of all connections will be extracted.

Conn::extraction_prefix: string &redef

The prefix given to files containing extracted connections as they are opened on disk.

Redefinitions

connection: record

New Fields

connection

extract_orig: bool &default = Conn::default_extract &optional

extract_resp: bool &default = Conn::default_extract &optional

Detailed Interface
Runtime Options
Conn::default_extract
Type

bool

Attributes

&redef

Default

F

If this variable is set to T, then all contents of all connections will be extracted.

Conn::extraction_prefix
Type

string

Attributes

&redef

Default

"contents"

The prefix given to files containing extracted connections as they are opened on disk.

base/protocols/conn/inactivity.zeek

Conn

Adjust the inactivity timeouts for interactive services which could very possibly have long delays between packets.

Namespace

Conn

Summary
Runtime Options

Conn::analyzer_inactivity_timeouts: table &redef

Define inactivity timeouts by the service detected being used over the connection.

Conn::port_inactivity_timeouts: table &redef

Define inactivity timeouts based on common protocol ports.

Detailed Interface
Runtime Options
Conn::analyzer_inactivity_timeouts
Type

table [AllAnalyzers::Tag] of interval

Attributes

&redef

Default
{
   [AllAnalyzers::ANALYZER_ANALYZER_SSH] = 1.0 hr,
   [AllAnalyzers::ANALYZER_ANALYZER_FTP] = 1.0 hr
}

Define inactivity timeouts by the service detected being used over the connection.

Conn::port_inactivity_timeouts
Type

table [port] of interval

Attributes

&redef

Default
{
   [513/tcp] = 1.0 hr,
   [21/tcp] = 1.0 hr,
   [23/tcp] = 1.0 hr,
   [22/tcp] = 1.0 hr
}

Define inactivity timeouts based on common protocol ports.
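Both tables can be extended with redef; the following is an added example, not part of inactivity.zeek, that adds two more interactive services. The services chosen are assumptions for illustration; the analyzer key is written with its Analyzer::Tag, which the base script itself does as well.

```zeek
# Added example (not part of inactivity.zeek): longer inactivity timeouts
# for additional interactive services.
@load base/protocols/conn/inactivity

# By port, applied when the connection is established.
redef Conn::port_inactivity_timeouts += {
	[3389/tcp] = 1 hr,   # RDP
	[5900/tcp] = 1 hr,   # VNC
};

# By detected analyzer, applied once the protocol is confirmed regardless of port.
redef Conn::analyzer_inactivity_timeouts += {
	[Analyzer::ANALYZER_RDP] = 1 hr,
};
```

Raising these timeouts keeps idle sessions from being logged as terminated and then re-created as a new connection with a fresh uid.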

base/protocols/conn/polling.zeek

ConnPolling

Implements a generic way to poll connections looking for certain features (e.g. monitor bytes transferred). The specific feature of a connection to look for, the polling interval, and the code to execute if the feature is found are all controlled by user-defined callback functions.

Namespace

ConnPolling

Summary
Functions

ConnPolling::watch: function

Starts monitoring a given connection.

Detailed Interface
Functions
ConnPolling::watch
Type

function (c: connection, callback: function (c: connection, cnt: count) : interval, cnt: count, i: interval) : void

Starts monitoring a given connection.

C

The connection to watch.

Callback

A callback function that takes as arguments the monitored connection, and counter cnt that increments each time the callback is called. It returns an interval indicating how long in the future to schedule an event which will call the callback. A negative return interval causes polling to stop.

Cnt

The initial value of a counter which gets passed to callback.

I

The initial interval at which to schedule the next callback. May be 0secs to poll right away.
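The following is an added example of the callback contract described above, not part of polling.zeek: it polls every connection to port 443/tcp and reports once the responder has sent at least 1 MiB, stopping after a fixed number of polls. The size limit, port and poll schedule are assumptions for illustration.

```zeek
# Added example (not part of polling.zeek): watch for large responses.
@load base/protocols/conn/polling

const big_response = 1048576;   # bytes from the responder (assumption)

# Callback with the signature ConnPolling::watch requires. cnt is the number
# of polls so far; a negative return interval stops the polling.
function check_response_size(c: connection, cnt: count): interval
	{
	if ( c$resp$size >= big_response )
		{
		print fmt("%s %s:%s sent >= %d bytes after %d polls",
		          c$uid, c$id$resp_h, c$id$resp_p, big_response, cnt);
		return -1 sec;
		}

	# Give up after 20 polls so idle connections do not keep a timer alive.
	if ( cnt >= 20 )
		return -1 sec;

	# Poll quickly at first, then back off.
	return cnt < 5 ? 1 sec : 5 sec;
	}

event connection_established(c: connection)
	{
	if ( c$id$resp_p == 443/tcp )
		ConnPolling::watch(c, check_response_size, 0, 1 sec);
	}
```

The callback receives a freshly looked-up connection record on each poll, so c$resp$size reflects bytes seen up to that moment; if the connection has already ended, polling stops without a further callback.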

base/protocols/conn/thresholds.zeek

ConnThreshold

Implements a generic API to throw events when a connection crosses a fixed threshold of bytes or packets.

Namespace

ConnThreshold

Summary
Types

ConnThreshold::Thresholds: record

Redefinitions

connection: record

New Fields

connection

thresholds: ConnThreshold::Thresholds &optional

Events

ConnThreshold::bytes_threshold_crossed: event

Generated for a connection that crossed a set byte threshold

ConnThreshold::duration_threshold_crossed: event

Generated for a connection that crossed a set duration threshold.

ConnThreshold::packets_threshold_crossed: event

Generated for a connection that crossed a set packet threshold.

Functions

ConnThreshold::delete_bytes_threshold: function

Deletes a byte threshold for connection sizes.

ConnThreshold::delete_duration_threshold: function

Deletes a duration threshold for a connection.

ConnThreshold::delete_packets_threshold: function

Deletes a packet threshold for connection sizes.

ConnThreshold::set_bytes_threshold: function

Sets a byte threshold for connection sizes, adding it to potentially already existing thresholds.

ConnThreshold::set_duration_threshold: function

Sets a duration threshold for a connection, adding it to potentially already existing thresholds.

ConnThreshold::set_packets_threshold: function

Sets a packet threshold for connection sizes, adding it to potentially already existing thresholds.

Detailed Interface
Types
ConnThreshold::Thresholds
Type

record

orig_byte: set [count] &default = {  } &optional

current originator byte thresholds we watch for

resp_byte: set [count] &default = {  } &optional

current responder byte thresholds we watch for

orig_packet: set [count] &default = {  } &optional

current originator packet thresholds we watch for

resp_packet: set [count] &default = {  } &optional

current responder packet thresholds we watch for

duration: set [interval] &default = {  } &optional

current duration thresholds we watch for

Events
ConnThreshold::bytes_threshold_crossed
Type

event (c: connection, threshold: count, is_orig: bool)

Generated for a connection that crossed a set byte threshold

C

the connection

Threshold

the threshold that was set

Is_orig

True if the threshold was crossed by the originator of the connection

ConnThreshold::duration_threshold_crossed
Type

event (c: connection, threshold: interval, is_orig: bool)

Generated for a connection that crossed a set duration threshold. Note that this event is not raised at the exact moment that a duration threshold is crossed; instead it is raised when the next packet is seen after the threshold has been crossed. On a connection that is idle, this can be raised significantly later.

C

the connection

Threshold

the threshold that was set

Is_orig

True if the threshold was crossed by the originator of the connection

ConnThreshold::packets_threshold_crossed
Type

event (c: connection, threshold: count, is_orig: bool)

Generated for a connection that crossed a set packet threshold.

C

the connection

Threshold

the threshold that was set

Is_orig

True if the threshold was crossed by the originator of the connection

Functions
ConnThreshold::delete_bytes_threshold
Type

function (c: connection, threshold: count, is_orig: bool) : bool

Deletes a byte threshold for connection sizes.

C

The connection.

Threshold

Threshold in bytes to remove.

Is_orig

If true, threshold is removed for bytes from originator, otherwise for bytes from responder.

Returns

T on success, F on failure.

ConnThreshold::delete_duration_threshold
Type

function (c: connection, threshold: interval) : bool

Deletes a duration threshold for a connection.

C

The connection.

Threshold

Duration threshold (an interval) to remove.

Returns

T on success, F on failure.

ConnThreshold::delete_packets_threshold
Type

function (c: connection, threshold: count, is_orig: bool) : bool

Deletes a packet threshold for connection sizes.

C

The connection.

Threshold

Threshold in packets.

Is_orig

If true, threshold is removed for packets from originator, otherwise for packets from responder.

Returns

T on success, F on failure.

ConnThreshold::set_bytes_threshold
Type

function (c: connection, threshold: count, is_orig: bool) : bool

Sets a byte threshold for connection sizes, adding it to potentially already existing thresholds. ConnThreshold::bytes_threshold_crossed will be raised for each threshold that is set.

C

The connection.

Threshold

Threshold in bytes.

Is_orig

If true, threshold is set for bytes from originator, otherwise for bytes from responder.

Returns

T on success, F on failure.

ConnThreshold::set_duration_threshold
Type

function (c: connection, threshold: interval) : bool

Sets a duration threshold for a connection, adding it to potentially already existing thresholds. ConnThreshold::duration_threshold_crossed will be raised for each threshold that is set.

C

The connection.

Threshold

Duration threshold (an interval).

Returns

T on success, F on failure.

ConnThreshold::set_packets_threshold
Type

function (c: connection, threshold: count, is_orig: bool) : bool

Sets a packet threshold for connection sizes, adding it to potentially already existing thresholds. ConnThreshold::packets_threshold_crossed will be raised for each threshold that is set.

C

The connection.

Threshold

Threshold in packets.

Is_orig

If true, threshold is set for packets from originator, otherwise for packets from responder.

Returns

T on success, F on failure.
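The following is an added example of the API above, not part of thresholds.zeek: it installs an originator byte threshold and a duration threshold on every connection from a local host to a remote one, then handles the two events. The limits are assumptions for illustration, and the local/remote split relies on Site::local_nets from base/utils/site being configured.

```zeek
# Added example (not part of thresholds.zeek): flag large uploads and
# long-lived outbound connections.
@load base/protocols/conn/thresholds
@load base/utils/site

const upload_limit = 10485760;   # bytes from the originator (assumption)
const long_session = 12 hrs;     # assumption

event connection_established(c: connection)
	{
	# Only local -> remote connections (requires Site::local_nets to be set).
	if ( ! Site::is_local_addr(c$id$orig_h) || Site::is_local_addr(c$id$resp_h) )
		return;

	# Both set_* functions return F if the threshold could not be installed.
	if ( ! ConnThreshold::set_bytes_threshold(c, upload_limit, T) )
		Reporter::warning(fmt("could not set byte threshold on %s", c$uid));

	ConnThreshold::set_duration_threshold(c, long_session);
	}

event ConnThreshold::bytes_threshold_crossed(c: connection, threshold: count, is_orig: bool)
	{
	# is_orig tells which side crossed; only an originator threshold was set here,
	# but the check keeps the handler correct if other scripts add responder ones.
	if ( is_orig )
		print fmt("%s %s -> %s:%s uploaded more than %d bytes",
		          c$uid, c$id$orig_h, c$id$resp_h, c$id$resp_p, threshold);
	}

event ConnThreshold::duration_threshold_crossed(c: connection, threshold: interval, is_orig: bool)
	{
	# Raised on the next packet after the threshold passes, so an idle
	# connection reports late (see the event description above).
	print fmt("%s open longer than %s", c$uid, threshold);
	}
```

In a cluster the events fire on the worker that owns the connection; raising a Notice instead of printing is the usual way to get the result to the manager.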

base/protocols/dce-rpc/__load__.zeek

Imports

base/protocols/dce-rpc/consts.zeek, base/protocols/dce-rpc/main.zeek

Summary
Detailed Interface

base/protocols/dce-rpc/consts.zeek

DCE_RPC
Namespace

DCE_RPC

Summary
Redefinable Options

DCE_RPC::operations: table &redef &default = function

DCE_RPC::pipe_name_to_common_uuid: table &redef

This table is to map pipe names to the most common service used over that pipe.

DCE_RPC::uuid_endpoint_map: table &redef &default = function

Detailed Interface
Redefinable Options
DCE_RPC::operations
Type

table [string, count] of string

Attributes

&redef &default = function

Default
{
   ["367abb81-9844-35f1-ad32-98f038001003", 16] = "OpenServiceW",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 69] = "LlsrProductLicensesGetA",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 65] = "R_DhcpServerSetConfigV6",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 111] = "R_DhcpV4DeletePolicy",
   ["77df7a80-f298-11d0-8358-00a024c480a8", 5] = "S_DSSetObjectSecurity",
   ["7c4e1804-e342-483d-a43e-a850cfcc8d18", 3] = "CreateApplication",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 57] = "RRPC_FWEnumCryptoSets2_10",
   ["77df7a80-f298-11d0-8358-00a024c480a8", 24] = "Opnum24NotUsedOnWire",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 67] = "HrGetErrorData",
   ["88143fd0-c28d-4b2b-8fef-8d882f6a9390", 3] = "RpcFilterByCallersName",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 44] = "RRPC_FWGetGlobalConfig2_10",
   ["12345678-1234-abcd-ef00-01234567cffb", 36] = "NetrEnumerateTrustedDomainsEx",
   ["01954e6b-9254-4e6e-808c-c9e05d007696", 6] = "Clone",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 1] = "AudioServerDisconnect",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 26] = "PNP_GetClassRegProp",
   ["e65e8028-83e8-491b-9af7-aaf6bd51a0ce", 7] = "Opnum7NotUsedOnWire",
   ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6", 1] = "RpcSrvRenewPrefix",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 35] = "PolicyConfigGetShareMode",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 22] = "ApiCreateResEnum",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 61] = "LlsrReplicationServerAddW",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 34] = "RpcAsyncSendRecvBidiData",
   ["12345778-1234-abcd-ef00-0123456789ab", 91] = "LsarQueryAuditSecurity",
   ["9556dc99-828c-11cf-a37e-00aa003240c7", 6] = "GetObject",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 71] = "ApiEvictNode",
   ["3919286a-b10c-11d0-9ba8-00c04fd92ef5", 8] = "DsRolerServerSaveStateForUpgrade",
   ["12345678-1234-abcd-ef00-0123456789ab", 28] = "RpcWaitForPrinterChange",
   ["45f52c28-7f9f-101a-b52b-08002b2efabe", 4] = "R_WinsDoScavenging",
   ["59602eb6-57b0-4fd8-aa4b-ebf06971fe15", 20] = "GetConditionalPolicy",
   ["12345678-1234-abcd-ef00-0123456789ab", 56] = "RpcFindClosePrinterChangeNotification",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 45] = "DiskMerge",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 75] = "RRPC_FWSetFirewallRule2_25",
   ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 12] = "EvtRpcQuerySeek",
   ["8d0ffe72-d252-11d0-bf8f-00c04fd9126b", 2] = "KeyrEnumerateProviderTypes",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 37] = "RpcWinStationTerminateProcess",
   ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 2] = "RpcSrvRenewLeaseByBroadcast",
   ["bde95fdf-eee0-45de-9e12-e5a61cd0d4fe", 7] = "Opnum7NotUsedOnWire",
   ["12345778-1234-abcd-ef00-0123456789ab", 30] = "LsarQuerySecret",
   ["f5cc59b4-4264-101a-8c59-08002b2f8426", 0] = "FrsRpcSendCommPkt",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 74] = "R_DhcpCreateClassV6",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 55] = "NetrServerAliasEnum",
   ["12345678-1234-abcd-ef00-0123456789ab", 45] = "RpcPrinterMessageBox",
   ["a4f1db00-ca47-1067-b31f-00dd010662da", 2] = "EcDoRpc",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 61] = "RpcWinStationIsHelpAssistantSession",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 34] = "NetprNameCanonicalize",
   ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 28] = "Backup",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 55] = "ApiCreateNotify",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 26] = "Format",
   ["45f52c28-7f9f-101a-b52b-08002b2efabe", 2] = "R_WinsTrigger",
   ["00000000-0000-0000-c000-000000000046", 1] = "Opnum1NotUsedOnWire",
   ["4bb8ab1d-9ef9-4100-8eb6-dd4b4e418b72", 5] = "ModifyObject",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 40] = "PNP_HwProfFlags",
   ["a4f1db00-ca47-1067-b31f-00dd010662da", 6] = "EcDummyRpc",
   ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 24] = "BackupOpenFile",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 63] = "RpcAsyncUploadPrinterDriverPackage",
   ["4b112204-0e19-11d3-b42b-0000f81feb9f", 10] = "WakeupGetNotificationRpc",
   ["378e52b0-c0a9-11cf-822d-00aa0051e40f", 0] = "SASetAccountInformation",
   ["45f52c28-7f9f-101a-b52b-08002b2efabe", 1] = "R_WinsStatus",
   ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 11] = "DeleteDate",
   ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 16] = "GetDataPaths",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 36] = "RpcAsyncPlayGdiScriptOnPrinterIC",
   ["6bffd098-a112-3610-9833-46c3f874532d", 33] = "R_DhcpSetClientInfoV4",
   ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 19] = "ChangePermissions",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 51] = "RpcAsyncAddMonitor",
   ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 17] = "DRSAddEntry",
   ["e8fb8620-588f-11d2-9d61-00c04f79c5fe", 10] = "Status",
   ["12345778-1234-abcd-ef00-0123456789ac", 33] = "SamrGetMembersInAlias",
   ["86d35949-83c9-4044-b424-db363231fd0c", 12] = "SchRpcRun",
   ["4bb8ab1d-9ef9-4100-8eb6-dd4b4e418b72", 3] = "CreateObject",
   ["12345678-1234-abcd-ef00-0123456789ab", 6] = "RpcDeletePrinter",
   ["484809d6-4239-471b-b5bc-61df8c23ac48", 0] = "RpcWaitForSessionState",
   ["12345778-1234-abcd-ef00-0123456789ac", 40] = "SamrQueryDisplayInformation",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 42] = "R_DhcpQueryDnsRegCredentials",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 27] = "ApiDeleteResourceType",
   ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4", 8] = "nsi_profile_elt_remove",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 70] = "PNP_DriverStoreAddDriverPackage",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 39] = "RpcServerNWLogonQueryAdmin",
   ["6bffd098-a112-3610-9833-46c3f874532d", 44] = "R_DhcpCreateClientInfoVQ",
   ["12345678-1234-abcd-ef00-0123456789ab", 97] = "RpcAddPrinterConnection2",
   ["338cd001-2244-31f1-aaaa-900038001003", 28] = "OpenDynData",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 16] = "FTBreakMirror",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 78] = "RRPC_FWAddFirewallRule2_26",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 63] = "LlsrReplicationServiceAddW",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 62] = "Opnum62NotUsedOnWire",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 67] = "RRPC_FWEnumFirewallRules2_20",
   ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 24] = "EvtRpcGetPublisherMetadata",
   ["bc681469-9dd9-4bf4-9b3d-709f69efe431", 10] = "DeleteResourceGroup",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 80] = "Opnum80NotUsedOnWire",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 17] = "RRPC_FWAddAuthenticationSet",
   ["21546ae8-4da5-445e-987f-627fea39c5e8", 12] = "SetExclusionList",
   ["12345678-1234-abcd-ef00-0123456789ab", 68] = "RpcSetAllocFailCount",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 21] = "RpcWinStationInstallLicense",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 35] = "CreatePartitionsForVolume",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 29] = "RpcWinStationGetApplicationInfo",
   ["f5cc59b4-4264-101a-8c59-08002b2f8426", 3] = "FrsNOP",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 132] = "R_DhcpV4GetClientInfoEx",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 27] = "RRPC_FWEnumPhase1SAs",
   ["bde95fdf-eee0-45de-9e12-e5a61cd0d4fe", 3] = "RpcGetLastInputTime",
   ["86d35949-83c9-4044-b424-db363231fd0c", 7] = "SchRpcEnumTasks",
   ["d3fbb514-0e3b-11cb-8fad-08002b1d29c3", 1] = "nsi_binding_lookup_done",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 34] = "DeleteVolume",
   ["8d0ffe72-d252-11d0-bf8f-00c04fd9126b", 7] = "KeyrEnroll",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 26] = "RRPC_FWEnumCryptoSets",
   ["68b58241-c259-4f03-a2e5-a2651dcbc930", 2] = "KSrGetCAs",
   ["82ad4280-036b-11cf-972c-00aa006887b0", 6] = "R_InetInfoQueryStatistics",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 55] = "GetDontShow",
   ["497d95a6-2d27-4bf5-9bbd-a6046957133c", 3] = "RpcStartListener",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 15] = "FTDeleteVolume",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 72] = "RpcWinStationUnRegisterNotificationEvent",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 8] = "ApiOpenResource",
   ["300f3532-38cc-11d0-a3f0-0020af6b0add", 4] = "Opnum4NotUsedOnWire",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 75] = "R_DhcpModifyClassV6",
   ["12345778-1234-abcd-ef00-0123456789ab", 83] = "LsarSetAuditPolicy",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 6] = "RpcWinStationSetInformation",
   ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6", 2] = "RpcSrvReleasePrefix",
   ["9556dc99-828c-11cf-a37e-00aa003240c7", 8] = "PutClass",
   ["338cd001-2244-31f1-aaaa-900038001003", 30] = "BaseInitiateSystemShutdownEx",
   ["86d35949-83c9-4044-b424-db363231fd0c", 4] = "SchRpcSetSecurity",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 40] = "LlsrMappingAddW",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 33] = "PNP_UninstallDevInst",
   ["12345678-1234-abcd-ef00-01234567cffb", 15] = "NetrServerAuthenticate2",
   ["367abb81-9844-35f1-ad32-98f038001003", 2] = "DeleteService",
   ["12345778-1234-abcd-ef00-0123456789ab", 68] = "LsarLookupNames3",
   ["77df7a80-f298-11d0-8358-00a024c480a8", 12] = "S_DSSetPropsGuid",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 116] = "R_DhcpV6SetStatelessStoreParams",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 22] = "RpcAsyncDeleteForm",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 80] = "AddAccessPath",
   ["9556dc99-828c-11cf-a37e-00aa003240c7", 13] = "CreateClassEnumAsync",
   ["bd0c73bc-805b-4043-9c30-9a28d64dd7d2", 10] = "InstanceName",
   ["d3fbb514-0e3b-11cb-8fad-08002b1d29c3", 2] = "nsi_binding_lookup_next",
   ["45f52c28-7f9f-101a-b52b-08002b2efabe", 15] = "R_WinsDeleteWins",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 16] = "RpcAsyncGetPrinterData",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 3] = "RRPC_FWGetGlobalConfig",
   ["12345778-1234-abcd-ef00-0123456789ac", 48] = "SamrQueryDisplayInformation2",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 36] = "LlsrMappingUserAddW",
   ["12345678-1234-abcd-ef00-01234567cffb", 19] = "NetrEnumerateTrustedDomains",
   ["86d35949-83c9-4044-b424-db363231fd0c", 9] = "SchRpcGetInstanceInfo",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 25] = "RRPC_FWDeleteAllCryptoSets",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 17] = "LlsrUserEnumA",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 119] = "R_DhcpV4EnumSubnetReservations",
   ["708cca10-9569-11d1-b2a5-0060977d8118", 7] = "Opnum7NotUsedOnWire",
   ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 9] = "GetCRL",
   ["943991a5-b3fe-41fa-9696-7f7b656ee34b", 13] = "GetMachineInfo",
   ["00020401-0000-0000-c000-000000000046", 3] = "GetTypeAttr",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 87] = "LlsrLocalServiceInfoGetW",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 57] = "AudioSessionGetDisplayName",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 62] = "R_DhcpDeleteSubnetV6",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 72] = "LlsrCertificateClaimEnumW",
   ["8165b19e-8d3a-4d0b-80c8-97de310db583", 3] = "GetComponentInfo",
   ["6bffd098-a112-3610-9833-46c3f874532d", 29] = "R_DhcpAddSubnetElementV4",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 54] = "RpcWinStationUpdateUserConfig",
   ["00020401-0000-0000-c000-000000000046", 14] = "GetRefTypeInfo",
   ["bd0c73bc-805b-4043-9c30-9a28d64dd7d2", 8] = "Opnum8NotUsedOnWire",
   ["8298d101-f992-43b7-8eca-5052d885b995", 37] = "Import",
   ["367abb81-9844-35f1-ad32-98f038001003", 28] = "OpenServiceA",
   ["6bffd098-a112-3610-9833-012892020162", 5] = "BrowserrQueryStatistics",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 19] = "FTReplaceMirrorPartition",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 86] = "R_DhcpEnumFilterV4",
   ["12345678-1234-abcd-ef00-0123456789ab", 35] = "RpcEnumPorts",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 12] = "PNP_GetDepth",
   ["12345778-1234-abcd-ef00-0123456789ab", 92] = "CredReadByTokenHandle",
   ["6bffd098-a112-3610-9833-46c3f87e345a", 30] = "NetrEnumerateComputerNames",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 84] = "LlsrLocalServiceAddW",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 44] = "R_DhcpBackupDatabase",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 61] = "Opnum61NotUsedOnWire",
   ["f31931a9-832d-481c-9503-887a0e6a79f0", 7] = "GetSupportedClient",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 50] = "PNP_GetResDesData",
   ["4bdafc52-fe6a-11d2-93f8-00105a11164a", 3] = "GetMaxAdjustedFreeSpace",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 48] = "NetrDfsCreateExitPoint",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 43] = "AudioSessionManagerDeleteAudioSessionClientNotification",
   ["378e52b0-c0a9-11cf-822d-00aa0051e40f", 2] = "SAGetNSAccountInformation",
   ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 7] = "EvtRpcExportLog",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 10] = "NetrFileGetInfo",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 45] = "PNP_GetNextLogConf",
   ["d049b186-814f-11d1-9a3c-00c04fc9b232", 7] = "NtFrsApi_Rpc_InfoW",
   ["a4f1db00-ca47-1067-b31f-00dd010662da", 14] = "EcDoAsyncConnectEx",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 0] = "ApiOpenCluster",
   ["12345778-1234-abcd-ef00-0123456789ac", 54] = "SamrOemChangePasswordUser2",
   ["12345678-1234-abcd-ef00-0123456789ab", 93] = "RpcCloseSpoolFileHandle",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 46] = "NetrDfsSetLocalVolumeState",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 13] = "AudioSessionGetLastActivation",
   ["df1941c5-fe89-4e79-bf10-463657acf44d", 41] = "Opnum41NotUsedOnWire",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 20] = "RRPC_FWDeleteAllAuthenticationSets",
   ["7fe0d935-dda6-443f-85d0-1cfb58fe41dd", 39] = "GetArchivedKey",
   ["c681d488-d850-11d0-8c52-00c04fd90f7e", 18] = "EfsRpcGetEncryptedFileMetadata",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 65] = "RpcAsyncCorePrinterDriverInstalled",
   ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 30] = "RestoreGetDatabaseLocations",
   ["12345678-1234-abcd-ef00-0123456789ab", 14] = "RpcAddPrintProcessor",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 64] = "PNP_GetServerSideDeviceInstallFlags",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 5] = "R_DhcpEnumMScopeElements",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 14] = "RpcAsyncEndDocPrinter",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 11] = "RpcWinStationVirtualOpen",
   ["338cd001-2244-31f1-aaaa-900038001003", 0] = "OpenClassesRoot",
   ["8d0ffe72-d252-11d0-bf8f-00c04fd9126b", 1] = "KeyrEnumerateProviders",
   ["481e06cf-ab04-4498-8ffe-124a0a34296d", 13] = "GetScheduleInfo",
   ["bde95fdf-eee0-45de-9e12-e5a61cd0d4fe", 0] = "RpcGetClientData",
   ["50abc2a4-574d-40b3-9d66-ee4fd5fba076", 6] = "DnssrvQuery2",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 51] = "ApiMoveGroup",
   ["300f3532-38cc-11d0-a3f0-0020af6b0add", 8] = "Opnum8NotUsedOnWire",
   ["22e5386d-8b12-4bf0-b0ec-6a1ea419e366", 1] = "RpcNetEventReceiveData",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 3] = "EnumDisksEx",
   ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 18] = "DRSExecuteKCC",
   ["83da7c00-e84f-11d2-9807-00c04f8ec850", 3] = "SfcSrv_InitiateScan",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 87] = "ApiSetNetworkPriorityOrder",
   ["12345678-1234-abcd-ef00-0123456789ab", 10] = "RpcEnumPrinterDrivers",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 8] = "AudioServerIsFormatSupported",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 40] = "NetrpSetFileSecurity",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 68] = "ApiGetNodeState",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 57] = "NetrShareDelEx",
   ["df1941c5-fe89-4e79-bf10-463657acf44d", 35] = "Opnum35NotUsedOnWire",
   ["12345778-1234-abcd-ef00-0123456789ab", 88] = "LsarLookupAuditCategoryName",
   ["2f5f3220-c126-1076-b549-074d078619da", 1] = "NDdeShareDelA",
   ["00000143-0000-0000-c000-000000000046", 6] = "RemQueryInterface2",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 64] = "LlsrReplicationUserAddW",
   ["7c4e1804-e342-483d-a43e-a850cfcc8d18", 6] = "DeleteApplicationPool",
   ["12345778-1234-abcd-ef00-0123456789ab", 8] = "LsarSetInformationPolicy",
   ["5422fd3a-d4b8-4cef-a12e-e87d4ca22e90", 4] = "GetCACert",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 64] = "RpcWinStationFUSCanRemoteUserDisconnect",
   ["ccd8c074-d0e5-4a40-92b4-d074faa6ba28", 2] = "WitnessrUnRegister",
   ["367abb81-9844-35f1-ad32-98f038001003", 26] = "EnumServicesStatusA",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 101] = "ApiCreateNodeEnum",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 13] = "FTEnumVolumes",
   ["300f3532-38cc-11d0-a3f0-0020af6b0add", 5] = "Opnum5NotUsedOnWire",
   ["68b58241-c259-4f03-a2e5-a2651dcbc930", 0] = "KSrSubmitRequest",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 34] = "RRPC_FWDeleteMainModeRule",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 66] = "Opnum66NotUsedOnWire",
   ["bd0c73bc-805b-4043-9c30-9a28d64dd7d2", 17] = "Opnum17NotUsedOnWire",
   ["d049b186-814f-11d1-9a3c-00c04fc9b232", 6] = "Opnum6NotUsedOnWire",
   ["45f52c28-7f9f-101a-b52b-08002b2efabe", 9] = "R_WinsPullRange",
   ["bd0c73bc-805b-4043-9c30-9a28d64dd7d2", 25] = "ExportToBlob",
   ["4b112204-0e19-11d3-b42b-0000f81feb9f", 8] = "RegisterNotificationRpc",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 65] = "LlsrProductSecurityGetW",
   ["12345778-1234-abcd-ef00-0123456789ab", 46] = "LsarQueryInformationPolicy2",
   ["12345678-1234-abcd-ef00-01234567cffb", 24] = "NetrLogonComputeServerDigest",
   ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4", 1] = "nsi_group_mbr_add",
   ["17fdd703-1827-4e34-79d4-24a55c53bb37", 1] = "NetrMessageNameEnum",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 49] = "RpcWinStationNotifyNewSession",
   ["3919286a-b10c-11d0-9ba8-00c04fd92ef5", 9] = "DsRolerUpgradeDownlevelServer",
   ["027947e1-d731-11ce-a357-000000000001", 7] = "Skip",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 60] = "LlsrReplicationRequestW",
   ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 24] = "SetLastChangeTime",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 14] = "ApiGetResourceId",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 49] = "LlsrLocalProductEnumA",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 97] = "R_DhcpV4FailoverGetScopeStatistics",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 70] = "ApiResumeNode",
   ["4b112204-0e19-11d3-b42b-0000f81feb9f", 1] = "DeregisterServiceRpcByUSN",
   ["12345778-1234-abcd-ef00-0123456789ab", 93] = "CredrRestoreCredentials",
   ["df1941c5-fe89-4e79-bf10-463657acf44d", 19] = "EfsRpcSetEncryptedFileMetadata",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 31] = "RpcAsyncDeletePrinterDataEx",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 3] = "LlsrLicenseEnumA",
   ["12345678-1234-abcd-ef00-0123456789ab", 19] = "RpcWritePrinter",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 121] = "R_DhcpV6GetFreeIPAddress",
   ["2a3eb639-d134-422d-90d8-aaa1b5216202", 7] = "ExportObjects",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 40] = "R_DhcpGetServerBindingInfo",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 35] = "ApiDeleteKey",
   ["2a3eb639-d134-422d-90d8-aaa1b5216202", 8] = "GetImportConflicts",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 7] = "CreatePartitionAssignandFormatEx",
   ["000001a0-0000-0000-c000-000000000046", 4] = "RemoteCreateInstance",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 31] = "RRPC_FWEnumProducts",
   ["6bffd098-a112-3610-9833-46c3f874532d", 1] = "R_DhcpSetSubnetInfo",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 52] = "LlsrLocalProductInfoSetW",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 59] = "PNP_RegisterNotification",
   ["f5cc5a18-4264-101a-8c59-08002b2f8426", 2] = "NspiUpdateStat",
   ["82273fdc-e32a-18c3-3f78-827929dc23ea", 20] = "ElfrDeregisterClusterSvc",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 50] = "RpcServerGetInternetConnectorStatus",
   ["4b112204-0e19-11d3-b42b-0000f81feb9f", 5] = "CleanupCacheRpc",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 60] = "RpcWinStationCloseServerEx",
   ["12345778-1234-abcd-ef00-0123456789ab", 94] = "CredrBackupCredentials",
   ["59602eb6-57b0-4fd8-aa4b-ebf06971fe15", 9] = "ModifyPolicy",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 1] = "RRPC_FWClosePolicyStore",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 81] = "R_DhcpGetMibInfoV5",
   ["bde95fdf-eee0-45de-9e12-e5a61cd0d4fe", 8] = "RpcGetAllListeners",
   ["8fb6d884-2388-11d0-8c35-00c04fda2795", 1] = "W32TimeGetNetlogonServiceBits",
   ["83da7c00-e84f-11d2-9807-00c04f8ec850", 0] = "SfcSrv_GetNextProtectedFile",
   ["a4f1db00-ca47-1067-b31f-00dd010662da", 3] = "EcGetMoreRpc",
   ["338cd001-2244-31f1-aaaa-900038001003", 11] = "BaseRegFlushKey",
   ["12345778-1234-abcd-ef00-0123456789ab", 29] = "LsarSetSecret",
   ["367abb81-9844-35f1-ad32-98f038001003", 25] = "EnumDependentServicesA",
   ["6bffd098-a112-3610-9833-012892020162", 0] = "BrowserrServerEnum",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 72] = "RpcAsyncDeleteJobNamedProperty",
   ["12345678-1234-abcd-ef00-0123456789ab", 73] = "RpcDeletePrinterData",
   ["214a0f28-b737-4026-b847-4f9e37d79529", 8] = "Opnum08NotUsedOnWire",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 94] = "ApiGetNetInterfaceState",
   ["45f52c28-7f9f-101a-b52b-08002b2efabe", 13] = "R_WinsGetNameAndAdd",
   ["c681d488-d850-11d0-8c52-00c04fd90f7e", 6] = "EfsRpcQueryUsersOnFile",
   ["45f52c28-7f9f-101a-b52b-08002b2efabe", 6] = "R_WinsTerm",
   ["82ad4280-036b-11cf-972c-00aa006887b0", 11] = "R_W3ClearStatistics2",
   ["0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53", 0] = "ItSrvRegisterIdleTask",
   ["9556dc99-828c-11cf-a37e-00aa003240c7", 15] = "PutInstanceAsync",
   ["3919286a-b10c-11d0-9ba8-00c04fd92ef5", 7] = "DsRolerCancel",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 23] = "AudioSessionSetMute",
   ["6bffd098-a112-3610-9833-46c3f87e345a", 7] = "NetrWkstaTransportDel",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 79] = "EnumAccessPathForVolume",
   ["6bffd098-a112-3610-9833-46c3f87e345a", 20] = "NetrGetJoinInformation",
   ["6bffd098-a112-3610-9833-012892020162", 3] = "BrowserrResetNetlogonState",
   ["86d35949-83c9-4044-b424-db363231fd0c", 8] = "SchRpcEnumInstances",
   ["338cd001-2244-31f1-aaaa-900038001003", 24] = "BaseInitiateSystemShutdown",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 56] = "Opnum56NotUsedOnWire",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 38] = "AddMirror",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 74] = "ApiNodeResourceTypeControl",
   ["7c4e1804-e342-483d-a43e-a850cfcc8d18", 4] = "DeleteApplication",
   ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 20] = "EvtRpcGetChannelConfig",
   ["8298d101-f992-43b7-8eca-5052d885b995", 38] = "RestoreHistory",
   ["4fc742e0-4a10-11cf-8273-00aa004ae673", 21] = "NetrDfsEnumEx",
   ["12345678-1234-abcd-ef00-0123456789ab", 84] = "RpcDeletePrinterDriverEx",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 55] = "LlsrServiceInfoGetA",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 44] = "RpcAsyncAddPrintProcessor",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 53] = "LlsrLocalProductInfoSetA",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 47] = "RpcAsyncEnumPorts",
   ["6bffd098-a112-3610-9833-012892020162", 1] = "BrowserrDebugCall",
   ["91ae6020-9e3c-11cf-8d7c-00aa00c091be", 0] = "CertServerRequest",
   ["afa8bd80-7d8a-11c9-bef4-08002b102989", 4] = "inq_princ_name",
   ["708cca10-9569-11d1-b2a5-0060977d8118", 5] = "S_DSEndDeleteNotification",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 36] = "RpcWinStationEnumerateProcesses",
   ["12345778-1234-abcd-ef00-0123456789ab", 37] = "LsarAddAccountRights",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 9] = "RpcWinStationNameFromLogonId",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 56] = "NetrServerAliasDel",
   ["9556dc99-828c-11cf-a37e-00aa003240c7", 3] = "OpenNamespace",
   ["12345678-1234-abcd-ef00-01234567cffb", 6] = "NetrServerPasswordSet",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 33] = "RpcAsyncXcvData",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 88] = "ApiNodeNetworkControl",
   ["300f3532-38cc-11d0-a3f0-0020af6b0add", 2] = "Opnum2NotUsedOnWire",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 78] = "ApiNodeNodeControl",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 35] = "RpcAsyncCreatePrinterIC",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 75] = "ApiResourceTypeControl",
   ["e1af8308-5d1f-11c9-91a4-08002b14a0fa", 0] = "ept_insert",
   ["894de0c0-0d55-11d3-a322-00c04fa321a1", 0] = "BaseInitiateShutdown",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 98] = "R_DhcpV4FailoverGetClientInfo",
   ["378e52b0-c0a9-11cf-822d-00aa0051e40f", 3] = "SAGetAccountInformation",
   ["12345678-1234-abcd-ef00-0123456789ab", 104] = "RpcReportJobProcessingProgress",
   ["12345678-1234-abcd-ef00-0123456789ab", 42] = "RpcDeletePrinterIC",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 28] = "LlsrMappingEnumW",
   ["df1941c5-fe89-4e79-bf10-463657acf44d", 7] = "EfsRpcQueryRecoveryAgents",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 6] = "CreatePartitionAssignAndFormat",
   ["21546ae8-4da5-445e-987f-627fea39c5e8", 11] = "GetExclusionList",
   ["6bffd098-a112-3610-9833-46c3f874532d", 41] = "R_DhcpServerSetConfigVQ",
   ["00000143-0000-0000-c000-000000000046", 2] = "Release",
   ["367abb81-9844-35f1-ad32-98f038001003", 49] = "CloseNotifyHandle",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 24] = "PNP_RegisterDeviceClassAssociation",
   ["12345778-1234-abcd-ef00-0123456789ac", 30] = "SamrDeleteAlias",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 44] = "RpcWinStationGetProcessSid",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 32] = "RRPC_FWAddMainModeRule",
   ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 29] = "Restore",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 1] = "LlsrClose",
   ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 23] = "DRSGetObjectExistence",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 62] = "LlsrReplicationServerServiceAddW",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 36] = "DeletePartitionsForVolume",
   ["6bffd098-a112-3610-9833-46c3f874532d", 3] = "R_DhcpEnumSubnets",
   ["2f5f3220-c126-1076-b549-074d078619da", 2] = "NDdeShareDelW",
   ["c681d488-d850-11d0-8c52-00c04fd90f7e", 23] = "Opnum23NotUsedOnWire",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 39] = "InitializeDiskEx",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 13] = "RRPC_FWSetConnectionSecurityRule",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 27] = "EnumVolumes",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 41] = "AudioSessionManagerGetExistingSession",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 59] = "R_DhcpAddSubnetElementV6",
   ["897e2e5f-93f3-4376-9c9c-fd2277495c27", 17] = "RdcFileDataTransferKeepAlive",
   ["12345778-1234-abcd-ef00-0123456789ab", 72] = "LsarUnregisterAuditEvent",
   ["a8e0653c-2744-4389-a61d-7373df8b2292", 12] = "PrepareShadowCopy",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 8] = "DeletePartition",
   ["12345678-1234-abcd-ef00-0123456789ab", 101] = "RpcGetCorePrinterDrivers",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 54] = "RpcAsyncEnumPrintProcessorDatatypes",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 56] = "RpcWinStationRegisterConsoleNotification",
   ["82273fdc-e32a-18c3-3f78-827929dc23ea", 2] = "ElfrCloseEL",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 59] = "Opnum59NotUsedOnWire",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 11] = "RRPC_FWSetConfig",
   ["6bffd098-a112-3610-9833-46c3f87e345a", 26] = "NetrGetJoinableOUs2",
   ["45f52c28-7f9f-101a-b52b-08002b2efabe", 0] = "R_WinsRecordAction",
   ["6bffd098-a112-3610-9833-46c3f87e345a", 18] = "NetrValidateName",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 17] = "PNP_DeleteRegistryKey",
   ["4fc742e0-4a10-11cf-8273-00aa004ae673", 6] = "NetrDfsRename",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 40] = "RpcAsyncEnumPrinterDrivers",
   ["338cd001-2244-31f1-aaaa-900038001003", 13] = "BaseRegLoadKey",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 33] = "AudioServerGetDevicePeriod",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 32] = "ApiSetValue",
   ["2f59a331-bf7d-48cb-9ec5-7c090d76e8b8", 7] = "RpcLicensingGetPolicyInformation",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 25] = "LlsrUserProductEnumA",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 53] = "PNP_DetectResourceConflict",
   ["708cca10-9569-11d1-b2a5-0060977d8118", 1] = "S_DSGetPropsEx",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 30] = "RRPC_FWDeletePhase2SAs",
   ["2f5f3220-c126-1076-b549-074d078619da", 7] = "NDdeShareEnumA",
   ["481e06cf-ab04-4498-8ffe-124a0a34296d", 20] = "GetServerTimeZone",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 10] = "RpcAsyncStartDocPrinter",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 66] = "AbortTask",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 23] = "ApiAddResourceNode",
   ["12345678-1234-abcd-ef00-01234567cffb", 3] = "NetrLogonSamLogoff",
   ["12345778-1234-abcd-ef00-0123456789ac", 0] = "SamrConnect",
   ["12345678-1234-abcd-ef00-01234567cffb", 45] = "NetrLogonSamLogonWithFlags",
   ["59602eb6-57b0-4fd8-aa4b-ebf06971fe15", 7] = "GetPolicyInfo",
   ["9556dc99-828c-11cf-a37e-00aa003240c7", 19] = "CreateInstanceEnumAsync",
   ["2f5f6521-ca47-1068-b319-00dd010662db", 2] = "RemoteSPDetach",
   ["c681d488-d850-11d0-8c52-00c04fd90f7e", 8] = "EfsRpcRemoveUsersFromFile",
   ["6bffd098-a112-3610-9833-46c3f874532d", 2] = "R_DhcpGetSubnetInfo",
   ["c681d488-d850-11d0-8c52-00c04fd90f7e", 22] = "EfsRpcQueryProtectors",
   ["45f52c28-7f9f-101a-b52b-08002b2efabe", 16] = "R_WinsSetFlags",
   ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 11] = "DRSGetNT4ChangeLog",
   ["12345778-1234-abcd-ef00-0123456789ab", 60] = "CredrWrite",
   ["12345678-1234-abcd-ef00-01234567cffb", 32] = "NetrLogonSendToSam",
   ["708cca10-9569-11d1-b2a5-0060977d8118", 4] = "S_DSNotifyDelete",
   ["12345678-1234-abcd-ef00-0123456789ab", 65] = "RpcRemoteFindFirstPrinterChangeNotificationEx",
   ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 23] = "GetDataSetNumber",
   ["12345778-1234-abcd-ef00-0123456789ac", 42] = "SamrTestPrivateFunctionsDomain",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 18] = "NetrShareDel",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 57] = "Opnum57NotUsedOnWire",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 4] = "LlsrLicenseAddW",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 21] = "EnumDriveLetters",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 68] = "GetTaskDetail",
   ["f309ad18-d86a-11d0-a075-00c04fb68820", 4] = "RequestChallenge",
   ["99fcfec4-5260-101b-bbcb-00aa0021347a", 5] = "ServerAlive2",
   ["8fb6d884-2388-11d0-8c35-00c04fda2795", 6] = "W32TimeQueryStatus",
   ["83da7c00-e84f-11d2-9807-00c04f8ec850", 4] = "SfcSrv_PurgeCache",
   ["12345678-1234-abcd-ef00-0123456789ab", 44] = "RpcDeletePrinterConnection",
   ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4", 18] = "nsi_mgmt_entry_create",
   ["8d0ffe72-d252-11d0-bf8f-00c04fd9126b", 8] = "KeyrExportCert",
   ["9556dc99-828c-11cf-a37e-00aa003240c7", 4] = "CancelAsyncCall",
   ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 7] = "DRSReplicaModify",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 45] = "R_DhcpRestoreDatabase",
   ["7fe0d935-dda6-443f-85d0-1cfb58fe41dd", 35] = "EnumViewColumnTable",
   ["7c4e1804-e342-483d-a43e-a850cfcc8d18", 8] = "RecycleApplicationPool",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 48] = "RpcWinStationSendWindowMessage",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 31] = "PolicyConfigGetDeviceFormat",
   ["a8e0653c-2744-4389-a61d-7373df8b2292", 0] = "GetSupportedVersion",
   ["86d35949-83c9-4044-b424-db363231fd0c", 13] = "SchRpcDelete",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 11] = "Eject",
   ["897e2e5f-93f3-4376-9c9c-fd2277495c27", 9] = "RdcGetSignatures",
   ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 22] = "GetSystemChangeNumber",
   ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 19] = "DRSGetReplInfo",
   ["44e265dd-7daf-42cd-8560-3cdb6e7a2729", 2] = "TsProxyAuthorizeTunnel",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 37] = "PNP_RequestDeviceEject",
   ["6bffd098-a112-3610-9833-46c3f874532d", 15] = "R_DhcpRemoveOptionValue",
   ["9556dc99-828c-11cf-a37e-00aa003240c7", 7] = "GetObjectAsync",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 19] = "FTReplaceMirrorPartition",
   ["12345778-1234-abcd-ef00-0123456789ab", 43] = "LsarRetrievePrivateData",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 45] = "RRPC_FWGetConfig2_10",
   ["6bffd098-a112-3610-9833-46c3f87e345a", 10] = "NetrUseDel",
   ["12345678-1234-abcd-ef00-0123456789ab", 23] = "RpcEndDocPrinter",
   ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 13] = "EvtRpcClose",
   ["300f3532-38cc-11d0-a3f0-0020af6b0add", 9] = "Opnum9NotUsedOnWire",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 69] = "R_DhcpGetServerBindingInfoV6",
   ["77df7a80-f298-11d0-8358-00a024c480a8", 10] = "S_DSDeleteObjectGuid",
   ["4f7ca01c-a9e5-45b6-b142-2332a1339c1d", 18] = "SetAccountingClientStatus",
   ["df1941c5-fe89-4e79-bf10-463657acf44d", 16] = "EfsRpcFileKeyInfoEx",
   ["12345778-1234-abcd-ef00-0123456789ac", 68] = "SamrQueryLocalizableAccountsInDomain",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 14] = "FTEnumLogicalDiskMembers",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 25] = "AudioSessionSetChannelVolume",
   ["29822ab7-f302-11d0-9953-00c04fd919c1", 7] = "AppDeleteRecoverable",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 65] = "Opnum65NotUsedOnWire",
   ["12345678-1234-abcd-ef00-01234567cffb", 9] = "NetrAccountDeltas",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 15] = "RRPC_FWEnumConnectionSecurityRules",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 80] = "R_DhcpGetSubnetDelayOffer",
   ["c681d488-d850-11d0-8c52-00c04fd90f7e", 35] = "Opnum35NotUsedOnWire",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 42] = "LlsrMappingDeleteW",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 108] = "ApiSetServiceAccountPassword",
   ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 6] = "EvtRpcClearLog",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 36] = "R_DhcpServerRedoAuthorization",
   ["484809d6-4239-471b-b5bc-61df8c23ac48", 1] = "RpcRegisterAsyncNotification",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 19] = "R_DhcpSetOptionValueV5",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 39] = "RRPC_FWQueryMainModeRules",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 103] = "ApiCreateResTypeEnum",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 14] = "FTEnumLogicalDiskMembers",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 89] = "R_DhcpV4FailoverCreateRelationship",
   ["e1af8308-5d1f-11c9-91a4-08002b14a0fa", 5] = "ept_inq_object",
   ["82273fdc-e32a-18c3-3f78-827929dc23ea", 15] = "ElfrRegisterEventSourceA",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 6] = "PNP_ValidateDeviceInstance",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 20] = "RpcWinStationGenerateLicense",
   ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6", 0] = "RpcSrvRequestPrefix",
   ["4f7ca01c-a9e5-45b6-b142-2332a1339c1d", 17] = "GetAccountingClients",
   ["12345678-1234-abcd-ef00-0123456789ab", 32] = "RpcGetForm",
   ["367abb81-9844-35f1-ad32-98f038001003", 46] = "ScQueryServiceTagInfo",
   ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 27] = "BackupTruncateLogs",
   ["12345778-1234-abcd-ef00-0123456789ac", 2] = "SamrSetSecurityObject",
   ["afa8bd80-7d8a-11c9-bef4-08002b102989", 0] = "inq_if_ids",
   ["367abb81-9844-35f1-ad32-98f038001003", 20] = "GetServiceDisplayNameW",
   ["e65e8028-83e8-491b-9af7-aaf6bd51a0ce", 8] = "GetReferenceBacklogCounts",
   ["367abb81-9844-35f1-ad32-98f038001003", 31] = "StartServiceA",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 63] = "Opnum63NotUsedOnWire",
   ["83da7c00-e84f-11d2-9807-00c04f8ec850", 6] = "SfcSrv_SetDisable",
   ["12345778-1234-abcd-ef00-0123456789ab", 86] = "LsarEnumerateAuditCategories",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 35] = "LlsrMappingUserEnumA",
   ["2f5f3220-c126-1076-b549-074d078619da", 18] = "NDdeSpecialCommand",
   ["d049b186-814f-11d1-9a3c-00c04fc9b232", 0] = "Opnum0NotUsedOnWire",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 60] = "PNP_UnregisterNotification",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 47] = "ReAttachDisk",
   ["12345678-1234-abcd-ef00-0123456789ab", 33] = "RpcSetForm",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 63] = "PNP_GetBlockedDriverInfo",
   ["c4b0c7d9-abe0-4733-a1e1-9fdedf260c7a", 6] = "CreateObject",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 4] = "NetrCharDevQGetInfo",
   ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 6] = "DRSReplicaDel",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 22] = "NetrServerSetInfo",
   ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 10] = "RevokeCertificate",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 35] = "R_DhcpServerQueryAttributes",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 68] = "RpcWinStationSessionInitialized",
   ["c681d488-d850-11d0-8c52-00c04fd90f7e", 13] = "EfsRpcDuplicateEncryptionInfoFile",
   ["367abb81-9844-35f1-ad32-98f038001003", 39] = "QueryServiceConfig2W",
   ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5", 1] = "gfxCreateGfxFactoriesList",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 36] = "RRPC_FWEnumMainModeRules",
   ["12345678-1234-abcd-ef00-0123456789ab", 29] = "RpcClosePrinter",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 41] = "NetrServerTransportAddEx",
   ["d049b186-814f-11d1-9a3c-00c04fc9b232", 9] = "NtFrsApi_Rpc_WriterCommand",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 67] = "R_DhcpGetMibInfoV6",
   ["2f59a331-bf7d-48cb-9ec5-7c090d76e8b8", 6] = "RpcLicensingGetPolicy",
   ["83da7c00-e84f-11d2-9807-00c04f8ec850", 7] = "SfcSrv_InstallProtectedFiles",
   ["4da1c422-943d-11d1-acae-00c04fc2aa3f", 0] = "LnkSvrMessage",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 77] = "ApiGroupControl",
   ["12345678-1234-abcd-ef00-0123456789ab", 89] = "RpcAddPrinterDriverEx",
   ["59602eb6-57b0-4fd8-aa4b-ebf06971fe15", 17] = "GetCurrentPolicy",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 39] = "LlsrMappingUserDeleteA",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 21] = "ApiCanResourceBeDependent",
   ["12345678-1234-abcd-ef00-0123456789ab", 70] = "RpcAddPrinterEx",
   ["378e52b0-c0a9-11cf-822d-00aa0051e40f", 1] = "SASetNSAccountInformation",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 2] = "NetrCharDevControl",
   ["300f3532-38cc-11d0-a3f0-0020af6b0add", 0] = "Opnum0NotUsedOnWire",
   ["12345678-1234-abcd-ef00-0123456789ab", 30] = "RpcAddForm",
   ["4b112204-0e19-11d3-b42b-0000f81feb9f", 11] = "DeregisterNotificationRpc",
   ["6619a740-8154-43be-a186-0319578e02db", 8] = "RemoteDispatchNotAutoDone",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 10] = "PNP_GetDeviceList",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 67] = "RpcWinStationNotifyDisconnectPipe",
   ["00020401-0000-0000-c000-000000000046", 17] = "GetMops",
   ["e1af8308-5d1f-11c9-91a4-08002b14a0fa", 8] = "ept_map_auth_async",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 18] = "PNP_GetClassCount",
   ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4", 15] = "nsi_entry_expand_name",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 36] = "NetrShareEnumSticky",
   ["a8e0653c-2744-4389-a61d-7373df8b2292", 7] = "AbortShadowCopySet",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 30] = "NetprPathType",
   ["12345778-1234-abcd-ef00-0123456789ac", 55] = "SamrUnicodeChangePasswordUser2",
   ["c681d488-d850-11d0-8c52-00c04fd90f7e", 16] = "EfsRpcFileKeyInfoEx",
   ["367abb81-9844-35f1-ad32-98f038001003", 48] = "GetNotifyResult",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 46] = "RpcWinStationReInitializeSecurity",
   ["fa7df749-66e7-4986-a27f-e2f04ae53772", 5] = "QuerySnapshotsByVolume",
   ["481e06cf-ab04-4498-8ffe-124a0a34296d", 9] = "ModifyCalendar",
   ["f309ad18-d86a-11d0-a075-00c04fb68820", 5] = "WBEMLogin",
   ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 20] = "RpcSrvGetOriginalSubnetMask",
   ["d95afe70-a6d5-4259-822e-2c84da1ddb0d", 0] = "WsdrInitiateShutdown",
   ["12345778-1234-abcd-ef00-0123456789ab", 79] = "LsarAdtRegisterSecurityEventSource",
   ["367abb81-9844-35f1-ad32-98f038001003", 51] = "ControlServiceExW",
   ["bc681469-9dd9-4bf4-9b3d-709f69efe431", 7] = "GetResourceGroupInfo",
   ["50abc2a4-574d-40b3-9d66-ee4fd5fba076", 1] = "DnssrvQuery",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 28] = "R_DhcpEnumClasses",
   ["77df7a80-f298-11d0-8358-00a024c480a8", 13] = "S_DSGetObjectSecurityGuid",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 8] = "DeletePartition",
   ["29822ab7-f302-11d0-9953-00c04fd919c1", 4] = "AppDelete",
   ["0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53", 1] = "ItSrvUnregisterIdleTask",
   ["f5cc5a18-4264-101a-8c59-08002b2f8426", 0] = "NspiBind",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 2] = "RpcAsyncSetJob",
   ["c681d488-d850-11d0-8c52-00c04fd90f7e", 36] = "Opnum36NotUsedOnWire",
   ["12345678-1234-abcd-ef00-0123456789ab", 78] = "RpcGetPrinterDataEx",
   ["5422fd3a-d4b8-4cef-a12e-e87d4ca22e90", 3] = "Request",
   ["59602eb6-57b0-4fd8-aa4b-ebf06971fe15", 15] = "GetCalDefaultPolicyName",
   ["12345678-1234-abcd-ef00-0123456789ab", 3] = "RpcGetJob",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 20] = "R_DhcpSetOptionValuesV5",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 25] = "NetrServerTransportAdd",
   ["12345778-1234-abcd-ef00-0123456789ab", 36] = "LsarEnumerateAccountRights",
   ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4", 12] = "nsi_entry_object_inq_begin",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 58] = "RRPC_FWAddConnectionSecurityRule2_20",
   ["d049b186-814f-11d1-9a3c-00c04fc9b232", 4] = "NtFrsApi_Rpc_Set_DsPollingIntervalW",
   ["82273fdc-e32a-18c3-3f78-827929dc23ea", 9] = "ElfrOpenBELW",
   ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5", 8] = "gfxLogoff",
   ["12345678-1234-abcd-ef00-01234567cffb", 2] = "NetrLogonSamLogon",
   ["45f52c28-7f9f-101a-b52b-08002b2efabe", 12] = "R_WinsWorkerThdUpd",
   ["8298d101-f992-43b7-8eca-5052d885b995", 39] = "EnumHistory",
   ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4", 2] = "nsi_group_mbr_remove",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 29] = "AudioServerDisconnect",
   ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4", 10] = "nsi_profile_elt_inq_next",
   ["12345778-1234-abcd-ef00-0123456789ab", 70] = "LsarRegisterAuditEvent",
   ["82ad4280-036b-11cf-972c-00aa006887b0", 12] = "R_FtpQueryStatistics2",
   ["c5cebee2-9df5-4cdd-a08c-c2471bc144b4", 14] = "GetllSAppPoolNames",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 58] = "AudioVolumeAddMasterVolumeNotification",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 54] = "LlsrServiceInfoGetW",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 28] = "PNP_CreateDevInst",
   ["82ad4280-036b-11cf-972c-00aa006887b0", 1] = "R_InetInfoGetAdminInformation",
   ["df1941c5-fe89-4e79-bf10-463657acf44d", 31] = "Opnum31NotUsedOnWire",
   ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 4] = "DeleteKey",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 77] = "R_DhcpEnumClassesV6",
   ["0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7", 6] = "AuthrzModifySids",
   ["29822ab7-f302-11d0-9953-00c04fd919c1", 5] = "AppUnLoad",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 34] = "LlsrMappingUserEnumW",
   ["12345778-1234-abcd-ef00-0123456789ab", 84] = "LsarQueryAuditPolicy",
   ["367abb81-9844-35f1-ad32-98f038001003", 19] = "StartServiceW",
   ["4fc742e0-4a10-11cf-8273-00aa004ae673", 20] = "NetrDfsRemove2",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 27] = "Opnum27NotUsedOnWire",
   ["9556dc99-828c-11cf-a37e-00aa003240c7", 16] = "DeleteClass",
   ["484809d6-4239-471b-b5bc-61df8c23ac48", 2] = "RpcWaitAsyncNotification",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 51] = "R_DhcpRemoveOptionV6",
   ["9556dc99-828c-11cf-a37e-00aa003240c7", 17] = "DeleteClassAsync",
   ["b9785960-524f-11df-8b6d-83dcded72085", 0] = "GetKey",
   ["4fc742e0-4a10-11cf-8273-00aa004ae673", 19] = "NetrDfsAdd2",
   ["c5cebee2-9df5-4cdd-a08c-c2471bc144b4", 11] = "RestoreXMLFiles",
   ["12345678-1234-abcd-ef00-01234567cffb", 34] = "DsrGetDcNameEx2",
   ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5", 5] = "gfxModifyGx",
   ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 13] = "DRSWriteSPN",
   ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 25] = "EvtRpcGetPublisherResourceMetadata",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 78] = "DeleteAccessPath",
   ["4b112204-0e19-11d3-b42b-0000f81feb9f", 3] = "UpdateCacheRpc",
   ["c681d488-d850-11d0-8c52-00c04fd90f7e", 12] = "EfsRpcFileKeyInfo",
   ["6bffd098-a112-3610-9833-012892020162", 8] = "NetrBrowserStatisticsGet",
   ["9556dc99-828c-11cf-a37e-00aa003240c7", 25] = "ExecMethodAsync",
   ["77df7a80-f298-11d0-8358-00a024c480a8", 9] = "Opnum9NotUsedOnWire",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 14] = "RpcWinStationReset",
   ["214a0f28-b737-4026-b847-4f9e37d79529", 6] = "QueryDiffAreasForVolume",
   ["943991a5-b3fe-41fa-9696-7f7b656ee34b", 11] = "RenameMachineGroup",
   ["12345778-1234-abcd-ef00-0123456789ac", 32] = "SamrRemoveMemberFromAlias",
   ["2f5f3220-c126-1076-b549-074d078619da", 10] = "NDdeShareSetInfoW",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 30] = "ApiOpenKey",
   ["12345678-1234-abcd-ef00-0123456789ab", 25] = "RpcScheduleJob",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 19] = "NetrShareDelSticky",
   ["f5cc59b4-4264-101a-8c59-08002b2f8426", 5] = "FrsBackupComplete",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 28] = "EnumVolumeMembers",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 23] = "RpcWinStationActivateLicense",
   ["12345778-1234-abcd-ef00-0123456789ab", 76] = "LsarLookupSids3",
   ["7fe0d935-dda6-443f-85d0-1cfb58fe41dd", 37] = "SetCASecurity",
   ["bd0c73bc-805b-4043-9c30-9a28d64dd7d2", 24] = "Opnum24NotUsedOnWire",
   ["12345778-1234-abcd-ef00-0123456789ab", 5] = "LsarChangePassword",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 24] = "ApiRemoveResourceNode",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 15] = "R_DhcpSetOptionInfoV5",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 22] = "AssignDriveLetter",
   ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 9] = "EvtRpcMessageRender",
   ["77df7a80-f298-11d0-8358-00a024c480a8", 21] = "S_DSQMGetObjectSecurity",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 5] = "RpcAsyncAddJob",
   ["367abb81-9844-35f1-ad32-98f038001003", 34] = "ScGetCurrentGroupStateW",
   ["2f59a331-bf7d-48cb-9ec5-7c090d76e8b8", 2] = "RpcLicensingLoadPolicy",
   ["2f5f6521-ca47-1068-b319-00dd010662db", 1] = "RemoteSPEventProc",
   ["12345678-1234-abcd-ef00-0123456789ab", 26] = "RpcGetPrinterData",
   ["897e2e5f-93f3-4376-9c9c-fd2277495c27", 3] = "RequestUpdates",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 11] = "RpcAsyncStartPagePrinter",
   ["12345678-1234-abcd-ef00-0123456789ab", 13] = "RpcDeletePrinterDriver",
   ["df1941c5-fe89-4e79-bf10-463657acf44d", 39] = "Opnum39NotUsedOnWire",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 69] = "Uninitialize",
   ["367abb81-9844-35f1-ad32-98f038001003", 1] = "ControlService",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 46] = "R_DhcpGetServerSpecificStrings",
   ["12345678-1234-abcd-ef00-0123456789ab", 39] = "RpcDeletePort",
   ["4fc742e0-4a10-11cf-8273-00aa004ae673", 11] = "NetrDfsRemoveFtRoot",
   ["12345778-1234-abcd-ef00-0123456789ac", 25] = "SamrGetMembersInGroup",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 101] = "R_DhcpV4SetOptionValue",
   ["bde95fdf-eee0-45de-9e12-e5a61cd0d4fe", 9] = "RpcGetSessionProtocolLastInputTime",
   ["894de0c0-0d55-11d3-a322-00c04fa321a1", 1] = "BaseAbortShutdown",
   ["12345678-1234-abcd-ef00-0123456789ab", 83] = "RpcSeekPrinter",
   ["00020401-0000-0000-c000-000000000046", 7] = "GetNames",
   ["367abb81-9844-35f1-ad32-98f038001003", 15] = "OpenSCManagerW",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 81] = "ApiOpenNetwork",
   ["a4f1db00-ca47-1067-b31f-00dd010662da", 13] = "EcUnknown0xD",
   ["12345678-1234-abcd-ef00-0123456789ab", 80] = "RpcEnumPrinterKey",
   ["897e2e5f-93f3-4376-9c9c-fd2277495c27", 7] = "UpdateCancel",
   ["c681d488-d850-11d0-8c52-00c04fd90f7e", 20] = "EfsRpcFlushEfsCache",
   ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 18] = "EvtRpcGetLogFileInfo",
   ["a8e0653c-2744-4389-a61d-7373df8b2292", 6] = "RecoveryCompleteShadowCopySet",
   ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 25] = "RpcSrvGetNotificationStatus",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 2] = "PNP_GetVersion",
   ["00000143-0000-0000-c000-000000000046", 0] = "QueryInterface",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 73] = "SecureSystemPartition",
   ["12345778-1234-abcd-ef00-0123456789ab", 49] = "LsarSetTrustedDomainInfoByName",
   ["12345778-1234-abcd-ef00-0123456789ab", 48] = "LsarQueryTrustedDomainInfoByName",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 117] = "R_DhcpV6GetStatelessStoreParams",
   ["d3fbb514-0e3b-11cb-8fad-08002b1d29c3", 3] = "nsi_mgmt_handle_set_exp_age",
   ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 29] = "BackupGetDynamicFiles",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 22] = "RRPC_FWAddCryptoSet",
   ["82273fdc-e32a-18c3-3f78-827929dc23ea", 23] = "ElfrFlushEL",
   ["12345678-1234-abcd-ef00-0123456789ab", 16] = "RpcGetPrintProcessorDirectory",
   ["2f59a331-bf7d-48cb-9ec5-7c090d76e8b8", 0] = "RpcLicensingOpenServer",
   ["6bffd098-a112-3610-9833-46c3f874532d", 48] = "R_DhcpCreateSubnetVQ",
   ["59602eb6-57b0-4fd8-aa4b-ebf06971fe15", 18] = "SetCurrentPolicy",
   ["12345678-1234-abcd-ef00-0123456789ab", 98] = "RpcDeletePrinterConnection2",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 29] = "RRPC_FWDeletePhase1SAs",
   ["12345778-1234-abcd-ef00-0123456789ac", 67] = "SamrValidatePassword",
   ["12345778-1234-abcd-ef00-0123456789ac", 15] = "SamrEnumerateAliasesInDomain",
   ["6619a740-8154-43be-a186-0319578e02db", 7] = "RemoteDispatchAutoDone",
   ["367abb81-9844-35f1-ad32-98f038001003", 44] = "CreateServiceWOW64A",
   ["12345678-1234-abcd-ef00-0123456789ab", 47] = "RpcDeleteMonitor",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 59] = "AudioVolumeDeleteMasterVolumeNotification",
   ["ae1c7110-2f60-11d3-8a39-00c04f72d8e3", 6] = "Clone",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 41] = "ApiOpenGroup",
   ["88143fd0-c28d-4b2b-8fef-8d882f6a9390", 2] = "RpcFilterByState",
   ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 26] = "RpcSrvGetDhcpServicedConnections",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 99] = "ApiAddNotifyNetInterface",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 32] = "R_DhcpAuditLogSetParams",
   ["338cd001-2244-31f1-aaaa-900038001003", 31] = "BaseRegSaveKeyEx",
   ["12345778-1234-abcd-ef00-0123456789ab", 42] = "LsarStorePrivateData",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 108] = "R_DhcpV4CreatePolicy",
   ["8d0ffe72-d252-11d0-bf8f-00c04fd9126b", 11] = "KeyrEnumerateCAs",
   ["481e06cf-ab04-4498-8ffe-124a0a34296d", 18] = "MoveBeforeCalendar",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 51] = "EncapsulateDiskEx",
   ["12345778-1234-abcd-ef00-0123456789ac", 64] = "SamrConnect5",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 65] = "ApiGetNotify",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 83] = "R_DhcpDeleteFilterV4",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 26] = "R_DhcpDeleteClass",
   ["82273fdc-e32a-18c3-3f78-827929dc23ea", 14] = "ElfrOpenELA",
   ["12345778-1234-abcd-ef00-0123456789ab", 23] = "LsarGetSystemAccessAccount",
   ["4b112204-0e19-11d3-b42b-0000f81feb9f", 4] = "LookupCacheRpc",
   ["367abb81-9844-35f1-ad32-98f038001003", 0] = "CloseServiceHandle",
   ["4fc742e0-4a10-11cf-8273-00aa004ae673", 18] = "NetrDfsFlushFtTable",
   ["e8fb8620-588f-11d2-9d61-00c04f79c5fe", 7] = "Stop",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 29] = "EnumVolumeMembers",
   ["7fe0d935-dda6-443f-85d0-1cfb58fe41dd", 34] = "GetCAPropertyInfo",
   ["367abb81-9844-35f1-ad32-98f038001003", 30] = "QueryServiceLockStatusA",
   ["12345678-1234-abcd-ef00-0123456789ab", 31] = "RpcDeleteForm",
   ["708cca10-9569-11d1-b2a5-0060977d8118", 3] = "S_DSBeginDeleteNotification",
   ["e1af8308-5d1f-11c9-91a4-08002b14a0fa", 7] = "ept_map_auth",
   ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 14] = "EvtRpcCancel",
   ["8d0ffe72-d252-11d0-bf8f-00c04fd9126b", 13] = "KeyrQueryRequestStatus",
   ["4f7ca01c-a9e5-45b6-b142-2332a1339c1d", 20] = "SetClientPermissions",
   ["d99e6e70-fc88-11d0-b498-00a0c90312f3", 3] = "Request",
   ["6bffd098-a112-3610-9833-46c3f87e345a", 28] = "NetrRemoveAlternateComputerName",
   ["4f7ca01c-a9e5-45b6-b142-2332a1339c1d", 7] = "CreateAccountingDb",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 32] = "NetprPathCompare",
   ["17fdd703-1827-4e34-79d4-24a55c53bb37", 3] = "NetrMessageNameDel",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 2] = "RpcIcaServerPing",
   ["12345678-1234-abcd-ef00-0123456789ab", 22] = "RpcReadPrinter",
   ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 9] = "DRSGetMemberships",
   ["214a0f28-b737-4026-b847-4f9e37d79529", 5] = "QueryVolumesSupportedForDiffAreas",
   ["12345778-1234-abcd-ef00-0123456789ab", 51] = "LsarCreateTrustedDomainEx",
   ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 1] = "DRSUnbind",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 21] = "EnumDriveLetters",
   ["338cd001-2244-31f1-aaaa-900038001003", 1] = "OpenCurrentUser",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 13] = "R_DhcpEnumMScopeClients",
   ["9556dc99-828c-11cf-a37e-00aa003240c7", 9] = "PutClassAsync",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 72] = "ApiNodeResourceControl",
   ["4fc742e0-4a10-11cf-8273-00aa004ae673", 1] = "NetrDfsAdd",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 20] = "RpcAsyncClosePrinter",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 91] = "R_DhcpV4FailoverDeleteRelationship",
   ["897e2e5f-93f3-4376-9c9c-fd2277495c27", 16] = "RdcGetFileDataAsync",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 57] = "PNP_QueryArbitratorFreeSize",
   ["12345778-1234-abcd-ef00-0123456789ac", 43] = "SamrTestPrivateFunctionsUser",
   ["12345778-1234-abcd-ef00-0123456789ab", 66] = "CredrGetTargetInfo",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 27] = "PNP_SetClassRegProp",
   ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 8] = "RpcSrvRemoveDnsRegistrations",
   ["6bffd098-a112-3610-9833-46c3f87e345a", 6] = "NetrWkstaTransportAdd",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 103] = "R_DhcpV4GetOptionValue",
   ["12345678-1234-abcd-ef00-0123456789ab", 2] = "RpcSetJob",
   ["50abc2a4-574d-40b3-9d66-ee4fd5fba076", 3] = "DnssrvEnumRecords",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 41] = "R_DhcpSetServerBindingInfo",
   ["12345778-1234-abcd-ef00-0123456789ab", 18] = "LsarEnumeratePrivilegesAccount",
   ["6bffd098-a112-3610-9833-46c3f874532d", 47] = "R_DhcpEnumSubnetClientsVQ",
   ["12345678-1234-abcd-ef00-01234567cffb", 41] = "DsrDeregisterDnsHostRecords",
   ["f5cc5a18-4264-101a-8c59-08002b2f8426", 7] = "NspiDNToEph",
   ["367abb81-9844-35f1-ad32-98f038001003", 22] = "ScSetServiceBitsA",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 1] = "R_DhcpSetMScopeInfo",
   ["a4f1db00-ca47-1067-b31f-00dd010662da", 5] = "EcRUnregisterPushNotification",
   ["6bffd098-a112-3610-9833-46c3f87e345a", 8] = "NetrUseAdd",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 48] = "ApiGetNodeId",
   ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 21] = "RpcSrvSetMSFTVendorSpecificOptions",
   ["7fe0d935-dda6-443f-85d0-1cfb58fe41dd", 32] = "GetCAProperty",
   ["12345678-1234-abcd-ef00-01234567cffb", 37] = "DsrAddressToSiteNamesExW",
   ["a4f1db00-ca47-1067-b31f-00dd010662da", 7] = "EcRGetDCName",
   ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 21] = "EvtRpcPutChannelConfig",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 29] = "NetrServerSetServiceBits",
   ["12345778-1234-abcd-ef00-0123456789ab", 38] = "LsarRemoveAccountRights",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 37] = "RpcAsyncDeletePrinterIC",
   ["481e06cf-ab04-4498-8ffe-124a0a34296d", 7] = "GetCalendarInfo",
   ["338cd001-2244-31f1-aaaa-900038001003", 29] = "BaseRegQueryMultipleValues",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 48] = "LlsrLocalProductEnumW",
   ["f5cc59b4-4264-101a-8c59-08002b2f8426", 7] = "FrsBackupComplete",
   ["4fc742e0-4a10-11cf-8273-00aa004ae673", 15] = "NetrDfsAddStdRootForced",
   ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 8] = "RenameKey",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 10] = "AudioVolumeGetMasterVolumeLevelScalar",
   ["338cd001-2244-31f1-aaaa-900038001003", 20] = "BaseRegSaveKey",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 34] = "ApiQueryValue",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 59] = "LlsrReplClose",
   ["12345678-1234-abcd-ef00-0123456789ab", 92] = "RpcCommitSpoolData",
   ["82273fdc-e32a-18c3-3f78-827929dc23ea", 24] = "ElfrReportEventAndSourceW",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 60] = "RpcSyncRefreshRemoteNotifications",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 9] = "NetrFileEnum",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 55] = "QueryChangePartitionNumbers",
   ["12345778-1234-abcd-ef00-0123456789ac", 29] = "SamrSetInformationAlias",
   ["0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7", 0] = "AuthzrFreeContext",
   ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4", 17] = "nsi_mgmt_entry_delete",
   ["59602eb6-57b0-4fd8-aa4b-ebf06971fe15", 10] = "DeletePolicy",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 44] = "DiskMergeQuery",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 33] = "GetVolumeMountName",
   ["9556dc99-828c-11cf-a37e-00aa003240c7", 22] = "ExecNotificationQuery",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 26] = "ApiCreateResourceType",
   ["8fb6d884-2388-11d0-8c35-00c04fda2795", 2] = "W32TimeQueryProviderStatus",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 56] = "ApiCloseNotify",
   ["a8e0653c-2744-4389-a61d-7373df8b2292", 1] = "SetContext",
   ["12345678-1234-abcd-ef00-0123456789ab", 69] = "RpcSplOpenPrinter",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 57] = "SetDontShow",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 37] = "LlsrMappingUserAddA",
   ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 13] = "R_GetAllData",
   ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4", 11] = "nsi_profile_elt_inq_done",
   ["df1941c5-fe89-4e79-bf10-463657acf44d", 26] = "Opnum26NotUsedOnWire",
   ["21546ae8-4da5-445e-987f-627fea39c5e8", 15] = "RestoreExclusionList",
   ["12345678-1234-abcd-ef00-0123456789ab", 85] = "RpcAddPerMachineConnection",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 18] = "RpcWinStationShadowTargetSetup",
   ["338cd001-2244-31f1-aaaa-900038001003", 8] = "BaseRegDeleteValue",
   ["82273fdc-e32a-18c3-3f78-827929dc23ea", 18] = "ElfrReportEventA",
   ["12345678-1234-abcd-ef00-01234567cffb", 28] = "DsrGetSiteName",
   ["4fc742e0-4a10-11cf-8273-00aa004ae673", 8] = "NetrDfsManagerGetConfigInfo",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 45] = "RpcWinStationGetTermSrvCountersValue",
   ["df1941c5-fe89-4e79-bf10-463657acf44d", 23] = "Opnum23NotUsedOnWire",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 54] = "RRPC_FWEnumAuthenticationSets2_10",
   ["894de0c0-0d55-11d3-a322-00c04fa321a1", 2] = "BaseInitiateShutdownEx",
   ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4", 16] = "nsi_mgmt_binding_unexport",
   ["338cd001-2244-31f1-aaaa-900038001003", 5] = "BaseRegCloseKey",
   ["ccd8c074-d0e5-4a40-92b4-d074faa6ba28", 3] = "WitnessrAsyncNotify",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 107] = "R_DhcpSetPolicyEnforcement",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 3] = "RpcWinStationEnumerate",
   ["12345778-1234-abcd-ef00-0123456789ac", 59] = "SamrSetBootKeyInformation",
   ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 25] = "GetLastChangeTime",
   ["6bffd098-a112-3610-9833-46c3f874532d", 14] = "R_DhcpEnumOptionValues",
   ["12345678-1234-abcd-ef00-0123456789ab", 102] = "RpcCorePrinterDriverInstalled",
   ["6bffd098-a112-3610-9833-46c3f87e345a", 14] = "NetrLogonDomainNameAdd",
   ["6bffd098-a112-3610-9833-012892020162", 2] = "BrowserrQueryOtherDomains",
   ["1257b580-ce2f-4109-82d6-a9459d0bf6bc", 0] = "RpcShadow2",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 32] = "RpcAsyncDeletePrinterKey",
   ["943991a5-b3fe-41fa-9696-7f7b656ee34b", 14] = "ModifyMachineInfo",
   ["c3fcc19e-a970-11d2-8b5a-00a0c9b7c9c4", 4] = "GetObjectIdentify",
   ["367abb81-9844-35f1-ad32-98f038001003", 27] = "OpenSCManagerA",
   ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 27] = "R_KeyExchangePhase2",
   ["9556dc99-828c-11cf-a37e-00aa003240c7", 10] = "DeleteClass",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 74] = "RpcWinStationCheckAccess",
   ["897e2e5f-93f3-4376-9c9c-fd2277495c27", 12] = "RdcClose",
   ["897e2e5f-93f3-4376-9c9c-fd2277495c27", 4] = "RequestVersionVector",
   ["6bffd098-a112-3610-9833-46c3f874532d", 42] = "R_DhcpServerGetConfigVQ",
   ["a4f1db00-ca47-1067-b31f-00dd010662da", 12] = "EcUnknown0xC",
   ["12345778-1234-abcd-ef00-0123456789ab", 32] = "LsarLookupPrivilegeName",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 65] = "RpcWinStationCheckLoopBack",
   ["7c44d7d4-31d5-424c-bd5e-2b3e1f323d22", 0] = "IDL_DSAPrepareScript",
   ["00020400-0000-0000-c000-000000000046", 5] = "GetIDsOfNames",
   ["12345778-1234-abcd-ef00-0123456789ab", 53] = "LsarQueryDomainInformationPolicy",
   ["6bffd098-a112-3610-9833-46c3f874532d", 12] = "R_DhcpSetOptionValue",
   ["6bffd098-a112-3610-9833-46c3f87e345a", 9] = "NetrUseGetInfo",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 33] = "ApiDeleteValue",
   ["82ad4280-036b-11cf-972c-00aa006887b0", 17] = "Opnum17NotUsedOnWire",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 10] = "MarkActivePartition",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 81] = "DeleteAccessPath",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 31] = "NetprPathCanonicalize",
   ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 2] = "EvtRpcRemoteSubscriptionNext",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 53] = "R_DhcpEnumOptionValuesV6",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 26] = "RpcAsyncGetPrinterDriver",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 129] = "R_DhcpV4EnumPoliciesEx",
   ["e65e8028-83e8-491b-9af7-aaf6bd51a0ce", 4] = "GetCompressedReport",
   ["4f7ca01c-a9e5-45b6-b142-2332a1339c1d", 19] = "CheckAccountingConnection",
   ["c681d488-d850-11d0-8c52-00c04fd90f7e", 33] = "Opnum33NotUsedOnWire",
   ["6bffd098-a112-3610-9833-46c3f87e345a", 23] = "NetrUnjoinDomain2",
   ["6bffd098-a112-3610-9833-46c3f87e345a", 21] = "NetrGetJoinableOUs",
   ["6bffd098-a112-3610-9833-46c3f874532d", 37] = "R_DhcpGetSuperScopeInfoV4",
   ["12345678-1234-abcd-ef00-01234567cffb", 31] = "NetrServerPasswordGet",
   ["2f59a331-bf7d-48cb-9ec5-7c090d76e8b8", 4] = "RpcLicensingSetPolicy",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 78] = "R_DhcpGetOptionValueV6",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 64] = "EnumTasks",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 54] = "ApiSetGroupNodeList",
   ["df1941c5-fe89-4e79-bf10-463657acf44d", 1] = "EfsRpcReadFileRaw",
   ["897e2e5f-93f3-4376-9c9c-fd2277495c27", 13] = "InitializeFileTransferAsync",
   ["21546ae8-4da5-445e-987f-627fea39c5e8", 14] = "IsWSRMActivated",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 26] = "LlsrUserProductDeleteW",
   ["88143fd0-c28d-4b2b-8fef-8d882f6a9390", 9] = "RpcGetEnumResultEx",
   ["c681d488-d850-11d0-8c52-00c04fd90f7e", 25] = "Opnum25NotUsedOnWire",
   ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 14] = "DRSRemoveDsServer",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 13] = "FTEnumVolumes",
   ["12345778-1234-abcd-ef00-0123456789ac", 20] = "SamrQueryInformationGroup",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 33] = "LlsrMappingInfoSetA",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 107] = "ApiUnblockGetNotifyCall",
   ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 22] = "RpcSrvRequestCachedParams",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 8] = "R_DhcpScanMDatabase",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 39] = "ApiSetKeySecurity",
   ["fdf8a2b9-02de-47f4-bc26-aa85ab5e5267", 5] = "CreateVirtualSmartCardWithPinPolicy",
   ["12345678-1234-abcd-ef00-0123456789ab", 96] = "RpcAddDriverCatalog",
   ["12345678-1234-abcd-ef00-0123456789ab", 67] = "RpcRouterRefreshPrinterChangeNotification",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 27] = "R_DhcpGetClassInfo",
   ["12345778-1234-abcd-ef00-0123456789ab", 40] = "LsarSetTrustedDomainInfo",
   ["12345678-1234-abcd-ef00-0123456789ab", 75] = "RpcClusterSplClose",
   ["1a1bb35f-abb8-451c-a1ae-33d98f1bef4a", 3] = "ReportProgress",
   ["12345678-1234-abcd-ef00-01234567cffb", 0] = "NetrLogonUasLogon",
   ["12345678-1234-abcd-ef00-0123456789ab", 90] = "RpcSplOpenPrinter",
   ["367abb81-9844-35f1-ad32-98f038001003", 40] = "QueryServiceStatusEx",
   ["6bffd098-a112-3610-9833-46c3f874532d", 23] = "R_DhcpEnumOptions",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 63] = "R_DhcpGetSubnetInfoV6",
   ["00000131-0000-0000-c000-000000000046", 4] = "RemAddRef",
   ["367abb81-9844-35f1-ad32-98f038001003", 50] = "ControlServiceExA",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 57] = "LlsrServiceInfoSetA",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 30] = "RpcWinStationReadRegistry",
   ["12345678-1234-abcd-ef00-01234567cffb", 43] = "DsrGetForestTrustInformation",
   ["e33c0cc4-0482-101a-bc0c-02608c6ba218", 1] = "I_nsi_lookup_done",
   ["12345778-1234-abcd-ef00-0123456789ab", 39] = "LsarQueryTrustedDomainInfo",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 52] = "ApiMoveGroupToNode",
   ["367abb81-9844-35f1-ad32-98f038001003", 33] = "GetServiceKeyNameA",
   ["59602eb6-57b0-4fd8-aa4b-ebf06971fe15", 19] = "GetCurrentStateAndActivePolicyName",
   ["ccd8c074-d0e5-4a40-92b4-d074faa6ba28", 1] = "WitnessrRegister",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 51] = "RpcServerSetInternetConnectorStatus",
   ["afc07e2e-311c-4435-808c-c483ffeec7c9", 0] = "LsarGetAvailableCAPIDs",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 7] = "ApiCreateEnum",
   ["12345678-1234-abcd-ef00-0123456789ab", 60] = "RpcReplyClosePrinter",
   ["367abb81-9844-35f1-ad32-98f038001003", 10] = "ScSetServiceBitsW",
   ["00020400-0000-0000-c000-000000000046", 4] = "GetTypeInfo",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 32] = "PNP_DisableDevInst",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 46] = "DiskMerge",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 106] = "R_DhcpV4QueryPolicyEnforcement",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 27] = "NetrServerTransportDel",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 66] = "RRPC_FWSetFirewallRule2_20",
   ["86d35949-83c9-4044-b424-db363231fd0c", 2] = "SchRpcRetrieveTask",
   ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 11] = "EvtRpcQueryNext",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 52] = "NetrDfsManagerReportSiteInfo",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 46] = "RpcAsyncGetPrintProcessorDirectory",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 80] = "RRPC_FWEnumFirewallRules2_26",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 15] = "AudioSessionIsSystemSoundsSession",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 6] = "LlsrProductEnumW",
   ["bde95fdf-eee0-45de-9e12-e5a61cd0d4fe", 1] = "RpcGetConfigData",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 29] = "R_DhcpGetAllOptions",
   ["12345778-1234-abcd-ef00-0123456789ac", 9] = "SamrSetInformationDomain",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 29] = "CreateVolume",
   ["6bffd098-a112-3610-9833-46c3f874532d", 5] = "R_DhcpEnumSubnetElements",
   ["12b81e99-f207-4a4c-85d3-77b42f76fd14", 0] = "SeclCreateProcessWithLogonW",
   ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 26] = "BackupCloseFile",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 120] = "R_DhcpV4GetFreeIPAddress",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 4] = "R_DhcpAddMScopeElement",
   ["12345778-1234-abcd-ef00-0123456789ac", 50] = "SamrCreateUser2InDomain",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 26] = "NetrServerTransportEnum",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 37] = "R_DhcpAddSubnetElementV5",
   ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 4] = "SetAttributes",
   ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5", 13] = "winmmAdvisePreferredDeviceChange",
   ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4", 14] = "nsi_entry_object_inq_done",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 22] = "R_DhcpEnumOptionValuesV5",
   ["12345778-1234-abcd-ef00-0123456789ac", 49] = "SamrGetDisplayEnumerationIndex2",
   ["708cca10-9569-11d1-b2a5-0060977d8118", 6] = "S_DSIsServerGC",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 43] = "NetrDfsGetVersion",
   ["12345778-1234-abcd-ef00-0123456789ac", 6] = "SamrEnumerateDomainsInSamServer",
   ["708cca10-9569-11d1-b2a5-0060977d8118", 2] = "S_DSGetPropsGuidEx",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 7] = "RpcWinStationSendMessage",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 25] = "R_DhcpModifyClass",
   ["811109bf-a4e1-11d1-ab54-00a0c91e9b45", 0] = "R_WinsTombstoneDbRecs",
   ["112b1dff-d9dc-41f7-869f-d67fee7cb591", 3] = "CreateVirtualSmartCard",
   ["12345778-1234-abcd-ef00-0123456789ac", 14] = "SamrCreateAliasInDomain",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 60] = "Opnum60NotUsedOnWire",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 33] = "RpcWinStationNotifyLogoff",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 13] = "RpcWinStationDisconnect",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 56] = "AudioVolumeSetMute",
   ["c681d488-d850-11d0-8c52-00c04fd90f7e", 37] = "Opnum37NotUsedOnWire",
   ["6bffd098-a112-3610-9833-46c3f874532d", 19] = "R_DhcpDeleteClientInfo",
   ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5", 0] = "gfxCreateZoneFactoriesList",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 28] = "RRPC_FWEnumPhase2SAs",
   ["338cd001-2244-31f1-aaaa-900038001003", 32] = "OpenPerformanceText",
   ["12345778-1234-abcd-ef00-0123456789ab", 22] = "LsarSetQuotasForAccount",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 58] = "RpcWinStationUpdateSettings",
   ["12345778-1234-abcd-ef00-0123456789ac", 17] = "SamrLookupNamesInDomain",
   ["a4f1db00-ca47-1067-b31f-00dd010662da", 8] = "EcRNetGetDCName",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 18] = "ApiOfflineResource",
   ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 16] = "EvtRpcRetractConfig",
   ["367abb81-9844-35f1-ad32-98f038001003", 17] = "QueryServiceConfigW",
   ["77df7a80-f298-11d0-8358-00a024c480a8", 3] = "S_DSSetProps",
   ["4fc742e0-4a10-11cf-8273-00aa004ae673", 16] = "NetrDfsGetDcAddress",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 8] = "NetrConnectionEnum",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 22] = "AudioSessionGetMute",
   ["df1941c5-fe89-4e79-bf10-463657acf44d", 14] = "Opnum14NotUsedOnWire",
   ["c681d488-d850-11d0-8c52-00c04fd90f7e", 14] = "Opnum14NotUsedOnWire",
   ["12345778-1234-abcd-ef00-0123456789ab", 34] = "LsarDeleteObject",
   ["82ad4280-036b-11cf-972c-00aa006887b0", 0] = "R_InetInfoGetVersion",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 53] = "GetEncapsulateDiskInfoEx",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 23] = "RRPC_FWSetCryptoSet",
   ["50abc2a4-574d-40b3-9d66-ee4fd5fba076", 2] = "DnssrvComplexOperation",
   ["12345778-1234-abcd-ef00-0123456789ab", 89] = "LsarLookupAuditSubCategoryName",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 50] = "RRPC_FWSetConnectionSecurityRule2_10",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 0] = "AudioServerConnect",
   ["12345678-1234-abcd-ef00-0123456789ab", 94] = "RpcFlushPrinter",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 49] = "RRPC_FWAddConnectionSecurityRule2_10",
   ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 23] = "RpcSrvRegisterConnectionStateNotification",
   ["fc910418-55ca-45ef-b264-83d4ce7d30e0", 8] = "SetRemoteUserCategories",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 28] = "AudioSessionGetAllVolumes",
   ["a8e0653c-2744-4389-a61d-7373df8b2292", 5] = "ExposeShadowCopySet",
   ["12345678-1234-abcd-ef00-0123456789ab", 50] = "RpcDeletePrintProvidor",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 7] = "AudioServerGetMixFormat",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 23] = "RpcAsyncGetForm",
   ["6bffd098-a112-3610-9833-012892020162", 9] = "BrowserrSetNetlogonState",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 71] = "RpcAsyncSetJobNamedProperty",
   ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 7] = "IsValidCertificate",
   ["367abb81-9844-35f1-ad32-98f038001003", 24] = "CreateServiceA",
   ["12345678-1234-abcd-ef00-0123456789ab", 61] = "RpcAddPortEx",
   ["df1941c5-fe89-4e79-bf10-463657acf44d", 38] = "Opnum38NotUsedOnWire",
   ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 6] = "RpcSrvFallbackRefreshParams",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 30] = "R_DhcpGetAllOptionValues",
   ["68b58241-c259-4f03-a2e5-a2651dcbc930", 1] = "KSrGetTemplates",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 80] = "LlsrCapabilityGet",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 64] = "RpcAsyncGetCorePrinterDrivers",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 4] = "EnumDiskRegionsEx",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 74] = "LlsrCertificateClaimAddCheckW",
   ["367abb81-9844-35f1-ad32-98f038001003", 9] = "NotifyBootConfigStatus",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 43] = "RRPC_FWEnumAdapters",
   ["e1af8308-5d1f-11c9-91a4-08002b14a0fa", 4] = "ept_lookup_handle_free",
   ["e33c0cc4-0482-101a-bc0c-02608c6ba218", 6] = "I_nsi_entry_object_inq_begin",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 9] = "RpcAsyncGetPrinter",
   ["df1941c5-fe89-4e79-bf10-463657acf44d", 40] = "Opnum40NotUsedOnWire",
   ["8fb6d884-2388-11d0-8c35-00c04fda2795", 4] = "W32TimeQueryProviderConfiguration",
   ["2f5f3220-c126-1076-b549-074d078619da", 11] = "NDdeSetTrustedShareA",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 63] = "Opnum63NotUsedOnWire",
   ["6bffd098-a112-3610-9833-46c3f87e345a", 11] = "NetrUseEnum",
   ["6bffd098-a112-3610-9833-46c3f874532d", 27] = "R_DhcpScanDatabase",
   ["f50aac00-c7f3-428e-a022-a6b71bfb9d43", 1] = "SSCatDBDeleteCatalog",
   ["027947e1-d731-11ce-a357-000000000001", 5] = "NextAsync",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 48] = "ReplaceRaid5Column",
   ["6bffd098-a112-3610-9833-46c3f874532d", 31] = "R_DhcpRemoveSubnetElementV4",
   ["00020401-0000-0000-c000-000000000046", 6] = "GetVarDesc",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 17] = "RpcWinStationShadow",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 11] = "Eject",
   ["12345678-1234-abcd-ef00-01234567cffb", 40] = "DsrEnumerateDomainTrusts",
   ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 26] = "R_KeyExchangePhase1",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 56] = "PNP_QueryArbitratorFreeData",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 31] = "PNP_SetDeviceProblem",
   ["367abb81-9844-35f1-ad32-98f038001003", 36] = "ChangeServiceConfig2A",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 44] = "LlsrServerEnumW",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 9] = "ApiCreateResource",
   ["000001a0-0000-0000-c000-000000000046", 3] = "RemoteGetClassObject",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 10] = "LlsrProductUserEnumW",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 75] = "LlsrCertificateClaimAddA",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 29] = "RpcAsyncEnumPrinterKey",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 14] = "PNP_SetDeviceRegProp",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 55] = "R_DhcpGetAllOptionsV6",
   ["77df7a80-f298-11d0-8358-00a024c480a8", 7] = "S_DSLookupNext",
   ["df1941c5-fe89-4e79-bf10-463657acf44d", 2] = "EfsRpcWriteFileRaw",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 41] = "PNP_GetHwProfInfo",
   ["12345778-1234-abcd-ef00-0123456789ab", 11] = "LsarEnumerateAccounts",
   ["481e06cf-ab04-4498-8ffe-124a0a34296d", 10] = "DeleteCalendar",
   ["12345778-1234-abcd-ef00-0123456789ac", 5] = "SamrLookupDomainInSamServer",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 59] = "RRPC_FWSetConnectionSecurityRule2_20",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 21] = "RpcAsyncAddForm",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 10] = "RRPC_FWGetConfig",
   ["45f52c28-7f9f-101a-b52b-08002b2efabe", 5] = "R_WinsGetDbRecs",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 86] = "ApiGetNetworkId",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 70] = "Refresh",
   ["4b112204-0e19-11d3-b42b-0000f81feb9f", 13] = "DisableDeviceHost",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 12] = "RpcWinStationBeepOpen",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 49] = "Opnum49NotUsedOnWire",
   ["2f5f3220-c126-1076-b549-074d078619da", 3] = "NDdeGetShareSecurityA",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 15] = "PNP_GetClassInstance",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 10] = "ApiDeleteResource",
   ["12345778-1234-abcd-ef00-0123456789ab", 77] = "LsarLookupNames4",
   ["86d35949-83c9-4044-b424-db363231fd0c", 0] = "SchRpcHighestVersion",
   ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5", 10] = "winmmUnregisterSessionNotification",
   ["12345678-1234-abcd-ef00-0123456789ab", 59] = "RpcRouterReplyPrinter",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 0] = "NetrCharDevEnum",
   ["a8e0653c-2744-4389-a61d-7373df8b2292", 8] = "IsPathSupported",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 52] = "RRPC_FWAddAuthenticationSet2_10",
   ["1ff70682-0a51-30e8-076d-740be8cee98b", 2] = "NetrJobEnum",
   ["12345778-1234-abcd-ef00-0123456789ac", 24] = "SamrRemoveMemberFromGroup",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 23] = "R_DhcpRemoveOptionValueV5",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 4] = "RRPC_FWSetGlobalConfig",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 49] = "AudioVolumeSetMasterVolumeLevelScalar",
   ["99fcfec4-5260-101b-bbcb-00aa0021347a", 1] = "SimplePing",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 3] = "AudioServerGetAudioSession",
   ["12345678-1234-abcd-ef00-01234567cffb", 27] = "DsrGetDcNameEx",
   ["57674cd0-5200-11ce-a897-08002b2e9c6d", 1] = "LlsrLicenseFree",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 47] = "LlsrServerProductEnumA",
   ["45f52c28-7f9f-101a-b52b-08002b2efabe", 3] = "R_WinsDoStaticInit",
   ["2f59a331-bf7d-48cb-9ec5-7c090d76e8b8", 1] = "RpcLicensingCloseServer",
   ["12345778-1234-abcd-ef00-0123456789ac", 28] = "SamrQueryInformationAlias",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 113] = "R_DhcpV4AddPolicyRange",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 122] = "R_DhcpV4CreateClientInfo",
   ["77df7a80-f298-11d0-8358-00a024c480a8", 6] = "S_DSLookupBegin",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 56] = "LlsrServiceInfoSetW",
   ["6bffd098-a112-3610-9833-46c3f874532d", 18] = "R_DhcpGetClientInfo",
   ["f5cc5a18-4264-101a-8c59-08002b2f8426", 9] = "NspiGetProps",
   ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5", 14] = "winmmGetPnpInfo",
   ["12345678-1234-abcd-ef00-0123456789ab", 72] = "RpcEnumPrinterData",
   ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 8] = "DRSVerifyNames",
   ["12345678-1234-abcd-ef00-01234567cffb", 22] = "NetrLogonSetServiceBits",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 41] = "RpcWinStationBreakPoint",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 41] = "RpcAsyncGetPrinterDriverDirectory",
   ["3919286a-b10c-11d0-9ba8-00c04fd92ef5", 2] = "DsRolerDcAsDc",
   ["a4f1db00-ca47-1067-b31f-00dd010662da", 1] = "EcDoDisconnect",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 40] = "ApiGetKeySecurity",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 4] = "RpcWinStationRename",
   ["6bffd098-a112-3610-9833-46c3f874532d", 34] = "R_DhcpGetClientInfoV4",
   ["5422fd3a-d4b8-4cef-a12e-e87d4ca22e90", 6] = "Request2",
   ["77df7a80-f298-11d0-8358-00a024c480a8", 25] = "Opnum25NotUsedOnWire",
   ["0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7", 5] = "AuthrzModifyClaims",
   ["77df7a80-f298-11d0-8358-00a024c480a8", 15] = "Opnum15NotUsedOnWire",
   ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 6] = "EnumKeys",
   ["12345778-1234-abcd-ef00-0123456789ab", 6] = "LsarOpenPolicy",
   ["df1941c5-fe89-4e79-bf10-463657acf44d", 9] = "EfsRpcAddUsersToFile",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 11] = "NetrFileClose",
   ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 0] = "RpcSrvEnableDhcp",
   ["12345678-1234-abcd-ef00-0123456789ab", 82] = "RpcDeletePrinterKey",
   ["367abb81-9844-35f1-ad32-98f038001003", 8] = "UnlockServiceDatabase",
   ["e65e8028-83e8-491b-9af7-aaf6bd51a0ce", 5] = "GetRawReportEx",
   ["11899a43-2b68-4a76-92e3-a3d6ad8c26ce", 2] = "RpcWaitAsyncNotification",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 8] = "LlsrProductAddW",
   ["6bffd098-a112-3610-9833-46c3f87e345a", 29] = "NetrSetPrimaryComputerName",
   ["12345778-1234-abcd-ef00-0123456789ac", 57] = "SamrConnect2",
   ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 8] = "EvtRpcLocalizeExportLog",
   ["82ad4280-036b-11cf-972c-00aa006887b0", 13] = "R_FtpClearStatistics2",
   ["8d0ffe72-d252-11d0-bf8f-00c04fd9126b", 3] = "KeyrEnumerateProvContainers",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 64] = "RRPC_FWQueryAuthenticationSets2_20",
   ["e8fb8620-588f-11d2-9d61-00c04f79c5fe", 9] = "Reboot",
   ["a8e0653c-2744-4389-a61d-7373df8b2292", 4] = "CommitShadowCopySet",
   ["e65e8028-83e8-491b-9af7-aaf6bd51a0ce", 3] = "GetReport",
   ["4fc742e0-4a10-11cf-8273-00aa004ae673", 7] = "NetrDfsMove",
   ["4b112204-0e19-11d3-b42b-0000f81feb9f", 6] = "InitializeSyncHandle",
   ["4b112204-0e19-11d3-b42b-0000f81feb9f", 14] = "SetICSInterfaces",
   ["21546ae8-4da5-445e-987f-627fea39c5e8", 9] = "IsEnabled",
   ["00000143-0000-0000-c000-000000000046", 3] = "RemQueryInterface",
   ["afa8bd80-7d8a-11c9-bef4-08002b102989", 2] = "is_server_listening",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 87] = "R_DhcpSetDnsRegCredentialsV5",
   ["c681d488-d850-11d0-8c52-00c04fd90f7e", 31] = "Opnum31NotUsedOnWire",
   ["6bffd098-a112-3610-9833-46c3f874532d", 13] = "R_DhcpGetOptionValue",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 47] = "RRPC_FWSetFirewallRule2_10",
   ["338cd001-2244-31f1-aaaa-900038001003", 10] = "BaseRegEnumValue",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 59] = "Opnum59NotUsedOnWire",
   ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 5] = "ResubmitRequest",
   ["12345678-1234-abcd-ef00-01234567cffb", 47] = "unused",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 66] = "ApiOpenNode",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 94] = "R_DhcpV4FailoverAddScopeToRelationship",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 17] = "RpcAsyncGetPrinterDataEx",
   ["481e06cf-ab04-4498-8ffe-124a0a34296d", 12] = "ComputeEvents",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 70] = "HrGetErrorData",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 55] = "AudioVolumeGetChannelVolumeLevelScalar",
   ["88143fd0-c28d-4b2b-8fef-8d882f6a9390", 5] = "RpcGetEnumResult",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 10] = "R_DhcpSetMClientInfo",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 32] = "PolicyConfigSetDeviceFormat",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 52] = "QueryChangePartitionNumbers",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 49] = "RpcAsyncAddPort",
   ["6bffd098-a112-3610-9833-46c3f87e345a", 13] = "NetrWorkstationStatisticsGet",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 13] = "RpcAsyncEndPagePrinter",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 79] = "R_DhcpSetSubnetDelayOffer",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 5] = "CreatePartition",
   ["59602eb6-57b0-4fd8-aa4b-ebf06971fe15", 16] = "GetProcessList",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 45] = "AudioVolumeConnect",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 69] = "AbortTask",
   ["367abb81-9844-35f1-ad32-98f038001003", 43] = "ScSendTSMessage",
   ["897e2e5f-93f3-4376-9c9c-fd2277495c27", 15] = "RawGetFileDataAsync",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 38] = "SplitMirror",
   ["82273fdc-e32a-18c3-3f78-827929dc23ea", 12] = "ElfrClearELFA",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 69] = "RpcAsyncResetPrinter",
   ["8d0ffe72-d252-11d0-bf8f-00c04fd9126b", 9] = "KeyrImportCert",
   ["82ad4280-036b-11cf-972c-00aa006887b0", 7] = "R_InetInfoClearStatistics",
   ["6bffd098-a112-3610-9833-46c3f874532d", 38] = "R_DhcpDeleteSuperScopeV4",
   ["20d15747-6c48-4254-a358-65039fd8c63c", 16] = "GetCompressedReport",
   ["bde95fdf-eee0-45de-9e12-e5a61cd0d4fe", 11] = "RpcQuerySessionData",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 31] = "R_DhcpGetMCastMibInfo",
   ["2f5f6520-ca46-1067-b319-00dd010662da", 0] = "ClientAttach",
   ["77df7a80-f298-11d0-8358-00a024c480a8", 2] = "S_DSGetProps",
   ["12345678-1234-abcd-ef00-01234567cffb", 39] = "NetrLogonSamLogonEx",
   ["29822ab7-f302-11d0-9953-00c04fd919c1", 6] = "AppGetStatus",
   ["12345678-1234-abcd-ef00-0123456789ab", 21] = "RpcAbortPrinter",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 68] = "LlsrProductSecuritySetA",
   ["12345678-1234-abcd-ef00-0123456789ab", 58] = "RpcReplyOpenPrinter",
   ["e8fb8620-588f-11d2-9d61-00c04f79c5fe", 8] = "Start",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 16] = "NetrShareGetInfo",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 21] = "AudioSessionSetVolume",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 49] = "NetrDfsDeleteExitPoint",
   ["6bffd098-a112-3610-9833-46c3f87e345a", 15] = "NetrLogonDomainNameDel",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 36] = "AddMirror",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 51] = "AudioVolumeGetMasterVolumeLevelScalar",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 34] = "GrowVolume",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 77] = "AddAccessPath",
   ["00020401-0000-0000-c000-000000000046", 8] = "GetRefTypeOfImplType",
   ["c5cebee2-9df5-4cdd-a08c-c2471bc144b4", 15] = "GetServerName",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 2] = "AudioServerInitialize",
   ["12345778-1234-abcd-ef00-0123456789ab", 67] = "CredrProfileLoaded",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 57] = "ApiAddNotifyCluster",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 7] = "NetrCharDevQPurgeSelf",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 71] = "RRPC_FWSetFirewallRule2_24",
   ["00020401-0000-0000-c000-000000000046", 4] = "GetTypeComp",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 40] = "UninitializeDisk",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 67] = "ApiCloseNode",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 19] = "RpcAsyncSetPrinterDataEx",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 20] = "FTReplaceParityStripePartition",
   ["86d35949-83c9-4044-b424-db363231fd0c", 15] = "SchRpcScheduledRuntimes",
   ["f5cc5a18-4264-101a-8c59-08002b2f8426", 6] = "NspiResortRestriction",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 49] = "RestartVolume",
   ["f309ad18-d86a-11d0-a075-00c04fb68820", 3] = "EstablishPosition",
   ["e33c0cc4-0482-101a-bc0c-02608c6ba218", 3] = "I_nsi_entry_object_inq_next",
   ["a8e0653c-2744-4389-a61d-7373df8b2292", 3] = "AddToShadowCopySet",
   ["12345678-1234-abcd-ef00-0123456789ab", 46] = "RpcAddMonitor",
   ["82273fdc-e32a-18c3-3f78-827929dc23ea", 10] = "ElfrReadELW",
   ["20d15747-6c48-4254-a358-65039fd8c63c", 9] = "GetReport",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 47] = "R_DhcpCreateOptionV6",
   ["6bffd098-a112-3610-9833-46c3f87e345a", 16] = "NetrJoinDomain",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 38] = "NetrShareDelCommit",
   ["c681d488-d850-11d0-8c52-00c04fd90f7e", 17] = "Opnum17NotUsedOnWire",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 42] = "RpcWinStationCheckForApplicationName",
   ["8d0ffe72-d252-11d0-bf8f-00c04fd9126b", 4] = "KeyrCloseKeyService",
   ["12345678-1234-abcd-ef00-0123456789ab", 38] = "RpcConfigurePort",
   ["338cd001-2244-31f1-aaaa-900038001003", 34] = "BaseRegQueryMultipleValues2",
   ["12345778-1234-abcd-ef00-0123456789ac", 35] = "SamrDeleteUser",
   ["12345778-1234-abcd-ef00-0123456789ab", 25] = "LsarOpenTrustedDomain",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 65] = "AudioVolumeStepUp",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 0] = "LlsrConnect",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 32] = "CreateVolumeAssignAndFormatEx",
   ["12345678-1234-abcd-ef00-0123456789ab", 41] = "RpcPlayGdiScriptOnPrinterIC",
   ["e33c0cc4-0482-101a-bc0c-02608c6ba218", 2] = "I_nsi_lookup_next",
   ["df1941c5-fe89-4e79-bf10-463657acf44d", 6] = "EfsRpcQueryUsersOnFile",
   ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 3] = "RpcSrvReleaseLease",
   ["12345778-1234-abcd-ef00-0123456789ab", 35] = "LsarEnumerateAccountsWithUserRight",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 43] = "R_DhcpSetDnsRegCredentials",
   ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 23] = "BackupGetBackupLogs",
   ["88143fd0-c28d-4b2b-8fef-8d882f6a9390", 10] = "RpcGetAllSessions",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 96] = "R_DhcpV4FailoverGetScopeRelationship",
   ["01954e6b-9254-4e6e-808c-c9e05d007696", 4] = "Skip",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 3] = "NetrCharDevQEnum",
   ["0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53", 3] = "ItSrvSetDetectionParameters",
   ["9556dc99-828c-11cf-a37e-00aa003240c7", 11] = "DeleteClassAsync",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 131] = "R_DhcpV4CreateClientInfoEx",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 60] = "Opnum60NotUsedOnWire",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 40] = "RRPC_FWQueryAuthenticationSets",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 39] = "RemoveMirror",
   ["df1941c5-fe89-4e79-bf10-463657acf44d", 13] = "EfsRpcDuplicateEncryptionInfoFile",
   ["497d95a6-2d27-4bf5-9bbd-a6046957133c", 4] = "RpcIsListening",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 7] = "LlsrProductEnumA",
   ["f5cc59b4-4264-101a-8c59-08002b2f8426", 1] = "FrsRpcVerifyPromotionParent",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 58] = "R_DhcpEnumSubnetsV6",
   ["4b112204-0e19-11d3-b42b-0000f81feb9f", 0] = "RegisterServiceRpc",
   ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 6] = "DenyRequest",
   ["7fe0d935-dda6-443f-85d0-1cfb58fe41dd", 42] = "GetOfficerRights",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 16] = "LlsrUserEnumW",
   ["12345678-1234-abcd-ef00-01234567cffb", 26] = "NetrServerAuthenticate3",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 51] = "ReplaceRaid5Column",
   ["df1941c5-fe89-4e79-bf10-463657acf44d", 34] = "Opnum34NotUsedOnWire",
   ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 28] = "ImportCertificate",
   ["12345678-1234-abcd-ef00-0123456789ab", 76] = "RpcClusterSplIsAlive",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 125] = "R_DhcpV4FailoverGetAddressStatus",
   ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 30] = "EnumBackups",
   ["afa8bd80-7d8a-11c9-bef4-08002b102989", 1] = "inq_stats",
   ["50abc2a4-574d-40b3-9d66-ee4fd5fba076", 5] = "DnssrvOperation2",
   ["481e06cf-ab04-4498-8ffe-124a0a34296d", 15] = "ModifySchedule",
   ["0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53", 2] = "ItSrvProcessIdleTasks",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 3] = "R_DhcpEnumMScopes",
   ["12345678-1234-abcd-ef00-0123456789ab", 17] = "RpcStartDocPrinter",
   ["d99e6e70-fc88-11d0-b498-00a0c90312f3", 4] = "GetCACert",
   ["9556dc99-828c-11cf-a37e-00aa003240c7", 21] = "ExecQueryAsync",
   ["12345778-1234-abcd-ef00-0123456789ab", 3] = "LsarQuerySecurityObject",
   ["338cd001-2244-31f1-aaaa-900038001003", 14] = "BaseRegNotifyChangeKeyValue",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 45] = "ApiGetGroupState",
   ["4f7ca01c-a9e5-45b6-b142-2332a1339c1d", 9] = "ExecuteAccountingQuery",
   ["8fb6d884-2388-11d0-8c35-00c04fda2795", 5] = "W32TimeQueryConfiguration",
   ["4f7ca01c-a9e5-45b6-b142-2332a1339c1d", 16] = "DumpAccountingData",
   ["8fb6d884-2388-11d0-8c35-00c04fda2795", 0] = "W32TimeSync",
   ["1ff70682-0a51-30e8-076d-740be8cee98b", 3] = "NetrJobGetInfo",
   ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 3] = "EvtRpcRemoteSubscriptionWaitAsync",
   ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 13] = "RpcSrvEnumInterfaces",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 102] = "ApiGetClusterVersion2",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 77] = "RRPC_FWQueryFirewallRules2_25",
   ["9556dc99-828c-11cf-a37e-00aa003240c7", 5] = "QueryObjectSink",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 44] = "NetrDfsCreateLocalPartition",
   ["82273fdc-e32a-18c3-3f78-827929dc23ea", 13] = "ElfrBackupELFA",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 5] = "RpcWinStationQueryInformation",
   ["12345778-1234-abcd-ef00-0123456789ac", 22] = "SamrAddMemberToGroup",
   ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4", 20] = "nsi_mgmt_inq_exp_age",
   ["d95afe70-a6d5-4259-822e-2c84da1ddb0d", 1] = "WsdrAbortShutdown",
   ["ccd8c074-d0e5-4a40-92b4-d074faa6ba28", 4] = "WitnessrRegisterEx",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 13] = "LlsrProductServerEnumA",
   ["3919286a-b10c-11d0-9ba8-00c04fd92ef5", 1] = "DsRolerDnsNameToFlatName",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 79] = "ApiNodeControl",
   ["c681d488-d850-11d0-8c52-00c04fd90f7e", 3] = "EfsRpcCloseRaw",
   ["00020401-0000-0000-c000-000000000046", 16] = "CreateInstance",
   ["12345778-1234-abcd-ef00-0123456789ab", 73] = "LsarQueryForestTrustInformation",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 64] = "R_DhcpEnumSubnetClientsV6",
   ["3919286a-b10c-11d0-9ba8-00c04fd92ef5", 0] = "DsRolerGetPrimaryDomainInformation",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 47] = "PNP_AddResDes",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 2] = "RRPC_FWRestoreDefaults",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 29] = "ApiCreateKey",
   ["bd0c73bc-805b-4043-9c30-9a28d64dd7d2", 23] = "ImportFromBlobGetHash",
   ["ae1c7110-2f60-11d3-8a39-00c04f72d8e3", 4] = "Skip",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 7] = "CreatePartitionAssignandFormatEx",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 12] = "RpcAsyncWritePrinter",
   ["6bffd098-a112-3610-9833-46c3f874532d", 49] = "R_DhcpGetSubnetInfoVQ",
   ["12345778-1234-abcd-ef00-0123456789ab", 74] = "LsarSetForestTrustInformation",
   ["12345778-1234-abcd-ef00-0123456789ab", 81] = "LsarAdtReportSecurityEvent",
   ["df1941c5-fe89-4e79-bf10-463657acf44d", 4] = "EfsRpcEncryptFileSrv",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 100] = "R_DhcpV4FailoverTriggerAddrAllocation",
   ["c5cebee2-9df5-4cdd-a08c-c2471bc144b4", 7] = "RetrieveEventList",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 74] = "PNP_DeleteServiceDevices",
   ["12345678-1234-abcd-ef00-0123456789ab", 57] = "RpcRouterFindFirstPrinterChangeNotificationOld",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 50] = "Opnum50NotUsedOnWire",
   ["00000143-0000-0000-c000-000000000046", 5] = "RemRelease",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 66] = "RpcConnectCallback",
   ["00020400-0000-0000-c000-000000000046", 6] = "Invoke",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 24] = "EnumLocalFileSystems",
   ["12345678-1234-abcd-ef00-0123456789ab", 53] = "RpcGetPrinterDriver2",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 38] = "R_DhcpEnumSubnetElementsV5",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 2] = "ApiSetClusterName",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 63] = "RpcWinStationUpdateClientCachedCredentials",
   ["59602eb6-57b0-4fd8-aa4b-ebf06971fe15", 8] = "CreatePolicy",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 18] = "RpcAsyncSetPrinterData",
   ["034634fd-ba3f-11d1-856a-00a0c944138c", 8] = "TerminateSession",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 98] = "ApiNetInterfaceControl",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 53] = "NetrServerTransportDelEx",
   ["88143fd0-c28d-4b2b-8fef-8d882f6a9390", 6] = "RpcFilterBySessionType",
   ["00000000-0000-0000-c000-000000000046", 2] = "Opnum2NotUsedOnWire",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 104] = "ApiBackupClusterDatabase",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 1] = "ApiCloseCluster",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 21] = "LlsrUserInfoSetA",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 30] = "CreateVolume",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 18] = "FTRegenerateParityStripe",
   ["6bffd098-a112-3610-9833-46c3f87e345a", 31] = "NetrWorkstationResetDfsCache",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 16] = "PNP_CreateKey",
   ["12345678-1234-abcd-ef00-01234567cffb", 42] = "NetrServerTrustPasswordsGet",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 73] = "PNP_SetActiveService",
   ["44e265dd-7daf-42cd-8560-3cdb6e7a2729", 0] = "Opnum0NotUsedOnWire",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 17] = "FTResyncMirror",
   ["82273fdc-e32a-18c3-3f78-827929dc23ea", 8] = "ElfrRegisterEventSourceW",
   ["12345678-1234-abcd-ef00-01234567cffb", 5] = "NetrServerAuthenticate",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 36] = "ApiEnumValue",
   ["6bffd098-a112-3610-9833-46c3f874532d", 8] = "R_DhcpCreateOption",
   ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4", 9] = "nsi_profile_elt_inq_begin",
   ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 10] = "EvtRpcMessageRenderDefault",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 58] = "PNP_RunDetection",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 0] = "PNP_Disconnect",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 27] = "RpcAsyncEnumPrinterData",
   ["f5cc5a18-4264-101a-8c59-08002b2f8426", 1] = "NspiUnbind",
   ["0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7", 3] = "AuthrzAccessCheck",
   ["3919286a-b10c-11d0-9ba8-00c04fd92ef5", 6] = "DsRolerGetDcOperationResults",
   ["82ad4280-036b-11cf-972c-00aa006887b0", 10] = "R_W3QueryStatistics2",
   ["5422fd3a-d4b8-4cef-a12e-e87d4ca22e90", 7] = "GetCAProperty",
   ["12345678-1234-abcd-ef00-0123456789ab", 86] = "RpcDeletePerMachineConnection",
   ["29822ab7-f302-11d0-9953-00c04fd919c1", 8] = "AppRecover",
   ["df1941c5-fe89-4e79-bf10-463657acf44d", 29] = "Opnum29NotUsedOnWire",
   ["12345778-1234-abcd-ef00-0123456789ab", 78] = "LsarOpenPolicySce",
   ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c3", 0] = "nsi_binding_export",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 82] = "R_DhcpAddFilterV4",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 102] = "R_DhcpV4SetOptionValues",
   ["12345778-1234-abcd-ef00-0123456789ac", 23] = "SamrDeleteGroup",
   ["bd0c73bc-805b-4043-9c30-9a28d64dd7d2", 20] = "Opnum20NotUsedOnWire",
   ["e3d0d746-d2af-40fd-8a7a-0d7078bb7092", 0] = "ExchangePublicKeys",
   ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 1] = "RpcSrvRenewLease",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 58] = "ApiAddNotifyNode",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 76] = "R_DhcpDeleteClassV6",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 42] = "RRPC_FWEnumNetworks",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 37] = "GetMaxAdjustedFreeSpace",
   ["12345778-1234-abcd-ef00-0123456789ac", 62] = "SamrConnect4",
   ["bd0c73bc-805b-4043-9c30-9a28d64dd7d2", 15] = "Opnum15NotUsedOnWire",
   ["c5cebee2-9df5-4cdd-a08c-c2471bc144b4", 13] = "GetServiceList",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 127] = "R_DhcpV4GetPolicyEx",
   ["0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7", 2] = "AuthrzInitializeCompoundContext",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 70] = "RpcAsyncGetJobNamedPropertyValue",
   ["338cd001-2244-31f1-aaaa-900038001003", 12] = "BaseRegGetKeySecurity",
   ["12345678-1234-abcd-ef00-01234567cffb", 4] = "NetrServerReqChallenge",
   ["12345678-1234-abcd-ef00-0123456789ab", 100] = "RpcUploadPrinterDriverPackage",
   ["45f52c28-7f9f-101a-b52b-08002b2efabe", 8] = "R_WinsDelDbRecs",
   ["c5cebee2-9df5-4cdd-a08c-c2471bc144b4", 10] = "ExportXMLFiles",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 42] = "Opnum42NotUsedOnWire",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 21] = "RRPC_FWEnumAuthenticationSets",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 44] = "ApiCloseGroup",
   ["12345678-1234-abcd-ef00-01234567cffb", 35] = "NetrLogonGetTimeServiceParentDomain",
   ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 4] = "RpcSrvSetFallbackParams",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 45] = "NetrDfsDeleteLocalPartition",
   ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 20] = "SaveData",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 49] = "PNP_GetNextResDes",
   ["e1af8308-5d1f-11c9-91a4-08002b14a0fa", 1] = "ept_delete",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 40] = "SplitMirror",
   ["deb01010-3a37-4d26-99df-e2bb6ae3ac61", 3] = "RefreshEx",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 69] = "RpcRemoteAssistancePrepareSystemRestore",
   ["f5cc5a18-4264-101a-8c59-08002b2f8426", 4] = "NspiSeekEntries",
   ["21546ae8-4da5-445e-987f-627fea39c5e8", 7] = "GetConfig",
   ["f5cc59b4-4264-101a-8c59-08002b2f8426", 10] = "FrsRpcVerifyPromotionParentEx",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 2] = "R_DhcpGetMScopeInfo",
   ["12345778-1234-abcd-ef00-0123456789ac", 38] = "SamrChangePasswordUser",
   ["897e2e5f-93f3-4376-9c9c-fd2277495c27", 0] = "CheckConnectivity",
   ["12b81e99-f207-4a4c-85d3-77b42f76fd14", 1] = "SeclCreateProcessWithLogonExW",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 5] = "NetrCharDevQSetInfo",
   ["00020401-0000-0000-c000-000000000046", 9] = "GetImplTypeFlags",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 47] = "ApiGetGroupId",
   ["bd0c73bc-805b-4043-9c30-9a28d64dd7d2", 13] = "Opnum13NotUsedOnWire",
   ["df1941c5-fe89-4e79-bf10-463657acf44d", 12] = "EfsRpcFileKeyInfo",
   ["4fc742e0-4a10-11cf-8273-00aa004ae673", 17] = "NetrDfsSetDcAddress",
   ["338cd001-2244-31f1-aaaa-900038001003", 15] = "BaseRegOpenKey",
   ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 33] = "R_GetServerGuid",
   ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4", 0] = "nsi_group_delete",
   ["12345778-1234-abcd-ef00-0123456789ac", 26] = "SamrSetMemberAttributesOfGroup",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 17] = "R_DhcpEnumOptionsV5",
   ["338cd001-2244-31f1-aaaa-900038001003", 18] = "BaseRegReplaceKey",
   ["e33c0cc4-0482-101a-bc0c-02608c6ba218", 0] = "I_nsi_lookup_begin",
   ["d049b186-814f-11d1-9a3c-00c04fc9b232", 2] = "Opnum2NotUsedOnWire",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 38] = "RRPC_FWQueryConnectionSecurityRules",
   ["12345778-1234-abcd-ef00-0123456789ac", 7] = "SamrOpenDomain",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 48] = "PNP_FreeResDes",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 47] = "AudioVolumeGetChannelCount",
   ["c681d488-d850-11d0-8c52-00c04fd90f7e", 44] = "Opnum44NotUsedOnWire",
   ["88143fd0-c28d-4b2b-8fef-8d882f6a9390", 11] = "RpcGetAllSessionsEx",
   ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5", 4] = "gfxAddGfx",
   ["82273fdc-e32a-18c3-3f78-827929dc23ea", 16] = "ElfrOpenBELA",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 42] = "UninitializeDisk",
   ["12345778-1234-abcd-ef00-0123456789ab", 55] = "LsarOpenTrustedDomainByName",
   ["12345678-1234-abcd-ef00-01234567cffb", 10] = "NetrAccountSync",
   ["4fc742e0-4a10-11cf-8273-00aa004ae673", 10] = "NetrDfsAddFtRoot",
   ["f5cc5a18-4264-101a-8c59-08002b2f8426", 8] = "NspiGetPropList",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 50] = "AudioVolumeGetMasterVolumeLevel",
   ["c5cebee2-9df5-4cdd-a08c-c2471bc144b4", 16] = "GetCurrentMemory",
   ["497d95a6-2d27-4bf5-9bbd-a6046957133c", 0] = "RpcOpenListener",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 31] = "CreateVolumeAssignAndFormat",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 57] = "R_DhcpCreateSubnetV6",
   ["12345778-1234-abcd-ef00-0123456789ab", 26] = "LsarQueryInfoTrustedDomain",
   ["6bffd098-a112-3610-9833-46c3f874532d", 45] = "R_DhcpSetClientInfoVQ",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 19] = "RpcWinStationShadowTarget",
   ["12345778-1234-abcd-ef00-0123456789ab", 2] = "LsarEnumeratePrivileges",
   ["c681d488-d850-11d0-8c52-00c04fd90f7e", 21] = "EfsRpcEncryptFileExServ",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 57] = "RpcAsyncEnumPerMachineConnections",
   ["f50aac00-c7f3-428e-a022-a6b71bfb9d43", 0] = "SSCatDBAddCatalog",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 62] = "RRPC_FWAddAuthenticationSet2_20",
   ["57674cd0-5200-11ce-a897-08002b2e9c6d", 0] = "LlsrLicenseRequestW",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 49] = "ApiOnlineGroup",
   ["c681d488-d850-11d0-8c52-00c04fd90f7e", 27] = "Opnum27NotUsedOnWire",
   ["d049b186-814f-11d1-9a3c-00c04fc9b232", 10] = "NtFrsApi_Rpc_ForceReplication",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 54] = "AudioVolumeGetChannelVolumeLevel",
   ["367abb81-9844-35f1-ad32-98f038001003", 29] = "QueryServiceConfigA",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 23] = "FreeDriveLetter",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 50] = "LlsrLocalProductInfoGetW",
   ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4", 5] = "nsi_group_mbr_inq_done",
   ["01954e6b-9254-4e6e-808c-c9e05d007696", 5] = "Reset",
   ["c681d488-d850-11d0-8c52-00c04fd90f7e", 5] = "EfsDecryptFileSrv",
   ["2f5f3220-c126-1076-b549-074d078619da", 13] = "NDdeGetTrustedShareA",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 38] = "AudioSessionManagerDestroy",
   ["01954e6b-9254-4e6e-808c-c9e05d007696", 3] = "Next",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 40] = "RpcWinStationNtsdDebug",
   ["12345778-1234-abcd-ef00-0123456789ac", 36] = "SamrQueryInformationUser",
   ["367abb81-9844-35f1-ad32-98f038001003", 41] = "EnumServicesStatusExA",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 9] = "LlsrProductAddA",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 75] = "RpcWinStationOpenSessionDirectory",
   ["8298d101-f992-43b7-8eca-5052d885b995", 36] = "Export",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 81] = "LlsrLocalServiceEnumW",
   ["df1941c5-fe89-4e79-bf10-463657acf44d", 21] = "EfsRpcEncryptFileExServ",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 70] = "RRPC_FWAddFirewallRule2_24",
   ["f5cc5a18-4264-101a-8c59-08002b2f8426", 5] = "NspiGetMatches",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 15] = "LlsrProductLicenseEnumA",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 56] = "R_DhcpGetAllOptionValuesV6",
   ["c681d488-d850-11d0-8c52-00c04fd90f7e", 39] = "Opnum39NotUsedOnWire",
   ["8d0ffe72-d252-11d0-bf8f-00c04fd9126b", 12] = "KeyrEnroll_V2",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 39] = "PNP_RequestEjectPC",
   ["12345678-1234-abcd-ef00-0123456789ab", 0] = "RpcEnumPrinters",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 71] = "Initialize",
   ["86d35949-83c9-4044-b424-db363231fd0c", 10] = "SchRpcStopInstance",
   ["6bffd098-a112-3610-9833-46c3f874532d", 4] = "R_DhcpAddSubnetElement",
   ["7fe0d935-dda6-443f-85d0-1cfb58fe41dd", 45] = "SetConfigEntry",
   ["2f59a331-bf7d-48cb-9ec5-7c090d76e8b8", 5] = "RpcLicensingGetAvailablePolicyIds",
   ["22e5386d-8b12-4bf0-b0ec-6a1ea419e366", 0] = "RpcNetEventOpenSession",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 64] = "ApiReAddNotifyResource",
   ["1a927394-352e-4553-ae3f-7cf4aafca620", 0] = "WdsRpcMessage",
   ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c3", 1] = "nsi_binding_unexport",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 65] = "RRPC_FWAddFirewallRule2_20",
   ["8d0ffe72-d252-11d0-bf8f-00c04fd9126b", 5] = "KeyrGetDefaultProvider",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 8] = "RpcLogonIdFromWinStationName",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 55] = "RRPC_FWAddCryptoSet2_10",
   ["367abb81-9844-35f1-ad32-98f038001003", 37] = "ChangeServiceConfig2W",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 30] = "PNP_GetDeviceStatus",
   ["6bffd098-a112-3610-9833-46c3f874532d", 36] = "R_DhcpSetSuperScopeV4",
   ["6bffd098-a112-3610-9833-46c3f874532d", 35] = "R_DhcpEnumSubnetClientsV4",
   ["7fe0d935-dda6-443f-85d0-1cfb58fe41dd", 44] = "GetConfigEntry",
   ["df1941c5-fe89-4e79-bf10-463657acf44d", 20] = "EfsRpcFlushEfsCache",
   ["bc681469-9dd9-4bf4-9b3d-709f69efe431", 11] = "RenameResourceGroup",
   ["12345778-1234-abcd-ef00-0123456789ac", 66] = "SamrSetDSRMPassword",
   ["12345678-1234-abcd-ef00-0123456789ab", 95] = "RpcSendRecvBidiData",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 25] = "RpcWinStationQueryLicense",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 5] = "CreatePartition",
   ["6bffd098-a112-3610-9833-46c3f87e345a", 4] = "NetrWkstaUserSetInfo",
   ["83da7c00-e84f-11d2-9807-00c04f8ec850", 2] = "SfcSrv_FileException",
   ["7c4e1804-e342-483d-a43e-a850cfcc8d18", 9] = "GetProcessMode",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 30] = "LlsrMappingInfoGetW",
   ["300f3532-38cc-11d0-a3f0-0020af6b0add", 12] = "LnkSearchMachine",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 12] = "NetrSessionEnum",
   ["00000143-0000-0000-c000-000000000046", 1] = "AddRef",
   ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 22] = "EvtRpcGetPublisherList",
   ["9556dc99-828c-11cf-a37e-00aa003240c7", 20] = "ExecQuery",
   ["c5cebee2-9df5-4cdd-a08c-c2471bc144b4", 8] = "GetSystemAffinity",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 33] = "GrowVolume",
   ["7fe0d935-dda6-443f-85d0-1cfb58fe41dd", 36] = "GetCASecurity",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 82] = "LlsrLocalServiceEnumA",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 9] = "R_DhcpCreateMClientInfo",
   ["12345778-1234-abcd-ef00-0123456789ac", 41] = "SamrGetDisplayEnumerationIndex",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 77] = "ShutDownSystem",
   ["4f7ca01c-a9e5-45b6-b142-2332a1339c1d", 12] = "DeleteAccountingData",
   ["4fc742e0-4a10-11cf-8273-00aa004ae673", 0] = "NetrDfsManagerGetVersion",
   ["12345778-1234-abcd-ef00-0123456789ab", 52] = "LsarCloseTrustedDomainEx",
   ["300f3532-38cc-11d0-a3f0-0020af6b0add", 3] = "Opnum3NotUsedOnWire",
   ["12345678-1234-abcd-ef00-01234567cffb", 23] = "NetrLogonGetTrustRid",
   ["4fc742e0-4a10-11cf-8273-00aa004ae673", 13] = "NetrDfsRemoveStdRoot",
   ["12345678-1234-abcd-ef00-01234567cffb", 48] = "DsrUpdateReadOnlyServerDnsRecords",
   ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 0] = "EvtRpcRegisterRemoteSubscription",
   ["4b112204-0e19-11d3-b42b-0000f81feb9f", 9] = "GetNotificationRpc",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 86] = "LlsrLocalServiceInfoSetA",
   ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4", 6] = "nsi_profile_delete",
   ["df1941c5-fe89-4e79-bf10-463657acf44d", 10] = "Opnum10NotUsedOnWire",
   ["4f7ca01c-a9e5-45b6-b142-2332a1339c1d", 11] = "GetNextAccountingDataBatch",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 26] = "AudioSessionGetChannelVolume",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 24] = "R_DhcpCreateClass",
   ["367abb81-9844-35f1-ad32-98f038001003", 13] = "EnumDependentServicesW",
   ["2f5f3220-c126-1076-b549-074d078619da", 0] = "NDdeShareAddW",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 39] = "NetrpGetFileSecurity",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 79] = "RRPC_FWSetFirewallRule2_26",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 46] = "ApiSetGroupName",
   ["11899a43-2b68-4a76-92e3-a3d6ad8c26ce", 0] = "RpcWaitForSessionState",
   ["e8fb8620-588f-11d2-9d61-00c04f79c5fe", 11] = "Kill",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 55] = "PNP_SetHwProf",
   ["d3fbb514-0e3b-11cb-8fad-08002b1d29c3", 0] = "nsi_binding_lookup_begin",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 65] = "PNP_GetObjectPropKeys",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 37] = "GetAudioSessionManager",
   ["338cd001-2244-31f1-aaaa-900038001003", 2] = "OpenLocalMachine",
   ["9556dc99-828c-11cf-a37e-00aa003240c7", 18] = "CreateInstanceEnum",
   ["50abc2a4-574d-40b3-9d66-ee4fd5fba076", 8] = "DnssrvEnumRecords2",
   ["12345778-1234-abcd-ef00-0123456789ab", 80] = "LsarAdtUnregisterSecurityEventSource",
   ["12345678-1234-abcd-ef00-01234567cffb", 13] = "NetrGetAnyDCName",
   ["2f5f3220-c126-1076-b549-074d078619da", 12] = "NDdeSetTrustedShareW",
   ["2f5f3220-c126-1076-b549-074d078619da", 5] = "NDdeSetShareSecurityA",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 28] = "ApiGetRootKey",
   ["367abb81-9844-35f1-ad32-98f038001003", 18] = "QueryServiceLockStatusW",
   ["12345778-1234-abcd-ef00-0123456789ab", 33] = "LsarLookupPrivilegeDisplayName",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 114] = "R_DhcpV4RemovePolicyRange",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 51] = "NetrDfsFixLocalVolume",
   ["df1941c5-fe89-4e79-bf10-463657acf44d", 36] = "Opnum36NotUsedOnWire",
   ["c681d488-d850-11d0-8c52-00c04fd90f7e", 38] = "Opnum38NotUsedOnWire",
   ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4", 3] = "nsi_group_mbr_inq_begin",
   ["367abb81-9844-35f1-ad32-98f038001003", 23] = "ChangeServiceConfigA",
   ["12345778-1234-abcd-ef00-0123456789ab", 21] = "LsarGetQuotasForAccount",
   ["4fc742e0-4a10-11cf-8273-00aa004ae673", 5] = "NetrDfsEnum",
   ["12345678-1234-abcd-ef00-0123456789ab", 55] = "RpcFindNextPrinterChangeNotification",
   ["86d35949-83c9-4044-b424-db363231fd0c", 14] = "SchRpcRename",
   ["2a3eb639-d134-422d-90d8-aaa1b5216202", 10] = "ExportXml",
   ["6bffd098-a112-3610-9833-46c3f874532d", 7] = "R_DhcpDeleteSubnet",
   ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 18] = "Ping",
   ["12345678-1234-abcd-ef00-0123456789ab", 64] = "RpcResetPrinterEx",
   ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 15] = "CopyData",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 72] = "R_DhcpGetClientInfoV6",
   ["4fc742e0-4a10-11cf-8273-00aa004ae673", 2] = "NetrDfsRemove",
   ["9556dc99-828c-11cf-a37e-00aa003240c7", 23] = "ExecNotificationQueryAsync",
   ["6bffd098-a112-3610-9833-46c3f87e345a", 17] = "NetrUnjoinDomain",
   ["1a1bb35f-abb8-451c-a1ae-33d98f1bef4a", 4] = "ReportError",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 46] = "PNP_GetLogConfPriority",
   ["9556dc99-828c-11cf-a37e-00aa003240c7", 14] = "PutInstance",
   ["12345778-1234-abcd-ef00-0123456789ab", 16] = "LsarCreateSecret",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 52] = "PNP_ModifyResDes",
   ["4f7ca01c-a9e5-45b6-b142-2332a1339c1d", 14] = "CancelAccountingQuery",
   ["fc910418-55ca-45ef-b264-83d4ce7d30e0", 9] = "RefreshRemoteSessionWeights",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 88] = "LlsrLocalServiceInfoGetA",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 74] = "RescanDisks",
   ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 12] = "GetViewDefaultColumnSet",
   ["12345678-1234-abcd-ef00-01234567cffb", 14] = "NetrLogonControl2",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 14] = "NetrShareAdd",
   ["8298d101-f992-43b7-8eca-5052d885b995", 35] = "RestoreWithPasswrd",
   ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 5] = "RpcSrvGetFallbackParams",
   ["12345778-1234-abcd-ef00-0123456789ab", 65] = "CredrDelete",
   ["44e265dd-7daf-42cd-8560-3cdb6e7a2729", 8] = "TsProxySetupReceivePipe",
   ["bd0c73bc-805b-4043-9c30-9a28d64dd7d2", 19] = "Opnum19NotUsedOnWire",
   ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 24] = "DRSQuerySitesByCost",
   ["44e265dd-7daf-42cd-8560-3cdb6e7a2729", 5] = "Opnum5NotUsedOnWire",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 14] = "LlsrProductLicenseEnumW",
   ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 12] = "DRSCrackNames",
   ["12345778-1234-abcd-ef00-0123456789ab", 56] = "LsarTestCall",
   ["bc681469-9dd9-4bf4-9b3d-709f69efe431", 9] = "CreateResourceGroup",
   ["53b46b02-c73b-4a3e-8dee-b16b80672fc0", 0] = "RpcGetSessionIP",
   ["6bffd098-a112-3610-9833-46c3f87e345a", 12] = "NetrMessageBufferSend",
   ["6bffd098-a112-3610-9833-46c3f87e345a", 1] = "NetrWkstaSetInfo",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 126] = "R_DhcpV4CreatePolicyEx",
   ["00020401-0000-0000-c000-000000000046", 12] = "GetDocumentation",
   ["2f5f3220-c126-1076-b549-074d078619da", 4] = "NDdeGetShareSecurityW",
   ["497d95a6-2d27-4bf5-9bbd-a6046957133c", 2] = "RpcStopListener",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 16] = "R_DhcpGetOptionInfoV5",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 12] = "R_DhcpDeleteMClientInfo",
   ["bc681469-9dd9-4bf4-9b3d-709f69efe431", 8] = "ModifyResourceGroup",
   ["481e06cf-ab04-4498-8ffe-124a0a34296d", 17] = "RenameSchedule",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 50] = "RpcAsyncSetPort",
   ["8d0ffe72-d252-11d0-bf8f-00c04fd9126b", 0] = "KeyrOpenKeyService",
   ["99fcfec4-5260-101b-bbcb-00aa0021347a", 4] = "ResolveOxid2",
   ["4d9f4ab8-7d1c-11cf-861e-0020af6e7c57", 0] = "RemoteActivation",
   ["4b112204-0e19-11d3-b42b-0000f81feb9f", 2] = "DeregisterServiceRpc",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 38] = "ApiQueryInfoKey",
   ["6bffd098-a112-3610-9833-46c3f874532d", 6] = "R_DhcpRemoveSubnetElement",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 37] = "RRPC_FWQueryFirewallRules",
   ["a8e0653c-2744-4389-a61d-7373df8b2292", 11] = "DeleteShareMapping",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 20] = "LlsrUserInfoSetW",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 67] = "PNP_SetObjectProp",
   ["12345678-1234-abcd-ef00-0123456789ab", 91] = "RpcGetSpoolFileInfo",
   ["6bffd098-a112-3610-9833-012892020162", 11] = "BrowserrServerEnumEx",
   ["338cd001-2244-31f1-aaaa-900038001003", 17] = "BaseRegQueryValue",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 3] = "ApiGetClusterName",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 66] = "R_DhcpServerGetConfigV6",
   ["22e5386d-8b12-4bf0-b0ec-6a1ea419e366", 2] = "RpcNetEventCloseSession",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 59] = "RpcWinStationShadowStop",
   ["12345678-1234-abcd-ef00-0123456789ab", 37] = "RpcAddPort",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 6] = "NetrCharDevQPurge",
   ["943991a5-b3fe-41fa-9696-7f7b656ee34b", 10] = "DeleteMachineGroup",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 35] = "NetprNameCompare",
   ["3919286a-b10c-11d0-9ba8-00c04fd92ef5", 4] = "DsRolerDemoteDc",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 9] = "InitializeDiskStyle",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 3] = "EnumDisksEx",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 11] = "ApiCloseResource",
   ["77df7a80-f298-11d0-8358-00a024c480a8", 22] = "S_DSValidateServer",
   ["d049b186-814f-11d1-9a3c-00c04fc9b232", 8] = "NtFrsApi_Rpc_IsPathReplicated",
   ["df1941c5-fe89-4e79-bf10-463657acf44d", 18] = "EfsRpcGetEncryptedFileMetadata",
   ["367abb81-9844-35f1-ad32-98f038001003", 14] = "EnumServicesStatusW",
   ["338cd001-2244-31f1-aaaa-900038001003", 16] = "BaseRegQueryInfoKey",
   ["6bffd098-a112-3610-9833-46c3f874532d", 22] = "R_DhcpGetMibInfo",
   ["6bffd098-a112-3610-9833-46c3f874532d", 10] = "R_DhcpGetOptionInfo",
   ["c681d488-d850-11d0-8c52-00c04fd90f7e", 34] = "Opnum34NotUsedOnWire",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 22] = "RpcWinStationEnumerateLicenses",
   ["12345778-1234-abcd-ef00-0123456789ac", 44] = "SamrGetUserDomainPasswordInformation",
   ["82ad4280-036b-11cf-972c-00aa006887b0", 3] = "R_InetInfoSetAdminInformation",
   ["6bffd098-a112-3610-9833-012892020162", 4] = "BrowserrDebugTrace",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 82] = "ApiCloseNetwork",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 10] = "RpcWinStationConnect",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 28] = "RpcWinStationCallback",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 11] = "R_DhcpGetMClientInfo",
   ["df1941c5-fe89-4e79-bf10-463657acf44d", 25] = "Opnum25NotUsedOnWire",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 60] = "ApiAddNotifyResource",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 69] = "PNP_ApplyPowerSettings",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 74] = "RpcAsyncLogJobInfoForBranchOffice",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 124] = "R_DhcpV6CreateClientInfo",
   ["c681d488-d850-11d0-8c52-00c04fd90f7e", 32] = "Opnum32NotUsedOnWire",
   ["f5cc59b4-4264-101a-8c59-08002b2f8426", 2] = "FrsRpcStartPromotionParent",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 128] = "R_DhcpV4SetPolicyEx",
   ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4", 4] = "nsi_group_mbr_inq_next",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 45] = "LlsrServerEnumA",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 42] = "ApiCreateGroup",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 73] = "RpcWinStationAutoReconnect",
   ["12345678-1234-abcd-ef00-0123456789ab", 71] = "RpcSetPort",
   ["c681d488-d850-11d0-8c52-00c04fd90f7e", 10] = "Opnum10NotUsedOnWire",
   ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 19] = "EvtRpcGetChannelList",
   ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 14] = "DeleteAllData",
   ["12345778-1234-abcd-ef00-0123456789ab", 0] = "LsarClose",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 34] = "PNP_AddID",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 25] = "GetInstalledFileSystems",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 62] = "Opnum62NotUsedOnWire",
   ["12345678-1234-abcd-ef00-0123456789ab", 18] = "RpcStartPagePrinter",
   ["77df7a80-f298-11d0-8358-00a024c480a8", 18] = "Opnum18NotUsedOnWire",
   ["12345778-1234-abcd-ef00-0123456789ab", 24] = "LsarSetSystemAccessAccount",
   ["12345778-1234-abcd-ef00-0123456789ac", 63] = "SamrUnicodeChangePasswordUser3",
   ["811109bf-a4e1-11d1-ab54-00a0c91e9b45", 1] = "R_WinsCheckAccess",
   ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 9] = "R_SetData",
   ["bd0c73bc-805b-4043-9c30-9a28d64dd7d2", 12] = "IsInstallRemote",
   ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 17] = "RpcSrvSetClientId",
   ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4", 21] = "nsi_mgmt_inq_set_age",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 6] = "RpcAsyncScheduleJob",
   ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 12] = "RpcSrvDeRegisterParams",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 92] = "R_DhcpV4FailoverGetRelationship",
   ["897e2e5f-93f3-4376-9c9c-fd2277495c27", 2] = "EstablishSession",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 44] = "ImportDiskGroup",
   ["bd0c73bc-805b-4043-9c30-9a28d64dd7d2", 16] = "GetCertInfoRemote",
   ["300f3532-38cc-11d0-a3f0-0020af6b0add", 10] = "Opnum10NotUsedOnWire",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 23] = "NetrServerDiskEnum",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 41] = "InitializeDiskEx",
   ["e33c0cc4-0482-101a-bc0c-02608c6ba218", 4] = "I_nsi_ping_locator",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 32] = "LlsrMappingInfoSetW",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 67] = "RpcAsyncDeletePrinterDriverPackage",
   ["897e2e5f-93f3-4376-9c9c-fd2277495c27", 6] = "RequestRecords",
   ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 16] = "DRSDomainControllerInfo",
   ["77df7a80-f298-11d0-8358-00a024c480a8", 16] = "Opnum16NotUsedOnWire",
   ["7c44d7d4-31d5-424c-bd5e-2b3e1f323d22", 1] = "IDL_DSAExecuteScript",
   ["88143fd0-c28d-4b2b-8fef-8d882f6a9390", 7] = "Opnum7NotUsedOnWire",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 19] = "ApiAddResourceDependency",
   ["12345778-1234-abcd-ef00-0123456789ac", 60] = "SamrGetBootKeyInformation",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 39] = "R_DhcpRemoveSubnetElementV5",
   ["12345678-1234-abcd-ef00-0123456789ab", 7] = "RpcSetPrinter",
   ["00000131-0000-0000-c000-000000000046", 5] = "RemRelease",
   ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 22] = "DRSReplicaVerifyObjects",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 25] = "RpcAsyncEnumForms",
   ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 23] = "EvtRpcGetPublisherListForChannel",
   ["2f5f3220-c126-1076-b549-074d078619da", 6] = "NDdeSetShareSecurityW",
   ["4f7ca01c-a9e5-45b6-b142-2332a1339c1d", 13] = "DefragmentDB",
   ["7c4e1804-e342-483d-a43e-a850cfcc8d18", 7] = "EnumerateApplicationsInPool",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 53] = "ApiCreateGroupResourceEnum",
   ["3919286a-b10c-11d0-9ba8-00c04fd92ef5", 3] = "DsRolerDcAsReplica",
   ["a8e0653c-2744-4389-a61d-7373df8b2292", 9] = "IsPathShadowCopied",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 62] = "AudioMeterGetPeakValue",
   ["12345678-1234-abcd-ef00-0123456789ab", 36] = "RpcEnumMonitors",
   ["12345778-1234-abcd-ef00-0123456789ac", 11] = "SamrEnumerateGroupsInDomain",
   ["481e06cf-ab04-4498-8ffe-124a0a34296d", 19] = "MoveAfterCalendar",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 2] = "LlsrLicenseEnumW",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 0] = "RRPC_FWOpenPolicyStore",
   ["88143fd0-c28d-4b2b-8fef-8d882f6a9390", 1] = "RpcCloseEnum",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 90] = "ApiAddNotifyNetwork",
   ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 4] = "DRSUpdateRefs",
   ["481e06cf-ab04-4498-8ffe-124a0a34296d", 11] = "RenameCalendar",
   ["897e2e5f-93f3-4376-9c9c-fd2277495c27", 8] = "RawGetFileData",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 77] = "LlsrReplicationCertDbAddW",
   ["943991a5-b3fe-41fa-9696-7f7b656ee34b", 15] = "DeleteMachine",
   ["a8e0653c-2744-4389-a61d-7373df8b2292", 2] = "StartShadowCopySet",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 38] = "RpcServerNWLogonSetAdmin",
   ["12345678-1234-abcd-ef00-0123456789ab", 34] = "RpcEnumForms",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 56] = "RpcAsyncDeletePerMachineConnection",
   ["bde95fdf-eee0-45de-9e12-e5a61cd0d4fe", 4] = "RpcGetRemoteAddress",
   ["df1941c5-fe89-4e79-bf10-463657acf44d", 3] = "EfsRpcCloseRaw",
   ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 14] = "OpenView",
   ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5", 12] = "wdmDriverOpenDrvRegKey",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 90] = "R_DhcpV4FailoverSetRelationship",
   ["338cd001-2244-31f1-aaaa-900038001003", 33] = "OpenPerformanceNlsText",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 18] = "RRPC_FWSetAuthenticationSet",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 33] = "RRPC_FWSetMainModeRule",
   ["367abb81-9844-35f1-ad32-98f038001003", 45] = "CreateServiceWOW64W",
   ["a4f1db00-ca47-1067-b31f-00dd010662da", 0] = "EcDoConnect",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 28] = "RpcAsyncEnumPrinterDataEx",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 18] = "R_DhcpRemoveOptionV5",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 63] = "ApiReAddNotifyGroup",
   ["943991a5-b3fe-41fa-9696-7f7b656ee34b", 7] = "CreateMachineGroup",
   ["367abb81-9844-35f1-ad32-98f038001003", 11] = "ChangeServiceConfigW",
   ["f5cc59b4-4264-101a-8c59-08002b2f8426", 6] = "FrsBackupComplete",
   ["12345678-1234-abcd-ef00-01234567cffb", 29] = "NetrLogonGetDomainInfo",
   ["3919286a-b10c-11d0-9ba8-00c04fd92ef5", 10] = "DsRolerAbortDownlevelServerUpgrade",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 16] = "ApiFailResource",
   ["034634fd-ba3f-11d1-856a-00a0c944138c", 7] = "GetTelnetSessions",
   ["12345778-1234-abcd-ef00-0123456789ab", 44] = "LsarOpenPolicy2",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 62] = "RpcWinStationGetMachinePolicy",
   ["c681d488-d850-11d0-8c52-00c04fd90f7e", 4] = "EfsRpcEncryptFileSrv",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 71] = "RescanDisks",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 60] = "R_DhcpEnumSubnetElementsV6",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 19] = "PNP_GetClassName",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 4] = "RpcAsyncEnumJobs",
   ["c681d488-d850-11d0-8c52-00c04fd90f7e", 42] = "Opnum42NotUsedOnWire",
   ["8fb6d884-2388-11d0-8c35-00c04fda2795", 7] = "W32TimeLog",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 76] = "LlsrCertificateClaimAddW",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 70] = "RpcWinStationGetAllProcesses_NT6",
   ["6bffd098-a112-3610-9833-46c3f874532d", 50] = "R_DhcpSetSubnetInfoVQ",
   ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 19] = "RpcSrvNotifyMediaReconnected",
   ["12345778-1234-abcd-ef00-0123456789ab", 41] = "LsarDeleteTrustedDomain",
   ["7fe0d935-dda6-443f-85d0-1cfb58fe41dd", 48] = "DeleteRow",
   ["367abb81-9844-35f1-ad32-98f038001003", 21] = "GetServiceKeyNameW",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 38] = "RpcAsyncEnumPrinters",
   ["6bffd098-a112-3610-9833-46c3f87e345a", 0] = "NetrWkstaGetInfo",
   ["12345778-1234-abcd-ef00-0123456789ac", 61] = "SamrConnect3",
   ["12345678-1234-abcd-ef00-0123456789ab", 51] = "RpcEnumPrintProcessorDatatypes",
   ["027947e1-d731-11ce-a357-000000000001", 4] = "Next",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 31] = "RpcWinStationWaitForConnect",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 26] = "RpcWinStationSetPoolCount",
   ["4f7ca01c-a9e5-45b6-b142-2332a1339c1d", 10] = "GetRawAccountingData",
   ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 27] = "EvtRpcGetNextEventMetadata",
   ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 18] = "CloseKey",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 43] = "ReConnectDisk",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 58] = "RpcSyncRegisterForRemoteNotifications",
   ["df1941c5-fe89-4e79-bf10-463657acf44d", 15] = "EfsRpcAddUsersToFileEx",
   ["ae1c7110-2f60-11d3-8a39-00c04f72d8e3", 5] = "Reset",
   ["d99e6e70-fc88-11d0-b498-00a0c90312f3", 5] = "Ping",
   ["300f3532-38cc-11d0-a3f0-0020af6b0add", 11] = "Opnum11NotUsedOnWire",
   ["300f3532-38cc-11d0-a3f0-0020af6b0add", 7] = "Opnum7NotUsedOnWire",
   ["f309ad18-d86a-11d0-a075-00c04fb68820", 6] = "NTLMLogin",
   ["897e2e5f-93f3-4376-9c9c-fd2277495c27", 1] = "EstablishConnection",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 15] = "NetrShareEnum",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 118] = "R_DhcpV6GetStatelessStatistics",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 51] = "LlsrLocalProductInfoGetA",
   ["12345778-1234-abcd-ef00-0123456789ab", 87] = "LsarEnumerateAuditSubCategories",
   ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 5] = "DRSReplicaAdd",
   ["367abb81-9844-35f1-ad32-98f038001003", 38] = "QueryServiceConfig2A",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 5] = "AudioServerDestroyStream",
   ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 15] = "RpcSrvSetClassId",
   ["86d35949-83c9-4044-b424-db363231fd0c", 6] = "SchRpcEnumFolder",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 27] = "RpcWinStationQueryUpdateRequired",
   ["afa8bd80-7d8a-11c9-bef4-08002b102989", 3] = "stop_server_listening",
   ["12345678-1234-abcd-ef00-0123456789ab", 9] = "RpcAddPrinterDriver",
   ["82ad4280-036b-11cf-972c-00aa006887b0", 2] = "R_InsetInfoGetSites",
   ["f5cc59b4-4264-101a-8c59-08002b2f8426", 9] = "FrsBackupComplete",
   ["12345778-1234-abcd-ef00-0123456789ab", 75] = "CredrRename",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 63] = "RRPC_FWEnumAuthenticationSets2_20",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 53] = "RpcAsyncDeletePrintProcessor",
   ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 5] = "DeleteChildKEys",
   ["00020401-0000-0000-c000-000000000046", 13] = "GetDllEntry",
   ["df1941c5-fe89-4e79-bf10-463657acf44d", 11] = "EfsRpcNotSupported",
   ["ae1c7110-2f60-11d3-8a39-00c04f72d8e3", 3] = "Next",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 70] = "LlsrProductLicensesGetW",
   ["338cd001-2244-31f1-aaaa-900038001003", 6] = "BaseRegCreateKey",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 17] = "FTResyncMirror",
   ["6bffd098-a112-3610-9833-46c3f874532d", 39] = "R_DhcpServerSetConfigV4",
   ["214a0f28-b737-4026-b847-4f9e37d79529", 7] = "QueryDiffAreaOnVolume",
   ["12345778-1234-abcd-ef00-0123456789ab", 1] = "LsarDelete",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 6] = "AudioServerGetStreamLatency",
   ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 21] = "DRSGetMemberships2",
   ["86d35949-83c9-4044-b424-db363231fd0c", 1] = "SchRpcRegisterTask",
   ["82273fdc-e32a-18c3-3f78-827929dc23ea", 3] = "ElfrDeregisterEventSource",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 58] = "Opnum58NotUsedOnWire",
   ["df1941c5-fe89-4e79-bf10-463657acf44d", 43] = "Opnum43NotUsedOnWire",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 35] = "DeleteVolume",
   ["12345778-1234-abcd-ef00-0123456789ab", 47] = "LsarSetInformationPolicy2",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 24] = "AudioSessionGetChannelCount",
   ["12345778-1234-abcd-ef00-0123456789ac", 45] = "SamrRemoveMemberFromForeignDomain",
   ["99fcfec4-5260-101b-bbcb-00aa0021347a", 0] = "ResolveOxid",
   ["f5cc5a18-4264-101a-8c59-08002b2f8426", 3] = "NspiQueryRows",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 1] = "RpcWinStationCloseServer",
   ["338cd001-2244-31f1-aaaa-900038001003", 9] = "BaseRegEnumKey",
   ["6bffd098-a112-3610-9833-46c3f874532d", 11] = "R_DhcpRemoveOption",
   ["12345778-1234-abcd-ef00-0123456789ac", 47] = "SamrQueryInformationUser2",
   ["5422fd3a-d4b8-4cef-a12e-e87d4ca22e90", 9] = "Ping2",
   ["000001a0-0000-0000-c000-000000000046", 1] = "AddRefIRemoteISCMActivator",
   ["12345778-1234-abcd-ef00-0123456789ac", 1] = "SamrCloseHandle",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 21] = "NetrServerGetInfo",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 53] = "AudioVolumeSetChannelVolumeLevelScalar",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 93] = "ApiCloseNetInterface",
   ["708cca10-9569-11d1-b2a5-0060977d8118", 0] = "S_DSGetComputerSites",
   ["c5cebee2-9df5-4cdd-a08c-c2471bc144b4", 9] = "ImportXMLFiles",
   ["00000131-0000-0000-c000-000000000046", 3] = "RemQueryInterface",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 75] = "EnumAccessPath",
   ["12345678-1234-abcd-ef00-0123456789ab", 103] = "RpcGetPrinterDriverPackagePath",
   ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 10] = "DRSInterDomainMove",
   ["12345678-1234-abcd-ef00-0123456789ab", 43] = "RpcAddPrinterConnection",
   ["6bffd098-a112-3610-9833-46c3f874532d", 40] = "R_DhcpServerGetConfigV4",
   ["12345678-1234-abcd-ef00-0123456789ab", 77] = "RpcSetPrinterDataEx",
   ["112b1dff-d9dc-41f7-869f-d67fee7cb591", 4] = "DestroyVirtualSmartCard",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 16] = "RRPC_FWEnumConnectionSecurityRules",
   ["367abb81-9844-35f1-ad32-98f038001003", 42] = "EnumServicesStatusExW",
   ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 3] = "AddKey",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 72] = "Uninitialize",
   ["c681d488-d850-11d0-8c52-00c04fd90f7e", 11] = "EfsRpcNotSupported",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 104] = "R_DhcpV4RemoveOptionValue",
   ["45f52c28-7f9f-101a-b52b-08002b2efabe", 17] = "R_WinsGetDbRecsByName",
   ["12345678-1234-abcd-ef00-0123456789ab", 99] = "RpcInstallPrinterDriverFromPackage",
   ["4fc742e0-4a10-11cf-8273-00aa004ae673", 22] = "NetrDfsSetInfo2",
   ["12345778-1234-abcd-ef00-0123456789ab", 13] = "LsarEnumerateTrustedDomains",
   ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 22] = "BackupGetAttachmentInformation",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 52] = "RestartVolume",
   ["12345678-1234-abcd-ef00-01234567cffb", 1] = "NetrLogonUasLogoff",
   ["300f3532-38cc-11d0-a3f0-0020af6b0add", 6] = "Opnum6NotUsedOnWire",
   ["fa7df749-66e7-4986-a27f-e2f04ae53772", 4] = "QueryVolumesSupportedForSnapshots",
   ["367abb81-9844-35f1-ad32-98f038001003", 52] = "ScSendPnPMessage",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 13] = "NetrSessionDel",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 11] = "PNP_GetDeviceListSize",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 13] = "PNP_GetDeviceRegProp",
   ["12345778-1234-abcd-ef00-0123456789ab", 20] = "LsarRemovePrivilegesFromAccount",
   ["82273fdc-e32a-18c3-3f78-827929dc23ea", 7] = "ElfrOpenELW",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 75] = "RefreshFileSys",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 73] = "ApiResourceControl",
   ["c4b0c7d9-abe0-4733-a1e1-9fdedf260c7a", 7] = "DeleteObject",
   ["6bffd098-a112-3610-9833-46c3f874532d", 24] = "R_DhcpSetOptionValues",
   ["12345678-1234-abcd-ef00-01234567cffb", 49] = "NetrChainSetClientAttributes",
   ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 10] = "R_GetData",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 6] = "ApiSetQuorumResource",
   ["12345678-1234-abcd-ef00-0123456789ab", 12] = "RpcGetPrinterDriverDirectory",
   ["6bffd098-a112-3610-9833-46c3f87e345a", 19] = "NetrRenameMachineInDomain",
   ["44e265dd-7daf-42cd-8560-3cdb6e7a2729", 7] = "TsProxyCloseTunnel",
   ["12345778-1234-abcd-ef00-0123456789ab", 31] = "LsarLookupPrivilegeValue",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 24] = "EnumLocalFileSystems",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 43] = "ApiDeleteGroup",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 18] = "AudioSessionGetSessionClass",
   ["12345778-1234-abcd-ef00-0123456789ac", 8] = "SamrQueryInformationDomain",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 54] = "EncapsulateDiskEx",
   ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 20] = "DRSAddSidHistory",
   ["6bffd098-a112-3610-9833-46c3f874532d", 28] = "R_DhcpGetVersion",
   ["45f52c28-7f9f-101a-b52b-08002b2efabe", 7] = "R_WinsBackup",
   ["a4f1db00-ca47-1067-b31f-00dd010662da", 4] = "EcRRegisterPushNotification",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 97] = "ApiNodeNetInterfaceControl",
   ["bde95fdf-eee0-45de-9e12-e5a61cd0d4fe", 6] = "Opnum6NotUsedOnWire",
   ["481e06cf-ab04-4498-8ffe-124a0a34296d", 16] = "DeleteSchedule",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 47] = "NetrDfsSetServerInfo",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 48] = "RpcAsyncEnumMonitors",
   ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 7] = "RpcSrvStaticRefreshParams",
   ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 24] = "RpcSrvDeRegisterConnectionStateNotification",
   ["bde95fdf-eee0-45de-9e12-e5a61cd0d4fe", 2] = "RpcGetProtocolStatus",
   ["f612954d-3b0b-4c56-9563-227b7be624b4", 40] = "GetChildPaths",
   ["6bffd098-a112-3610-9833-46c3f87e345a", 24] = "NetrRenameMachineInDomain2",
   ["338cd001-2244-31f1-aaaa-900038001003", 4] = "OpenUsers",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 73] = "LlsrCertificateClaimAddCheckA",
   ["12345778-1234-abcd-ef00-0123456789ab", 63] = "CredrWriteDomainCredentials",
   ["59602eb6-57b0-4fd8-aa4b-ebf06971fe15", 13] = "MoveAfter",
   ["484809d6-4239-471b-b5bc-61df8c23ac48", 3] = "RpcUnRegisterAsyncNotification",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 16] = "RpcWinStationWaitSystemEvent",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 30] = "CreateVolumeAssignAndFormat",
   ["00000143-0000-0000-c000-000000000046", 4] = "RemAddRef",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 53] = "RRPC_FWSetAuthenticationSet2_10",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 25] = "GetInstalledFileSystems",
   ["12345678-1234-abcd-ef00-0123456789ab", 40] = "RpcCreatePrinterIC",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 4] = "EnumDiskRegionsEx",
   ["12345778-1234-abcd-ef00-0123456789ab", 19] = "LsarAddPrivilegesToAccount",
   ["3c745a97-f375-4150-be17-5950f694c699", 6] = "CreateVirtualSmartCardWithAttestation",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 15] = "FTDeleteVolume",
   ["12345778-1234-abcd-ef00-0123456789ac", 53] = "SamrRemoveMultipleMembersFromAlias",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 59] = "RpcSyncUnRegisterForRemoteNotifications",
   ["c681d488-d850-11d0-8c52-00c04fd90f7e", 2] = "EfsRpcWriteFileRaw",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 17] = "ApiOnlineResource",
   ["0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7", 1] = "AuthzrInitializeContextFromSid",
   ["12345778-1234-abcd-ef00-0123456789ac", 52] = "SamrAddMultipleMembersToAlias",
   ["77df7a80-f298-11d0-8358-00a024c480a8", 11] = "S_DSGetPropsGuid",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 68] = "Initialize",
   ["6bffd098-a112-3610-9833-46c3f874532d", 9] = "R_DhcpSetOptionInfo",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 61] = "RpcAsyncGetRemoteNotifications",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 112] = "R_DhcpV4EnumPolicies",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 48] = "AudioVolumeSetMasterVolumeLevel",
   ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 20] = "BackupPrepare",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 62] = "RpcAsyncInstallPrinterDriverFromPackage",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 5] = "PNP_ReportLogOn",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 61] = "PNP_GetCustomDevProp",
   ["12345678-1234-abcd-ef00-0123456789ab", 54] = "RpcClientFindFirstPrinterChangeNotification",
   ["77df7a80-f298-11d0-8358-00a024c480a8", 20] = "S_DSCreateServersCache",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 40] = "AudioSessionManagerGetCurrentSession",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 63] = "AudioMeterGetChannelsPeakValues",
   ["497d95a6-2d27-4bf5-9bbd-a6046957133c", 1] = "RpcCloseListener",
   ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 7] = "CopyKey",
   ["99fcfec4-5260-101b-bbcb-00aa0021347a", 2] = "ComplexPing",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 1] = "NetrCharDevGetInfo",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 61] = "R_DhcpRemoveSubnetElementV6",
   ["12345678-1234-abcd-ef00-0123456789ab", 63] = "RpcSpoolerInit",
   ["367abb81-9844-35f1-ad32-98f038001003", 54] = "ScOpenServiceStatusHandle",
   ["000001a0-0000-0000-c000-000000000046", 0] = "QueryInterfaceIRemoteSCMActivator",
   ["77df7a80-f298-11d0-8358-00a024c480a8", 14] = "S_DSSetObjectSecurityGuid",
   ["21546ae8-4da5-445e-987f-627fea39c5e8", 13] = "WSRMActivate",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 38] = "PNP_IsDockStationPresent",
   ["df1941c5-fe89-4e79-bf10-463657acf44d", 22] = "EfsRpcQueryProtectors",
   ["6bffd098-a112-3610-9833-46c3f874532d", 43] = "R_DhcpGetMibInfoVQ",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 64] = "Opnum64NotUsedOnWire",
   ["82273fdc-e32a-18c3-3f78-827929dc23ea", 19] = "ElfrRegisterClusterSvc",
   ["367abb81-9844-35f1-ad32-98f038001003", 47] = "NotifyServiceStatusChange",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 42] = "PNP_AddEmptyLogConf",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 37] = "ApiCloseKey",
   ["9556dc99-828c-11cf-a37e-00aa003240c7", 24] = "ExecMethod",
   ["82ad4280-036b-11cf-972c-00aa006887b0", 15] = "R_IISDisconnectedUser",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 33] = "R_DhcpAuditLogGetParams",
   ["c681d488-d850-11d0-8c52-00c04fd90f7e", 41] = "Opnum41NotUsedOnWire",
   ["300f3532-38cc-11d0-a3f0-0020af6b0add", 1] = "Opnum1NotUsedOnWire",
   ["fa7df749-66e7-4986-a27f-e2f04ae53772", 3] = "GetProviderMgmtInterface",
   ["c681d488-d850-11d0-8c52-00c04fd90f7e", 19] = "EfsRpcSetEncryptedFileMetadata",
   ["12345678-1234-abcd-ef00-0123456789ab", 62] = "RpcRemoteFindFirstPrinterChangeNotification",
   ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 9] = "RpcSrvRequestParams",
   ["df1941c5-fe89-4e79-bf10-463657acf44d", 42] = "Opnum42NotUsedOnWire",
   ["367abb81-9844-35f1-ad32-98f038001003", 4] = "QueryServiceObjectSecurity",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 21] = "PNP_GetInterfaceDeviceAlias",
   ["e1af8308-5d1f-11c9-91a4-08002b14a0fa", 6] = "ept_mgmt_delete",
   ["5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc", 0] = "NetrSendMessage",
   ["12345778-1234-abcd-ef00-0123456789ab", 17] = "LsarOpenAccount",
   ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5", 7] = "gfxLogon",
   ["4fc742e0-4a10-11cf-8273-00aa004ae673", 3] = "NetrDfsSetInfo",
   ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4", 13] = "nsi_entry_object_inq_next",
   ["82ad4280-036b-11cf-972c-00aa006887b0", 4] = "R_InetInfoGetGlobalAdminInformation",
   ["12345678-1234-abcd-ef00-0123456789ab", 27] = "RpcSetPrinterData",
   ["00000000-0000-0000-c000-000000000046", 0] = "Opnum0NotUsedOnWire",
   ["7fe0d935-dda6-443f-85d0-1cfb58fe41dd", 33] = "SetCAProperty",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 83] = "LlsrLocalServiceAddA",
   ["12345678-1234-abcd-ef00-0123456789ab", 88] = "RpcXcvData",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 100] = "ApiReAddNotifyNetInterface",
   ["f50aac00-c7f3-428e-a022-a6b71bfb9d43", 5] = "SSCatDBRebuildDatabase",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 52] = "R_DhcpSetOptionValueV6",
   ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 10] = "RpcSrvPersistentRequestParams",
   ["12345778-1234-abcd-ef00-0123456789ac", 12] = "SamrCreateUserInDomain",
   ["a4f1db00-ca47-1067-b31f-00dd010662da", 10] = "EcDoConnectEx",
   ["82273fdc-e32a-18c3-3f78-827929dc23ea", 22] = "ElfrGetLogInformation",
   ["12345778-1234-abcd-ef00-0123456789ab", 45] = "LsarGetUserName",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 33] = "NetprNameValidate",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 4] = "AudioServerCreateStream",
   ["12345778-1234-abcd-ef00-0123456789ab", 28] = "LsarOpenSecret",
   ["f50aac00-c7f3-428e-a022-a6b71bfb9d43", 3] = "SSCatDBRegisterForChangeNotification",
   ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 18] = "RpcSrvGetClientId",
   ["f5cc59b4-4264-101a-8c59-08002b2f8426", 8] = "FrsBackupComplete",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 60] = "RRPC_FWEnumConnectionSecurityRules2_20",
   ["12345778-1234-abcd-ef00-0123456789ab", 7] = "LsarQueryInformationPolicy",
   ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 3] = "DRSGetNCChanges",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 34] = "R_DhcpServerQueryAttribute",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 72] = "RRPC_FWEnumFirewallRules2_24",
   ["6bffd098-a112-3610-9833-46c3f874532d", 0] = "R_DhcpCreateSubnet",
   ["8fb6d884-2388-11d0-8c35-00c04fda2795", 3] = "W32TimeQuerySource",
   ["12345778-1234-abcd-ef00-0123456789ab", 4] = "LsarSetSecurityObject",
   ["c681d488-d850-11d0-8c52-00c04fd90f7e", 0] = "EfsRpcOpenFileRaw",
   ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 15] = "EvtRpcAssertConfig",
   ["29822ab7-f302-11d0-9953-00c04fd919c1", 3] = "AppCreate",
   ["12345778-1234-abcd-ef00-0123456789ab", 71] = "LsarGenAuditEvent",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 61] = "Opnum61NotUsedOnWire",
   ["1ff70682-0a51-30e8-076d-740be8cee98b", 0] = "NetrJobAdd",
   ["897e2e5f-93f3-4376-9c9c-fd2277495c27", 14] = "Opnum14NotUsedOnWire",
   ["00020400-0000-0000-c000-000000000046", 3] = "GetTypeInfoCount",
   ["12345678-1234-abcd-ef00-01234567cffb", 21] = "NetrLogonGetCapabilities",
   ["4da1c422-943d-11d1-acae-00c04fc2aa3f", 1] = "LnkSvrMessageCallback",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 38] = "LlsrMappingUserDeleteW",
   ["44e265dd-7daf-42cd-8560-3cdb6e7a2729", 4] = "TsProxyCreateChannel",
   ["367abb81-9844-35f1-ad32-98f038001003", 6] = "QueryServiceStatus",
   ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 28] = "EvtRpcGetClassicLogDisplayName",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 76] = "SecureSystemPartition",
   ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 21] = "GetHandleInfo",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 46] = "Opnum46NotUsedOnWire",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 96] = "ApiGetNetInterfaceId",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 78] = "LlsrReplicationProductSecurityAddW",
   ["a8e0653c-2744-4389-a61d-7373df8b2292", 10] = "GetShareMapping",
   ["bd0c73bc-805b-4043-9c30-9a28d64dd7d2", 14] = "IsExportableRemote",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 44] = "PNP_GetFirstLogConf",
   ["338cd001-2244-31f1-aaaa-900038001003", 21] = "BaseRegSetKeySecurity",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 66] = "AudioVolumeStepDown",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 115] = "R_DhcpV4EnumSubnetClients",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 47] = "RpcWinStationBroadcastSystemMessage",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 16] = "FTBreakMirror",
   ["86d35949-83c9-4044-b424-db363231fd0c", 3] = "SchRpcCreateFolder",
   ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 17] = "ServerControl",
   ["4fc742e0-4a10-11cf-8273-00aa004ae673", 4] = "NetrDfsGetInfo",
   ["77df7a80-f298-11d0-8358-00a024c480a8", 1] = "S_DSDeleteObject",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 25] = "PNP_UnregisterDeviceClassAssociation",
   ["77df7a80-f298-11d0-8358-00a024c480a8", 4] = "S_DSGetObjectSecurity",
   ["c681d488-d850-11d0-8c52-00c04fd90f7e", 24] = "Opnum24NotUsedOnWire",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 85] = "R_DhcpGetFilterV4",
   ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5", 11] = "winmmSessionConnectState",
   ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 3] = "SetExtension",
   ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 19] = "GetServerState",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 9] = "PNP_EnumerateSubKeys",
   ["6bffd098-a112-3610-9833-46c3f87e345a", 22] = "NetrJoinDomain2",
   ["943991a5-b3fe-41fa-9696-7f7b656ee34b", 8] = "GetMachineGroupInfo",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 18] = "LlsrUserInfoGetW",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 30] = "RpcAsyncDeletePrinterData",
   ["943991a5-b3fe-41fa-9696-7f7b656ee34b", 12] = "AddMachine",
   ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5", 6] = "gfxOpenGfx",
   ["c681d488-d850-11d0-8c52-00c04fd90f7e", 26] = "Opnum26NotUsedOnWire",
   ["12345778-1234-abcd-ef00-0123456789ab", 59] = "LsarCreateTrustedDomainEx2",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 18] = "FTRegenerateParityStripe",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 42] = "NetrServerSetServiceBitsEx",
   ["4fc742e0-4a10-11cf-8273-00aa004ae673", 12] = "NetrDfsAddStdRoot",
   ["82ad4280-036b-11cf-972c-00aa006887b0", 16] = "Opnum16NotUsedOnWire",
   ["338cd001-2244-31f1-aaaa-900038001003", 25] = "BaseAbortSystemShutdown",
   ["12345778-1234-abcd-ef00-0123456789ab", 62] = "CredrEnumerate",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 37] = "RemoveMirror",
   ["4b112204-0e19-11d3-b42b-0000f81feb9f", 15] = "SetICSOff",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 49] = "R_DhcpGetOptionInfoV6",
   ["77df7a80-f298-11d0-8358-00a024c480a8", 17] = "Opnum17NotUsedOnWire",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 58] = "LlsrReplConnect",
   ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4", 7] = "nsi_profile_elt_add",
   ["0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7", 4] = "AuthrzGetInformationFromContext",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 36] = "PNP_QueryRemove",
   ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 32] = "UnmarshalInterface",
   ["82ad4280-036b-11cf-972c-00aa006887b0", 8] = "R_InetInfoFlushMemoryCache",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 54] = "SetDontShow",
   ["a4f1db00-ca47-1067-b31f-00dd010662da", 11] = "EcDoRpcExt2",
   ["12345678-1234-abcd-ef00-0123456789ab", 74] = "RpcClusterSplOpen",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 44] = "AudioSessionManagerAddAudioSessionClientNotification",
   ["11899a43-2b68-4a76-92e3-a3d6ad8c26ce", 3] = "RpcUnRegisterAsyncNotification",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 71] = "LlsrCertificateClaimEnumA",
   ["50abc2a4-574d-40b3-9d66-ee4fd5fba076", 7] = "DnssrvComplexOperation2",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 61] = "RRPC_FWQueryConnectionSecurityRules2_20",
   ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 8] = "PublishCRL",
   ["000001a0-0000-0000-c000-000000000046", 2] = "ReleaseIRemoteISCMActivator",
   ["44e265dd-7daf-42cd-8560-3cdb6e7a2729", 6] = "TsProxyCloseChannel",
   ["12345778-1234-abcd-ef00-0123456789ab", 9] = "LsarClearAuditLog",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 85] = "LlsrLocalServiceInfoSetW",
   ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 26] = "EvtRpcGetEventMetadataEnum",
   ["1ff70682-0a51-30e8-076d-740be8cee98b", 1] = "NetrJobDel",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 110] = "R_DhcpV4SetPolicy",
   ["5422fd3a-d4b8-4cef-a12e-e87d4ca22e90", 5] = "Ping",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 31] = "ApiEnumKey",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 43] = "RpcWinStationGetAllProcesses",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 61] = "AudioMeterGetChannelsRMS",
   ["fc910418-55ca-45ef-b264-83d4ce7d30e0", 7] = "GetRemoteUserCategories",
   ["88143fd0-c28d-4b2b-8fef-8d882f6a9390", 8] = "RpcGetSessionIds",
   ["4b112204-0e19-11d3-b42b-0000f81feb9f", 12] = "EnableDeviceHost",
   ["12345778-1234-abcd-ef00-0123456789ab", 90] = "LsarSetAuditSecurity",
   ["12345778-1234-abcd-ef00-0123456789ac", 34] = "SamrOpenUser",
   ["367abb81-9844-35f1-ad32-98f038001003", 35] = "EnumServiceGroupW",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 66] = "PNP_GetObjectProp",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 43] = "RpcAsyncDeletePrinterDriverEx",
   ["d2d79df7-3400-11d0-b40b-00aa005ff586", 0] = "ObjectsChanged",
   ["2f5f3220-c126-1076-b549-074d078619da", 9] = "NDdeShareGetInfoW",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 23] = "FreeDriveLetter",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 11] = "LlsrProductUserEnumA",
   ["897e2e5f-93f3-4376-9c9c-fd2277495c27", 5] = "AsyncPoll",
   ["c681d488-d850-11d0-8c52-00c04fd90f7e", 30] = "Opnum30NotUsedOnWire",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 24] = "RpcWinStationRemoveLicense",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 99] = "R_DhcpV4FailoverGetSystemTime",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 109] = "R_DhcpV4GetPolicy",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 39] = "RpcAsyncAddPrinterDriver",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 69] = "ApiPauseNode",
   ["c681d488-d850-11d0-8c52-00c04fd90f7e", 40] = "Opnum40NotUsedOnWire",
   ["12345678-1234-abcd-ef00-01234567cffb", 46] = "NetrServerGetTrustInfo",
   ["6bffd098-a112-3610-9833-012892020162", 7] = "NetrBrowserStatisticsClear",
   ["2a3eb639-d134-422d-90d8-aaa1b5216202", 9] = "ImportXml",
   ["6bffd098-a112-3610-9833-012892020162", 10] = "BrowserrQueryEmulatedDomains",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 68] = "RpcAsyncReadPrinter",
   ["82273fdc-e32a-18c3-3f78-827929dc23ea", 21] = "ElfrWriteClusterEvents",
   ["367abb81-9844-35f1-ad32-98f038001003", 32] = "GetServiceDisplayNameA",
   ["12345678-1234-abcd-ef00-0123456789ab", 81] = "RpcDeletePrinterDataEx",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 36] = "PolicyConfigSetShareMode",
   ["12345778-1234-abcd-ef00-0123456789ac", 51] = "SamrQueryDisplayInformation3",
   ["12345678-1234-abcd-ef00-01234567cffb", 12] = "NetrLogonControl",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 93] = "R_DhcpV4FailoverEnumRelationship",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 15] = "RpcAsyncAbortPrinter",
   ["338cd001-2244-31f1-aaaa-900038001003", 23] = "BaseRegUnLoadKey",
   ["82ad4280-036b-11cf-972c-00aa006887b0", 9] = "R_InetInfoGetServerCapabilities",
   ["4bb8ab1d-9ef9-4100-8eb6-dd4b4e418b72", 4] = "DeleteObject",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 46] = "AudioVolumeDisconnect",
   ["367abb81-9844-35f1-ad32-98f038001003", 3] = "LockServiceDatabase",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 67] = "EnumTasks",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 14] = "AudioSessionGetLastInactivation",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 85] = "ApiCreateNetworkEnum",
   ["df1941c5-fe89-4e79-bf10-463657acf44d", 44] = "Opnum44NotUsedOnWire",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 0] = "RpcAsyncOpenPrinter",
   ["f50aac00-c7f3-428e-a022-a6b71bfb9d43", 2] = "SSCatDBEnumCatalogs",
   ["12345678-1234-abcd-ef00-01234567cffb", 20] = "DsrGetDcName",
   ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 21] = "BackupEnd",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 15] = "ApiGetResourceType",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 62] = "ApiReAddNotifyNode",
   ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 16] = "RpcSrvGetClassId",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 31] = "CreateVolumeAssignAndFormatEx",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 74] = "RRPC_FWAddFirewallRule2_25",
   ["12345678-1234-abcd-ef00-0123456789ab", 11] = "RpcGetPrinterDriver",
   ["7fe0d935-dda6-443f-85d0-1cfb58fe41dd", 41] = "SetAuditFilter",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 56] = "DeletePartitionNumberInfoFromRegistry",
   ["6bffd098-a112-3610-9833-46c3f874532d", 16] = "R_DhcpCreateClientInfo",
   ["df1941c5-fe89-4e79-bf10-463657acf44d", 28] = "Opnum28NotUsedOnWire",
   ["59602eb6-57b0-4fd8-aa4b-ebf06971fe15", 11] = "RenameAllocationPolicy",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 73] = "Refresh",
   ["338cd001-2244-31f1-aaaa-900038001003", 35] = "BaseRegDeleteKeyEx",
   ["c681d488-d850-11d0-8c52-00c04fd90f7e", 29] = "Opnum29NotUsedOnWire",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 76] = "EnumAccessPathForVolume",
   ["f5cc59b4-4264-101a-8c59-08002b2f8426", 4] = "FrsBackupComplete",
   ["88143fd0-c28d-4b2b-8fef-8d882f6a9390", 0] = "RpcOpenEnum",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 15] = "RpcWinStationShutdownSystem",
   ["c681d488-d850-11d0-8c52-00c04fd90f7e", 28] = "Opnum28NotUsedOnWire",
   ["12345778-1234-abcd-ef00-0123456789ac", 31] = "SamrAddMemberToAlias",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 89] = "ApiNetworkControl",
   ["367abb81-9844-35f1-ad32-98f038001003", 53] = "ScValidatePnPService",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 74] = "ShutDownSystem",
   ["86d35949-83c9-4044-b424-db363231fd0c", 5] = "SchRpcGetSecurity",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 41] = "LlsrMappingAddA",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 1] = "PNP_Connect",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 9] = "AudioServerGetDevicePeriod",
   ["12345778-1234-abcd-ef00-0123456789ac", 4] = "SamrShutdownSamServer",
   ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5", 2] = "gfxCreateGfxList",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 9] = "WriteSignature",
   ["12345678-1234-abcd-ef00-01234567cffb", 30] = "NetrServerPasswordSet2",
   ["21546ae8-4da5-445e-987f-627fea39c5e8", 8] = "SetConfig",
   ["82ad4280-036b-11cf-972c-00aa006887b0", 5] = "R_InetInfoSetGlobalAdminInformation",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 42] = "RpcAsyncDeletePrinterDriver",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 50] = "GetEncapsulateDiskInfoEx",
   ["a4f1db00-ca47-1067-b31f-00dd010662da", 9] = "EcDoRpcExt",
   ["82273fdc-e32a-18c3-3f78-827929dc23ea", 0] = "ElfrClearELFW",
   ["82273fdc-e32a-18c3-3f78-827929dc23ea", 1] = "ElfrBackupELFW",
   ["86d35949-83c9-4044-b424-db363231fd0c", 11] = "SchRpcStop",
   ["4f7ca01c-a9e5-45b6-b142-2332a1339c1d", 8] = "GetAccountingMetadata",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 66] = "LlsrProductSecurityGetA",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 35] = "RpcWinStationAnnoyancePopup",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 43] = "PNP_FreeLogConf",
   ["df1941c5-fe89-4e79-bf10-463657acf44d", 17] = "Opnum17NotUsedOnWire",
   ["59602eb6-57b0-4fd8-aa4b-ebf06971fe15", 14] = "SetCalDefaultPolicyName",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 51] = "RRPC_FWEnumConnectionSecurityRules2_10",
   ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 11] = "EnumViewColumn",
   ["12345678-1234-abcd-ef00-01234567cffb", 38] = "DsrGetDcSiteCoverageW",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 95] = "R_DhcpV4FailoverDeleteScopeFromRelationship",
   ["6bffd098-a112-3610-9833-46c3f874532d", 32] = "R_DhcpCreateClientInfoV4",
   ["df1941c5-fe89-4e79-bf10-463657acf44d", 32] = "Opnum32NotUsedOnWire",
   ["12345778-1234-abcd-ef00-0123456789ab", 69] = "CredrGetSessionTypes",
   ["7fe0d935-dda6-443f-85d0-1cfb58fe41dd", 31] = "PublishCRLs",
   ["99fcfec4-5260-101b-bbcb-00aa0021347a", 3] = "ServerAlive",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 5] = "ApiGetQuorumResource",
   ["d049b186-814f-11d1-9a3c-00c04fc9b232", 5] = "NtFrsApi_Rpc_Get_DsPollingIntervalW",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 41] = "RRPC_FWQueryCryptoSets",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 55] = "RpcWinStationQueryLogonCredentials",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 0] = "RpcWinStationOpenServer",
   ["82273fdc-e32a-18c3-3f78-827929dc23ea", 11] = "ElfrReportEventW",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 7] = "PNP_GetRootDeviceInstance",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 14] = "RRPC_FWDeleteConnectionSecurityRule",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 23] = "PNP_GetInterfaceDeviceListSize",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 59] = "ApiAddNotifyGroup",
   ["82273fdc-e32a-18c3-3f78-827929dc23ea", 6] = "ElfrChangeNotify",
   ["bd0c73bc-805b-4043-9c30-9a28d64dd7d2", 9] = "Opnum9NotUsedOnWire",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 10] = "MarkActivePartition",
   ["12345778-1234-abcd-ef00-0123456789ac", 56] = "SamrGetDomainPasswordInformation",
   ["7fe0d935-dda6-443f-85d0-1cfb58fe41dd", 43] = "SetOfficerRights",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 53] = "DeletePartitionNumberInfoFromRegistry",
   ["338cd001-2244-31f1-aaaa-900038001003", 7] = "BaseRegDeleteKey",
   ["5422fd3a-d4b8-4cef-a12e-e87d4ca22e90", 8] = "GetCAPropertyInfo",
   ["82273fdc-e32a-18c3-3f78-827929dc23ea", 17] = "ElfrReadELA",
   ["338cd001-2244-31f1-aaaa-900038001003", 27] = "OpenCurrentConfig",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 3] = "RpcAsyncGetJob",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 32] = "GetVolumeMountName",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 91] = "ApiReAddNotifyNetwork",
   ["50abc2a4-574d-40b3-9d66-ee4fd5fba076", 0] = "DnssrvOperation",
   ["12345778-1234-abcd-ef00-0123456789ab", 15] = "LsarLookupSids",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 83] = "ApiGetNetworkState",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 61] = "ApiAddNotifyKey",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 29] = "LlsrMappingEnumA",
   ["df1941c5-fe89-4e79-bf10-463657acf44d", 37] = "Opnum37NotUsedOnWire",
   ["8d0ffe72-d252-11d0-bf8f-00c04fd9126b", 6] = "KeyrSetDefaultProvider",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 3] = "PNP_GetGlobalState",
   ["bd0c73bc-805b-4043-9c30-9a28d64dd7d2", 18] = "Opnum18NotUsedOnWire",
   ["d049b186-814f-11d1-9a3c-00c04fc9b232", 1] = "Opnum1NotUsedOnWire",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 105] = "R_DhcpV4GetAllOptionValues",
   ["f50aac00-c7f3-428e-a022-a6b71bfb9d43", 4] = "KeyrCloseKeyService",
   ["c681d488-d850-11d0-8c52-00c04fd90f7e", 7] = "EfsRpcQueryRecoveryAgents",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 29] = "PNP_DeviceInstanceAction",
   ["12345778-1234-abcd-ef00-0123456789ab", 27] = "LsarSetInformationTrustedDomain",
   ["86d35949-83c9-4044-b424-db363231fd0c", 17] = "SchRpcGetTaskInfo",
   ["12345778-1234-abcd-ef00-0123456789ac", 27] = "SamrOpenAlias",
   ["12345778-1234-abcd-ef00-0123456789ab", 82] = "CredrFindBestCredential",
   ["6bffd098-a112-3610-9833-46c3f874532d", 25] = "R_DhcpServerSetConfig",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 16] = "AudioSessionGetDisplayName",
   ["df1941c5-fe89-4e79-bf10-463657acf44d", 30] = "Opnum30NotUsedOnWire",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 106] = "ApiClusterControl",
   ["12345778-1234-abcd-ef00-0123456789ac", 19] = "SamrOpenGroup",
   ["12345678-1234-abcd-ef00-01234567cffb", 17] = "NetrDatabaseRedo",
   ["481e06cf-ab04-4498-8ffe-124a0a34296d", 14] = "CreateSchedule",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 67] = "LlsrProductSecuritySetW",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 22] = "AssignDriveLetter",
   ["17fdd703-1827-4e34-79d4-24a55c53bb37", 0] = "NetrMessageNameAdd",
   ["481e06cf-ab04-4498-8ffe-124a0a34296d", 8] = "CreateCalendar",
   ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 15] = "DRSRemoveDsDomain",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 17] = "NetrShareSetInfo",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 4] = "PNP_InitDetection",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 27] = "AudioSessionSetAllVolumes",
   ["12345778-1234-abcd-ef00-0123456789ab", 14] = "LsarLookupNames",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 79] = "LlsrReplicationUserAddExW",
   ["12345678-1234-abcd-ef00-0123456789ab", 4] = "RpcEnumJobs",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 71] = "PNP_DriverStoreDeleteDriverPackage",
   ["ccd8c074-d0e5-4a40-92b4-d074faa6ba28", 0] = "WitnessrGetInterfaceList",
   ["7fe0d935-dda6-443f-85d0-1cfb58fe41dd", 40] = "GetAuditFilter",
   ["4fc742e0-4a10-11cf-8273-00aa004ae673", 9] = "NetrDfsManagerSendSiteInfo",
   ["45f52c28-7f9f-101a-b52b-08002b2efabe", 10] = "R_WinsSetPriorityClass",
   ["45f52c28-7f9f-101a-b52b-08002b2efabe", 14] = "R_WinsGetBrowserNames_Old",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 4] = "ApiGetClusterVersion",
   ["bde95fdf-eee0-45de-9e12-e5a61cd0d4fe", 5] = "Opnum5NotUsedOnWire",
   ["367abb81-9844-35f1-ad32-98f038001003", 12] = "CreateServiceW",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 11] = "AudioSessionGetProcessId",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 5] = "RRPC_FWAddFirewallRule",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 8] = "PNP_GetRelatedDeviceInstance",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 62] = "PNP_GetVersionInternal",
   ["027947e1-d731-11ce-a357-000000000001", 3] = "Reset",
   ["45f52c28-7f9f-101a-b52b-08002b2efabe", 11] = "R_WinsResetCounters",
   ["12345678-1234-abcd-ef00-01234567cffb", 8] = "NetrDatabaseSync",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 60] = "AudioMeterGetAverageRMS",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 65] = "GetTaskDetail",
   ["4f7ca01c-a9e5-45b6-b142-2332a1339c1d", 15] = "RegisterAccountingClient",
   ["45f52c28-7f9f-101a-b52b-08002b2efabe", 19] = "R_WinsDoScavengingNew",
   ["12345778-1234-abcd-ef00-0123456789ac", 13] = "SamrEnumerateUsersInDomain",
   ["df1941c5-fe89-4e79-bf10-463657acf44d", 8] = "EfsRpcRemoveUsersFromFile",
   ["86d35949-83c9-4044-b424-db363231fd0c", 16] = "SchRpcGetLastRunInfo",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 34] = "PolicyConfigSetProcessingPeriod",
   ["82273fdc-e32a-18c3-3f78-827929dc23ea", 5] = "ElfrOldestRecord",
   ["c681d488-d850-11d0-8c52-00c04fd90f7e", 1] = "EfsRpcReadFileRaw",
   ["e1af8308-5d1f-11c9-91a4-08002b14a0fa", 3] = "ept_map",
   ["6bffd098-a112-3610-9833-46c3f874532d", 46] = "R_DhcpGetClientInfoVQ",
   ["12345678-1234-abcd-ef00-0123456789ab", 8] = "RpcGetPrinter",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 28] = "NetrRemoteTOD",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 20] = "FTReplaceParityStripePartition",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 20] = "PNP_DeleteClassKey",
   ["0d72a7d4-6148-11d1-b4aa-00c04fb66ea0", 0] = "SSCertProtectFunction",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 53] = "RpcWinStationGetLanAdapterName",
   ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 15] = "EnumView",
   ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 2] = "DRSReplicaSync",
   ["2f5f3220-c126-1076-b549-074d078619da", 14] = "NDdeGetTrustedShareW",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 51] = "PNP_GetResDesDataSize",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 76] = "ApiNodeGroupControl",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 17] = "AudioSessionSetDisplayName",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 105] = "ApiNodeClusterControl",
   ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5", 3] = "gfxRemoveGfx",
   ["12345678-1234-abcd-ef00-01234567cffb", 16] = "NetrDatabaseSync2",
   ["e1af8308-5d1f-11c9-91a4-08002b14a0fa", 2] = "ept_lookup",
   ["df1941c5-fe89-4e79-bf10-463657acf44d", 5] = "EfsDecryptFileSrv",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 72] = "PNP_RegisterServiceNotification",
   ["12345778-1234-abcd-ef00-0123456789ab", 54] = "LsarSetDomainInformationPolicy",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 84] = "R_DhcpSetFilterV4",
   ["df1941c5-fe89-4e79-bf10-463657acf44d", 24] = "Opnum24NotUsedOnWire",
   ["bd0c73bc-805b-4043-9c30-9a28d64dd7d2", 7] = "Opnum7NotUsedOnWire",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 6] = "RRPC_FWSetFirewallRule",
   ["29822ab8-f302-11d0-9953-00c04fd919c1", 9] = "AppCreate2",
   ["12345778-1234-abcd-ef00-0123456789ac", 65] = "SamrRidToSid",
   ["12345678-1234-abcd-ef00-0123456789ab", 49] = "RpcAddPrintProvidor",
   ["214a0f28-b737-4026-b847-4f9e37d79529", 3] = "AddDiffArea",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 13] = "ApiSetResourceName",
   ["12345778-1234-abcd-ef00-0123456789ab", 58] = "LsarLookupNames2",
   ["897e2e5f-93f3-4376-9c9c-fd2277495c27", 11] = "RdcGetFileData",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 27] = "LlsrUserProductDeleteA",
   ["12345778-1234-abcd-ef00-0123456789ac", 37] = "SamrSetInformationUser",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 24] = "NetrServerStatisticsGet",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 48] = "Opnum48NotUsedOnWire",
   ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 4] = "EvtRpcRegisterControllableOperation",
   ["2f59a331-bf7d-48cb-9ec5-7c090d76e8b8", 3] = "RpcLicensingUnloadPolicy",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 73] = "RpcAsyncEnumJobNamedProperties",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 130] = "R_DhcpV4EnumSubnetClientsEx",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 12] = "Opnum12NotUsedOnWire",
   ["c681d488-d850-11d0-8c52-00c04fd90f7e", 15] = "EfsRpcAddUsersToFileEx",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 25] = "ApiChangeResourceGroup",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 41] = "ReConnectDisk",
   ["943991a5-b3fe-41fa-9696-7f7b656ee34b", 9] = "ModifyMachineGroup",
   ["12345778-1234-abcd-ef00-0123456789ac", 21] = "SamrSetInformationGroup",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 71] = "RpcWinStationRegisterNotificationEvent",
   ["4fc742e0-4a10-11cf-8273-00aa004ae673", 14] = "NetrDfsManagerInitialize",
   ["12345678-1234-abcd-ef00-01234567cffb", 33] = "DsrAddressToSiteNamesW",
   ["12345678-1234-abcd-ef00-0123456789ab", 87] = "RpcEnumPerMachineConnections",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 24] = "RRPC_FWDeleteCryptoSet",
   ["367abb81-9844-35f1-ad32-98f038001003", 7] = "SetServiceStatus",
   ["88143fd0-c28d-4b2b-8fef-8d882f6a9390", 4] = "RpcEnumAddFilter",
   ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 31] = "DeleteBackup",
   ["12345678-1234-abcd-ef00-0123456789ab", 79] = "RpcEnumPrinterDataEx",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 8] = "RRPC_FWDeleteAllFirewallRules",
   ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 25] = "BackupReadFile",
   ["e65e8028-83e8-491b-9af7-aaf6bd51a0ce", 6] = "GetReferenceVersionVectors",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 6] = "CreatePartitionAssignAndFormat",
   ["bd0c73bc-805b-4043-9c30-9a28d64dd7d2", 11] = "Opnum11NotUsedOnWire",
   ["034634fd-ba3f-11d1-856a-00a0c944138c", 9] = "SendMsgToASession",
   ["12345678-1234-abcd-ef00-0123456789ab", 1] = "RpcOpenPrinter",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 22] = "PNP_GetInterfaceDeviceList",
   ["7fe0d935-dda6-443f-85d0-1cfb58fe41dd", 38] = "Ping2",
   ["deb01010-3a37-4d26-99df-e2bb6ae3ac61", 4] = "GetVolumeDeviceName",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 24] = "LlsrUserProductEnumW",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 56] = "RRPC_FWSetCryptoSet2_10",
   ["12345678-1234-abcd-ef00-01234567cffb", 18] = "NetrLogonControl2Ex",
   ["12345678-1234-abcd-ef00-01234567cffb", 7] = "NetrDatabaseDeltas",
   ["214a0f28-b737-4026-b847-4f9e37d79529", 4] = "ChangeDiffAreaMaximizeSize",
   ["12345678-1234-abcd-ef00-0123456789ab", 52] = "RpcResetPrinter",
   ["12345778-1234-abcd-ef00-0123456789ac", 10] = "SamrCreateGroupInDomain",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 48] = "R_DhcpSetOptionInfoV6",
   ["11899a43-2b68-4a76-92e3-a3d6ad8c26ce", 1] = "RpcRegisterAsyncNotification",
   ["50abc2a4-574d-40b3-9d66-ee4fd5fba076", 4] = "DnssrvUpdateRecord",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 5] = "LlsrLicenseAddA",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 7] = "R_DhcpDeleteMScope",
   ["367abb81-9844-35f1-ad32-98f038001003", 5] = "SetServiceObjectSecurity",
   ["45f52c28-7f9f-101a-b52b-08002b2efabe", 18] = "R_WinsStatusWHdl",
   ["12345778-1234-abcd-ef00-0123456789ac", 58] = "SamrSetInformationUser2",
   ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 12] = "R_EnumData",
   ["6bffd098-a112-3610-9833-46c3f874532d", 20] = "R_DhcpEnumSubnetClients",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 19] = "LlsrUserInfoGetA",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 39] = "AudioSessionManagerGetAudioSession",
   ["12345678-1234-abcd-ef00-0123456789ab", 66] = "RpcRouterReplyPrinterEx",
   ["7fe0d935-dda6-443f-85d0-1cfb58fe41dd", 46] = "ImportKey",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 46] = "RRPC_FWAddFirewallRule2_10",
   ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 1] = "EvtRpcRemoteSubscriptionNextAsync",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 54] = "PNP_QueryResConfList",
   ["338cd001-2244-31f1-aaaa-900038001003", 26] = "BaseRegGetVersion",
   ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6", 3] = "RpcSrvRequestParams",
   ["2f5f3220-c126-1076-b549-074d078619da", 15] = "NDdeTrustedShareEnumA",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 35] = "RRPC_FWDeleteAllMainModeRules",
   ["2f5f3220-c126-1076-b549-074d078619da", 16] = "NDdeTrustedShareEnumW",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 52] = "RpcAsyncDeleteMonitor",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 78] = "EnumAccessPath",
   ["12345778-1234-abcd-ef00-0123456789ab", 57] = "LsarLookupSids2",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 70] = "R_DhcpSetServerBindingInfoV6",
   ["2f5f6520-ca46-1067-b319-00dd010662da", 2] = "ClientDetach",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 52] = "RpcServerQueryInetConnectorInformation",
   ["21546ae8-4da5-445e-987f-627fea39c5e8", 10] = "EnableDisable",
   ["df1941c5-fe89-4e79-bf10-463657acf44d", 33] = "Opnum33NotUsedOnWire",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 8] = "RpcAsyncSetPrinter",
   ["c4b0c7d9-abe0-4733-a1e1-9fdedf260c7a", 8] = "ModifyObject",
   ["338cd001-2244-31f1-aaaa-900038001003", 19] = "BaseRegRestoreKey",
   ["00020401-0000-0000-c000-000000000046", 5] = "GetFuncDesc",
   ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5", 9] = "winmmRegisterSessionNotificationEvent",
   ["338cd001-2244-31f1-aaaa-900038001003", 3] = "OpenPerformanceData",
   ["bd0c73bc-805b-4043-9c30-9a28d64dd7d2", 21] = "Opnum21NotUsedOnWire",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 19] = "AudioSessionSetSessionClass",
   ["bde95fdf-eee0-45de-9e12-e5a61cd0d4fe", 10] = "RpcGetUserCertificates",
   ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 17] = "EvtRpcOpenLogHandle",
   ["c3fcc19e-a970-11d2-8b5a-00a0c9b7c9c4", 3] = "GetSerializedBuffer",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 89] = "LlsrCloseEx",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 47] = "ReAttachDisk",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 37] = "NetrShareDelStart",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 31] = "LlsrMappingInfoGetA",
   ["12345678-1234-abcd-ef00-0123456789ab", 24] = "RpcAddJob",
   ["d049b186-814f-11d1-9a3c-00c04fc9b232", 3] = "Opnum3NotUsedOnWire",
   ["77df7a80-f298-11d0-8358-00a024c480a8", 8] = "S_DSLookupEnd",
   ["bd0c73bc-805b-4043-9c30-9a28d64dd7d2", 22] = "ImportFromBlob",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 72] = "RefreshFileSys",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 12] = "ApiGetResourceState",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 71] = "R_DhcpSetClientInfoV6",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 68] = "PNP_InstallDevInst",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 95] = "ApiGetNetInterface",
   ["6bffd098-a112-3610-9833-46c3f87e345a", 3] = "NetrWkstaUserGetInfo",
   ["83da7c00-e84f-11d2-9807-00c04f8ec850", 1] = "SfcSrv_IsFileProtected",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 23] = "LlsrUserDeleteA",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 88] = "R_DhcpEnumSubnetClientsFilterStatusInfo",
   ["6bffd098-a112-3610-9833-46c3f874532d", 26] = "R_DhcpServerGetConfig",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 43] = "LlsrMappingDeleteA",
   ["7fe0d935-dda6-443f-85d0-1cfb58fe41dd", 47] = "GetMyRoles",
   ["12345678-1234-abcd-ef00-0123456789ab", 48] = "RpcDeletePrintProcessor",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 76] = "RRPC_FWEnumFirewallRules2_25",
   ["12345778-1234-abcd-ef00-0123456789ac", 39] = "SamrGetGroupsForUser",
   ["12345678-1234-abcd-ef00-01234567cffb", 44] = "NetrGetForestTrustInformation",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 24] = "RpcAsyncSetForm",
   ["3a410f21-553f-11d1-8e5e-00a0c92c9d5d", 3] = "CreateRemoteObject",
   ["2f59a331-bf7d-48cb-9ec5-7c090d76e8b8", 8] = "RpcLicensingDeactivateCurrentPolicy",
   ["82273fdc-e32a-18c3-3f78-827929dc23ea", 4] = "ElfrNumberOfRecords",
   ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c", 5] = "EvtRpcRegisterLogQuery",
   ["77df7a80-f298-11d0-8358-00a024c480a8", 0] = "S_DSCreateObject",
   ["6bffd098-a112-3610-9833-46c3f87e345a", 25] = "NetrValidateName2",
   ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 16] = "CloseView",
   ["82ad4280-036b-11cf-972c-00aa006887b0", 14] = "R_IISDEnumerateUsers",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 92] = "ApiOpenNetInterface",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 20] = "NetrShareCheck",
   ["77df7a80-f298-11d0-8358-00a024c480a8", 27] = "S_DSGetServerPort",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 54] = "R_DhcpRemoveOptionValueV6",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 0] = "R_DhcpEnumSubnetClientsV5",
   ["2f5f6521-ca47-1068-b319-00dd010662db", 0] = "RemoteSPAttach",
   ["12345778-1234-abcd-ef00-0123456789ac", 46] = "SamrQueryInformationDomain2",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 46] = "LlsrServerProductEnumW",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 123] = "R_DhcpV4GetClientInfo",
   ["e3514235-4b06-11d1-ab04-00c04fc2dcd2", 0] = "DRSBind",
   ["12345778-1234-abcd-ef00-0123456789ac", 69] = "SamrPerformGenericOperation",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 73] = "R_DhcpDeleteClientInfoV6",
   ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4", 19] = "nsi_mgmt_entry_inq_if_ids",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 12] = "LlsrProductServerEnumW",
   ["59602eb6-57b0-4fd8-aa4b-ebf06971fe15", 21] = "SetConditionalPolicy",
   ["897e2e5f-93f3-4376-9c9c-fd2277495c27", 10] = "RdcPushSourceNeeds",
   ["708cca10-9569-11d1-b2a5-0060977d8118", 8] = "S_DSGetGCListInDomain",
   ["12345778-1234-abcd-ef00-0123456789ab", 12] = "LsarCreateTrustedDomain",
   ["8d0ffe72-d252-11d0-bf8f-00c04fd9126b", 10] = "KeyrEnumerateAvailableCertTypes",
   ["6bffd098-a112-3610-9833-46c3f87e345a", 2] = "NetrWkstaUserEnum",
   ["12345778-1234-abcd-ef00-0123456789ab", 10] = "LsarCreateAccount",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 45] = "RpcAsyncEnumPrintProcessors",
   ["12345678-1234-abcd-ef00-0123456789ab", 15] = "RpcEnumPrintProcessors",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 1] = "RpcAsyncAddPrinter",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 6] = "R_DhcpRemoveMScopeElement",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 19] = "RRPC_FWDeleteAuthenticationSet",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 20] = "AudioSessionGetVolume",
   ["6bffd098-a112-3610-9833-46c3f874532d", 21] = "R_DhcpGetClientOptions",
   ["77df7a80-f298-11d0-8358-00a024c480a8", 19] = "S_DSQMSetMachineProperties",
   ["70b51430-b6ca-11d0-b9b9-00a0c922e750", 17] = "OpenKey",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 43] = "ImportDiskGroup",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 84] = "ApiSetNetworkName",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 42] = "AudioSessionManagerAddAudioSessionClientNotification",
   ["59602eb6-57b0-4fd8-aa4b-ebf06971fe15", 12] = "MoveBefore",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 32] = "RpcWinStationNotifyLogon",
   ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 11] = "RpcSrvRegisterParams",
   ["2f5f3220-c126-1076-b549-074d078619da", 8] = "NDdeShareEnumW",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 14] = "R_DhcpCreateOptionV5",
   ["2f5f6520-ca46-1067-b319-00dd010662da", 1] = "ClientRequest",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 50] = "ApiOfflineGroup",
   ["6bffd098-a112-3610-9833-012892020162", 6] = "BrowserrResetStatistics",
   ["7c4e1804-e342-483d-a43e-a850cfcc8d18", 5] = "CreateApplicationPool",
   ["12345678-1234-abcd-ef00-0123456789ab", 20] = "RpcEndPagePrinter",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 12] = "Opnum12NotUsedOnWire",
   ["c5cebee2-9df5-4cdd-a08c-c2471bc144b4", 12] = "GetDependencies",
   ["e33c0cc4-0482-101a-bc0c-02608c6ba218", 5] = "I_nsi_entry_object_inq_done",
   ["df1941c5-fe89-4e79-bf10-463657acf44d", 27] = "Opnum27NotUsedOnWire",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 34] = "RpcWinStationEnumerateProcesses",
   ["12345778-1234-abcd-ef00-0123456789ab", 50] = "LsarEnumerateTrustedDomainsEx",
   ["12345678-1234-abcd-ef00-01234567cffb", 25] = "NetrLogonComputeClientDigest",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b", 35] = "PNP_RegisterDriver",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 73] = "RRPC_FWQueryFirewallRules2_24",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 69] = "RRPC_FWQueryFirewallRules2_20",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 52] = "AudioVolumeSetChannelVolumeLevel",
   ["00020401-0000-0000-c000-000000000046", 18] = "GetContainingTypeLib",
   ["12345778-1234-abcd-ef00-0123456789ab", 85] = "LsarEnumerateAuditPolicy",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 50] = "R_DhcpEnumOptionsV6",
   ["12345678-1234-abcd-ef00-0123456789ab", 5] = "RpcAddPrinter",
   ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5", 14] = "RpcSrvQueryLeaseInfo",
   ["50abc2a4-574d-40b3-9d66-ee4fd5fba076", 9] = "DnssrvUpdateRecord2",
   ["83da7c00-e84f-11d2-9807-00c04f8ec850", 5] = "SfcSrv_SetCacheSize",
   ["338cd001-2244-31f1-aaaa-900038001003", 22] = "BaseRegSetValue",
   ["12345678-1234-abcd-ef00-01234567cffb", 11] = "NetrGetDCName",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed", 57] = "RpcWinStationUnRegisterConsoleNotification",
   ["6bffd098-a112-3610-9833-46c3f874532d", 30] = "R_DhcpEnumSubnetElementsV4",
   ["3dde7c30-165d-11d1-ab8f-00805f14db40", 0] = "bkrp_BackupKey",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 55] = "RpcAsyncAddPerMachineConnection",
   ["12345778-1234-abcd-ef00-0123456789ac", 16] = "SamrGetAliasMembership",
   ["6bffd098-a112-3610-9833-46c3f87e345a", 5] = "NetrWkstaTransportEnum",
   ["44e265dd-7daf-42cd-8560-3cdb6e7a2729", 3] = "TsProxyMakeTunnelCall",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61", 45] = "DiskMergeQuery",
   ["77df7a80-f298-11d0-8358-00a024c480a8", 26] = "Opnum26NotUsedOnWire",
   ["3919286a-b10c-11d0-9ba8-00c04fd92ef5", 5] = "DsRolerGetDcOperationProgress",
   ["5b821720-f63b-11d0-aad2-00c04fc324db", 21] = "R_DhcpGetOptionValueV5",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 30] = "AudioServerGetMixFormat",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 7] = "RRPC_FWDeleteFirewallRule",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f", 20] = "ApiRemoveResourceDependency",
   ["df1941c5-fe89-4e79-bf10-463657acf44d", 0] = "EfsRpcOpenFileRaw",
   ["77df7a80-f298-11d0-8358-00a024c480a8", 23] = "S_DSCloseServerHandle",
   ["c681d488-d850-11d0-8c52-00c04fd90f7e", 9] = "EfsRpcAddUsersToFile",
   ["d99e6e71-fc88-11d0-b498-00a0c90312f3", 13] = "EnumAttributesOrExtensions",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 48] = "RRPC_FWEnumFirewallRules2_10",
   ["12345778-1234-abcd-ef00-0123456789ab", 64] = "CredrReadDomainCredentials",
   ["6bffd098-a112-3610-9833-46c3f874532d", 17] = "R_DhcpSetClientInfo",
   ["4b112204-0e19-11d3-b42b-0000f81feb9f", 7] = "RemoveSyncHandle",
   ["8298d101-f992-43b7-8eca-5052d885b995", 34] = "BackupWithPasswrd",
   ["17fdd703-1827-4e34-79d4-24a55c53bb37", 2] = "NetrMessageNameGetInfo",
   ["44e265dd-7daf-42cd-8560-3cdb6e7a2729", 1] = "TsProxyCreateTunnel",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d", 22] = "LlsrUserDeleteW",
   ["44e265dd-7daf-42cd-8560-3cdb6e7a2729", 9] = "TsProxySendToServer",
   ["12345778-1234-abcd-ef00-0123456789ac", 3] = "SamrQuerySecurityObject",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 9] = "RRPC_FWEnumFirewallRules",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 26] = "Format",
   ["6bffd098-a112-3610-9833-46c3f87e345a", 27] = "NetrAddAlternateComputerName",
   ["c681d488-d850-11d0-8c52-00c04fd90f7e", 43] = "Opnum43NotUsedOnWire",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 7] = "RpcAsyncDeletePrinter",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 12] = "RRPC_FWAddConnectionSecurityRule",
   ["12345778-1234-abcd-ef00-0123456789ab", 61] = "CredrRead",
   ["76f03f96-cdfd-44fc-a22c-64950a001209", 66] = "RpcAsyncGetPrinterDriverPackagePath",
   ["12345778-1234-abcd-ef00-0123456789ac", 18] = "SamrLookupIdsInDomain",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 12] = "AudioSessionGetState",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 58] = "GetDontShow",
   ["c386ca3e-9061-4a72-821e-498d83be188f", 64] = "AudioVolumeGetStepInfo",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188", 50] = "NetrDfsModifyPrefix",
   ["9556dc99-828c-11cf-a37e-00aa003240c7", 12] = "CreateClassEnum",
   ["027947e1-d731-11ce-a357-000000000001", 6] = "Clone",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586", 28] = "EnumVolumes",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48", 81] = "RRPC_FWQueryFirewallRules2_26"
}
DCE_RPC::pipe_name_to_common_uuid
Type

table [string] of string

Attributes

&redef

Default
{
   ["spoolss"] = "12345678-1234-abcd-ef00-0123456789ab",
   ["srvsvc"] = "4b324fc8-1670-01d3-1278-5a47bf6ee188",
   ["winreg"] = "338cd001-2244-31f1-aaaa-900038001003"
}

This table maps pipe names to the UUID of the service most commonly carried over that pipe. It is consulted in cases where the bind to the pipe was not seen, so the interface UUID could not be learned from the traffic itself.

DCE_RPC::uuid_endpoint_map
Type

table [string] of string

Attributes

&redef &default = function

Default
{
   ["943991a5-b3fe-41fa-9696-7f7b656ee34b"] = "IWRMMachineGroup",
   ["fdf8a2b9-02de-47f4-bc26-aa85ab5e5267"] = "ITpmVirtualSmartCardManager2",
   ["3c745a97-f375-4150-be17-5950f694c699"] = "ITpmVirtualSmartCardManager3",
   ["03837543-098b-11d8-9414-505054503030"] = "IFolderAction",
   ["66a2db20-d706-11d0-a37b-00c04fc9da04"] = "IRemoteRouterRestart",
   ["91ae6020-9e3c-11cf-8d7c-00aa00c091be"] = "ICertPassage",
   ["906b0ce0-c70b-1067-b317-00dd010662da"] = "IXnRemote",
   ["03837533-098b-11d8-9414-505054503030"] = "IValueMapItem",
   ["0383751a-098b-11d8-9414-505054503030"] = "IApiTracingDataCollector",
   ["7fe0d935-dda6-443f-85d0-1cfb58fe41dd"] = "ICertAdminD2",
   ["bde95fdf-eee0-45de-9e12-e5a61cd0d4fe"] = "RCMPublic",
   ["5ff9bdf6-bd91-4d8b-a614-d6317acc8dd8"] = "IRemoteSstpCertCheck",
   ["8d9f4e40-a03d-11ce-8f69-08003e30051b"] = "pnp",
   ["76f03f96-cdfd-44fc-a22c-64950a001209"] = "IRemoteWinspool",
   ["0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53"] = "idletask",
   ["8165b19e-8d3a-4d0b-80c8-97de310db583"] = "IServicedComponentInfo",
   ["6bffd098-a112-3610-9833-46c3f87e345a"] = "wkssvc",
   ["9556dc99-828c-11cf-a37e-00aa003240c7"] = "IWbemServices",
   ["3a410f21-553f-11d1-8e5e-00a0c92c9d5d"] = "IDMRemoteServer",
   ["03837506-098b-11d8-9414-505054503030"] = "IPerformanceCounterDataCollector",
   ["1c1c45ee-4395-11d2-b60b-00104b703efd"] = "IWbemFetchSmartEnum interface",
   ["12345778-1234-abcd-ef00-0123456789ab"] = "lsarpc",
   ["ccd8c074-d0e5-4a40-92b4-d074faa6ba28"] = "Witness",
   ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c4"] = "NsiM",
   ["db90832f-6910-4d46-9f5e-9fd6bfa73903"] = "INtmsLibraryControl2",
   ["03837510-098b-11d8-9414-505054503030"] = "ITraceDataProviderCollection",
   ["51c82175-844e-4750-b0d8-ec255555bc06"] = "KMS",
   ["481e06cf-ab04-4498-8ffe-124a0a34296d"] = "IWRMCalendar",
   ["03837502-098b-11d8-9414-505054503030"] = "IDataCollectorCollection",
   ["03837541-098b-11d8-9414-505054503030"] = "IDataManager",
   ["4da1c422-943d-11d1-acae-00c04fc2aa3f"] = "trksvr",
   ["d2d79df7-3400-11d0-b40b-00aa005ff586"] = "IDMNotify",
   ["894de0c0-0d55-11d3-a322-00c04fa321a1"] = "InitShutdown",
   ["00020400-0000-0000-c000-000000000046"] = "IDispatch",
   ["7c4e1804-e342-483d-a43e-a850cfcc8d18"] = "IIISApplicationAdmin",
   ["00020403-0000-0000-c000-000000000046"] = "ITypeComp",
   ["135698d2-3a37-4d26-99df-e2bb6ae3ac61"] = "IVolumeClient3",
   ["4e934f30-341a-11d1-8fb1-00a024cb6019"] = "INtmsLibraryControl1",
   ["d02e4be0-3419-11d1-8fb1-00a024cb6019"] = "INtmsMediaServices1",
   ["4f7ca01c-a9e5-45b6-b142-2332a1339c1d"] = "IWRMAccounting",
   ["b057dc50-3059-11d1-8faf-00a024cb6019"] = "INtmsObjectManagement1",
   ["8298d101-f992-43b7-8eca-5052d885b995"] = "IMSAdminBase2W",
   ["0b6edbfa-4a24-4fc6-8a23-942b1eca65d1"] = "IRPCAsyncNotify",
   ["afc07e2e-311c-4435-808c-c483ffeec7c9"] = "lsacap",
   ["c49e32c7-bc8b-11d2-85d4-00105a1f8304"] = "IWbemBackupRestore interface",
   ["c5cebee2-9df5-4cdd-a08c-c2471bc144b4"] = "IResourceManager",
   ["03837544-098b-11d8-9414-505054503030"] = "IFolderActionCollection",
   ["82ad4280-036b-11cf-972c-00aa006887b0"] = "inetinfo",
   ["c3fcc19e-a970-11d2-8b5a-00a0c9b7c9c4"] = "IManagedObject",
   ["bc681469-9dd9-4bf4-9b3d-709f69efe431"] = "IWRMResourceGroup",
   ["484809d6-4239-471b-b5bc-61df8c23ac48"] = "TermSrvSession",
   ["1a1bb35f-abb8-451c-a1ae-33d98f1bef4a"] = "ITpmVirtualSmartCardManagerStatusCallback",
   ["da5a86c5-12c2-4943-ab30-7f74a813d853"] = "PerflibV2",
   ["038374ff-098b-11d8-9414-505054503030"] = "IDataCollector",
   ["1257b580-ce2f-4109-82d6-a9459d0bf6bc"] = "SessEnvPublicRpc",
   ["e65e8028-83e8-491b-9af7-aaf6bd51a0ce"] = "IServerHealthReport",
   ["f5cc5a18-4264-101a-8c59-08002b2f8426"] = "nspi",
   ["6b5bdd1e-528c-422c-af8c-a4079be4fe48"] = "RemoteFW",
   ["4b112204-0e19-11d3-b42b-0000f81feb9f"] = "ssdpsrv",
   ["3faf4738-3a21-4307-b46c-fdda9bb8c0d5"] = "AudioSrv",
   ["000001a0-0000-0000-c000-000000000046"] = "IRemoteSCMActivator",
   ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6"] = "dhcpcsvc6",
   ["29822ab7-f302-11d0-9953-00c04fd919c1"] = "IWamAdmin",
   ["11899a43-2b68-4a76-92e3-a3d6ad8c26ce"] = "TermServNotification",
   ["2c9273e0-1dc3-11d3-b364-00105a1f8177"] = "IWbemRefreshingServices interface",
   ["44aca675-e8fc-11d0-a07c-00c04fb68820"] = "IWbemCallResult interface",
   ["1ff70682-0a51-30e8-076d-740be8cee98b"] = "atsvc",
   ["a4f1db00-ca47-1067-b31f-00dd010662da"] = "exchange_mapi",
   ["6bffd098-a112-3610-9833-012892020162"] = "browser",
   ["541679AB-2E5F-11d3-B34E-00104BCC4B4A"] = "IWbemLoginHelper interface",
   ["2f5f6521-ca47-1068-b319-00dd010662db"] = "remotesp",
   ["d6d70ef0-0e3b-11cb-acc3-08002b1d29c3"] = "NsiS",
   ["5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc"] = "msgsvcsend",
   ["4bb8ab1d-9ef9-4100-8eb6-dd4b4e418b72"] = "IADProxy",
   ["d95afe70-a6d5-4259-822e-2c84da1ddb0d"] = "WindowsShutdown",
   ["0383753d-098b-11d8-9414-505054503030"] = "IScheduleCollection",
   ["03837524-098b-11d8-9414-505054503030"] = "IDataCollectorSetCollection",
   ["8da03f40-3419-11d1-8fb1-00a024cb6019"] = "INtmsSession1",
   ["03837512-098b-11d8-9414-505054503030"] = "ITraceDataProvider",
   ["5b821720-f63b-11d0-aad2-00c04fc324db"] = "dhcpsrv2",
   ["00020404-0000-0000-c000-000000000046"] = "IEnumVARIANT",
   ["112b1dff-d9dc-41f7-869f-d67fee7cb591"] = "ITpmVirtualSmartCardManager",
   ["6139d8a4-e508-4ebb-bac7-d7f275145897"] = "IRemoteIPV6Config",
   ["00020401-0000-0000-c000-000000000046"] = "ITypeInfo",
   ["1088a980-eae5-11d0-8d9b-00a02453c337"] = "qm2qm",
   ["d2d79df5-3400-11d0-b40b-00aa005ff586"] = "IVolumeClient",
   ["367abb81-9844-35f1-ad32-98f038001003"] = "svcctl",
   ["0383753a-098b-11d8-9414-505054503030"] = "ISchedule",
   ["df1941c5-fe89-4e79-bf10-463657acf44d"] = "efsrpc",
   ["2a3eb639-d134-422d-90d8-aaa1b5216202"] = "IResourceManager2",
   ["bd0c73bc-805b-4043-9c30-9a28d64dd7d2"] = "IIISCertObj",
   ["88143fd0-c28d-4b2b-8fef-8d882f6a9390"] = "TermServEnumeration",
   ["2f5f3220-c126-1076-b549-074d078619da"] = "nddeapi",
   ["76d12b80-3467-11d3-91ff-0090272f9ea3"] = "qmcomm2",
   ["fdb3a030-065f-11d1-bb9b-00a024ea5525"] = "qmcomm",
   ["01954e6b-9254-4e6e-808c-c9e05d007696"] = "IVssEnumMgmtObject",
   ["3bbed8d9-2c9a-4b21-8936-acb2f995be6c"] = "INtmsObjectManagement3",
   ["f612954d-3b0b-4c56-9563-227b7be624b4"] = "IMSAdminBase3W",
   ["c49e32c6-bc8b-11d2-85d4-00105a1f8304"] = "IWbemBackupRestoreEx interface",
   ["12b81e99-f207-4a4c-85d3-77b42f76fd14"] = "ISeclogon",
   ["ea0a3165-4834-11d2-a6f8-00c04fa346cc"] = "fax",
   ["d049b186-814f-11d1-9a3c-00c04fc9b232"] = "NtFrsApi",
   ["d99e6e70-fc88-11d0-b498-00a0c90312f3"] = "ICertRequestD",
   ["300f3532-38cc-11d0-a3f0-0020af6b0add"] = "trkwks",
   ["3919286a-b10c-11d0-9ba8-00c04fd92ef5"] = "dssetup",
   ["03837534-098b-11d8-9414-505054503030"] = "IValueMap",
   ["879c8bbe-41b0-11d1-be11-00c04fb6bf70"] = "IClientSink",
   ["338cd001-2244-31f1-aaaa-900038001003"] = "winreg",
   ["895a2c86-270d-489d-a6c0-dc2a9b35280e"] = "INtmsObjectManagement2",
   ["027947e1-d731-11ce-a357-000000000001"] = "IEnumWbemClassObject interface",
   ["e8fb8620-588f-11d2-9d61-00c04f79c5fe"] = "IIisServiceControl",
   ["833e4100-aff7-4ac3-aac2-9f24c1457bce"] = "IPCHCollection",
   ["66a2db22-d706-11d0-a37b-00c04fc9da04"] = "IRemoteICFICSConfig",
   ["f50aac00-c7f3-428e-a022-a6b71bfb9d43"] = "ICatDBSvc",
   ["44e265dd-7daf-42cd-8560-3cdb6e7a2729"] = "TsProxyRpcInterface",
   ["53b46b02-c73b-4a3e-8dee-b16b80672fc0"] = "TSVIPPublic",
   ["70b51430-b6ca-11d0-b9b9-00a0c922e750"] = "IMSAdminBaseW",
   ["86d35949-83c9-4044-b424-db363231fd0c"] = "ITaskSchedulerService",
   ["423ec01e-2e35-11d2-b604-00104b703efd"] = "IWbemWCOSmartEnum interface",
   ["59602eb6-57b0-4fd8-aa4b-ebf06971fe15"] = "IWRMPolicy",
   ["d4781cd6-e5d3-44df-ad94-930efe48a887"] = "IWbemLoginClientID",
   ["4d9f4ab8-7d1c-11cf-861e-0020af6e7c57"] = "IActivation",
   ["12345678-1234-abcd-ef00-0123456789ab"] = "spoolss",
   ["57674cd0-5200-11ce-a897-08002b2e9c6d"] = "lls_license",
   ["50abc2a4-574d-40b3-9d66-ee4fd5fba076"] = "dnsserver",
   ["b97db8b2-4c63-11cf-bff6-08002be23f2f"] = "clusapi",
   ["ae33069b-a2a8-46ee-a235-ddfd339be281"] = "IRPCRemoteObject",
   ["d99e6e71-fc88-11d0-b498-00a0c90312f3"] = "ICertAdminD",
   ["12345678-1234-abcd-ef00-01234567cffb"] = "netlogon",
   ["6099fc12-3eff-11d0-abd0-00c04fd91a4e"] = "faxclient",
   ["82273fdc-e32a-18c3-3f78-827929dc23ea"] = "eventlog",
   ["e1af8308-5d1f-11c9-91a4-08002b14a0fa"] = "epmapper",
   ["497d95a6-2d27-4bf5-9bbd-a6046957133c"] = "RCMListener",
   ["20610036-fa22-11cf-9823-00a0c911e5df"] = "rasrpc",
   ["8f09f000-b7ed-11ce-bbd2-00001a181cad"] = "dimsvc",
   ["3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5"] = "RpcSrvDHCPC",
   ["fa7df749-66e7-4986-a27f-e2f04ae53772"] = "IVssSnapshotMgmt",
   ["4590f812-1d3a-11d0-891f-00aa004b2e24"] = "IWbemClassObject unmarshaler",
   ["41208ee0-e970-11d1-9b9e-00e02c064c39"] = "qmmgmt",
   ["081e7188-c080-4ff3-9238-29f66d6cabfd"] = "IMessenger",
   ["5ca4a760-ebb1-11cf-8611-00a0245420ed"] = "winstation_rpc",
   ["7c857801-7381-11cf-884d-00aa004b2e24"] = "IWbemObjectSink interface",
   ["22e5386d-8b12-4bf0-b0ec-6a1ea419e366"] = "NetEventForwarder",
   ["c8cb7687-e6d3-11d2-a958-00c04f682e16"] = "DAV RPC SERVICE",
   ["d3fbb514-0e3b-11cb-8fad-08002b1d29c3"] = "NsiC",
   ["f6beaff7-1e19-4fbb-9f8f-b89e2018337c"] = "IEventService",
   ["77df7a80-f298-11d0-8358-00a024c480a8"] = "dscomm",
   ["83da7c00-e84f-11d2-9807-00c04f8ec850"] = "sfcapi",
   ["bb39332c-bfee-4380-ad8a-badc8aff5bb6"] = "INtmsNotifySink",
   ["6619a740-8154-43be-a186-0319578e02db"] = "IRemoteDispatch",
   ["7c44d7d4-31d5-424c-bd5e-2b3e1f323d22"] = "dsaop",
   ["342cfd40-3c6c-11ce-a893-08002b2e9c6d"] = "llsrpc",
   ["5261574a-4572-206e-b268-6b199213b4e4"] = "AsyncEMSMDB",
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188"] = "srvsvc",
   ["674b6698-ee92-11d0-ad71-00c04fd8fdff"] = "IWbemContext unmarshaler",
   ["0d72a7d4-6148-11d1-b4aa-00c04fb66ea0"] = "ICertProtect",
   ["708cca10-9569-11d1-b2a5-0060977d8118"] = "dscomm2",
   ["214a0f28-b737-4026-b847-4f9e37d79529"] = "IVssDifferentialSoftwareSnapshotMgmt",
   ["ae1c7110-2f60-11d3-8a39-00c04f72d8e3"] = "IVssEnumObject",
   ["03837516-098b-11d8-9414-505054503030"] = "IAlertDataCollector",
   ["21546ae8-4da5-445e-987f-627fea39c5e8"] = "IWRMConfig",
   ["034634fd-ba3f-11d1-856a-00a0c944138c"] = "IManageTelnetSessions",
   ["1544f5e0-613c-11d1-93df-00c04fd7bd09"] = "exchange_rfr",
   ["4fc742e0-4a10-11cf-8273-00aa004ae673"] = "netdfs",
   ["f309ad18-d86a-11d0-a075-00c04fb68820"] = "IWbemLevel1Login",
   ["20d15747-6c48-4254-a358-65039fd8c63c"] = "IServerHealthReport2",
   ["f5cc59b4-4264-101a-8c59-08002b2f8426"] = "FrsRpc",
   ["b9785960-524f-11df-8b6d-83dcded72085"] = "ISDKey",
   ["784b693d-95f3-420b-8126-365c098659f2"] = "IOCSPAdminD",
   ["e3514235-4b06-11d1-ab04-00c04fc2dcd2"] = "drsuapi",
   ["6bffd098-a112-3610-9833-46c3f874532d"] = "dhcpsrv",
   ["e3d0d746-d2af-40fd-8a7a-0d7078bb7092"] = "BitsPeerAuth",
   ["fc910418-55ca-45ef-b264-83d4ce7d30e0"] = "IWRMRemoteSessionMgmt",
   ["833e41aa-aff7-4ac3-aac2-9f24c1457bce"] = "ISAFSession",
   ["dc12a681-737f-11cf-884d-00aa004b2e24"] = "IWbemClassObject interface",
   ["00020411-0000-0000-c000-000000000046"] = "ITypeLib2",
   ["1a927394-352e-4553-ae3f-7cf4aafca620"] = "WdsRpcInterface",
   ["0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7"] = "authzr",
   ["8d0ffe72-d252-11d0-bf8f-00c04fd9126b"] = "IKeySvc",
   ["5422fd3a-d4b8-4cef-a12e-e87d4ca22e90"] = "ICertRequestD2",
   ["f1e9c5b2-f59b-11d2-b362-00105a1f8177"] = "IWbemRemoteRefresher interface",
   ["811109bf-a4e1-11d1-ab54-00a0c91e9b45"] = "winsi2",
   ["c386ca3e-9061-4a72-821e-498d83be188f"] = "AudioRpc",
   ["69ab7050-3059-11d1-8faf-00a024cb6019"] = "INtmsObjectInfo1",
   ["a8e0653c-2744-4389-a61d-7373df8b2292"] = "FileServerVssAgent",
   ["0383750b-098b-11d8-9414-505054503030"] = "ITraceDataCollector",
   ["833e4200-aff7-4ac3-aac2-9f24c1457bce"] = "IPCHService",
   ["03837520-098b-11d8-9414-505054503030"] = "IDataCollectorSet",
   ["2f59a331-bf7d-48cb-9ec5-7c090d76e8b8"] = "lcrpc",
   ["00020412-0000-0000-c000-000000000046"] = "ITypeInfo2",
   ["8fb6d884-2388-11d0-8c35-00c04fda2795"] = "W32Time",
   ["f120a684-b926-447f-9df4-c966cb785648"] = "IRASrv",
   ["4bdafc52-fe6a-11d2-93f8-00105a11164a"] = "IVolumeClient2",
   ["c4b0c7d9-abe0-4733-a1e1-9fdedf260c7a"] = "IADProxy2",
   ["03837514-098b-11d8-9414-505054503030"] = "IConfigurationDataCollector",
   ["7d07f313-a53f-459a-bb12-012c15b1846e"] = "IRobustNtmsMediaServices1",
   ["00000131-0000-0000-c000-000000000046"] = "IRemUnknown",
   ["2f5f6520-ca46-1067-b319-00dd010662da"] = "tapsrv",
   ["00020402-0000-0000-c000-000000000046"] = "ITypeLib",
   ["c681d488-d850-11d0-8c52-00c04fd90f7e"] = "efsrpc2",
   ["897e2e5f-93f3-4376-9c9c-fd2277495c27"] = "FrsTransport",
   ["00000143-0000-0000-c000-000000000046"] = "IRemUnknown2",
   ["17fdd703-1827-4e34-79d4-24a55c53bb37"] = "msgsvc",
   ["45f52c28-7f9f-101a-b52b-08002b2efabe"] = "winspipe",
   ["66a2db1b-d706-11d0-a37b-00c04fc9da04"] = "IRemoteNetworkConfig",
   ["a359dec5-e813-4834-8a2a-ba7f1d777d76"] = "IWbemBackupRestoreEx interface",
   ["99fcfec4-5260-101b-bbcb-00aa0021347a"] = "IObjectExporter",
   ["67e08fc2-2984-4b62-b92e-fc1aae64bbbb"] = "IRemoteStringIdConfig",
   ["9a653086-174f-11d2-b5f9-00104b703efd"] = "IWbemClassObject interface",
   ["1a9134dd-7b39-45ba-ad88-44d01ca47f28"] = "RemoteRead",
   ["e33c0cc4-0482-101a-bc0c-02608c6ba218"] = "locator",
   ["deb01010-3a37-4d26-99df-e2bb6ae3ac61"] = "IVolumeClient4",
   ["3d267954-eeb7-11d1-b94e-00c04fa3080d"] = "HydraLsPipe",
   ["66a2db21-d706-11d0-a37b-00c04fc9da04"] = "IRemoteSetDnsConfig",
   ["68b58241-c259-4f03-a2e5-a2651dcbc930"] = "IKeySvc2",
   ["12345778-1234-abcd-ef00-0123456789ac"] = "samr",
   ["44aca674-e8fc-11d0-a07c-00c04fb68820"] = "IWbemContext interface",
   ["f31931a9-832d-481c-9503-887a0e6a79f0"] = "IWRMProtocol",
   ["378e52b0-c0a9-11cf-822d-00aa0051e40f"] = "sasec",
   ["29822ab8-f302-11d0-9953-00c04fd919c1"] = "IWamAdmin2",
   ["00000000-0000-0000-c000-000000000046"] = "IUnknown",
   ["3dde7c30-165d-11d1-ab8f-00805f14db40"] = "BackupKey",
   ["d61a27c6-8f53-11d0-bfa0-00a024151983"] = "CNtmsSvr",
   ["afa8bd80-7d8a-11c9-bef4-08002b102989"] = "mgmt"
}

base/protocols/dce-rpc/main.zeek

DCE_RPC
Namespace

DCE_RPC

Imports

base/frameworks/dpd, base/protocols/conn/removal-hooks.zeek, base/protocols/dce-rpc/consts.zeek

Summary
Runtime Options

DCE_RPC::ignored_operations: table &redef

These are DCE-RPC operations that are ignored, typically due to the operations being noisy and low value on most networks.

Types

DCE_RPC::BackingState: record

DCE_RPC::Info: record

DCE_RPC::State: record

Redefinitions

DPD::ignore_violations: set &redef

Log::ID: enum

connection: record

New Fields

connection

dce_rpc: DCE_RPC::Info &optional

dce_rpc_state: DCE_RPC::State &optional

dce_rpc_backing: table [count] of DCE_RPC::BackingState &optional

likely_server_ports: set &redef

Hooks

DCE_RPC::finalize_dce_rpc: Conn::RemovalHook

DCE_RPC finalization hook.

DCE_RPC::log_policy: Log::PolicyHook

Detailed Interface
Runtime Options
DCE_RPC::ignored_operations
Type

table [string] of set [string]

Attributes

&redef

Default
{
   ["spoolss"] = {
      "RpcSplOpenPrinter",
      "RpcClosePrinter"
   },
   ["wkssvc"] = {
      "NetrWkstaGetInfo"
   },
   ["winreg"] = {
      "BaseRegCloseKey",
      "BaseRegGetVersion",
      "BaseRegOpenKey",
      "BaseRegDeleteKeyEx",
      "BaseRegEnumKey",
      "OpenLocalMachine",
      "BaseRegQueryValue",
      "OpenClassesRoot"
   }
}

These are DCE-RPC operations that are ignored, typically due to the operations being noisy and low value on most networks.
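The following site script, added here as an example and not one of Zeek's own scripts, tunes both of the redefinable tables above: it extends DCE_RPC::pipe_name_to_common_uuid with the samr and lsarpc UUIDs listed in DCE_RPC::uuid_endpoint_map, and extends DCE_RPC::ignored_operations, where "EXAMPLE_NOISY_OPERATION" is a placeholder operation name, not a real one.

```zeek
# Added example (not part of Zeek's base scripts): tune the DCE_RPC tables
# from a site script such as local.zeek.

@load base/protocols/dce-rpc

# Fallback endpoint for pipes whose bind request Zeek did not observe.
# The UUIDs are the samr and lsarpc entries of DCE_RPC::uuid_endpoint_map.
redef DCE_RPC::pipe_name_to_common_uuid += {
	["samr"]   = "12345778-1234-abcd-ef00-0123456789ac",
	["lsarpc"] = "12345778-1234-abcd-ef00-0123456789ab",
};

# Suppress an additional noisy operation on the spoolss endpoint.
# "+=" on a table replaces the whole set value for a key that is already
# present, so the two default entries must be repeated here, otherwise
# RpcSplOpenPrinter and RpcClosePrinter would be logged again.
# "EXAMPLE_NOISY_OPERATION" is a placeholder, not a real operation name.
redef DCE_RPC::ignored_operations += {
	["spoolss"] = {
		"RpcSplOpenPrinter",
		"RpcClosePrinter",
		"EXAMPLE_NOISY_OPERATION",
	},
};
```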

Types
DCE_RPC::BackingState
Type

record

info: DCE_RPC::Info

state: DCE_RPC::State

DCE_RPC::Info
Type

record

ts: time &log

Timestamp for when the event happened.

uid: string &log

Unique ID for the connection.

id: conn_id &log

The connection’s 4-tuple of endpoint addresses/ports.

rtt: interval &log &optional

Round trip time from the request to the response. If either the request or response wasn’t seen, this will be null.

named_pipe: string &log &optional

Remote pipe name.

endpoint: string &log &optional

Endpoint name looked up from the uuid.

operation: string &log &optional

Operation seen in the call.

DCE_RPC::State
Type

record

uuid: string &optional

named_pipe: string &optional

ctx_to_uuid: table [count] of string &optional

Hooks
DCE_RPC::finalize_dce_rpc
Type

Conn::RemovalHook

DCE_RPC finalization hook. Remaining DCE_RPC info may get logged when it’s called.

DCE_RPC::log_policy
Type

Log::PolicyHook

base/protocols/dhcp/__load__.zeek

Imports

base/protocols/dhcp/consts.zeek, base/protocols/dhcp/main.zeek

Summary
Detailed Interface

base/protocols/dhcp/consts.zeek

DHCP

Types, errors, and fields for analyzing DHCP data. A helper file for DHCP analysis scripts.

Namespace

DHCP

Summary
Constants

DHCP::message_types: table &default = function

Types of DHCP messages.

DHCP::option_types: table &default = function

Option types mapped to their names.

Detailed Interface
Constants
DHCP::message_types
Type

table [count] of string

Attributes

&default = function

Default
{
   [2] = "OFFER",
   [14] = "BULKLEASEQUERY",
   [6] = "NAK",
   [15] = "LEASEQUERYDONE",
   [16] = "ACTIVELEASEQUERY",
   [8] = "INFORM",
   [9] = "FORCERENEW",
   [1] = "DISCOVER",
   [11] = "LEASEUNASSIGNED",
   [7] = "RELEASE",
   [5] = "ACK",
   [10] = "LEASEQUERY",
   [4] = "DECLINE",
   [12] = "LEASEUNKNOWN",
   [13] = "LEASEACTIVE",
   [18] = "TLS",
   [3] = "REQUEST",
   [17] = "LEASEQUERYSTATUS"
}

Types of DHCP messages. See RFC 1533, RFC 3203, RFC 4388, RFC 6926, and RFC 7724.

DHCP::option_types
Type

table [count] of string

Attributes

&default = function

Default
{
   [39] = "Keepalive Data",
   [73] = "Finger-Server",
   [46] = "NETBIOS Node Type",
   [28] = "Broadcast Address",
   [212] = "OPTION_6RD",
   [9] = "LPR Server",
   [68] = "Home-Agent-Addrs",
   [53] = "DHCP Msg Type",
   [71] = "NNTP-Server",
   [52] = "Overload",
   [41] = "NIS Servers",
   [17] = "Root Path",
   [119] = "Domain Search",
   [81] = "Client FQDN",
   [88] = "BCMCS Controller Domain Name list",
   [29] = "Mask Discovery",
   [133] = "IEEE 802.1D/p Layer 2 Priority",
   [176] = "IP Telephone (Tentatively Assigned - 2005-06-23)",
   [213] = "OPTION_V4_ACCESS_DOMAIN",
   [54] = "DHCP Server Id",
   [95] = "LDAP",
   [90] = "Authentication",
   [252] = "auto-proxy-config",
   [146] = "RDNSS Selection",
   [86] = "NDS Tree Name",
   [1] = "Subnet Mask",
   [116] = "Auto-Config",
   [158] = "OPTION_V4_PCP_SERVER",
   [35] = "ARP Timeout",
   [135] = "HTTP Proxy for phone-specific applications",
   [3] = "Router",
   [114] = "URL",
   [140] = "OPTION-IPv4_FQDN-MoS",
   [44] = "NETBIOS Name Srv",
   [129] = "PXE - undefined (vendor specific)",
   [34] = "Trailers",
   [45] = "NETBIOS Dist Srv",
   [14] = "Merit Dump File",
   [31] = "Router Discovery",
   [82] = "Relay Agent Information",
   [56] = "DHCP Message",
   [7] = "Log Server",
   [66] = "Server-Name",
   [26] = "MTU Interface",
   [128] = "PXE - undefined (vendor specific)",
   [175] = "Etherboot (Tentatively Assigned - 2005-06-23)",
   [47] = "NETBIOS Scope",
   [70] = "POP3-Server",
   [93] = "Client System",
   [2] = "Time Offset",
   [132] = "IEEE 802.1Q VLAN ID",
   [72] = "WWW-Server",
   [24] = "MTU Timeout",
   [69] = "SMTP-Server",
   [99] = "GEOCONF_CIVIC",
   [161] = "OPTION_MUD_URL_V4 (TEMPORARY - registered 2016-11-17)",
   [61] = "Client Id",
   [60] = "Class Id",
   [51] = "Address Time",
   [37] = "Default TCP TTL",
   [18] = "Extension File",
   [157] = "data-source",
   [0] = "Pad",
   [220] = "Subnet Allocation Option",
   [137] = "OPTION_V4_LOST",
   [94] = "Client NDI",
   [19] = "Forward On/Off",
   [20] = "SrcRte On/Off",
   [33] = "Static Route",
   [75] = "StreetTalk-Server",
   [67] = "Bootfile-Name",
   [30] = "Mask Supplier",
   [15] = "Domain Name",
   [77] = "User-Class",
   [64] = "NIS-Domain-Name",
   [211] = "Reboot Time",
   [91] = "client-last-transaction-time option",
   [156] = "dhcp-state",
   [177] = "PacketCable and CableHome (replaced by 122)",
   [97] = "UUID/GUID",
   [55] = "Parameter List",
   [21] = "Policy Filter",
   [221] = "Virtual Subnet Selection (VSS) Option",
   [4] = "Time Server",
   [124] = "V-I Vendor Class",
   [130] = "PXE - undefined (vendor specific)",
   [12] = "Hostname",
   [155] = "query-end-time",
   [58] = "Renewal Time",
   [134] = "Diffserv Code Point (DSCP) for VoIP signalling and media streams",
   [80] = "Rapid Commit",
   [150] = "TFTP server address",
   [76] = "STDA-Server",
   [25] = "MTU Plateau",
   [142] = "OPTION-IPv4_Address-ANDSF",
   [16] = "Swap Server",
   [255] = "End",
   [59] = "Rebinding Time",
   [210] = "Path Prefix",
   [38] = "Keepalive Time",
   [154] = "query-start-time",
   [63] = "NetWare/IP Option",
   [42] = "NTP Servers",
   [57] = "DHCP Max Msg Size",
   [78] = "Directory Agent",
   [98] = "User-Auth",
   [113] = "Netinfo Tag",
   [11] = "RLP Server",
   [22] = "Max DG Assembly",
   [43] = "Vendor Specific",
   [136] = "OPTION_PANA_AGENT",
   [144] = "GeoLoc",
   [40] = "NIS Domain",
   [151] = "status-code",
   [208] = "PXELINUX Magic",
   [36] = "Ethernet",
   [6] = "Domain Server",
   [141] = "SIP UA Configuration Service Domains",
   [125] = "V-I Vendor-Specific Information",
   [8] = "Quotes Server",
   [23] = "Default IP TTL",
   [27] = "MTU Subnet",
   [145] = "FORCERENEW_NONCE_CAPABLE",
   [83] = "iSNS",
   [122] = "CCC",
   [159] = "OPTION_V4_PORTPARAMS",
   [92] = "associated-ip option",
   [10] = "Impress Server",
   [65] = "NIS-Server-Addr",
   [13] = "Boot File Size",
   [32] = "Router Request",
   [74] = "IRC-Server",
   [62] = "NetWare/IP Domain",
   [101] = "TCode",
   [89] = "BCMCS Controller IPv4 address option",
   [118] = "Subnet Selection Option",
   [138] = "OPTION_CAPWAP_AC_V4",
   [160] = "DHCP Captive-Portal",
   [139] = "OPTION-IPv4_Address-MoS",
   [120] = "SIP Servers DHCP Option",
   [152] = "base-time",
   [50] = "Address Request",
   [79] = "Service Scope",
   [121] = "Classless Static Route Option",
   [48] = "X Window Font",
   [85] = "NDS Servers",
   [49] = "X Window Manager",
   [209] = "Configuration File",
   [112] = "Netinfo Address",
   [5] = "Name Server",
   [100] = "PCode",
   [117] = "Name Service Search",
   [123] = "GeoConf Option",
   [131] = "PXE - undefined (vendor specific)",
   [87] = "NDS Context",
   [153] = "start-time-of-state"
}

Option types mapped to their names.

base/protocols/dhcp/main.zeek

DHCP

Analyze DHCP traffic and provide a log that is organized around the idea of a DHCP “conversation” defined by messages exchanged within a relatively short period of time using the same transaction ID. The log will have information from clients and servers to give a more complete picture of what happened.

Namespace

DHCP

Imports

base/frameworks/cluster, base/protocols/dhcp/consts.zeek

Summary
Runtime Options

DHCP::max_txid_watch_time: interval &redef

The maximum amount of time that a transaction ID will be watched in order to tie messages together into a single DHCP transaction narrative.

State Variables

DHCP::log_info: DHCP::Info

This is a global variable that is only to be used in the DHCP::aggregate_msgs event.

Types

DHCP::Info: record

The record type which contains the column fields of the DHCP log.

Redefinitions

DHCP::Info: record

New Fields

DHCP::Info

last_message_ts: time &optional

Log::ID: enum

connection: record

New Fields

connection

dhcp: DHCP::Info &optional

likely_server_ports: set &redef

Events

DHCP::aggregate_msgs: event

This event is used internally to distribute data around clusters since DHCP doesn’t follow the normal “connection” model used by most protocols.

DHCP::log_dhcp: event

Event that can be handled to access the DHCP record as it is sent on to the logging framework.

Hooks

DHCP::log_policy: Log::PolicyHook

Detailed Interface
Runtime Options
DHCP::max_txid_watch_time
Type

interval

Attributes

&redef

Default

30.0 secs

The maximum amount of time that a transaction ID will be watched in order to tie messages together into a single DHCP transaction narrative.

State Variables
DHCP::log_info
Type

DHCP::Info

Default
{
   ts=<uninitialized>
   uids={

   }
   client_addr=<uninitialized>
   server_addr=<uninitialized>
   client_port=<uninitialized>
   server_port=<uninitialized>
   mac=<uninitialized>
   host_name=<uninitialized>
   client_fqdn=<uninitialized>
   domain=<uninitialized>
   requested_addr=<uninitialized>
   assigned_addr=<uninitialized>
   lease_time=<uninitialized>
   client_message=<uninitialized>
   server_message=<uninitialized>
   msg_types=[]
   duration=0 secs
   client_chaddr=<uninitialized>
   last_message_ts=<uninitialized>
   msg_orig=[]
   client_software=<uninitialized>
   server_software=<uninitialized>
   circuit_id=<uninitialized>
   agent_remote_id=<uninitialized>
   subscriber_id=<uninitialized>
}

This is a global variable that is only to be used in the DHCP::aggregate_msgs event. It can be used to avoid looking up the info record for a transaction ID in every event handler for DHCP::aggregate_msgs.

Types
DHCP::Info
Type

record

ts: time &log

The earliest time at which a DHCP message over the associated connection is observed.

uids: set [string] &log

A series of unique identifiers of the connections over which DHCP is occurring. This behavior with multiple connections is unique to DHCP because of the way it uses broadcast packets on local networks.

client_addr: addr &log &optional

IP address of the client. If a transaction is only a client sending INFORM messages then there is no lease information exchanged so this is helpful to know who sent the messages. Getting an address in this field does require that the client sources at least one DHCP message using a non-broadcast address.

server_addr: addr &log &optional

IP address of the server involved in actually handing out the lease. There could be other servers replying with OFFER messages which won’t be represented here. Getting an address in this field also requires that the server handing out the lease also sources packets from a non-broadcast IP address.

client_port: port &optional

Client port number seen at time of server handing out IP (expected as 68/udp).

server_port: port &optional

Server port number seen at time of server handing out IP (expected as 67/udp).

mac: string &log &optional

Client’s hardware address.

host_name: string &log &optional

Name given by client in Hostname option 12.

client_fqdn: string &log &optional

FQDN given by client in Client FQDN option 81.

domain: string &log &optional

Domain given by the server in option 15.

requested_addr: addr &log &optional

IP address requested by the client.

assigned_addr: addr &log &optional

IP address assigned by the server.

lease_time: interval &log &optional

IP address lease interval.

client_message: string &log &optional

Message that typically accompanies a DHCP_DECLINE so the client can tell the server why it rejected an address.

server_message: string &log &optional

Message that typically accompanies a DHCP_NAK to let the client know why the server rejected the request.

msg_types: vector of string &log &default = [] &optional

The DHCP message types seen by this DHCP transaction.

duration: interval &log &default = 0 secs &optional

Duration of the DHCP “session” representing the time from the first message to the last.

client_chaddr: string &optional

The CHADDR field sent by the client.

last_message_ts: time &optional

msg_orig: vector of addr &log &default = [] &optional

(present if policy/protocols/dhcp/msg-orig.zeek is loaded)

The address that originated each message from the msg_types field.

client_software: string &log &optional

(present if policy/protocols/dhcp/software.zeek is loaded)

Software reported by the client in the vendor_class option.

server_software: string &log &optional

(present if policy/protocols/dhcp/software.zeek is loaded)

Software reported by the server in the vendor_class option.

circuit_id: string &log &optional

(present if policy/protocols/dhcp/sub-opts.zeek is loaded)

Added by DHCP relay agents which terminate switched or permanent circuits. It encodes an agent-local identifier of the circuit from which a DHCP client-to-server packet was received. Typically it should represent a router or switch interface number.

agent_remote_id: string &log &optional

(present if policy/protocols/dhcp/sub-opts.zeek is loaded)

A globally unique identifier added by relay agents to identify the remote host end of the circuit.

subscriber_id: string &log &optional

(present if policy/protocols/dhcp/sub-opts.zeek is loaded)

The subscriber ID is a value independent of the physical network configuration so that a customer’s DHCP configuration can be given to them correctly no matter where they are physically connected.

The record type which contains the column fields of the DHCP log.

Events
DHCP::aggregate_msgs
Type

event (ts: time, id: conn_id, uid: string, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)

This event is used internally to distribute data around clusters since DHCP doesn’t follow the normal “connection” model used by most protocols. It can also be handled to extend the DHCP log; see DHCP::log_info.
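As an added example (not part of Zeek's base or policy scripts) of extending the DHCP log through DHCP::aggregate_msgs and DHCP::log_info, the script below records the client's Parameter Request List (option 55) per transaction, the same pattern policy/protocols/dhcp/msg-orig.zeek uses for msg_orig. It assumes the DHCP::Options$param_list field (an index_vec) from Zeek's base types, which this page does not document, and the field name client_param_list is constructed.

```zeek
# Added example (not part of Zeek's scripts): log the client's option 55
# parameter request list in dhcp.log.  Assumes DHCP::Options$param_list
# (index_vec) from Zeek's base types; that field is not on this page.

@load base/protocols/dhcp

module DHCP;

export {
	redef record DHCP::Info += {
		## Option 55 parameter request list sent by the client, recorded
		## once per transaction (constructed field name).
		client_param_list: vector of count &log &optional;
	};
}

# Priority 3 runs after the base handler (priority 5) has pointed
# DHCP::log_info at the Info record for this transaction ID, and before
# the priority -5 handler that stores last_message_ts.  In a cluster this
# event is raised where the base script aggregates DHCP messages, so
# log_info is valid here without a lookup by transaction ID.
event DHCP::aggregate_msgs(ts: time, id: conn_id, uid: string, is_orig: bool,
                           msg: DHCP::Msg, options: DHCP::Options) &priority=3
	{
	# Only client-originated messages carry option 55.
	if ( ! is_orig )
		return;

	if ( ! options?$param_list )
		return;

	# DISCOVER and REQUEST both carry the list; keep the first one seen so
	# each transaction logs a single value.
	if ( log_info?$client_param_list )
		return;

	log_info$client_param_list = copy(options$param_list);
	}
```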

DHCP::log_dhcp
Type

event (rec: DHCP::Info)

Event that can be handled to access the DHCP record as it is sent on to the logging framework.

Hooks
DHCP::log_policy
Type

Log::PolicyHook

base/protocols/dnp3/__load__.zeek

Imports

base/protocols/dnp3/main.zeek

Summary
Detailed Interface

base/protocols/dnp3/main.zeek

DNP3

A very basic DNP3 analysis script that just logs requests and replies.

Namespace

DNP3

Imports

base/protocols/conn/removal-hooks.zeek, base/protocols/dnp3/consts.zeek

Summary
Types

DNP3::Info: record

Redefinitions

Log::ID: enum

connection: record

New Fields

connection

dnp3: DNP3::Info &optional

likely_server_ports: set &redef

Events

DNP3::log_dnp3: event

Event that can be handled to access the DNP3 record as it is sent on to the logging framework.

Hooks

DNP3::finalize_dnp3: Conn::RemovalHook

DNP3 finalization hook.

DNP3::log_policy: Log::PolicyHook

Detailed Interface
Types
DNP3::Info
Type

record

ts: time &log

Time of the request.

uid: string &log

Unique identifier for the connection.

id: conn_id &log

Identifier for the connection.

fc_request: string &log &optional

The name of the function message in the request.

fc_reply: string &log &optional

The name of the function message in the reply.

iin: count &log &optional

The response’s “internal indication number”.

Events
DNP3::log_dnp3
Type

event (rec: DNP3::Info)

Event that can be handled to access the DNP3 record as it is sent on to the logging framework.

Hooks
DNP3::finalize_dnp3
Type

Conn::RemovalHook

DNP3 finalization hook. Remaining DNP3 info may get logged when it’s called.

DNP3::log_policy
Type

Log::PolicyHook

base/protocols/dnp3/consts.zeek

DNP3
Namespace

DNP3

Summary
Redefinable Options

DNP3::function_codes: table &default = function &redef

Standard defined Modbus function codes.

Detailed Interface
Redefinable Options
DNP3::function_codes
Type

table [count] of string

Attributes

&default = function &redef

Default
{
   [19] = "SAVE_CONFIG",
   [20] = "ENABLE_UNSOLICITED",
   [33] = "AUTHENTICATE_REQ_NR",
   [14] = "WARM_RESTART",
   [15] = "INITIALIZE_DATA",
   [6] = "DIRECT_OPERATE_NR",
   [30] = "ABORT_FILE",
   [31] = "ACTIVATE_CONFIG",
   [28] = "GET_FILE_INFO",
   [23] = "DELAY_MEASURE",
   [8] = "IMMED_FREEZE_NR",
   [27] = "DELETE_FILE",
   [9] = "FREEZE_CLEAR",
   [7] = "IMMED_FREEZE",
   [10] = "FREEZE_CLEAR_NR",
   [21] = "DISABLE_UNSOLICITED",
   [4] = "OPERATE",
   [26] = "CLOSE_FILE",
   [13] = "COLD_RESTART",
   [12] = "FREEZE_AT_TIME_NR",
   [32] = "AUTHENTICATE_REQ",
   [130] = "UNSOLICITED_RESPONSE",
   [17] = "START_APPL",
   [25] = "OPEN_FILE",
   [2] = "WRITE",
   [29] = "AUTHENTICATE_FILE",
   [16] = "INITIALIZE_APPL",
   [24] = "RECORD_CURRENT_TIME",
   [1] = "READ",
   [11] = "FREEZE_AT_TIME",
   [5] = "DIRECT_OPERATE",
   [22] = "ASSIGN_CLASS",
   [18] = "STOP_APPL",
   [3] = "SELECT",
   [0] = "CONFIRM",
   [131] = "AUTHENTICATE_RESP",
   [129] = "RESPONSE"
}

Standard defined Modbus function codes.

base/protocols/dns/__load__.zeek

Imports

base/protocols/dns/consts.zeek, base/protocols/dns/main.zeek

Summary
Detailed Interface

base/protocols/dns/consts.zeek

DNS

Types, errors, and fields for analyzing DNS data. A helper file for DNS analysis scripts.

Namespace

DNS

Summary
Constants

DNS::ANY: count

A QTYPE value describing a request for all records.

DNS::EDNS: count

An OPT RR TYPE value described by EDNS.

DNS::PTR: count

RR TYPE value for a domain name pointer.

DNS::algorithms: table &default = function

Possible values of the algorithms used in DNSKEY, DS and RRSIG records

DNS::base_errors: table &default = function

Errors used for non-TSIG/EDNS types.

DNS::classes: table &default = function

Possible values of the CLASS field in resource records or QCLASS field in query messages.

DNS::digests: table &default = function

Possible digest types used in DNSSEC.

DNS::edns_zfield: table &default = "?"

This deciphers EDNS Z field values.

DNS::query_types: table &default = function

Mapping of DNS query type codes to human readable string representation.

DNS::svcparam_keys: table &default = function

SVCB/HTTPS SvcParam keys, as defined in https://www.ietf.org/archive/id/draft-ietf-dnsop-svcb-https-07.txt, sec 14.3.2

Detailed Interface
Constants
DNS::ANY
Type

count

Default

255

A QTYPE value describing a request for all records.

DNS::EDNS
Type

count

Default

41

An OPT RR TYPE value described by EDNS.

DNS::PTR
Type

count

Default

12

RR TYPE value for a domain name pointer.

DNS::algorithms
Type

table [count] of string

Attributes

&default = function

Default
{
   [254] = "PrivateOID",
   [2] = "Diffie_Hellman",
   [15] = "Ed25519",
   [6] = "DSA_NSEC3_SHA1",
   [14] = "ECDSA_curveP384withSHA384",
   [16] = "Ed448",
   [255] = "reserved255",
   [8] = "RSA_SHA256",
   [252] = "Indirect",
   [253] = "PrivateDNS",
   [1] = "RSA_MD5",
   [5] = "RSA_SHA1",
   [7] = "RSA_SHA1_NSEC3_SHA1",
   [10] = "RSA_SHA512",
   [4] = "Elliptic_Curve",
   [12] = "GOST_R_34_10_2001",
   [13] = "ECDSA_curveP256withSHA256",
   [3] = "DSA_SHA1",
   [0] = "reserved0"
}

Possible values of the algorithms used in DNSKEY, DS and RRSIG records

DNS::base_errors
Type

table [count] of string

Attributes

&default = function

Default
{
   [19] = "BADMODE",
   [3842] = "BADSIG",
   [20] = "BADNAME",
   [2] = "SERVFAIL",
   [14] = "unassigned-14",
   [15] = "unassigned-15",
   [6] = "YXDOMAIN",
   [16] = "BADVERS",
   [8] = "NXRRSet",
   [23] = "BADCOOKIE",
   [9] = "NOTAUTH",
   [1] = "FORMERR",
   [11] = "unassigned-11",
   [7] = "YXRRSET",
   [5] = "REFUSED",
   [10] = "NOTZONE",
   [21] = "BADALG",
   [4] = "NOTIMP",
   [22] = "BADTRUNC",
   [13] = "unassigned-13",
   [12] = "unassigned-12",
   [18] = "BADTIME",
   [17] = "BADKEY",
   [3] = "NXDOMAIN",
   [0] = "NOERROR"
}

Errors used for non-TSIG/EDNS types.

DNS::classes
Type

table [count] of string

Attributes

&default = function

Default
{
   [254] = "C_NONE",
   [2] = "C_CSNET",
   [3] = "C_CHAOS",
   [255] = "C_ANY",
   [4] = "C_HESIOD",
   [1] = "C_INTERNET"
}

Possible values of the CLASS field in resource records or QCLASS field in query messages.

DNS::digests
Type

table [count] of string

Attributes

&default = function

Default
{
   [0] = "reserved0",
   [2] = "SHA256",
   [4] = "SHA384",
   [1] = "SHA1",
   [3] = "GOST_R_34_11_94"
}

Possible digest types used in DNSSEC.

DNS::edns_zfield
Type

table [count] of string

Attributes

&default = "?"

Default
{
   [0] = "NOVALUE",
   [32768] = "DNS_SEC_OK"
}

This deciphers EDNS Z field values.

DNS::query_types
Type

table [count] of string

Attributes

&default = function

Default
{
   [19] = "X25",
   [20] = "ISDN",
   [33] = "SRV",
   [39] = "DNAME",
   [30] = "NXT",
   [46] = "RRSIG",
   [15] = "MX",
   [65422] = "XPF",
   [28] = "AAAA",
   [64] = "SVCB",
   [106] = "L64",
   [9] = "MR",
   [253] = "MAILB",
   [107] = "LP",
   [53] = "SMIMEA",
   [55] = "HIP",
   [52] = "TLSA",
   [251] = "IXFR",
   [21] = "RT",
   [4] = "MF",
   [12] = "PTR",
   [41] = "OPT",
   [58] = "TALINK",
   [17] = "RP",
   [105] = "L32",
   [254] = "MAILA",
   [32768] = "TA",
   [25] = "KEY",
   [32769] = "DLV",
   [65281] = "WINS",
   [29] = "LOC",
   [16] = "TXT",
   [255] = "*",
   [59] = "CDS",
   [38] = "A6",
   [252] = "AXFR",
   [63] = "ZONEMD",
   [42] = "APL",
   [57] = "RKEY",
   [1] = "A",
   [11] = "WKS",
   [35] = "NAPTR",
   [108] = "EUI48",
   [22] = "NSAP",
   [256] = "URI",
   [43] = "DS",
   [102] = "GID",
   [257] = "CAA",
   [65521] = "INTEGRITY",
   [3] = "MD",
   [44] = "SSHFP",
   [34] = "ATMA",
   [45] = "IPSECKEY",
   [40] = "SINK",
   [36] = "KX",
   [250] = "TSIG",
   [14] = "MINFO",
   [6] = "SOA",
   [31] = "EID",
   [23] = "NSAP-PTR",
   [8] = "MG",
   [27] = "GPOS",
   [56] = "NINFO",
   [7] = "MB",
   [10] = "NULL",
   [32] = "NIMLOC",
   [13] = "HINFO",
   [26] = "PX",
   [65] = "HTTPS",
   [62] = "CSYNC",
   [101] = "UID",
   [47] = "NSEC",
   [50] = "NSEC3",
   [2] = "NS",
   [65282] = "WINS-R",
   [48] = "DNSKEY",
   [24] = "SIG",
   [99] = "SPF",
   [49] = "DHCID",
   [109] = "EUI64",
   [249] = "TKEY",
   [103] = "UNSPEC",
   [5] = "CNAME",
   [104] = "NID",
   [61] = "OPENPGPKEY",
   [60] = "CDNSKEY",
   [100] = "UINFO",
   [51] = "NSEC3PARAM",
   [37] = "CERT",
   [18] = "AFSDB"
}

Mapping of DNS query type codes to human readable string representation.

DNS::svcparam_keys
Type

table [count] of string

Attributes

&default = function

Default
{
   [2] = "no-default-alpn",
   [3] = "port",
   [5] = "ech",
   [0] = "mandatory",
   [6] = "ipv6hint",
   [4] = "ipv4hint",
   [1] = "alpn"
}

SVCB/HTTPS SvcParam keys, as defined in https://www.ietf.org/archive/id/draft-ietf-dnsop-svcb-https-07.txt, sec 14.3.2

base/protocols/dns/main.zeek

DNS

Base DNS analysis script which tracks and logs DNS queries along with their responses.

Namespace

DNS

Imports

base/protocols/conn/removal-hooks.zeek, base/protocols/dns/consts.zeek, base/utils/queue.zeek

Summary
Runtime Options

DNS::max_pending_msgs: count &redef

Give up trying to match pending DNS queries or replies for a given query/transaction ID once this number of unmatched queries or replies is reached (this shouldn’t happen unless either the DNS server/resolver is broken, Zeek is not seeing all the DNS traffic, or an AXFR query response is ongoing).

DNS::max_pending_query_ids: count &redef

Give up trying to match pending DNS queries or replies across all query/transaction IDs once there is at least one unmatched query or reply across this number of different query IDs.

Types

DNS::Info: record

The record type which contains the column fields of the DNS log.

DNS::PendingMessages: table

Yields a queue of DNS::Info objects for a given DNS message query/transaction ID.

DNS::State: record

A record type which tracks the status of DNS queries for a given connection.

Redefinitions

Log::ID: enum

The DNS logging stream identifier.

connection: record

New Fields

connection

dns: DNS::Info &optional

dns_state: DNS::State &optional

likely_server_ports: set &redef

Events

DNS::log_dns: event

An event that can be handled to access the DNS::Info record as it is sent to the logging framework.

Hooks

DNS::do_reply: hook

This is called by the specific dns_*_reply events with a “reply” which may not represent the full data available from the resource record, but it’s generally considered a summarization of the responses.

DNS::finalize_dns: Conn::RemovalHook

DNS finalization hook.

DNS::log_policy: Log::PolicyHook

A default logging policy hook for the stream.

DNS::set_session: hook

A hook that is called whenever a session is being set.

Detailed Interface
Runtime Options
DNS::max_pending_msgs
Type

count

Attributes

&redef

Default

50

Give up trying to match pending DNS queries or replies for a given query/transaction ID once this number of unmatched queries or replies is reached (this shouldn’t happen unless either the DNS server/resolver is broken, Zeek is not seeing all the DNS traffic, or an AXFR query response is ongoing).

DNS::max_pending_query_ids
Type

count

Attributes

&redef

Default

50

Give up trying to match pending DNS queries or replies across all query/transaction IDs once there is at least one unmatched query or reply across this number of different query IDs.

Types
DNS::Info
Type

record

ts: time &log

The earliest time at which a DNS protocol message over the associated connection is observed.

uid: string &log

A unique identifier of the connection over which DNS messages are being transferred.

id: conn_id &log

The connection’s 4-tuple of endpoint addresses/ports.

proto: transport_proto &log

The transport layer protocol of the connection.

trans_id: count &log &optional

A 16-bit identifier assigned by the program that generated the DNS query. Also used in responses to match up replies to outstanding queries.

rtt: interval &log &optional

Round trip time for the query and response. This is the delay between when the request was seen and when the answer started.

query: string &log &optional

The domain name that is the subject of the DNS query.

qclass: count &log &optional

The QCLASS value specifying the class of the query.

qclass_name: string &log &optional

A descriptive name for the class of the query.

qtype: count &log &optional

A QTYPE value specifying the type of the query.

qtype_name: string &log &optional

A descriptive name for the type of the query.

rcode: count &log &optional

The response code value in DNS response messages.

rcode_name: string &log &optional

A descriptive name for the response code value.

AA: bool &log &default = F &optional

The Authoritative Answer bit for response messages specifies that the responding name server is an authority for the domain name in the question section.

TC: bool &log &default = F &optional

The Truncation bit specifies that the message was truncated.

RD: bool &log &default = F &optional

The Recursion Desired bit in a request message indicates that the client wants recursive service for this query.

RA: bool &log &default = F &optional

The Recursion Available bit in a response message indicates that the name server supports recursive queries.

Z: count &log &default = 0 &optional

A reserved field that is usually zero in queries and responses.

answers: vector of string &log &optional

The set of resource descriptions in the query answer.

TTLs: vector of interval &log &optional

The caching intervals of the associated RRs described by the answers field.

rejected: bool &log &default = F &optional

The DNS query was rejected by the server.

total_answers: count &optional

The total number of resource records in a reply message’s answer section.

total_replies: count &optional

The total number of resource records in a reply message’s answer, authority, and additional sections.

saw_query: bool &default = F &optional

Whether the full DNS query has been seen.

saw_reply: bool &default = F &optional

Whether the full DNS reply has been seen.

auth: set [string] &log &optional

(present if policy/protocols/dns/auth-addl.zeek is loaded)

Authoritative responses for the query.

addl: set [string] &log &optional

(present if policy/protocols/dns/auth-addl.zeek is loaded)

Additional responses for the query.

original_query: string &log &optional

(present if policy/protocols/dns/log-original-query-case.zeek is loaded)

Query with original letter casing

The record type which contains the column fields of the DNS log.

DNS::PendingMessages
Type

table [count] of Queue::Queue

Yields a queue of DNS::Info objects for a given DNS message query/transaction ID.

DNS::State
Type

record

pending_query: DNS::Info &optional

A single query that hasn’t been matched with a response yet. Note this is maintained separately from the pending_queries field solely for performance reasons – it’s possible that pending_queries contains further queries for which a response has not yet been seen, even for the same transaction ID.

pending_queries: DNS::PendingMessages &optional

Indexed by query id, returns Info record corresponding to queries that haven’t been matched with a response yet.

pending_replies: DNS::PendingMessages &optional

Indexed by query id, returns Info record corresponding to replies that haven’t been matched with a query yet.

A record type which tracks the status of DNS queries for a given connection.

Events
DNS::log_dns
Type

event (rec: DNS::Info)

An event that can be handled to access the DNS::Info record as it is sent to the logging framework.

Hooks
DNS::do_reply
Type

hook (c: connection, msg: dns_msg, ans: dns_answer, reply: string) : bool

This is called by the specific dns_*_reply events with a “reply” which may not represent the full data available from the resource record, but it’s generally considered a summarization of the responses.

c

The connection record for which to fill in DNS reply data.

msg

The DNS message header information for the response.

ans

The general information of a RR response.

reply

The specific response information according to RR type/class.

DNS::finalize_dns
Type

Conn::RemovalHook

DNS finalization hook. Remaining DNS info may get logged when it’s called.

DNS::log_policy
Type

Log::PolicyHook

A default logging policy hook for the stream.

DNS::set_session
Type

hook (c: connection, msg: dns_msg, is_query: bool) : bool

A hook that is called whenever a session is being set. This can be used if additional initialization logic needs to happen when creating a new session value.

c

The connection involved in the new session.

msg

The DNS message header information.

is_query

Indicator for if this is being called for a query or a response.
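
The following site script is an added example of using the DNS::Info fields, the DNS::log_policy hook and the DNS::log_dns event described above; it is not part of Zeek’s base scripts. The module name, the notice types, the thresholds and the RFC 1918 reverse-zone pattern are assumptions chosen for illustration. It vetoes noisy PTR lookups for private address space before they reach dns.log, and raises notices for unusually long query names and for clients that accumulate many NXDOMAIN replies, two cheap indicators of DNS tunnelling or DGA activity.

```zeek
##! Added example (not part of Zeek's base scripts): site-local DNS
##! filtering and detection built on DNS::Info, DNS::log_policy and
##! DNS::log_dns. Module name and thresholds are assumptions.

@load base/frameworks/notice
@load base/protocols/dns

module DNSExample;

export {
	redef enum Notice::Type += {
		## One client received many NXDOMAIN replies in a short window.
		NXDOMAIN_Burst,
		## A query name long enough to suggest data carried in its labels.
		Long_Query_Name,
	};

	## Assumed thresholds; tune them for your network.
	const nxdomain_threshold = 50 &redef;
	const nxdomain_window = 5 min &redef;
	const max_query_len = 100 &redef;
}

# Reverse-lookup zones for RFC 1918 space as they appear in rec$query
# (labels are reversed: 10.1.2.3 becomes 3.2.1.10.in-addr.arpa).
const rfc1918_reverse = /\.10\.in-addr\.arpa|\.168\.192\.in-addr\.arpa|\.(1[6-9]|2[0-9]|3[01])\.172\.in-addr\.arpa/;

# Per-client NXDOMAIN counter; an entry is dropped nxdomain_window after
# it was created, which gives a simple fixed window without SumStats.
global nxdomain_counts: table[addr] of count &default=0 &create_expire=nxdomain_window;

# A Log::PolicyHook runs for every record about to be written to the DNS
# stream; `break` vetoes that single write. Here it drops PTR lookups for
# private address space, which are high-volume and rarely useful in dns.log.
hook DNS::log_policy(rec: DNS::Info, id: Log::ID, filter: Log::Filter)
	{
	if ( rec?$qtype && rec$qtype == DNS::PTR && rec?$query &&
	     rfc1918_reverse in rec$query )
		break;
	}

# DNS::log_dns fires with the finished DNS::Info record, i.e. after the
# query and reply have been matched (or the pending-message limits gave up).
event DNS::log_dns(rec: DNS::Info)
	{
	if ( ! rec?$query )
		return;

	# Label-stuffed names are a common sign of data moved over DNS.
	if ( |rec$query| > max_query_len )
		NOTICE([$note=Long_Query_Name,
		        $msg=fmt("DNS query name of %d bytes", |rec$query|),
		        $sub=rec$query,
		        $id=rec$id, $uid=rec$uid,
		        $identifier=cat(rec$id$orig_h, rec$query)]);

	# rcode 3 is NXDOMAIN in DNS::base_errors. rcode is only present once
	# a reply was seen, so unanswered queries are not counted here.
	if ( rec?$rcode && rec$rcode == 3 )
		{
		local client = rec$id$orig_h;
		nxdomain_counts[client] += 1;

		if ( nxdomain_counts[client] == nxdomain_threshold )
			NOTICE([$note=NXDOMAIN_Burst,
			        $msg=fmt("%s got %d NXDOMAIN replies within %s",
			                 client, nxdomain_threshold, nxdomain_window),
			        $id=rec$id, $uid=rec$uid,
			        $identifier=cat(client),
			        $suppress_for=nxdomain_window]);
		}
	}
```

Load it from local.zeek (or pass it on the command line) and the notices appear in notice.log while the vetoed PTR records never reach dns.log. Because the log_policy veto happens per write, it does not affect the DNS::State matching or the DNS::log_dns event, which still fires for the dropped records.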

base/protocols/ftp/__load__.zeek

Imports

base/protocols/ftp/files.zeek, base/protocols/ftp/gridftp.zeek, base/protocols/ftp/info.zeek, base/protocols/ftp/main.zeek, base/protocols/ftp/utils-commands.zeek, base/protocols/ftp/utils.zeek

Summary
Detailed Interface

base/protocols/ftp/utils-commands.zeek

FTP
Namespace

FTP

Summary
Runtime Options

FTP::cmd_reply_code: set &redef

Possible response codes for a wide variety of FTP commands.

Types

FTP::CmdArg: record

FTP::PendingCmds: table

Structure for tracking pending commands in the event that the client sends a large number of commands before the server has a chance to reply.

Detailed Interface
Runtime Options
FTP::cmd_reply_code
Type

set [string, count]

Attributes

&redef

Default
{
   ["ABOR", 226] ,
   ["REIN", 120] ,
   ["STOU", 553] ,
   ["MLSD", 150] ,
   ["RNTO", 503] ,
   ["CDUP", 530] ,
   ["CDUP", 501] ,
   ["APPE", 425] ,
   ["SYST", 530] ,
   ["PORT", 421] ,
   ["TYPE", 501] ,
   ["LIST", 125] ,
   ["RNTO", 530] ,
   ["PWD", 501] ,
   ["STOR", 125] ,
   ["CDUP", 200] ,
   ["MLSD", 250] ,
   ["SITE", 500] ,
   ["CWD", 550] ,
   ["CDUP", 550] ,
   ["QUIT", 500] ,
   ["MKD", 257] ,
   ["ALLO", 500] ,
   ["LIST", 425] ,
   ["CLNT", 200] ,
   ["<init>", 0] ,
   ["ABOR", 501] ,
   ["FEAT", 502] ,
   ["MLST", 150] ,
   ["APPE", 150] ,
   ["STOU", 550] ,
   ["USER", 332] ,
   ["PASV", 227] ,
   ["SYST", 421] ,
   ["STRU", 530] ,
   ["EPRT", 501] ,
   ["PASV", 530] ,
   ["USER", 530] ,
   ["APPE", 125] ,
   ["CDUP", 421] ,
   ["STOU", 451] ,
   ["HELP", 214] ,
   ["NLST", 426] ,
   ["RNFR", 450] ,
   ["LPRT", 521] ,
   ["ALLO", 530] ,
   ["STAT", 501] ,
   ["MACB", 550] ,
   ["PASS", 332] ,
   ["SITE", 502] ,
   ["SIZE", 550] ,
   ["LIST", 451] ,
   ["LIST", 426] ,
   ["APPE", 426] ,
   ["SMNT", 530] ,
   ["MLST", 250] ,
   ["TYPE", 530] ,
   ["HELP", 500] ,
   ["RNTO", 553] ,
   ["STOR", 530] ,
   ["NLST", 150] ,
   ["NLST", 451] ,
   ["SMNT", 501] ,
   ["ACCT", 230] ,
   ["MDTM", 550] ,
   ["APPE", 452] ,
   ["LIST", 450] ,
   ["NLST", 250] ,
   ["MDTM", 500] ,
   ["RETR", 450] ,
   ["NLST", 502] ,
   ["TYPE", 504] ,
   ["MLSD", 550] ,
   ["MODE", 421] ,
   ["OPTS", 451] ,
   ["RETR", 426] ,
   ["APPE", 530] ,
   ["STRU", 504] ,
   ["STAT", 502] ,
   ["RETR", 125] ,
   ["EPRT", 200] ,
   ["ALLO", 202] ,
   ["MKD", 502] ,
   ["STOU", 501] ,
   ["SYST", 502] ,
   ["REIN", 220] ,
   ["MLSD", 501] ,
   ["DELE", 530] ,
   ["USER", 421] ,
   ["NLST", 530] ,
   ["TYPE", 200] ,
   ["RMD", 250] ,
   ["DELE", 421] ,
   ["FEAT", 211] ,
   ["APPE", 500] ,
   ["RETR", 501] ,
   ["ABOR", 225] ,
   ["CWD", 250] ,
   ["STOU", 110] ,
   ["ALLO", 504] ,
   ["RNTO", 532] ,
   ["PWD", 500] ,
   ["STOR", 110] ,
   ["MODE", 502] ,
   ["PORT", 200] ,
   ["NLST", 125] ,
   ["RETR", 110] ,
   ["ACCT", 503] ,
   ["RMD", 502] ,
   ["REST", 200] ,
   ["RETR", 226] ,
   ["PASV", 500] ,
   ["STRU", 501] ,
   ["LIST", 502] ,
   ["STAT", 530] ,
   ["RETR", 500] ,
   ["PASS", 501] ,
   ["STOR", 553] ,
   ["APPE", 550] ,
   ["SMNT", 550] ,
   ["PASV", 501] ,
   ["SYST", 501] ,
   ["MKD", 550] ,
   ["PASV", 502] ,
   ["MODE", 530] ,
   ["STAT", 450] ,
   ["APPE", 226] ,
   ["MACB", 500] ,
   ["PASS", 230] ,
   ["STAT", 212] ,
   ["PASV", 421] ,
   ["STOU", 530] ,
   ["PASS", 530] ,
   ["SITE", 202] ,
   ["PASS", 500] ,
   ["APPE", 450] ,
   ["STOR", 450] ,
   ["LIST", 250] ,
   ["NLST", 500] ,
   ["PWD", 502] ,
   ["RNFR", 500] ,
   ["STOR", 501] ,
   ["DELE", 500] ,
   ["HELP", 421] ,
   ["NLST", 425] ,
   ["NLST", 550] ,
   ["STOR", 451] ,
   ["SYST", 215] ,
   ["RETR", 425] ,
   ["APPE", 532] ,
   ["LIST", 150] ,
   ["CWD", 500] ,
   ["USER", 331] ,
   ["OPTS", 501] ,
   ["PASS", 503] ,
   ["STOU", 532] ,
   ["STOU", 150] ,
   ["QUIT", 221] ,
   ["ACCT", 202] ,
   ["STOR", 425] ,
   ["MKD", 421] ,
   ["TYPE", 500] ,
   ["STOU", 125] ,
   ["SYST", 500] ,
   ["CDUP", 502] ,
   ["RETR", 451] ,
   ["RNFR", 502] ,
   ["TYPE", 421] ,
   ["STOR", 500] ,
   ["SIZE", 500] ,
   ["HELP", 211] ,
   ["RNTO", 250] ,
   ["REIN", 502] ,
   ["STRU", 200] ,
   ["RMD", 421] ,
   ["<init>", 421] ,
   ["STAT", 211] ,
   ["<init>", 120] ,
   ["LIST", 550] ,
   ["ABOR", 500] ,
   ["NOOP", 200] ,
   ["REIN", 421] ,
   ["STOR", 150] ,
   ["SMNT", 502] ,
   ["CDUP", 250] ,
   ["PORT", 501] ,
   ["MODE", 504] ,
   ["STAT", 421] ,
   ["MODE", 501] ,
   ["MDTM", 213] ,
   ["MKD", 501] ,
   ["LIST", 421] ,
   ["MLST", 226] ,
   ["STOR", 226] ,
   ["NOOP", 421] ,
   ["PWD", 421] ,
   ["FEAT", 500] ,
   ["APPE", 250] ,
   ["CLNT", 500] ,
   ["LIST", 501] ,
   ["STOU", 425] ,
   ["LIST", 530] ,
   ["SITE", 530] ,
   ["STOU", 250] ,
   ["RETR", 150] ,
   ["RNTO", 500] ,
   ["MLST", 501] ,
   ["REST", 501] ,
   ["MKD", 530] ,
   ["RNFR", 530] ,
   ["ALLO", 200] ,
   ["STRU", 500] ,
   ["MLSD", 500] ,
   ["STOU", 426] ,
   ["STAT", 213] ,
   ["RNFR", 421] ,
   ["ALLO", 501] ,
   ["RETR", 421] ,
   ["APPE", 421] ,
   ["USER", 501] ,
   ["QUIT", 0] ,
   ["USER", 230] ,
   ["RNFR", 350] ,
   ["STOU", 551] ,
   ["MODE", 500] ,
   ["STOR", 426] ,
   ["REST", 530] ,
   ["SMNT", 421] ,
   ["ABOR", 502] ,
   ["ACCT", 421] ,
   ["APPE", 502] ,
   ["SITE", 214] ,
   ["CWD", 421] ,
   ["NLST", 450] ,
   ["STOU", 226] ,
   ["EPRT", 522] ,
   ["REST", 500] ,
   ["RMD", 550] ,
   ["LPRT", 501] ,
   ["EPSV", 501] ,
   ["HELP", 501] ,
   ["DELE", 450] ,
   ["NLST", 501] ,
   ["EPSV", 500] ,
   ["APPE", 552] ,
   ["EPRT", 500] ,
   ["PWD", 257] ,
   ["MODE", 200] ,
   ["NLST", 226] ,
   ["RMD", 500] ,
   ["CWD", 530] ,
   ["APPE", 501] ,
   ["RMD", 530] ,
   ["STOR", 452] ,
   ["<missing>", 0] ,
   ["RETR", 530] ,
   ["NOOP", 500] ,
   ["REIN", 500] ,
   ["STOR", 532] ,
   ["ABOR", 421] ,
   ["APPE", 551] ,
   ["SMNT", 500] ,
   ["STOR", 550] ,
   ["RNFR", 501] ,
   ["USER", 500] ,
   ["ALLO", 421] ,
   ["ACCT", 500] ,
   ["RNTO", 502] ,
   ["MKD", 500] ,
   ["PASS", 421] ,
   ["STOU", 552] ,
   ["STOU", 452] ,
   ["CWD", 501] ,
   ["PORT", 500] ,
   ["MLST", 500] ,
   ["STOU", 450] ,
   ["STOU", 421] ,
   ["ACCT", 530] ,
   ["STRU", 421] ,
   ["STOU", 500] ,
   ["SIZE", 501] ,
   ["MDTM", 501] ,
   ["ACCT", 501] ,
   ["REST", 502] ,
   ["STOR", 421] ,
   ["RNTO", 421] ,
   ["RETR", 250] ,
   ["MLSD", 226] ,
   ["LIST", 500] ,
   ["DELE", 502] ,
   ["SMNT", 250] ,
   ["OPTS", 200] ,
   ["SITE", 501] ,
   ["APPE", 553] ,
   ["PASS", 202] ,
   ["SIZE", 213] ,
   ["STOR", 250] ,
   ["DELE", 250] ,
   ["STOR", 551] ,
   ["PWD", 550] ,
   ["STAT", 500] ,
   ["RMD", 501] ,
   ["RNTO", 501] ,
   ["HELP", 200] ,
   ["MACB", 200] ,
   ["DELE", 501] ,
   ["LPRT", 500] ,
   ["LIST", 226] ,
   ["REST", 350] ,
   ["CDUP", 500] ,
   ["APPE", 451] ,
   ["EPSV", 229] ,
   ["RETR", 550] ,
   ["DELE", 550] ,
   ["PORT", 530] ,
   ["CWD", 502] ,
   ["STOR", 552] ,
   ["NLST", 421] ,
   ["HELP", 502] ,
   ["SITE", 200] ,
   ["<init>", 220] ,
   ["SMNT", 202] ,
   ["RNFR", 550] ,
   ["MLST", 550] ,
   ["REST", 421]
}

Possible response codes for a wide variety of FTP commands.

Types
FTP::CmdArg
Type

record

ts: time

Time when the command was sent.

cmd: string &default = "<unknown>" &optional

Command.

arg: string &default = "" &optional

Argument for the command if one was given.

seq: count &default = 0 &optional

Counter to track how many commands have been executed.

cwd_consumed: bool &default = F &optional

Flag indicating whether the arg of this CmdArg has been used to update the cwd of c$ftp.

FTP::PendingCmds
Type

table [count] of FTP::CmdArg

Structure for tracking pending commands in the event that the client sends a large number of commands before the server has a chance to reply.

base/protocols/ftp/info.zeek

FTP

Defines data structures for tracking and logging FTP sessions.

Namespace

FTP

Imports

base/protocols/ftp/utils-commands.zeek

Summary
Runtime Options

FTP::default_capture_password: bool &redef

This setting controls whether passwords used in FTP sessions are captured.

Types

FTP::ExpectedDataChannel: record

The expected endpoints of an FTP data channel.

FTP::Info: record

Detailed Interface
Runtime Options
FTP::default_capture_password
Type

bool

Attributes

&redef

Default

F

This setting controls whether passwords used in FTP sessions are captured.

Types
FTP::ExpectedDataChannel
Type

record

passive: bool &log

Whether PASV mode is toggled for the control channel.

orig_h: addr &log

The host that will be initiating the data connection.

resp_h: addr &log

The host that will be accepting the data connection.

resp_p: port &log

The port at which the acceptor is listening for the data connection.

The expected endpoints of an FTP data channel.

FTP::Info
Type

record

ts: time &log

Time when the command was sent.

uid: string &log

Unique ID for the connection.

id: conn_id &log

The connection’s 4-tuple of endpoint addresses/ports.

user: string &log &default = "<unknown>" &optional

User name for the current FTP session.

password: string &log &optional

Password for the current FTP session if captured.

command: string &log &optional

Command given by the client.

arg: string &log &optional

Argument for the command if one is given.

mime_type: string &log &optional

Sniffed mime type of file.

file_size: count &log &optional

Size of the file if the command indicates a file transfer.

reply_code: count &log &optional

Reply code from the server in response to the command.

reply_msg: string &log &optional

Reply message from the server in response to the command.

data_channel: FTP::ExpectedDataChannel &log &optional

Expected FTP data channel.

cwd: string &default = "." &optional

Current working directory that this session is in. The default value ‘.’ indicates that, until something more concrete is discovered, the existing but unknown directory is acceptable to use.

cmdarg: FTP::CmdArg &optional

Command that is currently waiting for a response.

pending_commands: FTP::PendingCmds

Queue of commands that have been sent but not yet responded to.

passive: bool &default = F &optional

Indicates if the session is in active or passive mode.

capture_password: bool &default = FTP::default_capture_password &optional

Determines if the password will be captured for this request.

fuid: string &optional &log

(present if base/protocols/ftp/files.zeek is loaded)

File unique ID.

last_auth_requested: string &optional

(present if base/protocols/ftp/gridftp.zeek is loaded)

base/protocols/ftp/main.zeek

FTP

The logging this script does is primarily focused on logging FTP commands along with metadata. For example, if files are transferred, the argument will take on the full path that the client is at along with the requested file name.

Namespace

FTP

Imports

base/frameworks/cluster, base/frameworks/notice/weird.zeek, base/protocols/conn/removal-hooks.zeek, base/protocols/ftp/info.zeek, base/protocols/ftp/utils-commands.zeek, base/protocols/ftp/utils.zeek, base/utils/addrs.zeek, base/utils/numbers.zeek, base/utils/paths.zeek

Summary
Runtime Options

FTP::guest_ids: set &redef

User IDs that can be considered “anonymous”.

FTP::logged_commands: set &redef

List of commands that should have their command/response pairs logged.

FTP::max_arg_length: count &redef

Truncate the arg field in the log to that many bytes to avoid excessive logging volume.

FTP::max_password_length: count &redef

Truncate the password field in the log to that many bytes to avoid excessive logging volume, as this value is replicated in each of the entries related to an FTP session.

FTP::max_pending_commands: count &redef

Allow a client to send this many commands before the server sends a reply.

FTP::max_reply_msg_length: count &redef

Truncate the reply_msg field in the log to that many bytes to avoid excessive logging volume.

FTP::max_user_length: count &redef

Truncate the user field in the log to that many bytes to avoid excessive logging volume, as this value is replicated in each of the entries related to an FTP session.

Types

FTP::ReplyCode: record

This record is to hold a parsed FTP reply code.

Redefinitions

Log::ID: enum

The FTP protocol logging stream identifier.

connection: record

New Fields

connection

ftp: FTP::Info &optional

ftp_data_reuse: bool &default = F &optional

likely_server_ports: set &redef

Events

FTP::log_ftp: event

Event that can be handled to access the FTP::Info record as it is sent on to the logging framework.

Hooks

FTP::finalize_ftp: Conn::RemovalHook

FTP finalization hook.

FTP::finalize_ftp_data: hook

FTP data finalization hook.

FTP::log_policy: Log::PolicyHook

A default logging policy hook for the stream.

Functions

FTP::parse_ftp_reply_code: function

Parse FTP reply codes into the three constituent single digit values.

Detailed Interface
Runtime Options
FTP::guest_ids
Type

set [string]

Attributes

&redef

Default
{
   "guest",
   "anonymous",
   "ftpuser",
   "ftp"
}

User IDs that can be considered “anonymous”.

FTP::logged_commands
Type

set [string]

Attributes

&redef

Default
{
   "ACCT",
   "DELE",
   "APPE",
   "RETR",
   "PORT",
   "STOR",
   "EPRT",
   "PASV",
   "STOU",
   "EPSV"
}

List of commands that should have their command/response pairs logged.

FTP::max_arg_length
Type

count

Attributes

&redef

Default

4096

Truncate the arg field in the log to that many bytes to avoid excessive logging volume.

FTP::max_password_length
Type

count

Attributes

&redef

Default

128

Truncate the password field in the log to that many bytes to avoid excessive logging volume, as this value is replicated in each of the entries related to an FTP session.

FTP::max_pending_commands
Type

count

Attributes

&redef

Default

20

Allow a client to send this many commands before the server sends a reply. If this value is exceeded a weird named FTP_too_many_pending_commands is logged for the connection.

FTP::max_reply_msg_length
Type

count

Attributes

&redef

Default

4096

Truncate the reply_msg field in the log to that many bytes to avoid excessive logging volume.

FTP::max_user_length
Type

count

Attributes

&redef

Default

128

Truncate the user field in the log to that many bytes to avoid excessive logging volume, as this value is replicated in each of the entries related to an FTP session.

Types
FTP::ReplyCode
Type

record

x: count

y: count

z: count

This record is to hold a parsed FTP reply code. For example, for the 201 status code, the digits would be parsed as: x->2, y->0, z->1.

Events
FTP::log_ftp
Type

event (rec: FTP::Info)

Event that can be handled to access the FTP::Info record as it is sent on to the logging framework.

Hooks
FTP::finalize_ftp
Type

Conn::RemovalHook

FTP finalization hook. Remaining FTP info may get logged when it’s called.

FTP::finalize_ftp_data
Type

hook (c: connection) : bool

FTP data finalization hook. Expected FTP data channel state may get purged when called.

FTP::log_policy
Type

Log::PolicyHook

A default logging policy hook for the stream.

Functions
FTP::parse_ftp_reply_code
Type

function (code: count) : FTP::ReplyCode

Parse FTP reply codes into the three constituent single digit values.
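
The following script is an added example of using FTP::parse_ftp_reply_code, FTP::guest_ids and the per-command state in FTP::Info described above; it is not part of Zeek’s base scripts (the bundled policy/protocols/ftp/detect-bruteforcing.zeek covers similar ground with SumStats). The module name, notice types and thresholds are assumptions. It handles the ftp_reply event after the base script has attached the pending command to c$ftp$cmdarg, counts 5yz replies to USER/PASS per client/server pair, and separately notices successful non-guest logins, which on a cleartext protocol are worth an analyst’s attention.

```zeek
##! Added example (not part of Zeek's base scripts): FTP authentication
##! monitoring built on FTP::Info, FTP::guest_ids and
##! FTP::parse_ftp_reply_code. Module name and thresholds are assumptions.

@load base/frameworks/notice
@load base/protocols/ftp

module FTPExample;

export {
	redef enum Notice::Type += {
		## Repeated failed USER/PASS attempts from one client to one server.
		Auth_Bruteforce,
		## A non-guest account logged in successfully.
		Interactive_Login,
	};

	## Assumed thresholds; tune them for your environment.
	const failed_threshold = 10 &redef;
	const failed_window = 10 min &redef;
}

# (client, server) -> failed authentication count. Entries expire
# failed_window after creation, so the count covers a fixed window.
global failed_auths: table[addr, addr] of count &default=0 &create_expire=failed_window;

# The base FTP script handles ftp_reply at priority 5 and fills in
# c$ftp$cmdarg with the command this reply belongs to, so a handler at the
# default priority sees the matched command.
event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool)
	{
	# Ignore continuation lines of multi-line replies and sessions the
	# base script has not set up.
	if ( cont_resp || ! c?$ftp || ! c$ftp?$cmdarg )
		return;

	local cmd = c$ftp$cmdarg$cmd;
	if ( cmd != "USER" && cmd != "PASS" )
		return;

	# Split the reply code into its x/y/z digits; x == 5 is a permanent
	# negative completion, which is what a rejected login produces.
	local rc = FTP::parse_ftp_reply_code(code);

	if ( rc$x == 5 )
		{
		failed_auths[c$id$orig_h, c$id$resp_h] += 1;

		if ( failed_auths[c$id$orig_h, c$id$resp_h] == failed_threshold )
			NOTICE([$note=Auth_Bruteforce, $conn=c,
			        $msg=fmt("%d failed FTP logins from %s to %s within %s",
			                 failed_threshold, c$id$orig_h, c$id$resp_h,
			                 failed_window),
			        $identifier=cat(c$id$orig_h, c$id$resp_h),
			        $suppress_for=failed_window]);
		}
	else if ( cmd == "PASS" && code == 230 && c$ftp$user !in FTP::guest_ids )
		# 230 "User logged in" to PASS; c$ftp$user was set from the USER
		# command and defaults to "<unknown>" if none was seen.
		NOTICE([$note=Interactive_Login, $conn=c,
		        $msg=fmt("FTP login as %s on %s", c$ftp$user, c$id$resp_h),
		        $identifier=cat(c$id$orig_h, c$id$resp_h, c$ftp$user)]);
	}
```

Servers that reject unknown accounts already at USER (reply 530 before any PASS) are counted as well, which is why both commands are inspected. Note that the password itself stays out of the notice; whether it is recorded in ftp.log is governed by FTP::default_capture_password and FTP::max_password_length, not by this script.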

base/protocols/ftp/utils.zeek

FTP

Utilities specific for FTP processing.

Namespace

FTP

Imports

base/protocols/ftp/info.zeek, base/utils/addrs.zeek, base/utils/paths.zeek

Summary
Functions

FTP::build_url: function

Creates a URL from an FTP::Info record.

FTP::build_url_ftp: function

Creates a URL from an FTP::Info record.

FTP::describe: function

Create an extremely shortened representation of a log line.

Detailed Interface
Functions
FTP::build_url
Type

function (rec: FTP::Info) : string

Creates a URL from an FTP::Info record.

rec

An FTP::Info record.

Returns

A URL, not prefixed by "ftp://".

FTP::build_url_ftp
Type

function (rec: FTP::Info) : string

Creates a URL from an FTP::Info record.

rec

An FTP::Info record.

Returns

A URL prefixed with "ftp://".

FTP::describe
Type

function (rec: FTP::Info) : string

Create an extremely shortened representation of a log line.

base/protocols/ftp/files.zeek

FTP
Namespace

FTP

Imports

base/frameworks/files, base/protocols/ftp/info.zeek, base/protocols/ftp/main.zeek, base/protocols/ftp/utils.zeek, base/utils/conn-ids.zeek

Summary
Redefinitions

FTP::Info: record

New Fields

FTP::Info

fuid: string &optional &log

File unique ID.

fa_file: record &redef

New Fields

fa_file

ftp: FTP::Info &optional

Functions

FTP::describe_file: function

Describe the file being transferred.

FTP::get_file_handle: function

Default file handle provider for FTP.

Detailed Interface
Functions
FTP::describe_file
Type

function (f: fa_file) : string

Describe the file being transferred.

FTP::get_file_handle
Type

function (c: connection, is_orig: bool) : string

Default file handle provider for FTP.

base/protocols/ftp/gridftp.zeek

GridFTP

A detection script for GridFTP data and control channels.

GridFTP control channels are identified by FTP control channels that successfully negotiate the GSSAPI method of an AUTH request and for which the exchange involved an encoded TLS/SSL handshake, indicating the GSI mechanism for GSSAPI was used. This analysis is all supported internally; this script simply adds the “gridftp” label to the service field of the control channel’s connection record.

GridFTP data channels are identified by a heuristic that relies on the fact that default settings for GridFTP clients typically mutually authenticate the data channel with TLS/SSL and negotiate a NULL bulk cipher (no encryption). Connections with those attributes are marked as GridFTP if the data transfer within the first two minutes is big enough to indicate a GridFTP data channel that would be undesirable to analyze further (e.g. stop TCP reassembly). A side effect is that true connection sizes are not logged, but at the benefit of saving CPU cycles that would otherwise go to analyzing the large (and likely benign) connections.

Namespace

GridFTP

Imports

base/frameworks/notice, base/protocols/conn, base/protocols/ftp/info.zeek, base/protocols/ftp/main.zeek, base/protocols/ssl

Summary
Runtime Options

GridFTP::max_time: interval &redef

Time during which we check whether a connection’s size exceeds the GridFTP::size_threshold.

GridFTP::size_threshold: count &redef

Number of bytes transferred before guessing a connection is a GridFTP data channel.

GridFTP::skip_data: bool &redef

Whether to skip further processing of the GridFTP data channel once detected, which may help performance.

Redefinitions

FTP::Info: record

New Fields

FTP::Info

last_auth_requested: string &optional

Events

GridFTP::data_channel_detected: event

Raised when a GridFTP data channel is detected.

Functions

GridFTP::data_channel_initial_criteria: function &redef

The initial criteria used to determine whether to start polling the connection for the GridFTP::size_threshold to have been exceeded.

Detailed Interface
Runtime Options
GridFTP::max_time
Type

interval

Attributes

&redef

Default

2.0 mins

Time during which we check whether a connection’s size exceeds the GridFTP::size_threshold.

GridFTP::size_threshold
Type

count

Attributes

&redef

Default

1073741824

Number of bytes transferred before guessing a connection is a GridFTP data channel.

GridFTP::skip_data
Type

bool

Attributes

&redef

Default

T

Whether to skip further processing of the GridFTP data channel once detected, which may help performance.

Events
GridFTP::data_channel_detected
Type

event (c: connection)

Raised when a GridFTP data channel is detected.

c

The connection pertaining to the GridFTP data channel.

Functions
GridFTP::data_channel_initial_criteria
Type

function (c: connection) : bool

Attributes

&redef

The initial criteria used to determine whether to start polling the connection for the GridFTP::size_threshold to have been exceeded. This is called in an ssl_established event handler and by default looks for both a client and server certificate and for a NULL bulk cipher. One way in which this function could be redefined is to make it also consider client/server certificate issuer subjects.

c

The connection which may possibly be a GridFTP data channel.

Returns

true if the connection should be further polled for an exceeded GridFTP::size_threshold, else false.
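
The following Zeek script is an added example of tuning this detector, not code from Zeek’s own gridftp.zeek. It tightens GridFTP::data_channel_initial_criteria in the way the description suggests (requiring both certificate issuers to be on an allowlist, in addition to the stock client-certificate, server-certificate and NULL-cipher checks), lowers the byte threshold, and raises a Notice when GridFTP::data_channel_detected fires. The module name, the Notice type, and the issuer DN in trusted_issuers are assumptions; replace the DN with your grid CA’s actual issuer string.

```zeek
@load base/frameworks/notice
@load base/protocols/ssl
@load base/protocols/ftp/gridftp

# Hypothetical module name for this tuning script.
module GridFTP_Tuning;

export {
	redef enum Notice::Type += {
		## Hypothetical notice: a GridFTP data channel crossed the size threshold.
		Data_Channel_Detected,
	};

	## Hypothetical allowlist of issuer DNs expected on GridFTP host/user
	## certificates. The value below is a placeholder, not a real CA.
	const trusted_issuers: set[string] = {
		"CN=Example Grid CA,O=Example Grid,C=US",
	} &redef;
}

# Both options are &redef: poll for 512 MiB instead of the 1 GiB default,
# and keep polling for up to 5 minutes instead of 2.
redef GridFTP::size_threshold = 536870912;
redef GridFTP::max_time = 5 mins;

# Replace the default initial criteria. The first three checks mirror what
# the stock function looks for (NULL bulk cipher, server cert, client cert);
# the last one additionally requires both certificates to come from a
# trusted issuer, so an unrelated mutually-authenticated NULL-cipher
# session is not silently skipped.
redef GridFTP::data_channel_initial_criteria = function(c: connection): bool
	{
	if ( ! c?$ssl || ! c$ssl?$cipher || /WITH_NULL/ !in c$ssl$cipher )
		return F;

	if ( ! c$ssl?$subject || ! c$ssl?$client_subject )
		return F;

	if ( ! c$ssl?$issuer || ! c$ssl?$client_issuer )
		return F;

	return c$ssl$issuer in trusted_issuers &&
	       c$ssl$client_issuer in trusted_issuers;
	};

# Record each detection as a notice, suppressed per endpoint pair so a
# long-running transfer with many data channels does not flood notice.log.
event GridFTP::data_channel_detected(c: connection)
	{
	NOTICE([$note=Data_Channel_Detected,
	        $msg=fmt("GridFTP data channel %s -> %s exceeded %d bytes",
	                 c$id$orig_h, c$id$resp_h, GridFTP::size_threshold),
	        $conn=c,
	        $identifier=cat(c$id$orig_h, c$id$resp_h)]);
	}
```

Load it from local.zeek (or pass it on the zeek command line) so it is evaluated after base/protocols/ftp/gridftp. Keep in mind that with GridFTP::skip_data left at its default of T, conn.log still under-reports the byte counts of detected channels; the notice above is the only place the detection itself is recorded apart from the “gridftp-data” service label.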

base/protocols/ssl/__load__.zeek

Imports

base/protocols/ssl/consts.zeek, base/protocols/ssl/ct-list.zeek, base/protocols/ssl/files.zeek, base/protocols/ssl/main.zeek, base/protocols/ssl/mozilla-ca-list.zeek

Summary
Detailed Interface

base/protocols/ssl/consts.zeek

SSL
Namespace

SSL

Summary
Constants

SSL::ALERT: count

SSL::APPLICATION_DATA: count

SSL::CERTIFICATE: count

SSL::CERTIFICATE_REQUEST: count

SSL::CERTIFICATE_STATUS: count

SSL::CERTIFICATE_URL: count

SSL::CERTIFICATE_VERIFY: count

SSL::CHANGE_CIPHER_SPEC: count

SSL::CLIENT_HELLO: count

SSL::CLIENT_KEY_EXCHANGE: count

SSL::DTLSv10: count

SSL::DTLSv12: count

SSL::ENCRYPTED_EXTENSIONS: count

SSL::FINISHED: count

SSL::HANDSHAKE: count

SSL::HEARTBEAT: count

SSL::HELLO_REQUEST: count

SSL::HELLO_RETRY_REQUEST: count

SSL::HELLO_VERIFY_REQUEST: count

SSL::KEY_UPDATE: count

SSL::SERVER_HELLO: count

SSL::SERVER_HELLO_DONE: count

SSL::SERVER_KEY_EXCHANGE: count

SSL::SESSION_TICKET: count

SSL::SSL_EXTENSION_APPLICATION_LAYER_PROTOCOL_NEGOTIATION: count

SSL::SSL_EXTENSION_CACHED_INFO: count

SSL::SSL_EXTENSION_CERTIFICATE_AUTHORITIES: count

SSL::SSL_EXTENSION_CERT_TYPE: count

SSL::SSL_EXTENSION_CHANNEL_ID: count

SSL::SSL_EXTENSION_CHANNEL_ID_NEW: count

SSL::SSL_EXTENSION_CLIENT_AUTHZ: count

SSL::SSL_EXTENSION_CLIENT_CERTIFICATE_TYPE: count

SSL::SSL_EXTENSION_CLIENT_CERTIFICATE_URL: count

SSL::SSL_EXTENSION_CONNECTION_ID: count

SSL::SSL_EXTENSION_COOKIE: count

SSL::SSL_EXTENSION_EARLY_DATA: count

SSL::SSL_EXTENSION_EC_POINT_FORMATS: count

SSL::SSL_EXTENSION_ENCRYPTED_CLIENT_CERTIFICATES: count

SSL::SSL_EXTENSION_ENCRYPT_THEN_MAC: count

SSL::SSL_EXTENSION_EXTENDED_MASTER_SECRET: count

SSL::SSL_EXTENSION_EXTERNAL_ID_HASH: count

SSL::SSL_EXTENSION_EXTERNAL_SESSION_ID: count

SSL::SSL_EXTENSION_HEARTBEAT: count

SSL::SSL_EXTENSION_KEY_SHARE: count

SSL::SSL_EXTENSION_KEY_SHARE_OLD: count

SSL::SSL_EXTENSION_MAX_FRAGMENT_LENGTH: count

SSL::SSL_EXTENSION_NEXT_PROTOCOL_NEGOTIATION: count

SSL::SSL_EXTENSION_OID_FILTERS: count

SSL::SSL_EXTENSION_ORIGIN_BOUND_CERTIFICATES: count

SSL::SSL_EXTENSION_PADDING: count

SSL::SSL_EXTENSION_PADDING_TEMP: count

SSL::SSL_EXTENSION_POST_HANDSHAKE_AUTH: count

SSL::SSL_EXTENSION_PRE_SHARED_KEY: count

SSL::SSL_EXTENSION_PSK_KEY_EXCHANGE_MODES: count

SSL::SSL_EXTENSION_QUIC_TRANSPORT_PARAMETERS: count

SSL::SSL_EXTENSION_RENEGOTIATION_INFO: count

SSL::SSL_EXTENSION_SERVER_AUTHZ: count

SSL::SSL_EXTENSION_SERVER_CERTIFICATE_TYPE: count

SSL::SSL_EXTENSION_SERVER_NAME: count

SSL::SSL_EXTENSION_SESSIONTICKET_TLS: count

SSL::SSL_EXTENSION_SIGNATURE_ALGORITHMS: count

SSL::SSL_EXTENSION_SIGNATURE_ALGORITHMS_CERT: count

SSL::SSL_EXTENSION_SIGNED_CERTIFICATE_TIMESTAMP: count

SSL::SSL_EXTENSION_SRP: count

SSL::SSL_EXTENSION_STATUS_REQUEST: count

SSL::SSL_EXTENSION_STATUS_REQUEST_V2: count

SSL::SSL_EXTENSION_SUPPORTED_GROUPS: count

SSL::SSL_EXTENSION_SUPPORTED_VERSIONS: count

SSL::SSL_EXTENSION_TICKETEARLYDATAINFO: count

SSL::SSL_EXTENSION_TOKEN_BINDING: count

SSL::SSL_EXTENSION_TRANSPARENCY_INFO: count

SSL::SSL_EXTENSION_TRUNCATED_HMAC: count

SSL::SSL_EXTENSION_TRUSTED_CA_KEYS: count

SSL::SSL_EXTENSION_USER_MAPPING: count

SSL::SSL_EXTENSION_USE_SRTP: count

SSL::SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA: count

SSL::SSL_FORTEZZA_KEA_WITH_NULL_SHA: count

SSL::SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA: count

SSL::SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA_2: count

SSL::SSL_RSA_FIPS_WITH_DES_CBC_SHA: count

SSL::SSL_RSA_FIPS_WITH_DES_CBC_SHA_2: count

SSL::SSL_RSA_WITH_3DES_EDE_CBC_MD5: count

SSL::SSL_RSA_WITH_DES_CBC_MD5: count

SSL::SSL_RSA_WITH_IDEA_CBC_MD5: count

SSL::SSL_RSA_WITH_RC2_CBC_MD5: count

SSL::SSLv2: count

SSL::SSLv20_CK_DES_192_EDE3_CBC_WITH_MD5: count

SSL::SSLv20_CK_DES_64_CBC_WITH_MD5: count

SSL::SSLv20_CK_IDEA_128_CBC_WITH_MD5: count

SSL::SSLv20_CK_RC2_128_CBC_EXPORT40_WITH_MD5: count

SSL::SSLv20_CK_RC2_128_CBC_WITH_MD5: count

SSL::SSLv20_CK_RC4_128_EXPORT40_WITH_MD5: count

SSL::SSLv20_CK_RC4_128_WITH_MD5: count

SSL::SSLv3: count

SSL::SUPPLEMENTAL_DATA: count

SSL::TLS_AES_128_CCM_8_SHA256: count

SSL::TLS_AES_128_CCM_SHA256: count

SSL::TLS_AES_128_GCM_SHA256: count

SSL::TLS_AES_256_GCM_SHA384: count

SSL::TLS_CECPQ1_ECDSA_WITH_AES_256_GCM_SHA384: count

SSL::TLS_CECPQ1_ECDSA_WITH_CHACHA20_POLY1305_SHA256: count

SSL::TLS_CECPQ1_RSA_WITH_AES_256_GCM_SHA384: count

SSL::TLS_CECPQ1_RSA_WITH_CHACHA20_POLY1305_SHA256: count

SSL::TLS_CHACHA20_POLY1305_SHA256: count

SSL::TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA: count

SSL::TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA: count

SSL::TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA: count

SSL::TLS_DHE_DSS_WITH_3DES_EDE_CBC_RMD: count

SSL::TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA: count

SSL::TLS_DHE_DSS_WITH_AES_128_CBC_RMD: count

SSL::TLS_DHE_DSS_WITH_AES_128_CBC_SHA: count

SSL::TLS_DHE_DSS_WITH_AES_128_CBC_SHA256: count

SSL::TLS_DHE_DSS_WITH_AES_128_GCM_SHA256: count

SSL::TLS_DHE_DSS_WITH_AES_256_CBC_RMD: count

SSL::TLS_DHE_DSS_WITH_AES_256_CBC_SHA: count

SSL::TLS_DHE_DSS_WITH_AES_256_CBC_SHA256: count

SSL::TLS_DHE_DSS_WITH_AES_256_GCM_SHA384: count

SSL::TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256: count

SSL::TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256: count

SSL::TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384: count

SSL::TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384: count

SSL::TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: count

SSL::TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256: count

SSL::TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256: count

SSL::TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: count

SSL::TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256: count

SSL::TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384: count

SSL::TLS_DHE_DSS_WITH_DES_CBC_SHA: count

SSL::TLS_DHE_DSS_WITH_RC4_128_SHA: count

SSL::TLS_DHE_DSS_WITH_SEED_CBC_SHA: count

SSL::TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA: count

SSL::TLS_DHE_PSK_WITH_AES_128_CBC_SHA: count

SSL::TLS_DHE_PSK_WITH_AES_128_CBC_SHA256: count

SSL::TLS_DHE_PSK_WITH_AES_128_CCM: count

SSL::TLS_DHE_PSK_WITH_AES_128_GCM_SHA256: count

SSL::TLS_DHE_PSK_WITH_AES_256_CBC_SHA: count

SSL::TLS_DHE_PSK_WITH_AES_256_CBC_SHA384: count

SSL::TLS_DHE_PSK_WITH_AES_256_CCM: count

SSL::TLS_DHE_PSK_WITH_AES_256_GCM_SHA384: count

SSL::TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256: count

SSL::TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256: count

SSL::TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384: count

SSL::TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384: count

SSL::TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256: count

SSL::TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256: count

SSL::TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384: count

SSL::TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384: count

SSL::TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256: count

SSL::TLS_DHE_PSK_WITH_NULL_SHA256: count

SSL::TLS_DHE_PSK_WITH_NULL_SHA384: count

SSL::TLS_DHE_PSK_WITH_RC4_128_SHA: count

SSL::TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA: count

SSL::TLS_DHE_RSA_WITH_3DES_EDE_CBC_RMD: count

SSL::TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA: count

SSL::TLS_DHE_RSA_WITH_AES_128_CBC_RMD: count

SSL::TLS_DHE_RSA_WITH_AES_128_CBC_SHA: count

SSL::TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: count

SSL::TLS_DHE_RSA_WITH_AES_128_CCM: count

SSL::TLS_DHE_RSA_WITH_AES_128_CCM_8: count

SSL::TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: count

SSL::TLS_DHE_RSA_WITH_AES_256_CBC_RMD: count

SSL::TLS_DHE_RSA_WITH_AES_256_CBC_SHA: count

SSL::TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: count

SSL::TLS_DHE_RSA_WITH_AES_256_CCM: count

SSL::TLS_DHE_RSA_WITH_AES_256_CCM_8: count

SSL::TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: count

SSL::TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256: count

SSL::TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256: count

SSL::TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384: count

SSL::TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384: count

SSL::TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: count

SSL::TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256: count

SSL::TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256: count

SSL::TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: count

SSL::TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256: count

SSL::TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384: count

SSL::TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: count

SSL::TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD: count

SSL::TLS_DHE_RSA_WITH_DES_CBC_SHA: count

SSL::TLS_DHE_RSA_WITH_SEED_CBC_SHA: count

SSL::TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA: count

SSL::TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5: count

SSL::TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA: count

SSL::TLS_DH_ANON_WITH_AES_128_CBC_SHA: count

SSL::TLS_DH_ANON_WITH_AES_128_CBC_SHA256: count

SSL::TLS_DH_ANON_WITH_AES_128_GCM_SHA256: count

SSL::TLS_DH_ANON_WITH_AES_256_CBC_SHA: count

SSL::TLS_DH_ANON_WITH_AES_256_CBC_SHA256: count

SSL::TLS_DH_ANON_WITH_AES_256_GCM_SHA384: count

SSL::TLS_DH_ANON_WITH_ARIA_128_CBC_SHA256: count

SSL::TLS_DH_ANON_WITH_ARIA_128_GCM_SHA256: count

SSL::TLS_DH_ANON_WITH_ARIA_256_CBC_SHA384: count

SSL::TLS_DH_ANON_WITH_ARIA_256_GCM_SHA384: count

SSL::TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA: count

SSL::TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA256: count

SSL::TLS_DH_ANON_WITH_CAMELLIA_128_GCM_SHA256: count

SSL::TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA: count

SSL::TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256: count

SSL::TLS_DH_ANON_WITH_CAMELLIA_256_GCM_SHA384: count

SSL::TLS_DH_ANON_WITH_DES_CBC_SHA: count

SSL::TLS_DH_ANON_WITH_RC4_128_MD5: count

SSL::TLS_DH_ANON_WITH_SEED_CBC_SHA: count

SSL::TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA: count

SSL::TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA: count

SSL::TLS_DH_DSS_WITH_AES_128_CBC_SHA: count

SSL::TLS_DH_DSS_WITH_AES_128_CBC_SHA256: count

SSL::TLS_DH_DSS_WITH_AES_128_GCM_SHA256: count

SSL::TLS_DH_DSS_WITH_AES_256_CBC_SHA: count

SSL::TLS_DH_DSS_WITH_AES_256_CBC_SHA256: count

SSL::TLS_DH_DSS_WITH_AES_256_GCM_SHA384: count

SSL::TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256: count

SSL::TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256: count

SSL::TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384: count

SSL::TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384: count

SSL::TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA: count

SSL::TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256: count

SSL::TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256: count

SSL::TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA: count

SSL::TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256: count

SSL::TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384: count

SSL::TLS_DH_DSS_WITH_DES_CBC_SHA: count

SSL::TLS_DH_DSS_WITH_SEED_CBC_SHA: count

SSL::TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA: count

SSL::TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA: count

SSL::TLS_DH_RSA_WITH_AES_128_CBC_SHA: count

SSL::TLS_DH_RSA_WITH_AES_128_CBC_SHA256: count

SSL::TLS_DH_RSA_WITH_AES_128_GCM_SHA256: count

SSL::TLS_DH_RSA_WITH_AES_256_CBC_SHA: count

SSL::TLS_DH_RSA_WITH_AES_256_CBC_SHA256: count

SSL::TLS_DH_RSA_WITH_AES_256_GCM_SHA384: count

SSL::TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256: count

SSL::TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256: count

SSL::TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384: count

SSL::TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384: count

SSL::TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA: count

SSL::TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256: count

SSL::TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256: count

SSL::TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA: count

SSL::TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256: count

SSL::TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384: count

SSL::TLS_DH_RSA_WITH_DES_CBC_SHA: count

SSL::TLS_DH_RSA_WITH_SEED_CBC_SHA: count

SSL::TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA: count

SSL::TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: count

SSL::TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: count

SSL::TLS_ECDHE_ECDSA_WITH_AES_128_CCM: count

SSL::TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8: count

SSL::TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: count

SSL::TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: count

SSL::TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: count

SSL::TLS_ECDHE_ECDSA_WITH_AES_256_CCM: count

SSL::TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8: count

SSL::TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: count

SSL::TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256: count

SSL::TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256: count

SSL::TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384: count

SSL::TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384: count

SSL::TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256: count

SSL::TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256: count

SSL::TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384: count

SSL::TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384: count

SSL::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: count

SSL::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD: count

SSL::TLS_ECDHE_ECDSA_WITH_NULL_SHA: count

SSL::TLS_ECDHE_ECDSA_WITH_RC4_128_SHA: count

SSL::TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA: count

SSL::TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA: count

SSL::TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256: count

SSL::TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256: count

SSL::TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256: count

SSL::TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256: count

SSL::TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA: count

SSL::TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384: count

SSL::TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384: count

SSL::TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256: count

SSL::TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384: count

SSL::TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256: count

SSL::TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384: count

SSL::TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256: count

SSL::TLS_ECDHE_PSK_WITH_NULL_SHA: count

SSL::TLS_ECDHE_PSK_WITH_NULL_SHA256: count

SSL::TLS_ECDHE_PSK_WITH_NULL_SHA384: count

SSL::TLS_ECDHE_PSK_WITH_RC4_128_SHA: count

SSL::TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: count

SSL::TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: count

SSL::TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: count

SSL::TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: count

SSL::TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: count

SSL::TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: count

SSL::TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: count

SSL::TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256: count

SSL::TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256: count

SSL::TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384: count

SSL::TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384: count

SSL::TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256: count

SSL::TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256: count

SSL::TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384: count

SSL::TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384: count

SSL::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: count

SSL::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD: count

SSL::TLS_ECDHE_RSA_WITH_NULL_SHA: count

SSL::TLS_ECDHE_RSA_WITH_RC4_128_SHA: count

SSL::TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA: count

SSL::TLS_ECDH_ANON_WITH_AES_128_CBC_SHA: count

SSL::TLS_ECDH_ANON_WITH_AES_256_CBC_SHA: count

SSL::TLS_ECDH_ANON_WITH_NULL_SHA: count

SSL::TLS_ECDH_ANON_WITH_RC4_128_SHA: count

SSL::TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA: count

SSL::TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: count

SSL::TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256: count

SSL::TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256: count

SSL::TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: count

SSL::TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384: count

SSL::TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384: count

SSL::TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256: count

SSL::TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256: count

SSL::TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384: count

SSL::TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384: count

SSL::TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256: count

SSL::TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256: count

SSL::TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384: count

SSL::TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384: count

SSL::TLS_ECDH_ECDSA_WITH_NULL_SHA: count

SSL::TLS_ECDH_ECDSA_WITH_RC4_128_SHA: count

SSL::TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA: count

SSL::TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: count

SSL::TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256: count

SSL::TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256: count

SSL::TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: count

SSL::TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384: count

SSL::TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384: count

SSL::TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256: count

SSL::TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256: count

SSL::TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384: count

SSL::TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384: count

SSL::TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256: count

SSL::TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256: count

SSL::TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384: count

SSL::TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384: count

SSL::TLS_ECDH_RSA_WITH_NULL_SHA: count

SSL::TLS_ECDH_RSA_WITH_RC4_128_SHA: count

SSL::TLS_EMPTY_RENEGOTIATION_INFO_SCSV: count

SSL::TLS_FALLBACK_SCSV: count

SSL::TLS_GOSTR341001_WITH_28147_CNT_IMIT: count

SSL::TLS_GOSTR341001_WITH_NULL_GOSTR3411: count

SSL::TLS_GOSTR341094_WITH_28147_CNT_IMIT: count

SSL::TLS_GOSTR341094_WITH_NULL_GOSTR3411: count

SSL::TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5: count

SSL::TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA: count

SSL::TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5: count

SSL::TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA: count

SSL::TLS_KRB5_EXPORT_WITH_RC4_40_MD5: count

SSL::TLS_KRB5_EXPORT_WITH_RC4_40_SHA: count

SSL::TLS_KRB5_WITH_3DES_EDE_CBC_MD5: count

SSL::TLS_KRB5_WITH_3DES_EDE_CBC_SHA: count

SSL::TLS_KRB5_WITH_DES_CBC_MD5: count

SSL::TLS_KRB5_WITH_DES_CBC_SHA: count

SSL::TLS_KRB5_WITH_IDEA_CBC_MD5: count

SSL::TLS_KRB5_WITH_IDEA_CBC_SHA: count

SSL::TLS_KRB5_WITH_RC4_128_MD5: count

SSL::TLS_KRB5_WITH_RC4_128_SHA: count

SSL::TLS_NULL_WITH_NULL_NULL: count

SSL::TLS_PSK_DHE_WITH_AES_128_CCM_8: count

SSL::TLS_PSK_DHE_WITH_AES_256_CCM_8: count

SSL::TLS_PSK_WITH_3DES_EDE_CBC_SHA: count

SSL::TLS_PSK_WITH_AES_128_CBC_SHA: count

SSL::TLS_PSK_WITH_AES_128_CBC_SHA256: count

SSL::TLS_PSK_WITH_AES_128_CCM: count

SSL::TLS_PSK_WITH_AES_128_CCM_8: count

SSL::TLS_PSK_WITH_AES_128_GCM_SHA256: count

SSL::TLS_PSK_WITH_AES_256_CBC_SHA: count

SSL::TLS_PSK_WITH_AES_256_CBC_SHA384: count

SSL::TLS_PSK_WITH_AES_256_CCM: count

SSL::TLS_PSK_WITH_AES_256_CCM_8: count

SSL::TLS_PSK_WITH_AES_256_GCM_SHA384: count

SSL::TLS_PSK_WITH_ARIA_128_CBC_SHA256: count

SSL::TLS_PSK_WITH_ARIA_128_GCM_SHA256: count

SSL::TLS_PSK_WITH_ARIA_256_CBC_SHA384: count

SSL::TLS_PSK_WITH_ARIA_256_GCM_SHA384: count

SSL::TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256: count

SSL::TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256: count

SSL::TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384: count

SSL::TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384: count

SSL::TLS_PSK_WITH_CHACHA20_POLY1305_SHA256: count

SSL::TLS_PSK_WITH_NULL_SHA256: count

SSL::TLS_PSK_WITH_NULL_SHA384: count

SSL::TLS_PSK_WITH_RC4_128_SHA: count

SSL::TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA: count

SSL::TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5: count

SSL::TLS_RSA_EXPORT1024_WITH_RC4_56_MD5: count

SSL::TLS_RSA_EXPORT1024_WITH_RC4_56_SHA: count

SSL::TLS_RSA_EXPORT_WITH_DES40_CBC_SHA: count

SSL::TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5: count

SSL::TLS_RSA_EXPORT_WITH_RC4_40_MD5: count

SSL::TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA: count

SSL::TLS_RSA_PSK_WITH_AES_128_CBC_SHA: count

SSL::TLS_RSA_PSK_WITH_AES_128_CBC_SHA256: count

SSL::TLS_RSA_PSK_WITH_AES_128_GCM_SHA256: count

SSL::TLS_RSA_PSK_WITH_AES_256_CBC_SHA: count

SSL::TLS_RSA_PSK_WITH_AES_256_CBC_SHA384: count

SSL::TLS_RSA_PSK_WITH_AES_256_GCM_SHA384: count

SSL::TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256: count

SSL::TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256: count

SSL::TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384: count

SSL::TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384: count

SSL::TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256: count

SSL::TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256: count

SSL::TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384: count

SSL::TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384: count

SSL::TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256: count

SSL::TLS_RSA_PSK_WITH_NULL_SHA256: count

SSL::TLS_RSA_PSK_WITH_NULL_SHA384: count

SSL::TLS_RSA_PSK_WITH_RC4_128_SHA: count

SSL::TLS_RSA_WITH_3DES_EDE_CBC_RMD: count

SSL::TLS_RSA_WITH_3DES_EDE_CBC_SHA: count

SSL::TLS_RSA_WITH_AES_128_CBC_RMD: count

SSL::TLS_RSA_WITH_AES_128_CBC_SHA: count

SSL::TLS_RSA_WITH_AES_128_CBC_SHA256: count

SSL::TLS_RSA_WITH_AES_128_CCM: count

SSL::TLS_RSA_WITH_AES_128_CCM_8: count

SSL::TLS_RSA_WITH_AES_128_GCM_SHA256: count

SSL::TLS_RSA_WITH_AES_256_CBC_RMD: count

SSL::TLS_RSA_WITH_AES_256_CBC_SHA: count

SSL::TLS_RSA_WITH_AES_256_CBC_SHA256: count

SSL::TLS_RSA_WITH_AES_256_CCM: count

SSL::TLS_RSA_WITH_AES_256_CCM_8: count

SSL::TLS_RSA_WITH_AES_256_GCM_SHA384: count

SSL::TLS_RSA_WITH_ARIA_128_CBC_SHA256: count

SSL::TLS_RSA_WITH_ARIA_128_GCM_SHA256: count

SSL::TLS_RSA_WITH_ARIA_256_CBC_SHA384: count

SSL::TLS_RSA_WITH_ARIA_256_GCM_SHA384: count

SSL::TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: count

SSL::TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256: count

SSL::TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256: count

SSL::TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: count

SSL::TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256: count

SSL::TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384: count

SSL::TLS_RSA_WITH_DES_CBC_SHA: count

SSL::TLS_RSA_WITH_IDEA_CBC_SHA: count

SSL::TLS_RSA_WITH_NULL_MD5: count

SSL::TLS_RSA_WITH_NULL_SHA: count

SSL::TLS_RSA_WITH_NULL_SHA256: count

SSL::TLS_RSA_WITH_RC4_128_MD5: count

SSL::TLS_RSA_WITH_RC4_128_SHA: count

SSL::TLS_RSA_WITH_SEED_CBC_SHA: count

SSL::TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA: count

SSL::TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA: count

SSL::TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA: count

SSL::TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA: count

SSL::TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA: count

SSL::TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA: count

SSL::TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA: count

SSL::TLS_SRP_SHA_WITH_AES_128_CBC_SHA: count

SSL::TLS_SRP_SHA_WITH_AES_256_CBC_SHA: count

SSL::TLSv10: count

SSL::TLSv11: count

SSL::TLSv12: count

SSL::TLSv13: count

SSL::V2_CLIENT_HELLO: count

SSL::V2_CLIENT_MASTER_KEY: count

SSL::V2_ERROR: count

SSL::V2_SERVER_HELLO: count

SSL::alert_descriptions: table &default = function

Mapping between numeric codes and human readable strings for alert descriptions.

SSL::alert_levels: table &default = function

Mapping between numeric codes and human readable strings for alert levels.

SSL::cipher_desc: table &default = function

This is a table of all known cipher specs.

SSL::ec_curves: table &default = function

Mapping between numeric codes and human readable string for SSL/TLS elliptic curves.

SSL::ec_point_formats: table &default = function

Mapping between numeric codes and human readable string for SSL/TLS EC point formats.

SSL::extensions: table &default = function

Mapping between numeric codes and human readable strings for SSL/TLS extensions.

SSL::hash_algorithms: table &default = function

Mapping between numeric codes and human readable strings for hash algorithms.

SSL::signature_algorithms: table &default = function

Mapping between numeric codes and human readable strings for signature algorithms.

SSL::version_strings: table &default = function

Mapping between the constants and string values for SSL/TLS versions.
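
The constants and lookup tables above are what a policy script uses to reason about a handshake by number rather than by string. The script below is an added example, not part of Zeek’s SSL scripts: it flags servers that select a cipher suite from a small explicit set of SSL:: constants or whose suite name in SSL::cipher_desc matches a weak-algorithm pattern, and separately flags legacy protocol versions using the SSL::SSLv2 … SSL::TLSv11 constants and SSL::version_strings. The module name, the two Notice types and the particular cipher list are assumptions chosen for illustration; the ssl_server_hello signature used is the one in Zeek 3.0 and later.

```zeek
@load base/frameworks/notice
@load base/protocols/ssl

# Hypothetical module name for this policy.
module WeakTLS;

export {
	redef enum Notice::Type += {
		## Hypothetical notice: server chose a cipher suite this policy rejects.
		Weak_Cipher_Selected,
		## Hypothetical notice: server negotiated a legacy SSL/TLS version.
		Legacy_Version_Selected,
	};

	## Suites named explicitly through the SSL:: constants from consts.zeek.
	## Illustrative list; extend or redef it for your environment.
	const weak_ciphers: set[count] = {
		SSL::TLS_NULL_WITH_NULL_NULL,
		SSL::TLS_RSA_WITH_NULL_SHA,
		SSL::TLS_RSA_WITH_RC4_128_MD5,
		SSL::TLS_RSA_WITH_RC4_128_SHA,
		SSL::TLS_RSA_EXPORT_WITH_RC4_40_MD5,
		SSL::TLS_RSA_WITH_DES_CBC_SHA,
		SSL::TLS_DH_ANON_WITH_AES_128_CBC_SHA,
		SSL::TLS_ECDH_ANON_WITH_AES_256_CBC_SHA,
	} &redef;

	## Catch-all over the human-readable name from SSL::cipher_desc, so
	## suites not listed above (other EXPORT, RC2, anon, NULL variants)
	## are still caught. Note this deliberately does not match 3DES.
	const weak_cipher_pattern: pattern =
		/_NULL_|_EXPORT|_RC4_|_DES_|_DES40_|_RC2_|_ANON_/ &redef;

	## Protocol versions considered legacy, from the SSL:: version constants.
	const legacy_versions: set[count] = {
		SSL::SSLv2, SSL::SSLv3, SSL::TLSv10, SSL::TLSv11,
	} &redef;
}

# True if the numeric suite is either in the explicit set or its
# description matches the pattern. SSL::cipher_desc has a &default
# function, so an unknown suite yields an "unknown-N" string rather
# than a missing-index error.
function is_weak_cipher(cipher: count): bool
	{
	if ( cipher in weak_ciphers )
		return T;

	return weak_cipher_pattern in SSL::cipher_desc[cipher];
	}

event ssl_server_hello(c: connection, version: count, record_version: count,
                       possible_ts: time, server_random: string,
                       session_id: string, cipher: count, comp_method: count)
	{
	if ( is_weak_cipher(cipher) )
		NOTICE([$note=Weak_Cipher_Selected,
		        $msg=fmt("%s:%s selected %s (0x%x)", c$id$resp_h, c$id$resp_p,
		                 SSL::cipher_desc[cipher], cipher),
		        $conn=c,
		        $identifier=cat(c$id$resp_h, c$id$resp_p, cipher)]);

	if ( version in legacy_versions )
		NOTICE([$note=Legacy_Version_Selected,
		        $msg=fmt("%s:%s negotiated %s", c$id$resp_h, c$id$resp_p,
		                 SSL::version_strings[version]),
		        $conn=c,
		        $identifier=cat(c$id$resp_h, c$id$resp_p, version)]);
	}
```

Two caveats when using the version argument this way: the version carried in a TLS 1.3 ServerHello is the legacy value SSL::TLSv12, with the real version in the supported_versions extension, so only the legacy_versions check (which never involves 1.3) is reliable here; and the $identifier fields make Notice suppression per server and suite, so one misconfigured host yields one notice per suite rather than one per connection.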

Detailed Interface
Constants
SSL::ALERT
Type

count

Default

21

SSL::APPLICATION_DATA
Type

count

Default

23

SSL::CERTIFICATE
Type

count

Default

11

SSL::CERTIFICATE_REQUEST
Type

count

Default

13

SSL::CERTIFICATE_STATUS
Type

count

Default

22

SSL::CERTIFICATE_URL
Type

count

Default

21

SSL::CERTIFICATE_VERIFY
Type

count

Default

15

SSL::CHANGE_CIPHER_SPEC
Type

count

Default

20

SSL::CLIENT_HELLO
Type

count

Default

1

SSL::CLIENT_KEY_EXCHANGE
Type

count

Default

16

SSL::DTLSv10
Type

count

Default

65279

SSL::DTLSv12
Type

count

Default

65277

SSL::ENCRYPTED_EXTENSIONS
Type

count

Default

8

SSL::FINISHED
Type

count

Default

20

SSL::HANDSHAKE
Type

count

Default

22

SSL::HEARTBEAT
Type

count

Default

24

SSL::HELLO_REQUEST
Type

count

Default

0

SSL::HELLO_RETRY_REQUEST
Type

count

Default

6

SSL::HELLO_VERIFY_REQUEST
Type

count

Default

3

SSL::KEY_UPDATE
Type

count

Default

24

SSL::SERVER_HELLO
Type

count

Default

2

SSL::SERVER_HELLO_DONE
Type

count

Default

14

SSL::SERVER_KEY_EXCHANGE
Type

count

Default

12

SSL::SESSION_TICKET
Type

count

Default

4

SSL::SSL_EXTENSION_APPLICATION_LAYER_PROTOCOL_NEGOTIATION
Type

count

Default

16

SSL::SSL_EXTENSION_CACHED_INFO
Type

count

Default

25

SSL::SSL_EXTENSION_CERTIFICATE_AUTHORITIES
Type

count

Default

47

SSL::SSL_EXTENSION_CERT_TYPE
Type

count

Default

9

SSL::SSL_EXTENSION_CHANNEL_ID
Type

count

Default

30031

SSL::SSL_EXTENSION_CHANNEL_ID_NEW
Type

count

Default

30032

SSL::SSL_EXTENSION_CLIENT_AUTHZ
Type

count

Default

7

SSL::SSL_EXTENSION_CLIENT_CERTIFICATE_TYPE
Type

count

Default

19

SSL::SSL_EXTENSION_CLIENT_CERTIFICATE_URL
Type

count

Default

2

SSL::SSL_EXTENSION_CONNECTION_ID
Type

count

Default

53

SSL::SSL_EXTENSION_COOKIE
Type

count

Default

44

SSL::SSL_EXTENSION_EARLY_DATA
Type

count

Default

42

SSL::SSL_EXTENSION_EC_POINT_FORMATS
Type

count

Default

11

SSL::SSL_EXTENSION_ENCRYPTED_CLIENT_CERTIFICATES
Type

count

Default

13180

SSL::SSL_EXTENSION_ENCRYPT_THEN_MAC
Type

count

Default

22

SSL::SSL_EXTENSION_EXTENDED_MASTER_SECRET
Type

count

Default

23

SSL::SSL_EXTENSION_EXTERNAL_ID_HASH
Type

count

Default

55

SSL::SSL_EXTENSION_EXTERNAL_SESSION_ID
Type

count

Default

56

SSL::SSL_EXTENSION_HEARTBEAT
Type

count

Default

15

SSL::SSL_EXTENSION_KEY_SHARE
Type

count

Default

51

SSL::SSL_EXTENSION_KEY_SHARE_OLD
Type

count

Default

40

SSL::SSL_EXTENSION_MAX_FRAGMENT_LENGTH
Type

count

Default

1

SSL::SSL_EXTENSION_NEXT_PROTOCOL_NEGOTIATION
Type

count

Default

13172

SSL::SSL_EXTENSION_OID_FILTERS
Type

count

Default

48

SSL::SSL_EXTENSION_ORIGIN_BOUND_CERTIFICATES
Type

count

Default

13175

SSL::SSL_EXTENSION_PADDING
Type

count

Default

21

SSL::SSL_EXTENSION_PADDING_TEMP
Type

count

Default

35655

SSL::SSL_EXTENSION_POST_HANDSHAKE_AUTH
Type

count

Default

49

SSL::SSL_EXTENSION_PRE_SHARED_KEY
Type

count

Default

41

SSL::SSL_EXTENSION_PSK_KEY_EXCHANGE_MODES
Type

count

Default

45

SSL::SSL_EXTENSION_QUIC_TRANSPORT_PARAMETERS
Type

count

Default

57

SSL::SSL_EXTENSION_RENEGOTIATION_INFO
Type

count

Default

65281

SSL::SSL_EXTENSION_SERVER_AUTHZ
Type

count

Default

8

SSL::SSL_EXTENSION_SERVER_CERTIFICATE_TYPE
Type

count

Default

20

SSL::SSL_EXTENSION_SERVER_NAME
Type

count

Default

0

SSL::SSL_EXTENSION_SESSIONTICKET_TLS
Type

count

Default

35

SSL::SSL_EXTENSION_SIGNATURE_ALGORITHMS
Type

count

Default

13

SSL::SSL_EXTENSION_SIGNATURE_ALGORITHMS_CERT
Type

count

Default

50

SSL::SSL_EXTENSION_SIGNED_CERTIFICATE_TIMESTAMP
Type

count

Default

18

SSL::SSL_EXTENSION_SRP
Type

count

Default

12

SSL::SSL_EXTENSION_STATUS_REQUEST
Type

count

Default

5

SSL::SSL_EXTENSION_STATUS_REQUEST_V2
Type

count

Default

17

SSL::SSL_EXTENSION_SUPPORTED_GROUPS
Type

count

Default

10

SSL::SSL_EXTENSION_SUPPORTED_VERSIONS
Type

count

Default

43

SSL::SSL_EXTENSION_TICKETEARLYDATAINFO
Type

count

Default

46

SSL::SSL_EXTENSION_TOKEN_BINDING
Type

count

Default

24

SSL::SSL_EXTENSION_TRANSPARENCY_INFO
Type

count

Default

52

SSL::SSL_EXTENSION_TRUNCATED_HMAC
Type

count

Default

4

SSL::SSL_EXTENSION_TRUSTED_CA_KEYS
Type

count

Default

3

SSL::SSL_EXTENSION_USER_MAPPING
Type

count

Default

6

SSL::SSL_EXTENSION_USE_SRTP
Type

count

Default

14

SSL::SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA
Type

count

Default

29

SSL::SSL_FORTEZZA_KEA_WITH_NULL_SHA
Type

count

Default

28

SSL::SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
Type

count

Default

65279

SSL::SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA_2
Type

count

Default

65504

SSL::SSL_RSA_FIPS_WITH_DES_CBC_SHA
Type

count

Default

65278

SSL::SSL_RSA_FIPS_WITH_DES_CBC_SHA_2
Type

count

Default

65505

SSL::SSL_RSA_WITH_3DES_EDE_CBC_MD5
Type

count

Default

65411

SSL::SSL_RSA_WITH_DES_CBC_MD5
Type

count

Default

65410

SSL::SSL_RSA_WITH_IDEA_CBC_MD5
Type

count

Default

65409

SSL::SSL_RSA_WITH_RC2_CBC_MD5
Type

count

Default

65408

SSL::SSLv2
Type

count

Default

2

SSL::SSLv20_CK_DES_192_EDE3_CBC_WITH_MD5
Type

count

Default

458944

SSL::SSLv20_CK_DES_64_CBC_WITH_MD5
Type

count

Default

393280

SSL::SSLv20_CK_IDEA_128_CBC_WITH_MD5
Type

count

Default

327808

SSL::SSLv20_CK_RC2_128_CBC_EXPORT40_WITH_MD5
Type

count

Default

262272

SSL::SSLv20_CK_RC2_128_CBC_WITH_MD5
Type

count

Default

196736

SSL::SSLv20_CK_RC4_128_EXPORT40_WITH_MD5
Type

count

Default

131200

SSL::SSLv20_CK_RC4_128_WITH_MD5
Type

count

Default

65664

SSL::SSLv3
Type

count

Default

768

SSL::SUPPLEMENTAL_DATA
Type

count

Default

23

SSL::TLS_AES_128_CCM_8_SHA256
Type

count

Default

4869

SSL::TLS_AES_128_CCM_SHA256
Type

count

Default

4868

SSL::TLS_AES_128_GCM_SHA256
Type

count

Default

4865

SSL::TLS_AES_256_GCM_SHA384
Type

count

Default

4866

SSL::TLS_CECPQ1_ECDSA_WITH_AES_256_GCM_SHA384
Type

count

Default

5818

SSL::TLS_CECPQ1_ECDSA_WITH_CHACHA20_POLY1305_SHA256
Type

count

Default

5816

SSL::TLS_CECPQ1_RSA_WITH_AES_256_GCM_SHA384
Type

count

Default

5817

SSL::TLS_CECPQ1_RSA_WITH_CHACHA20_POLY1305_SHA256
Type

count

Default

5815

SSL::TLS_CHACHA20_POLY1305_SHA256
Type

count

Default

4867

SSL::TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
Type

count

Default

99

SSL::TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA
Type

count

Default

101

SSL::TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
Type

count

Default

17

SSL::TLS_DHE_DSS_WITH_3DES_EDE_CBC_RMD
Type

count

Default

114

SSL::TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Type

count

Default

19

SSL::TLS_DHE_DSS_WITH_AES_128_CBC_RMD
Type

count

Default

115

SSL::TLS_DHE_DSS_WITH_AES_128_CBC_SHA
Type

count

Default

50

SSL::TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Type

count

Default

64

SSL::TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
Type

count

Default

162

SSL::TLS_DHE_DSS_WITH_AES_256_CBC_RMD
Type

count

Default

116

SSL::TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Type

count

Default

56

SSL::TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Type

count

Default

106

SSL::TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
Type

count

Default

163

SSL::TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256
Type

count

Default

49218

SSL::TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256
Type

count

Default

49238

SSL::TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384
Type

count

Default

49219

SSL::TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384
Type

count

Default

49239

SSL::TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA
Type

count

Default

68

SSL::TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256
Type

count

Default

189

SSL::TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256
Type

count

Default

49280

SSL::TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
Type

count

Default

135

SSL::TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256
Type

count

Default

195

SSL::TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384
Type

count

Default

49281

SSL::TLS_DHE_DSS_WITH_DES_CBC_SHA
Type

count

Default

18

SSL::TLS_DHE_DSS_WITH_RC4_128_SHA
Type

count

Default

102

SSL::TLS_DHE_DSS_WITH_SEED_CBC_SHA
Type

count

Default

153

SSL::TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
Type

count

Default

143

SSL::TLS_DHE_PSK_WITH_AES_128_CBC_SHA
Type

count

Default

144

SSL::TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
Type

count

Default

178

SSL::TLS_DHE_PSK_WITH_AES_128_CCM
Type

count

Default

49318

SSL::TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
Type

count

Default

170

SSL::TLS_DHE_PSK_WITH_AES_256_CBC_SHA
Type

count

Default

145

SSL::TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
Type

count

Default

179

SSL::TLS_DHE_PSK_WITH_AES_256_CCM
Type

count

Default

49319

SSL::TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
Type

count

Default

171

SSL::TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256
Type

count

Default

49254

SSL::TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256
Type

count

Default

49260

SSL::TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384
Type

count

Default

49255

SSL::TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384
Type

count

Default

49261

SSL::TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
Type

count

Default

49302

SSL::TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256
Type

count

Default

49296

SSL::TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
Type

count

Default

49303

SSL::TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384
Type

count

Default

49297

SSL::TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256
Type

count

Default

52397

SSL::TLS_DHE_PSK_WITH_NULL_SHA256
Type

count

Default

180

SSL::TLS_DHE_PSK_WITH_NULL_SHA384
Type

count

Default

181

SSL::TLS_DHE_PSK_WITH_RC4_128_SHA
Type

count

Default

142

SSL::TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
Type

count

Default

20

SSL::TLS_DHE_RSA_WITH_3DES_EDE_CBC_RMD
Type

count

Default

119

SSL::TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Type

count

Default

22

SSL::TLS_DHE_RSA_WITH_AES_128_CBC_RMD
Type

count

Default

120

SSL::TLS_DHE_RSA_WITH_AES_128_CBC_SHA
Type

count

Default

51

SSL::TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Type

count

Default

103

SSL::TLS_DHE_RSA_WITH_AES_128_CCM
Type

count

Default

49310

SSL::TLS_DHE_RSA_WITH_AES_128_CCM_8
Type

count

Default

49314

SSL::TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
Type

count

Default

158

SSL::TLS_DHE_RSA_WITH_AES_256_CBC_RMD
Type

count

Default

121

SSL::TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Type

count

Default

57

SSL::TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Type

count

Default

107

SSL::TLS_DHE_RSA_WITH_AES_256_CCM
Type

count

Default

49311

SSL::TLS_DHE_RSA_WITH_AES_256_CCM_8
Type

count

Default

49315

SSL::TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Type

count

Default

159

SSL::TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256
Type

count

Default

49220

SSL::TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256
Type

count

Default

49234

SSL::TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384
Type

count

Default

49221

SSL::TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384
Type

count

Default

49235

SSL::TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
Type

count

Default

69

SSL::TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
Type

count

Default

190

SSL::TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
Type

count

Default

49276

SSL::TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
Type

count

Default

136

SSL::TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
Type

count

Default

196

SSL::TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
Type

count

Default

49277

SSL::TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
Type

count

Default

52394

SSL::TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD
Type

count

Default

52245

SSL::TLS_DHE_RSA_WITH_DES_CBC_SHA
Type

count

Default

21

SSL::TLS_DHE_RSA_WITH_SEED_CBC_SHA
Type

count

Default

154

SSL::TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA
Type

count

Default

25

SSL::TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5
Type

count

Default

23

SSL::TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA
Type

count

Default

27

SSL::TLS_DH_ANON_WITH_AES_128_CBC_SHA
Type

count

Default

52

SSL::TLS_DH_ANON_WITH_AES_128_CBC_SHA256
Type

count

Default

108

SSL::TLS_DH_ANON_WITH_AES_128_GCM_SHA256
Type

count

Default

166

SSL::TLS_DH_ANON_WITH_AES_256_CBC_SHA
Type

count

Default

58

SSL::TLS_DH_ANON_WITH_AES_256_CBC_SHA256
Type

count

Default

109

SSL::TLS_DH_ANON_WITH_AES_256_GCM_SHA384
Type

count

Default

167

SSL::TLS_DH_ANON_WITH_ARIA_128_CBC_SHA256
Type

count

Default

49222

SSL::TLS_DH_ANON_WITH_ARIA_128_GCM_SHA256
Type

count

Default

49242

SSL::TLS_DH_ANON_WITH_ARIA_256_CBC_SHA384
Type

count

Default

49223

SSL::TLS_DH_ANON_WITH_ARIA_256_GCM_SHA384
Type

count

Default

49243

SSL::TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA
Type

count

Default

70

SSL::TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA256
Type

count

Default

191

SSL::TLS_DH_ANON_WITH_CAMELLIA_128_GCM_SHA256
Type

count

Default

49284

SSL::TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA
Type

count

Default

137

SSL::TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256
Type

count

Default

197

SSL::TLS_DH_ANON_WITH_CAMELLIA_256_GCM_SHA384
Type

count

Default

49285

SSL::TLS_DH_ANON_WITH_DES_CBC_SHA
Type

count

Default

26

SSL::TLS_DH_ANON_WITH_RC4_128_MD5
Type

count

Default

24

SSL::TLS_DH_ANON_WITH_SEED_CBC_SHA
Type

count

Default

155

SSL::TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA
Type

count

Default

11

SSL::TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
Type

count

Default

13

SSL::TLS_DH_DSS_WITH_AES_128_CBC_SHA
Type

count

Default

48

SSL::TLS_DH_DSS_WITH_AES_128_CBC_SHA256
Type

count

Default

62

SSL::TLS_DH_DSS_WITH_AES_128_GCM_SHA256
Type

count

Default

164

SSL::TLS_DH_DSS_WITH_AES_256_CBC_SHA
Type

count

Default

54

SSL::TLS_DH_DSS_WITH_AES_256_CBC_SHA256
Type

count

Default

104

SSL::TLS_DH_DSS_WITH_AES_256_GCM_SHA384
Type

count

Default

165

SSL::TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256
Type

count

Default

49214

SSL::TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256
Type

count

Default

49240

SSL::TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384
Type

count

Default

49215

SSL::TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384
Type

count

Default

49241

SSL::TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA
Type

count

Default

66

SSL::TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256
Type

count

Default

187

SSL::TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256
Type

count

Default

49282

SSL::TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA
Type

count

Default

133

SSL::TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256
Type

count

Default

193

SSL::TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384
Type

count

Default

49283

SSL::TLS_DH_DSS_WITH_DES_CBC_SHA
Type

count

Default

12

SSL::TLS_DH_DSS_WITH_SEED_CBC_SHA
Type

count

Default

151

SSL::TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA
Type

count

Default

14

SSL::TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
Type

count

Default

16

SSL::TLS_DH_RSA_WITH_AES_128_CBC_SHA
Type

count

Default

49

SSL::TLS_DH_RSA_WITH_AES_128_CBC_SHA256
Type

count

Default

63

SSL::TLS_DH_RSA_WITH_AES_128_GCM_SHA256
Type

count

Default

160

SSL::TLS_DH_RSA_WITH_AES_256_CBC_SHA
Type

count

Default

55

SSL::TLS_DH_RSA_WITH_AES_256_CBC_SHA256
Type

count

Default

105

SSL::TLS_DH_RSA_WITH_AES_256_GCM_SHA384
Type

count

Default

161

SSL::TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256
Type

count

Default

49216

SSL::TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256
Type

count

Default

49236

SSL::TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384
Type

count

Default

49217

SSL::TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384
Type

count

Default

49237

SSL::TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA
Type

count

Default

67

SSL::TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256
Type

count

Default

188

SSL::TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256
Type

count

Default

49278

SSL::TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA
Type

count

Default

134

SSL::TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256
Type

count

Default

194

SSL::TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384
Type

count

Default

49279

SSL::TLS_DH_RSA_WITH_DES_CBC_SHA
Type

count

Default

15

SSL::TLS_DH_RSA_WITH_SEED_CBC_SHA
Type

count

Default

152

SSL::TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Type

count

Default

49160

SSL::TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
Type

count

Default

49161

SSL::TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Type

count

Default

49187

SSL::TLS_ECDHE_ECDSA_WITH_AES_128_CCM
Type

count

Default

49324

SSL::TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
Type

count

Default

49326

SSL::TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Type

count

Default

49195

SSL::TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Type

count

Default

49162

SSL::TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Type

count

Default

49188

SSL::TLS_ECDHE_ECDSA_WITH_AES_256_CCM
Type

count

Default

49325

SSL::TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8
Type

count

Default

49327

SSL::TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Type

count

Default

49196

SSL::TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256
Type

count

Default

49224

SSL::TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256
Type

count

Default

49244

SSL::TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384
Type

count

Default

49225

SSL::TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384
Type

count

Default

49245

SSL::TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
Type

count

Default

49266

SSL::TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
Type

count

Default

49286

SSL::TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
Type

count

Default

49267

SSL::TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
Type

count

Default

49287

SSL::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
Type

count

Default

52393

SSL::TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD
Type

count

Default

52244

SSL::TLS_ECDHE_ECDSA_WITH_NULL_SHA
Type

count

Default

49158

SSL::TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
Type

count

Default

49159

SSL::TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
Type

count

Default

49204

SSL::TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA
Type

count

Default

49205

SSL::TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
Type

count

Default

49207

SSL::TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256
Type

count

Default

53251

SSL::TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256
Type

count

Default

53252

SSL::TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256
Type

count

Default

53249

SSL::TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA
Type

count

Default

49206

SSL::TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384
Type

count

Default

49208

SSL::TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384
Type

count

Default

53250

SSL::TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256
Type

count

Default

49264

SSL::TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384
Type

count

Default

49265

SSL::TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
Type

count

Default

49306

SSL::TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
Type

count

Default

49307

SSL::TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256
Type

count

Default

52396

SSL::TLS_ECDHE_PSK_WITH_NULL_SHA
Type

count

Default

49209

SSL::TLS_ECDHE_PSK_WITH_NULL_SHA256
Type

count

Default

49210

SSL::TLS_ECDHE_PSK_WITH_NULL_SHA384
Type

count

Default

49211

SSL::TLS_ECDHE_PSK_WITH_RC4_128_SHA
Type

count

Default

49203

SSL::TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Type

count

Default

49170

SSL::TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Type

count

Default

49171

SSL::TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Type

count

Default

49191

SSL::TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Type

count

Default

49199

SSL::TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Type

count

Default

49172

SSL::TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Type

count

Default

49192

SSL::TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Type

count

Default

49200

SSL::TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256
Type

count

Default

49228

SSL::TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256
Type

count

Default

49248

SSL::TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384
Type

count

Default

49229

SSL::TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384
Type

count

Default

49249

SSL::TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
Type

count

Default

49270

SSL::TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
Type

count

Default

49290

SSL::TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
Type

count

Default

49271

SSL::TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
Type

count

Default

49291

SSL::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
Type

count

Default

52392

SSL::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD
Type

count

Default

52243

SSL::TLS_ECDHE_RSA_WITH_NULL_SHA
Type

count

Default

49168

SSL::TLS_ECDHE_RSA_WITH_RC4_128_SHA
Type

count

Default

49169

SSL::TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA
Type

count

Default

49175

SSL::TLS_ECDH_ANON_WITH_AES_128_CBC_SHA
Type

count

Default

49176

SSL::TLS_ECDH_ANON_WITH_AES_256_CBC_SHA
Type

count

Default

49177

SSL::TLS_ECDH_ANON_WITH_NULL_SHA
Type

count

Default

49173

SSL::TLS_ECDH_ANON_WITH_RC4_128_SHA
Type

count

Default

49174

SSL::TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Type

count

Default

49155

SSL::TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
Type

count

Default

49156

SSL::TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Type

count

Default

49189

SSL::TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
Type

count

Default

49197

SSL::TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Type

count

Default

49157

SSL::TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Type

count

Default

49190

SSL::TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
Type

count

Default

49198

SSL::TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256
Type

count

Default

49226

SSL::TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256
Type

count

Default

49246

SSL::TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384
Type

count

Default

49227

SSL::TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384
Type

count

Default

49247

SSL::TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
Type

count

Default

49268

SSL::TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
Type

count

Default

49288

SSL::TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
Type

count

Default

49269

SSL::TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
Type

count

Default

49289

SSL::TLS_ECDH_ECDSA_WITH_NULL_SHA
Type

count

Default

49153

SSL::TLS_ECDH_ECDSA_WITH_RC4_128_SHA
Type

count

Default

49154

SSL::TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Type

count

Default

49165

SSL::TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
Type

count

Default

49166

SSL::TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Type

count

Default

49193

SSL::TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
Type

count

Default

49201

SSL::TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Type

count

Default

49167

SSL::TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Type

count

Default

49194

SSL::TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
Type

count

Default

49202

SSL::TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256
Type

count

Default

49230

SSL::TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256
Type

count

Default

49250

SSL::TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384
Type

count

Default

49231

SSL::TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384
Type

count

Default

49251

SSL::TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256
Type

count

Default

49272

SSL::TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
Type

count

Default

49292

SSL::TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384
Type

count

Default

49273

SSL::TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
Type

count

Default

49293

SSL::TLS_ECDH_RSA_WITH_NULL_SHA
Type

count

Default

49163

SSL::TLS_ECDH_RSA_WITH_RC4_128_SHA
Type

count

Default

49164

SSL::TLS_EMPTY_RENEGOTIATION_INFO_SCSV
Type

count

Default

255

SSL::TLS_FALLBACK_SCSV
Type

count

Default

22016

SSL::TLS_GOSTR341001_WITH_28147_CNT_IMIT
Type

count

Default

129

SSL::TLS_GOSTR341001_WITH_NULL_GOSTR3411
Type

count

Default

131

SSL::TLS_GOSTR341094_WITH_28147_CNT_IMIT
Type

count

Default

128

SSL::TLS_GOSTR341094_WITH_NULL_GOSTR3411
Type

count

Default

130

SSL::TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
Type

count

Default

41

SSL::TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
Type

count

Default

38

SSL::TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5
Type

count

Default

42

SSL::TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA
Type

count

Default

39

SSL::TLS_KRB5_EXPORT_WITH_RC4_40_MD5
Type

count

Default

43

SSL::TLS_KRB5_EXPORT_WITH_RC4_40_SHA
Type

count

Default

40

SSL::TLS_KRB5_WITH_3DES_EDE_CBC_MD5
Type

count

Default

35

SSL::TLS_KRB5_WITH_3DES_EDE_CBC_SHA
Type

count

Default

31

SSL::TLS_KRB5_WITH_DES_CBC_MD5
Type

count

Default

34

SSL::TLS_KRB5_WITH_DES_CBC_SHA
Type

count

Default

30

SSL::TLS_KRB5_WITH_IDEA_CBC_MD5
Type

count

Default

37

SSL::TLS_KRB5_WITH_IDEA_CBC_SHA
Type

count

Default

33

SSL::TLS_KRB5_WITH_RC4_128_MD5
Type

count

Default

36

SSL::TLS_KRB5_WITH_RC4_128_SHA
Type

count

Default

32

SSL::TLS_NULL_WITH_NULL_NULL
Type

count

Default

0

SSL::TLS_PSK_DHE_WITH_AES_128_CCM_8
Type

count

Default

49322

SSL::TLS_PSK_DHE_WITH_AES_256_CCM_8
Type

count

Default

49323

SSL::TLS_PSK_WITH_3DES_EDE_CBC_SHA
Type

count

Default

139

SSL::TLS_PSK_WITH_AES_128_CBC_SHA
Type

count

Default

140

SSL::TLS_PSK_WITH_AES_128_CBC_SHA256
Type

count

Default

174

SSL::TLS_PSK_WITH_AES_128_CCM
Type

count

Default

49316

SSL::TLS_PSK_WITH_AES_128_CCM_8
Type

count

Default

49320

SSL::TLS_PSK_WITH_AES_128_GCM_SHA256
Type

count

Default

168

SSL::TLS_PSK_WITH_AES_256_CBC_SHA
Type

count

Default

141

SSL::TLS_PSK_WITH_AES_256_CBC_SHA384
Type

count

Default

175

SSL::TLS_PSK_WITH_AES_256_CCM
Type

count

Default

49317

SSL::TLS_PSK_WITH_AES_256_CCM_8
Type

count

Default

49321

SSL::TLS_PSK_WITH_AES_256_GCM_SHA384
Type

count

Default

169

SSL::TLS_PSK_WITH_ARIA_128_CBC_SHA256
Type

count

Default

49252

SSL::TLS_PSK_WITH_ARIA_128_GCM_SHA256
Type

count

Default

49258

SSL::TLS_PSK_WITH_ARIA_256_CBC_SHA384
Type

count

Default

49253

SSL::TLS_PSK_WITH_ARIA_256_GCM_SHA384
Type

count

Default

49259

SSL::TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
Type

count

Default

49300

SSL::TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
Type

count

Default

49294

SSL::TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384
Type

count

Default

49301

SSL::TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384
Type

count

Default

49295

SSL::TLS_PSK_WITH_CHACHA20_POLY1305_SHA256
Type

count

Default

52395

SSL::TLS_PSK_WITH_NULL_SHA256
Type

count

Default

176

SSL::TLS_PSK_WITH_NULL_SHA384
Type

count

Default

177

SSL::TLS_PSK_WITH_RC4_128_SHA
Type

count

Default

138

SSL::TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
Type

count

Default

98

SSL::TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5
Type

count

Default

97

SSL::TLS_RSA_EXPORT1024_WITH_RC4_56_MD5
Type

count

Default

96

SSL::TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
Type

count

Default

100

SSL::TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
Type

count

Default

8

SSL::TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
Type

count

Default

6

SSL::TLS_RSA_EXPORT_WITH_RC4_40_MD5
Type

count

Default

3

SSL::TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
Type

count

Default

147

SSL::TLS_RSA_PSK_WITH_AES_128_CBC_SHA
Type

count

Default

148

SSL::TLS_RSA_PSK_WITH_AES_128_CBC_SHA256
Type

count

Default

182

SSL::TLS_RSA_PSK_WITH_AES_128_GCM_SHA256
Type

count

Default

172

SSL::TLS_RSA_PSK_WITH_AES_256_CBC_SHA
Type

count

Default

149

SSL::TLS_RSA_PSK_WITH_AES_256_CBC_SHA384
Type

count

Default

183

SSL::TLS_RSA_PSK_WITH_AES_256_GCM_SHA384
Type

count

Default

173

SSL::TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256
Type

count

Default

49256

SSL::TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256
Type

count

Default

49262

SSL::TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384
Type

count

Default

49257

SSL::TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384
Type

count

Default

49263

SSL::TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256
Type

count

Default

49304

SSL::TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256
Type

count

Default

49298

SSL::TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384
Type

count

Default

49305

SSL::TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384
Type

count

Default

49299

SSL::TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256
Type

count

Default

52398

SSL::TLS_RSA_PSK_WITH_NULL_SHA256
Type

count

Default

184

SSL::TLS_RSA_PSK_WITH_NULL_SHA384
Type

count

Default

185

SSL::TLS_RSA_PSK_WITH_RC4_128_SHA
Type

count

Default

146

SSL::TLS_RSA_WITH_3DES_EDE_CBC_RMD
Type

count

Default

124

SSL::TLS_RSA_WITH_3DES_EDE_CBC_SHA
Type

count

Default

10

SSL::TLS_RSA_WITH_AES_128_CBC_RMD
Type

count

Default

125

SSL::TLS_RSA_WITH_AES_128_CBC_SHA
Type

count

Default

47

SSL::TLS_RSA_WITH_AES_128_CBC_SHA256
Type

count

Default

60

SSL::TLS_RSA_WITH_AES_128_CCM
Type

count

Default

49308

SSL::TLS_RSA_WITH_AES_128_CCM_8
Type

count

Default

49312

SSL::TLS_RSA_WITH_AES_128_GCM_SHA256
Type

count

Default

156

SSL::TLS_RSA_WITH_AES_256_CBC_RMD
Type

count

Default

126

SSL::TLS_RSA_WITH_AES_256_CBC_SHA
Type

count

Default

53

SSL::TLS_RSA_WITH_AES_256_CBC_SHA256
Type

count

Default

61

SSL::TLS_RSA_WITH_AES_256_CCM
Type

count

Default

49309

SSL::TLS_RSA_WITH_AES_256_CCM_8
Type

count

Default

49313

SSL::TLS_RSA_WITH_AES_256_GCM_SHA384
Type

count

Default

157

SSL::TLS_RSA_WITH_ARIA_128_CBC_SHA256
Type

count

Default

49212

SSL::TLS_RSA_WITH_ARIA_128_GCM_SHA256
Type

count

Default

49232

SSL::TLS_RSA_WITH_ARIA_256_CBC_SHA384
Type

count

Default

49213

SSL::TLS_RSA_WITH_ARIA_256_GCM_SHA384
Type

count

Default

49233

SSL::TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
Type

count

Default

65

SSL::TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
Type

count

Default

186

SSL::TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
Type

count

Default

49274

SSL::TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
Type

count

Default

132

SSL::TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
Type

count

Default

192

SSL::TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384
Type

count

Default

49275

SSL::TLS_RSA_WITH_DES_CBC_SHA
Type

count

Default

9

SSL::TLS_RSA_WITH_IDEA_CBC_SHA
Type

count

Default

7

SSL::TLS_RSA_WITH_NULL_MD5
Type

count

Default

1

SSL::TLS_RSA_WITH_NULL_SHA
Type

count

Default

2

SSL::TLS_RSA_WITH_NULL_SHA256
Type

count

Default

59

SSL::TLS_RSA_WITH_RC4_128_MD5
Type

count

Default

4

SSL::TLS_RSA_WITH_RC4_128_SHA
Type

count

Default

5

SSL::TLS_RSA_WITH_SEED_CBC_SHA
Type

count

Default

150

SSL::TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA
Type

count

Default

49180

SSL::TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA
Type

count

Default

49183

SSL::TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA
Type

count

Default

49186

SSL::TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA
Type

count

Default

49179

SSL::TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA
Type

count

Default

49182

SSL::TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA
Type

count

Default

49185

SSL::TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA
Type

count

Default

49178

SSL::TLS_SRP_SHA_WITH_AES_128_CBC_SHA
Type

count

Default

49181

SSL::TLS_SRP_SHA_WITH_AES_256_CBC_SHA
Type

count

Default

49184

SSL::TLSv10
Type

count

Default

769

SSL::TLSv11
Type

count

Default

770

SSL::TLSv12
Type

count

Default

771

SSL::TLSv13
Type

count

Default

772

SSL::V2_CLIENT_HELLO
Type

count

Default

301

SSL::V2_CLIENT_MASTER_KEY
Type

count

Default

302

SSL::V2_ERROR
Type

count

Default

300

SSL::V2_SERVER_HELLO
Type

count

Default

304

SSL::alert_descriptions
Type

table [count] of string

Attributes

&default = function

Default
{
   [40] = "handshake_failure",
   [45] = "certificate_expired",
   [20] = "bad_record_mac",
   [46] = "certificate_unknown",
   [30] = "decompression_failure",
   [71] = "insufficient_security",
   [10] = "unexpected_message",
   [21] = "decryption_failed",
   [41] = "no_certificate",
   [47] = "illegal_parameter",
   [70] = "protocol_version",
   [80] = "internal_error",
   [50] = "decode_error",
   [120] = "no_application_protocol",
   [111] = "certificate_unobtainable",
   [115] = "unknown_psk_identity",
   [48] = "unknown_ca",
   [90] = "user_canceled",
   [42] = "bad_certificate",
   [49] = "access_denied",
   [86] = "inappropriate_fallback",
   [113] = "bad_certificate_status_response",
   [112] = "unrecognized_name",
   [60] = "export_restriction",
   [22] = "record_overflow",
   [100] = "no_renegotiation",
   [51] = "decrypt_error",
   [43] = "unsupported_certificate",
   [114] = "bad_certificate_hash_value",
   [0] = "close_notify",
   [110] = "unsupported_extension",
   [44] = "certificate_revoked"
}

Mapping between numeric codes and human-readable strings for alert descriptions.

SSL::alert_levels
Type

table [count] of string

Attributes

&default = function

Default
{
   [2] = "fatal",
   [1] = "warning"
}

Mapping between numeric codes and human-readable strings for alert levels.

SSL::cipher_desc
Type

table [count] of string

Attributes

&default = function

Default
{
   [49279] = "TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384",
   [49235] = "TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384",
   [28] = "SSL_FORTEZZA_KEA_WITH_NULL_SHA",
   [107] = "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
   [49229] = "TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384",
   [53] = "TLS_RSA_WITH_AES_256_CBC_SHA",
   [49161] = "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
   [52] = "TLS_DH_ANON_WITH_AES_128_CBC_SHA",
   [49266] = "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256",
   [49284] = "TLS_DH_ANON_WITH_CAMELLIA_128_GCM_SHA256",
   [105] = "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
   [49278] = "TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256",
   [52394] = "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
   [49231] = "TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384",
   [49306] = "TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256",
   [49178] = "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
   [188] = "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
   [29] = "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA",
   [196] = "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
   [5815] = "TLS_CECPQ1_RSA_WITH_CHACHA20_POLY1305_SHA256",
   [115] = "TLS_DHE_DSS_WITH_AES_128_CBC_RMD",
   [176] = "TLS_PSK_WITH_NULL_SHA256",
   [133] = "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
   [49251] = "TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384",
   [49214] = "TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256",
   [146] = "TLS_RSA_PSK_WITH_RC4_128_SHA",
   [49182] = "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
   [1] = "TLS_RSA_WITH_NULL_MD5",
   [49226] = "TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256",
   [116] = "TLS_DHE_DSS_WITH_AES_256_CBC_RMD",
   [158] = "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
   [35] = "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
   [49217] = "TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384",
   [102] = "TLS_DHE_DSS_WITH_RC4_128_SHA",
   [52393] = "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
   [3] = "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
   [183] = "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
   [49204] = "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
   [14] = "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
   [49198] = "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
   [49239] = "TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384",
   [31] = "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
   [192] = "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
   [49283] = "TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384",
   [49291] = "TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384",
   [49312] = "TLS_RSA_WITH_AES_128_CCM_8",
   [4867] = "TLS_CHACHA20_POLY1305_SHA256",
   [49157] = "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
   [49295] = "TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384",
   [56] = "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
   [49262] = "TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256",
   [66] = "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
   [49213] = "TLS_RSA_WITH_ARIA_256_CBC_SHA384",
   [49268] = "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256",
   [174] = "TLS_PSK_WITH_AES_128_CBC_SHA256",
   [49200] = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
   [49281] = "TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384",
   [49275] = "TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384",
   [49164] = "TLS_ECDH_RSA_WITH_RC4_128_SHA",
   [22016] = "TLS_FALLBACK_SCSV",
   [70] = "TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA",
   [49218] = "TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256",
   [2] = "TLS_RSA_WITH_NULL_SHA",
   [132] = "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
   [49153] = "TLS_ECDH_ECDSA_WITH_NULL_SHA",
   [4865] = "TLS_AES_128_GCM_SHA256",
   [49290] = "TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256",
   [49318] = "TLS_DHE_PSK_WITH_AES_128_CCM",
   [49166] = "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
   [49252] = "TLS_PSK_WITH_ARIA_128_CBC_SHA256",
   [163] = "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
   [49245] = "TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384",
   [49205] = "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
   [49181] = "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
   [182] = "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
   [109] = "TLS_DH_ANON_WITH_AES_256_CBC_SHA256",
   [49307] = "TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384",
   [161] = "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
   [196736] = "SSLv20_CK_RC2_128_CBC_WITH_MD5",
   [60] = "TLS_RSA_WITH_AES_128_CBC_SHA256",
   [49276] = "TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256",
   [37] = "TLS_KRB5_WITH_IDEA_CBC_MD5",
   [18] = "TLS_DHE_DSS_WITH_DES_CBC_SHA",
   [185] = "TLS_RSA_PSK_WITH_NULL_SHA384",
   [157] = "TLS_RSA_WITH_AES_256_GCM_SHA384",
   [0] = "TLS_NULL_WITH_NULL_NULL",
   [137] = "TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA",
   [65279] = "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA",
   [19] = "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
   [49236] = "TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256",
   [20] = "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
   [49187] = "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
   [49195] = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
   [52395] = "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256",
   [164] = "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
   [187] = "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
   [49299] = "TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384",
   [156] = "TLS_RSA_WITH_AES_128_GCM_SHA256",
   [97] = "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5",
   [49171] = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
   [52392] = "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
   [49234] = "TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256",
   [65664] = "SSLv20_CK_RC4_128_WITH_MD5",
   [21] = "TLS_DHE_RSA_WITH_DES_CBC_SHA",
   [49196] = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
   [12] = "TLS_DH_DSS_WITH_DES_CBC_SHA",
   [49175] = "TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA",
   [169] = "TLS_PSK_WITH_AES_256_GCM_SHA384",
   [155] = "TLS_DH_ANON_WITH_SEED_CBC_SHA",
   [184] = "TLS_RSA_PSK_WITH_NULL_SHA256",
   [49159] = "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
   [5817] = "TLS_CECPQ1_RSA_WITH_AES_256_GCM_SHA384",
   [150] = "TLS_RSA_WITH_SEED_CBC_SHA",
   [131200] = "SSLv20_CK_RC4_128_EXPORT40_WITH_MD5",
   [25] = "TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA",
   [49256] = "TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256",
   [49324] = "TLS_ECDHE_ECDSA_WITH_AES_128_CCM",
   [49321] = "TLS_PSK_WITH_AES_256_CCM_8",
   [49322] = "TLS_PSK_DHE_WITH_AES_128_CCM_8",
   [49311] = "TLS_DHE_RSA_WITH_AES_256_CCM",
   [255] = "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
   [59] = "TLS_RSA_WITH_NULL_SHA256",
   [38] = "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
   [154] = "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
   [57] = "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
   [42] = "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
   [49286] = "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256",
   [49193] = "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
   [49265] = "TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384",
   [49207] = "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
   [65278] = "SSL_RSA_FIPS_WITH_DES_CBC_SHA",
   [49261] = "TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384",
   [98] = "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
   [4868] = "TLS_AES_128_CCM_SHA256",
   [108] = "TLS_DH_ANON_WITH_AES_128_CBC_SHA256",
   [43] = "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
   [49303] = "TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384",
   [49309] = "TLS_RSA_WITH_AES_256_CCM",
   [49317] = "TLS_PSK_WITH_AES_256_CCM",
   [49197] = "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
   [40] = "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
   [194] = "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
   [151] = "TLS_DH_DSS_WITH_SEED_CBC_SHA",
   [6] = "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
   [141] = "TLS_PSK_WITH_AES_256_CBC_SHA",
   [49285] = "TLS_DH_ANON_WITH_CAMELLIA_256_GCM_SHA384",
   [49244] = "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256",
   [23] = "TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5",
   [145] = "TLS_DHE_PSK_WITH_AES_256_CBC_SHA",
   [49210] = "TLS_ECDHE_PSK_WITH_NULL_SHA256",
   [10] = "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
   [49246] = "TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256",
   [53250] = "TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384",
   [13] = "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
   [65] = "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
   [148] = "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
   [49206] = "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
   [101] = "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA",
   [49185] = "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
   [49233] = "TLS_RSA_WITH_ARIA_256_GCM_SHA384",
   [50] = "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
   [120] = "TLS_DHE_RSA_WITH_AES_128_CBC_RMD",
   [152] = "TLS_DH_RSA_WITH_SEED_CBC_SHA",
   [49172] = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
   [49170] = "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
   [49202] = "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
   [49316] = "TLS_PSK_WITH_AES_128_CCM",
   [49260] = "TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256",
   [48] = "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
   [52398] = "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256",
   [49250] = "TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256",
   [49323] = "TLS_PSK_DHE_WITH_AES_256_CCM_8",
   [5] = "TLS_RSA_WITH_RC4_128_SHA",
   [100] = "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
   [166] = "TLS_DH_ANON_WITH_AES_128_GCM_SHA256",
   [49168] = "TLS_ECDHE_RSA_WITH_NULL_SHA",
   [65411] = "SSL_RSA_WITH_3DES_EDE_CBC_MD5",
   [131] = "TLS_GOSTR341001_WITH_NULL_GOSTR3411",
   [49305] = "TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384",
   [53249] = "TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256",
   [149] = "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
   [96] = "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5",
   [49242] = "TLS_DH_ANON_WITH_ARIA_128_GCM_SHA256",
   [39] = "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
   [49156] = "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
   [49319] = "TLS_DHE_PSK_WITH_AES_256_CCM",
   [68] = "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
   [9] = "TLS_RSA_WITH_DES_CBC_SHA",
   [49243] = "TLS_DH_ANON_WITH_ARIA_256_GCM_SHA384",
   [262272] = "SSLv20_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
   [53251] = "TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256",
   [49228] = "TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256",
   [180] = "TLS_DHE_PSK_WITH_NULL_SHA256",
   [41] = "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
   [17] = "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
   [119] = "TLS_DHE_RSA_WITH_3DES_EDE_CBC_RMD",
   [65505] = "SSL_RSA_FIPS_WITH_DES_CBC_SHA_2",
   [52243] = "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD",
   [52244] = "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD",
   [49223] = "TLS_DH_ANON_WITH_ARIA_256_CBC_SHA384",
   [186] = "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
   [49192] = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
   [54] = "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
   [49264] = "TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256",
   [193] = "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
   [49249] = "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384",
   [49315] = "TLS_DHE_RSA_WITH_AES_256_CCM_8",
   [189] = "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
   [172] = "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
   [49222] = "TLS_DH_ANON_WITH_ARIA_128_CBC_SHA256",
   [49225] = "TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384",
   [49267] = "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384",
   [135] = "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
   [49327] = "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8",
   [114] = "TLS_DHE_DSS_WITH_3DES_EDE_CBC_RMD",
   [140] = "TLS_PSK_WITH_AES_128_CBC_SHA",
   [129] = "TLS_GOSTR341001_WITH_28147_CNT_IMIT",
   [49230] = "TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256",
   [49221] = "TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384",
   [34] = "TLS_KRB5_WITH_DES_CBC_MD5",
   [49191] = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
   [49273] = "TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384",
   [49288] = "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256",
   [49292] = "TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256",
   [49302] = "TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256",
   [49271] = "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384",
   [178] = "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
   [49325] = "TLS_ECDHE_ECDSA_WITH_AES_256_CCM",
   [49216] = "TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256",
   [7] = "TLS_RSA_WITH_IDEA_CBC_SHA",
   [49194] = "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
   [49201] = "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
   [26] = "TLS_DH_ANON_WITH_DES_CBC_SHA",
   [128] = "TLS_GOSTR341094_WITH_28147_CNT_IMIT",
   [175] = "TLS_PSK_WITH_AES_256_CBC_SHA384",
   [49269] = "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384",
   [181] = "TLS_DHE_PSK_WITH_NULL_SHA384",
   [47] = "TLS_RSA_WITH_AES_128_CBC_SHA",
   [49280] = "TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256",
   [49300] = "TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256",
   [393280] = "SSLv20_CK_DES_64_CBC_WITH_MD5",
   [147] = "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
   [49254] = "TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256",
   [49190] = "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
   [49179] = "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
   [49173] = "TLS_ECDH_ANON_WITH_NULL_SHA",
   [24] = "TLS_DH_ANON_WITH_RC4_128_MD5",
   [49301] = "TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384",
   [69] = "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
   [190] = "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
   [99] = "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA",
   [5818] = "TLS_CECPQ1_ECDSA_WITH_AES_256_GCM_SHA384",
   [162] = "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
   [103] = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
   [126] = "TLS_RSA_WITH_AES_256_CBC_RMD",
   [104] = "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
   [61] = "TLS_RSA_WITH_AES_256_CBC_SHA256",
   [51] = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
   [49258] = "TLS_PSK_WITH_ARIA_128_GCM_SHA256",
   [49188] = "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
   [167] = "TLS_DH_ANON_WITH_AES_256_GCM_SHA384",
   [49199] = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
   [49240] = "TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256",
   [33] = "TLS_KRB5_WITH_IDEA_CBC_SHA",
   [67] = "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
   [171] = "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
   [49282] = "TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256",
   [30] = "TLS_KRB5_WITH_DES_CBC_SHA",
   [15] = "TLS_DH_RSA_WITH_DES_CBC_SHA",
   [49241] = "TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384",
   [327808] = "SSLv20_CK_IDEA_128_CBC_WITH_MD5",
   [64] = "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
   [106] = "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
   [52397] = "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256",
   [177] = "TLS_PSK_WITH_NULL_SHA384",
   [52245] = "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD",
   [55] = "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
   [458944] = "SSLv20_CK_DES_192_EDE3_CBC_WITH_MD5",
   [49289] = "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384",
   [49183] = "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
   [49255] = "TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384",
   [49272] = "TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
   [168] = "TLS_PSK_WITH_AES_128_GCM_SHA256",
   [179] = "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
   [4] = "TLS_RSA_WITH_RC4_128_MD5",
   [49163] = "TLS_ECDH_RSA_WITH_NULL_SHA",
   [124] = "TLS_RSA_WITH_3DES_EDE_CBC_RMD",
   [130] = "TLS_GOSTR341094_WITH_NULL_GOSTR3411",
   [49158] = "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
   [5816] = "TLS_CECPQ1_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
   [58] = "TLS_DH_ANON_WITH_AES_256_CBC_SHA",
   [49308] = "TLS_RSA_WITH_AES_128_CCM",
   [191] = "TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA256",
   [134] = "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
   [4866] = "TLS_AES_256_GCM_SHA384",
   [49224] = "TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256",
   [49211] = "TLS_ECDHE_PSK_WITH_NULL_SHA384",
   [49215] = "TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384",
   [49174] = "TLS_ECDH_ANON_WITH_RC4_128_SHA",
   [142] = "TLS_DHE_PSK_WITH_RC4_128_SHA",
   [49209] = "TLS_ECDHE_PSK_WITH_NULL_SHA",
   [49227] = "TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384",
   [16] = "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
   [49203] = "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
   [49169] = "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
   [65408] = "SSL_RSA_WITH_RC2_CBC_MD5",
   [49212] = "TLS_RSA_WITH_ARIA_128_CBC_SHA256",
   [165] = "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
   [49186] = "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
   [49162] = "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
   [63] = "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
   [173] = "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
   [49237] = "TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384",
   [52396] = "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256",
   [11] = "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
   [49176] = "TLS_ECDH_ANON_WITH_AES_128_CBC_SHA",
   [22] = "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
   [49298] = "TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256",
   [143] = "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
   [49270] = "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
   [136] = "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
   [144] = "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
   [49294] = "TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256",
   [65409] = "SSL_RSA_WITH_IDEA_CBC_MD5",
   [65504] = "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA_2",
   [36] = "TLS_KRB5_WITH_RC4_128_MD5",
   [49180] = "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
   [125] = "TLS_RSA_WITH_AES_128_CBC_RMD",
   [49326] = "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8",
   [8] = "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
   [27] = "TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA",
   [49287] = "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384",
   [195] = "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
   [4869] = "TLS_AES_128_CCM_8_SHA256",
   [159] = "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
   [53252] = "TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256",
   [49296] = "TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256",
   [49248] = "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256",
   [32] = "TLS_KRB5_WITH_RC4_128_SHA",
   [62] = "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
   [160] = "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
   [138] = "TLS_PSK_WITH_RC4_128_SHA",
   [139] = "TLS_PSK_WITH_3DES_EDE_CBC_SHA",
   [170] = "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
   [49160] = "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
   [49259] = "TLS_PSK_WITH_ARIA_256_GCM_SHA384",
   [49219] = "TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384",
   [49247] = "TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384",
   [121] = "TLS_DHE_RSA_WITH_AES_256_CBC_RMD",
   [49297] = "TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384",
   [49253] = "TLS_PSK_WITH_ARIA_256_CBC_SHA384",
   [49155] = "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
   [49310] = "TLS_DHE_RSA_WITH_AES_128_CCM",
   [49320] = "TLS_PSK_WITH_AES_128_CCM_8",
   [49] = "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
   [49238] = "TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256",
   [49313] = "TLS_RSA_WITH_AES_256_CCM_8",
   [197] = "TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256",
   [49165] = "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
   [49277] = "TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384",
   [49189] = "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
   [49220] = "TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256",
   [49293] = "TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384",
   [49314] = "TLS_DHE_RSA_WITH_AES_128_CCM_8",
   [49154] = "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
   [49167] = "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
   [49263] = "TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384",
   [49274] = "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256",
   [49177] = "TLS_ECDH_ANON_WITH_AES_256_CBC_SHA",
   [49208] = "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
   [49257] = "TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384",
   [49304] = "TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256",
   [49232] = "TLS_RSA_WITH_ARIA_128_GCM_SHA256",
   [49184] = "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
   [65410] = "SSL_RSA_WITH_DES_CBC_MD5",
   [153] = "TLS_DHE_DSS_WITH_SEED_CBC_SHA"
}

This is a table of all known cipher specs. It can be used for detecting unknown ciphers and for converting the cipher spec constants into a human readable format.
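As an added example (not code from the Zeek project), the following script uses SSL::cipher_desc in both ways described above: membership in the table separates unknown cipher codes from known ones, and the table's string value is what gets inspected and logged. The module name WeakCipher, the two notice types, and the weak_markers set are constructed for this example; the ssl_server_hello signature assumed is the one carrying record_version.

```zeek
# Added example: raise a Notice when a server selects a cipher suite that
# Zeek's SSL::cipher_desc does not know, or whose name marks it as weak.
@load base/frameworks/notice
@load base/protocols/ssl

module WeakCipher;

export {
    redef enum Notice::Type += {
        ## Server selected a cipher suite Zeek has no name for.
        Unknown_Cipher,
        ## Server selected a cipher suite whose name marks it as weak.
        Weak_Cipher
    };

    ## Substrings that mark a cipher-suite name as weak. This list is
    ## constructed for the example; tune it to local policy.
    const weak_markers: set[string] = {
        "_NULL_", "_EXPORT", "_RC4_", "_DES_", "_3DES_", "_ANON_", "_MD5"
    } &redef;
}

# Return the first weak marker found in a cipher name, or "" if none.
function weak_reason(name: string): string
{
    for ( m in weak_markers )
        if ( m in name )   # string-in-string is a substring test in Zeek
            return m;
    return "";
}

event ssl_server_hello(c: connection, version: count, record_version: count,
                       possible_ts: time, server_random: string,
                       session_id: string, cipher: count, comp_method: count)
{
    # version_strings also carries &default, so this never fails.
    local ver = SSL::version_strings[version];

    # cipher_desc has &default, so indexing an unknown code yields a
    # placeholder rather than an error; test membership first to tell
    # "unknown" apart from "known but weak".
    if ( cipher !in SSL::cipher_desc )
    {
        NOTICE([$note=Unknown_Cipher, $conn=c,
                $msg=fmt("%s server chose unknown cipher 0x%04x", ver, cipher),
                $identifier=cat(c$id$resp_h, c$id$resp_p, cipher)]);
        return;
    }

    local name = SSL::cipher_desc[cipher];
    local why = weak_reason(name);
    if ( why != "" )
        NOTICE([$note=Weak_Cipher, $conn=c,
                $msg=fmt("%s server chose %s (weak marker %s)", ver, name, why),
                $identifier=cat(c$id$resp_h, c$id$resp_p, name)]);
}
```

The $identifier field lets the notice framework suppress repeats for the same server, port and cipher, so a busy server negotiating the same weak suite produces one notice rather than one per connection.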

SSL::ec_curves
Type

table [count] of string

Attributes

&default = function

Default
{
   [19] = "secp192r1",
   [20] = "secp224k1",
   [259] = "ffdhe6144",
   [14] = "sect571r1",
   [6] = "sect233k1",
   [15] = "secp160k1",
   [30] = "x448",
   [28] = "brainpoolP512r1",
   [8] = "sect239k1",
   [23] = "secp256r1",
   [9] = "sect283k1",
   [27] = "brainpoolP384r1",
   [260] = "ffdhe8192",
   [7] = "sect233r1",
   [10] = "sect283r1",
   [21] = "secp224r1",
   [4] = "sect193r1",
   [26] = "brainpoolP256r1",
   [12] = "sect409r1",
   [13] = "sect571k1",
   [17] = "secp160r2",
   [25] = "secp521r1",
   [2] = "sect163r1",
   [65281] = "arbitrary_explicit_prime_curves",
   [65282] = "arbitrary_explicit_char2_curves",
   [29] = "x25519",
   [16] = "secp160r1",
   [24] = "secp384r1",
   [1] = "sect163k1",
   [258] = "ffdhe4096",
   [11] = "sect409k1",
   [5] = "sect193r2",
   [22] = "secp256k1",
   [256] = "ffdhe2048",
   [257] = "ffdhe3072",
   [18] = "secp192k1",
   [3] = "sect163r2"
}

Mapping between numeric codes and human readable strings for SSL/TLS elliptic curves.

SSL::ec_point_formats
Type

table [count] of string

Attributes

&default = function

Default
{
   [0] = "uncompressed",
   [2] = "ansiX962_compressed_char2",
   [1] = "ansiX962_compressed_prime"
}

Mapping between numeric codes and human readable strings for SSL/TLS EC point formats.

SSL::extensions
Type

table [count] of string

Attributes

&default = function

Default
{
   [40] = "key_share_old",
   [45] = "psk_key_exchange_modes",
   [19] = "client_certificate_type",
   [20] = "server_certificate_type",
   [14] = "use_srtp",
   [15] = "heartbeat",
   [6] = "user_mapping",
   [46] = "TicketEarlyDataInfo",
   [8] = "server_authz",
   [23] = "extended_master_secret",
   [35655] = "padding",
   [9] = "cert_type",
   [53] = "connection_id",
   [55] = "external_id_hash",
   [56] = "external_session_id",
   [13172] = "next_protocol_negotiation",
   [7] = "client_authz",
   [52] = "transparency_info",
   [21] = "padding",
   [10] = "supported_groups",
   [4] = "truncated_hmac",
   [13] = "signature_algorithms",
   [12] = "srp",
   [30031] = "channel_id",
   [41] = "pre_shared_key",
   [13180] = "encrypted_client_certificates",
   [17] = "status_request_v2",
   [47] = "certificate_authorities",
   [13175] = "origin_bound_certificates",
   [50] = "signature_algorithms_cert",
   [30032] = "channel_id_new",
   [2] = "client_certificate_url",
   [25] = "cached_info",
   [65281] = "renegotiation_info",
   [16] = "application_layer_protocol_negotiation",
   [24] = "token_binding",
   [48] = "oid_filters",
   [42] = "early_data",
   [49] = "post_handshake_auth",
   [57] = "quic_transport_parameters",
   [1] = "max_fragment_length",
   [11] = "ec_point_formats",
   [35] = "SessionTicket TLS",
   [5] = "status_request",
   [22] = "encrypt_then_mac",
   [43] = "supported_versions",
   [51] = "key_share",
   [18] = "signed_certificate_timestamp",
   [3] = "trusted_ca_keys",
   [0] = "server_name",
   [44] = "cookie"
}

Mapping between numeric codes and human readable strings for SSL/TLS extensions.

SSL::hash_algorithms
Type

table [count] of string

Attributes

&default = function

Default
{
   [2] = "sha1",
   [8] = "Intrinsic",
   [5] = "sha384",
   [3] = "sha224",
   [0] = "none",
   [6] = "sha512",
   [4] = "sha256",
   [1] = "md5"
}

Mapping between numeric codes and human readable strings for hash algorithms.

SSL::signature_algorithms
Type

table [count] of string

Attributes

&default = function

Default
{
   [2] = "dsa",
   [11] = "rsa_pss_sha512",
   [5] = "rsa_pss_sha384",
   [7] = "ed25519",
   [10] = "rsa_pss_sha384",
   [6] = "rsa_pss_sha512",
   [4] = "rsa_pss_sha256",
   [65] = "gostr34102012_256",
   [64] = "gostr34102012_256",
   [8] = "ed448",
   [3] = "ecdsa",
   [0] = "anonymous",
   [9] = "rsa_pss_sha256",
   [1] = "rsa"
}

Mapping between numeric codes and human readable strings for signature algorithms.

SSL::version_strings
Type

table [count] of string

Attributes

&default = function

Default
{
   [769] = "TLSv10",
   [65279] = "DTLSv10",
   [768] = "SSLv3",
   [770] = "TLSv11",
   [772] = "TLSv13",
   [2] = "SSLv2",
   [771] = "TLSv12",
   [65277] = "DTLSv12"
}

Mapping between the constants and string values for SSL/TLS versions.

base/protocols/ssl/main.zeek

SSL

Base SSL analysis script. This script logs information about the SSL/TLS handshaking and encryption establishment process.

Namespace

SSL

Imports

base/frameworks/notice/weird.zeek, base/protocols/conn/removal-hooks.zeek, base/protocols/ssl/consts.zeek

Summary
Runtime Options

SSL::ct_logs: table &redef

The Certificate Transparency log bundle.

SSL::disable_analyzer_after_detection: bool &redef

If true, detach the SSL analyzer from the connection to prevent continuing to process encrypted traffic.

Redefinable Options

SSL::root_certs: table &redef

The default root CA bundle.

Types

SSL::CTInfo: record

The record type which contains the field for the Certificate Transparency log bundle.

SSL::Info: record

The record type which contains the fields of the SSL log.

Redefinitions

Log::ID: enum

SSL::Info: record

New Fields

SSL::Info

delay_tokens: set [string] &optional

connection: record

New Fields

connection

ssl: SSL::Info &optional

likely_server_ports: set &redef

Events

SSL::log_ssl: event

Event that can be handled to access the SSL record as it is sent on to the logging framework.

Hooks

SSL::finalize_ssl: Conn::RemovalHook

SSL finalization hook.

SSL::log_policy: Log::PolicyHook

SSL::ssl_finishing: hook

Hook that can be used to perform actions right before the log record is written.

Functions

SSL::delay_log: function

Delays an SSL record for a specific token: the record will not be logged as long as the token exists or until 15 seconds elapses.

SSL::undelay_log: function

Undelays an SSL record for a previously inserted token, allowing the record to be logged.

Detailed Interface
Runtime Options
SSL::ct_logs
Type

table [string] of SSL::CTInfo

Attributes

&redef

Default

{}

Redefinition

from base/protocols/ssl/ct-list.zeek

+=:


The Certificate Transparency log bundle. By default, the ct-list.zeek script sets this to the current list of known logs. Entries are indexed by (binary) log-id.
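As an added example that is not part of the Zeek documentation or its scripts, the following handler looks up each server-supplied SCT's log-id in SSL::ct_logs, using the raw log-id bytes from the wire as the table key, and reports SCTs from logs that are missing from the bundle. The module name SCTCheck and the known_log_hits table are assumptions made for this example.

```zeek
# Added example, not from the Zeek source tree: report SCTs whose log-id is
# absent from the SSL::ct_logs bundle.  Run with: zeek -r traffic.pcap sct-check.zeek
module SCTCheck;

export {
	# Number of SCTs seen per known log description (example-only bookkeeping).
	global known_log_hits: table[string] of count;
}

event ssl_extension_signed_certificate_timestamp(c: connection, is_client: bool, version: count,
                                                 logid: string, timestamp: count,
                                                 signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm,
                                                 signature: string)
	{
	# Only the server's SCTs vouch for the server certificate; ignore client-sent ones.
	if ( is_client )
		return;

	# SSL::ct_logs is indexed by the binary log-id, so the bytes received in the
	# extension are used directly as the table index without any decoding.
	if ( logid in SSL::ct_logs )
		{
		local info = SSL::ct_logs[logid];

		if ( info$description !in known_log_hits )
			known_log_hits[info$description] = 0;
		known_log_hits[info$description] += 1;

		print fmt("%s:%s SCT from known log '%s' operated by %s",
		          c$id$resp_h, c$id$resp_p, info$description, info$operator);
		}
	else
		# An SCT from a log that is not in the bundle cannot be checked against a
		# known key; surface it so the operator can review the log-id.
		print fmt("%s:%s SCT from log-id %s not present in SSL::ct_logs",
		          c$id$resp_h, c$id$resp_p, bytestring_to_hexstr(logid));
	}

event zeek_done()
	{
	for ( desc, n in known_log_hits )
		print fmt("known log '%s': %d SCT(s)", desc, n);
	}
```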

SSL::disable_analyzer_after_detection

Type: bool

Attributes: &redef

Default: T

Redefinition: from policy/protocols/ssl/decryption.zeek, =: F

Redefinition: from policy/protocols/ssl/heartbleed.zeek, =: F

If true, detach the SSL analyzer from the connection so that Zeek does not continue processing the encrypted traffic. This helps performance, especially with large file transfers.

Redefinable Options
SSL::root_certs

Type: table [string] of string

Attributes: &redef

Default: {}

Redefinition: from base/protocols/ssl/mozilla-ca-list.zeek, +=:

\xd7\x1f\xe2\xb1\xd9\xfe\x18d\xd2\x12[_\xf9X\x185\xbcG\xcd\xa16\xf9k\x7f\xd4\xb08>\xc1\x1b\xc3\x8c3\xd9\xd8/\x18\xfe(\x0f\xb3\xa7\x83\xd6\xc3nD\xc0a5\x96\x16\xfeY\x9c\x8bvm\xd7\xf1\xa2K\x0d+\xff\x0br\xda\x9e`\xd0\x8e\x905\xc6xU\x87 \xa1\xcf\xe5m\x0a\xc8I|1\x983l"\xe9\x87\xd02Z\xa2\xba\x13\x82\x11\xed9\x17\x9d\x99:r\xa1\xe6\xfa\xa4\xd9\xd5\x171u\xae\x85}"\xae?\x01F\x86\xf6(y\xc8\xb1\xda\xe4W\x17\xc4~\x1c\x0e\xb0\xb4\x92\xa6V\xb3\xbd\xb2\x97\xed\xaa\xa7\xf0\xb7\xc5\xa8?\x95\x16\xd0\xff\xa1\x96\xeb\x08_\x18wO\x02\x03\x01\x00\x01\xa3c0a0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x860\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14E\xeb\xa2\xaf\xf4\x92\xcb\x821-Q\x8b\xa7\xa7!\x9d\xf3m\xc8\x0f0\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14E\xeb\xa2\xaf\xf4\x92\xcb\x821-Q\x8b\xa7\xa7!\x9d\xf3m\xc8\x0f0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xa2\x0e\xbc\xdf\xe2\xed\xf0\xe3rszd\x94\xbf\xf7rf\xd82\xe4Bub\xae\x87\xeb\xf2\xd5\xd9\xdeV\xb3\x9f\xcc\xce\x14(\xb9\x0d\x97`\\x12LX\xe4\xd3=\x83IEX\x975i\x1a\xa8G\xeaV\xc6y\xab\x12\xd8g\x81\x84\xdf\x7f\x09<\x94\xe6\xb8&, \xbd=\xb3(\x89\xf7_\xff"\xe2\x97\x84\x1f\xe9e\xef\x87\xe0\xdf\xc1gI\xb3]\xeb\xb2\x09*\xeb&\xedx\xbe}?+\xf3\xb7&5m_\x89\x01\xb6I[\x9f\x01\x05\x9b\xab=%\xc1\xcc\xb6\x7f\xc2\xf1o\x86\xc6\xfadh\xeb\x81-\x94\xebB\xb7\xfa\x8c\x1e\xddb\xf1\xbePg\xb7l\xbd\xf3\xf1\x1fk\x0c6\x07\x16\x7f7|\xa9[mz\xf1\x12F`\x83\xd7'\x04\xbeK\xce\x97\xbe\xc3g*h\x11\xdf\x80\xe7\x0c3f\xbf\x13\x0d\x14n\xf3\x7f\x1fc\x10\x1e\xfa\x8d\x1b%ml\x8f\xa5\xb7a\x01\xb1\xd2\xa3&\xa1\x10q\x9d\xad\xe2\xc3\xf9\xc3\x99Q\xb7+\x07\x08\xce.\xe6P\xb2\xa7\xfa\x0aE/\xa2\xf0\xf2, CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US = 0\x82\x03\xaf0\x82\x02\x97\xa0\x03\x02\x01\x02\x02\x10\x08;\xe0V\x90BF\xb1\xa1uj\xc9Y\x91\xc7J0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x05\x05\x000a1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x150\x13\x06\x03U\x04\x0a\x13\x0cDigiCert 
Inc1\x190\x17\x06\x03U\x04\x0b\x13\x10www.digicert.com1 0\x1e\x06\x03U\x04\x03\x13\x17DigiCert Global Root CA0\x1e\x17\x0d061110000000Z\x17\x0d311110000000Z0a1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x150\x13\x06\x03U\x04\x0a\x13\x0cDigiCert Inc1\x190\x17\x06\x03U\x04\x0b\x13\x10www.digicert.com1 0\x1e\x06\x03U\x04\x03\x13\x17DigiCert Global Root CA0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xe2;\xe1\x11r\xde\xa8\xa4\xd3\xa3W\xaaP\xa2\x8f\x0bw\x90\xc9\xa2\xa5\xee\x12\xce\x96[\x01\x09 \xcc\x01\x93\xa7N0\xb7S\xf7C\xc4i\x00W\x9d\xe2\x8d"\xdd\x87\x06@\x00\x81\x09\xce\xce\x1b\x83\xbf\xdf\xcd;qF\xe2\xd6f\xc7\x05\xb3v'\x16\x8f{\x9e\x1e\x95}\xee\xb7H\xa3\x08\xda\xd6\xafz\x0c9\x06e\x7fJ]\x1f\xbc\x17\xf8\xab\xbe\xee(\xd7t\x7fzx\x99Y\x85hn\#2K\xbfN\xc0\xe8Zm\xe3p\xbfw\x10\xbf\xfc\x01\xf6\x85\xd9\xa8D\x10X2\xa9u\x18\xd5\xd1\xa2\xbeG\xe2'j\xf4\x9a3\xf8I\x08`\x8b\xd4_\xb4:\x84\xbf\xa1\xaaJL}>\xcfO_lv^\xa0K7\x91\x9e\xdc"\xe6m\xce\x14\x1a\x8ej\xcb\xfe\xcd\xb3\x14d\x17\xc7[)\x9e2\xbf\xf2\xee\xfa\xd3\x0bB\xd4\xab\xb7A2\xda\x0c\xd4\xef\xf8\x81\xd5\xbb\x8dX?\xb5\x1b\xe8I(\xa2p\xda1\x04\xdd\xf7\xb2\x16\xf2L\x0aN\x07\xa8\xedJ=^\xb5\x7f\xa3\x90\xc3\xaf'\x02\x03\x01\x00\x01\xa3c0a0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x860\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x03\xdeP5V\xd1L\xbbf\xf0\xa3\xe2\x1b\x1b\xc3\x97\xb2=\xd1U0\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\x03\xdeP5V\xd1L\xbbf\xf0\xa3\xe2\x1b\x1b\xc3\x97\xb2=\xd1U0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xcb\x9c7\xaaH\x13\x12\x0a\xfa\xddD\x9cOR\xb0\xf4\xdf\xae\x04\xf5yy\x08\xa3$\x18\xfcK+\x84\xc0-\xb9\xd5\xc7\xfe\xf4\xc1\x1fX\xcb\xb8m\x9czt\xe7\x98)\xab\x11\xb5\xe3p\xa0\xa1\xcdL\x88\x99\x93\x8c\x91p\xe2\xab\x0f\x1c\xbe\x93\xa9\xffc\xd5\xe4\x07`\xd3\xa3\xbf\x9d[\x09\xf1\xd5\x8e\xe3S\xf4\x8ec\xfa?\xa7\xdb\xb4f\xdfbf\xd6\xd1nA\x8d\xf2-\xb5\xeawJ\x9f\x9dX\xe2+Y\xc0@#\xed-(\
x82E>yT\x92&\x98\xe0\x80H\xa87\xef\xf0\xd6y`\x16\xde\xac\xe8\x0e\xcdn\xacD\x178/I\xda\xe1E>*\xb96S\xcf:P\x06\xf7.\xe8\xc4WIla!\x18\xd5\x04\xadx<,:\x80k\xa7\xeb\xaf\x15\x14\xe9\xd8\x89\xc1\xb98l\xe2\x91l\x8a\xffd\xb9w%W0\xc0\x1b$\xa3\xe1\xdc\xe9\xdfG|\xb5\xb4$\x08\x050\xec-\xbd\x0b\xbfE\xbfP\xb9\xa9\xf3\xeb\x98\x01\x12\xad\xc8\x88\xc6\x984_\x8d\x0a<\xc6\xe9\xd5\x95\x95m\xde, CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US = 0\x82\x03\xc50\x82\x02\xad\xa0\x03\x02\x01\x02\x02\x10\x02\xac\&j\x0b@\x9b\x8f\x0by\xf2\xaeF%w0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x05\x05\x000l1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x150\x13\x06\x03U\x04\x0a\x13\x0cDigiCert Inc1\x190\x17\x06\x03U\x04\x0b\x13\x10www.digicert.com1+0)\x06\x03U\x04\x03\x13"DigiCert High Assurance EV Root CA0\x1e\x17\x0d061110000000Z\x17\x0d311110000000Z0l1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x150\x13\x06\x03U\x04\x0a\x13\x0cDigiCert Inc1\x190\x17\x06\x03U\x04\x0b\x13\x10www.digicert.com1+0)\x06\x03U\x04\x03\x13"DigiCert High Assurance EV Root CA0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xc6\xcc\xe5s\xe6\xfb\xd4\xbb\xe5--2\xa6\xdf\xe5\x81?\xc9\xcd%I\xb6q*\xc3\xd5\x944g\xa2\x0a\x1c\xb0_i\xa6@\xb1\xc4\xb7\xb2\x8f\xd0\x98\xa4\xa9AY:\xd3\xdc\x94\xd6<\xdbt8\xa4J\xccM%\x82\xf7J\xa5S\x128\xee\xf3Imq\x91~c\xb6\xab\xa6_\xc3\xa4\x84\xf8ObQ\xbe\xf8\xc5\xec\xdb8\x92\xe3\x06\xe5\x08\x91\x0c\xc4(AU\xfb\xcbZ\x89\x15~q\xe85\xbfMr\x09=\xbe:8P[w1\x1b\x8d\xb3\xc7$E\x9a\xa7\xacm\x00\x14Z\x04\xb7\xba\x13\xebQ\x0a\x98AA"Nea\x87\x81AP\xa6y\\x89\xde\x19JW\xd5.\xe6]\x1cS,~\x98\xcd\x1a\x06\x16\xa4hs\xd04\x04\x13\\xa1q\xd3Z|U\xdb^d\xe17\x870V\x04\xe5\x11\xb4)\x80\x12\xf1y9\x88\xa2\x02\x11|'f\xb7\x88\xb7x\xf2\xca\x0a\xa88\xab\x0ad\xc2\xbff]\x95\x84\xc1\xa1%\x1e\x87]\x1aP\x0b 
\x12\xccA\xbbn\x0bQ8\xb8K\xcb\x02\x03\x01\x00\x01\xa3c0a0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x860\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xb1>\xc3i\x03\xf8\xbfG\x01\xd4\x98&\x1a\x08\x02\xefcd+\xc30\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xb1>\xc3i\x03\xf8\xbfG\x01\xd4\x98&\x1a\x08\x02\xefcd+\xc30\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x1c\x1a\x06\x97\xdc\xd7\x9c\x9f<\x88f\x06\x08W!\xdb!G\xf8*g\xaa\xbf\x182v@\x10W\xc1\x8a\xf3z\xd9\x11e\x8e5\xfa\x9e\xfcE\xb5\x9e\xd9L1K\xb8\x91\xe8C,\x8e\xb3x\xce\xdb\xe3Syq\xd6\xe5!\x94\x01\xdaU\x87\x9a$d\xf6\x8af\xcc\xde\x9c7\xcd\xa84\xb1i\x9b#\xc8\x9ex"+pC\xe3UG1a\x19\xefX\xc5\x85/N0\xf6\xa01\x16#\xc8\xe7\xe2e\x163\xcb\xbf\x1a\x1b\xa0=\xf8\xca^\x8b1\x8b`\x08\x89-\x0c\x06\R\xb7\xc4\xf9\x0a\x98\xd1\x15_\x9f\x12\xbe|6c8\xbdD\xa4\x7f\xe4&+\x0a\xc4\x97i\x0d\xe9\x8c\xe2\xc0\x10W\xb8\xc8v\x12\x91U\xf2Hi\xd8\xbc*\x02[\x0fD\xd4 1\xdb\xf4\xbap&]\x90`\x9e\xbcK\x17\x09/\xb4\xcb\x1eCh\xc9\x07'\xc1\xd2\\xf7\xea!\xb9h\x12\x9c<\x9c\xbf\x9e\xfc\x80\\x9bc\xcd\xecG\xaa%'g\xa07\xf3\x00\x82}T\xd7\xa9\xf8\xe9.\x13\xa3w\xe8\x1fJ, CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH = 0\x82\x05\xba0\x82\x03\xa2\xa0\x03\x02\x01\x02\x02\x09\x00\xbb@\x1cC\xf5^O\xb00\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x05\x05\x000E1\x0b0\x09\x06\x03U\x04\x06\x13\x02CH1\x150\x13\x06\x03U\x04\x0a\x13\x0cSwissSign AG1\x1f0\x1d\x06\x03U\x04\x03\x13\x16SwissSign Gold CA - G20\x1e\x17\x0d061025083035Z\x17\x0d361025083035Z0E1\x0b0\x09\x06\x03U\x04\x06\x13\x02CH1\x150\x13\x06\x03U\x04\x0a\x13\x0cSwissSign AG1\x1f0\x1d\x06\x03U\x04\x03\x13\x16SwissSign Gold CA - 
G20\x82\x02"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x02\x0f\x000\x82\x02\x0a\x02\x82\x02\x01\x00\xaf\xe4\xee~\x8b$\x0e\x12n\xa9P-\x16D;\x92\x92\\xca\xb8]\x84\x92B\x13*\xbceW\x82@>W$\xcdP\x8b%*\xb7o\xfc\xef\xa2\xd0\xc0\x1f\x02$J\x13\x96\x8f#\x13\xe6(X\x00\xa3G\xc7\x06\xa7\x84#+\xbb\xbd\x96+\x7fU\xcc\x8b\xc1W\x1f\x0ebe\x0f\xdd=V\x8as\xda\xae~m\xba\x81\x1c~B\x8c 5\xd9CM\x84\xfa\x84\xdbR,\xf3\x0e'w\x0bk\xbf\x11/rx\x9f.\xd8>\xe6\x187Z*r\xf9\xdab\x90\x92\x95\xca\x1f\x9c\xe9\xb3<+\xcb\xf3\x01\x13\xbfZ\xcf\xc1\xb5\x0a`\xbd\xdd\xb5\x99dS\xb8\xa0\x96\xb3o\xe2&w\x91\x8c\xe0b\x10\x02\x9f4\x0f\xa4\xd5\x923Q\xde\xbe\x8d\xba\x84z`<j\xdb\x9f+\xec\xde\xde\x01?nM\xe5P\x86\xcb\xb4\xaf\xedD@\xc5\xcaZ\x8c\xda\xd2+|\xa8\xee\xbe\xa6\xe5\x0a\xaa\x0e\xa5\xdf\x05R\xb7U\xc7"]2j\x97\x97c\x13\xdb\xc9\xdby6{\x85:J\xc5R\x89\xf9$\xe7\x9dw\xa9\x82\xffU\x1c\xa5qi+\xd1\x02$\xf2\xb3&\xd4k\xda\x04U\xe5\xc1\x0a\xc7m07\x90*\xe4\x9e\x143^\x16\x17U\xc5[\xb5\xcb4\x89\x92\xf1\x9d&\x8f\xa1\x07\xd4\xc6\xb2xP\xdb\x0c\x0c\x0b|\x0b\x8cA\xd7\xb9\xe9\xdd\x8c\x88\xf7\xa3M\xb22\xcc\xd8\x17\xda\xcd\xb7\xcef\x9d\xd4\xfd^\xff\xbd\x97>)u\xe7~\xa7bX\xaf%4\xa5A\xc7=\xbc\x0dP\xca\x03\x03\x0f\x08Z\x1f\x95sxb\xbf\xafr\x14i\x0e\xa5\xe5\x03\x0ex\x8e&(B\xf0\x07\x0bb \x10g9F\xfa\xa9\x03\xcc\x048zf\xef \x83\xb5\x8cJV\x8e\x91\x00\xfc\x8e\\x82\xde\x88\xa0\xc3\xe2hn}\x8d\xef<\xdde\xf4]\xacQ\xef$\x80\xae\xaaV\x97o\xf9\xad}\xdaa?\x98w<\xa5\x91\xb6\x1c\x8c&\xdae\xa2\x09m\xc1\xe2T\xe3\xb9\xcaLL\x80\x8fw{`\x9a\x1e\xdf\xb6\xf2H\x1e\x0e\xbaNTm\x98\xe0\xe1\xa2\x1a\xa2wP\xcf\xc4c\x92\xecG\x19\x9d\xeb\xe6k\xce\xc1\x02\x03\x01\x00\x01\xa3\x81\xac0\x81\xa90\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x060\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14[%{\x96\xa4eQ~\xb89\xf3\xc0xf^\xe8:\xe7\xf0\xee0\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14[%{\x96\xa4eQ~\xb89\xf3\xc0xf^\xe8:\xe7\xf0\xee0F\x06\x03U\x1d 
\x04?0=0;\x06\x09`\x85t\x01Y\x01\x02\x01\x010.0,\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16 http://repository.swisssign.com/0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00'\xba\xe3\x94|\xf1\xae\xc0\xde\x17\xe6\xe5\xd8\xd5\xf5T\xb0\x83\xf4\xbb\xcd^\x05{O\x9fuf\xaf<\xe8V~\xfcrx8\x03\xd9+b\x1b\x00\xb9\xf8\xe9`\xcd\xcc\xceQ\x8a\xc7P1n\xe1J~\x18/iY\xb6=d\x81+\xe3\x83\x84\xe6"\x87\x8e}\xe0\xee\x02\x99a\xb8\x1e\xf4\xb8+\x88\x12\x16\x84\xc21\x938\x961\xa6\xb9;S?\xc3$\x93V[i\x92\xec\xc5\xc1\xbb8\x00\xe3\xec\x17\xa9\xb8\xdc\xc7|\x01\x83\x9f2G\xbaR"4\x1d2z\x09V\xa7|%6\xa9=K\xda\xc0\x82o\x0a\xbb\x12\xc8\x87K'\x11\xf9\x1e-\xc7\x93?\x9e\xdb_&kR\xd9.\x8a\xf1\x14\xc6D\x8d\x15\xa9\xb7\xbf\xbd\xde\xa6\x1a\xee\xae-\xfbHw\x17\xfe\xbb\xec\xaf\x18\xf5*Q\xf09\x84\x97\x95ln\x1b\xc3+\xc4t`y%\xb0\x0a'\xdf\xdf^\xd29\xcfE}BK\xdf\xb3,\x1e\xc5\xc6]\xcaU:\xa0\x9ci\x9a\x8f\xda\xef\xb2\xb0<\x9f\x87l\x12+ep\x15R1\x1a$\xcfo1#P\x1f\x8cO\x8f#\xc3tAc\x1cU\xa8\x14\xdd>\xe0QP\xcf\xf1\x1b0V\x0e\x92\xb0\x82\x85\xd8\x83\xcb"d\xbc-\xb8%\xd5T\xa2\xb8\x06\xea\xad\x92\xa4$\xa0\xc1\x86\xb5J\x13jG\xcf.\x0bV\x95T\xcb\xce\x9a\xdbj\xb4\xa6\xb2\xdbA\x08\x86'w\xf7j\xa0Bl\x0b8\xce\xd7uP2\x92\xc2\xdf+0"H\xd0\xd5A8%]\xa4\xe9]\x9f\xc6\x94u\xd0E\xfd0\x97C\x8f\x90\xab\x0a\xc7\x86s`Ji-\xde\xa5x\xd7\x06\xdaj\x9eK>w: \x13"\x01\xd0\xbfh\x9ec`k5M\x0bm\xba\xa1=\xc0\x93\xe0\x7f#\xb3U\xadr%NF\xf9\xd2\x16\xef\xb0d\xc1\x01\x9e\xe9\xca\xa0j\x98\x0e\xcf\xd8`\xf2/I\xb8\xe4B\xe185\x16\xf4\xc8nO\xf7\x81V\xe8\xba\xa3\xbe#\xaf\xae\xfdo\x03\xe0\x02;0v\xfa\x1bmA\xcf\x01\xb1\xe9\xb8\xc9f\xf4\xdb&\xf3:\xa4t\xf2I$[\xc9\xb0\xd0W\xc1\xfa>z\xe1\x97\xc9, CN=SwissSign Silver CA - G2,O=SwissSign AG,C=CH = 0\x82\x05\xbd0\x82\x03\xa5\xa0\x03\x02\x01\x02\x02\x08O\x1b\xd4/T\xbb/K0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x05\x05\x000G1\x0b0\x09\x06\x03U\x04\x06\x13\x02CH1\x150\x13\x06\x03U\x04\x0a\x13\x0cSwissSign AG1!0\x1f\x06\x03U\x04\x03\x13\x18SwissSign Silver CA - 
G20\x1e\x17\x0d061025083246Z\x17\x0d361025083246Z0G1\x0b0\x09\x06\x03U\x04\x06\x13\x02CH1\x150\x13\x06\x03U\x04\x0a\x13\x0cSwissSign AG1!0\x1f\x06\x03U\x04\x03\x13\x18SwissSign Silver CA - G20\x82\x02"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x02\x0f\x000\x82\x02\x0a\x02\x82\x02\x01\x00\xc4\xf1\x87\x7f\xd3x1\xf78\xc9\xf8\xc3\x99C\xbc\xc7\xf7\xbc7\xe7Nq\xbaK\x8f\xa5s\x1d\n\x98\xae\x03W\xae87C/\x17=\x1f\xc8\xceh\x10\xc1x\xae\x19\x03+\x10\xfa,y\x83\xf6\xe8\xb9h\xb9U\xf2\x04D\xa79\xf9\xfc\x04\x8b\x1e\xf1\xa2M'\xf9a{\xba\xb7\xe5\xa2\x13\xb6\xeba>\xd0l\xd1\xe6\xfb\xfa^\xed\x1d\xb4\x9e\xa05[\xa1\x92\xcb\xf0I\x92\xfe\x85\x0a\x05>\xe6\xd9\x0b\xe2O\xbb\xdc\x957\xfc\x91\xe925"\xd1\x1f:N'\x85\x9d\xb0\x15\x942\xdaa\x0dGM`B\xae\x92G\xe8\x83ZPX\xe9\x8a\x8b\xb9]\xa1\xdc\xdd\x99J\x1f6g\xbbH\xe4\x83\xb67\xebH:\xaf\x0fg\x8f\x17\x07\xe8\x04\xca\xefj1\x87\xd4\xc0\xb6\xf9\x94q{gd\xb8\xb6\x91JB{e.0j\x0c\xf5\x90\xee\x95\xe6\xf2\xcd\x82\xec\xd9\xa1J\xec\xf6\xb2K\xe5E\x85\xe6mx\x93\x04.\x9c\x82m6\xa9\xc41d\x1f\x86\x83\x0b*\xf45\x0ax\xc9U\xcfA\xb0G\xe90\x9f\x99\xbea\xa8\x06\x84\xb9(z_8\xd9\x1b\xa98\xb0\x83\x7fs\xc1\xc3;H*\x82\x0f!\x9b\xb8\xcc\xa85\xc3\x84\x1b\x83\xb3>\xbe\xa4\x95i\x01:\x89\x00x\x04\xd9\xc9\xf4\x99\x19\xabV~[\x8b\x869\x15\x91\xa4\x10,\x092\x80`\xb3\x93\xc0*\xb6\x18\x0b\x9d~\x8dI\xf2\x10J\x7f\xf9\xd5F/\x19\x92\xa3\x99\xa7&\xac\xbb\x8c<\xe6\x0e\xbcG\x07\xdcsQ\xf1pd/\x08\xf9\xb4G\x1d0lD\xea)7\x85\x92hf\xbc\x838\xfe{9.\xd3P\xf0\x1f\xfb^`\xb6\xa9\xa6\xfa'A\xf1\x9b\x18r\xf2\xf5\x84tJ\xc9g\xc4T\xaeHd\xdf\x8c\xd1n\xb0\x1d\xe1\x07\x8f\x08\x1e\x99\x9cq\xe9L\xd8\xa5\xf7G\x12\x1ft\xd1Q\x9e\x86\xf3\xc2\xa2#@\x0bs\xdbK\xa6\xe7s\x06\x8c\xc1\xa0\xe9\xc1Y\xacF\xfa\xe6/\xf8\xcfq\x9cFm\xb9\xc4\x15\x8d8y\x03EH\xef\xc4]\xd7\x08\xee\x879"\x86\xb2\x0d\x0fXC\xf7q\xa9H.\xfd\xea\xd6\x1f\x02\x03\x01\x00\x01\xa3\x81\xac0\x81\xa90\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x060\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x17\x
a0\xcd\xc1\xe4A\xb6:[;\xcbE\x9d\xbd\x1c\xc2\x98\xfa\x86X0\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\x17\xa0\xcd\xc1\xe4A\xb6:[;\xcbE\x9d\xbd\x1c\xc2\x98\xfa\x86X0F\x06\x03U\x1d \x04?0=0;\x06\x09`\x85t\x01Y\x01\x03\x01\x010.0,\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16 http://repository.swisssign.com/0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00s\xc6\x81\xe0'\xd2-\x0f\xe0\x950\xe2\x9aA\x7fP,__ba\xa9\x86ji\x18\x0ctI\xd6]\x84\xeaAR\x18oX\xadPV j\xc6\xbd(iX\x91\xdc\x91\x115\xa9:\x1d\xbc\x1a\xa5`\x9e\xd8\x1f\x7fE\x91i\xd9~\xbbxr\xc1\x06\x0f*\xce\x8f\x85pa\xac\xa0\xcd\x0b\xb89)V\x842N\x86\xbb=\xc4*\xd9\xd7\x1fr\xee\xfeQ\xa1"A\xb1q\x02c\x1a\x82\xb0b\xab^W\x12\x1f\xdf\xcb\xddu\xa0\xc0]y\x90\x8c\x1b\xe0P\xe6\xde1\xfe\x98{p_\xa5\x90\xd8\xad\xf8\x02\xb6o\xd3`\xdd@K"\xc5=\xad:z\x9f\x1a\x1aG\x91y3\xba\x82\xdc2i\x03\x96n\x1fK\xf0q\xfe\xe3gr\xa0\xb1\xbf\\x8b\xe4\xfa\x99"\xc7\x84\xb9\x1b\x8d#\x97?\xed%\xe0\xcfe\xbb\xf5a\x04\xef\xdd\x1e\xb2ZA"Z\xa1\x9f],\xe8[\xc9m\xa9\x0c\x0cx\xaa`\xc6V\x8f\x01Z\x0ch\xbci\x19y\xc4\x1f~\x97\x05\xbf\xc5\xe9$Q^\xd4\xd5KS\xed\xd9#Z6\x03e\xa3\xc1\x03\xadA0\xf3F\x1b\x85\x90\xafe\xb5\xd5\xb1\xe4\x16[xu\x1d\x97zmY\xa9*\x8f{\xde\xc3\x87\x89\x10\x99Isx\xc8=\xbdQ5t*\xd5\xf1~i\x1b*\xbb;\xbd%\xb8\x9aZ=ra\x90f\x87\xee\x0c\xd6M\xd4\x11t\x0bj\xfe\x0b\x03\xfc\xa3UW\x89\xfeJ\xcb\xae[\x17\x05\xc8\xf2\x8d#1S8\xd2-j?\x82\xb9\x8d\x08j\xf7^Atn\xc3\x11~\x07\xac)`\x91?8\xcaW\x10\x0d\xbd0/\xc7\xa5\xe6A\xa0\xda\xae\x05\x87\x9a\xa0\xa4elL\x09\x0c\x89\xba\xb8\xd3\xb9\xc0\x93\x8a0\xfa\x8d\xe5\x9ak\x15\x01Ng\xaa\xdabV>\x84\x08f\xd2\xc46}\xa7>\x10\xfc\x88\xe0\xd4\x80\xe5\x00\xbd\xaa\xf3N\x06\xa3zj\xf9br\xe3\x09O\xeb\x9b\x0e\x01#\xf1\x9f\xbb|\xdc\xdcl\x11\x97%\xb2\xf2\xb4c\x14\xd2\x06*g\x8c\x83\xf5\xce\xea\x07\xd8\x9aj\x1e\xec\xe4\x0a\xbb*L\xeb\x09`9\xce\xcab\xd8.n, CN=SecureTrust CA,O=SecureTrust Corporation,C=US = 
0\x82\x03\xb80\x82\x02\xa0\xa0\x03\x02\x01\x02\x02\x10\x0c\xf0\x8e\\x08\x16\xa5\xadB\x7f\xf0\xeb'\x18Y\xd00\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x05\x05\x000H1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1 0\x1e\x06\x03U\x04\x0a\x13\x17SecureTrust Corporation1\x170\x15\x06\x03U\x04\x03\x13\x0eSecureTrust CA0\x1e\x17\x0d061107193118Z\x17\x0d291231194055Z0H1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1 0\x1e\x06\x03U\x04\x0a\x13\x17SecureTrust Corporation1\x170\x15\x06\x03U\x04\x03\x13\x0eSecureTrust CA0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xab\xa4\x81\xe5\x95\xcd\xf5\xf6\x14\x8e\xc2O\xca\xd4\xe2x\x95X\x9cA\xe1\x0d\x99@$\x179\x913f\xe9\xbe\xe1\x83\xafb\\x89\xd1\xfc$[a\xb3\xe0\x11\x11A\x1c\x1dn\xf0\xb8\xbb\xf8\xde\xa7\x81\xba\xa6H\xc6\x9f\x1d\xbd\xbe\x8e\xa9A>\xb8\x94\xed)\x1a\xd4\x8e\xd2\x03\x1d\x03\xefm\x0dg\x1cW\xd7\x06\xad\xca\xc8\xf5\xfe\x0e\xaff%H\x04\x96\x0b]\xa3\xba\x16\xc3\x08O\xd1F\xf8\x14\\xf2\xc8^\x01\x99m\xfd\x88\xcc\x86\xa8\xc1o1BlR>h\xcb\xf3\x194\xdf\xbb\x87\x18V\x80&\xc4\xd0\xdc\xc0o\xdf\xde\xa0\xc2\x91\x16\xa0d\x11KD\xbc\x1e\xf6\xe7\xfac\xdef\xacv\xa4q\xa3\xec6\x94hzw\xa4\xb1\xe7\x0e/\x81z\xe2\xb5r\x86\xef\xa2k\x8b\xf0\x0f\xdb\xd3Y?\xbar\xbcD$\x9c\xe3s\xb3\xf7\xafW/B&\x9d\xa9t\xba\x00R\xf2K\xcdS|G\x0b6\x85\x0ef\xa9\x08\x97\x164W\xc1f\xf7\x80\xe3\xedpT\xc7\x93\xe0.(\x15Y\x87\xba\xbb\x02\x03\x01\x00\x01\xa3\x81\x9d0\x81\x9a0\x13\x06\x09+\x06\x01\x04\x01\x827\x14\x02\x04\x06\x1e\x04\x00C\x00A0\x0b\x06\x03U\x1d\x0f\x04\x04\x03\x02\x01\x860\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14B2\xb6\x16\xfa\x04\xfd\xfe]Kz\xc3\xfd\xf7L@\x1dZC\xaf04\x06\x03U\x1d\x1f\x04-0+0)\xa0'\xa0%\x86#http://crl.securetrust.com/STCA.crl0\x10\x06\x09+\x06\x01\x04\x01\x827\x15\x01\x04\x03\x02\x01\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x05\x05\x00\x03\x82\x01\x01\x000\xedOJ\xe1X:Rr[\xb5\xa6\xa3e\x18\xa6\xbbQ;w\xe9\x9d\xea\xd3\x9f\\xe0Ee{\x0d\xca[\xe2pP\xb2\x94\x05\x14\xa
eI\xc7\x8dA\x07\x12s\x94~\x0c#!\xfd\xbc\x10\x7f`\x10Zr\xf5\x98\x0e\xac\xec\xb9\x7f\xddzo]\xd3\x1c\xf4\xff\x88\x05iB\xa9\x05q\xc8\xb7\xac&\xe8.\xb4\x8cj\xffq\xdc\xb8\xb1\xdf\x99\xbc|!T+\xe4X\xa2\xbbW)\xae\x9e\xa9\xa3\x19&\x0f\x99.\x08\xb0\xef\xfdi\xcf\x99\x1a\x09\x8d\xe3\xa7\x9f+\xc964{$\xb3xL\x95\x17\xa4\x06&\x1e\xb6dR6_`g\xd9\x9c\xc5\x05t\x0b\xe7g#\xd2\x08\xfc\x88\xe9\xae\x8b\x7f\xe10\xf47~\xfd\xc62\xda-\x9eD00l\xee\x07\xde\xd24\xfc\xd2\xff@\xf6K\xf4fF\x06T\xa6\xf22\x0ac&0k\x9b\xd1\xdc\x8bG\xba\xe1\xb9\xd5b\xd0\xa2\xa0\xf4g\x05x)c\x1ao\x04\xd6\xf8\xc6L\xa3\x9a\xb17\xb4\x8d\xe5(K\x1d\x9e,\xc2\xb8h\xbc\xed\x02\xee1, CN=Secure Global CA,O=SecureTrust Corporation,C=US = 0\x82\x03\xbc0\x82\x02\xa4\xa0\x03\x02\x01\x02\x02\x10\x07V"\xa4\xe8\xd4\x8a\x89M\xf4\x13\xc8\xf0\xf8\xea\xa50\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x05\x05\x000J1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1 0\x1e\x06\x03U\x04\x0a\x13\x17SecureTrust Corporation1\x190\x17\x06\x03U\x04\x03\x13\x10Secure Global CA0\x1e\x17\x0d061107194228Z\x17\x0d291231195206Z0J1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1 0\x1e\x06\x03U\x04\x0a\x13\x17SecureTrust Corporation1\x190\x17\x06\x03U\x04\x03\x13\x10Secure Global CA0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xaf5.\xd8\xaclUi\x06q\xe5\x13h$\xb3O\xd8\xcc!G\xf8\xf1`8\x89\x89\x03\xe9\xbd\xea^FS\x09\xdc\\xf5Z\xe8\xf7E*\x02\xeb1a\xd7)3L\xce\xc7|\x0a7~\x0f\xba2\x98\xe1\x1d\x97\xaf\x8f\xc7\xdc\xc98\x96\xf3\xdb\x1a\xfcQ\xedh\xc6\xd0n\xa4|$\xd1\xaeB\xc8\x96Pc.\xe0\xfeu\xfe\x98\xa7_I.\x95\xe393d\x8e\x1e\xa4_\x90\xd2g<\xb2\xd9\xfeA\xb9U\xa7\x09\x8er\x05\x1e\x8b\xddD\x85\x82B\xd0I\xc0\x1d`\xf0\xd1\x17,\x95\xeb\xf6\xa5\xc1\x92\xa3\xc5\xc2\xa7\x08`\x0d`\x04\x10\x96y\x9e\x164\xe6\xa9\xb6\xfa%E9\xc8\x1ee\xf9\x93\xf5\xaa\xf1R\xdc\x99\x98=\xa5\x86\x1a\x0c53\xfaK\xa5\x04\x06\x15\x1c1\x80\xef\xaa\x18k\xc2{\xd7\xda\xce\xf93 
\xd5\xf5\xbdj3-\x81\x04\xfb\xb0\\xd4\x9c\xa3\xe2\\x1d\xe3\xa9Bu^{\xd4w\xef9T\xba\xc9\x0a\x18\x1b\x12\x99I/\x88K\xfdPb\xd1s\xe7\x8fzC\x02\x03\x01\x00\x01\xa3\x81\x9d0\x81\x9a0\x13\x06\x09+\x06\x01\x04\x01\x827\x14\x02\x04\x06\x1e\x04\x00C\x00A0\x0b\x06\x03U\x1d\x0f\x04\x04\x03\x02\x01\x860\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xafD\x04\xc2A~H\x83\xdbN9\x02\xec\xec\x84z\xe6\xce\xc9\xa404\x06\x03U\x1d\x1f\x04-0+0)\xa0'\xa0%\x86#http://crl.securetrust.com/SGCA.crl0\x10\x06\x09+\x06\x01\x04\x01\x827\x15\x01\x04\x03\x02\x01\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00c\x1a\x08@}\xa4^S\x0dw\xd8z\xae\x1f\x0d\x0bQ\x16\x03\xef\x18|\xc8\xe3\xafjX\x93\x14`\x91\xb2\x84\xdc\x88N\xbe9\x8a:\xf3\xe6\x82\x89]\x017\xb3\xab$\xa4\x15\x0e\x925ZJD^NW\xfau\xce\x1fH\xcef\xf4<@&\x92\x98l\x1b\xee$F\x0c\x17\xb3R\xa5\xdb\xa5\x91\x91\xcf7\xd3o\xe7'\x08:N\x19\x1f:\xa7X\\x17\xcfy?\x8b\xe4\xa7\xd3&#\x9d&\x0fXi\xfcG~\xb2\xd0\x8d\x8b\x93\xbf)OCitvgK\xcf\x07\x8c\xe6\x02\xf7\xb5\xe1\xb4C\xb5K-\x14\x9f\xf9\xdc&\x0d\xbf\xa6Gt\x06\xd8\x88\xd1:)0\x84\xce\xd29\x80b\x1b\xa8\xc7WI\xbcjUQg\x15J\xbe5\x07\xe4\xd5u\x987y0\x14\xdb)\x9dl\xc5i\xccGU\xa20\xf7\xcc\\x7f\xc2\xc3\x98\x1ckN\x16\x80\xebzxeE\xa2\x00\x1a\xaf\x0c\x0dUd4H\xb8\x92\xb9\xf1\xb4P)\xf2O#\x1f\xdal\xac\x1fD\xe1\xdd#xQ[\xc7\x16, CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB = 0\x82\x04\x1d0\x82\x03\x05\xa0\x03\x02\x01\x02\x02\x10N\x81-\x8a\x82e\xe0\x0b\x02\xee>5\x02F\xe5=0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x05\x05\x000\x81\x811\x0b0\x09\x06\x03U\x04\x06\x13\x02GB1\x1b0\x19\x06\x03U\x04\x08\x13\x12Greater Manchester1\x100\x0e\x06\x03U\x04\x07\x13\x07Salford1\x1a0\x18\x06\x03U\x04\x0a\x13\x11COMODO CA Limited1'0%\x06\x03U\x04\x03\x13\x1eCOMODO Certification Authority0\x1e\x17\x0d061201000000Z\x17\x0d291231235959Z0\x81\x811\x0b0\x09\x06\x03U\x04\x06\x13\x02GB1\x1b0\x19\x06\x03U\x04\x08\x13\x12Greater 
Manchester1\x100\x0e\x06\x03U\x04\x07\x13\x07Salford1\x1a0\x18\x06\x03U\x04\x0a\x13\x11COMODO CA Limited1'0%\x06\x03U\x04\x03\x13\x1eCOMODO Certification Authority0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0@\x8b\x8br\xe3\x91\x1b\xf7Q\xc1\x1bT\x04\x98\xd3\xa9\xbf\xc1\xe6\x8a];\x87\xfb\xbb\x88\xce\x0d\xe3/?\x06\x96\xf0\xa2)P\x99\xae\xdb;\xa1W\xb0tQq\xcd\xedB\x91MA\xfe\xa9\xc8\xd8j\x86wD\xbbYf\x97P^\xb4\xd4,pD\xcf\xda7\x95Bi<0\xc4q\xb3R\xf0!M\xa1\xd8\xba9|\x1c\x9e\xa3$\x9d\xf2\x83\x16\x98\xaa\x16|C\x9b\x15[\xb7\xae4\x91\xfe\xd4b&\x18F\x9a?\xeb\xc1\xf9\xf1\x90W\xeb\xacz\x0d\x8b\xdbr0jf\xd5\xe0F\xa3p\xdch\xd9\xff\x04H\x89w\xde\xb5\xe9\xfbgmA\xe9\xbc9\xbd2\xd9b\x02\xf1\xb1\xa8=n7\x9c\xe2/\xe2\xd3\xa2&\x8b\xc6\xb8UC\x88\xe1#>\xa5\xd2$9jG\xab\x00\xd4\xa1\xb3\xa9%\xfe\x0d?\xa7\x1d\xba\xd3Q\xc1\x0b\xa4\xda\xac8\xefUP$\x05eF\x934O-\x8d\xad\xc6\xd4!\x19\xd2\x8e\xca\x05aq\x07sG\xe5\x8a\x19\x12\xbd\x04M\xceN\x9c\xa5H\xac\xbb&\xf7\x02\x03\x01\x00\x01\xa3\x81\x8e0\x81\x8b0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x0bX\xe5\x8b\xc6L\x157\xa4@\xa90\xa9!\xbeG6ZV\xff0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x060\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0I\x06\x03U\x1d\x1f\x04B0@0>\xa0<\xa0:\x868http://crl.comodoca.com/COMODOCertificationAuthority.crl0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00>\x98\x9e\x9b\xf6\x1b\xe9\xd79\xb7x\xae\x1dr\x18I\xd3\x87\xe4C\x82\xeb?\xc9\xaa\xf5\xa8\xb5\xefU|!Re\xf9\xd5\x0d\xe1l\xf4>\x8c\x93s\x91.\x02\xc4N\x07qo\xc0\x8f8a\x08\xa8\x1e\x81\x0a\xc0/ /A\x8b\x91\xdcHE\xbc\xf1\xc6\xde\xbavk3\xc8\x00-1FL\xed\xe7\x9d\xcf\x88\x94\xff3\xc0V\xe8$\x86&\xb8\xd888\xdf*k\xdd\x12\xcc\xc7?G\x17L\xa2\xc2\x06\x96\x09\xd6\xdb\xfe?<FA\xdfX\xe2V\x0f<;\xc1\x1c\x935\xd98R\xac\xee\xc8\xec.0N\x945\xb4$\x1fKxi\xda\xf2\x028\xcc\x95R\x93\xf0p%Y\x9c 
g\xc4\xee\xf9\x8bWa\xf4\x92v}?\x84\x8dU\xb7\xe8\xe5\xac\xd5\xf1\xf5\x19V\xa6Z\xfb\x90\x1c\xaf\x93\xeb\xe5\x1c\xd4g\x97]\x04\x0e\xbe\x0b\x83\xa6\x17\x83\xb90\x12\xa0\xc53\x15\x05\xb9\x0d\xfb\xc7\x05v\xe3\xd8J\x8d\xfc4\x17\xa3\xc6!(\xbe0E1\x1e\xc7x\xbeXa8\xac;\xe2\x01e, CN=Network Solutions Certificate Authority,O=Network Solutions L.L.C.,C=US = 0\x82\x03\xe60\x82\x02\xce\xa0\x03\x02\x01\x02\x02\x10W\xcb3o\xc2\\x16\xe6G\x16\x17\xe3\x901h\xe00\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x05\x05\x000b1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1!0\x1f\x06\x03U\x04\x0a\x13\x18Network Solutions L.L.C.100.\x06\x03U\x04\x03\x13'Network Solutions Certificate Authority0\x1e\x17\x0d061201000000Z\x17\x0d291231235959Z0b1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1!0\x1f\x06\x03U\x04\x0a\x13\x18Network Solutions L.L.C.100.\x06\x03U\x04\x03\x13'Network Solutions Certificate Authority0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xe4\xbc~\x920m\xc6\xd8\x8e+\x0b\xbcF\xce\xe0'\x96\xde\xde\xf9\xfa\x12\xd3<3s\xb3\x04/\xbcq\x8c\xe5\x9f\xb6"`>_]\xce\x09\xff\x82\x0c\x1b\x9aQP\x1a&\x89\xdd\xd5a]\x19\xdc\x12\x0f-\x0a\xa2C]\x17\xd04\x92 
\xeas\xcf8,\x06&\x09zr\xf7\xfaP2\xf8\xc2\x93\xd3i\xa2#\xceA\xb1\xcc\xe4\xd5\x1f6\xd1\x8a:\xf8\x8cc\xe2\x14Yi\xed\x0d\xd3\x7fk\xe8\xb8\x03\xe5Oj\xe5\x98ciH\x05\xbe.\xff3\xb6\xe9\x97Yi\xf8g\x19\xae\x93a\x96D\x15\xd3r\xb0?\xbcj}\xecH\x7f\x8d\xc3\xab\xaaq+SiAS4\xb5\xb0\xb9\xc5\x06\x0a\xc4\xb0E\xf5A]n\x89E{=;&\x8ct\xc2\xe5\xd2\xd1}\xb2\x11\xd4\xfbX2"\x9a\x80\xc9\xdc\xfd\x0c\xe9\x7f^\x03\x97\xce;\x00\x14\x87'p8\xa9\x8en\xb3'v\x98Q\xe0\x05\xe3!\xab\x1a\xd5\x85"<)\xb5\x9a\x16\xc5\x80\xa8\xf4\xbbk0\x8f/F\x02\xa2\xb1\x0c"\xe0\xd3\x02\x03\x01\x00\x01\xa3\x81\x970\x81\x940\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14!0\xc9\xfb\x00\xd7N\x98\xda\x87\xaa*\xd0\xa7.\xb1@1\xa7L0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x060\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0R\x06\x03U\x1d\x1f\x04K0I0G\xa0E\xa0C\x86Ahttp://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xbb\xaeK\xe7\xb7W\xeb\x7f\xaa-\xb7sG\x85j\xc1\xe4\xa5\x1d\xe4\xe7<\xe9\xf4Yew\xb5z[Z\x8d%6\xe0z\x97.8\xc0W`\x83\x98\x06\x83\x9f\xb9vznP\xe0\xba\x88,\xfcE\xcc\x18\xb0\x99\x95Q\x0e\xec\x1d\xb8\x88\xff\x87P\x1c\x82\xc2\xe3\xe02\x80\xbf\xa0\x0bG\xc8\xc31\xef\x99g2\x80O\x17!y\x0ci\\xde^4\xae\x02\xb5&\xeaP\xdf\x7f\x18e,\xc9\xf2c\xe1\xa9\x07\xfe|q\x1fk3$j\x1e\x05\xf7\x05h\xc0j\x12\xcb.^a\xcb\xae(\xd3~\xc2\xb4f\x91&_<.$_\xcbX\x0f\xeb(\xec\xaf\x11\x96\xf3\xdc{o\xc0\xa7\x88\xf2Sw\xb3`^\xae\xae(\xda5,o4E\xd3&\xe1\xde\xec[O'k\x16|\xbdD\x04\x18\x82\xb3\x89y\x17\x10q=z\xa2\x16N\xf5\x01\xcd\xa4leh\xa1Iv\C\xc9\xd8\xbc6gl\xa5\x94\xb5\xd4\xcc\xb9\xbdj5V!\xde\xd8\xc3\xeb\xfb\xcb\xa4`L\xb0U\xa0\xa0{W\xb2, CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB = 0\x82\x02\x890\x82\x02\x0f\xa0\x03\x02\x01\x02\x02\x10\x1fG\xaf\xaab\x00pPTL\x01\x9e\x9bc\x99*0\x0a\x06\x08*\x86H\xce=\x04\x03\x030\x81\x851\x0b0\x09\x06\x03U\x04\x06\x13\x02GB1\x1b0\x19\x06\x03U\x04\x08\x13\x12Greater 
Manchester1\x100\x0e\x06\x03U\x04\x07\x13\x07Salford1\x1a0\x18\x06\x03U\x04\x0a\x13\x11COMODO CA Limited1+0)\x06\x03U\x04\x03\x13"COMODO ECC Certification Authority0\x1e\x17\x0d080306000000Z\x17\x0d380118235959Z0\x81\x851\x0b0\x09\x06\x03U\x04\x06\x13\x02GB1\x1b0\x19\x06\x03U\x04\x08\x13\x12Greater Manchester1\x100\x0e\x06\x03U\x04\x07\x13\x07Salford1\x1a0\x18\x06\x03U\x04\x0a\x13\x11COMODO CA Limited1+0)\x06\x03U\x04\x03\x13"COMODO ECC Certification Authority0v0\x10\x06\x07*\x86H\xce=\x02\x01\x06\x05+\x81\x04\x00"\x03b\x00\x04\x03G{/u\xc9\x82\x15\x85\xfbu\xe4\x91\x16\xd4\xabb\x99\xf5>R\x0b\x06\xceA\x00\x7f\x97\xe1\x0a$<\x1d\x01\x04\xee=\xd2\x8d\x09\x97\x0c\xe0u\xe4\xfa\xfbw\x8a*\xf5\x03`K6\x8b\x16#\x16\xad\x09q\xf4J\xf4(P\xb4\xfe\x88\x1cn?l//\x09Y[\xa5[\x0b3\x99\xe2\xc3=\x89\xf9j,\xef\xb2\xd3\x06\xe9\xa3B0@0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14uq\xa7\x19H\x19\xbc\x9d\x9d\xeaAG\xdf\x94\xc4Hw\x99\xd3y0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x060\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x0a\x06\x08*\x86H\xce=\x04\x03\x03\x03h\x000e\x021\x00\xef\x03[z\xac\xb7x\x0ar\xb7\x88\xdf\xff\xb5F\x14\x09\x0a\xfa\xa0\xe6}\x08\xc6\x1a\x87\xbd\x18\xa8s\xbd&\xca`\x0c\x9d\xce\x99\x9f\xcf\\x0f0\xe1\xbe\x141\xea\x020\x14\xf4\x93<I\xa73z\x90FG\xb3c}\x13\x9bN\xb7o\x187\x80S\xfe\xdd \xe05\x9a6\xd1\xc7\x01\xb9\xe6\xdc\xdd\xf3\xff\x1d,:\x16W\xd9\x929\xd6, CN=Certigna,O=Dhimyotis,C=FR = 
0\x82\x03\xa80\x82\x02\x90\xa0\x03\x02\x01\x02\x02\x09\x00\xfe\xdc\xe3\x01\x0f\xc9H\xff0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x05\x05\x00041\x0b0\x09\x06\x03U\x04\x06\x13\x02FR1\x120\x10\x06\x03U\x04\x0a\x0c\x09Dhimyotis1\x110\x0f\x06\x03U\x04\x03\x0c\x08Certigna0\x1e\x17\x0d070629151305Z\x17\x0d270629151305Z041\x0b0\x09\x06\x03U\x04\x06\x13\x02FR1\x120\x10\x06\x03U\x04\x0a\x0c\x09Dhimyotis1\x110\x0f\x06\x03U\x04\x03\x0c\x08Certigna0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xc8h\xf1\xc9\xd6\xd6\xb34u&\x82\x1e\xec\xb4\xbe\xea\\xe1&\xed\x11Ga\xe1\xa2|\x16x@!\xe4`\x9eZ\xc8c\xe1\xc4\xb1\x96\x92\xff\x18mi#\xe1+b\xf7\xdd\xe26/\x91\x07\xb9H\xcf\x0e\xecy\xb6,\xe74Kp\x08%\xa3<\x87\x1b\x19\xf2\x81\x07\x0f8\x90\x19\xd3\x11\xfe\x86\xb4\xf2\xd1^\x1e\x1e\x96\xcd\x80l\xce;1\x93\xb6\xf2\xa0\xd0\xa9\x95\x12}\xa5\x9a\xcck\xc8\x84V\x8a3\xa9\xe7"\x15S\x16\xf0\xcc\x17\xecW_\xe9\xa2\x0a\x98\x09\xde\xe3_\x9co\xdcH\xe3\x85\x0b\x15Z\xa6\xba\x9f\xacH\xe3\x09\xb2\xf7\xf42\xde^4\xbe\x1cx]B[\xce\x0e"\x8fM\x90\xd7}2\x18\xb3\x0b,j\xbf\x8e?\x14\x11\x89 \x0ew\x14\xb5=\x94\x08\x87\xf7%\x1e\xd5\xb2`\x00\xeco*(%n*>\x18c\x17%?>D 
\x16\xf6&\xc8%\xae\x05J\xb4\xe7c,\xf3\x8c\x16S~\\xfb\x11\x1a\x08\xc1Fb\x9f"\xb8\xf1\xc2\x8di\xdc\xfa:X\x06\xdf\x02\x03\x01\x00\x01\xa3\x81\xbc0\x81\xb90\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x1a\xed\xfeA9\x90\xb4$Y\xbe\x01\xf2R\xd5E\xf6Z9\xdc\x110d\x06\x03U\x1d#\x04]0[\x80\x14\x1a\xed\xfeA9\x90\xb4$Y\xbe\x01\xf2R\xd5E\xf6Z9\xdc\x11\xa18\xa46041\x0b0\x09\x06\x03U\x04\x06\x13\x02FR1\x120\x10\x06\x03U\x04\x0a\x0c\x09Dhimyotis1\x110\x0f\x06\x03U\x04\x03\x0c\x08Certigna\x82\x09\x00\xfe\xdc\xe3\x01\x0f\xc9H\xff0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x060\x11\x06\x09`\x86H\x01\x86\xf8B\x01\x01\x04\x04\x03\x02\x00\x070\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x85\x03\x1e\x92q\xf6B\xaf\xe1\xa3a\x9e\xeb\xf3\xc0\x0f\xf2\xa5\xd4\xda\x95\xe6\xd6\xbeh6=~n\x1fL\x8a\xef\xd1\x0f!m^\xa5Rc\xce\x12\xf8\xef*\xdao\xeb7\xfe\x13\x02\xc7\xcb;>"k\xdaa.\x7f\xd4r=\xdd0\xe1\x1eL@\x19\x8c\x0f\xd7\x9c\xd1\x830{\x98Y\xdc}\xc6\xb9\x0c)L\xa13\xa2\xebg:e\x84\xd3\x96\xe2\xedvEp\x8f\xb5+\xde\xf9#\xd6In<\x14\xb5\xc6\x9f5\x1eP\xd0\xc1\x8fjpD\x02b\xcb\xae\x1dhA\xa7\xaaW\xe8S\xaa\x07\xd2\x06\xf6\xd5\x14\x06\x0b\x91\x03u,lr\xb5a\x95\x9a\x0d\x8b\xb9\x0d\xe7\xf5\xdfT\xcd\xde\xe6\xd8\xd6\x09\x08\x97c\xe5\xc1.\xb0\xb7D&\xc0&\xc0\xafU0\x9e;\xd56*\x19\x04\xf4\\x1e\xff\xcf,\xb7\xff\xd0\xfd\x87@\x11\xd5\x11#\xbbH\xc0!\xa9\xa4(-\xfd\x15\xf8\xb0N+\xf40[!\xfc\x11\x914\xbeA\xef{\x9d\x97u\xff\x97\x95\xc0\x96X/\xea\xbbF\xd7\xbb\xe4\xd9., OU=ePKI Root Certification Authority,O=Chunghwa Telecom Co., Ltd.,C=TW = 0\x82\x05\xb00\x82\x03\x98\xa0\x03\x02\x01\x02\x02\x10\x15\xc8\xbdeG\\xaf\xb8\x97\x00^\xe4\x06\xd2\xbc\x9d0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x05\x05\x000^1\x0b0\x09\x06\x03U\x04\x06\x13\x02TW1#0!\x06\x03U\x04\x0a\x0c\x1aChunghwa Telecom Co., Ltd.1*0(\x06\x03U\x04\x0b\x0c!ePKI Root Certification 
Authority0\x1e\x17\x0d041220023127Z\x17\x0d341220023127Z0^1\x0b0\x09\x06\x03U\x04\x06\x13\x02TW1#0!\x06\x03U\x04\x0a\x0c\x1aChunghwa Telecom Co., Ltd.1*0(\x06\x03U\x04\x0b\x0c!ePKI Root Certification Authority0\x82\x02"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x02\x0f\x000\x82\x02\x0a\x02\x82\x02\x01\x00\xe1%\x0f\xee\x8d\xdb\x883ug\xcd\xad\x1f}:Nm\x9d\xd3/\x14\xf3ct\xcb\x01!j7\xea\x84P\x07K&[\x09Cl!\x9ej\xc8\xd5\x03\xf5`i\x8f\xcc\xf0"\xe4\x1f\xe7\xf7j"1\xb7,\x15\xf2\xe0\xfe\x00jC\xff\x87e\xc6\xb5\x1a\xc1\xa7Lm"p!\x8a1\xf2\x97t\x89\x09\x12&\x1c\x9e\xca\xd9\x12\xa2\x95<\xda\xe9g\xbf\x08\xa0d\xe3\xd6B\xb7E\xef\x97\xf4\xf6\xf5\xd7\xb5J\x15\x02X}\x98XK`\xbc\xcd\xd7\x0d\x9a\x133S\xd1a\xf9z\xd5\xd7x\xb3\x9a3\xf7\x00\x86\xce\x1dM\x948\xaf\xa8\xecxQp\x8a\\x10\x83Q!\xf7\x11=4\x86^\xe5H\xcd\x97\x81\x825L\x19\xece\xf6k\xc5\x05\xa1\xeeG\x13\xd6\xb3!'\x94\x10\x0a\xd9$;\xba\xbeD\x13F0?\x97<\xd8\xd7\xd7j\xee;8\xe3+\xd4\x97\x0e\xb9\x1b\xe7\x07I\x7f7*\xf9wx\xcfT\xed[F\x9d\xa3\x80\x0e\x91C\xc1\xd6[_\x14\xba\x9f\xa6\x8d$G@Y\xbfr8\xb26l7\xff\x99\xd1]\x0eY\x0a\xabi\xf7\xc0\xb2\x04EzT\x00\xae\xbeS\xf6\xb5\xe7\xe1\xf8<\xa31\xd2\xa9\xfe!Rd\xc5\xa6g\xf0u\x07\x06\x94\x14\x81U\xc6'\xe4\x01\x8f\x17\xc1jq\xd7\xbeK\xfb\x94X}~\x113\xb1B\xf7bl\x18\xd6\xcf\x09h>\x7fl\xf6\x1e\x8fb\xad\xa5c\xdb\x09\xa7\x1f"BA\x1eo\x99\x8a>\xd7\xf9?@zy\xb0\xa5\x01\x92\xd2\x9d=\x08\x15\xa5\x10\x01-\xb32v\xa8\x95\x0d\xb3z\x9a\xfb\x07\x10x\x11o\xe1\x8f\xc7\xba\x0f%\x1at*\xe5\x1c\x98A\x99\xdf!\x87\xe8\x95\x06j\x0a\xb3jGve\xf6:\xcf\x8fb\x17\x19{\x0a(\xcd\x1a\xd2\x83\x1e!\xc7,\xbf\xbe\xffah\xb7g\x1b\xbbxM\x8d\xceg\xe5\xe4\xc1\x8e\xb7#f\xe2\x9d\x90u4\x98\xa96+\x8a\x9a\x94\xb9\x9d\xec\xcc\x8a\xb1\xf8%\x89\Z\xb6/\x8c\x1fmy$\xa7Rh\xc3\x845\xe2f\x8dc\x0e%M\xd5\x19\xb2\xe6y7\xa7"\x9dT1\x02\x03\x01\x00\x01\xa3j0h0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x1e\x0c\xf7\xb6g\xf2\xe1\x92&\x09E\xc0U9.w?BJ\xa20\x0c\x06\x03U\x1d\x13\x04\x050\x03\x01\x01\xff09\x06\x04g*\x07\x00\x0410/0-\x02\x01\x000\x09\x06\x05+\x0e\x03\x02\x1
a\x05\x000\x07\x06\x05g*\x03\x00\x00\x04\x14E\xb0\xc2\xc7\x0aV|\xee[x\x0c\x95\xf9\x18S\xc1\xa6\x1c\xd8\x100\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x09\xb3\x83SY\x01>\x95I\xb9\xf1\x81\xba\xf9v #\xb5'`t\xd4j\x994^l\x00S\xd9\x9f\xf2\xa6\xb1$\x07Dj*\xc6\xa5\x8ex\x12\xe8G\xd9X\x1b\x13*^y\x9b\x9f\x0a*g\xa6%?\x06iVs\xc3\x8afH\xfb)\x81Wt\x06\xca\x9c\xea(\xe88g&+\xf1\xd5\xb5?e\x93\xf86]\x8e\x8d\x8d@ \x87\x19\xea\xef'\xc0=\xb49\x0f%{hPtU\x9c\x0cY}Z=A\x94%R\x08\xe0G,\x151\x19\xd5\xbf\x07U\xc6\xbb\x12\xb5\x97\xf4_\x83\x85\xbaq\xc1\xd9l\x81\x11v\x0a\x0a\xb0\xbf\x82\x97\xf7\xea=\xfa\xfa\xec-\xa9(\x94;V\xdd\xd2Q.\xae\xc0\xbd\x08\x15\x8cwR4\x96\xd6\x9b\xac\xd3\x1d\x8ea\x0f5{\x9b\xae9i\x0bb`@ 6\x8f\xaf\xfb6\xee-\x08J\x1d\xb8\xbf\x9b\\xf8\xea\xa5\x1b\xa0s\xa6\xd8\xf8n\xe03\x04_h\xaa'\x87\xed\xd9\xc1\x90\x9c\xed\xbd\xe3j5\xafc\xdf\xab\x18\xd9\xba\xe6\xe9J\xeaP\x8a\x0fa\x93\x1e\xe2-\x19\xe20\x945\x92]\x0e\xb6\x07\xaf\x19\x80\x8fG\x90QK.M\xdd\x85\xe2\xd2\x0aR\x0a\x17\x9a\xfc\x1a\xb0P\x02\xe5\x01\xa3c7!LD\xc4\x9bQ\x99\x11\x0es\x9c\x06\x8fT.\xa7(^D9\x87V-7\xbd\x85D\x94\xe1\x0cK,\x9c\xc3\x92\x854a\xcb\x0f\xb8\x9bJCR\xfe4:}\xb8\xe9)\xdcv\xa9\xc80\xf8\x14q\x80\xc6\x1e6Ht"A\\x87\x82\xe8\x18q\x8bA\x89D\xe7~X[\xa8\xb8\x8d\x13\xe9\xa7l\xc3G\xed\xb3\x1a\x9db\xae\x8d\x82\xea\x94\x9e\xddY\x10\xc3\xad\xdd\xe2M\xe31\xd5\xc7\xec\xe8\xf2\xb0\xfe\x92\x1e\x16\x0a\x1a\xfc\xd9\xf3\xf8'\xb6\xc9\xbe\x1d\xb4ld\x90\x7f\xf4\xe4\xc4[\xd77\xaeB\x0e\xdd\xa4\x1ao|\x88T\xc5\x16n\xe1zh.\xf8:\xbf\x0d\xa4<\x89;x\xa7Nc\x83\x04!\x08g\x8d\xf2\x82I\xd0[\xfd\xb1\xcd\x0f\x83\x84\xd4> \x85\xf7J=+\x9c\xfd*\x0a\x09M\xea\x81\xf8\x11\x9c, OU=certSIGN ROOT CA,O=certSIGN,C=RO = 0\x82\x0380\x82\x02 \xa0\x03\x02\x01\x02\x02\x06 \x06\x05\x16p\x020\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x05\x05\x000;1\x0b0\x09\x06\x03U\x04\x06\x13\x02RO1\x110\x0f\x06\x03U\x04\x0a\x13\x08certSIGN1\x190\x17\x06\x03U\x04\x0b\x13\x10certSIGN ROOT 
CA0\x1e\x17\x0d060704172004Z\x17\x0d310704172004Z0;1\x0b0\x09\x06\x03U\x04\x06\x13\x02RO1\x110\x0f\x06\x03U\x04\x0a\x13\x08certSIGN1\x190\x17\x06\x03U\x04\x0b\x13\x10certSIGN ROOT CA0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb73\xb9~\xc8%J\x8e\xb5\xdb\xb4(\x1b\xaaW\x90\xe8\xd1"\xd3d\xba\xd3\x93\xe8\xd4\xac\x86a@j`WhT\x84M\xbcjT\x02\x05\xff\xdf\x9b\x9a*\xae]\x07\x8fJ\xc3(\x7f\xef\xfb+\xfay\xf1\xc7\xad\xf0\x10S$\x90\x8bf\xc9\xa8\x88\xab\xafZ\xa3\x00\xe9\xbe\xbaF\xee[s{,\x17\x82\x81^b,\xa1\x02e\xb3\xbd\xc5+\x00~\xc4\xfc\x033W\x0d\xed\xe2\xfa\xce]E\xd68\xcd5\xb6\xb2\xc1\xd0\x9c\x81J\xaa\xe4\xb2\x01\\x1d\x8f_\x99\xc4\xb1\xad\xdb\x88!\xeb\x90\x08\x82\x80\xf30\xa3C\xe6\x90\x82\xaeU(I\xed[\xd7\xa9\x108\x0e\xfe\x8fL[\x9bF\xeaA\xf5\xb0\x08t\xc3\xd0\x883\xb6|\xd7t\xdf\xdc\x84\xd1C\x0eu9\xa1%@(\xeax\xcb\x0e,.9\x9d\x8c\x8bn\x16\x1c/&\x82\x10\xe2\xe3e\x94\x0a\x04\xc0^\xf7][\xf8\x10\xe2\xd0\xbazK\xfb\xde7\x00\x00\x1a[(\xe3\xd2\x9cs>2\x87\x98\xa1\xc9Q/\xd7\xde\xac3\xb3O\x02\x03\x01\x00\x01\xa3B0@0\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\xc60\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xe0\x8c\x9b\xdb%I\xb3\xf1|\x86\xd6\xb2B\x87\x0b\xd0k\xa0\xd9\xe40\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00>\xd2\x1c\x89.5\xfc\xf8u\xdd\xe6\x7fe\x88\xf4rL\xc9,\xd72N\xf3\xdd\x19yG\xbd\x8e;[\x93\x0fPI$\x13k\x14\x06r\xef\x09\xd3\xa1\xa1\xe3@\x84\xc9\xe7\x182t<Hn\x0f\x9fK\xd4\xf7\x1e\xd3\x93\x86dT\x97crP\xd5U\xcf\xfa 
\x93\x02\xa2\x9b\xc3#\x93N\x16Uv\xa0pym\xcd!\x1f\xcf/-\xbc\x19\xe3\x881\xf8Y\x1a\x81\x09\xc8\x97\xa6t\xc7`\xc4[\xccW\x8e\xb2u\xfd\x1b\x02\x09\xdbYor\x93i\xf71A\xd6\x888\xbf\x87\xb2\xbd\x16y\xf9\xaa\xe4\xbe\x88%\xdda'#\x1c\xb51\x07\x046\xb4\x1a\x90\xbd\xa0tqP\x89m\xbc\x14\xe3\x0f\x86\xae\xf1\xab>\xc7\xa0\x09\xcc\xa3H\xd1\xe0\xdbd\xe7\x92\xb5\xcf\xafrCp\x8b\xf9\xc3\x84<\x13\xaa~\x92\x9bWS\x93\xfap\xc2\x91\x0e1\xf9\x9bg]\xe9\x968^_\xb3sN\x88\x15g\xde\x9ev\x10b \xbeUi\x95C\x009M\xf6\xee\xb0ZNIDTX_B\x83, CN=NetLock Arany (Class Gold) FC591tanC3BAsC3ADtvC3A1ny,OU=TanC3BAsC3ADtvC3A1nykiadC3B3k (Certification Services),O=NetLock Kft.,L=Budapest,C=HU = 0\x82\x04\x150\x82\x02\xfd\xa0\x03\x02\x01\x02\x02\x06IA,\xe4\x00\x100\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000\x81\xa71\x0b0\x09\x06\x03U\x04\x06\x13\x02HU1\x110\x0f\x06\x03U\x04\x07\x0c\x08Budapest1\x150\x13\x06\x03U\x04\x0a\x0c\x0cNetLock Kft.1705\x06\x03U\x04\x0b\x0c.Tan\xc3\xbas\xc3\xadtv\xc3\xa1nykiad\xc3\xb3k (Certification Services)1503\x06\x03U\x04\x03\x0c,NetLock Arany (Class Gold) F\xc5\x91tan\xc3\xbas\xc3\xadtv\xc3\xa1ny0\x1e\x17\x0d081211150821Z\x17\x0d281206150821Z0\x81\xa71\x0b0\x09\x06\x03U\x04\x06\x13\x02HU1\x110\x0f\x06\x03U\x04\x07\x0c\x08Budapest1\x150\x13\x06\x03U\x04\x0a\x0c\x0cNetLock Kft.1705\x06\x03U\x04\x0b\x0c.Tan\xc3\xbas\xc3\xadtv\xc3\xa1nykiad\xc3\xb3k (Certification Services)1503\x06\x03U\x04\x03\x0c,NetLock Arany (Class Gold) F\xc5\x91tan\xc3\xbas\xc3\xadtv\xc3\xa1ny0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xc4$^s\xbeKm\x14\xc3\xa1\xf4\xe3\x97\x90n\xd20E\x1e<\xeeg\xd9d\xe0\x1a\x8a\x7f\xca0\xca\x83\xe3 
\xc1\xe3\xf4:\xd3\x94_\x1a|[m\xbf0O\x84'\xf6\x9f\x1fI\xbc\xc6\x99\x0a\x90\xf2\x0f\xf5\x7fC\x847cQ\x8bz\xa5p\xfczX\xcd\x8e\x9b\xed\xc3Fl\x84p]\xda\xf3\x01\x90#\xfcN0\xa9~\xe1'c\xe7\xedd<\xa0\xb8\xc93c\xfe\x16\x90\xff\xb0\xb8\xfd\xd7\xa8\xc0\xc0\x94C\x0b\xb6\xd5Y\xa6\x9eV\xd0$\x1fpy\xaf\xdb9T\x0deu\xd9\x15A\x94\x01\xaf^\xec\xf6\x8d\xf1\xff\xadd\xfe \x9a\xd7\\xeb\xfe\xa6\x1f\x08d\xa3\x8bvU\xad\x1e;(`.\x87%\xe8\xaa\xaf\x1f\xc6dF \xb7p\x7f<\xdeH\xdb\x96S\xb79w\xe4\x1a\xe2\xc7\x16\x84v\x97[/\xbb\x19\x15\x85\xf8i\x85\xf5\x99\xa7\xa9\xf24\xa7\xa9\xb6\xa6\x03\xfco\x86=T|v\x04\x9bk\xf9@]\x004\xc7.\x99u\x9d\xe5\x88\x03\xaaM\xf8\x03\xd2Bv\xc0\x1b\x02\x03\x00\xa8\x8b\xa3E0C0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x040\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x060\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xcc\xfag\x93\xf0\xb6\xb8\xd0\xa5\xc0\x1e\xf3S\xfd\x8cS\xdf\x83\xd7\x960\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\xab\x7f\xee\x1c\x16\xa9\x9c<Q\x00\xa0\xc0\x11\x08\x05\xa7\x99\xe6o\x01\x88Tan\xf1\xb9\x18\xadJ\xad\xfe\x81@#\x94/\xfbu|/(Kb$\x81\x82\x0b\xf5a\xf1\x1cn\xb8a8\xeb\x81\xfab\xa1;Zb\xd3\x94e\xc4\xe1\xe6m\x82\xf8/%p\xb2!&\xc1rQ\x1f\x8c,\xc3\x84\x90\xc3Z\x8f\xba\xcf\xf4\xa7e\xa5\xeb\x98\xd1\xfb\x05\xb2Fu\x15#jo\x85c0\x80\xf0\xd5\x9e\x1f)\x1c\xc2l\xb0PY]\x90[;\xa8\x0d0\xcf\xbf}\x7f\xce\xf1\x9d\x83\xbd\xc9Fn \xa6\xf9aQ\xba!/{\xbe\xa5\x15c\xa1\xd4\x95\x87\xf1\x9e\xb9\xf3\x89\xf3=\x85\xb8\xb8\xdb\xbe\xb5\xb9)\xf9\xda7\x05\x00I\x94\x03\x84D\xe7\xbfC1\xcfu\x8b%\xd1\xf4\xa6d\xf5\x92\xf6\xab\x05\xeb=\xe9\xa5\x0b6b\xda\xcc\x06_6\x8b\xb6^1\xb8*\xfb^\xf6q\xdfD&\x9e\xc4\xe6\x0d\x91\xb4.u\x95\x80QjK0\xa6\xb0b\xa1\x93\xf1\x9b\xd8\xce\xc4cu?YG\xb1, CN=Hongkong Post Root CA 1,O=Hongkong Post,C=HK = 0\x82\x0300\x82\x02\x18\xa0\x03\x02\x01\x02\x02\x02\x03\xe80\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x05\x05\x000G1\x0b0\x09\x06\x03U\x04\x06\x13\x02HK1\x160\x14\x06\x03U\x04\x0a\x13\x0dHongkong Post1 
0\x1e\x06\x03U\x04\x03\x13\x17Hongkong Post Root CA 10\x1e\x17\x0d030515051314Z\x17\x0d230515045229Z0G1\x0b0\x09\x06\x03U\x04\x06\x13\x02HK1\x160\x14\x06\x03U\x04\x0a\x13\x0dHongkong Post1 0\x1e\x06\x03U\x04\x03\x13\x17Hongkong Post Root CA 10\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xac\xff8\xb6\xe9f\x02I\xe3\xa2\xb4\xe1\x90\xf9@\x8fy\xf9\xe2\xbdy\xfe\x02\xbd\xee$\x92\x1d"\xf6\xda\x85ri\xfe\xd7?\x09\xd4\xdd\x91\xb5\x02\x9c\xd0\x8dZ\xe1U\xc3P\x86\xb9)&\xc2\xe3\xd9\xa0\xf1i\x03( \x80E"-V\xa7;T\x95V"Y\x1f(\xdf\x1f =m\xa26\xbe#\xa0\xb1n\xb5\xb1'?9S\x09\xea\xabj\xe8t\xb2\xc2e\\x8e\xbf|\xc3x\x84\xcd\x9e\x16\xfc\xf5.O *\x08\x9fw\xf3\xc5\x1e\xc4\x9aRf\x1eH^\xe3\x10\x06\x8f"\x98\xe1e\x8e\x1b]#f;\xb8\xa52Q\xc8\x86\xaa\xa1\xa9\x9e\x7fv\x94\xc2\xa6l\xb7A\xf0\xd5\xc8\x068\xe6\xd4\x0c\xe2\xf3;LmP\x8c\xc4\x83'\xc1\x13\x84Y=\x9eut\xb6\xd8\x02^:\x90z\xc0B6r\xecjM\xdc\xef\xc4\x00\xdf\x13\x18W_&x\xc8\xd6\x0ayw\xbf\xf7\xaf\xb7v\xb9\xa5\x0b\x84\x17]\x10\xeao\xe1\xab\x95\x11_m<\xa3\M\x83[\xf2\xb3\x19\x8a\x80\x8b\x0b\x87\x02\x03\x01\x00\x01\xa3&0$0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x030\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\xc60\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x0eF\xd5<\xae\xe2\x87\xd9^\x81\x8b\x02\x98A\x08\x8cL\xbc\xda\xdb\xee'\x1b\x82\xe7jE\xec\x16\x8bO\x85\xa0\xf3\xb2p\xbdZ\x96\xba\xcanm\xeeF\x8bn\xe7*.\x96\xb3\x193\xeb\xb4\x9f\xa8\xb27\xee\x98\xa8\x97\xb6.\xb6g'\xd4\xa6I\xfd\x1c\x93ev\x9eB/\xdc"l\x9aO\xf2Z\x159\xb1q\xd7+Q\xe8m\x1c\x98\xc0\xd9*\xf4\xa1\x82{\xd5\xc9A\xa2#\x01t8U\x8b\x0f\xb9.g\xa2 \x047\xda\x9c\x0b\xd3\x17!\xe0\x8f\x97y4o\x84H\x02 
3\x1b\xe64D\x9f\x91p\xf4\x80^\x84C\xc2)\xd2l\x12\x14\xe4a\x8d\xac\x10\x90\x9e\x84P\xbb\xf0\x96oE\x9f\x8a\xf3\xcalO\xfa\x11:\x15\x15F\xc3\xcd\x1f\x83[-A\x12\xedPgA\x13=!\xab\x94\x8a\xaaN|\xc1\xb1\xfb\xa7\xd6\xb5'/\x97\xabn\xe0\x1d\xe2\xd1\x1c,\x1fD\xe2\xfc\xbe\x91\xa1\x9c\xfb\xd6)Ss\x86\x9fS\xd8C\x0e]\xd6c\x82q\x1d\x80t\xca\xf6\xe2\x02k\xd9Z, CN=SecureSign RootCA11,O=Japan Certification Services, Inc.,C=JP = 0\x82\x03m0\x82\x02U\xa0\x03\x02\x01\x02\x02\x01\x010\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x05\x05\x000X1\x0b0\x09\x06\x03U\x04\x06\x13\x02JP1+0)\x06\x03U\x04\x0a\x13"Japan Certification Services, Inc.1\x1c0\x1a\x06\x03U\x04\x03\x13\x13SecureSign RootCA110\x1e\x17\x0d090408045647Z\x17\x0d290408045647Z0X1\x0b0\x09\x06\x03U\x04\x06\x13\x02JP1+0)\x06\x03U\x04\x0a\x13"Japan Certification Services, Inc.1\x1c0\x1a\x06\x03U\x04\x03\x13\x13SecureSign RootCA110\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xfdw\xaa\xa5\x1c\x90\x05;\xcbL\x9b3\x8bZ\x14E\xa4\xe7\x90\x16\xd1\xdfW\xd2!\x10\xa4\x17\xfd\xdf\xac\xd6\x1f\xa7\xe4\xdb|\xf7\xec\xdf\xb8\x03\xda\x94X\xfd]r|\x8c?_\x01gt\x15\x96\xe3\x02<\x87\xdb\xae\xcb\x01\x8e\xc2\xf3f\xc6\x85E\xf4\x02\xc6:\xb5b\xb2\xaf\xfa\x9c\xbf\xa4\xe6\xd4\x800\x98\xf3\x0d\xb6\x93\x8f\xa9\xd4\xd86\xf2\xb0\xfc\x8a\xca,\xa1\x153\x951\xda\xc0\x1b\xf2\xeeb\x99\x86c?\xbf\xdd\x93*\x83\xa8v\xb9\x13\x1f\xb7\xceNB\x85\x8f"\xe7.\x1a\xf2\x95\x09\xb2\x05\xb5DNw\xa1 
\xbd\xa9\xf2N\x0a}P\xad\xf5\x05\x0dEOFq\xfd(>S\xfb\x04\xd8-\xd7e\x1dJ\x1b\xfa\xcf;\xb01\x9a5n\xc8\x8b\x06\xd3\x00\x91\xf2\x94\x08eL\xb14\x06\x00z\x89\xe2\xf0\xc7\x03Y\xcf\xd5\xd6\xe8\xa72\xb3\xe6\x98@\x86\xc5\xcd'\x12\x8b\xcc{\xce\xb7\x11<b`\x07#>+@n\x94\x80\x09m\xb6\xb3owo5\x08P\xfb\x02\x87\xc5>\x89\x02\x03\x01\x00\x01\xa3B0@0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14[\xf8MO\xb2\xa5\x86\xd4:\xd2\xf1c\x9a\xa0\xbe\x09\xf6W\xb7\xde0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x060\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xa0\xa18\x16f.\xa7V\x1f!\x9c\x06\xfa\x1d\xed\xb9"\xc58&\xd8NO\xec\xa3\x7fy\xdeF!\xa1\x87w\x8f\x07\x08\x9a\xb2\xa4\xc5\xaf\x0f2\x98\x0b|f)\xb6\x9b}%RIC\xabL.+nzp\xaf\x16\x0e\xe3\x02l\xfbB\xe6\x18\x9dE\xd8U\xc8\xe8;\xdd\xe7\xe1\xf4.\x0b\x1c4\lXJ\xfb\x8c\x88P_\x95\x1c\xbf\xed\xab"\xb5e\xb3\x85\xba\x9e\x0f\xb8\xad\xe5z\x1b\x8aP:\x1d\xbd\x0d\xbc{TP\x0b\xb9B\xafU\xa0\x18\x81\xade\x99\xef\xbe\xe4\x9c\xbf\xc4\x85\xabA\xb2To\xdc%\xcd\xedx\xe2\x8e\x0c\x8d\x09I\xddc{Zi\x96\x02!\xa8\xbdRY\xe9}5\xcb\xc8R\xca\x7f\x81\xfe\xd9k\xd3\xf7\x11\xed%\xdf\xf8\xe7\xf9\xa4\xfar\x97\x84S\x0d\xa5\xd02\x18QvY\x14l\x0f\xeb\xec_\x80\x8cuC\x83\xc3\x85\x98\xffL\x9e-\x0d\xe4w\x83\x93N\xb5\x96\x07\x8b(\x13\x9b\x8c\x19\x8dA'I@\xee\xde\xe6#D9\xdc\xa1"\xd6\xba\x03\xf2, emailAddress=info@e-szigno.hu,CN=Microsec e-Szigno Root CA 2009,O=Microsec Ltd.,L=Budapest,C=HU = 0\x82\x04\x0a0\x82\x02\xf2\xa0\x03\x02\x01\x02\x02\x09\x00\xc2~C\x04NG?\x190\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000\x81\x821\x0b0\x09\x06\x03U\x04\x06\x13\x02HU1\x110\x0f\x06\x03U\x04\x07\x0c\x08Budapest1\x160\x14\x06\x03U\x04\x0a\x0c\x0dMicrosec Ltd.1'0%\x06\x03U\x04\x03\x0c\x1eMicrosec e-Szigno Root CA 
20091\x1f0\x1d\x06\x09*\x86H\x86\xf7\x0d\x01\x09\x01\x16\x10info@e-szigno.hu0\x1e\x17\x0d090616113018Z\x17\x0d291230113018Z0\x81\x821\x0b0\x09\x06\x03U\x04\x06\x13\x02HU1\x110\x0f\x06\x03U\x04\x07\x0c\x08Budapest1\x160\x14\x06\x03U\x04\x0a\x0c\x0dMicrosec Ltd.1'0%\x06\x03U\x04\x03\x0c\x1eMicrosec e-Szigno Root CA 20091\x1f0\x1d\x06\x09*\x86H\x86\xf7\x0d\x01\x09\x01\x16\x10info@e-szigno.hu0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xe9\xf8\x8f\xf3c\xad\xda\x86\xd8\xa7\xe0B\xfb\xcf\x91\xde\xa6&\xf8\x99\xa5cp\xad\x9b\xae\xca3@}m\x96n\xa1\x0eD\xee\xe1\x13\x9d\x94BR\x9a\xbdu\x85t,\xa8\x0e\x1d\x93\xb6\x18\xb7\x8c,\xa8\xcf\xfb\q\xb9\xda\xec\xfe\xe8~\x8f\xe4/\x1d\xb2\xa8u\x87\xd8\xb7\xa1\xe5;\xcf\x99JF\xd0\x83\x19}\xc0\xa1\x12\x1c\x95mJ\xf4\xd8\xc7\xa5M3.\x859@u~\x14|\x80\x12\x98P\xc7Ag\xb8\xa0\x80aT\xa6lN\x1f\xe0\x9d\x0e\x07\xe9\xc9\xba3\xe7\xfe\xc0U(,\x02\x80\xa7\x19\xf5\x9e\xdcUS\x03\x97{\x07H\xff\x99\xfb7\x8a$\xc4Y\xccP\x10c\x8e\xaa\xa9\x1a\xb0\x84\x1a\x86\xf9_\xbb\xb1Pn\xa4\xd1\x0a\xcc\xd5q~\x1f\xa7\x1b|\xf5Sn"_\xcb+\xe6\xd4|]\xae\xd6\xc2\xc6L\xe5\x05\x01\xd9\xedW\xfc\xc1#y\xfc\xfa\xc8$\x83\x95\xf3\xb5jQ\x01\xd0w\xd6\xe9\x12\xa1\xf9\x1a\x83\xfb\x82\x1b\xb9\xb0\x97\xf4v\x063CI\xa0\xff\x0b\xb5\xfa\xb5\x02\x03\x01\x00\x01\xa3\x81\x800~0\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x060\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xcb\x0f\xc6\xdfBC\xcc=\xcb\xb5H#\xa1\x1az\xa6*\xbb4h0\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xcb\x0f\xc6\xdfBC\xcc=\xcb\xb5H#\xa1\x1az\xa6*\xbb4h0\x1b\x06\x03U\x1d\x11\x04\x140\x12\x81\x10info@e-szigno.hu0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\xc9\xd1\x0e^.\xd5\xcc\xb3|>\xcb\xfc=\xff\x0d(\x95\x93\x04\xc8\xbf\xda\xcdy\xb8C\x90\xf0\xa4\xbe\xef\xf2\xef!\x98\xbc\xd4\xd4]\x06\xf6\xeeB\xec0l\xa0\xaa\xa9\xca\xf1\xaf\x8a\xfa?\x0bsj>\xea.@~\x1f\xaeTay\xeb.\x087\xd7#\xf3\x8c\x9f\xbe\x1d\xb1\xe1\xa
4u\xdb\xa0\xe2T\x14\xb1\xba\x1c)\xa4\x18\xf6\x12\xba\xa2\x14\x14\xe315\xc8@\xff\xb7\xe0\x05vW\xc1\x1cY\xf2\xf8\xbf\xe4\xed%b\\x84\xf0~~\x1f\xb3\xbe\xf9\xb7!\x11\xcc\x03\x01Vp\xa7\x10\x92\x1e\x1b4\x81\x1e\xad\x9c\x1a\xc3\x04<\xed\x02a\xd6\x1e\x06\xf3_:\x87\xf2+\xf1E\x87\xe5=\xac\xd1\xc7W\x84\xbdk\xae\xdc\xd8\xf9\xb6\x1bbp\x0b=6\xc9B\xf22\xd7za\xe6\xd2\xdb=\xcf\xc8\xa9\xc9\x9b\xdc\xdbXD\xd7o8\xaf\x7fx\xd3\xa3\xad\x1au\xba\x1c\xc16|\x8f\x1em\x1c\xc3uF\xae5\x05\xa6\xf6\=!\xeeV\xf0\xc9\x82"-zT\xabp\xc3}"e\x82p\x96, CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3 = 0\x82\x03_0\x82\x02G\xa0\x03\x02\x01\x02\x02\x0b\x04\x00\x00\x00\x00\x01!XS\x08\xa20\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000L1 0\x1e\x06\x03U\x04\x0b\x13\x17GlobalSign Root CA - R31\x130\x11\x06\x03U\x04\x0a\x13\x0aGlobalSign1\x130\x11\x06\x03U\x04\x03\x13\x0aGlobalSign0\x1e\x17\x0d090318100000Z\x17\x0d290318100000Z0L1 0\x1e\x06\x03U\x04\x0b\x13\x17GlobalSign Root CA - R31\x130\x11\x06\x03U\x04\x0a\x13\x0aGlobalSign1\x130\x11\x06\x03U\x04\x03\x13\x0aGlobalSign0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xcc%v\x90y\x06x"\x16\xf5\xc0\x83\xb6\x84\xca(\x9e\xfd\x05v\x11\xc5\xad\x88r\xfcF\x02C\xc7\xb2\x8a\x9d\x04_$\xcb.K\xe1`\x82F\xe1R\xab\x0c\x81Gpl\xddd\xd1\xeb\xf5,\xa3\x0f\x82=\x0c+\xae\x97\xd7\xb6\x14\x86\x10y\xbb;\x13\x80w\x8c\x08\xe1I\xd2jb/\x1f^\xfa\x96h\xdf\x89'\x958\x9f\x06\xd7>\xc9\xcb&Y\x0ds\xde\xb0\xc8\xe9&\x0e\x83\x15\xc6\xef[\x8b\xd2\x04`\xcaI\xa6(\xf6i;\xf6\xcb\xc8(\x91\xe5\x9d\x8aaW7\xact\x14\xdct\xe0:\xeer/.\x9c\xfb\xd0\xbb\xbf\xf5=\x00\xe1\x063\xe8\x82+\xaeS\xa6:\x16s\x8c\xddA\x0e :\xc0\xb4\xa7\xa1\xe9\xb2O\x90.2`\xe9W\xcb\xb9\x04\x92hh\xe58&`u\xb2\x9fw\xff\x91\x14\xef\xae 
I\xfc\xad@\x15H\xd1\x021a\x19^\xb8\x97\xef\xadw\xb7d\x9az\xbf_\xc1\x13\xef\x9bb\xfb\x0dl\xe0Ti\x16\xa9\x03\xdan\xe9\x83\x93qv\xc6i\x85\x82\x17\x02\x03\x01\x00\x01\xa3B0@0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x060\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8f\xf0K\x7f\xa8.E$\xaeMP\xfac\x9a\x8b\xde\xe2\xdd\x1b\xbc0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00K@\xdb\xc0P\xaa\xfe\xc8\x0c\xef\xf7\x96TEI\xbb\x96\x00\x09A\xac\xb3\x13\x86\x86(\x073\xcak\xe6t\xb9\xba\x00-\xae\xa4\x0a\xd3\xf5\xf1\xf1\x0f\x8a\xbfsgJ\x83\xc7D{x\xe0\xafnlo\x03)\x8e39E\xc3\x8e\xe4\xb9Wl\xaa\xfc\x12\x96\xecS\xc6-\xe4$l\xb9\x94c\xfb\xdcShgV>\x83\xb8\xcf5!\xc3\xc9h\xfe\xce\xda\xc2S\xaa\xcc\x90\x8a\xe9\xf0]F\x8c\x95\xddzX(\x1a/\x1d\xde\xcd\x007A\x8f\xedDm\xd7S(\x97~\xf3g\x04\x1e\x15\xd7\x8a\x96\xb4\xd3\xdeL'\xa4L\x1bssv\xf4\x17\x99\xc2\x1fz\x0e\xe3-\x08\xad\x0a\x1c,\xff<\xabU\x0e\x0f\x91~6\xeb\xc3WI\xbe\xe1.-|`\x8b\xc3AQ\x13#\x9d\xce\xf72k\x94\x01\xa8\x99\xe7,3\x1f:;%\xd2\x86@\xce;,\x86x\xc9a/\x14\xba\xee\xdbUo\xdf\x84\xee\x05\x09M\xbd(\xd8r\xce\xd3bPe\x1e\xeb\x92\x97\x831\xd9\xb3\xb5\xcaGX?_, CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,C=ES = 0\x82\x06\x140\x82\x03\xfc\xa0\x03\x02\x01\x02\x02\x08S\xec;\xee\xfb\xb2H_0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x05\x05\x000Q1\x0b0\x09\x06\x03U\x04\x06\x13\x02ES1B0@\x06\x03U\x04\x03\x0c9Autoridad de Certificacion Firmaprofesional CIF A626340680\x1e\x17\x0d090520083815Z\x17\x0d301231083815Z0Q1\x0b0\x09\x06\x03U\x04\x06\x13\x02ES1B0@\x06\x03U\x04\x03\x0c9Autoridad de Certificacion Firmaprofesional CIF A626340680\x82\x02"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x02\x0f\x000\x82\x02\x0a\x02\x82\x02\x01\x00\xca\x96k\x8e\xea\xf8\xfb\xf1\xa25\xe0\x7fL\xda\xe0\xc3R\xd7}\xb6\x10\xc8\x02^\xb3C*\xc4Oj\xb2\xca\x1c](\x9ax\x11\x1aiYW\xaf\xb5 
B\xe4\x8b\x0f\xe6\xdf[\xa6\x03\x92/\xf5\x11\xe4b\xd72q8\xd9\x04\x0cq\xab=Q~\x0f\x07\xdfc\x05\\xe9\xbf\x94o\xc1)\x82\xc0\xb4\xdaQ\xb0\xc1<\xbb\xad7J\\xca\xf1K6\x0e$\xab\xbf\xc3\x84w\xfd\xa8P\xf4\xb1\xe7\xc6/\xd2-Y\x8dz\x0aN\x96iR\x02\xaa6\x98\xec\xfc\xfa\x14\x83\x0c7\x1f\xc9\x927\x7f\xd7\x81-\xe5\xc4\xb9\xe0>4\xfeg\xf4>f\xd1\xd3\xf4@\xcf^b4\x0fp\x06> \x18Z\xce\xf7r\x1b%l\x93t\x14\x93\xa3s\xb1\x0e\xaa\x87\x10#Y_ \x05\x19G\xedh\x8e\x92\x12\xca]\xfc\xd6+\xb2\x92< \xcf\xe1_\xaf \xbe\xa0v\x7fv\xe5\xec\x1a\x86a3>\xe7{\xb4?\xa0\x0f\x8e\xa2\xb9jo\xb9\x87&oAl\x88\xa6P\xfdjc\x0b\xf5\x93\x16\x1b\x19\x8f\xb2\xed\x9b\x9b\xc9\x90\xf5\x01\x0c\xdf\x19=\x0f>8#\xc9/\x8f\x0c\xd1\x02\xfe\x1bU\xd6N\xd0\x8d<\xafO\xa4\xf3\xfe\xaf*\xd3\x05\x9dy\x08\xa1\xcbW1\xb4\x9c\xc8\x90\xb2g\xf4\x18\x16\x93:\xfcG\xd8\xd1x\x961\x1f\xba+\x0c_]\x99\xadc\x89Z$ v\xd8\xdf\xfd\xabN\xa6"\xaa\x9d^\xe6'\x8a}h)\xa3\xe7\x8a\xb8\xda\x11\xbb\x17-\x99\x9d\x13$F\xf7\xc5\xe2\xd8\x9f\x8e\x7f\xc7\x8ftmZ\xb2\xe8r\xf5\xac\xee$\x10\xad/\x14\xda\xff-\x9aFqG\xbeB\xdf\xbb\x01\xdb\xf4\x7f\xd3(\x8f1Y[\xd3\xc9\x02\xa6\xb4R\xcan\x97\xfbC\xc5\x08&o\x8a\xf4\xbb\xfd\x9f(\xaa\x0d\xd5E\xf3\x13:\x1d\xd8\xc0x\x8fAg<\x1e\x94d\xae{\x0b\xc5\xe8\xd9\x01\x889\x1a\x97\x86dA\xd5;\x87\x0cn\xfa\x0f\xc6\xbdH\x14\xbf9M\xd4\x9eA\xb6\x8f\x96\x1dc\x96\x93\xd9\x95\x06x1h\x9e7\x06;\x80\x89Ea9#\xc7\x1bD\xa3\x15\xe5\x1c\xf8\x920\xbb\x02\x03\x01\x00\x01\xa3\x81\xef0\x81\xec0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x010\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x060\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14e\xcd\xeb\xab5\x1e\x00>~\xd5t\xc0\x1c\xb4sG\x0e\x1ad/0\x81\xa6\x06\x03U\x1d \x04\x81\x9e0\x81\x9b0\x81\x98\x06\x04U\x1d \x000\x81\x8f0/\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16#http://www.firmaprofesional.com/cps0\\x06\x08+\x06\x01\x05\x05\x07\x02\x020P\x1eN\x00P\x00a\x00s\x00e\x00o\x00 \x00d\x00e\x00 \x00l\x00a\x00 \x00B\x00o\x00n\x00a\x00n\x00o\x00v\x00a\x00 \x004\x007\x00 \x00B\x00a\x00r\x00c\x00e\x00l\x00o\x00n\x00a\x00 
\x000\x008\x000\x001\x0070\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x17}\xa0\xf9\xb4\xdd\xc5\xc5\xeb\xadK$\xb5\xa1\x02\xab\xdd\xa5\x88J\xb2\x0fUK+W\x8c;\xe51\xdd\xfe\xc42\xf1\xe7[d\x9662\x18\xec\xa52w\xd7\xe3D\xb6\xc0\x11*\x80\xb9=jn|\x9b\xd3\xad\xfc\xc3\xd6\xa3\xe6d)|\xd1\xe18\x1e\x82+\xff'e\xaf\xfb\x16\x15\xc4.q\x84\xe5\xb5\xff\xfa\xa4G\xbdd2\xbb\xf6%\x84\xa2'B\xf5 \xb0\xc2\x13\x10\x11\xcd\x10\x15\xbaB\x90*\xd2D\xe1\x96&\xeb1H\x12\xfd*\xda\xc9\x06\xcft\x1e\xa9K\xd5\x87(\xf9y4\x92>.D\xe8\xf6\x8fO\x8f5?%\xb39\xdcc*\x90k _\xc4R\x12N\x97,*\xac\x9d\x97\xdeH\xf2\xa3f\xdb\xc2\xd2\x83\x95\xa6f\xa7\x9e%\x0f\xe9\x0b3\x91e\x0aZ\xc3\xd9T\x12\xdd\xaf\xc3N\x0e\x1f&^\x0d\xdc\xb3\x8d\xec\xd5\x81p\xde\xd2O$\x05\xf3lN\xf5LIf\x8d\xd1\xff\xd2\x0b%AH\xfeQ\x84\xc6B\xaf\x80\x04\xcf\xd0~dI\xe4\xf2\xdf\xa2\xec\xb1L\xc0*\x1d\xe7\xb4\xb1e\xa2\xc4\xbc\xf1\x98\xf4\xaap\x07c\xb4\xb8\xda;L\xfa@"0[\x11\xa6\xf0\x05\x0e\xc6\x02\x03H\xab\x86\x9b\x85\xdd\xdb\xdd\xea\xa2v\x80s}\xf5\x9c\x04\xc4E\x8d\xe7\xb9\x1c\x8b\x9e\xea\xd7u\xd1r\xb1\xdeuD\xe7B}\xe2Wk}\xdc\x99\xbc=\x83(\xea\x80\x93\x8d\xc5Le\xc1p\x81\xb88\xfcC1\xb2\xf6\x034G\xb2\xac\xfb"\x06\xcb\x1e\xdd\x17G\x1c_f\xb9\xd3\x1a\xa2\xda\x11\xb1\xa4\xbc#\xc9\xe4\xbe\x87\xff\xb9\x94\xb6\xf8] J\xd4_\xe7\xbdh{e\xf2\x15\x1e\xd2:\xa9-\xe9\xd8k$\xac\x97XDG\xadY\x18\xf1!ep\xde\xce4`\xa8@\xf1\xf3<\xa4\xc3(#\x8c\xfe'3C@\xa0\x17<\xeb\xea;\xb0r\xa6\xa3\xb9JK^\x16H\xf4\xb2\xbc\xc8\x8c\x92\xc5\x9d\x9f\xacr6\xbc4\x804k\xa9\x8b\x92\xc0\xb8\x17\xed\xecvS\xf5$\x01\x8c\xb3"\xe8K|U\xc6\x9d\xfa\xa3\x14\xbbe\x85nnO\x12~\x0a<\x9d\x95, CN=Izenpe.com,O=IZENPE S.A.,C=ES = 0\x82\x05\xf10\x82\x03\xd9\xa0\x03\x02\x01\x02\x02\x10\x00\xb0\xb7Z\x16H_\xbf\xe1\xcb\xf5\x8b\xd7\x19\xe6}0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00081\x0b0\x09\x06\x03U\x04\x06\x13\x02ES1\x140\x12\x06\x03U\x04\x0a\x0c\x0bIZENPE 
S.A.1\x130\x11\x06\x03U\x04\x03\x0c\x0aIzenpe.com0\x1e\x17\x0d071213130828Z\x17\x0d371213082725Z081\x0b0\x09\x06\x03U\x04\x06\x13\x02ES1\x140\x12\x06\x03U\x04\x0a\x0c\x0bIZENPE S.A.1\x130\x11\x06\x03U\x04\x03\x0c\x0aIzenpe.com0\x82\x02"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x02\x0f\x000\x82\x02\x0a\x02\x82\x02\x01\x00\xc9\xd3z\xca\x0f\x1e\xac\xa7\x86\xe8\x16ej\xb1\xc2\x1bE2q\x95\xd9\xfe\x10[\xcc\xaf\xe7\xa5y\x01\x8f\x89\xc3\xca\xf2Uq\xf7w\xbew\x94\xf3r\xa4,D\xd8\x9e\x92\x9b\x14:\xa1\xe7$\x90\x0a\x0aV\x8e\xc5\xd8&\x94\xe1\xd9H\xe1->\xda\x0ar\xdd\xa3\x99\x15\xda\x81\xa2\x87\xf4{n&w\x89X\xad\xd6\xeb\x0c\xb2Azsnm\xdbzxA\xe9\x08\x88\x12~\x87.f\x11clT\xfb<\x9dr\xc0\xbc.\xff\xc2\xb7\xdd\x0dv\xe3:\xd7\xf7\xb4h\xbe\xa2\xf5\xe3\x81n\xc1Fo]\x8d\xe0M\xc6TU\x89\x1a31\x0a\xb1W\xb9\xa3\x8a\x98\xc3\xec;4\xc5\x95Ai~u\xc2< \xc5a\xbaQG\xa0 \x90\x93\xa1\x90K\xf3N|\x85ET\x9a\xd1\x05&A\xb0\xb5M\x1d3\xbe\xc4\x03\xc8%|\xc1p\xdb;\xf4\x09-T'H\xac/\xe1\xc4\xac>\xc8\xcb\x92LS97#\xec\xd3\x01\xf9\xe0\x09DMMd\xc0\xe1\x0dZ\x87"\xbc\xad\x1b\xa3\xfe&\xb5\x15\xf3\xa7\xfc\x84\x19\xe9\xec\xa1\x88\xb4Di\x84\x83\xf3\x89\xd1t\x06\xa9\xcc\x0b\xd6\xc2\xde'\x85P&\xca\x17\xb8\xc9z\x87V,\x1a\x01\x1el\xbe\x13\xad\x10\xac\xb5$\xf58\x91\xa1\xd6K\xda\xf1\xbb\xd2\xdeG\xb5\xf1\xbc\x81\xf6Yk\xcf\x19S\xe9\x8d\x15\xcbJ\xcb\xa9oD\xe5\x1bA\xcf\xe1\x86\xa7\xca\xd0j\x9f\xbcL\x8d\x063Z\xa2\x85\xe5\x905\xa0b\\x16N\xf0\xe3\xa2\xfa\x03\x1a\xb4,q\xb3X,\xde{\x0b\xdb\x1a\x0f\xeb\xde!\x1f\x06w\x06\x03\xb0\xc9\xef\x99\xfc\xc0\xb9O\x0b\x86(\xfe\xd2\xb9\xea\xe3\xda\xa5\xc3Gi\x12\xe0\xdb\xf0\xf6\x19\x8b\xed{p\xd7\x02\xd6\xed\x87\x18(,\x04$Lw\xe4H\x8a\x1a\xc6;\x9a\xd4\x0f\xca\xfau\xd2\x01@Z\x8dy\xbf\x8b\xcfK\xcf\xaa\x16\xc1\x95\xe4\xadL\x8a>\x17\x91\xd4\xb1b\xe5\x82\xe5\x80\x04\xa4\x03~\x8d\xbf\xda\x7f\xa2\x0f\x97O\x0c\xd3\x0d\xfb\xd7\xd1\xe5r~\x1c\xc8w\xff[\x9a\x0f\xb7\xae\x05F\xe5\xf1\xa8\x16\xecG\xa4\x17\x02\x03\x01\x00\x01\xa3\x81\xf60\x81\xf30\x81\xb0\x06\x03U\x1d\x11\x04\x81\xa80\x81\xa5\x81\x0finfo@izenpe.co
m\xa4\x81\x910\x81\x8e1G0E\x06\x03U\x04\x0a\x0c>IZENPE S.A. - CIF A01337260-RMerc.Vitoria-Gasteiz T1055 F62 S81C0A\x06\x03U\x04\x09\x0c:Avda del Mediterraneo Etorbidea 14 - 01010 Vitoria-Gasteiz0\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x060\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x1d\x1ce\x0e\xa8\xf2%{\xb4\x91\xcf\xe4\xb1\xb1\xe6\xbdUtl\x050\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x02\x01\x00x\xa6\x0c\x16J\x9fL\x88:\xc0\xcb\x0e\xa5\x16}\x9f\xb9H_\x18\x8f\x0db6\xf6\xcd\x19k\xac\xab\xd5\xf6\x91}\xaeq\xf3?\xb3\x0ex\x85\x9b\x95\xa4'!GBJ|H:\xf5E|\xb3\x0c\x8eQx\xac\x95\x13\xde\xc6\xfd}\xb8\x1a\x90L\xab\x92\x03\xc7\xedB\x01\xce\x0f\xd8\xb1\xfa\xa2\x92\xe1`m\xaezk\x09\xaa\xc6)\xeehIg0\x80$z1\x169[~\xf1\x1c.\xddl\x09\xad\xf21\xc1\x82N\xb9\xbb\xf9\xbe\xbf*\x85?\xc0@\xa3:Y\xfcYK<($\xdb\xb4\x15u\xae\x0d\x88\xba.s\xc0\xbdX\x87\xe5B\xf2\xeb^\xee\x1e0"\x99\xcb7\xd1\xc4!l\x81\xec\xbem&\xe6\x1c\xe4B \x9eG\xb0\xac\x83Yp,5\xd6\xaf64\xb4\xcd;\xf82\xa8\xef\xe3x\x89\xfb\x8dE,\xda\x9c\xb8~@\x1ca\xe7>\xa2\x92,K\xf2\xcd\xfa\x98\xb6)\xff\xf3\xf2{\xa9\x1f.\xa0\x93W+\xde\x85\x03\xf9i7\xcb\x9exj\x05\xb4\xc51x\x89\xecz\xa7\x85\xe1\xb9{<\xde\xbe\x1ey\x84\xce\x9fp\x0eY\xc25.\x90*1\xd9\xe4EzA\xa4.\x13\x9b4\x0ef{I\xabd\x97\xd0F\xc3y\x9drPc\xa6\x98[\x06\xbdHm\xd89\x83p\xe85\xf0\x05\xd1\xaa\xbc\xe3\xdb\xc8\x02\xea|\xfd\x82\xda\xc2[R5\xae\x98:\xad\xba5\x93#\xa7\x1fH\xdd5F\x98\xb2\x10h\xe4\xa51\xc2\x0aX.\x19\x81\x10\xc9Pu\xfc\xeaZ\x16\xce\x11\xd7\xee\xefP\x88-a\xff?Bs\x05\x94C\xd5\x8e<N\x01:\x19\xa5\x1fFNw\xd0]\xe5\x81"!\x87\xfe\x94}\x84\xd8\x93\xad\xd6hCH\xb2\xdb\xebs$\xe7\x91\x7fT\xa4\xb6\x80>\x9d\xa3<Lr\xc2W\xc4\xa0\xd4\xcc8'\xce\xd5\x06\x9e\xa2H\xd9\xe9\x9f\xce\x82p6\x93\x9a;\xdf\x96!\xe3Y\xb7\x0c\xda\x917\xf0\xfdYZ\xb3\x99\xc8ilC&\x015c`U\x89\x03:u\xd8\xbaJ\xd9T\xff\xee\xde\x80\xd8-\xd18\xd5^-\x0b\x98}>l\xdb\xfc&\x88\xc7, CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com, 
CA0\x82\x02"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x02\x0f\x000\x82\x02\x0a\x02\x82\x02\x01\x00\xa5\xda\x0a\x95\x16P\xe3\x95\xf2^\x9dv1\x062z\x9b\xf1\x10v\xb8\x00\x9a\xb5R6\xcd$G\xb0\x9f\x18d\xbc\x9a\xf6\xfa\xd5y\xd8\x90bL"/\xde8=\xd6\xe0\xa8\xe9\x1c,\xdbx\x11\xe9\x8ehQ\x15r\xc7\xf33\x87\xe4\xa0]\x0b\\xe0W\x07*0\xf5\xcd\xc47w(M\x18\x91\xe6\xbf\xd5R\xfdq-p>\xe7\xc6\xc4\x8a\xe3\xf0(\x0b\xf4v\x98\xa1\x8b\x87U\xb2:\x13\xfc\xb7>'7\x8e"\xe3\xa8O*\xef`\xbb=\xb79\xc3\x0e\x01G\x99]\x12O\xdbC\xfaW\xa1\xed\xf9\x9d\xbe\x11G&[\x13\x98\xab]\x16\x8a\xb07\x1cW\x9dE\xff\x88\x966\xbf\xbb\xca\x07{o\x87c\xd7\xd02j\xd6]l\x0c\xf1\xb3n9\xe2k1.9\x00'\x14\xde8\xc0\xec\x19f\x86\x12\xe8\x9dr\x16\x13dR\xc7\xa97\x1c\xfd\x820\xed\x84\x18\x1d\xf4\xae\\xffp\x13\x00\xeb\xb1\xf53zK\xd6U\xf8\x05\x8dKi\xb0\xf5\xb3(6\\x14\xc4QsMk\x0b\xf14\x07\xdb\x179\xd7\xdc({k\xf5\x9f\xf3.\xc1O\x17*\x10\xf3\xcc\xca\xe8\xeb\xfdk\xab.\x9a\x9f-\x82n\x04\xd4R\x01\x93-=\x86\xfc~\xfc\xdf\xefB\x1d\xa6k\xef\xb9 \xc6\xf7\xbd\xa0\xa7\x95\xfd\xa7\xe6\x89$\xd8\xcc\x8c4l\xe2#/\xd9\x12\x1a!\xb9U\x91o\x0b\x91y\x19\x0c\xad@\x88\x0bp\xe2z\xd2\x0e\xd8hH\xbb\x82\x139\x10X\xe9\xd8*\x07\xc6\x12\xdbX\xdb\xd2;U\x10G\x05\x15gb~\x18c\xa6F?\x09\x0eT2^\xbf\x0dbz'\xef\x80\xe8\xdb\xd9K\x06Z7Z%\xd0\x08\x12w\xd4o\x09P\x97=\xc8\x1d\xc3\xdf\x8cE0V\xc6\xd3d\xabf\xf3\xc0^\x96\x9c\xc3\xc4\xef\xc3|k\x8b:y\x7f\xb3I\xcf=\xe2\x89\x9f\xa00K\x85\xb9\x9c\x94$y\x8f}k\xa9Eh\x0f+\xd0\xf1\xda\x1c\xcbi\xb8\xcaIbm\xc8\xd0cb\xdd`\x0fX\xaa\x8f\xa1\xbc\x05\xa5f\xa2\xcf\x1bv\xb2\x84d\xb1L9R\xc00\xba\xf0\x8cK\x02\xb0\xb6\xb7\x02\x03\x01\x00\x01\xa3B0@0\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14G\xb8\xcd\xff\xe5o\xee\xf8\xb2\xec/N\x0e\xf9%\xb0\x8e<k\xc30\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x060\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x02\x01\x00\x00 
#A5\x04\x90\xc2@b`\xef\xe25L\xd7?\xac\xe24\x90\xb8\xa1ov\xfa\x16\x16\xa4H7,\xe9\x90\xc2\xf2<\xf8\x0a\x9f\xd8\x81\xe5\xbb[\xda%,\xa4\xa7Uq$2\xf6\xc8\x0b\xf2\xbcj\xf8\x93\xac\xb2\x07\xc2_\x9f\xdb\xcc\xc8\x8a\xaa\xbejo\xe1I\x10\xcc1\xd7\x80\xbb\xbb\xc8\xd8\xa2\x0edW\xea\xa2\xf5\xc2\xa91\x15\xd2 j\xec\xfc"\x01(\xcf\x86\xb8\x80\x1e\xa9\xcc\x11\xa5<\xf2\x16\xb3G\x9d\xfc\xd2\x80!\xc4\xcb\xd0GpA\xa1\xca\x83\x19\x08,m\xf2]w\x9c\x8a\x14\x13\xd46\x1c\x92\xf0\xe5\x067\xdc\xa6\xe6\x90\x9b8\x8f\k\x1bF\x86CB_>\x01\x07ST]e}\xf7\x8as\xa1\x9aTZ\x1f)C\x14'\xc2\x85\x0f\xb5\x88{\x1a;\x94\xb7\x1d`\xa7\xb5\x9c\xe7)iWZ\x9b\x93zC0\x1b\x03\xd7b\xc8@\xa6\xaa\xfcd\xe4J\xd7\x91S\x01\xa8 \x88n\x9c_D\xb9\xcb`\x814\xeco\xd3}\xdaH_\xeb\xb4\x90\xbc-\xa9\x1c\x0b\xac\x1c\xd5\xa2h \x80\x04\xd6\xfc\xb1\x8f/\xbbJ1\x0dJ\x86\x1c\xeb\xe26)&\xf5\xda\xd8\xc4\xf2ua\xcf~\xaevcJz@e\x93\x87\xf8\x1e\x80\x8c\x86\xe5\x86\xd6\x8f\x0e\xfcS,`\xe8\x16a\x1a\xa2>C{\xcd9`Tj\xf5\xf2\x89&\x01h\x83H\xa23\xe8\xc9\x04\x91\xb2\x114\x11>\xea\xd0C\x19\x1f\x03\x93\x90\x0c\xffQ=W\xf4An\xe1\xcb\xa0\xbe\xeb\xc9c\xcdm\xcc\xe4\xf86\xaah\x9d\xed\xbd]\x97pD\x0d\xb6\x0e5\xdc\xe1\x0c]\xbb\xa0Q\x94\xcb~\x16\xeb\x11/\xa3\x92E\xc8Lq\xd9\xbc\xc9\x99RWF/P\xcf\xbd5i\xf4=\x15\xce\x06\xa5,\x0f>\xf6\x81\xba\x94\xbb\xc3\xbb\xbfex\xd2\x86y\xffI;\x1a\x83\x0c\xf0\xdex\xec\xc8\xf2ML\x1a\xde\x82)\xf8\xc1Z\xda\xed\xee\xe6'^\xe8E\xd0\x9d\x1cQ\xa8h\xabD\xe3\xd0\x8bj\xe3\xf8;\xbb\xdcM\xd7d\xf2Q\xbe\xe6\xaa\xabZ\xe91\xee\x06\xbcs\xbf\x13b\x0a\x9f\xc7\xb9\x97, CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE = 0\x82\x03\xc30\x82\x02\xab\xa0\x03\x02\x01\x02\x02\x01\x010\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000\x81\x821\x0b0\x09\x06\x03U\x04\x06\x13\x02DE1+0)\x06\x03U\x04\x0a\x0c"T-Systems Enterprise Services GmbH1\x1f0\x1d\x06\x03U\x04\x0b\x0c\x16T-Systems Trust Center1%0#\x06\x03U\x04\x03\x0c\x1cT-TeleSec GlobalRoot Class 
30\x1e\x17\x0d081001102956Z\x17\x0d331001235959Z0\x81\x821\x0b0\x09\x06\x03U\x04\x06\x13\x02DE1+0)\x06\x03U\x04\x0a\x0c"T-Systems Enterprise Services GmbH1\x1f0\x1d\x06\x03U\x04\x0b\x0c\x16T-Systems Trust Center1%0#\x06\x03U\x04\x03\x0c\x1cT-TeleSec GlobalRoot Class 30\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xbdu\x93\xf0b"o$\xae\xe0zv\xac}\xbd\xd9$\xd5\xb8\xb7\xfc\xcd\xf0B\xe0\xebx\x88V^\x9b\x9aT\x1dM\x0c\x8a\xf6\xd3\xcfp\xf4R\xb5\xd8\x93\x04\xe3F\x86qAJ+\xf0*,U\x03\xd6H\xc3\xe098\xed\xf2\<?D\xbc\x93=a\xabN\xcd\x0d\xbe\xf0 'X\x0eD\x7f\x04\x1a\x87\xa5\xd7\x96\x146\x90\xd0I{\xa1u\xfb\x1aks\xb1\xf8\xce\xa9\x09,\xf2S\xd5\xc3\x14D\xb8\x86\xa5\xf6\x8b+9\xda\xa33T\xd9\xfar\x1a\xf7"\x15\x1c\x88\x91k\x7ff\xe5\xc3j\x80\xb0$\xf3\xdf\x86E\x88\xfd\x19\x7fu\x87\x1f\x1f\xb1\x1b\x0as$[\xb9e\xe0,T\xc8`\xd3f\x17?\xe1\xccT3s\x91\x02:\xa6\x7f{v9\xa2\x1f\x96\xb68\xae\xb5\xc8\x93t\x1d\x9e\xb9\xb4\xe5`\x9d/V\xd1\xe0\xeb^[L\x12p\x0clD \xab\x11\xd8\xf4\x19\xf6\xd2\x9cR7\xe7\xfa\xb6\xc21;J\xd4\x14\x99\xad\xc7\x1a\xf5]_\xfa\x07\xb8|\x0d\x1f\xd6\x83\x1e\xb3\x02\x03\x01\x00\x01\xa3B0@0\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x060\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xb5\x03\xf7v;a\x82j\x12\xaa\x18S\xeb\x03!\x94\xbf\xfe\xce\xca0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00V=\xef\x94\xd5\xbd\xdas\xb2X\xbe\xae\x90\xad\x98'\x97\xfe\x01\xb1\xb0R\x00\xb8M\xe4\x1b!t\x1b~\xc0\xee^i*%\xaf\\xd6\x1d\xda\xd2y\xc9\xf3\x97)\xe0\x86\x87\xde\x04Y\x0f\xf1Y\xd4d\x85K\x99\xaf%\x04\x1e\xc9F\xa9\x97\xde\x82\xb2\x1bp\x9f\x9c\xf6\xafq1\xdd{\x05\xa5,\xd3\xb9\xcaG\xf6\xca\xf2\xf6\xe7\xad\xb9H?\xbc\x16\xb7\xc1m\xf4\xea\x09\xaf\xec\xf3\xb5\xe7\x05\x9e\xa6\x1e\x8aSQ\xd6\x93\x81\xcct\x93\xf6\xb9\xda\xa6%\x05tyZ~@>\x82K&\x110n\xe1?A\xc7G\x005\xd5\xf5\xd3\xf7T>\x81=\xdaIj\x9a\xb3\xef\x10=\xe6\xebo\xd1\xc8"G\xcb\xcc\xcf\x011\x92\xd9\x18\xe3"\xbe\x09\x1e\x1a>Z
\xb2\xe4k\x0cTz}CN\xb8\x89\xa5{\xd7\xa2=\x96\x86\xcc\xf2&4-j\x92\x9d\x9a\x1a\xd00\xe2]N\x04\xb0_\x8b ~w\xc1=\x95\x82\xd1F\x9a;<x\xb8o\xa1\xd0\x0dd\xa2x\x1e)N\x93\xc3\xa4T\x14[, CN=D-TRUST Root Class 3 CA 2 2009,O=D-Trust GmbH,C=DE = 0\x82\x0430\x82\x03\x1b\xa0\x03\x02\x01\x02\x02\x03\x09\x83\xf30\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000M1\x0b0\x09\x06\x03U\x04\x06\x13\x02DE1\x150\x13\x06\x03U\x04\x0a\x0c\x0cD-Trust GmbH1'0%\x06\x03U\x04\x03\x0c\x1eD-TRUST Root Class 3 CA 2 20090\x1e\x17\x0d091105083558Z\x17\x0d291105083558Z0M1\x0b0\x09\x06\x03U\x04\x06\x13\x02DE1\x150\x13\x06\x03U\x04\x0a\x0c\x0cD-Trust GmbH1'0%\x06\x03U\x04\x03\x0c\x1eD-TRUST Root Class 3 CA 2 20090\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd3\xb2J\xcfzG\xefu\x9b#\xfa:/\xd6PE\x895:\xc6k\xdb\xfe\xdb\x00h\xa8\xe0\x03\x11\x1d7P\x08\x9fMJh\x945\xb3S\xd1\x94c\xa7 V\xaf\xdeQx\xec*=\xf3HHP>\x0a\xdfFU\x8b'm\xc3\x10M\x0d\x91RC\xd8\x87\xe0]N6\xb5!\xca_9@\x04_[~\xcc\xa3\xc6+\xa9@\x1e\xd96\x84\xd6H\xf3\x92\x1e4F 
$\xc1\xa4Q\x8eJ\x1a\xefP?i]\x19\x7fE\xc3\xc7\x01\x8fQ\xc9#\xe8r\xae\xb4\xbcV\x09\x7f\x12\xcb\x1c\xb1\xaf)\x90\x0a\xc9U\xcc\x0f\xd3\xb4\x1a\xedG5ZJ\xed\x9cs\x04!\xd0\xaa\xbd\x0c\x13\xb5\x00\xca&l\xc4k\x0c\x94Z\x95\x94\xdaP\x9a\xf1\xff\xa5+f1\xa4\xc98\xa0\xdf\x1d\x1f\xb8\x09.\xf3\xa7\xe8gR\xab\x95\x1f\xe0F>\xd8\xa4\xc3\xcaZ\xc51\x80\xe8H\x9a\x9f\x94i\xfe\x19\xdd\xd8s|\x81\xca\x96\xde\x8e\xed\xb32\x05e\x844\xe6\xe6\xfdW\x10\xb5_v\xbf/\xb0\x10\x0d\xc5\x02\x03\x01\x00\x01\xa3\x82\x01\x1a0\x82\x01\x160\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xfd\xda\x14\xc4\x9f0\xde!\xbd\x1eB9\xfc\xabc#I\xe0\xf1\x840\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x060\x81\xd3\x06\x03U\x1d\x1f\x04\x81\xcb0\x81\xc80\x81\x80\xa0~\xa0|\x86zldap://directory.d-trust.net/CN=D-TRUST%20Root%20Class%203%20CA%202%202009,O=D-Trust%20GmbH,C=DE?certificaterevocationlist0C\xa0A\xa0?\x86=http://www.d-trust.net/crl/d-trust_root_class_3_ca_2_2009.crl0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x7f\x97\xdb0\xc8\xdf\xa4\x9c}!z\x80p\xce\x14\x12i\x88\x14\x95`D\x01\xac\xb2\xe90O\x9bP\xc2f\xd8~\x8d0\xb5p1\xe9\xe2i\xc7\xf3p\xdb \x15\x86\xd0\x0d\xf0\xbe\xac\x01u\x84\xce~\x9fM\xbf\xb7`;\x9c\xf3\xca\x1d\xe2^h\xd8\xa3\x9d\x97\xe5@`\xd26!\xfe\xd0\xb4\xb8\x17\xdat\xa3\x7f\xd4\xdf\xb0\x98\x02\xacokk,%$r\xa1e\xee%Z\xe5\xe62\xe7\xf2\xdf\xabI\xfa\xf3\x90i#\xdb\x04\xd9\xe7\X\xfce\xd4\x97\xbe\xcc\xfc.\x0a\xcc%*5\x04\xf8`\x91\x15u=A\xff#\x1f\x19\xc8l\xeb\x82S\x04\xa6\xe4L"M\x8d\x8c\xba\xce[s\xecdTPm\xd1\x9cU\xfbi\xc36\xc3\x8c\xbc<\x85\xa6k\x0a&\x0d\xe0\x93\x98`\xae~\xc6$\x97\x8aa_\x91\x8ef\x92\x09\x876\xcd\x8b\x9b->\xf6Q\xd4P\xd4Y(\xbd\x83\xf2\xcc({S\x86m\xd8&\x88p\xd7\xea\x91\xcd>\xb9\xca\xc0\x90nZ\xc6^te\xd7\\xfe\xa3\xe2, CN=D-TRUST Root Class 3 CA 2 EV 2009,O=D-Trust GmbH,C=DE = 
0\x82\x04C0\x82\x03+\xa0\x03\x02\x01\x02\x02\x03\x09\x83\xf40\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000P1\x0b0\x09\x06\x03U\x04\x06\x13\x02DE1\x150\x13\x06\x03U\x04\x0a\x0c\x0cD-Trust GmbH1*0(\x06\x03U\x04\x03\x0c!D-TRUST Root Class 3 CA 2 EV 20090\x1e\x17\x0d091105085046Z\x17\x0d291105085046Z0P1\x0b0\x09\x06\x03U\x04\x06\x13\x02DE1\x150\x13\x06\x03U\x04\x0a\x0c\x0cD-Trust GmbH1*0(\x06\x03U\x04\x03\x0c!D-TRUST Root Class 3 CA 2 EV 20090\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\x99\xf1\x844p\xba/\xb70\xa0\x8e\xbd|\x04\xcf\xbeb\xbc\x99\xfd\x82\x97\xd2z\x0ag\x968\x09\xf6\x10N\x95"s\x99\x8d\xda\x15-\xe7\x05\xfc\x19s"\xb7\x8e\x98\x00\xbc<=\xac\xa1l\xfb\xd6y%K\xad\xf0\xccd\xda\x88>)\xb8\x0f\x09\xd34\xdd3\xf5b\xd1\xe1\xcd\x19\xe9\xee\x18OLX\xae\xe2\x1e\xd6\x0c[\x15Z\xd8:\xb8\xc4\x18d\x1e\xe33\xb2\xb5\x89wN\x0c\xbf\xd9\x94k\x13\x97o\x12\xa3\xfe\x99\xa9\x04\xcc\x15\xec`h6\xed\x08{\xb7\xf5\xbf\x93\xedf1\x83\x8c\xc6q4\x87N\x17\xea\xaf\x8b\x91\x8d\x1cVA\xae"7^7\xf2\x1d\xd9\xd1-\x0d/iQ\xa7\xbef\xa6\x8a:*\xbd\xc7\x1a\xb1\xe1\x14\xf0\xbe:\x1d\xb9\xcf[\xb1j\xfe\xb4\xb1F \xa2\xfb\x1e;p\xef\x93\x98}\x8cs\x96\xf2\xc5\xef\x85p\xad)&\xfc\x1e\x04>\x1c\xa0\xd8\x0f\xcbR\x83b|\xee\x8bS\x95\x90\xa9W\xa2\xeaa\x05\xd8\xf9M\xc4'\xfan\xad\xed\xf9\xd7Q\xf7k\xa5\x02\x03\x01\x00\x01\xa3\x82\x01$0\x82\x01 
0\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd3\x94\x8aLb\x13*\x19.\xcc\xafr\x8a}6\xd7\x9a\x1c\xdcg0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x060\x81\xdd\x06\x03U\x1d\x1f\x04\x81\xd50\x81\xd20\x81\x87\xa0\x81\x84\xa0\x81\x81\x86\x7fldap://directory.d-trust.net/CN=D-TRUST%20Root%20Class%203%20CA%202%20EV%202009,O=D-Trust%20GmbH,C=DE?certificaterevocationlist0F\xa0D\xa0B\x86@http://www.d-trust.net/crl/d-trust_root_class_3_ca_2_ev_2009.crl0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x004\xed{Z<\xa4\x94\x88\xef\x1a\x11u\x07/\xb3\xfe<\xfa\x1eQ&\xeb\x87\xf6)\xde\xe0\xf1\xd4\xc6$\x09\xe9\xc1\xcfU\x1b\xb40\xd9\xce\x1a\xfe\x06Q\xa6\x15\xa4-\xef\xb2K\xbf (%I\xd1\xa66w4\xe8d\xdfR\xb1\x11\xc7sz\xcd9\x9e\xc2\xad\x8cq!\xf2Zk\xaf\xdf<NU\xaf\xb2\x84e\x14\x89\xb9w\xcb*1\xbe\xcf\xa3m\xcfoH\x942Fo\xe7q\x8c\xa0\xa6\x84\x197\x07\xf2\x03E\x09+\x86u|\xdf_iW\x00\xdbn\xd8\xa6r"KP\xd4u\x98V\xdf\xb7\x18\xffCCP\xaezD{\xf0yQ\xd7C=\xa7\xd3\x81\xd3\xf0\xc9O\xb9\xda\xc6\x97\x86\xd0\x82\xc3\xe4Bm\xfe\xb0\xe2dN\x0e&\xe7@4&\xb5\x08\x89\xd7\x08cc8'u\x1e3\xean\xa8\xdd\x9f\x99OtM\x81\x89\x80K\xdd\x9a\x97)\/\xbe\x81A\xb9\x8c\xff\xea}`\x06\x9e\xcd\xd7=\xd3.\xa3\x15\xbc\xa8\xe6&\xe5o\xc3\xdc\xb8\x03!\xea\x9f\x16\xf1,T\xb5, CN=CA Disig Root R2,O=Disig a.s.,L=Bratislava,C=SK = 0\x82\x05i0\x82\x03Q\xa0\x03\x02\x01\x02\x02\x09\x00\x92\xb8\x88\xdb\xb0\x8a\xc1c0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000R1\x0b0\x09\x06\x03U\x04\x06\x13\x02SK1\x130\x11\x06\x03U\x04\x07\x13\x0aBratislava1\x130\x11\x06\x03U\x04\x0a\x13\x0aDisig a.s.1\x190\x17\x06\x03U\x04\x03\x13\x10CA Disig Root R20\x1e\x17\x0d120719091530Z\x17\x0d420719091530Z0R1\x0b0\x09\x06\x03U\x04\x06\x13\x02SK1\x130\x11\x06\x03U\x04\x07\x13\x0aBratislava1\x130\x11\x06\x03U\x04\x0a\x13\x0aDisig a.s.1\x190\x17\x06\x03U\x04\x03\x13\x10CA Disig Root 
R20\x82\x02"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x02\x0f\x000\x82\x02\x0a\x02\x82\x02\x01\x00\xa2\xa3\xc4\x00\x09\xd6\x85]-m\x14\xf6\xc2\xc3s\x9e5\xc2qU~\x81\xfb\xabFP\xe0\xc1|Ix\xe6\xabyX<\xda\xff|\x1c\x9f\xd8\x97\x02x>kA\x04\xe9A\xbd\xbe\x03,E\xf6/d\xd4\xab]\xa3G=d\x9b\xe9h\x9a\xc6\xcc\x1b?\xba\xbe\xb2\x8b4\x02.\x98U\x19\xfc\x8co\xaa_\xdaL\xceM\x03!\xa3\xd8\xd24\x93V\x96\xcbL\x0c\x00\x16<_\x1a\xcd\xc8\xc7l\xa6\xad\xd31\xa7\xbc\xe8\xe5\xe1f\xd6\xd2\xfb\x03\xb4Ae\xc9\x10\xae\x0e\x05c\xc6\x80ji0\xfd\xd2\xee\x90\xef\x0d'\xdf\x9f\x95s\xf4\xe1%\xdal\x16\xdeA84\xea\x8b\xfc\xd1\xe8\x04\x14a-A~\xac\xc7wN\xcbQT\xfb^\x92\x18\x1b\x04Zh\xc6\xc9\xc4\xfa\xb7\x13\xa0\x98\xb7\x11+\xb7\xd6W\xcc|\x9e\x17\xd1\xcb%\xfe\x86N$.V\x0cxM\x9e\x01\x12\xa6+\xa7\x01en|b\x1d\x84\x84\xdf\xea\xc0k\xb5\xa5*\x95\x83\xc3S\x11\x0cs\x1d\x0b\xb2F\x90\xd1B:\xce@n\x95\xad\xff\xc6\x94\xadn\x97\x84\x8e}o\x9e\x8a\x80\x0dIms\xe2{\x92\x1e\xc3\xf3\xc1\xf3\xeb.\x05o\xd9\x1b\xcf7v\x04\xc8\xb4Z\xe4\x17\xa7\xcb\xddv\x1f\xd0\x19v\xe8,\x05\xb3\xd6\x9c4\xd8\x96\xdca\x87\x91\x05\xe4D\x083\xc1\xda\xb9\x08e\xd4\xae\xb26\x0d\xeb\xba8\xba\x0c\xe5\x9b\x9e\xeb\x8df\xdd\x99\xcf\xd6\x89A\xf6\x04\x92\x8a))mk:\x1c\xe7u}\x02q\x0e\xf3\xc0\xe7\xbd\xcb\x19\xdd\x9d`\xb2\xc2f`\xb6\xb1\x04\xee\xc9\xe6\x86\xb9\x9af@\xa8\xe7\x11\xed\x81E\x03\x8b\xf6gY\xe8\xc1\x06\x11\xbd\xdd\xcf\x80\x02Oe@x\GP\xc8\x9b\xe6\x1f\x81{\xe4D\xa8[\x85\x9a\xe2\xdeZ\xd5\xc7\xf9:DfK\xe42T|\xe4l\x9c\xb3\x0e=\x17\xa2\xb24\x12\xd6~\xb2\xa8I\xbb\xd1z(@\xbe\xa2\x16\x1f\xdf\xe47\x1f\x11s\xfb\x90\x0aeC\xa2\x0d|\xf8\x06\x01U3}\xb0\x0d\xb8\xf4\xf5\xae\xa5BW|6\x11\x8c{^\xc4\x03\x9d\x8cy\x9d\x02\x03\x01\x00\x01\xa3B0@0\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x060\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xb5\x99\xf8\xaf\xb0\x94\xf5\xe3 
\xd6\x0a\xad\xceNV\xa4.nB\xed0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x02\x01\x00&\x06^p\xe7e3\xc8\x82n\xd9\x9c\x17:\x1bzf\xb2\x01\xf6x;i^/\xea\xffN\xf9(\xc3\x98*aL\xb4$\x12\x8a}m\x11\x14\xf7\x9c\xb5\xca\xe6\xbc\x9e'\x8eL\x19\xc8\xa9\xbdz\xc0\xd76\x0em\x85rn\xa8\xc6\xa2m\xf6\xfasc\x7f\xbcny\x08\x1c\x9d\x8a\x9f\x1a\x8aS\xa6\xd8\xbb\xd95U\xb1\x11\xc5\xa9\x03\xb3V;\xb9\x84\x93"^~\xc1\xf6\x12R\x8b\xea,g\xbc\xfe6L\xf5\xb8\xcf\xd1\xb3I\x92;\xd3)\x0e\x99\x1b\x96\xf7a\xb8;\xc4+\xb6xl\xb4#o\xf0\xfd\xd3\xb2^u\x1f\x99\x95\xa8\xac\xf6\xda\xe1\xc51{\xfb\xd1F\xb3\xd2\xbcg\xb4bT\xba\x09\xf7c\xb0\x93\xa2\x9a\xf9\xe9R.\x8b`\x12\xab\xfc\xf5`V\xef\x10\\x8b\xc4\x1aB\xdc\x83[d\x0e\xcb\xb5\xbc\xd6O\xc1|<n\x8d\x13m\xfb{\xeb0\xd0\xdcM\xaf\xc5\xd5\xb6\xa5L[q\xc9\xe81\xbe\xe88\x06H\xa1\x1a\xe2\xea\xd2\xde\x129X\x1a\xff\x80\x0e\x82u\xe6\xb7\xc9\x07l\x0e\xef\xff8\xf1\x98q\xc4\xb7\x7f\x0e\x15\xd0%i\xbd"\x9d+\xed\x05\xf6FG\xac\xed\xc0\xf0\xd4;\xe2\xec\xee\x96[\x90\x13N\x1eV:\xeb\xb0\xef\x96\xbb\x96#\x11\xba\xf2C\x86td\x95\xc8(u\xdf\x1d5\xba\xd27\x838S86;\xcfl\xe9\xf9k\x0e\xd0\xfb\x04\xe8Ow\xd7e\x01x\x86\x0cz>!b\xf1\x7fcq\x0c\xc9\x9fD\xdb\xa8'\xa2u\xben\x81>\xd7\xc0\xeb\x1b\x98\x0fp\4\xb2\x8a\xcc\xc0\x85\x18\xebnz\xb3\xf7Z\xa1\x07\xbf\xa9B\x92\xf3`"\x97\xe4\x14\xa1\x07\x9bNv\xc0\x8e}\xfd\xa4%\xc7G\xed\xff\x1fs\xac\xcc\xc3\xa5\xe9o\x0a\x8e\x9be\xc2P\x85\xb5\xa3\xa0S\x12\xccU\x87a\xf3\x81\xae\x10Fa\xbdD!\xb8\xc2=t\xcf~$5\xfa\x1c\x07\x0e\x9b="\xca\xef1/\x8c\xac\x12\xbd\xef@(\xfc)g\x9f\xb2\x13Of$\xc4S\x19\xe9\x1e)\x15\xef\xe6m\xb0\x7f-g\xfd\xf3l\x1buF\xa3\xe5J\x17\xe9\xa4\xd7\x0b, C=ES,O=ACCV,OU=PKIACCV,CN=ACCVRAIZ1 = 
0\x82\x07\xd30\x82\x05\xbb\xa0\x03\x02\x01\x02\x02\x08^\xc3\xb7\xa6C\x7f\xa4\xe00\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x05\x05\x000B1\x120\x10\x06\x03U\x04\x03\x0c\x09ACCVRAIZ11\x100\x0e\x06\x03U\x04\x0b\x0c\x07PKIACCV1\x0d0\x0b\x06\x03U\x04\x0a\x0c\x04ACCV1\x0b0\x09\x06\x03U\x04\x06\x13\x02ES0\x1e\x17\x0d110505093737Z\x17\x0d301231093737Z0B1\x120\x10\x06\x03U\x04\x03\x0c\x09ACCVRAIZ11\x100\x0e\x06\x03U\x04\x0b\x0c\x07PKIACCV1\x0d0\x0b\x06\x03U\x04\x0a\x0c\x04ACCV1\x0b0\x09\x06\x03U\x04\x06\x13\x02ES0\x82\x02"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x02\x0f\x000\x82\x02\x0a\x02\x82\x02\x01\x00\x9b\xa9\xab\xbfaJ\x97\xaf/\x97f\x9at_\xd0\xd9\x96\xfd\xcf\xe2\xe4f\xef\x1f\x1fG3\xc2D\xa3\xdf\x9a\xde\x1f\xb5T\xdd\x15|i5\x11o\xbb\xc8\x0c\x8ej\x18\x1e\xd8\x8f\xd9\x16\xbc\x10H6\\xf0c\xb3\x90Z\$7\xd7\xa3\xd6\xcb\x09q\xb9\xf1\x01r\x84\xb0}\xdbM\x80\xcd\xfc\xd3o\xc9\xf8\xda\xb6\x0e\x82\xd2E\x85\xa8\x1bh\xa8=\xe8\xf4Dl\xbd\xa1\xc2\xcb\x03\xbe\x8c>\x13\x00\x84\xdfJH\xc0\xe3"\x0a\xe8\xe97\xa7\x18L\xb1\x09\x0d#V\x7f\x04M\xd9\x17\x84\x18\xa5\xc8\xda@\x94s\xeb\xce\x0eW<\x03\x81:\x9d\x0a\xa1WCi\xacWmy\x90x\xe5\xb5\xb4;\xd8\xbcL\x8d(\xa1\xa7\xa3\xa7\xba\x02N%\xd1*\xae\xed\xae\x03"\xb8k 
\x0f0(T\x95\x7f\xe0\xee\xce\x0af\x9d\xd1@-n"\xaf\x9d\x1a\xc1\x05\x19\xd2o\xc0\xf2\x9f\xf8{\xb3\x02B\xfbP\xa9\x1d-\x93\x0f#\xab\xc6\xc1\x0f\x92\xff\xd0\xa2\x15\xf5S\x09q\x1c\xffE\x13\x84\xe6&^\xf8\xe0\x88\x1c\x0a\xfc\x16\xb6\xa8s\x06\xb8\xf0c\x84\x02\xa0\xc6Z\xec\xe7t\xdfp\xae\xa3\x83%\xea\xd6\xc7\x97\x87\x93\xa7\xc6\x8a\x8a3\x97`7\x10>\x97>n)\x15\xd6\xa1\x0f\xd1\x88,\x12\x9fo\xaa\xa4\xc6B\xebA\xa2\xe3\x95C\xd3\x01\x85m\x8e\xbb;\xf3#6\xc7\xfe;\xe0\xa1%\x07H\xab\xc9\x89t\xff\x08\x8f\x80\xbf\xc0\x96e\xf3\xee\xecKh\xbd\x9d\x88\xc31\xb3@\xf1\xe8\xcf\xf68\xbb\x9c\xe4\xd1\x7f\xd4\xe5X\x9b|\xfa\xd4\xf3\x0e\x9bu\x91\xe4\xbaR.\x19~\xd1\xf5\xcdZ\x19\xfc\xba\x06\xf6\xfbR\xa8K\x99\x04\xdd\xf8\xf9\xb4\x8bP\xa3Nb\x89\xf0\x87$\xfa\x83B\xc1\x87\xfa\xd5-)*Zqzdj\xd7'`c\x0d\xdb\xceI\xf5\x8d\x1f\x90\x892\x17\xf8sC\xb8\xd2Z\x93\x86a\xd6\xe1u\x0a\xeayfv\x88Oq\xeb\x04%\xd6\x0aZz\x93\xe5\xb9K\x17@\x0f\xb1\xb6\xb9\xf5\xdeO\xdc\xe0\xb3\xac;\x11p`\x84JCn\x99 \xc0)q\x0a\xc0e\x02\x03\x01\x00\x01\xa3\x82\x02\xcb0\x82\x02\xc70}\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04q0o0L\x06\x08+\x06\x01\x05\x05\x070\x02\x86@http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0\x1f\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x13http://ocsp.accv.es0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd2\x87\xb4\xe3\xdf7'\x93U\xf6V\xea\x81\xe56\xcc\x8c\x1e?\xbd0\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd2\x87\xb4\xe3\xdf7'\x93U\xf6V\xea\x81\xe56\xcc\x8c\x1e?\xbd0\x82\x01s\x06\x03U\x1d \x04\x82\x01j0\x82\x01f0\x82\x01b\x06\x04U\x1d \x000\x82\x01X0\x82\x01"\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x82\x01\x14\x1e\x82\x01\x10\x00A\x00u\x00t\x00o\x00r\x00i\x00d\x00a\x00d\x00 \x00d\x00e\x00 \x00C\x00e\x00r\x00t\x00i\x00f\x00i\x00c\x00a\x00c\x00i\x00\xf3\x00n\x00 \x00R\x00a\x00\xed\x00z\x00 \x00d\x00e\x00 \x00l\x00a\x00 \x00A\x00C\x00C\x00V\x00 \x00(\x00A\x00g\x00e\x00n\x00c\x00i\x00a\x00 \x00d\x00e\x00 \x00T\x00e\x00c\x00n\x00o\x00l\x00o\x00g\x00\xed\x00a\x00 \x00y\x00 
\x00C\x00e\x00r\x00t\x00i\x00f\x00i\x00c\x00a\x00c\x00i\x00\xf3\x00n\x00 \x00E\x00l\x00e\x00c\x00t\x00r\x00\xf3\x00n\x00i\x00c\x00a\x00,\x00 \x00C\x00I\x00F\x00 \x00Q\x004\x006\x000\x001\x001\x005\x006\x00E\x00)\x00.\x00 \x00C\x00P\x00S\x00 \x00e\x00n\x00 \x00h\x00t\x00t\x00p\x00:\x00/\x00/\x00w\x00w\x00w\x00.\x00a\x00c\x00c\x00v\x00.\x00e\x00s00\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16$http://www.accv.es/legislacion_c.htm0U\x06\x03U\x1d\x1f\x04N0L0J\xa0H\xa0F\x86Dhttp://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x060\x17\x06\x03U\x1d\x11\x04\x100\x0e\x81\x0caccv@accv.es0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x971\x02\x9f\xe7\xfdCgHD\x14\xe4)\x87\xedL(f\xd0\x8f5\xdaMa\xb7J\x97M\xb5\xdb\x90\xe0\x05.\x0e\xc6y\xd0\xf2\x97i\x0f\xbd\x04G\xd9\xbe\xdb\xb5)\xda\x9b\xd9\xae\xa9\x99\xd5\xd3<0\x93\xf5\x8d\xa1\xa8\xfc\x06\x8dD\xf4\xca\x16\x95|3\xdcb\x8b\xa87\xf8'\xd8\x09-\x1b\xef\xc8\x14' \xa9dD\xff.\xd6u\xaalM`@\x19ICTc\xda\xe2\xcc\xbaf\xe5ODz[\xd9j\x81+@\xd5\x7f\xf9\x01'X,\xc8\xedH\x91|?\xa6\x00\xcf\xc4)s\x116\xde\x86\x19>\x9d\xee\x19\x8a\x1b\xd5\xb0\xed\x8e=\x9c*\xc0\x0d\xd8=f\xe3<\x0d\xbd\xd5\x94\\xe2\xe2\xa75\x1b\x04\x00\xf6?Z\x8d\xeaC\xbd_\x89\x1d\xa9\xc1\xb0\xcc\x99\xe2M\x00\x0a\xda\xc9'[\xe7\x13\x90\\xe4\xf53\xa2Um\xdc\xe0\x09M/\xb1&['u\x00\x09\xc4bw)\x08_\x9eY\xac\xb6~\xad\x9fT0"\x03\xc1\x1eqd\xfe\xf98\x0a\x96\x18\xdd\x02\x14\xac#\xcb\x06\x1c\x1e\xa4}\x8d\x0d\xde'A\xe8\xad\xda\x15\xb7\xb0#\xdd+\xa8\xd3\xda%\x87\xed\xe8UDM\x88\xf46~\x84\x9ax\xac\xf7\x0eVI\x0e\xd63%\xd6\x84PBl 
\x12\x1d*\xd5\xbe\xbc\xf2p\x81\xa4p`\xbe\x05\xb5\x9b\x9e\x04D\xbea#\xac\xe9\xa5$\x8c\x11\x80\x94Z\xa2\xa2\xb9I\xd2\xc1\xdc\xd1\xa7\xed1\x11,\x9e\x19\xa6\xee\xe1U\xe1\xc0\xea\xcf\x0d\x84\xe4\x17\xb7\xa2|\xa5\xdeU%\x06\xee\xcc\xc0\x87\@\xda\xcc\x95?U\xe05\xc7\xb8\x84\xbe\xb4]\xcdz\x83\x01r\xee\x87\xe6_\x1d\xae\xb5\x85\xc6&\xdf\xe6\xc1\x9a\xe9\x1e\x02G\x9f*\xa8m\xa9[\xcf\xecEw\x7f\x98'\x9a2]*\xe3\x84\xee\xc5\x98f/\x96 \x1d\xdd\xd8\xc3'\xd7\xb0\xf9\xfe\xd9}\xcd\xd0\x9f\x8f\x0b\x14XQ\x9f/\x8b\xc38-\xde\xe8\x8f\xd6\x8d\x87\xa4\xf5VC\x16\x99,\xf4\xa4V\xb44\xb8a7\xc9\xc2X\x80\x1b\xa0\x97\xa1\xfcY\x8d\xe9\x11\xf6\xd1\x0fKU4F*\x8b\x86;, CN=TWCA Global Root CA,OU=Root CA,O=TAIWAN-CA,C=TW = 0\x82\x05A0\x82\x03)\xa0\x03\x02\x01\x02\x02\x02\x0c\xbe0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000Q1\x0b0\x09\x06\x03U\x04\x06\x13\x02TW1\x120\x10\x06\x03U\x04\x0a\x13\x09TAIWAN-CA1\x100\x0e\x06\x03U\x04\x0b\x13\x07Root CA1\x1c0\x1a\x06\x03U\x04\x03\x13\x13TWCA Global Root CA0\x1e\x17\x0d120627062833Z\x17\x0d301231155959Z0Q1\x0b0\x09\x06\x03U\x04\x06\x13\x02TW1\x120\x10\x06\x03U\x04\x0a\x13\x09TAIWAN-CA1\x100\x0e\x06\x03U\x04\x0b\x13\x07Root CA1\x1c0\x1a\x06\x03U\x04\x03\x13\x13TWCA Global Root 
CA0\x82\x02"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x02\x0f\x000\x82\x02\x0a\x02\x82\x02\x01\x00\xb0\x05\xdb\xc8\xeb\x8c\xc4n\x8a!\xef\x8eM\x9cq\x0a\x1fRp\xedm\x82\x9c\x97\xc5\xd7LNEI\xcb@B\xb5\x124l\x19\xc2t\xa41_\x85\x02\x97\xecC3\x0aS\xd2\x9c\x8c\x8e\xb7\xb8y\xdb+\xd5j\xf2\x8ef\xc4\xee+\x01\x07\x92\xd4\xb3\xd0\x02\xdfP\xf6U\xaff\x0e\xcb\xe0G`/+295R:(\x83\xf8{\x16\xc6\x18\xb8b\xd6G%\x91\xce\xf0\x19\x12M\xadc\xf5\xd3?u_)\xf0\xa10\x1c*\xa0\x98\xa6\x15\xbd\xee\xfd\x196\xf0\xe2\x91C\x8f\xfa\xca\xd6\x10'IL\xef\xdd\xc1\xf1\x85p\x9b\xca\xea\xa8ZC\xfcm\x86os\xe97E\xa9\xf06\xc7\xcc\x88u\x1e\xbbl\x06\xff\x9bk>\x17\xeca\xaaq|\xc6\x1d\xa2\xf7I\xe9\x15\xb5<\xd6\xa1a\xf5\x11\xf7\x05o\x1d\xfd\x11\xbe\xd00\x07\xc2)\xb0\x09N&\xdc\xe3\xa2\xa8\x91j\x1f\xc2\x91E\x88\\xe5\x98\xb8q\xa5\x15\x19\xc9|u\x11\xccptO-\x9b\x1d\x91D\xfdV(\xa0\xfe\xbb\x86j\xc8\xfa\\x0bX\xdc\xc6Kv\xc8\xab"\xd9s\x0f\xa5\xf4Z\x02\x89?O\x9e"\x82\xee\xa2tS*=S'i\x1dl\x8e2,d\x00&ca6N\xa3F\xb7?}\xb3-\xacm\x90\xa2\x95\xa2\xce\xcf\xda\x82\xe7\x074\x19\x96\xe9\xb8!\xaa)~\xa68\xbe\x8e)J!fy\x1f\xb3\xc3\xb5\x09g\xde\xd6\xd4\x07F\xf3*\xda\xe6"7`\xcb\x81\xb6\x0f\xa0\x0f\xe9\xc8\x95\x7f\xbfU\x91\x05z\xcf=\x15\xc0o\xde\x09\x94\x01\x83\xd74\x1b\xcc@\xa5\xf0\xb8\x9bg\xd5\x98\x91;\xa7\x84x\x95&\xa4Z\x08\xf8+t\xb4\x00\x04<\xdf\xb8\x14\x8e\xe8\xdf\xa9\x8dlg\x923\x1d\xc0\xb7\xd2\xec\x92\xc8\xbe\x09\xbf,)\x05o\x02k\x9e\xef\xbc\xbf*\xbc[\xc0P\x8fApq\x87\xb2M\xb7\x04\xa9\x84\xa32\xaf\xae\xeek\x17\x8b\xb2\xb1\xfel\xe1\x90\x8c\x88\xa8\x97H\xce\xc8M\xcb\xf3\x06\xcf_j\x0aB\xb1\x1e\x1ew/\x8e\xa0\xe6\x92\x0e\x06\xfc\x05"\xd2&\xe11Q}2\xdc\x0f\x02\x03\x01\x00\x01\xa3#0!0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x060\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x02\x01\x00_4\x81v\xef\x96\x1d\xd5\xe5\xb5\xd9\x02c\x84\x16\xc1\xae\xa0pQ\xa7\xf7LG5\xc8\x0b\xd7(=\x89q\xd9\xaa3A\xea\x14\x1bl!\x00\xc0lB\x19~\x9fi[ 
B\xdf\xa2\xd2\xda\xc4|\x97K\x8d\xb0\xe8\xac\xc8\xee\xa5i\x04\x99\x0a\x92\xa6\xab'.\x1aM\x81\xbf\x84\xd4p\x1e\xadG\xfe\xfdJ\x9d3\xe0\xf2\xb9\xc4E\x08!\x0a\xdaiisr\x0d\xbe4\xfe\x94\x8b\xad\xc3\x1e5\xd7\xa2\x83\xef\xe58\xc7\xa5\x85\x1f\xab\xcf4\xec?(\xfe\x0c\xf1W\x86N\xc9U\xf7\x1c\xd4\xd8\xa5}\x06zo\xd5\xdf\x10\xdf\x81N!e\xb1\xb6\xe1\x17y\x95E\x06\xce_\xcc\xdcF\x89chD\x8d\x93\xf4dp\xa0=\x9d(\x05\xc39p\xb8b{ \xfd\xe4\xdb\xe9\x08\xa1\xb8\x9e=\x09\xc7O\xfb,\xf8\x93vA\xdeR\xe0\xe1W\xd2\x9d\x03\xbcw\x9e\xfe\x9e)^\xf7\xc1Q`\x1f\xde\xda\x0b\xb2-u\xb7CH\x93\xe7\xf6y\xc6\x84]\x80Y`\x94\xfcx\x98\x8f<\x93Q\xed@\x90\x07\xdfdc$\xcbNq\x05\xa1\xd7\x94\x1a\x882\xf1"t"\xae\xa5\xa6\xd8\x12iL`\xa3\x02\xee+\xec\xd4c\x92\x0b^\xbe/vk\xa3\xb6&\xbc\x8f\x03\xd8\x0a\xf2LdF\xbd9b\xe5\x96\xeb4c\x11(\xcc\x95\xf1\xad\xef\xef\xdc\x80XH\xe9K\xb8\xeae\xac\xe9\xfc\x80\xb5\xb5\xc8E\xf9\xac\xc1\x9f\xd9\xb9\xeab\x88\x8e\xc4\xf1K\x83\x12\xad\xe6\x8b\x84\xd6\x9e\xc2\xeb\x83\x18\x9fj\xbb\x1b$`3p\xcc\xec\xf72\xf3\\xd9y}\xef\x9e\xa4\xfe\xc9#\xc3$\xee\x15\x92\xb1=\x91O&\x86\xbdfs$\x13\xea\xa4\xaec\xc1\xad}\x84\x03<\x10x\x86\x1by\xe3\xc4\xf3\xf2\x04\x95 \xae#\x82\xc4\xb3:\x00b\xbf\xe66$\xe1W\xba\xc7\x1e\x90u\xd5_?\x95a+\xc1;\xcd\xe5\xb3ha\xd0F&\xa9!Ri-\xeb.\xc7\xebw\xce\xa6:\xb5\x033Ov\xd1\xe7\T\x01]\xcbx\xf4\xc9\x0c\xbf\xcf\x12\x8e\x17-#h\x94\xe7\xab\xfe\xa9\xb2+\x06\xd0\x04\xcd, CN=TeliaSonera Root CA v1,O=TeliaSonera = 0\x82\x0580\x82\x03 \xa0\x03\x02\x01\x02\x02\x11\x00\x95\xbe\x16\xa0\xf7.F\xf1{9\x82r\xfa\x8b\xcd\x960\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x05\x05\x00071\x140\x12\x06\x03U\x04\x0a\x0c\x0bTeliaSonera1\x1f0\x1d\x06\x03U\x04\x03\x0c\x16TeliaSonera Root CA v10\x1e\x17\x0d071018120050Z\x17\x0d321018120050Z071\x140\x12\x06\x03U\x04\x0a\x0c\x0bTeliaSonera1\x1f0\x1d\x06\x03U\x04\x03\x0c\x16TeliaSonera Root CA 
v10\x82\x02"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x02\x0f\x000\x82\x02\x0a\x02\x82\x02\x01\x00\xc2\xbe\xeb'\xf0!\xa3\xf3i&U~\x9d\xc5U\x16\x91\\xfd\xef!\xbfS\x80z-\xd2\x91\x8cc1\xf0\xec$\xf0\xc3\xa5\xd2r|\x10m\xf47\xb7\xe5\xe6|y\xea\x8c\xb5\x82\x8b\xaeH\xb6\xac\x00\xdceu\xec*M_\xc1\x87\xf5 e+\x81\xa8G>\x89#\x950\x16\x90\x7f\xe8W\x07H\xe7\x19\xae\xbfEg\xb17\x1b\x06*\xfe\xde\xf9\xac}\x83\xfb^\xba\xe4\x8f\x97g\xbeK\x8e\x8dd\x07W8Ui46=\x13H\xefO\xe2\xd3f\x1e\xa4\xcf\x1a\xb7^63\xd4\xb4\x06\xbd\x18\x01\xfdw\x84P\x00E\xf5\x8c]\xe8#\xbc~\xfe5\xe1\xedP{\xa90\x8d\x19\xd3\x09\x8ehg]\xbf<\x97\x18S\xbb)b\xc5\xca^r\xc1\xc7\x96\xd4\xdb-\xa0\xb4\x1fi\x03\xec\xea\xe2P\xf1\x0c<\xf0\xac\xf3S-\xf0\x1c\xf5\xedl99s\x80\x16\xc8R\xb0#\xcd\xe0>\xdc\xdd<G\xa0\xbb5\x8a\xe2\x98h\x8b\xbe\xe5\xbfr\xee\xd2\xfa\xa5\xed\x12\xed\xfc\x98\x18\xa9&v\xdc(K\x10 \x1c\xd3\x7f\x16w-\xedo\x80\xf7I\xbbS\x05\xbb]h\xc7\xd4\xc8u\x16?\x89Z\x8b\xf7\x17G\xd4L\xf1\xd2\x89y>M=\x98\xa8a\xde:\x1e\xd2\xf8^\x03\xe0\xc1\xc9\x1c\x8c\xd3\x8dM\xd3\x956\xb37_cc\x9b3\x14\xf0-&kS|\x89\x8c2\xc2n\xec=!\x009\xc9\xa1h\xe2P\x83.\xb0:+\xf36\xa0\xac/\xe4oa\xc2Q\x099>\x8bS\xb9\xbbg\xda\xdcS\xb9vY6\x9dC\xe5 
\x1c\x07$iWx\xb29\xfc:\x84\xa0\xb5\x9c|\x8d\xbf.\x93b'\xb79\xda\x17\x18\xae\xbd<\x09h\xff\x84\x9b<\xd5\xd6\x0b\x03\xe3W\x9e\x14\xf7\xd1\xebO\xc8\xbd\x87#\xb7\xb6ICy\x85\\xba\xeb\x92\x0b\xa1\xc6\xe8h\xa8L\x16\xb1\x1a\x99\x0a\xe8S,\x92\xbb\xa1\x09\x18u\x0ce\xa8{\xcb#\xb7\x1a\xc2(\x85\xc3\x1b\xff\xd0+b\xef\xa4{\x09\x91\x98g\x8c\x14\x01\xcdh\x06jc!u\x03\x80\x88\x8an\x81\xc6\x85\xf2\xa9\xa4-\xe7\xf4\xa5$\x10G\x83\xca\xcd\xf4\x8dyX\xb1\x06\x9b\xe7\x1a*\xd9\x9d\x01\xd7\x94}\xed\x03J\xca\xf0\xdb\xe8\xa9\x01>\xf5V\x99\xc9\x1e\x8eI=\xbb\xe5\x09\xb9\xe0OI\x92=\x16\x82@\xcc\xccY\xc6\xe6:\xed\x12.i<l\x95\xb1\xfd\xaa\x1d{\x7f\x86\xbe\x1e\x0e2F\xfb\xfb\x13\x8fu\x7fL\x8bKFc\xfe\x004@p\xc1\xc3\xb9\xa1\xdd\xa6p\xe2\x04\xb3A\xbc\xe9\x80\x91\xead\x9cz\xe1"\x03\xa9\x9cno\x0eeOl\x87\x87^\xf3n\xa0\xf9u\xa5\x9b@\xe8S\xb2'\x9dJ\xb9\xc0w!\x8d\xff\x87\xf2\xde\xbc\x8c\xef\x17\xdf\xb7I\x0b\xd1\xf2n0\x0b\x1a\x0eNv\xed\x11\xfc\xf5\xe9V\xb2}\xbf\xc7m\x0a\x93\x8c\xa5\xd0\xc0\xb6\x1d\xbe:N\x94\xa2\xd7nl\x0b\xc2\x8a|\xfa \xf3\xc4\xe4\xe5\xcd\x0d\xa8\xcb\x91\x92\xb1|\x85\xec\xb5\x14if\x0e\x82\xe7\xcd\xce\xc8-\xa6Q\x7f!\xc15S\x85\x06J]\x9f\xad\xbb\x1b_t, CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US = 0\x82\x05\xde0\x82\x03\xc6\xa0\x03\x02\x01\x02\x02\x10\x01\xfdm0\xfc\xa3\xcaQ\xa8\x1b\xbcd\x0e5\x03-0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0c\x05\x000\x81\x881\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x130\x11\x06\x03U\x04\x08\x13\x0aNew Jersey1\x140\x12\x06\x03U\x04\x07\x13\x0bJersey City1\x1e0\x1c\x06\x03U\x04\x0a\x13\x15The USERTRUST Network1.0,\x06\x03U\x04\x03\x13%USERTrust RSA Certification Authority0\x1e\x17\x0d100201000000Z\x17\x0d380118235959Z0\x81\x881\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x130\x11\x06\x03U\x04\x08\x13\x0aNew Jersey1\x140\x12\x06\x03U\x04\x07\x13\x0bJersey City1\x1e0\x1c\x06\x03U\x04\x0a\x13\x15The USERTRUST Network1.0,\x06\x03U\x04\x03\x13%USERTrust RSA Certification 
Authority0\x82\x02"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x02\x0f\x000\x82\x02\x0a\x02\x82\x02\x01\x00\x80\x12e\x176\x0e\xc3\xdb\x08\xb3\xd0\xacW\x0dv\xed\xcd'\xd3L\xadP\x83a\xe2\xaa M\x09-d\x09\xdc\xce\x89\x9f\xcc=\xa9\xec\xf6\xcf\xc1\xdc\xf1\xd3\xb1\xd6{7(\x11+G\xda9\xc6\xbc:\x19\xb4_\xa6\xbd}\x9d\xa3cB\xb6v\xf2\xa9;+\x91\xf8\xe2o\xd0\xec\x16 \x90\x09>\xe2\xe8t\xc9\x18\xb4\x91\xd4bd\xdb\x7f\xa3\x06\xf1\x88\x18j\x90"<\xbc\xfe\x13\xf0\x87\x14{\xf6\xe4\x1f\x8e\xd4\xe4Q\xc6\x11gF\x08Q\xcb\x86\x14T?\xbc3\xfe~l\x9c\xff\x16\x9d\x18\xbdQ\x8e5\xa6\xa7f\xc8rg\xdb!f\xb1\xd4\x9bx\x03\xc0P:\xe8\xcc\xf0\xdc\xbc\x9eL\xfe\xaf\x05\x965\x1fWZ\xb7\xff\xce\xf9=\xb7,\xb6\xf6T\xdd\xc8\xe7\x12:M\xaeL\x8a\xb7\\x9a\xb4\xb7 =\xca\x7f"4\xae~;hf\x01D\xe7\x01NFS\x9b3`\xf7\x94\xbeS7\x90sC\xf32\xc3S\xef\xdb\xaa\xfetNi\xc7k\x8c`\x93\xde\xc4\xc7\x0c\xdf\xe12\xae\xcc\x93;Qx\x95g\x8b\xee=V\xfe\x0c\xd0i\x0f\x1b\x0f\xf3%&k3m\xf7nG\xfasC\xe5~\x0e\xa5f\xb1)|2\x84cU\x89\xc4\x0d\xc1\x93T0\x19\x13\xac\xd3}7\xa7\xeb]:l5\\xdbA\xd7\x12\xda\xa9I\x0b\xdf\xd8\x80\x8a\x09\x93b\x8e\xb5f\xcf%\x88\xcd\x84\xb8\xb1?\xa49\x0f\xd9\x02\x9e\xeb\x12L\x95|\xf3k\x05\xa9^\x16\x83\xcc\xb8g\xe2\xe8\x13\x9d\xcc[\x82\xd3L\xb3\xed[\xff\xde\xe5s\xac#;-\x00\xbf5Ut\x09I\xd8IX\x1a\x7f\x926\xe6Q\x92\x0e\xf3&}\x1cM\x17\xbc\xc9\xecC&\xd0\xbfA_@\xa9DD\xf4\x99\xe7W\x87\x9eP\x1fWT\xa8>\xfdtc/\xb1Pe\x09\xe6XB.C\x1aL\xb4\xf0%GY\xfa\x04\x1e\x93\xd4&FJP\x81\xb2\xde\xbex\xb7\xfcg\x15\xe1\xc9W\x84\x1e\x0fc\xd6\xe9b\xba\xd6_U.\xea\\xc6(\x08\x04%9\xb8\x0e+\xa9\xf2L\x97\x1c\x07?\x0dR\xf5\xed\xef/\x82\x0f\x02\x03\x01\x00\x01\xa3B0@0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14Sy\xbfZ\xaa+J\xcfT\x80\xe1\xd8\x9b\xc0\x9d\xf2\xb2\x03f\xcb0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x060\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0c\x05\x00\x03\x82\x02\x01\x00\\xd4|\x0d\xcf\xf7\x01}A\x99e\x0cs\xc5R\x9f\xcb\xf8\xcf\x99\x06\x7f\x1b\xdaC\x15\x9f\x9e\x02UW\x96\x14\xf1R<'\x87\x94(\x
ed\x1f:\x017\xa2v\xfcSP\xc0\x84\x9b\xc6kN\xba\x8c!O\xa2\x8eUb\x91\xf3i\x15\xd8\xbc\x88\xe3\xc4\xaa\x0b\xfd\xef\xa8\xe9KU*\x06 mUx)\x19\xee_0\K$\x11U\xff$\x9an^*+\xee\x0bM\x9f\x7f\xf7\x018\x94\x14\x95C\x07\x09\xfb`\xa9\xee\x1c\xab\x12\x8c\xa0\x9a^\xa7\x98jYm\x8b?\x08\xfb\xc8\xd1E\xaf\x18\x15d\x90\x12\x0fs(.\xc5\xe2$N\xfcX\xec\xf0\xf4E\xfe"\xb3\xeb/\x8e\xd2\xd9Ea\x05\xc1\x97o\xa8vr\x8f\x8b\x8c6\xaf\xbf\x0d\x05\xceq\x8d\xe6\xa6o\x1fl\xa6qb\xc5\xd8\xd0\x83r\x0c\xf1g\x11\x89\x0c\x9c\x13Lr4\xdf\xbc\xd5q\xdf\xaaq\xdd\xe1\xb9l\x8c<\x12]e\xda\xbdW\x12\xb6Ck\xff\xe5\xdeMf\x11Q\xcf\x99\xae\xec\x17\xb6\xe8q\x91\x8c\xdeI\xfe\xdd5q\xa2\x15'\x94\x1c\xcfa\xe3&\xbbo\xa3g%!]\xe6\xdd\x1d\x0b.h\x1b;\x82\xaf\xec\x83g\x85\xd4\x98Qt\xb1\xb9\x99\x80\x89\xff\x7fx\x19\yJ`.\x92@\xaeL7*,\xc9\xc7b\xc8\x0e]\xf76[\xca\xe0%%\x01\xb4\xdd\x1a\x07\x9cw\x00?\xd0\xdc\xd5\xec=\xd4\xfa\xbb?\xcc\x85\xd6o\x7f\xa9-\xdf\xb9\x02\xf7\xf5\x97\x9a\xb55\xda\xc3g\xb0\x87J\xa9(\x9e#\x8e\xff\'k\xe1\xb0O\xf3\x07\xee\x00.\xd4Y\x87\xcbRA\x95\xea\xf4G\xd7\xeedAU|\x8dY\x02\x95\xddb\x9d\xc2\xb9\xeeZ(t\x84\xa5\x9b\xb7\x90\xc7\x0c\x07\xdf\xf5\x896t2\xd6(\xc1\xb0\xb0\x0b\xe0\x9cL\xc3\x1c\xd6\xfc\xe3i\xb5GF\x81/\xa2\x82\xab\xd3cDp\xc4\x8d\xff-3\xba\xad\x8f{\xb5p\x88\xae>\x19\xcf@(\xd8\xfc\xc8\x90\xbb]\x99"\xf5R\xe6X\xc5\x1f\x881C\xee\x88\x1d\xd7\xc6\x8e<Cj\x1d\xa7\x18\xde}=\x16\xf1b\xf9\xca\x90\xa8\xfd, CN=USERTrust ECC Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US = 0\x82\x02\x8f0\x82\x02\x15\xa0\x03\x02\x01\x02\x02\x10\\x8b\x99\xc5Z\x94\xc5\xd2qV\xde\xcd\x89\x80\xcc&0\x0a\x06\x08*\x86H\xce=\x04\x03\x030\x81\x881\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x130\x11\x06\x03U\x04\x08\x13\x0aNew Jersey1\x140\x12\x06\x03U\x04\x07\x13\x0bJersey City1\x1e0\x1c\x06\x03U\x04\x0a\x13\x15The USERTRUST Network1.0,\x06\x03U\x04\x03\x13%USERTrust ECC Certification Authority0\x1e\x17\x0d100201000000Z\x17\x0d380118235959Z0\x81\x881\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x130\x11\x06\x03U\x04\x08\x13\x0aNew 
Jersey1\x140\x12\x06\x03U\x04\x07\x13\x0bJersey City1\x1e0\x1c\x06\x03U\x04\x0a\x13\x15The USERTRUST Network1.0,\x06\x03U\x04\x03\x13%USERTrust ECC Certification Authority0v0\x10\x06\x07*\x86H\xce=\x02\x01\x06\x05+\x81\x04\x00"\x03b\x00\x04\x1a\xacTZ\xa9\xf9h#\xe7z\xd5$oS\xc6Z\xd8K\xab\xc6\xd5\xb6\xd1\xe6sq\xae\xdd\x9c\xd6\x0ca\xfd\xdb\xa0\x89\x03\xb8\x05\x14\xecW\xce\xee]?\xe2!\xb3\xce\xf7\xd4\x8ay\xe0\xa3\x83~-\x97\xd0a\xc4\xf1\x99\xdc%\x91c\xab\x7f0\xa3\xb4p\xe2\xc7\xa13\x9c\xf3\xbf.\S\xb1_\xb3}2\x7f\x8a4\xe3yy\xa3B0@0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14:\xe1\x09\x86\xd4\xcf\x19\xc2\x96vtIv\xdc\xe05\xc6cc\x9a0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x060\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x0a\x06\x08*\x86H\xce=\x04\x03\x03\x03h\x000e\x0206g\xa1\x16\x08\xdc\xe4\x97\x00A\x1dN\xbe\xe1c\x01\xcf;\xaaB\x11d\xa0\x9d\x949\x02\x11y\{\x1d\xfad\xb9\xee\x16B\xb3\xbf\x8a\xc2\x09\xc4\xec\xe4\xb1M\x021\x00\xe9*aG\x8cRJKN\x18p\xf6\xd6D\xd6n\xf5\x83\xbamX\xbd$\xd9VH\xea\xef\xc4\xa2F\x81\x88j:F\xd1\xa9\x9bM\xc9a\xda\xd1]Wj\x18, CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R5 = 0\x82\x02\x1e0\x82\x01\xa4\xa0\x03\x02\x01\x02\x02\x11`YI\xe0&.\xbbU\xf9\x0aw\x8aq\xf9J\xd8l0\x0a\x06\x08*\x86H\xce=\x04\x03\x030P1$0"\x06\x03U\x04\x0b\x13\x1bGlobalSign ECC Root CA - R51\x130\x11\x06\x03U\x04\x0a\x13\x0aGlobalSign1\x130\x11\x06\x03U\x04\x03\x13\x0aGlobalSign0\x1e\x17\x0d121113000000Z\x17\x0d380119031407Z0P1$0"\x06\x03U\x04\x0b\x13\x1bGlobalSign ECC Root CA - 
R51\x130\x11\x06\x03U\x04\x0a\x13\x0aGlobalSign1\x130\x11\x06\x03U\x04\x03\x13\x0aGlobalSign0v0\x10\x06\x07*\x86H\xce=\x02\x01\x06\x05+\x81\x04\x00"\x03b\x00\x04GE\x0e\x96\xfb}]\xbf\xe99\xd1!\xf8\x9f\x0b\xb6\xd5{\x1e\x92:HY\x1c\xf0b1-\xc0z(\xfe\x1a\xa7\\xb3\xb6\xcc\x97\xe7E\xd4X\xfa\xd1wmC\xa2\xc0\x87e4\x0a\x1fz\xdd\xeb<3\xa1\xc5\x9dM\xa4oA\x958\x7f\xc9\x1e\x84\xeb\xd1\x9eI\x92\x87\x94\x87\x0c:\x85Jf\x9f\x9dY\x93M\x97a\x06\x86J\xa3B0@0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x060\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14=\xe6)H\x9b\xea\x07\xca!DJ&\xden\xde\xd2\x83\xd0\x9fY0\x0a\x06\x08*\x86H\xce=\x04\x03\x03\x03h\x000e\x021\x00\xe5i\x12\xc9n\xdb\xc61\xba\x09A\xe1\x97\xf8\xfb\xfd\x9a\xe2}\x12\xc9\xed|d\xd3\xcb\x05%\x8bV\xd9\xa0\xe7^]N\x0b\x83\x9c[v)\xa0\x09&!jb\x020q\xd2\xb5\x8f\\xea;\xe1x\x09\x85\xa8u\x92;\xc8\\xfdH\xef\x0dt"\xa8\x08\xe2n\xc5I\xce\xc7\x0c\xbc\xa7ai\xf1\xf7;\xe1*\xcb\xf9+\xf3f\x907, CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL = 0\x82\x05p0\x82\x03X\xa0\x03\x02\x01\x02\x02\x04\x00\x98\x96\x8d0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000X1\x0b0\x09\x06\x03U\x04\x06\x13\x02NL1\x1e0\x1c\x06\x03U\x04\x0a\x0c\x15Staat der Nederlanden1)0'\x06\x03U\x04\x03\x0c Staat der Nederlanden EV Root CA0\x1e\x17\x0d101208111929Z\x17\x0d221208111028Z0X1\x0b0\x09\x06\x03U\x04\x06\x13\x02NL1\x1e0\x1c\x06\x03U\x04\x0a\x0c\x15Staat der Nederlanden1)0'\x06\x03U\x04\x03\x0c Staat der Nederlanden EV Root 
CA0\x82\x02"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x02\x0f\x000\x82\x02\x0a\x02\x82\x02\x01\x00\xe3\xc7~\x89\xf9$K:\xd23\x835,i\xec\xdc\x09\xa4\xe3Q\xa8%+y\xb8\x08=\xe0\x91\xba\x84\x85\xc6\x85\xa4\xca\xe6\xc9.S\xa4\xc9$\x1e\xfdUfq],\xc5`h\x04\xb7\xd9\xc2R&8\x88\xa4\xd6;@\xa6\xc2\xcd?\xcd\x98\x93\xb3T\x14X\x96U\xd5P\xfe\x86\xad\xa4c\x7f\\x87\xf6\x8e\xe6'\x92g\x17\x92\x02\x03,\xdc\xd6ft\xed\xddg\xff\xc1a\x8dcO\x0f\x9bm\x170&\xef\xab\xd2\x1f\x10\xa0\xf9\xc5\x7f\x16i\x81\x03G\xed\x1eh\x8dr\xa1M\xb2&\xc6\xbal_m\xd6\xaf\xd1\xb1\x13\x8e\xa9\xad\xf3^iu&\x18>A+!\x7f\xee\x8b]\x07\x06\x9dC\xc4)\x0a+\xfc*>\x86\xcb<\x83:\xf9\xc9\x0d\xda\xc5\x99\xe2\xbcxA3v\xe1\xbf/]\xe5\xa4\x98P\x0c\x15\xdd\xe0\xfa\x9c\x7f8h\xd0\xb2\xa6z\xa7\xd11\xbd~\x8aX'C\xb3\xba3\x91\xd3\xa7\x98\x15\\x9a\xe6\xd3\x0fu\xd9\xfcA\x98\x97>\xaa%\xdb\x8f\x92.\xb0{\x0c_\xf1c\xa97\xf9\x9buiL(&%\xda\xd5\xf2\x12pEU\xe3\xdfs^7\xf5!l\x90\x8e5Z\xc9\xd3#\xeb\xd3\xc0\xbex\xacB(Xf\xa5Fmp\x02\xd7\x10\xf9KT\xfc]\x86J\x87\xcf\x7f\xcaE\xac\x11Z\xb5 
Q\x8d/\x88G\x979\xc0\xcf\xba\xc0B\x01@\x99H!\x0bk\xa7\xd2\xfd\x96\xd5\xd1\xbeF\x9dI\xe0\x0b\xa6\xa0"N8\xd0\xc1<0\xbcp\x8f,u\xcc\xd0\xc5\x8cQ;=\x94\x08d&a}\xb9\xc3e\x8f\x14\x9c!\xd0\xaa\xfd\x17r\x03\x8f\xbd\x9b\x8c\xe6^S\x9e\xb9\x9d\xef\x82\xbb\xe1\xbc\xe2rA[!\x94\xd3E7\x94\xd1\xdf\x099]\xe7#\xaa\x9a\x1d\xcam\xa8\x0a\x86\x85\x8a\x82\xbeB\x07\xd6\xf28\x82s\xda\x87[\xe5<\xd3\x9e>\xa7;\x9e\xf4\x03\xb3\xf9\xf1}\x13t\x02\xff\xbb\xa1\xe5\xfa\x00y\x1c\xa6fA\x88\`W\xa6.\x09\xc4\xba\xfd\x9a\xcf\xa7\x1f@\xc3\xbb\xccZ\x0aUK;8vQ\xb8c\x8b\x84\x94\x16\xe6V\xf3\x02\x03\x01\x00\x01\xa3B0@0\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x060\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xfe\xab\x00\x90\x98\x9e$\xfc\xa9\xcc\x1a\x8a\xfb'\xb8\xbf0n\xa8;0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x02\x01\x00\xcfw,nV\xbeN\xb3\xb6\x84\x00\x94\xabG\xc9\x0d\xd2v\xc7\x86\x9f\x1d\x07\xd3\xb6\xb4\xbb\x08x\xafi\xd2\x0bI\xde3\xc5\xac\xad\xc2\x88\x02}\x06\xb75\x02\xc1`\xc9\xbf\xc4\xe8\x94\xde\xd4\xd3\xa9\x13%Z\xfen\xa2\xae}\x05\xdc}\xf3l\xf0~\xa6\x8d\xee\xd9\xd7\xceX\x17\xe8\xa9)\xaesH\x87\xe7\x9b\xcan)\xa1d_\x19\x13\xf7\xae\x06\x10\xffQ\xc6\x9bMU%O\x93\x99\x10\x01Su\xf1\x13\xce\xc7\xa6AA\xd2\xbf\x88\xa5\x7fE\xfc\xac\xb8\xa5\xb53\x0c\x82\xc4\xfb\x07\xf6j\xe5%\x84_\x06\xca\xc1\x869\x11\xdbX\xcdw;,\xc2L\x0f^\x9a\xe3\xf0\xab>a\x1bP$\xc2\xc0\xf4\xf1\x19\xf0\x11)\xb6\xa5\x18\x02\x9b\xd7cLp\x8cG\xa3\x03C\\xb9]F\xa0\x0do\xffY\x8e\xbe\xdd\x9fr\xc3[+\xdf\x8c[\xce\xe5\x0cFl\x92\xb2\x0a\xa3LTB\x18\x15\x12\x18\xbd\xda\xfc\xbatn\xff\xc1\xb6\xa0d\xd8\xa9_U\xae\x9f\jv\x96\xd8sg\x87\xfbM\x7f\\xeei\xcas\x10\xfb\x8a\xa9\xfd\x9e\xbd68II\x87\xf4\x0e\x14\xf0\xe9\x87\xb8?\xa7OzZ\x8ey\xd4\x93\xe4\xbbhR\x84\xacl\xe9\xf3\x98pUr2\xf94\xab+I\xb5\xcd 
b\xe4:zgc\xab\x96\xdcm\xae\x97\xec\xfc\x9fvV\x88.f\xcf[\xb6\xc9\xa4\xb0\xd7\x05\xba\xe1'/\x93\xbb&*\xa2\x93\xb0\x1b\xf3\x8e\xbe\x1d@\xa3\xb96\x8f>\x82\x1a\x1a^\x88\xeaP\xf8Y\xe2\x83F)\x0b\xe3D\\xe1\x95\xb6i\x90\x9a\x14o\x97\xae\x81\xcfh\xef\x99\x9a\xbe\xb5\xe7\xe1\x7f\xf8\xfa\x13G\x16L\xccm\x08@\xe7\x8bxoP\x82DP?f\x06\x8a\xabC\x84VJ\x0f -\x86\x0e\xf5\xd2\xdb\xd2z\x8aK\xcd\xa5\xe8N\xf1^&%\x01Y#\xa0~\xd2\xf6~!W\xd7'\xbc\x15WL\xa4F\xc1\xe0\x83\x1e\x0cLM\x1fO\x06\x19\xe2\xf9\xa8\xf4:\x82\xa1\xb2yCy\xd6\xadoz'\x90\x03\xa4\xea$\x87?\xd9\xbd\xd9\xe9\xf2_PI\x1c\xee\xec\xd7., CN=IdenTrust Commercial Root CA 1,O=IdenTrust,C=US = 0\x82\x05`0\x82\x03H\xa0\x03\x02\x01\x02\x02\x10\x0a\x01B\x80\x00\x00\x01E#\xc8D\xb5\x00\x00\x00\x020\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000J1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x120\x10\x06\x03U\x04\x0a\x13\x09IdenTrust1'0%\x06\x03U\x04\x03\x13\x1eIdenTrust Commercial Root CA 10\x1e\x17\x0d140116181223Z\x17\x0d340116181223Z0J1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x120\x10\x06\x03U\x04\x0a\x13\x09IdenTrust1'0%\x06\x03U\x04\x03\x13\x1eIdenTrust Commercial Root CA 
10\x82\x02"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x02\x0f\x000\x82\x02\x0a\x02\x82\x02\x01\x00\xa7P\x19\xde?\x99=\xd43F\xf1oQa\x82\xb2\xa9O\x8fg\x89]\x84\xd9S\xdd\x0c(\xd9\xd7\xf0\xff\xae\x95Cr\x99\xf9\xb5]|\x8a\xc1B\xe11Pt\xd1\x81\x0d|\xcd\x9b!\xabC\xe2\xac\xad^\x86n\xf3\x09\x8a\x1fZ2\xbd\xa2\xeb\x94\xf9\xe8\\x0a\xec\xff\x98\xd2\xafq\xb3\xb4S\x9fN\x87\xef\x92\xbc\xbd\xecO20\x88K\x17^W\xc4S\xc2\xf6\x02\x97\x8d\xd9b+\xbf$\x1fb\x8d\xdf\xc3\xb8)KIx<\x93`\x88"\xfc\x99\xda6\xc8\xc2\xa2\xd4,T\x00g5ns\xbf\x02X\xf0\xa4\xdd\xe5\xb0\xa2&z\xca\xe06\xa5\x19\x16\xf5\xfd\xb7\xef\xae?@\xf5mZ\x04\xfd\xce4\xca$\xdct#\x1b]3\x13\x12]\xc4\x01%\xf60\xdd\x02]\x9f\xe0\xd5G\xbd\xb4\xeb\x1b\xa1\xbbII\xd8\x9f[\x02\xf3\x8a\xe4$\x90\xe4bOO\xc1\xaf\x8b\x0et\x17\xa8\xd1r\x88jz\x01I\xcc\xb4Fy\xc6\x17\xb1\xda\x98\x1e\x07Y\xfau!\x85e\xdd\x90V\xce\xfb\xab\xa5`\x9d\xc4\x9d\xf9R\xb0\x8b\xbd\x87\xf9\x8f+#\x0a#v;\xf73\xe1\xc9\x00\xf3i\xf9K\xa2\xe0N\xbc~\x939\x84\x07\xf7Dp~\xfe\x07Z\xe5\xb1\xac\xd1\x18\xcc\xf25\xe5II\x08\xcaV\xc9=\xfb\x0f\x18}\x8b;\xc1\x13\xc2M\x8f\xc9O\x0e7\xe9\x1f\xa1\x0ej\xdfb.\xcb5\x06Qy,\xc8%8\xf4\xfaK\xa7\x89\\x9c\xd2\xe3\x0d9\x86Jt|\xd5Y\x87\xc2?N\x0c\R\xf4=\xf7R\x82\xf1\xea\xa3\xac\xfdI4\x1a(\xf3A\x88:\x13\xee\xe8\xde\xff\x99\x1d_\xba\xcb\xe8\x1e\xf2\xb9P`\xc01\xd3s\xe5\xef\xbe\xa0\xed3\x0bt\xbe  
\xc4gl\xf0\x08\x03zU\x80\x7fFN\x96\xa7\xf4\x1e>\xe1\xf6\xd8\x09\xe13d+c\xd72^\x9f\xf9\xc0{\x0fxo\x97\xbc\x93\x9a\xf9\x9c\x12\x90xz\x80\x87\x15\xd7rt\x9cUtx\xb1\xba\xe1np\x04\xbaO\xa0\xbah\xc3{\xff1\xf0s==\x94*\xb1\x0bA\x0e\xa0\xfeM\x88eky3\xb4\xd7\x02\x03\x01\x00\x01\xa3B0@0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x060\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xedD\x19\xc0\xd3\xf0\x06\x8b\xee\xa4{\xbeB\xe7&T\xc8\x8e6v0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x02\x01\x00\x0d\xae\x902\xf6\xa6K|Dv\x19a\x1e'(\xcd^T\xef%\xbc\xe3\x08\x90\xf9)\xd7\xaeh\x08\xe1\x94\x00X\xef..~SR\x8c\xb6\\x07\xea\x88\xba\x99\x8bP\x94\xd7\x82\x80\xdfa\x09\x00\x93\xad\x0d\x14\xe6\xce\xc1\xf27\x94x\xb0_\x9c\xb3\xa2s\xb8\x8f\x05\x938\xcd\x8d>\xb0\xb8\xfb\xc0\xcf\xb1\xf2\xec--\x1b\xcc\xec\xaa\x9a\xb3\xaa`\x82\x1b-;\xc3\x84=W\x8a\x96\x1e\x9cu\xb8\xd30\xcd`\x08\x83\x90\xd3\x8eT\xf1Mf\xc0]t\x03@\xa3\xee\x85~\xc2\x1fw\x9c\x06\xe8\xc1\xa7\x18]R\x95\xed\xc9\xdd%\x9em\xfa\xa9\xed\xa3:4\xd0Y{\xda\xedP\xf35\xbf\xed\xeb\x14M1\xc7`\xf4\xda\xf1\x87\x9c\xe2H\xe2\xc6\xc57\xfb\x06\x10\xfauYf1G)\xdav\x9a\x1c\xe9\x82\xae\xef\x9a\xb9Q\xf7\x88#\x9ai\x95b<\xe5U\x806\xd7T\x02\xff\xf1\xb9]\xce\xd4#o\xd8E\x84J[e\xef\x89\x0c\xdd\x14\xa7 \xcb\x18\xa5%\xb4\x0d\xf9\x01\xf0\xa2\xd2\xf4\x00\xc8t\x8e\xa1*H\x8ee\xdb\x13\xc4\xe2%\x17}\xeb\xbe\x87[\x17 
TQ\x93JS\x03\x0b\xec]\xca3\xedb\xfdE\xc7/[\xdcX\xa0\x809\xe6\xfa\xd7\xfe\x13\x14\xa6\xed=\x94JBt\xd4\xc3wYs\xcd\x8fF\xbeU8\xef\xfa\xe8\x912\xea\x97X\x04"\xde8\xc3\xcc\xbcm\xc93:j\x0ai?\xa0\xc8\xear\x8f\x8cc\x86#\xbdm<\x96\x9e\x95\xe0IL\xaa\xa2\xb9*\x1b\x9c6\x81x\xed\xc3\xe8F\xe2&YDu\x1e\xd9u\x89Q\xcd\x10\x84\x9da`\xcb]\xf9\x97"M\x8e\x98\xe6\xe3\x7f\xf6[\xbb\xae\xcd\xcaJ\x81k^\x0b\xf3Q\xe1t+\xe9~'\xa7\xd9\x99IN\xf8\xa5\x80\xdb%\x0f\x1ccb\x8a\xc93gk<\x10\x83\xc6\xad\xde\xa8\xcd\x16\x8e\x8d\xf0\x077q\x9f\xf2\xab\xfcA\xf5\xc1\x8b\xec\x007]\x09\xe5N\x80\xef\xfa\xb1\8\x06\xa5\x1bJ\xe1\xdc8-<\xdc\xab\x1f\x90\x1a\xd5J\x9c\xee\xd1pl\xcc\xee\xf4W\xf8\x18\xba\x84n\x87, CN=IdenTrust Public Sector Root CA 1,O=IdenTrust,C=US = 0\x82\x05f0\x82\x03N\xa0\x03\x02\x01\x02\x02\x10\x0a\x01B\x80\x00\x00\x01E#\xcfF|\x00\x00\x00\x020\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000M1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x120\x10\x06\x03U\x04\x0a\x13\x09IdenTrust1*0(\x06\x03U\x04\x03\x13!IdenTrust Public Sector Root CA 10\x1e\x17\x0d140116175332Z\x17\x0d340116175332Z0M1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x120\x10\x06\x03U\x04\x0a\x13\x09IdenTrust1*0(\x06\x03U\x04\x03\x13!IdenTrust Public Sector Root CA 10\x82\x02"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x02\x0f\x000\x82\x02\x0a\x02\x82\x02\x01\x00\xb6"\x94\xfc\xa4H\xaf\xe8Gk\x0a\xfb'v\xe4\xf2?\x8a;zJ,1*\x8c\x8d\xb0\xa9\xc31k\xa8wv\x84&\xb6\xac\x81B\x0d\x08\xebUX\xbbz\xf8\xbce}\xf2\xa0m\x8b\xa8G\xe9bv\x1e\x11\xee\x08\x14\xd1\xb2D\x16\xf4\xea\xd0\xfa\x1e/^\xdb\xcbsA\xae\xbc\x00\xb0J+@\xb2\xac\xe1;K\xc2-\x9d\xe4\xa1\x9b\xec\x1a:\x1e\xf0\x08\xb3\xd0\xe4$5\x07\x9f\x9c\xb4\xc9Rm\xdb\x07\xca\x8f\xb5[\xf0\x83\xf3O\xc7-\xa5\xc8\xad\xcb\x95 \xa41(WXZ\xe4\x8d\x1b\x9a\xab\x9e\x0d\x0c\xf2\x0a39"9\x0a\x97.\xf3Sw\xb9DE\xfd\x84\xcb6 
\x81Y-\x9aomHHa\xcaL\xdfS\xd1\xafR\xbcD\x9f\xab/k\x83r\xefu\x80\xda\x063\x1b]\xc8\xdac\xc6M\xcd\xacf1\xcd\xd1\xde>\x87\x106\xe1\xb9\xa4z\xef`P\xb2\xcb\xca\xa6V\xe07\xaf\xab4\x139%\xe89f\xe4\x98z\xaa\x12\x98\x9cYf\x86>\xad\xf1\xb0\xca>\x06\x0f{\xf0\x11K7\xa0Dm{\xcb\xa8\x8cq\xf4\xd5\xb5\x916\xcc\xf0\x15\xc6+\xdeQ\x17\xb1\x97LP=\xb1\x95Y|\x05}-!\xd5\x00\xbf\x01g\xa2^{\xa6\\xf2\xf7"\xf1\x90\x0d\x93\xdb\xaaDQf\xcc}v\x03\xebj\xa8*8\x19\x97v\x0dk\x8aa\xf9\xbc\xf6\xeev\xfdp+\xdd)<\xf8\x0a\x1e[B\x1c\x8bV/U\x1b\x1c\xa1.\xb5\xc7\x16\xe6\xf8\xaa<\x92\x8ei\xb6\x01\xc1\xb5\x86\x9d\x89\x0f\x0b8\x94T\xe8\xea\xdc\x9e=%\xbcS&\xed\xd5\xab9\xaa\xc5@LT\xab\xb2\xb4\xd9\xd9\xf8\xd7r\xdb\x1c\xbcm\xbde_\xef\x885*f/\xee\xf6\xb3e\xf03\x8d|\x98AiF\x0fC\x1ci\xfa\x9b\xb5\xd0aj\xcd\xcaK\xd9L\x90F\xab\x15Y\xa1GT).\x83(_\x1c\xc2\xa2\xabr\x17\x00\x06\x8eE\xec\x8b\xe23=\x7f\xda\x19D\xe4br\xc3\xdf"\xc6\xf2V\xd4\xdd_\x95r\xedm_\xf7H\x03[\xfd\xc5*\xa0\xf6s#\x84\x10\x1b\x01\xe7\x02\x03\x01\x00\x01\xa3B0@0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x060\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xe3q\xe0\x9e\xd8\xa7B\xd9\xdbq\x91k\x94\x93\xeb\xc3\xa3\xd1\x14\xa30\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x02\x01\x00G\xfa\xdd\x0a\xb0\x11\x918\xadM]\xf7\xe5\x0e\x97T\x19\x82H\x87T\x8c\xaad\x99\xd8Z\xfe\x88\x01\xc5X\xa5\x99\xb1#T#\xb7j\x1d 
W\xe5\x01bA\x17\xd3\x09\xdbu\xcbnT\x90u\xfe\x1a\x9f\x81\x0a\xc2\xdd\xd7\xf7\x09\xd0[r\x15\xe4\x1e\x09j=3\xf3!\x9a\xe6\x15~\xadQ\xd5\x0d\x10\xed}B\xc0\x8f\xee\xc0\x9a\x08\xd5A\xd6\\x0e!in\x80a\x0e\x15\xc0\xb8\xcf\xc5I\x12R\xcc\xbe:\xcc\xd4.8\x05\xde5\xfd\x1fo\xb8\x80h\x98=M\xa0\xca@e\xd2s|\xf5\x8b\xd9\x0a\x95?\xd8?#m\x1a\xd1*$\x19\xd9\x85\xb3\x17\xefxn\xa9X\xd1#\xd3\xc7\x13\xedr%\x7f]\xb1sp\xd0\x7f\x06\x97\x09\x84)\x80a\x1d\xfa^\xffs\xac\xa0\xe3\x89\xb8\x1cq\x15\xc6\xde1\x7f\x12\xdc\xe1m\x9b\xaf\xe7\xe8\x9fuxL\xabF;\x9a\xce\xbf\x05\x18]M\x15<\x16\x9a\x19P\x04\x9a\xb2\x9aoe\x8bR_<X\x04(%\xc0fa1~\xb9\xe0u\xb9\x1a\xa8\x81\xd6r\x17\xb3\xc5\x0315\x11xx\xa2\xe0\xe90\x8c\x7f\x80\xdfX\xdf<\xba'\x96\xe2\x804m\xe3\x98\xd3d'\xacH~(w\\xc6%a%\xf8\x85\x0ce\xfa\xc42/\xa5\x98\x05\xe4\xf8\x0bg\x16\x16\xc6\x82\xb82\x19\xf9\xf9\xb9y\xdc\x1f\xcd\xeb\xaf\xab\x0e\xdd\x1b\xdbE\xe4z\xe7\x02\xe2\x95]\xfci\xf0Sia\x95uy\x0b^U\xe68\x1c\x94\xa9Y3\x9e\xc8qty\x7fQ\x89\xb6\xc8j\xb80\xc8j8\xc3n\x9e\xe17\x16\xea\x05bL[\x12G\xed\xa7\xb4\xb3XV\xc7I\xf3\x7f\x12h\x091q\xf0m\xf8NG\xfb\xd6\x85\xee\xc5X@\x19\xa4\x1d\xa7\xf9KC7\xdchZO\xcf\xeb\xc2dt\xde\xb4\x15\xd9\xf4TT\x1a/\x1c\xd7\x97qT\x90\x8e\xd9 \x9dS+\x7f\xab\x8f\xe2\xea0\xbcP7\xef\xf1G\xb5}|,\x04\xech\x9d\xb4ID\x10\xf4rK\x1cd\xe7\xfc\xe6k\x90\xddi}i\xfd\x00V\xa5\xb7\xac\xb6\xad\xb7\xca>\x01\xef\x9c, CN=Entrust Root Certification Authority - G2,OU=(c) 2009 Entrust, Inc. - for authorized use only,OU=See www.entrust.net/legal-terms,O=Entrust, Inc.,C=US = 0\x82\x04>0\x82\x03&\xa0\x03\x02\x01\x02\x02\x04JS\x8c(0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000\x81\xbe1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dEntrust, Inc.1(0&\x06\x03U\x04\x0b\x13\x1fSee www.entrust.net/legal-terms1907\x06\x03U\x04\x0b\x130(c) 2009 Entrust, Inc. 
- for authorized use only1200\x06\x03U\x04\x03\x13)Entrust Root Certification Authority - G20\x1e\x17\x0d090707172554Z\x17\x0d301207175554Z0\x81\xbe1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dEntrust, Inc.1(0&\x06\x03U\x04\x0b\x13\x1fSee www.entrust.net/legal-terms1907\x06\x03U\x04\x0b\x130(c) 2009 Entrust, Inc. - for authorized use only1200\x06\x03U\x04\x03\x13)Entrust Root Certification Authority - G20\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xba\x84\xb6r\xdb\x9e\x0ck\xe2\x99\xe90\x01\xa7v\xea2\xb8\x95A\x1a\xc9\xdaaNXr\xcf\xfe\xf6\x82y\xbfsa\x06\x0a\xa5'\xd8\xb3_\xd3EN\x1cr\xd6N2\xf2r\x8a\x0f\xf7\x83\x19\xd0j\x80\x80\x00E\x1e\xb0\xc7\xe7\x9a\xbf\x12W'\x1c\xa3h/\x0a\x87\xbdjk\x0e^e\xf3\x1cw\xd5\xd4\x85\x8dp!\xb4\xb32\xe7\x8b\xa2\xd5\x869\x02\xb1\xb8\xd2G\xce\xe4\xc9I\xc4;\xa7\xde\xfbT}W\xbe\xf0\xe8n\xc2y\xb2:\x0bU\xe2P\x98\x162\x13\/xV\xc1\xc2\x94\xb3\xf2Z\xe4'\x9a\x9f$\xd7\xc6\xec\xd0\x9b%\x82\xe3\xcc\xc2\xc4E\xc5\x8c\x97z\x06k*\x11\x9f\xa9\x0anH;o\xdb\xd4\x11\x19B\xf7\x8f\x07\xbf\xf5S_\x9c>\xf4\x17,\xe6i\xacN2Lbw\xea\xb7\xe8\xe5\xbb4\xbc\x19\x8b\xae\x9cQ\xe7\xb7~\xb5S\xb13"\xe5m\xcfp<\x1a\xfa\xe2\x9bg\xb6\x83\xf4\x8d\xa5\xafbLM\xe0X\xacd4\x12\x03\xf8\xb6\x8d\x94c$\xa4q\x02\x03\x01\x00\x01\xa3B0@0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x060\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14jr&z\xd0\x1e\xef}\xe7;iQ\xd4l\x8d\x9f\x90\x12f\xab0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00y\x9f\x1d\x96\xc6\xb6y?"\x8d\x87\xd3\x87\x03\x04`jk\x9a.Y\x89s\x11\xacC\xd1\xf5\x13\xff\x8d9+\xc0\xf2\xbdOp\x8c\xa9/\xea\x17\xc4\x0bT\x9e\xd4\x1b\x96\x983<\xa8\xadb\xa2\x00v\xabYin\x06\x1d~\xc4\xb9D\x8d\x98\xaf\x12\xd4a\xdb\x0a\x19FG\xf3\xeb\xf7c\xc1@\x05@\xa5\xd2\xb7\xf4\xb5\x9a6\xbf\xa9\x88v\x88\x04U\x04+\x9c\x87\x7f\x1a7<~-\xa5\x1a\xd8\xd4\x89^\xca\xbd\xac=l\xd8m\xaf\xd5\xf3v\x0f\xcd;\x888"\x9dl\x93\x
9a\xc4=\xbf\x82\x1be?\xa6\x0f]\xaa\xfc\xe5\xb2\x15\xca\xb5\xad\xc6\xbc=\xd0\x84\xe8\xea\x06r\xb0M92x\xbf>\x11\x9c\x0b\xa4\x9d\x9a!\xf3\xf0\x9b\x0b0x\xdb\xc1\xdc\x87C\xfe\xbcc\x9a\xca\xc5\xc2\x1c\xc9\xc7\x8d\xff;\x12X\x08\xe6\xb6=\xecz,N\xfb\x83\x96\xce\x0c<i\x87Ts\xa4s\xc2\x93\xffQ\x10\xac\x15T\x01\xd8\xfc\x05\xb1\x89\xa1\x7ft\x83\x9aI\xd7\xdcN{\x8aHo\x8bE\xf6, CN=Entrust Root Certification Authority - EC1,OU=(c) 2012 Entrust, Inc. - for authorized use only,OU=See www.entrust.net/legal-terms,O=Entrust, Inc.,C=US = 0\x82\x02\xf90\x82\x02\x80\xa0\x03\x02\x01\x02\x02\x0d\x00\xa6\x8by)\x00\x00\x00\x00P\xd0\x91\xf90\x0a\x06\x08*\x86H\xce=\x04\x03\x030\x81\xbf1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dEntrust, Inc.1(0&\x06\x03U\x04\x0b\x13\x1fSee www.entrust.net/legal-terms1907\x06\x03U\x04\x0b\x130(c) 2012 Entrust, Inc. - for authorized use only1301\x06\x03U\x04\x03\x13*Entrust Root Certification Authority - EC10\x1e\x17\x0d121218152536Z\x17\x0d371218155536Z0\x81\xbf1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dEntrust, Inc.1(0&\x06\x03U\x04\x0b\x13\x1fSee www.entrust.net/legal-terms1907\x06\x03U\x04\x0b\x130(c) 2012 Entrust, Inc. 
- for authorized use only1301\x06\x03U\x04\x03\x13*Entrust Root Certification Authority - EC10v0\x10\x06\x07*\x86H\xce=\x02\x01\x06\x05+\x81\x04\x00"\x03b\x00\x04\x84\x13\xc9\xd0\xbamA{\xe2l\xd0\xebU_f\x02\x1a$\xf4[\x89iG\xe3\xb8\xc2}\xf1\xf2\x02\xc5\x9f\xa0\xf6[\xd5\x8b\x06\x19\x86OS\x10m\x07$'\xa1\xa0\xf8\xd5G\x19aL}\xca\x93'\xeat\x0c\xefo\x96\x09\xfec\xecp]6\xadgw\xae\xc9\x9d|UD:\xa2cQ\x1f\xf5\xe3b\xd4\xa9G\x07>\xcc \xa3B0@0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x060\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xb7c\xe7\x1a\xdd\x8d\xe9\x08\xa6U\x83\xa4\xe0jPAe\x11BI0\x0a\x06\x08*\x86H\xce=\x04\x03\x03\x03g\x000d\x020ay\xd8\xe5BG\xdf\x1c\xaeS\x99\x17\xb6o\x1c}\xe1\xbf\x11\x94\xd1\x03\x88u\xe4\x8d\x89\xa4\x8awF\xdema\xef\x02\xf5\xfb\xb5\xdf\xcc\xfeN\xff\xfe\xa9\xe6\xa7\x020[\x99\xd7\x857\x06\xb5{\x08\xfd\xeb'\x8bJ\x94\xf9\xe1\xfa\xa7\x8e&\x08\xe8|\x92hms\xd8o&\xac!\x02\xb8\x99\xb7&A[%`\xae\xd0H\x1a\xee\x06, CN=CFCA EV ROOT,O=China Financial Certification Authority,C=CN = 0\x82\x05\x8d0\x82\x03u\xa0\x03\x02\x01\x02\x02\x04\x18J\xcc\xd60\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000V1\x0b0\x09\x06\x03U\x04\x06\x13\x02CN100.\x06\x03U\x04\x0a\x0c'China Financial Certification Authority1\x150\x13\x06\x03U\x04\x03\x0c\x0cCFCA EV ROOT0\x1e\x17\x0d120808030701Z\x17\x0d291231030701Z0V1\x0b0\x09\x06\x03U\x04\x06\x13\x02CN100.\x06\x03U\x04\x0a\x0c'China Financial Certification Authority1\x150\x13\x06\x03U\x04\x03\x0c\x0cCFCA EV 
ROOT0\x82\x02"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x02\x0f\x000\x82\x02\x0a\x02\x82\x02\x01\x00\xd7]k\xcd\x10?\x1f\x05Y\xd5\x05M7\xb1\x0e\xec\x98+\x8e\x15\x1d\xfa\x93K\x17\x82!q\x10R\xd7Qdp\x16\xc2UiM\x8e\x15m\x9f\xbf\x0c\x1b\xc2\xe0\xa3g\xd6\x0c\xac\xcf"\xae\xafwT*KL\x8aSRz\xc3\xee.\xde\xb3q%\xc1\xe9]=\xee\xa1/\xa3\xf7*<\xc9#\x1dj\xab\x1d\xa1\xa7\xf1\xf3\xec\xa0\xd5D\xcf\x15\xcfr/\x1dc\x97\xe8\x99\xf9\xfd\x93\xa4T\x80LR\xd4R\xab.I\xdf\x90\xcd\xb8_\xbe?\xde\xa1\xcaM \xd4%\xe8\x84)S\xb7\xb1\x88\x1f\xff\xfa\xda\x90\x9f\x0a\xa9-A?\xb1\xf1\x18)\xee\x16Y,4I\x1a\xa8\x06\xd7\xa8\x88\xd2\x03rz2\xe2\xeahMn,\x96e{\xcaY\xfa\xf2\xe2\xdd\xee0,\xfb\xccF\xac\xc4c\xebo\x7f6+4s\x12\x94\x7f\xdf\xcc&\x9e\xf1r]PeY\x8fi\xb3\x87^2o\xc3\x18\x8a\xb5\x95\x8f\xb0z7\xdeZE;\xc76\xe1\xefg\xd19\xd3\x97[sb\x19H-\x87\x1c\x06\xfbt\x98 Is\xf0\x05\xd2\x1b\xb1\xa0\xa3\xb7\x1bp\xd3\x88i\xb9Z\xd68\xf4b\xdc%\x8bx\xbf\xf8\xe8~\xb8\\xc9\x95O_\xa7-\xb9 k\xcfk\xdd\xf5\x0d\xf4\x82\xb7\xf4\xb2f.\x10(\xf6\x97Z{\x96\x16\x8f\x01\x19-ln\x7f9X\x06d\x83\x01\x83\x83\xc3M\x92\xdd2\xc6\x87\xa47\xe9\x16\xce\xaa-h\xaf\x0a\x81e:p\xc1\x9b\xadMmT\xca*-K\x85\x1b\xb3\x80\xe6pE\x0dk^5\xf0\x7f;\xb8\x9c\xe4\x04p\x89\x12%\x93\xda\x0a\x99"`jc`Nv\x06\x98N\xbd\x83\xad\x1dX\x8a%\x85\xd2\xc7e\x1e-\x8e\xc6\xdf\xb6\xc6\xe1\x7f\x8a\x04!\x15)t\xf0>\x9c\x90\x9d\x0c.\xf1\x8a>Z\xaa\x0c\x09\x1e\xc7\xd5<\xa3\xed\x97\xc3\x1e4\xfa8\xf9\x08\x0e\xe3\xc0]+\x83\xd1Vj\xc9\xb6\xa8TS.x2g=\x82\x7ft\xd0\xfb\xe1\xb6\x05`\xb9p\xdb\x8e\x0b\xf9\x13Xoq`\x10R\x10\xb9\xc1A\x09\xefr\x1fg1x\xff\x96\x05\x8d\x02\x03\x01\x00\x01\xa3c0a0\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xe3\xfe-\xfd(\xd0\x0b\xb5\xba\xb6\xa2\xc4\xbf\x06\xaa\x05\x8c\x93\xfb/0\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x060\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xe3\xfe-\xfd(\xd0\x0b\xb5\xba\xb6\xa2\xc4\xbf\x06\xaa\x05\x8c\x93\xfb/0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x02\x01\x00%\xc6\xb
ak\xeb\x87\xcb\xde\x829\x96=\xf0D\xa7k\x84s\x03\xde\x9d+O\xba \x7f\xbcx\xb2\xcf\x97\xb0\x1b\x9c\xf3\xd7y.\xf5H\xb6\xd2\xfb\x17\x88\xe6\xd3z?\xedS\x13\xd0\xe2/jy\xcb\x00#(\xe6\x1e7W5\x89\x84\xc2vO46\xadg\xc3\xceA\x06\x88\xc5\xf7\xee\xd8\x1a\xb8\xd6\x0b\x7fP\xff\x93\xaa\x17K\x8c\xec\xedR`\xb2\xa4\x06\xeaN\xeb\xf4k\x19\xfd\xeb\xf5\x1a\xe0%*\x9a\xdc\xc7A6\xf7\xc8t\x05\x849\x959\xd6\x0b;\xa4'\xfa\x08\xd8\\x1e\xf8\x04`R\x11((\x03\xff\xefSf\x00\xa5J4\x16f|\xfd\x09\xa4\xae\x9eg\x1aoA\x0bk\x06\x13\x9b\x8f\x86q\x05\xb4/\x8d\x89f3)vT\x9a\x11\xf8'\xfa\xb2?\x91\xe0\xce\x0d\x1b\xf30\x1a\xad\xbf"]\x1b\xd3\xbf%\x05M\xe1\x92\x1a\x7f\x99\x9f<D\x93\xca\xd4@Il\x80\x87\xd7\x04:\xc32R5\x0eV\xf8\xa5\xdd}\xc4\x8b\x0d\x11\x1fS\xcb\x1e\xb2\x17\xb6hwZ\xe0\xd4\xcb\xc8\x07\xae\xf5:.\x8e7\xb7\xd0\x01KC)w\x8c9\x97\x8f\x82Z\xf8Q\xe5\x89\xa0\x18\xe7h\x7f]\x0a.\xfb\xa3G\x0e=\xa6#z\xc6\x01\xc7\x8f\xc8^\xbfm\x80V\xbe\x8a$\xba3\xea\x9f\xe12\x11\x9e\xf1\xd2O\x80\xf6\x1b@\xaf8\x9e\x11Pys\x12\x12\xcd\xe6l\x9d,\x88r<0\x81\x06\x91"\xeaY\xad\xda\x19."\xc2\x8d\xb9\x8c\x87\xe0f\xbcs#_!dc\x80H\xf5\xa0<\x18=\x94\xc8HA\x1d@\xba^\xfe\xfeV9\xa1\xc8\xcf^\x9e\x19dF\x10\xda\x17\x91\xb7\x05\x80\xac\x8b\x99\x92}\xe7\xa2\xd8\x07\x0b6'\xe7Hy`\x8a\xc3\xd7\x13\\xf8r@\xdfJ\xcb\xcf\x99\x00\x0a\x00\x0b\x11\x95\xdaVE\x03\x88\x0a\x9fg\xd0\xd5y\xb1\xa8\x8d@m\x0d\xc2z@\xfa\xf3_dG\x92\xcbS\xb9\xbbY\xceO\xfd\xd0\x15S\x01\xd8\xdf\xeb\xd9\xe6v\xef\xd0#\xbb;\xa9y\xb3\xd5\x02)\xcd\x89\xa3\x96\x0fJ5\xe7NB\xc0u\xcd\x07\xcf\xe6,\xeb{., CN=OISTE WISeKey Global Root GB CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH = 0\x82\x03\xb50\x82\x02\x9d\xa0\x03\x02\x01\x02\x02\x10v\xb1 Rt\xf0\x85\x87F\xb3\xf8#\x1a\xf6\xc2\xc00\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000m1\x0b0\x09\x06\x03U\x04\x06\x13\x02CH1\x100\x0e\x06\x03U\x04\x0a\x13\x07WISeKey1"0 \x06\x03U\x04\x0b\x13\x19OISTE Foundation Endorsed1(0&\x06\x03U\x04\x03\x13\x1fOISTE WISeKey Global Root GB 
CA0\x1e\x17\x0d141201150032Z\x17\x0d391201151031Z0m1\x0b0\x09\x06\x03U\x04\x06\x13\x02CH1\x100\x0e\x06\x03U\x04\x0a\x13\x07WISeKey1"0 \x06\x03U\x04\x0b\x13\x19OISTE Foundation Endorsed1(0&\x06\x03U\x04\x03\x13\x1fOISTE WISeKey Global Root GB CA0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd8\x17\xb7\x1cJ$*\xd6\x97\xb1\xca\xe2\x1e\xfb}8\xef\x98\xf5\xb29\x98N'\xb8\x11]{\xd2%\x94\x88\x82\x15&j\x1b1\xbb\xa8[!!+\xd8\x0fN\x9fZ\xf1\xb1Z\xe4y\xd62#+\xe1S\xcc\x99E\{O\xad\xbc\xbf\x87J\x0bK\x97Z\xa8\xf6H\xec}{\x0d\xcd!\x06\xdf\x9e\x15\xfdA\x8aH\xb7 \xf4\xa1z\x1bW\xd4]P\xff\xbag\xd8#\x99\x1f\xc8?\xe3\xde\xffo[w\xb1kn\xb8\xc9d\xf7\xe1\xcaAF\x0e)q\xd0\xb9#\xfc\xc9\x81_N\xf7o\xdf\xbf\x84\xadsd\xbb\xb7B\x8ei\xf6\xd4v\x1d~\x9d\xa7\xb8W\x8aQgr\xd7\xd4\xa8\xb8\x95T@s\x03\xf6\xea\xf4\xeb\xfe(Bw?\x9d#\x1b\xb2\xb6=\x80\x14\x07L.O\xf7\xd5\x0a\x16\x0d\xbdfC7~#Cy\xc3@\x86\xf5L)\xda\x8e\x9a\xad\x0d\xa5\x04\x87\x88\x1e\x85\xe3\xe9S\xd5\x9b\xc8\x8b\x03cx\xeb\xe0\x19Jn\xbb/k3dX\x93\xadi\xbf\x8f\x1b\xef\x82H\xc7\x02\x03\x01\x00\x01\xa3Q0O0\x0b\x06\x03U\x1d\x0f\x04\x04\x03\x02\x01\x860\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x145\x0f\xc86c^\xe2\xa3\xec\xf9;f\x15\xceQR\xe3\x91\x9a=0\x10\x06\x09+\x06\x01\x04\x01\x827\x15\x01\x04\x03\x02\x01\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@L\xfb\x87\xb2\x99\x81\x90~\x9d\xc5\xb0\xb0&\xcd\x88{+2\x8dn\xb8!qX\x97}\xae7\x14\xaf>\xe7\xf7\x9a\xe2}\xf6q\x98\x99\x04\xaaCtx\xa3\xe3Ia>s\x8cM\x94\xe0\xf9q\xc4\xb6\x16\x0eSx\x1f\xd6\xa2\x87/\x029\x81)<\xaf\x15\x98!0\xfe(\x90\x00\x8c\xd1\xe1\xcb\xfa^\xc8\xfd\xf8\x10F;\xa2xB\x91\x17tU\x0a\xdePgMf\xd1\xa7\xff\xfd\xd9\xc0\xb5\xa8\xa3\x8a\xcef\xf5\x0fC\xcd\xa7+W{cFj\xaa.R\xd8\xf4\xed\xe1m\xad)\x90xH\xba\xe1#\xaa\xa3\x89\xec\xb5\xab\x96\xc0\xb4K\xa2\x1d\x97\x9ez\xf2n@q\xdfh\xf1eM\xce|\x05\xdfSe\xa9\xa5\xf0\xb1\x97\x04p\x15F\x03\x98\xd4\xd2\xbfT\xb4\xa0X}Ro\xdaV&b\xd4\xd8\xd
b\x891o\x1c\xf0"\xc2\xd3b\x1c5\xcdLi\x15T\x1a\x90\x98\xde\xeb\x1e_\xcaw\xc7\xcb\x8e=Ci\x9c\x9aX\xd0$;\xdf\x1b@\x96~5\xad\x81\xc7Nq\xba\x88\x13, CN=SZAFIR ROOT CA2,O=Krajowa Izba Rozliczeniowa S.A.,C=PL = 0\x82\x03r0\x82\x02Z\xa0\x03\x02\x01\x02\x02\x14>\x8a]\x07\xecU\xd22\xd5\xb7\xe3\xb6_\x01\xeb-\xdc\xe4\xd6\xe40\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000Q1\x0b0\x09\x06\x03U\x04\x06\x13\x02PL1(0&\x06\x03U\x04\x0a\x0c\x1fKrajowa Izba Rozliczeniowa S.A.1\x180\x16\x06\x03U\x04\x03\x0c\x0fSZAFIR ROOT CA20\x1e\x17\x0d151019074330Z\x17\x0d351019074330Z0Q1\x0b0\x09\x06\x03U\x04\x06\x13\x02PL1(0&\x06\x03U\x04\x0a\x0c\x1fKrajowa Izba Rozliczeniowa S.A.1\x180\x16\x06\x03U\x04\x03\x0c\x0fSZAFIR ROOT CA20\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb7\xbc>P\xa8K\xcd@\xb5\xcea\xe7\x96\xca\xb4\xa1\xda\x0c"\xb0\xfa\xb5{v\x00w\x8c\x0b\xcf}\xa8\x86\xcc&Q\xe4 =\x85\x0c\xd6X\xe3\xe7\xf4*\x18\x9d\xda\xd1\xae&\xee\xebS\xdc\xf4\x90\xd6\x13J\x0c\x90<\xc3\xf4\xda\xd2\x8e\x0d\x92:\xdc\xb1\xb1\xff8\xde\xc3\xba-_\x80\xb9\x02\xbdJ\x9d\x1b\x0f\xb4\xc3\xc2\xc1g\x03\xdd\xdc\x1b\x9c=\xb3\xb0\xde\x00\x1e\xa84G\xbb\x9a\xeb\xfe\x0b\x14\xbd6\x84\xda\x0d \xbf\xfa[\xcb\xa9\x16 \xad9`\xee/u\xb6\xe7\x97\x9c\xf9>\xfd~MoM/\xef\x88\x0dj\xfa\xdd\xf1=n 
\xa5\xa0\x12\xb4Mp\xb9\xce\xd7r;\x89\x93\xa7\x80\x84\x1c'IrI\xb5\xff;\x95\x9e\xc1\xcc\xc8\x01\xec\xe8\x0e\x8a\x0a\x96\xe7\xb3\xa6\x87\xe5\xd6\xf9\x05+\x0d\x97@p<\xba\xacuZ\x9c\xd5M\x9d\x02\x0a\xd2K\x9bfKF\x07\x17e\xad\x9fl\x88\x00\xdc"\x89\xe0\xe1d\xd4g\xbc1ya<\xbb\xcaA\xcd\j\x00\xc8<8\x8eX\xaf\x02\x03\x01\x00\x01\xa3B0@0\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x060\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14.\x16\xa9J\x18\xb5\xcb\xcc\xf5oP\xf3#_\xf8]\xe7\xac\xf0\xc80\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\xb5s\xf8\x03\xdcY[\x1dv\xe9\xa3*{\x90(\xb2M\xc03O\xaa\x9a\xb1\xd4\xb8\xe4'\xff\xa9\x96\x99\xceF\xe0m|L\xa28\xa4\x06p\xf0\xf4A\x11\xec?G\x8d?r\x87\xf9;\xfd\xa4o+S\x00\xe0\xff9\xb9j\x07\x0e\xeb\x1d\x1c\xf6\xa2r\x90\xcb\x82=\x11\x82\x8b\xd2\xbb\x9f*\xaf!\xe6c\x86\x9dy\x19\xef\xf7\xbb\x0c5\x90\xc3\x8a\xedO\x0f\xf5\xcc\x12\xd9\xa4>\xbb\xa0\xfc \x95_O&/\x11#\x83Nu\x07\x0f\xbf\x9b\xd1\xb4\x1d\xe9\x10\x04\xfe\xca`\x8f\xa2L\xb8\xad\xcf\xe1\x90\x0f\xcd\xae\x0a\xc7]{\xb7P\xd2\xd4a\xfa\xd5\x15\xdb\xd7\x9f\x87QT\xeb\xa5\xe3\xeb\xc9\x85\xa0% 7\xfb\x8e\xce\x0c4\x84\xe1<\x81\xb2wNC\xa5\x88_\x86g\xa1=\xe6\xb4\a\xb6>\xdb\xfe\xb7(\xc5\xa2\x07\xae\xb5\xca\xca\x8d*\x12\xef\x97\xed\xc20\xa4\xc9*z\xfb\xf3M#\x1b\x9934\xa0.\xf5\xa9\x0b?\xd4]\xe1\xcf\x84\x9f\xe2\x19\xc2_\x8a\xd6 \x1e\xe3s\xb7, CN=Certum Trusted Network CA 2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL = 0\x82\x05\xd20\x82\x03\xba\xa0\x03\x02\x01\x02\x02\x10!\xd6\xd0JO%\x0f\xc927\xfc\xaa^\x12\x8d\xe90\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0d\x05\x000\x81\x801\x0b0\x09\x06\x03U\x04\x06\x13\x02PL1"0 \x06\x03U\x04\x0a\x13\x19Unizeto Technologies S.A.1'0%\x06\x03U\x04\x0b\x13\x1eCertum Certification Authority1$0"\x06\x03U\x04\x03\x13\x1bCertum Trusted Network CA 20"\x18\x0f20111006083956Z\x18\x0f20461006083956Z0\x81\x801\x0b0\x09\x06\x03U\x04\x06\x13\x02PL1"0 \x06\x03U\x04\x0a\x13\x19Unizeto Technologies 
S.A.1'0%\x06\x03U\x04\x0b\x13\x1eCertum Certification Authority1$0"\x06\x03U\x04\x03\x13\x1bCertum Trusted Network CA 20\x82\x02"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x02\x0f\x000\x82\x02\x0a\x02\x82\x02\x01\x00\xbd\xf9x\xf8\xe6\xd5\x80\x0cd\x9d\x86\x1b\x96dg?":\x1eu\x01}\xef\xfb\g\x8c\xc9\xcc\k\xa9\x91\xe6\xb9B\xe5 K\x9b\xda\x9b{\xb9\x99]\xd9\x9b\x80K\xd7\x84@+'\xd3\xe8\xba0\xbb>\x09\x1a\xa7I\x95\xef+@$\xc2\x97\xc7\xa7\xee\x9b%\xef\xa8\x0a\x00\x97\x85Z\xaa\x9d\xdc)\xc9\xe25\x07\xebpMJ\xd6\xc1\xb3V\xb8\xa1A8\x9b\xd1\xfb1\x7f\x8f\xe0_\xe1\xb1?\x0f\x8e\x16I`\xd7\x06\x8d\x18\xf9\xaa&\x10\xab*\xd3\xd0\xd1g\x8d\x1bF\xbeG0\xd5.r\xd1\xc5c\xda\xe7cyD~Kc$\x89\x86.4?)LR\x8b*\xa7\xc0\xe2\x91(\x89\xb9\xc0[\xf9\x1d\xd9\xe7'\xad\xff\x9a\x02\x97\xc1\xc6P\x92\x9b\x02,\xbd\xa9\xb94Y\x0a\xbf\x84J\xff\xdf\xfe\xb3\x9f\xeb\xd9\x9e\xe0\x98#\xec\xa6kw\x16*\xdb\xcc\xad;\x1c\xa4\x87\xdcFs^\x19bhEW\xe4\x90\x82B\xbbB\xd6\xf0a\xe0\xc1\xa3=f\xa3]\xf4\x18\xee\x88\xc9\x8d\x17E)\x992u\x021\xee)&\xc8k\x02\xe6\xb5bE\x7f7\x15Z#h\x89\xd4>\xdeN'\xb0\xf0@\x0c\xbcM\x17\xcbM\xa2\xb3\x1e\xd0\x06Z\xdd\xf6\x93\xcfWu\x99\xf5\xfa\x86\x1agx\xb3\xbf\x96\xfe4\xdc\xbd\xe7RV\xe5\xb3\xe5u{\xd7A\x91\x05\xdc]i\xe3\x95\x0dC\xb9\xfc\x83\x969\x95{l\x80ZO\x13r\xc6\xd7})zD\xbaR\xa4*\xd5AF\x09 
\xfe"\xa0\xb6[0\x8d\xbc\x89\x0c\xd5\xd7p\xf8\x87R\xfd\xda\xef\xacQ.\x07\xb3N\xfe\xd0\x09\xdap\xef\x98\xfaV\xe6m\xdb\xb5WK\xdc\xe5,%\x15\xc8\x9e.xN\xf8\xda\x9c\x9e\x86,\xcaW\xf3\x1a\xe5\xc8\x92\x8b\x1a\x82\x96z\xc3\xbcP\x12i\xd8\x0eZF\x8b:\xeb&\xfa#\xc9\xb6\xb0\x81\xbeB\x00\xa4\xf8\xd6\xfe0.\xc7\xd2F\xf6\xe5\x8eu\xfd\xf2\xcc\xb9\xd0\x87[\xcc\x06\x10`\xbb\x835\xb7^g\xdeG\xec\x99H\xf1\xa4\xa1\x15\xfe\xad\x8cb\x8e9UO9\x16\xb9\xb1c\x9d\xff\xb7\x02\x03\x01\x00\x01\xa3B0@0\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xb6\xa1T9\x02\xc3\xa0?\x8e\x8a\xbc\xfa\xd4\xf8\x1c\xa6\xd1:\x0e\xfd0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x060\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0d\x05\x00\x03\x82\x02\x01\x00q\xa5\x0e\xce\xe4\xe9\xbf?8\xd5\x89Z\xc4\x02a\xfbL\xc5\x14\x17-\x8bOSk\x10\x17\xfce\x84\xc7\x10I\x90\xde\xdb\xc7&\x93\x88&op\xd6\x02^9\xa0\xf7\x8f\xab\x96\xb5\xa5\x13\\x81\x14m\x0e\x81\x82\x11\x1b\x8aN\xc6O\xa5\xddb\x1eD\xdf\x09Y\xf4[w\x0b7\xe9\x8b 
\xc6\xf8\x0aN.X\x1c\xeb3\xd0\xcf\x86`\xc9\xda\xfb\x80/\x9eL`\x84x=!d\xd6\xfbA\x1f\x18\x0f\xe7\xc9uq\xbd\xbd\\xde4\x87>A\xb0\x0e\xf6\xb9\xd6?\x09\x13\x96\x14/\xde\x9a\x1dZ\xb9V\xce5:\xb0_pM^\xe3)\xf1#(rY\xb6\xab\xc2\x8cf&\x1cw,&v5\x8b(\xa7i\xa0\xf9;\xf5#\xdd\x85\x10t\xc9\x90\x03V\x91\xe7\xaf\xbaG\xd4\x12\x97\x11"\xe3\xa2I\x94l\xe7\xb7\x94K\xba-\xa4\xda3\x8bL\xa6D\xffZ<\xc6\x1dd\xd8\xb51\xe4\xa6<z\xa8W\x0b\xdb\xeda\x1a\xcb\xf1\xceswc\xa4\x87oLQ8\xd6\xe4_\xc7\x9f\xb6\x81*\xe4\x85HyX^;\xf8\xdb\x02\x82g\xc19\xdb\xc3tK=6\x1e\xf9)\x93\x88h[\xa8D\x19!\xf0\xa7\xe8\x81\x0d,\xe8\x936\xb47\xb2\xca\xb0\x1b&z\x9a%\x1f\x9a\x9a\x80\x9eK*?\xfb\xa3\x9a\xfes2q\xc2\x9e\xc6r\xe1\x8ah'\xf1\xe4\x0f\xb4\xc4L\xa5a\x93\xf8\x97\x10\x07*0%\xa9\xb9\xc8q\xb8\xefh\xcc-~\xf5\xe0~\x0f\x82\xa8o\xb6\xbal\x83Cw\xcd\x8a\x92\x17\xa1\x9e[x\x16=E\xe23r\xdd\xe1f\xca\x99\xd3\xc9\xc5&\xfd\x0dh\x04F\xae\xb6\xd9\x9b\x8c\xbe\x19\xbe\xb1\xc6\xf2\x19\xe3\\x02\xca,\xd8oJ\x07\xd9\xc95\xda@u\xf2\xc4\xa7\x19o\x9eB\x10\x98u\xe6\x95\x8b`\xbc\xed\xc5\x12\xd7\x8a\xce\xd5\x98\V\x96\x03\xc5\xeew\x065\xff\xcf\xe4\xee?\x13a\xee\xdb\xda-\x85\xf0\xcd\xae\x9d\xb2\x18\x09E\xc3\x92\xa1r\x17\xfcG\xb6\xa0\x0b,\xf1\xc4\xdeCh\x08j_;\xf0vc\xfb\xcc\x06,\xa6\xc6\xe2\x0e\xb5\xb9\xbe$\x8f, CN=Hellenic Academic and Research Institutions RootCA 2015,O=Hellenic Academic and Research Institutions Cert. Authority,L=Athens,C=GR = 0\x82\x06\x0b0\x82\x03\xf3\xa0\x03\x02\x01\x02\x02\x01\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000\x81\xa61\x0b0\x09\x06\x03U\x04\x06\x13\x02GR1\x0f0\x0d\x06\x03U\x04\x07\x13\x06Athens1D0B\x06\x03U\x04\x0a\x13;Hellenic Academic and Research Institutions Cert. Authority1@0>\x06\x03U\x04\x03\x137Hellenic Academic and Research Institutions RootCA 20150\x1e\x17\x0d150707101121Z\x17\x0d400630101121Z0\x81\xa61\x0b0\x09\x06\x03U\x04\x06\x13\x02GR1\x0f0\x0d\x06\x03U\x04\x07\x13\x06Athens1D0B\x06\x03U\x04\x0a\x13;Hellenic Academic and Research Institutions Cert. 
Authority1@0>\x06\x03U\x04\x03\x137Hellenic Academic and Research Institutions RootCA 20150\x82\x02"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x02\x0f\x000\x82\x02\x0a\x02\x82\x02\x01\x00\xc2\xf8\xa9?\x1b\x89\xfc<<\x04]=\x906\xb0\x91:y<fZ\xefm9\x01I\x1a\xb4\xb7\xcf\x7fM#S\xb7\x90\x00\xe3\x13*(\xa61\xf1\x91\x00\xe3(\xec\xae!A\xce\x1f\xda\xfd}\x12[\x01\x83\x0f\xb9\xb0_\x99\xe1\xf2\x12\x83\x80M\x06>\xdf\xac\xaf\xe7\xa1\x88k1\xaf\xf0\x8b\xd0\x183\xb8\xdbEj4\xf4\x02\x80$(\x0a\x02\x15\x95^v*\x0d\x99:\x14[\xf6\xcb\xcbS\xbc\x13M\x01\x887\x94%\x1bB\xbc"\xd8\x8e\xa3\x96^:\xd92\xdb>\xe8\xf0\x10e\xedt\xe1/\xa7|\xaf'4\xbb)}\x9b\xb6\xcf\x09\xc8\xe5\xd3\x0a\xfc\x88eet\x0a\xdcs\x1c\\xcd@\xb1\x1c\xd4\xb6\x84\x8cLP\xcfh\x8e\xa8Y\xae\xc2'N\x82\xa25\xdd\x14\xf4\x1f\xff\xb2w\xd5\x87/\xaan}$'\xe7\xc6\xcb&\xe6\xe5\xfeg\x07c\xd8E\x0d\xdd:Ye9Xz\x92\x99r=\x9c\x84^\x88!\xb8\xd5\xf4,\xfc\xd9pROx\xb8\xbd<+\x8b\x95\x98\xf5\xb3\xd1h\xcf \x14~L\_\xe7\x8b\xe5\xf55\x81\x197\xd7\x11\x08\xb7f\xbe\xd3J\xce\x83W\x00:\xc3\x81\xf8\x17\xcb\x926]\xd1\xa3\xd8u\x1b\xe1\x8b'\xeazHA\xfdE\x19\x06\xad'\x99N\xc1pG\xdd\xb5\x9f\x81S\x12\xe5\xb1\x8cH]1C\x17\xe3\x8c\xc6zc\x96K)0N\x84Nb\x19^<\xce\x97\x90\xa5\x7f\x01\xeb\x9d\xe0\xf8\x8b\x89\xdd%\x98=\x92\xb6~\xef\xd9\xf1QQ}-&\xc8iYa\xe0\xacj\xb8*6\x11\x04zP\xbd2\x84\xbe/\xdcr\xd5\xd7\x1d\x16G\xe4Gf ?\xf4\x96\xc5\xaf\x8e\x01z\xa5\x0fzd\xf5\x0d\x18\x87\xd9\xae\x88\xd5\xfa\x84\xc1:\xc0i(-\xf2\x0dhQ\xaa\xe3\xa5w\xc6\xa4\x90\x0e\xa17\x8b1#G\xc1\x09\x08\xebn\xf7x\x9b\xd7\x82\xfc\x84 
\x99I\x19\xb6\x12F\xb1\xfbEU\x16\xa9\xa3e\xac\x9c\x07\x0f\xeak\xdc\x1f.\x06r\xec\x86\x88\x12\xe4-\xdb_\x05/\xe4\xf0\x03\xd3&3\xe7\x80\xc2\xcdB\xa1\x174\x0b\x02\x03\x01\x00\x01\xa3B0@0\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x060\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14q\x15g\xc8\xc8\xc9\xbdu]r\xd08\x18j\x9d\xf3q$T\x0b0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x02\x01\x00u\xbbmTK\xaa\x10XF4\xf2b\xd7\x166]\x08^\xd5l\xc8\x87\xbd\xb4.F\xf21\xf8|\xeaB\xb5\x93\x16U\xdc\xa1\x0c\x12\xa0\xdaa~\x0fXXsdr\xc7\xe8E\x8e\xdc\xa9\xf2&?\xc6y\x8c\xb1S\x083\x81\xb0V\x13\xbe\xe6Q\\xd8\x9b\x0aOK\x9cVS\x02\xe9O\xf6\x0d`\xeaMBU\xe8|\x1b!!\xd3\x1b:\xccw\xf2\xb8\x90\xf1h\xc7\xf9Z\xfe\xfa-\xf4\xbf\xc9\xf5E\x1b\xce8\x10*7\x8ay\xa3\xb4\xe3\x09l\x85\x86\x93\xff\x89\x96'x\x81\x8fg\xe3FtT\x8e\xd9\x0di\xe2J\xf4Mt\x03\xff\xb2w\xed\x95g\x97\xe4\xb1\xc5\xab\xbfj#\xe8\xd4\x94\xe2D(b\xc4K\xe2\xf0\xd8\xe2)k\x1ap~$a\x93{O\x032%\x0dE$+\x96\xb4Fj\xbfJ\x0b\xf7\x9a\x8f\xc1\xac\x1a\xc5g\xf3o4\xd2\xfasc\x8c\xef\x16\xb0\xa8\xa4F*\xf8\xeb\x12\xecr\xb4\xef\xf8+~\x8cR\xc0\x8b\x84T\xf9/>\xe3U\xa8\xdcf\xb1\xd9\xe1_\xd8\xb3\x8cY4Y\xa4\xabOl\xbb\x1f\x18\xdbu\xab\xd8\xcb\x92\xcd\x948a\x0e\x07\x06\x1fKF\x10\xf1\x15\xbe\x8d\x85\;J+\x81y\x0f\xb4i\x9fIP\x97M\xf7\x0eV]\xc0\x95j\xc26\xc3\x1bh\xc9\xf5*\xdcG\x9a\xbe\xb2\xce\xc5%\xe8\xfa\x03\xb9\xda\xf9\x16n\x91\x84\xf5\x1c(\xc8\xfc&\xcc\xd7\x1c\x90V\xa7_o:\x04\xbc\xcdx\x89\x0b\x8e\x0f/\xa3\xaaO\xa2\x1b\x12=\x16\x08@\x0f\xf1FL\xd7\xaa{\x08\xc1\x0a\xf5m'\xde\x02\x8f\xca\xc3\xb5+\xca\xe9\xeb\xc8!S8\xa5\xcc;\xd8w70\xa2O\xd9o\xd1\xf2@\xadAz\x17\xc5\xd6J5\x89\xb7A\xd5|\x86\x7fUM\x83J\xa5s \xc0:\xaf\x90\xf1\x9a$\x8e\xd9\x8eq\xca{\xb8\x86\xda\xb2\x8f\x99>\x1d\x13\x0d\x12\x11\xee\xd4\xab\xf0\xe9\x15v\x02\xe4\xe0\xdf\xaa \x1e[a\x85d@\xa9\x90\x97\x0d\xadS\xd2Z\x1d\x87j\x00\x97eb\xb4\xbeoj\xa7\xf5,B\xed2\xad\xb6!\x9e\xbe\xbc, CN=Hellenic Academic and Research Institutions ECC RootCA 2015,O=Hellenic 
Academic and Research Institutions Cert. Authority,L=Athens,C=GR = 0\x82\x02\xc30\x82\x02J\xa0\x03\x02\x01\x02\x02\x01\x000\x0a\x06\x08*\x86H\xce=\x04\x03\x020\x81\xaa1\x0b0\x09\x06\x03U\x04\x06\x13\x02GR1\x0f0\x0d\x06\x03U\x04\x07\x13\x06Athens1D0B\x06\x03U\x04\x0a\x13;Hellenic Academic and Research Institutions Cert. Authority1D0B\x06\x03U\x04\x03\x13;Hellenic Academic and Research Institutions ECC RootCA 20150\x1e\x17\x0d150707103712Z\x17\x0d400630103712Z0\x81\xaa1\x0b0\x09\x06\x03U\x04\x06\x13\x02GR1\x0f0\x0d\x06\x03U\x04\x07\x13\x06Athens1D0B\x06\x03U\x04\x0a\x13;Hellenic Academic and Research Institutions Cert. Authority1D0B\x06\x03U\x04\x03\x13;Hellenic Academic and Research Institutions ECC RootCA 20150v0\x10\x06\x07*\x86H\xce=\x02\x01\x06\x05+\x81\x04\x00"\x03b\x00\x04\x92\xa0A\xe8K\x82\x84\\xe2\xf81\x11\x99\x86dN\x09%/\x9dA/\x0a\xae5Ot\x95\xb2Qdk\x8dk\xe6?p\x95\xf0\x05DG\xa6r8Pv\x95\x02Z\x8e\xae(\x9e\xf9-N\x99\xef,HoL%)\xe8\xd1q[\xdf\x1d\xc1u7\xb4\xd7\xfa{zB\x9cj\x0aVZ|i\x0b\xaa\x80\x09$l~\xc1F\xa3B0@0\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x060\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xb4"\x0b\x82\x99$\x01\x0e\x9c\xbb\xe4\x0e\xfd\xbf\xfb\x97 \x93\x99*0\x0a\x06\x08*\x86H\xce=\x04\x03\x02\x03g\x000d\x020g\xce\x16b8\xa2\xacbE\xa7\xa9\x95$\xc0\x1a'\x9c2;\xc0\xc0\xd5\xba\xa9\xe7\xf8\x04CS\x85\xeeR!\xde\x9d\xf5%\x83>\x9eXK/\xd7g\x13\x0e!\x020\x05\xe1u\x01\xdeh\xed*\x1fML\x09\x08\x0d\xecK\xadd\x17(\xe7u\xceEer!\x17\xcb"A\x0e\x8c\x13\x988\x9aTm\x9b\xca\xe2|\xea\x02X"\x91, CN=ISRG Root X1,O=Internet Security Research Group,C=US = 0\x82\x05k0\x82\x03S\xa0\x03\x02\x01\x02\x02\x11\x00\x82\x10\xcf\xb0\xd2@\xe3YDc\xe0\xbbc\x82\x8b\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000O1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1)0'\x06\x03U\x04\x0a\x13 Internet Security Research Group1\x150\x13\x06\x03U\x04\x03\x13\x0cISRG Root 
X10\x1e\x17\x0d150604110438Z\x17\x0d350604110438Z0O1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1)0'\x06\x03U\x04\x0a\x13 Internet Security Research Group1\x150\x13\x06\x03U\x04\x03\x13\x0cISRG Root X10\x82\x02"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x02\x0f\x000\x82\x02\x0a\x02\x82\x02\x01\x00\xad\xe8$s\xf4\x147\xf3\x9b\x9e+W(\x1c\x87\xbe\xdc\xb7\xdf8\x90\x8cn<\xe6W\xa0x\xf7u\xc2\xa2\xfe\xf5jn\xf6\x00O(\xdb\xdeh\x86lD\x93\xb6\xb1c\xfd\x14\x12k\xbf\x1f\xd2\xea1\x9b!~\xd13<\xbaH\xf5\xddy\xdf\xb3\xb8\xff\x12\xf1!\x9aK\xc1\x8a\x86qiJffl\x8f~<p\xbf\xad)"\x06\xf3\xe4\xc0\xe6\x80\xae\xe2K\x8f\xb7\x99~\x94\x03\x9f\xd3G\x97|\x99H#S\xe88\xaeO\x0ao\x83.\xd1IW\x8c\x80t\xb6\xda/\xd08\x8d{\x03p!\x1bu\xf20<\xfa\x8f\xae\xdd\xdac\xab\xeb\x16O\xc2\x8e\x11K~\xcf\x0b\xe8\xff\xb5w.\xf4\xb2{J\xe0L\x12%\x0cp\x8d\x03)\xa0\xe1S$\xec\x13\xd9\xee\x19\xbf\x10\xb3J\x8c?\x89\xa3aQ\xde\xac\x87\x07\x94\xf4cq\xec.\xe2o[\x98\x81\xe1\x89\4ylv\xef;\x90by\xe6\xdb\xa4\x9a/&\xc5\xd0\x10\xe1\x0e\xde\xd9\x10\x8e\x16\xfb\xb7\xf7\xa8\xf7\xc7\xe5\x02\x07\x98\x8f6\x08\x95\xe7\xe27\x96\x0d6u\x9e\xfb\x0er\xb1\x1d\x9b\xbc\x03\xf9I\x05\xd8\x81\xdd\x05\xb4*\xd6A\xe9\xac\x01v\x95\x0a\x0f\xd8\xdf\xd5\xbd\x12\x1f5/(\x17l\xd2\x98\xc1\xa8\x09dwnG7\xba\xce\xacY^h\x9d\x7fr\xd6\x89\xc5\x06A)>Y>\xdd&\xf5$\xc9\x11\xa7Z\xa3L@\x1fF\xa1\x99\xb5\xa7:Qn\x86;\x9e}r\xa7\x12\x05xY\xed>Qx\x15\x0b\x03\x8f\x8d\xd0/\x05\xb2>{J\x1cKs\x05\x12\xfc\xc6\xea\xe0P\x13|C\x93t\xb3\xcat\xe7\x8e\x1f\x01\x08\xd00\xd4[q6\xb4\x07\xba\xc100\H\xb7\x82;\x98\xa6}`\x8a\xa2\xa3)\x82\xcc\xba\xbd\x83\x04\x1b\xa2\x83\x03A\xa1\xd6\x05\xf1\x1b\xc2\xb6\xf0\xa8|\x86;F\xa8H*\x88\xdcv\x9av\xbf\x1fj\xa5=\x19\x8f\xeb8\xf3d\xde\xc8+\x0d\x0a(\xff\xf7\xdb\xe2\x15B\xd4"\xd0']\xe1y\xfe\x18\xe7p\x88\xadN\xe6\xd9\x8b:\xc6\xdd'Qn\xff\xbcd\xf53CO\x02\x03\x01\x00\x01\xa3B0@0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x060\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14y\xb4Y\xe6{\xb6\xe5\xe4\x01s\x80\x08\x8
8\xc8\x1aX\xf6\xe9\x9bn0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x02\x01\x00U\x1fX\xa9\xbc\xb2\xa8P\xd0\x0c\xb1\xd8\x1ai ')\x08\xacau\\x8an\xf8\x82\xe5i/\xd5\xf6VK\xb9\xb8s\x10Y\xd3!\x97~\xe7Lq\xfb\xb2\xd2`\xad9\xa8\x0b\xea\x17!V\x85\xf1P\x0eY\xeb\xce\xe0Y\xe9\xba\xc9\x15\xef\x86\x9d\x8f\x84\x80\xf6\xe4\xe9\x91\x90\xdc\x17\x9bb\x1bE\xf0f\x95\xd2|o\xc2\xea;\xef\x1f\xcf\xcb\xd6\xae'\xf1\xa9\xb0\xc8\xae\xfd}~\x9a\xfa"\x04\xeb\xff\xd9\x7f\xea\x91+"\xb1\x17\x0e\x8f\xf2\x8a4[X\xd8\xfc\x01\xc9T\xb9\xb8&\xcc\x8a\x883\x89L-\x84<\x82\xdf\xee\x96W\x05\xba,\xbb\xf7\xc4\xb7\xc7N;\x82\xbe1\xc8"ss\x92\xd1\xc2\x80\xa499\x103#\x82L<\x9f\x86\xb2U\x98\x1d\xbe)\x86\x8c"\x9b\x9e\xe2k;W:\x82pM\xdc\x09\xc7\x89\xcb\x0a\x07Ml\xe8]\x8e\xc9\xef\xce\xab\xc7\xbb\xb5+NE\xd6J\xd0&\xcc\xe5r\xca\x08j\xa5\x95\xe3\x15\xa1\xf7\xa4\xed\xc9,_\xa5\xfb\xff\xac(\x02.\xbe\xd7{\xbb\xe3q{\x90\x16\xd3\x07^FS|7\x07B\x8c\xd3\xc4\x96\x9c\xd5\x99\xb5*\xe0\x95\x1a\x80H\xaeL9\x07\xce\xccG\xa4R\x95+\xba\xb8\xfb\xad\xd23S}\xe5\x1dMm\xd5\xa1\xb1\xc7Bo\xe6@'5\\xa3(\xb7\x07\x8d\xe7\x8d3\x90\xe7#\x9f\xfbP\x9cylF\xd5\xb4\x15\xb3\x96n~\x9b\x0c\x96:\xb8R-?\xd6[\xe1\xfb\x08\xc2\x84\xfe$\xa8\xa3\x89\xda\xacj\xe1\x18*\xb1\xa8Ca[\xd3\x1f\xdc;\x8dv\xf2-\xe8\x8du\xdf\x173l=S\xfb{\xcbA_\xff\xdc\xa2\xd0a8\xe1\x96\xb8\xac]\x8b7\xd7u\xd53\xc0\x99\x11\xae\x9dA\xc1ru\x84\xbe\x02AB_g$H\x94\xd1\x9b'\xbe\x07?\xb9\xb8O\x81tQ\xe1z\xb7\xed\x9d#\xe2\xbe\xe0\xd5(\x04\x13<1\x03\x9e\xddzl\x8f\xc6\x07\x18\xc6\x7f\xdeG\x8e?(\x9e\x04\x06\xcf\xa5T4w\xbd\xec\x89\x9b\xe9\x17C\xdf[\xdb_\xfe\x8e\x1eW\xa2\xcd@\x9d~b"\xda\xde\x18', OU=AC RAIZ FNMT-RCM,O=FNMT-RCM,C=ES = 0\x82\x05\x830\x82\x03k\xa0\x03\x02\x01\x02\x02\x0f]\x93\x8d0g6\xc8\x06\x1d\x1a\xc7T\x84i\x070\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000;1\x0b0\x09\x06\x03U\x04\x06\x13\x02ES1\x110\x0f\x06\x03U\x04\x0a\x0c\x08FNMT-RCM1\x190\x17\x06\x03U\x04\x0b\x0c\x10AC RAIZ 
FNMT-RCM0\x1e\x17\x0d081029155956Z\x17\x0d300101000000Z0;1\x0b0\x09\x06\x03U\x04\x06\x13\x02ES1\x110\x0f\x06\x03U\x04\x0a\x0c\x08FNMT-RCM1\x190\x17\x06\x03U\x04\x0b\x0c\x10AC RAIZ FNMT-RCM0\x82\x02"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x02\x0f\x000\x82\x02\x0a\x02\x82\x02\x01\x00\xbaq\x80zL\x86n\x7f\xc8\x13m\xc0\xc6}\x1c\x00\x97\x8f,\x0c#\xbb\x10\x9a@\xa9\x1a\xb7\x87\x88\xf8\x9bVj\xfb\xe6{\x8e\x8b\x92\x8e\xa7%]Y\x11\xdb6.\xb7Q\x17\x1f\xa9\x08\x1f\x04\x17$X\xaa7J\x18\xdf\xe59\xd4W\xfd\xd7\xc1,\x91\x01\x91\xe2"\xd4\x03\xc0X\xfcwG\xec\x8f>tC\xba\xac4\x8dM8vg\x8e\xb0\xc8o03Xq\\xb4\xf5kn\xd4\x01P\xb8\x13~lJ\xa3I\xd1 \x19\xee\xbc\xc0)\x18e\xa7\xde\xfe\xef\xdd\x0a\x90!\xe7\x1ag\x92B\x10\x98_O0\xbc>\x1cE\xb4\x10\xd7h@\x14\xc0@\xfa\xe7w\x17z\xe6\x0b\x8fe[<\xd9\x9aR\xdb\xb5\xbd\x9eF\xcf=\xeb\x91\x05\x02\xc0\x96\xb2vLM\x10\x96;\x92\xfa\x9c\x7f\x0f\x99\xdf\xbe#5E\x1e\x02\\xfe\xb5\xa8\x9b\x99%\xda^\xf3"\xc39\xf5\xe4*.\xd3\xc6\x1f\xc4l\xaa\xc5\x1cj\x01\x05J/\xd2\xc5\xc1\xa84&]f\xa5\xd2\x02!\xf9\x18\xb7\x06\xf5N\x99o\xa8\xabLQ\xe8\xcfP\x18\xc5w\xc89\x09,I\x922\x99\xa8\xbb\x17\x17y\xb0Z\xc5\xe6\xa3\xc4YeG5\x83^\xa9\xe85\x0b\x99\xbb\xe4\xcd \xc6\x9bJ\x069\xb5h\xfc"\xba\xeeU\x8c+N\xea\xf3\xb1\xe3\xfc\xb6\x99\x9a\xd5B\xfaqM\x08\xcf\x87\x1ejq}\xf9\xd3\xb4\xe9\xa5q\x81{\xc2NG\x96\xa5\xf6v\x85\xa3(\x8f\xe9\x80n\x81S\xa5m_\xb8H\xf9\xc2\xf96\xa6.I\xff\xb8\x96\xc2\x8c\x07\xb3\x9b\x88X\xfc\xeb\x1b\x1c\xde-p\xe2\x97\x920\xa1\x89\xe3\xbcU\xa8'\xd6K\xed\x90\xad\x8b\xfac%Y-\xa85\xdd\xca\x973\xbc\xe5\xcd\xc7\x9d\xd1\xec\xef^\x0eJ\x90\x06&c\xad\xb9\xd95-\x07\xbave,\xacW\x8f}\xf4\x07\x94\xd7\x81\x02\x96]\xa3\x07I\xd5z\xd0W\xf9\x1b\xe7SFu\xaa\xb0yB\xcbhq\x08\xe9`\xbd9i\xce\xf4\xaf\xc3V@\xc7\xadR\xa2\x09\xe4o\x86G\x8a\x1f\xeb(']\x83 
\xaf\x04\xc9lV\x9a\x8bF\xf5\x02\x03\x01\x00\x01\xa3\x81\x830\x81\x800\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x060\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xf7}\xc5\xfd\xc4\xe8\x9a\x1bwd\xa7\xf5\x1d\xa0\xcc\xbf\x87`\x9am0>\x06\x03U\x1d \x0470503\x06\x04U\x1d \x000+0)\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16\x1dhttp://www.cert.fnmt.es/dpcs/0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x02\x01\x00\x07\x90J\xdf\xf3#N\xf0\xc3\x9cQe\x9b\x9c"\xa2\x8a\x0c\x85\xf3s)kM\xfe\x01\xe2\xa9\x0cc\x01\xbf\x04g\xa5\x9d\x98_\xfd\x01\x13\xfa\xec\x9ab\xe9\x86\xfe\xb6b\xd2nL\x94\xfb\xc0uE|e\x0c\xf8\xb27\xcf\xac\x0f\xcf\x8do\xf9\x19\xf7\x8f\xec\x1e\xf2p\x9e\xf0\xca\xb8\xef\xb7\xffv7v[\xf6n\x88\xf3\xafb2"\x93\x0d:j\x8e\x14f\x0c-StWe\x1e\xd5\xb2\xdd#\x81;\xa5f#'g\x09\x8f\xe1w\xaaC\xcdeQ\x08\xedQX\xfe\xe69\xf9\xcbG\x84\xa4\x15\xf1v\xbb\xa4\xee\xa4;\xc4_\xef\xb23\x96\x11\x18\xb7\xc9e\xbe\x18\xe1\xa3\xa4\xdc\xfa\x18\xf9\xd3\xbc\x13\x9b9z4\xba\xd3A\xfb\xfa2\x8a*\xb7+\x86\x0bi\x838\xbe\xcd\x8a.\x0bp\xad\x8d&\x92\xee\x1e\xf5\x01+\x0a\xd9\xd6\x97\x9bn\xe0\xa8\x19\x1c:!\x8b\x0c\x1e@\xad\x03\xe7\xddf~\xf5\xb9 \x0d\x03\xe8\x96\xf9\x82E\xd49\xe0\xa0\x00]\xd7\x98\xe6}\x9egs\xc3\x9a*\xf7\xab\x8b\xa1:\x14\xef4\xbcR\x0e\x89\x98\x9a\x04@\x84\x1d~Ei\x93W\xce\xeb\xce\xf8P|O\x1cn\x04C\x9b\xf9\xd6;#\x18\xe9\xea\x8e\xd1MF\x8d\xf1;\xe4j\xca\xba\xfb#\xb7\x9b\xfa\x99\x01)ZXZ-\xe3\xf9\xd4m\x0e&\xad\xc1n4\xbc2\xf8\x0c\x05\xfae\xa3\xdb;7\x83"\xe9\xd6\xdcr3\xfd]\xf2 \xbdv<#\xda(\xf7\xf9\x1b\xebYd\xd5\xdc_r~ \xfc\xcd\x89\xb5\x90gMbz?N\xad\x1d\xc39\xfez\xf4(\x16\xdfA\xf6H\x80\x05\xd7\x0fQy\xac\x10\xab\xd4\xec\x03f\xe6j\xb0\xba1\x92B@j\xbe:\xd3r\xe1j7U\xbc\xac\x1d\x95\xb7ia\xf2C\x91t\xe6\xa0\xd3\x0a$F\xa1\x08\xaf\xd6\xdaE\x19\x96\xd4S\x1d[\x84y\xf0\xc0\xf7G\xef\x8b\x8f\xc5\x06\xae\x9dLb\x9d\xffF\x04\xf8\xd3\xc9\xb6\x10%@u\xfe\x16\xaa\xc9J`\x86/\xba\xef0w\xe4T\xe2\xb8\x84\x99X\x80\xaa\x13\x8bQ:OH\xf6\x8b\xb6\xb3, CN=Amazon Root CA 
1,O=Amazon,C=US = 0\x82\x03A0\x82\x02)\xa0\x03\x02\x01\x02\x02\x13\x06l\x9f\xcf\x99\xbf\x8c\x0a9\xe2\xf0x\x8aC\xe6\x966[\xca0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00091\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x0f0\x0d\x06\x03U\x04\x0a\x13\x06Amazon1\x190\x17\x06\x03U\x04\x03\x13\x10Amazon Root CA 10\x1e\x17\x0d150526000000Z\x17\x0d380117000000Z091\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x0f0\x0d\x06\x03U\x04\x0a\x13\x06Amazon1\x190\x17\x06\x03U\x04\x03\x13\x10Amazon Root CA 10\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb2x\x80q\xcax\xd5\xe3q\xafG\x80Pt}n\xd8\xd7\x88v\xf4\x99h\xf7X!`\xf9t\x84\x01/\xac\x02-\x86\xd3\xa0CzN\xb2\xa4\xd06\xba\x01\xbe\x8d\xdbH\xc8\x07\x176L\xf4\xee\x88#\xc7>\xeb7\xf5\xb5\x19\xf8Ih\xb0\xde\xd7\xb9v8\x1da\x9e\xa4\xfe\x826\xa5\xe5JV\xe4E\xe1\xf9\xfd\xb4\x16\xfat\xda\x9c\x9b59/\xfa\xb0 P\x06lz\xd0\x80\xb2\xa6\xf9\xaf\xecG\x19\x8fP8\x07\xdc\xa2\x879X\xf8\xba\xd5\xa9\xf9Hg0\x96\xee\x94x^o\x89\xa3Q\xc00\x86f\xa1Ef\xbaT\xeb\xa3\xc3\x91\xf9H\xdc\xff\xd1\xe80-}-tp5\xd7\x88$\xf7\x9e\xc4Yn\xbbs\x87\x17\xf22F(\xb8C\xfa\xb7\x1d\xaa\xca\xb4\xf2\x9f$\x0e-K\xf7q\^i\xff\xea\x95\x02\xcb8\x8a\xaeP8o\xdb\xfb-b\x1b\xc5\xc7\x1eT\xe1w\xe0g\xc8\x0f\x9c\x87#\xd6?@ \x7f \x80\xc4\x80L>;$&\x8e\x04\xael\x9a\xc8\xaa\x0d\x02\x03\x01\x00\x01\xa3B0@0\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x860\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x84\x18\xcc\x854\xec\xbc\x0c\x94\x94.\x08Y\x9c\xc7\xb2\x10N\x0a\x080\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x98\xf27ZA\x90\xa1\x1a\xc5vQ( 
6#\x0e\xae\xe6(\xbb\xaa\xf8\x94\xaeH\xa40\x7f\x1b\xfc$\x8dK\xb4\xc8\xa1\x97\xf6\xb6\xf1zp\xc8S\x93\xcc\x08(\xe3\x98%\xcf#\xa4\xf9\xde!\xd3|\x85\x09\xadN\x9au:\xc2\x0bj\x89xvDG\x18el\x8dA\x8e;\x7f\x9a\xcb\xf4\xb5\xa7P\xd7\x05,7\xe8\x03K\xad\xe9a\xa0\x02n\xf5\xf2\xf0\xc5\xb2\xed[\xb7\xdc\xfa\x94\w\x9e\x13\xa5\x7fR\xad\x95\xf2\xf8\x93;\xde\x8b\[\xcaZR[`\xaf\x14\xf7K\xef\xa3\xfb\x9f@\x95m1T\xfcB\xd3\xc7F\x1f#\xad\xd9\x0fHp\x9a\xd9uxq\xd1rC4unWY\xc2\x02\&`)\xcf#\x19\x16\x8e\x88C\xa5\xd4\xe4\xcb\x08\xfb#\x11C\xe8C)rb\xa1\xa9]^\x08\xd4\x90\xae\xb8\xd8\xce\x14\xc2\xd0U\xf2\x86\xf6\xc4\x93Cwfa\xc0\xb9\xe8A\xd7\x97x`\x03nJr\xae\xa5\xd1}\xba\x10\x9e\x86l\x1b\x8a\xb9Y3\xf8\xeb\xc4\x90\xbe\xf1\xb9, CN=Amazon Root CA 2,O=Amazon,C=US = 0\x82\x05A0\x82\x03)\xa0\x03\x02\x01\x02\x02\x13\x06l\x9f\xd2\x965\x86\x9f\x0a\x0f\xe5\x86x\xf8[&\xbb\x8a70\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0c\x05\x00091\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x0f0\x0d\x06\x03U\x04\x0a\x13\x06Amazon1\x190\x17\x06\x03U\x04\x03\x13\x10Amazon Root CA 20\x1e\x17\x0d150526000000Z\x17\x0d400526000000Z091\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x0f0\x0d\x06\x03U\x04\x0a\x13\x06Amazon1\x190\x17\x06\x03U\x04\x03\x13\x10Amazon Root CA 20\x82\x02"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x02\x0f\x000\x82\x02\x0a\x02\x82\x02\x01\x00\xad\x96\x9f-\x9cJLJ\x81yQ\x99\xec\x8a\xcbk`Q\x13\xbcMm\x06\xfc\xb0\x08\x8d\xdd\x19\x10j\xc7&\x0c5\xd8\xc0o \x84\xe9\x94\xb1\x9b\x85\x03\xc3[\xdbJ\xe8\xc8\xf8\x90v\xd9[O\xe3L\xe8\x066M\xcc\x9a\xac=\x0c\x90+\x92\xd4\x06\x19`\xac7Dy\x85\x81\x82\xadZ7\xe0\x0d\xcc\x9d\xa6LRv\xeaC\x9d\xb7\x04\xd1P\xf6U\xe0\xd5\xd2\xa6I\x85\xe97\xe9\xca~\xae\\x95MH\x9a?\xae 
Zm\x88\x95\xd94\xb8R\x1aC\x90\xb0\xbfl\x05\xb9\xb6x\xb7\xea\xd0\xe4:<\x12Sb\xffJ\xf2{\xbe5\x05\xa9\x124\xe3\xf3dtb,=\x00IZ(\xfe2D\xbb\x87\xdde'\x02q;\xdaJ\xf7\x1f\xda\xcd\xf7!U\x90O\x0f\xec\xae\x82\xe1\x9fk\xd9E\xd3\xbb\xf0_\x87\xed<,9\x86\xda?\xde\xecrU\xeby\xa3\xad\xdb\xdd|\xb0\xba\x1c\xce\xfc\xdeO5v\xcf\x0f\xf8x\x1fj6QF'a[\xe9\x9e\xcf\xf0\xa2U}|%\x8ao/\xb4\xc5\xcf\x84.+\xfd\x0dQ\x10l\xfb_\x1b\xbc\x1b~\xc5\xae;\x98\x011\x92\xff\x0bW\xf4\x9a\xb2\xb9W\xe9\xab\xef\x0dv\xd1\xf0\xee\xf4\xce\x86\xa7\xe0n\xe9\xb4i\xa1\xdfi\xf63\xc6i.\x97\x13\x9e\xa5\x87\xb0W\x10\x817\xc9S\xb3\xbb\x7f\xf6\x92\xd1\x9c\xd0\x18\xf4\x92n\xda\x83O\xa6c\x99L\xa5\xfb^\xef!dz _ld\x85\x15\xcb7\xe9b\x0c\x0b*\x16\xdc\x01.2\xda>K\xf5\x9e:\xf6\x17@\x94\xef\x9e\x91\x08\x86\xfa\xbec\xa8Z3\xec\xcbtC\x95\xf9liR6\xc7)o\xfcU\x03\\x1f\xfb\x9f\xbdG\xeb\xe7IG\x95\x0bN\x89"\x09I\xe0\xf5a\x1e\xf1\xbf.\x8arn\x80Y\xffW:\xf9u2\xa3N_\xec\xed(b\xd9Ms\xf2\xcc\x81\x17`\xed\xcd\xeb\xdc\xdb\xa7\xca\xc5~\x02\xbd\xf2T\x08T\xfd\xb4-\x09,\x17TJ\x98\xd1T\xe1Qg\x08\xd2\xedn~o?\xd2-\x81Y)f\xcb\x909\x95\x11\x1et'\xfe\xdd\xeb\xaf\x02\x03\x01\x00\x01\xa3B0@0\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x860\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xb0\x0c\xf0L0\xf4\x05X\x02H\xfd3\xe5R\xafK\x84\xe3fR0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0c\x05\x00\x03\x82\x02\x01\x00\xaa\xa8\x80\x8f\x0ex\xa3\xe0\xa2\xd4\xcd\xe6\xf5\x98z;\xea\x00\x03\xb0\x97\x0e\x93\xbcZ\xa8\xf6,\x8cr\x87\xa9\xb1\xfc\x7fs\xfdcqx\xa5\x87Y\xcf0\xe1\x0d\x10\xb2\x13Zm\x82\xf5j\xe6\x80\x9f\xa0\x05\x0bh\xe4Gk\xc7j\xdf\xb6\xfdw2r\xe5\x18\xfa\x09\xf4\xa0\x93,]\xd2\x8cu\x85ve\x90\x0c\x03y\xb71#c\xadx\x83\x09\x86h\x84\xca\xff\xf9\xcf&\x9a\x92y\xe7\xcdK\xc5\xe7a\xa7\x17\xcb\xf3\xa9\x12\x93\x93k\xa7\xe8/S\x92\xc4`X\xb0\xcc\x02Q\x18[\x85\x8dbYc\xb6\xad\xb4\xde\x9a\xfb&\xf7\x00'\xc0]U7t\x99\xc9P\x7f\xe3Y.D\xe3,%\xee\xecL2w\xb4\x9f\x1a\xe9K] 
\xc5\xda\xfd\x1c\x87\x16\xc6C\xe8\xd4\xbb&\x9aEp^\xa9\x0b7S\xe2F{'\xfd\xe0F\xf2\x89\xb7\xccB\xb6\xcb(&n\xd9\xa5\xc9:\xc8A\x13`\xf7P\x8c\x15\xae\xb2m\x1a\x15\x1aWx\xe6\x92*\xd9e\x90\x82?l\x02\xaf\xae\x12:'\x966\x04\xd7\x1d\xa2\x80c\xa9\x9b\xf1\xe5\xba\xb4|\x14\xb0N\xc9\xb1\x1ft_8\xf6Q\xea\x9b\xfa,\xa2\x11\xd4\xa9-'\x1aE\xb1\xaf\xb2Nq\x0d\xc0XF\xd6i\x06\xcbS\xcb\xb3\xfekA\xcdA~}L\x0f|ryzY\xcd^J\x0e\xac\x9b\xa9\x98sy|\xb4\xf4\xcc\xb9\xb8\x07\x0c\xb2t\\xb8\xc7o\x88\xa1\x90\xa7\xf4\xaa\xf9\xbfg:\xf4\x1a\x15b\x1e\xb7\x9f\xbe=\xb1)\xafg\xa1\x12\xf2X\x10\x19S\x030\x1b\xb8\x1a\x89\xf6\x9c\xbd\x97\x03\x8e\xa3\x09\xf3\x1d\x8b!\xf1\xb4\xdf\xe4\x1c\xd1\x9fe\x02\x06\xea\\xd6\x13\xb3\x84\xef\xa2\xa5\\x8cw)\xa7h\xc0k\xae@\xd2\xa8\xb4\xea\xcd\xf0\x8dK8\x9c\x19\x9a\x1b(T\xb8\x89\x90\xef\xcau\x81>\x1e\xf2d$\xc7\x18\xafN\xffG\x9e\x07\xf65e\xa4\xd3\x0aV\xff\xf5\x17dl\xef\xa8"%I\x93\xb6\xdf\x00\x17\xdaX~]\xee\xc5\x1b\xb0\xd1\xd1_!\x10\xc7\xf9\xf3\xba\x02\x0a'\x07\xc5\xf1\xd6\xc7\xd3\xe0\xfb\x09`l, CN=Amazon Root CA 3,O=Amazon,C=US = 0\x82\x01\xb60\x82\x01[\xa0\x03\x02\x01\x02\x02\x13\x06l\x9f\xd5t\x976f?;\x0b\x9a\xd9\xe8\x9ev\x03\xf2J0\x0a\x06\x08*\x86H\xce=\x04\x03\x02091\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x0f0\x0d\x06\x03U\x04\x0a\x13\x06Amazon1\x190\x17\x06\x03U\x04\x03\x13\x10Amazon Root CA 30\x1e\x17\x0d150526000000Z\x17\x0d400526000000Z091\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x0f0\x0d\x06\x03U\x04\x0a\x13\x06Amazon1\x190\x17\x06\x03U\x04\x03\x13\x10Amazon Root CA 
30Y0\x13\x06\x07*\x86H\xce=\x02\x01\x06\x08*\x86H\xce=\x03\x01\x07\x03B\x00\x04)\x97\xa7\xc6A\x7f\xc0\x0d\x9b\xe8\x01\x1bV\xc6\xf2R\xa5\xba-\xb2\x12\xe8\xd2.\xd7\xfa\xc9\xc5\xd8\xaam\x1fs\x81;;\x98k9|3\xa5\xc5N\x86\x8e\x80\x17hbEW}DX\x1d\xb37\xe5g\x08\xebf\xde\xa3B0@0\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x860\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xab\xb6\xdb\xd7\x06\x9e7\xac0\x86\x07\x91p\xc7\x9c\xc4\x19\xb1x\xc00\x0a\x06\x08*\x86H\xce=\x04\x03\x02\x03I\x000F\x02!\x00\xe0\x85\x92\xa3\x17\xb7\x8d\xf9+\x06\xa5\x93\xac\x1a\x98har\xfa\xe1\xa1\xd0\xfb\x1cx`\xa6C\x99\xc5\xb8\xc4\x02!\x00\x9c\x02\xef\xf1\x94\x9c\xb3\x96\xf9\xeb\xc6*\xf8\xb6,\xfe:\x90\x14\x16\xd7\x8cc$H\x1c\xdf0}\xd5h;, CN=Amazon Root CA 4,O=Amazon,C=US = 0\x82\x01\xf20\x82\x01x\xa0\x03\x02\x01\x02\x02\x13\x06l\x9f\xd7\xc1\xbb\x10L)C\xe5q{{,\xc8\x1a\xc1\x0e0\x0a\x06\x08*\x86H\xce=\x04\x03\x03091\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x0f0\x0d\x06\x03U\x04\x0a\x13\x06Amazon1\x190\x17\x06\x03U\x04\x03\x13\x10Amazon Root CA 40\x1e\x17\x0d150526000000Z\x17\x0d400526000000Z091\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x0f0\x0d\x06\x03U\x04\x0a\x13\x06Amazon1\x190\x17\x06\x03U\x04\x03\x13\x10Amazon Root CA 40v0\x10\x06\x07*\x86H\xce=\x02\x01\x06\x05+\x81\x04\x00"\x03b\x00\x04\xd2\xab\x8a7O\xa3S\x0d\xfe\xc1\x8a{K\xa8{FKc\xb0b\xf6-\x1b\xdb\x08q!\xd2\x00\xe8c\xbd\x9a'\xfb\xf09n]\xea=\xa5\xc9\x81\xaa\xa3[ 
\x98E]\x16\xdb\xfd\xe8\x10m\xe3\x9c\xe0\xe3\xbd_\x84b\xf3pd3\xa0\xcb$/p\xba\x88\xa1*\xa0u\xf8\x81\xaeb\x06\xc4\x81\xdb9n)\xb0\x1e\xfa.\\xa3B0@0\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x860\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd3\xec\xc7:en\xcc\xe1\xdav\x9aV\xfb\x9c\xf3\x86mW\xe5\x810\x0a\x06\x08*\x86H\xce=\x04\x03\x03\x03h\x000e\x020:\x8b!\xf1\xbd~\x11\xad\xd0\xefX\x96/\xd6\xeb\x9d~\x90\x8d+\xcffU\xc3,\xe3(\xa9p\x0aG\x0e\xf07Y\x12\xff-\x99\x94(N*O5M3Z\x021\x00\xeau\x00N;\xc4:\x94\x12\x91\xc9XF\x9d!\x13r\xa7\x88\x9c\x8a\xe4LJ\xdb\x96\xd4\xac\x8bkkI\x12S3\xad\xd7\xe4\xbe$\xfc\xb5\x0av\xd4\xa5\xbc\x10, CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1,OU=Kamu Sertifikasyon Merkezi - Kamu SM,O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK,L=Gebze - Kocaeli,C=TR = 0\x82\x04c0\x82\x03K\xa0\x03\x02\x01\x02\x02\x01\x010\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000\x81\xd21\x0b0\x09\x06\x03U\x04\x06\x13\x02TR1\x180\x16\x06\x03U\x04\x07\x13\x0fGebze - Kocaeli1B0@\x06\x03U\x04\x0a\x139Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK1-0+\x06\x03U\x04\x0b\x13$Kamu Sertifikasyon Merkezi - Kamu SM1604\x06\x03U\x04\x03\x13-TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 10\x1e\x17\x0d131125082555Z\x17\x0d431025082555Z0\x81\xd21\x0b0\x09\x06\x03U\x04\x06\x13\x02TR1\x180\x16\x06\x03U\x04\x07\x13\x0fGebze - Kocaeli1B0@\x06\x03U\x04\x0a\x139Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK1-0+\x06\x03U\x04\x0b\x13$Kamu Sertifikasyon Merkezi - Kamu SM1604\x06\x03U\x04\x03\x13-TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 
10\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xafu03\xaa\xbbk\xd3\x99,\x127\x84\xd9\x8d{\x97\x80\xd3n\xe7\xff\x9bP\x95>\x90\x95VB\xd7\x19|&\x84\x8d\x92\xfa\x01\x1d:\x0f\xe2d8\xb7\x8c\xbc\xe8\x88\xf9\x8b$\xab.\xa3\xf57\xe4@\x8e\x18%y\x83u\x1f;\xffl\xa8\xc5\xc6V\xf8\xb4\xed\x8aD\xa3\xablL\xfc\x1d\xd0\xdc\xefh\xbd\xcf\xe4\xaa\xce\xf0U\xf7\xa24\xd4\x83k7|\x1c\xc2\xfe\xb5\x03\xecW\xce\xbc\xb4\xb5\xc5\xed\x00\x0fS7*M\xf4O\x0c\x83\xfb\x86\xcf\xcb\xfe\x8cN\xbd\x87\xf9\xa7\x8b!W\x9cz\xdf\x03g\x89,\x9d\x97a\xa7\x10\xb8U\x90\x7f\x0e-'8t\xdf\xe7\xfd\xdaN\x12\xe3M\x15"\x02\xc8\xe0\xe0\xfc\x0f\xad\x8a\xd7\xc9TP\xcc;\x0f\xca\x16\x80\x84\xd0QV\xc3\x8eV\x7f\x89"3/\xe6\x85\x0a\xbd\xa5\xa8\x1b6\xde\xd3\xdc,m;\xc7\x13\xbdY#,\xe6\xe5\xa4\xf7\xd8\x0b\xed\xea\x90@D\xa8\x95\xbb\x93\xd5\xd0\x804\xb6Fx\x0e\x1f\x00\x93F\xe1\xee\xe9\xf9\xecO\x17\x02\x03\x01\x00\x01\xa3B0@0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14e?\xc7\x8a\x86\xc6<\xdd<T\5\xf8:\xedR\x0cGW\xc80\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x060\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00*?\xe1\xf12\x8e\xae\xe1\x98\K^\xcfk\x1ej\x09\xd2"\xa9\x12\xc7^W}sVd\x80\x84z\x93\xe4\x09\xb9\x10\xcd\x9f*'\xe1\x00w\xbeH\xc85\xa8\x81\x9f\xe4\xb8,\xc9\x7f\x0e\xb0\xd2K7]\xea\xb9\xd5\x0b^4\xbd\xf4s)\xc3\xed&\x15\x9c~\x08S\x8aX\x8d\xd0K(\xdf\xc1\xb3\xdf \xf3\xf9\xe3\xe3:\xdf\xcc\x9c\x94\xd8NO\xc3k\x17\xb7\xf7r\xe8\xadf3\xb5%S\xab\xe0\xf8L\xa9\x9d\xfd\xf2\x0d\xba\xae\xb9\xd9\xaa\xc6k\xf9\x93\xbb\xae\xab\xb8\x97<\x03\x1a\xbaC\xc6\x96\xb9Er8\xb3\xa7\xa1\x96=\x91{~\xc0!SL\x87\xed\xf2\x0bT\x95Q\x93\xd5"\xa5\x0d\x8a\xf1\x93\x0e>T\x0e\xb0\xd8\xc9N\xdc\xf212V\xead\xf9\xea\xb5\x9d\x16fBr\xf3\x7f\xd3\xb11C\xfc\xa4\x8e\x17\xf1m#\xab\x94f\xf8\xad\xfb\x0f\x08n&-\x7f\x17\x07\x09\xb2\x8c\xfbP\xc0\x9f\x96\x8d\xcf\xb6\xfd\x00\x9dZ\x14\x9a\xbf\x02D\xf5\xc1\xc2\x9f"^\xa2\x0f\xa1\xe3, CN=GDCA TrustAUTH R5 
ROOT,O=GUANG DONG CERTIFICATE AUTHORITY CO.,LTD.,C=CN = 0\x82\x05\x880\x82\x03p\xa0\x03\x02\x01\x02\x02\x08}\x09\x97\xfe\xf0G\xeaz0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x0b0\x09\x06\x03U\x04\x06\x13\x02CN1200\x06\x03U\x04\x0a\x0c)GUANG DONG CERTIFICATE AUTHORITY CO.,LTD.1\x1f0\x1d\x06\x03U\x04\x03\x0c\x16GDCA TrustAUTH R5 ROOT0\x1e\x17\x0d141126051315Z\x17\x0d401231155959Z0b1\x0b0\x09\x06\x03U\x04\x06\x13\x02CN1200\x06\x03U\x04\x0a\x0c)GUANG DONG CERTIFICATE AUTHORITY CO.,LTD.1\x1f0\x1d\x06\x03U\x04\x03\x0c\x16GDCA TrustAUTH R5 ROOT0\x82\x02"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x02\x0f\x000\x82\x02\x0a\x02\x82\x02\x01\x00\xd9\xa3\x16\xf0\xc8ttw\x9b\xef3\x0d;\x06~U\xfc\xb5`\x8fv\x86\x12B}Vf>\x88\x82\xedrc\x0e\x9e\x8b\xdd4,\x02QQ\xc3\x19\xfdYT\x84\xc9\xf1k\xb3L\xb0\xe9\xe8F]8\xc6\xa2\xa7.\x11W\xba\x82\x15\xa2\x9c\x8fm\xb0\x99J\x0a\xf2\xeb\x89pcNy\xc4\xb7[\xbd\xa2]\xb1\xf2A\x02+\xad\xa9:\xa3\xecy\x0a\xec_:\xe3\xfd\xef\x80<\xad4\x9b\x1a\xab\x88&{V\xa2\x82\x86\x1f\xeb5\x89\x83\x7f_\xae)N=\xb6n\xec\xae\xc1\xf0'\x9b\xae\xe3\xf4\xec\xef\xae\x7f\xf7\x86=rz\xeb\xa5\xfbYN\xa7\xeb\x95\x8c"9y\xe1-\x08\x8f\xcc\xbc\x91\xb8A\xf7\x14\xc1#\xa9\xc3\xad\x9aED\xb3\xb2\xd7,\xcd\xc6)\xe2P\x10\xae\\xcb\x82\x8e\x17\x186}\x97\xe6\x88\x9a\xb0M4\x09\xf4,\xb9Zf*\xb0\x17\x9b\x9e\x1ev\x9dJf1A\xdf?\xfb\xc5\x06\xef\x1b\xb6~\x1aF6\xf7dc;\xe39\x18#\xe7gu\x14\xd5uW\x927\xbd\xbej\x1b&P\xf26&\x06\x90\xc5p\x01dmvf\xe1\x91\xdbn\x07\xc0a\x80.\xb2./\x8cp\xa7\xd1;<\xb3\x91\xe4n\xb6\xc4;p\xf2l\x92\x97\x09\xcdG}\x18\xc0\xf3\xbb\x9e\x0f\xd6\x8b\xae\x07\xb6Z\x0f\xce\x0b\x0cG\xa7\xe5>\xb8\xbd}\xc7\x9b5\xa0a\x97:Au\x17\xcc+\x96w*\x92!\x1e\xd9\x95v gh\xcf\x0d\xbd\xdf\xd6\x1f\x09j\x9a\xe2\xccsq\xa4/}\x12\x80\xb7S0F^KT\x99\x0fg\xc9\xa5\xc8\xf2 \xc1\x82\xec\x9d\x11\xdf\xc2\x02\xfb\x1a;\xd1\xed 
\x9a\xefed\x92\x10\x0d*\xe2\xdep\xf1\x18g\x82\x8ca\xde\xb8\xbc\xd1/\x9c\xfb\x0f\xd0+\xed\x1bv\xb9\xe49U\xf8\xf8\xa1\x1d\xb8\xaa\x80\x00L\x82\xe7\xb2\x7f\x09\xb8\xbc0\xa0/\x0d\xf5R\x9e\x8e\xf7\x92\xb3\x0a\x00\x1d\x00T\x97\x06\xe0\xb1\x07\xd9\xc7\x0f\e}<mYW\xe4\xed\xa5\x8d\xe9@S\x9f\x15K\xa0q\xf6\x1a!\xe3\xdap\x06!X\x14\x87\x85wy\xaa\x82y\x02\x03\x01\x00\x01\xa3B0@0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xe2\xc9@\x9fM\xce\xe8\x9a\xa1|\xcf\x0e?e\xc5)\x88j\x19Q0\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x860\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x02\x01\x00\xd1IW\xe0\xa7\xcchX\xba\x01\x0f+\x19\xcd\x8d\xb0aE\xac\x11\xedcPi\xf8\x1f\x7f\xbe\x16\x8f\xfd\x9d\xeb\x0b\xaa2Gv\xd2g$\xed\xbd|32\x97*\xc7\x05\x86f\x0d\x17}\x14\x15\x1b\xd4\xeb\xfd\x1f\x9a\xf6^\x97i\xb7\x1a%\xa4\x0a\xb3\x91?_6\xac\x8b\xecW\xa8>\xe7\x81\x8a\x18W9\x85t\x1aB\xc7\xe9[\x13_\x8f\xf9\x08\xe9\x92t\x8d\xf5G\xd2\xab;\xd6\xfbxfN6}\xf9\xe9\x92\xe9\x04\xde\xfdIc\xfcm\xfb\x14q\x93g/GJ\xb7\xb9\xff\x1e*spF0\xbfZ\xf2/y\xa5\xe1\x8d\x0c\xd9\xf9\xb2c7\x8c7e\x85pj\[\x09r\xb9\xadc<\xb1\xdd\xf8\xfc2\xbf7\x86\xe4\xbb\x8e\x98'~\xba\x1f\x16\xe1p\x11\xf2\x03\xdf%b2'&\x182\x84\x9f\xff\x00:\x13\xba\x9aM\xf4O\xb8\x14p"\xb1\xca+\x90\xce)\xc1p\xf4/\x9d\x7f\xf2\x90\x1e\xd6Z\xdf\xb7F\xfc\xe6\x86\xfa\xcb\xe0 vz\xba\xa6\xcb\xf5|\xdeb\xa5\xb1\x8b\xee\xde\x82f\x8aN:0\x1f?\x80\xcb\xad'\xba\x0c^\xd7\xd0\xb1V\xcawq\xb2\xb5u\xa1P\xa9@C\x17\xc2(\xd9\xcfR\x8b[\xc8c\xd4B>\xa03zF.\xf7\x0a FT~jO1\xf1\x81~Bt8es'\xee\xc6|\xb8\x8e\xd7\xa5:\xd7\x98\xa1\x9c\x8c\x10U\xd3\xdbK\xec@\x90\xf2\xcdnW\xd2b\x0e|W\x93\xb1\xa7m\xcd\x9d\x83\xbb*\xe7\xe5\xb6;qX\xad\xfd\xd1E\xbcZ\x91\xeeS\x15o\xd3E\x09un\xba\x90]\x1e\x04\xcf7\xdf\x1e\xa8f\xb1\x8c\xe6 
j\xef\xfcHNt\x98B\xaf)o.j\xc7\xfb}\xd1f1"\xcc\x86\x00~f\x83\x0cB\xf4\xbd4\x92\xc3\x1a\xeaO\xca~rM\x0bp\x8c\xa6H\xbb\xa6\xa1\x14\xf6\xfbXD\x99\x14\xae\xaa\x0b\x93i\xa0)%J\xa5\xcb+\xdd\x8af\x07\x16x\x15Wq\x1b\xec\xf5G\x84\xf3\x9e17z\xd5\x7f$\xad\xe4\xbc\xfd\xfd\xccn\x83\xe8\x0c\xa8\xb7Al\x07\xdd\xbd<\x86\x97/\xd2, CN=TrustCor RootCert CA-1,OU=TrustCor Certificate Authority,O=TrustCor Systems S. de R.L.,L=Panama City,ST=Panama,C=PA = 0\x82\x0400\x82\x03\x18\xa0\x03\x02\x01\x02\x02\x09\x00\xda\x9b\xecq\xf3\x03\xb0\x190\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000\x81\xa41\x0b0\x09\x06\x03U\x04\x06\x13\x02PA1\x0f0\x0d\x06\x03U\x04\x08\x0c\x06Panama1\x140\x12\x06\x03U\x04\x07\x0c\x0bPanama City1$0"\x06\x03U\x04\x0a\x0c\x1bTrustCor Systems S. de R.L.1'0%\x06\x03U\x04\x0b\x0c\x1eTrustCor Certificate Authority1\x1f0\x1d\x06\x03U\x04\x03\x0c\x16TrustCor RootCert CA-10\x1e\x17\x0d160204123216Z\x17\x0d291231172316Z0\x81\xa41\x0b0\x09\x06\x03U\x04\x06\x13\x02PA1\x0f0\x0d\x06\x03U\x04\x08\x0c\x06Panama1\x140\x12\x06\x03U\x04\x07\x0c\x0bPanama City1$0"\x06\x03U\x04\x0a\x0c\x1bTrustCor Systems S. 
de R.L.1'0%\x06\x03U\x04\x0b\x0c\x1eTrustCor Certificate Authority1\x1f0\x1d\x06\x03U\x04\x03\x0c\x16TrustCor RootCert CA-10\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xbf\x8e\xb7\x95\xe2\xc2&\x12k3\x19\xc7@X\x0a\xabY\xaa\x8d\x00\xa3\xfc\x80\xc7P{\x8e\xd4 &\xba2\x12\xd8#TI%\x10"\x98\x9dF\xd2\xc1\xc9\x9eN\x1b.,\x0e8\xf3\x1a%h\x1c\xa6Z\x05\xe6\x1e\x8bH\xbf\x98\x96t>i\xca\xe9\xb5x\xa5\x06\xbc\xd5\x00^\x09\x0a\xf2'zR\xfc-\xd5\xb1\xea\xb4\x89a$\xf3\x1a\x13\xdb\xa9\xcfR\xed\x0c$\xba\xb9\x9e\xec~\x00t\xfa\x93\xadl)\x92\xaeQ\xb4\xbb\xd3W\xbf\xb3\xf3\xa8\x8d\x9c\xf4$K*\xd6\x99\x9e\xf4\x9e\xfe\xc0~B:\xe7\x0b\x95S\xda\xb7h\x0e\x90L\xfbp?\x8fJ,\x94\xf3&\xddci\xa9\x94\xd8\x10N\xc5G\x08\x90\x99\x1b\x17M\xb9ln\xef`\x95\x11\x8e!\x80\xb5\xbd\xa0s\xd8\xd0\xb2w\xc4E\xeaZ&\xfbfvv\xf8\x06\x1fam\x0fU\xc5\x83\xb7\x10Vr\x06\x07\xa5\xf3\xb1\x1a\x03\x05d\x0e\x9dZ\x8a\xd6\x86p\x1b$\xde\xfe(\x8a+\xd0j\xb0\xfcz\xa2\xdc\xb2y\x0e\x8be\x0f\x02\x03\x01\x00\x01\xa3c0a0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xeekI<z?\x0d\xe3\xb1\x09\xb7\x8a\xc8\xab\x19\x9fs3P\xe70\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xeekI<z?\x0d\xe3\xb1\x09\xb7\x8a\xc8\xab\x19\x9fs3P\xe70\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x860\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00%\x18\xd4\x91\x8f\x13\xee\x8f\x1e\x1d\x11S\xda-D)\x19\xa0\x1ek1\x9eM\x0e\x9e\xad=\Ao\x95+$\xa1y\x98:86\xfb\xbbf\x9eH\xff\x90\x90\xef=\xd4\xb8\x9b\xb4\x87u? 
\x9b\xcer\xcf\xa1U\xc1Md\xa2\x19\x06\xa1\x073\x0c\x0b)\xe5\xf1\xea\xab\xa3\xec\xb5\x0at\x90\xc7}r\xf2\xd7\\x9f\x91\xef\x91\x8b\xb7\xdc\xedf\xa2\xcf\x8ef;\xbc\x9f:\x02\xe0'\xdd\x16\x98\xc0\x95\xd4\x0a\xa4\xe4\x81\x9au\x945\x9c\x90_\x887\x06\xadY\x95\x0a\xb0\xd1g\xd3\x19\xca\x89\xe72Z6\x1c>\x82\xa8Z\x93\xbe\xc6\xd0d\x91\xb6\xcf\xd9\xb6\x18\xcf\xdb~\xd2e\xa3\xa6\xc4\x8e\x171\xc1\xfb~v\xdb\xd3\x85\xe3X\xb2wzv;l/P\x1c\xe7\xdb\xf6gy\x1f\xf5\x82\x95\x9a\x07\xa7\x14\xaf\x8f\xdc(!g\x09\xd2\xd6MZ\x1c\x19\x1c\x8ew\\xc3\x94$=2kK~\xd4x\x94\x83\xbe7M\xce_\xc7\x1eN<\xe0\x893\x95\x0b\x0f\xa52\xd6<Zy,\x19, CN=TrustCor RootCert CA-2,OU=TrustCor Certificate Authority,O=TrustCor Systems S. de R.L.,L=Panama City,ST=Panama,C=PA = 0\x82\x06/0\x82\x04\x17\xa0\x03\x02\x01\x02\x02\x08%\xa1\xdf\xca3\xcbY\x020\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000\x81\xa41\x0b0\x09\x06\x03U\x04\x06\x13\x02PA1\x0f0\x0d\x06\x03U\x04\x08\x0c\x06Panama1\x140\x12\x06\x03U\x04\x07\x0c\x0bPanama City1$0"\x06\x03U\x04\x0a\x0c\x1bTrustCor Systems S. de R.L.1'0%\x06\x03U\x04\x0b\x0c\x1eTrustCor Certificate Authority1\x1f0\x1d\x06\x03U\x04\x03\x0c\x16TrustCor RootCert CA-20\x1e\x17\x0d160204123223Z\x17\x0d341231172639Z0\x81\xa41\x0b0\x09\x06\x03U\x04\x06\x13\x02PA1\x0f0\x0d\x06\x03U\x04\x08\x0c\x06Panama1\x140\x12\x06\x03U\x04\x07\x0c\x0bPanama City1$0"\x06\x03U\x04\x0a\x0c\x1bTrustCor Systems S. 
de R.L.1'0%\x06\x03U\x04\x0b\x0c\x1eTrustCor Certificate Authority1\x1f0\x1d\x06\x03U\x04\x03\x0c\x16TrustCor RootCert CA-20\x82\x02"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x02\x0f\x000\x82\x02\x0a\x02\x82\x02\x01\x00\xa7 n\xc2*\xa2b$\x95\x90v\xc88~\x80\xd2\xab\xc1\x9be\x05\x94\xf4\xc1\x0a\x10\xd5\x02\xac\xed\x9f\x93\xc7\x87\xc8\xb0'+B\x0c=\x0a>AZ\x9eu\xdd\x8d\xca\xe0\x9b\xech2\xa4i\x92h\x8c\x0b\x81\x0eV\xa0>\x1a\xdd,%\x14\x82/\x97\xd3dF\xf4T\xa9\xdc:T-1+\x99\x82\xf2\xd9*\xd7\xefq\x00\xb81\xa4\xbez$\x07\xc3B \xf2\x8a\xd4\x92\x04\x1beVLl\xd4\xfb\xb6aZG#\xb4\xd8i\xb4\xb7:\xd0t<\x0cu\xa1\x8cNv\xa1\xe9\xdb*\xa5;\xfa\xce\xb0\xff~j(\xfd'\x1c\xc8\xb1\xe9)\xf1Wnd\xb4\xd0\xc1\x15m\x0e\xbe.\x0eF\xc8^\xf4Q\xfe\xef\x0ec:;q\xba\xcfoY\xca\x0c\xe3\x9b]I\xb8L\xe2W\xb1\x98\x8aBW\x9cv\xef\xef\xbd\xd1h\xa8\xd2\xf4\x09\xbbw5\xbe%\x82\x08\xc4\x16,D V\xa9D\x11w\xef]\xb4\x1d\xaa^k>\x8b2\xf6\x07/W\x04\x92\xca\xf5\xfe\x9d\xc2\xe9\xe8\xb3\x8eLK\x021\xd9\xe4<H\x82'\xf7\x18\x82vH:q\xb1\x13\xa19\xd5.\xc54\xc2\x1db\x85\xdf\x03\xfeM\xf4\xaf=\xdf\[\x8d\xfap\xe1\xa5~'\xc7\x86.j\x8f\x12\xc6\x84^CQP\x9c\x19\x9bx\xe6\xfc\xf6\xedG~{=f\xef\x13\x13\x88_<\xa1c\xfb\xf9\xac\x875\x9f\xf3\x82\x9e\xa4?\x0a\x9c1i\x8b\x99\xa4\x88J\x8enfM\xef\x16\xc4\x0fy(!`\x0d\x85\x16}\xd7T8\xf1\x92V\xfd\xb53L\x83\xdc\xd7\x10\x9fK\xfd\xc6\xf8B\xbd\xba|s\x02\xe0\xff}\xcd[\xe1\xd4\xaca{W\xd5J{[\xd4\x85X']\xbf\xf8+`\xac\xa0&\xae\x14!'\xc6w\x9a3\x80<^F?\xf7\xc3\xb1\xa3\x863\xc6\xe8^\x0d\xb95,\xaaF\xc1\x85\x02u\x80\xa0\xeb$\xfb\x15\xaa\xe4g\x7fnw?\xf4\x04\x8a/|{\xe3\x17a\xf0\xdd\x09\xa9 \xc8\xbe\x09\xa4\xd0~D\xc3\xb20J8\xaa\xa9\xec\x18\x9a\x07\x82+\xdb\xb8\x9c\x18\xad\xda\xe0F\x17\xac\xcf]\x02\x03\x01\x00\x01\xa3c0a0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd9\xfe!@n\x94\x9e\xbc\x9b=\x9c}\x98 \x19\xe5\x8c0b\xb20\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd9\xfe!@n\x94\x9e\xbc\x9b=\x9c}\x98 
\x19\xe5\x8c0b\xb20\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x860\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x02\x01\x00\x9eE\x9e\x0c;\xb6\xef\xe1:\xc8|\xd1\x00=\xcf\xe2\xea\x06\xb5\xb2:\xbb\x06Khz\xd0#\x97t\xa7,\xf0\x08\xd8yZ\xd7Z\x84\x8a\xd8\x12\x9a\x1b\xd9}\Mp\xc5\xa5\xf9\xab\xe5\xa3\x89\x89\xdd\x01\xfa\xec\xdd\xf9\xe9\x92\x97\xdb\xb0FB\xf3\xd3b\xaa\x95\xfe1g\x14iX\x90\x0a\xaa\x0b\xee7#\xc7PQ\xb4\xf5~\x9e\xe3{\xf7\xe4\xccB2-I\x0c\xcb\xffI\x0c\x9b\x1e4\xfdnn\x96\x8ay\x03\xb6o\xdb\x09\xcb\xfd_e\x147\xe18\xf5\xf3a\x16X\xe4\xb5m\x0d\x0b\x04\x1b?P-\x7f\xb3\xc7z\x1a\x16\x80`\xf8\x8a\x1f\xe9\x1b*\xc6\xf9\xba\x01\x1ai\xbf\xd2X\xc7TW\x08\x8f\xe19`wK\xacY\x84\x1a\x88\xf1\xdd\xcbOx\xd7\xe7\xe13-\xfc\xeeA\xfa \xb0\xbe\xcb\xf78\x94\xc0\xe1\xd0\x85\x0f\xbb\xed,s\xab\xed\xfe\x92v\x1ad\x7f[\x0d3\x09\x073{\x06?\x11\xa4\p<\x85\xc0\xcf\xe3\x90\xa8\x83w\xfa\xdb\xe6\xc5\x8chg\x10g\xa5R-\xf0\xc4\x99\x8f\x7f\xbf\xd1k\xe2\xb5G\xd6\xd9\xd0\x85\x99M\x94\x9b\x0fK\x8d\xee\x00ZG\x1d\x11\x03\xacA\x18\xaf\x87\xb7o\x0c:\x8f\xca\xcf\xdc\x03\xc1\xa2\x09\xc8\xe5\xfd\x80^\xc8`B\x01\x1b\x1aSZ\xbb7\xa6\xb7\xbc\xba\x84\xe9\x1el\x1a\xd4d\xda\xd4C\xfe\x93\x8bK\xf2,y\x16\x10\xd4\x93\x0b\x88\x8f\xa1\xd8\x86\x14F\x91G\x9b($\xefWRN\B\x9c\xaa\xf7I\xec'\xe8@\x1e\xb3\xa6\x89"r\x9c\xf5\x0d3\xb4X\xa30;\xdd\xd4jT\x93\xbe\x1aM\xf3\x93\x94\xf7\xfc\x84\x0b?\x84 \4\x03D\xc5\xda\xad\xbc\x0a\xc1\x02\xcf\x1e\xe5\x94\xd9\xf3\x8e[\xd8L\xf0\x9d\xeca\x17\xbb\x142T\x0c\x02)\x93\x1e\x92\x86\xf6\x7f\xef\xe7\x92\x05\x0eY\xdd\x99\x08..\xfa\x9c\x00R\xd3\xc5f)\xe4\xa7\x97D\xa4\x0e(\x81\x135\xc5\xf6od\xe6A\xc4\xd5/\xcc4E%\xcfA\x00\x96=J.\xc2\x96\x98ONJ\x9c\x97\xb7\xdb\x1f\x922\xc8\xff\x0fQn\xd6\xec\x09, CN=TrustCor ECA-1,OU=TrustCor Certificate Authority,O=TrustCor Systems S. 
de R.L.,L=Panama City,ST=Panama,C=PA = 0\x82\x04 0\x82\x03\x08\xa0\x03\x02\x01\x02\x02\x09\x00\x84\x82,_\x1cb\xd0@0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000\x81\x9c1\x0b0\x09\x06\x03U\x04\x06\x13\x02PA1\x0f0\x0d\x06\x03U\x04\x08\x0c\x06Panama1\x140\x12\x06\x03U\x04\x07\x0c\x0bPanama City1$0"\x06\x03U\x04\x0a\x0c\x1bTrustCor Systems S. de R.L.1'0%\x06\x03U\x04\x0b\x0c\x1eTrustCor Certificate Authority1\x170\x15\x06\x03U\x04\x03\x0c\x0eTrustCor ECA-10\x1e\x17\x0d160204123233Z\x17\x0d291231172807Z0\x81\x9c1\x0b0\x09\x06\x03U\x04\x06\x13\x02PA1\x0f0\x0d\x06\x03U\x04\x08\x0c\x06Panama1\x140\x12\x06\x03U\x04\x07\x0c\x0bPanama City1$0"\x06\x03U\x04\x0a\x0c\x1bTrustCor Systems S. de R.L.1'0%\x06\x03U\x04\x0b\x0c\x1eTrustCor Certificate Authority1\x170\x15\x06\x03U\x04\x03\x0c\x0eTrustCor ECA-10\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xcf\x8f\xe0\x11\xb5\x9f\xa8vv\xdb\xdf\x0fT\xefsc)\x82\xadG\xc6\xa3k\xed\xfe_3\xf8CQ\xe9\x1a3\x911\x17\xa0t\xc4\xd4\xa7\x01\xe6\xb2\x92>j\x9d\xed\x0e\xf9t\x98@\xd3?\x03\x80\x06\x82@\xe8\xb1\xe2\xa7Q\xa7\x1d\x83&k\xab\xde\xfa\x17\x91+\xd8\xc6\xac\x1e\xb1\x9e\x19\x01\xd5\x97\xa6\xea\x0d\xb7\xc4U\x1f'|\xd2\x08\xd5v\x1f)\x15\x87@9\xdd8E\x11u\xd0\x9a\xa74\xe0\xbf\xcd\xc8R\x1d\xb9G~\x0d\xb8\xbb\xc6\x0c\xf6sW\x16Z~C\x91\x1fU:\xc6mD\x04\xaa\x9c\xa9\x9c\xa7L\x89\x17\x83\xae\xa3\x04^R\x80\x8b\x1e\x12%\x11\x19\xd7\x0c}}1DA\xea\xdb\xaf\xb0\x1c\xef\x81\xd0,\xc5\x9a!\x9b=\xedB;P&\xf2\xec\xceqa\x06b!TN\x7f\xc1\x9d>\x7f 
\x8c\x80\xcb*\xd8\x97b\xc8\x833\x91}\xb0\xa2Z\x0fW\xe8;\xcc\xf2%\xb2\xd4|/\xecM\xc6\xa1:\x15z\xe7\xb6]5\xf5\xf6HJ6Ef\xd4\xba\x98X\xc1\x02\x03\x01\x00\x01\xa3c0a0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14D\x9eH\xf5\xccmH\xd4\xa0K\x7f\xfeY$/\x83\x97\x99\x9a\x860\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14D\x9eH\xf5\xccmH\xd4\xa0K\x7f\xfeY$/\x83\x97\x99\x9a\x860\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x860\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x05>5\\x15p\x9b\xc9\xc7saor+\xd4\xc2\x8f\xf2C]\x02\xce\xc4\x94\xb9\x94\x11\x83g]\xe2gluv\xbf\xbb\x0c\xaa6\xc6\xadG\x93c\xdc\x1e~\xd6\xde.\xfe\xe9\x1928\x03\x7f\x14\xf6\x00s,Y\xb1!\x06\xe1\xfb\xac\x18\x95\x0c\xa3\xff\x99\x96\xf7+'\x9b\xd5$\xcc\x1d\xdd\xc1:\xe0\x98D\xb0\xc4\xe4>w\xb1s\xa9d,\xf6\x1c\x01|?]E\x85\xc0\x85\xe7%\x8f\x95\xdc\x17\xf3<\x9f\x1an\xb0\xca\xe3\x1d*\xe9Lc\xfa$ab\xd6\xda~\xb6\x1cl\xf5\x02\x1d\xd4*\xddU\x90\xeb*\x11G<.^t\xb2\x82"\xa5}S\x1fE\xec'\x91}\xe7"\x16\xe8\xc0h6\xd8\xc6\xf1O\x80D2\xf9\xe1\xd1\xd1\x1d\xaa\xde\xa8\xab\x9c\x04\xaf\xad \x0ed\x98M\xa5k\xc0HX\x96iM\xdc\x07\x8cQ\x93\xa2\xdf\x9f\x0f=\x8b`\xb4\x82\x8d\xaa\x08NbE\xe0\xf9\x0b\xd2\xe0\xe0<[\xde\q'%\xc2\xe6\x03\x81\x8b\x10S\xe3\xc7U\xa2\xb4\x9f\xd7\xe6, CN=SSL.com Root Certification Authority RSA,O=SSL Corporation,L=Houston,ST=Texas,C=US = 0\x82\x05\xdd0\x82\x03\xc5\xa0\x03\x02\x01\x02\x02\x08{,\x9b\xd3\x16\x802\x990\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000|1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x0e0\x0c\x06\x03U\x04\x08\x0c\x05Texas1\x100\x0e\x06\x03U\x04\x07\x0c\x07Houston1\x180\x16\x06\x03U\x04\x0a\x0c\x0fSSL Corporation110/\x06\x03U\x04\x03\x0c(SSL.com Root Certification Authority RSA0\x1e\x17\x0d160212173939Z\x17\x0d410212173939Z0|1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x0e0\x0c\x06\x03U\x04\x08\x0c\x05Texas1\x100\x0e\x06\x03U\x04\x07\x0c\x07Houston1\x180\x16\x06\x03U\x04\x0a\x0c\x0fSSL Corporation110/\x06\x03U\x04\x03\x0c(SSL.com Root 
Certification Authority RSA0\x82\x02"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x02\x0f\x000\x82\x02\x0a\x02\x82\x02\x01\x00\xf9\x0f\xdd\xa3+}\xcb\xd0*\xfe\xecg\x85\xa6\xe7.\x1b\xbaw\xe1\xe3\xf5\xaf\xa4\xec\xfaJ]\x91\xc4WGk\x18wkv\xf2\xfd\x93\xe4=\x0f\xc2\x16\x9e\x0bf\xc3V\x94\x9e\x17\x83\x85\xceV\xef\xf2\x16\xfd\x00b\xf5"\x09T\xe8e\x17NA\xb9\xe0OF\x97\xaa\x1b\xc8\xb8nb^i\xb1_\xdb*\x02~\xfcl\xca\xf3A\xd8\xed\xd0\xe8\xfc?aH\xed\xb0\x03\x14\x1d\x10\x0eK\x19\xe0\xbbN\xec\x86e\xff6\xf3^g\x02\x0b\x9d\x86Ua\xfdz8\xed\xfe\xe2\x19\x00\xb7o\xa1Pbut<\xa0\xfa\xc8%\x92\xb4nz"\xc7\xf8\x1e\xa1\xe3\xb2\xdd\x911\xab+\x1d\x04\xff\xa5J\x047\xe9\x85\xa43+\xfd\xe2\xd6U4|\x19\xa4Jh\xc7\xb2\xa8\xd3\xb7\xca\xa1\x93\x88\xeb\xc1\x97\xbc\x8c\xf9\x1d\xd9"\x84$t\xc7\x04=j\xa9)\x93\xcc\xeb\xb8[\xe1\xfe_%\xaa4X\xc8\xc1#T\x9d\x1b\x98\x11\xc38\x9c~=\x86l\xa5\x0f@\x86|\x02\xf4\\x02O(\xcb\xaeq\x9f\x0f:\xc83\xfe\x11%5\xea\xfc\xba\xc5`=\xd9|\x18\xd5\xb2\xa9\xd3ux\x03r"\xca:\xc3\x1f\xef,\xe5.\xa9\xfa\x9e,\xb6QF\xfd\xaf\x03\xd6\xea`h\xea\x85\x166k\x85\xe9\x1e\xc0\xb3\xdd\xc4$\xdc\x80*\x81Am\x94>\xc8\xe0\xc9\x81A\x00\x9e^\xbf\x7f\xc5\x08\x98\xa2\x18,B@\xb3\xf9o8'KN\x80\xf4=\x81G\xe0\x88|\xea\x1c\xce\xb5u\Q.\x1c+\x7f\x1ar(\xe7\x00\xb5\xd1t\xc6\xd7\xe4\x9f\xad\x07\x93\xb6S55\xfc7\xe4\xc3\xf6]\x16\xbe!s\xde\x92\x0a\xf8\xa0cj\xbc\x96\x92j>\xf8\xbceU\x9b\xde\xf5\x0d\x89&\x04\xfc%\x1a\xa6%i\xcb\xc2m\xca|\xe2Y_\x97\xac\xeb\xef.\xc8\xbc\xd7\x1bY<+\xcc\xf2\x19\xc8\x93k'c\x19\xcf\xfc\xe9&\xf8\xcaq\x9b\x7f\x93\xfe4g\x84N\x99\xeb\xfc\xb3x\x093p\xbaf\xa6v\xed\x1bs\xeb\x1a\xa5\x0d\xc4"\x13 
\x94V\x0aN,lN\xb1\xfd\xcf\x9c\x09\xba\xa23\xed\x87\x02\x03\x01\x00\x01\xa3c0a0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xdd\x04\x09\x07\xa2\xf5z}RS\x12\x92\x95\xee8\x80%\x0d\xa6Y0\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xdd\x04\x09\x07\xa2\xf5z}RS\x12\x92\x95\xee8\x80%\x0d\xa6Y0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x860\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x02\x01\x00 \x18\x11\x94)\xfb&\x9d\x1c\x1e\x1epa\xf1\x95r\x93q$\xadh\x93X\x8e2\xaf\x1b\xb3p\x03\xfc%+t\x85\x90=xj\xf4\xb9\x8b\xa5\x97;\xb5\x18\x91\xbb\x1e\xa7\xf9@[\x91\xf9U\x99\xaf\x1e\x11\xd0\\x1d\xa7f\xe3\xb1\x94\x07\x0c29\xa6\xea\x1b\xb0y\xd8\x1d\x9cpD\xe3\x8a\xdd\xc4\xf9\x95\x1f\x8a8C?\x01\x85\xa5G\xa7=F\xb2\xbc\xe5"h\xf7{\x9c\xd8,>\x0a!\xc8-3\xac\xbf\xc5\x81\x991t\xc1uq\xc5\xbe\xb1\xf0#E\xf4\x9dk\xfc\x19c\x9d\xa3\xbc\x04\xc6\x18\x0b%\xbbS\x89\x0f\xb3\x80P\xdeE\xeeD\x7f\xab\x94xd\x98\xd3\xf6(\xdd\x87\xd8pet\xfb\x0e\xb9\x13\xeb\xa7\x0fa\xa92\x96\xcc\xde\xbb\xedcL\x18\xbb\xa9@\xf7\xa0Tn \x88qu\x18\xeaz\xb44r\xe0#'w\\xb6\x90\xea\x86%@\xab\xef3\x0f\xcb\x9f\x82\xbe\xa2 \xfb\xf6\xb5-\x1a\xe6\xc2\x85\xb1t\x0f\xfb\xc8e\x02\xa4R\x01G\xddI"\xc1\xbf\xd8\xebk\xac~\xde\xecc3\x15\xb7#\x08\x8f\xc6\x0f\x8dAZ\xdd\x8e\xc5\xb9\x8f\xe5E?x\xdb\xba\xd2\x1b@\xb1\xfeqM?\xe0\x81\xa2\xba^\xb4\xec\x15\xe0\x93\xdd\x08\x1f~\xe1U\x99\x0b!\xde\x93\x9e\x0a\xfb\xe6\xa3I\xbd60\xfe\xe7w\xb2\xa0u\x97\xb5-\x81\x88\x17e \xf7\xda\x90\x00\x9f\xc9R\xcc2\xca5|\xf5=\x0f\xd8+\xd7\xf5&l\xc9\x064\x96\x16\xeapY\x1a2yy\x0b\xb6\x88\x7f\x0fRH=\xbfl\xd8\xa2D.\xd1N\xb7rX\xd3\x89\x13\x95\xfeD\xab\xf8\xd7\x8b\x1bn\x9c\xbc,\xa0[\xd5j\x00\xaf_7\xe1\xd5\xfa\x10\x0b\x98\x9c\x86\xe7&\x8f\xce\xf0\xecn\x8aW\x0b\x80\xe3N\xb2\xc0\xa0ca\x90\xbaUh7tj\xb6\x92\xdb\x9f\xa1\x86"\xb6e'\x0e\xec\xb6\x9fB`\xe4g\xc2\xb5\xdaA\x0b\xc4\xd3\x8ba\x1b\xbc\xfa\x1f\x91+\xd7D\x07^\xba)\xac\xd9\xc5\xe9\xefSHZ\xeb\x80\xf1(X!\xcd\xb0\x06U\xfb'?S\x90p\xa9\x04\x1eW'\xb9, CN=SSL.com Root Certification 
Authority ECC,O=SSL Corporation,L=Houston,ST=Texas,C=US = 0\x82\x02\x8d0\x82\x02\x14\xa0\x03\x02\x01\x02\x02\x08u\xe6\xdf\xcb\xc1h[\xa80\x0a\x06\x08*\x86H\xce=\x04\x03\x020|1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x0e0\x0c\x06\x03U\x04\x08\x0c\x05Texas1\x100\x0e\x06\x03U\x04\x07\x0c\x07Houston1\x180\x16\x06\x03U\x04\x0a\x0c\x0fSSL Corporation110/\x06\x03U\x04\x03\x0c(SSL.com Root Certification Authority ECC0\x1e\x17\x0d160212181403Z\x17\x0d410212181403Z0|1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x0e0\x0c\x06\x03U\x04\x08\x0c\x05Texas1\x100\x0e\x06\x03U\x04\x07\x0c\x07Houston1\x180\x16\x06\x03U\x04\x0a\x0c\x0fSSL Corporation110/\x06\x03U\x04\x03\x0c(SSL.com Root Certification Authority ECC0v0\x10\x06\x07*\x86H\xce=\x02\x01\x06\x05+\x81\x04\x00"\x03b\x00\x04En\xa9P\xc4\xa6#6\x9e_(\x8d\x17\xcb\x96"d?\xdcz\x8e\x1d\xcc\x08\xb3\xa2q$\xba\x8eI\xb9\x04\x1bG\x96X\xab-\x95\xc8\xed\x9e\x085\xc8'\xeb\x89\x8cSX\xebb\x8a\xfe\xf0[\x0fk1RcA;\x89\xcd\xec\xec\xb6\x8d\x19\xd34\x07\xdc\xbb\xc6\x06\x7f\xc2E\x95\xec\xcb\x7f\xa8#\xe0\x09\xe9\x81\xfa\xf3G\xd3\xa3c0a0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x82\xd1\x85s0\xe75\x04\xd3\x8e\x02\x92\xfb\xe5\xa4\xd1\xc4!\xe8\xcd0\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\x82\xd1\x85s0\xe75\x04\xd3\x8e\x02\x92\xfb\xe5\xa4\xd1\xc4!\xe8\xcd0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x860\x0a\x06\x08*\x86H\xce=\x04\x03\x02\x03g\x000d\x020o\xe7\xebY\x11\xa4`\xcfa\xb0\x96{\xed\x05\xf9/\x13\x91\xdc\xed\xe5\xfcPk\x11FF\xb3\x1c!\x00b\xbb\xbe\xc3\xe7\xe8\xcd\x07\x99\xf9\x0d\x0b]r>\xc4\xaa\x020\x1f\xbc\xba\x0b\xe20$\xfb|m\x80U\x0a\x99>\x80\x0d3\xe5f\xa3\xb3\xa3\xbb\xa5\xd5\x8b\x8f\x09,\xa6]~\xe2\xf0\x07\x08hm\xd2|in_\xdf\xe5je, CN=SSL.com EV Root Certification Authority RSA R2,O=SSL Corporation,L=Houston,ST=Texas,C=US = 
0\x82\x05\xeb0\x82\x03\xd3\xa0\x03\x02\x01\x02\x02\x08V\xb6)\xcd4\xbcx\xf60\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000\x81\x821\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x0e0\x0c\x06\x03U\x04\x08\x0c\x05Texas1\x100\x0e\x06\x03U\x04\x07\x0c\x07Houston1\x180\x16\x06\x03U\x04\x0a\x0c\x0fSSL Corporation1705\x06\x03U\x04\x03\x0c.SSL.com EV Root Certification Authority RSA R20\x1e\x17\x0d170531181437Z\x17\x0d420530181437Z0\x81\x821\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x0e0\x0c\x06\x03U\x04\x08\x0c\x05Texas1\x100\x0e\x06\x03U\x04\x07\x0c\x07Houston1\x180\x16\x06\x03U\x04\x0a\x0c\x0fSSL Corporation1705\x06\x03U\x04\x03\x0c.SSL.com EV Root Certification Authority RSA R20\x82\x02"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x02\x0f\x000\x82\x02\x0a\x02\x82\x02\x01\x00\x8f6e@\xe1\xd6M\xc0\xd7\xb4\xe9F\xdak\xea3G\xcdL\xf9}}\xbe\xbd-=\xf0\xdbx\xe1\x86\xa5\xd9\xba\x09Wh\xedW>\xa0\xd0\x08A\x83\xe7(A$\x1f\xe3r\x15\xd0\x01\x1a\xfb^p#\xb2\xcb\x9f9\xe3\xcf\xc5N\xc6\x92m&\xc6{\xbb\xb3\xda'\x9d\x0a\x86\xe9\x817\x05\xfe\xf0qq\xec\xc3\x1c\xe9c\xa2\x17\x14\x9d\xef\x1bg\xd3\x85U\x02\x02\xd6I\xc9\xccZ\xe1\xb1\xf7o2\x9f\xc9\xd4;\x88A\xa8\x9c\xbd\xcb\xab\xdbm{\x09\x1f\xa2Lr\x90\xda+\x08\xfc\xcf<T\xceg\x0f\xa8\xcf]\x96\x19\x0b\xc4\xe3r\xeb\xad\xd1}\x1d'\xef\x92\xeb\x10\xbf[\xeb;\xaf\xcf\x80\xdd\xc1\xd2\x96\x04[z~\xa4\xa9<8v\xa4b\x8e\xa09^\xeaw\xcf]\x00Y\x8ff,>\x07\xa2\xa3\x05&\x11i\x97\xea\x85\xb7\x0f\x96\x0bK\xc8@\xe1P\xba.\x8a\xcb\xf7\x0f\x9a"\xe7\x7f\x9a7\x13\xcd\xf2M\x13k!\xd1\xc0\xcc"\xf2\xa1F\xf6Di\x9c\xcaa5\x07\x00o\xd6a\x08\x11\xea\xba\xb8\xf6\xe9\xb3`\xe5M\xb9\xec\x9f\x14f\xc9WX\xdb\xcd\x87i\xf8\x8a\x86\x12\x03G\xbff\x13v\xacw}4$\x85\x83\xcd\xd7\xaa\x9c\x90\x1a\x9f!,\x7fx\xb7d\xb8\xd8\xe8\xa6\xf4x\xb3U\xcb\x84\xd22\xc4x\xae\xa3\x8fa\xdd\xce\x08S\xad\xec\x88\xfc\x15\xe4\x9a\x0d\xe6\x9f\x1aw\xceL\x8f\xb8\x14\x15=b\x9c\x868\x06\x00f\x12\xe4YvZS\xc0\x02\x98\xa2\x10+hD{\x8ey\xce3Jv\xaa[\x81\x16\x1b\xb5\x8a\xd8\xd0\x00{^b\xb4\x09\xd6\x86c\x0e\xa6\x05\x95I\xba(\x8b\x88\x93\x
b24\x1c\xd8\xa4Un\xb7\x1c\xd0\xde\x99U;#\xf4"\xe0\xf9)f&\xec Pw\xdbJ\x0b\x8f\xbe\xe5\x02`pA^\xd4\xaeP9"\x14&\xcb\xb2;stUG\x07y\x819\xa80\x13D\xe5\x04\x8a\xae\x96\x13%B\x0f\xb9S\xc4\x9b\xfc\xcd\xe4\x1c\xde<\xfa\xab\xd6\x06J\x1fg\xa6\x980\x1c\xdd,\xdb\xdc\x18\x95Wf\xc6\xff\\x8bV\xf5w\x02\x03\x01\x00\x01\xa3c0a0\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xf9`\xbb\xd4\xe3\xd54\xf6\xb8\xf5\x06\x80%\xa7s\xdbFi\xa8\x9e0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xf9`\xbb\xd4\xe3\xd54\xf6\xb8\xf5\x06\x80%\xa7s\xdbFi\xa8\x9e0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x860\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x02\x01\x00V\xb3\x8e\xcb\x0a\x9dI\x8e\xbf\xa4\xc4\x91\xbbf\x17\x05Q\x98u\xfb\xe5P,z\x9e\xf1\x14\xfa\xab\xd3\x8a>\xff\x91)\x8fc\x8b\xd8\xb4\xa9T\x01\x0d\xbe\x93\x86/\xf9Jm\xc7^\xf5W\xf9\xcaU\x1c\x12\xbeG\x0f6\xc5\xdfj\xb7\xdbu\xc2G%\x7f\xb9\xf1c\xf8h-U\x04\xd1\xf2\x8d\xb0\xa4\xcf\xbc<^\x1fx\xe7\xa5\xa0 p\xb0\x04\xc5\xb7\xf7r\xa7\xde"\x0d\xbd3%F\x8cd\x92&\xe3>.c\x96\xda\x9b\x8c=\xf8\x18\x09\xd7\x03\xcc}\x86\x82\xe0\xca\x04\x07QP\xd7\xff\x92\xd5\x0c\xef\xda\x86\x9f\x99\xd7\xeb\xb7\xafh\xe29&\x94\xbah\xb7\xbf\x83\xd3\xeazg=bg\xae%\xe5r\xe8\xe2\xe4\xec\xae\x12\xf6K+<\x9f\xe9\xb0@\xf38T\xb3\xfd\xb7h\xc8\xda\xc6\x8fQ<\xb2\xfb\x91\xdc\x1c\xe7\x9b\x9d\xe1\xb7\x0dr\x8f\xe2\xa4\xc4\xa9x\xf9\xeb\x14\xac\xc6C\x05\xc2e9(\x18\x02\xc3\x82\xb2\x9d\x05\xbee\xed\x96_et<\xfb\x095.{\x9c\x13\xfd\x1b\x0f]\xc7m\x81:V\x0f\xcc;\xe1\xaf\x02/"\xacF\xcaF<\xa0\x1cL\xd6D\xb4^.\\x15f\x09\xe1&)\xfe\xc6Ra\xba\xb1s\xff\xc3\x0c\x9c\xe5lj\x94?\x14\xca@\x16\x95\x84\xf3Y\xa9\xac_La\x93m\xd1;\xcc\xa2\x95\x0c"\xa6ggD.\xb9\xd9\xd2\x8aA\xb3f\x0bZ\xfb}#\xa5\xf2\x1a\xb0\xff\xde\x9b\x83\x94.\xd1?\xdf\x92\xb7\x91\xaf\x05;e\xc7\xa0l\xb1\xcdb\x12\xc3\x90\x1b\xe3%\xce4\xbcowv\xb1\x10\xc3\xf7\x05\x1a\xc0\xd6\xaftbH\x17w\x92i\x90a\x1c\xde\x95\x80tT\x8f\x18\x1c\xc3\xf3\x03\xd0\xbf\xa4Cu\x86S\x18z\x0a.\x09\x1c6\x9f\x91\xfd\x82\x8a"K\xd1\x0eP%\x
dd\xcb\x03\x0c\x17\xc9\x83\x00\x08N5M\x8a\x8b\xed\xf0\x02\x94f,D\x7f\xcb\x95'\x96\x17\xad\x090\xac\xb6q\x17n\x8b\x17\xf6\x1c\x09\xd4-;\x98\xa5q\xd3T\x13\xd9`\xf3\xf5KfO\xfa\xf1\xee \x12\x8d\xb4\xacW\xb1Ec\xa1\xacv\xa9\xc2\xfb, CN=SSL.com EV Root Certification Authority ECC,O=SSL Corporation,L=Houston,ST=Texas,C=US = 0\x82\x02\x940\x82\x02\x1a\xa0\x03\x02\x01\x02\x02\x08,)\x9c[\x16\xed\x05\x950\x0a\x06\x08*\x86H\xce=\x04\x03\x020\x7f1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x0e0\x0c\x06\x03U\x04\x08\x0c\x05Texas1\x100\x0e\x06\x03U\x04\x07\x0c\x07Houston1\x180\x16\x06\x03U\x04\x0a\x0c\x0fSSL Corporation1402\x06\x03U\x04\x03\x0c+SSL.com EV Root Certification Authority ECC0\x1e\x17\x0d160212181523Z\x17\x0d410212181523Z0\x7f1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x0e0\x0c\x06\x03U\x04\x08\x0c\x05Texas1\x100\x0e\x06\x03U\x04\x07\x0c\x07Houston1\x180\x16\x06\x03U\x04\x0a\x0c\x0fSSL Corporation1402\x06\x03U\x04\x03\x0c+SSL.com EV Root Certification Authority ECC0v0\x10\x06\x07*\x86H\xce=\x02\x01\x06\x05+\x81\x04\x00"\x03b\x00\x04\xaa\x12G\x90\x98\x1b\xfb\xef\xc3@\x07\x83 N\xf10\x82\xa2\x06\xd1\xf2\x92\x86a\xf2\xf6!h\xca\x00\xc4\xc7\xeaC\x00T\x86\xdc\xfd\x1f\xdf\x00\xb8Ab\\xdcp\x162\xde\x1f\x99\xd4\xcc\xc5\x07\xc8\x08\x1fa\x16\x07Q=}\\x07S\xe358\x8c\xdf\xcd\x9f\xd9.\x0dJ\xb6\x19.ZpZ\x06\xed\xbe\xf0\xa1\xb0\xca\xd0\x09)\xa3c0a0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14[\xca^\xe5\xde\xd2\x81\xaa\xcd\xa8-dQ\xb6\xd9r\x9b\x97\xe6O0\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14[\xca^\xe5\xde\xd2\x81\xaa\xcd\xa8-dQ\xb6\xd9r\x9b\x97\xe6O0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x860\x0a\x06\x08*\x86H\xce=\x04\x03\x02\x03h\x000e\x021\x00\x8a\xe6@\x897\xeb\xe9\xd5\x13\xd9\xca\xd4k$\xf3\xb0=\x87FX\x1a\xec\xb1\xdfo\xfbV\xbapk\xc78\xcc\xe8\xb1\x8cO\x0f\xf7\xf1gv\x0e\x83\xd0\x1eQ\x8f\x020=\xf6#(&L\xc6`\x87\x93&\x9b\xb25\x1e\xba\xd6\xf7<\xd1\x1c\xce\xfa%<\xa6\x1a\x81\x15[\xf3\x12\x0fl\xeee\x8a\xc9\x87\xa8\xf9\x07\xe0b\x9a\x8c\J, 
A\x10\x87-\x0c\xd6\xc1\xaf4\x98\xcad\x83\xfb\x13W\xd1\xc1\xf0<z\x8c\xa5\xc1\xfd\x95!\xa0q\xc1\x93gq\x12\xea\x8f\x88\x0ai\x19d\x99#V\xfb\xac*.p\xbef\xc4\x0c\x84\xef\xe5\x8b\xf3\x93\x01\xf8j\x90\x93gK\xb2h\xa3\xb5b\x8f\xe9?\x8cz;^\x0f\xe7\x8c\xb8\xc6|\xef7\xfdt\xe2\xc8O3r\xe1\x949m\xbd\x12\xaf\xbe\x0cNp|\x1bo\x8d\xb32\x93sD\x16m\xe8\xf4\xf7\xe0\x95\x80\x8f\x96]8\xa4\xf4\xab\xde\x0a0\x87\x93\xd8M\x00qbE'K:B\x84[\x7fe\xb7g4R-\x9c\x16k\xaa\xa8\xd8{\xa3BLq\xc7\x0c\xca>\x83\xe4\xa6\xef\xb7\x010^Q\xa3y\xf5pi\xa6AD\x0f\x86\xb0,\x91\xc6=\xea\xae\x0f\x84, CN=e-Szigno Root CA 2017,organizationIdentifier=VATHU-23584497,O=Microsec Ltd.,L=Budapest,C=HU = 0\x82\x02@0\x82\x01\xe5\xa0\x03\x02\x01\x02\x02\x0c\x01TH\xef!\xfd\x97Y\x0d\xf5\x04\x0a0\x0a\x06\x08*\x86H\xce=\x04\x03\x020q1\x0b0\x09\x06\x03U\x04\x06\x13\x02HU1\x110\x0f\x06\x03U\x04\x07\x0c\x08Budapest1\x160\x14\x06\x03U\x04\x0a\x0c\x0dMicrosec Ltd.1\x170\x15\x06\x03U\x04a\x0c\x0eVATHU-235844971\x1e0\x1c\x06\x03U\x04\x03\x0c\x15e-Szigno Root CA 20170\x1e\x17\x0d170822120706Z\x17\x0d420822120706Z0q1\x0b0\x09\x06\x03U\x04\x06\x13\x02HU1\x110\x0f\x06\x03U\x04\x07\x0c\x08Budapest1\x160\x14\x06\x03U\x04\x0a\x0c\x0dMicrosec Ltd.1\x170\x15\x06\x03U\x04a\x0c\x0eVATHU-235844971\x1e0\x1c\x06\x03U\x04\x03\x0c\x15e-Szigno Root CA 
20170Y0\x13\x06\x07*\x86H\xce=\x02\x01\x06\x08*\x86H\xce=\x03\x01\x07\x03B\x00\x04\x96\xdc=\x8a\xd8\xb0{o\xc6'\xbeD\x90\xb1\xb3V\x15{\x8eC$}\x1a\x84Y\xeech\xb2\xc6^\x87\xd0\x15H\x1e\xa8\x90\xad\xbdS\xa2\xda\xde:\x90\xa6`_h2\xb5\x86A\xdf\x87[,{\xc5\xfe|z\xda\xa3c0a0\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x060\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x87\x11\x15\x08\xd1\xaa\xc1x\x0c\xb1\xaf\xce\xc6\xc9\x90\xef\xbf0\x04\xc00\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\x87\x11\x15\x08\xd1\xaa\xc1x\x0c\xb1\xaf\xce\xc6\xc9\x90\xef\xbf0\x04\xc00\x0a\x06\x08*\x86H\xce=\x04\x03\x02\x03I\x000F\x02!\x00\xb5W\xdd\xd7\x8aU\x0b6\xe1\x86D\xfa\xd4\xd9h\x8d\xb8\xdc#\x8a\x8a\x0d\xd4/}\xeas\xec\xbfMl\xa8\x02!\x00\xcb\xa5\xb4\x12\xfa\xe7\xb5\xe8\xcf~\x93\xfc\xf35\x8foNZ|\xb4\xbcN\xb2\xfcr\xaa[Y\xf9\xe7\xdc1, OU=certSIGN ROOT CA G2,O=CERTSIGN SA,C=RO = 0\x82\x05G0\x82\x03/\xa0\x03\x02\x01\x02\x02\x09\x11\x004\xb6N\xc66-60\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000A1\x0b0\x09\x06\x03U\x04\x06\x13\x02RO1\x140\x12\x06\x03U\x04\x0a\x13\x0bCERTSIGN SA1\x1c0\x1a\x06\x03U\x04\x0b\x13\x13certSIGN ROOT CA G20\x1e\x17\x0d170206092735Z\x17\x0d420206092735Z0A1\x0b0\x09\x06\x03U\x04\x06\x13\x02RO1\x140\x12\x06\x03U\x04\x0a\x13\x0bCERTSIGN SA1\x1c0\x1a\x06\x03U\x04\x0b\x13\x13certSIGN ROOT CA G20\x82\x02"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x02\x0f\x000\x82\x02\x0a\x02\x82\x02\x01\x00\xc0\xc5u\x19\x91}Dtt\x87\xfe\x0e;\x96\xdc\xd8\x01\x16\xcc\xeec\x91\xe7\x0bo\xce;\x0ai\x1a|\xc2\xe3\xaf\x82\x8e\x86\xd7^\x8fW\xeb\xd3!Y\xfd97B0\xbeP\xea\xb6\x0f\xa9\x88\xd8.-i!\xe7\xd17\x18N}\x91\xd5\x16_k[\x00\xc29C\x0d6\x85R\xb9Se\x0f\x1dB\xe5\x8f\xcf\x05\xd3\xee\xdc\x0c\x1a\xd9\xb8\x8bx"g\xe4i\xb0h\xc5<\xe4lZF\xe7\xcd\xc7\xfa\xef\xc4\xecK\xbdj\xa4\xac\xfd\xcc(Q\xef\x92\xb4)\xab\xab5\x9aL\xe4\xc4\x08\xc6&\xcc\xf8i\x9f\xe4\x9c\xf0)\xd3\\xf9\xc6\x16%\x9e#\xc3 
\xc1=\x0f?8@\xb0\xfe\x82D8\xaaZ\x1a\x8akcX8\xb4\x15\xd3\xb6\x11i{\x1eT\xee\x8c\x1a"\xacr\x97?#Y\x9b\xc9"\x84\xc1\x07O\xcc\x7f\xe2W\xca\x12p\xbb\xa6e\xf3iuc\xbd\x95\xfb\x1b\x97\xcd\xe4\xa8\xaf\xf6\xd1N\xa8\xd9\x8aq$\xcd6=\xbc\x96\xc4\xf1l\xa9\xae\xe5\xcf\x0dn(\x0d\xb0\x0e\xb5\xcaQ{x\x14\xc3 /\x7f\xfb\x14U\xe1\x11\x99\xfd\xd5\x0a\xa1\x9e\x02\xe3b_\xeb5K,\xb8r\xe8>=O\xac,\xbb.\x86\xe2\xa3v\x8f\xe5\x93*\xcf\xa5\xab\xc8\\x8dK\x06\xff\x12F\xacx\xcb\x14\x075\xe0\xa9\xdf\x8b\xe9\xaf\x15O\x16\x89[\xbd\xf6\x8d\xc6Y\xae\x88\x85\x0e\xc1\x89\xeb\x1fg\xc5E\x8e\xffm76+xf\x83\x91Q+=\xffQwvb\xa1\xecg>>\x81\x83\xe0V\xa9P\x1f\x1fz\x99\xabc\xbf\x84\x17w\xf1\x0d;\xdf\xf7\x9ca\xb35\x98\x8a:\xb2\xec<\x1a7?~\x8f\x92\xcf\xd9\x12\x14d\xda\x10\x02\x15A\xffO\xc4\xeb\x1c\xa3\xc9\xfa\x99\xf7F\xe9\xe1\x18\xd9\xb1\xb82-\xcb\x14\x0cP\xd8\x83e\x83\xee\xb9\\xcf\xcb\x05ZL\xfa\x19\x97k\xd6]\x13\xd3\xc2\T\xbc2s\xa0x\xf5\xf1m\x1e\xcb\x9f\xa5\xa6\x9f"\xdc\xd1Q\x9e\x82yd`)\x13>\xa3\xfdOrj\xab\xe2\xd4\xe5\xb8$U,DK\x8a\x88D\x9c\xca\x84\xd3*;\x02\x03\x01\x00\x01\xa3B0@0\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x060\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x82!-f\xc6\xd7\xa0\xe0\x15\xeb\xceL\x09w\xc4`\x9eTn\x030\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x02\x01\x00`\xde\x1a\xb8\xe7\xf2`\x82\xd5\x033\x81\xcb\x06\x8a\xf1"I\xe9\xe8\xea\x91\x7f\xc63^h\x19\x03\x86;C\x01\xcf\x07p\xe4\x08\x1ee\x85\x91\xe6\x11"\xb7\xf5\x02#\x8e\xae\xb9\x1e}\x1f~l\xe6\xbd%\xd5\x95\x1a\xf2\x05\xa6\xaf\x85\x02o\xae\xf8\xd61\xff%\xc9J\xc8\xc7\x8a\xa9\xd9\x9fKI\x9b\x11W\x99\x92C\x11\xde\xb63\xa4\xcc\xd7\x8dd}\xd4\xcd<(,\xb4\x9a\x96\xeaM\xf5\xc4D\xc4%\xaa \x80\xd8)U\xf7\xe0A\xfc\x06&\xff\xb96\xf5C\x14\x03fx\xe1\x11\xb1\xda 
_F\x00x\x00!\xa5\x1e\x00(axo\xa8\x01\x01\x8f\x9d4\x9a\xff\xf48\x90\xfb\xb8\xd1\xb3r\x06\xc9q\xe6\x81\xc5y\xed\x0b\xa6y\xf2\x13\x0b\x9c\xf7]\x0e{$\x93\xb4H\xdb\x86_\xdeP\x86x\xe7@\xe61\xa8\x90vpa\xaf\x9c7,\x11\xb5\x82\xb7\xaa\xae$4[r\x0ci\x0d\xcdY\x9f\xf6q\xaf\x9c\x0b\xd1\x0a8\xf9\x06"\x83S%\x0c\xfcQ\xc4\xe6\xbe\xe29\x95\x0b$\xad\xaf\xd1\x95\xe4\x96\xd7tdkqN\x02<\xaa\x85\xf3 \xa3C9v[lP\xfe\x9a\x9c\x14\x1ee\x14\x8a\x15\xbd\xa3\x82EZIVj\xd2\x9c\xb1c2\xe5a\xe0S"\x0e\xa7\x0aI\xea\xcb~\x1f\xa8\xe2b\x80\xf6\x10ER\x98\x06\x18\xde\xa5\xcd/\x7f\xaa\xd4\xe9>\x08r\xec#\x03\x02<\xa6\xaa\xd8\xbcgt=\x14\x17\xfbTK\x17\xe3\xd3y=mkI\xc9(\x0e.tP\xbf\x0c\xd9F:\x10\x86\xc9\xa7?\xe9\xa0\xec\x7f\xeb\xa5wXiq\xe6\x83\x0a7\xf2\x86Ij\xbey\x08\x90\xf6\x02\x16d>\xe5\xdaL~\x0c4\xc9\xf9_\xb6\xb3(Q\xa7\xa7+\xaaI\xfa\x8de)N\xe3k\x13\xa7\x94\xa3-Qmx\x0cD\xcb\xdf\xde\x08o\xce\xa3d\xab\xd3\x95\x84\xd4\xb9RTr{\x96%\xcc\xbci\xe3Hn\x0d\xd0\xc7\x9d'\x9a\xaa\xf8\x13\x92\xdd\x1e\xdfc\x9f5\xa9\x166\xec\x8c\xb8\x83\xf4=\x89\x8f\xcd\xb4\x17^\xd7\xb3\x17A\x10]'s`\x85WI"\x07, CN=Trustwave Global Certification Authority,O=Trustwave Holdings, Inc.,L=Chicago,ST=Illinois,C=US = 0\x82\x05\xda0\x82\x03\xc2\xa0\x03\x02\x01\x02\x02\x0c\x05\xf7\x0e\x86\xdaI\xf3F5.\xba\xb20\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000\x81\x881\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x110\x0f\x06\x03U\x04\x08\x0c\x08Illinois1\x100\x0e\x06\x03U\x04\x07\x0c\x07Chicago1!0\x1f\x06\x03U\x04\x0a\x0c\x18Trustwave Holdings, Inc.110/\x06\x03U\x04\x03\x0c(Trustwave Global Certification Authority0\x1e\x17\x0d170823193412Z\x17\x0d420823193412Z0\x81\x881\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x110\x0f\x06\x03U\x04\x08\x0c\x08Illinois1\x100\x0e\x06\x03U\x04\x07\x0c\x07Chicago1!0\x1f\x06\x03U\x04\x0a\x0c\x18Trustwave Holdings, Inc.110/\x06\x03U\x04\x03\x0c(Trustwave Global Certification 
Authority0\x82\x02"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x02\x0f\x000\x82\x02\x0a\x02\x82\x02\x01\x00\xb9]Q(K<7\x92\xd1\x82\xce\xbd\x1d\xbd\xcd\xdd\xb8\xab\xcf\x0a>\xe1]\xe5\xdc\xaa\x09\xb9W\x02>\xe6ca\xdf\xf2\x0f\x82c\xae\xa3\xf7\xacs\xd1|\xe7\xb3\x0b\xaf\x08\x00\x09Y\x7f\xcd)*\x88\x93\x87\x17\x18\x80\xed\x88\xb2\xb4\xb6\x10\x1f-\xd6_U\xa2\x13]\xd1\xc6\xeb\x06V\x89\x88\xfe\xac2\x9d\xfd\\xc3\x05\xc7n\xee\x86\x89\xba\x88\x03\x9dr!\x86\x90\xae\x8f\x03\xa5\xdc\x9f\x88(\xcb\xa3\x92I\x0f\xec\xd0\x0f\xe2mDO\x80j\xb2\xd4\xe7\xa0\x0aS\x01\xba\x8e\x97\x91vn\xbc\xfc\xd5k6\xe6@\x88\xd6{/_\x05\xe8,m\x11\xf3\xe7\xb2\xbe\x92DL\xd2\x97\xa4\xfe\xd2r\x81C\x07\x9c\xe9\x11>\xf5\x8b\x1aY}\x1fhX\xdd\x04\x00,\x96\xf3C\xb3~\x98\x19t\xd9\x9cs\xd9\x18\xbeA\xc74y\xd9\xf4b\xc2C\xb9\xb3'\xb0"\xcb\xf9=R\xc70G\xb3\xc9>\xb8j\xe2\xe7\xe8\x81p^B\x8bO&\xa5\xfe:\xc2 n\xbb\xf8\x16\x8e\xcd\x0c\xa9\xb4\x1blv\x10\xe1XyF>T\xce\x80\xa8W\x097)\x1b\x99\x13\x8f\x0c\xc8\xd6,\x1c\xfb\x05\xe8\x08\x95=eF\xdc\xee\xcdi\xe2M\x8f\x87(N4\x0b>\xcf\x14\xd9\xbb\xdd\xb6P\x9a\xadw\xd4\x19\xd6\xda\x1a\x88\xc8N\x1b'u\xd8\xb2\x08\xf1\xae\x830\xb9\x11\x0e\xcd\x87\xf0\x84\x8d\x15r|\xa1\xef\xcc\xf2\x88a\xba\xf4i\xbb\x0c\x8c\x0buW\x04\xb8N*\x14.=\x0f\x1c\x1e2\xa6b6\xeef\xe2"\xb8\x05@c\x10"\xf33\x1dtr\x8a,\xf59)\xa0\xd3\xe7\x1b\x80\x84-\xc5=\xe3M\xb1\xfd\x1ao\xbae\x07;X\xecBE&\xfb\xd8\xda%r\xc4\xf6\x00\xb1"y\xbd\xe3|YbJ\x9c\x05o=\xce\xe6\xd6Gc\x99\xc6$or\x12\xc8\xac\x7f\x90\xb4\x0b\x91p\xe8\xb7\xe6\x16\x10q\x17\xce\xde\x06OHA}5J\xa3\x89\xf2\xc9K{A\x11mg\xb7\x08\x98L\xe5\x11\x19\xaeB\x80\xdc\xfb\x90\x05\xd4\xf8P\xca\xbe\xe4\xad\xc7\xc2\x94\xd7\x16\x9d\xe6\x17\x8f\xaf6\xfb\x02\x03\x01\x00\x01\xa3B0@0\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x99\xe0\x19g\x0db\xdbv\xb3\xda=\xb8[\xe8\xfdB\xd21\x0e\x870\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x060\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x02\x01\x00\x98sp\xe2\xb0\xd3\xed9\xecL`\xd9
\xa9\x12\x86\x17\x1e\x96\xd0\xe8T(;d-!\xa6\xf8\x9dV\x13jH=O\xc7>)\xdbmX\x83T=\x87}#\x05\xd4\xe4\x1c\xdc\xe88e\x86\xc5u\xa7Z\xdb5\x05\xbdw\xde\xbb)7@\x05\x07\xc3\x94R\x9f\xcad\xdd\xf1\x1b+\xdcF\x0a\x10\x021\xfdJh\x0d\x07d\x90\xe6\x1e\xf5*\xa1\xa8\xbb<]\xf9\xa3\x08\x0b\x11\x0c\xf1?-\x10\x94o\xfe\xe24\x87\x83\xd6\xcf\xe5\x1b5m\xd2\x03\xe1\xb0\x0d\xa8\xa0\xaaF'\x826\xa7\x15\xb6\x08\xa6BTW\xb6\x99Z\xe2\x0by\x90\xd7W\x12Q5\x19\x88Ah%\xd47\x17\x84\x15\xfb\x01r\xdc\x95\xdeR& \x98&\xe2v\xf5'o\xfa\x00;Ja\xd9\x0d\xcbQ\x93*\xfd\x16\x06\x96\xa7#\x9a#H\xfeQ\xbd\xb6\xc4\xb0\xb1T\xce\xdelA\xad\x16g~\xdb\xfd8\xcd\xb98N\xb2\xc1`\xcb\x9d\x17\xdfX\x9ezb\xb2&\x8ft\x95\x9b\xe4[\x1d\xd2\x0f\xdd\x98\x1c\x9bY\xb9#\xd31\xa0\xa6\xff8\xdd\xcf O\xe9XV:g\xc3\xd1\xf6\x99\x99\x9d\xba6\xb6\x80/\x88GO\x86\xbfD:\x80\xe47\x1c\xa6\xba\xea\x97\x98\x11\xd0\x84bGd\x1e\xaa\xee@\xbf4\xb1\x9c\x8fN\xe1\xf2\x92O\x1f\x8e\xf3\x9e\x97\xde\xf3\xa6yj\x89qOK'\x17H\xfe\xec\xf4P\x0fOI}\xccE\xe3\xbdz@\xc5A\xdcaV'\x06i\xe5rA\x81\xd3\xb6\x01\x89\xa0/:ry\xfe:0\xbfA\xec\xc7b>\x91K\xc7\xd91vB\xf9\xf7<c\xec&\x8cs\x0c}\x1a\x1d\xea\xa8|\x87\xa8\xc2'|\xe13A\x0f\xcf\xcf\xfc\x00\xa0"\x80\x9eJ\xa7o\x00\xb0AE\xb7"\xcahH\xc5B\xa2\xae\xdd\x1d\xf2\xe0nN\x05X\xb1\xc0\x90\x16*\xa4=\x10@\xbe\x8fbc\x83\xa9\x9c\x82}-\x02\xe9\x830|\xcb'\xc9\xfd\x1ef\x00\xb0.\xd3!/\x8e3\x16l\x98\xed\x10\xa8\x07\xd6\xcc\x93\xcf\xdb\xd1i\x1c\xe4\xca\xc9\xe0\xb6\x9c\xe9\xceqq\xdel?\x16\xa4y, CN=Trustwave Global ECC P256 Certification Authority,O=Trustwave Holdings, Inc.,L=Chicago,ST=Illinois,C=US = 0\x82\x02`0\x82\x02\x07\xa0\x03\x02\x01\x02\x02\x0c\x0dj_\x08?(\>Q\x95\xdf]0\x0a\x06\x08*\x86H\xce=\x04\x03\x020\x81\x911\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x110\x0f\x06\x03U\x04\x08\x13\x08Illinois1\x100\x0e\x06\x03U\x04\x07\x13\x07Chicago1!0\x1f\x06\x03U\x04\x0a\x13\x18Trustwave Holdings, Inc.1:08\x06\x03U\x04\x03\x131Trustwave Global ECC P256 Certification 
Authority0\x1e\x17\x0d170823193510Z\x17\x0d420823193510Z0\x81\x911\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x110\x0f\x06\x03U\x04\x08\x13\x08Illinois1\x100\x0e\x06\x03U\x04\x07\x13\x07Chicago1!0\x1f\x06\x03U\x04\x0a\x13\x18Trustwave Holdings, Inc.1:08\x06\x03U\x04\x03\x131Trustwave Global ECC P256 Certification Authority0Y0\x13\x06\x07*\x86H\xce=\x02\x01\x06\x08*\x86H\xce=\x03\x01\x07\x03B\x00\x04~\xfbl\xe6#\xe3s2\x08\xca`\xe6S\x9c\xbat\x8d\x18\xb0x\x90R\x80\xdd8\xc0J\x1d\xd1\xa8\xcc\x93\xa4\x97\x068\xca\x0d\x15b\xc6\x8e\x01*e\x9d\xaa\xdf4\x91.\x81\xc1\xe43\x921\xc4\xfd\x09:\xa6?\xad\xa3C0A0\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x0f\x06\x03U\x1d\x0f\x01\x01\xff\x04\x05\x03\x03\x07\x06\x000\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xa3A\x06\xac\x90m\xd1J\xebu\xa5J\x10\x99\xb3\xb1\xa1\x8bJ\xf70\x0a\x06\x08*\x86H\xce=\x04\x03\x02\x03G\x000D\x02 \x07\xe6T\xda\x0e\xa0Z\xb2\xae\x11\x9f\x87\xc5\xb6\xffi\xde%\xbe\xf8\xa0\xb7\x08\xf3D\xce*\xdf\x08!\x0c7\x02 -&\x03\xa0\x05\xbdk\xd1\xf6\\xf8e\xcc\x86m\xb3\x9c4Hc\x84\x09\xc5\x8dw\x1a\xe2\xcc\x9c\xe1t{, CN=Trustwave Global ECC P384 Certification Authority,O=Trustwave Holdings, Inc.,L=Chicago,ST=Illinois,C=US = 0\x82\x02\x9d0\x82\x02$\xa0\x03\x02\x01\x02\x02\x0c\x08\xbd\x85\x97l\x99'\xa4\x80hG;0\x0a\x06\x08*\x86H\xce=\x04\x03\x030\x81\x911\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x110\x0f\x06\x03U\x04\x08\x13\x08Illinois1\x100\x0e\x06\x03U\x04\x07\x13\x07Chicago1!0\x1f\x06\x03U\x04\x0a\x13\x18Trustwave Holdings, Inc.1:08\x06\x03U\x04\x03\x131Trustwave Global ECC P384 Certification Authority0\x1e\x17\x0d170823193643Z\x17\x0d420823193643Z0\x81\x911\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x110\x0f\x06\x03U\x04\x08\x13\x08Illinois1\x100\x0e\x06\x03U\x04\x07\x13\x07Chicago1!0\x1f\x06\x03U\x04\x0a\x13\x18Trustwave Holdings, Inc.1:08\x06\x03U\x04\x03\x131Trustwave Global ECC P384 Certification 
Authority0v0\x10\x06\x07*\x86H\xce=\x02\x01\x06\x05+\x81\x04\x00"\x03b\x00\x04k\xda\x0du5\x081G\x05\xaeE\x99U\xf1\x11\x13.J\xf8\x101#\xa3~\x83\xd3\x7f(\x08:&\x1a:\xcf\x97\x82\x1f\x80\xb7'\x09\x8f\xd1\x8e0\xc4\x0a\x9b\x0e\xacX\x04\xab\xf76}\x94#\xa4\x9b\x0a\x8a\x8b\xab\xeb\xfd9%f\xf1^\xfe\x8c\xae\x8dAy\x9d\x09`\xce(\xa9\xd3\x8am\xf3\xd6E\xd4\xf2\x98\x848e\xa0\xa3C0A0\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x0f\x06\x03U\x1d\x0f\x01\x01\xff\x04\x05\x03\x03\x07\x06\x000\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14U\xa9\x84\x89\xd2\xc12\xbd\x18\xcbl\xa6\x07N\xc8\xe7\x9d\xbe\x82\x900\x0a\x06\x08*\x86H\xce=\x04\x03\x03\x03g\x000d\x0207\x01\x92\x97E\x12~\xa0\xf3>\xad\x19:r\xdd\xf4P\x93\x03\x12\xbeD\xd2OA\xa4\x8c\x9c\x9d\x1f\xa3\xf6\xc2\x92\xe7H\x14\xfeN\x9b\xa5\x91W\xae\xc67r\xbb\x020g%\x0a\xb1\x0c^\xee\xa9c\x92o\xe5\x90\x0b\xfef"\xcaG\xfd\x8a1\xf7\x83\xfez\xbf\x10\xbe\x18+\x1e\x8f\xf6)\x1e\x94Y\xef\x8e!7\xcbQ\x98\xa5nK, CN=NAVER Global Root Certification Authority,O=NAVER BUSINESS PLATFORM Corp.,C=KR = 0\x82\x05\xa20\x82\x03\x8a\xa0\x03\x02\x01\x02\x02\x14\x01\x940\x1e\xa2\x0b\xdd\xf5\xc53*\xb1CDq\xf8\xd6PM\x0d0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0c\x05\x000i1\x0b0\x09\x06\x03U\x04\x06\x13\x02KR1&0$\x06\x03U\x04\x0a\x0c\x1dNAVER BUSINESS PLATFORM Corp.1200\x06\x03U\x04\x03\x0c)NAVER Global Root Certification Authority0\x1e\x17\x0d170818085842Z\x17\x0d370818235959Z0i1\x0b0\x09\x06\x03U\x04\x06\x13\x02KR1&0$\x06\x03U\x04\x0a\x0c\x1dNAVER BUSINESS PLATFORM Corp.1200\x06\x03U\x04\x03\x0c)NAVER Global Root Certification 
Authority0\x82\x02"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x02\x0f\x000\x82\x02\x0a\x02\x82\x02\x01\x00\xb6\xd4\xf1\x93\\xb5@\x89\x0a\xab\x0d\x90[Pc\xae\x90\x94t\x17Er\xd6{eZ)K\xa7V\xa0K\xb8/Bu\xe9\xd9{$Z1e\xab\x17\x17\xd13:\xd9\x11\xdc@6\x87\xdf\xc7j\xe9&^Y\x8aw\xe3\xe8H\x9c1\x16\xfa>\x91\xb1\xca\xc9\xa3\xe2\x9f\xce!S\xa3\x0260\xcbR\x02\xe5\xda2]\xc3\xc5\xe6\xf9\xee\x11\xc7\x8b\xc9D\x1e\x84\x93\x18J\xb4\x9f\xe5\x12di\xd0&\x85b\x01\xb6\xc9\x02\x1d\xbe\x83Q\xbb\\xda\xf8\xad\x15j\x99\xf7\x92T\xf74[\xe9\xbf\xea)\x81\x12\xd4S\x91\x96\xb3\x91Z\xdd\xfe\x90s(\xfb0F\xb5\xca\x08\x07\xc7qr\xc9f\xd34\x97\xf6\x8c\xf4\x18J\xe1\xd0=ZE\xb6i\xa7)\xfb#\xce\x88\xd8\x12\x9c\x00H\xa8\xa6\x0f\xb3;\x92\x8dq\x0et\xc5\x8b\xc8L\xf9\xf4\x9b\x8e\xb8<i\xedo;P/X\xed\xc4\xb0\xd0\x1c\x1bj\x0c\xe2\xbcD\xaa\xd8\xcd\x14]\x94xa\xbf\x0en\xda*\xbc/\x0c\x0bq\xa6\xb3\x16?\x9c\xe6\xf9\xcc\x9fS5\xe2\x03\xa0\xa0\x18\xbf\xbb\xf1\xbe\xf4\xd6\x8c\x87\x0dB\xf7\x06\xb9\xf1m\xed\x04\x94\xa8\xfe\xb6\xd3\x06\xc6@a\xdf\x9d\x9d\xf3Tv\xceS:\x01\xa6\x92A\xec\x04\xa3\x8f\x0d\xa2\xd5\x09\xca\xd6\xcb\x9a\xf1\xefC]\xc0\xab\xa5A\xcf\Spp\xc9\x88\xa6-\xd4kasP&\x86a\x0e_\x1b\xc2+\xe2\x8c\xd5\xbb\x9d\xc1\x03B\xba\x94\xda_\xa9\xb0\xca\xccM\x0a\xefGi\x03/"\xfb\xf1(\xce\xbf]Pe\xa8\x90m\xb3t\xb0\x08\xc7\xac\xa8\xd1\xeb>\x9c\xfc]\x1a\x83.+\xcb\xb5\xf3D\x9d:\xa7\x17a\x96\xa2q\xd3p\x96\x15M\xb7Ls\xee\x19\\xc5[>A\xfe\xacu`;\x1bc\xce\x00\xdd\xda\x08\x90b\xb4\xe5-\xeeH\xa7k\x17\x99T\xbe\x87J\xe3\xa9^\x04L\xeb\x10mT\xd6\xef\xf1\xe8\xf2b\x16\xcb\x80k\xed=\xed\xf5\x1f0\xa5\xaeK\xc9\x13\xed\x8a\x01\x01\xc9\xb8QX\xc0f:\xb1fK\xc4\xd51\x02b\xe9t\x84\x0c\xdbMF-\x02\x03\x01\x00\x01\xa3B0@0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd2\x9f\x88\xdf\xa1\xcd,\xbd\xec\xf5;\x01\x01\x933'\xb2\xeb`K0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x060\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0c\x05\x00\x03\x82\x02\x01\x002\xca\x80\xb3\x9d=T\x06\xdd\xd2\xd2.\xf0\xa4\x01!\x0bgH\x
cam\x8e\xe0\xc8\xaa\x0d\xaa\x8d!W\x8f\xc6>z\xca\xdbQ\xd4R\xb3\xd4\x96\x84\xa5X`\x7f\xe5\x0b\x8e\x1f\xf5\xdc\x0a\x15\x81\xe5;\xb6\xb7"/\x09\x9c\x13\x16\xb1l\x0c5\x08m\xabcr\xed\xdc\xbe\xec\xc7W\xe60 q\xd6\xd7\x10\xc1\x13U\x01\x8c*C\xe4A\xf1\xcf:zS\x92\xce\xa2\x03\x05\x0d8\xdf\x02\xbb\x10.\xd9;\xd2\x9bz\xc0\xa1\xa6\xf8\xb51\xe6\xf4u\xc9\xb9S\x99uG"Z\x14\x15\xc7x\x1b\xb6\x9d\xe9\x0c\xf8\x1bv\xf1\x85\x84\xde\xa1\xda\x12\xef\xa4\xe2\x10\x97zx\xde\x0cQ\x97\xa8!@\x8b\x86\xbd\x0d\xf0^NK6\xbb; \x1f\x8aBV\xe1\x0b\x1a\xbf{\xd0"C,D\x8c\xfb\xe5*\xb4l\x1c\x1c\xba\x94\xe0\x13~!\xe6\x9a\xc2\xcb\xc5Bd\xb4\x1e\x94{\x08%\xc8q\xcc\x87EW\x85\xd3\x9f)b"\x83Q\x97\x00\x18\x97wj\x98\x92\xc9|`l\xdfl}J\xe4pL\xc2\x9e\xb8\x1d\xf7\xd04\xc7\x0f\xcc\xfb\xa7\xff\x03\xbe\xadp\x90\xda\x0b\xdd\xc8m\x97_\x9a\x7f\x092A\xfd\xcd\xa2\xccZmL\xf2\xaaI\xfef\xf8\xe9\xd85\xeb\x0e(\x1e\xeeH/:\xd0y\x098|\xa6"\x82\x93\x95\xd0\x03\xbe\xbe\x02\xa0\x05\xdd "\xe3o\x1d\x884`\xc6\xe6\x0a\xb9\x09u\x0b\xf0\x07\xe8i\x965\xc7\xfb#\x81\x8e89\xb8E+Cx\xa2\xd1,\x14\xff\x0d(rr\x95\x9b^\x09\xdb\x89D\x98\xaa\xa1I\xbbqR\xf2\xbf\xf6\xff'\xa16\xaf\xb8\xb6w\x88\xdd:\xa4m\x9b4\x90\xdc\x14]0\xbf\xb7\xeb\x17\xe4\x87\xb7q\xd0\xa1\xd7w\x15\xd4B\xd7\xf2\xf31\x99]\x9b\xdd\x16m?\xea\x06#\xf8F\xa2"\xed\x93\xf6\xdd\x9a\xe6*\x87\xb1\x98T\xf1"\xf7kE\xe3\xe2\x8ev\x1d\x9a\x8d\xc4\x06\x8d6\xb7\x14\xf3\x9dTi\xb7\x8e<\xd5\xa4m\x93\x81\xb7\xad\xf6\xbdd{\xc2\xc9h9\xa0\x92\x9c\xcd4\x86\x91\x90\xfadQ\x9d\xfe\xfe\xeb\xa5\xf5u\xde\x89\xf7r, CN=AC RAIZ FNMT-RCM SERVIDORES SEGUROS,organizationIdentifier=VATES-Q2826004J,OU=Ceres,O=FNMT-RCM,C=ES = 0\x82\x02n0\x82\x01\xf3\xa0\x03\x02\x01\x02\x02\x10b\xf62l\xe5\xc4\xe3h\\x1bb\xdd\x9c.\x9d\x950\x0a\x06\x08*\x86H\xce=\x04\x03\x030x1\x0b0\x09\x06\x03U\x04\x06\x13\x02ES1\x110\x0f\x06\x03U\x04\x0a\x0c\x08FNMT-RCM1\x0e0\x0c\x06\x03U\x04\x0b\x0c\x05Ceres1\x180\x16\x06\x03U\x04a\x0c\x0fVATES-Q2826004J1,0*\x06\x03U\x04\x03\x0c#AC RAIZ FNMT-RCM SERVIDORES 
SEGUROS0\x1e\x17\x0d181220093733Z\x17\x0d431220093733Z0x1\x0b0\x09\x06\x03U\x04\x06\x13\x02ES1\x110\x0f\x06\x03U\x04\x0a\x0c\x08FNMT-RCM1\x0e0\x0c\x06\x03U\x04\x0b\x0c\x05Ceres1\x180\x16\x06\x03U\x04a\x0c\x0fVATES-Q2826004J1,0*\x06\x03U\x04\x03\x0c#AC RAIZ FNMT-RCM SERVIDORES SEGUROS0v0\x10\x06\x07*\x86H\xce=\x02\x01\x06\x05+\x81\x04\x00"\x03b\x00\x04\xf6\xbaWS\xc8\xca\xab\xdf6JR!\xe4\x97\xd2\x83g\x9e\xf0eQ\xd0^\x87\xc7G\xb1Y\xf2WG\x9b\x00\x02\x93D\x17i\xdbB\xc7\xb1\xb2:\x18\x0e\xb4]\x8c\xb3f]\xa14\xf96,I\xdb\xf3F\xfc\xb3DiD\x13f\xfd\xd7\xc5\xfd\xaf6M\xce\x03M\x07q\xcf\xafj\x05\xd2\xa2CZ\x0aRo\x01\x03N\x8e\x8b\xa3B0@0\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x060\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x01\xb9/\xef\xbf\x11\x86`\xf2O\xd0An\xabs\x1f\xe7\xd2nI0\x0a\x06\x08*\x86H\xce=\x04\x03\x03\x03i\x000f\x021\x00\xaeJ\xe3+@\xc3t\x11\xf2\x95\xad\x16#\xdeN\x0c\x1a\xe6]\xa5$^kD{\xfc8\xe2O\xcb\x9cE\x17\x11L\x14'&U9uJ\x03\xcc\x13\x90\x9f\x92\x021\x00\xfaJl`\x88s\xf3\xee\xb8\x98b\xa9\xce+\xc2\xd9\x8a\xa6p1\x1d\xaf\xb0\x94L\xebO\xc6\xe3\xd1\xf3b\xa7<\xff\x93.\x07\I\x01gi\x12\x02r\xbf\xe7, CN=GlobalSign Root R46,O=GlobalSign nv-sa,C=BE = 0\x82\x05Z0\x82\x03B\xa0\x03\x02\x01\x02\x02\x12\x11\xd2\xbb\xb9\xd7#\x18\x9e@_\x0a\x9d-\xd0\xdf%g\xd10\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0c\x05\x000F1\x0b0\x09\x06\x03U\x04\x06\x13\x02BE1\x190\x17\x06\x03U\x04\x0a\x13\x10GlobalSign nv-sa1\x1c0\x1a\x06\x03U\x04\x03\x13\x13GlobalSign Root R460\x1e\x17\x0d190320000000Z\x17\x0d460320000000Z0F1\x0b0\x09\x06\x03U\x04\x06\x13\x02BE1\x190\x17\x06\x03U\x04\x0a\x13\x10GlobalSign nv-sa1\x1c0\x1a\x06\x03U\x04\x03\x13\x13GlobalSign Root 
R460\x82\x02"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x02\x0f\x000\x82\x02\x0a\x02\x82\x02\x01\x00\xac\xact2\xe8\xb3e\xe5\xba\xedC&\x1d\xa6\x89\x0dE\xba)\x88\xb2\xa4\x1dc\xdd\xd3\xc1,\x09W\x899\xa1U\xe9g4w\x0cn\xe4U\x1dR%\xd2\x13k^\xe1\x1d\xa9\xb7}\x892_\x0d\x9e\x9f,zc`@\x1f\xa6\xb0\xb6x\x8f\x99T\x96\x08X\xae\xe4\x06\xbcb\x05\x02\x16\xbf\xaf\xa8#\x03\xb6\x94\x0f\xbcnl\xc2\xcb\xd5\xa6\xbb\x0c\xe9\xf6\xc1\x02\xfb!\xdef\xdd\x17\xabtB\xef\xf0t/%\xf4\xeakU[\x90\xdb\x9d\xdf^\x87\x0a@\xfb\xad\x19k\xfb\xf7\xca`\x88\xde\xda\xc1\x8f\xd6\xae\xd5\x7f\xd4<\x83\xee\xd7\x16L\x83E3k'\xd0\x86\xd0\x1c-k\xf3\xab}\xf1\x85\xa9\xf5(\xd2\xad\xef\xf3\x84K\x1c\x87\xfc\x13\xa3:r\xa2Z\x11+\xd6'q'\xed\x81-mf\x81\x92\x87\xb4\x1bXz\xcc?\x0a\xfaFOMx\\xf8+H\xe3\x04\x84\xcb]\xf6\xb4j\xb3e\xfcB\x9eQ&# \xcb=\x14\xf9\x81\xede\x16\x00O\x1ad\x97f\x08\xcf\x8c{\xe3+\xc0\x9d\xf9\x14\xf2\x1b\xf1Vj\x16\xbf,\x85\x85\xcdx8\x9a\xebBj\x024\x18\x83\x17N\x94V\xf8\xb6\x82\xb5\xf3\x96\xdd=\xf3\xbe\x7f w>{\x19#k,\xd4rsCW}\xe0\xf8\xd7iO\x176\x04\xf9\xc0\x90`7E\xde\xe6\x0c\xd8t\x8d\xae\x9c\xa2mt]B\xbe\x06\xf5\xd9dn\x02\x10\xac\x89\xb0L;\x07M@~$\xc5\x8a\x98\x82y\x8e\xa4\xa7\x82 
\x8d#\xfa'q\xc9\xdf\xc6At\xa0M\xf6\x91\x16\xdcF\x8c_)c1Yq\x0c\xd8o\xc2\xb62}\xfb\xe6]S\xa6~\x15\xfc\xbbu|]\xec\xf8\xf6\x17\x1c\xec\xc7k\x19\xcb\xf3{\xf0+\x07\xa5\xd9lyTvl\x9d\x1c\xa6n\x0e\xe9y\x0c\xa8#j\xa3\xdf\x1b01\x9f\xb1T{\xfej\xcbf\xaa\xdce\xd0\xa2\x9eJ\x9a\x07!k\x81\x8f\xdb\xc4Y\xfa\xde"\xc0\x04\x9c\xe3\xaa[6\x93\xe8=\xbdz\xa1\x9d\x0bv\xb1\x0b\xc7\x9d\xfd\xcf\x98\xa8\x06\xc2\xf8*\xa3\xa1\x83\xa0\xb7%r\xa5\x02\xe3\x02\x03\x01\x00\x01\xa3B0@0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x860\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x03\\xabs\x81\x87\xa8\xcc\xb0\xa6\xd5\x94\xe26\x96I\xff\x05\x99,0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0c\x05\x00\x03\x82\x02\x01\x00|x\xec\xf6\x02,\xbb[~\x92+]9\xdc\xbe\xd8\x1d\xa2B3M\xf9\xef\xa4*;Di\x1e\xac\xd9E\xa3N<\xa7\xd8$Q\xb2T\x1c\x93N\xc4\xef{\x93\x85`&\xea\x09H\xe0\xf5\xbb\xc7\xe9h\xd2\xbbj1q\xccy\xae\x11\xa8\xf0\x99\xfd\xe5\x1f\xbc/\xa8\xccW\xebv\xc4!\xa6GSUMh\xbf\x05\xa4\xee\xd7&\xabb\xdaC7K\xe2\xc6\xb5\xe5\xb2\x83\x19:\xc7\xd3\xdbM\x9e\x08z\xf3\xee\xcf>b\xfb\xac\xe8`\xcc\xd1\xc7\xa1\\x83E\xc4E\xcc\xf3\x17k\x14\xc9\x04\x02>\xd2$\xa6y\xe9\x1e\xce\xa2\xe7\xc1Y\x15\x9f\x1d\xe2K\x9a>\x9fv\x08-k\xd8\xbaW\x14\xda\x83\xea\xfe\x8cU\xe9\xd0N\xa9\xccw1\xb1D\x11z\\xb1>\xd3\x14E\x15\x18b$\x13\xd2\xcbM\xce\\x83\xc16\xf2\x10\xb5\x0e\x88m\xb8\xe1V\x9f\x89\xde\x96f9Gd,nM\xaeb{\xbf`t\x19\xb8V\xac\x92\xac\x162\xed\xadhU\xfe\x98\xba\xd34\xde\xf4\xc9a\xc3\x0e\x86\xf6K\x84`\xee\x0d{\xb52Xy\x91U,\x81C\xb3t\x1fz\xaa%\x9e\x1d\xd7\xa1\x8b\xb9\xcdB.\x04\xa4f\x83M\x895\xb6l\xa86Jy!x"\xd0B\xbc\xd1@1\x90\xa1\xbe\x04\xcf\xcag\xed\xf5\xf0\x80\xd3`\xc9\x83*"\x05\xd0\x07;R\xbf\x0c\x9e\xaa+\xf9\xbb\xe6\x1f\x8f%\xba\x85\x8d\x17\x1e\x02\xfe]P\x04W\xcf\xfe-\xbc\xef\\xc0\x1a\xab\xb6\x9f$\xc6\xdfshH\x90,\x14\xf4?R\x1a\xe4\xd2\xcb\x14\xc3ai\xcf\xe2\xf9\x18\xc5\xba3\x9f\x14\xa3\x04]\xb9q\xf7\xb5\x94\xd8\xf63\xc1Z\xc14\x8b|\x9b\xdd\x93:\xe7\x13\xa2pa\x9f\xaf\x8f\xeb\xd8\xc5u\xf83f\xd4tg:7w\x9c\xe7\xd
d\xa4\x0fvCf\x8aC\xf2\x9f\xfb\x0cBxc\xd1\xe2\x0fo{\xd4\xa1=t\x97\x85\xb7H9A\xd6 \xfc\xd0:\xb3\xfa\xe8o\xc4\x8a\xbaq7\xbe\x8b\x97\xb1x1O\xb3\xe7\xb6\x03\x13\xceT\x9d\xae%Y\xcc\x7f5_\x08\xf7@E1x*z, CN=GlobalSign Root E46,O=GlobalSign nv-sa,C=BE = 0\x82\x02\x0b0\x82\x01\x91\xa0\x03\x02\x01\x02\x02\x12\x11\xd2\xbb\xba3n\xd4\xbc\xe6$h\xc5\x0d\x84\x1d\x98\xe8C0\x0a\x06\x08*\x86H\xce=\x04\x03\x030F1\x0b0\x09\x06\x03U\x04\x06\x13\x02BE1\x190\x17\x06\x03U\x04\x0a\x13\x10GlobalSign nv-sa1\x1c0\x1a\x06\x03U\x04\x03\x13\x13GlobalSign Root E460\x1e\x17\x0d190320000000Z\x17\x0d460320000000Z0F1\x0b0\x09\x06\x03U\x04\x06\x13\x02BE1\x190\x17\x06\x03U\x04\x0a\x13\x10GlobalSign nv-sa1\x1c0\x1a\x06\x03U\x04\x03\x13\x13GlobalSign Root E460v0\x10\x06\x07*\x86H\xce=\x02\x01\x06\x05+\x81\x04\x00"\x03b\x00\x04\x9c\x0e\xb1\xcf\xb7\xe8\x9eRwu4\xfa\xa5F\xa7\xad2\x192\xb4\x07\xa9'\xca\x94\xbb\x0c\xd2\x0a\x10\xc7\xda\x89\xb0\x97\x0cp\x13\x09\x01\x8e\xd8\xeaG\xea\xbe\xb2\x80+\xcd\xfc(\x0d\xdb\xac\xbc\xa4\x867\xedp\x08\x00u\xea\x93\x0b{.R\x9c#h#\x06C\xec\x92/S\x84\xdb\xfbG\x14\x07\xe8_\x94g]\xc9z\x81< \xa3B0@0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x860\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x141\x0a\x90\x8f\xb6\xc6\x9d\xd2DK\x80\xb5\xa2\xe6\x1f\xb1\x12O\x1b\x950\x0a\x06\x08*\x86H\xce=\x04\x03\x03\x03h\x000e\x021\x00\xdfT\x90\xed\x9b\xef\x8b\x94\x02\x93\x17\x82\x99\xbe\xb3\x9e,\xf6\x0b\x91\x8c\x9fJ\x14\xb1\xf6d\xbc\xbbhQ\x13\x0c\x03\xf7\x15\x8b\x84`\xb9\x8b\xffR\x8e\xe7\x8c\xbc\x1c\x020<\xf9\x11\xd4\x8cN\xc0\xc1a\xc2\x15L\xaa\xab\x1d\x0b1_;\x1c\xe2\x00\x97D1\xe6\xfes\x96/\xda\x96\xd3\xfe\x08\x07\xb34\x89\xbc\x05\x9f\xf7\x1e\x86\xee\x8bp, CN=GLOBALTRUST 2020,O=e-commerce monitoring GmbH,C=AT = 0\x82\x05\x820\x82\x03j\xa0\x03\x02\x01\x02\x02\x0bZK\xbdZ\xfbO\x8a[\xfae\xe50\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000M1\x0b0\x09\x06\x03U\x04\x06\x13\x02AT1#0!\x06\x03U\x04\x0a\x13\x1ae-commerce monitoring 
GmbH1\x190\x17\x06\x03U\x04\x03\x13\x10GLOBALTRUST 20200\x1e\x17\x0d200210000000Z\x17\x0d400610000000Z0M1\x0b0\x09\x06\x03U\x04\x06\x13\x02AT1#0!\x06\x03U\x04\x0a\x13\x1ae-commerce monitoring GmbH1\x190\x17\x06\x03U\x04\x03\x13\x10GLOBALTRUST 20200\x82\x02"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x02\x0f\x000\x82\x02\x0a\x02\x82\x02\x01\x00\xae.V\xad\x1b\x1c\xef\xf6\x95\x8f\xa0w\x1b+\xd3c\x8f\x84ME\xa2\x0f\x9f[E\xabY{Q4\xf9\xec\x8b\x8ax\xc5\xddk\xaf\xbd\xc4\xdf\x93E\x1e\xbf\x918\x0b\xae\x0e\x16\xe7As\xf8\xdb\xbb\xd1\xb8Q\xe0\xcb\x83;s8nw\x8a\x0fYc&\xcd\xa7*\xceT\xfb\xb8\xe2\xc0|G\xce`|?\xb2s\xf2\xc0\x19\xb6\x8a\x92\x875\x0d\x90(\xa2\xe4\x15\x04c>\xba\xaf\xee|^\xcc\xa6\x8bP\xb28\xf7Ac\xca\xce\xffi\x8fh\x0e\x956\xe5\xcc\xb9\x8c\x09\xcaK\xdd1\x90\x96\xc8\xcc\x1f\xfdV\x964\xdb\x8e\x1c\xea,\xbe\x85.c\xdd\xaa\xa9\x95\xd3\xfd)\x95\x13\xf0\xc8\x98\x93\xd9-\x16G\x90\x11\x83\xa2:"\xa2(W\xa2\xeb\xfe\xc0\x8c(\xa0\xa6}\xe7*B;\x82\x80c\xa5c\x1f\x19\xcc|\xb2f\xa8\xc2\xd3m7o\xe2~\x06Q\xd9E\x84\x1f\x12\xce$Rd\x85\x0bH\x80N\x87\xb1""0\xaa\xeb\xae\xbe\xe0\x02\xe0@\xe8\xb0B\x80\x03Q\xaa\xb4~\xaaD\xd7Ca\xf3\xa2k\x16\x89I\xa4\xa3\xa4+\x8a\x02\xc4x\xf4h\x8a\xc1\xe4z6\xb1o\x1b\x96\x1bwI\x8d\xd4\xc9\x06r\x8f\xcfS\xe3\xdc\x17\x85 J\xdc\x98'\xd3\x91&+G\x1ei\x07\xaf\xde\xa2\xe4\xe4\xd4k\x0b\xb3^|\xd4$\x80G)i;n\xe8\xac\xfd@\xeb\xd8\xedqq+\xf2\xe8X\x1d\xebA\x97"\xc5\x1f\xd49\xd0'\x8f\x87\xe3\x18\xf4\xe0\xa9F\x0d\xf5t:\x82.\xd0n,\x91\xa31\;F\xea{\x04\x10V^\x80\x1d\xf5\xa5e\xe8\x82\xfc\xe2\x07\x8cbE\xf5 \xdeFp\x86\xa1\xbc\x93\xd3\x1et\xa6l\xb0,\xf7\x03\x0c\x88\x0c\xcb\xd4rS\x86\xbc`F\xf3\x98j\xc2\xf1\xbfC\xf9p 
\xb75IW\xe9\x92I\xe8v\x16r1g+\x96~\x8a\xa3\xc7\x94V"\xbfjK~\x01!\xb2#2\xdf\xe4\x9aDmY[]\xf5\x00\xa0\x1c\x9b\xc6x\x97\x8d\x90\xff\x9b\xc8\xaa\xb4\xaf\x11Q9^\xd9\xfbg\xad\xd5[\x11\x9d2\x9a\x1b\xbd\xd5\xba[\xa5\xc9\xcb%iSU'\\xe0\xca6\xcb\x88a\xfb\x1e\xb7\xd0\xcb\xee\x16\xfb\xd3\xa6L\xde\x92\xa5\xd4\xe2\xdf\xf5\x06T\xde.\x9dK\xb4\x930\xaa\x81\xce\xdd\x1a\xdcQs\x0dOp\xe9\xe5\xb6\x16!\x19y\xb2\xe6\x89\x0bud\xca\xd5\xab\xbc\x09\xc1\x18\xa1\xff\xd4T\xa1\x85<\xfd\x14$\x03\xb2\x87\xd3\xa4\xb7\x02\x03\x01\x00\x01\xa3B0@0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x860\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xbb\xff\xca\x8e#\x9fO\x99\xca\xdb\xe2h\xa6\xa5\x15'\x17\x1e\xd9\x0e0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0c\x05\x00\x03\x82\x02\x01\x00\x1f\xca\xce\xdd\xc7\xbe\xa1\x9f\xd9'L\x0b\xdc\x17\x98\x11j\x88\xde=\xe6qVr\xb2\x9e\x1aN\x9c\xd5+\x98$]\x9bk{\xb03\x82\x09\xbd\xdf%F\xea\x98\x9e\xb6\x1b\xfe\x83<\xd2ba\xc1\x04\xed\xce\xe0\xc5\xc9\xc8\x13\x13U\xe7\xa8c\xad\x8c{\x01\xfew0\xe1\xceh\x9b\x05\xf8\x12\xeey1\xa0AE5(\x0aq\xa4$O\x8c\xdc<\x82\x07_f\xdc}\x10\xfe\x0ca\xb3\x05\x95\xee\xe1\xae\x81\x0f\xa8\xf8\xc7\x8fM\xa8#\x02&k\x1d\x83RU\xce\xb5/\x00\xca\x80@\xe0\xe1t\xac`\xf5\x87\x80\x9d\xae6d\x91]\xb0h\x18\xea\x8aa\xc9w\xa8\x97\xc4\xc9\xc7\xa5\xfcUK\xf3\xf0\x7f\xb9e='h\xd0\xcck\xfaS\x9d\xe1\x91\x1a\xc9]\x1a\x96m2\x87\xed\x03 \xc8\x02\xceZ\xbe\xd9\xea\xfd\xb2M\xc4/\x1b\xdf_z\xf5\xf8\x8b\xc6\xee1:%QUg\x8dd2{\xe9\x9e\xc3\x82\xba*-\xe9\x1e\xb4\xe0H\x06\xa2\xfcg\xaf\x1f"\x02s\xfb \x0a\xaf\x9dTK\xa1\xcd\xff`G\xb0?]\xef\x1bV\xbd\x97!\x96-\x0a\xd1^\x9d8\x02Gl\xb9\xf4\xf6#%\xb8\xa0j\x9a+w\x08\xfa\xc4\xb1(\x90&X\x08<\xe2~\xaa\xd7=o\xba1\x88\x0a\x05\xeb'\xb5\xa1I\xee\xa0ET{\xe6'e\x99 !\xa8\xa3\xbc\xfb\x18\x96\xbbRo\x0c\xed\x83QL\xe9Y\xe2 
`\xc5\xc2e\x92\x82\x8c\xf3\x10\x1f\x0e\x8a\x97\xbew\x82m?\x8f\x1d]\xbcI'\xbd\xccO\x0f\xe1\xcev\x86\x04#\xc5\xc0\x8c\x12[\xfd\xdb\x84\xa0$\xf1H\xffd|\xd0\xbe\\x16\xd1\xef\x99\xad\xc0\x1f\xfb\xcb\xae\xbc8"\x06&d\xda\xda\x97\x0e?(\x15D\xa8O\x00\xca\xf0\x9a\xcc\xcftj\xb4><\xeb\x95\xec\xb5\xd3Z\xd8\x81\x99\xe9C\x187\xeb\xb3\xbb\xd1XbA\xf3f\xd2\x8f\xaax\x95T \xc3Z.t+\xd5\xd1\xbe\x18i\xc0\xac\xd5\xa4\xcf9\xbaQ\x84\x03e\xe9b\xc0b\xfe\xd8MU\x96\xe2\xd0\x11\xfaH4\x11\xec\x9e\xed\x05\x1d\xe4\xc8\xd6\x1d\x86\xcb, CN=GTS Root R3,O=Google Trust Services LLC,C=US = 0\x82\x02\x090\x82\x01\x8e\xa0\x03\x02\x01\x02\x02\x0d\x02\x03\xe5\xb8\x82\xeb \xf8%'m=f0\x0a\x06\x08*\x86H\xce=\x04\x03\x030G1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1"0 \x06\x03U\x04\x0a\x13\x19Google Trust Services LLC1\x140\x12\x06\x03U\x04\x03\x13\x0bGTS Root R30\x1e\x17\x0d160622000000Z\x17\x0d360622000000Z0G1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1"0 \x06\x03U\x04\x0a\x13\x19Google Trust Services LLC1\x140\x12\x06\x03U\x04\x03\x13\x0bGTS Root R30v0\x10\x06\x07*\x86H\xce=\x02\x01\x06\x05+\x81\x04\x00"\x03b\x00\x04\x1fO3\x873)\x8a\xa1\x84\xde\xcb\xc7!XA\x89\xeaV\x9d+K\x85\xc6\x1dL'\xbc\x7f&Qro\xe2\x9f\xd6\xa3\xca\xccE\x14F\x8b\xad\xef~\x86\x8c\xec\xb1~/\xff\xa9q\x9d\x18\x84E\x04AUn+\xea&\x7f\xbb\x90\x01\xe3K\x19\xba\xe4T\x96E\x09\xb1\xd5l\x91D\xad\x84\x13\x8e\x9a\x8c\x0d\x80\x0c2\xf6\xe0'\xa3B0@0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x860\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xc1\xf1&\xba\xa0-\xae\x85\x81\xcf\xd3\xf1*\x12\xbd\xb8\x0ag\xfd\xbc0\x0a\x06\x08*\x86H\xce=\x04\x03\x03\x03i\x000f\x021\x00\xf6\xe1 \x95\x14{T\xa3\x90\x16\x11\xbf\x84\xc8\xeaok\x17\x9e\x1eF\x98 \x9b\x9f\xd3\x0d\xd9\xac\xd3/\xcd|\xf8[.U\xbb\xbf\xdd\x92\xf7\xa4\x0c\xdc1\xe1\xa2\x021\x00\xfc\x97ff\xe5C\x16\x13\x83\xdd\xc7\xdf/\xbe\x148\xed\x01\xce\xb1\x17\x1a\x11u\xe9\xbd\x03\x8f&~\x84\xe5\xc9`\xa6\x95\xd7TY\xb7\xe7\x11,\x89\xd4\xb9\xee\x17, CN=GTS Root R4,O=Google Trust Services 
LLC,C=US = 0\x82\x02\x090\x82\x01\x8e\xa0\x03\x02\x01\x02\x02\x0d\x02\x03\xe5\xc0h\xefc\x1a\x9cr\x90PR0\x0a\x06\x08*\x86H\xce=\x04\x03\x030G1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1"0 \x06\x03U\x04\x0a\x13\x19Google Trust Services LLC1\x140\x12\x06\x03U\x04\x03\x13\x0bGTS Root R40\x1e\x17\x0d160622000000Z\x17\x0d360622000000Z0G1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1"0 \x06\x03U\x04\x0a\x13\x19Google Trust Services LLC1\x140\x12\x06\x03U\x04\x03\x13\x0bGTS Root R40v0\x10\x06\x07*\x86H\xce=\x02\x01\x06\x05+\x81\x04\x00"\x03b\x00\x04\xf3ts\xa7h\x8b`\xaeC\xb85\xc5\x810{KI\x9d\xfb\xc1a\xce\xe6\xdeF\xbdk\xd5a\x185\xae@\xdds\xf7\x89\x910Z\xeb<\xee\x85|\xa2@v;\xa9\xc6\xb8G\xd8*\xe7\x92\x91js\xe9\xb1r9\x9f)\x9f\xa2\x98\xd3_^X\x86e\x0f\xa1\x84e\x06\xd1\xdc\x8b\xc9\xc7s\xc8\x8cj/\xe5\xc4\xab\xd1\x1d\x8a\xa3B0@0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x860\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x80L\xd6\xebt\xffI6\xa3\xd5\xd8\xfc\xb5>\xc5j\xf0\x94\x1d\x8c0\x0a\x06\x08*\x86H\xce=\x04\x03\x03\x03i\x000f\x021\x00\xe8@\xff\x83\xde\x03\xf4\x9f\xae\x1dz\xa7.\xb9\xafO\xf6\x83\x1d\x0e-\x85\x01\x1d\xd1\xd9j\xec\x0f\xc2\xaf\xc7^V^\\xd5\x1cX"(\x0b\xf70\xb6/\xb1|\x021\x00\xf0a<\xa7\xf4\xa0\x82\xe3!\xd5\x84\x1ds\x86\x9c-\xaf\xca4\x9b\xf1\x9f\xb9#6\xe2\xbc`\x03\x9d\x80\xb3\x9aV\xc8\xe1\xe2\xbb\x14y\xca\xcd!\xd4\x94\xb5IC, CN=Telia Root CA v2,O=Telia Finland Oyj,C=FI = 0\x82\x05t0\x82\x03\\xa0\x03\x02\x01\x02\x02\x0f\x01g_'\xd6\xfez\xe3\xe4\xac\xbe\x09[\x05\x9e0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000D1\x0b0\x09\x06\x03U\x04\x06\x13\x02FI1\x1a0\x18\x06\x03U\x04\x0a\x0c\x11Telia Finland Oyj1\x190\x17\x06\x03U\x04\x03\x0c\x10Telia Root CA v20\x1e\x17\x0d181129115554Z\x17\x0d431129115554Z0D1\x0b0\x09\x06\x03U\x04\x06\x13\x02FI1\x1a0\x18\x06\x03U\x04\x0a\x0c\x11Telia Finland Oyj1\x190\x17\x06\x03U\x04\x03\x0c\x10Telia Root CA 
v20\x82\x02"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x02\x0f\x000\x82\x02\x0a\x02\x82\x02\x01\x00\xb2\xd0?\x07\xbc\xe2{\xd0k\x99\xf8\xe2wi\xe7\xce\x9d\xa4\x03\xbc\x82m\xa1\xfe\x81e\x1fL'\xac\x8e\x00\xba\x16{\xeb0j\x00\xc0\xb3th~\xb2\xaf\xc7\xd5b\xb3z?P\xca\x8c6D$c\xd26\xe9\x0c\x85\xf6Cv\xd5L\xa1`rg\xe2(3\xa5\xcb1\xb8:"#4\xb8}\xbdV"@\x9d\xea\xf4{\x03\xadh\xfc\xb2\x81O\x98\xd0t\xea\x8d\xe5}\xcdc\xc3\xa3\xf6\xde\x92\xc2X\x19\xe0\x96\xbb\xc5\xc4\xa9=\xa5t\x96\xfe\xaf\xf9\x89\xaa\xbd\x95\x17T\xd8xD\xf1\x0cw\x15\x92\xe0\x98B\xa7\xa4\xd6\xaa \x92\xcd\xc1\xa0\xb3\x96\xb2:\x84B\x8d}\xd5\x95\xe4\xd6\xdb\xe9b\xc4X\xb3y\xc5\x8c\xd353\x83\x9fu\xa1R'a8\xf1Y=\x8eP\xe0\xbdy<\xe7l\x96\xfe^\xd9\x02e\xb4\x8e\\xd0\x114\xdf]\xbfR\xa7\x81\x00\xc3\x7f\x99E\x99\x15\xd5\x17\xc8\x0aS\xecc\xf3\x99}\xcci\x12\x86\xc2\x17\xf0\x01\x9e\xbf\x84\xbc\xd1R\xcb\x1b\x92f\xce\xa4S\xe5\xa1\xbf\xc4\xdb\x09\xd6\xe6\x89V+\xc8\xe3|\xde\xe3\xff\x89\xe55n(\xe8l\x0b#Q\xa9%\x05\xebH\xf8\xdd\xb1\xca\xfal\x08Q\xef\xb7\x18lD\xca&\xe1s\xc6\x89\x06\x81\xe5\x8a\xac\xb0\xe2)\xc6\xb9$\xb3kD\x11\xf4\xa5C\xc2LC\xe5p6\x8c\xb63Wz\x95.\x82\xa0\xf4\\x10\xb3a\x83\xf6\x02\x05\x86.|-l\xdc\x03Fn5\x93\xd5z\x95/\xde 
\xd8[~\x94\x90\x04j\xbaY=\x04\x05u\x9d7\xa2\x0e.=\xeb\xc1\xa4R\x83\xfe\xd0k\xd4f\x8e\xdc\xc6\xe9\x12N\x1d*W\xaa\x10\xbc|^\x82}\xa6\xa6\xc9\xf2-\xb9\xf5\x17'\xad\xd1\x0e\x89T+\x95\xfa\xc0\xad\x1d\x98\x14x3B\x86\x0a\xa9s\xb5\xfbt\x0d\xb7\x1b0\x19\xc4Z\x0e\x1c'\xb7\xda\x18\xd0\xff\x8a\xc8\x05\xba\xf1\xaa\x1c\xa27\xb7\xe6H\xa4F,\x94\xea\xa8vbG\x8b\x10S\x07HWl\xe2\x92M\xb6\xae\x05\xcb\xdc\xc1J^\x8f\xac=\x19N\xc2\xed`u+\xdb\xc1\xcaB\xd5\x02\x03\x01\x00\x01\xa3c0a0\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14r\xac\xe43y\xaaE\x87\xf6\xfd\xac\x1d\x9e\xd6\xc7/\x86\xd8$90\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14r\xac\xe43y\xaaE\x87\xf6\xfd\xac\x1d\x9e\xd6\xc7/\x86\xd8$90\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x060\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x02\x01\x00\xa0;Y\xa7\x09\x94>6\x84\xd2~/9\xa5\x96\x97\xfa\x11\xad\xfcg\xf3q\x09\xf2\xb2\x89\x84gD\xaf\xb9\xef\xed\x96\xec\x9cd\xdb20og\x9a\xac~_\xb2\xab\x016~\x81\xfa\xe4\x84^\xd2\xac6\xe0kb\xc5}K\x0e\x82m\xd2vb\xd1\xfe\x97\xf8\x9f0|\x18\xf9\xb4Rw\x82\x1dv\xdb\xd3\x1d\xa9\xf0\xc1\x9a\x00\xbdmu\xd8}\xe7\xfa\xc78\xa3\x9cp\xe8Fy\x03\xaf.t\xdbu\xf8nS\x0c\x03\xc8\x99\x1a\x895\x19<\xd3\xc9T|\xa8\xf0,\xe6n\x07yoj\xe1\xe6\xea\x91\x82i\x0a\x1d\xc3~Y\xa2\x9ekF\x15\x98[\xd3\xafF\x1db\xc8\xce\x80RI\x11?\xc9\x04\x12\xc3\x13|?;\x8a\x96\xdb<\xa0\x1e\x0a\xb4\x8bT\xb2$g\x0d\xef\x82\xcb\xbe<}\xd1\xe2\x7f\xae\x16\xd6VX\xb9\xda \xb1\x83\x15\xa1\xef\x8aM2oA/\x13R\x82\x94\xd7\x1a\xc1x\xa2Q\xdd+pm\xb7\x1a\xf9\xf7\xb0\xe0g\x97V\xdb|aS\x09\x03(\x02@\xc7\xb3\xd8\xfd\x9cpj\xc6(\xc3\x85\xe9\xe2\xed\x1a\x93\xa0\xdeK\x98\xa2\x84>\x05w\x01\x96=\xfb\xb4 
\x0f\x9cr\x02z\x12/\xd5\xa3\xbaQx\xaf*+DeN\xb5\xfd\x0a\xe8\xc1\xcdy\x87a+\xde\x80WE\xbfg\xf1\x9b\x91^\xa5\xa4\xecYH\x10\x0d8\xc7\xb0\xfa\xc3Dm\x04\xf5xP\x1c\x92\x96[\xda\xf5\xb8.\xba[\xcf\xe5\xf0j\x9dK/Xs-O-\xc4\x1c>\xf4\xb3?\xab\x15\x0e;\x19A\x8a\xa4\xc1W\x12fqL\xfaS\xe3W\xebb\x95\x09\x9eT\xdd\xd1\xc2<W<\xbd8\xad\x98d\xb7\xb8\x03\x9aSV`]\xb3\xd8B\x1b\K\x12\x8a\x1c\xeb\xeb}\xc6zi\xc7'\x7f\xa4\xf8\x8b\xf2\xe4\x94f\x87K\xe9\x94\x07\x09\x12y\x8a\xb2\xebt\x04\xdc\xce\xf4DY\xe0\x16\xca\xc5,X\xd7<{\xcfb\x86jP}56f\xa7\xfb7\xe7(\xc7\xd8\xd0\xad\xa5i\x94\x8f\xe8\xc1\xdf$\xf8\x1b\x071\x87\x81\xd8]\xf6\xe8(\xd8JR\x80\xac\x13\xeeP\x14\x1e\x98\xc7, CN=D-TRUST BR Root CA 1 2020,O=D-Trust GmbH,C=DE = 0\x82\x02\xdb0\x82\x02`\xa0\x03\x02\x01\x02\x02\x10|\xc9\x8f+\x84\xd7\xdf\xea\x0f\xc9e\x9a\xd3KM\x960\x0a\x06\x08*\x86H\xce=\x04\x03\x030H1\x0b0\x09\x06\x03U\x04\x06\x13\x02DE1\x150\x13\x06\x03U\x04\x0a\x13\x0cD-Trust GmbH1"0 \x06\x03U\x04\x03\x13\x19D-TRUST BR Root CA 1 20200\x1e\x17\x0d200211094500Z\x17\x0d350211094459Z0H1\x0b0\x09\x06\x03U\x04\x06\x13\x02DE1\x150\x13\x06\x03U\x04\x0a\x13\x0cD-Trust GmbH1"0 \x06\x03U\x04\x03\x13\x19D-TRUST BR Root CA 1 20200v0\x10\x06\x07*\x86H\xce=\x02\x01\x06\x05+\x81\x04\x00"\x03b\x00\x04\xc6\xcb\xc7(\xd1\xfb\x84\xf5\x9a\xefB\x14 
\xe1Cknu\xad\xfc+\x03\x84\xd4v\x93%\xd7Y;Aek\x1e\xe64*\xbbt\xf6\x12\xce\xe8m\xe7\xab\xe4<N?D\x08\x8b\xcd\x16q\xcb\xbf\x92\x99\xf4\xa4\xd7<PTR\x90\x85\x83x\x94gg\xa3\x1c\x09\x19=u4\x85\xde\xed`}\xc7\x0c\xb4AR\xb9n\xe5\xeeB\xa3\x82\x01\x0d0\x82\x01\x090\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14s\x91\x10\xab\xffU\xb3Z|\x09%\xd5\xb2\xba\x08\xa0k\xab\x1fm0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x060\x81\xc6\x06\x03U\x1d\x1f\x04\x81\xbe0\x81\xbb0>\xa0<\xa0:\x868http://crl.d-trust.net/crl/d-trust_br_root_ca_1_2020.crl0y\xa0w\xa0u\x86sldap://directory.d-trust.net/CN=D-TRUST%20BR%20Root%20CA%201%202020,O=D-Trust%20GmbH,C=DE?certificaterevocationlist0\x0a\x06\x08*\x86H\xce=\x04\x03\x03\x03i\x000f\x021\x00\x94\x90-\x13\xfa\xe1c\xf8ac\xe8\xad\x85xT\x91\x9c\xb8\x938>\x1aA\xda@\x16SB\x08\xca/\x8e\xf1>\x81V\xc0\xaa\xd8\xed\x18\xc4\xb0\xae\xf4>\xfa&\x021\x00\xf3(\xe2\xc6\xdb+\x99\xfb\xb7Q\xb8$\xa3\xa4\x94z\x1a?\xe66\xe2\x03W3\x8a0\xcb\x82\xc7\xd6\x14\x11\xd5uc[\x14\x95\x9c\x1f\x01\xcf\xd8\xd5r\xa7\x0f;, CN=D-TRUST EV Root CA 1 2020,O=D-Trust GmbH,C=DE = 0\x82\x02\xdb0\x82\x02`\xa0\x03\x02\x01\x02\x02\x10_\x02A\xd7z\x87|L\x03\xa3\xac\x96\x8d\xfb\xff\xd00\x0a\x06\x08*\x86H\xce=\x04\x03\x030H1\x0b0\x09\x06\x03U\x04\x06\x13\x02DE1\x150\x13\x06\x03U\x04\x0a\x13\x0cD-Trust GmbH1"0 \x06\x03U\x04\x03\x13\x19D-TRUST EV Root CA 1 20200\x1e\x17\x0d200211100000Z\x17\x0d350211095959Z0H1\x0b0\x09\x06\x03U\x04\x06\x13\x02DE1\x150\x13\x06\x03U\x04\x0a\x13\x0cD-Trust GmbH1"0 \x06\x03U\x04\x03\x13\x19D-TRUST EV Root CA 1 20200v0\x10\x06\x07*\x86H\xce=\x02\x01\x06\x05+\x81\x04\x00"\x03b\x00\x04\xf1\x0b\xdd\x86C 
\x19\xdf\x97\x85\xe8"J\x9b\xcf\x9d\x98\xbf\xb4\x05&\xc9\xcb\xe3\xa6\xd2\x8f\xc5\x9ex{1\x89\xa9\x89\xad'<e\x10\x82\xfc\xdf\xc3\x9dN\xf03#\xc4\xd22\xf5\x1c\xb0\xdf3\x17]\xc5\xf0\xb1\x8a\xf9\xef\xb9\xb7\x14\xca)J\xc2\x0f\xa9\x7fueI*0g\xf4d\xf7\xd6\x1aw\xda\xc3\xc2\x97aB{I\xad\xa3\x82\x01\x0d0\x82\x01\x090\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x7f\x10\x01\x167:\xa4(\xe4P\xf8\xa4\xf7\xeck2\xb6\xfe\xe9\x8b0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x060\x81\xc6\x06\x03U\x1d\x1f\x04\x81\xbe0\x81\xbb0>\xa0<\xa0:\x868http://crl.d-trust.net/crl/d-trust_ev_root_ca_1_2020.crl0y\xa0w\xa0u\x86sldap://directory.d-trust.net/CN=D-TRUST%20EV%20Root%20CA%201%202020,O=D-Trust%20GmbH,C=DE?certificaterevocationlist0\x0a\x06\x08*\x86H\xce=\x04\x03\x03\x03i\x000f\x021\x00\xca<\xc6*u\xc2^ub96\x00`Z\x8b\xc1\x93\x99\xcc\xd9\xdbA;;\x87\x99\x17;\xd5\xccO\xca"\xf7\xa0\x80\xcb\xf9\xb4\xb1\x1bV\xf5r\xd2\xfc\x19\xd1\x021\x00\x91\xf70\x93?\x10F+q\xa4\xd0;D\x9b\xc0)\x02\x05\xb2AwQ\xf3yZ\x9e\x8e\x14\xa0NB\xd2[\x81\xf34j\x03\xe7"8P[\xed\x19OC\x16

The default root CA bundle. By default, the mozilla-ca-list.zeek script sets this to Mozilla’s root CA list.

Types
SSL::CTInfo
Type

record

description: string

Description of the Log

operator: string

Operator of the Log

key: string

Public key of the Log.

maximum_merge_delay: count

Maximum merge delay of the Log

url: string

URL of the Log

The record type which contains the fields of one entry in the Certificate Transparency log bundle.

SSL::Info
Type

record

ts: time &log

Time when the SSL connection was first detected.

uid: string &log

Unique ID for the connection.

id: conn_id &log

The connection’s 4-tuple of endpoint addresses/ports.

version_num: count &optional

Numeric SSL/TLS version that the server chose.

version: string &log &optional

SSL/TLS version that the server chose.

cipher: string &log &optional

SSL/TLS cipher suite that the server chose.

curve: string &log &optional

Elliptic curve the server chose when using ECDH/ECDHE.

server_name: string &log &optional

Value of the Server Name Indication (SNI) SSL/TLS extension. It indicates the server name that the client was requesting.

session_id: string &optional

Session ID offered by the client for session resumption. Not used for logging.

resumed: bool &log &default = F &optional

Flag to indicate if the session was resumed reusing the key material exchanged in an earlier connection.

client_ticket_empty_session_seen: bool &default = F &optional

Flag to indicate if we saw a non-empty session ticket being sent by the client using an empty session ID. This value is used to determine if a session is being resumed. It’s not logged.

client_key_exchange_seen: bool &default = F &optional

Flag to indicate if we saw a client key exchange message sent by the client. This value is used to determine if a session is being resumed. It’s not logged.

client_psk_seen: bool &default = F &optional

Track if the client sent a pre-shared-key extension. Used to determine if a TLS 1.3 session is being resumed. Not logged.

last_alert: string &log &optional

Last alert that was seen during the connection.

next_protocol: string &log &optional

Next protocol the server chose using the application layer next protocol extension, if present.

analyzer_id: count &optional

The analyzer ID used for the analyzer instance attached to each connection. It is not used for logging since it’s a meaningless arbitrary number.

established: bool &log &default = F &optional

Flag to indicate if this ssl session has been established successfully, or if it was aborted during the handshake.

logged: bool &default = F &optional

Flag to indicate if this record already has been logged, to prevent duplicates.

ssl_history: string &log &default = "" &optional

SSL history showing which types of messages were seen, in order. Each letter stands for one message type; it is upper-case when the client sent the message and lower-case when the server sent it:

Letter  Meaning
H       hello_request
C       client_hello
S       server_hello
V       hello_verify_request
T       NewSessionTicket
X       certificate
K       server_key_exchange
R       certificate_request
N       server_hello_done
Y       certificate_verify
G       client_key_exchange
F       finished
W       certificate_url
U       certificate_status
A       supplemental_data
Z       unassigned_handshake_type
I       change_cipher_spec
B       heartbeat
D       application_data
E       end_of_early_data
O       encrypted_extensions
P       key_update
M       message_hash
J       hello_retry_request
L       alert
Q       unknown_content_type

delay_tokens: set [string] &optional

cert_chain: vector of Files::Info &optional

(present if base/protocols/ssl/files.zeek is loaded)

Chain of certificates offered by the server to validate its complete signing chain.

cert_chain_fps: vector of string &optional &log

(present if base/protocols/ssl/files.zeek is loaded)

An ordered vector of all certificate fingerprints for the certificates offered by the server.

client_cert_chain: vector of Files::Info &optional

(present if base/protocols/ssl/files.zeek is loaded)

Chain of certificates offered by the client to validate its complete signing chain.

client_cert_chain_fps: vector of string &optional &log

(present if base/protocols/ssl/files.zeek is loaded)

An ordered vector of all certificate fingerprints for the certificates offered by the client.

subject: string &log &optional

(present if base/protocols/ssl/files.zeek is loaded)

Subject of the X.509 certificate offered by the server.

issuer: string &log &optional

(present if base/protocols/ssl/files.zeek is loaded)

Issuer of the signer of the X.509 certificate offered by the server.

client_subject: string &log &optional

(present if base/protocols/ssl/files.zeek is loaded)

Subject of the X.509 certificate offered by the client.

client_issuer: string &log &optional

(present if base/protocols/ssl/files.zeek is loaded)

Subject of the signer of the X.509 certificate offered by the client.

sni_matches_cert: bool &log &optional

(present if base/protocols/ssl/files.zeek is loaded)

Set to true if the hostname sent in the SNI matches the certificate. Set to false if they do not match. Unset if the client did not send an SNI.

server_depth: count &default = 0 &optional

(present if base/protocols/ssl/files.zeek is loaded)

Current number of certificates seen from either side. Used to create file handles.

client_depth: count &default = 0 &optional

(present if base/protocols/ssl/files.zeek is loaded)

always_raise_x509_events: bool &default = F &optional

(present if policy/files/x509/disable-certificate-events-known-certs.zeek is loaded)

Set to true to force certificate events to always be raised for this connection.

client_random: string &optional

(present if policy/protocols/ssl/decryption.zeek is loaded)

last_originator_heartbeat_request_size: count &optional

(present if policy/protocols/ssl/heartbleed.zeek is loaded)

last_responder_heartbeat_request_size: count &optional

(present if policy/protocols/ssl/heartbleed.zeek is loaded)

originator_heartbeats: count &default = 0 &optional

(present if policy/protocols/ssl/heartbleed.zeek is loaded)

responder_heartbeats: count &default = 0 &optional

(present if policy/protocols/ssl/heartbleed.zeek is loaded)

heartbleed_detected: bool &default = F &optional

(present if policy/protocols/ssl/heartbleed.zeek is loaded)

enc_appdata_packages: count &default = 0 &optional

(present if policy/protocols/ssl/heartbleed.zeek is loaded)

enc_appdata_bytes: count &default = 0 &optional

(present if policy/protocols/ssl/heartbleed.zeek is loaded)

server_version: count &log &optional

(present if policy/protocols/ssl/ssl-log-ext.zeek is loaded)

Numeric version of the server in the server hello.

client_version: count &log &optional

(present if policy/protocols/ssl/ssl-log-ext.zeek is loaded)

Numeric version of the client in the client hello.

client_ciphers: vector of count &log &optional

(present if policy/protocols/ssl/ssl-log-ext.zeek is loaded)

Ciphers that were offered by the client for the connection

ssl_client_exts: vector of count &log &optional

(present if policy/protocols/ssl/ssl-log-ext.zeek is loaded)

Extension types present in the client hello.

ssl_server_exts: vector of count &log &optional

(present if policy/protocols/ssl/ssl-log-ext.zeek is loaded)

Extension types present in the server hello.

ticket_lifetime_hint: count &log &optional

(present if policy/protocols/ssl/ssl-log-ext.zeek is loaded)

Suggested ticket lifetime sent in the session ticket handshake by the server.

dh_param_size: count &log &optional

(present if policy/protocols/ssl/ssl-log-ext.zeek is loaded)

The Diffie-Hellman parameter size in bits, when using DH.

point_formats: vector of count &log &optional

(present if policy/protocols/ssl/ssl-log-ext.zeek is loaded)

Supported elliptic curve point formats.

client_curves: vector of count &log &optional

(present if policy/protocols/ssl/ssl-log-ext.zeek is loaded)

The curves supported by the client.

orig_alpn: vector of string &log &optional

(present if policy/protocols/ssl/ssl-log-ext.zeek is loaded)

Application layer protocol negotiation extension sent by the client.

client_supported_versions: vector of count &log &optional

(present if policy/protocols/ssl/ssl-log-ext.zeek is loaded)

Versions offered by the client in the TLS 1.3 supported_versions extension.

server_supported_version: count &log &optional

(present if policy/protocols/ssl/ssl-log-ext.zeek is loaded)

Version selected by the server in the TLS 1.3 supported_versions extension.

psk_key_exchange_modes: vector of count &log &optional

(present if policy/protocols/ssl/ssl-log-ext.zeek is loaded)

TLS 1.3 Pre-shared key exchange modes

client_key_share_groups: vector of count &log &optional

(present if policy/protocols/ssl/ssl-log-ext.zeek is loaded)

Key share groups from client hello

server_key_share_group: count &log &optional

(present if policy/protocols/ssl/ssl-log-ext.zeek is loaded)

Selected key share group from server hello

client_comp_methods: vector of count &log &optional

(present if policy/protocols/ssl/ssl-log-ext.zeek is loaded)

Client supported compression methods

comp_method: count &optional

(present if policy/protocols/ssl/ssl-log-ext.zeek is loaded)

Server chosen compression method

sigalgs: vector of count &log &optional

(present if policy/protocols/ssl/ssl-log-ext.zeek is loaded)

Client supported signature algorithms

hashalgs: vector of count &log &optional

(present if policy/protocols/ssl/ssl-log-ext.zeek is loaded)

Client supported hash algorithms

validation_status: string &log &optional

(present if policy/protocols/ssl/validate-certs.zeek is loaded)

Result of certificate validation for this connection.

validation_code: int &optional

(present if policy/protocols/ssl/validate-certs.zeek is loaded)

Result of certificate validation for this connection, given as OpenSSL validation code.

valid_chain: vector of opaque of x509 &optional

(present if policy/protocols/ssl/validate-certs.zeek is loaded)

Ordered chain of validated certificates, if validation succeeded.

ocsp_status: string &log &optional

(present if policy/protocols/ssl/validate-ocsp.zeek is loaded)

Result of OCSP validation for this connection.

ocsp_response: string &optional

(present if policy/protocols/ssl/validate-ocsp.zeek is loaded)

OCSP response as a string.

valid_scts: count &optional

(present if policy/protocols/ssl/validate-sct.zeek is loaded)

Number of valid SCTs that were encountered in the connection.

invalid_scts: count &optional

(present if policy/protocols/ssl/validate-sct.zeek is loaded)

Number of SCTs that could not be validated that were encountered in the connection.

valid_ct_logs: count &log &optional

(present if policy/protocols/ssl/validate-sct.zeek is loaded)

Number of different Logs for which valid SCTs were encountered in the connection.

valid_ct_operators: count &log &optional

(present if policy/protocols/ssl/validate-sct.zeek is loaded)

Number of different Log operators of which valid SCTs were encountered in the connection.

valid_ct_operators_list: set [string] &optional

(present if policy/protocols/ssl/validate-sct.zeek is loaded)

List of operators for which valid SCTs were encountered in the connection.

ct_proofs: vector of SSL::SctInfo &default = [] &optional

(present if policy/protocols/ssl/validate-sct.zeek is loaded)

Information about all SCTs that were encountered in the connection.

notary: CertNotary::Response &log &optional

(present if policy/protocols/ssl/notary.zeek is loaded)

A response from the ICSI certificate notary.

The record type which contains the fields of the SSL log.

Events
SSL::log_ssl
Type

event (rec: SSL::Info)

Event that can be handled to access the SSL record as it is sent on to the logging framework.

Hooks
SSL::finalize_ssl
Type

Conn::RemovalHook

SSL finalization hook. Remaining SSL info may get logged when it is called. The SSL::ssl_finishing hook is either called before this finalization hook, for established SSL connections, or during this finalization hook, for SSL connections that still have info left to log.

SSL::log_policy
Type

Log::PolicyHook

SSL::ssl_finishing
Type

hook (c: connection) : bool

Hook that can be used to perform actions right before the log record is written.
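As an added example (not part of Zeek's own scripts), the script below uses SSL::ssl_finishing to inspect the finished SSL::Info record before it is written and SSL::log_policy to veto records. The notice types, the legacy_versions set and the ignore_sni set are this example's own assumptions, not Zeek defaults; adjust them to local policy.

```zeek
##! Added example, not part of Zeek: inspect SSL::Info right before the record
##! is written, raise notices from its fields, and veto noisy records.
##! The notice types, the version set and the SNI ignore list are assumptions
##! for this example, not Zeek defaults.

@load base/protocols/ssl
@load base/frameworks/notice

module SSLExample;

export {
	redef enum Notice::Type += {
		## A handshake completed with a protocol version from legacy_versions.
		Legacy_TLS_Version,
		## The server sent its certificate but the handshake never established.
		Handshake_Aborted_After_Certificate,
	};

	## Version strings (as logged in the ssl.log version field) to notice on.
	const legacy_versions: set[string] = { "SSLv3", "TLSv10", "TLSv11" } &redef;

	## SNI values whose records should not reach ssl.log at all.
	const ignore_sni: set[string] = { "telemetry.example.internal" } &redef;
}

# SSL::ssl_finishing runs right before the record is written, so every field
# that the loaded scripts fill in is available here.
hook SSL::ssl_finishing(c: connection)
	{
	if ( ! c?$ssl )
		return;

	local info = c$ssl;
	local server = info?$server_name ? info$server_name : cat(c$id$resp_h);

	if ( info$established && info?$version && info$version in legacy_versions )
		NOTICE([$note=Legacy_TLS_Version, $conn=c,
		        $msg=fmt("%s negotiated %s with %s", c$id$orig_h, info$version, server),
		        $identifier=cat(c$id$resp_h, info$version)]);

	# ssl_history uses lower-case letters for server-sent messages, so "x" is
	# the server Certificate message. A record that contains it but never
	# established means the handshake was abandoned after the certificate was
	# seen, for example a client refusing an untrusted certificate. A capture
	# that simply ended mid-handshake looks the same, so treat this as a lead,
	# not a verdict.
	if ( ! info$established && /x/ in info$ssl_history )
		NOTICE([$note=Handshake_Aborted_After_Certificate, $conn=c,
		        $msg=fmt("handshake to %s aborted after certificate (history %s)",
		                 server, info$ssl_history),
		        $sub=info?$last_alert ? info$last_alert : "",
		        $identifier=cat(c$id$orig_h, c$id$resp_h)]);
	}

# Log::PolicyHook: 'break' vetoes the record for this log stream only. The
# connection is still tracked and still appears in conn.log.
hook SSL::log_policy(rec: SSL::Info, id: Log::ID, filter: Log::Filter)
	{
	if ( rec?$server_name && rec$server_name in ignore_sni )
		break;
	}
```

The ssl_finishing handler only reads the record; if a script needs to change what is logged, it can assign to c$ssl fields in the same hook, since the record is written immediately afterwards.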

Functions
SSL::delay_log
Type

function (info: SSL::Info, token: string) : void

Delays an SSL record for a specific token: the record will not be logged as long as the token exists, or until 15 seconds have elapsed, whichever comes first.

SSL::undelay_log
Type

function (info: SSL::Info, token: string) : void

Undelays an SSL record for a previously inserted token, allowing the record to be logged.
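As an added example (not Zeek's own code), the script below holds an ssl.log record back with SSL::delay_log until an asynchronous reverse-DNS lookup of the server address returns, stores the result in a new logged field, and releases the record with SSL::undelay_log. The resp_ptr field, the token string and the 5-second timeout are this example's own choices; the capture list on the when statement assumes Zeek 5.1 or newer.

```zeek
##! Added example, not part of Zeek: hold an ssl.log record back until an
##! asynchronous reverse-DNS lookup of the server address returns, then
##! release it. The resp_ptr field and the token name are this example's own.
##! Assumes Zeek 5.1 or newer for the capture list on `when`.

@load base/protocols/ssl

module SSLExample;

export {
	redef record SSL::Info += {
		## Reverse DNS name of the server, filled in asynchronously.
		resp_ptr: string &log &optional;
	};
}

# Delay tokens are plain strings; pick one unique to this script so that
# another script calling SSL::undelay_log cannot release this delay by accident.
const delay_token = "sslexample/ptr";

# A positive priority runs this handler before the lower-priority handler in
# base/protocols/ssl that writes the record, so the delay is registered in time.
event ssl_established(c: connection) &priority=5
	{
	if ( ! c?$ssl )
		return;

	local info = c$ssl;
	local resp = c$id$resp_h;

	SSL::delay_log(info, delay_token);

	# The body runs once the lookup returns. The timeout branch releases the
	# record if DNS stays silent; SSL::delay_log's own 15-second cap would
	# eventually log it anyway, but with resp_ptr unset.
	when [info, resp] ( local name = lookup_addr(resp) )
		{
		info$resp_ptr = name;
		SSL::undelay_log(info, delay_token);
		}
	timeout 5 secs
		{
		SSL::undelay_log(info, delay_token);
		}
	}
```

Every code path that calls SSL::delay_log must have a matching SSL::undelay_log, including the timeout branch; otherwise the record is held for the full 15 seconds on every connection, which on a busy sensor keeps many SSL::Info records in memory longer than necessary.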

base/protocols/ssl/mozilla-ca-list.zeek

SSL
Namespace

SSL

Imports

base/protocols/ssl

Summary
Redefinitions

SSL::root_certs: table &redef

Detailed Interface

base/protocols/ssl/ct-list.zeek

SSL
Namespace

SSL

Imports

base/protocols/ssl

Summary
Redefinitions

SSL::ct_logs: table &redef

Detailed Interface

base/protocols/ssl/files.zeek

SSL
Namespace

SSL

Imports

base/files/x509, base/frameworks/files, base/protocols/ssl/main.zeek, base/utils/conn-ids.zeek

Summary
Redefinable Options

SSL::log_include_client_certificate_subject_issuer: bool &redef

Set this to true to include the client certificate subject and issuer in the SSL logfile.

SSL::log_include_server_certificate_subject_issuer: bool &redef

Set this to true to include the server certificate subject and issuer in the SSL log file.

Redefinitions

SSL::Info: record

New Fields

SSL::Info

cert_chain: vector of Files::Info &optional

Chain of certificates offered by the server to validate its complete signing chain.

cert_chain_fps: vector of string &optional &log

An ordered vector of all certificate fingerprints for the certificates offered by the server.

client_cert_chain: vector of Files::Info &optional

Chain of certificates offered by the client to validate its complete signing chain.

client_cert_chain_fps: vector of string &optional &log

An ordered vector of all certificate fingerprints for the certificates offered by the client.

subject: string &log &optional

Subject of the X.509 certificate offered by the server.

issuer: string &log &optional

Issuer of the signer of the X.509 certificate offered by the server.

client_subject: string &log &optional

Subject of the X.509 certificate offered by the client.

client_issuer: string &log &optional

Subject of the signer of the X.509 certificate offered by the client.

sni_matches_cert: bool &log &optional

Set to true if the hostname sent in the SNI matches the certificate.

server_depth: count &default = 0 &optional

Current number of certificates seen from either side.

client_depth: count &default = 0 &optional

Functions

SSL::describe_file: function

Default file describer for SSL.

SSL::get_file_handle: function

Default file handle provider for SSL.

Detailed Interface
Redefinable Options
SSL::log_include_client_certificate_subject_issuer
Type

bool

Attributes

&redef

Default

F

Set this to true to include the client certificate subject and issuer in the SSL logfile. This information is rarely present and probably only interesting in very specific circumstances.

SSL::log_include_server_certificate_subject_issuer
Type

bool

Attributes

&redef

Default

F

Set this to true to include the server certificate subject and issuer in the SSL log file. This information is still available in x509.log.

Functions
SSL::describe_file
Type

function (f: fa_file) : string

Default file describer for SSL.

SSL::get_file_handle
Type

function (c: connection, is_orig: bool) : string

Default file handle provider for SSL.

base/files/x509/__load__.zeek

Imports

base/files/x509/certificate-event-cache.zeek, base/files/x509/log-ocsp.zeek, base/files/x509/main.zeek

Summary
Detailed Interface

base/files/x509/main.zeek

X509
Namespace

X509

Imports

base/files/hash, base/frameworks/cluster, base/frameworks/files

Summary
Runtime Options

X509::known_log_certs_maximum_size: count &redef

Maximum size of the known_log_certs table

X509::log_x509_in_files_log: bool &redef

This option specifies if X.509 certificates are logged in files.log.

X509::relog_known_certificates_after: interval &redef

By default, x509 certificates are deduplicated.

State Variables

X509::known_log_certs: set &create_expire = X509::relog_known_certificates_after

The set that stores information about certificates that already have been logged and should not be logged again.

X509::known_log_certs_use_broker: bool

Use broker stores to deduplicate certificates across the whole cluster.

Types

X509::Info: record

The record type which contains the fields of the X.509 log.

X509::LogCertHash: record

Type that is used to decide which certificates are duplicates for logging purposes.

X509::SctInfo: record

This record is used to store information about the SCTs that are encountered in Certificates.

Redefinitions

Files::Info: record &redef

New Fields

Files::Info

x509: X509::Info &optional

Information about X509 certificates.

Log::ID: enum

Events

X509::log_x509: event

Event for accessing logged records.

Hooks

X509::create_deduplication_index: hook

Hook that is used to create the index value used for log deduplication.

X509::log_policy: Log::PolicyHook

Functions

X509::hash_function: function &redef

The hash function used for certificate hashes.

Detailed Interface
Runtime Options
X509::known_log_certs_maximum_size
Type

count

Attributes

&redef

Default

1000000

Maximum size of the known_log_certs table

X509::log_x509_in_files_log
Type

bool

Attributes

&redef

Default

F

This option specifies whether X.509 certificates are logged in files.log. Typically, there is not much value in having the entry in files.log, especially since, by default, the file ID is not present in the X509 log.

X509::relog_known_certificates_after
Type

interval

Attributes

&redef

Default

1.0 day

By default, x509 certificates are deduplicated. This configuration option configures the maximum time after which certificates are re-logged. Note - depending on other configuration options, this setting might only apply on a per-worker basis and you still might see certificates logged several times.

To disable deduplication completely, set this to 0secs.

State Variables
X509::known_log_certs
Type

set [X509::LogCertHash]

Attributes

&create_expire = X509::relog_known_certificates_after

Default

{}

The set that stores information about certificates that already have been logged and should not be logged again.

X509::known_log_certs_use_broker
Type

bool

Default

T

Use broker stores to deduplicate certificates across the whole cluster. This makes log deduplication work cluster-wide, but comes at a slightly higher cost in memory and inter-node communication.

This setting is ignored if Zeek is run in standalone mode.

Types
X509::Info
Type

record

ts: time &log

Current timestamp.

fingerprint: string &log

Fingerprint of the certificate, computed with the chosen hash algorithm.

certificate: X509::Certificate &log

Basic information about the certificate.

handle: opaque of x509

The opaque wrapping the certificate. Mainly used for the verify operations.

extensions: vector of X509::Extension &default = [] &optional

All extensions that were encountered in the certificate.

san: X509::SubjectAlternativeName &optional &log

Subject alternative name extension of the certificate.

basic_constraints: X509::BasicConstraints &optional &log

Basic constraints extension of the certificate.

extensions_cache: vector of any &default = [] &optional

All extensions in the order they were raised. This is used for caching certificates that are commonly encountered and should not be relied on in user scripts.

host_cert: bool &log &default = F &optional

Indicates if this certificate was an end-host certificate, or sent as part of a chain.

client_cert: bool &log &default = F &optional

Indicates if this certificate was sent from the client.

deduplication_index: X509::LogCertHash &optional

Record that is used to deduplicate log entries.

always_raise_x509_events: bool &default = F &optional

(present if policy/files/x509/disable-certificate-events-known-certs.zeek is loaded)

Set to true to force certificate events to always be raised for this certificate.

cert: string &log &optional

(present if policy/protocols/ssl/log-certs-base64.zeek is loaded)

Base64 encoded X.509 certificate.

The record type which contains the fields of the X.509 log.

X509::LogCertHash
Type

record

fingerprint: string

Certificate fingerprint

host_cert: bool

Indicates if this certificate was an end-host certificate, or sent as part of a chain.

client_cert: bool

Indicates if this certificate was sent from the client.

Type that is used to decide which certificates are duplicates for logging purposes. When adding entries to this, also change the create_deduplication_index to update them.

X509::SctInfo
Type

record

version: count

The version of the encountered SCT (should always be 0 for v1).

logid: string

The ID of the log issuing this SCT.

timestamp: count

The timestamp at which this SCT was issued measured since the epoch (January 1, 1970, 00:00), ignoring leap seconds, in milliseconds. Not converted to a Zeek timestamp because we need the exact value for validation.

hash_alg: count

The hash algorithm used for this SCT.

sig_alg: count

The signature algorithm used for this SCT.

signature: string

The signature of this SCT.

This record is used to store information about the SCTs that are encountered in Certificates.

Events
X509::log_x509
Type

event (rec: X509::Info)

Event for accessing logged records.

Hooks
X509::create_deduplication_index
Type

hook (c: X509::Info) : bool

Hook that is used to create the index value used for log deduplication.
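
The following is an added example, not part of Zeek's base scripts, showing the pairing the X509::LogCertHash documentation asks for: a field added to the deduplication index together with a handler for X509::create_deduplication_index that maintains it. It also exempts certificates that are not yet valid, or that expire within a constructed window (X509::always_relog_window, not a Zeek option), from deduplication. It assumes that main.zeek fills deduplication_index at &priority=5 and writes the log entry unconditionally when the field is absent after the hook has run.

```zeek
# Added example (not part of Zeek's base scripts): refine x509.log
# deduplication. Assumes main.zeek sets deduplication_index at &priority=5
# and logs unconditionally when the index is absent after the hook.
module X509;

export {
    ## Certificates whose validity has not started, or ends within this
    ## window, are logged on every encounter. Constructed option.
    const always_relog_window = 1 day &redef;
}

# LogCertHash is the set index for known_log_certs; the docs ask that
# create_deduplication_index be updated whenever fields are added here.
redef record LogCertHash += {
    issuer: string &optional;
};

# Lower priority than the base handler, so the index already exists.
hook X509::create_deduplication_index(c: X509::Info) &priority=-5
    {
    if ( c?$deduplication_index )
        {
        local now = network_time();
        local cert = c$certificate;

        if ( cert$not_valid_before > now ||
             cert$not_valid_after - now < always_relog_window )
            # Removing the index disables deduplication for this entry,
            # so short-lived or not-yet-valid certificates are always logged.
            delete c$deduplication_index;
        else
            # Otherwise, treat the same fingerprint seen under a different
            # issuer string as a distinct entry.
            c$deduplication_index$issuer = cert$issuer;
        }
    }
```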

X509::log_policy
Type

Log::PolicyHook

Functions
X509::hash_function
Type

function (cert: string) : string

Attributes

&redef

The hash function used for certificate hashes. By default this is sha256; you can use any other hash function and the hashes will change in ssl.log and in x509.log.

base/files/hash/__load__.zeek

Imports

base/files/hash/main.zeek

Summary
Detailed Interface

base/files/hash/main.zeek

FileHash
Namespace

FileHash

Imports

base/frameworks/files

Summary
Redefinitions

Files::Info: record &redef

New Fields

Files::Info

md5: string &log &optional

An MD5 digest of the file contents.

sha1: string &log &optional

A SHA1 digest of the file contents.

sha256: string &log &optional

A SHA256 digest of the file contents.

Detailed Interface

base/files/x509/certificate-event-cache.zeek

X509

This script sets up the certificate event cache handling of Zeek.

The Zeek core provides a method to skip certificate processing for known certificates. For more details about this functionality, see x509_set_certificate_cache.

This script uses this feature to lower the amount of processing that has to be performed by Zeek by caching all certificate events for common certificates. For these certificates, the parsing of certificate information in the core is disabled. Instead, the cached events and data structures from the previous certificates are used.

Namespace

X509

Imports

base/files/x509/main.zeek

Summary
Runtime Options

X509::caching_required_encounters: count &redef

How often a certificate has to be encountered before its events are cached.

X509::caching_required_encounters_interval: interval &redef

The timespan over which caching_required_encounters has to be reached.

X509::certificate_cache_max_entries: count &redef

Maximum size of the certificate event cache

X509::certificate_cache_minimum_eviction_interval: interval &redef

After a certificate has not been encountered for this time, it may be evicted from the certificate event cache.

Hooks

X509::x509_certificate_cache_replay: hook

This hook replays the cached events when a certificate that is already in the cache is encountered.

Detailed Interface
Runtime Options
X509::caching_required_encounters
Type

count

Attributes

&redef

Default

10

How often a certificate has to be encountered before its events are cached. Set to 0 to disable caching of certificates.

X509::caching_required_encounters_interval
Type

interval

Attributes

&redef

Default

1.0 min 2.0 secs

The timespan over which caching_required_encounters has to be reached.

X509::certificate_cache_max_entries
Type

count

Attributes

&redef

Default

10000

Redefinition

from policy/files/x509/disable-certificate-events-known-certs.zeek

=:

100000

Maximum size of the certificate event cache

X509::certificate_cache_minimum_eviction_interval
Type

interval

Attributes

&redef

Default

1.0 min 2.0 secs

After a certificate has not been encountered for this time, it may be evicted from the certificate event cache.

Hooks
X509::x509_certificate_cache_replay
Type

hook (f: fa_file, e: X509::Info, sha256: string) : bool

This hook replays the cached events when a certificate that is already in the cache is encountered.

It is possible to change this behavior, or to skip sending the events, by installing a higher-priority hook handler.

base/files/x509/log-ocsp.zeek

OCSP

Enable logging of OCSP responses.

Namespace

OCSP

Summary
Types

OCSP::Info: record

The record type which contains the fields of the OCSP log.

Redefinitions

Log::ID: enum

Events

OCSP::log_ocsp: event

Event that can be handled to access the OCSP record as it is sent to the logging framework.

Hooks

OCSP::log_policy: Log::PolicyHook

Detailed Interface
Types
OCSP::Info
Type

record

ts: time &log

Time when the OCSP reply was encountered.

id: string &log

File id of the OCSP reply.

hashAlgorithm: string &log

Hash algorithm used to generate issuerNameHash and issuerKeyHash.

issuerNameHash: string &log

Hash of the issuer’s distinguished name.

issuerKeyHash: string &log

Hash of the issuer’s public key.

serialNumber: string &log

Serial number of the affected certificate.

certStatus: string &log

Status of the affected certificate.

revoketime: time &log &optional

Time at which the certificate was revoked.

revokereason: string &log &optional

Reason for which the certificate was revoked.

thisUpdate: time &log

The time at which the status being shown is known to have been correct.

nextUpdate: time &log &optional

The latest time at which new information about the status of the certificate will be available.

The record type which contains the fields of the OCSP log.

Events
OCSP::log_ocsp
Type

event (rec: OCSP::Info)

Event that can be handled to access the OCSP record as it is sent to the logging framework.

Hooks
OCSP::log_policy
Type

Log::PolicyHook

base/protocols/http/__load__.zeek

Imports

base/protocols/http/entities.zeek, base/protocols/http/files.zeek, base/protocols/http/main.zeek, base/protocols/http/utils.zeek

Summary
Detailed Interface

base/protocols/http/main.zeek

HTTP

Implements base functionality for HTTP analysis. The logging model is to log request/response pairs and all relevant metadata together in a single record.

Namespace

HTTP

Imports

base/frameworks/tunnels, base/protocols/conn/removal-hooks.zeek, base/utils/files.zeek, base/utils/numbers.zeek

Summary
Runtime Options

HTTP::default_capture_password: bool &redef

This setting controls whether passwords used in Basic-Auth are captured.

HTTP::http_methods: set &redef

A list of HTTP methods.

HTTP::proxy_headers: set &redef

A list of HTTP headers typically used to indicate proxied requests.

Types

HTTP::Info: record

The record type which contains the fields of the HTTP log.

HTTP::State: record

Structure to maintain state for an HTTP connection with multiple requests and responses.

HTTP::Tags: enum

Indicate a type of attack or compromise in the record to be logged.

Redefinitions

Log::ID: enum

connection: record

New Fields

connection

http: HTTP::Info &optional

http_state: HTTP::State &optional

likely_server_ports: set &redef

Events

HTTP::log_http: event

Event that can be handled to access the HTTP record as it is sent on to the logging framework.

Hooks

HTTP::finalize_http: Conn::RemovalHook

HTTP finalization hook.

HTTP::log_policy: Log::PolicyHook

Detailed Interface
Runtime Options
HTTP::default_capture_password
Type

bool

Attributes

&redef

Default

F

This setting controls whether passwords used in Basic-Auth are captured.

HTTP::http_methods
Type

set [string]

Attributes

&redef

Default
{
   "POST",
   "PUT",
   "CONNECT",
   "BMOVE",
   "SEARCH",
   "TRACE",
   "LOCK",
   "PROPPATCH",
   "HEAD",
   "OPTIONS",
   "POLL",
   "REPORT",
   "SUBSCRIBE",
   "MOVE",
   "GET",
   "UNLOCK",
   "DELETE",
   "COPY",
   "MKCOL",
   "PROPFIND"
}

A list of HTTP methods. Other methods will generate a weird. Note that the HTTP analyzer will only accept methods consisting solely of letters [A-Za-z].

HTTP::proxy_headers
Type

set [string]

Attributes

&redef

Default
{
   "CLIENT-IP",
   "X-FORWARDED-FROM",
   "VIA",
   "XROXY-CONNECTION",
   "PROXY-CONNECTION",
   "X-FORWARDED-FOR",
   "FORWARDED"
}

A list of HTTP headers typically used to indicate proxied requests.

Types
HTTP::Info
Type

record

ts: time &log

Timestamp for when the request happened.

uid: string &log

Unique ID for the connection.

id: conn_id &log

The connection’s 4-tuple of endpoint addresses/ports.

trans_depth: count &log

Represents the pipelined depth into the connection of this request/response transaction.

method: string &log &optional

Verb used in the HTTP request (GET, POST, HEAD, etc.).

host: string &log &optional

Value of the HOST header.

uri: string &log &optional

URI used in the request.

referrer: string &log &optional

Value of the “referer” header. The comment is deliberately misspelled like the standard declares, but the name used here is “referrer”, spelled correctly.

version: string &log &optional

Value of the version portion of the reply. If you require message-level detail, consider the http_request and http_reply events, which report each message’s version string.

user_agent: string &log &optional

Value of the User-Agent header from the client.

origin: string &log &optional

Value of the Origin header from the client.

request_body_len: count &log &default = 0 &optional

Actual uncompressed content size of the data transferred from the client.

response_body_len: count &log &default = 0 &optional

Actual uncompressed content size of the data transferred from the server.

status_code: count &log &optional

Status code returned by the server.

status_msg: string &log &optional

Status message returned by the server.

info_code: count &log &optional

Last seen 1xx informational reply code returned by the server.

info_msg: string &log &optional

Last seen 1xx informational reply message returned by the server.

tags: set [HTTP::Tags] &log

A set of indicators of various attributes discovered and related to a particular request/response pair.

username: string &log &optional

Username if basic-auth is performed for the request.

password: string &log &optional

Password if basic-auth is performed for the request.

capture_password: bool &default = HTTP::default_capture_password &optional

Determines if the password will be captured for this request.

proxied: set [string] &log &optional

All of the headers that may indicate if the request was proxied.

range_request: bool &default = F &optional

Indicates if this request can assume 206 partial content in response.

orig_fuids: vector of string &log &optional

(present if base/protocols/http/entities.zeek is loaded)

An ordered vector of file unique IDs. Limited to HTTP::max_files_orig entries.

orig_filenames: vector of string &log &optional

(present if base/protocols/http/entities.zeek is loaded)

An ordered vector of filenames from the client. Limited to HTTP::max_files_orig entries.

orig_mime_types: vector of string &log &optional

(present if base/protocols/http/entities.zeek is loaded)

An ordered vector of mime types. Limited to HTTP::max_files_orig entries.

resp_fuids: vector of string &log &optional

(present if base/protocols/http/entities.zeek is loaded)

An ordered vector of file unique IDs. Limited to HTTP::max_files_resp entries.

resp_filenames: vector of string &log &optional

(present if base/protocols/http/entities.zeek is loaded)

An ordered vector of filenames from the server. Limited to HTTP::max_files_resp entries.

resp_mime_types: vector of string &log &optional

(present if base/protocols/http/entities.zeek is loaded)

An ordered vector of mime types. Limited to HTTP::max_files_resp entries.

current_entity: HTTP::Entity &optional

(present if base/protocols/http/entities.zeek is loaded)

The current entity.

orig_mime_depth: count &default = 0 &optional

(present if base/protocols/http/entities.zeek is loaded)

Current number of MIME entities in the HTTP request message body.

resp_mime_depth: count &default = 0 &optional

(present if base/protocols/http/entities.zeek is loaded)

Current number of MIME entities in the HTTP response message body.

client_header_names: vector of string &log &optional

(present if policy/protocols/http/header-names.zeek is loaded)

The vector of HTTP header names sent by the client. No header values are included here, just the header names.

server_header_names: vector of string &log &optional

(present if policy/protocols/http/header-names.zeek is loaded)

The vector of HTTP header names sent by the server. No header values are included here, just the header names.

omniture: bool &default = F &optional

(present if policy/protocols/http/software-browser-plugins.zeek is loaded)

Indicates if the server is an omniture advertising server.

flash_version: string &optional

(present if policy/protocols/http/software-browser-plugins.zeek is loaded)

The unparsed Flash version, if detected.

cookie_vars: vector of string &optional &log

(present if policy/protocols/http/var-extraction-cookies.zeek is loaded)

Variable names extracted from all cookies.

uri_vars: vector of string &optional &log

(present if policy/protocols/http/var-extraction-uri.zeek is loaded)

Variable names from the URI.

The record type which contains the fields of the HTTP log.

HTTP::State
Type

record

pending: table [count] of HTTP::Info

Pending requests.

current_request: count &default = 0 &optional

Current request in the pending queue.

current_response: count &default = 0 &optional

Current response in the pending queue.

trans_depth: count &default = 0 &optional

Track the current deepest transaction. This is meant to cope with missing requests and responses.

Structure to maintain state for an HTTP connection with multiple requests and responses.

HTTP::Tags
Type

enum

HTTP::EMPTY

Placeholder.

HTTP::URI_SQLI

(present if policy/protocols/http/detect-sqli.zeek is loaded)

Indicator of a URI based SQL injection attack.

HTTP::POST_SQLI

(present if policy/protocols/http/detect-sqli.zeek is loaded)

Indicator of client body based SQL injection attack. This is typically the body content of a POST request. Not implemented yet.

HTTP::COOKIE_SQLI

(present if policy/protocols/http/detect-sqli.zeek is loaded)

Indicator of a cookie based SQL injection attack. Not implemented yet.

Indicate a type of attack or compromise in the record to be logged.

Events
HTTP::log_http
Type

event (rec: HTTP::Info)

Event that can be handled to access the HTTP record as it is sent on to the logging framework.
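
As an added example (not part of Zeek's base scripts) covering both HTTP::Tags and HTTP::log_http: a custom tag for unusually large request bodies, added before the record is written, and a log_http handler that reads it back. The tag name LARGE_UPLOAD and the threshold HTTP::large_upload_bytes are constructed for this example; it assumes that main.zeek records request_body_len in http_message_done at &priority=5 and writes the http.log entry when the response message completes.

```zeek
# Added example (not part of Zeek's base scripts): a custom HTTP::Tags
# value set on the request side and consumed from the logged record.
module HTTP;

export {
    redef enum Tags += {
        ## Request body was at least HTTP::large_upload_bytes. Constructed tag.
        LARGE_UPLOAD,
    };

    ## Threshold for the LARGE_UPLOAD tag. Constructed option.
    const large_upload_bytes = 50 * 1024 * 1024 &redef;
}

# Assumed: main.zeek fills request_body_len at &priority=5 in this event
# and logs the transaction after the response message, so a tag added here
# on the request side ends up in the same http.log line.
event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) &priority=3
    {
    if ( ! is_orig || ! c?$http )
        return;

    if ( c$http$request_body_len >= large_upload_bytes )
        add c$http$tags[LARGE_UPLOAD];
    }

# Count of tagged transactions seen so far; kept for the usage below.
global large_uploads_seen = 0;

# log_http delivers the finished record as it goes to the logging framework.
event HTTP::log_http(rec: HTTP::Info)
    {
    if ( LARGE_UPLOAD in rec$tags )
        {
        ++large_uploads_seen;
        print fmt("large upload from %s to %s (%d bytes)",
                  rec$id$orig_h, build_url(rec), rec$request_body_len);
        }
    }
```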

Hooks
HTTP::finalize_http
Type

Conn::RemovalHook

HTTP finalization hook. Remaining HTTP info may get logged when it’s called.

HTTP::log_policy
Type

Log::PolicyHook

base/protocols/http/entities.zeek

HTTP

Analysis and logging for MIME entities found in HTTP sessions.

Namespace

HTTP

Imports

base/frameworks/files, base/protocols/http/main.zeek, base/utils/files.zeek, base/utils/strings.zeek

Summary
Runtime Options

HTTP::max_files_orig: count &redef

Maximum number of originator files to log.

HTTP::max_files_resp: count &redef

Maximum number of responder files to log.

Types

HTTP::Entity: record

Redefinitions

HTTP::Info: record

New Fields

HTTP::Info

orig_fuids: vector of string &log &optional

An ordered vector of file unique IDs.

orig_filenames: vector of string &log &optional

An ordered vector of filenames from the client.

orig_mime_types: vector of string &log &optional

An ordered vector of mime types.

resp_fuids: vector of string &log &optional

An ordered vector of file unique IDs.

resp_filenames: vector of string &log &optional

An ordered vector of filenames from the server.

resp_mime_types: vector of string &log &optional

An ordered vector of mime types.

current_entity: HTTP::Entity &optional

The current entity.

orig_mime_depth: count &default = 0 &optional

Current number of MIME entities in the HTTP request message body.

resp_mime_depth: count &default = 0 &optional

Current number of MIME entities in the HTTP response message body.

fa_file: record &redef

New Fields

fa_file

http: HTTP::Info &optional

Hooks

HTTP::max_files_policy: hook

Called when reaching the max number of files across a given HTTP connection according to HTTP::max_files_orig or HTTP::max_files_resp.

Detailed Interface
Runtime Options
HTTP::max_files_orig
Type

count

Attributes

&redef

Default

15

Maximum number of originator files to log. The HTTP::max_files_policy hook is invoked once this limit is reached to determine whether it is enforced.

HTTP::max_files_resp
Type

count

Attributes

&redef

Default

15

Maximum number of responder files to log. The HTTP::max_files_policy hook is invoked once this limit is reached to determine whether it is enforced.

Types
HTTP::Entity
Type

record

filename: string &optional

Filename for the entity if discovered from a header.

Hooks
HTTP::max_files_policy
Type

hook (f: fa_file, is_orig: bool) : bool

Called when reaching the max number of files across a given HTTP connection according to HTTP::max_files_orig or HTTP::max_files_resp. Break from the hook early to signal that the file limit should not be applied.
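
An added example, not part of Zeek's base scripts, of vetoing the file limit from this hook: responder-side files from hosts listed in the constructed option HTTP::unlimited_file_hosts keep being logged past HTTP::max_files_resp, while uploads stay capped. It assumes entities.zeek attaches the HTTP::Info record to the file (the fa_file$http field documented above) before invoking the hook.

```zeek
# Added example (not part of Zeek's base scripts): lift the per-connection
# file cap for selected servers by breaking out of HTTP::max_files_policy.
module HTTP;

export {
    ## Host header values whose responses should log every file, however
    ## many MIME entities a session carries. Constructed option; fill it
    ## with servers you operate and know to be chatty.
    const unlimited_file_hosts: set[string] = {
        "updates.example.internal"
    } &redef;
}

hook HTTP::max_files_policy(f: fa_file, is_orig: bool)
    {
    # f$http is &optional, so check it before dereferencing; it is assumed
    # to be set by entities.zeek before the hook runs. Only responder files
    # (is_orig == F) are exempted, so client uploads remain limited.
    if ( ! is_orig && f?$http && f$http?$host &&
         f$http$host in unlimited_file_hosts )
        # break vetoes the hook: the limit is not applied to this file.
        break;
    }
```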

base/protocols/http/utils.zeek

HTTP

Utilities specific for HTTP processing.

Namespace

HTTP

Imports

base/protocols/http/main.zeek, base/utils/addrs.zeek

Summary
Functions

HTTP::build_url: function

Creates a URL from an HTTP::Info record.

HTTP::build_url_http: function

Creates a URL from an HTTP::Info record.

HTTP::describe: function

Create an extremely shortened representation of a log line.

HTTP::extract_keys: function

Given a string containing a series of key-value pairs separated by “=”, this function can be used to parse out all of the key names.

Detailed Interface
Functions
HTTP::build_url
Type

function (rec: HTTP::Info) : string

Creates a URL from an HTTP::Info record. This should handle edge cases such as proxied requests appropriately.

rec

An HTTP::Info record.

Returns

A URL, not prefixed by "http://".

HTTP::build_url_http
Type

function (rec: HTTP::Info) : string

Creates a URL from an HTTP::Info record. This should handle edge cases such as proxied requests appropriately.

rec

An HTTP::Info record.

Returns

A URL prefixed with "http://".

HTTP::describe
Type

function (rec: HTTP::Info) : string

Create an extremely shortened representation of a log line.

HTTP::extract_keys
Type

function (data: string, kv_splitter: pattern) : string_vec

Given a string containing a series of key-value pairs separated by “=”, this function can be used to parse out all of the key names.

data

The raw data, such as a URL or cookie value.

kv_splitter

A regular expression representing the separator between key-value pairs.

Returns

A vector of strings containing the keys.

base/protocols/http/files.zeek

HTTP
Namespace

HTTP

Imports

base/frameworks/files, base/protocols/http/entities.zeek, base/protocols/http/main.zeek, base/protocols/http/utils.zeek, base/utils/conn-ids.zeek

Summary
Functions

HTTP::describe_file: function

Default file describer for HTTP.

HTTP::get_file_handle: function

Default file handle provider for HTTP.

Detailed Interface
Functions
HTTP::describe_file
Type

function (f: fa_file) : string

Default file describer for HTTP.

HTTP::get_file_handle
Type

function (c: connection, is_orig: bool) : string

Default file handle provider for HTTP.

base/protocols/imap/__load__.zeek

Imports

base/protocols/imap/main.zeek

Summary
Detailed Interface

base/protocols/imap/main.zeek

IMAP
Namespace

IMAP

Summary
Redefinitions

likely_server_ports: set &redef

Detailed Interface

base/protocols/irc/__load__.zeek

Imports

base/protocols/irc/dcc-send.zeek, base/protocols/irc/files.zeek, base/protocols/irc/main.zeek

Summary
Detailed Interface

base/protocols/irc/main.zeek

IRC

Implements the core IRC analysis support. The logging model is to log IRC commands along with the associated response and some additional metadata about the connection if it’s available.

Namespace

IRC

Summary
Types

IRC::Info: record

Redefinitions

Log::ID: enum

connection: record

New Fields

connection

irc: IRC::Info &optional

IRC session information.

likely_server_ports: set &redef

Events

IRC::irc_log: event

Event that can be handled to access the IRC record as it is sent on to the logging framework.

Hooks

IRC::log_policy: Log::PolicyHook

Detailed Interface
Types
IRC::Info
Type

record

ts: time &log

Timestamp when the command was seen.

uid: string &log

Unique ID for the connection.

id: conn_id &log

The connection’s 4-tuple of endpoint addresses/ports.

nick: string &log &optional

Nickname given for the connection.

user: string &log &optional

Username given for the connection.

command: string &log &optional

Command given by the client.

value: string &log &optional

Value for the command given by the client.

addl: string &log &optional

Any additional data for the command.

dcc_file_name: string &log &optional

(present if base/protocols/irc/dcc-send.zeek is loaded)

DCC filename requested.

dcc_file_size: count &log &optional

(present if base/protocols/irc/dcc-send.zeek is loaded)

Size of the DCC transfer as indicated by the sender.

dcc_mime_type: string &log &optional

(present if base/protocols/irc/dcc-send.zeek is loaded)

Sniffed mime type of the file.

fuid: string &log &optional

(present if base/protocols/irc/files.zeek is loaded)

File unique ID.

Events
IRC::irc_log
Type

event (rec: IRC::Info)

Event that can be handled to access the IRC record as it is sent on to the logging framework.

Hooks
IRC::log_policy
Type

Log::PolicyHook

base/protocols/irc/dcc-send.zeek

IRC

File extraction and introspection for DCC transfers over IRC.

There is a major problem with this script in the cluster context because we might see A send B a message that a DCC connection is to be expected, but that connection will actually be between B and C which could be analyzed on a different worker.

Namespace

IRC

Imports

base/frameworks/cluster, base/protocols/conn/removal-hooks.zeek, base/protocols/irc/main.zeek, base/utils/files.zeek

Summary
Redefinitions

IRC::Info: record

New Fields

IRC::Info

dcc_file_name: string &log &optional

DCC filename requested.

dcc_file_size: count &log &optional

Size of the DCC transfer as indicated by the sender.

dcc_mime_type: string &log &optional

Sniffed mime type of the file.

Hooks

IRC::finalize_irc_data: Conn::RemovalHook

IRC DCC data finalization hook.

Detailed Interface
Hooks
IRC::finalize_irc_data
Type

Conn::RemovalHook

IRC DCC data finalization hook. Remaining expected IRC DCC state may be purged when it’s called.

base/protocols/irc/files.zeek

IRC
Namespace

IRC

Imports

base/frameworks/files, base/protocols/irc/dcc-send.zeek, base/utils/conn-ids.zeek

Summary
Redefinitions

IRC::Info: record

New Fields

IRC::Info

fuid: string &log &optional

File unique ID.

fa_file: record &redef

New Fields

fa_file

irc: IRC::Info &optional

Functions

IRC::get_file_handle: function

Default file handle provider for IRC.

Detailed Interface
Functions
IRC::get_file_handle
Type

function (c: connection, is_orig: bool) : string

Default file handle provider for IRC.

base/protocols/krb/__load__.zeek

Imports

base/protocols/krb/files.zeek, base/protocols/krb/main.zeek

Summary
Detailed Interface

base/protocols/krb/main.zeek

KRB

Implements base functionality for KRB analysis. Generates the kerberos.log file.

Namespace

KRB

Imports

base/protocols/conn/removal-hooks.zeek, base/protocols/krb/consts.zeek

Summary
Runtime Options

KRB::ignored_errors: set &redef

The server response error texts which are not logged.

Types

KRB::Info: record

Redefinitions

Log::ID: enum

connection: record

New Fields

connection

krb: KRB::Info &optional

likely_server_ports: set &redef

Events

KRB::log_krb: event

Event that can be handled to access the KRB record as it is sent on to the logging framework.

Hooks

KRB::finalize_krb: Conn::RemovalHook

Kerberos finalization hook.

KRB::log_policy: Log::PolicyHook

Detailed Interface
Runtime Options
KRB::ignored_errors
Type

set [string]

Attributes

&redef

Default
{
   "NEEDED_PREAUTH",
   "Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ"
}

The server response error texts which are not logged.

Types
KRB::Info
Type

record

ts: time &log

Timestamp for when the event happened.

uid: string &log

Unique ID for the connection.

id: conn_id &log

The connection’s 4-tuple of endpoint addresses/ports.

request_type: string &log &optional

Request type: Authentication Service (“AS”) or Ticket Granting Service (“TGS”).

client: string &log &optional

Client

service: string &log &optional

Service

success: bool &log &optional

Request result

error_code: count &optional

Error code

error_msg: string &log &optional

Error message

from: time &log &optional

Ticket valid from

till: time &log &optional

Ticket valid till

cipher: string &log &optional

Ticket encryption type

forwardable: bool &log &optional

Forwardable ticket requested

renewable: bool &log &optional

Renewable ticket requested

logged: bool &default = F &optional

We’ve already logged this

client_cert: Files::Info &optional

(present if base/protocols/krb/files.zeek is loaded)

Client certificate

client_cert_subject: string &log &optional

(present if base/protocols/krb/files.zeek is loaded)

Subject of client certificate, if any

client_cert_fuid: string &log &optional

(present if base/protocols/krb/files.zeek is loaded)

File unique ID of client cert, if any

server_cert: Files::Info &optional

(present if base/protocols/krb/files.zeek is loaded)

Server certificate

server_cert_subject: string &log &optional

(present if base/protocols/krb/files.zeek is loaded)

Subject of server certificate, if any

server_cert_fuid: string &log &optional

(present if base/protocols/krb/files.zeek is loaded)

File unique ID of server cert, if any

auth_ticket: string &log &optional

(present if policy/protocols/krb/ticket-logging.zeek is loaded)

Hash of ticket used to authorize request/transaction

new_ticket: string &log &optional

(present if policy/protocols/krb/ticket-logging.zeek is loaded)

Hash of ticket returned by the KDC

Events
KRB::log_krb
Type

event (rec: KRB::Info)

Event that can be handled to access the KRB record as it is sent on to the logging framework.

Hooks
KRB::finalize_krb
Type

Conn::RemovalHook

Kerberos finalization hook. Remaining Kerberos info may get logged when it’s called.

KRB::log_policy
Type

Log::PolicyHook

base/protocols/krb/consts.zeek

KRB
Namespace

KRB

Summary
Constants

KRB::cipher_name: table &default = function

KRB::error_msg: table &default = function

Detailed Interface
Constants
KRB::cipher_name
Type

table [count] of string

Attributes

&default = function

Default
{
   [2] = "des-cbc-md4",
   [25] = "camellia128-cts-cmac",
   [14] = "rsaES-OAEP-ENV-OID",
   [15] = "des-ede3-cbc-Env-OID",
   [16] = "des3-cbc-sha1-kd",
   [24] = "rc4-hmac-exp",
   [23] = "rc4-hmac",
   [9] = "dsaWithSHA1-CmsOID",
   [1] = "des-cbc-crc",
   [11] = "sha1WithRSAEncryption-CmsOID",
   [7] = "des3-cbc-sha1",
   [5] = "des3-cbc-md5",
   [10] = "md5WithRSAEncryption-CmsOID",
   [13] = "rsaEncryption-EnvOID",
   [12] = "rc2CBC-EnvOID",
   [26] = "camellia256-cts-cmac",
   [65] = "subkey-keymaterial",
   [18] = "aes256-cts-hmac-sha1-96",
   [3] = "des-cbc-md5",
   [17] = "aes128-cts-hmac-sha1-96"
}
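
An added example, not part of Zeek's base scripts, that ties KRB::log_krb to the names in KRB::cipher_name: it raises a notice when the KDC issues a ticket using one of the legacy encryption types listed in that table. The notice type KRB::Legacy_Ticket_Cipher and the set KRB::legacy_ciphers are constructed for this example; it assumes KRB::Info$cipher carries the name string produced from KRB::cipher_name.

```zeek
# Added example (not part of Zeek's base scripts): notice on tickets issued
# with legacy Kerberos encryption types.
module KRB;

export {
    redef enum Notice::Type += {
        ## A Kerberos ticket was issued with a legacy encryption type.
        ## Constructed notice type.
        Legacy_Ticket_Cipher,
    };

    ## Cipher names, as they appear in KRB::cipher_name, that should raise
    ## Legacy_Ticket_Cipher. Constructed set; adjust to local policy.
    const legacy_ciphers: set[string] = {
        "rc4-hmac", "rc4-hmac-exp",
        "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
        "des3-cbc-sha1", "des3-cbc-md5"
    } &redef;
}

event KRB::log_krb(rec: KRB::Info)
    {
    # Only successful exchanges carry an issued ticket with a cipher.
    if ( ! rec?$cipher || ! rec?$success || ! rec$success )
        return;

    if ( rec$cipher !in legacy_ciphers )
        return;

    local cli = rec?$client ? rec$client : "<unknown>";
    local svc = rec?$service ? rec$service : "<unknown>";
    local kind = rec?$request_type ? rec$request_type : "KRB";

    NOTICE([$note=Legacy_Ticket_Cipher,
            $msg=fmt("%s ticket for %s issued to %s using %s",
                     kind, svc, cli, rec$cipher),
            $sub=rec$cipher,
            $uid=rec$uid,
            $id=rec$id,
            # Suppress repeats for the same client/service/cipher triple.
            $identifier=cat(cli, svc, rec$cipher)]);
    }
```
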
KRB::error_msg
Type

table [count] of string

Attributes

&default = function

Default
{
   [19] = "KDC_ERR_SERVICE_REVOKED",
   [20] = "KDC_ERR_TGT_REVOKED",
   [33] = "KRB_AP_ERR_TKT_NYV",
   [39] = "KRB_AP_ERR_BADVERSION",
   [67] = "KRB_AP_ERR_NO_TGT",
   [73] = "KDC_ERR_REVOCATION_STATUS_UNKNOWN",
   [75] = "KDC_ERR_CLIENT_NAME_MISMATCH",
   [46] = "KRB_AP_ERR_MUT_FAIL",
   [15] = "KDC_ERR_SUMTYPE_NOSUPP",
   [64] = "KDC_ERROR_INVALID_SIG",
   [28] = "KDC_ERR_PATH_NOT_ACCEPTED",
   [9] = "KDC_ERR_NULL_KEY",
   [68] = "KDC_ERR_WRONG_REALM",
   [71] = "KDC_ERR_INVALID_CERTIFICATE",
   [52] = "KRB_ERR_RESPONSE_TOO_BIG",
   [21] = "KDC_ERR_CLIENT_NOTYET",
   [4] = "KDC_ERR_C_OLD_MAST_KVNO",
   [12] = "KDC_ERR_POLICY",
   [41] = "KRB_AP_ERR_MODIFIED",
   [17] = "KDC_ERR_TRTYPE_NOSUPP",
   [25] = "KDC_ERR_PREAUTH_REQUIRED",
   [76] = "KDC_ERR_KDC_NAME_MISMATCH",
   [29] = "KDC_ERR_SVC_UNAVAILABLE",
   [16] = "KDC_ERR_PADATA_TYPE_NOSUPP",
   [38] = "KRB_AP_ERR_BADADDR",
   [63] = "KDC_ERROR_KDC_NOT_TRUSTED",
   [42] = "KRB_AP_ERR_BADORDER",
   [1] = "KDC_ERR_NAME_EXP",
   [11] = "KDC_ERR_NEVER_VALID",
   [35] = "KRB_AP_ERR_NOT_US",
   [22] = "KDC_ERR_SERVICE_NOTYET",
   [3] = "KDC_ERR_BAD_PVNO",
   [44] = "KRB_AP_ERR_BADKEYVER",
   [34] = "KRB_AP_ERR_REPEAT",
   [45] = "KRB_AP_ERR_NOKEY",
   [40] = "KRB_AP_ERR_MSG_TYPE",
   [36] = "KRB_AP_ERR_BADMATCH",
   [14] = "KDC_ERR_ETYPE_NOSUPP",
   [6] = "KDC_ERR_C_PRINCIPAL_UNKNOWN",
   [31] = "KRB_AP_ERR_BAD_INTEGRITY",
   [8] = "KDC_ERR_PRINCIPAL_NOT_UNIQUE",
   [23] = "KDC_ERR_KEY_EXPIRED",
   [27] = "KDC_ERR_MUST_USE_USER2USER",
   [7] = "KDC_ERR_S_PRINCIPAL_UNKNOWN",
   [66] = "KDC_ERR_CERTIFICATE_MISMATCH",
   [10] = "KDC_ERR_CANNOT_POSTDATE",
   [32] = "KRB_AP_ERR_TKT_EXPIRED",
   [13] = "KDC_ERR_BADOPTION",
   [26] = "KDC_ERR_SERVER_NOMATCH",
   [65] = "KDC_ERR_KEY_TOO_WEAK",
   [62] = "KDC_ERROR_CLIENT_NOT_TRUSTED",
   [74] = "KDC_ERR_REVOCATION_STATUS_UNAVAILABLE",
   [47] = "KRB_AP_ERR_BADDIRECTION",
   [70] = "KDC_ERR_CANT_VERIFY_CERTIFICATE",
   [50] = "KRB_AP_ERR_INAPP_CKSUM",
   [2] = "KDC_ERR_SERVICE_EXP",
   [72] = "KDC_ERR_REVOKED_CERTIFICATE",
   [48] = "KRB_AP_ERR_METHOD",
   [24] = "KDC_ERR_PREAUTH_FAILED",
   [69] = "KRB_AP_ERR_USER_TO_USER_REQUIRED",
   [49] = "KRB_AP_ERR_BADSEQ",
   [5] = "KDC_ERR_S_OLD_MAST_KVNO",
   [61] = "KRB_ERR_FIELD_TOOLONG",
   [60] = "KRB_ERR_GENERIC",
   [51] = "KRB_AP_PATH_NOT_ACCEPTED",
   [37] = "KRB_AP_ERR_SKEW",
   [18] = "KDC_ERR_CLIENT_REVOKED",
   [0] = "KDC_ERR_NONE"
}

base/protocols/krb/files.zeek

KRB
Namespace

KRB

Imports

base/files/x509, base/frameworks/files, base/protocols/krb/main.zeek, base/utils/conn-ids.zeek

Summary
Redefinitions

KRB::Info: record

New Fields

KRB::Info

client_cert: Files::Info &optional

Client certificate

client_cert_subject: string &log &optional

Subject of client certificate, if any

client_cert_fuid: string &log &optional

File unique ID of client cert, if any

server_cert: Files::Info &optional

Server certificate

server_cert_subject: string &log &optional

Subject of server certificate, if any

server_cert_fuid: string &log &optional

File unique ID of server cert, if any

Functions

KRB::describe_file: function

Default file describer for KRB.

KRB::get_file_handle: function

Default file handle provider for KRB.

Detailed Interface
Functions
KRB::describe_file
Type

function (f: fa_file) : string

Default file describer for KRB.

KRB::get_file_handle
Type

function (c: connection, is_orig: bool) : string

Default file handle provider for KRB.

base/protocols/modbus/__load__.zeek

Imports

base/protocols/modbus/consts.zeek, base/protocols/modbus/main.zeek

Summary
Detailed Interface

base/protocols/modbus/consts.zeek

Modbus
Namespace

Modbus

Summary
Redefinable Options

Modbus::exception_codes: table &default = function &redef

Modbus::function_codes: table &default = function &redef

Standard defined Modbus function codes.

Detailed Interface
Redefinable Options
Modbus::exception_codes
Type

table [count] of string

Attributes

&default = function &redef

Default
{
   [2] = "ILLEGAL_DATA_ADDRESS",
   [8] = "MEMORY_PARITY_ERROR",
   [11] = "GATEWAY_TARGET_DEVICE_FAILED_TO_RESPOND",
   [5] = "ACKNOWLEDGE",
   [3] = "ILLEGAL_DATA_VALUE",
   [10] = "GATEWAY_PATH_UNAVAILABLE",
   [6] = "SLAVE_DEVICE_BUSY",
   [4] = "SLAVE_DEVICE_FAILURE",
   [1] = "ILLEGAL_FUNCTION"
}
Modbus::function_codes
Type

table [count] of string

Attributes

&default = function &redef

Default
{
   [40] = "PROGRAM_CONCEPT",
   [19] = "RESET_COMM_LINK_884_U84",
   [20] = "READ_FILE_RECORD",
   [149] = "WRITE_FILE_RECORD_EXCEPTION",
   [151] = "READ_WRITE_MULTIPLE_REGISTERS_EXCEPTION",
   [15] = "WRITE_MULTIPLE_COILS",
   [6] = "WRITE_SINGLE_REGISTER",
   [14] = "POLL_584_984",
   [125] = "FIRMWARE_REPLACEMENT",
   [8] = "DIAGNOSTICS",
   [23] = "READ_WRITE_MULTIPLE_REGISTERS",
   [9] = "PROGRAM_484",
   [7] = "READ_EXCEPTION_STATUS",
   [127] = "REPORT_LOCAL_ADDRESS",
   [21] = "WRITE_FILE_RECORD",
   [10] = "POLL_484",
   [4] = "READ_INPUT_REGISTERS",
   [13] = "PROGRAM_584_984",
   [12] = "GET_COMM_EVENT_LOG",
   [130] = "READ_DISCRETE_INPUTS_EXCEPTION",
   [148] = "READ_FILE_RECORD_EXCEPTION",
   [17] = "REPORT_SLAVE_ID",
   [134] = "WRITE_SINGLE_REGISTER_EXCEPTION",
   [152] = "READ_FIFO_QUEUE_EXCEPTION",
   [150] = "MASK_WRITE_REGISTER_EXCEPTION",
   [2] = "READ_DISCRETE_INPUTS",
   [132] = "READ_INPUT_REGISTERS_EXCEPTION",
   [16] = "WRITE_MULTIPLE_REGISTERS",
   [24] = "READ_FIFO_QUEUE",
   [133] = "WRITE_SINGLE_COIL_EXCEPTION",
   [1] = "READ_COILS",
   [11] = "GET_COMM_EVENT_COUNTER",
   [126] = "PROGRAM_584_984_2",
   [5] = "WRITE_SINGLE_COIL",
   [22] = "MASK_WRITE_REGISTER",
   [43] = "ENCAP_INTERFACE_TRANSPORT",
   [143] = "WRITE_MULTIPLE_COILS_EXCEPTION",
   [18] = "PROGRAM_884_U84",
   [135] = "READ_EXCEPTION_STATUS_EXCEPTION",
   [3] = "READ_HOLDING_REGISTERS",
   [131] = "READ_HOLDING_REGISTERS_EXCEPTION",
   [144] = "WRITE_MULTIPLE_REGISTERS_EXCEPTION",
   [129] = "READ_COILS_EXCEPTION"
}

Standard defined Modbus function codes.
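Because `Modbus::function_codes` is declared `&redef`, a site can extend it from `local.zeek` for controllers that use the user-defined ranges. The script below is an added example, not part of Zeek's own `base/protocols/modbus` scripts: the two vendor names are hypothetical placeholders, and the `modbus_message` handler shows that the `in` operator tests real table membership and is not satisfied by the table's `&default` function, which only synthesizes a name on lookup.

```zeek
@load base/frameworks/notice
@load base/protocols/modbus

module ModbusSite;

export {
	redef enum Notice::Type += {
		## A Modbus request used a function code with no entry in
		## Modbus::function_codes (added example, not a Zeek built-in notice).
		Unknown_Function_Code,
	};
}

# Hypothetical vendor-specific codes. The Modbus specification reserves
# 65-72 and 100-110 for user-defined functions, so site additions belong there.
redef Modbus::function_codes += {
	[65]  = "VENDOR_READ_CONFIG",      # hypothetical name
	[100] = "VENDOR_FIRMWARE_UPLOAD",  # hypothetical name
};

event modbus_message(c: connection, headers: ModbusHeaders, is_orig: bool)
	{
	# Only requests carry plain function codes; responses may set the
	# exception bit (128 + code), which the table already names separately.
	if ( ! is_orig )
		return;

	# `in` ignores the &default function, so this distinguishes a code the
	# table knows from one that would merely receive a synthesized label in
	# modbus.log's func field.
	if ( headers$function_code !in Modbus::function_codes )
		NOTICE([$note=Unknown_Function_Code,
		        $msg=fmt("Modbus function code %d has no entry in Modbus::function_codes",
		                 headers$function_code),
		        $conn=c,
		        $identifier=cat(c$id$orig_h, c$id$resp_h, headers$function_code)]);
	}
```

The `$identifier` field lets the notice framework suppress repeats for the same client, server and code, so a chatty PLC poller produces one notice rather than one per request.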

base/protocols/modbus/main.zeek

Modbus

Base Modbus analysis script.

Namespace

Modbus

Imports

base/protocols/modbus/consts.zeek

Summary
Types

Modbus::Info: record

Redefinitions

Log::ID: enum

connection: record

New Fields

connection

modbus: Modbus::Info &optional

likely_server_ports: set &redef

Events

Modbus::log_modbus: event

Event that can be handled to access the Modbus record as it is sent on to the logging framework.

Hooks

Modbus::log_policy: Log::PolicyHook

Detailed Interface
Types
Modbus::Info
Type

record

ts: time &log

Time of the request.

uid: string &log

Unique identifier for the connection.

id: conn_id &log

Identifier for the connection.

func: string &log &optional

The name of the function message that was sent.

exception: string &log &optional

The exception if the response was a failure.

track_address: count &default = 0 &optional

(present if policy/protocols/modbus/track-memmap.zeek is loaded)

Events
Modbus::log_modbus
Type

event (rec: Modbus::Info)

Event that can be handled to access the Modbus record as it is sent on to the logging framework.

Hooks
Modbus::log_policy
Type

Log::PolicyHook

base/protocols/mqtt/__load__.zeek

Imports

base/protocols/mqtt/consts.zeek

Summary
Detailed Interface

base/protocols/mqtt/consts.zeek

MQTT

Constants definitions for MQTT.

Namespace

MQTT

Summary
Constants

MQTT::msg_types: table &default = function

MQTT::qos_levels: table &default = function

MQTT::return_codes: table &default = function

MQTT::versions: table &default = function

Detailed Interface
Constants
MQTT::msg_types
Type

table [count] of string

Attributes

&default = function

Default
{
   [2] = "connack",
   [11] = "unsuback",
   [5] = "pubrec",
   [7] = "pubcomp",
   [6] = "pubrel",
   [10] = "unsubscribe",
   [14] = "disconnect",
   [4] = "puback",
   [13] = "pingresp",
   [12] = "pingreq",
   [8] = "subscribe",
   [3] = "publish",
   [9] = "suback",
   [1] = "connect"
}
MQTT::qos_levels
Type

table [count] of string

Attributes

&default = function

Default
{
   [0] = "at most once",
   [2] = "exactly once",
   [1] = "at least once"
}
MQTT::return_codes
Type

table [count] of string

Attributes

&default = function

Default
{
   [2] = "Refused: identifier rejected",
   [3] = "Refused: server unavailable",
   [5] = "Refused: not authorized",
   [0] = "Connection Accepted",
   [4] = "Refused: bad user name or password",
   [1] = "Refused: unacceptable protocol version"
}
MQTT::versions
Type

table [count] of string

Attributes

&default = function

Default
{
   [4] = "3.1.1",
   [3] = "3.1",
   [5] = "5.0"
}

base/protocols/mysql/__load__.zeek

Imports

base/protocols/mysql/main.zeek

Summary
Detailed Interface

base/protocols/mysql/main.zeek

MySQL

Implements base functionality for MySQL analysis. Generates the mysql.log file.

Namespace

MySQL

Imports

base/protocols/conn/removal-hooks.zeek, base/protocols/mysql/consts.zeek

Summary
Types

MySQL::Info: record

Redefinitions

Log::ID: enum

connection: record

New Fields

connection

mysql: MySQL::Info &optional

Events

MySQL::log_mysql: event

Event that can be handled to access the MySQL record as it is sent on to the logging framework.

Hooks

MySQL::finalize_mysql: Conn::RemovalHook

MySQL finalization hook.

MySQL::log_policy: Log::PolicyHook

Detailed Interface
Types
MySQL::Info
Type

record

ts: time &log

Timestamp for when the event happened.

uid: string &log

Unique ID for the connection.

id: conn_id &log

The connection’s 4-tuple of endpoint addresses/ports.

cmd: string &log

The command that was issued

arg: string &log

The argument issued to the command

success: bool &log &optional

Did the server tell us that the command succeeded?

rows: count &log &optional

The number of affected rows, if any

response: string &log &optional

Server message, if any

Events
MySQL::log_mysql
Type

event (rec: MySQL::Info)

Event that can be handled to access the MySQL record as it is sent on to the logging framework.

Hooks
MySQL::finalize_mysql
Type

Conn::RemovalHook

MySQL finalization hook. Remaining MySQL info may get logged when it’s called.

MySQL::log_policy
Type

Log::PolicyHook
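The `MySQL::log_mysql` event fires once per record just before it reaches the logging framework, so it is the natural place to react to fields such as `cmd`, `arg` and `success` without re-parsing the protocol. The following handler is an added example rather than code shipped with Zeek; the `MySQLWatch` module, the `Privileged_Command` notice type and the `watched_commands` set are all hypothetical site policy.

```zeek
@load base/frameworks/notice
@load base/protocols/mysql

module MySQLWatch;

export {
	redef enum Notice::Type += {
		## A command from MySQLWatch::watched_commands completed successfully
		## (added example, not a Zeek built-in notice).
		Privileged_Command,
	};

	## Command names, as they appear in MySQL::Info$cmd (see MySQL::commands),
	## that warrant a notice. Hypothetical defaults; redef to match site policy.
	const watched_commands: set[string] = {
		"drop_db", "create_db", "shutdown", "process_kill", "change_user",
	} &redef;
}

event MySQL::log_mysql(rec: MySQL::Info)
	{
	if ( rec$cmd !in watched_commands )
		return;

	# `success` is &optional: it is absent when the server's reply was not
	# seen. Failed and unknown outcomes stay in mysql.log but raise nothing.
	if ( ! rec?$success || ! rec$success )
		return;

	NOTICE([$note=Privileged_Command,
	        $msg=fmt("MySQL command '%s' succeeded", rec$cmd),
	        $sub=rec$arg,
	        $uid=rec$uid,
	        $id=rec$id,
	        # One notice per client/command pair until the suppression interval expires.
	        $identifier=cat(rec$id$orig_h, rec$cmd)]);
	}
```

Handling the log event rather than the raw `mysql_command_request` event means the record already carries the server's verdict, which is what distinguishes an executed `drop_db` from a rejected one.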

base/protocols/mysql/consts.zeek

MySQL
Namespace

MySQL

Summary
Constants

MySQL::commands: table &default = function

Detailed Interface
Constants
MySQL::commands
Type

table [count] of string

Attributes

&default = function

Default
{
   [19] = "table_dump",
   [20] = "connect_out",
   [14] = "ping",
   [15] = "time",
   [6] = "drop_db",
   [30] = "binlog_dump_gtid",
   [31] = "reset_connection",
   [28] = "stmt_fetch",
   [23] = "stmt_execute",
   [8] = "shutdown",
   [27] = "set_option",
   [9] = "statistics",
   [7] = "refresh",
   [10] = "process_info",
   [21] = "register_slave",
   [4] = "field_list",
   [26] = "stmt_reset",
   [13] = "debug",
   [12] = "process_kill",
   [17] = "change_user",
   [25] = "stmt_close",
   [2] = "init_db",
   [29] = "daemon",
   [16] = "delayed_insert",
   [24] = "stmt_send_long_data",
   [1] = "quit",
   [11] = "connect",
   [5] = "create_db",
   [22] = "stmt_prepare",
   [18] = "binlog_dump",
   [3] = "query",
   [0] = "sleep"
}

base/protocols/ntlm/__load__.zeek

Imports

base/protocols/ntlm/main.zeek

Summary
Detailed Interface

base/protocols/ntlm/main.zeek

NTLM
Namespace

NTLM

Imports

base/frameworks/dpd, base/protocols/conn/removal-hooks.zeek

Summary
Types

NTLM::Info: record

Redefinitions

DPD::ignore_violations: set &redef

Log::ID: enum

connection: record

New Fields

connection

ntlm: NTLM::Info &optional

Hooks

NTLM::finalize_ntlm: Conn::RemovalHook

NTLM finalization hook.

NTLM::log_policy: Log::PolicyHook

Detailed Interface
Types
NTLM::Info
Type

record

ts: time &log

Timestamp for when the event happened.

uid: string &log

Unique ID for the connection.

id: conn_id &log

The connection’s 4-tuple of endpoint addresses/ports.

username: string &log &optional

Username given by the client.

hostname: string &log &optional

Hostname given by the client.

domainname: string &log &optional

Domain name given by the client.

server_nb_computer_name: string &log &optional

NetBIOS name given by the server in a CHALLENGE.

server_dns_computer_name: string &log &optional

DNS name given by the server in a CHALLENGE.

server_tree_name: string &log &optional

Tree name given by the server in a CHALLENGE.

success: bool &log &optional

Indicates whether or not the authentication was successful.

done: bool &default = F &optional

Internally used field to indicate if the login attempt has already been logged.

Hooks
NTLM::finalize_ntlm
Type

Conn::RemovalHook

NTLM finalization hook. Remaining NTLM info may get logged when it’s called.

NTLM::log_policy
Type

Log::PolicyHook
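`NTLM::log_policy` is a `Log::PolicyHook`, and the same hook type can be attached to an extra filter on the `NTLM::LOG` stream to route a subset of records to their own file while `ntlm.log` stays complete. The script below is an added example, not part of Zeek's NTLM scripts: the `NTLMFailures` module, the `failed_only` hook and the `ntlm_failed` path are hypothetical names.

```zeek
@load base/protocols/ntlm

module NTLMFailures;

# Hypothetical policy hook for the extra filter. Declared with the generic
# Log::PolicyHook type; the handler below narrows rec to NTLM::Info.
global failed_only: Log::PolicyHook;

hook failed_only(rec: NTLM::Info, id: Log::ID, filter: Log::Filter)
	{
	# `success` is &optional and absent when the exchange was not completed
	# on the wire. Keep only records where the server explicitly reported a
	# failed authentication; `break` vetoes writing the record to this filter.
	if ( ! rec?$success || rec$success )
		break;
	}

event zeek_init()
	{
	# The default filter (and NTLM::log_policy) is untouched, so ntlm.log
	# still receives every record; ntlm_failed.log receives only failures.
	Log::add_filter(NTLM::LOG, [$name="ntlm-failed",
	                            $path="ntlm_failed",
	                            $policy=failed_only]);
	}
```

A filter-specific `$policy` is preferable to a handler on `NTLM::log_policy` for this purpose, because a `break` in the stream-wide hook would suppress the record from every filter, including the default one.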

base/protocols/ntp/__load__.zeek

Imports

base/protocols/ntp/consts.zeek, base/protocols/ntp/main.zeek

Summary
Detailed Interface

base/protocols/ntp/main.zeek

NTP
Namespace

NTP

Summary
Types

NTP::Info: record

Redefinitions

Log::ID: enum

connection: record

New Fields

connection

ntp: NTP::Info &optional

likely_server_ports: set &redef

Events

NTP::log_ntp: event

Event that can be handled to access the NTP record as it is sent on to the logging framework.

Hooks

NTP::log_policy: Log::PolicyHook

Detailed Interface
Types
NTP::Info
Type

record

ts: time &log

Timestamp for when the event happened.

uid: string &log

Unique ID for the connection.

id: conn_id &log

The connection’s 4-tuple of endpoint addresses/ports.

version: count &log

The NTP version number (1, 2, 3, 4).

mode: count &log

The NTP mode being used.

stratum: count &log

The stratum (primary server, secondary server, etc.).

poll: interval &log

The maximum interval between successive messages.

precision: interval &log

The precision of the system clock.

root_delay: interval &log

Total round-trip delay to the reference clock.

root_disp: interval &log

Total dispersion to the reference clock.

ref_id: string &log

For stratum 0, a 4-character string used for debugging. For stratum 1, the ID assigned to the reference clock by IANA. Above stratum 1, when using IPv4, the IP address of the reference clock. Note that the NTP protocol did not originally specify a field large enough to hold an IPv6 address, so IPv6 reference clocks use the first four bytes of the MD5 hash of the clock’s IPv6 address (i.e., a value that looks like an IPv4 address here is not necessarily one).

ref_time: time &log

Time when the system clock was last set or corrected.

org_time: time &log

Time at the client when the request departed for the NTP server.

rec_time: time &log

Time at the server when the request arrived from the NTP client.

xmt_time: time &log

Time at the server when the response departed for the NTP client.

num_exts: count &default = 0 &optional &log

Number of extension fields (which are not currently parsed).

Events
NTP::log_ntp
Type

event (rec: NTP::Info)

Event that can be handled to access the NTP record as it is sent on to the logging framework.

Hooks
NTP::log_policy
Type

Log::PolicyHook

base/protocols/ntp/consts.zeek

NTP
Namespace

NTP

Summary
Redefinable Options

NTP::modes: table &default = function &redef

The descriptions of the NTP mode value, as described in RFC 5905, Figure 1

Detailed Interface
Redefinable Options
NTP::modes
Type

table [count] of string

Attributes

&default = function &redef

Default
{
   [2] = "symmetric passive",
   [5] = "broadcast server",
   [3] = "client",
   [7] = "reserved",
   [6] = "broadcast client",
   [4] = "server",
   [1] = "symmetric active"
}

The descriptions of the NTP mode value, as described in RFC 5905, Figure 1

base/protocols/pop3/__load__.zeek

Summary
Detailed Interface

base/protocols/radius/__load__.zeek

Imports

base/protocols/radius/main.zeek

Summary
Detailed Interface

base/protocols/radius/main.zeek

RADIUS

Implements base functionality for RADIUS analysis. Generates the radius.log file.

Namespace

RADIUS

Imports

base/protocols/conn/removal-hooks.zeek, base/protocols/radius/consts.zeek, base/utils/addrs.zeek

Summary
Types

RADIUS::Info: record

Redefinitions

Log::ID: enum

connection: record

New Fields

connection

radius: RADIUS::Info &optional

likely_server_ports: set &redef

Events

RADIUS::log_radius: event

Event that can be handled to access the RADIUS record as it is sent on to the logging framework.

Hooks

RADIUS::finalize_radius: Conn::RemovalHook

RADIUS finalization hook.

RADIUS::log_policy: Log::PolicyHook

Detailed Interface
Types
RADIUS::Info
Type

record

ts: time &log

Timestamp for when the event happened.

uid: string &log

Unique ID for the connection.

id: conn_id &log

The connection’s 4-tuple of endpoint addresses/ports.

username: string &log &optional

The username, if present.

mac: string &log &optional

MAC address, if present.

framed_addr: addr &log &optional

The address given to the network access server, if present. This is only a hint from the RADIUS server and the network access server is not required to honor the address.

tunnel_client: string &log &optional

Address (IPv4, IPv6, or FQDN) of the initiator end of the tunnel, if present. This is collected from the Tunnel-Client-Endpoint attribute.

connect_info: string &log &optional

Connect info, if present.

reply_msg: string &log &optional

Reply message from the server challenge. This is frequently shown to the user authenticating.

result: string &log &optional

Successful or failed authentication.

ttl: interval &log &optional

The duration between the first request and either the “Access-Accept” message or an error. If the field is empty, it means that either the request or response was not seen.

logged: bool &default = F &optional

Whether this has already been logged and can be ignored.

Events
RADIUS::log_radius
Type

event (rec: RADIUS::Info)

Event that can be handled to access the RADIUS record as it is sent on to the logging framework.

Hooks
RADIUS::finalize_radius
Type

Conn::RemovalHook

RADIUS finalization hook. Remaining RADIUS info may get logged when it’s called.

RADIUS::log_policy
Type

Log::PolicyHook

base/protocols/radius/consts.zeek

RADIUS
Namespace

RADIUS

Summary
Detailed Interface

base/protocols/rdp/__load__.zeek

Imports

base/protocols/rdp/consts.zeek, base/protocols/rdp/main.zeek

Summary
Detailed Interface

base/protocols/rdp/consts.zeek

RDP
Namespace

RDP

Summary
Constants

RDP::builds: table &default = function

RDP::cert_types: table &default = function

RDP::color_depths: table &default = function

RDP::encryption_levels: table &default = function

RDP::encryption_methods: table &default = function

RDP::failure_codes: table &default = function

RDP::high_color_depths: table &default = function

RDP::languages: table &default = function

RDP::results: table &default = function

RDP::security_protocols: table &default = function

Detailed Interface
Constants
RDP::builds
Type

table [count] of string

Attributes

&default = function

Default
{
   [2195] = "RDP 5.0",
   [7601] = "RDP 7.1",
   [6001] = "RDP 6.1",
   [6000] = "RDP 6.0",
   [419] = "RDP 4.0",
   [25282] = "RDP 8.0 (Mac)",
   [3790] = "RDP 5.2",
   [2600] = "RDP 5.1",
   [6002] = "RDP 6.2",
   [2221] = "RDP 5.0",
   [7600] = "RDP 7.0",
   [9600] = "RDP 8.1",
   [25189] = "RDP 8.0 (Mac)",
   [9200] = "RDP 8.0"
}
RDP::cert_types
Type

table [count] of string

Attributes

&default = function

Default
{
   [2] = "X.509",
   [1] = "RSA"
}
RDP::color_depths
Type

table [count] of string

Attributes

&default = function

Default
{
   [8] = "32bit",
   [4] = "15bit",
   [2] = "16bit",
   [1] = "24bit"
}
RDP::encryption_levels
Type

table [count] of string

Attributes

&default = function

Default
{
   [0] = "None",
   [2] = "Client compatible",
   [4] = "FIPS",
   [1] = "Low",
   [3] = "High"
}
RDP::encryption_methods
Type

table [count] of string

Attributes

&default = function

Default
{
   [0] = "None",
   [10] = "FIPS",
   [8] = "56bit",
   [2] = "128bit",
   [1] = "40bit"
}
RDP::failure_codes
Type

table [count] of string

Attributes

&default = function

Default
{
   [2] = "SSL_NOT_ALLOWED_BY_SERVER",
   [5] = "HYBRID_REQUIRED_BY_SERVER",
   [3] = "SSL_CERT_NOT_ON_SERVER",
   [6] = "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
   [4] = "INCONSISTENT_FLAGS",
   [1] = "SSL_REQUIRED_BY_SERVER"
}
RDP::high_color_depths
Type

table [count] of string

Attributes

&default = function

Default
{
   [15] = "15bit",
   [16] = "16bit",
   [8] = "8bit",
   [4] = "4bit",
   [24] = "24bit"
}
RDP::languages
Type

table [count] of string

Attributes

&default = function

Default
{
   [1154] = "Occitan",
   [66628] = "Tatar",
   [6153] = "English - Ireland",
   [658432] = "Phags-pa",
   [1080] = "Faroese",
   [67596] = "Belgian (Comma)",
   [11273] = "English - Trinidad",
   [71689] = "Scottish Gaelic",
   [263177] = "English - United States (Dvorak for right hand)",
   [1117184] = "Javanese",
   [1153] = "Maori - New Zealand",
   [1155] = "Corsican",
   [14337] = "Arabic - U.A.E.",
   [1140] = "Guarani - Paraguay",
   [66652] = "Cherokee Nation Phonetic",
   [1033] = "English - United States",
   [1129] = "Ibibio - Nigeria",
   [1053] = "Swedish",
   [12314] = "Serbian (Cyrillic) - Montenegro",
   [1134] = "Luxembourgish",
   [12297] = "English - Zimbabwe",
   [3079] = "German - Austria",
   [2070] = "Portuguese - Portugal",
   [66569] = "English - United States (Dvorak)",
   [5124] = "Chinese - Macao SAR",
   [68608] = "Myanmar",
   [1070] = "Sorbian",
   [1079] = "Georgian",
   [9226] = "Spanish - Colombia",
   [1089] = "Swahili",
   [66650] = "Syriac Phonetic",
   [1105] = "Tibetan - People's Republic of China",
   [17417] = "English - Malaysia",
   [1164] = "Dari",
   [9242] = "Serbian (Latin) - Serbia",
   [1064] = "Tajik",
   [14346] = "Spanish - Uruguay",
   [66604] = "Azerbaijani (Standard)",
   [1109] = "Burmese",
   [1158] = "K'iche",
   [1075] = "Venda",
   [4122] = "Croatian (Bosnia/Herzegovina)",
   [1128] = "Hausa - Nigeria",
   [1137] = "Kanuri - Nigeria",
   [66606] = "Sorbian Extended",
   [986112] = "Old Italic",
   [2141] = "Inuktitut (Latin) - Canada",
   [10249] = "English - Belize",
   [66565] = "Czech (QWERTY)",
   [11265] = "Arabic - Jordan",
   [197634] = "Bulgarian",
   [1081] = "Hindi",
   [1036] = "French - France",
   [1093] = "Bengali (India)",
   [132139] = "Armenian Phonetic",
   [4097] = "Arabic - Libya",
   [1133] = "Bashkir",
   [7227] = "Sami (Southern) - Sweden",
   [1039] = "Icelandic",
   [5146] = "Bosnian (Bosnia/Herzegovina)",
   [1059] = "Belarusian",
   [1088] = "Kyrgyz (Cyrillic)",
   [17418] = "Spanish - El Salvador",
   [22538] = "Spanish - Latin America",
   [6156] = "French - Monaco",
   [66568] = "Uyghur",
   [66641] = "Tibetan (PRC - Standard)",
   [132105] = "English - United States (International)",
   [66562] = "Bulgarian (Latin)",
   [1091] = "Uzbek (Latin)",
   [2128] = "Mongolian (Mongolian)",
   [66590] = "Thai Pattachote",
   [1043] = "Dutch - Netherlands",
   [132098] = "Bulgarian (phonetic layout)",
   [1052] = "Albanian - Albania",
   [1029] = "Czech",
   [2145] = "Nepali - India",
   [6154] = "Spanish - Panama",
   [197662] = "Thai Pattachote (non-ShiftLock)",
   [1115] = "Sinhalese - Sri Lanka",
   [328745] = "Persian (Standard)",
   [132134] = "Latvian (Standard)",
   [1135] = "Greenlandic",
   [9228] = "French - Democratic Rep. of Congo",
   [4155] = "Sami (Lule) - Norway",
   [66619] = "Sami Extended Norway",
   [1090] = "Turkmen",
   [66615] = "Georgian (QWERTY)",
   [199680] = "Tai Le",
   [1152] = "Uighur - China",
   [1065] = "Farsi",
   [10266] = "Serbian (Cyrillic) - Serbia",
   [3098] = "Serbian (Cyrillic)",
   [132151] = "Georgian (Ergonomic)",
   [2144] = "Kashmiri",
   [10241] = "Arabic - Syria",
   [2064] = "Italian - Switzerland",
   [1047] = "Rhaeto-Romanic",
   [1160] = "Wolof",
   [66688] = "Uyghur",
   [3076] = "Chinese - Hong Kong SAR",
   [2067] = "Dutch - Belgium",
   [13313] = "Arabic - Kuwait",
   [132165] = "Bangla (India)",
   [132142] = "Sorbian Standard",
   [2049] = "Arabic - Iraq",
   [132130] = "Ukrainian (Enhanced)",
   [3073] = "Arabic - Egypt",
   [1030] = "Danish",
   [15370] = "Spanish - Paraguay",
   [1131] = "Quecha - Bolivia",
   [1077] = "Zulu",
   [16394] = "Spanish - Bolivia",
   [132135] = "Lithuanian Standard",
   [1026] = "Bulgarian",
   [2055] = "German - Switzerland",
   [1082] = "Maltese",
   [8204] = "French - Reunion",
   [1071] = "FYRO Macedonian",
   [8218] = "Bosnian (Cyrillic) - Bosnia and Herzegovina",
   [12300] = "French - Cote d'Ivoire",
   [461824] = "Lisu (Basic)",
   [13321] = "English - Philippines",
   [1121] = "Nepali",
   [20490] = "Spanish - Puerto Rico",
   [3084] = "French - Canada",
   [69641] = "Canadian Multilingual Standard",
   [2155] = "Quecha - Ecuador",
   [1114] = "Syriac",
   [1066] = "Vietnamese",
   [1092] = "Tatar",
   [5132] = "French - Luxembourg",
   [1132] = "Sepedi",
   [263176] = "Greek (319) Latin",
   [14348] = "French - Morocco",
   [2074] = "Serbian (Latin)",
   [1098] = "Telugu",
   [1156] = "Alsatian",
   [1055] = "Turkish",
   [7178] = "Spanish - Dominican Republic",
   [9275] = "Sami (Inari) - Finland",
   [1083] = "Sami (Lappish)",
   [4106] = "Spanish - Guatemala",
   [3081] = "English - Australia",
   [5129] = "English - New Zealand",
   [1146] = "Mapudungun",
   [1037] = "Hebrew",
   [66598] = "Latvian (Legacy)",
   [1182720] = "Futhark",
   [1159] = "Kinyarwanda",
   [2057] = "English - United Kingdom",
   [2108] = "Irish",
   [1032] = "Greek",
   [1049] = "Russian",
   [2058] = "Spanish - Mexico",
   [132101] = "Czech Programmers",
   [132097] = "Arabic (102) AZERTY",
   [1067] = "Armenian - Armenia",
   [1054] = "Thai",
   [1143] = "Somali",
   [1031] = "German - Germany",
   [4108] = "French - Switzerland",
   [1103] = "Sanskrit",
   [15369] = "English - Hong Kong SAR",
   [133200] = "Mongolian (Mongolian Script - Standard)",
   [66585] = "Russian (Typewriter)",
   [197675] = "Armenian Typewriter",
   [9225] = "English - Caribbean",
   [2151] = "Pular - Senegal",
   [66561] = "Arabic (102)",
   [330752] = "Tifinagh (Basic)",
   [3153] = "Dzongkha",
   [66607] = "Macedonia (FYROM) - Standard",
   [1097] = "Tamil",
   [8201] = "English - Jamaica",
   [15361] = "Arabic - Bahrain",
   [4191] = "Central Atlas Tamazight (Tifinagh) - Morocco",
   [2115] = "Uzbek (Cyrillic)",
   [1062] = "Latvian",
   [4105] = "English - Canada",
   [1120] = "Kashmiri (Arabic)",
   [7169] = "Arabic - Tunisia",
   [2143] = "Tamazight (Latin)",
   [2118] = "Punjabi (Pakistan)",
   [13324] = "French - Mali",
   [66599] = "Lithuanian",
   [3082] = "Spanish - Spain (Modern Sort)",
   [8202] = "Spanish - Venezuela",
   [12289] = "Arabic - Lebanon",
   [7180] = "French - West Indies",
   [66629] = "Bangla (India - Legacy)",
   [67643] = "Finnish with Sami",
   [1142] = "Latin",
   [1074] = "Tswana",
   [1058] = "Ukrainian",
   [5130] = "Spanish - Costa Rica",
   [66603] = "Armenian Western",
   [1141] = "Hawaiian - United States",
   [1042] = "Korean",
   [8193] = "Arabic - Oman",
   [1086] = "Malay - Malaysia",
   [1106] = "Welsh",
   [197641] = "English - United States (Dvorak for left hand)",
   [66643] = "Khmer (NIDA)",
   [1122] = "French - West Indies",
   [1095] = "Gujarati",
   [18442] = "Spanish - Honduras",
   [1099] = "Kannada",
   [1087] = "Kazakh",
   [1094] = "Punjabi",
   [1035] = "Finnish",
   [66581] = "Polish (214)",
   [11274] = "Spanish - Argentina",
   [1069] = "Basque",
   [1111] = "Konkani",
   [1126] = "Edo",
   [3131] = "Sami (Northern) - Finland",
   [10252] = "French - Senegal",
   [1078] = "Afrikaans - South Africa",
   [1068] = "Azeri (Latin)",
   [592896] = "N'ko",
   [1124] = "Filipino",
   [2080] = "Urdu - India",
   [2052] = "Chinese - People's Republic of China",
   [1044] = "Norwegian (Bokmal)",
   [2068] = "Norwegian (Nynorsk)",
   [7177] = "English - South Africa",
   [1051648] = "Sora",
   [1034] = "Spanish - Spain (Traditional Sort)",
   [1028] = "Chinese - Taiwan",
   [66587] = "Slovak (QWERTY)",
   [133179] = "Sami Extended Finland-Sweden",
   [11290] = "Serbian (Latin) - Montenegro",
   [1084] = "Scottish Gaelic",
   [13322] = "Spanish - Chile",
   [132126] = "Thai Kedmanee (non-ShiftLock)",
   [6170] = "Serbian (Latin) - Bosnia and Herzegovina",
   [66584] = "Romanian (Standard)",
   [1051] = "Slovak",
   [66618] = "Maltese 48-key",
   [1096] = "Oriya",
   [2110] = "Malay - Brunei Darussalam",
   [31748] = "Chinese - Traditional",
   [328712] = "Greek Latin",
   [1116] = "Cherokee - United States",
   [396288] = "Tifinagh (Full)",
   [66567] = "German (IBM)",
   [58380] = "French - North Africa",
   [1038] = "Hungarian",
   [1061] = "Estonian",
   [16385] = "Arabic - Qatar",
   [527360] = "Lisu (Standard)",
   [1112] = "Manipuri",
   [789504] = "Gothic",
   [2060] = "French - Belgium",
   [16393] = "English - India",
   [132120] = "Romanian (Programmers)",
   [1025] = "Arabic - Saudi Arabia",
   [1119] = "Tamazight (Arabic)",
   [1104] = "Mongolian (Cyrillic)",
   [2129] = "Tibetan - Bhutan",
   [15372] = "French - Haiti",
   [1073] = "Tsonga",
   [66617] = "Hindi Traditional",
   [6203] = "Sami (Southern) - Norway",
   [19466] = "Spanish - Nicaragua",
   [5179] = "Sami (Lule) - Sweden",
   [6145] = "Arabic - Morocco",
   [1117] = "Inuktitut",
   [1138] = "Oromo",
   [197687] = "Georgian Ministry of Education and Science Schools",
   [263170] = "Bulgarian (phonetic traditional)",
   [920576] = "Osmanya",
   [10250] = "Spanish - Peru",
   [1041] = "Japanese",
   [4100] = "Chinese - Singapore",
   [21514] = "Spanish - United States",
   [1056] = "Urdu",
   [2121] = "Tamil - Sri Lanka",
   [1100] = "Malayalam",
   [1102] = "Marathi",
   [1125] = "Divehi",
   [1101] = "Assamese",
   [132121] = "Russian - Mnemonic",
   [2137] = "Sindhi - Pakistan",
   [2072] = "Romanian - Moldava",
   [2092] = "Azeri (Cyrillic)",
   [1130] = "Yoruba",
   [1127] = "Fulfulde - Nigeria",
   [1148] = "Mohawk",
   [66576] = "Italian (142)",
   [1139] = "Tigrigna - Ethiopia",
   [1048] = "Romanian",
   [12298] = "Spanish - Ecuador",
   [66570] = "Spanish Variation",
   [1110] = "Galician",
   [5121] = "Arabic - Algeria",
   [18441] = "English - Singapore",
   [2077] = "Swedish - Finland",
   [1076] = "Xhosa",
   [66582] = "Portuguese (Brazilian ABNT2)",
   [1108] = "Lao",
   [2073] = "Russian - Moldava",
   [263223] = "Georgian (Old Alphabets)",
   [1136] = "Igbo - Nigeria",
   [197640] = "Greek (220) Latin",
   [1150] = "Breton",
   [1113] = "Sindhi - India",
   [1050] = "Croatian",
   [1157] = "Yakut",
   [4103] = "German - Luxembourg",
   [394248] = "Greek Polytonic",
   [132104] = "Greek (319)",
   [1123] = "Pashto",
   [66651] = "Sinhala - wij 9",
   [8251] = "Sami (Skolt) - Finland",
   [1057] = "Indonesian",
   [2163] = "Tigrigna - Eritrea",
   [11276] = "French - Cameroon",
   [9217] = "Arabic - Yemen",
   [1107] = "Khmer",
   [2117] = "Bengali (Bangladesh)",
   [1063] = "Lithuanian",
   [1085] = "Yiddish",
   [14345] = "English - Indonesia",
   [855040] = "Ol Chiki",
   [1279] = "HID (Human Interface Device)",
   [1072] = "Sutu",
   [2107] = "Sami (Northern) - Sweden",
   [3179] = "Quecha - Peru\x09CB",
   [1145] = "Papiamentu",
   [5127] = "German - Liechtenstein",
   [66574] = "Hungarian 101-key",
   [1144] = "Yi",
   [66653] = "Inuktitut - Naqittaut",
   [1027] = "Catalan",
   [1060] = "Slovenian",
   [1046] = "Portuguese - Brazil",
   [1118] = "Amharic - Ethiopia",
   [723968] = "Buginese",
   [1040] = "Italian - Italy",
   [66661] = "Divehi Typewriter",
   [134144] = "New Tai Lue",
   [66591] = "Turkish F",
   [1045] = "Polish"
}
RDP::results
Type

table [count] of string

Attributes

&default = function

Default
{
   [0] = "Success",
   [2] = "Resources not available",
   [4] = "Locked conference",
   [1] = "User rejected",
   [3] = "Rejected for symmetry breaking"
}
RDP::security_protocols
Type

table [count] of string

Attributes

&default = function

Default
{
   [0] = "RDP",
   [8] = "HYBRID_EX",
   [2] = "HYBRID",
   [1] = "SSL"
}

base/protocols/rdp/main.zeek

RDP

Implements base functionality for RDP analysis. Generates the rdp.log file.

Namespace

RDP

Imports

base/protocols/conn/removal-hooks.zeek, base/protocols/rdp/consts.zeek

Summary
Runtime Options

RDP::disable_analyzer_after_detection: bool &redef

If true, detach the RDP analyzer from the connection to prevent continuing to process encrypted traffic.

RDP::rdp_check_interval: interval &redef

The amount of time to monitor an RDP session from when it is first identified.

Types

RDP::Info: record

Redefinitions

Log::ID: enum

RDP::Info: record

New Fields

RDP::Info

analyzer_id: count &optional

The analyzer ID used for the analyzer instance attached to each connection.

done: bool &default = F &optional

Track status of logging RDP connections.

connection: record

New Fields

connection

rdp: RDP::Info &optional

likely_server_ports: set &redef

Events

RDP::log_rdp: event

Event that can be handled to access the rdp record as it is sent on to the logging framework.

Hooks

RDP::finalize_rdp: Conn::RemovalHook

RDP finalization hook.

RDP::log_policy: Log::PolicyHook

Detailed Interface
Runtime Options
RDP::disable_analyzer_after_detection
Type

bool

Attributes

&redef

Default

F

If true, detach the RDP analyzer from the connection to prevent continuing to process encrypted traffic.

RDP::rdp_check_interval
Type

interval

Attributes

&redef

Default

10.0 secs

The amount of time to monitor an RDP session from when it is first identified. When this interval is reached, the session is logged.

Types
RDP::Info
Type

record

ts: time &log

Timestamp for when the event happened.

uid: string &log

Unique ID for the connection.

id: conn_id &log

The connection’s 4-tuple of endpoint addresses/ports.

cookie: string &log &optional

Cookie value used by the client machine. This is typically a username.

result: string &log &optional

Status result for the connection. It is a mix of RDP negotiation failure messages and GCC server create response messages (see RDP::results).

security_protocol: string &log &optional

Security protocol chosen by the server.

client_channels: vector of string &log &optional

The channels requested by the client

keyboard_layout: string &log &optional

Keyboard layout (language) of the client machine.

client_build: string &log &optional

RDP client version used by the client machine.

client_name: string &log &optional

Name of the client machine.

client_dig_product_id: string &log &optional

Product ID of the client machine.

desktop_width: count &log &optional

Desktop width of the client machine.

desktop_height: count &log &optional

Desktop height of the client machine.

requested_color_depth: string &log &optional

The color depth requested by the client in the high_color_depth field.

cert_type: string &log &optional

If the connection is being encrypted with native RDP encryption, this is the type of cert being used.

cert_count: count &log &default = 0 &optional

The number of certs seen. X.509 can transfer an entire certificate chain.

cert_permanent: bool &log &optional

Indicates if the provided certificate or certificate chain is permanent or temporary.

encryption_level: string &log &optional

Encryption level of the connection.

encryption_method: string &log &optional

Encryption method of the connection.

analyzer_id: count &optional

The analyzer ID used for the analyzer instance attached to each connection. It is not used for logging since it’s a meaningless arbitrary number.

done: bool &default = F &optional

Track status of logging RDP connections.

ssl: bool &log &default = F &optional

(present if policy/protocols/rdp/indicate_ssl.zeek is loaded)

Flag the connection if it was seen over SSL.

Events
RDP::log_rdp
Type

event (rec: RDP::Info)

Event that can be handled to access the rdp record as it is sent on to the logging framework.

Hooks
RDP::finalize_rdp
Type

Conn::RemovalHook

RDP finalization hook. Remaining RDP info may get logged when it’s called.

RDP::log_policy
Type

Log::PolicyHook
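
The security_protocol field above is the value the server chose in its negotiation response: "HYBRID" and "HYBRID_EX" mean CredSSP, i.e. Network Level Authentication, while "RDP" (standard RDP security) and "SSL" (TLS without CredSSP) both let an unauthenticated client reach the interactive logon screen. The following script is an added example, not part of Zeek or of this reference page; it handles RDP::log_rdp and raises a notice for every server seen accepting a non-NLA protocol. The module name, the notice type, the nla_protocols set and the one-day suppression are assumptions chosen for the example.

```zeek
@load base/protocols/rdp
@load base/frameworks/notice

# Hypothetical module name; not part of the Zeek distribution.
module RDP_NLA_Check;

export {
    redef enum Notice::Type += {
        ## Server completed RDP negotiation without Network Level Authentication.
        No_NLA,
    };

    ## security_protocol values that imply CredSSP/NLA. The strings are the
    ## names Zeek assigns in RDP::security_protocols; "RDP" and "SSL" both
    ## expose the interactive logon to anyone who completes the handshake.
    const nla_protocols: set[string] = { "HYBRID", "HYBRID_EX" } &redef;
}

# Collect the optional RDP::Info fields worth showing in the notice.
function context(rec: RDP::Info): string
    {
    local parts: vector of string = vector();
    if ( rec?$cookie )
        parts[|parts|] = fmt("cookie=%s", rec$cookie);
    if ( rec?$client_name )
        parts[|parts|] = fmt("client_name=%s", rec$client_name);
    if ( rec?$encryption_level )
        parts[|parts|] = fmt("encryption_level=%s", rec$encryption_level);
    if ( rec?$cert_type )
        parts[|parts|] = fmt("cert_type=%s", rec$cert_type);
    return join_string_vec(parts, " ");
    }

event RDP::log_rdp(rec: RDP::Info)
    {
    # The field is only set once the server's negotiation response was seen;
    # a connection that died earlier, or whose result was a negotiation
    # failure, has nothing to judge.
    if ( ! rec?$security_protocol )
        return;

    if ( rec$security_protocol in nla_protocols )
        return;

    NOTICE([$note=No_NLA,
            $msg=fmt("RDP server %s accepted security protocol %s (no NLA) %s",
                     rec$id$resp_h, rec$security_protocol, context(rec)),
            $id=rec$id, $uid=rec$uid,
            # One notice per server and protocol per day, not one per session.
            $identifier=cat(rec$id$resp_h, rec$security_protocol),
            $suppress_for=1day]);
    }
```

Load the script from local.zeek. Because the record is handed to the logging framework when RDP::rdp_check_interval expires or the connection ends, the notice can lag the start of the session by up to that interval (10 seconds by default). The encryption_level and cert_type fields are only populated for standard RDP security, so they are absent for "SSL" sessions.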

base/protocols/rfb/__load__.zeek

Imports

base/protocols/rfb/main.zeek

Summary
Detailed Interface

base/protocols/rfb/main.zeek

RFB
Namespace

RFB

Imports

base/protocols/conn/removal-hooks.zeek

Summary
Types

RFB::Info: record

The record type which contains the fields of the RFB log.

Redefinitions

Log::ID: enum

connection: record

New Fields

connection

rfb: RFB::Info &optional

Events

RFB::log_rfb: event

Hooks

RFB::finalize_rfb: Conn::RemovalHook

RFB finalization hook.

RFB::log_policy: Log::PolicyHook

Detailed Interface
Types
RFB::Info
Type

record

ts: time &log

Timestamp for when the event happened.

uid: string &log

Unique ID for the connection.

id: conn_id &log

The connection’s 4-tuple of endpoint addresses/ports.

client_major_version: string &log &optional

Major version of the client.

client_minor_version: string &log &optional

Minor version of the client.

server_major_version: string &log &optional

Major version of the server.

server_minor_version: string &log &optional

Minor version of the server.

authentication_method: string &log &optional

Identifier of authentication method used.

auth: bool &log &optional

Whether or not authentication was successful.

share_flag: bool &log &optional

Whether the client has an exclusive or a shared session.

desktop_name: string &log &optional

Name of the screen that is being shared.

width: count &log &optional

Width of the screen that is being shared.

height: count &log &optional

Height of the screen that is being shared.

done: bool &default = F &optional

Internally used value to determine if this connection has already been logged.

The record type which contains the fields of the RFB log.

Events
RFB::log_rfb
Type

event (rec: RFB::Info)

Hooks
RFB::finalize_rfb
Type

Conn::RemovalHook

RFB finalization hook. Remaining RFB info may get logged when it’s called.

RFB::log_policy
Type

Log::PolicyHook

base/protocols/sip/__load__.zeek

Imports

base/protocols/sip/main.zeek

Summary
Detailed Interface

base/protocols/sip/main.zeek

SIP

Implements base functionality for SIP analysis. The logging model is to log request/response pairs and all relevant metadata together in a single record.

Namespace

SIP

Imports

base/protocols/conn/removal-hooks.zeek, base/utils/files.zeek, base/utils/numbers.zeek

Summary
Runtime Options

SIP::sip_methods: set &redef

A list of SIP methods.

Types

SIP::Info: record

The record type which contains the fields of the SIP log.

SIP::State: record

Redefinitions

Log::ID: enum

connection: record

New Fields

connection

sip: SIP::Info &optional

sip_state: SIP::State &optional

likely_server_ports: set &redef

Events

SIP::log_sip: event

Event that can be handled to access the SIP record as it is sent on to the logging framework.

Hooks

SIP::finalize_sip: Conn::RemovalHook

SIP finalization hook.

SIP::log_policy: Log::PolicyHook

Detailed Interface
Runtime Options
SIP::sip_methods
Type

set [string]

Attributes

&redef

Default
{
   "BYE",
   "SUBSCRIBE",
   "NOTIFY",
   "REGISTER",
   "INVITE",
   "CANCEL",
   "OPTIONS",
   "ACK"
}

A list of SIP methods. Other methods will generate a weird. Note that the SIP analyzer will only accept methods consisting solely of letters [A-Za-z].

Types
SIP::Info
Type

record

ts: time &log

Timestamp for when the request happened.

uid: string &log

Unique ID for the connection.

id: conn_id &log

The connection’s 4-tuple of endpoint addresses/ports.

trans_depth: count &log

Represents the pipelined depth into the connection of this request/response transaction.

method: string &log &optional

Verb used in the SIP request (INVITE, REGISTER etc.).

uri: string &log &optional

URI used in the request.

date: string &log &optional

Contents of the Date: header from the client

request_from: string &log &optional

Contents of the request From: header. Note: the tag= value that is usually appended to the sender is stripped off and not logged.

request_to: string &log &optional

Contents of the To: header

response_from: string &log &optional

Contents of the response From: header. Note: the tag= value that is usually appended to the sender is stripped off and not logged.

response_to: string &log &optional

Contents of the response To: header

reply_to: string &log &optional

Contents of the Reply-To: header

call_id: string &log &optional

Contents of the Call-ID: header from the client

seq: string &log &optional

Contents of the CSeq: header from the client

subject: string &log &optional

Contents of the Subject: header from the client

request_path: vector of string &log &optional

The client message transmission path, as extracted from the headers.

response_path: vector of string &log &optional

The server message transmission path, as extracted from the headers.

user_agent: string &log &optional

Contents of the User-Agent: header from the client

status_code: count &log &optional

Status code returned by the server.

status_msg: string &log &optional

Status message returned by the server.

warning: string &log &optional

Contents of the Warning: header

request_body_len: count &log &optional

Contents of the Content-Length: header from the client

response_body_len: count &log &optional

Contents of the Content-Length: header from the server

content_type: string &log &optional

Contents of the Content-Type: header from the server

The record type which contains the fields of the SIP log.

SIP::State
Type

record

pending: table [count] of SIP::Info

Pending requests.

current_request: count &default = 0 &optional

Current request in the pending queue.

current_response: count &default = 0 &optional

Current response in the pending queue.

Events
SIP::log_sip
Type

event (rec: SIP::Info)

Event that can be handled to access the SIP record as it is sent on to the logging framework.

Hooks
SIP::finalize_sip
Type

Conn::RemovalHook

SIP finalization hook. Remaining SIP info may get logged when it’s called.

SIP::log_policy
Type

Log::PolicyHook
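
SIP::sip_methods and SIP::log_policy are the two knobs a site usually touches first: the set decides which methods are accepted (anything else becomes a weird), and the hook decides which completed transactions reach sip.log. The script below is an added example, not part of Zeek or of this page. It adds methods defined in later SIP RFCs and uses the policy hook to keep successful OPTIONS keepalives, which SIP trunks and SBCs send continuously, out of the log. The choice of methods and the filtering rule are site assumptions.

```zeek
@load base/protocols/sip

# Methods from later SIP RFCs (PRACK RFC 3262, UPDATE RFC 3311,
# MESSAGE RFC 3428, REFER RFC 3515, PUBLISH RFC 3903, INFO RFC 6086).
# Without this redef a request using one of them raises a weird.
redef SIP::sip_methods += { "PRACK", "UPDATE", "MESSAGE", "REFER", "PUBLISH", "INFO" };

# Veto logging of OPTIONS transactions that completed with 200 OK.
# OPTIONS that drew an error, or that never got an answer (no status_code),
# are still written to sip.log, since those are the ones worth looking at.
hook SIP::log_policy(rec: SIP::Info, id: Log::ID, filter: Log::Filter)
    {
    if ( rec?$method && rec$method == "OPTIONS"
         && rec?$status_code && rec$status_code == 200 )
        break;
    }
```

A `break` in a Log::PolicyHook only suppresses the write for the filter being evaluated; the SIP::log_sip event still fires for the record, so other scripts can observe the transaction even though it is not on disk.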

base/protocols/snmp/__load__.zeek

Imports

base/protocols/snmp/main.zeek

Summary
Detailed Interface

base/protocols/snmp/main.zeek

SNMP

Enables analysis and logging of SNMP datagrams.

Namespace

SNMP

Imports

base/protocols/conn/removal-hooks.zeek

Summary
Redefinable Options

SNMP::version_map: table &redef &default = "unknown"

Maps an SNMP version integer to a human readable string.

Types

SNMP::Info: record

Information tracked per SNMP session.

Redefinitions

Log::ID: enum

connection: record

New Fields

connection

snmp: SNMP::Info &optional

likely_server_ports: set &redef

Events

SNMP::log_snmp: event

Event that can be handled to access the SNMP record as it is sent on to the logging framework.

Hooks

SNMP::finalize_snmp: Conn::RemovalHook

SNMP finalization hook.

SNMP::log_policy: Log::PolicyHook

Detailed Interface
Redefinable Options
SNMP::version_map
Type

table [count] of string

Attributes

&redef &default = "unknown"

Default
{
   [0] = "1",
   [1] = "2c",
   [3] = "3"
}

Maps an SNMP version integer to a human readable string.

Types
SNMP::Info
Type

record

ts: time &log

Timestamp of first packet belonging to the SNMP session.

uid: string &log

The unique ID for the connection.

id: conn_id &log

The connection’s 5-tuple of addresses/ports (ports inherently include transport protocol information)

duration: interval &log &default = 0 secs &optional

The amount of time between the first packet belonging to the SNMP session and the latest one seen.

version: string &log

The version of SNMP being used.

community: string &log &optional

The community string of the first SNMP packet associated with the session. This is used as part of SNMP’s (v1 and v2c) administrative/security framework. See RFC 1157 or RFC 1901.

get_requests: count &log &default = 0 &optional

The number of variable bindings in GetRequest/GetNextRequest PDUs seen for the session.

get_bulk_requests: count &log &default = 0 &optional

The number of variable bindings in GetBulkRequest PDUs seen for the session.

get_responses: count &log &default = 0 &optional

The number of variable bindings in GetResponse/Response PDUs seen for the session.

set_requests: count &log &default = 0 &optional

The number of variable bindings in SetRequest PDUs seen for the session.

display_string: string &log &optional

A system description of the SNMP responder endpoint.

up_since: time &log &optional

The time at which the SNMP responder endpoint claims it’s been up since.

Information tracked per SNMP session.

Events
SNMP::log_snmp
Type

event (rec: SNMP::Info)

Event that can be handled to access the SNMP record as it is sent on to the logging framework.

Hooks
SNMP::finalize_snmp
Type

Conn::RemovalHook

SNMP finalization hook. Remaining SNMP info may get logged when it’s called.

SNMP::log_policy
Type

Log::PolicyHook
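
The community string logged in SNMP::Info is the entire credential for SNMPv1 and SNMPv2c, sent in cleartext, and the set_requests counter tells you whether the session only read values or also wrote them. The script below is an added example, not part of Zeek or of this page; it handles SNMP::log_snmp and raises a notice for sessions that use a well-known default community. The module name, notice type, the default_communities set and the suppression interval are assumptions for the example.

```zeek
@load base/protocols/snmp
@load base/frameworks/notice

# Hypothetical module name; not part of the Zeek distribution.
module SNMP_Community_Check;

export {
    redef enum Notice::Type += {
        ## SNMPv1/v2c session using a well-known default community string.
        Default_Community,
    };

    ## Communities treated as default credentials (site assumption; extend
    ## with whatever your vendors ship).
    const default_communities: set[string] = { "public", "private" } &redef;
}

event SNMP::log_snmp(rec: SNMP::Info)
    {
    # SNMPv3 sessions carry no community string, and the field is &optional,
    # so check presence before reading it.
    if ( ! rec?$community )
        return;

    if ( to_lower(rec$community) !in default_communities )
        return;

    # set_requests has &default=0, so it is always safe to read.
    local writes = rec$set_requests > 0 ?
        fmt(" including %d SetRequest bindings", rec$set_requests) : "";

    NOTICE([$note=Default_Community,
            $msg=fmt("SNMPv%s from %s to %s with community '%s'%s",
                     rec$version, rec$id$orig_h, rec$id$resp_h,
                     rec$community, writes),
            $id=rec$id, $uid=rec$uid,
            # Suppress repeats for the same client, agent and community.
            $identifier=cat(rec$id$orig_h, rec$id$resp_h, rec$community),
            $suppress_for=1hr]);
    }
```

The record is logged when the UDP "connection" is removed, so the notice arrives after the session goes idle rather than on the first packet; if you need an immediate reaction, handle the snmp_get_request or snmp_set_request events instead, which carry the community string per PDU.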

base/protocols/smb/__load__.zeek

Imports

base/protocols/smb/const-dos-error.zeek, base/protocols/smb/const-nt-status.zeek, base/protocols/smb/consts.zeek, base/protocols/smb/files.zeek, base/protocols/smb/main.zeek, base/protocols/smb/smb1-main.zeek, base/protocols/smb/smb2-main.zeek

Summary
Detailed Interface

base/protocols/smb/consts.zeek

SMB
SMB1
SMB2
Namespaces

SMB, SMB1, SMB2

Summary
Redefinable Options

SMB::rpc_sub_cmds: table &redef &default = function

The subcommands for RPC endpoints.

SMB::rpc_uuids: table &redef &default = function

The UUIDs used by the various RPC endpoints.

SMB::srv_cmds: table &redef &default = function

Server service sub commands.

SMB::statuses: table &redef &default = function

SMB::wksta_cmds: table &redef &default = function

Workstation service sub commands.

Constants

SMB1::commands: table &default = function

SMB1::trans2_sub_commands: table &default = function

SMB1::trans_sub_commands: table &default = function

SMB2::commands: table &default = function

SMB2::dialects: table &default = function

SMB2::share_types: table &default = function

Types

SMB::StatusCode: record

SMB::rpc_cmd_table: table

Redefinitions

SMB::pipe_filenames: set &redef

Heuristic detection of named pipes when the pipe mapping isn’t seen.
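
SMB::statuses maps a raw NT status or DOS error code to the SMB::StatusCode record (id and desc) described below; it is the table to consult when a script reacts to a specific server response. The script below is an added example, not part of Zeek or of this page. It watches SMB2 SESSION_SETUP responses for STATUS_LOGON_FAILURE and raises a notice when one client accumulates several within ten minutes, using the table only to label the notice. The module name, notice type, threshold and expiry window are assumptions for the example; the command and status codes are the values from MS-SMB2 and MS-ERREF.

```zeek
@load base/protocols/smb
@load base/frameworks/notice

# Hypothetical module name; not part of the Zeek distribution.
module SMB_Logon_Failures;

export {
    redef enum Notice::Type += {
        ## A client accumulated repeated SMB2 SESSION_SETUP failures.
        Session_Setup_Failures,
    };

    ## Failures from one client before a notice is raised (site assumption).
    const failure_threshold: count = 5 &redef;

    ## SMB2 Command value for SESSION_SETUP (MS-SMB2 header).
    const SMB2_SESSION_SETUP: count = 0x0001;

    ## STATUS_LOGON_FAILURE: unknown account or bad password (MS-ERREF).
    const STATUS_LOGON_FAILURE: count = 0xC000006D;
}

# Failures per client address; an entry is forgotten 10 minutes after creation.
global failures: table[addr] of count &default=0 &create_expire=10min;

event smb2_message(c: connection, hdr: SMB2::Header, is_orig: bool)
    {
    # The authentication result is in the server's response to SESSION_SETUP;
    # requests and other commands carry nothing of interest here. During NTLM
    # the first response is STATUS_MORE_PROCESSING_REQUIRED, which is skipped.
    if ( is_orig || hdr$command != SMB2_SESSION_SETUP )
        return;

    if ( hdr$status != STATUS_LOGON_FAILURE )
        return;

    failures[c$id$orig_h] += 1;

    # Fire exactly once when the threshold is crossed, not on every failure after it.
    if ( failures[c$id$orig_h] != failure_threshold )
        return;

    # SMB::statuses yields the StatusCode record for the raw code; codes missing
    # from the table fall through to its default function.
    local st = SMB::statuses[hdr$status];

    NOTICE([$note=Session_Setup_Failures,
            $msg=fmt("%d SMB2 session setup failures from %s within 10 minutes (last: %s, %s)",
                     failure_threshold, c$id$orig_h, st$id, st$desc),
            $conn=c,
            $identifier=cat(c$id$orig_h),
            $suppress_for=1hr]);
    }
```

The counter is keyed on the client address only, so a single client spraying one password across many servers trips it just as a client hammering one server does; key on the pair if you only want the latter.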

Detailed Interface
Redefinable Options
SMB::rpc_sub_cmds
Type

table [string] of SMB::rpc_cmd_table

Attributes

&redef &default = function

Default
{
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188"] = {
      [40] = "NetrSetFileSecurity",
      [45] = "NetrDfsDeleteLocalPartition",
      [19] = "NetrShareDelSticky",
      [20] = "NetrShareCheck",
      [33] = "NetprNameValidate",
      [39] = "NetrGetFileSecurity",
      [36] = "NetrShareEnumSticky",
      [30] = "NetprPathType",
      [14] = "NetrShareAdd",
      [15] = "NetrShareEnum",
      [46] = "NetrDfsSetLocalVolumeState",
      [31] = "NetprPathCanonicalize",
      [28] = "NetrRemoteTOD",
      [8] = "NetrConnectionEnum",
      [23] = "NetrServerDiskEnum",
      [27] = "NetrServerTransportDel",
      [9] = "NetrFileEnum",
      [53] = "NetrServerTransportDelEx",
      [55] = "NetrServerAliasEnum",
      [56] = "NetrServerAliasDel",
      [52] = "NetrDfsManagerReportSiteInfo",
      [21] = "NetrServerGetInfo",
      [10] = "NetrFileGetInfo",
      [32] = "NetprPathCompare",
      [12] = "NetrSessionEnum",
      [13] = "NetrSessionDel",
      [26] = "NetrServerTransportEnum",
      [41] = "NetrServerTransportAddEx",
      [17] = "NetrShareSetInfo",
      [50] = "NetrDfsModifyPrefix",
      [25] = "NetrServerTransportAdd",
      [16] = "NetrShareGetInfo",
      [24] = "NetrServerStatisticsGet",
      [48] = "NetrDfsCreateExitPoint",
      [38] = "NetrShareDelCommit",
      [54] = "NetrServerAliasAdd",
      [49] = "NetrDfsDeleteExitPoint",
      [57] = "NetrShareDelEx",
      [11] = "NetrFileClose",
      [35] = "NetprNameCompare",
      [22] = "NetrServerSetInfo",
      [43] = "NetrDfsGetVersion",
      [51] = "NetrDfsFixLocalVolume",
      [18] = "NetrShareDel",
      [37] = "NetrShareDelStart",
      [44] = "NetrDfsCreateLocalPartition",
      [34] = "NetprNameCanonicalize"
   },
   ["6bffd098-a112-3610-9833-46c3f87e345a"] = {
      [2] = "NetrWkstaUserEnum",
      [25] = "NetrValidateName2",
      [20] = "NetrGetJoinInformation",
      [29] = "NetrSetPrimaryComputerName",
      [6] = "NetrWkstaTransportAdd",
      [30] = "NetrEnumerateComputerNames",
      [24] = "NetrRenameMachineInDomain2",
      [28] = "NetrRemoveAlternateComputerName",
      [23] = "NetrUnjoinDomain2",
      [8] = "NetrUseAdd",
      [9] = "NetrUseGetInfo",
      [27] = "NetrAddAlternateComputerName",
      [1] = "NetrWkstaSetInfo",
      [11] = "NetrUseEnum",
      [7] = "NetrWkstaTransportDel",
      [5] = "NetrWkstaTransportEnum",
      [10] = "NetrUseDel",
      [22] = "NetrJoinDomain2",
      [13] = "NetrWorkstationStatisticsGet",
      [26] = "NetrGetJoinableOUs2",
      [0] = "NetrWkstaGetInfo"
   }
}

The subcommands for RPC endpoints.

SMB::rpc_uuids
Type

table [string] of string

Attributes

&redef &default = function

Default
{
   ["4b324fc8-1670-01d3-1278-5a47bf6ee188"] = "Server Service",
   ["6bffd098-a112-3610-9833-46c3f87e345a"] = "Workstation Service"
}

The UUIDs used by the various RPC endpoints.

SMB::srv_cmds
Type

table [count] of string

Attributes

&redef &default = function

Default
{
   [40] = "NetrSetFileSecurity",
   [45] = "NetrDfsDeleteLocalPartition",
   [19] = "NetrShareDelSticky",
   [20] = "NetrShareCheck",
   [33] = "NetprNameValidate",
   [39] = "NetrGetFileSecurity",
   [36] = "NetrShareEnumSticky",
   [30] = "NetprPathType",
   [14] = "NetrShareAdd",
   [15] = "NetrShareEnum",
   [46] = "NetrDfsSetLocalVolumeState",
   [31] = "NetprPathCanonicalize",
   [28] = "NetrRemoteTOD",
   [8] = "NetrConnectionEnum",
   [23] = "NetrServerDiskEnum",
   [27] = "NetrServerTransportDel",
   [9] = "NetrFileEnum",
   [53] = "NetrServerTransportDelEx",
   [55] = "NetrServerAliasEnum",
   [56] = "NetrServerAliasDel",
   [52] = "NetrDfsManagerReportSiteInfo",
   [21] = "NetrServerGetInfo",
   [10] = "NetrFileGetInfo",
   [32] = "NetprPathCompare",
   [12] = "NetrSessionEnum",
   [13] = "NetrSessionDel",
   [26] = "NetrServerTransportEnum",
   [41] = "NetrServerTransportAddEx",
   [17] = "NetrShareSetInfo",
   [50] = "NetrDfsModifyPrefix",
   [25] = "NetrServerTransportAdd",
   [16] = "NetrShareGetInfo",
   [24] = "NetrServerStatisticsGet",
   [48] = "NetrDfsCreateExitPoint",
   [38] = "NetrShareDelCommit",
   [54] = "NetrServerAliasAdd",
   [49] = "NetrDfsDeleteExitPoint",
   [57] = "NetrShareDelEx",
   [11] = "NetrFileClose",
   [35] = "NetprNameCompare",
   [22] = "NetrServerSetInfo",
   [43] = "NetrDfsGetVersion",
   [51] = "NetrDfsFixLocalVolume",
   [18] = "NetrShareDel",
   [37] = "NetrShareDelStart",
   [44] = "NetrDfsCreateLocalPartition",
   [34] = "NetprNameCanonicalize"
}

Server service sub commands.

SMB::statuses
Type

table [count] of SMB::StatusCode

Attributes

&redef &default = function

Default
{
   [0] = [id="SUCCESS", desc="The operation completed successfully."]
}
Redefinition

from base/protocols/smb/const-dos-error.zeek

+=:

   65537 = [$id=badfunc, $desc=Incorrect function.],
   65538 = [$id=error, $desc=Incorrect function.],
   131073 = [$id=badfile, $desc=The system cannot find the file specified.],
   131074 = [$id=badpw, $desc=Bad password.],
   196609 = [$id=badpath, $desc=The system cannot find the path specified.],
   196610 = [$id=badtype, $desc=reserved],
   262145 = [$id=nofids, $desc=The system cannot open the file.],
   262146 = [$id=access, $desc=The client does not have the necessary access rights to perform the requested function.],
   327681 = [$id=noaccess, $desc=Access is denied.],
   327682 = [$id=invnid, $desc=The TID specified was invalid.],
   393217 = [$id=badfid, $desc=The handle is invalid.],
   393218 = [$id=invnetname, $desc=The network name cannot be found.],
   458753 = [$id=badmcb, $desc=The storage control blocks were destroyed.],
   458754 = [$id=invdevice, $desc=The device specified is invalid.],
   524289 = [$id=nomem, $desc=Not enough storage is available to process this command.],
   589825 = [$id=badmem, $desc=The storage control block address is invalid.],
   655361 = [$id=badenv, $desc=The environment is incorrect.],
   786433 = [$id=badaccess, $desc=The access code is invalid.],
   851969 = [$id=baddata, $desc=The data is invalid.],
   917505 = [$id=res, $desc=reserved],
   983041 = [$id=baddrive, $desc=The system cannot find the drive specified.],
   1048577 = [$id=remcd, $desc=The directory cannot be removed.],
   1114113 = [$id=diffdevice, $desc=The system cannot move the file to a different disk drive.],
   1179649 = [$id=nofiles, $desc=There are no more files.],
   1245187 = [$id=nowrite, $desc=The media is write protected.],
   1310723 = [$id=badunit, $desc=The system cannot find the device specified.],
   1376259 = [$id=notready, $desc=The device is not ready.],
   1441794 = [$id=unknownsmb, $desc=The device does not recognize the command.],
   1441795 = [$id=badcmd, $desc=The device does not recognize the command.],
   1507331 = [$id=data, $desc=Data error (cyclic redundancy check).],
   1572867 = [$id=badreq, $desc=The program issued a command but the command length is incorrect.],
   1638403 = [$id=seek, $desc=The drive cannot locate a specific area or track on the disk.],
   1703939 = [$id=badmedia, $desc=The specified disk or diskette cannot be accessed.],
   1769475 = [$id=badsector, $desc=The drive cannot find the sector requested.],
   1835011 = [$id=nopaper, $desc=The printer is out of paper.],
   1900547 = [$id=write, $desc=The system cannot write to the specified device.],
   1966083 = [$id=read, $desc=The system cannot read from the specified device.],
   2031617 = [$id=general, $desc=A device attached to the system is not functioning.],
   2031619 = [$id=general, $desc=A device attached to the system is not functioning.],
   2097153 = [$id=badshare, $desc=The process cannot access the file because it is being used by another process.],
   2097155 = [$id=badshare, $desc=The process cannot access the file because it is being used by another process.],
   2162689 = [$id=lock, $desc=The process cannot access the file because another process has locked a portion of the file.],
   2162691 = [$id=lock, $desc=The process cannot access the file because another process has locked a portion of the file.],
   2228227 = [$id=wrongdisk, $desc=The wrong diskette is in the drive.],
   2293763 = [$id=FCBunavail, $desc=No FCBs are available to process the request.],
   2359299 = [$id=sharebufexc, $desc=A sharing buffer has been exceeded.],
   2555907 = [$id=diskfull, $desc=The disk is full.],
   3211266 = [$id=qfull, $desc=The print queue is full.],
   3276801 = [$id=unsup, $desc=The network request is not supported.],
   3276802 = [$id=qtoobig, $desc=The queued item too big.],
   3407874 = [$id=invpfid, $desc=The print file FID is invalid.],
   3407873 = [$id=dupname, $desc=A duplicate name exists on the network.],
   4194305 = [$id=netnamedel, $desc=The specified network name is no longer available.],
   4194306 = [$id=smbcmd, $desc=The server did not recognize the command received.],
   4259842 = [$id=srverror, $desc=The server encountered an internal error.],
   4325377 = [$id=noipc, $desc=The network resource type is not correct.],
   4390913 = [$id=nosuchshare, $desc=The network name cannot be found.],
   4390914 = [$id=filespecs, $desc=The specified FID and pathname combination is invalid.],
   4456450 = [$id=badlink, $desc=reserved],
   4521986 = [$id=badpermits, $desc=The access permissions specified for a file or directory are not a valid combination.],
   4587522 = [$id=badpid, $desc=reserved],
   4653057 = [$id=nomoreconn, $desc=nomoreconn.],
   4653058 = [$id=setattrmode, $desc=The attribute mode specified is invalid.],
   5242881 = [$id=filexists, $desc=The file exists.],
   5308418 = [$id=paused, $desc=The message server is paused.],
   5373954 = [$id=msgoff, $desc=Not receiving messages.],
   5439490 = [$id=noroom, $desc=No room to buffer message.],
   5701633 = [$id=invalidparam, $desc=The parameter is incorrect.],
   5701634 = [$id=rmuns, $desc=Too many remote usernames.],
   5767170 = [$id=timeout, $desc=Operation timed out.],
   5832706 = [$id=noresource, $desc=No resources currently available for request.],
   5898242 = [$id=toomanyuids, $desc=Too many Uids active on this session.],
   5963778 = [$id=baduid, $desc=The Uid is not known as a valid user identifier on this session.],
   7143425 = [$id=brokenpipe, $desc=The pipe has been ended.],
   7208961 = [$id=cannotopen, $desc=The system cannot open the device or file specified.],
   7995393 = [$id=insufficientbuffer, $desc=The data area passed to a system call is too small.],
   8060929 = [$id=invalidname, $desc=The filename, directory name, or volume label syntax is incorrect.],
   8126465 = [$id=unknownlevel, $desc=The system call level is not correct.],
   9502721 = [$id=notempty, $desc=The directory is not empty.],
   10354689 = [$id=notlocked, $desc=The segment is already unlocked.],
   11993089 = [$id=rename, $desc=Cannot create a file when that file already exists.],
   15073281 = [$id=badpipe, $desc=The pipe state is invalid.],
   15138817 = [$id=pipebusy, $desc=All pipe instances are busy.],
   15204353 = [$id=pipeclosing, $desc=The pipe is being closed.],
   15269889 = [$id=notconnected, $desc=No process is on the other end of the pipe.],
   15335425 = [$id=moredata, $desc=More data is available.],
   16384002 = [$id=usempx, $desc=Temporarily unable to support Raw, use Mpx mode.],
   16449538 = [$id=usestd, $desc=Temporarily unable to support Raw, use standard read/write.],
   16515074 = [$id=contmpx, $desc=Continue in MPX mode.],
   16646146 = [$id=badPassword, $desc=reserved],
   16973825 = [$id=nomoreitems, $desc=No more data is available.],
   17498113 = [$id=baddirectory, $desc=The directory name is invalid.],
   18481153 = [$id=easnotsupported, $desc=The mounted file system does not support extended attributes.],
   67108866 = [$id=_NOTIFY_ENUM_DIR, $desc=Too many files have changed since the last time an NT_TRANSACT_NOTIFY_CHANGE was issued.],
   86900737 = [$id=logonfailure, $desc=Logon failure: unknown user name or bad password.],
   117637121 = [$id=driveralreadyinstalled, $desc=The specified printer driver is already installed.],
   117702657 = [$id=unknownprinterport, $desc=The specified port is unknown.],
   117768193 = [$id=unknownprinterdriver, $desc=The printer driver is unknown.],
   117833729 = [$id=unknownprintprocessor, $desc=The print processor is unknown.],
   117899265 = [$id=invalidseparatorfile, $desc=The specified separator file is invalid.],
   117964801 = [$id=invalidjobpriority, $desc=The specified priority is invalid.],
   118030337 = [$id=invalidprintername, $desc=The printer name is invalid.],
   118095873 = [$id=printeralreadyexists, $desc=The printer already exists.],
   118161409 = [$id=invalidprintercommand, $desc=The printer command is invalid.],
   118226945 = [$id=invaliddatatype, $desc=The specified datatype is invalid.],
   118292481 = [$id=invalidenvironment, $desc=The Environment specified is invalid.],
   139132929 = [$id=buftoosmall, $desc=The API return buffer is too small.],
   140378113 = [$id=unknownipc, $desc=The requested API is not supported on the remote server.],
   140967937 = [$id=nosuchprintjob, $desc=The print job does not exist.],
   146735106 = [$id=accountExpired, $desc=This user account has expired.],
   146800642 = [$id=badClient, $desc=The user is not allowed to log on from this workstation.],
   146866178 = [$id=badLogonTime, $desc=The user is not allowed to log on at this time.],
   146931714 = [$id=passwordExpired, $desc=The password of this user has expired.],
   160890881 = [$id=invgroup, $desc=invgroup],
   196608001 = [$id=unknownprintmonitor, $desc=The specified print monitor is unknown.],
   196673537 = [$id=printerdriverinuse, $desc=The specified printer driver is currently in use.],
   196739073 = [$id=spoolfilenotfound, $desc=The spool file was not found.],
   196804609 = [$id=nostartdoc, $desc=A StartDocPrinter call was not issued.],
   196870145 = [$id=noaddjob, $desc=An AddJob call was not issued.],
   196935681 = [$id=printprocessoralreadyinstalled, $desc=The specified print processor has already been installed.],
   197001217 = [$id=printmonitoralreadyinstalled, $desc=The specified print monitor has already been installed.],
   197066753 = [$id=invalidprintmonitor, $desc=The specified print monitor does not have the required functions.],
   197132289 = [$id=printmonitorinuse, $desc=The specified print monitor is currently in use.],
   197197825 = [$id=printerhasjobsqueued, $desc=The requested operation is not allowed when there are jobs queued to the printer.],
   4294901762 = [$id=nosupport, $desc=Function not supported.]
Redefinition

from base/protocols/smb/const-nt-status.zeek

+=:

   1 = [$id=WAIT_1, $desc=The caller specified WaitAny for WaitType and one of the dispatcher objects in the Object array has been set to the signaled state.],
   2 = [$id=WAIT_2, $desc=The caller specified WaitAny for WaitType and one of the dispatcher objects in the Object array has been set to the signaled state.],
   3 = [$id=WAIT_3, $desc=The caller specified WaitAny for WaitType and one of the dispatcher objects in the Object array has been set to the signaled state.],
   63 = [$id=WAIT_63, $desc=The caller specified WaitAny for WaitType and one of the dispatcher objects in the Object array has been set to the signaled state.],
   128 = [$id=ABANDONED, $desc=The caller attempted to wait for a mutex that has been abandoned.],
   191 = [$id=ABANDONED_WAIT_63, $desc=The caller attempted to wait for a mutex that has been abandoned.],
   192 = [$id=USER_APC, $desc=A user-mode APC was delivered before the given Interval expired.],
   257 = [$id=ALERTED, $desc=The delay completed because the thread was alerted.],
   258 = [$id=TIMEOUT, $desc=The given Timeout interval expired.],
   259 = [$id=PENDING, $desc=The operation that was requested is pending completion.],
   260 = [$id=REPARSE, $desc=A reparse should be performed by the Object Manager because the name of the file resulted in a symbolic link.],
   261 = [$id=MORE_ENTRIES, $desc=Returned by enumeration APIs to indicate more information is available to successive calls.],
   262 = [$id=NOT_ALL_ASSIGNED, $desc=Indicates not all privileges or groups that are referenced are assigned to the caller. This allows, for example, all privileges to be disabled without having to know exactly which privileges are assigned.],
   263 = [$id=SOME_NOT_MAPPED, $desc=Some of the information to be translated has not been translated.],
   264 = [$id=OPLOCK_BREAK_IN_PROGRESS, $desc=An open/create operation completed while an opportunistic lock (oplock) break is underway.],
   265 = [$id=VOLUME_MOUNTED, $desc=A new volume has been mounted by a file system.],
   266 = [$id=RXACT_COMMITTED, $desc=This success level status indicates that the transaction state already exists for the registry subtree but that a transaction commit was previously aborted. The commit has now been completed.],
   267 = [$id=NOTIFY_CLEANUP, $desc=Indicates that a notify change request has been completed due to closing the handle that made the notify change request.],
   268 = [$id=NOTIFY_ENUM_DIR, $desc=Indicates that a notify change request is being completed and that the information is not being returned in the caller's buffer. The caller now needs to enumerate the files to find the changes.],
   269 = [$id=NO_QUOTAS_FOR_ACCOUNT, $desc={No Quotas} No system quota limits are specifically set for this account.],
   270 = [$id=PRIMARY_TRANSPORT_CONNECT_FAILED, $desc={Connect Failure on Primary Transport} An attempt was made to connect to the remote server %hs on the primary transport, but the connection failed. The computer WAS able to connect on a secondary transport.],
   272 = [$id=PAGE_FAULT_TRANSITION, $desc=The page fault was a transition fault.],
   273 = [$id=PAGE_FAULT_DEMAND_ZERO, $desc=The page fault was a demand zero fault.],
   274 = [$id=PAGE_FAULT_COPY_ON_WRITE, $desc=The page fault was a demand zero fault.],
   275 = [$id=PAGE_FAULT_GUARD_PAGE, $desc=The page fault was a demand zero fault.],
   276 = [$id=PAGE_FAULT_PAGING_FILE, $desc=The page fault was satisfied by reading from a secondary storage device.],
   277 = [$id=CACHE_PAGE_LOCKED, $desc=The cached page was locked during operation.],
   278 = [$id=CRASH_DUMP, $desc=The crash dump exists in a paging file.],
   279 = [$id=BUFFER_ALL_ZEROS, $desc=The specified buffer contains all zeros.],
   280 = [$id=REPARSE_OBJECT, $desc=A reparse should be performed by the Object Manager because the name of the file resulted in a symbolic link.],
   281 = [$id=RESOURCE_REQUIREMENTS_CHANGED, $desc=The device has succeeded a query-stop and its resource requirements have changed.],
   288 = [$id=TRANSLATION_COMPLETE, $desc=The translator has translated these resources into the global space and no additional translations should be performed.],
   289 = [$id=DS_MEMBERSHIP_EVALUATED_LOCALLY, $desc=The directory service evaluated group memberships locally, because it was unable to contact a global catalog server.],
   290 = [$id=NOTHING_TO_TERMINATE, $desc=A process being terminated has no threads to terminate.],
   291 = [$id=PROCESS_NOT_IN_JOB, $desc=The specified process is not part of a job.],
   292 = [$id=PROCESS_IN_JOB, $desc=The specified process is part of a job.],
   293 = [$id=VOLSNAP_HIBERNATE_READY, $desc={Volume Shadow Copy Service} The system is now ready for hibernation.],
   294 = [$id=FSFILTER_OP_COMPLETED_SUCCESSFULLY, $desc=A file system or file system filter driver has successfully completed an FsFilter operation.],
   295 = [$id=INTERRUPT_VECTOR_ALREADY_CONNECTED, $desc=The specified interrupt vector was already connected.],
   296 = [$id=INTERRUPT_STILL_CONNECTED, $desc=The specified interrupt vector is still connected.],
   297 = [$id=PROCESS_CLONED, $desc=The current process is a cloned process.],
   298 = [$id=FILE_LOCKED_WITH_ONLY_READERS, $desc=The file was locked and all users of the file can only read.],
   299 = [$id=FILE_LOCKED_WITH_WRITERS, $desc=The file was locked and at least one user of the file can write.],
   514 = [$id=RESOURCEMANAGER_READ_ONLY, $desc=The specified ResourceManager made no changes or updates to the resource under this transaction.],
   871 = [$id=WAIT_FOR_OPLOCK, $desc=An operation is blocked and waiting for an oplock.],
   65537 = [$id=DBG_EXCEPTION_HANDLED, $desc=Debugger handled the exception.],
   65538 = [$id=DBG_CONTINUE, $desc=The debugger continued.],
   1835009 = [$id=FLT_IO_COMPLETE, $desc=The IO was completed by a filter.],
   3221226599 = [$id=FILE_NOT_AVAILABLE, $desc=The file is temporarily unavailable.],
   3221227297 = [$id=CALLBACK_RETURNED_THREAD_AFFINITY, $desc=A threadpool worker thread entered a callback at thread affinity %p and exited at affinity %p.],
   1073741824 = [$id=OBJECT_NAME_EXISTS, $desc={Object Exists} An attempt was made to create an object but the object name already exists.],
   1073741825 = [$id=THREAD_WAS_SUSPENDED, $desc={Thread Suspended} A thread termination occurred while the thread was suspended. The thread resumed, and termination proceeded.],
   1073741826 = [$id=WORKING_SET_LIMIT_RANGE, $desc={Working Set Range Error} An attempt was made to set the working set minimum or maximum to values that are outside the allowable range.],
   1073741827 = [$id=IMAGE_NOT_AT_BASE, $desc={Image Relocated} An image file could not be mapped at the address that is specified in the image file. Local fixes must be performed on this image.],
   1073741828 = [$id=RXACT_STATE_CREATED, $desc=This informational level status indicates that a specified registry subtree transaction state did not yet exist and had to be created.],
   1073741829 = [$id=SEGMENT_NOTIFICATION, $desc={Segment Load} A virtual DOS machine (VDM) is loading, unloading, or moving an MS-DOS or Win16 program segment image. An exception is raised so that a debugger can load, unload, or track symbols and breakpoints within these 16-bit segments.],
   1073741830 = [$id=LOCAL_USER_SESSION_KEY, $desc={Local Session Key} A user session key was requested for a local remote procedure call (RPC) connection. The session key that is returned is a constant value and not unique to this connection.],
   1073741831 = [$id=BAD_CURRENT_DIRECTORY, $desc={Invalid Current Directory} The process cannot switch to the startup current directory %hs. Select OK to set the current directory to %hs, or select CANCEL to exit.],
   1073741832 = [$id=SERIAL_MORE_WRITES, $desc={Serial IOCTL Complete} A serial I/O operation was completed by another write to a serial port. (The IOCTL_SERIAL_XOFF_COUNTER reached zero.)],
   1073741833 = [$id=REGISTRY_RECOVERED, $desc={Registry Recovery} One of the files that contains the system registry data had to be recovered by using a log or alternate copy. The recovery was successful.],
   1073741834 = [$id=FT_READ_RECOVERY_FROM_BACKUP, $desc={Redundant Read} To satisfy a read request, the Windows NT fault-tolerant file system successfully read the requested data from a redundant copy. This was done because the file system encountered a failure on a member of the fault-tolerant volume but was unable to reassign the failing area of the device.],
   1073741835 = [$id=FT_WRITE_RECOVERY, $desc={Redundant Write} To satisfy a write request, the Windows NT fault-tolerant file system successfully wrote a redundant copy of the information.
This was done because the file system encountered a failure on a member of the fault-tolerant volume but was unable to reassign the failing area of the device.], 1073741836 = [$id=SERIAL_COUNTER_TIMEOUT, $desc={Serial IOCTL Timeout} A serial I/O operation completed because the time-out period expired. (The IOCTL_SERIAL_XOFF_COUNTER had not reached zero.)], 1073741837 = [$id=NULL_LM_PASSWORD, $desc={Password Too Complex} The Windows password is too complex to be converted to a LAN Manager password. The LAN Manager password that returned is a NULL string.], 1073741838 = [$id=IMAGE_MACHINE_TYPE_MISMATCH, $desc={Machine Type Mismatch} The image file %hs is valid but is for a machine type other than the current machine. Select OK to continue, or CANCEL to fail the DLL load.], 1073741839 = [$id=RECEIVE_PARTIAL, $desc={Partial Data Received} The network transport returned partial data to its client. The remaining data will be sent later.], 1073741840 = [$id=RECEIVE_EXPEDITED, $desc={Expedited Data Received} The network transport returned data to its client that was marked as expedited by the remote system.], 1073741841 = [$id=RECEIVE_PARTIAL_EXPEDITED, $desc={Partial Expedited Data Received} The network transport returned partial data to its client and this data was marked as expedited by the remote system. 
The remaining data will be sent later.], 1073741842 = [$id=EVENT_DONE, $desc={TDI Event Done} The TDI indication has completed successfully.], 1073741843 = [$id=EVENT_PENDING, $desc={TDI Event Pending} The TDI indication has entered the pending state.], 1073741844 = [$id=CHECKING_FILE_SYSTEM, $desc=Checking file system on %wZ.], 1073741845 = [$id=FATAL_APP_EXIT, $desc={Fatal Application Exit} %hs], 1073741846 = [$id=PREDEFINED_HANDLE, $desc=The specified registry key is referenced by a predefined handle.], 1073741847 = [$id=WAS_UNLOCKED, $desc={Page Unlocked} The page protection of a locked page was changed to 'No Access' and the page was unlocked from memory and from the process.], 1073741848 = [$id=SERVICE_NOTIFICATION, $desc=%hs], 1073741849 = [$id=WAS_LOCKED, $desc={Page Locked} One of the pages to lock was already locked.], 1073741850 = [$id=LOG_HARD_ERROR, $desc=Application popup: %1 : %2], 1073741851 = [$id=ALREADY_WIN32, $desc=A Win32 process already exists.], 1073741852 = [$id=WX86_UNSIMULATE, $desc=An exception status code that is used by the Win32 x86 emulation subsystem.], 1073741853 = [$id=WX86_CONTINUE, $desc=An exception status code that is used by the Win32 x86 emulation subsystem.], 1073741854 = [$id=WX86_SINGLE_STEP, $desc=An exception status code that is used by the Win32 x86 emulation subsystem.], 1073741855 = [$id=WX86_BREAKPOINT, $desc=An exception status code that is used by the Win32 x86 emulation subsystem.], 1073741856 = [$id=WX86_EXCEPTION_CONTINUE, $desc=An exception status code that is used by the Win32 x86 emulation subsystem.], 1073741857 = [$id=WX86_EXCEPTION_LASTCHANCE, $desc=An exception status code that is used by the Win32 x86 emulation subsystem.], 1073741858 = [$id=WX86_EXCEPTION_CHAIN, $desc=An exception status code that is used by the Win32 x86 emulation subsystem.], 1073741859 = [$id=IMAGE_MACHINE_TYPE_MISMATCH_EXE, $desc={Machine Type Mismatch} The image file %hs is valid but is for a machine type other than the current 
machine.], 1073741860 = [$id=NO_YIELD_PERFORMED, $desc=A yield execution was performed and no thread was available to run.], 1073741861 = [$id=TIMER_RESUME_IGNORED, $desc=The resume flag to a timer API was ignored.], 1073741862 = [$id=ARBITRATION_UNHANDLED, $desc=The arbiter has deferred arbitration of these resources to its parent.], 1073741863 = [$id=CARDBUS_NOT_SUPPORTED, $desc=The device has detected a CardBus card in its slot.], 1073741864 = [$id=WX86_CREATEWX86TIB, $desc=An exception status code that is used by the Win32 x86 emulation subsystem.], 1073741865 = [$id=MP_PROCESSOR_MISMATCH, $desc=The CPUs in this multiprocessor system are not all the same revision level. To use all processors, the operating system restricts itself to the features of the least capable processor in the system. If problems occur with this system, contact the CPU manufacturer to see if this mix of processors is supported.], 1073741866 = [$id=HIBERNATED, $desc=The system was put into hibernation.], 1073741867 = [$id=RESUME_HIBERNATION, $desc=The system was resumed from hibernation.], 1073741868 = [$id=FIRMWARE_UPDATED, $desc=0x4000002D<br />STATUS_DRIVERS_LEAKING_LOCKED_PAGES], 1073741870 = [$id=MESSAGE_RETRIEVED, $desc=The ALPC message being canceled has already been retrieved from the queue on the other side.], 1073741871 = [$id=SYSTEM_POWERSTATE_TRANSITION, $desc=The system power state is transitioning from %2 to %3.], 1073741872 = [$id=ALPC_CHECK_COMPLETION_LIST, $desc=The receive operation was successful. 
Check the ALPC completion list for the received message.], 1073741873 = [$id=SYSTEM_POWERSTATE_COMPLEX_TRANSITION, $desc=The system power state is transitioning from %2 to %3 but could enter %4.], 1073741874 = [$id=ACCESS_AUDIT_BY_POLICY, $desc=Access to %1 is monitored by policy rule %2.], 1073741875 = [$id=ABANDON_HIBERFILE, $desc=A valid hibernation file has been invalidated and should be abandoned.], 1073741876 = [$id=BIZRULES_NOT_ENABLED, $desc=Business rule scripts are disabled for the calling application.], 1073742484 = [$id=WAKE_SYSTEM, $desc=The system has awoken.], 1073742704 = [$id=DS_SHUTTING_DOWN, $desc=The directory service is shutting down.], 1073807361 = [$id=DBG_REPLY_LATER, $desc=Debugger will reply later.], 1073807362 = [$id=DBG_UNABLE_TO_PROVIDE_HANDLE, $desc=Debugger cannot provide a handle.], 1073807363 = [$id=DBG_TERMINATE_THREAD, $desc=Debugger terminated the thread.], 1073807364 = [$id=DBG_TERMINATE_PROCESS, $desc=Debugger terminated the process.], 1073807365 = [$id=DBG_CONTROL_C, $desc=Debugger obtained control of C.], 1073807366 = [$id=DBG_PRINTEXCEPTION_C, $desc=Debugger printed an exception on control C.], 1073807367 = [$id=DBG_RIPEXCEPTION, $desc=Debugger received a RIP exception.], 1073807368 = [$id=DBG_CONTROL_BREAK, $desc=Debugger received a control break.], 1073807369 = [$id=DBG_COMMAND_EXCEPTION, $desc=Debugger command communication exception.], 1073872982 = [$id=RPC_NT_UUID_LOCAL_ONLY, $desc=A UUID that is valid only on this computer has been allocated.], 1073873071 = [$id=RPC_NT_SEND_INCOMPLETE, $desc=Some data remains to be sent in the request buffer.], 1074397188 = [$id=CTX_CDM_CONNECT, $desc=The Client Drive Mapping Service has connected on Terminal Connection.], 1074397189 = [$id=CTX_CDM_DISCONNECT, $desc=The Client Drive Mapping Service has disconnected on Terminal Connection.], 1075118093 = [$id=SXS_RELEASE_ACTIVATION_CONTEXT, $desc=A kernel mode component is releasing a reference on an activation context.], 1075380276 = 
[$id=RECOVERY_NOT_NEEDED, $desc=The transactional resource manager is already consistent. Recovery is not needed.], 1075380277 = [$id=RM_ALREADY_STARTED, $desc=The transactional resource manager has already been started.], 1075445772 = [$id=LOG_NO_RESTART, $desc=The log service encountered a log stream with no restart area.], 1075511532 = [$id=VIDEO_DRIVER_DEBUG_REPORT_REQUEST, $desc={Display Driver Recovered From Failure} The %hs display driver has detected a failure and recovered from it. Some graphical operations may have failed. The next time you restart the machine, a dialog box appears, giving you an opportunity to upload data about this failure to Microsoft.], 1075707914 = [$id=GRAPHICS_PARTIAL_DATA_POPULATED, $desc=The specified buffer is not big enough to contain the entire requested dataset. Partial data is populated up to the size of the buffer.], 1075708183 = [$id=GRAPHICS_DRIVER_MISMATCH, $desc=The kernel driver detected a version mismatch between it and the user mode driver.], 1075708679 = [$id=GRAPHICS_MODE_NOT_PINNED, $desc=No mode is pinned on the specified VidPN source/target.], 1075708702 = [$id=GRAPHICS_NO_PREFERRED_MODE, $desc=The specified mode set does not specify a preference for one of its modes.], 1075708747 = [$id=GRAPHICS_DATASET_IS_EMPTY, $desc=The specified dataset (for example, mode set, frequency range set, descriptor set, or topology) is empty.], 1075708748 = [$id=GRAPHICS_NO_MORE_ELEMENTS_IN_DATASET, $desc=The specified dataset (for example, mode set, frequency range set, descriptor set, or topology) does not contain any more elements.], 1075708753 = [$id=GRAPHICS_PATH_CONTENT_GEOMETRY_TRANSFORMATION_NOT_PINNED, $desc=The specified content transformation is not pinned on the specified VidPN present path.], 1075708975 = [$id=GRAPHICS_UNKNOWN_CHILD_STATUS, $desc=The child device presence was not reliably detected.], 1075708983 = [$id=GRAPHICS_LEADLINK_START_DEFERRED, $desc=Starting the lead adapter in a linked configuration has been 
temporarily deferred.], 1075708985 = [$id=GRAPHICS_POLLING_TOO_FREQUENTLY, $desc=The display adapter is being polled for children too frequently at the same polling level.], 1075708986 = [$id=GRAPHICS_START_DEFERRED, $desc=Starting the adapter has been temporarily deferred.], 1076035585 = [$id=NDIS_INDICATION_REQUIRED, $desc=The request will be completed later by an NDIS status indication.], 2147483649 = [$id=GUARD_PAGE_VIOLATION, $desc={EXCEPTION} Guard Page Exception A page of memory that marks the end of a data structure, such as a stack or an array, has been accessed.], 2147483650 = [$id=DATATYPE_MISALIGNMENT, $desc={EXCEPTION} Alignment Fault A data type misalignment was detected in a load or store instruction.], 2147483651 = [$id=BREAKPOINT, $desc={EXCEPTION} Breakpoint A breakpoint has been reached.], 2147483652 = [$id=SINGLE_STEP, $desc={EXCEPTION} Single Step A single step or trace operation has just been completed.], 2147483653 = [$id=BUFFER_OVERFLOW, $desc={Buffer Overflow} The data was too large to fit into the specified buffer.], 2147483654 = [$id=NO_MORE_FILES, $desc={No More Files} No more files were found which match the file specification.], 2147483655 = [$id=WAKE_SYSTEM_DEBUGGER, $desc={Kernel Debugger Awakened} The system debugger was awakened by an interrupt.], 2147483658 = [$id=HANDLES_CLOSED, $desc={Handles Closed} Handles to objects have been automatically closed because of the requested operation.], 2147483659 = [$id=NO_INHERITANCE, $desc={Non-Inheritable ACL} An access control list (ACL) contains no components that can be inherited.], 2147483660 = [$id=GUID_SUBSTITUTION_MADE, $desc={GUID Substitution} During the translation of a globally unique identifier (GUID) to a Windows security ID (SID), no administratively defined GUID prefix was found. A substitute prefix was used, which will not compromise system security. 
However, this may provide a more restrictive access than intended.], 2147483661 = [$id=PARTIAL_COPY, $desc=Because of protection conflicts, not all the requested bytes could be copied.], 2147483662 = [$id=DEVICE_PAPER_EMPTY, $desc={Out of Paper} The printer is out of paper.], 2147483663 = [$id=DEVICE_POWERED_OFF, $desc={Device Power Is Off} The printer power has been turned off.], 2147483664 = [$id=DEVICE_OFF_LINE, $desc={Device Offline} The printer has been taken offline.], 2147483665 = [$id=DEVICE_BUSY, $desc={Device Busy} The device is currently busy.], 2147483666 = [$id=NO_MORE_EAS, $desc={No More EAs} No more extended attributes (EAs) were found for the file.], 2147483667 = [$id=INVALID_EA_NAME, $desc={Illegal EA} The specified extended attribute (EA) name contains at least one illegal character.], 2147483668 = [$id=EA_LIST_INCONSISTENT, $desc={Inconsistent EA List} The extended attribute (EA) list is inconsistent.], 2147483669 = [$id=INVALID_EA_FLAG, $desc={Invalid EA Flag} An invalid extended attribute (EA) flag was set.], 2147483670 = [$id=VERIFY_REQUIRED, $desc={Verifying Disk} The media has changed and a verify operation is in progress; therefore, no reads or writes may be performed to the device, except those that are used in the verify operation.], 2147483671 = [$id=EXTRANEOUS_INFORMATION, $desc={Too Much Information} The specified access control list (ACL) contained more information than was expected.], 2147483672 = [$id=RXACT_COMMIT_NECESSARY, $desc=This warning level status indicates that the transaction state already exists for the registry subtree, but that a transaction commit was previously aborted. 
The commit has NOT been completed but has not been rolled back either; therefore, it may still be committed, if needed.], 2147483674 = [$id=NO_MORE_ENTRIES, $desc={No More Entries} No more entries are available from an enumeration operation.], 2147483675 = [$id=FILEMARK_DETECTED, $desc={Filemark Found} A filemark was detected.], 2147483676 = [$id=MEDIA_CHANGED, $desc={Media Changed} The media may have changed.], 2147483677 = [$id=BUS_RESET, $desc={I/O Bus Reset} An I/O bus reset was detected.], 2147483678 = [$id=END_OF_MEDIA, $desc={End of Media} The end of the media was encountered.], 2147483679 = [$id=BEGINNING_OF_MEDIA, $desc=The beginning of a tape or partition has been detected.], 2147483680 = [$id=MEDIA_CHECK, $desc={Media Changed} The media may have changed.], 2147483681 = [$id=SETMARK_DETECTED, $desc=A tape access reached a set mark.], 2147483682 = [$id=NO_DATA_DETECTED, $desc=During a tape access, the end of the data written is reached.], 2147483683 = [$id=REDIRECTOR_HAS_OPEN_HANDLES, $desc=The redirector is in use and cannot be unloaded.], 2147483684 = [$id=SERVER_HAS_OPEN_HANDLES, $desc=The server is in use and cannot be unloaded.], 2147483685 = [$id=ALREADY_DISCONNECTED, $desc=The specified connection has already been disconnected.], 2147483686 = [$id=LONGJUMP, $desc=A long jump has been executed.], 2147483687 = [$id=CLEANER_CARTRIDGE_INSTALLED, $desc=A cleaner cartridge is present in the tape library.], 2147483688 = [$id=PLUGPLAY_QUERY_VETOED, $desc=The Plug and Play query operation was not successful.], 2147483689 = [$id=UNWIND_CONSOLIDATE, $desc=A frame consolidation has been executed.], 2147483690 = [$id=REGISTRY_HIVE_RECOVERED, $desc={Registry Hive Recovered} The registry hive (file): %hs was corrupted and it has been recovered. Some data might have been lost.], 2147483691 = [$id=DLL_MIGHT_BE_INSECURE, $desc=The application is attempting to run executable code from the module %hs. This may be insecure. An alternative, %hs, is available. 
Should the application use the secure module %hs?], 2147483692 = [$id=DLL_MIGHT_BE_INCOMPATIBLE, $desc=The application is loading executable code from the module %hs. This is secure but may be incompatible with previous releases of the operating system. An alternative, %hs, is available. Should the application use the secure module %hs?], 2147483693 = [$id=STOPPED_ON_SYMLINK, $desc=The create operation stopped after reaching a symbolic link.], 2147484296 = [$id=DEVICE_REQUIRES_CLEANING, $desc=The device has indicated that cleaning is necessary.], 2147484297 = [$id=DEVICE_DOOR_OPEN, $desc=The device has indicated that its door is open. Further operations require it closed and secured.], 2147485699 = [$id=DATA_LOST_REPAIR, $desc=0x80010001<br />DBG_EXCEPTION_NOT_HANDLED], 2148728833 = [$id=CLUSTER_NODE_ALREADY_UP, $desc=The cluster node is already up.], 2148728834 = [$id=CLUSTER_NODE_ALREADY_DOWN, $desc=The cluster node is already down.], 2148728835 = [$id=CLUSTER_NETWORK_ALREADY_ONLINE, $desc=The cluster network is already online.], 2148728836 = [$id=CLUSTER_NETWORK_ALREADY_OFFLINE, $desc=The cluster network is already offline.], 2148728837 = [$id=CLUSTER_NODE_ALREADY_MEMBER, $desc=The cluster node is already a member of the cluster.], 2149122057 = [$id=COULD_NOT_RESIZE_LOG, $desc=The log could not be set to the requested size.], 2149122089 = [$id=NO_TXF_METADATA, $desc=There is no transaction metadata on the file.], 2149122097 = [$id=CANT_RECOVER_WITH_HANDLE_OPEN, $desc=The file cannot be recovered because there is a handle still open on it.], 2149122113 = [$id=TXF_METADATA_ALREADY_PRESENT, $desc=Transaction metadata is already present on this file and cannot be superseded.], 2149122114 = [$id=TRANSACTION_SCOPE_CALLBACKS_NOT_SET, $desc=A transaction scope could not be entered because the scope handler has not been initialized.], 2149253355 = [$id=VIDEO_HUNG_DISPLAY_DRIVER_THREAD_RECOVERED, $desc={Display Driver Stopped Responding and recovered} The %hs display 
driver has stopped working normally. The recovery had been performed.], 2149318657 = [$id=FLT_BUFFER_TOO_SMALL, $desc={Buffer too small} The buffer is too small to contain the entry. No information has been written to the buffer.], 2149646337 = [$id=FVE_PARTIAL_METADATA, $desc=Volume metadata read or write is incomplete.], 2149646338 = [$id=FVE_TRANSIENT_STATE, $desc=BitLocker encryption keys were ignored because the volume was in a transient state.], 3221225473 = [$id=UNSUCCESSFUL, $desc={Operation Failed} The requested operation was unsuccessful.], 3221225474 = [$id=NOT_IMPLEMENTED, $desc={Not Implemented} The requested operation is not implemented.], 3221225475 = [$id=INVALID_INFO_CLASS, $desc={Invalid Parameter} The specified information class is not a valid information class for the specified object.], 3221225476 = [$id=INFO_LENGTH_MISMATCH, $desc=The specified information record length does not match the length that is required for the specified information class.], 3221225477 = [$id=ACCESS_VIOLATION, $desc=The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.], 3221225478 = [$id=IN_PAGE_ERROR, $desc=The instruction at 0x%08lx referenced memory at 0x%08lx. 
The required data was not placed into memory because of an I/O error status of 0x%08lx.], 3221225479 = [$id=PAGEFILE_QUOTA, $desc=The page file quota for the process has been exhausted.], 3221225480 = [$id=INVALID_HANDLE, $desc=An invalid HANDLE was specified.], 3221225481 = [$id=BAD_INITIAL_STACK, $desc=An invalid initial stack was specified in a call to NtCreateThread.], 3221225482 = [$id=BAD_INITIAL_PC, $desc=An invalid initial start address was specified in a call to NtCreateThread.], 3221225483 = [$id=INVALID_CID, $desc=An invalid client ID was specified.], 3221225484 = [$id=TIMER_NOT_CANCELED, $desc=An attempt was made to cancel or set a timer that has an associated APC and the specified thread is not the thread that originally set the timer with an associated APC routine.], 3221225485 = [$id=INVALID_PARAMETER, $desc=An invalid parameter was passed to a service or function.], 3221225486 = [$id=NO_SUCH_DEVICE, $desc=A device that does not exist was specified.], 3221225487 = [$id=NO_SUCH_FILE, $desc={File Not Found} The file %hs does not exist.], 3221225488 = [$id=INVALID_DEVICE_REQUEST, $desc=The specified request is not a valid operation for the target device.], 3221225489 = [$id=END_OF_FILE, $desc=The end-of-file marker has been reached. There is no valid data in the file beyond this marker.], 3221225490 = [$id=WRONG_VOLUME, $desc={Wrong Volume} The wrong volume is in the drive. Insert volume %hs into drive %hs.], 3221225491 = [$id=NO_MEDIA_IN_DEVICE, $desc={No Disk} There is no disk in the drive. Insert a disk into drive %hs.], 3221225492 = [$id=UNRECOGNIZED_MEDIA, $desc={Unknown Disk Format} The disk in drive %hs is not formatted properly. 
Check the disk, and reformat it, if needed.], 3221225493 = [$id=NONEXISTENT_SECTOR, $desc={Sector Not Found} The specified sector does not exist.], 3221225494 = [$id=MORE_PROCESSING_REQUIRED, $desc={Still Busy} The specified I/O request packet (IRP) cannot be disposed of because the I/O operation is not complete.], 3221225495 = [$id=NO_MEMORY, $desc={Not Enough Quota} Not enough virtual memory or paging file quota is available to complete the specified operation.], 3221225496 = [$id=CONFLICTING_ADDRESSES, $desc={Conflicting Address Range} The specified address range conflicts with the address space.], 3221225497 = [$id=NOT_MAPPED_VIEW, $desc=The address range to unmap is not a mapped view.], 3221225498 = [$id=UNABLE_TO_FREE_VM, $desc=The virtual memory cannot be freed.], 3221225499 = [$id=UNABLE_TO_DELETE_SECTION, $desc=The specified section cannot be deleted.], 3221225500 = [$id=INVALID_SYSTEM_SERVICE, $desc=An invalid system service was specified in a system service call.], 3221225501 = [$id=ILLEGAL_INSTRUCTION, $desc={EXCEPTION} Illegal Instruction An attempt was made to execute an illegal instruction.], 3221225502 = [$id=INVALID_LOCK_SEQUENCE, $desc={Invalid Lock Sequence} An attempt was made to execute an invalid lock sequence.], 3221225503 = [$id=INVALID_VIEW_SIZE, $desc={Invalid Mapping} An attempt was made to create a view for a section that is bigger than the section.], 3221225504 = [$id=INVALID_FILE_FOR_SECTION, $desc={Bad File} The attributes of the specified mapping file for a section of memory cannot be read.], 3221225505 = [$id=ALREADY_COMMITTED, $desc={Already Committed} The specified address range is already committed.], 3221225506 = [$id=ACCESS_DENIED, $desc={Access Denied} A process has requested access to an object but has not been granted those access rights.], 3221225507 = [$id=BUFFER_TOO_SMALL, $desc={Buffer Too Small} The buffer is too small to contain the entry. 
No information has been written to the buffer.], 3221225508 = [$id=OBJECT_TYPE_MISMATCH, $desc={Wrong Type} There is a mismatch between the type of object that is required by the requested operation and the type of object that is specified in the request.], 3221225509 = [$id=NONCONTINUABLE_EXCEPTION, $desc={EXCEPTION} Cannot Continue Windows cannot continue from this exception.], 3221225510 = [$id=INVALID_DISPOSITION, $desc=An invalid exception disposition was returned by an exception handler.], 3221225511 = [$id=UNWIND, $desc=Unwind exception code.], 3221225512 = [$id=BAD_STACK, $desc=An invalid or unaligned stack was encountered during an unwind operation.], 3221225513 = [$id=INVALID_UNWIND_TARGET, $desc=An invalid unwind target was encountered during an unwind operation.], 3221225514 = [$id=NOT_LOCKED, $desc=An attempt was made to unlock a page of memory that was not locked.], 3221225515 = [$id=PARITY_ERROR, $desc=A device parity error on an I/O operation.], 3221225516 = [$id=UNABLE_TO_DECOMMIT_VM, $desc=An attempt was made to decommit uncommitted virtual memory.], 3221225517 = [$id=NOT_COMMITTED, $desc=An attempt was made to change the attributes on memory that has not been committed.], 3221225518 = [$id=INVALID_PORT_ATTRIBUTES, $desc=Invalid object attributes specified to NtCreatePort or invalid port attributes specified to NtConnectPort.], 3221225519 = [$id=PORT_MESSAGE_TOO_LONG, $desc=The length of the message that was passed to NtRequestPort or NtRequestWaitReplyPort is longer than the maximum message that is allowed by the port.], 3221225520 = [$id=INVALID_PARAMETER_MIX, $desc=An invalid combination of parameters was specified.], 3221225521 = [$id=INVALID_QUOTA_LOWER, $desc=An attempt was made to lower a quota limit below the current usage.], 3221225522 = [$id=DISK_CORRUPT_ERROR, $desc={Corrupt Disk} The file system structure on the disk is corrupt and unusable. 
Run the Chkdsk utility on the volume %hs.], 3221225523 = [$id=OBJECT_NAME_INVALID, $desc=The object name is invalid.], 3221225524 = [$id=OBJECT_NAME_NOT_FOUND, $desc=The object name is not found.], 3221225525 = [$id=OBJECT_NAME_COLLISION, $desc=The object name already exists.], 3221225527 = [$id=PORT_DISCONNECTED, $desc=An attempt was made to send a message to a disconnected communication port.], 3221225528 = [$id=DEVICE_ALREADY_ATTACHED, $desc=An attempt was made to attach to a device that was already attached to another device.], 3221225529 = [$id=OBJECT_PATH_INVALID, $desc=The object path component was not a directory object.], 3221225530 = [$id=OBJECT_PATH_NOT_FOUND, $desc={Path Not Found} The path %hs does not exist.], 3221225531 = [$id=OBJECT_PATH_SYNTAX_BAD, $desc=The object path component was not a directory object.], 3221225532 = [$id=DATA_OVERRUN, $desc={Data Overrun} A data overrun error occurred.], 3221225533 = [$id=DATA_LATE_ERROR, $desc={Data Late} A data late error occurred.], 3221225534 = [$id=DATA_ERROR, $desc={Data Error} An error occurred in reading or writing data.], 3221225535 = [$id=CRC_ERROR, $desc={Bad CRC} A cyclic redundancy check (CRC) checksum error occurred.], 3221225536 = [$id=SECTION_TOO_BIG, $desc={Section Too Large} The specified section is too big to map the file.], 3221225537 = [$id=PORT_CONNECTION_REFUSED, $desc=The NtConnectPort request is refused.], 3221225538 = [$id=INVALID_PORT_HANDLE, $desc=The type of port handle is invalid for the operation that is requested.], 3221225539 = [$id=SHARING_VIOLATION, $desc=A file cannot be opened because the share access flags are incompatible.], 3221225540 = [$id=QUOTA_EXCEEDED, $desc=Insufficient quota exists to complete the operation.], 3221225541 = [$id=INVALID_PAGE_PROTECTION, $desc=The specified page protection was not valid.], 3221225542 = [$id=MUTANT_NOT_OWNED, $desc=An attempt to release a mutant object was made by a thread that was not the owner of the mutant object.], 3221225543 = 
[$id=SEMAPHORE_LIMIT_EXCEEDED, $desc=An attempt was made to release a semaphore such that its maximum count would have been exceeded.], 3221225544 = [$id=PORT_ALREADY_SET, $desc=An attempt was made to set the DebugPort or ExceptionPort of a process, but a port already exists in the process, or an attempt was made to set the CompletionPort of a file but a port was already set in the file, or an attempt was made to set the associated completion port of an ALPC port but it is already set.], 3221225545 = [$id=SECTION_NOT_IMAGE, $desc=An attempt was made to query image information on a section that does not map an image.], 3221225546 = [$id=SUSPEND_COUNT_EXCEEDED, $desc=An attempt was made to suspend a thread whose suspend count was at its maximum.], 3221225547 = [$id=THREAD_IS_TERMINATING, $desc=An attempt was made to suspend a thread that has begun termination.], 3221225548 = [$id=BAD_WORKING_SET_LIMIT, $desc=An attempt was made to set the working set limit to an invalid value (for example, the minimum greater than maximum).], 3221225549 = [$id=INCOMPATIBLE_FILE_MAP, $desc=A section was created to map a file that is not compatible with an already existing section that maps the same file.], 3221225550 = [$id=SECTION_PROTECTION, $desc=A view to a section specifies a protection that is incompatible with the protection of the initial view.], 3221225551 = [$id=EAS_NOT_SUPPORTED, $desc=An operation involving EAs failed because the file system does not support EAs.], 3221225552 = [$id=EA_TOO_LARGE, $desc=An EA operation failed because the EA set is too large.], 3221225553 = [$id=NONEXISTENT_EA_ENTRY, $desc=An EA operation failed because the name or EA index is invalid.], 3221225554 = [$id=NO_EAS_ON_FILE, $desc=The file for which EAs were requested has no EAs.], 3221225555 = [$id=EA_CORRUPT_ERROR, $desc=The EA is corrupt and cannot be read.], 3221225556 = [$id=FILE_LOCK_CONFLICT, $desc=A requested read/write cannot be granted due to a conflicting file lock.], 3221225557 = 
[$id=LOCK_NOT_GRANTED, $desc=A requested file lock cannot be granted due to other existing locks.], 3221225558 = [$id=DELETE_PENDING, $desc=A non-close operation has been requested of a file object that has a delete pending.], 3221225559 = [$id=CTL_FILE_NOT_SUPPORTED, $desc=An attempt was made to set the control attribute on a file. This attribute is not supported in the destination file system.], 3221225560 = [$id=UNKNOWN_REVISION, $desc=Indicates a revision number that was encountered or specified is not one that is known by the service. It may be a more recent revision than the service is aware of.], 3221225561 = [$id=REVISION_MISMATCH, $desc=Indicates that two revision levels are incompatible.], 3221225562 = [$id=INVALID_OWNER, $desc=Indicates a particular security ID may not be assigned as the owner of an object.], 3221225563 = [$id=INVALID_PRIMARY_GROUP, $desc=Indicates a particular security ID may not be assigned as the primary group of an object.], 3221225564 = [$id=NO_IMPERSONATION_TOKEN, $desc=An attempt has been made to operate on an impersonation token by a thread that is not currently impersonating a client.], 3221225565 = [$id=CANT_DISABLE_MANDATORY, $desc=A mandatory group may not be disabled.], 3221225566 = [$id=NO_LOGON_SERVERS, $desc=No logon servers are currently available to service the logon request.], 3221225567 = [$id=NO_SUCH_LOGON_SESSION, $desc=A specified logon session does not exist. 
It may already have been terminated.], 3221225568 = [$id=NO_SUCH_PRIVILEGE, $desc=A specified privilege does not exist.], 3221225569 = [$id=PRIVILEGE_NOT_HELD, $desc=A required privilege is not held by the client.], 3221225570 = [$id=INVALID_ACCOUNT_NAME, $desc=The name provided is not a properly formed account name.], 3221225571 = [$id=USER_EXISTS, $desc=The specified account already exists.], 3221225572 = [$id=NO_SUCH_USER, $desc=The specified account does not exist.], 3221225573 = [$id=GROUP_EXISTS, $desc=The specified group already exists.], 3221225574 = [$id=NO_SUCH_GROUP, $desc=The specified group does not exist.], 3221225575 = [$id=MEMBER_IN_GROUP, $desc=The specified user account is already in the specified group account. Also used to indicate a group cannot be deleted because it contains a member.], 3221225576 = [$id=MEMBER_NOT_IN_GROUP, $desc=The specified user account is not a member of the specified group account.], 3221225577 = [$id=LAST_ADMIN, $desc=Indicates the requested operation would disable or delete the last remaining administration account. This is not allowed to prevent creating a situation in which the system cannot be administrated.], 3221225578 = [$id=WRONG_PASSWORD, $desc=When trying to update a password, this return status indicates that the value provided as the current password is not correct.], 3221225579 = [$id=ILL_FORMED_PASSWORD, $desc=When trying to update a password, this return status indicates that the value provided for the new password contains values that are not allowed in passwords.], 3221225580 = [$id=PASSWORD_RESTRICTION, $desc=When trying to update a password, this status indicates that some password update rule has been violated. For example, the password may not meet length criteria.], 3221225581 = [$id=LOGON_FAILURE, $desc=The attempted logon is invalid. 
This is either due to a bad username or authentication information.], 3221225582 = [$id=ACCOUNT_RESTRICTION, $desc=Indicates a referenced user name and authentication information are valid, but some user account restriction has prevented successful authentication (such as time-of-day restrictions).], 3221225583 = [$id=INVALID_LOGON_HOURS, $desc=The user account has time restrictions and may not be logged onto at this time.], 3221225584 = [$id=INVALID_WORKSTATION, $desc=The user account is restricted so that it may not be used to log on from the source workstation.], 3221225585 = [$id=PASSWORD_EXPIRED, $desc=The user account password has expired.], 3221225586 = [$id=ACCOUNT_DISABLED, $desc=The referenced account is currently disabled and may not be logged on to.], 3221225587 = [$id=NONE_MAPPED, $desc=None of the information to be translated has been translated.], 3221225588 = [$id=TOO_MANY_LUIDS_REQUESTED, $desc=The number of LUIDs requested may not be allocated with a single allocation.], 3221225589 = [$id=LUIDS_EXHAUSTED, $desc=Indicates there are no more LUIDs to allocate.], 3221225590 = [$id=INVALID_SUB_AUTHORITY, $desc=Indicates the sub-authority value is invalid for the particular use.], 3221225591 = [$id=INVALID_ACL, $desc=Indicates the ACL structure is not valid.], 3221225592 = [$id=INVALID_SID, $desc=Indicates the SID structure is not valid.], 3221225593 = [$id=INVALID_SECURITY_DESCR, $desc=Indicates the SECURITY_DESCRIPTOR structure is not valid.], 3221225594 = [$id=PROCEDURE_NOT_FOUND, $desc=Indicates the specified procedure address cannot be found in the DLL.], 3221225595 = [$id=INVALID_IMAGE_FORMAT, $desc={Bad Image} %hs is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support.], 3221225596 = [$id=NO_TOKEN, $desc=An attempt was made to reference a token that does not exist. 
This is typically done by referencing the token that is associated with a thread when the thread is not impersonating a client.], 3221225597 = [$id=BAD_INHERITANCE_ACL, $desc=Indicates that an attempt to build either an inherited ACL or ACE was not successful. This can be caused by a number of things. One of the more probable causes is the replacement of a CreatorId with a SID that did not fit into the ACE or ACL.], 3221225598 = [$id=RANGE_NOT_LOCKED, $desc=The range specified in NtUnlockFile was not locked.], 3221225599 = [$id=DISK_FULL, $desc=An operation failed because the disk was full.], 3221225600 = [$id=SERVER_DISABLED, $desc=The GUID allocation server is disabled at the moment.], 3221225601 = [$id=SERVER_NOT_DISABLED, $desc=The GUID allocation server is enabled at the moment.], 3221225602 = [$id=TOO_MANY_GUIDS_REQUESTED, $desc=Too many GUIDs were requested from the allocation server at once.], 3221225603 = [$id=GUIDS_EXHAUSTED, $desc=The GUIDs could not be allocated because the Authority Agent was exhausted.], 3221225604 = [$id=INVALID_ID_AUTHORITY, $desc=The value provided was an invalid value for an identifier authority.], 3221225605 = [$id=AGENTS_EXHAUSTED, $desc=No more authority agent values are available for the particular identifier authority value.], 3221225606 = [$id=INVALID_VOLUME_LABEL, $desc=An invalid volume label has been specified.], 3221225607 = [$id=SECTION_NOT_EXTENDED, $desc=A mapped section could not be extended.], 3221225608 = [$id=NOT_MAPPED_DATA, $desc=Specified section to flush does not map a data file.], 3221225609 = [$id=RESOURCE_DATA_NOT_FOUND, $desc=Indicates the specified image file did not contain a resource section.], 3221225610 = [$id=RESOURCE_TYPE_NOT_FOUND, $desc=Indicates the specified resource type cannot be found in the image file.], 3221225611 = [$id=RESOURCE_NAME_NOT_FOUND, $desc=Indicates the specified resource name cannot be found in the image file.], 3221225612 = [$id=ARRAY_BOUNDS_EXCEEDED, $desc={EXCEPTION} Array 
bounds exceeded.], 3221225613 = [$id=FLOAT_DENORMAL_OPERAND, $desc={EXCEPTION} Floating-point denormal operand.], 3221225614 = [$id=FLOAT_DIVIDE_BY_ZERO, $desc={EXCEPTION} Floating-point division by zero.], 3221225615 = [$id=FLOAT_INEXACT_RESULT, $desc={EXCEPTION} Floating-point inexact result.], 3221225616 = [$id=FLOAT_INVALID_OPERATION, $desc={EXCEPTION} Floating-point invalid operation.], 3221225617 = [$id=FLOAT_OVERFLOW, $desc={EXCEPTION} Floating-point overflow.], 3221225618 = [$id=FLOAT_STACK_CHECK, $desc={EXCEPTION} Floating-point stack check.], 3221225619 = [$id=FLOAT_UNDERFLOW, $desc={EXCEPTION} Floating-point underflow.], 3221225620 = [$id=INTEGER_DIVIDE_BY_ZERO, $desc={EXCEPTION} Integer division by zero.], 3221225621 = [$id=INTEGER_OVERFLOW, $desc={EXCEPTION} Integer overflow.], 3221225622 = [$id=PRIVILEGED_INSTRUCTION, $desc={EXCEPTION} Privileged instruction.], 3221225623 = [$id=TOO_MANY_PAGING_FILES, $desc=An attempt was made to install more paging files than the system supports.], 3221225624 = [$id=FILE_INVALID, $desc=The volume for a file has been externally altered such that the opened file is no longer valid.], 3221225625 = [$id=ALLOTTED_SPACE_EXCEEDED, $desc=When a block of memory is allotted for future updates, such as the memory allocated to hold discretionary access control and primary group information, successive updates may exceed the amount of memory originally allotted. Because a quota may already have been charged to several processes that have handles to the object, it is not reasonable to alter the size of the allocated memory. 
Instead, a request that requires more memory than has been allotted must fail and the STATUS_ALLOTTED_SPACE_EXCEEDED error returned.], 3221225626 = [$id=INSUFFICIENT_RESOURCES, $desc=Insufficient system resources exist to complete the API.], 3221225627 = [$id=DFS_EXIT_PATH_FOUND, $desc=An attempt has been made to open a DFS exit path control file.], 3221225628 = [$id=DEVICE_DATA_ERROR, $desc=There are bad blocks (sectors) on the hard disk.], 3221225629 = [$id=DEVICE_NOT_CONNECTED, $desc=There is bad cabling, non-termination, or the controller is not able to obtain access to the hard disk.], 3221225631 = [$id=FREE_VM_NOT_AT_BASE, $desc=Virtual memory cannot be freed because the base address is not the base of the region and a region size of zero was specified.], 3221225632 = [$id=MEMORY_NOT_ALLOCATED, $desc=An attempt was made to free virtual memory that is not allocated.], 3221225633 = [$id=WORKING_SET_QUOTA, $desc=The working set is not big enough to allow the requested pages to be locked.], 3221225634 = [$id=MEDIA_WRITE_PROTECTED, $desc={Write Protect Error} The disk cannot be written to because it is write-protected. Remove the write protection from the volume %hs in drive %hs.], 3221225635 = [$id=DEVICE_NOT_READY, $desc={Drive Not Ready} The drive is not ready for use; its door may be open. Check drive %hs and make sure that a disk is inserted and that the drive door is closed.], 3221225636 = [$id=INVALID_GROUP_ATTRIBUTES, $desc=The specified attributes are invalid or are incompatible with the attributes for the group as a whole.], 3221225637 = [$id=BAD_IMPERSONATION_LEVEL, $desc=A specified impersonation level is invalid. Also used to indicate that a required impersonation level was not provided.], 3221225638 = [$id=CANT_OPEN_ANONYMOUS, $desc=An attempt was made to open an anonymous-level token. 
Anonymous tokens may not be opened.], 3221225639 = [$id=BAD_VALIDATION_CLASS, $desc=The validation information class requested was invalid.], 3221225640 = [$id=BAD_TOKEN_TYPE, $desc=The type of a token object is inappropriate for its attempted use.], 3221225641 = [$id=BAD_MASTER_BOOT_RECORD, $desc=The type of a token object is inappropriate for its attempted use.], 3221225642 = [$id=INSTRUCTION_MISALIGNMENT, $desc=An attempt was made to execute an instruction at an unaligned address and the host system does not support unaligned instruction references.], 3221225643 = [$id=INSTANCE_NOT_AVAILABLE, $desc=The maximum named pipe instance count has been reached.], 3221225644 = [$id=PIPE_NOT_AVAILABLE, $desc=An instance of a named pipe cannot be found in the listening state.], 3221225645 = [$id=INVALID_PIPE_STATE, $desc=The named pipe is not in the connected or closing state.], 3221225646 = [$id=PIPE_BUSY, $desc=The specified pipe is set to complete operations and there are current I/O operations queued so that it cannot be changed to queue operations.], 3221225647 = [$id=ILLEGAL_FUNCTION, $desc=The specified handle is not open to the server end of the named pipe.], 3221225648 = [$id=PIPE_DISCONNECTED, $desc=The specified named pipe is in the disconnected state.], 3221225649 = [$id=PIPE_CLOSING, $desc=The specified named pipe is in the closing state.], 3221225650 = [$id=PIPE_CONNECTED, $desc=The specified named pipe is in the connected state.], 3221225651 = [$id=PIPE_LISTENING, $desc=The specified named pipe is in the listening state.], 3221225652 = [$id=INVALID_READ_MODE, $desc=The specified named pipe is not in message mode.], 3221225653 = [$id=IO_TIMEOUT, $desc={Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.], 3221225654 = [$id=FILE_FORCED_CLOSED, $desc=The specified file has been closed by another process.], 3221225655 = [$id=PROFILING_NOT_STARTED, $desc=Profiling is not started.], 3221225656 = 
[$id=PROFILING_NOT_STOPPED, $desc=Profiling is not stopped.], 3221225657 = [$id=COULD_NOT_INTERPRET, $desc=The passed ACL did not contain the minimum required information.], 3221225658 = [$id=FILE_IS_A_DIRECTORY, $desc=The file that was specified as a target is a directory, and the caller specified that it could be anything but a directory.], 3221225659 = [$id=NOT_SUPPORTED, $desc=The request is not supported.], 3221225660 = [$id=REMOTE_NOT_LISTENING, $desc=This remote computer is not listening.], 3221225661 = [$id=DUPLICATE_NAME, $desc=A duplicate name exists on the network.], 3221225662 = [$id=BAD_NETWORK_PATH, $desc=The network path cannot be located.], 3221225663 = [$id=NETWORK_BUSY, $desc=The network is busy.], 3221225664 = [$id=DEVICE_DOES_NOT_EXIST, $desc=This device does not exist.], 3221225665 = [$id=TOO_MANY_COMMANDS, $desc=The network BIOS command limit has been reached.], 3221225666 = [$id=ADAPTER_HARDWARE_ERROR, $desc=An I/O adapter hardware error has occurred.], 3221225667 = [$id=INVALID_NETWORK_RESPONSE, $desc=The network responded incorrectly.], 3221225668 = [$id=UNEXPECTED_NETWORK_ERROR, $desc=An unexpected network error occurred.], 3221225669 = [$id=BAD_REMOTE_ADAPTER, $desc=The remote adapter is not compatible.], 3221225670 = [$id=PRINT_QUEUE_FULL, $desc=The print queue is full.], 3221225671 = [$id=NO_SPOOL_SPACE, $desc=Space to store the file that is waiting to be printed is not available on the server.], 3221225672 = [$id=PRINT_CANCELLED, $desc=The requested print file has been canceled.], 3221225673 = [$id=NETWORK_NAME_DELETED, $desc=The network name was deleted.], 3221225674 = [$id=NETWORK_ACCESS_DENIED, $desc=Network access is denied.], 3221225675 = [$id=BAD_DEVICE_TYPE, $desc={Incorrect Network Resource Type} The specified device type (LPT, for example) conflicts with the actual device type on the remote resource.], 3221225676 = [$id=BAD_NETWORK_NAME, $desc={Network Name Not Found} The specified share name cannot be found on the remote 
server.], 3221225677 = [$id=TOO_MANY_NAMES, $desc=The name limit for the network adapter card of the local computer was exceeded.], 3221225678 = [$id=TOO_MANY_SESSIONS, $desc=The network BIOS session limit was exceeded.], 3221225679 = [$id=SHARING_PAUSED, $desc=File sharing has been temporarily paused.], 3221225680 = [$id=REQUEST_NOT_ACCEPTED, $desc=No more connections can be made to this remote computer at this time because the computer has already accepted the maximum number of connections.], 3221225681 = [$id=REDIRECTOR_PAUSED, $desc=Print or disk redirection is temporarily paused.], 3221225682 = [$id=NET_WRITE_FAULT, $desc=A network data fault occurred.], 3221225683 = [$id=PROFILING_AT_LIMIT, $desc=The number of active profiling objects is at the maximum and no more may be started.], 3221225684 = [$id=NOT_SAME_DEVICE, $desc={Incorrect Volume} The destination file of a rename request is located on a different device than the source of the rename request.], 3221225685 = [$id=FILE_RENAMED, $desc=The specified file has been renamed and thus cannot be modified.], 3221225686 = [$id=VIRTUAL_CIRCUIT_CLOSED, $desc={Network Request Timeout} The session with a remote server has been disconnected because the time-out interval for a request has expired.], 3221225687 = [$id=NO_SECURITY_ON_OBJECT, $desc=Indicates an attempt was made to operate on the security of an object that does not have security associated with it.], 3221225688 = [$id=CANT_WAIT, $desc=Used to indicate that an operation cannot continue without blocking for I/O.], 3221225689 = [$id=PIPE_EMPTY, $desc=Used to indicate that a read operation was done on an empty pipe.], 3221225690 = [$id=CANT_ACCESS_DOMAIN_INFO, $desc=Configuration information could not be read from the domain controller, either because the machine is unavailable or access has been denied.], 3221225691 = [$id=CANT_TERMINATE_SELF, $desc=Indicates that a thread attempted to terminate itself by default (called NtTerminateThread with NULL) and it 
was the last thread in the current process.], 3221225692 = [$id=INVALID_SERVER_STATE, $desc=Indicates the Sam Server was in the wrong state to perform the desired operation.], 3221225693 = [$id=INVALID_DOMAIN_STATE, $desc=Indicates the domain was in the wrong state to perform the desired operation.], 3221225694 = [$id=INVALID_DOMAIN_ROLE, $desc=This operation is only allowed for the primary domain controller of the domain.], 3221225695 = [$id=NO_SUCH_DOMAIN, $desc=The specified domain did not exist.], 3221225696 = [$id=DOMAIN_EXISTS, $desc=The specified domain already exists.], 3221225697 = [$id=DOMAIN_LIMIT_EXCEEDED, $desc=An attempt was made to exceed the limit on the number of domains per server for this release.], 3221225698 = [$id=OPLOCK_NOT_GRANTED, $desc=An error status returned when the opportunistic lock (oplock) request is denied.], 3221225699 = [$id=INVALID_OPLOCK_PROTOCOL, $desc=An error status returned when an invalid opportunistic lock (oplock) acknowledgment is received by a file system.], 3221225700 = [$id=INTERNAL_DB_CORRUPTION, $desc=This error indicates that the requested operation cannot be completed due to a catastrophic media failure or an on-disk data structure corruption.], 3221225701 = [$id=INTERNAL_ERROR, $desc=An internal error occurred.], 3221225702 = [$id=GENERIC_NOT_MAPPED, $desc=Indicates generic access types were contained in an access mask which should already be mapped to non-generic access types.], 3221225703 = [$id=BAD_DESCRIPTOR_FORMAT, $desc=Indicates a security descriptor is not in the necessary format (absolute or self-relative).], 3221225704 = [$id=INVALID_USER_BUFFER, $desc=An access to a user buffer failed at an expected point in time. 
This code is defined because the caller does not want to accept STATUS_ACCESS_VIOLATION in its filter.], 3221225705 = [$id=UNEXPECTED_IO_ERROR, $desc=If an I/O error that is not defined in the standard FsRtl filter is returned, it is converted to the following error, which is guaranteed to be in the filter. In this case, information is lost; however, the filter correctly handles the exception.], 3221225706 = [$id=UNEXPECTED_MM_CREATE_ERR, $desc=If an MM error that is not defined in the standard FsRtl filter is returned, it is converted to one of the following errors, which are guaranteed to be in the filter. In this case, information is lost; however, the filter correctly handles the exception.], 3221225707 = [$id=UNEXPECTED_MM_MAP_ERROR, $desc=If an MM error that is not defined in the standard FsRtl filter is returned, it is converted to one of the following errors, which are guaranteed to be in the filter. In this case, information is lost; however, the filter correctly handles the exception.], 3221225708 = [$id=UNEXPECTED_MM_EXTEND_ERR, $desc=If an MM error that is not defined in the standard FsRtl filter is returned, it is converted to one of the following errors, which are guaranteed to be in the filter. In this case, information is lost; however, the filter correctly handles the exception.], 3221225709 = [$id=NOT_LOGON_PROCESS, $desc=The requested action is restricted for use by logon processes only. 
The calling process has not registered as a logon process.], 3221225710 = [$id=LOGON_SESSION_EXISTS, $desc=An attempt has been made to start a new session manager or LSA logon session by using an ID that is already in use.], 3221225711 = [$id=INVALID_PARAMETER_1, $desc=An invalid parameter was passed to a service or function as the first argument.], 3221225712 = [$id=INVALID_PARAMETER_2, $desc=An invalid parameter was passed to a service or function as the second argument.], 3221225713 = [$id=INVALID_PARAMETER_3, $desc=An invalid parameter was passed to a service or function as the third argument.], 3221225714 = [$id=INVALID_PARAMETER_4, $desc=An invalid parameter was passed to a service or function as the fourth argument.], 3221225715 = [$id=INVALID_PARAMETER_5, $desc=An invalid parameter was passed to a service or function as the fifth argument.], 3221225716 = [$id=INVALID_PARAMETER_6, $desc=An invalid parameter was passed to a service or function as the sixth argument.], 3221225717 = [$id=INVALID_PARAMETER_7, $desc=An invalid parameter was passed to a service or function as the seventh argument.], 3221225718 = [$id=INVALID_PARAMETER_8, $desc=An invalid parameter was passed to a service or function as the eighth argument.], 3221225719 = [$id=INVALID_PARAMETER_9, $desc=An invalid parameter was passed to a service or function as the ninth argument.], 3221225720 = [$id=INVALID_PARAMETER_10, $desc=An invalid parameter was passed to a service or function as the tenth argument.], 3221225721 = [$id=INVALID_PARAMETER_11, $desc=An invalid parameter was passed to a service or function as the eleventh argument.], 3221225722 = [$id=INVALID_PARAMETER_12, $desc=An invalid parameter was passed to a service or function as the twelfth argument.], 3221225723 = [$id=REDIRECTOR_NOT_STARTED, $desc=An attempt was made to access a network file, but the network software was not yet started.], 3221225724 = [$id=REDIRECTOR_STARTED, $desc=An attempt was made to start the redirector, but 
the redirector has already been started.], 3221225725 = [$id=STACK_OVERFLOW, $desc=A new guard page for the stack cannot be created.], 3221225726 = [$id=NO_SUCH_PACKAGE, $desc=A specified authentication package is unknown.], 3221225727 = [$id=BAD_FUNCTION_TABLE, $desc=A malformed function table was encountered during an unwind operation.], 3221225728 = [$id=VARIABLE_NOT_FOUND, $desc=Indicates the specified environment variable name was not found in the specified environment block.], 3221225729 = [$id=DIRECTORY_NOT_EMPTY, $desc=Indicates that the directory trying to be deleted is not empty.], 3221225730 = [$id=FILE_CORRUPT_ERROR, $desc={Corrupt File} The file or directory %hs is corrupt and unreadable. Run the Chkdsk utility.], 3221225731 = [$id=NOT_A_DIRECTORY, $desc=A requested opened file is not a directory.], 3221225732 = [$id=BAD_LOGON_SESSION_STATE, $desc=The logon session is not in a state that is consistent with the requested operation.], 3221225733 = [$id=LOGON_SESSION_COLLISION, $desc=An internal LSA error has occurred. 
An authentication package has requested the creation of a logon session but the ID of an already existing logon session has been specified.], 3221225734 = [$id=NAME_TOO_LONG, $desc=A specified name string is too long for its intended use.], 3221225735 = [$id=FILES_OPEN, $desc=The user attempted to force close the files on a redirected drive, but there were opened files on the drive, and the user did not specify a sufficient level of force.], 3221225736 = [$id=CONNECTION_IN_USE, $desc=The user attempted to force close the files on a redirected drive, but there were opened directories on the drive, and the user did not specify a sufficient level of force.], 3221225737 = [$id=MESSAGE_NOT_FOUND, $desc=RtlFindMessage could not locate the requested message ID in the message table resource.], 3221225738 = [$id=PROCESS_IS_TERMINATING, $desc=An attempt was made to duplicate an object handle into or out of an exiting process.], 3221225739 = [$id=INVALID_LOGON_TYPE, $desc=Indicates an invalid value has been provided for the LogonType requested.], 3221225740 = [$id=NO_GUID_TRANSLATION, $desc=Indicates that an attempt was made to assign protection to a file system file or directory and one of the SIDs in the security descriptor could not be translated into a GUID that could be stored by the file system. 
This causes the protection attempt to fail, which may cause a file creation attempt to fail.], 3221225741 = [$id=CANNOT_IMPERSONATE, $desc=Indicates that an attempt has been made to impersonate via a named pipe that has not yet been read from.], 3221225742 = [$id=IMAGE_ALREADY_LOADED, $desc=Indicates that the specified image is already loaded.], 3221225751 = [$id=NO_LDT, $desc=Indicates that an attempt was made to change the size of the LDT for a process that has no LDT.], 3221225752 = [$id=INVALID_LDT_SIZE, $desc=Indicates that an attempt was made to grow an LDT by setting its size, or that the size was not an even number of selectors.], 3221225753 = [$id=INVALID_LDT_OFFSET, $desc=Indicates that the starting value for the LDT information was not an integral multiple of the selector size.], 3221225754 = [$id=INVALID_LDT_DESCRIPTOR, $desc=Indicates that the user supplied an invalid descriptor when trying to set up LDT descriptors.], 3221225755 = [$id=INVALID_IMAGE_NE_FORMAT, $desc=The specified image file did not have the correct format. It appears to be NE format.], 3221225756 = [$id=RXACT_INVALID_STATE, $desc=Indicates that the transaction state of a registry subtree is incompatible with the requested operation. For example, a request has been made to start a new transaction with one already in progress, or a request has been made to apply a transaction when one is not currently in progress.], 3221225757 = [$id=RXACT_COMMIT_FAILURE, $desc=Indicates an error has occurred during a registry transaction commit. The database has been left in an unknown, but probably inconsistent, state. The state of the registry transaction is left as COMMITTING.], 3221225758 = [$id=MAPPED_FILE_SIZE_ZERO, $desc=An attempt was made to map a file of size zero with the maximum size specified as zero.], 3221225759 = [$id=TOO_MANY_OPENED_FILES, $desc=Too many files are opened on a remote server. 
This error should only be returned by the Windows redirector on a remote drive.], 3221225760 = [$id=CANCELLED, $desc=The I/O request was canceled.], 3221225761 = [$id=CANNOT_DELETE, $desc=An attempt has been made to remove a file or directory that cannot be deleted.], 3221225762 = [$id=INVALID_COMPUTER_NAME, $desc=Indicates a name that was specified as a remote computer name is syntactically invalid.], 3221225763 = [$id=FILE_DELETED, $desc=An I/O request other than close was performed on a file after it was deleted, which can only happen to a request that did not complete before the last handle was closed via NtClose.], 3221225764 = [$id=SPECIAL_ACCOUNT, $desc=Indicates an operation that is incompatible with built-in accounts has been attempted on a built-in (special) SAM account. For example, built-in accounts cannot be deleted.], 3221225765 = [$id=SPECIAL_GROUP, $desc=The operation requested may not be performed on the specified group because it is a built-in special group.], 3221225766 = [$id=SPECIAL_USER, $desc=The operation requested may not be performed on the specified user because it is a built-in special user.], 3221225767 = [$id=MEMBERS_PRIMARY_GROUP, $desc=Indicates a member cannot be removed from a group because the group is currently the member's primary group.], 3221225768 = [$id=FILE_CLOSED, $desc=An I/O request other than close and several other special case operations was attempted using a file object that had already been closed.], 3221225769 = [$id=TOO_MANY_THREADS, $desc=Indicates a process has too many threads to perform the requested action. 
For example, assignment of a primary token may only be performed when a process has zero or one threads.], 3221225770 = [$id=THREAD_NOT_IN_PROCESS, $desc=An attempt was made to operate on a thread within a specific process, but the specified thread is not in the specified process.], 3221225771 = [$id=TOKEN_ALREADY_IN_USE, $desc=An attempt was made to establish a token for use as a primary token but the token is already in use. A token can only be the primary token of one process at a time.], 3221225772 = [$id=PAGEFILE_QUOTA_EXCEEDED, $desc=The page file quota was exceeded.], 3221225773 = [$id=COMMITMENT_LIMIT, $desc={Out of Virtual Memory} Your system is low on virtual memory. To ensure that Windows runs correctly, increase the size of your virtual memory paging file. For more information, see Help.], 3221225774 = [$id=INVALID_IMAGE_LE_FORMAT, $desc=The specified image file did not have the correct format: it appears to be LE format.], 3221225775 = [$id=INVALID_IMAGE_NOT_MZ, $desc=The specified image file did not have the correct format: it did not have an initial MZ.], 3221225776 = [$id=INVALID_IMAGE_PROTECT, $desc=The specified image file did not have the correct format: it did not have a proper e_lfarlc in the MZ header.], 3221225777 = [$id=INVALID_IMAGE_WIN_16, $desc=The specified image file did not have the correct format: it appears to be a 16-bit Windows image.], 3221225778 = [$id=LOGON_SERVER_CONFLICT, $desc=The Netlogon service cannot start because another Netlogon service running in the domain conflicts with the specified role.], 3221225779 = [$id=TIME_DIFFERENCE_AT_DC, $desc=The time at the primary domain controller is different from the time at the backup domain controller or member server by too large an amount.], 3221225780 = [$id=SYNCHRONIZATION_REQUIRED, $desc=The SAM database on a Windows Server is significantly out of synchronization with the copy on the domain controller. 
A complete synchronization is required.], 3221225781 = [$id=DLL_NOT_FOUND, $desc={Unable To Locate Component} This application has failed to start because %hs was not found. Reinstalling the application may fix this problem.], 3221225782 = [$id=OPEN_FAILED, $desc=The NtCreateFile API failed. This error should never be returned to an application; it is a place holder for the Windows LAN Manager Redirector to use in its internal error-mapping routines.], 3221225783 = [$id=IO_PRIVILEGE_FAILED, $desc={Privilege Failed} The I/O permissions for the process could not be changed.], 3221225784 = [$id=ORDINAL_NOT_FOUND, $desc={Ordinal Not Found} The ordinal %ld could not be located in the dynamic link library %hs.], 3221225785 = [$id=ENTRYPOINT_NOT_FOUND, $desc={Entry Point Not Found} The procedure entry point %hs could not be located in the dynamic link library %hs.], 3221225786 = [$id=CONTROL_C_EXIT, $desc={Application Exit by CTRL+C} The application terminated as a result of a CTRL+C.], 3221225787 = [$id=LOCAL_DISCONNECT, $desc={Virtual Circuit Closed} The network transport on your computer has closed a network connection. There may or may not be I/O requests outstanding.], 3221225788 = [$id=REMOTE_DISCONNECT, $desc={Virtual Circuit Closed} The network transport on a remote computer has closed a network connection. There may or may not be I/O requests outstanding.], 3221225789 = [$id=REMOTE_RESOURCES, $desc={Insufficient Resources on Remote Computer} The remote computer has insufficient resources to complete the network request. For example, the remote computer may not have enough available memory to carry out the request at this time.], 3221225790 = [$id=LINK_FAILED, $desc={Virtual Circuit Closed} An existing connection (virtual circuit) has been broken at the remote computer. 
There is probably something wrong with the network software protocol or the network hardware on the remote computer.],
3221225791 = [$id=LINK_TIMEOUT, $desc={Virtual Circuit Closed} The network transport on your computer has closed a network connection because it had to wait too long for a response from the remote computer.],
3221225792 = [$id=INVALID_CONNECTION, $desc=The connection handle that was given to the transport was invalid.],
3221225793 = [$id=INVALID_ADDRESS, $desc=The address handle that was given to the transport was invalid.],
3221225794 = [$id=DLL_INIT_FAILED, $desc={DLL Initialization Failed} Initialization of the dynamic link library %hs failed. The process is terminating abnormally.],
3221225795 = [$id=MISSING_SYSTEMFILE, $desc={Missing System File} The required system file %hs is bad or missing.],
3221225796 = [$id=UNHANDLED_EXCEPTION, $desc={Application Error} The exception %s (0x%08lx) occurred in the application at location 0x%08lx.],
3221225797 = [$id=APP_INIT_FAILURE, $desc={Application Error} The application failed to initialize properly (0x%lx). Click OK to terminate the application.],
3221225798 = [$id=PAGEFILE_CREATE_FAILED, $desc={Unable to Create Paging File} The creation of the paging file %hs failed (%lx). The requested size was %ld.],
3221225799 = [$id=NO_PAGEFILE, $desc={No Paging File Specified} No paging file was specified in the system configuration.],
3221225800 = [$id=INVALID_LEVEL, $desc={Incorrect System Call Level} An invalid level was passed into the specified system call.],
3221225801 = [$id=WRONG_PASSWORD_CORE, $desc={Incorrect Password to LAN Manager Server} You specified an incorrect password to a LAN Manager 2.x or MS-NET server.],
3221225802 = [$id=ILLEGAL_FLOAT_CONTEXT, $desc={EXCEPTION} A real-mode application issued a floating-point instruction and floating-point hardware is not present.],
3221225803 = [$id=PIPE_BROKEN, $desc=The pipe operation has failed because the other end of the pipe has been closed.],
3221225804 = [$id=REGISTRY_CORRUPT, $desc={The Registry Is Corrupt} The structure of one of the files that contains registry data is corrupt; the image of the file in memory is corrupt; or the file could not be recovered because the alternate copy or log was absent or corrupt.],
3221225805 = [$id=REGISTRY_IO_FAILED, $desc=An I/O operation initiated by the Registry failed and cannot be recovered. The registry could not read in, write out, or flush one of the files that contain the system's image of the registry.],
3221225806 = [$id=NO_EVENT_PAIR, $desc=An event pair synchronization operation was performed using the thread-specific client/server event pair object, but no event pair object was associated with the thread.],
3221225807 = [$id=UNRECOGNIZED_VOLUME, $desc=The volume does not contain a recognized file system. Be sure that all required file system drivers are loaded and that the volume is not corrupt.],
3221225808 = [$id=SERIAL_NO_DEVICE_INITED, $desc=No serial device was successfully initialized. The serial driver will unload.],
3221225809 = [$id=NO_SUCH_ALIAS, $desc=The specified local group does not exist.],
3221225810 = [$id=MEMBER_NOT_IN_ALIAS, $desc=The specified account name is not a member of the group.],
3221225811 = [$id=MEMBER_IN_ALIAS, $desc=The specified account name is already a member of the group.],
3221225812 = [$id=ALIAS_EXISTS, $desc=The specified local group already exists.],
3221225813 = [$id=LOGON_NOT_GRANTED, $desc=A requested type of logon (for example, interactive, network, and service) is not granted by the local security policy of the target system. Ask the system administrator to grant the necessary form of logon.],
3221225814 = [$id=TOO_MANY_SECRETS, $desc=The maximum number of secrets that may be stored in a single system was exceeded. The length and number of secrets is limited to satisfy U.S. State Department export restrictions.],
3221225815 = [$id=SECRET_TOO_LONG, $desc=The length of a secret exceeds the maximum allowable length. The length and number of secrets is limited to satisfy U.S. State Department export restrictions.],
3221225816 = [$id=INTERNAL_DB_ERROR, $desc=The local security authority (LSA) database contains an internal inconsistency.],
3221225817 = [$id=FULLSCREEN_MODE, $desc=The requested operation cannot be performed in full-screen mode.],
3221225818 = [$id=TOO_MANY_CONTEXT_IDS, $desc=During a logon attempt, the user's security context accumulated too many security IDs. This is a very unusual situation. Remove the user from some global or local groups to reduce the number of security IDs to incorporate into the security context.],
3221225819 = [$id=LOGON_TYPE_NOT_GRANTED, $desc=A user has requested a type of logon (for example, interactive or network) that has not been granted. An administrator has control over who may logon interactively and through the network.],
3221225820 = [$id=NOT_REGISTRY_FILE, $desc=The system has attempted to load or restore a file into the registry, and the specified file is not in the format of a registry file.],
3221225821 = [$id=NT_CROSS_ENCRYPTION_REQUIRED, $desc=An attempt was made to change a user password in the security account manager without providing the necessary Windows cross-encrypted password.],
3221225822 = [$id=DOMAIN_CTRLR_CONFIG_ERROR, $desc=A Windows Server has an incorrect configuration.],
3221225823 = [$id=FT_MISSING_MEMBER, $desc=An attempt was made to explicitly access the secondary copy of information via a device control to the fault tolerance driver and the secondary copy is not present in the system.],
3221225824 = [$id=ILL_FORMED_SERVICE_ENTRY, $desc=A configuration registry node that represents a driver service entry was ill-formed and did not contain the required value entries.],
3221225825 = [$id=ILLEGAL_CHARACTER, $desc=An illegal character was encountered. For a multibyte character set, this includes a lead byte without a succeeding trail byte. For the Unicode character set this includes the characters 0xFFFF and 0xFFFE.],
3221225826 = [$id=UNMAPPABLE_CHARACTER, $desc=No mapping for the Unicode character exists in the target multibyte code page.],
3221225827 = [$id=UNDEFINED_CHARACTER, $desc=The Unicode character is not defined in the Unicode character set that is installed on the system.],
3221225828 = [$id=FLOPPY_VOLUME, $desc=The paging file cannot be created on a floppy disk.],
3221225829 = [$id=FLOPPY_ID_MARK_NOT_FOUND, $desc={Floppy Disk Error} While accessing a floppy disk, an ID address mark was not found.],
3221225830 = [$id=FLOPPY_WRONG_CYLINDER, $desc={Floppy Disk Error} While accessing a floppy disk, the track address from the sector ID field was found to be different from the track address that is maintained by the controller.],
3221225831 = [$id=FLOPPY_UNKNOWN_ERROR, $desc={Floppy Disk Error} The floppy disk controller reported an error that is not recognized by the floppy disk driver.],
3221225832 = [$id=FLOPPY_BAD_REGISTERS, $desc={Floppy Disk Error} While accessing a floppy-disk, the controller returned inconsistent results via its registers.],
3221225833 = [$id=DISK_RECALIBRATE_FAILED, $desc={Hard Disk Error} While accessing the hard disk, a recalibrate operation failed, even after retries.],
3221225834 = [$id=DISK_OPERATION_FAILED, $desc={Hard Disk Error} While accessing the hard disk, a disk operation failed even after retries.],
3221225835 = [$id=DISK_RESET_FAILED, $desc={Hard Disk Error} While accessing the hard disk, a disk controller reset was needed, but even that failed.],
3221225836 = [$id=SHARED_IRQ_BUSY, $desc=An attempt was made to open a device that was sharing an interrupt request (IRQ) with other devices. At least one other device that uses that IRQ was already opened. Two concurrent opens of devices that share an IRQ and only work via interrupts is not supported for the particular bus type that the devices use.],
3221225837 = [$id=FT_ORPHANING, $desc={FT Orphaning} A disk that is part of a fault-tolerant volume can no longer be accessed.],
3221225838 = [$id=BIOS_FAILED_TO_CONNECT_INTERRUPT, $desc=The basic input/output system (BIOS) failed to connect a system interrupt to the device or bus for which the device is connected.],
3221225842 = [$id=PARTITION_FAILURE, $desc=The tape could not be partitioned.],
3221225843 = [$id=INVALID_BLOCK_LENGTH, $desc=When accessing a new tape of a multi-volume partition, the current blocksize is incorrect.],
3221225844 = [$id=DEVICE_NOT_PARTITIONED, $desc=The tape partition information could not be found when loading a tape.],
3221225845 = [$id=UNABLE_TO_LOCK_MEDIA, $desc=An attempt to lock the eject media mechanism failed.],
3221225846 = [$id=UNABLE_TO_UNLOAD_MEDIA, $desc=An attempt to unload media failed.],
3221225847 = [$id=EOM_OVERFLOW, $desc=The physical end of tape was detected.],
3221225848 = [$id=NO_MEDIA, $desc={No Media} There is no media in the drive. Insert media into drive %hs.],
3221225850 = [$id=NO_SUCH_MEMBER, $desc=A member could not be added to or removed from the local group because the member does not exist.],
3221225851 = [$id=INVALID_MEMBER, $desc=A new member could not be added to a local group because the member has the wrong account type.],
3221225852 = [$id=KEY_DELETED, $desc=An illegal operation was attempted on a registry key that has been marked for deletion.],
3221225853 = [$id=NO_LOG_SPACE, $desc=The system could not allocate the required space in a registry log.],
3221225854 = [$id=TOO_MANY_SIDS, $desc=Too many SIDs have been specified.],
3221225855 = [$id=LM_CROSS_ENCRYPTION_REQUIRED, $desc=An attempt was made to change a user password in the security account manager without providing the necessary LM cross-encrypted password.],
3221225856 = [$id=KEY_HAS_CHILDREN, $desc=An attempt was made to create a symbolic link in a registry key that already has subkeys or values.],
3221225857 = [$id=CHILD_MUST_BE_VOLATILE, $desc=An attempt was made to create a stable subkey under a volatile parent key.],
3221225858 = [$id=DEVICE_CONFIGURATION_ERROR, $desc=The I/O device is configured incorrectly or the configuration parameters to the driver are incorrect.],
3221225859 = [$id=DRIVER_INTERNAL_ERROR, $desc=An error was detected between two drivers or within an I/O driver.],
3221225860 = [$id=INVALID_DEVICE_STATE, $desc=The device is not in a valid state to perform this request.],
3221225861 = [$id=IO_DEVICE_ERROR, $desc=The I/O device reported an I/O error.],
3221225862 = [$id=DEVICE_PROTOCOL_ERROR, $desc=A protocol error was detected between the driver and the device.],
3221225863 = [$id=BACKUP_CONTROLLER, $desc=This operation is only allowed for the primary domain controller of the domain.],
3221225864 = [$id=LOG_FILE_FULL, $desc=The log file space is insufficient to support this operation.],
3221225865 = [$id=TOO_LATE, $desc=A write operation was attempted to a volume after it was dismounted.],
3221225866 = [$id=NO_TRUST_LSA_SECRET, $desc=The workstation does not have a trust secret for the primary domain in the local LSA database.],
3221225867 = [$id=NO_TRUST_SAM_ACCOUNT, $desc=The SAM database on the Windows Server does not have a computer account for this workstation trust relationship.],
3221225868 = [$id=TRUSTED_DOMAIN_FAILURE, $desc=The logon request failed because the trust relationship between the primary domain and the trusted domain failed.],
3221225869 = [$id=TRUSTED_RELATIONSHIP_FAILURE, $desc=The logon request failed because the trust relationship between this workstation and the primary domain failed.],
3221225870 = [$id=EVENTLOG_FILE_CORRUPT, $desc=The Eventlog log file is corrupt.],
3221225871 = [$id=EVENTLOG_CANT_START, $desc=No Eventlog log file could be opened. The Eventlog service did not start.],
3221225872 = [$id=TRUST_FAILURE, $desc=The network logon failed. This may be because the validation authority cannot be reached.],
3221225873 = [$id=MUTANT_LIMIT_EXCEEDED, $desc=An attempt was made to acquire a mutant such that its maximum count would have been exceeded.],
3221225874 = [$id=NETLOGON_NOT_STARTED, $desc=An attempt was made to logon, but the NetLogon service was not started.],
3221225875 = [$id=ACCOUNT_EXPIRED, $desc=The user account has expired.],
3221225876 = [$id=POSSIBLE_DEADLOCK, $desc={EXCEPTION} Possible deadlock condition.],
3221225877 = [$id=NETWORK_CREDENTIAL_CONFLICT, $desc=Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again.],
3221225878 = [$id=REMOTE_SESSION_LIMIT, $desc=An attempt was made to establish a session to a network server, but there are already too many sessions established to that server.],
3221225879 = [$id=EVENTLOG_FILE_CHANGED, $desc=The log file has changed between reads.],
3221225880 = [$id=NOLOGON_INTERDOMAIN_TRUST_ACCOUNT, $desc=The account used is an interdomain trust account. Use your global user account or local user account to access this server.],
3221225881 = [$id=NOLOGON_WORKSTATION_TRUST_ACCOUNT, $desc=The account used is a computer account. Use your global user account or local user account to access this server.],
3221225882 = [$id=NOLOGON_SERVER_TRUST_ACCOUNT, $desc=The account used is a server trust account. Use your global user account or local user account to access this server.],
3221225883 = [$id=DOMAIN_TRUST_INCONSISTENT, $desc=The name or SID of the specified domain is inconsistent with the trust information for that domain.],
3221225884 = [$id=FS_DRIVER_REQUIRED, $desc=A volume has been accessed for which a file system driver is required that has not yet been loaded.],
3221225885 = [$id=IMAGE_ALREADY_LOADED_AS_DLL, $desc=Indicates that the specified image is already loaded as a DLL.],
3221225886 = [$id=INCOMPATIBLE_WITH_GLOBAL_SHORT_NAME_REGISTRY_SETTING, $desc=Short name settings may not be changed on this volume due to the global registry setting.],
3221225887 = [$id=SHORT_NAMES_NOT_ENABLED_ON_VOLUME, $desc=Short names are not enabled on this volume.],
3221225888 = [$id=SECURITY_STREAM_IS_INCONSISTENT, $desc=The security stream for the given volume is in an inconsistent state. Please run CHKDSK on the volume.],
3221225889 = [$id=INVALID_LOCK_RANGE, $desc=A requested file lock operation cannot be processed due to an invalid byte range.],
3221225890 = [$id=INVALID_ACE_CONDITION, $desc=The specified access control entry (ACE) contains an invalid condition.],
3221225891 = [$id=IMAGE_SUBSYSTEM_NOT_PRESENT, $desc=The subsystem needed to support the image type is not present.],
3221225892 = [$id=NOTIFICATION_GUID_ALREADY_DEFINED, $desc=The specified file already has a notification GUID associated with it.],
3221225985 = [$id=NETWORK_OPEN_RESTRICTION, $desc=A remote open failed because the network open restrictions were not satisfied.],
3221225986 = [$id=NO_USER_SESSION_KEY, $desc=There is no user session key for the specified logon session.],
3221225987 = [$id=USER_SESSION_DELETED, $desc=The remote user session has been deleted.],
3221225988 = [$id=RESOURCE_LANG_NOT_FOUND, $desc=Indicates the specified resource language ID cannot be found in the image file.],
3221225989 = [$id=INSUFF_SERVER_RESOURCES, $desc=Insufficient server resources exist to complete the request.],
3221225990 = [$id=INVALID_BUFFER_SIZE, $desc=The size of the buffer is invalid for the specified operation.],
3221225991 = [$id=INVALID_ADDRESS_COMPONENT, $desc=The transport rejected the specified network address as invalid.],
3221225992 = [$id=INVALID_ADDRESS_WILDCARD, $desc=The transport rejected the specified network address due to invalid use of a wildcard.],
3221225993 = [$id=TOO_MANY_ADDRESSES, $desc=The transport address could not be opened because all the available addresses are in use.],
3221225994 = [$id=ADDRESS_ALREADY_EXISTS, $desc=The transport address could not be opened because it already exists.],
3221225995 = [$id=ADDRESS_CLOSED, $desc=The transport address is now closed.],
3221225996 = [$id=CONNECTION_DISCONNECTED, $desc=The transport connection is now disconnected.],
3221225997 = [$id=CONNECTION_RESET, $desc=The transport connection has been reset.],
3221225998 = [$id=TOO_MANY_NODES, $desc=The transport cannot dynamically acquire any more nodes.],
3221225999 = [$id=TRANSACTION_ABORTED, $desc=The transport aborted a pending transaction.],
3221226000 = [$id=TRANSACTION_TIMED_OUT, $desc=The transport timed out a request that is waiting for a response.],
3221226001 = [$id=TRANSACTION_NO_RELEASE, $desc=The transport did not receive a release for a pending response.],
3221226002 = [$id=TRANSACTION_NO_MATCH, $desc=The transport did not find a transaction that matches the specific token.],
3221226003 = [$id=TRANSACTION_RESPONDED, $desc=The transport had previously responded to a transaction request.],
3221226004 = [$id=TRANSACTION_INVALID_ID, $desc=The transport does not recognize the specified transaction request ID.],
3221226005 = [$id=TRANSACTION_INVALID_TYPE, $desc=The transport does not recognize the specified transaction request type.],
3221226006 = [$id=NOT_SERVER_SESSION, $desc=The transport can only process the specified request on the server side of a session.],
3221226007 = [$id=NOT_CLIENT_SESSION, $desc=The transport can only process the specified request on the client side of a session.],
3221226008 = [$id=CANNOT_LOAD_REGISTRY_FILE, $desc={Registry File Failure} The registry cannot load the hive (file): %hs or its log or alternate. It is corrupt, absent, or not writable.],
3221226009 = [$id=DEBUG_ATTACH_FAILED, $desc={Unexpected Failure in DebugActiveProcess} An unexpected failure occurred while processing a DebugActiveProcess API request. You may choose OK to terminate the process, or Cancel to ignore the error.],
3221226010 = [$id=SYSTEM_PROCESS_TERMINATED, $desc={Fatal System Error} The %hs system process terminated unexpectedly with a status of 0x%08x (0x%08x 0x%08x). The system has been shut down.],
3221226011 = [$id=DATA_NOT_ACCEPTED, $desc={Data Not Accepted} The TDI client could not handle the data received during an indication.],
3221226012 = [$id=NO_BROWSER_SERVERS_FOUND, $desc={Unable to Retrieve Browser Server List} The list of servers for this workgroup is not currently available.],
3221226013 = [$id=VDM_HARD_ERROR, $desc=NTVDM encountered a hard error.],
3221226014 = [$id=DRIVER_CANCEL_TIMEOUT, $desc={Cancel Timeout} The driver %hs failed to complete a canceled I/O request in the allotted time.],
3221226015 = [$id=REPLY_MESSAGE_MISMATCH, $desc={Reply Message Mismatch} An attempt was made to reply to an LPC message, but the thread specified by the client ID in the message was not waiting on that message.],
3221226016 = [$id=MAPPED_ALIGNMENT, $desc={Mapped View Alignment Incorrect} An attempt was made to map a view of a file, but either the specified base address or the offset into the file were not aligned on the proper allocation granularity.],
3221226017 = [$id=IMAGE_CHECKSUM_MISMATCH, $desc={Bad Image Checksum} The image %hs is possibly corrupt. The header checksum does not match the computed checksum.],
3221226018 = [$id=LOST_WRITEBEHIND_DATA, $desc={Delayed Write Failed} Windows was unable to save all the data for the file %hs. The data has been lost. This error may be caused by a failure of your computer hardware or network connection. Try to save this file elsewhere.],
3221226019 = [$id=CLIENT_SERVER_PARAMETERS_INVALID, $desc=The parameters passed to the server in the client/server shared memory window were invalid. Too much data may have been put in the shared memory window.],
3221226020 = [$id=PASSWORD_MUST_CHANGE, $desc=The user password must be changed before logging on the first time.],
3221226021 = [$id=NOT_FOUND, $desc=The object was not found.],
3221226022 = [$id=NOT_TINY_STREAM, $desc=The stream is not a tiny stream.],
3221226023 = [$id=RECOVERY_FAILURE, $desc=A transaction recovery failed.],
3221226024 = [$id=STACK_OVERFLOW_READ, $desc=The request must be handled by the stack overflow code.],
3221226025 = [$id=FAIL_CHECK, $desc=A consistency check failed.],
3221226026 = [$id=DUPLICATE_OBJECTID, $desc=The attempt to insert the ID in the index failed because the ID is already in the index.],
3221226027 = [$id=OBJECTID_EXISTS, $desc=The attempt to set the object ID failed because the object already has an ID.],
3221226028 = [$id=CONVERT_TO_LARGE, $desc=Internal OFS status codes indicating how an allocation operation is handled. Either it is retried after the containing oNode is moved or the extent stream is converted to a large stream.],
3221226029 = [$id=RETRY, $desc=The request needs to be retried.],
3221226030 = [$id=FOUND_OUT_OF_SCOPE, $desc=The attempt to find the object found an object on the volume that matches by ID; however, it is out of the scope of the handle that is used for the operation.],
3221226031 = [$id=ALLOCATE_BUCKET, $desc=The bucket array must be grown. Retry the transaction after doing so.],
3221226032 = [$id=PROPSET_NOT_FOUND, $desc=The specified property set does not exist on the object.],
3221226033 = [$id=MARSHALL_OVERFLOW, $desc=The user/kernel marshaling buffer has overflowed.],
3221226034 = [$id=INVALID_VARIANT, $desc=The supplied variant structure contains invalid data.],
3221226035 = [$id=DOMAIN_CONTROLLER_NOT_FOUND, $desc=A domain controller for this domain was not found.],
3221226036 = [$id=ACCOUNT_LOCKED_OUT, $desc=The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested.],
3221226037 = [$id=HANDLE_NOT_CLOSABLE, $desc=NtClose was called on a handle that was protected from close via NtSetInformationObject.],
3221226038 = [$id=CONNECTION_REFUSED, $desc=The transport-connection attempt was refused by the remote system.],
3221226039 = [$id=GRACEFUL_DISCONNECT, $desc=The transport connection was gracefully closed.],
3221226040 = [$id=ADDRESS_ALREADY_ASSOCIATED, $desc=The transport endpoint already has an address associated with it.],
3221226041 = [$id=ADDRESS_NOT_ASSOCIATED, $desc=An address has not yet been associated with the transport endpoint.],
3221226042 = [$id=CONNECTION_INVALID, $desc=An operation was attempted on a nonexistent transport connection.],
3221226043 = [$id=CONNECTION_ACTIVE, $desc=An invalid operation was attempted on an active transport connection.],
3221226044 = [$id=NETWORK_UNREACHABLE, $desc=The remote network is not reachable by the transport.],
3221226045 = [$id=HOST_UNREACHABLE, $desc=The remote system is not reachable by the transport.],
3221226046 = [$id=PROTOCOL_UNREACHABLE, $desc=The remote system does not support the transport protocol.],
3221226047 = [$id=PORT_UNREACHABLE, $desc=No service is operating at the destination port of the transport on the remote system.],
3221226048 = [$id=REQUEST_ABORTED, $desc=The request was aborted.],
3221226049 = [$id=CONNECTION_ABORTED, $desc=The transport connection was aborted by the local system.],
3221226050 = [$id=BAD_COMPRESSION_BUFFER, $desc=The specified buffer contains ill-formed data.],
3221226051 = [$id=USER_MAPPED_FILE, $desc=The requested operation cannot be performed on a file with a user mapped section open.],
3221226052 = [$id=AUDIT_FAILED, $desc={Audit Failed} An attempt to generate a security audit failed.],
3221226053 = [$id=TIMER_RESOLUTION_NOT_SET, $desc=The timer resolution was not previously set by the current process.],
3221226054 = [$id=CONNECTION_COUNT_LIMIT, $desc=A connection to the server could not be made because the limit on the number of concurrent connections for this account has been reached.],
3221226055 = [$id=LOGIN_TIME_RESTRICTION, $desc=Attempting to log on during an unauthorized time of day for this account.],
3221226056 = [$id=LOGIN_WKSTA_RESTRICTION, $desc=The account is not authorized to log on from this station.],
3221226057 = [$id=IMAGE_MP_UP_MISMATCH, $desc={UP/MP Image Mismatch} The image %hs has been modified for use on a uniprocessor system, but you are running it on a multiprocessor machine. Reinstall the image file.],
3221226064 = [$id=INSUFFICIENT_LOGON_INFO, $desc=There is insufficient account information to log you on.],
3221226065 = [$id=BAD_DLL_ENTRYPOINT, $desc={Invalid DLL Entrypoint} The dynamic link library %hs is not written correctly. The stack pointer has been left in an inconsistent state. The entry point should be declared as WINAPI or STDCALL. Select YES to fail the DLL load. Select NO to continue execution. Selecting NO may cause the application to operate incorrectly.],
3221226066 = [$id=BAD_SERVICE_ENTRYPOINT, $desc={Invalid Service Callback Entrypoint} The %hs service is not written correctly. The stack pointer has been left in an inconsistent state. The callback entry point should be declared as WINAPI or STDCALL. Selecting OK will cause the service to continue operation. However, the service process may operate incorrectly.],
3221226067 = [$id=LPC_REPLY_LOST, $desc=The server received the messages but did not send a reply.],
3221226068 = [$id=IP_ADDRESS_CONFLICT1, $desc=There is an IP address conflict with another system on the network.],
3221226069 = [$id=IP_ADDRESS_CONFLICT2, $desc=There is an IP address conflict with another system on the network.],
3221226070 = [$id=REGISTRY_QUOTA_LIMIT, $desc={Low On Registry Space} The system has reached the maximum size that is allowed for the system part of the registry. Additional storage requests will be ignored.],
3221226071 = [$id=PATH_NOT_COVERED, $desc=The contacted server does not support the indicated part of the DFS namespace.],
3221226072 = [$id=NO_CALLBACK_ACTIVE, $desc=A callback return system service cannot be executed when no callback is active.],
3221226073 = [$id=LICENSE_QUOTA_EXCEEDED, $desc=The service being accessed is licensed for a particular number of connections. No more connections can be made to the service at this time because the service has already accepted the maximum number of connections.],
3221226074 = [$id=PWD_TOO_SHORT, $desc=The password provided is too short to meet the policy of your user account. Choose a longer password.],
3221226075 = [$id=PWD_TOO_RECENT, $desc=The policy of your user account does not allow you to change passwords too frequently. This is done to prevent users from changing back to a familiar, but potentially discovered, password. If you feel your password has been compromised, contact your administrator immediately to have a new one assigned.],
3221226076 = [$id=PWD_HISTORY_CONFLICT, $desc=You have attempted to change your password to one that you have used in the past. The policy of your user account does not allow this. Select a password that you have not previously used.],
3221226078 = [$id=PLUGPLAY_NO_DEVICE, $desc=You have attempted to load a legacy device driver while its device instance had been disabled.],
3221226079 = [$id=UNSUPPORTED_COMPRESSION, $desc=The specified compression format is unsupported.],
3221226080 = [$id=INVALID_HW_PROFILE, $desc=The specified hardware profile configuration is invalid.],
3221226081 = [$id=INVALID_PLUGPLAY_DEVICE_PATH, $desc=The specified Plug and Play registry device path is invalid.],
3221226082 = [$id=DRIVER_ORDINAL_NOT_FOUND, $desc={Driver Entry Point Not Found} The %hs device driver could not locate the ordinal %ld in driver %hs.],
3221226083 = [$id=DRIVER_ENTRYPOINT_NOT_FOUND, $desc={Driver Entry Point Not Found} The %hs device driver could not locate the entry point %hs in driver %hs.],
3221226084 = [$id=RESOURCE_NOT_OWNED, $desc={Application Error} The application attempted to release a resource it did not own. Click OK to terminate the application.],
3221226085 = [$id=TOO_MANY_LINKS, $desc=An attempt was made to create more links on a file than the file system supports.],
3221226086 = [$id=QUOTA_LIST_INCONSISTENT, $desc=The specified quota list is internally inconsistent with its descriptor.],
3221226087 = [$id=FILE_IS_OFFLINE, $desc=The specified file has been relocated to offline storage.],
3221226088 = [$id=EVALUATION_EXPIRATION, $desc={Windows Evaluation Notification} The evaluation period for this installation of Windows has expired. This system will shutdown in 1 hour. To restore access to this installation of Windows, upgrade this installation by using a licensed distribution of this product.],
3221226089 = [$id=ILLEGAL_DLL_RELOCATION, $desc={Illegal System DLL Relocation} The system DLL %hs was relocated in memory. The application will not run properly. The relocation occurred because the DLL %hs occupied an address range that is reserved for Windows system DLLs. The vendor supplying the DLL should be contacted for a new DLL.],
3221226090 = [$id=LICENSE_VIOLATION, $desc={License Violation} The system has detected tampering with your registered product type. This is a violation of your software license. Tampering with the product type is not permitted.],
3221226091 = [$id=DLL_INIT_FAILED_LOGOFF, $desc={DLL Initialization Failed} The application failed to initialize because the window station is shutting down.],
3221226092 = [$id=DRIVER_UNABLE_TO_LOAD, $desc={Unable to Load Device Driver} %hs device driver could not be loaded. Error Status was 0x%x.],
3221226093 = [$id=DFS_UNAVAILABLE, $desc=DFS is unavailable on the contacted server.],
3221226094 = [$id=VOLUME_DISMOUNTED, $desc=An operation was attempted to a volume after it was dismounted.],
3221226095 = [$id=WX86_INTERNAL_ERROR, $desc=An internal error occurred in the Win32 x86 emulation subsystem.],
3221226096 = [$id=WX86_FLOAT_STACK_CHECK, $desc=Win32 x86 emulation subsystem floating-point stack check.],
3221226097 = [$id=VALIDATE_CONTINUE, $desc=The validation process needs to continue on to the next step.],
3221226098 = [$id=NO_MATCH, $desc=There was no match for the specified key in the index.],
3221226099 = [$id=NO_MORE_MATCHES, $desc=There are no more matches for the current index enumeration.],
3221226101 = [$id=NOT_A_REPARSE_POINT, $desc=The NTFS file or directory is not a reparse point.],
3221226102 = [$id=IO_REPARSE_TAG_INVALID, $desc=The Windows I/O reparse tag passed for the NTFS reparse point is invalid.],
3221226103 = [$id=IO_REPARSE_TAG_MISMATCH, $desc=The Windows I/O reparse tag does not match the one that is in the NTFS reparse point.],
3221226104 = [$id=IO_REPARSE_DATA_INVALID, $desc=The user data passed for the NTFS reparse point is invalid.],
3221226105 = [$id=IO_REPARSE_TAG_NOT_HANDLED, $desc=The layered file system driver for this I/O tag did not handle it when needed.],
3221226112 = [$id=REPARSE_POINT_NOT_RESOLVED, $desc=The NTFS symbolic link could not be resolved even though the initial file name is valid.],
3221226113 = [$id=DIRECTORY_IS_A_REPARSE_POINT, $desc=The NTFS directory is a reparse point.],
3221226114 = [$id=RANGE_LIST_CONFLICT, $desc=The range could not be added to the range list because of a conflict.],
3221226115 = [$id=SOURCE_ELEMENT_EMPTY, $desc=The specified medium changer source element contains no media.],
3221226116 = [$id=DESTINATION_ELEMENT_FULL, $desc=The specified medium changer destination element already contains media.],
3221226117 = [$id=ILLEGAL_ELEMENT_ADDRESS, $desc=The specified medium changer element does not exist.],
3221226118 = [$id=MAGAZINE_NOT_PRESENT, $desc=The specified element is contained in a magazine that is no longer present.],
3221226119 = [$id=REINITIALIZATION_NEEDED, $desc=The device requires re-initialization due to hardware errors.],
3221226122 = [$id=ENCRYPTION_FAILED, $desc=The file encryption attempt failed.],
3221226123 = [$id=DECRYPTION_FAILED, $desc=The file decryption attempt failed.],
3221226124 = [$id=RANGE_NOT_FOUND, $desc=The specified range could not be found in the range list.],
3221226125 = [$id=NO_RECOVERY_POLICY, $desc=There is no encryption recovery policy configured for this system.],
3221226126 = [$id=NO_EFS, $desc=The required encryption driver is not loaded for this system.],
3221226127 = [$id=WRONG_EFS, $desc=The file was encrypted with a different encryption driver than is currently loaded.],
3221226128 = [$id=NO_USER_KEYS, $desc=There are no EFS keys defined for the user.],
3221226129 = [$id=FILE_NOT_ENCRYPTED, $desc=The specified file is not encrypted.],
3221226130 = [$id=NOT_EXPORT_FORMAT, $desc=The specified file is not in the defined EFS export format.],
3221226131 = [$id=FILE_ENCRYPTED, $desc=The specified file is encrypted and the user does not have the ability to decrypt it.],
3221226133 = [$id=WMI_GUID_NOT_FOUND, $desc=The GUID passed was not recognized as valid by a WMI data provider.],
3221226134 = [$id=WMI_INSTANCE_NOT_FOUND, $desc=The instance name passed was not recognized as valid by a WMI data provider.],
3221226135 = [$id=WMI_ITEMID_NOT_FOUND, $desc=The data item ID passed was not recognized as valid by a WMI data provider.],
3221226136 = [$id=WMI_TRY_AGAIN, $desc=The WMI request could not be completed and should be retried.],
3221226137 = [$id=SHARED_POLICY, $desc=The policy object is shared and can only be modified at the root.],
3221226138 = [$id=POLICY_OBJECT_NOT_FOUND, $desc=The policy object does not exist when it should.],
3221226139 = [$id=POLICY_ONLY_IN_DS, $desc=The requested policy information only lives in the Ds.],
3221226140 = [$id=VOLUME_NOT_UPGRADED, $desc=The volume must be upgraded to enable this feature.],
3221226141 = [$id=REMOTE_STORAGE_NOT_ACTIVE, $desc=The remote storage service is not operational at this time.],
3221226142 = [$id=REMOTE_STORAGE_MEDIA_ERROR, $desc=The remote storage service encountered a media error.],
3221226143 = [$id=NO_TRACKING_SERVICE, $desc=The tracking (workstation) service is not running.],
3221226144 = [$id=SERVER_SID_MISMATCH, $desc=The server process is running under a SID that is different from the SID that is required by client.],
3221226145 = [$id=DS_NO_ATTRIBUTE_OR_VALUE, $desc=The specified directory service attribute or value does not exist.],
3221226146 = [$id=DS_INVALID_ATTRIBUTE_SYNTAX, $desc=The attribute syntax specified to the directory service is invalid.],
3221226147 = [$id=DS_ATTRIBUTE_TYPE_UNDEFINED, $desc=The attribute type specified to the directory service is not defined.],
3221226148 = [$id=DS_ATTRIBUTE_OR_VALUE_EXISTS, $desc=The specified directory service attribute or value already exists.],
3221226149 = [$id=DS_BUSY, $desc=The directory service is busy.],
3221226150 = [$id=DS_UNAVAILABLE, $desc=The directory service is unavailable.],
3221226151 = [$id=DS_NO_RIDS_ALLOCATED, $desc=The directory service was unable to allocate a relative identifier.],
3221226152 = [$id=DS_NO_MORE_RIDS, $desc=The directory service has exhausted the pool of relative identifiers.],
3221226153 = [$id=DS_INCORRECT_ROLE_OWNER, $desc=The requested operation could not be performed because the directory service is not the master for that type of operation.],
3221226154 = [$id=DS_RIDMGR_INIT_ERROR, $desc=The directory service was unable to initialize the subsystem that allocates relative identifiers.],
3221226155 = [$id=DS_OBJ_CLASS_VIOLATION, $desc=The requested operation did not satisfy one or more constraints that are associated with the class of the object.],
3221226156 = [$id=DS_CANT_ON_NON_LEAF, $desc=The directory service can perform the requested operation only on a leaf object.],
3221226157 = [$id=DS_CANT_ON_RDN, $desc=The directory service cannot perform the requested operation on the Relatively Defined Name (RDN) attribute of an object.],
3221226158 = [$id=DS_CANT_MOD_OBJ_CLASS, $desc=The directory service detected an attempt to modify the object class of an object.],
3221226159 = [$id=DS_CROSS_DOM_MOVE_FAILED, $desc=An error occurred while performing a cross domain move operation.],
3221226160 = [$id=DS_GC_NOT_AVAILABLE, $desc=Unable to contact the global catalog server.],
3221226161 = [$id=DIRECTORY_SERVICE_REQUIRED, $desc=The requested operation requires a directory service, and none was available.],
3221226162 = [$id=REPARSE_ATTRIBUTE_CONFLICT, $desc=The reparse attribute cannot be set because it is incompatible with an existing attribute.],
3221226163 = [$id=CANT_ENABLE_DENY_ONLY, $desc=A group marked "use for deny only" cannot be enabled.],
3221226164 = [$id=FLOAT_MULTIPLE_FAULTS, $desc={EXCEPTION} Multiple floating-point faults.],
3221226165 = [$id=FLOAT_MULTIPLE_TRAPS, $desc={EXCEPTION} Multiple floating-point traps.],
3221226166 = [$id=DEVICE_REMOVED, $desc=The device has been removed.],
3221226167 = [$id=JOURNAL_DELETE_IN_PROGRESS, $desc=The volume change journal is being deleted.],
3221226168 = [$id=JOURNAL_NOT_ACTIVE, $desc=The volume change journal is not active.],
3221226169 = [$id=NOINTERFACE, $desc=The requested interface is not supported.],
3221226177 = [$id=DS_ADMIN_LIMIT_EXCEEDED, $desc=A directory service resource limit has been exceeded.],
3221226178 = [$id=DRIVER_FAILED_SLEEP, $desc={System Standby Failed} The driver %hs does not support standby mode. Updating this driver may allow the system to go to standby mode.],
3221226179 = [$id=MUTUAL_AUTHENTICATION_FAILED, $desc=Mutual Authentication failed. The server password is out of date at the domain controller.],
3221226180 = [$id=CORRUPT_SYSTEM_FILE, $desc=The system file %1 has become corrupt and has been replaced.],
3221226181 = [$id=DATATYPE_MISALIGNMENT_ERROR, $desc={EXCEPTION} Alignment Error A data type misalignment error was detected in a load or store instruction.],
3221226182 = [$id=WMI_READ_ONLY, $desc=The WMI data item or data block is read-only.],
3221226183 = [$id=WMI_SET_FAILURE, $desc=The WMI data item or data block could not be changed.],
3221226184 = [$id=COMMITMENT_MINIMUM, $desc={Virtual Memory Minimum Too Low} Your system is low on virtual memory. Windows is increasing the size of your virtual memory paging file. During this process, memory requests for some applications may be denied. For more information, see Help.],
3221226185 = [$id=REG_NAT_CONSUMPTION, $desc={EXCEPTION} Register NaT consumption faults. A NaT value is consumed on a non-speculative instruction.],
3221226186 = [$id=TRANSPORT_FULL, $desc=The transport element of the medium changer contains media, which is causing the operation to fail.],
3221226187 = [$id=DS_SAM_INIT_FAILURE, $desc=Security Accounts Manager initialization failed because of the following error: %hs Error Status: 0x%x. Click OK to shut down this system and restart in Directory Services Restore Mode. Check the event log for more detailed information.],
3221226188 = [$id=ONLY_IF_CONNECTED, $desc=This operation is supported only when you are connected to the server.],
3221226189 = [$id=DS_SENSITIVE_GROUP_VIOLATION, $desc=Only an administrator can modify the membership list of an administrative group.],
3221226190 = [$id=PNP_RESTART_ENUMERATION, $desc=A device was removed so enumeration must be restarted.],
3221226191 = [$id=JOURNAL_ENTRY_DELETED, $desc=The journal entry has been deleted from the journal.],
3221226192 = [$id=DS_CANT_MOD_PRIMARYGROUPID, $desc=Cannot change the primary group ID of a domain controller account.],
3221226193 = [$id=SYSTEM_IMAGE_BAD_SIGNATURE, $desc={Fatal System Error} The system image %s is not properly signed. The file has been replaced with the signed file. The system has been shut down.],
3221226194 = [$id=PNP_REBOOT_REQUIRED, $desc=The device will not start without a reboot.],
3221226195 = [$id=POWER_STATE_INVALID, $desc=The power state of the current device cannot support this request.],
3221226196 = [$id=DS_INVALID_GROUP_TYPE, $desc=The specified group type is invalid.],
3221226197 = [$id=DS_NO_NEST_GLOBALGROUP_IN_MIXEDDOMAIN, $desc=In a mixed domain, no nesting of a global group if the group is security enabled.],
3221226198 = [$id=DS_NO_NEST_LOCALGROUP_IN_MIXEDDOMAIN, $desc=In a mixed domain, cannot nest local groups with other local groups, if the group is security enabled.],
3221226199 = [$id=DS_GLOBAL_CANT_HAVE_LOCAL_MEMBER, $desc=A global group cannot have a local group as a member.],
3221226200 = [$id=DS_GLOBAL_CANT_HAVE_UNIVERSAL_MEMBER, $desc=A global group cannot have a universal group as a member.],
3221226201 = [$id=DS_UNIVERSAL_CANT_HAVE_LOCAL_MEMBER, $desc=A universal group cannot have a local group as a member.],
3221226202 = [$id=DS_GLOBAL_CANT_HAVE_CROSSDOMAIN_MEMBER, $desc=A global group cannot have a cross-domain member.],
3221226203 = [$id=DS_LOCAL_CANT_HAVE_CROSSDOMAIN_LOCAL_MEMBER, $desc=A local group 
cannot have another cross-domain local group as a member.], 3221226204 = [$id=DS_HAVE_PRIMARY_MEMBERS, $desc=Cannot change to a security-disabled group because primary members are in this group.], 3221226205 = [$id=WMI_NOT_SUPPORTED, $desc=The WMI operation is not supported by the data block or method.], 3221226206 = [$id=INSUFFICIENT_POWER, $desc=There is not enough power to complete the requested operation.], 3221226207 = [$id=SAM_NEED_BOOTKEY_PASSWORD, $desc=The Security Accounts Manager needs to get the boot password.], 3221226208 = [$id=SAM_NEED_BOOTKEY_FLOPPY, $desc=The Security Accounts Manager needs to get the boot key from the floppy disk.], 3221226209 = [$id=DS_CANT_START, $desc=The directory service cannot start.], 3221226210 = [$id=DS_INIT_FAILURE, $desc=The directory service could not start because of the following error: %hs Error Status: 0x%x. Click OK to shut down this system and restart in Directory Services Restore Mode. Check the event log for more detailed information.], 3221226211 = [$id=SAM_INIT_FAILURE, $desc=The Security Accounts Manager initialization failed because of the following error: %hs Error Status: 0x%x. Click OK to shut down this system and restart in Safe Mode. Check the event log for more detailed information.], 3221226212 = [$id=DS_GC_REQUIRED, $desc=The requested operation can be performed only on a global catalog server.], 3221226213 = [$id=DS_LOCAL_MEMBER_OF_LOCAL_ONLY, $desc=A local group can only be a member of other local groups in the same domain.], 3221226214 = [$id=DS_NO_FPO_IN_UNIVERSAL_GROUPS, $desc=Foreign security principals cannot be members of universal groups.], 3221226215 = [$id=DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED, $desc=Your computer could not be joined to the domain. You have exceeded the maximum number of computer accounts you are allowed to create in this domain. 
Contact your system administrator to have this limit reset or increased.], 3221226217 = [$id=CURRENT_DOMAIN_NOT_ALLOWED, $desc=This operation cannot be performed on the current domain.], 3221226218 = [$id=CANNOT_MAKE, $desc=The directory or file cannot be created.], 3221226219 = [$id=SYSTEM_SHUTDOWN, $desc=The system is in the process of shutting down.], 3221226220 = [$id=DS_INIT_FAILURE_CONSOLE, $desc=Directory Services could not start because of the following error: %hs Error Status: 0x%x. Click OK to shut down the system. You can use the recovery console to diagnose the system further.], 3221226221 = [$id=DS_SAM_INIT_FAILURE_CONSOLE, $desc=Security Accounts Manager initialization failed because of the following error: %hs Error Status: 0x%x. Click OK to shut down the system. You can use the recovery console to diagnose the system further.], 3221226222 = [$id=UNFINISHED_CONTEXT_DELETED, $desc=A security context was deleted before the context was completed. This is considered a logon failure.], 3221226223 = [$id=NO_TGT_REPLY, $desc=The client is trying to negotiate a context and the server requires user-to-user but did not send a TGT reply.], 3221226224 = [$id=OBJECTID_NOT_FOUND, $desc=An object ID was not found in the file.], 3221226225 = [$id=NO_IP_ADDRESSES, $desc=Unable to accomplish the requested task because the local machine does not have any IP addresses.], 3221226226 = [$id=WRONG_CREDENTIAL_HANDLE, $desc=The supplied credential handle does not match the credential that is associated with the security context.], 3221226227 = [$id=CRYPTO_SYSTEM_INVALID, $desc=The crypto system or checksum function is invalid because a required function is unavailable.], 3221226228 = [$id=MAX_REFERRALS_EXCEEDED, $desc=The number of maximum ticket referrals has been exceeded.], 3221226229 = [$id=MUST_BE_KDC, $desc=The local machine must be a Kerberos KDC (domain controller) and it is not.], 3221226230 = [$id=STRONG_CRYPTO_NOT_SUPPORTED, $desc=The other end of the security 
negotiation requires strong crypto but it is not supported on the local machine.], 3221226231 = [$id=TOO_MANY_PRINCIPALS, $desc=The KDC reply contained more than one principal name.], 3221226232 = [$id=NO_PA_DATA, $desc=Expected to find PA data for a hint of what etype to use, but it was not found.], 3221226233 = [$id=PKINIT_NAME_MISMATCH, $desc=The client certificate does not contain a valid UPN, or does not match the client name in the logon request. Contact your administrator.], 3221226234 = [$id=SMARTCARD_LOGON_REQUIRED, $desc=Smart card logon is required and was not used.], 3221226235 = [$id=KDC_INVALID_REQUEST, $desc=An invalid request was sent to the KDC.], 3221226236 = [$id=KDC_UNABLE_TO_REFER, $desc=The KDC was unable to generate a referral for the service requested.], 3221226237 = [$id=KDC_UNKNOWN_ETYPE, $desc=The encryption type requested is not supported by the KDC.], 3221226238 = [$id=SHUTDOWN_IN_PROGRESS, $desc=A system shutdown is in progress.], 3221226239 = [$id=SERVER_SHUTDOWN_IN_PROGRESS, $desc=The server machine is shutting down.], 3221226240 = [$id=NOT_SUPPORTED_ON_SBS, $desc=This operation is not supported on a computer running Windows Server 2003 for Small Business Server.], 3221226241 = [$id=WMI_GUID_DISCONNECTED, $desc=The WMI GUID is no longer available.], 3221226242 = [$id=WMI_ALREADY_DISABLED, $desc=Collection or events for the WMI GUID is already disabled.], 3221226243 = [$id=WMI_ALREADY_ENABLED, $desc=Collection or events for the WMI GUID is already enabled.], 3221226244 = [$id=MFT_TOO_FRAGMENTED, $desc=The master file table on the volume is too fragmented to complete this operation.], 3221226245 = [$id=COPY_PROTECTION_FAILURE, $desc=Copy protection failure.], 3221226246 = [$id=CSS_AUTHENTICATION_FAILURE, $desc=Copy protection error-DVD CSS Authentication failed.], 3221226247 = [$id=CSS_KEY_NOT_PRESENT, $desc=Copy protection error-The specified sector does not contain a valid key.], 3221226248 = [$id=CSS_KEY_NOT_ESTABLISHED, $desc=Copy 
protection error-DVD session key not established.], 3221226249 = [$id=CSS_SCRAMBLED_SECTOR, $desc=Copy protection error-The read failed because the sector is encrypted.], 3221226250 = [$id=CSS_REGION_MISMATCH, $desc=Copy protection error-The region of the specified DVD does not correspond to the region setting of the drive.], 3221226251 = [$id=CSS_RESETS_EXHAUSTED, $desc=Copy protection error-The region setting of the drive may be permanent.], 3221226272 = [$id=PKINIT_FAILURE, $desc=The Kerberos protocol encountered an error while validating the KDC certificate during smart card logon. There is more information in the system event log.], 3221226273 = [$id=SMARTCARD_SUBSYSTEM_FAILURE, $desc=The Kerberos protocol encountered an error while attempting to use the smart card subsystem.], 3221226274 = [$id=NO_KERB_KEY, $desc=The target server does not have acceptable Kerberos credentials.], 3221226320 = [$id=HOST_DOWN, $desc=The transport determined that the remote system is down.], 3221226321 = [$id=UNSUPPORTED_PREAUTH, $desc=An unsupported pre-authentication mechanism was presented to the Kerberos package.], 3221226322 = [$id=EFS_ALG_BLOB_TOO_BIG, $desc=The encryption algorithm that is used on the source file needs a bigger key buffer than the one that is used on the destination file.], 3221226323 = [$id=PORT_NOT_SET, $desc=An attempt to remove a processes DebugPort was made, but a port was not already associated with the process.], 3221226324 = [$id=DEBUGGER_INACTIVE, $desc=An attempt to do an operation on a debug port failed because the port is in the process of being deleted.], 3221226325 = [$id=DS_VERSION_CHECK_FAILURE, $desc=This version of Windows is not compatible with the behavior version of the directory forest, domain, or domain controller.], 3221226326 = [$id=AUDITING_DISABLED, $desc=The specified event is currently not being audited.], 3221226327 = [$id=PRENT4_MACHINE_ACCOUNT, $desc=The machine account was created prior to Windows NT 4.0. 
The account needs to be recreated.], 3221226328 = [$id=DS_AG_CANT_HAVE_UNIVERSAL_MEMBER, $desc=An account group cannot have a universal group as a member.], 3221226329 = [$id=INVALID_IMAGE_WIN_32, $desc=The specified image file did not have the correct format; it appears to be a 32-bit Windows image.], 3221226330 = [$id=INVALID_IMAGE_WIN_64, $desc=The specified image file did not have the correct format; it appears to be a 64-bit Windows image.], 3221226331 = [$id=BAD_BINDINGS, $desc=The client's supplied SSPI channel bindings were incorrect.], 3221226332 = [$id=NETWORK_SESSION_EXPIRED, $desc=The client session has expired; so the client must re-authenticate to continue accessing the remote resources.], 3221226333 = [$id=APPHELP_BLOCK, $desc=The AppHelp dialog box canceled; thus preventing the application from starting.], 3221226334 = [$id=ALL_SIDS_FILTERED, $desc=The SID filtering operation removed all SIDs.], 3221226335 = [$id=NOT_SAFE_MODE_DRIVER, $desc=The driver was not loaded because the system is starting in safe mode.], 3221226337 = [$id=ACCESS_DISABLED_BY_POLICY_DEFAULT, $desc=Access to %1 has been restricted by your Administrator by the default software restriction policy level.], 3221226338 = [$id=ACCESS_DISABLED_BY_POLICY_PATH, $desc=Access to %1 has been restricted by your Administrator by location with policy rule %2 placed on path %3.], 3221226339 = [$id=ACCESS_DISABLED_BY_POLICY_PUBLISHER, $desc=Access to %1 has been restricted by your Administrator by software publisher policy.], 3221226340 = [$id=ACCESS_DISABLED_BY_POLICY_OTHER, $desc=Access to %1 has been restricted by your Administrator by policy rule %2.], 3221226341 = [$id=FAILED_DRIVER_ENTRY, $desc=The driver was not loaded because it failed its initialization call.], 3221226342 = [$id=DEVICE_ENUMERATION_ERROR, $desc=The device encountered an error while applying power or reading the device configuration. 
This may be caused by a failure of your hardware or by a poor connection.], 3221226344 = [$id=MOUNT_POINT_NOT_RESOLVED, $desc=The create operation failed because the name contained at least one mount point that resolves to a volume to which the specified device object is not attached.], 3221226345 = [$id=INVALID_DEVICE_OBJECT_PARAMETER, $desc=The device object parameter is either not a valid device object or is not attached to the volume that is specified by the file name.], 3221226346 = [$id=MCA_OCCURED, $desc=A machine check error has occurred. Check the system event log for additional information.], 3221226347 = [$id=DRIVER_BLOCKED_CRITICAL, $desc=Driver %2 has been blocked from loading.], 3221226348 = [$id=DRIVER_BLOCKED, $desc=Driver %2 has been blocked from loading.], 3221226349 = [$id=DRIVER_DATABASE_ERROR, $desc=There was error [%2] processing the driver database.], 3221226350 = [$id=SYSTEM_HIVE_TOO_LARGE, $desc=System hive size has exceeded its limit.], 3221226351 = [$id=INVALID_IMPORT_OF_NON_DLL, $desc=A dynamic link library (DLL) referenced a module that was neither a DLL nor the process's executable image.], 3221226353 = [$id=NO_SECRETS, $desc=The local account store does not contain secret material for the specified account.], 3221226354 = [$id=ACCESS_DISABLED_NO_SAFER_UI_BY_POLICY, $desc=Access to %1 has been restricted by your Administrator by policy rule %2.], 3221226355 = [$id=FAILED_STACK_SWITCH, $desc=The system was not able to allocate enough memory to perform a stack switch.], 3221226356 = [$id=HEAP_CORRUPTION, $desc=A heap has been corrupted.], 3221226368 = [$id=SMARTCARD_WRONG_PIN, $desc=An incorrect PIN was presented to the smart card.], 3221226369 = [$id=SMARTCARD_CARD_BLOCKED, $desc=The smart card is blocked.], 3221226370 = [$id=SMARTCARD_CARD_NOT_AUTHENTICATED, $desc=No PIN was presented to the smart card.], 3221226371 = [$id=SMARTCARD_NO_CARD, $desc=No smart card is available.], 3221226372 = [$id=SMARTCARD_NO_KEY_CONTAINER, $desc=The 
requested key container does not exist on the smart card.], 3221226373 = [$id=SMARTCARD_NO_CERTIFICATE, $desc=The requested certificate does not exist on the smart card.], 3221226374 = [$id=SMARTCARD_NO_KEYSET, $desc=The requested keyset does not exist.], 3221226375 = [$id=SMARTCARD_IO_ERROR, $desc=A communication error with the smart card has been detected.], 3221226376 = [$id=DOWNGRADE_DETECTED, $desc=The system detected a possible attempt to compromise security. Ensure that you can contact the server that authenticated you.], 3221226377 = [$id=SMARTCARD_CERT_REVOKED, $desc=The smart card certificate used for authentication has been revoked. Contact your system administrator. There may be additional information in the event log.], 3221226378 = [$id=ISSUING_CA_UNTRUSTED, $desc=An untrusted certificate authority was detected while processing the smart card certificate that is used for authentication. Contact your system administrator.], 3221226379 = [$id=REVOCATION_OFFLINE_C, $desc=The revocation status of the smart card certificate that is used for authentication could not be determined. Contact your system administrator.], 3221226380 = [$id=PKINIT_CLIENT_FAILURE, $desc=The smart card certificate used for authentication was not trusted. Contact your system administrator.], 3221226381 = [$id=SMARTCARD_CERT_EXPIRED, $desc=The smart card certificate used for authentication has expired. 
Contact your system administrator.], 3221226382 = [$id=DRIVER_FAILED_PRIOR_UNLOAD, $desc=The driver could not be loaded because a previous version of the driver is still in memory.], 3221226383 = [$id=SMARTCARD_SILENT_CONTEXT, $desc=The smart card provider could not perform the action because the context was acquired as silent.], 3221226497 = [$id=PER_USER_TRUST_QUOTA_EXCEEDED, $desc=The delegated trust creation quota of the current user has been exceeded.], 3221226498 = [$id=ALL_USER_TRUST_QUOTA_EXCEEDED, $desc=The total delegated trust creation quota has been exceeded.], 3221226499 = [$id=USER_DELETE_TRUST_QUOTA_EXCEEDED, $desc=The delegated trust deletion quota of the current user has been exceeded.], 3221226500 = [$id=DS_NAME_NOT_UNIQUE, $desc=The requested name already exists as a unique identifier.], 3221226501 = [$id=DS_DUPLICATE_ID_FOUND, $desc=The requested object has a non-unique identifier and cannot be retrieved.], 3221226502 = [$id=DS_GROUP_CONVERSION_ERROR, $desc=The group cannot be converted due to attribute restrictions on the requested group type.], 3221226503 = [$id=VOLSNAP_PREPARE_HIBERNATE, $desc={Volume Shadow Copy Service} Wait while the Volume Shadow Copy Service prepares volume %hs for hibernation.], 3221226504 = [$id=USER2USER_REQUIRED, $desc=Kerberos sub-protocol User2User is required.], 3221226505 = [$id=STACK_BUFFER_OVERRUN, $desc=The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.], 3221226506 = [$id=NO_S4U_PROT_SUPPORT, $desc=The Kerberos subsystem encountered an error. A service for user protocol request was made against a domain controller which does not support service for user.], 3221226507 = [$id=CROSSREALM_DELEGATION_FAILURE, $desc=An attempt was made by this server to make a Kerberos constrained delegation request for a target that is outside the server realm. 
This action is not supported and the resulting error indicates a misconfiguration on the allowed-to-delegate-to list for this server. Contact your administrator.], 3221226508 = [$id=REVOCATION_OFFLINE_KDC, $desc=The revocation status of the domain controller certificate used for smart card authentication could not be determined. There is additional information in the system event log. Contact your system administrator.], 3221226509 = [$id=ISSUING_CA_UNTRUSTED_KDC, $desc=An untrusted certificate authority was detected while processing the domain controller certificate used for authentication. There is additional information in the system event log. Contact your system administrator.], 3221226510 = [$id=KDC_CERT_EXPIRED, $desc=The domain controller certificate used for smart card logon has expired. Contact your system administrator with the contents of your system event log.], 3221226511 = [$id=KDC_CERT_REVOKED, $desc=The domain controller certificate used for smart card logon has been revoked. Contact your system administrator with the contents of your system event log.], 3221226512 = [$id=PARAMETER_QUOTA_EXCEEDED, $desc=Data present in one of the parameters is more than the function can operate on.], 3221226513 = [$id=HIBERNATION_FAILURE, $desc=The system has failed to hibernate (The error code is %hs). Hibernation will be disabled until the system is restarted.], 3221226514 = [$id=DELAY_LOAD_FAILED, $desc=An attempt to delay-load a .dll or get a function address in a delay-loaded .dll failed.], 3221226515 = [$id=AUTHENTICATION_FIREWALL_FAILED, $desc=Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.], 3221226516 = [$id=VDM_DISALLOWED, $desc=%hs is a 16-bit application. You do not have permissions to execute 16-bit applications. 
Check your permissions with your system administrator.], 3221226517 = [$id=HUNG_DISPLAY_DRIVER_THREAD, $desc={Display Driver Stopped Responding} The %hs display driver has stopped working normally. Save your work and reboot the system to restore full display functionality. The next time you reboot the machine a dialog will be displayed giving you a chance to report this failure to Microsoft.], 3221226518 = [$id=INSUFFICIENT_RESOURCE_FOR_SPECIFIED_SHARED_SECTION_SIZE, $desc=The Desktop heap encountered an error while allocating session memory. There is more information in the system event log.], 3221226519 = [$id=INVALID_CRUNTIME_PARAMETER, $desc=An invalid parameter was passed to a C runtime function.], 3221226520 = [$id=NTLM_BLOCKED, $desc=The authentication failed because NTLM was blocked.], 3221226521 = [$id=DS_SRC_SID_EXISTS_IN_FOREST, $desc=The source object's SID already exists in destination forest.], 3221226522 = [$id=DS_DOMAIN_NAME_EXISTS_IN_FOREST, $desc=The domain name of the trusted domain already exists in the forest.], 3221226523 = [$id=DS_FLAT_NAME_EXISTS_IN_FOREST, $desc=The flat name of the trusted domain already exists in the forest.], 3221226524 = [$id=INVALID_USER_PRINCIPAL_NAME, $desc=The User Principal Name (UPN) is invalid.], 3221226528 = [$id=ASSERTION_FAILURE, $desc=There has been an assertion failure.], 3221226529 = [$id=VERIFIER_STOP, $desc=Application verifier has found an error in the current process.], 3221226531 = [$id=CALLBACK_POP_STACK, $desc=A user mode unwind is in progress.], 3221226532 = [$id=INCOMPATIBLE_DRIVER_BLOCKED, $desc=%2 has been blocked from loading due to incompatibility with this system. 
Contact your software vendor for a compatible version of the driver.], 3221226533 = [$id=HIVE_UNLOADED, $desc=Illegal operation attempted on a registry key which has already been unloaded.], 3221226534 = [$id=COMPRESSION_DISABLED, $desc=Compression is disabled for this volume.], 3221226535 = [$id=FILE_SYSTEM_LIMITATION, $desc=The requested operation could not be completed due to a file system limitation.], 3221226536 = [$id=INVALID_IMAGE_HASH, $desc=The hash for image %hs cannot be found in the system catalogs. The image is likely corrupt or the victim of tampering.], 3221226537 = [$id=NOT_CAPABLE, $desc=The implementation is not capable of performing the request.], 3221226538 = [$id=REQUEST_OUT_OF_SEQUENCE, $desc=The requested operation is out of order with respect to other operations.], 3221226539 = [$id=IMPLEMENTATION_LIMIT, $desc=An operation attempted to exceed an implementation-defined limit.], 3221226540 = [$id=ELEVATION_REQUIRED, $desc=The requested operation requires elevation.], 3221226541 = [$id=NO_SECURITY_CONTEXT, $desc=The required security context does not exist.], 3221226542 = [$id=PKU2U_CERT_FAILURE, $desc=The PKU2U protocol encountered an error while attempting to utilize the associated certificates.], 3221226546 = [$id=BEYOND_VDL, $desc=The operation was attempted beyond the valid data length of the file.], 3221226547 = [$id=ENCOUNTERED_WRITE_IN_PROGRESS, $desc=The attempted write operation encountered a write already in progress for some portion of the range.], 3221226548 = [$id=PTE_CHANGED, $desc=The page fault mappings changed in the middle of processing a fault so the operation must be retried.], 3221226549 = [$id=PURGE_FAILED, $desc=The attempt to purge this file from memory failed to purge some or all the data from memory.], 3221226560 = [$id=CRED_REQUIRES_CONFIRMATION, $desc=The requested credential requires confirmation.], 3221226561 = [$id=CS_ENCRYPTION_INVALID_SERVER_RESPONSE, $desc=The remote server sent an invalid response for a file 
being opened with Client Side Encryption.], 3221226562 = [$id=CS_ENCRYPTION_UNSUPPORTED_SERVER, $desc=Client Side Encryption is not supported by the remote server even though it claims to support it.], 3221226563 = [$id=CS_ENCRYPTION_EXISTING_ENCRYPTED_FILE, $desc=File is encrypted and should be opened in Client Side Encryption mode.], 3221226564 = [$id=CS_ENCRYPTION_NEW_ENCRYPTED_FILE, $desc=A new encrypted file is being created and a $EFS needs to be provided.], 3221226565 = [$id=CS_ENCRYPTION_FILE_NOT_CSE, $desc=The SMB client requested a CSE FSCTL on a non-CSE file.], 3221226566 = [$id=INVALID_LABEL, $desc=Indicates a particular Security ID may not be assigned as the label of an object.], 3221226576 = [$id=DRIVER_PROCESS_TERMINATED, $desc=The process hosting the driver for this device has terminated.], 3221226577 = [$id=AMBIGUOUS_SYSTEM_DEVICE, $desc=The requested system device cannot be identified due to multiple indistinguishable devices potentially matching the identification criteria.], 3221226578 = [$id=SYSTEM_DEVICE_NOT_FOUND, $desc=The requested system device cannot be found.], 3221226579 = [$id=RESTART_BOOT_APPLICATION, $desc=This boot application must be restarted.], 3221226580 = [$id=INSUFFICIENT_NVRAM_RESOURCES, $desc=Insufficient NVRAM resources exist to complete the API.  
A reboot might be required.], 3221226592 = [$id=NO_RANGES_PROCESSED, $desc=No ranges for the specified operation were able to be processed.], 3221226595 = [$id=DEVICE_FEATURE_NOT_SUPPORTED, $desc=The storage device does not support Offload Write.], 3221226596 = [$id=DEVICE_UNREACHABLE, $desc=Data cannot be moved because the source device cannot communicate with the destination device.], 3221226597 = [$id=INVALID_TOKEN, $desc=The token representing the data is invalid or expired.], 3221226752 = [$id=INVALID_TASK_NAME, $desc=The specified task name is invalid.], 3221226753 = [$id=INVALID_TASK_INDEX, $desc=The specified task index is invalid.], 3221226754 = [$id=THREAD_ALREADY_IN_TASK, $desc=The specified thread is already joining a task.], 3221226755 = [$id=CALLBACK_BYPASS, $desc=A callback has requested to bypass native code.], 3221227010 = [$id=FAIL_FAST_EXCEPTION, $desc=A fail fast exception occurred. Exception handlers will not be invoked and the process will be terminated immediately.], 3221227011 = [$id=IMAGE_CERT_REVOKED, $desc=Windows cannot verify the digital signature for this file. 
The signing certificate for this file has been revoked.], 3221227264 = [$id=PORT_CLOSED, $desc=The ALPC port is closed.], 3221227265 = [$id=MESSAGE_LOST, $desc=The ALPC message requested is no longer available.], 3221227266 = [$id=INVALID_MESSAGE, $desc=The ALPC message supplied is invalid.], 3221227267 = [$id=REQUEST_CANCELED, $desc=The ALPC message has been canceled.], 3221227268 = [$id=RECURSIVE_DISPATCH, $desc=Invalid recursive dispatch attempt.], 3221227269 = [$id=LPC_RECEIVE_BUFFER_EXPECTED, $desc=No receive buffer has been supplied in a synchronous request.], 3221227270 = [$id=LPC_INVALID_CONNECTION_USAGE, $desc=The connection port is used in an invalid context.], 3221227271 = [$id=LPC_REQUESTS_NOT_ALLOWED, $desc=The ALPC port does not accept new request messages.], 3221227272 = [$id=RESOURCE_IN_USE, $desc=The resource requested is already in use.], 3221227273 = [$id=HARDWARE_MEMORY_ERROR, $desc=The hardware has reported an uncorrectable memory error.], 3221227274 = [$id=THREADPOOL_HANDLE_EXCEPTION, $desc=Status 0x%08x was returned, waiting on handle 0x%x for wait 0x%p, in waiter 0x%p.], 3221227275 = [$id=THREADPOOL_SET_EVENT_ON_COMPLETION_FAILED, $desc=After a callback to 0x%p(0x%p), a completion call to Set event(0x%p) failed with status 0x%08x.], 3221227276 = [$id=THREADPOOL_RELEASE_SEMAPHORE_ON_COMPLETION_FAILED, $desc=After a callback to 0x%p(0x%p), a completion call to ReleaseSemaphore(0x%p, %d) failed with status 0x%08x.], 3221227277 = [$id=THREADPOOL_RELEASE_MUTEX_ON_COMPLETION_FAILED, $desc=After a callback to 0x%p(0x%p), a completion call to ReleaseMutex(%p) failed with status 0x%08x.], 3221227278 = [$id=THREADPOOL_FREE_LIBRARY_ON_COMPLETION_FAILED, $desc=After a callback to 0x%p(0x%p), a completion call to FreeLibrary(%p) failed with status 0x%08x.], 3221227279 = [$id=THREADPOOL_RELEASED_DURING_OPERATION, $desc=The thread pool 0x%p was released while a thread was posting a callback to 0x%p(0x%p) to it.], 3221227280 = 
[$id=CALLBACK_RETURNED_WHILE_IMPERSONATING, $desc=A thread pool worker thread is impersonating a client, after a callback to 0x%p(0x%p). This is unexpected, indicating that the callback is missing a call to revert the impersonation.], 3221227281 = [$id=APC_RETURNED_WHILE_IMPERSONATING, $desc=A thread pool worker thread is impersonating a client, after executing an APC. This is unexpected, indicating that the APC is missing a call to revert the impersonation.], 3221227282 = [$id=PROCESS_IS_PROTECTED, $desc=Either the target process, or the target thread's containing process, is a protected process.], 3221227283 = [$id=MCA_EXCEPTION, $desc=A thread is getting dispatched with MCA EXCEPTION because of MCA.], 3221227284 = [$id=CERTIFICATE_MAPPING_NOT_UNIQUE, $desc=The client certificate account mapping is not unique.], 3221227285 = [$id=SYMLINK_CLASS_DISABLED, $desc=The symbolic link cannot be followed because its type is disabled.], 3221227286 = [$id=INVALID_IDN_NORMALIZATION, $desc=Indicates that the specified string is not valid for IDN normalization.], 3221227287 = [$id=NO_UNICODE_TRANSLATION, $desc=No mapping for the Unicode character exists in the target multi-byte code page.], 3221227288 = [$id=ALREADY_REGISTERED, $desc=The provided callback is already registered.], 3221227289 = [$id=CONTEXT_MISMATCH, $desc=The provided context did not match the target.], 3221227290 = [$id=PORT_ALREADY_HAS_COMPLETION_LIST, $desc=The specified port already has a completion list.], 3221227291 = [$id=CALLBACK_RETURNED_THREAD_PRIORITY, $desc=A threadpool worker thread entered a callback at thread base priority 0x%x and exited at priority 0x%x.], 3221227292 = [$id=INVALID_THREAD, $desc=An invalid thread, handle %p, is specified for this operation. 
Possibly, a threadpool worker thread was specified.], 3221227293 = [$id=CALLBACK_RETURNED_TRANSACTION, $desc=A threadpool worker thread entered a callback, which left transaction state.], 3221227294 = [$id=CALLBACK_RETURNED_LDR_LOCK, $desc=A threadpool worker thread entered a callback, which left the loader lock held.], 3221227295 = [$id=CALLBACK_RETURNED_LANG, $desc=A threadpool worker thread entered a callback, which left with preferred languages set.], 3221227296 = [$id=CALLBACK_RETURNED_PRI_BACK, $desc=A threadpool worker thread entered a callback, which left with background priorities set.], 3221227520 = [$id=DISK_REPAIR_DISABLED, $desc=The attempted operation required self healing to be enabled.], 3221227521 = [$id=DS_DOMAIN_RENAME_IN_PROGRESS, $desc=The directory service cannot perform the requested operation because a domain rename operation is in progress.], 3221227522 = [$id=DISK_QUOTA_EXCEEDED, $desc=An operation failed because the storage quota was exceeded.], 3221227524 = [$id=CONTENT_BLOCKED, $desc=An operation failed because the content was blocked.], 3221227525 = [$id=BAD_CLUSTERS, $desc=The operation could not be completed due to bad clusters on disk.], 3221227526 = [$id=VOLUME_DIRTY, $desc=The operation could not be completed because the volume is dirty. Please run the Chkdsk utility and try again. ], 3221227777 = [$id=FILE_CHECKED_OUT, $desc=This file is checked out or locked for editing by another user.], 3221227778 = [$id=CHECKOUT_REQUIRED, $desc=The file must be checked out before saving changes.], 3221227779 = [$id=BAD_FILE_TYPE, $desc=The file type being saved or retrieved has been blocked.], 3221227780 = [$id=FILE_TOO_LARGE, $desc=The file size exceeds the limit allowed and cannot be saved.], 3221227781 = [$id=FORMS_AUTH_REQUIRED, $desc=Access Denied. Before opening files in this location, you must first browse to the e.g. 
site and select the option to log on automatically.], 3221227782 = [$id=VIRUS_INFECTED, $desc=The operation did not complete successfully because the file contains a virus.], 3221227783 = [$id=VIRUS_DELETED, $desc=This file contains a virus and cannot be opened. Due to the nature of this virus, the file has been removed from this location.], 3221227784 = [$id=BAD_MCFG_TABLE, $desc=The resources required for this device conflict with the MCFG table.], 3221227785 = [$id=CANNOT_BREAK_OPLOCK, $desc=The operation did not complete successfully because it would cause an oplock to be broken. The caller has requested that existing oplocks not be broken.], 3221264536 = [$id=WOW_ASSERTION, $desc=WOW Assertion Error.], 3221266432 = [$id=INVALID_SIGNATURE, $desc=The cryptographic signature is invalid.], 3221266433 = [$id=HMAC_NOT_SUPPORTED, $desc=The cryptographic provider does not support HMAC.], 3221266448 = [$id=IPSEC_QUEUE_OVERFLOW, $desc=The IPsec queue overflowed.], 3221266449 = [$id=ND_QUEUE_OVERFLOW, $desc=The neighbor discovery queue overflowed.], 3221266450 = [$id=HOPLIMIT_EXCEEDED, $desc=An Internet Control Message Protocol (ICMP) hop limit exceeded error was received.], 3221266451 = [$id=PROTOCOL_NOT_SUPPORTED, $desc=The protocol is not installed on the local machine.], 3221266560 = [$id=LOST_WRITEBEHIND_DATA_NETWORK_DISCONNECTED, $desc={Delayed Write Failed} Windows was unable to save all the data for the file %hs; the data has been lost. This error may be caused by network connectivity issues. Try to save this file elsewhere.], 3221266561 = [$id=LOST_WRITEBEHIND_DATA_NETWORK_SERVER_ERROR, $desc={Delayed Write Failed} Windows was unable to save all the data for the file %hs; the data has been lost. This error was returned by the server on which the file exists. Try to save this file elsewhere.], 3221266562 = [$id=LOST_WRITEBEHIND_DATA_LOCAL_DISK_ERROR, $desc={Delayed Write Failed} Windows was unable to save all the data for the file %hs; the data has been lost. 
This error may be caused if the device has been removed or the media is write-protected.], 3221266563 = [$id=XML_PARSE_ERROR, $desc=Windows was unable to parse the requested XML data.], 3221266564 = [$id=XMLDSIG_ERROR, $desc=An error was encountered while processing an XML digital signature.], 3221266565 = [$id=WRONG_COMPARTMENT, $desc=This indicates that the caller made the connection request in the wrong routing compartment.], 3221266566 = [$id=AUTHIP_FAILURE, $desc=This indicates that there was an AuthIP failure when attempting to connect to the remote host.], 3221266567 = [$id=DS_OID_MAPPED_GROUP_CANT_HAVE_MEMBERS, $desc=OID mapped groups cannot have members.], 3221266568 = [$id=DS_OID_NOT_FOUND, $desc=The specified OID cannot be found.], 3221266688 = [$id=HASH_NOT_SUPPORTED, $desc=Hash generation for the specified version and hash type is not enabled on server.], 3221266689 = [$id=HASH_NOT_PRESENT, $desc=The hash requests is not present or not up to date with the current file contents.], 3221267105 = [$id=OFFLOAD_READ_FLT_NOT_SUPPORTED, $desc=A file system filter on the server has not opted in for Offload Read support.], 3221267106 = [$id=OFFLOAD_WRITE_FLT_NOT_SUPPORTED, $desc=A file system filter on the server has not opted in for Offload Write support.], 3221267107 = [$id=OFFLOAD_READ_FILE_NOT_SUPPORTED, $desc=Offload read operations cannot be performed on:], 3221267108 = [$id=OFFLOAD_WRITE_FILE_NOT_SUPPORTED, $desc=Offload write operations cannot be performed on:], 3221291009 = [$id=DBG_NO_STATE_CHANGE, $desc=The debugger did not perform a state change.], 3221291010 = [$id=DBG_APP_NOT_IDLE, $desc=The debugger found that the application is not idle.], 3221356545 = [$id=RPC_NT_INVALID_STRING_BINDING, $desc=The string binding is invalid.], 3221356546 = [$id=RPC_NT_WRONG_KIND_OF_BINDING, $desc=The binding handle is not the correct type.], 3221356547 = [$id=RPC_NT_INVALID_BINDING, $desc=The binding handle is invalid.], 3221356548 = 
[$id=RPC_NT_PROTSEQ_NOT_SUPPORTED, $desc=The RPC protocol sequence is not supported.], 3221356549 = [$id=RPC_NT_INVALID_RPC_PROTSEQ, $desc=The RPC protocol sequence is invalid.], 3221356550 = [$id=RPC_NT_INVALID_STRING_UUID, $desc=The string UUID is invalid.], 3221356551 = [$id=RPC_NT_INVALID_ENDPOINT_FORMAT, $desc=The endpoint format is invalid.], 3221356552 = [$id=RPC_NT_INVALID_NET_ADDR, $desc=The network address is invalid.], 3221356553 = [$id=RPC_NT_NO_ENDPOINT_FOUND, $desc=No endpoint was found.], 3221356554 = [$id=RPC_NT_INVALID_TIMEOUT, $desc=The time-out value is invalid.], 3221356555 = [$id=RPC_NT_OBJECT_NOT_FOUND, $desc=The object UUID was not found.], 3221356556 = [$id=RPC_NT_ALREADY_REGISTERED, $desc=The object UUID has already been registered.], 3221356557 = [$id=RPC_NT_TYPE_ALREADY_REGISTERED, $desc=The type UUID has already been registered.], 3221356558 = [$id=RPC_NT_ALREADY_LISTENING, $desc=The RPC server is already listening.], 3221356559 = [$id=RPC_NT_NO_PROTSEQS_REGISTERED, $desc=No protocol sequences have been registered.], 3221356560 = [$id=RPC_NT_NOT_LISTENING, $desc=The RPC server is not listening.], 3221356561 = [$id=RPC_NT_UNKNOWN_MGR_TYPE, $desc=The manager type is unknown.], 3221356562 = [$id=RPC_NT_UNKNOWN_IF, $desc=The interface is unknown.], 3221356563 = [$id=RPC_NT_NO_BINDINGS, $desc=There are no bindings.], 3221356564 = [$id=RPC_NT_NO_PROTSEQS, $desc=There are no protocol sequences.], 3221356565 = [$id=RPC_NT_CANT_CREATE_ENDPOINT, $desc=The endpoint cannot be created.], 3221356566 = [$id=RPC_NT_OUT_OF_RESOURCES, $desc=Insufficient resources are available to complete this operation.], 3221356567 = [$id=RPC_NT_SERVER_UNAVAILABLE, $desc=The RPC server is unavailable.], 3221356568 = [$id=RPC_NT_SERVER_TOO_BUSY, $desc=The RPC server is too busy to complete this operation.], 3221356569 = [$id=RPC_NT_INVALID_NETWORK_OPTIONS, $desc=The network options are invalid.], 3221356570 = [$id=RPC_NT_NO_CALL_ACTIVE, $desc=No RPCs are active on this 
thread.], 3221356571 = [$id=RPC_NT_CALL_FAILED, $desc=The RPC failed.], 3221356572 = [$id=RPC_NT_CALL_FAILED_DNE, $desc=The RPC failed and did not execute.], 3221356573 = [$id=RPC_NT_PROTOCOL_ERROR, $desc=An RPC protocol error occurred.], 3221356575 = [$id=RPC_NT_UNSUPPORTED_TRANS_SYN, $desc=The RPC server does not support the transfer syntax.], 3221356577 = [$id=RPC_NT_UNSUPPORTED_TYPE, $desc=The type UUID is not supported.], 3221356578 = [$id=RPC_NT_INVALID_TAG, $desc=The tag is invalid.], 3221356579 = [$id=RPC_NT_INVALID_BOUND, $desc=The array bounds are invalid.], 3221356580 = [$id=RPC_NT_NO_ENTRY_NAME, $desc=The binding does not contain an entry name.], 3221356581 = [$id=RPC_NT_INVALID_NAME_SYNTAX, $desc=The name syntax is invalid.], 3221356582 = [$id=RPC_NT_UNSUPPORTED_NAME_SYNTAX, $desc=The name syntax is not supported.], 3221356584 = [$id=RPC_NT_UUID_NO_ADDRESS, $desc=No network address is available to construct a UUID.], 3221356585 = [$id=RPC_NT_DUPLICATE_ENDPOINT, $desc=The endpoint is a duplicate.], 3221356586 = [$id=RPC_NT_UNKNOWN_AUTHN_TYPE, $desc=The authentication type is unknown.], 3221356587 = [$id=RPC_NT_MAX_CALLS_TOO_SMALL, $desc=The maximum number of calls is too small.], 3221356588 = [$id=RPC_NT_STRING_TOO_LONG, $desc=The string is too long.], 3221356589 = [$id=RPC_NT_PROTSEQ_NOT_FOUND, $desc=The RPC protocol sequence was not found.], 3221356590 = [$id=RPC_NT_PROCNUM_OUT_OF_RANGE, $desc=The procedure number is out of range.], 3221356591 = [$id=RPC_NT_BINDING_HAS_NO_AUTH, $desc=The binding does not contain any authentication information.], 3221356592 = [$id=RPC_NT_UNKNOWN_AUTHN_SERVICE, $desc=The authentication service is unknown.], 3221356593 = [$id=RPC_NT_UNKNOWN_AUTHN_LEVEL, $desc=The authentication level is unknown.], 3221356594 = [$id=RPC_NT_INVALID_AUTH_IDENTITY, $desc=The security context is invalid.], 3221356595 = [$id=RPC_NT_UNKNOWN_AUTHZ_SERVICE, $desc=The authorization service is unknown.], 3221356596 = [$id=EPT_NT_INVALID_ENTRY, 
$desc=The entry is invalid.], 3221356597 = [$id=EPT_NT_CANT_PERFORM_OP, $desc=The operation cannot be performed.], 3221356598 = [$id=EPT_NT_NOT_REGISTERED, $desc=No more endpoints are available from the endpoint mapper.], 3221356599 = [$id=RPC_NT_NOTHING_TO_EXPORT, $desc=No interfaces have been exported.], 3221356600 = [$id=RPC_NT_INCOMPLETE_NAME, $desc=The entry name is incomplete.], 3221356601 = [$id=RPC_NT_INVALID_VERS_OPTION, $desc=The version option is invalid.], 3221356602 = [$id=RPC_NT_NO_MORE_MEMBERS, $desc=There are no more members.], 3221356603 = [$id=RPC_NT_NOT_ALL_OBJS_UNEXPORTED, $desc=There is nothing to unexport.], 3221356604 = [$id=RPC_NT_INTERFACE_NOT_FOUND, $desc=The interface was not found.], 3221356605 = [$id=RPC_NT_ENTRY_ALREADY_EXISTS, $desc=The entry already exists.], 3221356606 = [$id=RPC_NT_ENTRY_NOT_FOUND, $desc=The entry was not found.], 3221356607 = [$id=RPC_NT_NAME_SERVICE_UNAVAILABLE, $desc=The name service is unavailable.], 3221356608 = [$id=RPC_NT_INVALID_NAF_ID, $desc=The network address family is invalid.], 3221356609 = [$id=RPC_NT_CANNOT_SUPPORT, $desc=The requested operation is not supported.], 3221356610 = [$id=RPC_NT_NO_CONTEXT_AVAILABLE, $desc=No security context is available to allow impersonation.], 3221356611 = [$id=RPC_NT_INTERNAL_ERROR, $desc=An internal error occurred in the RPC.], 3221356612 = [$id=RPC_NT_ZERO_DIVIDE, $desc=The RPC server attempted to divide an integer by zero.], 3221356613 = [$id=RPC_NT_ADDRESS_ERROR, $desc=An addressing error occurred in the RPC server.], 3221356614 = [$id=RPC_NT_FP_DIV_ZERO, $desc=A floating point operation at the RPC server caused a divide by zero.], 3221356615 = [$id=RPC_NT_FP_UNDERFLOW, $desc=A floating point underflow occurred at the RPC server.], 3221356616 = [$id=RPC_NT_FP_OVERFLOW, $desc=A floating point overflow occurred at the RPC server.], 3221356617 = [$id=RPC_NT_CALL_IN_PROGRESS, $desc=An RPC is already in progress for this thread.], 3221356618 = 
[$id=RPC_NT_NO_MORE_BINDINGS, $desc=There are no more bindings.], 3221356619 = [$id=RPC_NT_GROUP_MEMBER_NOT_FOUND, $desc=The group member was not found.], 3221356620 = [$id=EPT_NT_CANT_CREATE, $desc=The endpoint mapper database entry could not be created.], 3221356621 = [$id=RPC_NT_INVALID_OBJECT, $desc=The object UUID is the nil UUID.], 3221356623 = [$id=RPC_NT_NO_INTERFACES, $desc=No interfaces have been registered.], 3221356624 = [$id=RPC_NT_CALL_CANCELLED, $desc=The RPC was canceled.], 3221356625 = [$id=RPC_NT_BINDING_INCOMPLETE, $desc=The binding handle does not contain all the required information.], 3221356626 = [$id=RPC_NT_COMM_FAILURE, $desc=A communications failure occurred during an RPC.], 3221356627 = [$id=RPC_NT_UNSUPPORTED_AUTHN_LEVEL, $desc=The requested authentication level is not supported.], 3221356628 = [$id=RPC_NT_NO_PRINC_NAME, $desc=No principal name was registered.], 3221356629 = [$id=RPC_NT_NOT_RPC_ERROR, $desc=The error specified is not a valid Windows RPC error code.], 3221356631 = [$id=RPC_NT_SEC_PKG_ERROR, $desc=A security package-specific error occurred.], 3221356632 = [$id=RPC_NT_NOT_CANCELLED, $desc=The thread was not canceled.], 3221356642 = [$id=RPC_NT_INVALID_ASYNC_HANDLE, $desc=Invalid asynchronous RPC handle.], 3221356643 = [$id=RPC_NT_INVALID_ASYNC_CALL, $desc=Invalid asynchronous RPC call handle for this operation.], 3221356644 = [$id=RPC_NT_PROXY_ACCESS_DENIED, $desc=Access to the HTTP proxy is denied.], 3221422081 = [$id=RPC_NT_NO_MORE_ENTRIES, $desc=The list of RPC servers available for auto-handle binding has been exhausted.], 3221422082 = [$id=RPC_NT_SS_CHAR_TRANS_OPEN_FAIL, $desc=The file designated by DCERPCCHARTRANS cannot be opened.], 3221422083 = [$id=RPC_NT_SS_CHAR_TRANS_SHORT_FILE, $desc=The file containing the character translation table has fewer than 512 bytes.], 3221422084 = [$id=RPC_NT_SS_IN_NULL_CONTEXT, $desc=A null context handle is passed as an [in] parameter.], 3221422085 = [$id=RPC_NT_SS_CONTEXT_MISMATCH, 
$desc=The context handle does not match any known context handles.], 3221422086 = [$id=RPC_NT_SS_CONTEXT_DAMAGED, $desc=The context handle changed during a call.], 3221422087 = [$id=RPC_NT_SS_HANDLES_MISMATCH, $desc=The binding handles passed to an RPC do not match.], 3221422088 = [$id=RPC_NT_SS_CANNOT_GET_CALL_HANDLE, $desc=The stub is unable to get the call handle.], 3221422089 = [$id=RPC_NT_NULL_REF_POINTER, $desc=A null reference pointer was passed to the stub.], 3221422090 = [$id=RPC_NT_ENUM_VALUE_OUT_OF_RANGE, $desc=The enumeration value is out of range.], 3221422091 = [$id=RPC_NT_BYTE_COUNT_TOO_SMALL, $desc=The byte count is too small.], 3221422092 = [$id=RPC_NT_BAD_STUB_DATA, $desc=The stub received bad data.], 3221422169 = [$id=RPC_NT_INVALID_ES_ACTION, $desc=Invalid operation on the encoding/decoding handle.], 3221422170 = [$id=RPC_NT_WRONG_ES_VERSION, $desc=Incompatible version of the serializing package.], 3221422171 = [$id=RPC_NT_WRONG_STUB_VERSION, $desc=Incompatible version of the RPC stub.], 3221422172 = [$id=RPC_NT_INVALID_PIPE_OBJECT, $desc=The RPC pipe object is invalid or corrupt.], 3221422173 = [$id=RPC_NT_INVALID_PIPE_OPERATION, $desc=An invalid operation was attempted on an RPC pipe object.], 3221422174 = [$id=RPC_NT_WRONG_PIPE_VERSION, $desc=Unsupported RPC pipe version.], 3221422175 = [$id=RPC_NT_PIPE_CLOSED, $desc=The RPC pipe object has already been closed.], 3221422176 = [$id=RPC_NT_PIPE_DISCIPLINE_ERROR, $desc=The RPC call completed before all pipes were processed.], 3221422177 = [$id=RPC_NT_PIPE_EMPTY, $desc=No more data is available from the RPC pipe.], 3221487669 = [$id=PNP_BAD_MPS_TABLE, $desc=A device is missing in the system BIOS MPS table. This device will not be used. 
Contact your system vendor for a system BIOS update.], 3221487670 = [$id=PNP_TRANSLATION_FAILED, $desc=A translator failed to translate resources.], 3221487671 = [$id=PNP_IRQ_TRANSLATION_FAILED, $desc=An IRQ translator failed to translate resources.], 3221487672 = [$id=PNP_INVALID_ID, $desc=Driver %2 returned an invalid ID for a child device (%3).], 3221487673 = [$id=IO_REISSUE_AS_CACHED, $desc=Reissue the given operation as a cached I/O operation], 3221880833 = [$id=CTX_WINSTATION_NAME_INVALID, $desc=Session name %1 is invalid.], 3221880834 = [$id=CTX_INVALID_PD, $desc=The protocol driver %1 is invalid.], 3221880835 = [$id=CTX_PD_NOT_FOUND, $desc=The protocol driver %1 was not found in the system path.], 3221880838 = [$id=CTX_CLOSE_PENDING, $desc=A close operation is pending on the terminal connection.], 3221880839 = [$id=CTX_NO_OUTBUF, $desc=No free output buffers are available.], 3221880840 = [$id=CTX_MODEM_INF_NOT_FOUND, $desc=The MODEM.INF file was not found.], 3221880841 = [$id=CTX_INVALID_MODEMNAME, $desc=The modem (%1) was not found in the MODEM.INF file.], 3221880842 = [$id=CTX_RESPONSE_ERROR, $desc=The modem did not accept the command sent to it. Verify that the configured modem name matches the attached modem.], 3221880843 = [$id=CTX_MODEM_RESPONSE_TIMEOUT, $desc=The modem did not respond to the command sent to it. Verify that the modem cable is properly attached and the modem is turned on.], 3221880844 = [$id=CTX_MODEM_RESPONSE_NO_CARRIER, $desc=Carrier detection has failed or the carrier has been dropped due to disconnection.], 3221880845 = [$id=CTX_MODEM_RESPONSE_NO_DIALTONE, $desc=A dial tone was not detected within the required time. 
Verify that the phone cable is properly attached and functional.], 3221880846 = [$id=CTX_MODEM_RESPONSE_BUSY, $desc=A busy signal was detected at a remote site on callback.], 3221880847 = [$id=CTX_MODEM_RESPONSE_VOICE, $desc=A voice was detected at a remote site on callback.], 3221880848 = [$id=CTX_TD_ERROR, $desc=Transport driver error.], 3221880850 = [$id=CTX_LICENSE_CLIENT_INVALID, $desc=The client you are using is not licensed to use this system. Your logon request is denied.], 3221880851 = [$id=CTX_LICENSE_NOT_AVAILABLE, $desc=The system has reached its licensed logon limit. Try again later.], 3221880852 = [$id=CTX_LICENSE_EXPIRED, $desc=The system license has expired. Your logon request is denied.], 3221880853 = [$id=CTX_WINSTATION_NOT_FOUND, $desc=The specified session cannot be found.], 3221880854 = [$id=CTX_WINSTATION_NAME_COLLISION, $desc=The specified session name is already in use.], 3221880855 = [$id=CTX_WINSTATION_BUSY, $desc=The requested operation cannot be completed because the terminal connection is currently processing a connect, disconnect, reset, or delete operation.], 3221880856 = [$id=CTX_BAD_VIDEO_MODE, $desc=An attempt has been made to connect to a session whose video mode is not supported by the current client.], 3221880866 = [$id=CTX_GRAPHICS_INVALID, $desc=The application attempted to enable DOS graphics mode. DOS graphics mode is not supported.], 3221880868 = [$id=CTX_NOT_CONSOLE, $desc=The requested operation can be performed only on the system console. 
This is most often the result of a driver or system DLL requiring direct console access.], 3221880870 = [$id=CTX_CLIENT_QUERY_TIMEOUT, $desc=The client failed to respond to the server connect message.], 3221880871 = [$id=CTX_CONSOLE_DISCONNECT, $desc=Disconnecting the console session is not supported.], 3221880872 = [$id=CTX_CONSOLE_CONNECT, $desc=Reconnecting a disconnected session to the console is not supported.], 3221880874 = [$id=CTX_SHADOW_DENIED, $desc=The request to control another session remotely was denied.], 3221880875 = [$id=CTX_WINSTATION_ACCESS_DENIED, $desc=A process has requested access to a session, but has not been granted those access rights.], 3221880878 = [$id=CTX_INVALID_WD, $desc=The terminal connection driver %1 is invalid.], 3221880879 = [$id=CTX_WD_NOT_FOUND, $desc=The terminal connection driver %1 was not found in the system path.], 3221880880 = [$id=CTX_SHADOW_INVALID, $desc=The requested session cannot be controlled remotely. You cannot control your own session, a session that is trying to control your session, a session that has no user logged on, or other sessions from the console.], 3221880881 = [$id=CTX_SHADOW_DISABLED, $desc=The requested session is not configured to allow remote control.], 3221880882 = [$id=RDP_PROTOCOL_ERROR, $desc=The RDP protocol component %2 detected an error in the protocol stream and has disconnected the client.], 3221880883 = [$id=CTX_CLIENT_LICENSE_NOT_SET, $desc=Your request to connect to this terminal server has been rejected. Your terminal server client license number has not been entered for this copy of the terminal client. Contact your system administrator for help in entering a valid, unique license number for this terminal server client. Click OK to continue.], 3221880884 = [$id=CTX_CLIENT_LICENSE_IN_USE, $desc=Your request to connect to this terminal server has been rejected. Your terminal server client license number is currently being used by another user. 
Contact your system administrator to obtain a new copy of the terminal server client with a valid, unique license number. Click OK to continue.], 3221880885 = [$id=CTX_SHADOW_ENDED_BY_MODE_CHANGE, $desc=The remote control of the console was terminated because the display mode was changed. Changing the display mode in a remote control session is not supported.], 3221880886 = [$id=CTX_SHADOW_NOT_RUNNING, $desc=Remote control could not be terminated because the specified session is not currently being remotely controlled.], 3221880887 = [$id=CTX_LOGON_DISABLED, $desc=Your interactive logon privilege has been disabled. Contact your system administrator.], 3221880888 = [$id=CTX_SECURITY_LAYER_ERROR, $desc=The terminal server security layer detected an error in the protocol stream and has disconnected the client.], 3221880889 = [$id=TS_INCOMPATIBLE_SESSIONS, $desc=The target session is incompatible with the current session.], 3221946369 = [$id=MUI_FILE_NOT_FOUND, $desc=The resource loader failed to find an MUI file.], 3221946370 = [$id=MUI_INVALID_FILE, $desc=The resource loader failed to load an MUI file because the file failed to pass validation.], 3221946371 = [$id=MUI_INVALID_RC_CONFIG, $desc=The RC manifest is corrupted with garbage data, is an unsupported version, or is missing a required item.], 3221946372 = [$id=MUI_INVALID_LOCALE_NAME, $desc=The RC manifest has an invalid culture name.], 3221946373 = [$id=MUI_INVALID_ULTIMATEFALLBACK_NAME, $desc=The RC manifest has and invalid ultimate fallback name.], 3221946374 = [$id=MUI_FILE_NOT_LOADED, $desc=The resource loader cache does not have a loaded MUI entry.], 3221946375 = [$id=RESOURCE_ENUM_USER_STOP, $desc=The user stopped resource enumeration.], 3222470657 = [$id=CLUSTER_INVALID_NODE, $desc=The cluster node is not valid.], 3222470658 = [$id=CLUSTER_NODE_EXISTS, $desc=The cluster node already exists.], 3222470659 = [$id=CLUSTER_JOIN_IN_PROGRESS, $desc=A node is in the process of joining the cluster.], 3222470660 
= [$id=CLUSTER_NODE_NOT_FOUND, $desc=The cluster node was not found.], 3222470661 = [$id=CLUSTER_LOCAL_NODE_NOT_FOUND, $desc=The cluster local node information was not found.], 3222470662 = [$id=CLUSTER_NETWORK_EXISTS, $desc=The cluster network already exists.], 3222470663 = [$id=CLUSTER_NETWORK_NOT_FOUND, $desc=The cluster network was not found.], 3222470664 = [$id=CLUSTER_NETINTERFACE_EXISTS, $desc=The cluster network interface already exists.], 3222470665 = [$id=CLUSTER_NETINTERFACE_NOT_FOUND, $desc=The cluster network interface was not found.], 3222470666 = [$id=CLUSTER_INVALID_REQUEST, $desc=The cluster request is not valid for this object.], 3222470667 = [$id=CLUSTER_INVALID_NETWORK_PROVIDER, $desc=The cluster network provider is not valid.], 3222470668 = [$id=CLUSTER_NODE_DOWN, $desc=The cluster node is down.], 3222470669 = [$id=CLUSTER_NODE_UNREACHABLE, $desc=The cluster node is not reachable.], 3222470670 = [$id=CLUSTER_NODE_NOT_MEMBER, $desc=The cluster node is not a member of the cluster.], 3222470671 = [$id=CLUSTER_JOIN_NOT_IN_PROGRESS, $desc=A cluster join operation is not in progress.], 3222470672 = [$id=CLUSTER_INVALID_NETWORK, $desc=The cluster network is not valid.], 3222470673 = [$id=CLUSTER_NO_NET_ADAPTERS, $desc=No network adapters are available.], 3222470674 = [$id=CLUSTER_NODE_UP, $desc=The cluster node is up.], 3222470675 = [$id=CLUSTER_NODE_PAUSED, $desc=The cluster node is paused.], 3222470676 = [$id=CLUSTER_NODE_NOT_PAUSED, $desc=The cluster node is not paused.], 3222470677 = [$id=CLUSTER_NO_SECURITY_CONTEXT, $desc=No cluster security context is available.], 3222470678 = [$id=CLUSTER_NETWORK_NOT_INTERNAL, $desc=The cluster network is not configured for internal cluster communication.], 3222470679 = [$id=CLUSTER_POISONED, $desc=The cluster node has been poisoned.], 3222536193 = [$id=ACPI_INVALID_OPCODE, $desc=An attempt was made to run an invalid AML opcode.], 3222536194 = [$id=ACPI_STACK_OVERFLOW, $desc=The AML interpreter stack has 
overflowed.], 3222536195 = [$id=ACPI_ASSERT_FAILED, $desc=An inconsistent state has occurred.], 3222536196 = [$id=ACPI_INVALID_INDEX, $desc=An attempt was made to access an array outside its bounds.], 3222536197 = [$id=ACPI_INVALID_ARGUMENT, $desc=A required argument was not specified.], 3222536198 = [$id=ACPI_FATAL, $desc=A fatal error has occurred.], 3222536199 = [$id=ACPI_INVALID_SUPERNAME, $desc=An invalid SuperName was specified.], 3222536200 = [$id=ACPI_INVALID_ARGTYPE, $desc=An argument with an incorrect type was specified.], 3222536201 = [$id=ACPI_INVALID_OBJTYPE, $desc=An object with an incorrect type was specified.], 3222536202 = [$id=ACPI_INVALID_TARGETTYPE, $desc=A target with an incorrect type was specified.], 3222536203 = [$id=ACPI_INCORRECT_ARGUMENT_COUNT, $desc=An incorrect number of arguments was specified.], 3222536204 = [$id=ACPI_ADDRESS_NOT_MAPPED, $desc=An address failed to translate.], 3222536205 = [$id=ACPI_INVALID_EVENTTYPE, $desc=An incorrect event type was specified.], 3222536206 = [$id=ACPI_HANDLER_COLLISION, $desc=A handler for the target already exists.], 3222536207 = [$id=ACPI_INVALID_DATA, $desc=Invalid data for the target was specified.], 3222536208 = [$id=ACPI_INVALID_REGION, $desc=An invalid region for the target was specified.], 3222536209 = [$id=ACPI_INVALID_ACCESS_SIZE, $desc=An attempt was made to access a field outside the defined range.], 3222536210 = [$id=ACPI_ACQUIRE_GLOBAL_LOCK, $desc=The global system lock could not be acquired.], 3222536211 = [$id=ACPI_ALREADY_INITIALIZED, $desc=An attempt was made to reinitialize the ACPI subsystem.], 3222536212 = [$id=ACPI_NOT_INITIALIZED, $desc=The ACPI subsystem has not been initialized.], 3222536213 = [$id=ACPI_INVALID_MUTEX_LEVEL, $desc=An incorrect mutex was specified.], 3222536214 = [$id=ACPI_MUTEX_NOT_OWNED, $desc=The mutex is not currently owned.], 3222536215 = [$id=ACPI_MUTEX_NOT_OWNER, $desc=An attempt was made to access the mutex by a process that was not the owner.], 
3222536216 = [$id=ACPI_RS_ACCESS, $desc=An error occurred during an access to region space.], 3222536217 = [$id=ACPI_INVALID_TABLE, $desc=An attempt was made to use an incorrect table.], 3222536224 = [$id=ACPI_REG_HANDLER_FAILED, $desc=The registration of an ACPI event failed.], 3222536225 = [$id=ACPI_POWER_REQUEST_FAILED, $desc=An ACPI power object failed to transition state.], 3222601729 = [$id=SXS_SECTION_NOT_FOUND, $desc=The requested section is not present in the activation context.], 3222601730 = [$id=SXS_CANT_GEN_ACTCTX, $desc=0xC0150003<br />STATUS_SXS_INVALID_ACTCTXDATA_FORMAT], 3222601732 = [$id=SXS_ASSEMBLY_NOT_FOUND, $desc=The referenced assembly is not installed on the system.], 3222601733 = [$id=SXS_MANIFEST_FORMAT_ERROR, $desc=The manifest file does not begin with the required tag and format information.], 3222601734 = [$id=SXS_MANIFEST_PARSE_ERROR, $desc=The manifest file contains one or more syntax errors.], 3222601735 = [$id=SXS_ACTIVATION_CONTEXT_DISABLED, $desc=The application attempted to activate a disabled activation context.], 3222601736 = [$id=SXS_KEY_NOT_FOUND, $desc=The requested lookup key was not found in any active activation context.], 3222601737 = [$id=SXS_VERSION_CONFLICT, $desc=A component version required by the application conflicts with another component version that is already active.], 3222601738 = [$id=SXS_WRONG_SECTION_TYPE, $desc=The type requested activation context section does not match the query API used.], 3222601739 = [$id=SXS_THREAD_QUERIES_DISABLED, $desc=Lack of system resources has required isolated activation to be disabled for the current thread of execution.], 3222601740 = [$id=SXS_ASSEMBLY_MISSING, $desc=The referenced assembly could not be found.], 3222601742 = [$id=SXS_PROCESS_DEFAULT_ALREADY_SET, $desc=An attempt to set the process default activation context failed because the process default activation context was already set.], 3222601743 = [$id=SXS_EARLY_DEACTIVATION, $desc=The activation context being 
deactivated is not the most recently activated one.], 3222601744 = [$id=SXS_INVALID_DEACTIVATION, $desc=The activation context being deactivated is not active for the current thread of execution.], 3222601745 = [$id=SXS_MULTIPLE_DEACTIVATION, $desc=The activation context being deactivated has already been deactivated.], 3222601746 = [$id=SXS_SYSTEM_DEFAULT_ACTIVATION_CONTEXT_EMPTY, $desc=The activation context of the system default assembly could not be generated.], 3222601747 = [$id=SXS_PROCESS_TERMINATION_REQUESTED, $desc=A component used by the isolation facility has requested that the process be terminated.], 3222601748 = [$id=SXS_CORRUPT_ACTIVATION_STACK, $desc=The activation context activation stack for the running thread of execution is corrupt.], 3222601749 = [$id=SXS_CORRUPTION, $desc=The application isolation metadata for this process or thread has become corrupt.], 3222601750 = [$id=SXS_INVALID_IDENTITY_ATTRIBUTE_VALUE, $desc=The value of an attribute in an identity is not within the legal range.], 3222601751 = [$id=SXS_INVALID_IDENTITY_ATTRIBUTE_NAME, $desc=The name of an attribute in an identity is not within the legal range.], 3222601752 = [$id=SXS_IDENTITY_DUPLICATE_ATTRIBUTE, $desc=An identity contains two definitions for the same attribute.], 3222601753 = [$id=SXS_IDENTITY_PARSE_ERROR, $desc=The identity string is malformed. 
This may be due to a trailing comma, more than two unnamed attributes, a missing attribute name, or a missing attribute value.], 3222601754 = [$id=SXS_COMPONENT_STORE_CORRUPT, $desc=The component store has become corrupted.], 3222601755 = [$id=SXS_FILE_HASH_MISMATCH, $desc=A component's file does not match the verification information present in the component manifest.], 3222601756 = [$id=SXS_MANIFEST_IDENTITY_SAME_BUT_CONTENTS_DIFFERENT, $desc=The identities of the manifests are identical, but their contents are different.], 3222601757 = [$id=SXS_IDENTITIES_DIFFERENT, $desc=The component identities are different.], 3222601758 = [$id=SXS_ASSEMBLY_IS_NOT_A_DEPLOYMENT, $desc=The assembly is not a deployment.], 3222601759 = [$id=SXS_FILE_NOT_PART_OF_ASSEMBLY, $desc=The file is not a part of the assembly.], 3222601760 = [$id=ADVANCED_INSTALLER_FAILED, $desc=An advanced installer failed during setup or servicing.], 3222601761 = [$id=XML_ENCODING_MISMATCH, $desc=The character encoding in the XML declaration did not match the encoding used in the document.], 3222601762 = [$id=SXS_MANIFEST_TOO_BIG, $desc=The size of the manifest exceeds the maximum allowed.], 3222601763 = [$id=SXS_SETTING_NOT_REGISTERED, $desc=The setting is not registered.], 3222601764 = [$id=SXS_TRANSACTION_CLOSURE_INCOMPLETE, $desc=One or more required transaction members are not present.], 3222601765 = [$id=SMI_PRIMITIVE_INSTALLER_FAILED, $desc=The SMI primitive installer failed during setup or servicing.], 3222601766 = [$id=GENERIC_COMMAND_FAILED, $desc=A generic command executable returned a result that indicates failure.], 3222601767 = [$id=SXS_FILE_HASH_MISSING, $desc=A component is missing file verification information in its manifest.], 3222863873 = [$id=TRANSACTIONAL_CONFLICT, $desc=The function attempted to use a name that is reserved for use by another transaction.], 3222863874 = [$id=INVALID_TRANSACTION, $desc=The transaction handle associated with this operation is invalid.], 3222863875 = 
[$id=TRANSACTION_NOT_ACTIVE, $desc=The requested operation was made in the context of a transaction that is no longer active.], 3222863876 = [$id=TM_INITIALIZATION_FAILED, $desc=The transaction manager was unable to be successfully initialized. Transacted operations are not supported.], 3222863877 = [$id=RM_NOT_ACTIVE, $desc=Transaction support within the specified file system resource manager was not started or was shut down due to an error.], 3222863878 = [$id=RM_METADATA_CORRUPT, $desc=The metadata of the resource manager has been corrupted. The resource manager will not function.], 3222863879 = [$id=TRANSACTION_NOT_JOINED, $desc=The resource manager attempted to prepare a transaction that it has not successfully joined.], 3222863880 = [$id=DIRECTORY_NOT_RM, $desc=The specified directory does not contain a file system resource manager.], 3222863882 = [$id=TRANSACTIONS_UNSUPPORTED_REMOTE, $desc=The remote server or share does not support transacted file operations.], 3222863883 = [$id=LOG_RESIZE_INVALID_SIZE, $desc=The requested log size for the file system resource manager is invalid.], 3222863884 = [$id=REMOTE_FILE_VERSION_MISMATCH, $desc=The remote server sent mismatching version number or Fid for a file opened with transactions.], 3222863887 = [$id=CRM_PROTOCOL_ALREADY_EXISTS, $desc=The resource manager tried to register a protocol that already exists.], 3222863888 = [$id=TRANSACTION_PROPAGATION_FAILED, $desc=The attempt to propagate the transaction failed.], 3222863889 = [$id=CRM_PROTOCOL_NOT_FOUND, $desc=The requested propagation protocol was not registered as a CRM.], 3222863890 = [$id=TRANSACTION_SUPERIOR_EXISTS, $desc=The transaction object already has a superior enlistment, and the caller attempted an operation that would have created a new superior. 
Only a single superior enlistment is allowed.], 3222863891 = [$id=TRANSACTION_REQUEST_NOT_VALID, $desc=The requested operation is not valid on the transaction object in its current state.], 3222863892 = [$id=TRANSACTION_NOT_REQUESTED, $desc=The caller has called a response API, but the response is not expected because the transaction manager did not issue the corresponding request to the caller.], 3222863893 = [$id=TRANSACTION_ALREADY_ABORTED, $desc=It is too late to perform the requested operation, because the transaction has already been aborted.], 3222863894 = [$id=TRANSACTION_ALREADY_COMMITTED, $desc=It is too late to perform the requested operation, because the transaction has already been committed.], 3222863895 = [$id=TRANSACTION_INVALID_MARSHALL_BUFFER, $desc=The buffer passed in to NtPushTransaction or NtPullTransaction is not in a valid format.], 3222863896 = [$id=CURRENT_TRANSACTION_NOT_VALID, $desc=The current transaction context associated with the thread is not a valid handle to a transaction object.], 3222863897 = [$id=LOG_GROWTH_FAILED, $desc=An attempt to create space in the transactional resource manager's log failed. The failure status has been recorded in the event log.], 3222863905 = [$id=OBJECT_NO_LONGER_EXISTS, $desc=The object (file, stream, or link) that corresponds to the handle has been deleted by a transaction savepoint rollback.], 3222863906 = [$id=STREAM_MINIVERSION_NOT_FOUND, $desc=The specified file miniversion was not found for this transacted file open.], 3222863907 = [$id=STREAM_MINIVERSION_NOT_VALID, $desc=The specified file miniversion was found but has been invalidated. 
The most likely cause is a transaction savepoint rollback.], 3222863908 = [$id=MINIVERSION_INACCESSIBLE_FROM_SPECIFIED_TRANSACTION, $desc=A miniversion may be opened only in the context of the transaction that created it.], 3222863909 = [$id=CANT_OPEN_MINIVERSION_WITH_MODIFY_INTENT, $desc=It is not possible to open a miniversion with modify access.], 3222863910 = [$id=CANT_CREATE_MORE_STREAM_MINIVERSIONS, $desc=It is not possible to create any more miniversions for this stream.], 3222863912 = [$id=HANDLE_NO_LONGER_VALID, $desc=The handle has been invalidated by a transaction. The most likely cause is the presence of memory mapping on a file or an open handle when the transaction ended or rolled back to savepoint.], 3222863920 = [$id=LOG_CORRUPTION_DETECTED, $desc=The log data is corrupt.], 3222863922 = [$id=RM_DISCONNECTED, $desc=The transaction outcome is unavailable because the resource manager responsible for it is disconnected.], 3222863923 = [$id=ENLISTMENT_NOT_SUPERIOR, $desc=The request was rejected because the enlistment in question is not a superior enlistment.], 3222863926 = [$id=FILE_IDENTITY_NOT_PERSISTENT, $desc=The file cannot be opened in a transaction because its identity depends on the outcome of an unresolved transaction.], 3222863927 = [$id=CANT_BREAK_TRANSACTIONAL_DEPENDENCY, $desc=The operation cannot be performed because another transaction is depending on this property not changing.], 3222863928 = [$id=CANT_CROSS_RM_BOUNDARY, $desc=The operation would involve a single file with two transactional resource managers and is, therefore, not allowed.], 3222863929 = [$id=TXF_DIR_NOT_EMPTY, $desc=The $Txf directory must be empty for this operation to succeed.], 3222863930 = [$id=INDOUBT_TRANSACTIONS_EXIST, $desc=The operation would leave a transactional resource manager in an inconsistent state and is therefore not allowed.], 3222863931 = [$id=TM_VOLATILE, $desc=The operation could not be completed because the transaction manager does not have a 
log.], 3222863932 = [$id=ROLLBACK_TIMER_EXPIRED, $desc=A rollback could not be scheduled because a previously scheduled rollback has already executed or been queued for execution.], 3222863933 = [$id=TXF_ATTRIBUTE_CORRUPT, $desc=The transactional metadata attribute on the file or directory %hs is corrupt and unreadable.], 3222863934 = [$id=EFS_NOT_ALLOWED_IN_TRANSACTION, $desc=The encryption operation could not be completed because a transaction is active.], 3222863935 = [$id=TRANSACTIONAL_OPEN_NOT_ALLOWED, $desc=This object is not allowed to be opened in a transaction.], 3222863936 = [$id=TRANSACTED_MAPPING_UNSUPPORTED_REMOTE, $desc=Memory mapping (creating a mapped section) a remote file under a transaction is not supported.], 3222863939 = [$id=TRANSACTION_REQUIRED_PROMOTION, $desc=Promotion was required to allow the resource manager to enlist, but the transaction was set to disallow it.], 3222863940 = [$id=CANNOT_EXECUTE_FILE_IN_TRANSACTION, $desc=This file is open for modification in an unresolved transaction and may be opened for execute only by a transacted reader.], 3222863941 = [$id=TRANSACTIONS_NOT_FROZEN, $desc=The request to thaw frozen transactions was ignored because transactions were not previously frozen.], 3222863942 = [$id=TRANSACTION_FREEZE_IN_PROGRESS, $desc=Transactions cannot be frozen because a freeze is already in progress.], 3222863943 = [$id=NOT_SNAPSHOT_VOLUME, $desc=The target volume is not a snapshot volume. 
This operation is valid only on a volume mounted as a snapshot.], 3222863944 = [$id=NO_SAVEPOINT_WITH_OPEN_FILES, $desc=The savepoint operation failed because files are open on the transaction, which is not permitted.], 3222863945 = [$id=SPARSE_NOT_ALLOWED_IN_TRANSACTION, $desc=The sparse operation could not be completed because a transaction is active on the file.], 3222863946 = [$id=TM_IDENTITY_MISMATCH, $desc=The call to create a transaction manager object failed because the Tm Identity that is stored in the log file does not match the Tm Identity that was passed in as an argument.], 3222863947 = [$id=FLOATED_SECTION, $desc=I/O was attempted on a section object that has been floated as a result of a transaction ending. There is no valid data.], 3222863948 = [$id=CANNOT_ACCEPT_TRANSACTED_WORK, $desc=The transactional resource manager cannot currently accept transacted work due to a transient condition, such as low resources.], 3222863949 = [$id=CANNOT_ABORT_TRANSACTIONS, $desc=The transactional resource manager had too many transactions outstanding that could not be aborted. 
The transactional resource manager has been shut down.], 3222863950 = [$id=TRANSACTION_NOT_FOUND, $desc=The specified transaction was unable to be opened because it was not found.], 3222863951 = [$id=RESOURCEMANAGER_NOT_FOUND, $desc=The specified resource manager was unable to be opened because it was not found.], 3222863952 = [$id=ENLISTMENT_NOT_FOUND, $desc=The specified enlistment was unable to be opened because it was not found.], 3222863953 = [$id=TRANSACTIONMANAGER_NOT_FOUND, $desc=The specified transaction manager was unable to be opened because it was not found.], 3222863954 = [$id=TRANSACTIONMANAGER_NOT_ONLINE, $desc=The specified resource manager was unable to create an enlistment because its associated transaction manager is not online.], 3222863955 = [$id=TRANSACTIONMANAGER_RECOVERY_NAME_COLLISION, $desc=The specified transaction manager was unable to create the objects contained in its log file in the Ob namespace. Therefore, the transaction manager was unable to recover.], 3222863956 = [$id=TRANSACTION_NOT_ROOT, $desc=The call to create a superior enlistment on this transaction object could not be completed because the transaction object specified for the enlistment is a subordinate branch of the transaction. 
Only the root of the transaction can be enlisted as a superior.], 3222863957 = [$id=TRANSACTION_OBJECT_EXPIRED, $desc=Because the associated transaction manager or resource manager has been closed, the handle is no longer valid.], 3222863958 = [$id=COMPRESSION_NOT_ALLOWED_IN_TRANSACTION, $desc=The compression operation could not be completed because a transaction is active on the file.], 3222863959 = [$id=TRANSACTION_RESPONSE_NOT_ENLISTED, $desc=The specified operation could not be performed on this superior enlistment because the enlistment was not created with the corresponding completion response in the NotificationMask.], 3222863960 = [$id=TRANSACTION_RECORD_TOO_LONG, $desc=The specified operation could not be performed because the record to be logged was too long. This can occur because either there are too many enlistments on this transaction or the combined RecoveryInformation being logged on behalf of those enlistments is too long.], 3222863961 = [$id=NO_LINK_TRACKING_IN_TRANSACTION, $desc=The link-tracking operation could not be completed because a transaction is active.], 3222863962 = [$id=OPERATION_NOT_SUPPORTED_IN_TRANSACTION, $desc=This operation cannot be performed in a transaction.], 3222863963 = [$id=TRANSACTION_INTEGRITY_VIOLATED, $desc=The kernel transaction manager had to abort or forget the transaction because it blocked forward progress.], 3222863968 = [$id=EXPIRED_HANDLE, $desc=The handle is no longer properly associated with its transaction.  It may have been opened in a transactional resource manager that was subsequently forced to restart.  
Please close the handle and open a new one.], 3222863969 = [$id=TRANSACTION_NOT_ENLISTED, $desc=The specified operation could not be performed because the resource manager is not enlisted in the transaction.], 3222929409 = [$id=LOG_SECTOR_INVALID, $desc=The log service found an invalid log sector.], 3222929410 = [$id=LOG_SECTOR_PARITY_INVALID, $desc=The log service encountered a log sector with invalid block parity.], 3222929411 = [$id=LOG_SECTOR_REMAPPED, $desc=The log service encountered a remapped log sector.], 3222929412 = [$id=LOG_BLOCK_INCOMPLETE, $desc=The log service encountered a partial or incomplete log block.], 3222929413 = [$id=LOG_INVALID_RANGE, $desc=The log service encountered an attempt to access data outside the active log range.], 3222929414 = [$id=LOG_BLOCKS_EXHAUSTED, $desc=The log service user-log marshaling buffers are exhausted.], 3222929415 = [$id=LOG_READ_CONTEXT_INVALID, $desc=The log service encountered an attempt to read from a marshaling area with an invalid read context.], 3222929416 = [$id=LOG_RESTART_INVALID, $desc=The log service encountered an invalid log restart area.], 3222929417 = [$id=LOG_BLOCK_VERSION, $desc=The log service encountered an invalid log block version.], 3222929418 = [$id=LOG_BLOCK_INVALID, $desc=The log service encountered an invalid log block.], 3222929419 = [$id=LOG_READ_MODE_INVALID, $desc=The log service encountered an attempt to read the log with an invalid read mode.], 3222929421 = [$id=LOG_METADATA_CORRUPT, $desc=The log service encountered a corrupted metadata file.], 3222929422 = [$id=LOG_METADATA_INVALID, $desc=The log service encountered a metadata file that could not be created by the log file system.], 3222929423 = [$id=LOG_METADATA_INCONSISTENT, $desc=The log service encountered a metadata file with inconsistent data.], 3222929424 = [$id=LOG_RESERVATION_INVALID, $desc=The log service encountered an attempt to erroneously allocate or dispose reservation space.], 3222929425 = [$id=LOG_CANT_DELETE, 
$desc=The log service cannot delete the log file or the file system container.], 3222929426 = [$id=LOG_CONTAINER_LIMIT_EXCEEDED, $desc=The log service has reached the maximum allowable containers allocated to a log file.], 3222929427 = [$id=LOG_START_OF_LOG, $desc=The log service has attempted to read or write backward past the start of the log.], 3222929428 = [$id=LOG_POLICY_ALREADY_INSTALLED, $desc=The log policy could not be installed because a policy of the same type is already present.], 3222929429 = [$id=LOG_POLICY_NOT_INSTALLED, $desc=The log policy in question was not installed at the time of the request.], 3222929430 = [$id=LOG_POLICY_INVALID, $desc=The installed set of policies on the log is invalid.], 3222929431 = [$id=LOG_POLICY_CONFLICT, $desc=A policy on the log in question prevented the operation from completing.], 3222929432 = [$id=LOG_PINNED_ARCHIVE_TAIL, $desc=The log space cannot be reclaimed because the log is pinned by the archive tail.], 3222929433 = [$id=LOG_RECORD_NONEXISTENT, $desc=The log record is not a record in the log file.], 3222929434 = [$id=LOG_RECORDS_RESERVED_INVALID, $desc=The number of reserved log records or the adjustment of the number of reserved log records is invalid.], 3222929435 = [$id=LOG_SPACE_RESERVED_INVALID, $desc=The reserved log space or the adjustment of the log space is invalid.], 3222929436 = [$id=LOG_TAIL_INVALID, $desc=A new or existing archive tail or the base of the active log is invalid.], 3222929437 = [$id=LOG_FULL, $desc=The log space is exhausted.], 3222929438 = [$id=LOG_MULTIPLEXED, $desc=The log is multiplexed; no direct writes to the physical log are allowed.], 3222929439 = [$id=LOG_DEDICATED, $desc=The operation failed because the log is dedicated.], 3222929440 = [$id=LOG_ARCHIVE_NOT_IN_PROGRESS, $desc=The operation requires an archive context.], 3222929441 = [$id=LOG_ARCHIVE_IN_PROGRESS, $desc=Log archival is in progress.], 3222929442 = [$id=LOG_EPHEMERAL, $desc=The operation requires a nonephemeral 
log, but the log is ephemeral.], 3222929443 = [$id=LOG_NOT_ENOUGH_CONTAINERS, $desc=The log must have at least two containers before it can be read from or written to.], 3222929444 = [$id=LOG_CLIENT_ALREADY_REGISTERED, $desc=A log client has already registered on the stream.], 3222929445 = [$id=LOG_CLIENT_NOT_REGISTERED, $desc=A log client has not been registered on the stream.], 3222929446 = [$id=LOG_FULL_HANDLER_IN_PROGRESS, $desc=A request has already been made to handle the log full condition.], 3222929447 = [$id=LOG_CONTAINER_READ_FAILED, $desc=The log service encountered an error when attempting to read from a log container.], 3222929448 = [$id=LOG_CONTAINER_WRITE_FAILED, $desc=The log service encountered an error when attempting to write to a log container.], 3222929449 = [$id=LOG_CONTAINER_OPEN_FAILED, $desc=The log service encountered an error when attempting to open a log container.], 3222929450 = [$id=LOG_CONTAINER_STATE_INVALID, $desc=The log service encountered an invalid container state when attempting a requested action.], 3222929451 = [$id=LOG_STATE_INVALID, $desc=The log service is not in the correct state to perform a requested action.], 3222929452 = [$id=LOG_PINNED, $desc=The log space cannot be reclaimed because the log is pinned.], 3222929453 = [$id=LOG_METADATA_FLUSH_FAILED, $desc=The log metadata flush failed.], 3222929454 = [$id=LOG_INCONSISTENT_SECURITY, $desc=Security on the log and its containers is inconsistent.], 3222929455 = [$id=LOG_APPENDED_FLUSH_FAILED, $desc=Records were appended to the log or reservation changes were made, but the log could not be flushed.], 3222929456 = [$id=LOG_PINNED_RESERVATION, $desc=The log is pinned due to reservation consuming most of the log space. Free some reserved records to make space available.], 3222995178 = [$id=VIDEO_HUNG_DISPLAY_DRIVER_THREAD, $desc={Display Driver Stopped Responding} The %hs display driver has stopped working normally. 
Save your work and reboot the system to restore full display functionality. The next time you reboot the computer, a dialog box will allow you to upload data about this failure to Microsoft.], 3223060481 = [$id=FLT_NO_HANDLER_DEFINED, $desc=A handler was not defined by the filter for this operation.], 3223060482 = [$id=FLT_CONTEXT_ALREADY_DEFINED, $desc=A context is already defined for this object.], 3223060483 = [$id=FLT_INVALID_ASYNCHRONOUS_REQUEST, $desc=Asynchronous requests are not valid for this operation.], 3223060484 = [$id=FLT_DISALLOW_FAST_IO, $desc=This is an internal error code used by the filter manager to determine if a fast I/O operation should be forced down the input/output request packet (IRP) path. Minifilters should never return this value.], 3223060485 = [$id=FLT_INVALID_NAME_REQUEST, $desc=An invalid name request was made. The name requested cannot be retrieved at this time.], 3223060486 = [$id=FLT_NOT_SAFE_TO_POST_OPERATION, $desc=Posting this operation to a worker thread for further processing is not safe at this time because it could lead to a system deadlock.], 3223060487 = [$id=FLT_NOT_INITIALIZED, $desc=The Filter Manager was not initialized when a filter tried to register. Make sure that the Filter Manager is loaded as a driver.], 3223060488 = [$id=FLT_FILTER_NOT_READY, $desc=The filter is not ready for attachment to volumes because it has not finished initializing (FltStartFiltering has not been called).], 3223060489 = [$id=FLT_POST_OPERATION_CLEANUP, $desc=The filter must clean up any operation-specific context at this time because it is being removed from the system before the operation is completed by the lower drivers.], 3223060490 = [$id=FLT_INTERNAL_ERROR, $desc=The Filter Manager had an internal error from which it cannot recover; therefore, the operation has failed. 
This is usually the result of a filter returning an invalid value from a pre-operation callback.], 3223060491 = [$id=FLT_DELETING_OBJECT, $desc=The object specified for this action is in the process of being deleted; therefore, the action requested cannot be completed at this time.], 3223060492 = [$id=FLT_MUST_BE_NONPAGED_POOL, $desc=A nonpaged pool must be used for this type of context.], 3223060493 = [$id=FLT_DUPLICATE_ENTRY, $desc=A duplicate handler definition has been provided for an operation.], 3223060494 = [$id=FLT_CBDQ_DISABLED, $desc=The callback data queue has been disabled.], 3223060495 = [$id=FLT_DO_NOT_ATTACH, $desc=Do not attach the filter to the volume at this time.], 3223060496 = [$id=FLT_DO_NOT_DETACH, $desc=Do not detach the filter from the volume at this time.], 3223060497 = [$id=FLT_INSTANCE_ALTITUDE_COLLISION, $desc=An instance already exists at this altitude on the volume specified.], 3223060498 = [$id=FLT_INSTANCE_NAME_COLLISION, $desc=An instance already exists with this name on the volume specified.], 3223060499 = [$id=FLT_FILTER_NOT_FOUND, $desc=The system could not find the filter specified.], 3223060500 = [$id=FLT_VOLUME_NOT_FOUND, $desc=The system could not find the volume specified.], 3223060501 = [$id=FLT_INSTANCE_NOT_FOUND, $desc=The system could not find the instance specified.], 3223060502 = [$id=FLT_CONTEXT_ALLOCATION_NOT_FOUND, $desc=No registered context allocation definition was found for the given request.], 3223060503 = [$id=FLT_INVALID_CONTEXT_REGISTRATION, $desc=An invalid parameter was specified during context registration.], 3223060504 = [$id=FLT_NAME_CACHE_MISS, $desc=The name requested was not found in the Filter Manager name cache and could not be retrieved from the file system.], 3223060505 = [$id=FLT_NO_DEVICE_OBJECT, $desc=The requested device object does not exist for the given volume.], 3223060506 = [$id=FLT_VOLUME_ALREADY_MOUNTED, $desc=The specified volume is already mounted.], 3223060507 = 
[$id=FLT_ALREADY_ENLISTED, $desc=The specified transaction context is already enlisted in a transaction.], 3223060508 = [$id=FLT_CONTEXT_ALREADY_LINKED, $desc=The specified context is already attached to another object.], 3223060512 = [$id=FLT_NO_WAITER_FOR_REPLY, $desc=No waiter is present for the filter's reply to this message.], 3223126017 = [$id=MONITOR_NO_DESCRIPTOR, $desc=A monitor descriptor could not be obtained.], 3223126018 = [$id=MONITOR_UNKNOWN_DESCRIPTOR_FORMAT, $desc=This release does not support the format of the obtained monitor descriptor.], 3223126019 = [$id=MONITOR_INVALID_DESCRIPTOR_CHECKSUM, $desc=The checksum of the obtained monitor descriptor is invalid.], 3223126020 = [$id=MONITOR_INVALID_STANDARD_TIMING_BLOCK, $desc=The monitor descriptor contains an invalid standard timing block.], 3223126021 = [$id=MONITOR_WMI_DATABLOCK_REGISTRATION_FAILED, $desc=WMI data-block registration failed for one of the MSMonitorClass WMI subclasses.], 3223126022 = [$id=MONITOR_INVALID_SERIAL_NUMBER_MONDSC_BLOCK, $desc=The provided monitor descriptor block is either corrupted or does not contain the monitor's detailed serial number.], 3223126023 = [$id=MONITOR_INVALID_USER_FRIENDLY_MONDSC_BLOCK, $desc=The provided monitor descriptor block is either corrupted or does not contain the monitor's user-friendly name.], 3223126024 = [$id=MONITOR_NO_MORE_DESCRIPTOR_DATA, $desc=There is no monitor descriptor data at the specified (offset or size) region.], 3223126025 = [$id=MONITOR_INVALID_DETAILED_TIMING_BLOCK, $desc=The monitor descriptor contains an invalid detailed timing block.], 3223126026 = [$id=MONITOR_INVALID_MANUFACTURE_DATE, $desc=Monitor descriptor contains invalid manufacture date.], 3223191552 = [$id=GRAPHICS_NOT_EXCLUSIVE_MODE_OWNER, $desc=Exclusive mode ownership is needed to create an unmanaged primary allocation.], 3223191553 = [$id=GRAPHICS_INSUFFICIENT_DMA_BUFFER, $desc=The driver needs more DMA buffer space to complete the requested operation.], 
3223191554 = [$id=GRAPHICS_INVALID_DISPLAY_ADAPTER, $desc=The specified display adapter handle is invalid.], 3223191555 = [$id=GRAPHICS_ADAPTER_WAS_RESET, $desc=The specified display adapter and all of its state have been reset.], 3223191556 = [$id=GRAPHICS_INVALID_DRIVER_MODEL, $desc=The driver stack does not match the expected driver model.], 3223191557 = [$id=GRAPHICS_PRESENT_MODE_CHANGED, $desc=Present happened but ended up into the changed desktop mode.], 3223191558 = [$id=GRAPHICS_PRESENT_OCCLUDED, $desc=Nothing to present due to desktop occlusion.], 3223191559 = [$id=GRAPHICS_PRESENT_DENIED, $desc=Not able to present due to denial of desktop access.], 3223191560 = [$id=GRAPHICS_CANNOTCOLORCONVERT, $desc=Not able to present with color conversion.], 3223191563 = [$id=GRAPHICS_PRESENT_REDIRECTION_DISABLED, $desc=Present redirection is disabled (desktop windowing management subsystem is off).], 3223191564 = [$id=GRAPHICS_PRESENT_UNOCCLUDED, $desc=Previous exclusive VidPn source owner has released its ownership], 3223191808 = [$id=GRAPHICS_NO_VIDEO_MEMORY, $desc=Not enough video memory is available to complete the operation.], 3223191809 = [$id=GRAPHICS_CANT_LOCK_MEMORY, $desc=Could not probe and lock the underlying memory of an allocation.], 3223191810 = [$id=GRAPHICS_ALLOCATION_BUSY, $desc=The allocation is currently busy.], 3223191811 = [$id=GRAPHICS_TOO_MANY_REFERENCES, $desc=An object being referenced has already reached the maximum reference count and cannot be referenced further.], 3223191812 = [$id=GRAPHICS_TRY_AGAIN_LATER, $desc=A problem could not be solved due to an existing condition. Try again later.], 3223191813 = [$id=GRAPHICS_TRY_AGAIN_NOW, $desc=A problem could not be solved due to an existing condition. 
Try again now.], 3223191814 = [$id=GRAPHICS_ALLOCATION_INVALID, $desc=The allocation is invalid.], 3223191815 = [$id=GRAPHICS_UNSWIZZLING_APERTURE_UNAVAILABLE, $desc=No more unswizzling apertures are currently available.], 3223191816 = [$id=GRAPHICS_UNSWIZZLING_APERTURE_UNSUPPORTED, $desc=The current allocation cannot be unswizzled by an aperture.], 3223191817 = [$id=GRAPHICS_CANT_EVICT_PINNED_ALLOCATION, $desc=The request failed because a pinned allocation cannot be evicted.], 3223191824 = [$id=GRAPHICS_INVALID_ALLOCATION_USAGE, $desc=The allocation cannot be used from its current segment location for the specified operation.], 3223191825 = [$id=GRAPHICS_CANT_RENDER_LOCKED_ALLOCATION, $desc=A locked allocation cannot be used in the current command buffer.], 3223191826 = [$id=GRAPHICS_ALLOCATION_CLOSED, $desc=The allocation being referenced has been closed permanently.], 3223191827 = [$id=GRAPHICS_INVALID_ALLOCATION_INSTANCE, $desc=An invalid allocation instance is being referenced.], 3223191828 = [$id=GRAPHICS_INVALID_ALLOCATION_HANDLE, $desc=An invalid allocation handle is being referenced.], 3223191829 = [$id=GRAPHICS_WRONG_ALLOCATION_DEVICE, $desc=The allocation being referenced does not belong to the current device.], 3223191830 = [$id=GRAPHICS_ALLOCATION_CONTENT_LOST, $desc=The specified allocation lost its content.], 3223192064 = [$id=GRAPHICS_GPU_EXCEPTION_ON_DEVICE, $desc=A GPU exception was detected on the given device. 
The device cannot be scheduled.], 3223192320 = [$id=GRAPHICS_INVALID_VIDPN_TOPOLOGY, $desc=The specified VidPN topology is invalid.], 3223192321 = [$id=GRAPHICS_VIDPN_TOPOLOGY_NOT_SUPPORTED, $desc=The specified VidPN topology is valid but is not supported by this model of the display adapter.], 3223192322 = [$id=GRAPHICS_VIDPN_TOPOLOGY_CURRENTLY_NOT_SUPPORTED, $desc=The specified VidPN topology is valid but is not currently supported by the display adapter due to allocation of its resources.], 3223192323 = [$id=GRAPHICS_INVALID_VIDPN, $desc=The specified VidPN handle is invalid.], 3223192324 = [$id=GRAPHICS_INVALID_VIDEO_PRESENT_SOURCE, $desc=The specified video present source is invalid.], 3223192325 = [$id=GRAPHICS_INVALID_VIDEO_PRESENT_TARGET, $desc=The specified video present target is invalid.], 3223192326 = [$id=GRAPHICS_VIDPN_MODALITY_NOT_SUPPORTED, $desc=The specified VidPN modality is not supported (for example, at least two of the pinned modes are not co-functional).], 3223192328 = [$id=GRAPHICS_INVALID_VIDPN_SOURCEMODESET, $desc=The specified VidPN source mode set is invalid.], 3223192329 = [$id=GRAPHICS_INVALID_VIDPN_TARGETMODESET, $desc=The specified VidPN target mode set is invalid.], 3223192330 = [$id=GRAPHICS_INVALID_FREQUENCY, $desc=The specified video signal frequency is invalid.], 3223192331 = [$id=GRAPHICS_INVALID_ACTIVE_REGION, $desc=The specified video signal active region is invalid.], 3223192332 = [$id=GRAPHICS_INVALID_TOTAL_REGION, $desc=The specified video signal total region is invalid.], 3223192336 = [$id=GRAPHICS_INVALID_VIDEO_PRESENT_SOURCE_MODE, $desc=The specified video present source mode is invalid.], 3223192337 = [$id=GRAPHICS_INVALID_VIDEO_PRESENT_TARGET_MODE, $desc=The specified video present target mode is invalid.], 3223192338 = [$id=GRAPHICS_PINNED_MODE_MUST_REMAIN_IN_SET, $desc=The pinned mode must remain in the set on the VidPN's co-functional modality enumeration.], 3223192339 = [$id=GRAPHICS_PATH_ALREADY_IN_TOPOLOGY, 
$desc=The specified video present path is already in the VidPN's topology.], 3223192340 = [$id=GRAPHICS_MODE_ALREADY_IN_MODESET, $desc=The specified mode is already in the mode set.], 3223192341 = [$id=GRAPHICS_INVALID_VIDEOPRESENTSOURCESET, $desc=The specified video present source set is invalid.], 3223192342 = [$id=GRAPHICS_INVALID_VIDEOPRESENTTARGETSET, $desc=The specified video present target set is invalid.], 3223192343 = [$id=GRAPHICS_SOURCE_ALREADY_IN_SET, $desc=The specified video present source is already in the video present source set.], 3223192344 = [$id=GRAPHICS_TARGET_ALREADY_IN_SET, $desc=The specified video present target is already in the video present target set.], 3223192345 = [$id=GRAPHICS_INVALID_VIDPN_PRESENT_PATH, $desc=The specified VidPN present path is invalid.], 3223192346 = [$id=GRAPHICS_NO_RECOMMENDED_VIDPN_TOPOLOGY, $desc=The miniport has no recommendation for augmenting the specified VidPN's topology.], 3223192347 = [$id=GRAPHICS_INVALID_MONITOR_FREQUENCYRANGESET, $desc=The specified monitor frequency range set is invalid.], 3223192348 = [$id=GRAPHICS_INVALID_MONITOR_FREQUENCYRANGE, $desc=The specified monitor frequency range is invalid.], 3223192349 = [$id=GRAPHICS_FREQUENCYRANGE_NOT_IN_SET, $desc=The specified frequency range is not in the specified monitor frequency range set.], 3223192351 = [$id=GRAPHICS_FREQUENCYRANGE_ALREADY_IN_SET, $desc=The specified frequency range is already in the specified monitor frequency range set.], 3223192352 = [$id=GRAPHICS_STALE_MODESET, $desc=The specified mode set is stale. 
Reacquire the new mode set.], 3223192353 = [$id=GRAPHICS_INVALID_MONITOR_SOURCEMODESET, $desc=The specified monitor source mode set is invalid.], 3223192354 = [$id=GRAPHICS_INVALID_MONITOR_SOURCE_MODE, $desc=The specified monitor source mode is invalid.], 3223192355 = [$id=GRAPHICS_NO_RECOMMENDED_FUNCTIONAL_VIDPN, $desc=The miniport does not have a recommendation regarding the request to provide a functional VidPN given the current display adapter configuration.], 3223192356 = [$id=GRAPHICS_MODE_ID_MUST_BE_UNIQUE, $desc=The ID of the specified mode is being used by another mode in the set.], 3223192357 = [$id=GRAPHICS_EMPTY_ADAPTER_MONITOR_MODE_SUPPORT_INTERSECTION, $desc=The system failed to determine a mode that is supported by both the display adapter and the monitor connected to it.], 3223192358 = [$id=GRAPHICS_VIDEO_PRESENT_TARGETS_LESS_THAN_SOURCES, $desc=The number of video present targets must be greater than or equal to the number of video present sources.], 3223192359 = [$id=GRAPHICS_PATH_NOT_IN_TOPOLOGY, $desc=The specified present path is not in the VidPN's topology.], 3223192360 = [$id=GRAPHICS_ADAPTER_MUST_HAVE_AT_LEAST_ONE_SOURCE, $desc=The display adapter must have at least one video present source.], 3223192361 = [$id=GRAPHICS_ADAPTER_MUST_HAVE_AT_LEAST_ONE_TARGET, $desc=The display adapter must have at least one video present target.], 3223192362 = [$id=GRAPHICS_INVALID_MONITORDESCRIPTORSET, $desc=The specified monitor descriptor set is invalid.], 3223192363 = [$id=GRAPHICS_INVALID_MONITORDESCRIPTOR, $desc=The specified monitor descriptor is invalid.], 3223192364 = [$id=GRAPHICS_MONITORDESCRIPTOR_NOT_IN_SET, $desc=The specified descriptor is not in the specified monitor descriptor set.], 3223192365 = [$id=GRAPHICS_MONITORDESCRIPTOR_ALREADY_IN_SET, $desc=The specified descriptor is already in the specified monitor descriptor set.], 3223192366 = [$id=GRAPHICS_MONITORDESCRIPTOR_ID_MUST_BE_UNIQUE, $desc=The ID of the specified monitor descriptor is 
being used by another descriptor in the set.], 3223192367 = [$id=GRAPHICS_INVALID_VIDPN_TARGET_SUBSET_TYPE, $desc=The specified video present target subset type is invalid.], 3223192368 = [$id=GRAPHICS_RESOURCES_NOT_RELATED, $desc=Two or more of the specified resources are not related to each other, as defined by the interface semantics.], 3223192369 = [$id=GRAPHICS_SOURCE_ID_MUST_BE_UNIQUE, $desc=The ID of the specified video present source is being used by another source in the set.], 3223192370 = [$id=GRAPHICS_TARGET_ID_MUST_BE_UNIQUE, $desc=The ID of the specified video present target is being used by another target in the set.], 3223192371 = [$id=GRAPHICS_NO_AVAILABLE_VIDPN_TARGET, $desc=The specified VidPN source cannot be used because there is no available VidPN target to connect it to.], 3223192372 = [$id=GRAPHICS_MONITOR_COULD_NOT_BE_ASSOCIATED_WITH_ADAPTER, $desc=The newly arrived monitor could not be associated with a display adapter.], 3223192373 = [$id=GRAPHICS_NO_VIDPNMGR, $desc=The particular display adapter does not have an associated VidPN manager.], 3223192374 = [$id=GRAPHICS_NO_ACTIVE_VIDPN, $desc=The VidPN manager of the particular display adapter does not have an active VidPN.], 3223192375 = [$id=GRAPHICS_STALE_VIDPN_TOPOLOGY, $desc=The specified VidPN topology is stale; obtain the new topology.], 3223192376 = [$id=GRAPHICS_MONITOR_NOT_CONNECTED, $desc=No monitor is connected on the specified video present target.], 3223192377 = [$id=GRAPHICS_SOURCE_NOT_IN_TOPOLOGY, $desc=The specified source is not part of the specified VidPN's topology.], 3223192378 = [$id=GRAPHICS_INVALID_PRIMARYSURFACE_SIZE, $desc=The specified primary surface size is invalid.], 3223192379 = [$id=GRAPHICS_INVALID_VISIBLEREGION_SIZE, $desc=The specified visible region size is invalid.], 3223192380 = [$id=GRAPHICS_INVALID_STRIDE, $desc=The specified stride is invalid.], 3223192381 = [$id=GRAPHICS_INVALID_PIXELFORMAT, $desc=The specified pixel format is invalid.], 3223192382 = 
   [$id=GRAPHICS_INVALID_COLORBASIS, $desc=The specified color basis is invalid.],
   3223192383 = [$id=GRAPHICS_INVALID_PIXELVALUEACCESSMODE, $desc=The specified pixel value access mode is invalid.],
   3223192384 = [$id=GRAPHICS_TARGET_NOT_IN_TOPOLOGY, $desc=The specified target is not part of the specified VidPN's topology.],
   3223192385 = [$id=GRAPHICS_NO_DISPLAY_MODE_MANAGEMENT_SUPPORT, $desc=Failed to acquire the display mode management interface.],
   3223192386 = [$id=GRAPHICS_VIDPN_SOURCE_IN_USE, $desc=The specified VidPN source is already owned by a DMM client and cannot be used until that client releases it.],
   3223192387 = [$id=GRAPHICS_CANT_ACCESS_ACTIVE_VIDPN, $desc=The specified VidPN is active and cannot be accessed.],
   3223192388 = [$id=GRAPHICS_INVALID_PATH_IMPORTANCE_ORDINAL, $desc=The specified VidPN's present path importance ordinal is invalid.],
   3223192389 = [$id=GRAPHICS_INVALID_PATH_CONTENT_GEOMETRY_TRANSFORMATION, $desc=The specified VidPN's present path content geometry transformation is invalid.],
   3223192390 = [$id=GRAPHICS_PATH_CONTENT_GEOMETRY_TRANSFORMATION_NOT_SUPPORTED, $desc=The specified content geometry transformation is not supported on the respective VidPN present path.],
   3223192391 = [$id=GRAPHICS_INVALID_GAMMA_RAMP, $desc=The specified gamma ramp is invalid.],
   3223192392 = [$id=GRAPHICS_GAMMA_RAMP_NOT_SUPPORTED, $desc=The specified gamma ramp is not supported on the respective VidPN present path.],
   3223192393 = [$id=GRAPHICS_MULTISAMPLING_NOT_SUPPORTED, $desc=Multisampling is not supported on the respective VidPN present path.],
   3223192394 = [$id=GRAPHICS_MODE_NOT_IN_MODESET, $desc=The specified mode is not in the specified mode set.],
   3223192397 = [$id=GRAPHICS_INVALID_VIDPN_TOPOLOGY_RECOMMENDATION_REASON, $desc=The specified VidPN topology recommendation reason is invalid.],
   3223192398 = [$id=GRAPHICS_INVALID_PATH_CONTENT_TYPE, $desc=The specified VidPN present path content type is invalid.],
   3223192399 = [$id=GRAPHICS_INVALID_COPYPROTECTION_TYPE, $desc=The specified VidPN present path copy protection type is invalid.],
   3223192400 = [$id=GRAPHICS_UNASSIGNED_MODESET_ALREADY_EXISTS, $desc=Only one unassigned mode set can exist at any one time for a particular VidPN source or target.],
   3223192402 = [$id=GRAPHICS_INVALID_SCANLINE_ORDERING, $desc=The specified scan line ordering type is invalid.],
   3223192403 = [$id=GRAPHICS_TOPOLOGY_CHANGES_NOT_ALLOWED, $desc=The topology changes are not allowed for the specified VidPN.],
   3223192404 = [$id=GRAPHICS_NO_AVAILABLE_IMPORTANCE_ORDINALS, $desc=All available importance ordinals are being used in the specified topology.],
   3223192405 = [$id=GRAPHICS_INCOMPATIBLE_PRIVATE_FORMAT, $desc=The specified primary surface has a different private-format attribute than the current primary surface.],
   3223192406 = [$id=GRAPHICS_INVALID_MODE_PRUNING_ALGORITHM, $desc=The specified mode-pruning algorithm is invalid.],
   3223192407 = [$id=GRAPHICS_INVALID_MONITOR_CAPABILITY_ORIGIN, $desc=The specified monitor-capability origin is invalid.],
   3223192408 = [$id=GRAPHICS_INVALID_MONITOR_FREQUENCYRANGE_CONSTRAINT, $desc=The specified monitor-frequency range constraint is invalid.],
   3223192409 = [$id=GRAPHICS_MAX_NUM_PATHS_REACHED, $desc=The maximum supported number of present paths has been reached.],
   3223192410 = [$id=GRAPHICS_CANCEL_VIDPN_TOPOLOGY_AUGMENTATION, $desc=The miniport requested that augmentation be canceled for the specified source of the specified VidPN's topology.],
   3223192411 = [$id=GRAPHICS_INVALID_CLIENT_TYPE, $desc=The specified client type was not recognized.],
   3223192412 = [$id=GRAPHICS_CLIENTVIDPN_NOT_SET, $desc=The client VidPN is not set on this adapter (for example, no user mode-initiated mode changes have taken place on this adapter).],
   3223192576 = [$id=GRAPHICS_SPECIFIED_CHILD_ALREADY_CONNECTED, $desc=The specified display adapter child device already has an external device connected to it.],
   3223192577 = [$id=GRAPHICS_CHILD_DESCRIPTOR_NOT_SUPPORTED, $desc=The display adapter child device does not support reporting a descriptor.],
   3223192624 = [$id=GRAPHICS_NOT_A_LINKED_ADAPTER, $desc=The display adapter is not linked to any other adapters.],
   3223192625 = [$id=GRAPHICS_LEADLINK_NOT_ENUMERATED, $desc=The lead adapter in a linked configuration was not enumerated yet.],
   3223192626 = [$id=GRAPHICS_CHAINLINKS_NOT_ENUMERATED, $desc=Some chain adapters in a linked configuration have not yet been enumerated.],
   3223192627 = [$id=GRAPHICS_ADAPTER_CHAIN_NOT_READY, $desc=The chain of linked adapters is not ready to start because of an unknown failure.],
   3223192628 = [$id=GRAPHICS_CHAINLINKS_NOT_STARTED, $desc=An attempt was made to start a lead link display adapter when the chain links had not yet started.],
   3223192629 = [$id=GRAPHICS_CHAINLINKS_NOT_POWERED_ON, $desc=An attempt was made to turn on a lead link display adapter when the chain links were turned off.],
   3223192630 = [$id=GRAPHICS_INCONSISTENT_DEVICE_LINK_STATE, $desc=The adapter link was found in an inconsistent state. Not all adapters are in an expected PNP/power state.],
   3223192632 = [$id=GRAPHICS_NOT_POST_DEVICE_DRIVER, $desc=The driver trying to start is not the same as the driver for the posted display adapter.],
   3223192635 = [$id=GRAPHICS_ADAPTER_ACCESS_NOT_EXCLUDED, $desc=An operation is being attempted that requires the display adapter to be in a quiescent state.],
   3223192832 = [$id=GRAPHICS_OPM_NOT_SUPPORTED, $desc=The driver does not support OPM.],
   3223192833 = [$id=GRAPHICS_COPP_NOT_SUPPORTED, $desc=The driver does not support COPP.],
   3223192834 = [$id=GRAPHICS_UAB_NOT_SUPPORTED, $desc=The driver does not support UAB.],
   3223192835 = [$id=GRAPHICS_OPM_INVALID_ENCRYPTED_PARAMETERS, $desc=The specified encrypted parameters are invalid.],
   3223192836 = [$id=GRAPHICS_OPM_PARAMETER_ARRAY_TOO_SMALL, $desc=An array passed to a function cannot hold all of the data that the function wants to put in it.],
   3223192837 = [$id=GRAPHICS_OPM_NO_PROTECTED_OUTPUTS_EXIST, $desc=The GDI display device passed to this function does not have any active protected outputs.],
   3223192838 = [$id=GRAPHICS_PVP_NO_DISPLAY_DEVICE_CORRESPONDS_TO_NAME, $desc=The PVP cannot find an actual GDI display device that corresponds to the passed-in GDI display device name.],
   3223192839 = [$id=GRAPHICS_PVP_DISPLAY_DEVICE_NOT_ATTACHED_TO_DESKTOP, $desc=This function failed because the GDI display device passed to it was not attached to the Windows desktop.],
   3223192840 = [$id=GRAPHICS_PVP_MIRRORING_DEVICES_NOT_SUPPORTED, $desc=The PVP does not support mirroring display devices because they do not have any protected outputs.],
   3223192842 = [$id=GRAPHICS_OPM_INVALID_POINTER, $desc=The function failed because an invalid pointer parameter was passed to it. A pointer parameter is invalid if it is null, is not correctly aligned, or it points to an invalid address or a kernel mode address.],
   3223192843 = [$id=GRAPHICS_OPM_INTERNAL_ERROR, $desc=An internal error caused an operation to fail.],
   3223192844 = [$id=GRAPHICS_OPM_INVALID_HANDLE, $desc=The function failed because the caller passed in an invalid OPM user-mode handle.],
   3223192845 = [$id=GRAPHICS_PVP_NO_MONITORS_CORRESPOND_TO_DISPLAY_DEVICE, $desc=This function failed because the GDI device passed to it did not have any monitors associated with it.],
   3223192846 = [$id=GRAPHICS_PVP_INVALID_CERTIFICATE_LENGTH, $desc=A certificate could not be returned because the certificate buffer passed to the function was too small.],
   3223192847 = [$id=GRAPHICS_OPM_SPANNING_MODE_ENABLED, $desc=DxgkDdiOpmCreateProtectedOutput() could not create a protected output because the video present target is in spanning mode.],
   3223192848 = [$id=GRAPHICS_OPM_THEATER_MODE_ENABLED, $desc=DxgkDdiOpmCreateProtectedOutput() could not create a protected output because the video present target is in theater mode.],
   3223192849 = [$id=GRAPHICS_PVP_HFS_FAILED, $desc=The function call failed because the display adapter's hardware functionality scan (HFS) failed to validate the graphics hardware.],
   3223192850 = [$id=GRAPHICS_OPM_INVALID_SRM, $desc=The HDCP SRM passed to this function did not comply with section 5 of the HDCP 1.1 specification.],
   3223192851 = [$id=GRAPHICS_OPM_OUTPUT_DOES_NOT_SUPPORT_HDCP, $desc=The protected output cannot enable the HDCP system because it does not support it.],
   3223192852 = [$id=GRAPHICS_OPM_OUTPUT_DOES_NOT_SUPPORT_ACP, $desc=The protected output cannot enable analog copy protection because it does not support it.],
   3223192853 = [$id=GRAPHICS_OPM_OUTPUT_DOES_NOT_SUPPORT_CGMSA, $desc=The protected output cannot enable the CGMS-A protection technology because it does not support it.],
   3223192854 = [$id=GRAPHICS_OPM_HDCP_SRM_NEVER_SET, $desc=DxgkDdiOPMGetInformation() cannot return the version of the SRM being used because the application never successfully passed an SRM to the protected output.],
   3223192855 = [$id=GRAPHICS_OPM_RESOLUTION_TOO_HIGH, $desc=DxgkDdiOPMConfigureProtectedOutput() cannot enable the specified output protection technology because the output's screen resolution is too high.],
   3223192856 = [$id=GRAPHICS_OPM_ALL_HDCP_HARDWARE_ALREADY_IN_USE, $desc=DxgkDdiOPMConfigureProtectedOutput() cannot enable HDCP because other physical outputs are using the display adapter's HDCP hardware.],
   3223192858 = [$id=GRAPHICS_OPM_PROTECTED_OUTPUT_NO_LONGER_EXISTS, $desc=The operating system asynchronously destroyed this OPM-protected output because the operating system state changed. This error typically occurs because the monitor PDO associated with this protected output was removed or stopped, the protected output's session became a nonconsole session, or the protected output's desktop became inactive.],
   3223192859 = [$id=GRAPHICS_OPM_SESSION_TYPE_CHANGE_IN_PROGRESS, $desc=OPM functions cannot be called when a session is changing its type. Three types of sessions currently exist: console, disconnected, and remote (RDP or ICA).],
   3223192860 = [$id=GRAPHICS_OPM_PROTECTED_OUTPUT_DOES_NOT_HAVE_COPP_SEMANTICS, $desc=The DxgkDdiOPMGetCOPPCompatibleInformation, DxgkDdiOPMGetInformation, or DxgkDdiOPMConfigureProtectedOutput function failed. This error is returned only if a protected output has OPM semantics.],
   3223192861 = [$id=GRAPHICS_OPM_INVALID_INFORMATION_REQUEST, $desc=The DxgkDdiOPMGetInformation and DxgkDdiOPMGetCOPPCompatibleInformation functions return this error code if the passed-in sequence number is not the expected sequence number or the passed-in OMAC value is invalid.],
   3223192862 = [$id=GRAPHICS_OPM_DRIVER_INTERNAL_ERROR, $desc=The function failed because an unexpected error occurred inside a display driver.],
   3223192863 = [$id=GRAPHICS_OPM_PROTECTED_OUTPUT_DOES_NOT_HAVE_OPM_SEMANTICS, $desc=The DxgkDdiOPMGetCOPPCompatibleInformation, DxgkDdiOPMGetInformation, or DxgkDdiOPMConfigureProtectedOutput function failed. This error is returned only if a protected output has COPP semantics.],
   3223192864 = [$id=GRAPHICS_OPM_SIGNALING_NOT_SUPPORTED, $desc=The DxgkDdiOPMGetCOPPCompatibleInformation and DxgkDdiOPMConfigureProtectedOutput functions return this error if the display driver does not support the DXGKMDT_OPM_GET_ACP_AND_CGMSA_SIGNALING and DXGKMDT_OPM_SET_ACP_AND_CGMSA_SIGNALING GUIDs.],
   3223192865 = [$id=GRAPHICS_OPM_INVALID_CONFIGURATION_REQUEST, $desc=The DxgkDdiOPMConfigureProtectedOutput function returns this error code if the passed-in sequence number is not the expected sequence number or the passed-in OMAC value is invalid.],
   3223192960 = [$id=GRAPHICS_I2C_NOT_SUPPORTED, $desc=The monitor connected to the specified video output does not have an I2C bus.],
   3223192961 = [$id=GRAPHICS_I2C_DEVICE_DOES_NOT_EXIST, $desc=No device on the I2C bus has the specified address.],
   3223192962 = [$id=GRAPHICS_I2C_ERROR_TRANSMITTING_DATA, $desc=An error occurred while transmitting data to the device on the I2C bus.],
   3223192963 = [$id=GRAPHICS_I2C_ERROR_RECEIVING_DATA, $desc=An error occurred while receiving data from the device on the I2C bus.],
   3223192964 = [$id=GRAPHICS_DDCCI_VCP_NOT_SUPPORTED, $desc=The monitor does not support the specified VCP code.],
   3223192965 = [$id=GRAPHICS_DDCCI_INVALID_DATA, $desc=The data received from the monitor is invalid.],
   3223192966 = [$id=GRAPHICS_DDCCI_MONITOR_RETURNED_INVALID_TIMING_STATUS_BYTE, $desc=A function call failed because a monitor returned an invalid timing status byte when the operating system used the DDC/CI get timing report and timing message command to get a timing report from a monitor.],
   3223192967 = [$id=GRAPHICS_DDCCI_INVALID_CAPABILITIES_STRING, $desc=A monitor returned a DDC/CI capabilities string that did not comply with the ACCESS.bus 3.0, DDC/CI 1.1, or MCCS 2 Revision 1 specification.],
   3223192968 = [$id=GRAPHICS_MCA_INTERNAL_ERROR, $desc=An internal error caused an operation to fail.],
   3223192969 = [$id=GRAPHICS_DDCCI_INVALID_MESSAGE_COMMAND, $desc=An operation failed because a DDC/CI message had an invalid value in its command field.],
   3223192970 = [$id=GRAPHICS_DDCCI_INVALID_MESSAGE_LENGTH, $desc=This error occurred because a DDC/CI message had an invalid value in its length field.],
   3223192971 = [$id=GRAPHICS_DDCCI_INVALID_MESSAGE_CHECKSUM, $desc=This error occurred because the value in a DDC/CI message's checksum field did not match the message's computed checksum value. This error implies that the data was corrupted while it was being transmitted from a monitor to a computer.],
   3223192972 = [$id=GRAPHICS_INVALID_PHYSICAL_MONITOR_HANDLE, $desc=This function failed because an invalid monitor handle was passed to it.],
   3223192973 = [$id=GRAPHICS_MONITOR_NO_LONGER_EXISTS, $desc=The operating system asynchronously destroyed the monitor that corresponds to this handle because the operating system's state changed. This error typically occurs because the monitor PDO associated with this handle was removed or stopped, or a display mode change occurred. A display mode change occurs when Windows sends a WM_DISPLAYCHANGE message to applications.],
   3223193056 = [$id=GRAPHICS_ONLY_CONSOLE_SESSION_SUPPORTED, $desc=This function can be used only if a program is running in the local console session. It cannot be used if a program is running on a remote desktop session or on a terminal server session.],
   3223193057 = [$id=GRAPHICS_NO_DISPLAY_DEVICE_CORRESPONDS_TO_NAME, $desc=This function cannot find an actual GDI display device that corresponds to the specified GDI display device name.],
   3223193058 = [$id=GRAPHICS_DISPLAY_DEVICE_NOT_ATTACHED_TO_DESKTOP, $desc=The function failed because the specified GDI display device was not attached to the Windows desktop.],
   3223193059 = [$id=GRAPHICS_MIRRORING_DEVICES_NOT_SUPPORTED, $desc=This function does not support GDI mirroring display devices because GDI mirroring display devices do not have any physical monitors associated with them.],
   3223193060 = [$id=GRAPHICS_INVALID_POINTER, $desc=The function failed because an invalid pointer parameter was passed to it. A pointer parameter is invalid if it is null, is not correctly aligned, or points to an invalid address or to a kernel mode address.],
   3223193061 = [$id=GRAPHICS_NO_MONITORS_CORRESPOND_TO_DISPLAY_DEVICE, $desc=This function failed because the GDI device passed to it did not have a monitor associated with it.],
   3223193062 = [$id=GRAPHICS_PARAMETER_ARRAY_TOO_SMALL, $desc=An array passed to the function cannot hold all of the data that the function must copy into the array.],
   3223193063 = [$id=GRAPHICS_INTERNAL_ERROR, $desc=An internal error caused an operation to fail.],
   3223193064 = [$id=GRAPHICS_SESSION_TYPE_CHANGE_IN_PROGRESS, $desc=The function failed because the current session is changing its type. This function cannot be called when the current session is changing its type. Three types of sessions currently exist: console, disconnected, and remote (RDP or ICA).],
   3223388160 = [$id=FVE_LOCKED_VOLUME, $desc=The volume must be unlocked before it can be used.],
   3223388161 = [$id=FVE_NOT_ENCRYPTED, $desc=The volume is fully decrypted and no key is available.],
   3223388162 = [$id=FVE_BAD_INFORMATION, $desc=The control block for the encrypted volume is not valid.],
   3223388163 = [$id=FVE_TOO_SMALL, $desc=Not enough free space remains on the volume to allow encryption.],
   3223388164 = [$id=FVE_FAILED_WRONG_FS, $desc=The partition cannot be encrypted because the file system is not supported.],
   3223388165 = [$id=FVE_FAILED_BAD_FS, $desc=The file system is inconsistent. Run the Check Disk utility.],
   3223388166 = [$id=FVE_FS_NOT_EXTENDED, $desc=The file system does not extend to the end of the volume.],
   3223388167 = [$id=FVE_FS_MOUNTED, $desc=This operation cannot be performed while a file system is mounted on the volume.],
   3223388168 = [$id=FVE_NO_LICENSE, $desc=BitLocker Drive Encryption is not included with this version of Windows.],
   3223388169 = [$id=FVE_ACTION_NOT_ALLOWED, $desc=The requested action was denied by the FVE control engine.],
   3223388170 = [$id=FVE_BAD_DATA, $desc=The data supplied is malformed.],
   3223388171 = [$id=FVE_VOLUME_NOT_BOUND, $desc=The volume is not bound to the system.],
   3223388172 = [$id=FVE_NOT_DATA_VOLUME, $desc=The volume specified is not a data volume.],
   3223388173 = [$id=FVE_CONV_READ_ERROR, $desc=A read operation failed while converting the volume.],
   3223388174 = [$id=FVE_CONV_WRITE_ERROR, $desc=A write operation failed while converting the volume.],
   3223388175 = [$id=FVE_OVERLAPPED_UPDATE, $desc=The control block for the encrypted volume was updated by another thread. Try again.],
   3223388176 = [$id=FVE_FAILED_SECTOR_SIZE, $desc=The volume encryption algorithm cannot be used on this sector size.],
   3223388177 = [$id=FVE_FAILED_AUTHENTICATION, $desc=BitLocker recovery authentication failed.],
   3223388178 = [$id=FVE_NOT_OS_VOLUME, $desc=The volume specified is not the boot operating system volume.],
   3223388179 = [$id=FVE_KEYFILE_NOT_FOUND, $desc=The BitLocker startup key or recovery password could not be read from external media.],
   3223388180 = [$id=FVE_KEYFILE_INVALID, $desc=The BitLocker startup key or recovery password file is corrupt or invalid.],
   3223388181 = [$id=FVE_KEYFILE_NO_VMK, $desc=The BitLocker encryption key could not be obtained from the startup key or the recovery password.],
   3223388182 = [$id=FVE_TPM_DISABLED, $desc=The TPM is disabled.],
   3223388183 = [$id=FVE_TPM_SRK_AUTH_NOT_ZERO, $desc=The authorization data for the SRK of the TPM is not zero.],
   3223388184 = [$id=FVE_TPM_INVALID_PCR, $desc=The system boot information changed or the TPM locked out access to BitLocker encryption keys until the computer is restarted.],
   3223388185 = [$id=FVE_TPM_NO_VMK, $desc=The BitLocker encryption key could not be obtained from the TPM.],
   3223388186 = [$id=FVE_PIN_INVALID, $desc=The BitLocker encryption key could not be obtained from the TPM and PIN.],
   3223388187 = [$id=FVE_AUTH_INVALID_APPLICATION, $desc=A boot application hash does not match the hash computed when BitLocker was turned on.],
   3223388188 = [$id=FVE_AUTH_INVALID_CONFIG, $desc=The Boot Configuration Data (BCD) settings are not supported or have changed because BitLocker was enabled.],
   3223388189 = [$id=FVE_DEBUGGER_ENABLED, $desc=Boot debugging is enabled. Run Windows Boot Configuration Data Store Editor (bcdedit.exe) to turn it off.],
   3223388190 = [$id=FVE_DRY_RUN_FAILED, $desc=The BitLocker encryption key could not be obtained.],
   3223388191 = [$id=FVE_BAD_METADATA_POINTER, $desc=The metadata disk region pointer is incorrect.],
   3223388192 = [$id=FVE_OLD_METADATA_COPY, $desc=The backup copy of the metadata is out of date.],
   3223388193 = [$id=FVE_REBOOT_REQUIRED, $desc=No action was taken because a system restart is required.],
   3223388194 = [$id=FVE_RAW_ACCESS, $desc=No action was taken because BitLocker Drive Encryption is in RAW access mode.],
   3223388195 = [$id=FVE_RAW_BLOCKED, $desc=BitLocker Drive Encryption cannot enter RAW access mode for this volume.],
   3223388198 = [$id=FVE_NO_FEATURE_LICENSE, $desc=This feature of BitLocker Drive Encryption is not included with this version of Windows.],
   3223388199 = [$id=FVE_POLICY_USER_DISABLE_RDV_NOT_ALLOWED, $desc=Group policy does not permit turning off BitLocker Drive Encryption on roaming data volumes.],
   3223388200 = [$id=FVE_CONV_RECOVERY_FAILED, $desc=BitLocker Drive Encryption failed to recover from aborted conversion. This could be due to either all conversion logs being corrupted or the media being write-protected.],
   3223388201 = [$id=FVE_VIRTUALIZED_SPACE_TOO_BIG, $desc=The requested virtualization size is too big.],
   3223388208 = [$id=FVE_VOLUME_TOO_SMALL, $desc=The drive is too small to be protected using BitLocker Drive Encryption.],
   3223453697 = [$id=FWP_CALLOUT_NOT_FOUND, $desc=The callout does not exist.],
   3223453698 = [$id=FWP_CONDITION_NOT_FOUND, $desc=The filter condition does not exist.],
   3223453699 = [$id=FWP_FILTER_NOT_FOUND, $desc=The filter does not exist.],
   3223453700 = [$id=FWP_LAYER_NOT_FOUND, $desc=The layer does not exist.],
   3223453701 = [$id=FWP_PROVIDER_NOT_FOUND, $desc=The provider does not exist.],
   3223453702 = [$id=FWP_PROVIDER_CONTEXT_NOT_FOUND, $desc=The provider context does not exist.],
   3223453703 = [$id=FWP_SUBLAYER_NOT_FOUND, $desc=The sublayer does not exist.],
   3223453704 = [$id=FWP_NOT_FOUND, $desc=The object does not exist.],
   3223453705 = [$id=FWP_ALREADY_EXISTS, $desc=An object with that GUID or LUID already exists.],
   3223453706 = [$id=FWP_IN_USE, $desc=The object is referenced by other objects and cannot be deleted.],
   3223453707 = [$id=FWP_DYNAMIC_SESSION_IN_PROGRESS, $desc=The call is not allowed from within a dynamic session.],
   3223453708 = [$id=FWP_WRONG_SESSION, $desc=The call was made from the wrong session and cannot be completed.],
   3223453709 = [$id=FWP_NO_TXN_IN_PROGRESS, $desc=The call must be made from within an explicit transaction.],
   3223453710 = [$id=FWP_TXN_IN_PROGRESS, $desc=The call is not allowed from within an explicit transaction.],
   3223453711 = [$id=FWP_TXN_ABORTED, $desc=The explicit transaction has been forcibly canceled.],
   3223453712 = [$id=FWP_SESSION_ABORTED, $desc=The session has been canceled.],
   3223453713 = [$id=FWP_INCOMPATIBLE_TXN, $desc=The call is not allowed from within a read-only transaction.],
   3223453714 = [$id=FWP_TIMEOUT, $desc=The call timed out while waiting to acquire the transaction lock.],
   3223453715 = [$id=FWP_NET_EVENTS_DISABLED, $desc=The collection of network diagnostic events is disabled.],
   3223453716 = [$id=FWP_INCOMPATIBLE_LAYER, $desc=The operation is not supported by the specified layer.],
   3223453717 = [$id=FWP_KM_CLIENTS_ONLY, $desc=The call is allowed for kernel-mode callers only.],
   3223453718 = [$id=FWP_LIFETIME_MISMATCH, $desc=The call tried to associate two objects with incompatible lifetimes.],
   3223453719 = [$id=FWP_BUILTIN_OBJECT, $desc=The object is built-in and cannot be deleted.],
   3223453720 = [$id=FWP_TOO_MANY_BOOTTIME_FILTERS, $desc=The maximum number of boot-time filters has been reached.],
   3223453721 = [$id=FWP_NOTIFICATION_DROPPED, $desc=A notification could not be delivered because a message queue has reached maximum capacity.],
   3223453722 = [$id=FWP_TRAFFIC_MISMATCH, $desc=The traffic parameters do not match those for the security association context.],
   3223453723 = [$id=FWP_INCOMPATIBLE_SA_STATE, $desc=The call is not allowed for the current security association state.],
   3223453724 = [$id=FWP_NULL_POINTER, $desc=A required pointer is null.],
   3223453725 = [$id=FWP_INVALID_ENUMERATOR, $desc=An enumerator is not valid.],
   3223453726 = [$id=FWP_INVALID_FLAGS, $desc=The flags field contains an invalid value.],
   3223453727 = [$id=FWP_INVALID_NET_MASK, $desc=A network mask is not valid.],
   3223453728 = [$id=FWP_INVALID_RANGE, $desc=An FWP_RANGE is not valid.],
   3223453729 = [$id=FWP_INVALID_INTERVAL, $desc=The time interval is not valid.],
   3223453730 = [$id=FWP_ZERO_LENGTH_ARRAY, $desc=An array that must contain at least one element has a zero length.],
   3223453731 = [$id=FWP_NULL_DISPLAY_NAME, $desc=The displayData.name field cannot be null.],
   3223453732 = [$id=FWP_INVALID_ACTION_TYPE, $desc=The action type is not one of the allowed action types for a filter.],
   3223453733 = [$id=FWP_INVALID_WEIGHT, $desc=The filter weight is not valid.],
   3223453734 = [$id=FWP_MATCH_TYPE_MISMATCH, $desc=A filter condition contains a match type that is not compatible with the operands.],
   3223453735 = [$id=FWP_TYPE_MISMATCH, $desc=An FWP_VALUE or FWPM_CONDITION_VALUE is of the wrong type.],
   3223453736 = [$id=FWP_OUT_OF_BOUNDS, $desc=An integer value is outside the allowed range.],
   3223453737 = [$id=FWP_RESERVED, $desc=A reserved field is nonzero.],
   3223453738 = [$id=FWP_DUPLICATE_CONDITION, $desc=A filter cannot contain multiple conditions operating on a single field.],
   3223453739 = [$id=FWP_DUPLICATE_KEYMOD, $desc=A policy cannot contain the same keying module more than once.],
   3223453740 = [$id=FWP_ACTION_INCOMPATIBLE_WITH_LAYER, $desc=The action type is not compatible with the layer.],
   3223453741 = [$id=FWP_ACTION_INCOMPATIBLE_WITH_SUBLAYER, $desc=The action type is not compatible with the sublayer.],
   3223453742 = [$id=FWP_CONTEXT_INCOMPATIBLE_WITH_LAYER, $desc=The raw context or the provider context is not compatible with the layer.],
   3223453743 = [$id=FWP_CONTEXT_INCOMPATIBLE_WITH_CALLOUT, $desc=The raw context or the provider context is not compatible with the callout.],
   3223453744 = [$id=FWP_INCOMPATIBLE_AUTH_METHOD, $desc=The authentication method is not compatible with the policy type.],
   3223453745 = [$id=FWP_INCOMPATIBLE_DH_GROUP, $desc=The Diffie-Hellman group is not compatible with the policy type.],
   3223453746 = [$id=FWP_EM_NOT_SUPPORTED, $desc=An IKE policy cannot contain an Extended Mode policy.],
   3223453747 = [$id=FWP_NEVER_MATCH, $desc=The enumeration template or subscription will never match any objects.],
   3223453748 = [$id=FWP_PROVIDER_CONTEXT_MISMATCH, $desc=The provider context is of the wrong type.],
   3223453749 = [$id=FWP_INVALID_PARAMETER, $desc=The parameter is incorrect.],
   3223453750 = [$id=FWP_TOO_MANY_SUBLAYERS, $desc=The maximum number of sublayers has been reached.],
   3223453751 = [$id=FWP_CALLOUT_NOTIFICATION_FAILED, $desc=The notification function for a callout returned an error.],
   3223453752 = [$id=FWP_INCOMPATIBLE_AUTH_CONFIG, $desc=The IPsec authentication configuration is not compatible with the authentication type.],
   3223453753 = [$id=FWP_INCOMPATIBLE_CIPHER_CONFIG, $desc=The IPsec cipher configuration is not compatible with the cipher type.],
   3223453756 = [$id=FWP_DUPLICATE_AUTH_METHOD, $desc=A policy cannot contain the same auth method more than once.],
   3223453952 = [$id=FWP_TCPIP_NOT_READY, $desc=The TCP/IP stack is not ready.],
   3223453953 = [$id=FWP_INJECT_HANDLE_CLOSING, $desc=The injection handle is being closed by another thread.],
   3223453954 = [$id=FWP_INJECT_HANDLE_STALE, $desc=The injection handle is stale.],
   3223453955 = [$id=FWP_CANNOT_PEND, $desc=The classify cannot be pended.],
   3223519234 = [$id=NDIS_CLOSING, $desc=The binding to the network interface is being closed.],
   3223519236 = [$id=NDIS_BAD_VERSION, $desc=An invalid version was specified.],
   3223519237 = [$id=NDIS_BAD_CHARACTERISTICS, $desc=An invalid characteristics table was used.],
   3223519238 = [$id=NDIS_ADAPTER_NOT_FOUND, $desc=Failed to find the network interface or the network interface is not ready.],
   3223519239 = [$id=NDIS_OPEN_FAILED, $desc=Failed to open the network interface.],
   3223519240 = [$id=NDIS_DEVICE_FAILED, $desc=The network interface has encountered an internal unrecoverable failure.],
   3223519241 = [$id=NDIS_MULTICAST_FULL, $desc=The multicast list on the network interface is full.],
   3223519242 = [$id=NDIS_MULTICAST_EXISTS, $desc=An attempt was made to add a duplicate multicast address to the list.],
   3223519243 = [$id=NDIS_MULTICAST_NOT_FOUND, $desc=An attempt was made to remove a multicast address that was never added.],
   3223519244 = [$id=NDIS_REQUEST_ABORTED, $desc=The network interface aborted the request.],
   3223519245 = [$id=NDIS_RESET_IN_PROGRESS, $desc=The network interface cannot process the request because it is being reset.],
   3223519247 = [$id=NDIS_INVALID_PACKET, $desc=An attempt was made to send an invalid packet on a network interface.],
   3223519248 = [$id=NDIS_INVALID_DEVICE_REQUEST, $desc=The specified request is not a valid operation for the target device.],
   3223519249 = [$id=NDIS_ADAPTER_NOT_READY, $desc=The network interface is not ready to complete this operation.],
   3223519252 = [$id=NDIS_INVALID_LENGTH, $desc=The length of the buffer submitted for this operation is not valid.],
   3223519253 = [$id=NDIS_INVALID_DATA, $desc=The data used for this operation is not valid.],
   3223519254 = [$id=NDIS_BUFFER_TOO_SHORT, $desc=The length of the submitted buffer for this operation is too small.],
   3223519255 = [$id=NDIS_INVALID_OID, $desc=The network interface does not support this object identifier.],
   3223519256 = [$id=NDIS_ADAPTER_REMOVED, $desc=The network interface has been removed.],
   3223519257 = [$id=NDIS_UNSUPPORTED_MEDIA, $desc=The network interface does not support this media type.],
   3223519258 = [$id=NDIS_GROUP_ADDRESS_IN_USE, $desc=An attempt was made to remove a token ring group address that is in use by other components.],
   3223519259 = [$id=NDIS_FILE_NOT_FOUND, $desc=An attempt was made to map a file that cannot be found.],
   3223519260 = [$id=NDIS_ERROR_READING_FILE, $desc=An error occurred while NDIS tried to map the file.],
   3223519261 = [$id=NDIS_ALREADY_MAPPED, $desc=An attempt was made to map a file that is already mapped.],
   3223519262 = [$id=NDIS_RESOURCE_CONFLICT, $desc=An attempt to allocate a hardware resource failed because the resource is used by another component.],
   3223519263 = [$id=NDIS_MEDIA_DISCONNECTED, $desc=The I/O operation failed because the network media is disconnected or the wireless access point is out of range.],
   3223519266 = [$id=NDIS_INVALID_ADDRESS, $desc=The network address used in the request is invalid.],
   3223519274 = [$id=NDIS_PAUSED, $desc=The offload operation on the network interface has been paused.],
   3223519275 = [$id=NDIS_INTERFACE_NOT_FOUND, $desc=The network interface was not found.],
   3223519276 = [$id=NDIS_UNSUPPORTED_REVISION, $desc=The revision number specified in the structure is not supported.],
   3223519277 = [$id=NDIS_INVALID_PORT, $desc=The specified port does not exist on this network interface.],
   3223519278 = [$id=NDIS_INVALID_PORT_STATE, $desc=The current state of the specified port on this network interface does not support the requested operation.],
   3223519279 = [$id=NDIS_LOW_POWER_STATE, $desc=The miniport adapter is in a lower power state.],
   3223519419 = [$id=NDIS_NOT_SUPPORTED, $desc=The network interface does not support this request.],
   3223523343 = [$id=NDIS_OFFLOAD_POLICY, $desc=The TCP connection is not offloadable because of a local policy setting.],
   3223523346 = [$id=NDIS_OFFLOAD_CONNECTION_REJECTED, $desc=The TCP connection is not offloadable by the Chimney offload target.],
   3223523347 = [$id=NDIS_OFFLOAD_PATH_REJECTED, $desc=The IP Path object is not in an offloadable state.],
   3223527424 = [$id=NDIS_DOT11_AUTO_CONFIG_ENABLED, $desc=The wireless LAN interface is in auto-configuration mode and does not support the requested parameter change operation.],
   3223527425 = [$id=NDIS_DOT11_MEDIA_IN_USE, $desc=The wireless LAN interface is busy and cannot perform the requested operation.],
   3223527426 = [$id=NDIS_DOT11_POWER_STATE_INVALID, $desc=The wireless LAN interface is power down and does not support the requested operation.],
   3223527427 = [$id=NDIS_PM_WOL_PATTERN_LIST_FULL, $desc=The list of wake on LAN patterns is full.],
   3223527428 = [$id=NDIS_PM_PROTOCOL_OFFLOAD_LIST_FULL, $desc=The list of low power protocol offloads is full.],
   3224764417 = [$id=IPSEC_BAD_SPI, $desc=The SPI in the packet does not match a valid IPsec SA.],
   3224764418 = [$id=IPSEC_SA_LIFETIME_EXPIRED, $desc=The packet was received on an IPsec SA whose lifetime has expired.],
   3224764419 = [$id=IPSEC_WRONG_SA, $desc=The packet was received on an IPsec SA that does not match the packet characteristics.],
   3224764420 = [$id=IPSEC_REPLAY_CHECK_FAILED, $desc=The packet sequence number replay check failed.],
   3224764421 = [$id=IPSEC_INVALID_PACKET, $desc=The IPsec header and/or trailer in the packet is invalid.],
   3224764422 = [$id=IPSEC_INTEGRITY_CHECK_FAILED, $desc=The IPsec integrity check failed.],
   3224764423 = [$id=IPSEC_CLEAR_TEXT_DROP, $desc=IPsec dropped a clear text packet.],
   3224764424 = [$id=IPSEC_AUTH_FIREWALL_DROP, $desc=IPsec dropped an incoming ESP packet in authenticated firewall mode. This drop is benign.],
   3224764425 = [$id=IPSEC_THROTTLE_DROP, $desc=IPsec dropped a packet due to DOS throttle.],
   3224797184 = [$id=IPSEC_DOSP_BLOCK, $desc=IPsec Dos Protection matched an explicit block rule.],
   3224797185 = [$id=IPSEC_DOSP_RECEIVED_MULTICAST, $desc=IPsec Dos Protection received an IPsec specific multicast packet which is not allowed.],
   3224797186 = [$id=IPSEC_DOSP_INVALID_PACKET, $desc=IPsec Dos Protection received an incorrectly formatted packet.],
   3224797187 = [$id=IPSEC_DOSP_STATE_LOOKUP_FAILED, $desc=IPsec Dos Protection failed to lookup state.],
   3224797188 = [$id=IPSEC_DOSP_MAX_ENTRIES, $desc=IPsec Dos Protection failed to create state because there are already maximum number of entries allowed by policy.],
   3224797189 = [$id=IPSEC_DOSP_KEYMOD_NOT_ALLOWED, $desc=IPsec Dos Protection received an IPsec negotiation packet for a keying module which is not allowed by policy.],
   3224797190 = [$id=IPSEC_DOSP_MAX_PER_IP_RATELIMIT_QUEUES, $desc=IPsec Dos Protection failed to create per internal IP ratelimit queue because there is already maximum number of queues allowed by policy.],
   3224895579 = [$id=VOLMGR_MIRROR_NOT_SUPPORTED, $desc=The system does not support mirrored volumes.],
   3224895580 = [$id=VOLMGR_RAID5_NOT_SUPPORTED, $desc=The system does not support RAID-5 volumes.],
   3225026580 = [$id=VIRTDISK_PROVIDER_NOT_FOUND, $desc=A virtual disk support provider for the specified file was not found.],
   3225026581 = [$id=VIRTDISK_NOT_VIRTUAL_DISK, $desc=The specified disk is not a virtual disk.],
   3225026582 = [$id=VHD_PARENT_VHD_ACCESS_DENIED, $desc=The chain of virtual hard disks is inaccessible. The process has not been granted access rights to the parent virtual hard disk for the differencing disk.],
   3225026583 = [$id=VHD_CHILD_PARENT_SIZE_MISMATCH, $desc=The chain of virtual hard disks is corrupted. There is a mismatch in the virtual sizes of the parent virtual hard disk and differencing disk.],
   3225026584 = [$id=VHD_DIFFERENCING_CHAIN_CYCLE_DETECTED, $desc=The chain of virtual hard disks is corrupted. A differencing disk is indicated in its own parent chain.],
   3225026585 = [$id=VHD_DIFFERENCING_CHAIN_ERROR_IN_PARENT, $desc=The chain of virtual hard disks is inaccessible. There was an error opening a virtual hard disk further up the chain.]
}
SMB::wksta_cmds
Type

table [count] of string

Attributes

&redef &default = function

Default
{
   [2] = "NetrWkstaUserEnum",
   [25] = "NetrValidateName2",
   [20] = "NetrGetJoinInformation",
   [29] = "NetrSetPrimaryComputerName",
   [6] = "NetrWkstaTransportAdd",
   [30] = "NetrEnumerateComputerNames",
   [24] = "NetrRenameMachineInDomain2",
   [28] = "NetrRemoveAlternateComputerName",
   [23] = "NetrUnjoinDomain2",
   [8] = "NetrUseAdd",
   [9] = "NetrUseGetInfo",
   [27] = "NetrAddAlternateComputerName",
   [1] = "NetrWkstaSetInfo",
   [11] = "NetrUseEnum",
   [7] = "NetrWkstaTransportDel",
   [5] = "NetrWkstaTransportEnum",
   [10] = "NetrUseDel",
   [22] = "NetrJoinDomain2",
   [13] = "NetrWorkstationStatisticsGet",
   [26] = "NetrGetJoinableOUs2",
   [0] = "NetrWkstaGetInfo"
}

Workstation service sub commands.

Constants
SMB1::commands
Type

table [count] of string

Attributes

&default = function

Default
{
   [19] = "LOCK_AND_READ",
   [20] = "WRITE_AND_UNLOCK",
   [33] = "QUERY_SERVER",
   [39] = "IOCTL",
   [30] = "WRITE_MPX",
   [46] = "READ_ANDX",
   [15] = "CREATE_NEW",
   [28] = "READ_MPX_SECONDARY",
   [164] = "NT_CANCEL",
   [9] = "SET_INFORMATION",
   [53] = "FIND_NOTIFY_CLOSE",
   [52] = "FIND_CLOSE2",
   [4] = "CLOSE",
   [12] = "LOCK_BYTE_RANGE",
   [130] = "FIND",
   [41] = "COPY",
   [17] = "PROCESS_EXIT",
   [29] = "WRITE_RAW",
   [16] = "CHECK_DIRECTORY",
   [115] = "SESSION_SETUP_ANDX",
   [38] = "TRANSACTION_SECONDARY",
   [165] = "NT_RENAME",
   [193] = "WRITE_PRINT_FILE",
   [42] = "MOVE",
   [1] = "DELETE_DIRECTORY",
   [116] = "LOGOFF_ANDX",
   [11] = "WRITE",
   [113] = "TREE_DISCONNECT",
   [35] = "QUERY_INFORMATION2",
   [216] = "READ_BULK",
   [43] = "ECHO",
   [114] = "NEGOTIATE",
   [3] = "CREATE",
   [44] = "WRITE_AND_CLOSE",
   [129] = "SEARCH",
   [34] = "SET_INFORMATION2",
   [45] = "OPEN_ANDX",
   [40] = "IOCTL_SECONDARY",
   [194] = "CLOSE_PRINT_FILE",
   [36] = "LOCKING_ANDX",
   [14] = "CREATE_TEMPORARY",
   [6] = "DELETE",
   [31] = "WRITE_MPX_SECONDARY",
   [8] = "QUERY_INFORMATION",
   [192] = "OPEN_PRINT_FILE",
   [27] = "READ_MPX",
   [195] = "GET_PRINT_QUEUE",
   [7] = "RENAME",
   [10] = "READ",
   [32] = "WRITE_COMPLETE",
   [26] = "READ_RAW",
   [13] = "UNLOCK_BYTE_RANGE",
   [128] = "QUERY_INFORMATION_DISK",
   [218] = "WRITE_BULK_DATA",
   [217] = "WRITE_BULK",
   [160] = "NT_TRANSACT",
   [47] = "WRITE_ANDX",
   [50] = "TRANSACTION2",
   [2] = "OPEN",
   [132] = "FIND_CLOSE",
   [48] = "NEW_FILE_SIZE",
   [49] = "CLOSE_AND_TREE_DISC",
   [162] = "NT_CREATE_ANDX",
   [5] = "FLUSH",
   [112] = "TREE_CONNECT",
   [161] = "NT_TRANSACT_SECONDARY",
   [51] = "TRANSACTION2_SECONDARY",
   [37] = "TRANSACTION",
   [18] = "SEEK",
   [117] = "TREE_CONNECT_ANDX",
   [0] = "CREATE_DIRECTORY",
   [131] = "FIND_UNIQUE"
}
SMB1::trans2_sub_commands
Type

table [count] of string

Attributes

&default = function

Default
{
   [2] = "FIND_NEXT2",
   [6] = "SET_PATH_INFORMATION",
   [14] = "SESSION_SETUP",
   [16] = "GET_DFS_REFERRAL",
   [8] = "SET_FILE_INFORMATION",
   [9] = "FSCTL",
   [1] = "FIND_FIRST2",
   [11] = "FIND_NOTIFY_FIRST",
   [7] = "QUERY_FILE_INFORMATION",
   [5] = "QUERY_PATH_INFORMATION",
   [10] = "IOCTL",
   [4] = "SET_FS_INFORMATION",
   [13] = "CREATE_DIRECTORY",
   [12] = "FIND_NOTIFY_NEXT",
   [3] = "QUERY_FS_INFORMATION",
   [17] = "REPORT_DFS_INCONSISTENCY",
   [0] = "OPEN2"
}
SMB1::trans_sub_commands
Type

table [count] of string

Attributes

&default = function

Default
{
   [55] = "WRITE_NMPIPE",
   [38] = "TRANSACT_NMPIPE",
   [54] = "READ_NMPIPE",
   [33] = "QUERY_NMPIPE_STATE",
   [17] = "RAW_READ_NMPIPE",
   [35] = "PEEK_NMPIPE",
   [49] = "RAW_WRITE_NMPIPE",
   [34] = "QUERY_NMPIPE_INFO",
   [1] = "SET_NMPIPE_STATE",
   [83] = "WAIT_NMPIPE",
   [84] = "CALL_NMPIPE"
}
SMB2::commands
Type

table [count] of string

Attributes

&default = function

Default
{
   [2] = "LOGOFF",
   [14] = "QUERY_DIRECTORY",
   [15] = "CHANGE_NOTIFY",
   [6] = "CLOSE",
   [16] = "QUERY_INFO",
   [8] = "READ",
   [9] = "WRITE",
   [1] = "SESSION_SETUP",
   [11] = "IOCTL",
   [7] = "FLUSH",
   [5] = "CREATE",
   [10] = "LOCK",
   [4] = "TREE_DISCONNECT",
   [13] = "ECHO",
   [12] = "CANCEL",
   [18] = "OPLOCK_BREAK",
   [3] = "TREE_CONNECT",
   [17] = "SET_INFO",
   [0] = "NEGOTIATE_PROTOCOL"
}
SMB2::dialects
Type

table [count] of string

Attributes

&default = function

Default
{
   [528] = "2.1",
   [770] = "3.0.2",
   [768] = "3.0",
   [767] = "2.1+",
   [514] = "2.0.2",
   [785] = "3.1.1"
}
SMB2::share_types
Type

table [count] of string

Attributes

&default = function

Default
{
   [2] = "PIPE",
   [1] = "DISK",
   [3] = "PRINT"
}
Types
SMB::StatusCode
Type

record

id: string

desc: string

SMB::rpc_cmd_table
Type

table [count] of string

base/protocols/smb/const-dos-error.zeek

SMB
Namespace

SMB

Imports

base/protocols/smb/consts.zeek

Summary
Redefinitions

SMB::statuses: table &redef &default = function

Detailed Interface

base/protocols/smb/const-nt-status.zeek

SMB
Namespace

SMB

Imports

base/protocols/smb/consts.zeek

Summary
Redefinitions

SMB::statuses: table &redef &default = function

Detailed Interface

base/protocols/smb/main.zeek

SMB
Namespace

SMB

Imports

base/protocols/smb/const-dos-error.zeek, base/protocols/smb/const-nt-status.zeek, base/protocols/smb/consts.zeek

Summary
Runtime Options

SMB::logged_file_actions: set &redef

The file actions which are logged.

Types

SMB::Action: enum

Abstracted actions for SMB file actions.

SMB::CmdInfo: record

This record is for the smb_cmd.log.

SMB::FileInfo: record

This record is for the smb_files.log.

SMB::State: record

This record stores the SMB state of in-flight commands, plus the file and tree maps of the connection.

SMB::TreeInfo: record

This record is for the smb_mapping.log.

Redefinitions

Log::ID: enum

SMB::FileInfo: record

New Fields

SMB::FileInfo

fid: count &optional

ID referencing this file.

uuid: string &optional

UUID referencing this file if DCE/RPC.

connection: record

Everything below here is used internally in the SMB scripts.

New Fields

connection

smb_state: SMB::State &optional

likely_server_ports: set &redef

Hooks

SMB::log_policy_files: Log::PolicyHook

SMB::log_policy_mapping: Log::PolicyHook

Functions

SMB::set_current_file: function &redef

This is an internally used function.

SMB::write_file_log: function &redef

This is an internally used function.

Detailed Interface
Runtime Options
SMB::logged_file_actions
Type

set [SMB::Action]

Attributes

&redef

Default
{
   SMB::PRINT_CLOSE,
   SMB::FILE_DELETE,
   SMB::FILE_OPEN,
   SMB::FILE_RENAME,
   SMB::PRINT_OPEN
}

The file actions which are logged.

Types
SMB::Action
Type

enum

SMB::FILE_READ
SMB::FILE_WRITE
SMB::FILE_OPEN
SMB::FILE_CLOSE
SMB::FILE_DELETE
SMB::FILE_RENAME
SMB::FILE_SET_ATTRIBUTE
SMB::PIPE_READ
SMB::PIPE_WRITE
SMB::PIPE_OPEN
SMB::PIPE_CLOSE
SMB::PRINT_READ
SMB::PRINT_WRITE
SMB::PRINT_OPEN
SMB::PRINT_CLOSE

Abstracted actions for SMB file actions.

SMB::CmdInfo
Type

record

ts: time &log &default = 0.0 &optional

Timestamp of the command request.

uid: string &log

Unique ID of the connection the request was sent over.

id: conn_id &log

ID of the connection the request was sent over.

command: string &log

The command sent by the client.

sub_command: string &log &optional

The subcommand sent by the client, if present.

argument: string &log &optional

Command argument sent by the client, if any.

status: string &log &optional

Server reply to the client’s command.

rtt: interval &log &optional

Round trip time from the request to the response.

version: string &log

Version of SMB for the command.

username: string &log &optional

Authenticated username, if available.

tree: string &log &optional

If this is related to a tree, this is the tree that was used for the current command.

tree_service: string &log &optional

The type of tree (disk share, printer share, named pipe, etc.).

referenced_file: SMB::FileInfo &log &optional

If the command referenced a file, store it here.

referenced_tree: SMB::TreeInfo &optional

If the command referenced a tree, store it here.

smb1_offered_dialects: string_vec &optional

(present if base/protocols/smb/smb1-main.zeek is loaded)

Dialects offered by the client.

smb2_offered_dialects: index_vec &optional

(present if base/protocols/smb/smb2-main.zeek is loaded)

Dialects offered by the client.

This record is for the smb_cmd.log.

SMB::FileInfo
Type

record

ts: time &log &default = 0.0 &optional

Time when the file was first discovered.

uid: string &log

Unique ID of the connection the file was sent over.

id: conn_id &log

ID of the connection the file was sent over.

fuid: string &log &optional

Unique ID of the file.

action: SMB::Action &log &optional

Action this log record represents.

path: string &log &optional

Path pulled from the tree this file was transferred to or from.

name: string &log &optional

Filename if one was seen.

size: count &log &default = 0 &optional

Total size of the file.

prev_name: string &log &optional

If the rename action was seen, this will be the file’s previous name.

times: SMB::MACTimes &log &optional

Last time this file was modified.

fid: count &optional

ID referencing this file.

uuid: string &optional

UUID referencing this file if DCE/RPC.

This record is for the smb_files.log.

SMB::State
Type

record

current_cmd: SMB::CmdInfo &optional

A reference to the current command.

current_file: SMB::FileInfo &optional

A reference to the current file.

current_tree: SMB::TreeInfo &optional

A reference to the current tree.

pending_cmds: table [count] of SMB::CmdInfo &optional

Indexed on MID to map responses to requests.

fid_map: table [count] of SMB::FileInfo &optional

File map to retrieve file information based on the file ID.

tid_map: table [count] of SMB::TreeInfo &optional

Tree map to retrieve tree information based on the tree ID.

uid_map: table [count] of string &optional

User map to retrieve user name based on the user ID.

pipe_map: table [count] of string &optional

Pipe map to retrieve UUID based on the file ID of a pipe.

recent_files: set [string] &default = {  } &optional &read_expire = 3.0 mins

A set of recent files to avoid logging the same files over and over in the smb files log. This only applies to files seen in a single connection.

This record stores the SMB state of in-flight commands, plus the file and tree maps of the connection.
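As an added illustration of the pending_cmds bookkeeping described above (this is not Zeek's own script code), the following Python pairs each response with its request by MID and derives the rtt and status fields of SMB::CmdInfo. The command and status dictionaries are constructed subsets of the SMB2::commands and SMB::statuses tables on this page, and the `unknown-<code>` fallback stands in for the tables' &default function.

```python
# Added example: a Python model of how SMB::State.pending_cmds (indexed on MID)
# maps responses back to requests and fills SMB::CmdInfo.rtt / .status.
# Not Zeek's own script code; the lookup tables are constructed subsets.
from dataclasses import dataclass
from typing import Optional

# Constructed subset of the SMB2::commands table shown on this page.
SMB2_COMMANDS = {0: "NEGOTIATE_PROTOCOL", 1: "SESSION_SETUP", 3: "TREE_CONNECT",
                 5: "CREATE", 8: "READ", 9: "WRITE"}

# Constructed subset of SMB::statuses: NT status value -> SMB::StatusCode id.
# 0 is STATUS_SUCCESS; the IPsec value is taken from the table above.
SMB_STATUSES = {0: "SUCCESS", 3224764423: "IPSEC_CLEAR_TEXT_DROP"}


@dataclass
class CmdInfo:
    """The SMB::CmdInfo fields this model fills in."""
    ts: float                      # timestamp of the request
    command: str
    version: str
    status: Optional[str] = None   # server reply, set when the response arrives
    rtt: Optional[float] = None    # response ts minus request ts


class SmbState:
    """Minimal SMB::State: only pending_cmds is modelled here."""
    def __init__(self) -> None:
        self.pending_cmds: dict[int, CmdInfo] = {}


def lookup_with_default(table: dict, code: int) -> str:
    """Mimic the table's &default function: unknown codes get a stable fallback name."""
    return table.get(code, f"unknown-{code}")


def on_request(state: SmbState, mid: int, ts: float, code: int,
               version: str = "SMB2") -> CmdInfo:
    """Record a request under its message ID so the response can be matched later."""
    cmd = CmdInfo(ts=ts, command=lookup_with_default(SMB2_COMMANDS, code), version=version)
    state.pending_cmds[mid] = cmd
    return cmd


def on_response(state: SmbState, mid: int, ts: float, status_code: int) -> Optional[CmdInfo]:
    """Pop the matching request and fill rtt and status; None for an orphan response."""
    cmd = state.pending_cmds.pop(mid, None)
    if cmd is None:
        return None  # no request seen for this MID (e.g. capture started mid-session)
    cmd.rtt = ts - cmd.ts
    cmd.status = lookup_with_default(SMB_STATUSES, status_code)
    return cmd


def unanswered(state: SmbState) -> list:
    """Commands still waiting for a response, e.g. to report at connection removal."""
    return [cmd.command for cmd in state.pending_cmds.values()]


if __name__ == "__main__":
    # Constructed sample exchange: CREATE and READ requests, only CREATE answered.
    st = SmbState()
    on_request(st, mid=1, ts=100.0, code=5)
    on_request(st, mid=2, ts=100.5, code=8)
    done = on_response(st, mid=1, ts=100.25, status_code=0)
    print(done.command, done.status, done.rtt)   # CREATE SUCCESS 0.25
    print(unanswered(st))                        # ['READ']
```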

SMB::TreeInfo
Type

record

ts: time &log &default = 0.0 &optional

Time when the tree was mapped.

uid: string &log

Unique ID of the connection the tree was mapped over.

id: conn_id &log

ID of the connection the tree was mapped over.

path: string &log &optional

Name of the tree path.

service: string &log &optional

The type of resource of the tree (disk share, printer share, named pipe, etc.).

native_file_system: string &log &optional

File system of the tree.

share_type: string &log &default = "DISK" &optional

If this is SMB2, a share type will be included. For SMB1, the type of share will be deduced and included as well.

This record is for the smb_mapping.log.

Hooks
SMB::log_policy_files
Type

Log::PolicyHook

SMB::log_policy_mapping
Type

Log::PolicyHook

Functions
SMB::set_current_file
Type

function (smb_state: SMB::State, file_id: count) : void

Attributes

&redef

This is an internally used function.

SMB::write_file_log
Type

function (state: SMB::State) : void

Attributes

&redef

This is an internally used function.

base/protocols/smb/smb1-main.zeek

SMB1
Namespace

SMB1

Imports

base/protocols/smb/main.zeek

Summary
Redefinitions

SMB::CmdInfo: record

New Fields

SMB::CmdInfo

smb1_offered_dialects: string_vec &optional

Dialects offered by the client.

Detailed Interface

base/protocols/smb/smb2-main.zeek

SMB2
Namespace

SMB2

Imports

base/protocols/smb/main.zeek

Summary
Redefinitions

SMB::CmdInfo: record

New Fields

SMB::CmdInfo

smb2_offered_dialects: index_vec &optional

Dialects offered by the client.

Detailed Interface

base/protocols/smb/files.zeek

SMB
Namespace

SMB

Imports

base/frameworks/files, base/protocols/smb/main.zeek

Summary
Functions

SMB::describe_file: function

Default file describer for SMB.

SMB::get_file_handle: function

Default file handle provider for SMB.

Detailed Interface
Functions
SMB::describe_file
Type

function (f: fa_file) : string

Default file describer for SMB.

SMB::get_file_handle
Type

function (c: connection, is_orig: bool) : string

Default file handle provider for SMB.

base/protocols/smtp/__load__.zeek

Imports

base/protocols/smtp/entities.zeek, base/protocols/smtp/files.zeek, base/protocols/smtp/main.zeek

Summary
Detailed Interface

base/protocols/smtp/main.zeek

SMTP
Namespace

SMTP

Imports

base/frameworks/notice/weird.zeek, base/protocols/conn/removal-hooks.zeek, base/utils/addrs.zeek, base/utils/directions-and-hosts.zeek, base/utils/email.zeek

Summary
Runtime Options

SMTP::mail_path_capture: Host &redef

Direction to capture the full “Received from” path.

SMTP::mail_transaction_validation: bool &redef

When seeing a RCPT TO or DATA command, validate that it has been preceded by a MAIL FROM or RCPT TO command, respectively, else log a weird and possibly disable the SMTP analyzer upon too many invalid transactions.

SMTP::max_invalid_mail_transactions: count &redef

Disable the SMTP analyzer when that many invalid transactions have been observed in an SMTP session.

Types

SMTP::Info: record

SMTP::State: record

Redefinitions

Log::ID: enum

connection: record

New Fields

connection

smtp: SMTP::Info &optional

smtp_state: SMTP::State &optional

likely_server_ports: set &redef

Events

SMTP::log_smtp: event

Hooks

SMTP::finalize_smtp: Conn::RemovalHook

SMTP finalization hook.

SMTP::log_policy: Log::PolicyHook

Functions

SMTP::describe: function

Create an extremely shortened representation of a log line.

Detailed Interface
Runtime Options
SMTP::mail_path_capture
Type

Host

Attributes

&redef

Default

ALL_HOSTS

Direction to capture the full “Received from” path.

REMOTE_HOSTS - only capture the path until an internal host is found.
LOCAL_HOSTS - only capture the path until the external host is discovered.
ALL_HOSTS - always capture the entire path.
NO_HOSTS - never capture the path.

SMTP::mail_transaction_validation
Type

bool

Attributes

&redef

Default

T

When seeing a RCPT TO or DATA command, validate that it has been preceded by a MAIL FROM or RCPT TO command, respectively, else log a weird and possibly disable the SMTP analyzer upon too many invalid transactions.

SMTP::max_invalid_mail_transactions
Type

count

Attributes

&redef

Default

25

Disable the SMTP analyzer when that many invalid transactions have been observed in an SMTP session.
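The validation rule described for SMTP::mail_transaction_validation and SMTP::max_invalid_mail_transactions, modelled in Python as an added example (not Zeek's own script code). It keeps the trans_mail_from_seen, trans_rcpt_to_seen and invalid_transactions fields of SMTP::State and stops analysing once the invalid count reaches the default of 25; the weird names and the reset of the flags after DATA or RSET are assumptions of this model.

```python
# Added example: a Python model of Zeek's SMTP mail-transaction validation.
# Not Zeek's own script code; the weird names and the flag reset after
# DATA/RSET are assumptions of the model.
from dataclasses import dataclass, field

MAX_INVALID_MAIL_TRANSACTIONS = 25  # page default of SMTP::max_invalid_mail_transactions


@dataclass
class SmtpState:
    """Subset of the SMTP::State record fields used by the validation."""
    trans_mail_from_seen: bool = False
    trans_rcpt_to_seen: bool = False
    invalid_transactions: int = 0
    analyzer_enabled: bool = True               # False once Zeek would detach the analyzer
    weirds: list = field(default_factory=list)  # constructed weird names, one per violation


def _weird(state: SmtpState, name: str, max_invalid: int) -> None:
    """Record a weird for an out-of-order command and count the invalid transaction."""
    state.weirds.append(name)
    state.invalid_transactions += 1
    if state.invalid_transactions >= max_invalid:
        state.analyzer_enabled = False          # too many invalid transactions: stop analysing


def validate_command(state: SmtpState, line: str,
                     max_invalid: int = MAX_INVALID_MAIL_TRANSACTIONS) -> bool:
    """Apply one client command line; return False if it violates the transaction order."""
    if not state.analyzer_enabled:
        return False                            # analyzer detached, nothing is validated
    cmd = line.strip().upper()
    if cmd.startswith("MAIL FROM"):
        state.trans_mail_from_seen = True       # a new transaction starts here
        state.trans_rcpt_to_seen = False
        return True
    if cmd.startswith("RCPT TO"):
        if not state.trans_mail_from_seen:
            _weird(state, "smtp_rcpt_to_without_mail_from", max_invalid)
            return False
        state.trans_rcpt_to_seen = True
        return True
    if cmd.startswith("DATA"):
        if not state.trans_rcpt_to_seen:
            _weird(state, "smtp_data_without_rcpt_to", max_invalid)
            return False
        # Message body follows; the next transaction must start with MAIL FROM again.
        state.trans_mail_from_seen = False
        state.trans_rcpt_to_seen = False
        return True
    if cmd.startswith("RSET"):
        state.trans_mail_from_seen = False
        state.trans_rcpt_to_seen = False
    return True                                 # EHLO, QUIT, etc. do not affect the transaction


def run_session(lines, max_invalid: int = MAX_INVALID_MAIL_TRANSACTIONS) -> SmtpState:
    """Feed a whole client command sequence (constructed sample input) through the model."""
    state = SmtpState()
    for line in lines:
        validate_command(state, line, max_invalid)
    return state


if __name__ == "__main__":
    # Constructed sample sessions: one well-formed, one with RCPT TO and DATA out of order.
    good = ["EHLO client.example.test", "MAIL FROM:<a@example.test>",
            "RCPT TO:<b@example.test>", "DATA", "QUIT"]
    print(run_session(good).invalid_transactions)   # 0
    bad = ["EHLO client.example.test", "RCPT TO:<b@example.test>", "DATA"]
    print(run_session(bad).weirds)                  # two weirds, analyzer still enabled
```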

Types
SMTP::Info
Type

record

ts: time &log

Time when the message was first seen.

uid: string &log

Unique ID for the connection.

id: conn_id &log

The connection’s 4-tuple of endpoint addresses/ports.

trans_depth: count &log

A count to represent the depth of this message transaction in a single connection where multiple messages were transferred.

helo: string &log &optional

Contents of the Helo header.

mailfrom: string &log &optional

Email addresses found in the From header.

rcptto: set [string] &log &optional

Email addresses found in the Rcpt header.

date: string &log &optional

Contents of the Date header.

from: string &log &optional

Contents of the From header.

to: set [string] &log &optional

Contents of the To header.

cc: set [string] &log &optional

Contents of the CC header.

reply_to: string &log &optional

Contents of the ReplyTo header.

msg_id: string &log &optional

Contents of the MsgID header.

in_reply_to: string &log &optional

Contents of the In-Reply-To header.

subject: string &log &optional

Contents of the Subject header.

x_originating_ip: addr &log &optional

Contents of the X-Originating-IP header.

first_received: string &log &optional

Contents of the first Received header.

second_received: string &log &optional

Contents of the second Received header.

last_reply: string &log &optional

The last message that the server sent to the client.

path: vector of addr &log &optional

The message transmission path, as extracted from the headers.

user_agent: string &log &optional

Value of the User-Agent header from the client.

tls: bool &log &default = F &optional

Indicates that the connection has switched to using TLS.

process_received_from: bool &default = T &optional

Indicates if the “Received: from” headers should still be processed.

has_client_activity: bool &default = F &optional

Indicates if client activity has been seen, but not yet logged.

process_smtp_headers: bool &default = T &optional

Indicates if the SMTP headers should still be processed.

entity_count: count &default = 0 &optional

entity: SMTP::Entity &optional

(present if base/protocols/smtp/entities.zeek is loaded)

The current entity being seen.

fuids: vector of string &log &default = [] &optional

(present if base/protocols/smtp/files.zeek is loaded)

An ordered vector of file unique IDs seen attached to the message.

is_webmail: bool &log &default = F &optional

(present if policy/protocols/smtp/software.zeek is loaded)

Boolean indicator of if the message was sent through a webmail interface.

SMTP::State
Type

record

helo: string &optional

messages_transferred: count &default = 0 &optional

Count the number of individual messages transmitted during this SMTP session. Note, this is not the number of recipients, but the number of message bodies transferred.

pending_messages: set [SMTP::Info] &optional

trans_mail_from_seen: bool &default = F &optional

trans_rcpt_to_seen: bool &default = F &optional

invalid_transactions: count &default = 0 &optional

analyzer_id: count &optional

mime_depth: count &default = 0 &optional

(present if base/protocols/smtp/entities.zeek is loaded)

Track the number of MIME encoded files transferred during a session.

Events
SMTP::log_smtp
Type

event (rec: SMTP::Info)

Hooks
SMTP::finalize_smtp
Type

Conn::RemovalHook

SMTP finalization hook. Remaining SMTP info may get logged when it’s called.

SMTP::log_policy
Type

Log::PolicyHook

Functions
SMTP::describe
Type

function (rec: SMTP::Info) : string

Create an extremely shortened representation of a log line.

base/protocols/smtp/entities.zeek

SMTP

Analysis and logging for MIME entities found in SMTP sessions.

Namespace

SMTP

Imports

base/frameworks/files, base/protocols/smtp/main.zeek, base/utils/files.zeek, base/utils/strings.zeek

Summary
Types

SMTP::Entity: record

Redefinitions

SMTP::Info: record

New Fields

SMTP::Info

entity: SMTP::Entity &optional

The current entity being seen.

SMTP::State: record

New Fields

SMTP::State

mime_depth: count &default = 0 &optional

Track the number of MIME encoded files transferred during a session.

Detailed Interface
Types
SMTP::Entity
Type

record

filename: string &optional

Filename for the entity if discovered from a header.

excerpt: string &log &default = "" &optional

(present if policy/protocols/smtp/entities-excerpt.zeek is loaded)

The entity body excerpt.

base/protocols/smtp/files.zeek

SMTP
Namespace

SMTP

Imports

base/frameworks/files, base/protocols/smtp/entities.zeek, base/protocols/smtp/main.zeek, base/utils/conn-ids.zeek

Summary
Redefinitions

SMTP::Info: record

New Fields

SMTP::Info

fuids: vector of string &log &default = [] &optional

An ordered vector of file unique IDs seen attached to the message.

Functions

SMTP::describe_file: function

Default file describer for SMTP.

SMTP::get_file_handle: function

Default file handle provider for SMTP.

Detailed Interface
Functions
SMTP::describe_file
Type

function (f: fa_file) : string

Default file describer for SMTP.

SMTP::get_file_handle
Type

function (c: connection, is_orig: bool) : string

Default file handle provider for SMTP.

base/protocols/socks/__load__.zeek

Imports

base/protocols/socks/consts.zeek, base/protocols/socks/main.zeek

Summary
Detailed Interface

base/protocols/socks/consts.zeek

SOCKS
Namespace

SOCKS

Summary
Constants

SOCKS::v4_status: table &default = function

SOCKS::v5_authentication_methods: table &default = function

SOCKS::v5_status: table &default = function

Types

SOCKS::RequestType: enum

Detailed Interface
Constants
SOCKS::v4_status
Type

table [count] of string

Attributes

&default = function

Default
{
   [92] = "request failed because client is not running identd",
   [93] = "request failed because client's identd could not confirm the user ID string in the request",
   [90] = "succeeded",
   [91] = "general SOCKS server failure"
}
SOCKS::v5_authentication_methods
Type

table [count] of string

Attributes

&default = function

Default
{
   [2] = "Username/Password",
   [8] = "Multi-Authentication Framework",
   [7] = "NDS Authentication",
   [5] = "Challenge-Response Authentication Method",
   [3] = "Challenge-Handshake Authentication Protocol",
   [0] = "No Authentication Required",
   [6] = "Secure Sockets Layer",
   [255] = "No Acceptable Methods",
   [1] = "GSSAPI"
}
SOCKS::v5_status
Type

table [count] of string

Attributes

&default = function

Default
{
   [2] = "connection not allowed by ruleset",
   [8] = "Address type not supported",
   [5] = "Connection refused",
   [7] = "Command not supported",
   [3] = "Network unreachable",
   [0] = "succeeded",
   [6] = "TTL expired",
   [4] = "Host unreachable",
   [1] = "general SOCKS server failure"
}
Types
SOCKS::RequestType
Type

enum

SOCKS::CONNECTION
SOCKS::PORT
SOCKS::UDP_ASSOCIATE

base/protocols/socks/main.zeek

SOCKS
Namespace

SOCKS

Imports

base/frameworks/tunnels, base/protocols/conn/removal-hooks.zeek, base/protocols/socks/consts.zeek

Summary
Runtime Options

SOCKS::default_capture_password: bool &redef

Whether passwords are captured or not.

Types

SOCKS::Info: record

The record type which contains the fields of the SOCKS log.

Redefinitions

Log::ID: enum

connection: record

New Fields

connection

socks: SOCKS::Info &optional

likely_server_ports: set &redef

Events

SOCKS::log_socks: event

Event that can be handled to access the SOCKS record as it is sent on to the logging framework.

Hooks

SOCKS::finalize_socks: Conn::RemovalHook

SOCKS finalization hook.

SOCKS::log_policy: Log::PolicyHook

Detailed Interface
Runtime Options
SOCKS::default_capture_password
Type

bool

Attributes

&redef

Default

F

Whether passwords are captured or not.

Types
SOCKS::Info
Type

record

ts: time &log

Time when the proxy connection was first detected.

uid: string &log

Unique ID for the tunnel - may correspond to connection uid or be non-existent.

id: conn_id &log

The connection’s 4-tuple of endpoint addresses/ports.

version: count &log

Protocol version of SOCKS.

user: string &log &optional

Username used to request a login to the proxy.

password: string &log &optional

Password used to request a login to the proxy.

status: string &log &optional

Server status for the attempt at using the proxy.

request: SOCKS::Address &log &optional

Client requested SOCKS address. Could be an address, a name or both.

request_p: port &log &optional

Client requested port.

bound: SOCKS::Address &log &optional

Server bound address. Could be an address, a name or both.

bound_p: port &log &optional

Server bound port.

capture_password: bool &default = SOCKS::default_capture_password &optional

Determines if the password will be captured for this request.

The record type which contains the fields of the SOCKS log.

Events
SOCKS::log_socks
Type

event (rec: SOCKS::Info)

Event that can be handled to access the SOCKS record as it is sent on to the logging framework.

Hooks
SOCKS::finalize_socks
Type

Conn::RemovalHook

SOCKS finalization hook. Remaining SOCKS info may get logged when it’s called.

SOCKS::log_policy
Type

Log::PolicyHook

base/protocols/ssh/__load__.zeek

Imports

base/protocols/ssh/main.zeek

Summary
Detailed Interface

base/protocols/ssh/main.zeek

GLOBAL
SSH

Implements base functionality for SSH analysis. Generates the ssh.log file.

Namespaces

GLOBAL, SSH

Imports

base/protocols/conn/removal-hooks.zeek, base/utils/directions-and-hosts.zeek

Summary
Runtime Options

SSH::compression_algorithms: set &redef

The set of compression algorithms.

SSH::disable_analyzer_after_detection: bool &redef

If true, after detection detach the SSH analyzer from the connection to prevent continuing to process encrypted traffic.

Types

SSH::Info: record

The record type which contains the fields of the SSH log.

Redefinitions

Log::ID: enum

The SSH protocol logging stream identifier.

SSH::Info: record

New Fields

SSH::Info

logged: bool &default = F &optional

capabilities: SSH::Capabilities &optional

analyzer_id: count &optional

Analyzer ID.

connection: record

New Fields

connection

ssh: SSH::Info &optional

likely_server_ports: set &redef

Events

SSH::log_ssh: event

Event that can be handled to access the SSH record as it is sent on to the logging framework.

ssh_auth_failed: event

This event is generated when an SSH connection was determined to have had a failed authentication.

ssh_auth_result: event

This event is generated when a determination has been made about the final authentication result of an SSH connection.

Hooks

SSH::finalize_ssh: Conn::RemovalHook

SSH finalization hook.

SSH::log_policy: Log::PolicyHook

A default logging policy hook for the stream.

Detailed Interface
Runtime Options
SSH::compression_algorithms
Type

set [string]

Attributes

&redef

Default
{
   "zlib@openssh.com",
   "zlib"
}

The set of compression algorithms. We can’t accurately determine authentication success or failure when compression is enabled.

SSH::disable_analyzer_after_detection
Type

bool

Attributes

&redef

Default

T

If true, after detection detach the SSH analyzer from the connection to prevent continuing to process encrypted traffic. Helps with performance (especially with large file transfers).

Types
SSH::Info
Type

record

ts: time &log

Time when the SSH connection began.

uid: string &log

Unique ID for the connection.

id: conn_id &log

The connection’s 4-tuple of endpoint addresses/ports.

version: count &log &optional

SSH major version (1, 2, or unset). The version can be unset if the client and server version strings are unset, malformed or incompatible, so that no common version can be extracted. If no version can be extracted even though both client and server versions are set, a weird will be generated.

auth_success: bool &log &optional

Authentication result (T=success, F=failure, unset=unknown).

auth_attempts: count &log &default = 0 &optional

The number of authentication attempts we observed. There’s always at least one, since some servers might support no authentication at all. It’s important to note that not all of these are failures, since some servers require two-factor auth (e.g. password AND pubkey).

direction: Direction &log &optional

Direction of the connection. If the client was a local host logging into an external host, this would be OUTBOUND. INBOUND would be set for the opposite situation.

client: string &log &optional

The client’s version string.

server: string &log &optional

The server’s version string.

cipher_alg: string &log &optional

The encryption algorithm in use.

mac_alg: string &log &optional

The signing (MAC) algorithm in use.

compression_alg: string &log &optional

The compression algorithm in use.

kex_alg: string &log &optional

The key exchange algorithm in use.

host_key_alg: string &log &optional

The server host key’s algorithm.

host_key: string &log &optional

The server’s key fingerprint.

logged: bool &default = F &optional

capabilities: SSH::Capabilities &optional

analyzer_id: count &optional

Analyzer ID.

remote_location: geo_location &log &optional

(present if policy/protocols/ssh/geo-data.zeek is loaded)

Add geographic data related to the “remote” host of the connection.

The record type which contains the fields of the SSH log.

Events
SSH::log_ssh
Type

event (rec: SSH::Info)

Event that can be handled to access the SSH record as it is sent on to the logging framework.

ssh_auth_failed
Type

event (c: connection)

This event is generated when an SSH connection was determined to have had a failed authentication. This determination is based on packet size analysis, and errs on the side of caution - that is, if there’s any doubt about the authentication failure, this event is not raised.

This event is only raised once per connection.

c

The connection over which the SSH connection took place.

ssh_auth_result
Type

event (c: connection, result: bool, auth_attempts: count)

This event is generated when a determination has been made about the final authentication result of an SSH connection. This determination is based on packet size analysis, and errs on the side of caution - that is, if there’s any doubt about the result of the authentication, this event is not raised.

This event is only raised once per connection.

c

The connection over which the SSH connection took place.

result

True if the authentication was successful, false if not.

auth_attempts

The number of authentication attempts that were observed.

Hooks
SSH::finalize_ssh
Type

Conn::RemovalHook

SSH finalization hook. Remaining SSH info may get logged when it’s called.

SSH::log_policy
Type

Log::PolicyHook

A default logging policy hook for the stream.

base/protocols/syslog/__load__.zeek

Imports

base/protocols/syslog/consts.zeek, base/protocols/syslog/main.zeek

Summary
Detailed Interface

base/protocols/syslog/consts.zeek

Syslog

Constants definitions for syslog.

Namespace

Syslog

Summary
Constants

Syslog::facility_codes: table &default = function

Mapping between the constants and string values for syslog facilities.

Syslog::severity_codes: table &default = function

Mapping between the constants and string values for syslog severities.

Detailed Interface
Constants
Syslog::facility_codes
Type

table [count] of string

Attributes

&default = function

Default
{
   [19] = "LOCAL3",
   [2] = "MAIL",
   [20] = "LOCAL4",
   [14] = "ALERT",
   [15] = "CLOCK",
   [6] = "LPR",
   [16] = "LOCAL0",
   [8] = "UUCP",
   [23] = "LOCAL7",
   [9] = "CRON",
   [1] = "USER",
   [11] = "FTP",
   [999] = "UNSPECIFIED",
   [5] = "SYSLOG",
   [7] = "NEWS",
   [21] = "LOCAL5",
   [10] = "AUTHPRIV",
   [22] = "LOCAL6",
   [4] = "AUTH",
   [12] = "NTP",
   [13] = "AUDIT",
   [18] = "LOCAL2",
   [3] = "DAEMON",
   [17] = "LOCAL1",
   [0] = "KERN"
}

Mapping between the constants and string values for syslog facilities.

Syslog::severity_codes
Type

table [count] of string

Attributes

&default = function

Default
{
   [2] = "CRIT",
   [999] = "UNSPECIFIED",
   [5] = "NOTICE",
   [7] = "DEBUG",
   [3] = "ERR",
   [0] = "EMERG",
   [6] = "INFO",
   [4] = "WARNING",
   [1] = "ALERT"
}

Mapping between the constants and string values for syslog severities.

base/protocols/syslog/main.zeek

Syslog

Core script support for logging syslog messages. This script represents one syslog message as one logged record.

Namespace

Syslog

Imports

base/protocols/syslog/consts.zeek

Summary
Types

Syslog::Info: record

The record type which contains the fields of the syslog log.

Redefinitions

Log::ID: enum

connection: record

New Fields

connection

syslog: Syslog::Info &optional

likely_server_ports: set &redef

Hooks

Syslog::log_policy: Log::PolicyHook

Detailed Interface
Types
Syslog::Info
Type

record

ts: time &log

Timestamp when the syslog message was seen.

uid: string &log

Unique ID for the connection.

id: conn_id &log

The connection’s 4-tuple of endpoint addresses/ports.

proto: transport_proto &log

Protocol over which the message was seen.

facility: string &log

Syslog facility for the message.

severity: string &log

Syslog severity for the message.

message: string &log

The plain text message.

The record type which contains the fields of the syslog log.

Hooks
Syslog::log_policy
Type

Log::PolicyHook

base/protocols/tunnels/__load__.zeek

Summary
Detailed Interface

base/protocols/xmpp/__load__.zeek

Imports

base/protocols/xmpp/main.zeek

Summary
Detailed Interface

base/protocols/xmpp/main.zeek

XMPP
Namespace

XMPP

Summary
Redefinitions

likely_server_ports: set &redef

Detailed Interface

base/files/pe/__load__.zeek

Imports

base/files/pe/consts.zeek, base/files/pe/main.zeek

Summary
Detailed Interface

base/files/pe/consts.zeek

PE
Namespace

PE

Summary
Constants

PE::directories: table &default = function

PE::dll_characteristics: table &default = function

PE::file_characteristics: table &default = function

PE::machine_types: table &default = function

PE::os_versions: table &default = function

PE::section_characteristics: table &default = function

PE::section_descs: table &default = function

PE::windows_subsystems: table &default = function

Detailed Interface
Constants
PE::directories
Type

table [count] of string

Attributes

&default = function

Default
{
   [2] = "Resource Table",
   [14] = "CLR Runtime Header",
   [15] = "Reserved",
   [6] = "Debug",
   [8] = "Global Ptr",
   [9] = "TLS Table",
   [1] = "Import Table",
   [11] = "Bound Import",
   [7] = "Architecture",
   [5] = "Base Relocation Table",
   [10] = "Load Config Table",
   [4] = "Certificate Table",
   [13] = "Delay Import Descriptor",
   [12] = "IAT",
   [3] = "Exception Table",
   [0] = "Export Table"
}
PE::dll_characteristics
Type

table [count] of string

Attributes

&default = function

Default
{
   [512] = "NO_ISOLATION",
   [8192] = "WDM_DRIVER",
   [32768] = "TERMINAL_SERVER_AWARE",
   [64] = "DYNAMIC_BASE",
   [1024] = "NO_SEH",
   [2048] = "NO_BIND",
   [256] = "NX_COMPAT",
   [128] = "FORCE_INTEGRITY"
}
PE::file_characteristics
Type

table [count] of string

Attributes

&default = function

Default
{
   [32768] = "BYTES_REVERSED_HI",
   [2] = "EXECUTABLE_IMAGE",
   [16384] = "UP_SYSTEM_ONLY",
   [16] = "AGGRESSIVE_WS_TRIM",
   [4] = "LINE_NUMS_STRIPPED",
   [256] = "32BIT_MACHINE",
   [4096] = "SYSTEM",
   [128] = "BYTES_REVERSED_LO",
   [32] = "LARGE_ADDRESS_AWARE",
   [512] = "DEBUG_STRIPPED",
   [8192] = "DLL",
   [8] = "LOCAL_SYMS_STRIPPED",
   [1024] = "REMOVABLE_RUN_FROM_SWAP",
   [2048] = "NET_RUN_FROM_SWAP",
   [1] = "RELOCS_STRIPPED"
}
PE::machine_types
Type

table [count] of string

Attributes

&default = function

Default
{
   [332] = "I386",
   [448] = "ARM",
   [419] = "SH3DSP",
   [34404] = "AMD64",
   [1126] = "MIPSFPU16",
   [36929] = "M32R",
   [512] = "IA64",
   [424] = "SH5",
   [870] = "MIPSFPU",
   [496] = "POWERPC",
   [450] = "THUMB",
   [422] = "SH4",
   [3772] = "EBC",
   [467] = "AM33",
   [452] = "ARMNT",
   [614] = "MIPS16",
   [497] = "POWERPCFP",
   [358] = "R4000",
   [418] = "SH3",
   [0] = "UNKNOWN",
   [361] = "WCEMIPSV2",
   [43620] = "ARM64"
}
PE::os_versions
Type

table [count, count] of string

Attributes

&default = function

Default
{
   [2, 11] = "Windows 2.11",
   [6, 2] = "Windows 8 or Server 2012",
   [5, 0] = "Windows 2000",
   [3, 51] = "Windows NT 3.51",
   [2, 0] = "Windows 2.0",
   [3, 11] = "Windows for Workgroups 3.11",
   [5, 1] = "Windows XP",
   [3, 0] = "Windows 3.0",
   [1, 0] = "Windows 1.0",
   [10, 0] = "Windows 10",
   [4, 90] = "Windows Me",
   [5, 2] = "Windows XP x64 or Server 2003",
   [6, 1] = "Windows 7 or Server 2008 R2",
   [3, 50] = "Windows NT 3.5",
   [4, 10] = "Windows 98",
   [2, 10] = "Windows 2.10",
   [1, 1] = "Windows 1.01",
   [1, 4] = "Windows 1.04",
   [6, 3] = "Windows 8.1 or Server 2012 R2",
   [6, 0] = "Windows Vista or Server 2008",
   [3, 10] = "Windows 3.1 or NT 3.1",
   [6, 4] = "Windows 10 Technical Preview",
   [3, 2] = "Windows 3.2",
   [1, 3] = "Windows 1.03",
   [4, 0] = "Windows 95 or NT 4.0"
}
PE::section_characteristics
Type

table [count] of string

Attributes

&default = function

Default
{
   [1048576] = "ALIGN_1BYTES",
   [131072] = "MEM_16BIT",
   [64] = "CNT_INITIALIZED_DATA",
   [12582912] = "ALIGN_2048BYTES",
   [8] = "TYPE_NO_PAD",
   [7340032] = "ALIGN_64BYTES",
   [13631488] = "ALIGN_4096BYTES",
   [2147483648] = "MEM_WRITE",
   [536870912] = "MEM_EXECUTE",
   [128] = "CNT_UNINITIALIZED_DATA",
   [32] = "CNT_CODE",
   [14680064] = "ALIGN_8192BYTES",
   [6291456] = "ALIGN_32BYTES",
   [4194304] = "ALIGN_8BYTES",
   [67108864] = "MEM_NOT_CACHED",
   [5242880] = "ALIGN_16BYTES",
   [32768] = "GPREL",
   [9437184] = "ALIGN_256BYTES",
   [4096] = "LNK_COMDAT",
   [524288] = "MEM_PRELOAD",
   [16777216] = "LNK_NRELOC_OVFL",
   [33554432] = "MEM_DISCARDABLE",
   [512] = "LNK_INFO",
   [11534336] = "ALIGN_1024BYTES",
   [262144] = "MEM_LOCKED",
   [3145728] = "ALIGN_4BYTES",
   [256] = "LNK_OTHER",
   [268435456] = "MEM_SHARED",
   [1073741824] = "MEM_READ",
   [2048] = "LNK_REMOVE",
   [10485760] = "ALIGN_512BYTES",
   [8388608] = "ALIGN_128BYTES",
   [2097152] = "ALIGN_2BYTES",
   [134217728] = "MEM_NOT_PAGED"
}
PE::section_descs
Type

table [string] of string

Attributes

&default = function

Default
{
   [".debug$P"] = "Precompiled debug types",
   [".drective"] = "Linker options",
   [".text"] = "Executable code",
   [".idata"] = "Import tables",
   [".sbss"] = "GP-relative uninitialized data",
   [".idlsym"] = "Includes registered SEH to support IDL attributes",
   [".edata"] = "Export tables",
   [".sdata"] = "GP-relative initialized data",
   [".rdata"] = "Read-only initialized data",
   [".pdata"] = "Exception information",
   [".debug$S"] = "Debug symbols",
   [".tls$"] = "Thread-local storage",
   [".reloc"] = "Image relocations",
   [".debug$F"] = "Generated FPO debug information",
   [".bss"] = "Uninitialized data",
   [".debug$T"] = "Debug types",
   [".cormeta"] = "CLR metadata that indicates that the object file contains managed code",
   [".tls"] = "Thread-local storage",
   [".sxdata"] = "Registered exception handler data",
   [".vsdata"] = "GP-relative initialized data",
   [".rsrc"] = "Resource directory",
   [".srdata"] = "GP-relative read-only data",
   [".data"] = "Initialized data",
   [".xdata"] = "Exception information"
}
PE::windows_subsystems
Type

table [count] of string

Attributes

&default = function

Default
{
   [2] = "WINDOWS_GUI",
   [11] = "EFI_BOOT_SERVICE_DRIVER",
   [7] = "POSIX_CUI",
   [10] = "EFI_APPLICATION",
   [14] = "XBOX",
   [13] = "EFI_ROM",
   [12] = "EFI_RUNTIME_DRIVER",
   [3] = "WINDOWS_CUI",
   [9] = "WINDOWS_CE_GUI",
   [0] = "UNKNOWN",
   [1] = "NATIVE"
}

base/files/pe/main.zeek

PE
Namespace

PE

Imports

base/files/pe/consts.zeek

Summary
Types

PE::Info: record

Redefinitions

Log::ID: enum

fa_file: record &redef

New Fields

fa_file

pe: PE::Info &optional

Events

PE::log_pe: event

Event for accessing logged records.

Hooks

PE::log_policy: Log::PolicyHook

PE::set_file: hook

A hook that gets called when we first see a PE file.

Detailed Interface
Types
PE::Info
Type

record

ts: time &log

Current timestamp.

id: string &log

File id of this portable executable file.

machine: string &log &optional

The target machine that the file was compiled for.

compile_ts: time &log &optional

The time that the file was created at.

os: string &log &optional

The required operating system.

subsystem: string &log &optional

The subsystem that is required to run this file.

is_exe: bool &log &default = T &optional

Is the file an executable, or just an object file?

is_64bit: bool &log &default = T &optional

Is the file a 64-bit executable?

uses_aslr: bool &log &default = F &optional

Does the file support Address Space Layout Randomization?

uses_dep: bool &log &default = F &optional

Does the file support Data Execution Prevention?

uses_code_integrity: bool &log &default = F &optional

Does the file enforce code integrity checks?

uses_seh: bool &log &default = T &optional

Does the file use structured exception handling?

has_import_table: bool &log &optional

Does the file have an import table?

has_export_table: bool &log &optional

Does the file have an export table?

has_cert_table: bool &log &optional

Does the file have an attribute certificate table?

has_debug_data: bool &log &optional

Does the file have a debug table?

section_names: vector of string &log &optional

The names of the sections, in order.

Events
PE::log_pe
Type

event (rec: PE::Info)

Event for accessing logged records.

Hooks
PE::log_policy
Type

Log::PolicyHook

PE::set_file
Type

hook (f: fa_file) : bool

A hook that gets called when we first see a PE file.
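The PE::Info record above records which exploit mitigations a binary opts into and which sections it carries. As an added example (not code from the Zeek distribution), the script below handles PE::log_pe and raises a notice for executables that lack ASLR, DEP or code-integrity support or that contain section names absent from PE::section_descs. The module name PEChecks and the notice type Weak_Binary are made up here; the flag names in the messages (DYNAMIC_BASE, NX_COMPAT, FORCE_INTEGRITY) are the PE::dll_characteristics entries these fields are assumed to correspond to.

```zeek
# Added example, not Zeek's own code: flag PE executables with weak build-time
# mitigations or unusual section names, using only fields of PE::Info.
@load base/files/pe
@load base/frameworks/notice

module PEChecks;

export {
    redef enum Notice::Type += {
        ## A PE executable lacks ASLR, DEP or code-integrity support, or
        ## carries section names not listed in PE::section_descs.
        Weak_Binary,
    };
}

## Returns the findings for one PE::Info record (empty vector if none).
function findings(rec: PE::Info): vector of string
    {
    local out: vector of string = vector();

    # Object files have no optional header, which is where the DLL
    # characteristics live, so only judge real executables.
    if ( ! rec$is_exe )
        return out;

    if ( ! rec$uses_aslr )
        out += "no ASLR (DYNAMIC_BASE)";
    if ( ! rec$uses_dep )
        out += "no DEP (NX_COMPAT)";
    if ( ! rec$uses_code_integrity )
        out += "no code integrity (FORCE_INTEGRITY)";

    if ( rec?$section_names )
        for ( i in rec$section_names )
            {
            local name = rec$section_names[i];
            # A membership test does not invoke the table's &default function,
            # so unknown names are detected rather than mapped to a default.
            if ( name !in PE::section_descs )
                out += fmt("unrecognized section %s", name);
            }

    return out;
    }

event PE::log_pe(rec: PE::Info)
    {
    local f = findings(rec);
    if ( |f| == 0 )
        return;

    NOTICE([$note=Weak_Binary,
            $msg=fmt("PE file %s: %s", rec$id, join_string_vec(f, "; ")),
            $sub=(rec?$machine ? rec$machine : "unknown machine"),
            $identifier=rec$id]);
    }
```

Because PE::Info carries the file ID rather than a connection, the notice is keyed on rec$id; join it against files.log (fuid) to recover the transferring connection and the host that received the binary. Packed or hand-crafted binaries frequently show up through the unrecognized-section check, so expect some tuning of which section names your environment considers normal.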

base/files/extract/__load__.zeek

Imports

base/files/extract/main.zeek

Summary
Detailed Interface

base/files/extract/main.zeek

FileExtract
Namespace

FileExtract

Imports

base/frameworks/files, base/utils/paths.zeek

Summary
Runtime Options

FileExtract::default_limit: count &redef

The default max size for extracted files (they won’t exceed this number of bytes).

Redefinable Options

FileExtract::prefix: string &redef

The prefix where files are extracted to.

Redefinitions

Files::AnalyzerArgs: record &redef

New Fields

Files::AnalyzerArgs

extract_filename: string &optional

The local filename to which to write an extracted file.

extract_limit: count &default = FileExtract::default_limit &optional

The maximum allowed file size in bytes of extract_filename.

Files::Info: record &redef

New Fields

Files::Info

extracted: string &optional &log

Local filename of extracted file.

extracted_cutoff: bool &optional &log

Set to true if the file being extracted was cut off so the whole file was not logged.

extracted_size: count &optional &log

The number of bytes extracted to disk.

Functions

FileExtract::set_limit: function

Sets the maximum allowed extracted file size.

Detailed Interface
Runtime Options
FileExtract::default_limit
Type

count

Attributes

&redef

Default

0

Redefinition

from policy/tuning/defaults/extracted_file_limits.zeek

=:

104857600

The default max size for extracted files (they won’t exceed this number of bytes). A value of zero means unlimited.

Redefinable Options
FileExtract::prefix
Type

string

Attributes

&redef

Default

"./extract_files/"

The prefix where files are extracted to.

Functions
FileExtract::set_limit
Type

function (f: fa_file, args: Files::AnalyzerArgs, n: count) : bool

Sets the maximum allowed extracted file size.

F

A file that’s being extracted.

Args

Arguments that identify a file extraction analyzer.

N

Allowed number of bytes to be extracted.

Returns

false if a file extraction analyzer wasn’t active for the file, else true.
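The FileExtract options and FileExtract::set_limit above are what a deployment uses to carve files to disk selectively. As an added example (not the Zeek distribution's code), the script below extracts files whose sniffed MIME type is in an assumed set, names each extracted file after its Zeek file ID, raises the per-file limit with FileExtract::set_limit while checking its return value, and reports files that hit the cutoff. The module name ExtractPE, the extraction directory and the size values are assumptions.

```zeek
# Added example, not Zeek's own code: selective file extraction with
# explicit size limits and cutoff reporting.
@load base/files/extract
@load base/frameworks/reporter

module ExtractPE;

# Where extracted files land (assumed path). Must exist and be writable by
# the Zeek process; the default is "./extract_files/".
redef FileExtract::prefix = "/var/lib/zeek/extract/";

# Cap every extraction at 20 MB unless raised per file below (assumed value).
redef FileExtract::default_limit = 20 * 1024 * 1024;

export {
    ## MIME types worth carving. "application/x-dosexec" is the type Zeek's
    ## signatures assign to PE files (assumed); extend as needed.
    const extract_types: set[string] = { "application/x-dosexec" } &redef;
}

event file_sniff(f: fa_file, meta: fa_metadata)
    {
    if ( ! meta?$mime_type || meta$mime_type !in extract_types )
        return;

    # Name by source and file ID so the file joins cleanly with files.log.
    local fname = fmt("%s-%s.bin", f$source, f$id);
    local args = Files::AnalyzerArgs($extract_filename=fname);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, args);

    # Raise the limit for this file only. set_limit returns F when no
    # extraction analyzer is attached to the file, which is worth knowing.
    if ( ! FileExtract::set_limit(f, args, 50 * 1024 * 1024) )
        Reporter::warning(fmt("no extraction analyzer active for %s", f$id));
    }

event file_state_remove(f: fa_file)
    {
    if ( ! f?$info || ! f$info?$extracted )
        return;

    # extracted_cutoff is set when the limit truncated the file; the bytes
    # on disk (extracted_size) are then shorter than the file on the wire.
    if ( f$info?$extracted_cutoff && f$info$extracted_cutoff )
        {
        local n = f$info?$extracted_size ? f$info$extracted_size : 0;
        Reporter::info(fmt("%s truncated at %d bytes: %s", f$id, n, f$info$extracted));
        }
    }
```

The extraction directory holds whatever crossed the wire, including malware, so keep it on a dedicated filesystem with a size quota and outside any path that other services execute or serve from. A limit of zero means unlimited, which on a busy sensor can fill the disk quickly; the policy script policy/tuning/defaults/extracted_file_limits.zeek sets 104857600 bytes as a safer default.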

base/misc/find-checksum-offloading.zeek

ChecksumOffloading

Discover cases where the local interface is sniffed and outbound packets have checksum offloading. Load this script to receive a notice if it’s likely that checksum offload effects are being seen on a live interface or in a packet trace file.

Namespace

ChecksumOffloading

Imports

base/frameworks/notice

Summary
Redefinable Options

ChecksumOffloading::check_interval: interval &redef

The interval which is used for checking packet statistics to see if checksum offloading is affecting analysis.

Detailed Interface
Redefinable Options
ChecksumOffloading::check_interval
Type

interval

Attributes

&redef

Default

10.0 secs

The interval which is used for checking packet statistics to see if checksum offloading is affecting analysis.

base/misc/find-filtered-trace.zeek

FilteredTraceDetection

Discovers trace files that contain TCP traffic consisting only of control packets (e.g. it’s been filtered to contain only SYN/FIN/RST packets and no content). On finding such a trace, a warning is emitted that suggests toggling the detect_filtered_trace option may be desired if the user does not want Zeek to report missing TCP segments.

Namespace

FilteredTraceDetection

Summary
State Variables

FilteredTraceDetection::enable: bool &redef

Flag to enable filtered trace file detection and warning message.

Detailed Interface
State Variables
FilteredTraceDetection::enable
Type

bool

Attributes

&redef

Default

T

Flag to enable filtered trace file detection and warning message.

base/misc/installation.zeek

Installation

This module collects properties of the Zeek installation.

Directories are absolute and guaranteed to exist. Not all are necessarily in operational use – this depends on how you’re running Zeek (as a standalone process or clusterized, via zeekctl or the Management framework, etc).

For details about Zeek’s version, see the Version module.

Namespace

Installation

Summary
Constants

Installation::etc_dir: string

The installation’s configuration directory.

Installation::log_dir: string

The installation’s log directory.

Installation::root_dir: string

Zeek installation root directory.

Installation::spool_dir: string

The installation’s spool directory.

Installation::state_dir: string

The installation’s variable-state directory.

Detailed Interface
Constants
Installation::etc_dir
Type

string

Default

"/usr/local/zeek/etc"

The installation’s configuration directory.

Installation::log_dir
Type

string

Default

"/usr/local/zeek/logs"

The installation’s log directory.

Installation::root_dir
Type

string

Default

"/usr/local/zeek"

Zeek installation root directory.

Installation::spool_dir
Type

string

Default

"/usr/local/zeek/spool"

The installation’s spool directory.

Installation::state_dir
Type

string

Default

"/usr/local/zeek/var/lib"

The installation’s variable-state directory.

base/misc/version.zeek

Version

Provide information about the currently running Zeek version. The most convenient way to access this is through the Version::number and Version::info constants.

Namespace

Version

Imports

base/frameworks/reporter, base/utils/strings.zeek

Summary
Constants

Version::info: Version::VersionDescription

VersionDescription record pertaining to the currently running version of Zeek.

Version::number: count

Version number of the currently running version of Zeek as a numeric representation.

Types

Version::VersionDescription: record

A type exactly describing a Zeek version

Functions

Version::at_least: function

Test if the current running version of Zeek is greater or equal to the given version string.

Version::parse: function

Parse a given version string.

Detailed Interface
Constants
Version::info
Type

Version::VersionDescription

VersionDescription record pertaining to the currently running version of Zeek.

Version::number
Type

count

Version number of the currently running version of Zeek as a numeric representation. The format of the number is ABBCC with A being the major version, BB being the minor version (2 digits) and CC being the patchlevel (2 digits). As an example, Zeek 2.4.1 results in the number 20401.

Types
Version::VersionDescription
Type

record

version_number: count

Number representing the version which can be used for easy comparison. The format of the number is ABBCC with A being the major version, BB being the minor version (2 digits) and CC being the patchlevel (2 digits). As an example, Zeek 2.4.1 results in the number 20401.

major: count

Major version number (e.g. 2 for 2.5)

minor: count

Minor version number (e.g. 5 for 2.5)

patch: count

Patch version number (e.g. 0 for 2.5 or 1 for 2.4.1)

commit: count

Commit number for development versions. Versions prior to 3.0.0, like “2.4-12”, use a post-release commit number (12 commits after the 2.4 release). Versions after 3.0.0, like “3.1.0-dev.37”, use a pre-release commit number (37 commits into the development cycle for 3.1.0). For non-development versions this number will be zero.

beta: bool

If set to true, the version is a beta build of Zeek. These versions may start like “2.6-beta” or “3.0.0-rc” (the “rc” form started being used for 3.0.0 and later).

debug: bool

If set to true, the version is a debug build

version_string: string

String representation of this version

A type exactly describing a Zeek version

Functions
Version::at_least
Type

function (version_string: string) : bool

Test if the current running version of Zeek is greater or equal to the given version string.

Version_string

Version to check against the current running version.

Returns

True if running version greater or equal to the given version.

Version::parse
Type

function (version_string: string) : Version::VersionDescription

Parse a given version string.

Version_string

Zeek version string.

Returns

VersionDescription record.
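Version::at_least is most useful inside an @if directive, which is evaluated when the script is parsed, so a branch written for an API that only exists in newer Zeek releases is never compiled on older ones. As an added example (not code from the Zeek distribution), the script below guards a code path on an assumed minimum version of 5.0.0 and wraps Version::parse in a helper that returns the ABBCC number described above; the module name VersionGuard is made up here.

```zeek
# Added example, not Zeek's own code: version-gated script loading and
# numeric comparison of version strings.
@load base/misc/version
@load base/frameworks/reporter

module VersionGuard;

# The threshold is an assumed value. Version::at_least compares the ABBCC
# form of both versions, so "5.0.0" is matched against Version::number.
@if ( Version::at_least("5.0.0") )
event zeek_init()
    {
    print fmt("Zeek %s (%d): using the 5.x code path",
              Version::info$version_string, Version::number);
    }
@else
event zeek_init()
    {
    Reporter::warning(fmt("Zeek %s is older than 5.0.0; using the legacy code path",
                          Version::info$version_string));
    }
@endif

## Returns the ABBCC number of any Zeek version string. "3.1.0-dev.37"
## yields 30100: the development suffix only populates the commit field.
function number_of(vs: string): count
    {
    return Version::parse(vs)$version_number;
    }

## Returns T if the running Zeek is a beta or debug build, which is worth
## surfacing in a production deployment's startup log.
function is_nonrelease_build(): bool
    {
    return Version::info$beta || Version::info$debug;
    }
```

The @if form matters when the gated code references identifiers that do not exist in older releases: a plain runtime check would still fail to parse on those versions.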

builtin-plugins/__preload__.zeek

Summary
Detailed Interface

builtin-plugins/__load__.zeek

Summary
Detailed Interface

zeekygen/__load__.zeek

Imports

policy/frameworks/control/controllee.zeek, policy/frameworks/control/controller.zeek, policy/frameworks/files/extract-all-files.zeek, policy/frameworks/management/agent/main.zeek, policy/frameworks/management/controller/main.zeek, policy/frameworks/management/node/__load__.zeek, policy/frameworks/management/node/main.zeek, policy/misc/dump-events.zeek, policy/protocols/conn/speculative-service.zeek, policy/protocols/ssl/decryption.zeek, policy/protocols/ssl/extract-certs-pem.zeek, policy/protocols/ssl/notary.zeek, test-all-policy.zeek, zeekygen/example.zeek

Summary
Detailed Interface

test-all-policy.zeek

Imports

policy/files/unified2/__load__.zeek, policy/files/unified2/main.zeek, policy/files/x509/disable-certificate-events-known-certs.zeek, policy/files/x509/log-ocsp.zeek, policy/frameworks/dpd/detect-protocols.zeek, policy/frameworks/dpd/packet-segment-logging.zeek, policy/frameworks/files/detect-MHR.zeek, policy/frameworks/files/entropy-test-all-files.zeek, policy/frameworks/files/hash-all-files.zeek, policy/frameworks/intel/do_expire.zeek, policy/frameworks/intel/do_notice.zeek, policy/frameworks/intel/removal.zeek, policy/frameworks/intel/seen/__load__.zeek, policy/frameworks/intel/seen/conn-established.zeek, policy/frameworks/intel/seen/dns.zeek, policy/frameworks/intel/seen/file-hashes.zeek, policy/frameworks/intel/seen/file-names.zeek, policy/frameworks/intel/seen/http-headers.zeek, policy/frameworks/intel/seen/http-url.zeek, policy/frameworks/intel/seen/pubkey-hashes.zeek, policy/frameworks/intel/seen/smb-filenames.zeek, policy/frameworks/intel/seen/smtp-url-extraction.zeek, policy/frameworks/intel/seen/smtp.zeek, policy/frameworks/intel/seen/ssl.zeek, policy/frameworks/intel/seen/where-locations.zeek, policy/frameworks/intel/seen/x509.zeek, policy/frameworks/intel/whitelist.zeek, policy/frameworks/management/__load__.zeek, policy/frameworks/management/agent/__load__.zeek, policy/frameworks/management/agent/api.zeek, policy/frameworks/management/agent/boot.zeek, policy/frameworks/management/agent/config.zeek, policy/frameworks/management/config.zeek, policy/frameworks/management/controller/__load__.zeek, policy/frameworks/management/controller/api.zeek, policy/frameworks/management/controller/boot.zeek, policy/frameworks/management/controller/config.zeek, policy/frameworks/management/log.zeek, policy/frameworks/management/node/api.zeek, policy/frameworks/management/node/config.zeek, policy/frameworks/management/persistence.zeek, policy/frameworks/management/request.zeek, policy/frameworks/management/supervisor/__load__.zeek, 
policy/frameworks/management/supervisor/api.zeek, policy/frameworks/management/supervisor/config.zeek, policy/frameworks/management/supervisor/main.zeek, policy/frameworks/management/types.zeek, policy/frameworks/management/util.zeek, policy/frameworks/netcontrol/catch-and-release.zeek, policy/frameworks/notice/__load__.zeek, policy/frameworks/notice/actions/drop.zeek, policy/frameworks/notice/extend-email/hostnames.zeek, policy/frameworks/packet-filter/shunt.zeek, policy/frameworks/software/version-changes.zeek, policy/frameworks/software/vulnerable.zeek, policy/frameworks/software/windows-version-detection.zeek, policy/integration/barnyard2/__load__.zeek, policy/integration/barnyard2/main.zeek, policy/integration/barnyard2/types.zeek, policy/integration/collective-intel/__load__.zeek, policy/integration/collective-intel/main.zeek, policy/misc/capture-loss.zeek, policy/misc/detect-traceroute/__load__.zeek, policy/misc/detect-traceroute/main.zeek, policy/misc/load-balancing.zeek, policy/misc/loaded-scripts.zeek, policy/misc/profiling.zeek, policy/misc/scan.zeek, policy/misc/stats.zeek, policy/misc/trim-trace-file.zeek, policy/misc/unknown-protocols.zeek, policy/misc/weird-stats.zeek, policy/protocols/conn/known-hosts.zeek, policy/protocols/conn/known-services.zeek, policy/protocols/conn/mac-logging.zeek, policy/protocols/conn/vlan-logging.zeek, policy/protocols/conn/weirds.zeek, policy/protocols/dhcp/msg-orig.zeek, policy/protocols/dhcp/software.zeek, policy/protocols/dhcp/sub-opts.zeek, policy/protocols/dns/auth-addl.zeek, policy/protocols/dns/detect-external-names.zeek, policy/protocols/dns/log-original-query-case.zeek, policy/protocols/ftp/detect-bruteforcing.zeek, policy/protocols/ftp/detect.zeek, policy/protocols/ftp/software.zeek, policy/protocols/http/detect-sqli.zeek, policy/protocols/http/detect-webapps.zeek, policy/protocols/http/header-names.zeek, policy/protocols/http/software-browser-plugins.zeek, policy/protocols/http/software.zeek, 
policy/protocols/http/var-extraction-cookies.zeek, policy/protocols/http/var-extraction-uri.zeek, policy/protocols/krb/ticket-logging.zeek, policy/protocols/modbus/known-masters-slaves.zeek, policy/protocols/modbus/track-memmap.zeek, policy/protocols/mqtt/__load__.zeek, policy/protocols/mqtt/main.zeek, policy/protocols/mysql/software.zeek, policy/protocols/rdp/indicate_ssl.zeek, policy/protocols/smb/log-cmds.zeek, policy/protocols/smtp/blocklists.zeek, policy/protocols/smtp/detect-suspicious-orig.zeek, policy/protocols/smtp/entities-excerpt.zeek, policy/protocols/smtp/software.zeek, policy/protocols/ssh/detect-bruteforcing.zeek, policy/protocols/ssh/geo-data.zeek, policy/protocols/ssh/interesting-hostnames.zeek, policy/protocols/ssh/software.zeek, policy/protocols/ssl/decryption.zeek, policy/protocols/ssl/expiring-certs.zeek, policy/protocols/ssl/heartbleed.zeek, policy/protocols/ssl/known-certs.zeek, policy/protocols/ssl/log-certs-base64.zeek, policy/protocols/ssl/log-hostcerts-only.zeek, policy/protocols/ssl/ssl-log-ext.zeek, policy/protocols/ssl/validate-certs.zeek, policy/protocols/ssl/validate-ocsp.zeek, policy/protocols/ssl/validate-sct.zeek, policy/protocols/ssl/weak-keys.zeek, policy/tuning/__load__.zeek, policy/tuning/defaults/__load__.zeek, policy/tuning/defaults/extracted_file_limits.zeek, policy/tuning/defaults/packet-fragments.zeek, policy/tuning/defaults/warnings.zeek, policy/tuning/json-logs.zeek, policy/tuning/track-all-assets.zeek

Summary
Detailed Interface

policy/frameworks/management/agent/__load__.zeek

The entry point for the Management framework’s cluster agent. It runs bootstrap logic for launching an agent process via Zeek’s Supervisor.

Summary
Detailed Interface

policy/frameworks/management/agent/api.zeek

Management::Agent::API

The event API of cluster agents. Most endpoints consist of event pairs, where the agent answers a request event with a corresponding response event. Such event pairs share the same name prefix and end in “_request” and “_response”, respectively.

Namespace

Management::Agent::API

Imports

base/frameworks/supervisor/control.zeek, policy/frameworks/management/types.zeek

Summary
Constants

Management::Agent::API::version: count

A simple versioning scheme, used to track basic compatibility of controller and agent.

Events

Management::Agent::API::agent_standby_request: event

The controller sends this event to convey that the agent is not currently required.

Management::Agent::API::agent_standby_response: event

Response to a Management::Agent::API::agent_standby_request event.

Management::Agent::API::agent_welcome_request: event

The controller sends this event to confirm to the agent that it is part of the current cluster topology.

Management::Agent::API::agent_welcome_response: event

Response to a Management::Agent::API::agent_welcome_request event.

Management::Agent::API::deploy_request: event

The controller sends this event to deploy a cluster configuration to this instance.

Management::Agent::API::deploy_response: event

Response to a Management::Agent::API::deploy_request event.

Management::Agent::API::get_nodes_request: event

The controller sends this event to request a list of Management::NodeStatus records that capture the status of Supervisor-managed nodes running on this instance.

Management::Agent::API::get_nodes_response: event

Response to a Management::Agent::API::get_nodes_request event.

Management::Agent::API::node_dispatch_request: event

The controller sends this to every agent to request a dispatch (the execution of a pre-implemented activity) to all cluster nodes.

Management::Agent::API::node_dispatch_response: event

Response to a Management::Agent::API::node_dispatch_request event.

Management::Agent::API::notify_agent_hello: event

The agent sends this event upon peering as a “check-in”, informing the controller that an agent of the given name is now available to communicate with.

Management::Agent::API::notify_change: event

Management::Agent::API::notify_error: event

Management::Agent::API::notify_log: event

Management::Agent::API::restart_request: event

The controller sends this event to ask the agent to restart currently running Zeek cluster nodes.

Management::Agent::API::restart_response: event

Response to a Management::Agent::API::restart_request event.

Detailed Interface
Constants
Management::Agent::API::version
Type

count

Default

1

A simple versioning scheme, used to track basic compatibility of controller and agent.

Events
Management::Agent::API::agent_standby_request
Type

event (reqid: string)

The controller sends this event to convey that the agent is not currently required. This status may later change, depending on updates from the client, so the Broker-level peering can remain active. The agent releases any cluster-related resources (including shutdown of existing Zeek cluster nodes) when processing the request, and confirms via the response event. Shutting down an agent at this point has no operational impact on the running cluster.

Reqid

a request identifier string, echoed in the response event.

Management::Agent::API::agent_standby_response
Type

event (reqid: string, result: Management::Result)

Response to a Management::Agent::API::agent_standby_request event. The agent sends this back to the controller.

Reqid

the request identifier used in the request event.

Result

the result record.

Management::Agent::API::agent_welcome_request
Type

event (reqid: string)

The controller sends this event to confirm to the agent that it is part of the current cluster topology. The agent acknowledges with a Management::Agent::API::agent_welcome_response event, upon which the controller may proceed with a cluster deployment to this agent.

Reqid

a request identifier string, echoed in the response event.

Management::Agent::API::agent_welcome_response
Type

event (reqid: string, result: Management::Result)

Response to a Management::Agent::API::agent_welcome_request event. The agent sends this back to the controller.

Reqid

the request identifier used in the request event.

Result

the result record.

Management::Agent::API::deploy_request
Type

event (reqid: string, config: Management::Configuration, force: bool &default = F &optional)

The controller sends this event to deploy a cluster configuration to this instance. Once processed, the agent responds with a Management::Agent::API::deploy_response event.

Reqid

a request identifier string, echoed in the response event.

Config

a Management::Configuration record describing the cluster topology. This contains the full topology, not just the part pertaining to this instance: the cluster framework requires full cluster visibility to establish needed peerings.

Force

whether to re-deploy (i.e., restart its Zeek cluster nodes) when the agent already runs this configuration. This relies on the config ID to determine config equality.

Management::Agent::API::deploy_response
Type

event (reqid: string, results: Management::ResultVec)

Response to a Management::Agent::API::deploy_request event. The agent sends this back to the controller.

Reqid

the request identifier used in the request event.

Results

A vector of Management::Result records, each capturing the outcome of a single launched node. For failing nodes, the result’s data field is a Management::NodeOutputs record.

Management::Agent::API::get_nodes_request
Type

event (reqid: string)

The controller sends this event to request a list of Management::NodeStatus records that capture the status of Supervisor-managed nodes running on this instance.

Reqid

a request identifier string, echoed in the response event.

Management::Agent::API::get_nodes_response
Type

event (reqid: string, result: Management::Result)

Response to a Management::Agent::API::get_nodes_request event. The agent sends this back to the controller.

Reqid

the request identifier used in the request event.

Result

a Management::Result record. Its data member is a vector of Management::NodeStatus records, covering the nodes at this instance. The result may also indicate failure, with error messages indicating what went wrong.

Management::Agent::API::node_dispatch_request
Type

event (reqid: string, action: vector of string, nodes: set [string] &default = {  } &optional)

The controller sends this to every agent to request a dispatch (the execution of a pre-implemented activity) to all cluster nodes. This is the generic controller-agent “back-end” implementation of explicit client-controller “front-end” interactions, including:

Reqid

a request identifier string, echoed in the response event.

Action

the requested dispatch command, with any arguments.

Nodes

a set of cluster node names (e.g. “worker-01”) to retrieve the values from. An empty set, supplied by default, means retrieval from all nodes managed by the agent.

Management::Agent::API::node_dispatch_response
Type

event (reqid: string, results: Management::ResultVec)

Response to a Management::Agent::API::node_dispatch_request event. Each agent sends this back to the controller to report the dispatch outcomes on all nodes managed by that agent.

Reqid

the request identifier used in the request event.

Results

a vector of Management::Result records. Each record covers one Zeek cluster node managed by this agent. Upon success, each Management::Result record’s data member contains the dispatches’ response in a data type appropriate for the respective dispatch.

Management::Agent::API::notify_agent_hello
Type

event (instance: string, id: string, connecting: bool, api_version: count)

The agent sends this event upon peering as a “check-in”, informing the controller that an agent of the given name is now available to communicate with. It is a controller-level equivalent of Broker::peer_added and triggered by it.

Instance

an instance name, really the agent’s name as per Management::Agent::get_name.

Id

the Broker ID of the agent.

Connecting

true if this agent connected to the controller, false if the controller connected to the agent.

Api_version

the API version of this agent.

Management::Agent::API::notify_change
Type

event (instance: string, n: Management::Node, old: Management::State, new: Management::State)

Management::Agent::API::notify_error
Type

event (instance: string, msg: string, node: string &default = "" &optional)

Management::Agent::API::notify_log
Type

event (instance: string, msg: string, node: string &default = "" &optional)

Management::Agent::API::restart_request
Type

event (reqid: string, nodes: set [string] &default = {  } &optional)

The controller sends this event to ask the agent to restart currently running Zeek cluster nodes. For nodes currently running, the agent places these nodes into PENDING state and sends restart events to the Supervisor, rendering its responses into a list of Management::Result records summarizing each node restart. When restarted nodes check in with the agent, they switch back to RUNNING state. The agent ignores nodes not currently running.

Reqid

a request identifier string, echoed in the response event.

Nodes

a set of cluster node names (e.g. “worker-01”) to restart. An empty set, supplied by default, means restart of all of the agent’s current cluster nodes.

Management::Agent::API::restart_response
Type

event (reqid: string, results: Management::ResultVec)

Response to a Management::Agent::API::restart_request event. The agent sends this back to the controller when the Supervisor has restarted all nodes affected, or a timeout occurs.

Reqid

the request identifier used in the request event.

Results

a vector of Management::Result, one for each Supervisor transaction. Each such result identifies both the instance and node.
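Every request/response pair above is correlated by the reqid string the requester chooses and the agent echoes back. As an added example (not code from the Zeek distribution or the Management framework), the script below shows the controller side of one get_nodes_request/get_nodes_response exchange: it tracks outstanding request IDs so that stray or duplicate responses are ignored, and summarizes the result with Management::result_to_string. The Broker topic string, the module name AgentPoll, and the Management::Result fields success and data (plus the node field of Management::NodeStatus) are assumptions; the framework's real topic naming is derived from the agent name (see Management::Agent::get_name).

```zeek
# Added example, not the Management framework's own code: issue a
# get_nodes_request to one agent and consume the matching response.
@load policy/frameworks/management/types
@load policy/frameworks/management/agent/api

module AgentPoll;

## Topic the target agent subscribes to (assumed value; the framework
## derives the real topic from the agent's name).
const agent_topic = "zeek/management/agent/example-agent" &redef;

# Requests in flight, keyed by reqid. A response whose reqid is not here is
# either not ours or has already been handled, and is dropped.
global pending: set[string];

## Sends a get_nodes_request and returns the reqid chosen for it.
function request_nodes(): string
    {
    local reqid = unique_id("");
    add pending[reqid];
    Broker::publish(agent_topic, Management::Agent::API::get_nodes_request, reqid);
    return reqid;
    }

event Management::Agent::API::get_nodes_response(reqid: string, result: Management::Result)
    {
    if ( reqid !in pending )
        return;
    delete pending[reqid];

    print Management::result_to_string(result);

    # Assumed Result fields: success (bool) and data (any). For this request
    # the data member is documented above as a vector of NodeStatus records.
    if ( ! result$success || ! result?$data )
        return;

    local statuses = result$data as Management::NodeStatusVec;
    for ( i in statuses )
        print fmt("node %s reported by agent", statuses[i]$node);
    }

event zeek_init()
    {
    request_nodes();
    }
```

Keying on reqid rather than on the event alone is what lets several concurrent requests to the same agent be told apart, and dropping unknown IDs means a replayed or late response cannot be mistaken for the answer to a newer request. Note that this handler only fires if the controller is subscribed to the topic the agent publishes its responses on, which the Management framework sets up on the controller for you.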

policy/frameworks/management/types.zeek

Management

This module holds the basic types needed for the Management framework. These are used by both cluster agent and controller, and several have corresponding implementations in zeek-client.

Namespace

Management

Summary
Types

Management::Configuration: record

Data structure capturing a cluster’s complete configuration.

Management::Instance: record

Configuration describing a Zeek instance running a Cluster Agent.

Management::InstanceVec: vector

Management::Node: record

Configuration describing a Cluster Node process.

Management::NodeOutputs: record

In Management::Controller::API::deploy_response events, each Management::Result indicates the outcome of a launched cluster node.

Management::NodeStatus: record

The status of a Supervisor-managed node, as reported to the client in a get_nodes_request/get_nodes_response transaction.

Management::NodeStatusVec: vector

Management::Option: record

A Zeek-side option with value.

Management::Result: record

Return value for request-response API event pairs.

Management::ResultVec: vector

Management::Role: enum

Management infrastructure node type.

Management::State: enum

State that a Cluster Node can be in.

Functions

Management::result_to_string: function

Given a Management::Result record, this function returns a string summarizing it.

Management::result_vec_to_string: function

Given a vector of Management::Result records, this function returns a string summarizing them.

Detailed Interface
Types
Management::Configuration
Type

record

id: string &default = Chd8EgFWk2j &optional

Unique identifier for a particular configuration

instances: set [Management::Instance] &default = {  } &optional

The instances in the cluster.

nodes: set [Management::Node] &default = {  } &optional

The set of nodes in the cluster, as distributed over the instances.

Data structure capturing a cluster’s complete configuration.

Management::Instance
Type

record

name: string

Unique, human-readable instance name

host: addr

IP address of system

listen_port: port &optional

Agent listening port. Not needed if agents connect to controller.

Configuration describing a Zeek instance running a Cluster Agent. Normally, there’ll be one instance per cluster system: a single physical system.

Management::InstanceVec
Type

vector of Management::Instance

Management::Node
Type

record

name: string

Cluster-unique, human-readable node name

instance: string

Name of instance where node is to run

role: Supervisor::ClusterRole

Role of the node.

state: Management::State

Desired, or current, run state.

p: port &optional

Port on which this node will listen

scripts: vector of string &optional

Additional Zeek scripts for node

options: set [Management::Option] &optional

Zeek options for node

interface: string &optional

Interface to sniff

cpu_affinity: int &optional

CPU/core number to pin to

env: table [string] of string &default = {  } &optional

Custom environment vars

Configuration describing a Cluster Node process.

Management::NodeOutputs
Type

record

stdout: string

The stdout stream of a Zeek process

stderr: string

The stderr stream of a Zeek process

In Management::Controller::API::deploy_response events, each Management::Result indicates the outcome of a launched cluster node. If a node does not launch properly (meaning it doesn’t check in with the agent on the machine it’s running on), the result will indicate failure, and its data field will be an instance of this record, capturing the stdout and stderr output of the failing node.

Management::NodeStatus
Type

record

node: string

Cluster-unique, human-readable node name

state: Management::State

Current run state of the node.

mgmt_role: Management::Role &default = Management::NONE &optional

Role the node plays in cluster management.

cluster_role: Supervisor::ClusterRole &default = Supervisor::NONE &optional

Role the node plays in the Zeek cluster.

pid: int &optional

Process ID of the node. This is optional because the Supervisor may not have a PID when a node is still bootstrapping.

p: port &optional

The node’s Broker peering listening port, if any.

The status of a Supervisor-managed node, as reported to the client in a get_nodes_request/get_nodes_response transaction.

Management::NodeStatusVec
Type

vector of Management::NodeStatus

Management::Option
Type

record

name: string

Name of option

value: string

Value of option

A Zeek-side option with value.

Management::Result
Type

record

reqid: string

Request ID of operation this result refers to

success: bool &default = T &optional

True if successful

instance: string &optional

Name of associated instance (for context)

data: any &optional

Addl data returned for successful operation

error: string &optional

Descriptive error on failure

node: string &optional

Name of associated node (for context)

Return value for request-response API event pairs. Some responses contain one, others multiple of these. The request ID allows clients to string requests and responses together. Agents and the controller fill in the instance and node fields whenever there’s sufficient context to define them. Any result produced by an agent will carry an instance value, for example.

Management::ResultVec
Type

vector of Management::Result

Management::Role
Type

enum

Management::NONE

No active role in cluster management

Management::AGENT

A cluster management agent.

Management::CONTROLLER

The cluster’s controller.

Management::NODE

A managed cluster node (worker, manager, etc).

Management infrastructure node type. This intentionally does not include the managed cluster node types (worker, logger, etc) – those continue to be managed by the cluster framework.

Management::State
Type

enum

Management::PENDING

Not yet running

Management::RUNNING

Running and operating normally

Management::STOPPED

Explicitly stopped

Management::FAILED

Failed to start, and permanently halted

Management::CRASHED

Crashed; will be restarted

Management::UNKNOWN

State not known currently (e.g., because of lost connectivity)

State that a Cluster Node can be in. State changes trigger an API notification (see notify_change()). The PENDING state corresponds to the Supervisor not yet reporting a PID for a node that has not yet fully launched.

Functions
Management::result_to_string
Type

function (res: Management::Result) : string

Given a Management::Result record, this function returns a string summarizing it.

Management::result_vec_to_string
Type

function (res: Management::ResultVec) : string

Given a vector of Management::Result records, this function returns a string summarizing them.

policy/frameworks/management/agent/boot.zeek

The cluster agent boot logic runs in Zeek’s supervisor and instructs it to launch a Management agent process. The agent’s main logic resides in main.zeek, similarly to other frameworks. The new process will execute that script.

If the current process is not the Zeek supervisor, this does nothing.

Imports

base/utils/paths.zeek, policy/frameworks/management/agent/config.zeek

Summary
Redefinitions

Broker::default_listen_address: string &redef

SupervisorControl::enable_listen: bool &redef

Detailed Interface

policy/frameworks/management/agent/config.zeek

Management::Agent

Configuration settings for a cluster agent.

Namespace

Management::Agent

Imports

base/misc/installation.zeek, policy/frameworks/management, policy/frameworks/management/controller/config.zeek

Summary
Redefinable Options

Management::Agent::archive_cmd: string &redef

The archival command.

Management::Agent::archive_dir: string &redef

The destination directory for archived logs.

Management::Agent::archive_interval: interval &redef

The archival interval to use.

Management::Agent::archive_logs: bool &redef

Whether the agent should periodically invoke zeek-archiver to finalize logs.

Management::Agent::controller: Broker::NetworkInfo &redef

The network coordinates of the controller.

Management::Agent::default_port: port &redef

The fallback listen port if Management::Agent::listen_port remains empty.

Management::Agent::directory: string &redef

An optional working directory for the agent.

Management::Agent::listen_address: string &redef

The network address the agent listens on.

Management::Agent::listen_port: string &redef

The network port the agent listens on.

Management::Agent::name: string &redef

The name this agent uses to represent the cluster instance it manages.

Management::Agent::stderr_file: string &redef

Agent stderr log configuration.

Management::Agent::stdout_file: string &redef

Agent stdout log configuration.

Management::Agent::topic_prefix: string &redef

The agent’s Broker topic prefix.

Functions

Management::Agent::endpoint_info: function

Returns a Broker::EndpointInfo record for this instance.

Management::Agent::get_name: function

Returns the effective name of this agent.

Management::Agent::instance: function

Returns a Management::Instance describing this instance (its agent name plus listening address/port, as applicable).

Detailed Interface
Redefinable Options
Management::Agent::archive_cmd
Type

string

Attributes

&redef

Default

""

The archival command. When empty, defaults to the zeek-archiver installed with the Zeek distribution. Whatever the command, the agent will invoke it like zeek-archiver, so take a look at its command-line arguments if you’re planning to put in place a substitute. Archival happens from the Log::default_rotation_dir to Management::Agent::archive_dir.

Management::Agent::archive_dir
Type

string

Attributes

&redef

Default

"/usr/local/zeek/logs"

The destination directory for archived logs.

Management::Agent::archive_interval
Type

interval

Attributes

&redef

Default

0 secs

The archival interval to use. When 0, it defaults to the log rotation interval.

Management::Agent::archive_logs
Type

bool

Attributes

&redef

Default

T

Whether the agent should periodically invoke zeek-archiver to finalize logs.

Management::Agent::controller
Type

Broker::NetworkInfo

Attributes

&redef

Default
{
   address="127.0.0.1"
   bound_port=2150/tcp
}

The network coordinates of the controller. By default, the agent connects locally to the controller at its default port. Assigning a Broker::NetworkInfo record with IP address “0.0.0.0” means the controller should instead connect to the agent. If you’d like to use that mode, make sure to set Management::Agent::listen_address and Management::Agent::listen_port as needed.
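An added agent-side configuration fragment (not from the Zeek distribution) for the mode described above, in which the controller connects to the agent; the address, port and agent name are constructed values:

```zeek
# Added example. A controller record whose address is "0.0.0.0" tells the
# agent not to connect out; it listens and waits for the controller instead.
redef Management::Agent::controller = [$address="0.0.0.0", $bound_port=0/tcp];

# Left empty, listen_address falls back to Management::default_address,
# which is "0.0.0.0" and binds every interface. Pin it to the management
# interface instead. Both values are strings, mirroring the ZEEK_AGENT_ADDR
# and ZEEK_AGENT_PORT environment variables they default to.
redef Management::Agent::listen_address = "10.10.0.21";   # constructed
redef Management::Agent::listen_port = "2151";            # constructed

# The instance name the controller's cluster configuration refers to.
redef Management::Agent::name = "agent-sensor01";          # constructed
```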

Management::Agent::default_port
Type

port

Attributes

&redef

Default

2151/tcp

The fallback listen port if Management::Agent::listen_port remains empty.

Management::Agent::directory
Type

string

Attributes

&redef

Default

""

An optional working directory for the agent. Agent and controller currently only log locally, not via the Zeek cluster’s logger node. This means that if multiple agents and/or controllers work from the same directory, output may get garbled. When not set, defaults to a directory named after the agent (as per its get_name() result).

Management::Agent::listen_address
Type

string

Attributes

&redef

Default

""

The network address the agent listens on. This only takes effect if the agent isn’t configured to connect to the controller (see Management::Agent::controller). By default this uses the value of the ZEEK_AGENT_ADDR environment variable, but you may also redef to a specific value. When empty, the implementation falls back to Management::default_address.

Management::Agent::listen_port
Type

string

Attributes

&redef

Default

""

The network port the agent listens on. Counterpart to Management::Agent::listen_address, defaulting to the ZEEK_AGENT_PORT environment variable.

Management::Agent::name
Type

string

Attributes

&redef

Default

""

The name this agent uses to represent the cluster instance it manages. Defaults to the value of the ZEEK_AGENT_NAME environment variable. When that is unset and you don’t redef the value, the implementation defaults to “agent-<hostname>”.

Management::Agent::stderr_file
Type

string

Attributes

&redef

Default

"stderr"

Agent stderr log configuration. Like Management::Agent::stdout_file, but for the stderr stream.

Management::Agent::stdout_file
Type

string

Attributes

&redef

Default

"stdout"

Agent stdout log configuration. If the string is non-empty, Zeek will produce a free-form log (i.e., not one governed by Zeek’s logging framework) in the agent’s working directory. If left empty, no such log results.

Note that the agent also establishes a “proper” Zeek log via the Management::Log module.

Management::Agent::topic_prefix
Type

string

Attributes

&redef

Default

"zeek/management/agent"

The agent’s Broker topic prefix. For its own communication, the agent suffixes this with “/<name>”, based on Management::Agent::get_name.

Functions
Management::Agent::endpoint_info
Type

function () : Broker::EndpointInfo

Returns a Broker::EndpointInfo record for this instance. Similar to Management::Agent::instance, but with slightly different data format.

Management::Agent::get_name
Type

function () : string

Returns the effective name of this agent.

Management::Agent::instance
Type

function () : Management::Instance

Returns a Management::Instance describing this instance (its agent name plus listening address/port, as applicable).

policy/frameworks/management/__load__.zeek

This loads Management framework functionality needed by both the controller and agents. Note that there’s no notion of loading “the Management framework” – one always loads “management/controller” or “management/agent”. This __load__ script exists only to simplify loading all common functionality.

Imports

policy/frameworks/management/config.zeek, policy/frameworks/management/log.zeek, policy/frameworks/management/persistence.zeek, policy/frameworks/management/request.zeek, policy/frameworks/management/types.zeek, policy/frameworks/management/util.zeek

Summary
Detailed Interface

policy/frameworks/management/config.zeek

Management

Management framework configuration settings common to agent and controller. This does not include config settings that exist in both agent and controller but that they set differently, since setting defaults here would be awkward or pointless (since both node types would overwrite them anyway). For role-specific settings, see management/controller/config.zeek and management/agent/config.zeek.

Namespace

Management

Imports

base/misc/installation.zeek, policy/frameworks/management/types.zeek

Summary
Redefinable Options

Management::connect_retry: interval &redef

The retry interval for Broker connects.

Management::default_address: string &redef

The fallback listen address if more specific addresses, such as the controller’s Management::Controller::listen_address, remain empty.

Management::role: Management::Role &redef

The role of this process in cluster management.

Management::spool_dir: string &redef

The toplevel directory in which the Management framework creates spool state for any Zeek nodes, including the Zeek cluster, agents, and the controller.

Management::state_dir: string &redef

The toplevel directory for variable state, such as Broker data stores.

Functions

Management::get_spool_dir: function

Returns the effective spool directory for the management framework.

Management::get_state_dir: function

Returns the effective state directory for the management framework.

Detailed Interface
Redefinable Options
Management::connect_retry
Type

interval

Attributes

&redef

Default

1.0 sec

The retry interval for Broker connects. Defaults to a more aggressive value compared to Broker’s 30s.

Management::default_address
Type

string

Attributes

&redef

Default

"0.0.0.0"

The fallback listen address if more specific addresses, such as the controller’s Management::Controller::listen_address, remain empty. Unless redefined, this listens on all interfaces.

Management::role
Type

Management::Role

Attributes

&redef

Default

Management::NONE

Redefinition

from policy/frameworks/management/agent/main.zeek

=:

Management::AGENT
Redefinition

from policy/frameworks/management/controller/main.zeek

=:

Management::CONTROLLER
Redefinition

from policy/frameworks/management/node/main.zeek

=:

Management::NODE

The role of this process in cluster management. Use this to differentiate code based on the type of node in which it ends up running.

Management::spool_dir
Type

string

Attributes

&redef

Default

""

The toplevel directory in which the Management framework creates spool state for any Zeek nodes, including the Zeek cluster, agents, and the controller. Don’t use this directly, use the Management::get_spool_dir function.

Management::state_dir
Type

string

Attributes

&redef

Default

""

The toplevel directory for variable state, such as Broker data stores. Don’t use this directly, use the Management::get_state_dir function.

Functions
Management::get_spool_dir
Type

function () : string

Returns the effective spool directory for the management framework. That’s Management::spool_dir when set, otherwise the installation’s spool directory.

Management::get_state_dir
Type

function () : string

Returns the effective state directory for the management framework. That’s Management::state_dir when set, otherwise the installation’s state directory.

policy/frameworks/management/log.zeek

Management::Log

This module implements logging abilities for controller and agent. It uses Zeek’s logging framework and works only for nodes managed by the supervisor. In this setting Zeek’s logging framework operates locally, i.e., this does not involve logger nodes.

Namespace

Management::Log

Imports

policy/frameworks/management/config.zeek

Summary
Types

Management::Log::Info: record &log

The record type containing the column fields of the agent/controller log.

Management::Log::Level: enum

The controller/agent log supports four different log levels.

Redefinitions

Log::ID: enum

The cluster logging stream identifier.

Hooks

Management::Log::log_policy: Log::PolicyHook

A default logging policy hook for the stream.

Functions

Management::Log::debug: function

A debug-level log message writer.

Management::Log::error: function

An error-level log message writer.

Management::Log::info: function

An info-level log message writer.

Management::Log::warning: function

A warning-level log message writer.

Detailed Interface
Types
Management::Log::Info
Type

record

ts: time &log

The time at which a cluster message was generated.

node: string &log

The name of the node that is creating the log record.

level: string &log

Log level of this message, converted from the above Level enum.

role: string &log

The role of the node, translated from Management::Role.

message: string &log

A message indicating information about cluster controller operation.

Attributes

&log

The record type containing the column fields of the agent/controller log.

Management::Log::Level
Type

enum

Management::Log::DEBUG
Management::Log::INFO
Management::Log::WARNING
Management::Log::ERROR

The controller/agent log supports four different log levels.

Hooks
Management::Log::log_policy
Type

Log::PolicyHook

A default logging policy hook for the stream.

Functions
Management::Log::debug
Type

function (message: string) : void

A debug-level log message writer.

Message

the message to log.

Management::Log::error
Type

function (message: string) : void

An error-level log message writer. (This only logs a message, it does not terminate Zeek or have other runtime effects.)

Message

the message to log.

Management::Log::info
Type

function (message: string) : void

An info-level log message writer.

Message

the message to log.

Management::Log::warning
Type

function (message: string) : void

A warning-level log message writer.

Message

the message to log.

policy/frameworks/management/persistence.zeek

Common adjustments for any kind of Zeek node when we run the Management framework.

Imports

base/misc/installation.zeek, base/utils/paths.zeek, policy/frameworks/management/config.zeek

Summary
Redefinitions

Log::default_rotation_dir: string &redef

Detailed Interface

policy/frameworks/management/request.zeek

Management::Request

This module implements a request state abstraction in the Management framework that both controller and agent use to connect request events to subsequent response ones, and to be able to time out such requests.

Namespace

Management::Request

Imports

policy/frameworks/management/config.zeek, policy/frameworks/management/types.zeek

Summary
Redefinable Options

Management::Request::timeout_interval: interval &redef

The timeout interval for request state.

State Variables

Management::Request::null_req: Management::Request::Request

A token request that serves as a null/nonexistent request.

Types

Management::Request::Request: record

Request records track state associated with a request/response event pair.

Redefinitions

Management::Request::Request: record

New Fields

Management::Request::Request

finish: function (req: Management::Request::Request) : void &optional

A callback to invoke when this request is finished via Management::Request::finish.

Events

Management::Request::request_expired: event

This event fires when a request times out (as per the Management::Request::timeout_interval) before it has been finished via Management::Request::finish().

Functions

Management::Request::create: function

This function establishes request state.

Management::Request::finish: function

This function marks a request as complete and causes Zeek to release its internal state.

Management::Request::is_null: function

This function is a helper predicate to indicate whether a given request is null.

Management::Request::lookup: function

This function looks up the request for a given request ID and returns it.

Management::Request::to_string: function

For troubleshooting, this function renders a request record to a string.

Detailed Interface
Redefinable Options
Management::Request::timeout_interval
Type

interval

Attributes

&redef

Default

10.0 secs

Redefinition

from policy/frameworks/management/agent/main.zeek

=:

5.0 secs

The timeout interval for request state. Such state (see the Management::Request module) ties together request and response event pairs. A timeout causes cleanup of request state if regular request/response processing hasn’t already done so. It applies both to request state kept in the controller and the agent, though the two use different timeout values: agent-side requests time out more quickly. This allows agents to send more meaningful error messages, while the controller’s timeouts serve as a last resort to ensure response to the client.

State Variables
Management::Request::null_req
Type

Management::Request::Request

Default
{
   id=""
   parent_id=<uninitialized>
   results=[]
   finished=T
   finish=<uninitialized>
   supervisor_state_agent=<uninitialized>
   deploy_state_agent=<uninitialized>
   node_dispatch_state_agent=<uninitialized>
   restart_state_agent=<uninitialized>
   deploy_state=<uninitialized>
   get_nodes_state=<uninitialized>
   node_dispatch_state=<uninitialized>
   restart_state=<uninitialized>
   test_state=<uninitialized>
}

A token request that serves as a null/nonexistent request.

Types
Management::Request::Request
Type

record

id: string

Each request has a hopefully unique ID provided by the requester.

parent_id: string &optional

For requests that result based upon another request (such as when the controller sends requests to agents based on a request it received by the client), this specifies that original, “parent” request.

results: Management::ResultVec &default = [] &optional

The results vector builds up the list of results we eventually send to the requestor when we have processed the request.

finished: bool &default = F &optional

An internal flag to track whether a request is complete.

finish: function (<recursion>) : void &optional

A callback to invoke when this request is finished via Management::Request::finish.

supervisor_state_agent: Management::Agent::Runtime::SupervisorState &optional

(present if policy/frameworks/management/agent/main.zeek is loaded)

deploy_state_agent: Management::Agent::Runtime::DeployState &optional

(present if policy/frameworks/management/agent/main.zeek is loaded)

node_dispatch_state_agent: Management::Agent::Runtime::NodeDispatchState &optional

(present if policy/frameworks/management/agent/main.zeek is loaded)

restart_state_agent: Management::Agent::Runtime::RestartState &optional

(present if policy/frameworks/management/agent/main.zeek is loaded)

deploy_state: Management::Controller::Runtime::DeployState &optional

(present if policy/frameworks/management/controller/main.zeek is loaded)

get_nodes_state: Management::Controller::Runtime::GetNodesState &optional

(present if policy/frameworks/management/controller/main.zeek is loaded)

node_dispatch_state: Management::Controller::Runtime::NodeDispatchState &optional

(present if policy/frameworks/management/controller/main.zeek is loaded)

restart_state: Management::Controller::Runtime::RestartState &optional

(present if policy/frameworks/management/controller/main.zeek is loaded)

test_state: Management::Controller::Runtime::TestState &optional

(present if policy/frameworks/management/controller/main.zeek is loaded)

Request records track state associated with a request/response event pair. Calls to Management::Request::create establish such state when an entity sends off a request event, while Management::Request::finish clears the state when a corresponding response event comes in, or the state times out.

Events
Management::Request::request_expired
Type

event (req: Management::Request::Request)

This event fires when a request times out (as per the Management::Request::timeout_interval) before it has been finished via Management::Request::finish().

Req

the request state that is expiring.

Functions
Management::Request::create
Type

function (reqid: string &default = fD0qxAnfwOe &optional) : Management::Request::Request

This function establishes request state.

Reqid

the identifier to use for the request.

Management::Request::finish
Type

function (reqid: string) : bool

This function marks a request as complete and causes Zeek to release its internal state. When the request does not exist, this does nothing.

Reqid

the ID of the request state to release.

Management::Request::is_null
Type

function (request: Management::Request::Request) : bool

This function is a helper predicate to indicate whether a given request is null.

Request

a Request record to check.

Returns

T if the given request matches the null_req instance, F otherwise.

Management::Request::lookup
Type

function (reqid: string) : Management::Request::Request

This function looks up the request for a given request ID and returns it. When no such request exists, returns Management::Request::null_req.

Reqid

the ID of the request state to retrieve.

Management::Request::to_string
Type

function (request: Management::Request::Request) : string

For troubleshooting, this function renders a request record to a string.

Request

the request to render.

policy/frameworks/management/util.zeek

Management::Util

Utility functions for the Management framework, available to agent and controller.

Namespace

Management::Util

Summary
Functions

Management::Util::set_to_vector: function

Renders a set of strings to an alphabetically sorted vector.

Detailed Interface
Functions
Management::Util::set_to_vector
Type

function (ss: set [string]) : vector of string

Renders a set of strings to an alphabetically sorted vector.

Ss

the string set to convert.

Returns

the vector of all strings in ss.

policy/frameworks/management/controller/config.zeek

Management::Controller

Configuration settings for the cluster controller.

Namespace

Management::Controller

Imports

policy/frameworks/management

Summary
Redefinable Options

Management::Controller::auto_assign_ports: bool &redef

Whether the controller should auto-assign listening ports to cluster nodes that need them and don’t have them explicitly specified in cluster configurations.

Management::Controller::auto_assign_start_port: port &redef

The TCP start port to use for auto-assigning cluster node listening ports, if Management::Controller::auto_assign_ports is enabled (the default) and the provided configurations don’t have ports assigned.

Management::Controller::default_port: port &redef

The fallback listen port if Management::Controller::listen_port remains empty.

Management::Controller::directory: string &redef

An optional custom output directory for stdout/stderr.

Management::Controller::listen_address: string &redef

The network address the controller listens on.

Management::Controller::listen_port: string &redef

The network port the controller listens on.

Management::Controller::name: string &redef

The name of this controller.

Management::Controller::stderr_file: string &redef

The controller’s stderr log name.

Management::Controller::stdout_file: string &redef

The controller’s stdout log name.

Management::Controller::topic: string &redef

The controller’s Broker topic.

Constants

Management::Controller::store_name: string

The name of the Broker store the controller uses to persist internal state to disk.

Functions

Management::Controller::endpoint_info: function

Returns a Broker::EndpointInfo record describing the controller.

Management::Controller::get_name: function

Returns the effective name of the controller.

Management::Controller::network_info: function

Returns a Broker::NetworkInfo record describing the controller.

Detailed Interface
Redefinable Options
Management::Controller::auto_assign_ports
Type

bool

Attributes

&redef

Default

T

Whether the controller should auto-assign listening ports to cluster nodes that need them and don’t have them explicitly specified in cluster configurations.

Management::Controller::auto_assign_start_port
Type

port

Attributes

&redef

Default

2200/tcp

The TCP start port to use for auto-assigning cluster node listening ports, if Management::Controller::auto_assign_ports is enabled (the default) and the provided configurations don’t have ports assigned.

Management::Controller::default_port
Type

port

Attributes

&redef

Default

2150/tcp

The fallback listen port if Management::Controller::listen_port remains empty.

Management::Controller::directory
Type

string

Attributes

&redef

Default

""

An optional custom output directory for stdout/stderr. Agent and controller currently only log locally, not via the Zeek cluster’s logger node. This means that if both write to the same log file, output gets garbled.

Management::Controller::listen_address
Type

string

Attributes

&redef

Default

""

The network address the controller listens on. By default this uses the value of the ZEEK_CONTROLLER_ADDR environment variable, but you may also redef to a specific value. When empty, the implementation falls back to Management::default_address.

Management::Controller::listen_port
Type

string

Attributes

&redef

Default

""

The network port the controller listens on. Counterpart to Management::Controller::listen_address, defaulting to the ZEEK_CONTROLLER_PORT environment variable.

Management::Controller::name
Type

string

Attributes

&redef

Default

""

The name of this controller. Defaults to the value of the ZEEK_CONTROLLER_NAME environment variable. When that is unset and the user doesn’t redef the value, the implementation defaults to “controller-<hostname>”.

Management::Controller::stderr_file
Type

string

Attributes

&redef

Default

"stderr"

The controller’s stderr log name. Like Management::Controller::stdout_file, but for the stderr stream.

Management::Controller::stdout_file
Type

string

Attributes

&redef

Default

"stdout"

The controller’s stdout log name. If the string is non-empty, Zeek will produce a free-form log (i.e., not one governed by Zeek’s logging framework) in the controller’s working directory. If left empty, no such log results.

Note that the controller also establishes a “proper” Zeek log via the Management::Log module.

Management::Controller::topic
Type

string

Attributes

&redef

Default

"zeek/management/controller"

The controller’s Broker topic. Clients send requests to this topic.

Constants
Management::Controller::store_name
Type

string

Default

"controller"

The name of the Broker store the controller uses to persist internal state to disk.

Functions
Management::Controller::endpoint_info
Type

function () : Broker::EndpointInfo

Returns a Broker::EndpointInfo record describing the controller.

Management::Controller::get_name
Type

function () : string

Returns the effective name of the controller.

Management::Controller::network_info
Type

function () : Broker::NetworkInfo

Returns a Broker::NetworkInfo record describing the controller.

policy/frameworks/management/controller/__load__.zeek

The entry point for the Management framework’s cluster controller. It runs bootstrap logic for launching a controller process via Zeek’s Supervisor.

Summary
Detailed Interface

policy/frameworks/management/controller/api.zeek

Management::Controller::API

The event API of cluster controllers. Most endpoints consist of event pairs, where the controller answers the client’s request event with a corresponding response event. Such event pairs share the same name prefix and end in “_request” and “_response”, respectively.

Namespace

Management::Controller::API

Imports

policy/frameworks/management/types.zeek

Summary
Constants

Management::Controller::API::version: count

A simple versioning scheme, used to track basic compatibility of controller, agents, and the client.

Events

Management::Controller::API::deploy_request: event

Trigger deployment of a previously staged configuration.

Management::Controller::API::deploy_response: event

Response to a Management::Controller::API::deploy_request event.

Management::Controller::API::get_configuration_request: event

The client sends this event to retrieve the controller’s current cluster configuration(s).

Management::Controller::API::get_configuration_response: event

Response to a Management::Controller::API::get_configuration_request event.

Management::Controller::API::get_id_value_request: event

The client sends this event to retrieve the current value of a variable in Zeek’s global namespace, referenced by the given identifier (i.e., variable name).

Management::Controller::API::get_id_value_response: event

Response to a Management::Controller::API::get_id_value_request event.

Management::Controller::API::get_instances_request: event

The client sends this event to request a list of the currently peered agents/instances.

Management::Controller::API::get_instances_response: event

Response to a Management::Controller::API::get_instances_request event.

Management::Controller::API::get_nodes_request: event

The client sends this event to request a list of Management::NodeStatus records that capture the status of Supervisor-managed nodes running on the cluster’s instances.

Management::Controller::API::get_nodes_response: event

Response to a Management::Controller::API::get_nodes_request event.

Management::Controller::API::notify_agents_ready: event

The controller triggers this event when the operational cluster instances align with the ones desired by the cluster configuration.

Management::Controller::API::restart_request: event

The client sends this event to restart currently running Zeek cluster nodes.

Management::Controller::API::restart_response: event

Response to a Management::Controller::API::restart_request event.

Management::Controller::API::stage_configuration_request: event

Upload a configuration to the controller for later deployment.

Management::Controller::API::stage_configuration_response: event

Response to a Management::Controller::API::stage_configuration_request event.

Management::Controller::API::test_timeout_request: event

This event causes no further action (other than getting logged) if with_state is F.

Management::Controller::API::test_timeout_response: event

Response to a Management::Controller::API::test_timeout_request event.

Detailed Interface
Constants
Management::Controller::API::version
Type

count

Default

1

A simple versioning scheme, used to track basic compatibility of controller, agents, and the client.

Events
Management::Controller::API::deploy_request
Type

event (reqid: string)

Trigger deployment of a previously staged configuration. The client sends this event to the controller, which deploys the configuration to the agents. Agents then terminate any previously running cluster nodes and (re-)launch those defined in the new configuration. Once each agent has responded (or a timeout occurs), the controller sends a response event back to the client, aggregating the results from the agents. The controller keeps the staged configuration available for download, or re-deployment. In addition, the deployed configuration becomes available for download as well, with any augmentations (e.g. node ports filled in by auto-assignment) reflected.

Reqid

a request identifier string, echoed in the response event.

Management::Controller::API::deploy_response
Type

event (reqid: string, results: Management::ResultVec)

Response to a Management::Controller::API::deploy_request event. The controller sends this back to the client, conveying the outcome of the deployment.

Reqid

the request identifier used in the request event.

Results

a vector of Management::Result records. Each member captures the result of launching one cluster node captured in the configuration, or an agent-wide error when the result does not indicate a particular node.

Management::Controller::API::get_configuration_request
Type

event (reqid: string, deployed: bool)

The client sends this event to retrieve the controller’s current cluster configuration(s).

Reqid

a request identifier string, echoed in the response event.

Deployed

when true, returns the deployed configuration (if any), otherwise the staged one (if any).

Management::Controller::API::get_configuration_response
Type

event (reqid: string, result: Management::Result)

Response to a Management::Controller::API::get_configuration_request event. The controller sends this back to the client, with the requested configuration.

Reqid

the request identifier used in the request event.

Result

a Management::Result record with a successful Management::Configuration in the data member, if a configuration is currently deployed. Otherwise, a Result record in error state, with no data value assigned.

Management::Controller::API::get_id_value_request
Type

event (reqid: string, id: string, nodes: set [string] &default = {  } &optional)

The client sends this event to retrieve the current value of a variable in Zeek’s global namespace, referenced by the given identifier (i.e., variable name). The controller asks all agents to retrieve this value from each cluster node, accumulates the returned responses, and responds with a get_id_value_response event back to the client.

Reqid

a request identifier string, echoed in the response event.

Id

the name of the variable whose value to retrieve.

Nodes

a set of cluster node names (e.g. “worker-01”) to retrieve the values from. An empty set, supplied by default, means retrieval from all current cluster nodes.

Management::Controller::API::get_id_value_response
Type

event (reqid: string, results: Management::ResultVec)

Response to a Management::Controller::API::get_id_value_request event. The controller sends this back to the client, with a JSON representation of the requested global ID on all relevant instances.

Reqid

the request identifier used in the request event.

Results

a vector of Management::Result records. Each record covers one Zeek cluster node. Each record’s data field contains a string with the JSON rendering (as produced by to_json, including the error strings it potentially returns).

Management::Controller::API::get_instances_request
Type

event (reqid: string)

The client sends this event to request a list of the currently peered agents/instances.

Reqid

a request identifier string, echoed in the response event.

Management::Controller::API::get_instances_response
Type

event (reqid: string, result: Management::Result)

Response to a Management::Controller::API::get_instances_request event. The controller sends this back to the client.

Reqid

the request identifier used in the request event.

Result

a Management::Result. Its data member is a vector of Management::Instance records.

Management::Controller::API::get_nodes_request
Type

event (reqid: string)

The client sends this event to request a list of Management::NodeStatus records that capture the status of Supervisor-managed nodes running on the cluster’s instances.

Reqid

a request identifier string, echoed in the response event.

Management::Controller::API::get_nodes_response
Type

event (reqid: string, results: Management::ResultVec)

Response to a Management::Controller::API::get_nodes_request event. The controller sends this back to the client, with a description of the nodes currently managed by the Supervisors on all connected instances. This includes agents and possibly the controller, if it runs jointly with an agent.

Reqid

the request identifier used in the request event.

Results

a vector of Management::Result records. Each record covers one cluster instance. Each record’s data member is a vector of Management::NodeStatus records, covering the nodes at that instance. Results may also indicate failure, with error messages indicating what went wrong.

Management::Controller::API::notify_agents_ready
Type

event (instances: set [string])

The controller triggers this event when the operational cluster instances align with the ones desired by the cluster configuration. It’s essentially a cluster management readiness event. This event is currently only used internally by the controller, and not published to topics.

Instances

the set of instance names now ready.

Management::Controller::API::restart_request
Type

event (reqid: string, nodes: set [string] &default = {  } &optional)

The client sends this event to restart currently running Zeek cluster nodes. The controller relays the request to its agents, which respond with a list of Management::Result records summarizing each node restart. The controller combines these lists, and sends a Management::Controller::API::restart_response event with the result.

Reqid

a request identifier string, echoed in the response event.

Nodes

a set of cluster node names (e.g. “worker-01”) to restart. An empty set, supplied by default, means restart of all current cluster nodes.

Management::Controller::API::restart_response
Type

event (reqid: string, results: Management::ResultVec)

Response to a Management::Controller::API::restart_request event. The controller sends this back to the client when it has received responses from all agents involved, or a timeout occurs.

Reqid

the request identifier used in the request event.

Results

a vector of Management::Result, combining the restart results from all agents. Each such result identifies both the instance and node in question. Results that do not identify an instance are generated by the controller, flagging corner cases, including absence of a deployed cluster or unknown nodes.

Management::Controller::API::stage_configuration_request
Type

event (reqid: string, config: Management::Configuration)

Upload a configuration to the controller for later deployment. The client sends this event to the controller, which validates the configuration and indicates the outcome in its response event. No deployment takes place yet, and existing deployed configurations and the running Zeek cluster remain intact. To trigger deployment of an uploaded configuration, use Management::Controller::API::deploy_request.

Reqid

a request identifier string, echoed in the response event.

Config

a Management::Configuration record specifying the cluster configuration.

Management::Controller::API::stage_configuration_response
Type

event (reqid: string, results: Management::ResultVec)

Response to a Management::Controller::API::stage_configuration_request event. The controller sends this back to the client, conveying validation results.

Reqid

the request identifier used in the request event.

Results

a Management::Result vector, indicating whether the controller accepts the configuration. In case of a success, a single result record indicates so. Otherwise, the sequence is all errors, each indicating a configuration validation error.
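The staging and deployment exchange described above, as an added example that is not part of the Zeek documentation or distribution: a small Broker client script that peers with the controller, publishes a stage_configuration_request carrying a constructed two-node configuration, inspects the Management::Result vector in the response, and only on acceptance publishes a deploy_request. It keeps a table of outstanding request IDs so that responses arriving on the shared controller topic are matched by reqid, and it gives up on a request after a local timeout. Assumptions beyond this page: the record fields of Management::Configuration, Management::Instance and Management::Node (from policy/frameworks/management/types.zeek), the fields of Management::Result used here (success, error, node, instance), that the controller publishes its responses on Management::Controller::topic (the page only states that clients send requests there), and the controller address, port, node names and interface, which are placeholders.

```zeek
# Added example (not Zeek's own code): stage a configuration, then deploy it.
# Run as a standalone Zeek process, e.g.:  zeek ./stage-and-deploy.zeek
# (hypothetical file name; a controller must be reachable at the address below).

@load policy/frameworks/management/types
@load policy/frameworks/management/controller/config
@load policy/frameworks/management/controller/api

module StageAndDeploy;

export {
	## Controller endpoint (placeholders; Management::Controller::default_port is 2150/tcp).
	const controller_host = "127.0.0.1" &redef;
	const controller_port = 2150/tcp &redef;

	## Local deadline per request. The controller itself only answers once
	## every agent has responded or its own timeout fired, so wait a while.
	const request_timeout = 30 sec &redef;

	## Raised locally when a request went unanswered.
	global give_up: event(reqid: string);
}

# Requests we sent and still await, keyed by reqid. Every subscriber of the
# controller topic sees every response, so the reqid is what identifies ours.
global pending: table[string] of string;

# Constructed configuration: one agent ("agent-1") running a manager and a
# worker. Node ports are left unset so the controller auto-assigns them
# (Management::Controller::auto_assign_ports). Field names are assumed from
# policy/frameworks/management/types.zeek; the interface is a placeholder.
function build_config(): Management::Configuration
	{
	local inst = Management::Instance($name="agent-1", $host=127.0.0.1);
	local mgr = Management::Node($name="manager", $instance="agent-1",
	                             $role=Supervisor::MANAGER);
	local wrk = Management::Node($name="worker-01", $instance="agent-1",
	                             $role=Supervisor::WORKER, $interface="eth0");
	return Management::Configuration($id="example-config",
	                                 $instances=set(inst),
	                                 $nodes=set(mgr, wrk));
	}

event zeek_init()
	{
	Broker::subscribe(Management::Controller::topic);
	Broker::peer(controller_host, controller_port);
	}

event Broker::peer_added(peer: Broker::EndpointInfo, msg: string)
	{
	local reqid = unique_id("stage-");
	pending[reqid] = "stage";
	schedule request_timeout { StageAndDeploy::give_up(reqid) };
	Broker::publish(Management::Controller::topic,
	                Management::Controller::API::stage_configuration_request,
	                reqid, build_config());
	}

event Management::Controller::API::stage_configuration_response(reqid: string, results: Management::ResultVec)
	{
	if ( reqid !in pending )
		return;  # not our request
	delete pending[reqid];

	# On success the vector holds a single successful result; otherwise every
	# entry is a validation error. Refuse to deploy on any error.
	local accepted = T;
	for ( i in results )
		{
		if ( ! results[i]$success )
			{
			accepted = F;
			print fmt("staging rejected: %s", results[i]$error);
			}
		}

	if ( ! accepted )
		{
		terminate();
		return;
		}

	local deploy_id = unique_id("deploy-");
	pending[deploy_id] = "deploy";
	schedule request_timeout { StageAndDeploy::give_up(deploy_id) };
	Broker::publish(Management::Controller::topic,
	                Management::Controller::API::deploy_request, deploy_id);
	}

event Management::Controller::API::deploy_response(reqid: string, results: Management::ResultVec)
	{
	if ( reqid !in pending )
		return;
	delete pending[reqid];

	for ( i in results )
		{
		local r = results[i];
		# A result that names no node is an agent-wide error.
		local who = r?$node ? r$node : fmt("agent %s", r$instance);
		print fmt("%s: %s", who, r$success ? "launched" : fmt("failed (%s)", r$error));
		}
	terminate();
	}

event StageAndDeploy::give_up(reqid: string)
	{
	if ( reqid !in pending )
		return;  # already answered
	print fmt("no %s response for %s within %s", pending[reqid], reqid, request_timeout);
	delete pending[reqid];
	terminate();
	}
```

After deployment, the same controller also serves the augmented configuration (with auto-assigned ports filled in) through get_configuration_request with deployed=T, which a client can retrieve with the same reqid-matching pattern.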

Management::Controller::API::test_timeout_request
Type

event (reqid: string, with_state: bool)

This event causes no further action (other than getting logged) if with_state is F. When T, the controller establishes request state, and the controller only ever sends the response event when this state times out.

Reqid

a request identifier string, echoed in the response event when with_state is T.

With_state

flag indicating whether the controller should keep (and time out) request state for this request.

Management::Controller::API::test_timeout_response
Type

event (reqid: string, result: Management::Result)

Response to a Management::Controller::API::test_timeout_request event. The controller sends this back to the client if the original request had the with_state flag.

Reqid

the request identifier used in the request event.

policy/frameworks/management/controller/boot.zeek

The cluster controller’s boot logic runs in Zeek’s supervisor and instructs it to launch the Management controller process. The controller’s main logic resides in main.zeek, similarly to other frameworks. The new process will execute that script.

If the current process is not the Zeek supervisor, this does nothing.

Imports

base/utils/paths.zeek, policy/frameworks/management/controller/config.zeek

Summary
Detailed Interface

policy/frameworks/management/node/api.zeek

Management::Node::API

The Management event API of cluster nodes. The API consists of request/response event pairs, like elsewhere in the Management, Supervisor, and Control frameworks.

Namespace

Management::Node::API

Imports

policy/frameworks/management/types.zeek

Summary
Events

Management::Node::API::node_dispatch_request: event

Management agents send this event to every Zeek cluster node to run a “dispatch” – a particular, pre-implemented action.

Management::Node::API::node_dispatch_response: event

Response to a node_dispatch_request event.

Management::Node::API::notify_node_hello: event

The cluster nodes send this event upon peering as a “check-in” to the agent, to indicate the node is now available to communicate with.

Detailed Interface
Events
Management::Node::API::node_dispatch_request
Type

event (reqid: string, action: vector of string, nodes: set [string] &default = {  } &optional)

Management agents send this event to every Zeek cluster node to run a “dispatch” – a particular, pre-implemented action. This is the agent-node complement to Management::Agent::API::node_dispatch_request.

Reqid

a request identifier string, echoed in the response event.

Action

the requested dispatch command, with any arguments.

Nodes

the cluster node names this dispatch targets. An empty set, supplied by default, means it applies to all nodes. Since nodes receive all dispatch requests, they can use any node names provided here to filter themselves out of responding.

Management::Node::API::node_dispatch_response
Type

event (reqid: string, result: Management::Result)

Response to a node_dispatch_request event. The nodes send this back to the agent. This is the agent-node equivalent of Management::Agent::API::node_dispatch_response.

Reqid

the request identifier used in the request event.

Result

a Management::Result record covering one Zeek cluster node managed by the agent. Upon success, the data field contains a value appropriate for the requested dispatch.

Management::Node::API::notify_node_hello
Type

event (node: string)

The cluster nodes send this event upon peering as a “check-in” to the agent, to indicate the node is now available to communicate with. It is an agent-level equivalent of Broker::peer_added, and similar to Management::Agent::API::notify_agent_hello for agents.

Node

the name of the node, as given in Cluster::node.

policy/frameworks/management/node/config.zeek

Management::Node

Configuration settings for nodes controlled by the Management framework.

Namespace

Management::Node

Summary
Redefinable Options

Management::Node::node_topic: string &redef

The nodes’ Broker topic.

Management::Node::stderr_file: string &redef

Cluster node stderr log configuration.

Management::Node::stdout_file: string &redef

Cluster node stdout log configuration.

Detailed Interface
Redefinable Options
Management::Node::node_topic
Type

string

Attributes

&redef

Default

"zeek/management/node"

The nodes’ Broker topic. Cluster nodes automatically subscribe to it, to receive request events from the Management framework.

Management::Node::stderr_file
Type

string

Attributes

&redef

Default

"stderr"

Cluster node stderr log configuration. Like Management::Node::stdout_file, but for the stderr stream.

Management::Node::stdout_file
Type

string

Attributes

&redef

Default

"stdout"

Cluster node stdout log configuration. If the string is non-empty, Zeek will produce a free-form log (i.e., not one governed by Zeek’s logging framework) in the node’s working directory. If left empty, no such log results.

Note that cluster nodes also establish a “proper” management log via the Management::Log module.

policy/frameworks/management/supervisor/__load__.zeek

Imports

policy/frameworks/management/supervisor/main.zeek

Summary
Detailed Interface

policy/frameworks/management/supervisor/main.zeek

Management::Supervisor

This module provides functionality the Management framework places directly in the Supervisor.

Namespace

Management::Supervisor

Imports

base/utils/paths.zeek, base/utils/queue.zeek, policy/frameworks/management/node/config.zeek, policy/frameworks/management/supervisor/api.zeek, policy/frameworks/management/supervisor/config.zeek, policy/frameworks/management/types.zeek

Summary
Detailed Interface

policy/frameworks/management/supervisor/api.zeek

Management::Supervisor::API
Namespace

Management::Supervisor::API

Imports

policy/frameworks/management/types.zeek

Summary
Events

Management::Supervisor::API::notify_node_exit: event

The Supervisor generates this event whenever it has received a status update from the stem, indicating that a node exited.

Detailed Interface
Events
Management::Supervisor::API::notify_node_exit
Type

event (node: string, outputs: Management::NodeOutputs)

The Supervisor generates this event whenever it has received a status update from the stem, indicating that a node exited.

Node

the name of a node previously created via Supervisor::create.

Outputs

stdout/stderr context for the node. The contained strings span up to the 100 most recent lines in the corresponding stream. See Management::Supervisor::output_max_lines to adjust the line limit.
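One defensive use of this event, as an added example that is not part of Zeek: a script loaded into the Supervisor that counts node exits per node name within a sliding window, and reports a crash loop together with the last few stderr lines carried in the event (the Supervisor already caps these at Management::Supervisor::output_max_lines). Assumptions beyond this page: the stderr field of Management::NodeOutputs (from policy/frameworks/management/types.zeek), that the Management framework's supervisor extension (policy/frameworks/management/supervisor) is loaded so the event is generated, and the thresholds and file name, which are placeholders.

```zeek
# Added example (not Zeek's own code): flag nodes that keep exiting.
# Load into the Supervisor alongside the Management framework, e.g.
#   zeek -j policy/frameworks/management/supervisor ./exit-watch.zeek
# (hypothetical file name).

@load policy/frameworks/management/types
@load policy/frameworks/management/supervisor/api

module ExitWatch;

export {
	## More than this many exits within `window` counts as a crash loop.
	const max_exits = 3 &redef;
	const window = 5 min &redef;

	## Trailing stderr lines to include in the report.
	const context_lines = 5 &redef;
}

# Exit timestamps per node name, oldest first.
global exits: table[string] of vector of time;

# Drop timestamps older than the window; return how many remain.
function prune(node: string): count
	{
	if ( node !in exits )
		return 0;

	local kept: vector of time = vector();
	local cutoff = current_time() - window;
	for ( i in exits[node] )
		{
		if ( exits[node][i] >= cutoff )
			kept[|kept|] = exits[node][i];
		}
	exits[node] = kept;
	return |kept|;
	}

# Return the last n lines of a multi-line string.
function tail(s: string, n: count): string
	{
	local lines = split_string(s, /\n/);
	local total = |lines|;
	local start = total > n ? total - n : 0;
	local out: vector of string = vector();
	for ( i in lines )
		{
		if ( i >= start )
			out[|out|] = lines[i];
		}
	return join_string_vec(out, "\n");
	}

@if ( Supervisor::is_supervisor() )
event Management::Supervisor::API::notify_node_exit(node: string, outputs: Management::NodeOutputs)
	{
	if ( node !in exits )
		exits[node] = vector(current_time());
	else
		exits[node][|exits[node]|] = current_time();

	local n = prune(node);
	if ( n <= max_exits )
		return;

	# outputs$stderr is assumed from Management::NodeOutputs in types.zeek.
	Reporter::warning(fmt("node %s exited %d times within %s; last stderr lines:\n%s",
	                      node, n, window, tail(outputs$stderr, context_lines)));
	}
@endif
```

The handler is wrapped in an @if so the same script can be loaded by every process without doing anything outside the Supervisor, which is the only place the event originates.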

policy/frameworks/management/supervisor/config.zeek

Management::Supervisor

Configuration settings for the Management framework’s supervisor extension.

Namespace

Management::Supervisor

Summary
Redefinable Options

Management::Supervisor::output_max_lines: count &redef

The maximum number of stdout/stderr output lines to convey in Management::Supervisor::API::notify_node_exit events.

Management::Supervisor::print_stderr: bool &redef

Whether to print the stderr sent up to the Supervisor by created nodes to the terminal.

Management::Supervisor::print_stdout: bool &redef

Whether to print the stdout sent up to the Supervisor by created nodes to the terminal.

Management::Supervisor::topic_prefix: string &redef

The Broker topic for Management framework communication with the Supervisor.

Detailed Interface
Redefinable Options
Management::Supervisor::output_max_lines
Type

count

Attributes

&redef

Default

100

The maximum number of stdout/stderr output lines to convey in Management::Supervisor::API::notify_node_exit events.

Management::Supervisor::print_stderr
Type

bool

Attributes

&redef

Default

F

Whether to print the stderr sent up to the Supervisor by created nodes to the terminal. By default, this is disabled since this output already ends up in a node-specific stderr file, per Management::Node::stderr_file.

Management::Supervisor::print_stdout
Type

bool

Attributes

&redef

Default

F

Whether to print the stdout sent up to the Supervisor by created nodes to the terminal. By default, this is disabled since this output already ends up in a node-specific stdout file, per Management::Node::stdout_file.

Management::Supervisor::topic_prefix
Type

string

Attributes

&redef

Default

"zeek/management/supervisor"

The Broker topic for Management framework communication with the Supervisor. The agent subscribes to this.

policy/frameworks/dpd/detect-protocols.zeek

ProtocolDetector

Finds connections with protocols on non-standard ports with DPD.

Namespace

ProtocolDetector

Imports

base/frameworks/notice, base/protocols/conn/removal-hooks.zeek, base/utils/conn-ids.zeek, base/utils/site.zeek

Summary
Runtime Options

ProtocolDetector::minimum_duration: interval &redef

ProtocolDetector::minimum_volume: double &redef

ProtocolDetector::suppress_servers: set &redef

ProtocolDetector::valids: table &redef

Constants

ProtocolDetector::check_interval: interval

State Variables

ProtocolDetector::servers: table &read_expire = 14.0 days

Types

ProtocolDetector::dir: enum

Redefinitions

Notice::Type: enum

Hooks

ProtocolDetector::finalize_protocol_detection: Conn::RemovalHook

Non-standard protocol port detection finalization hook.

Functions

ProtocolDetector::found_protocol: function

Detailed Interface
Runtime Options
ProtocolDetector::minimum_duration
Type

interval

Attributes

&redef

Default

30.0 secs

ProtocolDetector::minimum_volume
Type

double

Attributes

&redef

Default

4000.0

ProtocolDetector::suppress_servers
Type

set [AllAnalyzers::Tag]

Attributes

&redef

Default

{}

ProtocolDetector::valids
Type

table [AllAnalyzers::Tag, addr, port] of ProtocolDetector::dir

Attributes

&redef

Default

{}

Constants
ProtocolDetector::check_interval
Type

interval

Default

5.0 secs

State Variables
ProtocolDetector::servers
Type

table [addr, port, string] of set [string]

Attributes

&read_expire = 14.0 days

Default

{}

Types
ProtocolDetector::dir
Type

enum

ProtocolDetector::NONE

ProtocolDetector::INCOMING

ProtocolDetector::OUTGOING

ProtocolDetector::BOTH

Hooks
ProtocolDetector::finalize_protocol_detection
Type

Conn::RemovalHook

Non-standard protocol port detection finalization hook.

Functions
ProtocolDetector::found_protocol
Type

function (c: connection, atype: AllAnalyzers::Tag, protocol: string) : void

policy/frameworks/dpd/packet-segment-logging.zeek

DPD

This script enables logging of packet segment data when a protocol parsing violation is encountered. The amount of data from the packet logged is set by the DPD::packet_segment_size variable. A caveat to logging packet data is that in some cases, the packet may not be the packet that actually caused the protocol violation.

Namespace

DPD

Imports

base/frameworks/dpd

Summary
Runtime Options

DPD::packet_segment_size: int &redef

Size of the packet segment to display in the DPD log.

Redefinitions

DPD::Info: record

New Fields

DPD::Info

packet_segment: string &optional &log

A chunk of the payload that most likely resulted in the analyzer violation.

Detailed Interface
Runtime Options
DPD::packet_segment_size
Type

int

Attributes

&redef

Default

255

Size of the packet segment to display in the DPD log.

policy/frameworks/intel/do_notice.zeek

Intel

This script enables notice generation for intelligence matches.

Namespace

Intel

Imports

base/frameworks/intel, base/frameworks/notice

Summary
Redefinitions

Intel::MetaData: record

New Fields

Intel::MetaData

do_notice: bool &default = F &optional

A boolean value that lets the data itself express whether the indicator this metadata is attached to is notice-worthy.

if_in: Intel::Where &optional

Restrictions on when notices are created to only create them if the do_notice field is T and the notice was seen in the indicated location.

Notice::Type: enum

  • Intel::Notice: This notice is generated when an intelligence indicator is denoted to be notice-worthy.

Detailed Interface

policy/frameworks/intel/do_expire.zeek

Intel

This script enables expiration for intelligence items.

Namespace

Intel

Imports

base/frameworks/intel

Summary
Redefinitions

Intel::item_expiration: interval &redef

Detailed Interface

policy/frameworks/intel/whitelist.zeek

Intel

This script enables whitelisting for intelligence items.

Namespace

Intel

Imports

base/frameworks/intel

Summary
Redefinitions

Intel::MetaData: record

New Fields

Intel::MetaData

whitelist: bool &default = F &optional

A boolean value to indicate whether the item is whitelisted.

Detailed Interface

policy/frameworks/intel/removal.zeek

Intel

This script enables removal of intelligence items.

Namespace

Intel

Imports

base/frameworks/intel

Summary
Redefinitions

Intel::MetaData: record

New Fields

Intel::MetaData

remove: bool &default = F &optional

A boolean value to indicate whether the item should be removed.
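The three metadata extensions described above (do_notice with if_in, whitelist, and remove), exercised from a script as an added example that is not part of Zeek: it inserts constructed indicators with each flag set, feeds matching observations to Intel::seen, prints the notices that result, and finally removes one indicator by re-inserting it with remove=T. Assumptions beyond this page: the Intel::Item, Intel::MetaData and Intel::Seen record fields and the Intel::insert and Intel::seen functions from base/frameworks/intel, the Intel::Where values defined in policy/frameworks/intel/seen/where-locations.zeek, and the indicator values, which are constructed from documentation address ranges and an example domain rather than real intelligence.

```zeek
# Added example (not Zeek's own code): do_notice / if_in, whitelist and remove.
# Run standalone:  zeek ./intel-meta.zeek   (hypothetical file name)

@load base/frameworks/intel
@load base/frameworks/notice
@load policy/frameworks/intel/seen         # brings in Conn::IN_ORIG, DNS::IN_REQUEST, ...
@load policy/frameworks/intel/do_notice
@load policy/frameworks/intel/whitelist
@load policy/frameworks/intel/removal

# Constructed indicators (RFC 5737 documentation ranges, example domain).
const bad_host = 203.0.113.7;
const noisy_host = 198.51.100.9;
const bad_domain = "malware.example";

event zeek_init()
	{
	# Notice-worthy, but only when seen as a connection originator: a match
	# as responder still lands in intel.log, yet raises no Intel::Notice.
	Intel::insert(Intel::Item($indicator=cat(bad_host), $indicator_type=Intel::ADDR,
	                          $meta=Intel::MetaData($source="example-feed",
	                                                $desc="constructed indicator",
	                                                $do_notice=T,
	                                                $if_in=Conn::IN_ORIG)));

	# Notice-worthy wherever it is seen (no if_in restriction).
	Intel::insert(Intel::Item($indicator=bad_domain, $indicator_type=Intel::DOMAIN,
	                          $meta=Intel::MetaData($source="example-feed", $do_notice=T)));

	# Whitelisted: the framework suppresses matches on this indicator.
	Intel::insert(Intel::Item($indicator=cat(noisy_host), $indicator_type=Intel::ADDR,
	                          $meta=Intel::MetaData($source="example-feed", $whitelist=T)));
	}

# Constructed observations, run after the inserts above.
event zeek_init() &priority=-5
	{
	Intel::seen(Intel::Seen($host=bad_host, $where=Conn::IN_ORIG));    # notice
	Intel::seen(Intel::Seen($host=bad_host, $where=Conn::IN_RESP));    # logged, no notice
	Intel::seen(Intel::Seen($host=noisy_host, $where=Conn::IN_ORIG));  # whitelisted
	Intel::seen(Intel::Seen($indicator=bad_domain, $indicator_type=Intel::DOMAIN,
	                        $where=DNS::IN_REQUEST));                   # notice
	}

# Removal: re-insert the indicator with remove=T. Later lookups for
# bad_domain no longer match.
event zeek_init() &priority=-10
	{
	Intel::insert(Intel::Item($indicator=bad_domain, $indicator_type=Intel::DOMAIN,
	                          $meta=Intel::MetaData($source="example-feed", $remove=T)));
	}

# Show which observations turned into notices.
hook Notice::policy(n: Notice::Info)
	{
	if ( n$note == Intel::Notice && n?$msg )
		print fmt("notice: %s", n$msg);
	}
```

The same three flags are what the meta.do_notice, meta.if_in, meta.whitelist and meta.remove columns of an intel input file set; the script form just makes the effect of each visible in one run, with intel.log and notice.log showing the outcome.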

Detailed Interface

policy/frameworks/intel/seen/__load__.zeek

Imports

policy/frameworks/intel/seen/conn-established.zeek, policy/frameworks/intel/seen/dns.zeek, policy/frameworks/intel/seen/file-hashes.zeek, policy/frameworks/intel/seen/file-names.zeek, policy/frameworks/intel/seen/http-headers.zeek, policy/frameworks/intel/seen/http-url.zeek, policy/frameworks/intel/seen/pubkey-hashes.zeek, policy/frameworks/intel/seen/smb-filenames.zeek, policy/frameworks/intel/seen/smtp-url-extraction.zeek, policy/frameworks/intel/seen/smtp.zeek, policy/frameworks/intel/seen/ssl.zeek, policy/frameworks/intel/seen/x509.zeek

Summary
Detailed Interface

policy/frameworks/intel/seen/conn-established.zeek

Imports

base/frameworks/intel, policy/frameworks/intel/seen/where-locations.zeek

Summary
Detailed Interface

policy/frameworks/intel/seen/where-locations.zeek

Imports

base/frameworks/intel

Summary
Redefinitions

Intel::Where: enum

Detailed Interface

policy/frameworks/intel/seen/dns.zeek

Imports

base/frameworks/intel, policy/frameworks/intel/seen/where-locations.zeek

Summary
Detailed Interface

policy/frameworks/intel/seen/file-hashes.zeek

Imports

base/frameworks/intel, policy/frameworks/intel/seen/where-locations.zeek

Summary
Detailed Interface

policy/frameworks/intel/seen/file-names.zeek

Imports

base/frameworks/intel, policy/frameworks/intel/seen/where-locations.zeek

Summary
Detailed Interface

policy/frameworks/intel/seen/http-headers.zeek

Imports

base/frameworks/intel, base/utils/addrs.zeek, policy/frameworks/intel/seen/where-locations.zeek

Summary
Detailed Interface

policy/frameworks/intel/seen/http-url.zeek

Imports

base/frameworks/intel, base/protocols/http/utils.zeek, policy/frameworks/intel/seen/where-locations.zeek

Summary
Detailed Interface

policy/frameworks/intel/seen/pubkey-hashes.zeek

Imports

base/frameworks/intel, base/protocols/ssh, policy/frameworks/intel/seen/where-locations.zeek

Summary
Detailed Interface

policy/frameworks/intel/seen/ssl.zeek

Imports

base/frameworks/intel, base/protocols/ssl, policy/frameworks/intel/seen/where-locations.zeek

Summary
Detailed Interface

policy/frameworks/intel/seen/smb-filenames.zeek

Imports

base/frameworks/intel, base/protocols/smb, policy/frameworks/intel/seen/where-locations.zeek

Summary
Detailed Interface

policy/frameworks/intel/seen/smtp.zeek

Imports

base/frameworks/intel, base/protocols/smtp, base/utils/email.zeek, policy/frameworks/intel/seen/where-locations.zeek

Summary
Detailed Interface

policy/frameworks/intel/seen/smtp-url-extraction.zeek

Imports

base/frameworks/intel, base/protocols/smtp, base/utils/urls.zeek, policy/frameworks/intel/seen/where-locations.zeek

Summary
Detailed Interface

policy/frameworks/intel/seen/x509.zeek

Intel
Namespace

Intel

Imports

base/files/x509, base/frameworks/intel, policy/frameworks/intel/seen/where-locations.zeek

Summary
Runtime Options

Intel::enable_x509_ext_subject_alternative_name: bool &redef

Enables the extraction of subject alternative names from the X509 SAN DNS field.

Detailed Interface
Runtime Options
Intel::enable_x509_ext_subject_alternative_name
Type

bool

Attributes

&redef

Default

T

Enables the extraction of subject alternative names from the X509 SAN DNS field.

policy/frameworks/netcontrol/catch-and-release.zeek

NetControl

Implementation of catch-and-release functionality for NetControl.

Namespace

NetControl

Imports

base/frameworks/cluster, base/frameworks/netcontrol

Summary
Runtime Options

NetControl::catch_release_warn_blocked_ip_encountered: bool &redef

If true, catch and release warns if packets of an IP address are still seen after it should have been blocked.

Redefinable Options

NetControl::catch_release_intervals: vector &redef

Time intervals for which subsequent drops of the same IP take effect.

NetControl::watch_connections: bool &redef

If true, catch_release_seen is called on the connection originator in new_connection, connection_established, partial_connection, connection_attempt, connection_rejected, connection_reset and connection_pending.

Types

NetControl::BlockInfo: record

This record is used for storing information about current blocks that are part of catch and release.

NetControl::CatchReleaseActions: enum

The enum that contains the different kinds of messages that are logged by catch and release.

NetControl::CatchReleaseInfo: record

The record type that is used for representing and logging

Redefinitions

Log::ID: enum

Events

NetControl::catch_release_add: event

NetControl::catch_release_block_delete: event

NetControl::catch_release_block_new: event

NetControl::catch_release_delete: event

NetControl::catch_release_encountered: event

NetControl::catch_release_forgotten: event

Event is raised when catch and release ceases management of an IP address because no activity was seen within the watch_until period.

NetControl::log_netcontrol_catch_release: event

Event that can be handled to access the NetControl::CatchReleaseInfo record as it is sent on to the logging framework.

Hooks

NetControl::log_policy_catch_release: Log::PolicyHook

Functions

NetControl::catch_release_seen: function

This function can be called to notify the catch and release script that activity by an IP address was seen.

NetControl::drop_address_catch_release: function

Stops all packets involving an IP address from being forwarded.

NetControl::get_catch_release_info: function

Get the NetControl::BlockInfo record for an address currently blocked by catch and release.

NetControl::unblock_address_catch_release: function

Removes an address from being watched with catch and release.
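The functions listed above in use, as an added example that is not part of Zeek: a script that reacts to Zeek's SSH brute-forcing notice by putting the guessing address under catch and release, with a shorter escalation ladder than the default intervals and a guard against blocking the site's own hosts. Assumptions beyond this page: the signature of NetControl::drop_address_catch_release (address plus an optional location string, returning a NetControl::BlockInfo) as found in catch-and-release.zeek, the SSH::Password_Guessing notice from policy/protocols/ssh/detect-bruteforcing.zeek, Site::is_local_addr from base/utils/site.zeek, the NetControl debug plugin, and the address range and file names, which are placeholders.

```zeek
# Added example (not Zeek's own code): escalating, self-expiring blocks for
# SSH password guessers via catch and release.
#   zeek -r traffic.pcap ./ssh-catch-release.zeek   (hypothetical names)

@load base/frameworks/netcontrol
@load base/frameworks/notice
@load base/utils/site
@load policy/frameworks/netcontrol/catch-and-release
@load policy/protocols/ssh/detect-bruteforcing

# Shorter ladder than the default [10.0 mins, 1.0 hr, 1.0 day, 7.0 days]:
# every re-block of the same address uses the next interval.
redef NetControl::catch_release_intervals = vector(5 min, 30 min, 6 hr, 2 days);

# Constructed local address space; used only to avoid blocking ourselves.
redef Site::local_nets += { 192.0.2.0/24 };

event zeek_init()
	{
	# Debug backend: logs what it would do instead of touching a device.
	# Swap in a real plugin (OpenFlow, acld, ...) for production use.
	NetControl::activate(NetControl::create_debug(T), 0);
	}

hook Notice::policy(n: Notice::Info)
	{
	if ( n$note != SSH::Password_Guessing || ! n?$src )
		return;

	# A scanner or misbehaving host inside the perimeter would otherwise get
	# our own systems blocked; handle those through a different process.
	if ( Site::is_local_addr(n$src) )
		return;

	# Signature assumed from catch-and-release.zeek:
	#   drop_address_catch_release(a: addr, location: string &default=""): BlockInfo
	local bi = NetControl::drop_address_catch_release(n$src, "ssh password guessing");

	print fmt("%s: interval %d, reblocked %d times, blocked until %s, watched until %s",
	          n$src, bi$current_interval, bi$num_reblocked,
	          bi?$block_until ? fmt("%s", bi$block_until) : "n/a",
	          bi$watch_until);
	}
```

Because NetControl::watch_connections defaults to T, any new connection from a watched address calls catch_release_seen automatically, so the re-block after the current interval expires needs no further code. Subsequent drops of the same address move along the interval vector, and an address that stays quiet past watch_until is forgotten, which is what the FORGOTTEN action in the catch-and-release log records.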

Detailed Interface
Runtime Options
NetControl::catch_release_warn_blocked_ip_encountered
Type

bool

Attributes

&redef

Default

F

If true, catch and release warns if packets of an IP address are still seen after it should have been blocked.

Redefinable Options
NetControl::catch_release_intervals
Type

vector of interval

Attributes

&redef

Default

[10.0 mins, 1.0 hr, 1.0 day, 7.0 days]

Time intervals for which subsequent drops of the same IP take effect.

NetControl::watch_connections
Type

bool

Attributes

&redef

Default

T

If true, catch_release_seen is called on the connection originator in new_connection, connection_established, partial_connection, connection_attempt, connection_rejected, connection_reset and connection_pending.

Types
NetControl::BlockInfo
Type

record

block_until: time &optional

Absolute time indicating until when a block is inserted using NetControl.

watch_until: time

Absolute time indicating until when an IP address is watched to reblock it.

num_reblocked: count &default = 0 &optional

Number of times an IP address was reblocked.

current_interval: count

Number indicating at which catch and release interval we currently are.

current_block_id: string

ID of the inserted block, if any.

location: string &optional

User specified string.

This record is used for storing information about current blocks that are part of catch and release.

NetControl::CatchReleaseActions
Type

enum

NetControl::INFO

Log lines marked with info are purely informational; no action was taken.

NetControl::ADDED

A rule for the specified IP address already existed in NetControl (outside of catch-and-release). Catch and release did not add a new rule, but is now watching the IP address and will add a new rule after the current rule expires.

NetControl::DROP_REQUESTED

A drop was requested by catch and release.

NetControl::DROPPED

An address was successfully blocked by catch and release.

NetControl::UNBLOCK

An address was unblocked after the timeout expired.

NetControl::FORGOTTEN

An address was forgotten because it did not reappear within the watch_until interval.

NetControl::SEEN_AGAIN

A watched IP address was seen again; catch and release will re-block it.

The enum that contains the different kinds of messages that are logged by catch and release.

NetControl::CatchReleaseInfo
Type

record

ts: time &log

The absolute time indicating when the action for this log-line occurred.

rule_id: string &log &optional

The rule id that this log line refers to.

ip: addr &log

The IP address that this line refers to.

action: NetControl::CatchReleaseActions &log

The action that was taken in this log-line.

block_interval: interval &log &optional

The current block_interval (for how long the address is blocked).

watch_interval: interval &log &optional

The current watch_interval (for how long the address will be watched and re-blocked if it reappears).

blocked_until: time &log &optional

The absolute time until which the address is blocked.

watched_until: time &log &optional

The absolute time until which the address will be monitored.

num_blocked: count &log &optional

Number of times that this address was blocked in the current cycle.

location: string &log &optional

The user specified location string.

message: string &log &optional

Additional informational string by the catch and release framework about this log-line.

The record type that is used for representing and logging

Events
NetControl::catch_release_add
Type

event (a: addr, location: string)

NetControl::catch_release_block_delete
Type

event (a: addr)

NetControl::catch_release_block_new
Type

event (a: addr, b: NetControl::BlockInfo)

NetControl::catch_release_delete
Type

event (a: addr, reason: string)

NetControl::catch_release_encountered
Type

event (a: addr)

NetControl::catch_release_forgotten
Type

event (a: addr, bi: NetControl::BlockInfo)

Event raised when catch and release ceases management of an IP address because no activity was seen within the watch_until period.

A

The address that is no longer being managed.

Bi

The NetControl::BlockInfo record containing information about the block.

NetControl::log_netcontrol_catch_release
Type

event (rec: NetControl::CatchReleaseInfo)

Event that can be handled to access the NetControl::CatchReleaseInfo record as it is sent on to the logging framework.

Hooks
NetControl::log_policy_catch_release
Type

Log::PolicyHook

Functions
NetControl::catch_release_seen
Type

function (a: addr) : void

This function can be called to notify the catch and release script that activity by an IP address was seen. If the respective IP address is currently monitored by catch and release and not blocked, the block will be reinstated. See the documentation of watch_new_connection for which events the catch and release functionality usually monitors for activity.

A

The address that was seen and should be re-dropped if it is being watched.

NetControl::drop_address_catch_release
Type

function (a: addr, location: string &default = "" &optional) : NetControl::BlockInfo

Stops all packets involving an IP address from being forwarded. This function uses catch-and-release functionality, where the IP address is only dropped for a short amount of time that is incremented steadily when the IP is encountered again.

In cluster mode, this function works on workers as well as the manager. On workers, the returned NetControl::BlockInfo record will not contain the block ID, which will be assigned on the manager.

A

The address to be dropped.

T

How long to drop it, with 0 being indefinitely.

Location

An optional string describing where the drop was triggered.

Returns

The NetControl::BlockInfo record containing information about the inserted block.

NetControl::get_catch_release_info
Type

function (a: addr) : NetControl::BlockInfo

Get the NetControl::BlockInfo record for an address currently blocked by catch and release. If the address is unknown to catch and release, the watch_until time will be set to 0.

In cluster mode, this function works on the manager and workers. On workers, the data will lag slightly behind the manager; if you add a block, it will not be instantly available via this function.

A

The address to get information about.

Returns

The NetControl::BlockInfo record containing information about the inserted block.

NetControl::unblock_address_catch_release
Type

function (a: addr, reason: string &default = "" &optional) : bool

Removes an address from being watched with catch and release. Returns true if the address was found and removed; returns false if it was unknown to catch and release.

If the address is currently blocked, and the block was inserted by catch and release, the block is removed.

A

The address to be unblocked.

Reason

A reason for the unblock.

Returns

True if the address was unblocked.
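
The catch-and-release interface above used together, as an added example that is not part of the Zeek distribution: a site policy that hands SSH brute-force sources to catch and release with a shortened interval ladder, logs the returned NetControl::BlockInfo, and handles the forgotten event. It assumes the debug NetControl backend stands in for a real enforcement plugin and that SSH::Password_Guessing from policy/protocols/ssh/detect-bruteforcing is loaded.

```zeek
@load base/frameworks/netcontrol
@load policy/frameworks/netcontrol/catch-and-release
@load policy/protocols/ssh/detect-bruteforcing

# Assumed site policy: escalate 5 min -> 30 min -> 6 hr -> 7 days instead of
# the default [10 mins, 1 hr, 1 day, 7 days].
redef NetControl::catch_release_intervals = vector(5 mins, 30 mins, 6 hrs, 7 days);

# Surface enforcement failures: if packets from an address that should be
# blocked are still seen, catch and release reports it.
redef NetControl::catch_release_warn_blocked_ip_encountered = T;

event NetControl::init()
	{
	# The debug plugin only records rules in netcontrol.log; a deployment
	# would activate a real backend (OpenFlow, acld, ...) here instead.
	local backend = NetControl::create_debug(T);
	NetControl::activate(backend, 0);
	}

# Hand SSH brute-force sources to catch and release rather than blocking them
# permanently: the first drop is short, and only addresses that come back
# climb the interval ladder.
hook Notice::policy(n: Notice::Info)
	{
	if ( n$note != SSH::Password_Guessing || ! n?$src )
		return;

	local bi = NetControl::drop_address_catch_release(n$src, "ssh brute force");

	# block_until is &optional: on a cluster worker the block ID is assigned
	# by the manager, so the returned record may not carry it yet.
	if ( bi?$block_until )
		Reporter::info(fmt("catch-and-release: %s blocked until %s (interval index %d)",
		                   n$src, strftime("%Y-%m-%d %H:%M:%S", bi$block_until),
		                   bi$current_interval));
	else
		Reporter::info(fmt("catch-and-release: drop requested for %s", n$src));
	}

# Fires once an address stayed quiet for the whole watch_until period and is
# dropped from the watch list; a useful signal for how often blocks recur.
event NetControl::catch_release_forgotten(a: addr, bi: NetControl::BlockInfo)
	{
	Reporter::info(fmt("catch-and-release: %s no longer managed after %d re-block(s)",
	                   a, bi$num_reblocked));
	}
```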

policy/frameworks/files/detect-MHR.zeek

TeamCymruMalwareHashRegistry

Detect file downloads that have hash values matching files in Team Cymru’s Malware Hash Registry (https://www.team-cymru.com/mhr.html).

Namespace

TeamCymruMalwareHashRegistry

Imports

base/frameworks/files, base/frameworks/notice, policy/frameworks/files/hash-all-files.zeek

Summary
Runtime Options

TeamCymruMalwareHashRegistry::match_file_types: pattern &redef

File types to attempt matching against the Malware Hash Registry.

TeamCymruMalwareHashRegistry::match_sub_url: string &redef

The Match notice has a sub message with a URL where you can get more information about the file.

TeamCymruMalwareHashRegistry::notice_threshold: count &redef

The malware hash registry runs each malware sample through several A/V engines.

Redefinitions

Notice::Type: enum

Detailed Interface
Runtime Options
TeamCymruMalwareHashRegistry::match_file_types
Type

pattern

Attributes

&redef

Default
/^?((^?((^?((^?((^?((^?((^?(application\/x-dosexec)$?)|(^?(application\/vnd.ms-cab-compressed)$?))$?)|(^?(application\/pdf)$?))$?)|(^?(application\/x-shockwave-flash)$?))$?)|(^?(application\/x-java-applet)$?))$?)|(^?(application\/jar)$?))$?)|(^?(video\/mp4)$?))$?/

File types to attempt matching against the Malware Hash Registry.

TeamCymruMalwareHashRegistry::match_sub_url
Type

string

Attributes

&redef

Default

"https://www.virustotal.com/gui/search/%s"

The Match notice has a sub message with a URL where you can get more information about the file. The %s will be replaced with the SHA-1 hash of the file.

TeamCymruMalwareHashRegistry::notice_threshold
Type

count

Attributes

&redef

Default

10

The malware hash registry runs each malware sample through several A/V engines. Team Cymru returns a percentage to indicate how many A/V engines flagged the sample as malicious. This threshold allows you to require a minimum detection rate.

policy/frameworks/files/hash-all-files.zeek

Perform MD5 and SHA1 hashing on all files.

Imports

base/files/hash

Summary
Detailed Interface

policy/frameworks/files/entropy-test-all-files.zeek

Files
Namespace

Files

Summary
Redefinitions

Files::Info: record &redef

New Fields

Files::Info

entropy: double &log &optional

The information density of the contents of the file, expressed as a number of bits per character.

Detailed Interface

policy/frameworks/notice/__load__.zeek

Imports

policy/frameworks/notice/extend-email/hostnames.zeek

Summary
Detailed Interface

policy/frameworks/notice/extend-email/hostnames.zeek

Notice

Loading this script extends the Notice::ACTION_EMAIL action by appending to the email the hostnames associated with Notice::Info’s src and dst fields as determined by a DNS lookup.

Namespace

Notice

Imports

base/frameworks/notice/main.zeek

Summary
Detailed Interface

policy/frameworks/notice/actions/drop.zeek

Notice

This script extends the built-in notice code to implement the IP address dropping functionality.

Namespace

Notice

Imports

base/frameworks/netcontrol, base/frameworks/notice/main.zeek, policy/frameworks/netcontrol/catch-and-release.zeek

Summary
Redefinitions

Notice::Info: record

New Fields

Notice::Info

dropped: bool &log &default = F &optional

Indicate if the $src IP address was dropped and denied network access.

Detailed Interface

policy/files/unified2/__load__.zeek

Imports

policy/files/unified2/main.zeek

Summary
Detailed Interface

policy/files/unified2/main.zeek

Unified2
Namespace

Unified2

Imports

base/utils/dir.zeek, base/utils/paths.zeek

Summary
Redefinable Options

Unified2::classification_config: string &redef

The classification.config file you would like to use for your alerts.

Unified2::gen_msg: string &redef

The gen-msg.map file you would like to use for your alerts.

Unified2::sid_msg: string &redef

The sid-msg.map file you would like to use for your alerts.

Unified2::watch_dir: string &redef

Directory to watch for Unified2 records.

Unified2::watch_file: string &redef

File to watch for Unified2 files.

Types

Unified2::Info: record &log

Unified2::PacketID: record &log

Redefinitions

Log::ID: enum

fa_file: record &redef

New Fields

fa_file

u2_events: table [count] of Unified2::IDSEvent &optional &create_expire = 5.0 secs &expire_func = function

Recently received IDS events.

Events

Unified2::alert: event

Reconstructed “alert” which combines related events and packets.

Unified2::log_unified2: event

The event for accessing logged records.

Hooks

Unified2::log_policy: Log::PolicyHook

Detailed Interface
Redefinable Options
Unified2::classification_config
Type

string

Attributes

&redef

Default

""

The classification.config file you would like to use for your alerts.

Unified2::gen_msg
Type

string

Attributes

&redef

Default

""

The gen-msg.map file you would like to use for your alerts.

Unified2::sid_msg
Type

string

Attributes

&redef

Default

""

The sid-msg.map file you would like to use for your alerts.

Unified2::watch_dir
Type

string

Attributes

&redef

Default

""

Directory to watch for Unified2 records.

Unified2::watch_file
Type

string

Attributes

&redef

Default

""

File to watch for Unified2 files.

Types
Unified2::Info
Type

record

ts: time &log

Timestamp attached to the alert.

id: Unified2::PacketID &log

Addresses and ports for the connection.

sensor_id: count &log

Sensor that originated this event.

signature_id: count &log

Sig id for this generator.

signature: string &optional &log

A string representation of the signature_id field if a sid_msg.map file was loaded.

generator_id: count &log

Which generator generated the alert?

generator: string &optional &log

A string representation of the generator_id field if a gen_msg.map file was loaded.

signature_revision: count &log

Sig revision for this id.

classification_id: count &log

Event classification.

classification: string &optional &log

Descriptive classification string.

priority_id: count &log

Event priority.

event_id: count &log

Event ID.

packet: string &optional &log

Some of the packet data.

Attributes

&log

Unified2::PacketID
Type

record

src_ip: addr &log

src_p: port &log

dst_ip: addr &log

dst_p: port &log

Attributes

&log

Events
Unified2::alert
Type

event (f: fa_file, ev: Unified2::IDSEvent, pkt: Unified2::Packet)

Reconstructed “alert” which combines related events and packets.

Unified2::log_unified2
Type

event (rec: Unified2::Info)

The event for accessing logged records.

Hooks
Unified2::log_policy
Type

Log::PolicyHook

policy/files/x509/disable-certificate-events-known-certs.zeek

DisableX509Events

This script disables repeat certificate events for hosts for which the same certificate was seen in the recent past.

This script specifically plugs into the event caching mechanism that is set up by the base X509 script certificate-event-cache.zeek. It adds another layer of tracking that checks if the same certificate was seen for the server IP address before, when the same SNI was used to connect. If the certificate is in the event cache and all of these conditions apply, then no certificate related events will be raised.

Please note that while this optimization can lead to a considerable reduction of load in some settings, it also means that certain detection scripts that rely on the certificate events being raised no longer work, since the events will not be raised for all connections.

Currently this script only works for X509 certificates that are sent via SSL/TLS connections.

If you use any script that requires certificate events for each single connection, you should not load this script.

Namespace

DisableX509Events

Imports

base/files/x509, base/protocols/ssl

Summary
Redefinitions

SSL::Info: record

New Fields

SSL::Info

always_raise_x509_events: bool &default = F &optional

Set to true to force certificate events to always be raised for this connection.

X509::Info: record

New Fields

X509::Info

always_raise_x509_events: bool &default = F &optional

Set to true to force certificate events to always be raised for this certificate.

X509::certificate_cache_max_entries: count &redef

Let’s be a bit more generous with the number of certificates that we allow to be put into the cache.

Detailed Interface

policy/files/x509/log-ocsp.zeek

Summary
Detailed Interface

policy/frameworks/packet-filter/shunt.zeek

PacketFilter
Namespace

PacketFilter

Imports

base/frameworks/notice, base/frameworks/packet-filter

Summary
Redefinable Options

PacketFilter::max_bpf_shunts: count &redef

The maximum number of BPF based shunts that Zeek is allowed to perform.

Redefinitions

Notice::Type: enum

Functions

PacketFilter::current_shunted_conns: function

Retrieve the currently shunted connections.

PacketFilter::current_shunted_host_pairs: function

Retrieve the currently shunted host pairs.

PacketFilter::force_unshunt_host_pair: function

Performs the same function as the PacketFilter::unshunt_host_pair function, but it forces an immediate filter update.

PacketFilter::shunt_conn: function

Call this function to use BPF to shunt a connection (to prevent the data packets from reaching Zeek).

PacketFilter::shunt_host_pair: function

This function will use a BPF expression to shunt traffic between the two hosts given in the conn_id so that the traffic is never exposed to Zeek’s traffic processing.

PacketFilter::unshunt_host_pair: function

Remove shunting for a host pair given as a conn_id.

Detailed Interface
Redefinable Options
PacketFilter::max_bpf_shunts
Type

count

Attributes

&redef

Default

100

The maximum number of BPF based shunts that Zeek is allowed to perform.

Functions
PacketFilter::current_shunted_conns
Type

function () : set [conn_id]

Retrieve the currently shunted connections.

PacketFilter::current_shunted_host_pairs
Type

function () : set [conn_id]

Retrieve the currently shunted host pairs.

PacketFilter::force_unshunt_host_pair
Type

function (id: conn_id) : bool

Performs the same function as the PacketFilter::unshunt_host_pair function, but it forces an immediate filter update.

PacketFilter::shunt_conn
Type

function (id: conn_id) : bool

Call this function to use BPF to shunt a connection (to prevent the data packets from reaching Zeek). For TCP connections, control packets are still allowed through so that Zeek can continue logging the connection and it can stop shunting once the connection ends.

PacketFilter::shunt_host_pair
Type

function (id: conn_id) : bool

This function will use a BPF expression to shunt traffic between the two hosts given in the conn_id so that the traffic is never exposed to Zeek’s traffic processing.

PacketFilter::unshunt_host_pair
Type

function (id: conn_id) : bool

Remove shunting for a host pair given as a conn_id. The filter is not immediately removed. It waits for the occasional filter update done by the PacketFilter framework.
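
One way to use the shunting functions above, as an added example that is not part of the Zeek distribution: connections to a constructed set of bulk-transfer servers are shunted once established, and a refused shunt (the max_bpf_shunts limit) is reported rather than silently ignored. The server addresses and the raised limit are assumptions for this site.

```zeek
@load policy/frameworks/packet-filter/shunt

# Constructed example: hosts whose bulk transfers (backups, replication) are
# known and high-volume; inspecting their payload buys nothing but load.
const bulk_transfer_servers: set[addr] = { 10.0.5.20, 10.0.5.21 } &redef;

# Raise the default of 100 active BPF shunts (assumed site value).
redef PacketFilter::max_bpf_shunts = 200;

event connection_established(c: connection)
	{
	if ( c$id$resp_h !in bulk_transfer_servers )
		return;

	# shunt_conn keeps TCP control packets flowing, so conn.log still
	# records the connection and the shunt is lifted when it ends.
	# Anything that needs the payload (file extraction, signatures) will
	# not see this connection from here on.
	if ( ! PacketFilter::shunt_conn(c$id) )
		Reporter::warning(fmt("shunt refused for %s (active shunts: %d, limit %d)",
		                      c$uid, |PacketFilter::current_shunted_conns()|,
		                      PacketFilter::max_bpf_shunts));
	}
```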

policy/frameworks/software/version-changes.zeek

Software

Provides the possibility to define software names that are interesting to watch for changes. A notice is generated if software versions change on a host.

Namespace

Software

Imports

base/frameworks/notice, base/frameworks/software

Summary
Runtime Options

Software::interesting_version_changes: set &redef

Some software is more interesting when the version changes and this is a set of all software that should raise a notice when a different version is seen on a host.

Redefinitions

Notice::Type: enum

Detailed Interface
Runtime Options
Software::interesting_version_changes
Type

set [string]

Attributes

&redef

Default

{}

Some software is more interesting when the version changes and this is a set of all software that should raise a notice when a different version is seen on a host.

policy/frameworks/software/vulnerable.zeek

Software

Provides a variable to define vulnerable versions of software and if a version of that software is as old or older than the defined version a notice will be generated.

Namespace

Software

Imports

base/frameworks/control, base/frameworks/notice, base/frameworks/software

Summary
Runtime Options

Software::vulnerable_versions_update_endpoint: string &redef

The DNS zone where runtime vulnerable software updates will be loaded from.

Software::vulnerable_versions_update_interval: interval &redef

The interval at which vulnerable versions should grab updates over DNS.

Redefinable Options

Software::vulnerable_versions: table &redef

This is a table of software versions indexed by the name of the software and a set of version ranges that are declared to be vulnerable for that software.

Types

Software::VulnerableVersionRange: record

Redefinitions

Notice::Type: enum

Detailed Interface
Runtime Options
Software::vulnerable_versions_update_endpoint
Type

string

Attributes

&redef

Default

""

The DNS zone where runtime vulnerable software updates will be loaded from.

Software::vulnerable_versions_update_interval
Type

interval

Attributes

&redef

Default

1.0 hr

The interval at which vulnerable versions should grab updates over DNS.

Redefinable Options
Software::vulnerable_versions
Type

table [string] of set [Software::VulnerableVersionRange]

Attributes

&redef

Default

{}

This is a table of software versions indexed by the name of the software and a set of version ranges that are declared to be vulnerable for that software.

Types
Software::VulnerableVersionRange
Type

record

min: Software::Version &optional

The minimal version of a vulnerable version range. This field can be undefined if all previous versions of a piece of software are vulnerable.

max: Software::Version

The maximum vulnerable version. This field is deliberately not optional because a maximum vulnerable version must always be defined. This assumption may become incorrect if all future versions of some software are to be considered vulnerable. :)
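
The vulnerable_versions table and interesting_version_changes set populated together, as an added example that is not part of the Zeek distribution: one range with no min (everything up to max) and one bounded range, plus a Notice::policy hook that e-mails both notice types these scripts define. The version ranges are constructed for illustration and are not real advisories; e-mail delivery assumes Notice::mail_dest is configured.

```zeek
@load policy/frameworks/software/vulnerable
@load policy/frameworks/software/version-changes

# Constructed ranges for illustration only, not real advisories.
# A range with no $min covers every version up to and including $max.
const ssh_legacy_range: Software::VulnerableVersionRange =
	[$max=[$major=7, $minor=3]];

# A bounded range covers exactly one line of releases.
const ssh_80_range: Software::VulnerableVersionRange =
	[$min=[$major=8, $minor=0, $minor2=0], $max=[$major=8, $minor=0, $minor2=3]];

# Keyed by the software name as the Software framework reports it.
redef Software::vulnerable_versions += {
	["OpenSSH"] = set(ssh_legacy_range, ssh_80_range),
};

# Any version change of these products on a host raises a notice.
redef Software::interesting_version_changes += { "OpenSSH", "nginx" };

# Escalate both notice types to e-mail (Notice::mail_dest is assumed to be
# set); other notices keep their default handling.
hook Notice::policy(n: Notice::Info)
	{
	if ( n$note == Software::Vulnerable_Version ||
	     n$note == Software::Software_Version_Change )
		add n$actions[Notice::ACTION_EMAIL];
	}
```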

policy/frameworks/software/windows-version-detection.zeek

OS

Windows systems access a Microsoft Certificate Revocation List (CRL) periodically. The user agent for these requests reveals which version of Crypt32.dll is installed on the system, which can uniquely identify the version of Windows that’s running.

This script will log the version of Windows that was identified to the Software framework.

Namespace

OS

Imports

base/frameworks/software, base/protocols/http

Summary
Redefinable Options

OS::crypto_api_mapping: table &redef

Types

Software::name_and_version: record

Redefinitions

Software::Type: enum

  • OS::WINDOWS: Identifier for Windows operating system versions

Detailed Interface
Redefinable Options
OS::crypto_api_mapping
Type

table [string] of Software::name_and_version

Attributes

&redef

Default
{
   ["Microsoft-CryptoAPI/5.131.3790.1830"] = [name="Windows", version=[major=5, minor=131, minor2=3790, minor3=1830, addl="XP x64 or Server 2003 SP1"]],
   ["Microsoft-CryptoAPI/5.131.2600.3249"] = [name="Windows", version=[major=5, minor=131, minor2=2600, minor3=3249, addl="XP SP3 RC Beta"]],
   ["Microsoft-CryptoAPI/5.131.2600.5508"] = [name="Windows", version=[major=5, minor=131, minor2=2600, minor3=5508, addl="XP SP3 RC2 Update 2"]],
   ["Microsoft-CryptoAPI/5.131.2600.3180"] = [name="Windows", version=[major=5, minor=131, minor2=2600, minor3=3180, addl="XP SP3 Beta 1"]],
   ["Microsoft-CryptoAPI/5.131.2600.3264"] = [name="Windows", version=[major=5, minor=131, minor2=2600, minor3=3264, addl="XP SP3 RC1"]],
   ["Microsoft-CryptoAPI/6.2"] = [name="Windows", version=[major=6, minor=2, minor2=<uninitialized>, minor3=<uninitialized>, addl="8 or Server 2012"]],
   ["Microsoft-CryptoAPI/5.131.2600.3282"] = [name="Windows", version=[major=5, minor=131, minor2=2600, minor3=3282, addl="XP SP3 RC1 Update"]],
   ["Microsoft-CryptoAPI/5.131.3790.5235"] = [name="Windows", version=[major=5, minor=131, minor2=3790, minor3=5235, addl="XP x64 or Server 2003 with MS13-095"]],
   ["Microsoft-CryptoAPI/6.4"] = [name="Windows", version=[major=6, minor=4, minor2=<uninitialized>, minor3=<uninitialized>, addl="10 Technical Preview"]],
   ["Microsoft-CryptoAPI/5.131.2600.0"] = [name="Windows", version=[major=5, minor=131, minor2=2600, minor3=0, addl="XP SP0"]],
   ["Microsoft-CryptoAPI/5.131.2600.5512"] = [name="Windows", version=[major=5, minor=131, minor2=2600, minor3=5512, addl="XP SP3"]],
   ["Microsoft-CryptoAPI/5.131.2195.6661"] = [name="Windows", version=[major=5, minor=131, minor2=2195, minor3=6661, addl="2000 SP4"]],
   ["Microsoft-CryptoAPI/5.131.2195.6926"] = [name="Windows", version=[major=5, minor=131, minor2=2195, minor3=6926, addl="2000 with Hotfix 98830"]],
   ["Microsoft-CryptoAPI/6.0"] = [name="Windows", version=[major=6, minor=0, minor2=<uninitialized>, minor3=<uninitialized>, addl="Vista or Server 2008"]],
   ["Microsoft-CryptoAPI/5.131.3790.0"] = [name="Windows", version=[major=5, minor=131, minor2=3790, minor3=0, addl="XP x64 or Server 2003 SP0"]],
   ["Microsoft-CryptoAPI/6.3"] = [name="Windows", version=[major=6, minor=3, minor2=<uninitialized>, minor3=<uninitialized>, addl="8.1 or Server 2012 R2"]],
   ["Microsoft-CryptoAPI/5.131.2600.3205"] = [name="Windows", version=[major=5, minor=131, minor2=2600, minor3=3205, addl="XP SP3 Beta 2"]],
   ["Microsoft-CryptoAPI/5.131.2600.1106"] = [name="Windows", version=[major=5, minor=131, minor2=2600, minor3=1106, addl="XP SP1"]],
   ["Microsoft-CryptoAPI/5.131.2600.2180"] = [name="Windows", version=[major=5, minor=131, minor2=2600, minor3=2180, addl="XP SP2"]],
   ["Microsoft-CryptoAPI/5.131.2195.6824"] = [name="Windows", version=[major=5, minor=131, minor2=2195, minor3=6824, addl="2000 with MS04-11"]],
   ["Microsoft-CryptoAPI/5.131.2600.3300"] = [name="Windows", version=[major=5, minor=131, minor2=2600, minor3=3300, addl="XP SP3 RC2"]],
   ["Microsoft-CryptoAPI/6.1"] = [name="Windows", version=[major=6, minor=1, minor2=<uninitialized>, minor3=<uninitialized>, addl="7 or Server 2008 R2"]],
   ["Microsoft-CryptoAPI/10.0"] = [name="Windows", version=[major=10, minor=0, minor2=<uninitialized>, minor3=<uninitialized>, addl=<uninitialized>]],
   ["Microsoft-CryptoAPI/5.131.2600.3311"] = [name="Windows", version=[major=5, minor=131, minor2=2600, minor3=3311, addl="XP SP3 RC2 Update"]],
   ["Microsoft-CryptoAPI/5.131.3790.3959"] = [name="Windows", version=[major=5, minor=131, minor2=3790, minor3=3959, addl="XP x64 or Server 2003 SP2"]]
}
Types
Software::name_and_version
Type

record

name: string

version: Software::Version

policy/integration/barnyard2/__load__.zeek

Imports

policy/integration/barnyard2/main.zeek, policy/integration/barnyard2/types.zeek

Summary
Detailed Interface

policy/integration/barnyard2/types.zeek

Barnyard2

This file is separate from the base script so that dependencies can be loaded in the correct order.

Namespace

Barnyard2

Summary
Types

Barnyard2::AlertData: record &log

Barnyard2::PacketID: record &log

Events

Barnyard2::barnyard_alert: event

This is the event that Barnyard2 instances will send if they’re configured with the bro_alert output plugin.

Detailed Interface
Types
Barnyard2::AlertData
Type

record

sensor_id: count &log

Sensor that originated this event.

ts: time &log

Timestamp attached to the alert.

signature_id: count &log

Sig id for this generator.

generator_id: count &log

Which generator generated the alert?

signature_revision: count &log

Sig revision for this id.

classification_id: count &log

Event classification.

classification: string &log

Descriptive classification string.

priority_id: count &log

Event priority.

event_id: count &log

Event ID.

Attributes

&log

Barnyard2::PacketID
Type

record

src_ip: addr &log

src_p: port &log

dst_ip: addr &log

dst_p: port &log

Attributes

&log

Events
Barnyard2::barnyard_alert
Type

event (id: Barnyard2::PacketID, alert: Barnyard2::AlertData, msg: string, data: string)

This is the event that Barnyard2 instances will send if they’re configured with the bro_alert output plugin.

policy/integration/barnyard2/main.zeek

Barnyard2

This script lets Barnyard2 integrate with Zeek. It receives alerts from Barnyard2 and logs them. In the future it will do more correlation and derive new notices from the alerts.

Namespace

Barnyard2

Imports

policy/integration/barnyard2/types.zeek

Summary
Types

Barnyard2::Info: record

Redefinitions

Log::ID: enum

Hooks

Barnyard2::log_policy: Log::PolicyHook

Functions

Barnyard2::pid2cid: function

This can convert a Barnyard Barnyard2::PacketID value to a conn_id value in the case that you might need to index into an existing data structure elsewhere within Zeek.

Detailed Interface
Types
Barnyard2::Info
Type

record

ts: time &log

Timestamp of the alert.

pid: Barnyard2::PacketID &log

Associated packet ID.

alert: Barnyard2::AlertData &log

Associated alert data.

Hooks
Barnyard2::log_policy
Type

Log::PolicyHook

Functions
Barnyard2::pid2cid
Type

function (p: Barnyard2::PacketID) : conn_id

This can convert a Barnyard Barnyard2::PacketID value to a conn_id value in the case that you might need to index into an existing data structure elsewhere within Zeek.

policy/integration/collective-intel/__load__.zeek

Imports

policy/integration/collective-intel/main.zeek

Summary
Detailed Interface

policy/integration/collective-intel/main.zeek

Intel
Namespace

Intel

Imports

base/frameworks/intel

Summary
Types

Intel::CIF: record

CIF record used for consistent formatting of CIF values.

Redefinitions

Intel::Info: record

New Fields

Intel::Info

cif: Intel::CIF &log &optional

Intel::MetaData: record

This file adds mapping between the Collective Intelligence Framework (CIF) and Zeek.

New Fields

Intel::MetaData

cif_tags: string &optional

Maps to the ‘tags’ field in CIF.

cif_confidence: double &optional

Maps to the ‘confidence’ field in CIF.

cif_source: string &optional

Maps to the ‘source’ field in CIF.

cif_description: string &optional

Maps to the ‘description’ field in CIF.

cif_firstseen: string &optional

Maps to the ‘firstseen’ field in CIF.

cif_lastseen: string &optional

Maps to the ‘lastseen’ field in CIF.

Detailed Interface
Types
Intel::CIF
Type

record

tags: string &optional &log

CIF tags for the observation; example tags are botnet or exploit.

confidence: double &optional &log

In CIF, confidence details the degree of certainty of a given observation.

source: string &optional &log

Source given in CIF.

description: string &optional &log

Description given in CIF.

firstseen: string &optional &log

First time the source observed the behavior.

lastseen: string &optional &log

Last time the source observed the behavior.

CIF record used for consistent formatting of CIF values.

policy/misc/capture-loss.zeek

CaptureLoss

This script logs evidence regarding the degree to which the packet capture process suffers from measurement loss. The loss could be due to overload on the host or NIC performing the packet capture or it could even be beyond the host. If you are capturing from a switch with a SPAN port, it’s very possible that the switch itself could be overloaded and dropping packets. Reported loss is computed in terms of the number of “gap events” (ACKs for a sequence number that’s above a gap).

Namespace

CaptureLoss

Imports

base/frameworks/notice

Summary
Runtime Options

CaptureLoss::initial_watch_interval: interval &redef

For faster feedback on cluster health, the first capture loss report is generated this many minutes after startup.

CaptureLoss::minimum_acks: count &redef

The minimum number of ACKs expected for a single peer in a watch interval.

CaptureLoss::too_much_loss: double &redef

The percentage of missed data that is considered “too much” when the CaptureLoss::Too_Much_Loss notice should be generated.

CaptureLoss::watch_interval: interval &redef

The interval at which capture loss reports are created in a running cluster (that is, after the first report).

Types

CaptureLoss::Info: record

Redefinitions

Log::ID: enum

Notice::Type: enum

Hooks

CaptureLoss::log_policy: Log::PolicyHook

Detailed Interface
Runtime Options
CaptureLoss::initial_watch_interval
Type

interval

Attributes

&redef

Default

1.0 min

For faster feedback on cluster health, the first capture loss report is generated this many minutes after startup.

CaptureLoss::minimum_acks
Type

count

Attributes

&redef

Default

1

The minimum number of ACKs expected for a single peer in a watch interval. If the number seen is less than this, CaptureLoss::Too_Little_Traffic is raised.

CaptureLoss::too_much_loss
Type

double

Attributes

&redef

Default

0.1

The percentage of missed data that is considered “too much” when the CaptureLoss::Too_Much_Loss notice should be generated. The value is expressed as a double between 0 and 1 with 1 being 100%.

CaptureLoss::watch_interval
Type

interval

Attributes

&redef

Default

15.0 mins

The interval at which capture loss reports are created in a running cluster (that is, after the first report).

Types
CaptureLoss::Info
Type

record

ts: time &log

Timestamp for when the measurement occurred.

ts_delta: interval &log

The time delay between this measurement and the last.

peer: string &log

In the event that there are multiple Zeek instances logging to the same host, this distinguishes each peer with its individual name.

gaps: count &log

Number of missed ACKs from the previous measurement interval.

acks: count &log

Total number of ACKs seen in the previous measurement interval.

percent_lost: double &log

Percentage of ACKs seen where the data being ACKed wasn’t seen.

Hooks
CaptureLoss::log_policy
Type

Log::PolicyHook

policy/misc/detect-traceroute/__load__.zeek

Imports

policy/misc/detect-traceroute/main.zeek

Summary
Detailed Interface

policy/misc/detect-traceroute/main.zeek

Traceroute

This script detects a large number of ICMP Time Exceeded messages heading toward hosts that have sent low TTL packets. It generates a notice when the number of ICMP Time Exceeded messages for a source-destination pair exceeds a threshold.

Namespace

Traceroute

Imports

base/frameworks/signatures, base/frameworks/sumstats

Summary
Redefinable Options

Traceroute::icmp_time_exceeded_interval: interval &redef

Interval over which ICMP Time Exceeded messages are counted towards Traceroute::icmp_time_exceeded_threshold.

Traceroute::icmp_time_exceeded_threshold: double &redef

Defines the threshold for ICMP Time Exceeded messages for a src-dst pair.

Traceroute::require_low_ttl_packets: bool &redef

By default this script requires that any host detected running traceroutes first send low TTL packets (TTL < 10) to the traceroute destination host.

Types

Traceroute::Info: record

The log record for the traceroute log.

Redefinitions

Log::ID: enum

Notice::Type: enum

Signatures::ignored_ids: pattern &redef

Events

Traceroute::log_traceroute: event

Hooks

Traceroute::log_policy: Log::PolicyHook

Detailed Interface
Redefinable Options
Traceroute::icmp_time_exceeded_interval
Type

interval

Attributes

&redef

Default

3.0 mins

Interval over which ICMP Time Exceeded messages are counted towards Traceroute::icmp_time_exceeded_threshold. At the end of each interval the counter is reset.

Traceroute::icmp_time_exceeded_threshold
Type

double

Attributes

&redef

Default

3.0

Defines the threshold for ICMP Time Exceeded messages for a src-dst pair. This threshold only comes into play after a host is found to be sending low TTL packets.

Traceroute::require_low_ttl_packets
Type

bool

Attributes

&redef

Default

T

By default this script requires that any host detected running traceroutes first send low TTL packets (TTL < 10) to the traceroute destination host. Changing this setting to F will relax the detection a bit by solely relying on ICMP time-exceeded messages to detect traceroute.

Types
Traceroute::Info
Type

record

ts: time &log

Timestamp

src: addr &log

Address initiating the traceroute.

dst: addr &log

Destination address of the traceroute.

proto: string &log

Protocol used for the traceroute.

The log record for the traceroute log.

Events
Traceroute::log_traceroute
Type

event (rec: Traceroute::Info)

Hooks
Traceroute::log_policy
Type

Log::PolicyHook

policy/misc/load-balancing.zeek

LoadBalancing

This script implements the “Zeek side” of several load balancing approaches for Zeek clusters.

Namespace

LoadBalancing

Imports

base/frameworks/cluster, base/frameworks/packet-filter

Summary
Redefinable Options

LoadBalancing::method: LoadBalancing::Method &redef

Defines the method of load balancing to use.

Types

LoadBalancing::Method: enum

Redefinitions

Cluster::Node: record

New Fields

Cluster::Node

lb_filter: string &optional

A BPF filter for load balancing traffic sniffed on a single interface across a number of processes.

Detailed Interface
Redefinable Options
LoadBalancing::method
Type

LoadBalancing::Method

Attributes

&redef

Default

LoadBalancing::AUTO_BPF

Defines the method of load balancing to use.

Types
LoadBalancing::Method
Type

enum

LoadBalancing::AUTO_BPF

Apply a BPF filter to each worker so that the workers automatically split the traffic of a shared interface between them, each seeing a disjoint share of the flows.

policy/misc/loaded-scripts.zeek

LoadedScripts

Log the loaded scripts.

Namespace

LoadedScripts

Imports

base/utils/paths.zeek

Summary
Types

LoadedScripts::Info: record

Redefinitions

Log::ID: enum

Hooks

LoadedScripts::log_policy: Log::PolicyHook

Detailed Interface
Types
LoadedScripts::Info
Type

record

name: string &log

Name of the script loaded potentially with spaces included before the file name to indicate load depth. The convention is two spaces per level of depth.

Hooks
LoadedScripts::log_policy
Type

Log::PolicyHook

policy/misc/profiling.zeek

Profiling

Turns on profiling of Zeek resource consumption.

Namespace

Profiling

Summary
Redefinitions

expensive_profiling_multiple: count &redef

Set the expensive profiling interval (multiple of profiling_interval).

profiling_file: file &redef

Set the profiling output file.

profiling_interval: interval &redef

Set the cheap profiling interval.

Detailed Interface

policy/misc/scan.zeek

Scan

TCP Scan detection.

Namespace

Scan

Imports

base/frameworks/notice, base/frameworks/sumstats, base/utils/time.zeek

Summary
Redefinable Options

Scan::addr_scan_interval: interval &redef

Failed connection attempts are tracked over this time interval for the address scan detection.

Scan::addr_scan_threshold: double &redef

The threshold of the unique number of hosts a scanning host has to have failed connections with on a single port.

Scan::port_scan_interval: interval &redef

Failed connection attempts are tracked over this time interval for the port scan detection.

Scan::port_scan_threshold: double &redef

The threshold of the number of unique ports a scanning host has to have failed connections with on a single victim host.

Redefinitions

Notice::Type: enum

  • Scan::Address_Scan: Address scans detect that a host appears to be scanning some number of destinations on a single port.

  • Scan::Port_Scan: Port scans detect that an attacking host appears to be scanning a single victim host on several ports.

Hooks

Scan::addr_scan_policy: hook

Scan::port_scan_policy: hook

Detailed Interface
Redefinable Options
Scan::addr_scan_interval
Type

interval

Attributes

&redef

Default

5.0 mins

Failed connection attempts are tracked over this time interval for the address scan detection. A longer interval will detect slower scanners, but may also yield more false positives.

Scan::addr_scan_threshold
Type

double

Attributes

&redef

Default

25.0

The threshold of the unique number of hosts a scanning host has to have failed connections with on a single port.

Scan::port_scan_interval
Type

interval

Attributes

&redef

Default

5.0 mins

Failed connection attempts are tracked over this time interval for the port scan detection. A longer interval will detect slower scanners, but may also yield more false positives.

Scan::port_scan_threshold
Type

double

Attributes

&redef

Default

15.0

The threshold of the number of unique ports a scanning host has to have failed connections with on a single victim host.

Hooks
Scan::addr_scan_policy
Type

hook (scanner: addr, victim: addr, scanned_port: port) : bool

Scan::port_scan_policy
Type

hook (scanner: addr, victim: addr, scanned_port: port) : bool
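Tuning the detector and using both policy hooks, as an added example that is not part of Zeek's scan.zeek. The authorized scanner subnet, the ignored port and the ScanTuning module name are constructed for this example. The scan script consults each hook once per failed connection before recording it; a `break` makes the hook evaluate to false, so that connection is not counted against the scanner.

```zeek
# Added example, not Zeek's own code. Addresses and ports are constructed.
@load policy/misc/scan

module ScanTuning;

export {
	## Constructed: hosts that legitimately probe the network (vulnerability
	## scanners, monitoring). Their failed connections are never counted.
	const authorized_scanners: set[subnet] = {
		10.10.250.0/24,
	} &redef;

	## Constructed: a port whose failed connections are known noise (a
	## decommissioned internal service that clients still try) and should
	## not count towards address scans.
	const ignored_ports: set[port] = { 8443/tcp } &redef;
}

# Catch slower horizontal scans: widen the window, but raise the number of
# distinct victims required, since a longer window raises the false-positive
# rate on its own (see Scan::addr_scan_interval).
redef Scan::addr_scan_interval = 15min;
redef Scan::addr_scan_threshold = 50.0;

# Vertical scans: 10 distinct closed ports on one victim within the default
# 5 minute window is already unambiguous.
redef Scan::port_scan_threshold = 10.0;

# Called for every failed connection before it is observed for the
# address-scan measurement; `break` skips the observation.
hook Scan::addr_scan_policy(scanner: addr, victim: addr, scanned_port: port)
	{
	if ( scanner in authorized_scanners )
		break;

	if ( scanned_port in ignored_ports )
		break;
	}

# Same for the port-scan measurement. Authorized scanners are exempt here
# too; the ignored port is not, because one dead port says nothing about a
# host walking the port range of a single victim.
hook Scan::port_scan_policy(scanner: addr, victim: addr, scanned_port: port)
	{
	if ( scanner in authorized_scanners )
		break;
	}
```

The `addr in set[subnet]` test does longest-prefix matching, so the exemption covers the whole constructed /24 without listing individual hosts.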

policy/misc/stats.zeek

Stats

Log memory/packet/lag statistics.

Namespace

Stats

Imports

base/frameworks/notice

Summary
Runtime Options

Stats::report_interval: interval &redef

How often stats are reported.

Types

Stats::Info: record

Redefinitions

Log::ID: enum

Events

Stats::log_stats: event

Event to catch stats as they are written to the logging stream.

Hooks

Stats::log_policy: Log::PolicyHook

Detailed Interface
Runtime Options
Stats::report_interval
Type

interval

Attributes

&redef

Default

5.0 mins

How often stats are reported.

Types
Stats::Info
Type

record

ts: time &log

Timestamp for the measurement.

peer: string &log

Peer that generated this log. Mostly for clusters.

mem: count &log

Amount of memory currently in use in MB.

pkts_proc: count &log

Number of packets processed since the last stats interval.

bytes_recv: count &log

Number of bytes received since the last stats interval if reading live traffic.

pkts_dropped: count &log &optional

Number of packets dropped since the last stats interval if reading live traffic.

pkts_link: count &log &optional

Number of packets seen on the link since the last stats interval if reading live traffic.

pkt_lag: interval &log &optional

Lag between the wall clock and packet timestamps if reading live traffic.

events_proc: count &log

Number of events processed since the last stats interval.

events_queued: count &log

Number of events that have been queued since the last stats interval.

active_tcp_conns: count &log

TCP connections currently in memory.

active_udp_conns: count &log

UDP connections currently in memory.

active_icmp_conns: count &log

ICMP connections currently in memory.

tcp_conns: count &log

TCP connections seen since last stats interval.

udp_conns: count &log

UDP connections seen since last stats interval.

icmp_conns: count &log

ICMP connections seen since last stats interval.

timers: count &log

Number of timers scheduled since last stats interval.

active_timers: count &log

Current number of scheduled timers.

files: count &log

Number of files seen since last stats interval.

active_files: count &log

Current number of files actively being seen.

dns_requests: count &log

Number of DNS requests seen since last stats interval.

active_dns_requests: count &log

Current number of DNS requests awaiting a reply.

reassem_tcp_size: count &log

Current size of TCP data in reassembly.

reassem_file_size: count &log

Current size of File data in reassembly.

reassem_frag_size: count &log

Current size of packet fragment data in reassembly.

reassem_unknown_size: count &log

Current size of unknown data in reassembly (this is only PIA buffer right now).

Events
Stats::log_stats
Type

event (rec: Stats::Info)

Event to catch stats as they are written to the logging stream.

Hooks
Stats::log_policy
Type

Log::PolicyHook
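Turning the stats log into an operational alarm, as an added example that is not part of Zeek's stats.zeek. It handles Stats::log_stats as each record is written and raises a notice when a node drops too large a share of the packets seen on its link, or when packet timestamps fall behind the wall clock. The StatsWatch module, both notice names and the thresholds are constructed for this example.

```zeek
# Added example, not Zeek's own code. Module, notice names and thresholds
# are constructed.
@load base/frameworks/notice
@load policy/misc/stats

module StatsWatch;

export {
	redef enum Notice::Type += {
		## A node dropped more than `max_drop_fraction` of the packets seen
		## on its link during one Stats::report_interval.
		Packet_Drops,
		## Packet timestamps lag the wall clock by more than `max_lag`.
		Packet_Lag,
	};

	## Constructed: fraction (0..1) of link packets that may be dropped per
	## interval before a notice is raised.
	const max_drop_fraction = 0.01 &redef;

	## Constructed: tolerated gap between wall clock and packet timestamps.
	const max_lag = 10sec &redef;
}

# Report every minute instead of every 5 minutes so problems surface sooner.
redef Stats::report_interval = 1min;

event Stats::log_stats(rec: Stats::Info)
	{
	# pkts_dropped, pkts_link and pkt_lag are &optional: they are only
	# present when reading live traffic, never when replaying a pcap.
	if ( rec?$pkts_dropped && rec?$pkts_link && rec$pkts_link > 0 )
		{
		local dropped = rec$pkts_dropped + 0.0;   # promote count to double
		local frac = dropped / rec$pkts_link;

		if ( frac > max_drop_fraction )
			NOTICE([$note=Packet_Drops,
			        $msg=fmt("%s dropped %.2f%% of %d link packets (%d processed, %d MB in use)",
			                 rec$peer, 100.0 * frac, rec$pkts_link,
			                 rec$pkts_proc, rec$mem),
			        # Suppress repeats per node rather than raising one
			        # notice per interval while the condition persists.
			        $identifier=cat("drops", rec$peer)]);
		}

	if ( rec?$pkt_lag && rec$pkt_lag > max_lag )
		NOTICE([$note=Packet_Lag,
		        $msg=fmt("%s is %s behind the wall clock", rec$peer, rec$pkt_lag),
		        $identifier=cat("lag", rec$peer)]);
	}
```

In a cluster the handler runs on every node that writes stats records, and the peer field distinguishes which worker is dropping packets.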

policy/misc/weird-stats.zeek

SumStats
WeirdStats

Log weird statistics.

Namespaces

SumStats, WeirdStats

Imports

base/frameworks/cluster, base/frameworks/sumstats

Summary
Redefinable Options

WeirdStats::weird_stat_interval: interval &redef

How often stats are reported.

Types

WeirdStats::Info: record

Redefinitions

Log::ID: enum

Events

WeirdStats::log_weird_stats: event

Hooks

WeirdStats::log_policy: Log::PolicyHook

Detailed Interface
Redefinable Options
WeirdStats::weird_stat_interval
Type

interval

Attributes

&redef

Default

15.0 mins

How often stats are reported.

Types
WeirdStats::Info
Type

record

ts: time &log

Timestamp for the measurement.

name: string &log

Name of the weird.

num_seen: count &log

Number of times weird was seen since the last stats interval.

Events
WeirdStats::log_weird_stats
Type

event (rec: WeirdStats::Info)

Hooks
WeirdStats::log_policy
Type

Log::PolicyHook

policy/misc/trim-trace-file.zeek

TrimTraceFile

Deletes the -w tracefile at regular intervals and starts a new file from scratch.

Namespace

TrimTraceFile

Summary
Redefinable Options

TrimTraceFile::trim_interval: interval &redef

The interval between times that the output tracefile is rotated.

Events

TrimTraceFile::go: event

This event can be generated externally to this script if on-demand tracefile rotation is required. Caveat: the script doesn’t currently attempt to get back on schedule automatically, so the next trim likely won’t happen on the TrimTraceFile::trim_interval.

Detailed Interface
Redefinable Options
TrimTraceFile::trim_interval
Type

interval

Attributes

&redef

Default

10.0 mins

The interval between times that the output tracefile is rotated.

Events
TrimTraceFile::go
Type

event (first_trim: bool)

This event can be generated externally to this script if on-demand tracefile rotation is required. Caveat: the script doesn’t currently attempt to get back on schedule automatically, so the next trim likely won’t happen on the TrimTraceFile::trim_interval.

policy/misc/unknown-protocols.zeek

UnknownProtocol

This script logs information about packet protocols that Zeek doesn’t know how to process. Mostly these come from packet analysis plugins when they attempt to forward to the next analyzer, but they also can originate from non-packet analyzers.

Namespace

UnknownProtocol

Imports

base/frameworks/notice

Summary
Types

UnknownProtocol::Info: record

Redefinitions

Log::ID: enum

Hooks

UnknownProtocol::log_policy: Log::PolicyHook

Detailed Interface
Types
UnknownProtocol::Info
Type

record

ts: time &log

Timestamp for when the measurement occurred.

analyzer: string &log

The string name of the analyzer attempting to forward the protocol.

protocol_id: string &log

The identifier of the protocol being forwarded.

first_bytes: string &log

A certain number of bytes at the start of the unknown protocol’s header.

Hooks
UnknownProtocol::log_policy
Type

Log::PolicyHook

policy/protocols/conn/known-hosts.zeek

Known

This script logs hosts that Zeek determines have performed complete TCP handshakes and logs the address once per day (by default). The log that is output provides an easy way to determine a count of the IP addresses in use on a network per day.

Namespace

Known

Imports

base/frameworks/cluster, base/utils/directions-and-hosts.zeek

Summary
Runtime Options

Known::host_store_timeout: interval &redef

The timeout interval to use for operations against Known::host_store.

Known::host_tracking: Host &redef

The hosts whose existence should be logged and tracked.

Redefinable Options

Known::host_store_expiry: interval &redef

The expiry interval of new entries in Known::host_store.

Known::host_store_name: string &redef

The Broker topic name to use for Known::host_store.

Known::use_host_store: bool &redef

Toggles between different implementations of this script.

State Variables

Known::host_store: Cluster::StoreInfo

Holds the set of all known hosts.

Known::hosts: set &create_expire = 1.0 day &redef

The set of all known addresses to store for preventing duplicate logging of addresses.

Types

Known::HostsInfo: record

The record type which contains the column fields of the known-hosts log.

Redefinitions

Log::ID: enum

The known-hosts logging stream identifier.

Events

Known::log_known_hosts: event

An event that can be handled to access the Known::HostsInfo record as it is sent on to the logging framework.

Hooks

Known::log_policy_hosts: Log::PolicyHook

A default logging policy hook for the stream.

Detailed Interface
Runtime Options
Known::host_store_timeout
Type

interval

Attributes

&redef

Default

15.0 secs

The timeout interval to use for operations against Known::host_store.

Known::host_tracking
Type

Host

Attributes

&redef

Default

LOCAL_HOSTS

Redefinition

from policy/tuning/track-all-assets.zeek

=:

ALL_HOSTS

The hosts whose existence should be logged and tracked. See Host for possible choices.

Redefinable Options
Known::host_store_expiry
Type

interval

Attributes

&redef

Default

1.0 day

The expiry interval of new entries in Known::host_store. This also changes the interval at which hosts get logged.

Known::host_store_name
Type

string

Attributes

&redef

Default

"zeek/known/hosts"

The Broker topic name to use for Known::host_store.

Known::use_host_store
Type

bool

Attributes

&redef

Default

F

Toggles between different implementations of this script. When true, a Broker data store is used; otherwise a regular Zeek set is used, with keys uniformly distributed over proxy nodes in cluster operation.

State Variables
Known::host_store
Type

Cluster::StoreInfo

Default
{
   name=<uninitialized>
   store=<uninitialized>
   master_node=""
   master=F
   backend=Broker::MEMORY
   options=[sqlite=[path=""]]
   clone_resync_interval=10.0 secs
   clone_stale_interval=5.0 mins
   clone_mutation_buffer_interval=2.0 mins
}

Holds the set of all known hosts. Keys in the store are addresses and their associated value will always be the “true” boolean.

Known::hosts
Type

set [addr]

Attributes

&create_expire = 1.0 day &redef

Default

{}

The set of all known addresses to store for preventing duplicate logging of addresses. It can also be used from other scripts to inspect if an address has been seen in use. Maintain the list of known hosts for 24 hours so that the existence of each individual address is logged each day.

In cluster operation, this set is distributed uniformly across proxy nodes.

Types
Known::HostsInfo
Type

record

ts: time &log

The timestamp at which the host was detected.

host: addr &log

The address that was detected originating or responding to a TCP connection.

The record type which contains the column fields of the known-hosts log.

Events
Known::log_known_hosts
Type

event (rec: Known::HostsInfo)

An event that can be handled to access the Known::HostsInfo record as it is sent on to the logging framework.

Hooks
Known::log_policy_hosts
Type

Log::PolicyHook

A default logging policy hook for the stream.

policy/protocols/conn/known-services.zeek

Known

This script logs and tracks active services. For this script, an active service is an IP address and port of a server that either completed a TCP handshake (SYN+ACK observed), is assumed to have completed one in the past (Zeek started seeing packets mid-connection, but the server is actively sending data), or sent at least one UDP packet. If a protocol name is found or known for the service, it is logged as well, but services whose names can’t be determined are still logged.

Namespace

Known

Imports

base/frameworks/cluster, base/utils/directions-and-hosts.zeek

Summary
Runtime Options

Known::service_store_timeout: interval &redef

The timeout interval to use for operations against Known::service_store.

Known::service_tracking: Host &redef

The hosts whose services should be tracked and logged.

Known::service_udp_requires_response: bool &redef

Require UDP server to respond before considering it an “active service”.

Redefinable Options

Known::service_store_expiry: interval &redef

The expiry interval of new entries in Known::service_store.

Known::service_store_name: string &redef

The Broker topic name to use for Known::service_store.

Known::use_service_store: bool &redef

Toggles between different implementations of this script.

State Variables

Known::service_store: Cluster::StoreInfo

Holds the set of all known services.

Known::services: table &create_expire = 1.0 day

Tracks the set of daily-detected services for preventing the logging of duplicates, but can also be inspected by other scripts for different purposes.

Types

Known::AddrPortServTriplet: record

Known::ServicesInfo: record

The record type which contains the column fields of the known-services log.

Redefinitions

Log::ID: enum

The known-services logging stream identifier.

connection: record

New Fields

connection

known_services_done: bool &default = F &optional

Events

Known::log_known_services: event

Event that can be handled to access the Known::ServicesInfo record as it is sent on to the logging framework.

Hooks

Known::log_policy_services: Log::PolicyHook

A default logging policy hook for the stream.

Detailed Interface
Runtime Options
Known::service_store_timeout
Type

interval

Attributes

&redef

Default

15.0 secs

The timeout interval to use for operations against Known::service_store.

Known::service_tracking
Type

Host

Attributes

&redef

Default

LOCAL_HOSTS

Redefinition

from policy/tuning/track-all-assets.zeek

=:

ALL_HOSTS

The hosts whose services should be tracked and logged. See Host for possible choices.

Known::service_udp_requires_response
Type

bool

Attributes

&redef

Default

T

Require UDP server to respond before considering it an “active service”.

Redefinable Options
Known::service_store_expiry
Type

interval

Attributes

&redef

Default

1.0 day

The expiry interval of new entries in Known::service_store. This also changes the interval at which services get logged.

Known::service_store_name
Type

string

Attributes

&redef

Default

"zeek/known/services"

The Broker topic name to use for Known::service_store.

Known::use_service_store
Type

bool

Attributes

&redef

Default

F

Toggles between different implementations of this script. When true, a Broker data store is used; otherwise a regular Zeek table is used, with keys uniformly distributed over proxy nodes in cluster operation.

State Variables
Known::service_store
Type

Cluster::StoreInfo

Default
{
   name=<uninitialized>
   store=<uninitialized>
   master_node=""
   master=F
   backend=Broker::MEMORY
   options=[sqlite=[path=""]]
   clone_resync_interval=10.0 secs
   clone_stale_interval=5.0 mins
   clone_mutation_buffer_interval=2.0 mins
}

Holds the set of all known services. Keys in the store are Known::AddrPortServTriplet and their associated value is always the boolean value of “true”.

Known::services
Type

table [addr, port] of set [string]

Attributes

&create_expire = 1.0 day

Default

{}

Tracks the set of daily-detected services for preventing the logging of duplicates, but can also be inspected by other scripts for different purposes.

In cluster operation, this table is uniformly distributed across proxy nodes.

This table is automatically populated and shouldn’t be directly modified.

Types
Known::AddrPortServTriplet
Type

record

host: addr

p: port

serv: string

Known::ServicesInfo
Type

record

ts: time &log

The time at which the service was detected.

host: addr &log

The host address on which the service is running.

port_num: port &log

The port number on which the service is running.

port_proto: transport_proto &log

The transport-layer protocol which the service uses.

service: set [string] &log

A set of protocols that match the service’s connection payloads.

The record type which contains the column fields of the known-services log.

Events
Known::log_known_services
Type

event (rec: Known::ServicesInfo)

Event that can be handled to access the Known::ServicesInfo record as it is sent on to the logging framework.

Hooks
Known::log_policy_services
Type

Log::PolicyHook

A default logging policy hook for the stream.
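Comparing each newly logged service against an inventory of expected listeners, as an added example that is not part of Zeek's known-services.zeek. It handles Known::log_known_services to raise a notice for any listener that is not in the inventory, and uses the Known::log_policy_services hook to keep noisy entries out of the log. The ServiceInventory module, the inventory, the managed subnet and the notice name are constructed for this example.

```zeek
# Added example, not Zeek's own code. Inventory, subnet and notice name
# are constructed.
@load base/frameworks/notice
@load policy/protocols/conn/known-services

module ServiceInventory;

export {
	redef enum Notice::Type += {
		## A managed host answers on an address/port that is not in
		## `expected`. Because known-services re-logs a service once per
		## Known::service_store_expiry, this fires at most that often.
		Unexpected_Service,
	};

	## Constructed: the listeners that are supposed to exist.
	const expected: set[addr, port] = {
		[10.0.0.5, 443/tcp],
		[10.0.0.5, 22/tcp],
		[10.0.0.9, 53/udp],
	} &redef;

	## Constructed: hosts under inventory control. Other hosts are only
	## logged, not alerted on.
	const managed: set[subnet] = { 10.0.0.0/24 } &redef;
}

# Known::service_tracking defaults to LOCAL_HOSTS, which is empty until
# Site::local_nets is set. Constructed value.
redef Site::local_nets += { 10.0.0.0/24 };

# UDP "services" on ephemeral ports are usually the client side of a flow
# that Zeek happened to see first; treat them as noise everywhere below.
function ephemeral_udp(rec: Known::ServicesInfo): bool
	{
	return rec$port_proto == udp && port_to_count(rec$port_num) >= 49152;
	}

# Fires each time a Known::ServicesInfo record is handed to the logging
# framework, i.e. once per service per expiry interval.
event Known::log_known_services(rec: Known::ServicesInfo)
	{
	if ( rec$host !in managed || ephemeral_udp(rec) )
		return;

	if ( [rec$host, rec$port_num] in expected )
		return;

	NOTICE([$note=Unexpected_Service,
	        $msg=fmt("%s answers on %s, protocols seen: %s",
	                 rec$host, rec$port_num, rec$service),
	        $src=rec$host, $p=rec$port_num,
	        $identifier=cat(rec$host, rec$port_num)]);
	}

# The log policy hook runs before the record reaches the known_services
# log; `break` discards it. It controls only what is written, not whether
# the stream event above is generated, hence the same check in both places.
hook Known::log_policy_services(rec: Known::ServicesInfo, id: Log::ID,
                                filter: Log::Filter)
	{
	if ( ephemeral_udp(rec) )
		break;
	}
```

Keeping Known::service_udp_requires_response at its default of T already removes most one-sided UDP entries; the policy hook above handles the remainder without touching the detection itself.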

policy/protocols/conn/mac-logging.zeek

Conn

This script adds link-layer address (MAC) information to the connection logs

Namespace

Conn

Imports

base/protocols/conn

Summary
Redefinitions

Conn::Info: record

New Fields

Conn::Info

orig_l2_addr: string &log &optional

Link-layer address of the originator, if available.

resp_l2_addr: string &log &optional

Link-layer address of the responder, if available.

Detailed Interface

policy/protocols/conn/vlan-logging.zeek

Conn

This script adds VLAN information to the connection log.

Namespace

Conn

Imports

base/protocols/conn

Summary
Redefinitions

Conn::Info: record

New Fields

Conn::Info

vlan: int &log &optional

The outer VLAN for this connection, if applicable.

inner_vlan: int &log &optional

The inner VLAN for this connection, if applicable.

Detailed Interface

policy/protocols/conn/weirds.zeek

Conn

This script handles core generated connection related “weird” events to push weird information about connections into the weird framework. For live operational deployments, this can frequently cause load issues due to large numbers of these events and quite possibly shouldn’t be loaded.

Namespace

Conn

Imports

base/frameworks/notice

Summary
Redefinitions

Notice::Type: enum

Detailed Interface

policy/protocols/dhcp/msg-orig.zeek

DHCP

Add a field that logs the order of hosts sending messages using the same DHCP transaction ID. This information is occasionally needed on some networks to fully explain the DHCP sequence.

Namespace

DHCP

Imports

base/protocols/dhcp

Summary
Redefinitions

DHCP::Info: record

New Fields

DHCP::Info

msg_orig: vector of addr &log &default = [] &optional

The address that originated each message from the msg_types field.

Detailed Interface

policy/protocols/dhcp/software.zeek

DHCP

Software identification and extraction for DHCP traffic.

Namespace

DHCP

Imports

base/frameworks/software, base/protocols/dhcp

Summary
Redefinitions

DHCP::Info: record

New Fields

DHCP::Info

client_software: string &log &optional

Software reported by the client in the vendor_class option.

server_software: string &log &optional

Software reported by the server in the vendor_class option.

Software::Type: enum

  • DHCP::CLIENT: Identifier for DHCP clients in the software framework.

  • DHCP::SERVER: Identifier for DHCP servers in the software framework.

Detailed Interface

policy/protocols/dhcp/sub-opts.zeek

DHCP
Namespace

DHCP

Imports

base/protocols/dhcp

Summary
Redefinitions

DHCP::Info: record

New Fields

DHCP::Info

circuit_id: string &log &optional

Added by DHCP relay agents which terminate switched or permanent circuits.

agent_remote_id: string &log &optional

A globally unique identifier added by relay agents to identify the remote host end of the circuit.

subscriber_id: string &log &optional

The subscriber ID is a value independent of the physical network configuration so that a customer’s DHCP configuration can be given to them correctly no matter where they are physically connected.

Detailed Interface

policy/protocols/dns/auth-addl.zeek

DNS

This script adds authoritative and additional responses for the current query to the DNS log. It can cause severe overhead due to the need for all authoritative and additional responses to have events generated. This script is not recommended for use on heavily loaded links.

Namespace

DNS

Imports

base/protocols/dns/main.zeek

Summary
Redefinitions

DNS::Info: record

New Fields

DNS::Info

auth: set [string] &log &optional

Authoritative responses for the query.

addl: set [string] &log &optional

Additional responses for the query.

dns_skip_all_addl: bool &redef

dns_skip_all_auth: bool &redef

Detailed Interface

policy/protocols/dns/detect-external-names.zeek

DNS

This script detects names which are not within zones considered to be local but resolving to addresses considered local. The Site::local_zones variable must be set appropriately for this detection.

Namespace

DNS

Imports

base/frameworks/notice, base/utils/site.zeek

Summary
Redefinitions

Notice::Type: enum

  • DNS::External_Name: Raised when a non-local name is found to be pointing at a local host.

Detailed Interface

policy/protocols/dns/log-original-query-case.zeek

DNS

This script adds the query with its original letter casing to the DNS log.

Namespace

DNS

Imports

base/protocols/dns/main.zeek

Summary
Redefinitions

DNS::Info: record

New Fields

DNS::Info

original_query: string &log &optional

Query with original letter casing

Detailed Interface

policy/protocols/ftp/detect-bruteforcing.zeek

FTP

FTP brute-forcing detector, triggering when too many rejected usernames or failed passwords have occurred from a single address.

Namespace

FTP

Imports

base/frameworks/sumstats, base/protocols/ftp, base/utils/time.zeek

Summary
Redefinable Options

FTP::bruteforce_measurement_interval: interval &redef

The time period in which the threshold needs to be crossed before being reset.

FTP::bruteforce_threshold: double &redef

How many rejected usernames or failed passwords are required before a host is considered to be bruteforcing.

Redefinitions

Notice::Type: enum

  • FTP::Bruteforcing: Indicates a host bruteforcing FTP logins by watching for too many rejected usernames or failed passwords.

Detailed Interface
Redefinable Options
FTP::bruteforce_measurement_interval
Type

interval

Attributes

&redef

Default

15.0 mins

The time period in which the threshold needs to be crossed before being reset.

FTP::bruteforce_threshold
Type

double

Attributes

&redef

Default

20.0

How many rejected usernames or failed passwords are required before a host is considered to be bruteforcing.

policy/protocols/ftp/detect.zeek

FTP

Detect various potentially bad FTP activities.

Namespace

FTP

Imports

base/frameworks/notice, base/protocols/ftp

Summary
Redefinitions

Notice::Type: enum

  • FTP::Site_Exec_Success: Indicates that a successful response to a “SITE EXEC” command/arg pair was seen.

Detailed Interface

policy/protocols/ftp/software.zeek

FTP

Software detection with the FTP protocol.

Namespace

FTP

Imports

base/frameworks/software

Summary
Redefinitions

Software::Type: enum

Detailed Interface

policy/protocols/http/detect-sqli.zeek

HTTP

SQL injection attack detection in HTTP.

Namespace

HTTP

Imports

base/frameworks/notice, base/frameworks/sumstats, base/protocols/http

Summary
Redefinable Options

HTTP::collect_SQLi_samples: count &redef

Collecting samples adds extra data to notice emails by including some sample SQL injection URL paths.

HTTP::match_sql_injection_uri: pattern &redef

Regular expression used to match URI-based SQL injections.

HTTP::sqli_requests_interval: interval &redef

Interval over which requests that look like SQL injection are counted towards HTTP::sqli_requests_threshold.

HTTP::sqli_requests_threshold: double &redef

Defines the threshold that determines if an SQL injection attack is ongoing based on the number of requests that appear to be SQL injection attacks.

Redefinitions

HTTP::Tags: enum

Notice::Type: enum

Hooks

HTTP::sqli_policy: hook

A hook that can be used to prevent specific requests from being counted as an injection attempt.

Detailed Interface
Redefinable Options
HTTP::collect_SQLi_samples
Type

count

Attributes

&redef

Default

5

Collecting samples adds extra data to notice emails by including some sample SQL injection URL paths. Disable sample collection by setting this value to 0.

HTTP::match_sql_injection_uri
Type

pattern

Attributes

&redef

Default
/^?((^?((^?((^?((^?((^?([\?&][^[:blank:]\x00-\x1f\|]+?=[\-[:alnum:]%]+([[:blank:]\x00-\x1f]|\/\*.*?\*\/)*['"]?([[:blank:]\x00-\x1f]|\/\*.*?\*\/|\)?;)+.*?([hH][aA][vV][iI][nN][gG]|[uU][nN][iI][oO][nN]|[eE][xX][eE][cC]|[sS][eE][lL][eE][cC][tT]|[dD][eE][lL][eE][tT][eE]|[dD][rR][oO][pP]|[dD][eE][cC][lL][aA][rR][eE]|[cC][rR][eE][aA][tT][eE]|[iI][nN][sS][eE][rR][tT])([[:blank:]\x00-\x1f]|\/\*.*?\*\/)+)$?)|(^?([\?&][^[:blank:]\x00-\x1f\|]+?=[\-0-9%]+([[:blank:]\x00-\x1f]|\/\*.*?\*\/)*['"]?([[:blank:]\x00-\x1f]|\/\*.*?\*\/|\)?;)+([xX]?[oO][rR]|[nN]?[aA][nN][dD])([[:blank:]\x00-\x1f]|\/\*.*?\*\/)+['"]?(([^a-zA-Z&]+)?=|[eE][xX][iI][sS][tT][sS]))$?))$?)|(^?([\?&][^[:blank:]\x00-\x1f]+?=[\-0-9%]*([[:blank:]\x00-\x1f]|\/\*.*?\*\/)*['"]([[:blank:]\x00-\x1f]|\/\*.*?\*\/)*(-|=|\+|\|\|)([[:blank:]\x00-\x1f]|\/\*.*?\*\/)*([0-9]|\(?[cC][oO][nN][vV][eE][rR][tT]|[cC][aA][sS][tT]))$?))$?)|(^?([\?&][^[:blank:]\x00-\x1f\|]+?=([[:blank:]\x00-\x1f]|\/\*.*?\*\/)*['"]([[:blank:]\x00-\x1f]|\/\*.*?\*\/|;)*([xX]?[oO][rR]|[nN]?[aA][nN][dD]|[hH][aA][vV][iI][nN][gG]|[uU][nN][iI][oO][nN]|[eE][xX][eE][cC]|[sS][eE][lL][eE][cC][tT]|[dD][eE][lL][eE][tT][eE]|[dD][rR][oO][pP]|[dD][eE][cC][lL][aA][rR][eE]|[cC][rR][eE][aA][tT][eE]|[rR][eE][gG][eE][xX][pP]|[iI][nN][sS][eE][rR][tT])([[:blank:]\x00-\x1f]|\/\*.*?\*\/|[\[(])+[a-zA-Z&]{2,})$?))$?)|(^?([\?&][^[:blank:]\x00-\x1f]+?=[^\.]*?([cC][hH][aA][rR]|[aA][sS][cC][iI][iI]|[sS][uU][bB][sS][tT][rR][iI][nN][gG]|[tT][rR][uU][nN][cC][aA][tT][eE]|[vV][eE][rR][sS][iI][oO][nN]|[lL][eE][nN][gG][tT][hH])\()$?))$?)|(^?(\/\*![[:digit:]]{5}.*?\*\/)$?))$?/

Regular expression used to match URI-based SQL injections.

HTTP::sqli_requests_interval
Type

interval

Attributes

&redef

Default

5.0 mins

Interval over which requests that look like SQL injection are counted towards HTTP::sqli_requests_threshold. At the end of each interval the counter is reset.

HTTP::sqli_requests_threshold
Type

double

Attributes

&redef

Default

50.0

Defines the threshold that determines if an SQL injection attack is ongoing based on the number of requests that appear to be SQL injection attacks.

Hooks
HTTP::sqli_policy
Type

hook (c: connection, method: string, unescaped_URI: string) : bool

A hook that can be used to prevent specific requests from being counted as an injection attempt. Use a ‘break’ statement to exit the hook early and ignore the request.
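Exempting requests that legitimately look like SQL injection, as an added example that is not part of Zeek's detect-sqli.zeek. The hook is only consulted for requests whose unescaped URI already matched HTTP::match_sql_injection_uri, so it is the place to whitelist rather than the pattern itself. The SqliTuning module, the scanner subnet and the reporting endpoint are constructed; Site::is_local_addr is the site utility function from base/utils/site.zeek and requires Site::local_nets to be configured.

```zeek
# Added example, not Zeek's own code. Module, subnet and path are
# constructed.
@load policy/protocols/http/detect-sqli

module SqliTuning;

export {
	## Constructed: authorized DAST scanners whose payloads must not raise
	## SQL injection notices against either the scanner or its targets.
	const scanner_hosts: set[subnet] = { 192.0.2.0/28 } &redef;

	## Constructed: an internal reporting endpoint that accepts a `query=`
	## parameter containing real SQL and therefore trips
	## HTTP::match_sql_injection_uri on every call.
	const sql_console_path = /^\/internal\/reports\/run\?/ &redef;
}

# With the exemptions below removing the known false positives, a lower
# threshold is affordable: 20 matching requests in 5 minutes.
redef HTTP::sqli_requests_threshold = 20.0;

# Keep three offending URIs in the notice for triage (0 disables sampling).
redef HTTP::collect_SQLi_samples = 3;

# Runs for every request whose URI matched the injection pattern; `break`
# stops the request from being counted or tagged.
hook HTTP::sqli_policy(c: connection, method: string, unescaped_URI: string)
	{
	# Authorized scanners: count nothing they send.
	if ( c$id$orig_h in scanner_hosts )
		break;

	# The SQL console takes SQL by design, but only exempt callers from
	# inside the site so an external attacker probing the same path is
	# still counted.
	if ( sql_console_path in unescaped_URI && Site::is_local_addr(c$id$orig_h) )
		break;
	}
```

Restricting the path exemption to local sources matters: a blanket exemption on the path would also hide an outside attacker who found the console.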

policy/protocols/http/detect-webapps.zeek

HTTP

Detect and log web applications through the software framework.

Namespace

HTTP

Imports

base/frameworks/signatures, base/frameworks/software, base/protocols/http

Summary
Redefinitions

Signatures::ignored_ids: pattern &redef

Software::Info: record

New Fields

Software::Info

url: string &optional &log

The URL closest to the site root at which the software was discovered.

Software::Type: enum

Detailed Interface

policy/protocols/http/header-names.zeek

HTTP

Extract and include the header names used for each request in the HTTP logging stream. The headers in the logging stream will be stored in the same order which they were seen on the wire.

Namespace

HTTP

Imports

base/protocols/http/main.zeek

Summary
Runtime Options

HTTP::log_client_header_names: bool &redef

A boolean value to determine if client header names are to be logged.

HTTP::log_server_header_names: bool &redef

A boolean value to determine if server header names are to be logged.

Redefinitions

HTTP::Info: record

New Fields

HTTP::Info

client_header_names: vector of string &log &optional

The vector of HTTP header names sent by the client.

server_header_names: vector of string &log &optional

The vector of HTTP header names sent by the server.

Detailed Interface
Runtime Options
HTTP::log_client_header_names
Type

bool

Attributes

&redef

Default

T

A boolean value to determine if client header names are to be logged.

HTTP::log_server_header_names
Type

bool

Attributes

&redef

Default

F

A boolean value to determine if server header names are to be logged.

policy/protocols/http/software-browser-plugins.zeek

HTTP

Detect browser plugins as they leak through requests to Omniture advertising servers.

Namespace

HTTP

Imports

base/frameworks/software, base/protocols/http

Summary
Redefinitions

HTTP::Info: record

New Fields

HTTP::Info

omniture: bool &default = F &optional

Indicates if the server is an omniture advertising server.

flash_version: string &optional

The unparsed Flash version, if detected.

Software::Type: enum

Detailed Interface

policy/protocols/http/software.zeek

HTTP

Software identification and extraction for HTTP traffic.

Namespace

HTTP

Imports

base/frameworks/software

Summary
Runtime Options

HTTP::ignored_user_agents: pattern &redef

The pattern of HTTP User-Agents which you would like to ignore.

Redefinitions

Software::Type: enum

  • HTTP::APPSERVER: Identifier for app servers in the software framework.

  • HTTP::BROWSER: Identifier for web browsers in the software framework.

  • HTTP::SERVER: Identifier for web servers in the software framework.

Detailed Interface
Runtime Options
HTTP::ignored_user_agents
Type

pattern

Attributes

&redef

Default
/^?(NO_DEFAULT)$?/

The pattern of HTTP User-Agents which you would like to ignore.

policy/protocols/http/var-extraction-cookies.zeek

HTTP

Extracts and logs variable names from cookies sent by clients.

Namespace

HTTP

Imports

base/protocols/http/main.zeek, base/protocols/http/utils.zeek

Summary
Redefinitions

HTTP::Info: record

New Fields

HTTP::Info

cookie_vars: vector of string &optional &log

Variable names extracted from all cookies.

Detailed Interface

policy/protocols/http/var-extraction-uri.zeek

HTTP

Extracts and logs variables from the requested URI in the default HTTP logging stream.

Namespace

HTTP

Imports

base/protocols/http

Summary
Redefinitions

HTTP::Info: record

New Fields

HTTP::Info

uri_vars: vector of string &optional &log

Variable names from the URI.

Detailed Interface

policy/protocols/krb/ticket-logging.zeek

KRB

Add Kerberos ticket hashes to the krb.log

Namespace

KRB

Imports

base/protocols/krb

Summary
Redefinitions

KRB::Info: record

New Fields

KRB::Info

auth_ticket: string &log &optional

Hash of ticket used to authorize request/transaction

new_ticket: string &log &optional

Hash of ticket returned by the KDC

Detailed Interface

policy/protocols/modbus/known-masters-slaves.zeek

Known

Script for tracking known Modbus masters and slaves.

Todo

This script needs a lot of work. What might be more interesting is to track master/slave relationships based on commands sent and successful (non-exception) responses.

Namespace

Known

Imports

base/protocols/modbus

Summary
State Variables

Known::modbus_nodes: set &create_expire = 1.0 day &redef

The Modbus nodes being tracked.

Types

Known::ModbusDeviceType: enum

Known::ModbusInfo: record

Redefinitions

Log::ID: enum

Events

Known::log_known_modbus: event

Event that can be handled to access the loggable record as it is sent on to the logging framework.

Hooks

Known::log_policy_modbus: Log::PolicyHook

Detailed Interface
State Variables
Known::modbus_nodes
Type

set [addr, Known::ModbusDeviceType]

Attributes

&create_expire = 1.0 day &redef

Default

{}

The Modbus nodes being tracked.

Types
Known::ModbusDeviceType
Type

enum

Known::MODBUS_MASTER
Known::MODBUS_SLAVE
Known::ModbusInfo
Type

record

ts: time &log

The time the device was discovered.

host: addr &log

The IP address of the host.

device_type: Known::ModbusDeviceType &log

The type of device being tracked.

Events
Known::log_known_modbus
Type

event (rec: Known::ModbusInfo)

Event that can be handled to access the loggable record as it is sent on to the logging framework.

Hooks
Known::log_policy_modbus
Type

Log::PolicyHook

policy/protocols/modbus/track-memmap.zeek

Modbus

This script tracks the memory map of holding (read/write) registers and logs changes as they are discovered.

Todo

Not all register read and write functions are supported yet.

Namespace

Modbus

Imports

base/protocols/modbus, base/utils/directions-and-hosts.zeek

Summary
Runtime Options

Modbus::track_memmap: Host &redef

The hosts that should have memory mapping enabled.

State Variables

Modbus::device_registers: table

The memory map of slaves is tracked with this variable.

Types

Modbus::MemmapInfo: record

Modbus::RegisterValue: record

Modbus::Registers: table

Indexed on the device register (memory offset) and yielding the register value.

Redefinitions

Log::ID: enum

Modbus::Info: record

New Fields

Modbus::Info

track_address: count &default = 0 &optional

Events

Modbus::changed_register: event

This event is generated every time a register's value differs from the value previously observed for it.

Hooks

Modbus::log_policy_register_change: Log::PolicyHook

Detailed Interface
Runtime Options
Modbus::track_memmap
Type

Host

Attributes

&redef

Default

ALL_HOSTS

The hosts that should have memory mapping enabled.

State Variables
Modbus::device_registers
Type

table [addr] of Modbus::Registers

Default

{}

The memory map of slaves is tracked with this variable.

Types
Modbus::MemmapInfo
Type

record

ts: time &log

Timestamp for the detected register change.

uid: string &log

Unique ID for the connection.

id: conn_id &log

Connection ID.

register: count &log

The device memory offset.

old_val: count &log

The old value stored in the register.

new_val: count &log

The new value stored in the register.

delta: interval &log

The time delta between when the old_val and new_val were seen.

Modbus::RegisterValue
Type

record

last_set: time

value: count

Modbus::Registers
Type

table [count] of Modbus::RegisterValue

Indexed on the device register (memory offset) and yielding the register value.

Events
Modbus::changed_register
Type

event (c: connection, register: count, old_val: count, new_val: count, delta: interval)

This event is generated every time a register's value differs from the value previously observed for it.

Hooks
Modbus::log_policy_register_change
Type

Log::PolicyHook

policy/protocols/mqtt/__load__.zeek

Imports

policy/protocols/mqtt/main.zeek

Summary
Detailed Interface

policy/protocols/mqtt/main.zeek

MQTT

Implements base functionality for MQTT (v3.1.1) analysis. Generates the mqtt.log file.

Namespace

MQTT

Imports

base/protocols/mqtt/consts.zeek

Summary
Types

MQTT::ConnectInfo: record

MQTT::PublishInfo: record

MQTT::State: record

Data structure to track pub/sub messaging state of a given connection.

MQTT::SubUnsub: enum &redef

MQTT::SubscribeInfo: record

Redefinitions

Log::ID: enum

connection: record

New Fields

connection

mqtt: MQTT::ConnectInfo &optional

mqtt_state: MQTT::State &optional

likely_server_ports: set &redef

Events

MQTT::log_mqtt: event

Event that can be handled to access the MQTT record as it is sent on to the logging framework.

Hooks

MQTT::log_policy_connect: Log::PolicyHook

MQTT::log_policy_publish: Log::PolicyHook

MQTT::log_policy_subscribe: Log::PolicyHook

Functions

MQTT::publish_expire: function

The expiration function for published messages that haven’t been logged yet simply causes the message to be logged.

MQTT::subscribe_expire: function

The expiration function for subscription messages that haven’t been logged yet simply causes the message to be logged.

Detailed Interface
Types
MQTT::ConnectInfo
Type

record

ts: time &log

Timestamp for when the event happened

uid: string &log

Unique ID for the connection

id: conn_id &log

The connection’s 4-tuple of endpoint addresses/ports

proto_name: string &log &optional

Indicates the protocol name

proto_version: string &log &optional

The version of the protocol in use

client_id: string &log &optional

Unique identifier for the client

connect_status: string &log &optional

Status message from the server in response to the connect request

will_topic: string &log &optional

Topic to publish a “last will and testament” message to

will_payload: string &log &optional

Payload to publish as a “last will and testament”

MQTT::PublishInfo
Type

record

ts: time &log

Timestamp for when the publish message started

uid: string &log

UID for the connection

id: conn_id &log

ID fields for the connection

from_client: bool &log

Indicates if the message was published by the client of this connection or published to the client.

retain: bool &log

Indicates if the message was to be retained by the server

qos: string &log

QoS level set for the message

status: string &log &default = "incomplete_qos" &optional

Status of the published message. This will be set to “incomplete_qos” if the full back and forth for the requested level of QoS was not seen. Otherwise if it’s successful the field will be “ok”.

topic: string &log

Topic the message was published to

payload: string &log

Payload of the message

payload_len: count &log

The actual length of the payload in the case the payload field’s contents were truncated according to MQTT::max_payload_size.

ack: bool &default = F &optional

Track if the message was acked

rec: bool &default = F &optional

Indicates if the server sent the RECEIVED qos message

rel: bool &default = F &optional

Indicates if the client sent the RELEASE qos message

comp: bool &default = F &optional

Indicates if the server sent the COMPLETE qos message

qos_level: count &default = 0 &optional

Internally used for comparing numeric qos level

MQTT::State
Type

record

publish: table [count] of MQTT::PublishInfo &optional &write_expire = 5.0 secs &expire_func = MQTT::publish_expire

Published messages that haven’t been logged yet.

subscribe: table [count] of MQTT::SubscribeInfo &optional &write_expire = 5.0 secs &expire_func = MQTT::subscribe_expire

Subscription/unsubscription messages that haven’t been ACK’d or logged yet.

Data structure to track pub/sub messaging state of a given connection.

MQTT::SubUnsub
Type

enum

MQTT::SUBSCRIBE
MQTT::UNSUBSCRIBE
Attributes

&redef

MQTT::SubscribeInfo
Type

record

ts: time &log

Timestamp for when the subscribe or unsubscribe request started

uid: string &log

UID for the connection

id: conn_id &log

ID fields for the connection

action: MQTT::SubUnsub &log

Indicates if a subscribe or unsubscribe action is taking place

topics: string_vec &log

The topics (or topic patterns) being subscribed to

qos_levels: index_vec &log &optional

QoS levels requested for messages from subscribed topics

granted_qos_level: count &log &optional

QoS level the server granted

ack: bool &log &default = F &optional

Indicates if the request was acked by the server

Events
MQTT::log_mqtt
Type

event (rec: MQTT::ConnectInfo)

Event that can be handled to access the MQTT record as it is sent on to the logging framework.

Hooks
MQTT::log_policy_connect
Type

Log::PolicyHook

MQTT::log_policy_publish
Type

Log::PolicyHook

MQTT::log_policy_subscribe
Type

Log::PolicyHook

Functions
MQTT::publish_expire
Type

function (tbl: table [count] of MQTT::PublishInfo, idx: count) : interval

The expiration function for published messages that haven’t been logged yet simply causes the message to be logged.

MQTT::subscribe_expire
Type

function (tbl: table [count] of MQTT::SubscribeInfo, idx: count) : interval

The expiration function for subscription messages that haven’t been logged yet simply causes the message to be logged.

policy/protocols/mysql/software.zeek

MySQL

Software identification and extraction for MySQL traffic.

Namespace

MySQL

Imports

base/frameworks/software

Summary
Redefinitions

Software::Type: enum

  • MySQL::SERVER: Identifier for MySQL servers in the software framework.

Detailed Interface

policy/protocols/rdp/indicate_ssl.zeek

RDP

If an RDP session is “upgraded” to SSL, this script indicates that in a new field added to the RDP log.

Namespace

RDP

Imports

base/protocols/rdp, base/protocols/ssl

Summary
Redefinitions

RDP::Info: record

New Fields

RDP::Info

ssl: bool &log &default = F &optional

Flag the connection if it was seen over SSL.

Detailed Interface

policy/protocols/smb/log-cmds.zeek

SMB

Load this script to generate an SMB command log, smb_cmd.log. This is primarily useful for debugging.

Namespace

SMB

Imports

base/protocols/smb

Summary
Runtime Options

SMB::ignored_command_statuses: set &redef

The server response statuses which are not logged.

Redefinitions

Log::ID: enum

Hooks

SMB::log_policy: Log::PolicyHook

Detailed Interface
Runtime Options
SMB::ignored_command_statuses
Type

set [string]

Attributes

&redef

Default
{
   "MORE_PROCESSING_REQUIRED"
}

The server response statuses which are not logged.

Hooks
SMB::log_policy
Type

Log::PolicyHook

policy/protocols/smtp/blocklists.zeek

SMTP

Watch for various SPAM blocklist URLs in SMTP error messages.

Namespace

SMTP

Imports

base/frameworks/notice, base/protocols/smtp

Summary
Runtime Options

SMTP::blocklist_error_messages: pattern &redef

Redefinitions

Notice::Type: enum

Detailed Interface
Runtime Options
SMTP::blocklist_error_messages
Type

pattern

Attributes

&redef

Default
/^?((^?((^?((^?((^?((^?((^?((^?((^?((^?((^?((^?((^?((^?((^?(spamhaus\.org\/)$?)|(^?(sophos\.com\/security\/)$?))$?)|(^?(spamcop\.net\/bl)$?))$?)|(^?(cbl\.abuseat\.org\/)$?))$?)|(^?(sorbs\.net\/)$?))$?)|(^?(bsn\.borderware\.com\/)$?))$?)|(^?(mail-abuse\.com\/)$?))$?)|(^?(b\.barracudacentral\.com\/)$?))$?)|(^?(psbl\.surriel\.com\/)$?))$?)|(^?(antispam\.imp\.ch\/)$?))$?)|(^?(dyndns\.com\/.*spam)$?))$?)|(^?(rbl\.knology\.net\/)$?))$?)|(^?(intercept\.datapacket\.net\/)$?))$?)|(^?(uceprotect\.net\/)$?))$?)|(^?(hostkarma\.junkemailfilter\.com\/)$?))$?/

policy/protocols/smtp/detect-suspicious-orig.zeek

SMTP
Namespace

SMTP

Imports

base/frameworks/notice/main.zeek, base/protocols/smtp/main.zeek

Summary
Runtime Options

SMTP::suspicious_origination_countries: set &redef

Places where it’s suspicious for mail to originate from, represented as all-capital, two-character country codes (e.g., US).

SMTP::suspicious_origination_networks: set &redef

Redefinitions

Notice::Type: enum

Detailed Interface
Runtime Options
SMTP::suspicious_origination_countries
Type

set [string]

Attributes

&redef

Default

{}

Places where it’s suspicious for mail to originate from, represented as all-capital, two-character country codes (e.g., US). It requires Zeek to be built with GeoIP support.

SMTP::suspicious_origination_networks
Type

set [subnet]

Attributes

&redef

Default

{}

policy/protocols/smtp/entities-excerpt.zeek

SMTP

This script is for optionally adding a body excerpt to the SMTP entities log.

Namespace

SMTP

Imports

base/protocols/smtp/entities.zeek

Summary
Runtime Options

SMTP::default_entity_excerpt_len: count &redef

This is the default value for how much of the entity body should be included for all MIME entities.

Redefinitions

SMTP::Entity: record

New Fields

SMTP::Entity

excerpt: string &log &default = "" &optional

The entity body excerpt.

Detailed Interface
Runtime Options
SMTP::default_entity_excerpt_len
Type

count

Attributes

&redef

Default

0

This is the default value for how much of the entity body should be included for all MIME entities. The lesser of this value and default_file_bof_buffer_size will be used.

policy/protocols/smtp/software.zeek

SMTP

This script feeds software detected through email into the software framework. Mail clients and webmail interfaces are the only things currently detected.

TODO:

  • Find some heuristic to determine if email was sent through a MS Exchange webmail interface as opposed to a desktop client.

Namespace

SMTP

Imports

base/frameworks/software/main.zeek, base/protocols/smtp/main.zeek

Summary
Runtime Options

SMTP::detect_clients_in_messages_from: Host &redef

Assuming that local mail servers are more trustworthy with the headers they insert into message envelopes, this default makes Zeek not attempt to detect software in inbound message bodies.

SMTP::webmail_user_agents: pattern &redef

A regular expression to match USER-AGENT-like headers to find if a message was sent with a webmail interface.

Redefinitions

SMTP::Info: record

New Fields

SMTP::Info

is_webmail: bool &log &default = F &optional

Boolean indicator of if the message was sent through a webmail interface.

Software::Type: enum

Detailed Interface
Runtime Options
SMTP::detect_clients_in_messages_from
Type

Host

Attributes

&redef

Default

LOCAL_HOSTS

Assuming that local mail servers are more trustworthy with the headers they insert into message envelopes, this default makes Zeek not attempt to detect software in inbound message bodies. If mail coming in from external addresses gives incorrect data in the Received headers, it could populate your SOFTWARE logging stream with incorrect data. If you would like to detect mail clients for incoming messages (network traffic originating from a non-local address), set this variable to EXTERNAL_HOSTS or ALL_HOSTS.

SMTP::webmail_user_agents
Type

pattern

Attributes

&redef

Default
/^?((^?((^?((^?((^?((^?(^iPlanet Messenger)$?)|(^?(^Sun Java\(tm\) System Messenger Express)$?))$?)|(^?(\(IMP\))$?))$?)|(^?(^SquirrelMail)$?))$?)|(^?(^NeoMail)$?))$?)|(^?(ZimbraWebClient)$?))$?/

A regular expression to match USER-AGENT-like headers to find if a message was sent with a webmail interface.

policy/protocols/ssh/detect-bruteforcing.zeek

SSH

Detect hosts which are doing password guessing attacks and/or password bruteforcing over SSH.

Namespace

SSH

Imports

base/frameworks/intel, base/frameworks/notice, base/frameworks/sumstats, base/protocols/ssh

Summary
Redefinable Options

SSH::guessing_timeout: interval &redef

The amount of time to remember presumed non-successful logins to build a model of a password guesser.

SSH::ignore_guessers: table &redef

This value can be used to exclude hosts or entire networks from being tracked as potential “guessers”.

SSH::password_guesses_limit: double &redef

The number of failed SSH connections before a host is designated as guessing passwords.

Redefinitions

Intel::Where: enum

Notice::Type: enum

Detailed Interface
Redefinable Options
SSH::guessing_timeout
Type

interval

Attributes

&redef

Default

30.0 mins

The amount of time to remember presumed non-successful logins to build a model of a password guesser.

SSH::ignore_guessers
Type

table [subnet] of subnet

Attributes

&redef

Default

{}

This value can be used to exclude hosts or entire networks from being tracked as potential “guessers”. The index represents client subnets and the yield value represents server subnets.

SSH::password_guesses_limit
Type

double

Attributes

&redef

Default

30.0

The number of failed SSH connections before a host is designated as guessing passwords.

policy/protocols/ssh/geo-data.zeek

SSH

Geodata based detections for SSH analysis.

Namespace

SSH

Imports

base/frameworks/notice, base/protocols/ssh

Summary
Runtime Options

SSH::watched_countries: set &redef

The set of countries for which you’d like to generate notices upon successful login.

Redefinitions

Notice::Type: enum

SSH::Info: record

New Fields

SSH::Info

remote_location: geo_location &log &optional

Add geographic data related to the “remote” host of the connection.

Detailed Interface
Runtime Options
SSH::watched_countries
Type

set [string]

Attributes

&redef

Default
{
   "RO"
}

The set of countries for which you’d like to generate notices upon successful login.

policy/protocols/ssh/interesting-hostnames.zeek

SSH

This script will generate a notice if an apparent SSH login originates or heads to a host with a reverse hostname that looks suspicious. By default, the regular expression to match “interesting” hostnames includes names that are typically used for infrastructure hosts like nameservers, mail servers, web servers and ftp servers.

Namespace

SSH

Imports

base/frameworks/notice

Summary
Runtime Options

SSH::interesting_hostnames: pattern &redef

Strange/bad host names to see successful SSH logins from or to.

Redefinitions

Notice::Type: enum

Detailed Interface
Runtime Options
SSH::interesting_hostnames
Type

pattern

Attributes

&redef

Default
/^?((^?((^?((^?((^?((^?((^?(^d?ns[0-9]*\.)$?)|(^?(^smtp[0-9]*\.)$?))$?)|(^?(^mail[0-9]*\.)$?))$?)|(^?(^pop[0-9]*\.)$?))$?)|(^?(^imap[0-9]*\.)$?))$?)|(^?(^www[0-9]*\.)$?))$?)|(^?(^ftp[0-9]*\.)$?))$?/

Strange/bad host names to see successful SSH logins from or to.

policy/protocols/ssh/software.zeek

SSH

Extracts SSH client and server information from SSH connections and forwards it to the software framework.

Namespace

SSH

Imports

base/frameworks/software

Summary
Redefinitions

Software::Type: enum

  • SSH::CLIENT: Identifier for SSH servers in the software framework.

  • SSH::SERVER: Identifier for SSH clients in the software framework.

Detailed Interface

policy/protocols/ssl/decryption.zeek

SSL

This script allows for the decryption of certain TLS 1.2 connections, if the user is in possession of the private key material for the session. Key material can either be provided via a file (useful for processing trace files) or via sending events via Broker (for live decoding).

Please note that this feature is experimental and can change without following our typical deprecation timeline. Please also note that currently only TLS 1.2 connections that use the TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher suite are supported.

Namespace

SSL

Imports

base/frameworks/input, base/frameworks/notice, base/protocols/conn, base/protocols/ssl

Summary
Redefinable Options

SSL::keylog_file: string &redef

This can be set to a file that contains the session secrets for decryption, when parsing a pcap file.

SSL::secret_expiration: interval &redef

Secrets expire after this time of not being used.

Redefinitions

SSL::Info: record

New Fields

SSL::Info

client_random: string &optional

SSL::disable_analyzer_after_detection: bool &redef

Events

SSL::add_keys: event

This event can be triggered, e.g., via Broker to add known keys to the TLS key database.

SSL::add_secret: event

This event can be triggered, e.g., via Broker to add known secrets to the TLS secret database.

Detailed Interface
Redefinable Options
SSL::keylog_file
Type

string

Attributes

&redef

Default

""

This can be set to a file that contains the session secrets for decryption, when parsing a pcap file. Please note that, when using this feature, you probably want to pause processing of data until this file has been read.

SSL::secret_expiration
Type

interval

Attributes

&redef

Default

5.0 mins

Secrets expire after this time of not being used.

Events
SSL::add_keys
Type

event (client_random: string, keys: string)

This event can be triggered, e.g., via Broker to add known keys to the TLS key database.

client_random

client random for which the key is set

keys

key material

SSL::add_secret
Type

event (client_random: string, secrets: string)

This event can be triggered, e.g., via Broker to add known secrets to the TLS secret database.

client_random

client random for which the secret is set

secrets

derived TLS secrets material

policy/protocols/ssl/expiring-certs.zeek

SSL

Generate notices when X.509 certificates over SSL/TLS are expired or going to expire soon based on the date and time values stored within the certificate.

Namespace

SSL

Imports

base/files/x509, base/frameworks/notice, base/protocols/ssl, base/utils/directions-and-hosts.zeek

Summary
Runtime Options

SSL::notify_certs_expiration: Host &redef

The category of hosts you would like to be notified about which have certificates that are going to be expiring soon.

SSL::notify_when_cert_expiring_in: interval &redef

The time before a certificate is going to expire that you would like to start receiving SSL::Certificate_Expires_Soon notices.

Redefinitions

Notice::Type: enum

Detailed Interface
Runtime Options
SSL::notify_certs_expiration
Type

Host

Attributes

&redef

Default

LOCAL_HOSTS

The category of hosts you would like to be notified about which have certificates that are going to be expiring soon. By default, these notices will be suppressed by the notice framework for 1 day after a particular certificate has had a notice generated. Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS.

SSL::notify_when_cert_expiring_in
Type

interval

Attributes

&redef

Default

30.0 days

The time before a certificate is going to expire that you would like to start receiving SSL::Certificate_Expires_Soon notices.

policy/protocols/ssl/heartbleed.zeek

Heartbleed

Detect the TLS heartbleed attack. See http://heartbleed.com for more.

Namespace

Heartbleed

Imports

base/frameworks/notice, base/protocols/ssl

Summary
Redefinitions

Notice::Type: enum

SSL::Info: record

New Fields

SSL::Info

last_originator_heartbeat_request_size: count &optional

last_responder_heartbeat_request_size: count &optional

originator_heartbeats: count &default = 0 &optional

responder_heartbeats: count &default = 0 &optional

heartbleed_detected: bool &default = F &optional

enc_appdata_packages: count &default = 0 &optional

enc_appdata_bytes: count &default = 0 &optional

SSL::disable_analyzer_after_detection: bool &redef

Detailed Interface

policy/protocols/ssl/known-certs.zeek

Known

Log information about certificates while attempting to avoid duplicate logging.

Namespace

Known

Imports

base/files/x509, base/frameworks/cluster, base/protocols/ssl, base/utils/directions-and-hosts.zeek

Summary
Runtime Options

Known::cert_store_expiry: interval &redef

The expiry interval of new entries in Known::cert_store.

Known::cert_store_timeout: interval &redef

The timeout interval to use for operations against Known::cert_store.

Known::cert_tracking: Host &redef

The certificates whose existence should be logged and tracked.

Redefinable Options

Known::cert_store_name: string &redef

The Broker topic name to use for Known::cert_store.

Known::use_cert_store: bool &redef

Toggles between different implementations of this script.

State Variables

Known::cert_store: Cluster::StoreInfo

Holds the set of all known certificates.

Known::certs: set &create_expire = 1.0 day &redef

The set of all known certificates to store for preventing duplicate logging.

Types

Known::AddrCertHashPair: record

Known::CertsInfo: record

Redefinitions

Log::ID: enum

Events

Known::log_known_certs: event

Event that can be handled to access the loggable record as it is sent on to the logging framework.

Hooks

Known::log_policy_certs: Log::PolicyHook

Detailed Interface
Runtime Options
Known::cert_store_expiry
Type

interval

Attributes

&redef

Default

1.0 day

The expiry interval of new entries in Known::cert_store. This also changes the interval at which certs get logged.

Known::cert_store_timeout
Type

interval

Attributes

&redef

Default

15.0 secs

The timeout interval to use for operations against Known::cert_store.

Known::cert_tracking
Type

Host

Attributes

&redef

Default

LOCAL_HOSTS

Redefinition

from policy/tuning/track-all-assets.zeek

=:

ALL_HOSTS

The certificates whose existence should be logged and tracked. Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS.

Redefinable Options
Known::cert_store_name
Type

string

Attributes

&redef

Default

"zeek/known/certs"

The Broker topic name to use for Known::cert_store.

Known::use_cert_store
Type

bool

Attributes

&redef

Default

F

Toggles between different implementations of this script. When true, use a Broker data store, else use a regular Zeek set with keys uniformly distributed over proxy nodes in cluster operation.

State Variables
Known::cert_store
Type

Cluster::StoreInfo

Default
{
   name=<uninitialized>
   store=<uninitialized>
   master_node=""
   master=F
   backend=Broker::MEMORY
   options=[sqlite=[path=""]]
   clone_resync_interval=10.0 secs
   clone_stale_interval=5.0 mins
   clone_mutation_buffer_interval=2.0 mins
}

Holds the set of all known certificates. Keys in the store are of type Known::AddrCertHashPair and their associated value is always the boolean value of “true”.

Known::certs
Type

set [addr, string]

Attributes

&create_expire = 1.0 day &redef

Default

{}

The set of all known certificates to store for preventing duplicate logging. It can also be used from other scripts to inspect if a certificate has been seen in use. The string value in the set is for storing the DER formatted certificate’s SHA1 hash.

In cluster operation, this set is uniformly distributed across proxy nodes.

Types
Known::AddrCertHashPair
Type

record

host: addr

hash: string

Known::CertsInfo
Type

record

ts: time &log

The timestamp when the certificate was detected.

host: addr &log

The address that offered the certificate.

port_num: port &log &optional

If the certificate was handed out by a server, this is the port that the server was listening on.

subject: string &log &optional

Certificate subject.

issuer_subject: string &log &optional

Certificate issuer subject.

serial: string &log &optional

Serial number for the certificate.

Events
Known::log_known_certs
Type

event (rec: Known::CertsInfo)

Event that can be handled to access the loggable record as it is sent on to the logging framework.

Hooks
Known::log_policy_certs
Type

Log::PolicyHook

policy/protocols/ssl/log-certs-base64.zeek

This script is used to extract certificates seen on the wire to Zeek log files. The certificates are base64-encoded and written to ssl.log, to the newly added cert field.

Imports

base/files/x509, base/protocols/ssl

Summary
Redefinitions

X509::Info: record

New Fields

X509::Info

cert: string &log &optional

Base64 encoded X.509 certificate.

Detailed Interface

policy/protocols/ssl/ssl-log-ext.zeek

This file adds a lot of additional information to the SSL log. It is not loaded by default since the information significantly expands the log and is probably not interesting for a majority of people.

Imports

base/protocols/ssl

Summary
Redefinitions

SSL::Info: record

New Fields

SSL::Info

server_version: count &log &optional

Numeric version of the server in the server hello

client_version: count &log &optional

Numeric version of the client in the client hello

client_ciphers: vector of count &log &optional

Ciphers that were offered by the client for the connection

ssl_client_exts: vector of count &log &optional

SSL Client extensions

ssl_server_exts: vector of count &log &optional

SSL server extensions

ticket_lifetime_hint: count &log &optional

Suggested ticket lifetime sent in the session ticket handshake by the server.

dh_param_size: count &log &optional

The Diffie-Hellman parameter size, when using DH.

point_formats: vector of count &log &optional

Supported elliptic curve point formats

client_curves: vector of count &log &optional

The curves supported by the client.

orig_alpn: vector of string &log &optional

Application layer protocol negotiation extension sent by the client.

client_supported_versions: vector of count &log &optional

TLS 1.3 supported versions

server_supported_version: count &log &optional

TLS 1.3 supported versions

psk_key_exchange_modes: vector of count &log &optional

TLS 1.3 Pre-shared key exchange modes

client_key_share_groups: vector of count &log &optional

Key share groups from client hello

server_key_share_group: count &log &optional

Selected key share group from server hello

client_comp_methods: vector of count &log &optional

Client supported compression methods

comp_method: count &optional

Server chosen compression method

sigalgs: vector of count &log &optional

Client supported signature algorithms

hashalgs: vector of count &log &optional

Client supported hash algorithms

Detailed Interface

policy/protocols/ssl/log-hostcerts-only.zeek

X509

When this script is loaded, only the host certificates (client and server) will be logged to x509.log. Logging of all other certificates will be suppressed.

Namespace

X509

Imports

base/files/x509, base/protocols/ssl

Summary
Detailed Interface

policy/protocols/ssl/validate-certs.zeek

SSL

Perform full certificate chain validation for SSL certificates.

Namespace

SSL

Imports

base/frameworks/cluster, base/frameworks/notice, base/protocols/ssl

Summary
State Variables

SSL::recently_validated_certs: table &read_expire = 5.0 mins &redef

Result values for recently validated chains along with the validation status are kept in this table to avoid constant validation every time the same certificate chain is seen.

SSL::ssl_cache_intermediate_ca: bool &redef

Use intermediate CA certificate caching when trying to validate certificates.

SSL::ssl_store_valid_chain: bool &redef

Store the valid chain in c$ssl$valid_chain if validation succeeds.

Redefinitions

Notice::Type: enum

  • SSL::Invalid_Server_Cert: This notice indicates that the result of validating the certificate along with its full certificate chain was invalid.

SSL::Info: record

New Fields

SSL::Info

validation_status: string &log &optional

Result of certificate validation for this connection.

validation_code: int &optional

Result of certificate validation for this connection, given as OpenSSL validation code.

valid_chain: vector of opaque of x509 &optional

Ordered chain of validated certificate, if validation succeeded.

Events

SSL::intermediate_add: event

Event from a manager to workers when encountering a new, valid intermediate.

SSL::new_intermediate: event

Event from workers to the manager when a new intermediate chain is to be added.

Detailed Interface
State Variables
SSL::recently_validated_certs
Type

table [string] of X509::Result

Attributes

&read_expire = 5.0 mins &redef

Default

{}

Result values for recently validated chains along with the validation status are kept in this table to avoid constant validation every time the same certificate chain is seen.

SSL::ssl_cache_intermediate_ca
Type

bool

Attributes

&redef

Default

T

Use intermediate CA certificate caching when trying to validate certificates. When this is enabled, Zeek keeps track of all valid intermediate CA certificates that it has seen in the past. When encountering a host certificate that cannot be validated because of a missing intermediate CA certificate, the cached list is used to try to validate the cert. This is similar to how Firefox does certificate validation.

Disabling this will usually greatly increase the number of validation warnings that you encounter. Only disable if you want to find misconfigured servers.

SSL::ssl_store_valid_chain
Type

bool

Attributes

&redef

Default

F

Redefinition

from policy/protocols/ssl/validate-sct.zeek

=:

T

Store the valid chain in c$ssl$valid_chain if validation succeeds. This has a potentially high memory impact, depending on the local environment and is thus disabled by default.

Events
SSL::intermediate_add
Type

event (key: string, value: vector of opaque of x509)

Event from a manager to workers when encountering a new, valid intermediate.

SSL::new_intermediate
Type

event (key: string, value: vector of opaque of x509)

Event from workers to the manager when a new intermediate chain is to be added.

policy/protocols/ssl/validate-ocsp.zeek

SSL

Perform validation of stapled OCSP responses.

Namespace

SSL

Imports

base/frameworks/notice, base/protocols/ssl

Summary
Redefinitions

Notice::Type: enum

SSL::Info: record

New Fields

SSL::Info

ocsp_status: string &log &optional

Result of OCSP validation for this connection.

ocsp_response: string &optional

OCSP response as a string.

Detailed Interface

policy/protocols/ssl/validate-sct.zeek

SSL

Perform validation of Signed Certificate Timestamps, as used for Certificate Transparency. See RFC6962 for more details.

Namespace

SSL

Imports

base/protocols/ssl, policy/protocols/ssl/validate-certs.zeek

Summary
Types

SSL::SctInfo: record

This record is used to store information about the SCTs that are encountered in an SSL connection.

SSL::SctSource: enum

List of the different sources for Signed Certificate Timestamp

Redefinitions

SSL::Info: record

New Fields

SSL::Info

valid_scts: count &optional

Number of valid SCTs that were encountered in the connection.

invalid_scts: count &optional

Number of SCTs that could not be validated that were encountered in the connection.

valid_ct_logs: count &log &optional

Number of different Logs for which valid SCTs were encountered in the connection.

valid_ct_operators: count &log &optional

Number of different Log operators of which valid SCTs were encountered in the connection.

valid_ct_operators_list: set [string] &optional

List of operators for which valid SCTs were encountered in the connection.

ct_proofs: vector of SSL::SctInfo &default = [] &optional

Information about all SCTs that were encountered in the connection.

SSL::ssl_store_valid_chain: bool &redef

Detailed Interface
Types
SSL::SctInfo
Type

record

version: count

The version of the encountered SCT (should always be 0 for v1).

logid: string

The ID of the log issuing this SCT.

timestamp: count

The timestamp at which this SCT was issued measured since the epoch (January 1, 1970, 00:00), ignoring leap seconds, in milliseconds. Not converted to a Zeek timestamp because we need the exact value for validation.

sig_alg: count

The signature algorithm used for this sct.

hash_alg: count

The hash algorithm used for this sct.

signature: string

The signature of this SCT.

source: SSL::SctSource

Source of this SCT.

valid: bool &optional

Validation result of this SCT.

This record is used to store information about the SCTs that are encountered in an SSL connection.

SSL::SctSource
Type

enum

SSL::SCT_X509_EXT

Signed Certificate Timestamp was encountered in the extension of an X.509 certificate.

SSL::SCT_TLS_EXT

Signed Certificate Timestamp was encountered in a TLS session extension.

SSL::SCT_OCSP_EXT

Signed Certificate Timestamp was encountered in the extension of a stapled OCSP reply.

List of the different sources for Signed Certificate Timestamp

policy/protocols/ssl/weak-keys.zeek

SSL

Generate notices when SSL/TLS connections use certificates, DH parameters, or cipher suites that are deemed to be insecure.

Namespace

SSL

Imports

base/frameworks/notice, base/protocols/ssl, base/utils/directions-and-hosts.zeek

Summary
Runtime Options

SSL::notify_dh_length_shorter_cert_length: bool &redef

Warn if the DH key length is smaller than the certificate key length.

SSL::notify_minimal_key_length: count &redef

The minimal key length in bits that is considered to be safe.

SSL::notify_weak_keys: Host &redef

The category of hosts you would like to be notified about which are using weak keys/ciphers/protocol_versions.

SSL::tls_minimum_version: count &redef

Warn if a server negotiates an SSL session with a protocol version smaller than the specified version.

SSL::unsafe_ciphers_regex: pattern &redef

Warn if a server negotiates an unsafe cipher suite.

Redefinitions

Notice::Type: enum

  • SSL::Old_Version: Indicates that a server is using a potentially unsafe version

  • SSL::Weak_Cipher: Indicates that a server is using a potentially unsafe cipher

  • SSL::Weak_Key: Indicates that a server is using a potentially unsafe key.

Detailed Interface
Runtime Options
SSL::notify_dh_length_shorter_cert_length
Type

bool

Attributes

&redef

Default

T

Warn if the DH key length is smaller than the certificate key length. This is potentially unsafe because it gives a wrong impression of safety due to the certificate key length. However, it is very common and cannot be avoided in some settings (e.g. with old Java clients).

SSL::notify_minimal_key_length
Type

count

Attributes

&redef

Default

2048

The minimal key length in bits that is considered to be safe. Any shorter (non-EC) key lengths will trigger a notice.

SSL::notify_weak_keys
Type

Host

Attributes

&redef

Default

LOCAL_HOSTS

The category of hosts you would like to be notified about which are using weak keys/ciphers/protocol_versions. By default, these notices will be suppressed by the notice framework for 1 day after a particular host has had a notice generated. Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS

SSL::tls_minimum_version
Type

count

Attributes

&redef

Default

769

Warn if a server negotiates an SSL session with a protocol version smaller than the specified version. By default, the minimal version is TLSv10 because SSLv2 and v3 have serious security issues. See https://tools.ietf.org/html/draft-thomson-sslv3-diediedie-00. To disable, set to SSLv20.

SSL::unsafe_ciphers_regex
Type

pattern

Attributes

&redef

Default
/^?((_EXPORT_)|(_RC4_))$?/

Warn if a server negotiates an unsafe cipher suite. By default, we only warn when encountering old export cipher suites, or RC4 (see RFC7465).
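The checks that weak-keys.zeek and log-certs-base64.zeek perform inside Zeek can also be run after the fact over an ssl.log, for instance when reviewing logs shipped off a sensor. This added example (not part of the Zeek distribution) parses a constructed tab-separated ssl.log excerpt, applies the default SSL::tls_minimum_version and SSL::unsafe_ciphers_regex rules, and turns the base64 cert column into PEM; the certificate bytes in the sample are a labelled placeholder, not a real DER certificate.

```python
"""Offline checks over a Zeek ssl.log that mirror weak-keys.zeek and
log-certs-base64.zeek. Added example; not code from the Zeek project."""
import base64
import re

# Same defaults as SSL::tls_minimum_version (769 = TLSv10) and
# SSL::unsafe_ciphers_regex (export cipher suites and RC4).
TLS_MINIMUM_VERSION = 769
UNSAFE_CIPHERS = re.compile(r"_EXPORT_|_RC4_")

# Numeric protocol versions behind the strings Zeek writes in the 'version' column.
VERSION_NUM = {"SSLv2": 2, "SSLv3": 768, "TLSv10": 769,
               "TLSv11": 770, "TLSv12": 771, "TLSv13": 772}

# Constructed stand-in for a DER certificate; in a real ssl.log the 'cert'
# column holds the base64 of the DER bytes seen on the wire.
FAKE_DER = b"constructed placeholder, not a real DER certificate"

# Constructed ssl.log excerpt in Zeek's default ASCII (tab-separated) format.
SAMPLE_SSL_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tssl",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tcipher\tserver_name\tcert",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tstring",
    "1700000000.1\tCa1\t10.0.0.5\t51000\t192.0.2.10\t443\tTLSv12\t"
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\twww.example.com\t"
    + base64.b64encode(FAKE_DER).decode(),
    "1700000001.2\tCb2\t10.0.0.6\t51001\t192.0.2.11\t443\tSSLv3\t"
    "TLS_RSA_WITH_RC4_128_SHA\tlegacy.example.com\t-",
    "1700000002.3\tCc3\t10.0.0.7\t51002\t192.0.2.12\t443\tTLSv10\t"
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5\t-\t-",
    "#close\t2023-11-14-22-13-22",
])


def parse_zeek_tsv(text):
    """Yield one dict per record, keyed by the #fields header. Unset values
    (#unset_field, '-' by default) become None, empty ones ('(empty)') ''."""
    fields, unset, empty = None, "-", "(empty)"
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition("\t")
            if key == "fields":
                fields = value.split("\t")
            elif key == "unset_field":
                unset = value
            elif key == "empty_field":
                empty = value
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        yield {name: None if v == unset else "" if v == empty else v
               for name, v in zip(fields, values)}


def weak_tls_findings(records):
    """Apply the weak-keys.zeek version and cipher checks to parsed records.
    Returns (uid, notice name) pairs in log order."""
    findings = []
    for rec in records:
        vnum = VERSION_NUM.get(rec.get("version"))
        if vnum is not None and vnum < TLS_MINIMUM_VERSION:
            findings.append((rec["uid"], "SSL::Old_Version"))
        cipher = rec.get("cipher")
        if cipher and UNSAFE_CIPHERS.search(cipher):
            findings.append((rec["uid"], "SSL::Weak_Cipher"))
    return findings


def certs_to_pem(records):
    """Turn the base64 'cert' column into PEM text keyed by uid; records
    without a certificate are skipped and corrupted base64 raises."""
    pems = {}
    for rec in records:
        b64 = rec.get("cert")
        if not b64:
            continue
        der = base64.b64decode(b64, validate=True)
        body = base64.b64encode(der).decode()
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]
        pems[rec["uid"]] = ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                            + "\n-----END CERTIFICATE-----\n")
    return pems


def pem_to_der(pem):
    """Inverse of certs_to_pem for one PEM block (used to verify round trips)."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body, validate=True)


if __name__ == "__main__":
    records = list(parse_zeek_tsv(SAMPLE_SSL_LOG))
    for uid, notice in weak_tls_findings(records):
        print(uid, notice)
    for uid, pem in certs_to_pem(records).items():
        print(uid)
        print(pem, end="")
```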

policy/tuning/__load__.zeek

This loads the default tuning.

Imports

policy/tuning/defaults

Summary
Detailed Interface

policy/tuning/defaults/__load__.zeek

Imports

policy/tuning/defaults/extracted_file_limits.zeek, policy/tuning/defaults/packet-fragments.zeek, policy/tuning/defaults/warnings.zeek

Summary
Detailed Interface

policy/tuning/defaults/packet-fragments.zeek

Summary
Redefinitions

frag_timeout: interval &redef

Shorten the fragment timeout from never expiring to expiring fragments after five minutes.

Detailed Interface

policy/tuning/defaults/warnings.zeek

This file is meant to print messages on stdout for settings that would be good to set in most cases or other things that could be done to achieve better detection.

Imports

base/utils/site.zeek

Summary
Detailed Interface

policy/tuning/defaults/extracted_file_limits.zeek

Imports

base/files/extract

Summary
Redefinitions

FileExtract::default_limit: count &redef

Detailed Interface

policy/tuning/json-logs.zeek

Loading this script will cause all logs to be written out as JSON by default.

Summary
Redefinitions

LogAscii::use_json: bool &redef

Detailed Interface

policy/tuning/track-all-assets.zeek

Imports

base/frameworks/software, policy/protocols/conn/known-hosts.zeek, policy/protocols/conn/known-services.zeek, policy/protocols/ssl/known-certs.zeek

Summary
Redefinitions

Known::cert_tracking: Host &redef

Known::host_tracking: Host &redef

Known::service_tracking: Host &redef

Software::asset_tracking: Host &redef

Detailed Interface

policy/protocols/ssl/notary.zeek

CertNotary
Namespace

CertNotary

Imports

base/protocols/ssl

Summary
Runtime Options

CertNotary::domain: string &redef

The notary domain to query.

Types

CertNotary::Response: record

A response from the ICSI certificate notary.

Redefinitions

SSL::Info: record

New Fields

SSL::Info

notary: CertNotary::Response &log &optional

A response from the ICSI certificate notary.

Detailed Interface
Runtime Options
CertNotary::domain
Type

string

Attributes

&redef

Default

"notary.icsi.berkeley.edu"

The notary domain to query.

Types
CertNotary::Response
Type

record

first_seen: count &log &optional

last_seen: count &log &optional

times_seen: count &log &optional

valid: bool &log &optional

A response from the ICSI certificate notary.

policy/frameworks/control/controllee.zeek

Control

The controllee portion of the control framework. Load this script if remote runtime control of the Zeek process is desired.

A controllee only needs to load the controllee script in addition to the specific analysis scripts desired. It may also need a node configured as a controller node in the communications nodes configuration:

zeek <scripts> frameworks/control/controllee
Namespace

Control

Imports

base/frameworks/broker, base/frameworks/control

Summary
Detailed Interface

policy/frameworks/control/controller.zeek

Control

This is a utility script that implements the controller interface for the control framework. It’s intended to be run to control a remote Zeek and then shutdown.

It’s intended to be used from the command line like this:

zeek <scripts> frameworks/control/controller Control::host=<host_addr> Control::host_port=<host_port> Control::cmd=<command> [Control::arg=<arg>]
Namespace

Control

Imports

base/frameworks/broker, base/frameworks/control

Summary
Detailed Interface

policy/frameworks/management/agent/main.zeek

Management::Agent::Runtime

This is the main “runtime” of a cluster agent. Zeek does not load this directly; rather, the agent’s bootstrapping module (in ./boot.zeek) specifies it as the script to run in the node newly created via Zeek’s supervisor.

Namespace

Management::Agent::Runtime

Imports

base/frameworks/broker, base/utils/paths.zeek, policy/frameworks/management, policy/frameworks/management/agent/api.zeek, policy/frameworks/management/agent/config.zeek, policy/frameworks/management/node/api.zeek, policy/frameworks/management/node/config.zeek, policy/frameworks/management/supervisor/api.zeek, policy/frameworks/management/supervisor/config.zeek

Summary
Types

Management::Agent::Runtime::DeployState: record

Request state for deploy requests.

Management::Agent::Runtime::NodeDispatchState: record

Request state for node dispatches, tracking the requested action as well as received responses.

Management::Agent::Runtime::RestartState: record

Request state for restart requests, tracking received responses.

Management::Agent::Runtime::SupervisorState: record

Request state specific to the agent’s Supervisor interactions.

Redefinitions

Management::Request::Request: record

New Fields

Management::Request::Request

supervisor_state_agent: Management::Agent::Runtime::SupervisorState &optional

deploy_state_agent: Management::Agent::Runtime::DeployState &optional

node_dispatch_state_agent: Management::Agent::Runtime::NodeDispatchState &optional

restart_state_agent: Management::Agent::Runtime::RestartState &optional

Management::Request::timeout_interval: interval &redef

Management::role: Management::Role &redef

table_expire_interval: interval &redef

Events

Management::Agent::Runtime::trigger_log_archival: event

Detailed Interface
Types
Management::Agent::Runtime::DeployState
Type

record

nodes_pending: set [string]

Zeek cluster nodes the provided configuration requested and which have not yet checked in with the agent.

Request state for deploy requests.

Management::Agent::Runtime::NodeDispatchState
Type

record

action: vector of string

The dispatched action. The first string is a command, any remaining strings its arguments.

requests: set [string] &default = {  } &optional

Request state for every node managed by this agent.

Request state for node dispatches, tracking the requested action as well as received responses.

Management::Agent::Runtime::RestartState
Type

record

requests: set [string] &default = {  } &optional

Request state for every node the agent asks the Supervisor to restart.

Request state for restart requests, tracking received responses.

Management::Agent::Runtime::SupervisorState
Type

record

node: string &default = "" &optional

Name of the node the Supervisor is acting on, if applicable.

status: Supervisor::Status &optional

The result of a status request.

restart_result: bool &optional

The result of a restart request.

Request state specific to the agent’s Supervisor interactions.

Events
Management::Agent::Runtime::trigger_log_archival
Type

event (run_archival: bool &default = T &optional)

policy/frameworks/management/controller/main.zeek

Management::Controller::Runtime

This is the main “runtime” of the Management framework’s controller. Zeek does not load this directly; rather, the controller’s bootstrapping module (in ./boot.zeek) specifies it as the script to run in the node newly created by the supervisor.

Namespace

Management::Controller::Runtime

Imports

base/frameworks/broker, policy/frameworks/management, policy/frameworks/management/agent/api.zeek, policy/frameworks/management/agent/config.zeek, policy/frameworks/management/controller/api.zeek, policy/frameworks/management/controller/config.zeek

Summary
Types

Management::Controller::Runtime::ConfigState: enum

A cluster configuration uploaded by the client goes through multiple states on its way to deployment.

Management::Controller::Runtime::DeployState: record

Request state specific to Management::Controller::API::deploy_request and Management::Controller::API::deploy_response.

Management::Controller::Runtime::GetNodesState: record

Request state specific to Management::Controller::API::get_nodes_request and Management::Controller::API::get_nodes_response.

Management::Controller::Runtime::NodeDispatchState: record

Request state for node dispatch requests, to track the requested action and received responses.

Management::Controller::Runtime::RestartState: record

Request state specific to Management::Controller::API::restart_request and Management::Controller::API::restart_response.

Management::Controller::Runtime::TestState: record

Dummy state for internal state-keeping test cases.

Redefinitions

Management::Request::Request: record

New Fields

Management::Request::Request

deploy_state: Management::Controller::Runtime::DeployState &optional

get_nodes_state: Management::Controller::Runtime::GetNodesState &optional

node_dispatch_state: Management::Controller::Runtime::NodeDispatchState &optional

restart_state: Management::Controller::Runtime::RestartState &optional

test_state: Management::Controller::Runtime::TestState &optional

Management::role: Management::Role &redef

table_expire_interval: interval &redef

Detailed Interface
Types
Management::Controller::Runtime::ConfigState
Type

enum

Management::Controller::Runtime::STAGED

As provided by the client.

Management::Controller::Runtime::READY

Necessary updates made, e.g. ports filled in.

Management::Controller::Runtime::DEPLOYED

Sent off to the agents for deployment.

A cluster configuration uploaded by the client goes through multiple states on its way to deployment.

Management::Controller::Runtime::DeployState
Type

record

config: Management::Configuration

The cluster configuration the controller is deploying.

is_internal: bool &default = F &optional

Whether this is a controller-internal deployment, or triggered via a request by a remote peer/client.

requests: set [string] &default = {  } &optional

Request state for every controller/agent transaction.

Request state specific to Management::Controller::API::deploy_request and Management::Controller::API::deploy_response.

Management::Controller::Runtime::GetNodesState
Type

record

requests: set [string] &default = {  } &optional

Request state for every controller/agent transaction.

Request state specific to Management::Controller::API::get_nodes_request and Management::Controller::API::get_nodes_response.

Management::Controller::Runtime::NodeDispatchState
Type

record

action: vector of string

The dispatched action. The first string is a command, any remaining strings its arguments.

requests: set [string] &default = {  } &optional

Request state for every controller/agent transaction. The set of strings tracks the node names from which we still expect responses, before we can respond back to the client.

Request state for node dispatch requests, to track the requested action and received responses. Node dispatches are requests to execute pre-implemented actions on every node in the cluster, and report their outcomes. See Management::Agent::API::node_dispatch_request and Management::Agent::API::node_dispatch_response for the agent/controller interaction, and Management::Controller::API::get_id_value_request and Management::Controller::API::get_id_value_response for an example of a specific API the controller generalizes into a dispatch.

Management::Controller::Runtime::RestartState
Type

record

requests: set [string] &default = {  } &optional

Request state for every controller/agent transaction.

Request state specific to Management::Controller::API::restart_request and Management::Controller::API::restart_response.

Management::Controller::Runtime::TestState
Type

record

Dummy state for internal state-keeping test cases.

policy/frameworks/management/node/__load__.zeek

Imports

policy/frameworks/management/node/main.zeek

Summary
Detailed Interface

policy/frameworks/management/node/main.zeek

Management::Node

This module provides Management framework functionality present in every cluster node, to allow Management agents to interact with the nodes.

Namespace

Management::Node

Imports

base/frameworks/broker/store.zeek, base/frameworks/cluster, base/frameworks/logging/writers/ascii.zeek, base/misc/installation.zeek, base/utils/paths.zeek, policy/frameworks/management, policy/frameworks/management/agent/config.zeek, policy/frameworks/management/node/api.zeek, policy/frameworks/management/node/config.zeek

Summary
Redefinitions

Management::role: Management::Role &redef

Detailed Interface

policy/frameworks/files/extract-all-files.zeek

Extract all files to disk.

Imports

base/files/extract

Summary
Detailed Interface

policy/misc/dump-events.zeek

DumpEvents

This script dumps the events that Zeek raises out to standard output in a readable form. This is for debugging only and allows one to understand events and their parameters as Zeek processes input. Note that it will show only events for which a handler is defined.

Namespace

DumpEvents

Summary
Runtime Options

DumpEvents::include: pattern &redef

Only include events matching the given pattern into output.

DumpEvents::include_args: bool &redef

If true, include event arguments in output.

Redefinable Options

DumpEvents::dump_all_events: bool &redef

By default, only events that are handled in a script are dumped.

Detailed Interface
Runtime Options
DumpEvents::include
Type

pattern

Attributes

&redef

Default
/^?(.*)$?/

Only include events matching the given pattern into output. By default, the pattern matches all events.

DumpEvents::include_args
Type

bool

Attributes

&redef

Default

T

If true, include event arguments in output.

Redefinable Options
DumpEvents::dump_all_events
Type

bool

Attributes

&redef

Default

F

By default, only events that are handled in a script are dumped. Setting this option to true will cause unhandled events to be dumped too.

policy/protocols/conn/speculative-service.zeek

Conn

This script adds information about matched DPD signatures to the connection log.

Namespace

Conn

Imports

base/protocols/conn

Summary
Redefinitions

Conn::Info: record

New Fields

Conn::Info

speculative_service: string &log &optional

Protocol that was determined by a matching signature after the beginning of a connection.

connection: record

New Fields

connection

speculative_service: set [string] &default = {  } &optional

dpd_late_match_stop: bool &redef

dpd_match_only_beginning: bool &redef

Detailed Interface

policy/protocols/ssl/extract-certs-pem.zeek

SSL

This script is used to extract host certificates seen on the wire to disk after being converted to PEM files. The certificates will be stored in a single file, one for local certificates and one for remote certificates.

Note

  • It doesn’t work well on a cluster because each worker will write its own certificate files and no duplicate checking is done across the cluster so each node would log each certificate.

Namespace

SSL

Imports

base/files/x509, base/protocols/ssl, base/utils/directions-and-hosts.zeek

Summary
Runtime Options

SSL::extract_certs_pem: Host &redef

Control if host certificates offered by the defined hosts will be written to the PEM certificates file.

Detailed Interface
Runtime Options
SSL::extract_certs_pem
Type

Host

Attributes

&redef

Default

LOCAL_HOSTS

Control if host certificates offered by the defined hosts will be written to the PEM certificates file. Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS.

zeekygen/example.zeek

ZeekygenExample

This is an example script that demonstrates Zeekygen-style documentation. It generally will make most sense when viewing the script’s raw source code and comparing to the HTML-rendered version.

Comments in the form ##! are meant to summarize the script’s purpose. They are transferred directly into the generated reStructuredText (reST) document associated with the script.

Tip

You can embed directives and roles within ##-stylized comments.

There’s also a custom role to reference any identifier node in the Zeek Sphinx domain that’s good for “see alsos”, e.g.

See also: ZeekygenExample::a_var, ZeekygenExample::ONE, SSH::Info

And a custom directive does the equivalent references:

See also:

Namespace

ZeekygenExample

Imports

base/frameworks/notice, base/protocols/http, policy/frameworks/software/vulnerable.zeek

Summary
Redefinable Options

ZeekygenExample::an_option: set &redef

Add documentation for “an_option” here.

ZeekygenExample::option_with_init: interval &redef

Default initialization will be generated automatically.

State Variables

ZeekygenExample::a_var: bool

Put some documentation for “a_var” here.

ZeekygenExample::summary_test: string

The first sentence for a particular identifier’s summary text ends here.

ZeekygenExample::var_without_explicit_type: string

Types are inferred, that information is self-documenting.

Types

ZeekygenExample::ComplexRecord: record &redef

General documentation for a type “ComplexRecord” goes here.

ZeekygenExample::Info: record

An example record to be used with a logging stream.

ZeekygenExample::SimpleEnum: enum

Documentation for the “SimpleEnum” type goes here.

ZeekygenExample::SimpleRecord: record

General documentation for a type “SimpleRecord” goes here.

Redefinitions

Log::ID: enum

Notice::Type: enum

ZeekygenExample::SimpleEnum: enum

Document the “SimpleEnum” redef here with any special info regarding the redef itself.

ZeekygenExample::SimpleRecord: record

Document the record extension redef itself here.

New Fields

ZeekygenExample::SimpleRecord

field_ext: string &optional

Document the extending field like this.

Events

ZeekygenExample::an_event: event

Summarize “an_event” here.

Functions

ZeekygenExample::a_function: function

Summarize purpose of “a_function” here.

Detailed Interface
Redefinable Options
ZeekygenExample::an_option
Type

set [addr, addr, string]

Attributes

&redef

Default

{}

Add documentation for “an_option” here. The type/attribute information is all generated automatically.

ZeekygenExample::option_with_init
Type

interval

Attributes

&redef

Default

10.0 msecs

Default initialization will be generated automatically. More docs can be added here.

State Variables
ZeekygenExample::a_var
Type

bool

Put some documentation for “a_var” here. Any global/non-const that isn’t a function/event/hook is classified as a “state variable” in the generated docs.

ZeekygenExample::summary_test
Type

string

The first sentence for a particular identifier’s summary text ends here. And this second sentence doesn’t show in the short description provided by the table of all identifiers declared by this script.

ZeekygenExample::var_without_explicit_type
Type

string

Default

"this works"

Types are inferred, that information is self-documenting.

Types
ZeekygenExample::ComplexRecord
Type

record

field1: count

Counts something.

field2: bool

Toggles something.

field3: ZeekygenExample::SimpleRecord

Zeekygen automatically tracks types and cross-references are automatically inserted in to generated docs.

msg: string &default = "blah" &optional

Attributes are self-documenting.

Attributes

&redef

General documentation for a type “ComplexRecord” goes here.

ZeekygenExample::Info
Type

record

ts: time &log

uid: string &log

status: count &log &optional

An example record to be used with a logging stream. Nothing special about it. If another script redefs this type to add fields, the generated documentation will show all original fields plus the extensions and the scripts which contributed to it (provided they are also @load’ed).

ZeekygenExample::SimpleEnum
Type

enum

ZeekygenExample::ONE

Documentation for particular enum values is added like this. And can also span multiple lines.

ZeekygenExample::TWO

Or this style is valid to document the preceding enum value.

ZeekygenExample::THREE
ZeekygenExample::FOUR

And some documentation for “FOUR”.

ZeekygenExample::FIVE

Also “FIVE”.

Documentation for the “SimpleEnum” type goes here. It can span multiple lines.

ZeekygenExample::SimpleRecord
Type

record

field1: count

Counts something.

field2: bool

Toggles something.

field_ext: string &optional

Document the extending field like this. Or here, like this.

General documentation for a type “SimpleRecord” goes here. The way fields can be documented is similar to what’s already seen for enums.

Events
ZeekygenExample::an_event
Type

event (name: string)

Summarize “an_event” here. Give more details about “an_event” here.

ZeekygenExample::a_function should not be confused as a parameter in the generated docs, but it also doesn’t generate a cross-reference link. Use the see role instead: ZeekygenExample::a_function.

Name

Describe the argument here.

Functions
ZeekygenExample::a_function
Type

function (tag: string, msg: string) : string

Summarize purpose of “a_function” here. Give more details about “a_function” here. Separating the documentation of the params/return values with empty comments is optional, but improves readability of script.

Tag

Function arguments can be described like this.

Msg

Another param.

Returns

Describe the return type here.

Developer Guides

In addition to documentation found or mentioned below, some developer-oriented content is maintained directly in the Zeek wiki due to the nature of the content (e.g. the author finds it to be more dynamic, informal, meta, transient, etc. compared to other documentation).

Writing Plugins

Zeek provides a plugin API that enables extending the system dynamically, without modifying the core code base. That way, custom code remains self-contained and can be maintained, compiled, and installed independently. Currently, plugins can add the following functionality to Zeek:

  • Zeek scripts.

  • Builtin functions/events/types for the scripting language.

  • Protocol analyzers.

  • File analyzers.

  • Packet sources and packet dumpers.

  • Logging framework backends.

  • Input framework readers.

A plugin’s functionality is available to the user just as if Zeek had the corresponding code built-in. Indeed, internally many of Zeek’s pieces are structured as plugins as well; they are just statically compiled into the binary rather than loaded dynamically at runtime.

Note

Plugins and Zeek packages are related but separate concepts. Both extend Zeek’s functionality without modifying Zeek’s source code. A plugin achieves this via compiled, native code that Zeek links into its core at runtime. A Zeek package, on the other hand, is a modular addition to Zeek, managed via the zkg package manager, that may or may not include a plugin. More commonly, packages consist of script-layer additions to Zeek’s functionality. Packages also feature more elaborate metadata, enabling dependencies on other packages, Zeek versions, etc.

Quick Start

Writing a basic plugin is quite straightforward as long as one follows a few conventions. In the following, we create a simple example plugin that adds a new Built-In Function (BIF) to Zeek: we’ll add rot13(s: string) : string, a function that rotates every letter in a string by 13 places.

Generally, a plugin comes in the form of a directory following a certain structure. To get started, Zeek’s distribution provides a helper script auxil/zeek-aux/plugin-support/init-plugin that creates a skeleton plugin that can then be customized. Let’s use that:

# init-plugin ./rot13-plugin Demo Rot13

As you can see, the script takes three arguments. The first is a directory inside which the plugin skeleton will be created. The second is the namespace the plugin will live in, and the third is a descriptive name for the plugin itself relative to the namespace. Zeek uses the combination of namespace and name to identify a plugin. The namespace serves to avoid naming conflicts between plugins written by independent developers; pick, e.g., the name of your organisation. The namespaces Bro (legacy) and Zeek are reserved for functionality distributed by the Zeek Project. In our example, the plugin will be called Demo::Rot13.

The init-plugin script puts a number of files in place. The full layout is described later. For now, all we need is src/rot13.bif. It’s initially empty, but we’ll add our new BIF there as follows:

# cat src/rot13.bif
%%{
#include <cstring>
#include <cctype>
#include "zeek/util.h"
#include "zeek/ZeekString.h"
#include "zeek/Val.h"
%%}

module Demo;

function rot13%(s: string%) : string
    %{
    // Work on a private, NUL-terminated copy of the argument.
    char* rot13 = util::copy_string(s->CheckString());

    for ( char* p = rot13; *p; p++ )
        {
        // Choose the alphabet base according to the letter's case.
        char b = islower(*p) ? 'a' : 'A';
        char d = *p - b + 13;

        // d lies in 13..38 exactly when *p was a letter of that alphabet;
        // every other byte is left untouched.
        if ( d >= 13 && d <= 38 )
            *p  = d % 26 + b;
        }

    // Wrap the rotated buffer in a Zeek string and hand it back as a StringVal.
    zeek::String* zs = new zeek::String(1, reinterpret_cast<byte_vec>(rot13),
                                        strlen(rot13));
    return make_intrusive<StringVal>(zs);
    %}

The syntax of this file is just like any other *.bif file; we won’t go into it here.
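The BIF body above walks a NUL-terminated C-string copy of its argument and uses islower() for the case test. As an added example (not part of the Zeek plugin skeleton or the Zeek code base), the same transform is written here over a length-delimited byte string, so it can be unit-tested without Zeek headers and so that every byte of a value taken off the wire is processed, including anything after an embedded NUL, which strlen() would cut off. Explicit ASCII range checks replace islower() so that bytes >= 0x80 are never passed to a ctype function as a negative char. The function names rot13_bytes and rot13_round_trips are choices made for this example.

```cpp
#include <string>

// ROT13 over a length-delimited byte string (added example, not Zeek code).
// Letters 'a'..'z' and 'A'..'Z' are rotated by 13 within their alphabet;
// digits, punctuation, NUL and high-bit bytes pass through unchanged.
std::string rot13_bytes(const std::string& in)
    {
    std::string out(in);
    for ( char& c : out )
        {
        // Compare as unsigned so bytes >= 0x80 are ordinary values, not negatives.
        unsigned char uc = static_cast<unsigned char>(c);
        if ( uc >= 'a' && uc <= 'z' )
            c = static_cast<char>('a' + (uc - 'a' + 13) % 26);
        else if ( uc >= 'A' && uc <= 'Z' )
            c = static_cast<char>('A' + (uc - 'A' + 13) % 26);
        }
    return out;
    }

// ROT13 is its own inverse: applying it twice must give the input back.
// Handy as a property check in a unit test of the transform.
bool rot13_round_trips(const std::string& in)
    {
    return rot13_bytes(rot13_bytes(in)) == in;
    }
```

Using std::string rather than a char* means the length travels with the data, which is the same model as zeek::String's (buffer, length) constructor used at the end of the BIF.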

Now we are ready to compile our plugin. The configure script will just need to be able to find the location of either a Zeek installation-tree or a Zeek source-tree.

When building a plugin against a Zeek installation-tree, simply have the installation’s associated zeek-config in your PATH and the configure script will detect it and use it to obtain all the information it needs:

# which zeek-config
/usr/local/zeek/bin/zeek-config
# cd rot13-plugin
# ./configure && make
[... cmake output ...]

When building a plugin against a Zeek source-tree (which itself needs to have first been built), the configure script has to explicitly be told its location:

# cd rot13-plugin
# ./configure --zeek-dist=/path/to/zeek/dist && make
[... cmake output ...]

This builds the plugin in a subdirectory build/. In fact, that subdirectory becomes the plugin: when make finishes, build/ has everything it needs for Zeek to recognize it as a dynamic plugin.

Let’s try that. Once we point Zeek to the build/ directory, it will pull in our new plugin automatically, as we can check with the -N option:

# export ZEEK_PLUGIN_PATH=/path/to/rot13-plugin/build
# zeek -N
[...]
Demo::Rot13 - <Insert description> (dynamic, version 0.1.0)
[...]

That looks quite good, except for the dummy description that we should replace with something nicer so that users will know what our plugin is about. We do this by editing the config.description line in src/Plugin.cc, like this:

[...]
plugin::Configuration Plugin::Configure()
    {
    plugin::Configuration config;
    config.name = "Demo::Rot13";
    config.description = "Caesar cipher rotating a string's letters by 13 places.";
    config.version.major = 0;
    config.version.minor = 1;
    config.version.patch = 0;
    return config;
    }
[...]

Now rebuild and verify that the description is visible:

# make
[...]
# zeek -N | grep Rot13
Demo::Rot13 - Caesar cipher rotating a string's letters by 13 places. (dynamic, version 0.1.0)

Zeek can also show us what exactly the plugin provides with the more verbose option -NN:

# zeek -NN
[...]
Demo::Rot13 - Caesar cipher rotating a string's letters by 13 places. (dynamic, version 0.1.0)
    [Function] Demo::rot13
[...]

There’s our function. Now let’s use it:

# zeek -e 'print Demo::rot13("Hello")'
Uryyb

It works. We next install the plugin along with Zeek itself, so that it will find it directly without needing the ZEEK_PLUGIN_PATH environment variable. If we first unset the variable, the function will no longer be available:

# unset ZEEK_PLUGIN_PATH
# zeek -e 'print Demo::rot13("Hello")'
error in <command line>, line 1: unknown identifier Demo::rot13, at or near "Demo::rot13"

Once we install it, it works again:

# make install
# zeek -e 'print Demo::rot13("Hello")'
Uryyb

The installed version went into <zeek-install-prefix>/lib/zeek/plugins/Demo_Rot13.

One can distribute the plugin independently of Zeek for others to use. To distribute in source form, just remove the build/ directory (make distclean does that) and then tar up the whole rot13-plugin/ directory. Others then follow the same process as above after unpacking.

To distribute the plugin in binary form, the build process conveniently creates a corresponding tarball in build/dist/. In this case, it’s called Demo_Rot13-0.1.0.tar.gz, with the version number coming out of the VERSION file that init-plugin put into place. The binary tarball has everything needed to run the plugin, but no further source files. Optionally, one can include further files by specifying them in the plugin’s CMakeLists.txt through the zeek_plugin_dist_files macro; the skeleton does that for README, VERSION, CHANGES, and COPYING. To use the plugin through the binary tarball, just unpack it into <zeek-install-prefix>/lib/zeek/plugins/. Alternatively, if you unpack it in another location, then you need to point ZEEK_PLUGIN_PATH there.

Before distributing your plugin, you should edit some of the meta files that init-plugin puts in place. Edit README and VERSION, and update CHANGES when you make changes. Also put a license file in place as COPYING; if BSD is fine, you will find a template in COPYING.edit-me.

Plugin Directory Layout

A plugin’s directory needs to follow a set of conventions so that Zeek (1) recognizes it as a plugin, and (2) knows what to load. While init-plugin takes care of most of this, the following is the full story. We’ll use <base> to represent a plugin’s top-level directory. With the skeleton, <base> corresponds to build/.

<base>/__bro_plugin__

A file that marks a directory as containing a Zeek plugin. The file must exist, and its content must consist of a single line with the qualified name of the plugin (e.g., “Demo::Rot13”).

<base>/lib/<plugin-name>.<os>-<arch>.so

The shared library containing the plugin’s compiled code. Zeek will load this in dynamically at run-time if OS and architecture match the current platform.

scripts/

A directory with the plugin’s custom Zeek scripts. When the plugin gets activated, this directory will be automatically added to ZEEKPATH, so that any scripts/modules inside can be “@load”ed.

scripts/__load__.zeek

A Zeek script that will be loaded when the plugin gets activated. When this script executes, any BIF elements that the plugin defines will already be available. See below for more information on activating plugins.

scripts/__preload__.zeek

A Zeek script that will be loaded when the plugin gets activated, but before any BIF elements become available. See below for more information on activating plugins.

lib/bif/

Directory with auto-generated Zeek scripts that declare the plugin’s BIF elements. The files here are produced by bifcl.

Any other files in <base> are ignored by Zeek.

By convention, a plugin should put its custom scripts into subfolders of scripts/, i.e., scripts/<plugin-namespace>/<plugin-name>/<script>.zeek, to avoid conflicts. As usual, you can then put a __load__.zeek in there as well so that, e.g., @load Demo/Rot13 could load a whole module in the form of multiple individual scripts.

Note that in addition to the paths above, the init-plugin helper puts some more files and directories in place that help with development and installation (e.g., CMakeLists.txt, Makefile, and source code in src/). However, all these do not have a special meaning for Zeek at runtime and aren’t necessary for a plugin to function.
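As an added example (not part of Zeek or the init-plugin skeleton), the following C++ checks a listing of a plugin directory against the conventions just described: the __bro_plugin__ marker must hold exactly one line of the form Namespace::Name, and a shared library lib/<name>.<os>-<arch>.so for the host platform must be present, while scripts/__load__.zeek and scripts/__preload__.zeek are recorded if found and anything else is ignored. The listing is held in memory as (relative path, content) pairs so the example runs offline; the sample entries, the host OS/arch strings and the file name Demo_Rot13.linux-x86_64.so are constructed for illustration, and reading a real directory into such a listing is left to the caller.

```cpp
#include <string>
#include <vector>

// One file below <base>: path relative to <base> plus its content
// (empty for binaries). Constructed in memory for this example.
struct PluginFile
    {
    std::string path;
    std::string content;
    };

struct PluginLayout
    {
    bool ok = false;                        // marker valid and a loadable .so present
    std::string qualified_name;             // e.g. "Demo::Rot13", from __bro_plugin__
    std::vector<std::string> loadable_libs; // lib/*.so matching host OS and arch
    std::vector<std::string> foreign_libs;  // lib/*.so built for other platforms
    bool has_load_script = false;           // scripts/__load__.zeek
    bool has_preload_script = false;        // scripts/__preload__.zeek
    std::vector<std::string> problems;      // human-readable findings
    };

// Accept exactly one line "Namespace::Name" (a trailing newline is allowed).
static bool parse_marker(std::string content, std::string& qn)
    {
    if ( ! content.empty() && content.back() == '\n' )
        content.pop_back();
    if ( content.empty() || content.find('\n') != std::string::npos )
        return false;
    auto sep = content.find("::");
    if ( sep == 0 || sep == std::string::npos || sep + 2 >= content.size() )
        return false;
    if ( content.find("::", sep + 2) != std::string::npos ) // only one separator
        return false;
    qn = content;
    return true;
    }

// True for a direct child of lib/ ending in ".so".
static bool is_shared_lib(const std::string& path)
    {
    if ( path.rfind("lib/", 0) != 0 || path.size() <= 7 )
        return false;
    if ( path.compare(path.size() - 3, 3, ".so") != 0 )
        return false;
    return path.find('/', 4) == std::string::npos;
    }

// Split "lib/<name>.<os>-<arch>.so" into name, os and arch.
static bool parse_lib_name(const std::string& path, std::string& name,
                           std::string& os, std::string& arch)
    {
    std::string base = path.substr(4, path.size() - 4 - 3);
    auto dot = base.rfind('.');
    if ( dot == std::string::npos || dot == 0 )
        return false;
    std::string plat = base.substr(dot + 1);
    auto dash = plat.find('-');
    if ( dash == std::string::npos || dash == 0 || dash + 1 >= plat.size() )
        return false;
    name = base.substr(0, dot);
    os = plat.substr(0, dash);
    arch = plat.substr(dash + 1);
    return true;
    }

PluginLayout inspect_plugin(const std::vector<PluginFile>& files,
                            const std::string& host_os, const std::string& host_arch)
    {
    PluginLayout r;
    bool marker_seen = false;
    for ( const auto& f : files )
        {
        if ( f.path == "__bro_plugin__" )
            {
            marker_seen = true;
            if ( ! parse_marker(f.content, r.qualified_name) )
                r.problems.push_back("__bro_plugin__ must hold exactly one line 'Namespace::Name'");
            }
        else if ( f.path == "scripts/__load__.zeek" )
            r.has_load_script = true;
        else if ( f.path == "scripts/__preload__.zeek" )
            r.has_preload_script = true;
        else if ( is_shared_lib(f.path) )
            {
            std::string name, os, arch;
            if ( ! parse_lib_name(f.path, name, os, arch) )
                r.problems.push_back("shared library not named <name>.<os>-<arch>.so: " + f.path);
            else
                (os == host_os && arch == host_arch ? r.loadable_libs : r.foreign_libs).push_back(f.path);
            }
        // every other file (README, CMakeLists.txt, lib/bif/*, ...) is ignored
        }
    if ( ! marker_seen )
        r.problems.push_back("missing __bro_plugin__ marker file");
    if ( r.loadable_libs.empty() )
        r.problems.push_back("no lib/<name>." + host_os + "-" + host_arch + ".so for this platform");
    r.ok = r.problems.empty();
    return r;
    }
```

Run over each directory on ZEEK_PLUGIN_PATH, a check like this tells an operator which qualified names and which shared objects Zeek will actually pick up on the current host before the code is loaded into the process.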

init-plugin

init-plugin puts a basic plugin structure in place that follows the above layout and augments it with a CMake build and installation system. Plugins with this structure can be used both directly out of their source directory (after make and setting Zeek’s ZEEK_PLUGIN_PATH), and when installed alongside Zeek (after make install).

Upon completion, init-plugin initializes a git repository and stages its produced files for committing, but does not yet commit the files. This allows you to tweak the new plugin as needed prior to the initial commit.

make install copies over the lib and scripts directories, as well as the __bro_plugin__ magic file and any further distribution files specified in CMakeLists.txt (e.g., README, VERSION). You can find a full list of files installed in build/MANIFEST. Behind the scenes, make install really just unpacks the binary tarball from build/dist into the destination directory.

init-plugin will never overwrite existing files. If its target directory already exists, it will by default decline to do anything. You can run it with -u instead to update an existing plugin; however, it will still never overwrite any existing files, only put in place files it doesn’t find yet. To revert a file back to what init-plugin created originally, delete it first and then rerun with -u.

init-plugin puts a configure script in place that wraps cmake with a more familiar configure-style configuration. By default, the script provides two options for specifying paths to the Zeek source (--zeek-dist) and to the plugin’s installation directory (--install-root). To extend configure with plugin-specific options (such as search paths for its dependencies) don’t edit the script directly but instead extend configure.plugin, which configure includes. That way you will be able to more easily update configure in the future when the distribution version changes. In configure.plugin you can use the predefined shell function append_cache_entry to seed values into the CMake cache; see the installed skeleton version and existing plugins for examples.

Note

In the past init-plugin also generated a zkg.meta file, automatically creating a Zeek package containing a plugin. init-plugin now focuses purely on plugins, as its name suggests. To bootstrap new Zeek packages (possibly containing plugins), use the more featureful templating functionality provided by the zkg create command, explained here.

Activating a Plugin

A plugin needs to be activated to make it available to the user. Activating a plugin will:

  1. Load the dynamic module

  2. Make any BIF items available

  3. Add the scripts/ directory to ZEEKPATH

  4. Load scripts/__preload__.zeek

  5. Make BIF elements available to scripts.

  6. Load scripts/__load__.zeek

By default, Zeek will automatically activate all dynamic plugins found in its search path ZEEK_PLUGIN_PATH. However, in bare mode (zeek -b), no dynamic plugins will be activated by default; instead the user can selectively enable individual plugins in scriptland using the @load-plugin <qualified-plugin-name> directive (e.g., @load-plugin Demo::Rot13). Alternatively, one can activate a plugin from the command-line by specifying its full name (Demo::Rot13), or set the environment variable ZEEK_PLUGIN_ACTIVATE to a list of comma-separated names of plugins to unconditionally activate, even in bare mode.

zeek -N shows activated plugins separately from found but not yet activated plugins. Note that plugins compiled statically into Zeek are always activated, and hence show up as such even in bare mode.

Plugin Components

It’s easy for a plugin to provide custom scripts: just put them into scripts/, as described above. The CMake infrastructure will automatically install them, as well as include them in the source and binary plugin distributions.

Any number or combination of other components can be provided by a single plugin. For example a plugin can provide multiple different protocol analyzers, or both a log writer and input reader.

The best place to look for examples or templates for a specific type of plugin component is the source code of Zeek itself, since every one of its components uses the same API as any external plugin.

Each component type also has a simple integration test, found in the Zeek source-tree’s testing/btest/plugins/ directory, that can be useful as a starting point for basic plugin skeletons.

Testing Plugins

A plugin should come with a test suite to exercise its functionality. The init-plugin script puts in place a basic BTest setup to start with. Initially, it comes with a single test that just checks that Zeek loads the plugin correctly:

# cd tests
# btest -A
[  0%] rot13.show-plugin ... ok
all 1 tests successful

You can also run this via the Makefile:

# cd ..
# make test
make -C tests
make[1]: Entering directory `tests'
all 1 tests successful
make[1]: Leaving directory `tests'

Now let’s add a custom test that ensures that our BIF works correctly:

# cd tests
# cat >rot13/bif-rot13.zeek

# @TEST-EXEC: zeek %INPUT >output
# @TEST-EXEC: btest-diff output

event zeek_init()
    {
    print Demo::rot13("Hello");
    }

Check the output:

# btest -d rot13/bif-rot13.zeek
[  0%] rot13.bif-rot13 ... failed
% 'btest-diff output' failed unexpectedly (exit code 100)
% cat .diag
== File ===============================
Uryyb
== Error ===============================
test-diff: no baseline found.
=======================================

% cat .stderr

1 of 1 test failed

Install the baseline:

# btest -U rot13/bif-rot13.zeek
all 1 tests successful

Run the test-suite:

# btest
all 2 tests successful

Debugging Plugins

If your plugin isn’t loading as expected, Zeek’s debugging facilities can help illuminate what’s going on. To enable, recompile Zeek with debugging support (./configure --enable-debug), and afterwards rebuild your plugin as well. If you then run Zeek with -B plugins, it will produce a file debug.log that records details about the process for searching, loading, and activating plugins.

To generate your own debugging output from inside your plugin, you can add a custom debug stream by using the PLUGIN_DBG_LOG(<plugin>, <args>) macro (defined in DebugLogger.h), where <plugin> is the Plugin instance and <args> are printf-style arguments, just as with Zeek’s standard debugging macros (grep for DBG_LOG in Zeek’s src/ to see examples). At runtime, you can then activate your plugin’s debugging output with -B plugin-<name>, where <name> is the name of the plugin as returned by its Configure() method, yet with the namespace-separator :: replaced with a simple dash. Example: If the plugin is called Demo::Rot13, use -B plugin-Demo-Rot13. As usual, the debugging output will be recorded to debug.log if Zeek’s compiled in debug mode.

Building Plugins Statically

Plugins can be built statically into a Zeek binary using the --include-plugins option passed to configure. This argument takes a colon-separated list of paths to plugin source. Building plugins in this manner includes them directly into the Zeek binary and installation. They are loaded automatically by Zeek at startup without needing to install them separately.

Headers for built-in plugins are installed into a subdirectory of <zeek-install-prefix>/include/zeek/builtin-plugins specific to each plugin. Scripts are installed into a subdirectory of <zeek-install-prefix>/share/zeek/builtin-plugins specific to each plugin. The scripts directory is also automatically added to the default ZEEKPATH.

Writing analyzers with Spicy

Spicy is a parser generator that makes it easy to create robust C++ parsers for network protocols, file formats, and more. Spicy analyzers can be integrated with Zeek through spicy-plugin, so that one can create Zeek protocol, packet and file analyzers.

Spicy is documented separately, so this section just presents high-level points relevant for Zeek.

Installation

A Zeek configured with default ./configure options includes Spicy. If the --disable-spicy configure option is used instead, Spicy and spicy-plugin need to be installed out of band, see the instructions for Spicy and spicy-plugin, respectively.

Writing an analyzer

Analyzer scaffolding including a Spicy grammar .spicy, Zeek integration glue code .evt and a CMake build setup can be generated with the zkg package manager with the default package template by passing --feature spicy-analyzer.

See the Spicy documentation for details on how to write and integrate a parser.

Zeek Documentation

The documentation repo at zeek-docs contains version-specific Zeek documentation source files that are ultimately used as the basis for content hosted at https://docs.zeek.org.

Markup Format, Style, and Conventions

For general guidance on the basics of how the documentation is written, consult this Zeek wiki:

https://github.com/zeek/zeek/wiki/Documentation-Style-and-Conventions

Source-Tree Organization

The zeek-docs repo containing this README file is the root of a Sphinx source tree and can be modified to add more documentation, style sheets, JavaScript, etc. The Sphinx config file is conf.py. The typical way new documents get integrated is from them being referenced directly in index.rst or indirectly from something in the toctree (Table of Contents Tree) specified in that main index.

There is also a custom Sphinx domain implemented in ext/zeek.py which adds some reStructuredText (reST) directives and roles that aid in generating useful index entries and cross-references. This primarily supports integration with the script-reference sections, some of which are auto-generated by Zeek’s Doxygen-like feature, named “Zeekygen”. The bulk of auto-generated content lives under the scripts/ directory or has a file name starting with “autogenerated”, so if you find yourself wanting to change those, you should actually make those changes within the Zeek repo itself rather than here; see the next section for how Zeekygen docs can be (re)generated.

Generating Zeekygen Reference Docs

All Zeekygen-generated docs are committed into Git, so if you don’t need to change them and just want to preview what already exists, you can skip down to the Local Previewing section below.

The Zeekygen documentation-generation feature is a part of Zeek itself, so you’ll want to obtain the Zeek repo from Git, read the INSTALL file directions to install required dependencies, and build Zeek:

git clone --recursive https://github.com/zeek/zeek
cd zeek
# Read INSTALL file and get dependencies here
./configure && make -j $(nproc)
# Make desired edits to scripts/, src/, etc.
./ci/update-zeekygen-docs.sh

The last command runs a script to generate documentation, which will end up in the doc/ subdirectory. Note that doc/ is just a Git submodule of this zeek-docs repository, so you can run git status there to find exactly what changed.

Also note that the documentation-generation script is run automatically on a daily basis to incorporate any documentation changes that people make in Zeek itself, without them necessarily having to be aware of the full documentation process. The GitHub Action that performs that daily task is located in the Zeek repo’s .github/workflows/generate-docs.yml file.

Local Previewing (How To Build)

First make sure you have the required dependencies used for building docs:

If you have pip, you may just use the command pip3 install -r requirements.txt to install all the dependencies using the requirements.txt from zeek-docs.

Now run make within the zeek-docs repository’s top-level to locally render its reST files into HTML. After the build completes, HTML documentation is symlinked in build/html and you can open the index.html found there in your web browser.

There’s also a make livehtml (requires pip3 install sphinx-autobuild) target in the top-level Makefile that is useful for editing the reST files and seeing changes rendered out live to a separate browser.

Hosting

Documentation is hosted by Read the Docs (RTD), so you can generally read about how it works there. The web-interface is accessible via https://readthedocs.org/projects/zeek-docs.

How zeek-docs is configured to use RTD is a combination of some custom settings in its .readthedocs.yml file and others only accessible through RTD’s web-interface (e.g. domain and subproject settings). Most config settings are likely understandable just by browsing the web-interface and RTD’s guides, but a few particular points are worth mentioning:

  • There is an associated, always-failing project at https://readthedocs.org/projects/zeek. It’s always-failing because RTD redirects only activate when pages 404, and this project exists so that all attempts to use https://zeek.rtfd.io or https://zeek.readthedocs.io get redirected to https://docs.zeek.org. Those would have been the project URLs if ownership of the RTD ‘zeek’ project had been held from the start, but it was only obtained later, after documentation development had already started under the ‘zeek-docs’ RTD project slug.

  • Over time, page redirects have accrued into redirects.yml as a way to document what they are and why they happened, and also as a potential way to automate adding or reinstating a large number of redirects. Typically, though, redirects are first added manually via the RTD web interface and then noted in redirects.yml.

  • There are RTD subprojects for things like Broker, Package Manager, and Spicy. The use of subprojects simply allows access to their RTD docs via the custom domain https://docs.zeek.org.

  • RTD will auto-build any newly-pushed commits to zeek-docs (i.e. a webhook is configured), but if a tag is changed to point somewhere different, you’ll typically have to go into the RTD web interface, “Edit” the associated version under “Versions”, “wipe” the existing docs, and then manually trigger a rebuild of that version tag under “Builds”.

Contributor’s Guide

See below for a selection of some of the more common contribution guidelines maintained directly in the Zeek wiki.

General Contribution Process

See https://github.com/zeek/zeek/wiki/Contribution-Guide

Coding Style and Conventions

See https://github.com/zeek/zeek/wiki/Coding-Style-and-Conventions

General Documentation Structure/Process

See the README file of https://github.com/zeek/zeek-docs

Documentation Style and Conventions

See https://github.com/zeek/zeek/wiki/Documentation-Style-and-Conventions

Checking for Memory Errors and Leaks

See https://github.com/zeek/zeek/wiki/Checking-for-Memory-Errors-and-Leaks

Maintainer’s Guide

Some notable guidelines for maintainers are linked below for convenience, but they are generally maintained directly in the Zeek wiki.

Release Process

See https://github.com/zeek/zeek/wiki/Release-Process

Subcomponents

To find documentation for the various subcomponents of Zeek, see their respective GitHub repositories or documentation:

Acknowledgements

Thanks to everyone who contributed in making Zeek’s documentation (alphabetically):

  • Johanna Amann

  • Richard Bejtlich

  • Michael Dopheide

  • Amber Graner

  • Jan Grashöfer

  • Christian Kreibich

  • Terry Leach

  • Aashish Sharma

  • Jon Siwek

  • Stephen Smoot

  • Robin Sommer

  • Aaron Soto

  • Nick Turley

  • Fatema Bannat Wala

  • Tim Wojtulewicz

Documentation Versioning

Attention

The Zeek codebase has three primary branches of interest to users so this document is also maintained as three different versions, one associated with each branch of Zeek. The default version of docs.zeek.org tracks Zeek’s latest Git development:

If you instead use a Zeek Long-Term Support (LTS) or Feature release these are the appropriate starting points:

To help clarify which release you are using, the version numbering scheme for the two release branches is described in the Release Cadence policy.