base/init-bare.zeek

Namespaces

Analyzer, BinPAC, Cluster, DCE_RPC, DHCP, FTP, GLOBAL, HTTP, JSON, KRB, MIME, MOUNT3, MQTT, NCP, NFS3, NTLM, NTP, PE, Pcap, RADIUS, RDP, Reporter, SMB, SMB1, SMB2, SMTP, SNMP, SOCKS, SSH, SSL, TCP, Threading, Tunnel, UnknownProtocol, WebSocket, Weird, X509

Imports

base/bif/CPP-load.bif.zeek, base/bif/communityid.bif.zeek, base/bif/const.bif.zeek, base/bif/event.bif.zeek, base/bif/mmdb.bif.zeek, base/bif/option.bif.zeek, base/bif/packet_analysis.bif.zeek, base/bif/plugins/Zeek_KRB.types.bif.zeek, base/bif/plugins/Zeek_SNMP.types.bif.zeek, base/bif/reporter.bif.zeek, base/bif/stats.bif.zeek, base/bif/strings.bif.zeek, base/bif/supervisor.bif.zeek, base/bif/types.bif.zeek, base/bif/zeek.bif.zeek, base/frameworks/spicy/init-bare.zeek, base/frameworks/supervisor/api.zeek, base/packet-protocols

Summary

Runtime Options

MQTT::max_payload_size: count &redef

The maximum payload size to allocate for the purpose of payload information in mqtt_publish events (and the default MQTT logs generated from that).

Weird::sampling_duration: interval &redef

How long a weird of a given type is allowed to keep state/counters in memory.

Weird::sampling_global_list: set &redef

Rate-limits weird names in the table globally instead of per connection/flow.

Weird::sampling_rate: count &redef

The rate-limiting sampling rate.

Weird::sampling_threshold: count &redef

How many weirds of a given type to tolerate before sampling begins.

Weird::sampling_whitelist: set &redef

Prevents rate-limiting sampling of any weirds named in the table.

default_file_bof_buffer_size: count &redef

Default amount of bytes that file analysis will buffer in order to use for mime type matching.

default_file_timeout_interval: interval &redef

Default amount of time a file can be inactive before the file analysis gives up and discards any internal state related to the file.

ignore_checksums_nets: set &redef

Checksums are ignored for all packets with a src address within this set of networks.

udp_content_delivery_ports_use_resp: bool &redef

Whether ports given in udp_content_delivery_ports_orig and udp_content_delivery_ports_resp are in terms of the UDP packet’s destination port or the UDP connection’s “responder” port.

udp_content_ports: set &redef

Defines UDP ports (source or destination) for which the contents of either originator or responder streams should be delivered via udp_contents.

Redefinable Options

BinPAC::flowbuffer_capacity_max: count &redef

Maximum capacity, in bytes, that the BinPAC flowbuffer is allowed to grow to for use with incremental parsing of a given connection/analyzer.

BinPAC::flowbuffer_capacity_min: count &redef

The initial capacity, in bytes, that will be allocated to the BinPAC flowbuffer of a given connection/analyzer.

BinPAC::flowbuffer_contract_threshold: count &redef

The threshold, in bytes, at which the BinPAC flowbuffer of a given connection/analyzer will have its capacity contracted to BinPAC::flowbuffer_capacity_min after parsing a full unit.

DCE_RPC::max_cmd_reassembly: count &redef

The maximum number of simultaneous fragmented commands that the DCE_RPC analyzer will tolerate before it generates a weird and skips further input.

DCE_RPC::max_frag_data: count &redef

The maximum number of fragmented bytes that the DCE_RPC analyzer will tolerate on a command before the analyzer will generate a weird and skip further input.

HTTP::upgrade_analyzers: table &redef

Lookup table for Upgrade analyzers.

KRB::keytab: string &redef

Kerberos keytab file name.

MIME::max_depth: count &redef

Stop analysis of nested multipart MIME entities if this depth is reached.

NCP::max_frame_size: count &redef

The maximum number of bytes to allocate when parsing NCP frames.

NFS3::return_data: bool &redef

If true, nfs_proc_read and nfs_proc_write events return the file data that has been read/written.

NFS3::return_data_first_only: bool &redef

If NFS3::return_data is true, whether to only return data if the read or write offset is 0, i.e., only return data for the beginning of the file.

NFS3::return_data_max: count &redef

If NFS3::return_data is true, how much data should be returned at most.

Pcap::bufsize: count &redef

Number of Mbytes to provide as buffer space when capturing from live interfaces.

Pcap::bufsize_offline_bytes: count &redef

Number of bytes to use for buffering file read operations when reading from a PCAP file.

Pcap::non_fd_timeout: interval &redef

Default timeout for packet sources without file descriptors.

Pcap::snaplen: count &redef

Number of bytes per packet to capture from live interfaces.

Reporter::errors_to_stderr: bool &redef

Tunable for sending reporter error messages to STDERR.

Reporter::info_to_stderr: bool &redef

Tunable for sending reporter info messages to STDERR.

Reporter::warnings_to_stderr: bool &redef

Tunable for sending reporter warning messages to STDERR.

SMB::max_dce_rpc_analyzers: count &redef

Maximum number of DCE-RPC analyzers per connection before discarding them to avoid unbounded state growth.

SMB::max_pending_messages: count &redef

The maximum number of messages for which to retain state about offsets, fids, or tree ids within the parser.

SMB::pipe_filenames: set &redef

A set of file names used as named pipes over SMB.

SSL::dtls_max_reported_version_errors: count &redef

Maximum number of invalid version errors to report in one DTLS connection.

SSL::dtls_max_version_errors: count &redef

Number of non-DTLS frames that can occur in a DTLS connection before parsing of the connection is suspended.

SSL::max_alerts_per_record: count &redef

Maximum number of Alert messages parsed from an SSL record with content_type alert (21).

Threading::heartbeat_interval: interval &redef

The heartbeat interval used by the threading framework.

Tunnel::delay_gtp_confirmation: bool &redef

With this set, the GTP analyzer waits until the most-recent upflow and downflow packets are a valid GTPv1 encapsulation before issuing analyzer_confirmation_info.

Tunnel::delay_teredo_confirmation: bool &redef

With this set, the Teredo analyzer waits until it sees both sides of a connection using a valid Teredo encapsulation before issuing an analyzer_confirmation_info.

Tunnel::ip_tunnel_timeout: interval &redef

How often to cleanup internal state for inactive IP tunnels (includes GRE tunnels).

Tunnel::max_changes_per_connection: count &redef

The number of tunnel_changed events that will be sent for a connection.

Tunnel::max_depth: count &redef

The maximum depth of a tunnel to decapsulate until giving up.

Tunnel::validate_vxlan_checksums: bool &redef

Whether to validate the checksum supplied in the outer UDP header of a VXLAN encapsulation.

UnknownProtocol::first_bytes_count: count &redef

The number of bytes to extract from the next header and log in the first bytes field.

UnknownProtocol::sampling_duration: interval &redef

How long an analyzer/protocol pair is allowed to keep state/counters in memory.

UnknownProtocol::sampling_rate: count &redef

The rate-limiting sampling rate.

UnknownProtocol::sampling_threshold: count &redef

How many reports for an analyzer/protocol pair will be allowed to raise events before becoming rate-limited.

WebSocket::payload_chunk_size: count &redef

The WebSocket analyzer consumes and forwards frame payload in chunks to keep memory usage bounded.

WebSocket::use_dpd_default: bool &redef

Whether to enable DPD on WebSocket frame payload by default.

WebSocket::use_spicy_analyzer: bool &redef

Whether to use the Spicy WebSocket protocol analyzer.

allow_network_time_forward: bool &redef

Whether Zeek will forward network_time to the current time upon observing an idle packet source (or no configured packet source).

bits_per_uid: count &redef

Number of bits in UIDs that are generated to identify connections and files.

check_for_unused_event_handlers: bool &redef &deprecated =

If true, warns about unused event handlers at startup.

cmd_line_bpf_filter: string &redef

BPF filter the user has set via the -f command line options.

detect_filtered_trace: bool &redef

Whether to attempt to automatically detect SYN/FIN/RST-filtered trace and not report missing segments for such connections.

digest_salt: string &redef

This salt value is used for several message digests in Zeek.

dns_session_timeout: interval &redef

Time to wait before timing out a DNS request.

dpd_buffer_size: count &redef

Size of per-connection buffer used for dynamic protocol detection.

dpd_ignore_ports: bool &redef

If true, don’t consider any ports for deciding which protocol analyzer to use.

dpd_late_match_stop: bool &redef

If true, stops signature matching after a late match.

dpd_match_only_beginning: bool &redef

If true, stops signature matching if dpd_buffer_size has been reached.

dpd_max_packets: count &redef

Maximum number of per-connection packets that will be buffered for dynamic protocol detection.

dpd_reassemble_first_packets: bool &redef

Reassemble the beginning of all TCP connections before doing signature matching.

exit_only_after_terminate: bool &redef

Flag to prevent Zeek from exiting automatically when input is exhausted.

expensive_profiling_multiple: count &redef

Multiples of profiling_interval at which (more expensive) memory profiling is done (0 disables).

frag_timeout: interval &redef

How long to hold onto fragments for possible reassembly.

global_hash_seed: string &redef

Seed for hashes computed internally for probabilistic data structures.

icmp_inactivity_timeout: interval &redef

If an ICMP flow is inactive, time it out after this interval.

ignore_checksums: bool &redef

If true, don’t verify checksums, and accept packets that give a length of zero in the IPv4 header.

ignore_keep_alive_rexmit: bool &redef

Ignore certain TCP retransmissions for conn_stats.

io_poll_interval_default: count &redef

How many rounds to go without checking IO sources with file descriptors for readiness by default.

io_poll_interval_live: count &redef

How often to check IO sources with file descriptors for readiness when monitoring with a live packet source.

likely_server_ports: set &redef

Ports which the core considers being likely used by servers.

log_rotate_base_time: string &redef

Base time of log rotations in 24-hour time format (%H:%M), e.g.

max_analyzer_violations: count &redef

The maximum number of analyzer violations the core generates before suppressing them for a given analyzer instance.

max_find_all_string_length: int &redef

Maximum string length allowed for calls to the find_all and find_all_ordered BIFs.

max_timer_expires: count &redef

The maximum number of expired timers to process after processing each new packet.

mmdb_asn_db: string &redef

Default name of the MaxMind ASN database file:

mmdb_city_db: string &redef

Default name of the MaxMind City database file:

mmdb_country_db: string &redef

Default name of the MaxMind Country database file:

mmdb_dir: string &redef

The directory containing MaxMind DB (.mmdb) files to use for GeoIP support.

mmdb_dir_fallbacks: vector &redef

Fallback locations for MaxMind databases.

mmdb_stale_check_interval: interval &redef

Sets the interval for MaxMind DB file staleness checks.

non_analyzed_lifetime: interval &redef

If a connection belongs to an application that we don’t analyze, time it out after this interval.

packet_filter_default: bool &redef

Default mode for Zeek’s user-space dynamic packet filter.

packet_source_inactivity_timeout: interval &redef

If a packet source does not yield packets for this amount of time, it is considered idle.

partial_connection_ok: bool &redef

If true, instantiate connection state when a partial connection (one missing its initial establishment negotiation) is seen.

peer_description: string &redef

Description transmitted to remote communication peers for identification.

pkt_profile_freq: double &redef

Frequency associated with packet profiling.

pkt_profile_mode: pkt_profile_modes &redef

Output mode for packet profiling information.

profiling_interval: interval &redef

Update interval for profiling (0 disables).

record_all_packets: bool &redef

If a trace file is given with -w, dump all packets seen by Zeek into it.

report_gaps_for_partial: bool &redef

Whether we want content_gap for partial connections.

rpc_timeout: interval &redef

Time to wait before timing out an RPC request.

sig_max_group_size: count &redef

Maximum size of regular expression groups for signature matching.

skip_http_data: bool &redef

Skip HTTP data for performance considerations.

table_expire_delay: interval &redef

When expiring table entries, wait this amount of time before checking the next chunk of entries.

table_expire_interval: interval &redef

Check for expired table entries after this amount of time.

table_incremental_step: count &redef

When expiring/serializing table entries, don’t work on more than this many table entries at a time.

tcp_SYN_ack_ok: bool &redef

If true, instantiate connection state when a SYN/ACK is seen but not the initial SYN (even if partial_connection_ok is false).

tcp_SYN_timeout: interval &redef

Check up on the result of an initial SYN after this much time.

tcp_attempt_delay: interval &redef

Wait this long upon seeing an initial SYN before timing out the connection attempt.

tcp_close_delay: interval &redef

Upon seeing a normal connection close, flush state after this much time.

tcp_connection_linger: interval &redef

When checking a closed connection for further activity, consider it inactive if there hasn’t been any for this long.

tcp_content_deliver_all_orig: bool &redef

If true, all TCP originator-side traffic is reported via tcp_contents.

tcp_content_deliver_all_resp: bool &redef

If true, all TCP responder-side traffic is reported via tcp_contents.

tcp_content_delivery_ports_orig: table &redef

Defines destination TCP ports for which the contents of the originator stream should be delivered via tcp_contents.

tcp_content_delivery_ports_resp: table &redef

Defines destination TCP ports for which the contents of the responder stream should be delivered via tcp_contents.

tcp_excessive_data_without_further_acks: count &redef

If we’ve seen this much data without any of it being acked, we give up on that connection to avoid memory exhaustion due to buffering all that stuff.

tcp_inactivity_timeout: interval &redef

If a TCP connection is inactive, time it out after this interval.

tcp_match_undelivered: bool &redef

If true, pass any undelivered data to the signature engine before flushing the state.

tcp_max_above_hole_without_any_acks: count &redef

If we’re not seeing our peer’s ACKs, the maximum volume of data above a sequence hole that we’ll tolerate before assuming that there’s been a packet drop and we should give up on tracking a connection.

tcp_max_initial_window: count &redef

Maximum amount of data that might plausibly be sent in an initial flight (prior to receiving any acks).

tcp_max_old_segments: count &redef

Number of TCP segments to buffer beyond what’s been acknowledged already to detect retransmission inconsistencies.

tcp_partial_close_delay: interval &redef

Generate a connection_partial_close event this much time after one half of a partial connection closes, assuming there has been no subsequent activity.

tcp_reassembler_ports_orig: set &redef

For services without a handler, these sets define originator-side ports that still trigger reassembly.

tcp_reassembler_ports_resp: set &redef

For services without a handler, these sets define responder-side ports that still trigger reassembly.

tcp_reset_delay: interval &redef

Upon seeing a RST, flush state after this much time.

tcp_session_timer: interval &redef

After a connection has closed, wait this long for further activity before checking whether to time out its state.

tcp_storm_interarrival_thresh: interval &redef

FINs/RSTs must come with this much time or less between them to be considered a “storm”.

tcp_storm_thresh: count &redef

Number of FINs/RSTs in a row that constitute a “storm”.

time_machine_profiling: bool &redef &deprecated = "Remove in v7.1. Unused."

If true, output profiling for Time-Machine queries.

truncate_http_URI: int &redef

Maximum length of HTTP URIs passed to events.

udp_content_deliver_all_orig: bool &redef

If true, all UDP originator-side traffic is reported via udp_contents.

udp_content_deliver_all_resp: bool &redef

If true, all UDP responder-side traffic is reported via udp_contents.

udp_content_delivery_ports_orig: table &redef

Defines UDP destination ports for which the contents of the originator stream should be delivered via udp_contents.

udp_content_delivery_ports_resp: table &redef

Defines UDP destination ports for which the contents of the responder stream should be delivered via udp_contents.

udp_inactivity_timeout: interval &redef

If a UDP flow is inactive, time it out after this interval.

use_conn_size_analyzer: bool &redef

Whether to use the ConnSize analyzer to count the number of packets and IP-level bytes transferred by each endpoint.

watchdog_interval: interval &redef

Zeek’s watchdog interval.

Constants

CONTENTS_BOTH: count

Record both originator and responder contents.

CONTENTS_NONE: count

Turn off recording of contents.

CONTENTS_ORIG: count

Record originator contents.

CONTENTS_RESP: count

Record responder contents.

DNS_ADDL: count

An additional record.

DNS_ANS: count

An answer record.

DNS_AUTH: count

An authoritative record.

DNS_QUERY: count

A query.

ENDIAN_BIG: count

Big endian.

ENDIAN_CONFUSED: count

Tried to determine endian, but failed.

ENDIAN_LITTLE: count

Little endian.

ENDIAN_UNKNOWN: count

Endian not yet determined.

ICMP_UNREACH_ADMIN_PROHIB: count

Administratively prohibited.

ICMP_UNREACH_HOST: count

Host unreachable.

ICMP_UNREACH_NEEDFRAG: count

Fragment needed.

ICMP_UNREACH_NET: count

Network unreachable.

ICMP_UNREACH_PORT: count

Port unreachable.

ICMP_UNREACH_PROTOCOL: count

Protocol unreachable.

IPPROTO_AH: count

IPv6 authentication header.

IPPROTO_DSTOPTS: count

IPv6 destination options header.

IPPROTO_ESP: count

IPv6 encapsulating security payload header.

IPPROTO_FRAGMENT: count

IPv6 fragment header.

IPPROTO_HOPOPTS: count

IPv6 hop-by-hop-options header.

IPPROTO_ICMP: count

Control message protocol.

IPPROTO_ICMPV6: count

ICMP for IPv6.

IPPROTO_IGMP: count

Group management protocol.

IPPROTO_IP: count

Dummy for IP.

IPPROTO_IPIP: count

IP encapsulation in IP.

IPPROTO_IPV6: count

IPv6 header.

IPPROTO_MOBILITY: count

IPv6 mobility header.

IPPROTO_NONE: count

IPv6 no next header.

IPPROTO_RAW: count

Raw IP packet.

IPPROTO_ROUTING: count

IPv6 routing header.

IPPROTO_TCP: count

TCP.

IPPROTO_UDP: count

User datagram protocol.

LOGIN_STATE_AUTHENTICATE: count

LOGIN_STATE_CONFUSED: count

LOGIN_STATE_LOGGED_IN: count

LOGIN_STATE_SKIP: count

RPC_status: table

Mapping of numerical RPC status codes to readable messages.

SNMP::OBJ_COUNTER32_TAG: count

Unsigned 32-bit integer.

SNMP::OBJ_COUNTER64_TAG: count

Unsigned 64-bit integer.

SNMP::OBJ_ENDOFMIBVIEW_TAG: count

A NULL value.

SNMP::OBJ_INTEGER_TAG: count

Signed 64-bit integer.

SNMP::OBJ_IPADDRESS_TAG: count

An IP address.

SNMP::OBJ_NOSUCHINSTANCE_TAG: count

A NULL value.

SNMP::OBJ_NOSUCHOBJECT_TAG: count

A NULL value.

SNMP::OBJ_OCTETSTRING_TAG: count

An octet string.

SNMP::OBJ_OID_TAG: count

An Object Identifier.

SNMP::OBJ_OPAQUE_TAG: count

An octet string.

SNMP::OBJ_TIMETICKS_TAG: count

Unsigned 32-bit integer.

SNMP::OBJ_UNSIGNED32_TAG: count

Unsigned 32-bit integer.

SNMP::OBJ_UNSPECIFIED_TAG: count

A NULL value.

TCP_CLOSED: count

Endpoint has closed connection.

TCP_ESTABLISHED: count

Endpoint has finished initial handshake regularly.

TCP_INACTIVE: count

Endpoint is still inactive.

TCP_PARTIAL: count

Endpoint has sent data but no initial SYN.

TCP_RESET: count

Endpoint has sent RST.

TCP_SYN_ACK_SENT: count

Endpoint has sent SYN/ACK.

TCP_SYN_SENT: count

Endpoint has sent SYN.

TH_ACK: count

ACK.

TH_FIN: count

FIN.

TH_FLAGS: count

Mask combining all flags.

TH_PUSH: count

PUSH.

TH_RST: count

RST.

TH_SYN: count

SYN.

TH_URG: count

URG.

UDP_ACTIVE: count

Endpoint has sent something.

UDP_INACTIVE: count

Endpoint is still inactive.

trace_output_file: string

Holds the filename of the trace file given with -w (empty if none).

zeek_script_args: vector

Arguments given to Zeek from the command line.

State Variables

capture_filters: table &redef

Set of BPF capture filters to use for capturing, indexed by a user-definable ID (which must be unique).

direct_login_prompts: set &redef

TODO.

discarder_maxlen: count &redef

Maximum length of payload passed to discarder functions.

dns_max_queries: count &redef

If a DNS request includes more than this many queries, assume it’s non-DNS traffic and do not process it.

dns_skip_addl: set &redef

For DNS servers in these sets, omit processing the ADDL records they include in their replies.

dns_skip_all_addl: bool &redef

If true, all DNS ADDL records are skipped.

dns_skip_all_auth: bool &redef

If true, all DNS AUTH records are skipped.

dns_skip_auth: set &redef

For DNS servers in these sets, omit processing the AUTH records they include in their replies.

done_with_network: bool

http_entity_data_delivery_size: count &redef

Maximum number of HTTP entity data delivered to events.

interfaces: string &add_func = add_interface &redef

Network interfaces to listen on.

login_failure_msgs: set &redef

TODO.

login_non_failure_msgs: set &redef

TODO.

login_prompts: set &redef

TODO.

login_success_msgs: set &redef

TODO.

login_timeouts: set &redef

TODO.

mime_segment_length: count &redef

The length of MIME data segments delivered to handlers of mime_segment_data.

mime_segment_overlap_length: count &redef

The number of bytes of overlap between successive segments passed to mime_segment_data.

pkt_profile_file: file &redef

File where packet profiles are logged.

profiling_file: file &redef

Write profiling info into this file in regular intervals.

restrict_filters: table &redef

Set of BPF filters to restrict capturing, indexed by a user-definable ID (which must be unique).

secondary_filters: table &redef

Definition of “secondary filters”.

signature_files: string &add_func = add_signature_file &redef

Signature files to read.

skip_authentication: set &redef

TODO.

Types

Analyzer::disabling_analyzer: hook &redef

A hook taking a connection, analyzer tag and analyzer id that can be used to veto disabling protocol analyzers.

AnalyzerConfirmationInfo: record

Generic analyzer confirmation info record.

AnalyzerViolationInfo: record

Generic analyzer violation info record.

Backtrace: vector

A representation of a Zeek script’s call stack.

BacktraceElement: record

A representation of an element in a Zeek script’s call stack.

BrokerStats: record

Statistics about Broker communication.

Cluster::Pool: record

A pool used for distributing data/work among a set of cluster nodes.

ConnStats: record

DHCP::Addrs: vector

A list of addresses offered by a DHCP server.

DHCP::ClientFQDN: record

DHCP Client FQDN Option information (Option 81)

DHCP::ClientID: record

DHCP Client Identifier (Option 61).

DHCP::Msg: record

A DHCP message.

DHCP::Options: record

DHCP::SubOpt: record

DHCP Relay Agent Information Option (Option 82).

DHCP::SubOpts: vector

DNSStats: record

Statistics related to Zeek’s active use of DNS.

EncapsulatingConnVector: vector

A type alias for a vector of encapsulating “connections”, i.e.

EventNameCounter: record &log

Statistics about how many times each event name is queued.

EventNameStats: vector

EventStats: record

FileAnalysisStats: record

Statistics of file analysis.

GapStats: record

Statistics about number of gaps in TCP connections.

IPAddrAnonymization: enum

IPAddrAnonymizationClass: enum

JSON::TimestampFormat: enum

KRB::AP_Options: record

AP Options.

KRB::Error_Msg: record

The data from the ERROR_MSG message.

KRB::Host_Address: record

A Kerberos host address. See RFC 4120.

KRB::Host_Address_Vector: vector

KRB::KDC_Options: record

KDC Options.

KRB::KDC_Request: record

The data from the AS_REQ and TGS_REQ messages.

KRB::KDC_Response: record

The data from the AS_REQ and TGS_REQ messages.

KRB::SAFE_Msg: record

The data from the SAFE message.

KRB::Ticket: record

A Kerberos ticket.

KRB::Ticket_Vector: vector

KRB::Type_Value: record

Used in a few places in the Kerberos analyzer for elements that have a type and a string value.

KRB::Type_Value_Vector: vector

MOUNT3::dirmntargs_t: record

MOUNT mnt arguments.

MOUNT3::info_t: record

Record summarizing the general results and status of MOUNT3 request/reply pairs.

MOUNT3::mnt_reply_t: record

MOUNT lookup reply.

MQTT::ConnectAckMsg: record

MQTT::ConnectMsg: record

MQTT::PublishMsg: record

MatcherStats: record

Statistics of all regular expression matchers.

ModbusCoils: vector

A vector of boolean values that indicate the setting for a range of Modbus coils.

ModbusFileRecordRequest: record

ModbusFileRecordRequests: vector

ModbusFileRecordResponse: record

ModbusFileRecordResponses: vector

ModbusFileReference: record

ModbusFileReferences: vector

ModbusHeaders: record

ModbusRegisters: vector

A vector of count values that represent 16-bit Modbus register values.

NFS3::delobj_reply_t: record

NFS reply for remove, rmdir.

NFS3::direntry_t: record

NFS direntry.

NFS3::direntry_vec_t: vector

Vector of NFS direntry.

NFS3::diropargs_t: record

NFS readdir arguments.

NFS3::fattr_t: record

NFS file attributes.

NFS3::fsstat_t: record

NFS fsstat.

NFS3::info_t: record

Record summarizing the general results and status of NFSv3 request/reply pairs.

NFS3::link_reply_t: record

NFS link reply.

NFS3::linkargs_t: record

NFS link arguments.

NFS3::lookup_reply_t: record

NFS lookup reply.

NFS3::newobj_reply_t: record

NFS reply for create, mkdir, and symlink.

NFS3::read_reply_t: record

NFS read reply.

NFS3::readargs_t: record

NFS read arguments.

NFS3::readdir_reply_t: record

NFS readdir reply.

NFS3::readdirargs_t: record

NFS readdir arguments.

NFS3::readlink_reply_t: record

NFS readlink reply.

NFS3::renameobj_reply_t: record

NFS reply for rename.

NFS3::renameopargs_t: record

NFS rename arguments.

NFS3::sattr_reply_t: record

NFS sattr reply.

NFS3::sattr_t: record

NFS file attributes.

NFS3::sattrargs_t: record

NFS sattr arguments.

NFS3::symlinkargs_t: record

NFS symlink arguments.

NFS3::symlinkdata_t: record

NFS symlinkdata attributes.

NFS3::wcc_attr_t: record

NFS wcc attributes.

NFS3::write_reply_t: record

NFS write reply.

NFS3::writeargs_t: record

NFS write arguments.

NTLM::AVs: record

NTLM::Authenticate: record

NTLM::Challenge: record

NTLM::Negotiate: record

NTLM::NegotiateFlags: record

NTLM::Version: record

NTP::ControlMessage: record

NTP control message as defined in RFC 1119 for mode=6. This record contains the fields used by the NTP protocol for control operations.

NTP::Message: record

NTP message as defined in RFC 5905.

NTP::Mode7Message: record

NTP mode 7 message.

NTP::StandardMessage: record

NTP standard message as defined in RFC 5905 for modes 1-5. This record contains the standard fields used by the NTP protocol for standard synchronization operations.

NetStats: record

Packet capture statistics.

PE::DOSHeader: record

PE::FileHeader: record

PE::OptionalHeader: record

PE::SectionHeader: record

Record for Portable Executable (PE) section headers.

PacketSource: record

Properties of an I/O packet source being read by Zeek.

Pcap::Interface: record

The definition of a “pcap interface”.

Pcap::Interfaces: set

Pcap::filter_state: enum

The state of the compilation for a pcap filter.

PcapFilterID: enum

Enum type identifying dynamic BPF filters.

ProcStats: record

Statistics about Zeek’s process.

RADIUS::AttributeList: vector

RADIUS::Attributes: table

RADIUS::Message: record

RDP::ClientChannelDef: record

Name and flags for a single channel requested by the client.

RDP::ClientChannelList: vector

The list of channels requested by the client.

RDP::ClientClusterData: record

The TS_UD_CS_CLUSTER data block is sent by the client to the server either to advertise that it can support the Server Redirection PDUs or to request a connection to a given session identifier.

RDP::ClientCoreData: record

RDP::ClientSecurityData: record

The TS_UD_CS_SEC data block contains security-related information used to advertise client cryptographic support.

RDP::EarlyCapabilityFlags: record

ReassemblerStats: record

Holds statistics for all types of reassembly.

ReporterStats: record

Statistics about reporter messages and weirds.

SMB1::Find_First2_Request_Args: record

SMB1::Find_First2_Response_Args: record

SMB1::Header: record

An SMB1 header.

SMB1::NegotiateCapabilities: record

SMB1::NegotiateRawMode: record

SMB1::NegotiateResponse: record

SMB1::NegotiateResponseCore: record

SMB1::NegotiateResponseLANMAN: record

SMB1::NegotiateResponseNTLM: record

SMB1::NegotiateResponseSecurity: record

SMB1::SessionSetupAndXCapabilities: record

SMB1::SessionSetupAndXRequest: record

SMB1::SessionSetupAndXResponse: record

SMB1::Trans2_Args: record

SMB1::Trans2_Sec_Args: record

SMB1::Trans_Sec_Args: record

SMB2::CloseResponse: record

The response to an SMB2 close request, which is used by the client to close an instance of a file that was opened previously.

SMB2::CompressionCapabilities: record

Compression information as defined in SMB v.

SMB2::CreateRequest: record

The request sent by the client to request either creation of or access to a file.

SMB2::CreateResponse: record

The response to an SMB2 create_request request, which is sent by the client to request either creation of or access to a file.

SMB2::EncryptionCapabilities: record

Encryption information as defined in SMB v.

SMB2::FileAttrs: record

A series of boolean flags describing basic and extended file attributes for SMB2.

SMB2::FileEA: record

This information class is used to query or set extended attribute (EA) information for a file.

SMB2::FileEAs: vector

A vector of extended attribute (EA) information for a file.

SMB2::Fscontrol: record

A series of integer flags used to set quota and content indexing control information for a file system volume in SMB2.

SMB2::GUID: record

An SMB2 globally unique identifier which identifies a file.

SMB2::Header: record

An SMB2 header.

SMB2::NegotiateContextValue: record

The context type information as defined in SMB v.

SMB2::NegotiateContextValues: vector

SMB2::NegotiateResponse: record

The response to an SMB2 negotiate request, which is used by the client to notify the server what dialects of the SMB2 protocol the client understands.

SMB2::PreAuthIntegrityCapabilities: record

Preauthentication information as defined in SMB v.

SMB2::SessionSetupFlags: record

A flags field that indicates additional information about the session that’s sent in the session_setup response.

SMB2::SessionSetupRequest: record

The request sent by the client to request a new authenticated session within a new or existing SMB 2 Protocol transport connection to the server.

SMB2::SessionSetupResponse: record

The response to an SMB2 session_setup request, which is sent by the client to request a new authenticated session within a new or existing SMB 2 Protocol transport connection to the server.

SMB2::Transform_header: record

An SMB2 transform header (for SMB 3.x dialects with encryption enabled).

SMB2::TreeConnectResponse: record

The response to an SMB2 tree_connect request, which is sent by the client to request access to a particular share on the server.

SMB::MACTimes: record

MAC times for a file.

SNMP::Binding: record

The VarBind data structure from either RFC 1157 or RFC 3416, which maps an Object Identifier to a value.

SNMP::Bindings: vector

A VarBindList data structure from either RFC 1157 or RFC 3416.

SNMP::BulkPDU: record

A BulkPDU data structure from RFC 3416.

SNMP::Header: record

A generic SNMP header data structure that may include data from any version of SNMP.

SNMP::HeaderV1: record

The top-level message data structure of an SNMPv1 datagram, not including the PDU data.

SNMP::HeaderV2: record

The top-level message data structure of an SNMPv2 datagram, not including the PDU data.

SNMP::HeaderV3: record

The top-level message data structure of an SNMPv3 datagram, not including the PDU data.

SNMP::ObjectValue: record

A generic SNMP object value, that may include any of the valid ObjectSyntax values from RFC 1155 or RFC 3416.

SNMP::PDU: record

A PDU data structure from either RFC 1157 or RFC 3416.

SNMP::ScopedPDU_Context: record

The ScopedPduData data structure of an SNMPv3 datagram, not including the PDU data (i.e.

SNMP::TrapPDU: record

A Trap-PDU data structure from RFC 1157.

SOCKS::Address: record &log

This record is for a SOCKS client or server to provide either a name or an address to represent a desired or established connection.

SSH::Algorithm_Prefs: record

The client and server each have some preferences for the algorithms used in each direction.

SSH::Capabilities: record

This record lists the preferences of an SSH endpoint for algorithm selection.

SSL::PSKIdentity: record

SSL::SignatureAndHashAlgorithm: record

SYN_packet: record

Fields of a SYN packet.

TCP::Option: record

A TCP Option field parsed from a TCP header.

TCP::OptionList: vector

The full list of TCP Option fields parsed from a TCP header.

ThreadStats: record

Statistics about threads.

TimerStats: record

Statistics of timers.

Tunnel::EncapsulatingConn: record &log

Records the identity of an encapsulating parent of a tunneled connection.

WebSocket::AnalyzerConfig: record

Record type that is passed to WebSocket::configure_analyzer.

X509::BasicConstraints: record &log

X509::Certificate: record

X509::Extension: record

X509::Result: record

Result of an X509 certificate chain verification

X509::SubjectAlternativeName: record

addr_set: set

A set of addresses.

addr_vec: vector

A vector of addresses.

any_vec: vector

A vector of any, used by some builtin functions to store a list of varying types.

assertion_failure: hook

A hook that is invoked when an assert statement fails.

assertion_result: hook

A hook that is invoked with the result of every assert statement.

bittorrent_benc_dir: table

A table of BitTorrent “benc” values.

bittorrent_benc_value: record

BitTorrent “benc” value.

bittorrent_peer: record

A BitTorrent peer.

bittorrent_peer_set: set

A set of BitTorrent peers.

bt_tracker_headers: table

Header table type used by BitTorrent analyzer.

call_argument: record

Meta-information about a parameter to a function/event.

call_argument_vector: vector

Vector type used to capture parameters of a function/event call.

conn_id: record &log

A connection’s identifying 4-tuple of endpoints and ports.

connection: record

A connection.

count_set: set

A set of counts.

dns_answer: record

The general part of a DNS reply.

dns_binds_rr: record

A Private RR type BINDS record.

dns_dnskey_rr: record

A DNSSEC DNSKEY record.

dns_ds_rr: record

A DNSSEC DS record.

dns_edns_additional: record

An additional DNS EDNS record.

dns_edns_cookie: record

A DNS EDNS COOKIE record.

dns_edns_ecs: record

A DNS EDNS Client Subnet (ECS) record.

dns_edns_tcp_keepalive: record

A DNS EDNS TCP KEEPALIVE record.

dns_loc_rr: record

A Private RR type LOC record.

dns_mapping: record

dns_msg: record

A DNS message.

dns_nsec3_rr: record

A DNSSEC NSEC3 record.

dns_nsec3param_rr: record

A DNSSEC NSEC3PARAM record.

dns_rrsig_rr: record

A DNSSEC RRSIG record.

dns_soa: record

A DNS SOA record.

dns_svcb_rr: record

DNS SVCB and HTTPS RRs.

dns_tsig_additional: record

An additional DNS TSIG record.

double_vec: vector

A vector of floating point numbers, used by telemetry builtin functions to store histogram bounds.

endpoint: record

Statistics about a connection endpoint.

endpoint_stats: record

Statistics about what a TCP endpoint sent.

entropy_test_result: record

Computed entropy values.

fa_file: record &redef

File Analysis handle for a file that Zeek is analyzing.

fa_metadata: record

File Analysis metadata that’s been inferred about a particular file.

files_tag_set: set

A set of file analyzer tags.

flow_id: record &log

The identifying 4-tuple of a uni-directional flow.

from_json_result: record

Return type for from_json BIF.

ftp_port: record

A parsed host/port combination describing server endpoint for an upcoming data transfer.

geo_autonomous_system: record &log

GeoIP autonomous system information.

geo_location: record &log

GeoIP location information.

gtp_access_point_name: string

gtp_cause: count

gtp_charging_characteristics: count

gtp_charging_gateway_addr: addr

gtp_charging_id: count

gtp_create_pdp_ctx_request_elements: record

gtp_create_pdp_ctx_response_elements: record

gtp_delete_pdp_ctx_request_elements: record

gtp_delete_pdp_ctx_response_elements: record

gtp_end_user_addr: record

gtp_gsn_addr: record

gtp_imsi: count

gtp_msisdn: string

gtp_nsapi: count

gtp_omc_id: string

gtp_private_extension: record

gtp_proto_config_options: string

gtp_qos_profile: record

gtp_rai: record

gtp_recovery: count

gtp_reordering_required: bool

gtp_selection_mode: count

gtp_teardown_ind: bool

gtp_teid1: count

gtp_teid_control_plane: count

gtp_tft: string

gtp_trace_reference: count

gtp_trace_type: count

gtp_trigger_id: string

gtp_update_pdp_ctx_request_elements: record

gtp_update_pdp_ctx_response_elements: record

gtpv1_hdr: record

A GTPv1 (GPRS Tunneling Protocol) header.

http_message_stat: record

HTTP message statistics.

http_stats_rec: record

HTTP session statistics.

icmp6_nd_option: record

Options extracted from ICMPv6 neighbor discovery messages as specified by RFC 4861.

icmp6_nd_options: vector

A type alias for a vector of ICMPv6 neighbor discovery message options.

icmp6_nd_prefix_info: record

Values extracted from a Prefix Information option in an ICMPv6 neighbor discovery message as specified by RFC 4861.

icmp_context: record

Packet context part of an ICMP message.

icmp_hdr: record

Values extracted from an ICMP header.

icmp_info: record

Specifics about an ICMP conversation/packet.

id_table: table

Table type used to map script-level identifiers to meta-information describing them.

index_vec: vector

A vector of counts, used by some builtin functions to store a list of indices.

int_vec: vector

A vector of integers, used by telemetry builtin functions to store histogram bounds.

interval_set: set

A set of intervals.

ip4_hdr: record

Values extracted from an IPv4 header.

ip6_ah: record

Values extracted from an IPv6 Authentication extension header.

ip6_dstopts: record

Values extracted from an IPv6 Destination options extension header.

ip6_esp: record

Values extracted from an IPv6 ESP extension header.

ip6_ext_hdr: record

A general container for a more specific IPv6 extension header.

ip6_ext_hdr_chain: vector

A type alias for a vector of IPv6 extension headers.

ip6_fragment: record

Values extracted from an IPv6 Fragment extension header.

ip6_hdr: record

Values extracted from an IPv6 header.

ip6_hopopts: record

Values extracted from an IPv6 Hop-by-Hop options extension header.

ip6_mobility_back: record

Values extracted from an IPv6 Mobility Binding Acknowledgement message.

ip6_mobility_be: record

Values extracted from an IPv6 Mobility Binding Error message.

ip6_mobility_brr: record

Values extracted from an IPv6 Mobility Binding Refresh Request message.

ip6_mobility_bu: record

Values extracted from an IPv6 Mobility Binding Update message.

ip6_mobility_cot: record

Values extracted from an IPv6 Mobility Care-of Test message.

ip6_mobility_coti: record

Values extracted from an IPv6 Mobility Care-of Test Init message.

ip6_mobility_hdr: record

Values extracted from an IPv6 Mobility header.

ip6_mobility_hot: record

Values extracted from an IPv6 Mobility Home Test message.

ip6_mobility_hoti: record

Values extracted from an IPv6 Mobility Home Test Init message.

ip6_mobility_msg: record

Values extracted from an IPv6 Mobility header’s message data.

ip6_option: record

Values extracted from an IPv6 extension header’s (e.g.

ip6_options: vector

A type alias for a vector of IPv6 options.

ip6_routing: record

Values extracted from an IPv6 Routing extension header.

irc_join_info: record

IRC join information.

irc_join_list: set

Set of IRC join information.

l2_hdr: record

Values extracted from the layer 2 header.

mime_header_list: table

A list of MIME headers.

mime_header_rec: record

A MIME header key/value pair.

mime_match: record

A structure indicating a MIME type and strength of a match against file magic signatures.

mime_matches: vector

A vector of file magic signature matches, ordered by strength of the signature, strongest first.

pcap_packet: record

Policy-level representation of a packet passed on by libpcap.

pkt_hdr: record

A packet header, consisting of an IP header and transport-layer header.

pkt_profile_modes: enum

Output modes for packet profiling information.

pm_callit_request: record

An RPC portmapper callit request.

pm_mapping: record

An RPC portmapper mapping.

pm_mappings: table

Table of RPC portmapper mappings.

pm_port_request: record

An RPC portmapper request.

psk_identity_vec: vector

raw_pkt_hdr: record

A raw packet header, consisting of L2 header and everything in pkt_hdr.

record_field: record

Meta-information about a record field.

record_field_table: table

Table type used to map record field declarations to meta-information describing them.

rotate_info: record

script_id: record

Meta-information about a script-level identifier.

signature_and_hashalgorithm_vec: vector

A vector of Signature and Hash Algorithms.

signature_state: record

Description of a signature match.

string_any_file_hook: hook

A hook taking a fa_file, an any, and a string.

string_any_table: table

A string-table of any.

string_array: table

An ordered array of strings.

string_mapper: function

Function mapping a string to a string.

string_set: set

A set of strings.

string_vec: vector

A vector of strings.

subnet_set: set

A set of subnets.

subnet_vec: vector

A vector of subnets.

sw_align: record

Helper type for return value of Smith-Waterman algorithm.

sw_align_vec: vector

Helper type for return value of Smith-Waterman algorithm.

sw_params: record

Parameters for the Smith-Waterman algorithm.

sw_substring: record

Helper type for return value of Smith-Waterman algorithm.

sw_substring_vec: vector

Return type for Smith-Waterman algorithm.

table_string_of_count: table

A table of counts indexed by strings.

table_string_of_string: table

A table of strings indexed by strings.

tcp_hdr: record

Values extracted from a TCP header.

teredo_auth: record

A Teredo origin indication header.

teredo_hdr: record

A Teredo packet header.

teredo_origin: record

A Teredo authentication header.

transport_proto: enum

A connection’s transport-layer protocol.

udp_hdr: record

Values extracted from a UDP header.

var_sizes: table

Table type used to map variable names to their memory allocation.

x509_opaque_vector: vector

A vector of x509 opaques.

Functions

add_interface: function

Internal function.

add_signature_file: function

Internal function.

discarder_check_icmp: function

Function for skipping packets based on their ICMP header.

discarder_check_ip: function

Function for skipping packets based on their IP header.

discarder_check_tcp: function

Function for skipping packets based on their TCP header.

discarder_check_udp: function

Function for skipping packets based on their UDP header.

from_json_default_key_mapper: function

The default JSON key mapper function.

max_count: function

Returns maximum of two count values.

max_double: function

Returns maximum of two double values.

max_interval: function

Returns maximum of two interval values.

min_count: function

Returns minimum of two count values.

min_double: function

Returns minimum of two double values.

min_interval: function

Returns minimum of two interval values.

Detailed Interface

Runtime Options

MQTT::max_payload_size
Type

count

Attributes

&redef

Default

100

The maximum payload size to allocate for the purpose of payload information in mqtt_publish events (and the default MQTT logs generated from that).

Weird::sampling_duration
Type

interval

Attributes

&redef

Default

10.0 mins

How long a weird of a given type is allowed to keep state/counters in memory. For “net” weirds an expiration timer starts per weird name when first initializing its counter. For “flow” weirds an expiration timer starts once per src/dst IP pair for the first weird of any name. For “conn” weirds, counters and expiration timers are kept for the duration of the connection for each named weird and reset when necessary. E.g. if a “conn” weird by the name of “foo” is seen more than Weird::sampling_threshold times, then an expiration timer begins for “foo” and upon triggering will reset the counter for “foo” and unthrottle its rate-limiting until it once again exceeds the threshold.

Weird::sampling_global_list
Type

set [string]

Attributes

&redef

Default

{}

Rate-limits weird names in the table globally instead of per connection/flow.

Weird::sampling_rate
Type

count

Attributes

&redef

Default

1000

The rate-limiting sampling rate. Once weirds of a given type are rate-limited, only one out of every this many occurrences will be allowed to raise events for further script-layer handling. Setting the sampling rate to 0 disables all output of rate-limited weirds.

Weird::sampling_threshold
Type

count

Attributes

&redef

Default

25

How many weirds of a given type to tolerate before sampling begins. I.e. this many consecutive weirds of a given type will be allowed to raise events for script-layer handling before being rate-limited.

Weird::sampling_whitelist
Type

set [string]

Attributes

&redef

Default

{}

Prevents rate-limiting sampling of any weirds named in the table.
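The Weird::sampling_* options above describe a threshold-then-sample rate limiter with a per-name expiration timer. The following Python model is an added example, not code from Zeek or its documentation; it reproduces that behaviour so a detection engineer can predict which weirds of a given name reach the script layer under a given configuration. The exact modulus rule after the threshold and the moment the timer starts are assumptions simplified from the description.

```python
"""Model of Zeek's Weird::sampling_* rate limiting (added example, not Zeek code).

Assumptions (not stated verbatim in the documentation):
  * after the threshold, every `rate`-th rate-limited occurrence is permitted,
    counted from the first throttled weird;
  * the expiration timer starts at the first throttled occurrence and, on
    expiry, resets the counter so the next weird is permitted again.
"""
from dataclasses import dataclass, field
from typing import Dict, Hashable, Iterable, List, Optional, Set, Tuple


@dataclass
class WeirdSampler:
    threshold: int = 25          # Weird::sampling_threshold default
    rate: int = 1000             # Weird::sampling_rate default
    duration: float = 600.0      # Weird::sampling_duration default (10 mins)
    whitelist: Set[str] = field(default_factory=set)    # Weird::sampling_whitelist
    global_list: Set[str] = field(default_factory=set)  # Weird::sampling_global_list
    # (name, scope) -> (count, expire_at); scope is the connection id, or None
    _state: Dict[Tuple[str, Optional[Hashable]], Tuple[int, Optional[float]]] = field(
        default_factory=dict)

    def permit(self, name: str, conn_id: Optional[Hashable], now: float) -> bool:
        """Return True if weird `name`, seen on `conn_id` at time `now`, should
        raise a script-layer event. Use conn_id=None for "net" weirds, which
        are counted per name only."""
        if name in self.whitelist:
            return True                      # never sampled
        # Names in the global list share one counter across all connections.
        scope = None if name in self.global_list else conn_id
        key = (name, scope)
        count, expire_at = self._state.get(key, (0, None))

        # Expiration timer fired: reset the counter and unthrottle.
        if expire_at is not None and now >= expire_at:
            count, expire_at = 0, None

        count += 1
        if count <= self.threshold:
            permitted = True                 # still under the tolerated burst
        else:
            if count == self.threshold + 1:
                expire_at = now + self.duration   # timer starts once throttled
            throttled = count - self.threshold
            # rate == 0 disables all output of rate-limited weirds
            permitted = self.rate > 0 and throttled % self.rate == 0
        self._state[key] = (count, expire_at)
        return permitted


def simulate(sampler: WeirdSampler,
             events: Iterable[Tuple[float, str, Optional[Hashable]]]) -> List[bool]:
    """Feed (now, name, conn_id) events through the sampler; return the
    permit decision for each one, in order."""
    return [sampler.permit(name, conn_id, now) for (now, name, conn_id) in events]


if __name__ == "__main__":
    # Constructed sample: small limits so the pattern is visible.
    s = WeirdSampler(threshold=3, rate=4, duration=60.0)
    print(simulate(s, [(0.0, "bad_TCP_checksum", "c1")] * 8))
```

With the defaults (25, 1000, 10 mins) the first 25 occurrences of a name on a connection raise events, then only every 1000th does until the timer expires.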

default_file_bof_buffer_size
Type

count

Attributes

&redef

Default

4096

Default number of bytes that file analysis will buffer for MIME type matching. File analyzers attached at the time of MIME type matching, or later, receive a copy of this buffer.

default_file_timeout_interval
Type

interval

Attributes

&redef

Default

2.0 mins

Default amount of time a file can be inactive before the file analysis gives up and discards any internal state related to the file.

ignore_checksums_nets
Type

set [subnet]

Attributes

&redef

Default

{}

Checksums are ignored for all packets with a src address within this set of networks. Useful for cases where a host might be seeing packets collected from local hosts before checksums were applied by hardware. This frequently manifests when sniffing a local management interface on a host and Zeek sees packets before the hardware has had a chance to apply the checksums.

udp_content_delivery_ports_use_resp
Type

bool

Attributes

&redef

Default

F

Whether ports given in udp_content_delivery_ports_orig and udp_content_delivery_ports_resp are in terms of the UDP packet’s destination port or the UDP connection’s “responder” port.

udp_content_ports
Type

set [port]

Attributes

&redef

Default

{}

Defines UDP ports (source or destination) for which the contents of either originator or responder streams should be delivered via udp_contents.

See also: tcp_content_delivery_ports_orig, tcp_content_delivery_ports_resp, tcp_content_deliver_all_orig, tcp_content_deliver_all_resp, udp_content_delivery_ports_orig, udp_content_deliver_all_orig, udp_content_deliver_all_resp, udp_contents, udp_content_delivery_ports_use_resp, udp_content_delivery_ports_resp

Redefinable Options

BinPAC::flowbuffer_capacity_max
Type

count

Attributes

&redef

Default

10485760

Maximum capacity, in bytes, that the BinPAC flowbuffer is allowed to grow to for use with incremental parsing of a given connection/analyzer.

BinPAC::flowbuffer_capacity_min
Type

count

Attributes

&redef

Default

512

The initial capacity, in bytes, that will be allocated to the BinPAC flowbuffer of a given connection/analyzer. If the buffer is later contracted, its capacity is also reduced to this size.

BinPAC::flowbuffer_contract_threshold
Type

count

Attributes

&redef

Default

2097152

The threshold, in bytes, at which the BinPAC flowbuffer of a given connection/analyzer will have its capacity contracted to BinPAC::flowbuffer_capacity_min after parsing a full unit. I.e. this is the maximum capacity to reserve in between the parsing of units. If, after parsing a unit, the flowbuffer capacity is greater than this value, it will be contracted.

DCE_RPC::max_cmd_reassembly
Type

count

Attributes

&redef

Default

20

The maximum number of simultaneous fragmented commands that the DCE_RPC analyzer will tolerate before it generates a weird and skips further input.

DCE_RPC::max_frag_data
Type

count

Attributes

&redef

Default

30000

The maximum number of fragmented bytes that the DCE_RPC analyzer will tolerate on a command before the analyzer will generate a weird and skip further input.

HTTP::upgrade_analyzers
Type

table [string] of Analyzer::Tag

Attributes

&redef

Default

{}

Redefinition

from base/protocols/websocket/main.zeek

+=:

websocket = Analyzer::ANALYZER_WEBSOCKET

Lookup table for Upgrade analyzers. First, a case-sensitive lookup is done using the client’s Upgrade header. If no match is found, the all-lowercase value is used. If there’s still no match, Zeek uses dynamic protocol detection for the upgraded-to protocol instead.

KRB::keytab
Type

string

Attributes

&redef

Default

""

Kerberos keytab file name. Used to decrypt tickets encountered on the wire.

MIME::max_depth
Type

count

Attributes

&redef

Default

100

Stop analysis of nested multipart MIME entities if this depth is reached. Setting this value to 0 removes the limit.

NCP::max_frame_size
Type

count

Attributes

&redef

Default

65536

The maximum number of bytes to allocate when parsing NCP frames.

NFS3::return_data
Type

bool

Attributes

&redef

Default

F

If true, nfs_proc_read and nfs_proc_write events return the file data that has been read/written.

See also: NFS3::return_data_max, NFS3::return_data_first_only

NFS3::return_data_first_only
Type

bool

Attributes

&redef

Default

T

If NFS3::return_data is true, whether to only return data if the read or write offset is 0, i.e., only return data for the beginning of the file.

NFS3::return_data_max
Type

count

Attributes

&redef

Default

512

If NFS3::return_data is true, how much data should be returned at most.

Pcap::bufsize
Type

count

Attributes

&redef

Default

128

Number of Mbytes to provide as buffer space when capturing from live interfaces.

Pcap::bufsize_offline_bytes
Type

count

Attributes

&redef

Default

131072

Number of bytes to use for buffering file read operations when reading from a PCAP file. Setting this to 0 uses operating system defaults as chosen by fopen().

Pcap::non_fd_timeout
Type

interval

Attributes

&redef

Default

20.0 usecs

Default timeout for packet sources without file descriptors.

For libpcap based packet sources that do not provide a usable file descriptor for select(), the timeout provided to the IO loop is either zero if a packet was most recently available or else this value.

Depending on the expected packet rate per-worker and the amount of available packet buffer, raising this value can significantly reduce Zeek’s CPU usage at the cost of a small delay before processing packets. Setting this value too high may cause packet drops due to running out of available buffer space.

Increasing this value to 200usec on low-traffic Myricom based systems (5 kpps per Zeek worker) has shown a 50% reduction in CPU usage.

This is an advanced setting. Do monitor dropped packets and capture loss information when changing it.

Note

Packet sources that override GetNextTimeout() method may not respect this value.

See also: io_poll_interval_live

Pcap::snaplen
Type

count

Attributes

&redef

Default

9216

Number of bytes per packet to capture from live interfaces.

Reporter::errors_to_stderr
Type

bool

Attributes

&redef

Default

T

Tunable for sending reporter error messages to STDERR. The option to turn it off is presented here in case Zeek is being run by some external harness and shouldn’t output anything to the console.

Reporter::info_to_stderr
Type

bool

Attributes

&redef

Default

T

Tunable for sending reporter info messages to STDERR. The option to turn it off is presented here in case Zeek is being run by some external harness and shouldn’t output anything to the console.

Reporter::warnings_to_stderr
Type

bool

Attributes

&redef

Default

T

Tunable for sending reporter warning messages to STDERR. The option to turn it off is presented here in case Zeek is being run by some external harness and shouldn’t output anything to the console.

SMB::max_dce_rpc_analyzers
Type

count

Attributes

&redef

Default

1000

Maximum number of DCE-RPC analyzers per connection before discarding them to avoid unbounded state growth.

See also: smb_discarded_dce_rpc_analyzers

SMB::max_pending_messages
Type

count

Attributes

&redef

Default

1000

The maximum number of messages for which to retain state about offsets, fids, or tree ids within the parser. When the limit is reached, internal parser state is discarded and smb2_discarded_messages_state raised.

Setting this to zero will disable the functionality.

See also: smb2_discarded_messages_state

SMB::pipe_filenames
Type

set [string]

Attributes

&redef

Default

{}

Redefinition

from base/protocols/smb/consts.zeek

=:

spoolss, winreg, samr, srvsvc, netdfs, lsarpc, wkssvc, MsFteWds

A set of file names used as named pipes over SMB. This only comes into play as a heuristic to identify named pipes when the drive mapping wasn’t seen by Zeek.

See also: smb_pipe_connect_heuristic

SSL::dtls_max_reported_version_errors
Type

count

Attributes

&redef

Default

1

Maximum number of invalid version errors to report in one DTLS connection.

SSL::dtls_max_version_errors
Type

count

Attributes

&redef

Default

10

Number of non-DTLS frames that can occur in a DTLS connection before parsing of the connection is suspended. DTLS does not immediately stop parsing a connection because other protocols might be interleaved in the same UDP “connection”.

SSL::max_alerts_per_record
Type

count

Attributes

&redef

Default

10

Maximum number of Alert messages parsed from an SSL record with content_type alert (21). The remaining alerts are discarded. For TLS 1.3 connections, this is implicitly 1 as defined by RFC 8446.

Threading::heartbeat_interval
Type

interval

Attributes

&redef

Default

1.0 sec

The heartbeat interval used by the threading framework. Changing this should usually not be necessary and will break several tests.

Tunnel::delay_gtp_confirmation
Type

bool

Attributes

&redef

Default

F

With this set, the GTP analyzer waits until the most-recent upflow and downflow packets are a valid GTPv1 encapsulation before issuing analyzer_confirmation_info. If it’s false, the first occurrence of a packet with valid GTPv1 encapsulation causes confirmation. Since the same inner connection can be carried in differing outer upflow/downflow connections, setting this to false may work better.

Tunnel::delay_teredo_confirmation
Type

bool

Attributes

&redef

Default

T

With this set, the Teredo analyzer waits until it sees both sides of a connection using a valid Teredo encapsulation before issuing an analyzer_confirmation_info. If it’s false, the first occurrence of a packet with valid Teredo encapsulation causes a confirmation.

Tunnel::ip_tunnel_timeout
Type

interval

Attributes

&redef

Default

1.0 day

How often to clean up internal state for inactive IP tunnels (this includes GRE tunnels).

Tunnel::max_changes_per_connection
Type

count

Attributes

&redef

Default

5

The number of tunnel_changed events that will be sent for a connection. Once this limit is hit, no more of those events will be sent to avoid a large number of events being sent for connections that regularly swap. This can be set to zero to disable this limiting.

Tunnel::max_depth
Type

count

Attributes

&redef

Default

4

The maximum depth of a tunnel to decapsulate until giving up. Setting this to zero will disable all types of tunnel decapsulation.

Tunnel::validate_vxlan_checksums
Type

bool

Attributes

&redef

Default

T

Whether to validate the checksum supplied in the outer UDP header of a VXLAN encapsulation. The spec says the checksum should be transmitted as zero, but if not, then the decapsulating destination may choose whether to perform the validation.

UnknownProtocol::first_bytes_count
Type

count

Attributes

&redef

Default

10

The number of bytes to extract from the next header and log in the first bytes field.

UnknownProtocol::sampling_duration
Type

interval

Attributes

&redef

Default

1.0 hr

How long an analyzer/protocol pair is allowed to keep state/counters in memory. Once the threshold has been hit, this is the amount of time before the rate-limiting for a pair expires and is reset.

UnknownProtocol::sampling_rate
Type

count

Attributes

&redef

Default

100000

The rate-limiting sampling rate. Once an analyzer/protocol pair is rate-limited, only one out of every this many reports for it will be allowed to raise events for further script-layer handling. Setting the sampling rate to 0 disables all output of rate-limited pairs.

UnknownProtocol::sampling_threshold
Type

count

Attributes

&redef

Default

3

How many reports for an analyzer/protocol pair will be allowed to raise events before becoming rate-limited.

WebSocket::payload_chunk_size
Type

count

Attributes

&redef

Default

8192

The WebSocket analyzer consumes and forwards frame payload in chunks to keep memory usage bounded. There should not be a reason to change this value except for debugging and testing reasons.

WebSocket::use_dpd_default
Type

bool

Attributes

&redef

Default

T

Whether to enable DPD on WebSocket frame payload by default.

WebSocket::use_spicy_analyzer
Type

bool

Attributes

&redef

Default

F

Whether to use the Spicy WebSocket protocol analyzer.

As of now, the BinPac version has better performance, but we may change the default in the future.

allow_network_time_forward
Type

bool

Attributes

&redef

Default

T

Whether Zeek will forward network_time to the current time upon observing an idle packet source (or no configured packet source).

Only set this to F if you really know what you’re doing. Setting this to F on non-worker systems causes network_time to be stuck at 0.0 and timer expiration will be non-functional.

The main purpose of this option is to yield control over network time to plugins or scripts via broker or other non-timer events.

See also: network_time, set_network_time, packet_source_inactivity_timeout

bits_per_uid
Type

count

Attributes

&redef

Default

96

Number of bits in UIDs that are generated to identify connections and files. The larger the value, the more confidence in UID uniqueness. The maximum is currently 128 bits.

check_for_unused_event_handlers
Type

bool

Attributes

&redef &deprecated = "Remove in v7.1. This has been replaced by usage analyzer functionality."

Default

F

If true, warns about unused event handlers at startup.

cmd_line_bpf_filter
Type

string

Attributes

&redef

Default

""

BPF filter the user has set via the -f command-line option. Empty if none.

detect_filtered_trace
Type

bool

Attributes

&redef

Default

F

Whether to attempt to automatically detect SYN/FIN/RST-filtered trace and not report missing segments for such connections. If this is enabled, then missing data at the end of connections may not be reported via content_gap.

digest_salt
Type

string

Attributes

&redef

Default

"Please change this value."

This salt value is used for several message digests in Zeek. We use a salt to help mitigate the possibility of an attacker manipulating source data to, e.g., mount complexity attacks or cause ID collisions. This salt is, for example, used by get_file_handle to generate installation-unique file IDs (the id field of fa_file).

dns_session_timeout
Type

interval

Attributes

&redef

Default

10.0 secs

Time to wait before timing out a DNS request.

dpd_buffer_size
Type

count

Attributes

&redef

Default

1024

Size of per-connection buffer used for dynamic protocol detection. For each connection, Zeek buffers this initial amount of payload in memory so that complete protocol analysis can start even after the initial packets have already passed through (i.e., when a DPD signature matches only later). However, once the buffer is full, data is deleted and lost to analyzers that are activated afterwards. Then only analyzers that can deal with partial connections will be able to analyze the session.

See also: dpd_reassemble_first_packets, dpd_match_only_beginning, dpd_ignore_ports, dpd_max_packets

dpd_ignore_ports
Type

bool

Attributes

&redef

Default

F

If true, don’t consider any ports for deciding which protocol analyzer to use.

See also: dpd_reassemble_first_packets, dpd_buffer_size, dpd_match_only_beginning

dpd_late_match_stop
Type

bool

Attributes

&redef

Default

F

Redefinition

from policy/protocols/conn/speculative-service.zeek

=:

T

If true, stops signature matching after a late match. A late match may occur in case the DPD buffer is exhausted but a protocol signature matched. To allow late matching, dpd_match_only_beginning must be disabled.

See also: dpd_reassemble_first_packets, dpd_buffer_size, dpd_match_only_beginning

Note

Despite the name, this option stops all signature matching, not only the signatures used for dynamic protocol detection; it is, however, triggered by DPD signatures only.

dpd_match_only_beginning
Type

bool

Attributes

&redef

Default

T

Redefinition

from policy/protocols/conn/speculative-service.zeek

=:

F

If true, stops signature matching if dpd_buffer_size has been reached.

See also: dpd_reassemble_first_packets, dpd_buffer_size, dpd_ignore_ports

Note

Despite the name, this option affects all signature matching, not only signatures used for dynamic protocol detection.

dpd_max_packets
Type

count

Attributes

&redef

Default

100

Maximum number of per-connection packets that will be buffered for dynamic protocol detection. For each connection, Zeek buffers up to this amount of packets in memory so that complete protocol analysis can start even after the initial packets have already passed through (i.e., when a DPD signature matches only later). However, once the buffer is full, data is deleted and lost to analyzers that are activated afterwards. Then only analyzers that can deal with partial connections will be able to analyze the session.

See also: dpd_reassemble_first_packets, dpd_match_only_beginning, dpd_ignore_ports, dpd_buffer_size

dpd_reassemble_first_packets
Type

bool

Attributes

&redef

Default

T

Reassemble the beginning of all TCP connections before doing signature matching. Enabling this provides more accurate matching at the expense of CPU cycles.

See also: dpd_buffer_size, dpd_match_only_beginning, dpd_ignore_ports

Note

Despite the name, this option affects all signature matching, not only signatures used for dynamic protocol detection.

exit_only_after_terminate
Type

bool

Attributes

&redef

Default

F

Flag to prevent Zeek from exiting automatically when input is exhausted. Normally Zeek terminates when all packet sources have gone dry and communication isn’t enabled. If this flag is set, Zeek’s main loop will instead keep idling until terminate is explicitly called.

This is mainly for testing purposes when termination behaviour needs to be controlled for reproducing results.
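Besides testing, the common practical use of this flag is a script that has no packet source at all and only drives the Input framework: without it, Zeek exits before the reader has delivered anything. The script below is an added example, not part of Zeek's own scripts; the file path, the record layout and the event names are assumptions, and the input file must start with a `#fields ip tag` header line.

```zeek
# Added example; not part of init-bare.zeek. The file path and record
# layout are assumptions for illustration.
module BlocklistLoad;

# No -r/-i will be given, so keep the main loop alive until terminate().
redef exit_only_after_terminate = T;

type Idx: record {
	ip: addr;
};

type Val: record {
	tag: string;
};

# Destination table filled by the Input framework's ASCII reader.
global blocklist: table[addr] of Val = table();

event zeek_init()
	{
	Input::add_table([$source="/tmp/blocklist.tsv", $name="blocklist",
	                  $idx=Idx, $val=Val, $destination=blocklist]);
	}

# Fires once the reader has delivered the whole file. Only now is it safe
# to use the table; then shut down explicitly, which is the "terminate"
# the flag above is waiting for.
event Input::end_of_data(name: string, source: string)
	{
	if ( name != "blocklist" )
		return;

	print fmt("loaded %d blocklist entries from %s", |blocklist|, source);
	Input::remove("blocklist");
	terminate();
	}
```

Run it as `zeek blocklist-load.zeek` (assumed file name); leaving out `terminate()` makes Zeek idle forever, which is the failure mode the flag's description warns about.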

expensive_profiling_multiple
Type

count

Attributes

&redef

Default

0

Redefinition

from policy/misc/profiling.zeek

=:

20

Multiples of profiling_interval at which (more expensive) memory profiling is done (0 disables).

See also: profiling_interval, profiling_file

frag_timeout
Type

interval

Attributes

&redef

Default

0 secs

Redefinition

from policy/tuning/defaults/packet-fragments.zeek

=:

5.0 mins

How long to hold onto fragments for possible reassembly. A value of 0.0 means “forever”, which resists evasion, but can lead to state accrual.

global_hash_seed
Type

string

Attributes

&redef

Default

""

Seed for hashes computed internally for probabilistic data structures. Using the same value here will make the hashes compatible between independent Zeek instances. If left unset, Zeek will use a temporary local seed.

icmp_inactivity_timeout
Type

interval

Attributes

&redef

Default

1.0 min

If an ICMP flow is inactive, time it out after this interval. If 0 secs, then don’t time it out.

See also: tcp_inactivity_timeout, udp_inactivity_timeout, set_inactivity_timeout

ignore_checksums
Type

bool

Attributes

&redef

Default

F

If true, don’t verify checksums, and accept packets whose IPv4 header gives a total length of zero, using the capture length instead. This is useful when running against traces of local traffic captured with the NIC’s checksum offloading enabled, and for altered trace files; it also saves a few cycles, at the risk of analyzing invalid data. A total-length field of zero is commonly produced when NIC segmentation offloading (TSO) is enabled. Note that the -C command-line option overrides the setting of this variable.

ignore_keep_alive_rexmit
Type

bool

Attributes

&redef

Default

F

Ignore certain TCP retransmissions for conn_stats. Some connections (e.g., SSH) retransmit the acknowledged last byte to keep the connection alive. If ignore_keep_alive_rexmit is set to true, such retransmissions will be excluded in the rexmit counter in conn_stats.

See also: conn_stats

io_poll_interval_default
Type

count

Attributes

&redef

Default

100

How many rounds to go without checking IO sources with file descriptors for readiness by default. This is used when reading from traces.

Very roughly, when reading from a pcap, setting this to 100 results in 100 packets being processed without checking FD based IO sources.

Note

This should not be changed outside of development or when debugging problems with the main-loop, or developing features with tight main-loop interaction.

See also: io_poll_interval_live

io_poll_interval_live
Type

count

Attributes

&redef

Default

10

How often to check IO sources with file descriptors for readiness when monitoring with a live packet source.

The poll interval defaults to 100, which is fine when reading from pcap files or when there is no packet source, but is a little too infrequent for live sources (especially fast ones), so it is lowered for those.

Note

This should not be changed outside of development or when debugging problems with the main-loop, or developing features with tight main-loop interaction.

See also: io_poll_interval_default

likely_server_ports
Type

set [port]

Attributes

&redef

Default

{}

Redefinition

from base/packet-protocols/ayiya/main.zeek

+=:

PacketAnalyzer::AYIYA::ayiya_ports
Redefinition

from base/packet-protocols/geneve/main.zeek

+=:

PacketAnalyzer::Geneve::geneve_ports
Redefinition

from base/packet-protocols/vxlan/main.zeek

+=:

PacketAnalyzer::VXLAN::vxlan_ports
Redefinition

from base/packet-protocols/teredo/main.zeek

+=:

PacketAnalyzer::TEREDO::teredo_ports
Redefinition

from base/packet-protocols/gtpv1/main.zeek

+=:

PacketAnalyzer::GTPV1::gtpv1_ports
Redefinition

from base/protocols/dce-rpc/main.zeek

+=:

DCE_RPC::ports
Redefinition

from base/protocols/dhcp/main.zeek

+=:

67/udp
Redefinition

from base/protocols/dnp3/main.zeek

+=:

DNP3::ports
Redefinition

from base/protocols/dns/main.zeek

+=:

DNS::ports
Redefinition

from base/protocols/finger/main.zeek

+=:

Finger::ports
Redefinition

from base/protocols/ftp/main.zeek

+=:

FTP::ports
Redefinition

from base/protocols/ssl/main.zeek

+=:

SSL::ssl_ports, SSL::dtls_ports
Redefinition

from base/protocols/http/main.zeek

+=:

HTTP::ports
Redefinition

from base/protocols/imap/main.zeek

+=:

IMAP::ports
Redefinition

from base/protocols/irc/main.zeek

+=:

IRC::ports
Redefinition

from base/protocols/krb/main.zeek

+=:

KRB::tcp_ports, KRB::udp_ports
Redefinition

from base/protocols/ldap/main.zeek

+=:

LDAP::ports_tcp, LDAP::ports_udp
Redefinition

from base/protocols/modbus/main.zeek

+=:

Modbus::ports
Redefinition

from base/protocols/mqtt/main.zeek

+=:

MQTT::ports
Redefinition

from base/protocols/ntp/main.zeek

+=:

NTP::ports
Redefinition

from base/protocols/radius/main.zeek

+=:

RADIUS::ports
Redefinition

from base/protocols/rdp/main.zeek

+=:

RDP::rdp_ports, RDP::rdpeudp_ports
Redefinition

from base/protocols/sip/main.zeek

+=:

SIP::ports
Redefinition

from base/protocols/snmp/main.zeek

+=:

SNMP::ports
Redefinition

from base/protocols/smb/main.zeek

+=:

SMB::ports
Redefinition

from base/protocols/smtp/main.zeek

+=:

SMTP::ports
Redefinition

from base/protocols/socks/main.zeek

+=:

SOCKS::ports
Redefinition

from base/protocols/ssh/main.zeek

+=:

SSH::ports
Redefinition

from base/protocols/syslog/main.zeek

+=:

Syslog::ports
Redefinition

from base/protocols/xmpp/main.zeek

+=:

XMPP::ports

Ports that the core considers likely to be used by servers. For ports in this set, it may heuristically decide to flip the direction of a connection if it misses the initial handshake.

log_rotate_base_time
Type

string

Attributes

&redef

Default

"0:00"

Base time of log rotations in 24-hour time format (%H:%M), e.g. “12:00”.

max_analyzer_violations
Type

count

Attributes

&redef

Default

1000

The maximum number of analyzer violations the core generates before suppressing them for a given analyzer instance. Once the limit is reached, a weird carrying information about the analyzer and connection is generated.

An analyzer generating this many violations is unlikely to be parsing the right protocol, or is potentially buggy.

See also DPD::max_violations, which controls disabling analyzers through script logic after a certain number of violations has been observed.

max_find_all_string_length
Type

int

Attributes

&redef

Default

10000

Maximum string length allowed for calls to the find_all and find_all_ordered BIFs.

max_timer_expires
Type

count

Attributes

&redef

Default

300

The maximum number of expired timers to process after processing each new packet. The value trades off spreading out the timer expiration load with possibly having to hold state longer. A value of 0 means “process all expired timers with each new packet”.

mmdb_asn_db
Type

string

Attributes

&redef

Default

"GeoLite2-ASN.mmdb"

Default name of the MaxMind ASN database file.

mmdb_city_db
Type

string

Attributes

&redef

Default

"GeoLite2-City.mmdb"

Default name of the MaxMind City database file.

mmdb_country_db
Type

string

Attributes

&redef

Default

"GeoLite2-Country.mmdb"

Default name of the MaxMind Country database file.

mmdb_dir
Type

string

Attributes

&redef

Default

""

The directory containing MaxMind DB (.mmdb) files to use for GeoIP support.

mmdb_dir_fallbacks
Type

vector of string

Attributes

&redef

Default
["/usr/share/GeoIP", "/var/lib/GeoIP", "/usr/local/share/GeoIP", "/usr/local/var/GeoIP"]

Fallback locations for MaxMind databases. Zeek attempts these when mmdb_dir is not set, or it cannot read a DB file from it. For geolocation lookups, Zeek will first attempt to locate the city database in each of the fallback locations, and should this fail, attempt to locate the country one.

mmdb_stale_check_interval
Type

interval

Attributes

&redef

Default

5.0 mins

Sets the interval for MaxMind DB file staleness checks. When Zeek detects a change in inode or modification time, the database is re-opened. Setting a negative interval disables staleness checks.
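How the mmdb_* options above feed actual lookups, as an added example (not code from init-bare.zeek). The directory is an assumption and must contain the files named by mmdb_city_db (or mmdb_country_db) and mmdb_asn_db; the startup probe makes a missing or unreadable database visible immediately instead of surfacing as empty fields later.

```zeek
# Added example; not part of init-bare.zeek. The directory is an assumption
# and must contain the files named by mmdb_city_db (or mmdb_country_db) and
# mmdb_asn_db; with mmdb_dir unset, mmdb_dir_fallbacks would be searched.
redef mmdb_dir = "/opt/geoip";

# Fail loudly at startup if the city/country database is unusable, instead
# of silently logging empty locations later. 8.8.8.8 is only a probe address.
event zeek_init()
	{
	local probe = lookup_location(8.8.8.8);
	if ( ! probe?$country_code )
		Reporter::warning(fmt("GeoIP lookups return nothing; check %s", mmdb_dir));
	}

# Enrich successful SSH logins with the client's country and ASN. All
# geo_location / geo_autonomous_system fields are &optional, so test each
# before use.
event ssh_auth_successful(c: connection, auth_method_none: bool)
	{
	local loc = lookup_location(c$id$orig_h);
	local asys = lookup_autonomous_system(c$id$orig_h);

	print fmt("%s ssh login from %s country=%s asn=%s org=%s",
	          c$uid, c$id$orig_h,
	          loc?$country_code ? loc$country_code : "-",
	          asys?$number ? cat(asys$number) : "-",
	          asys?$organization ? asys$organization : "-");
	}
```

Because of mmdb_stale_check_interval, replacing the .mmdb files in place (new inode or mtime) is picked up within that interval without restarting Zeek.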

non_analyzed_lifetime
Type

interval

Attributes

&redef

Default

0 secs

If a connection belongs to an application that we don’t analyze, time it out after this interval. If 0 secs, then don’t time it out (but tcp_inactivity_timeout, udp_inactivity_timeout, and icmp_inactivity_timeout still apply).

packet_filter_default
Type

bool

Attributes

&redef

Default

F

Default mode for Zeek’s user-space dynamic packet filter. If true, packets that aren’t explicitly allowed through are dropped from any further processing.

Note

This is not the BPF packet filter but an additional dynamic filter that Zeek optionally applies just before normal processing starts.

See also: install_dst_addr_filter, install_dst_net_filter, install_src_addr_filter, install_src_net_filter, uninstall_dst_addr_filter, uninstall_dst_net_filter, uninstall_src_addr_filter, uninstall_src_net_filter

packet_source_inactivity_timeout
Type

interval

Attributes

&redef

Default

100.0 msecs

If a packet source does not yield packets for this amount of time, it is considered idle. When a packet source is found to be idle, Zeek advances network_time to the current wall-clock time so that timer expiration keeps working. A packet source that queues up packets and does not yield any of them for longer than this interval will provoke not-very-well-defined timer behavior.

On Zeek workers with low packet rates, timer expiration may be delayed by up to this interval after the last packet has been received.

partial_connection_ok
Type

bool

Attributes

&redef

Default

T

If true, instantiate connection state when a partial connection (one missing its initial establishment negotiation) is seen.

peer_description
Type

string

Attributes

&redef

Default

"zeek"

Description transmitted to remote communication peers for identification.

pkt_profile_freq
Type

double

Attributes

&redef

Default

0.0

Frequency associated with packet profiling.

See also: pkt_profile_modes, pkt_profile_mode, pkt_profile_file

pkt_profile_mode
Type

pkt_profile_modes

Attributes

&redef

Default

PKT_PROFILE_MODE_NONE

Output mode for packet profiling information.

See also: pkt_profile_modes, pkt_profile_freq, pkt_profile_file

profiling_interval
Type

interval

Attributes

&redef

Default

0 secs

Redefinition

from policy/misc/profiling.zeek

=:

15.0 secs

Update interval for profiling (0 disables). The easiest way to activate profiling is loading policy/misc/profiling.zeek.

See also: profiling_file, expensive_profiling_multiple

record_all_packets
Type

bool

Attributes

&redef

Default

F

If a trace file is given with -w, dump all packets seen by Zeek into it. By default, Zeek applies (very few) heuristics to reduce the volume. A side effect of setting this to true is that we can write the packets out before we actually process them, which can be helpful for debugging in case the analysis triggers a crash.

See also: trace_output_file

report_gaps_for_partial
Type

bool

Attributes

&redef

Default

F

Whether we want content_gap for partial connections. A connection is partial if it is missing a full handshake. Note that gap reports for partial connections might not be reliable.

See also: content_gap, partial_connection

rpc_timeout
Type

interval

Attributes

&redef

Default

24.0 secs

Time to wait before timing out an RPC request.

sig_max_group_size
Type

count

Attributes

&redef

Default

50

Maximum size of regular expression groups for signature matching.

skip_http_data
Type

bool

Attributes

&redef

Default

F

Skip HTTP data for performance considerations. The skipped portion will not go through TCP reassembly.

See also: http_entity_data, skip_http_entity_data, http_entity_data_delivery_size

table_expire_delay
Type

interval

Attributes

&redef

Default

10.0 msecs

When expiring table entries, wait this amount of time before checking the next chunk of entries.

See also: table_expire_interval, table_incremental_step

table_expire_interval
Type

interval

Attributes

&redef

Default

10.0 secs

Redefinition

from policy/frameworks/management/agent/main.zeek

=:

2.0 secs
Redefinition

from policy/frameworks/management/controller/main.zeek

=:

2.0 secs

Check for expired table entries after this amount of time.

See also: table_incremental_step, table_expire_delay

table_incremental_step
Type

count

Attributes

&redef

Default

5000

When expiring/serializing table entries, don’t work on more than this many table entries at a time.

See also: table_expire_interval, table_expire_delay

tcp_SYN_ack_ok
Type

bool

Attributes

&redef

Default

T

If true, instantiate connection state when a SYN/ACK is seen but not the initial SYN (even if partial_connection_ok is false).

tcp_SYN_timeout
Type

interval

Attributes

&redef

Default

5.0 secs

Check up on the result of an initial SYN after this much time.

tcp_attempt_delay
Type

interval

Attributes

&redef

Default

5.0 secs

Wait this long upon seeing an initial SYN before timing out the connection attempt.

tcp_close_delay
Type

interval

Attributes

&redef

Default

5.0 secs

Upon seeing a normal connection close, flush state after this much time.

tcp_connection_linger
Type

interval

Attributes

&redef

Default

5.0 secs

When checking a closed connection for further activity, consider it inactive if there hasn’t been any for this long. Complain if the connection is reused before this much time has elapsed.

tcp_content_deliver_all_orig
Type

bool

Attributes

&redef

Default

F

If true, all TCP originator-side traffic is reported via tcp_contents.

See also: tcp_content_delivery_ports_orig, tcp_content_delivery_ports_resp, tcp_content_deliver_all_resp, udp_content_delivery_ports_orig, udp_content_delivery_ports_resp, udp_content_deliver_all_orig, udp_content_deliver_all_resp, tcp_contents

tcp_content_deliver_all_resp
Type

bool

Attributes

&redef

Default

F

If true, all TCP responder-side traffic is reported via tcp_contents.

See also: tcp_content_delivery_ports_orig, tcp_content_delivery_ports_resp, tcp_content_deliver_all_orig, udp_content_delivery_ports_orig, udp_content_delivery_ports_resp, udp_content_deliver_all_orig, udp_content_deliver_all_resp, tcp_contents

tcp_content_delivery_ports_orig
Type

table [port] of bool

Attributes

&redef

Default

{}

Defines destination TCP ports for which the contents of the originator stream should be delivered via tcp_contents.

See also: tcp_content_delivery_ports_resp, tcp_content_deliver_all_orig, tcp_content_deliver_all_resp, udp_content_delivery_ports_orig, udp_content_delivery_ports_resp, udp_content_deliver_all_orig, udp_content_deliver_all_resp, tcp_contents

tcp_content_delivery_ports_resp
Type

table [port] of bool

Attributes

&redef

Default

{}

Defines destination TCP ports for which the contents of the responder stream should be delivered via tcp_contents.

See also: tcp_content_delivery_ports_orig, tcp_content_deliver_all_orig, tcp_content_deliver_all_resp, udp_content_delivery_ports_orig, udp_content_delivery_ports_resp, udp_content_deliver_all_orig, udp_content_deliver_all_resp, tcp_contents

tcp_excessive_data_without_further_acks
Type

count

Attributes

&redef

Default

10485760

If we’ve seen this much data without any of it being acked, we give up on that connection to avoid memory exhaustion from buffering all of it. If set to zero, we never give up. Ideally, Zeek would track the current window on a connection and use it to infer that data has in fact gone too far, but for now this threshold is simply made quite large.

See also: tcp_max_initial_window, tcp_max_above_hole_without_any_acks

tcp_inactivity_timeout
Type

interval

Attributes

&redef

Default

5.0 mins

If a TCP connection is inactive, time it out after this interval. If 0 secs, then don’t time it out.

See also: udp_inactivity_timeout, icmp_inactivity_timeout, set_inactivity_timeout
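The inactivity timeouts, non_analyzed_lifetime and set_inactivity_timeout work together; the following added example (not from init-bare.zeek) tightens the global defaults to bound state on a busy worker and then relaxes the timeout per connection once a protocol has been confirmed. The values are assumptions chosen for illustration.

```zeek
# Added example; not part of init-bare.zeek. Values are illustrative.

# Global defaults, tighter than the shipped ones, to bound per-connection
# state on busy workers. 0 secs would disable the respective timeout.
redef tcp_inactivity_timeout = 2 mins;
redef udp_inactivity_timeout = 30 secs;
redef icmp_inactivity_timeout = 30 secs;

# Expire state for connections that no analyzer has claimed once they are
# this old; the inactivity timeouts above still apply independently.
redef non_analyzed_lifetime = 10 mins;

# Per-connection override: interactive SSH sessions idle for long stretches,
# so once the SSH analyzer has seen the server banner, give that connection
# a longer idle timeout than the global TCP default.
event ssh_server_version(c: connection, version: string)
	{
	# set_inactivity_timeout returns the timeout previously in effect.
	local prev = set_inactivity_timeout(c$id, 30 mins);
	print fmt("%s ssh: inactivity timeout %s -> 30 mins", c$uid, prev);
	}
```

The trade-off is the usual one: short global timeouts cut memory but make slow, low-rate sessions (including deliberate low-and-slow tools) fall apart into several conn.log entries, which is why the per-protocol override is done only after confirmation rather than on the port alone.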

tcp_match_undelivered
Type

bool

Attributes

&redef

Default

T

If true, pass any undelivered data to the signature engine before flushing the state. When a connection’s state is removed, there may still be data waiting in the reassembler.

tcp_max_above_hole_without_any_acks
Type

count

Attributes

&redef

Default

16384

If we’re not seeing our peer’s ACKs, the maximum volume of data above a sequence hole that we’ll tolerate before assuming that there’s been a packet drop and we should give up on tracking a connection. If set to zero, then we don’t ever give up.

See also: tcp_max_initial_window, tcp_excessive_data_without_further_acks

tcp_max_initial_window
Type

count

Attributes

&redef

Default

16384

Maximum amount of data that might plausibly be sent in an initial flight (prior to receiving any acks). Used to determine whether we must not be seeing our peer’s ACKs. Set to zero to turn off this determination.

See also: tcp_max_above_hole_without_any_acks, tcp_excessive_data_without_further_acks

tcp_max_old_segments
Type

count

Attributes

&redef

Default

0

Number of TCP segments to buffer beyond what’s been acknowledged already to detect retransmission inconsistencies. Zero disables any additional buffering.

tcp_partial_close_delay
Type

interval

Attributes

&redef

Default

3.0 secs

Generate a connection_partial_close event this much time after one half of a partial connection closes, assuming there has been no subsequent activity.

tcp_reassembler_ports_orig
Type

set [port]

Attributes

&redef

Default

{}

For services without a handler, these sets define originator-side ports that still trigger reassembly.

See also: tcp_reassembler_ports_resp

tcp_reassembler_ports_resp
Type

set [port]

Attributes

&redef

Default

{}

For services without a handler, these sets define responder-side ports that still trigger reassembly.

See also: tcp_reassembler_ports_orig

tcp_reset_delay
Type

interval

Attributes

&redef

Default

5.0 secs

Upon seeing a RST, flush state after this much time.

tcp_session_timer
Type

interval

Attributes

&redef

Default

6.0 secs

After a connection has closed, wait this long for further activity before checking whether to time out its state.

tcp_storm_interarrival_thresh
Type

interval

Attributes

&redef

Default

1.0 sec

FINs/RSTs must come with this much time or less between them to be considered a “storm”.

See also: tcp_storm_thresh

tcp_storm_thresh
Type

count

Attributes

&redef

Default

1000

Number of FINs/RSTs in a row that constitute a “storm”. Storms are reported as weird via the notice framework, and they must also come within intervals of at most tcp_storm_interarrival_thresh.

See also: tcp_storm_interarrival_thresh

time_machine_profiling
Type

bool

Attributes

&redef &deprecated = "Remove in v7.1. Unused."

Default

F

If true, output profiling for Time-Machine queries.

truncate_http_URI
Type

int

Attributes

&redef

Default

-1

Maximum length of HTTP URIs passed to events. Longer ones will be truncated to prevent over-long URIs (usually sent by worms) from slowing down event processing. A value of -1 means “do not truncate”.

See also: http_request

udp_content_deliver_all_orig
Type

bool

Attributes

&redef

Default

F

If true, all UDP originator-side traffic is reported via udp_contents.

See also: tcp_content_delivery_ports_orig, tcp_content_delivery_ports_resp, tcp_content_deliver_all_orig, tcp_content_deliver_all_resp, udp_content_delivery_ports_orig, udp_content_delivery_ports_resp, udp_content_deliver_all_resp, udp_contents, udp_content_delivery_ports_use_resp

udp_content_deliver_all_resp
Type

bool

Attributes

&redef

Default

F

If true, all UDP responder-side traffic is reported via udp_contents.

See also: tcp_content_delivery_ports_orig, tcp_content_delivery_ports_resp, tcp_content_deliver_all_orig, tcp_content_deliver_all_resp, udp_content_delivery_ports_orig, udp_content_delivery_ports_resp, udp_content_deliver_all_orig, udp_contents, udp_content_delivery_ports_use_resp

udp_content_delivery_ports_orig
Type

table [port] of bool

Attributes

&redef

Default

{}

Defines UDP destination ports for which the contents of the originator stream should be delivered via udp_contents.

See also: tcp_content_delivery_ports_orig, tcp_content_delivery_ports_resp, tcp_content_deliver_all_orig, tcp_content_deliver_all_resp, udp_content_delivery_ports_resp, udp_content_deliver_all_orig, udp_content_deliver_all_resp, udp_contents, udp_content_delivery_ports_use_resp, udp_content_ports

udp_content_delivery_ports_resp
Type

table [port] of bool

Attributes

&redef

Default

{}

Defines UDP destination ports for which the contents of the responder stream should be delivered via udp_contents.

See also: tcp_content_delivery_ports_orig, tcp_content_delivery_ports_resp, tcp_content_deliver_all_orig, tcp_content_deliver_all_resp, udp_content_delivery_ports_orig, udp_content_deliver_all_orig, udp_content_deliver_all_resp, udp_contents, udp_content_delivery_ports_use_resp, udp_content_ports
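The tcp_content_* and udp_content_* options above, together with likely_server_ports, are the way to get raw payload of a service Zeek has no analyzer for. The script below is an added example, not part of init-bare.zeek; the ports 8081/tcp and 5140/udp are assumed in-house services, and the "AUTH" check is a placeholder for whatever a site wants to look for in the first bytes.

```zeek
# Added example; not part of init-bare.zeek. 8081/tcp and 5140/udp are
# assumed in-house services without a Zeek analyzer.
module RawContents;

export {
	const tcp_svc = 8081/tcp &redef;
	const udp_svc = 5140/udp &redef;
}

# Let the core flip connection direction for these ports if it misses the
# handshake, as it does for the shipped analyzers' own port sets.
redef likely_server_ports += { tcp_svc, udp_svc };

# Deliver both directions of the TCP service via tcp_contents, but only the
# responder side of the UDP service via udp_contents.
redef tcp_content_delivery_ports_orig += { [tcp_svc] = T };
redef tcp_content_delivery_ports_resp += { [tcp_svc] = T };
redef udp_content_delivery_ports_resp += { [udp_svc] = T };

# Bytes delivered so far per (connection, direction); delivery is per stream.
global seen: table[string, bool] of count &default=0 &create_expire=1 hr;

event tcp_contents(c: connection, is_orig: bool, seq: count, contents: string)
	{
	local first = seen[c$uid, is_orig] == 0;
	seen[c$uid, is_orig] += |contents|;

	# On the first originator chunk, flag a cleartext AUTH verb on the
	# in-house port; seq is the relative position of this chunk's first byte.
	if ( first && is_orig && /^AUTH / in contents )
		print fmt("%s: cleartext AUTH towards %s (seq %d, %d bytes)",
		          c$uid, c$id$resp_p, seq, |contents|);
	}

event udp_contents(u: connection, is_orig: bool, contents: string)
	{
	seen[u$uid, is_orig] += |contents|;
	}
```

Enabling the deliver_all variants instead of the per-port tables hands every byte of every connection to script land, which is rarely affordable on a production worker; the per-port tables keep the cost proportional to the traffic you actually care about.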

udp_inactivity_timeout
Type

interval

Attributes

&redef

Default

1.0 min

If a UDP flow is inactive, time it out after this interval. If 0 secs, then don’t time it out.

See also: tcp_inactivity_timeout, icmp_inactivity_timeout, set_inactivity_timeout

use_conn_size_analyzer
Type

bool

Attributes

&redef

Default

T

Whether to use the ConnSize analyzer to count the number of packets and IP-level bytes transferred by each endpoint. If true, these values are returned in the connection’s endpoint record value.

watchdog_interval
Type

interval

Attributes

&redef

Default

10.0 secs

Zeek’s watchdog interval.

Constants

CONTENTS_BOTH
Type

count

Default

3

Record both originator and responder contents.

CONTENTS_NONE
Type

count

Default

0

Turn off recording of contents.

CONTENTS_ORIG
Type

count

Default

1

Record originator contents.

CONTENTS_RESP
Type

count

Default

2

Record responder contents.

DNS_ADDL
Type

count

Default

3

An additional record.

DNS_ANS
Type

count

Default

1

An answer record.

DNS_AUTH
Type

count

Default

2

An authoritative record.

DNS_QUERY
Type

count

Default

0

A query. This shouldn’t occur, just for completeness.

ENDIAN_BIG
Type

count

Default

2

Big endian.

ENDIAN_CONFUSED
Type

count

Default

3

Tried to determine endian, but failed.

ENDIAN_LITTLE
Type

count

Default

1

Little endian.

ENDIAN_UNKNOWN
Type

count

Default

0

Endian not yet determined.

ICMP_UNREACH_ADMIN_PROHIB
Type

count

Default

13

Administratively prohibited.

ICMP_UNREACH_HOST
Type

count

Default

1

Host unreachable.

ICMP_UNREACH_NEEDFRAG
Type

count

Default

4

Fragment needed.

ICMP_UNREACH_NET
Type

count

Default

0

Network unreachable.

ICMP_UNREACH_PORT
Type

count

Default

3

Port unreachable.

ICMP_UNREACH_PROTOCOL
Type

count

Default

2

Protocol unreachable.

IPPROTO_AH
Type

count

Default

51

IPv6 authentication header.

IPPROTO_DSTOPTS
Type

count

Default

60

IPv6 destination options header.

IPPROTO_ESP
Type

count

Default

50

IPv6 encapsulating security payload header.

IPPROTO_FRAGMENT
Type

count

Default

44

IPv6 fragment header.

IPPROTO_HOPOPTS
Type

count

Default

0

IPv6 hop-by-hop-options header.

IPPROTO_ICMP
Type

count

Default

1

Control message protocol.

IPPROTO_ICMPV6
Type

count

Default

58

ICMP for IPv6.

IPPROTO_IGMP
Type

count

Default

2

Group management protocol.

IPPROTO_IP
Type

count

Default

0

Dummy for IP.

IPPROTO_IPIP
Type

count

Default

4

IP encapsulation in IP.

IPPROTO_IPV6
Type

count

Default

41

IPv6 header.

IPPROTO_MOBILITY
Type

count

Default

135

IPv6 mobility header.

IPPROTO_NONE
Type

count

Default

59

IPv6 no next header.

IPPROTO_RAW
Type

count

Default

255

Raw IP packet.

IPPROTO_ROUTING
Type

count

Default

43

IPv6 routing header.

IPPROTO_TCP
Type

count

Default

6

TCP.

IPPROTO_UDP
Type

count

Default

17

User datagram protocol.

LOGIN_STATE_AUTHENTICATE
Type

count

Default

0

LOGIN_STATE_CONFUSED
Type

count

Default

3

LOGIN_STATE_LOGGED_IN
Type

count

Default

1

LOGIN_STATE_SKIP
Type

count

Default

2

RPC_status
Type

table [rpc_status] of string

Default
{
   [RPC_PROG_MISMATCH] = "mismatch",
   [RPC_AUTH_ERROR] = "auth error",
   [RPC_SYSTEM_ERR] = "system err",
   [RPC_PROC_UNAVAIL] = "proc unavail",
   [RPC_SUCCESS] = "ok",
   [RPC_UNKNOWN_ERROR] = "unknown",
   [RPC_TIMEOUT] = "timeout",
   [RPC_GARBAGE_ARGS] = "garbage args",
   [RPC_PROG_UNAVAIL] = "prog unavail"
}

Mapping of numerical RPC status codes to readable messages.

See also: pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, rpc_dialogue, rpc_reply

SNMP::OBJ_COUNTER32_TAG
Type

count

Default

65

Unsigned 32-bit integer.

SNMP::OBJ_COUNTER64_TAG
Type

count

Default

70

Unsigned 64-bit integer.

SNMP::OBJ_ENDOFMIBVIEW_TAG
Type

count

Default

130

The endOfMibView exception, encoded as a NULL value.

SNMP::OBJ_INTEGER_TAG
Type

count

Default

2

Signed 64-bit integer.

SNMP::OBJ_IPADDRESS_TAG
Type

count

Default

64

An IP address.

SNMP::OBJ_NOSUCHINSTANCE_TAG
Type

count

Default

129

The noSuchInstance exception, encoded as a NULL value.

SNMP::OBJ_NOSUCHOBJECT_TAG
Type

count

Default

128

The noSuchObject exception, encoded as a NULL value.

SNMP::OBJ_OCTETSTRING_TAG
Type

count

Default

4

An octet string.

SNMP::OBJ_OID_TAG
Type

count

Default

6

An Object Identifier.

SNMP::OBJ_OPAQUE_TAG
Type

count

Default

68

An octet string.

SNMP::OBJ_TIMETICKS_TAG
Type

count

Default

67

Unsigned 32-bit integer.

SNMP::OBJ_UNSIGNED32_TAG
Type

count

Default

66

Unsigned 32-bit integer.

SNMP::OBJ_UNSPECIFIED_TAG
Type

count

Default

5

A NULL value.

TCP_CLOSED
Type

count

Default

5

Endpoint has closed connection.

TCP_ESTABLISHED
Type

count

Default

4

Endpoint has finished initial handshake regularly.

TCP_INACTIVE
Type

count

Default

0

Endpoint is still inactive.

TCP_PARTIAL
Type

count

Default

3

Endpoint has sent data but no initial SYN.

TCP_RESET
Type

count

Default

6

Endpoint has sent RST.

TCP_SYN_ACK_SENT
Type

count

Default

2

Endpoint has sent SYN/ACK.

TCP_SYN_SENT
Type

count

Default

1

Endpoint has sent SYN.

TH_ACK
Type

count

Default

16

ACK.

TH_FIN
Type

count

Default

1

FIN.

TH_FLAGS
Type

count

Default

63

Mask combining all flags.

TH_PUSH
Type

count

Default

8

PUSH.

TH_RST
Type

count

Default

4

RST.

TH_SYN
Type

count

Default

2

SYN.

TH_URG
Type

count

Default

32

URG.

UDP_ACTIVE
Type

count

Default

1

Endpoint has sent something.

UDP_INACTIVE
Type

count

Default

0

Endpoint is still inactive.

trace_output_file
Type

string

Default

""

Holds the filename of the trace file given with -w (empty if none).

See also: record_all_packets

zeek_script_args
Type

vector of string

Default
[]

Arguments given to Zeek from the command line. In order to use this, Zeek must use a -- command line argument immediately followed by a script file and additional arguments after that. For example:

zeek --bare-mode -- myscript.zeek -a -b -c

To use Zeek as an executable interpreter, include a line at the top of a script like the following and make the script executable:

#!/usr/local/zeek/bin/zeek --

State Variables

capture_filters
Type

table [string] of string

Attributes

&redef

Default

{}

Set of BPF capture filters to use for capturing, indexed by a user-definable ID (which must be unique). If Zeek is not configured with PacketFilter::enable_auto_protocol_capture_filters, all packets matching at least one of the filters in this table (and all in restrict_filters) will be analyzed.

See also: PacketFilter, PacketFilter::enable_auto_protocol_capture_filters, PacketFilter::unrestricted_filter, restrict_filters

direct_login_prompts
Type

set [string]

Attributes

&redef

Default

{}

TODO.

discarder_maxlen
Type

count

Attributes

&redef

Default

128

Maximum length of payload passed to discarder functions.

See also: discarder_check_tcp, discarder_check_udp, discarder_check_icmp, discarder_check_ip

dns_max_queries
Type

count

Attributes

&redef

Default

25

If a DNS request includes more than this many queries, assume it’s non-DNS traffic and do not process it. Set to 0 to turn off this functionality.

dns_skip_addl
Type

set [addr]

Attributes

&redef

Default

{}

For DNS servers in these sets, omit processing the ADDL records they include in their replies.

See also: dns_skip_all_addl, dns_skip_auth

dns_skip_all_addl
Type

bool

Attributes

&redef

Default

T

Redefinition

from policy/protocols/dns/auth-addl.zeek

=:

F

If true, all DNS ADDL records are skipped.

See also: dns_skip_all_auth, dns_skip_addl

dns_skip_all_auth
Type

bool

Attributes

&redef

Default

T

Redefinition

from policy/protocols/dns/auth-addl.zeek

=:

F

If true, all DNS AUTH records are skipped.

See also: dns_skip_all_addl, dns_skip_auth

dns_skip_auth
Type

set [addr]

Attributes

&redef

Default

{}

For DNS servers in these sets, omit processing the AUTH records they include in their replies.

See also: dns_skip_all_auth, dns_skip_addl

done_with_network
Type

bool

Default

F

http_entity_data_delivery_size
Type

count

Attributes

&redef

Default

1500

Maximum number of bytes of HTTP entity data delivered per http_entity_data event.

See also: http_entity_data, skip_http_entity_data, skip_http_data

interfaces
Type

string

Attributes

&add_func = add_interface &redef

Default

""

Network interfaces to listen on. Use redef interfaces += "eth0" to extend.

login_failure_msgs
Type

set [string]

Attributes

&redef

Default

{}

TODO.

login_non_failure_msgs
Type

set [string]

Attributes

&redef

Default

{}

TODO.

login_prompts
Type

set [string]

Attributes

&redef

Default

{}

TODO.

login_success_msgs
Type

set [string]

Attributes

&redef

Default

{}

TODO.

login_timeouts
Type

set [string]

Attributes

&redef

Default

{}

TODO.

mime_segment_length
Type

count

Attributes

&redef

Default

1024

The length of MIME data segments delivered to handlers of mime_segment_data.

See also: mime_segment_data, mime_segment_overlap_length

mime_segment_overlap_length
Type

count

Attributes

&redef

Default

0

The number of bytes of overlap between successive segments passed to mime_segment_data.

pkt_profile_file
Type

file

Attributes

&redef

File where packet profiles are logged.

See also: pkt_profile_modes, pkt_profile_freq, pkt_profile_mode

profiling_file
Type

file

Attributes

&redef

Default
file "prof.log" of string
Redefinition

from policy/misc/profiling.zeek

=:

open(fmt("prof.%s", Profiling::log_suffix()))

Write profiling info into this file in regular intervals. The easiest way to activate profiling is loading policy/misc/profiling.zeek.

See also: profiling_interval, expensive_profiling_multiple

restrict_filters
Type

table [string] of string

Attributes

&redef

Default

{}

Set of BPF filters to restrict capturing, indexed by a user-definable ID (which must be unique).

See also: PacketFilter, PacketFilter::enable_auto_protocol_capture_filters, PacketFilter::unrestricted_filter, capture_filters
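An added example of capture_filters and restrict_filters working together (not code from init-bare.zeek or the PacketFilter framework). The networks and ports are assumptions; the final handler only reads back what the framework installed, which is the check worth doing whenever a filter is changed, since a typo in a BPF expression silently changes what Zeek sees.

```zeek
# Added example; not part of init-bare.zeek. Networks and ports are assumptions.

# Allow list: only DNS and DHCP reach analysis. IDs are arbitrary but must
# be unique; the expressions are joined with "or".
redef capture_filters += {
	["dns"] = "port 53",
	["dhcp"] = "udp port 67 or udp port 68"
};

# Restriction applied on top ("and"-ed with the above): never look at the
# nightly rsync job, whatever capture_filters admit.
redef restrict_filters += {
	["no-backup"] = "not (net 10.20.0.0/16 and tcp port 873)"
};

# Read back the effective program once the first packet has arrived, i.e.
# after the PacketFilter framework has compiled and installed it. The same
# string is recorded in packet_filter.log.
event network_time_init()
	{
	print fmt("effective BPF filter: %s", PacketFilter::current_filter);
	}
```

Note that capture_filters only behave as described while PacketFilter::enable_auto_protocol_capture_filters is off (its default); with it on, the framework derives the allow list from the loaded analyzers' port sets instead.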

secondary_filters
Type

table [string] of event (filter: string, pkt: pkt_hdr)

Attributes

&redef

Default

{}

Definition of “secondary filters”. A secondary filter is a BPF filter given as index in this table. For each such filter, the corresponding event is raised for all matching packets.

signature_files
Type

string

Attributes

&add_func = add_signature_file &redef

Default

""

Signature files to read. Use redef signature_files += "foo.sig" to extend. Signature files added this way will be searched relative to ZEEKPATH. Using the @load-sigs directive instead is preferred since that can search paths relative to the current script.

skip_authentication
Type

set [string]

Attributes

&redef

Default

{}

TODO.

Types

Analyzer::disabling_analyzer
Type

hook (c: connection, atype: AllAnalyzers::Tag, aid: count) : bool

Attributes

&redef

A hook taking a connection, analyzer tag and analyzer id that can be used to veto disabling protocol analyzers. Specifically, an analyzer can be prevented from being disabled by using a break statement within the hook. This hook is invoked synchronously during a disable_analyzer call.

Scripts implementing this hook should have other logic that will eventually disable the analyzer for the given connection. That is, if a script vetoes disabling an analyzer, it takes responsibility for a later call to disable_analyzer, which may be never.

Param c

The connection

Param atype

The type / tag of the analyzer being disabled.

Param aid

The analyzer ID.

AnalyzerConfirmationInfo
Type

record

c: connection &optional

The connection related to this confirmation, if any. This field may be set if there’s any connection related information available for this confirmation. For protocol analyzers it is guaranteed to be set, but may also be added by file analyzers as additional contextual information.

f: fa_file &optional

The file object related to this confirmation, if any.

aid: count &optional

Specific analyzer instance that can be used to reference the analyzer when using builtin functions like disable_analyzer.

Generic analyzer confirmation info record.

See also: analyzer_confirmation_info

AnalyzerViolationInfo
Type

record

reason: string

The reason for the violation - should be user readable.

c: connection &optional

The connection related to this violation, if any. This field may be set if there’s any connection related information available for this violation. For protocol analyzers it is guaranteed to be set, but may also be added by file analyzers as additional contextual information.

f: fa_file &optional

The file object related to this violation, if any.

aid: count &optional

Specific analyzer instance that can be used to reference the analyzer when using builtin functions like disable_analyzer.

data: string &optional

Piece of binary data that was parsed and caused the violation.

Generic analyzer violation info record.

See also: analyzer_violation_info
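
Example (added here, not part of init-bare.zeek or the analyzer framework) showing how analyzer_violation_info and the Analyzer::disabling_analyzer hook above fit together: the violation handler disables a protocol analyzer after repeated violations on one connection, and the hook vetoes that for selected analyzer types while taking responsibility for disabling them later, as the hook's documentation requires. The threshold, delay and module name are assumptions.

```zeek
# Added example, not Zeek's own code. Threshold, delay and names are assumptions.
module ViolationPolicy;

export {
	## Violations tolerated per analyzer instance before it is disabled.
	const max_violations = 3 &redef;
	## Analyzer types whose disabling is delayed rather than immediate.
	const keep_running: set[AllAnalyzers::Tag] = { Analyzer::ANALYZER_HTTP } &redef;
	## How long a vetoed analyzer keeps running before it is disabled.
	const defer_interval = 30sec &redef;
}

# Violations per analyzer instance, keyed by connection UID and analyzer id.
global violations: table[string, count] of count &default=0 &read_expire=10min;

# Analyzer instances whose disabling was vetoed and rescheduled.
global deferred: set[string, count] &read_expire=10min;

event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo)
	{
	# File analyzers may report without connection context; without c and
	# aid there is nothing to disable.
	if ( ! info?$c || ! info?$aid )
		return;

	local c = info$c;
	violations[c$uid, info$aid] += 1;

	# Act exactly once, when the threshold is reached.
	if ( violations[c$uid, info$aid] != max_violations )
		return;

	Reporter::info(fmt("%s: disabling %s (aid %d) after %d violations, last: %s",
	                   c$uid, atype, info$aid, max_violations, info$reason));

	# Analyzer::disabling_analyzer runs synchronously inside this call; a
	# vetoed disable makes it return F.
	if ( ! disable_analyzer(c$id, info$aid) )
		Reporter::info(fmt("%s: disabling aid %d was vetoed and deferred", c$uid, info$aid));
	}

event deferred_disable(cid: conn_id, aid: count)
	{
	# Second attempt; the hook lets it pass because the instance is already
	# marked deferred. The connection may be gone by now, so a missing
	# connection is not treated as an error.
	disable_analyzer(cid, aid, F);
	}

hook Analyzer::disabling_analyzer(c: connection, atype: AllAnalyzers::Tag, aid: count)
	{
	# Plain return leaves the decision to other handlers; break vetoes.
	if ( atype !in keep_running || [c$uid, aid] in deferred )
		return;

	add deferred[c$uid, aid];
	schedule defer_interval { deferred_disable(c$id, aid) };
	break;
	}
```

The important property is that a veto never silently keeps an analyzer alive forever: the same script that vetoes also schedules the later disable_analyzer call.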

Backtrace
Type

vector of BacktraceElement

A representation of a Zeek script’s call stack.

See also: backtrace, print_backtrace

BacktraceElement
Type

record

function_name: string

The name of the function being called at this point in the call stack.

function_args: call_argument_vector

The arguments passed to the function being called.

file_location: string &optional

The file in which the function call is being made.

line_location: count &optional

The line number at which the function call is being made.

A representation of an element in a Zeek script’s call stack.

See also: backtrace, print_backtrace

BrokerStats
Type

record

num_peers: count

Number of active peers.

num_stores: count

Number of active data stores.

num_pending_queries: count

Number of pending data store queries.

num_events_incoming: count

Number of total events received.

num_events_outgoing: count

Number of total events sent.

num_logs_incoming: count

Number of total log records received.

num_logs_outgoing: count

Number of total log records sent.

num_ids_incoming: count

Number of total identifiers received.

num_ids_outgoing: count

Number of total identifiers sent.

Statistics about Broker communication.

See also: get_broker_stats

Cluster::Pool
Type

record

spec: Cluster::PoolSpec

(present if base/frameworks/cluster/pools.zeek is loaded)

The specification of the pool that was used when registering it.

nodes: Cluster::PoolNodeTable &default = {  } &optional

(present if base/frameworks/cluster/pools.zeek is loaded)

Nodes in the pool, indexed by their name (e.g. “manager”).

node_list: vector of Cluster::PoolNode &default = [] &optional

(present if base/frameworks/cluster/pools.zeek is loaded)

A list of nodes in the pool in a deterministic order.

hrw_pool: HashHRW::Pool &default = [sites={  }] &optional

(present if base/frameworks/cluster/pools.zeek is loaded)

The Rendezvous hashing structure.

rr_key_seq: Cluster::RoundRobinTable &default = {  } &optional

(present if base/frameworks/cluster/pools.zeek is loaded)

Round-Robin table indexed by arbitrary key and storing the next index of node_list that will be eligible to receive work (if it’s alive at the time of next request).

alive_count: count &default = 0 &optional

(present if base/frameworks/cluster/pools.zeek is loaded)

Number of pool nodes that are currently alive.

A pool used for distributing data/work among a set of cluster nodes.

ConnStats
Type

record

total_conns: count

current_conns: count

sess_current_conns: count

num_packets: count

num_fragments: count

max_fragments: count

num_tcp_conns: count

Current number of TCP connections in memory.

max_tcp_conns: count

Maximum number of concurrent TCP connections so far.

cumulative_tcp_conns: count

Total number of TCP connections so far.

num_udp_conns: count

Current number of UDP flows in memory.

max_udp_conns: count

Maximum number of concurrent UDP flows so far.

cumulative_udp_conns: count

Total number of UDP flows so far.

num_icmp_conns: count

Current number of ICMP flows in memory.

max_icmp_conns: count

Maximum number of concurrent ICMP flows so far.

cumulative_icmp_conns: count

Total number of ICMP flows so far.

killed_by_inactivity: count

DHCP::Addrs
Type

vector of addr

A list of addresses offered by a DHCP server. Could be routers, DNS servers, or other.

See also: dhcp_message

DHCP::ClientFQDN
Type

record

flags: count

An unparsed bitfield of flags (refer to RFC 4702).

rcode1: count

This field is deprecated in the standard.

rcode2: count

This field is deprecated in the standard.

domain_name: string

The Domain Name part of the option carries all or part of the FQDN of a DHCP client.

DHCP Client FQDN Option information (Option 81)

DHCP::ClientID
Type

record

hwtype: count

hwaddr: string

DHCP Client Identifier (Option 61)

See also: dhcp_message

DHCP::Msg
Type

record

op: count

Message OP code. 1 = BOOTREQUEST, 2 = BOOTREPLY

m_type: count

The type of DHCP message.

xid: count

Transaction ID of a DHCP session.

secs: interval

Number of seconds since the client began the address acquisition or renewal process.

flags: count

ciaddr: addr

Original IP address of the client.

yiaddr: addr

IP address assigned to the client.

siaddr: addr

IP address of the server.

giaddr: addr

IP address of the relaying gateway.

chaddr: string

Client hardware address.

sname: string &default = "" &optional

Server host name.

file_n: string &default = "" &optional

Boot file name.

A DHCP message.

See also: dhcp_message

DHCP::Options
Type

record

options: index_vec &optional

The ordered list of all DHCP option numbers.

subnet_mask: addr &optional

Subnet Mask Value (option 1)

routers: DHCP::Addrs &optional

Router addresses (option 3)

dns_servers: DHCP::Addrs &optional

DNS Server addresses (option 6)

host_name: string &optional

The Hostname of the client (option 12)

domain_name: string &optional

The DNS domain name of the client (option 15)

forwarding: bool &optional

Enable/Disable IP Forwarding (option 19)

broadcast: addr &optional

Broadcast Address (option 28)

vendor: string &optional

Vendor specific data. This can frequently be unparsed binary data. (option 43)

nbns: DHCP::Addrs &optional

NETBIOS name server list (option 44)

addr_request: addr &optional

Address requested by the client (option 50)

lease: interval &optional

Lease time offered by the server. (option 51)

serv_addr: addr &optional

Server address to allow clients to distinguish between lease offers. (option 54)

param_list: index_vec &optional

DHCP Parameter Request list (option 55)

message: string &optional

Textual error message (option 56)

max_msg_size: count &optional

Maximum Message Size (option 57)

renewal_time: interval &optional

This option specifies the time interval from address assignment until the client transitions to the RENEWING state. (option 58)

rebinding_time: interval &optional

This option specifies the time interval from address assignment until the client transitions to the REBINDING state. (option 59)

vendor_class: string &optional

This option is used by DHCP clients to optionally identify the vendor type and configuration of a DHCP client. (option 60)

client_id: DHCP::ClientID &optional

DHCP Client Identifier (Option 61)

user_class: string &optional

User Class opaque value (Option 77)

client_fqdn: DHCP::ClientFQDN &optional

DHCP Client FQDN (Option 81)

sub_opt: DHCP::SubOpts &optional

DHCP Relay Agent Information Option (Option 82)

auto_config: bool &optional

Auto Config option to let host know if it’s allowed to auto assign an IP address. (Option 116)

auto_proxy_config: string &optional

URL to find a proxy.pac for auto proxy config (Option 252)

time_offset: int &optional

The offset of the client’s subnet in seconds from UTC. (Option 2)

time_servers: DHCP::Addrs &optional

A list of RFC 868 time servers available to the client. (Option 4)

name_servers: DHCP::Addrs &optional

A list of IEN 116 name servers available to the client. (Option 5)

ntp_servers: DHCP::Addrs &optional

A list of IP addresses indicating NTP servers available to the client. (Option 42)
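
Example (added here, not part of init-bare.zeek or the DHCP base scripts): a dhcp_message handler that uses DHCP::Msg and DHCP::Options to spot a rogue DHCP server, i.e. a BOOTREPLY from an unapproved address, or one pushing DNS servers outside the approved set or a proxy auto-config URL (option 252, the WPAD vector). The approved sets and names are illustrative assumptions.

```zeek
# Added example, not Zeek's own code. Approved sets and names are assumptions.
@load base/frameworks/notice

module RogueDHCP;

export {
	redef enum Notice::Type += {
		## DHCP server reply from an unapproved server address.
		Unapproved_Server,
		## DHCP server reply pushing unapproved DNS servers or a WPAD URL.
		Suspicious_Options,
	};

	const approved_servers: set[addr] = { 10.0.0.2 } &redef;
	const approved_dns: set[addr] = { 10.0.0.53, 10.0.1.53 } &redef;
}

event dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)
	{
	# Only server replies (op 2 = BOOTREPLY) carry settings worth vetting.
	if ( msg$op != 2 )
		return;

	# Broadcast replies can appear as their own connection with the server
	# as originator, so take the sender of this message rather than assuming
	# a side. When a relay rewrote the IP source, the server identifier
	# (option 54) is the better choice.
	local sender = is_orig ? c$id$orig_h : c$id$resp_h;
	local server = options?$serv_addr ? options$serv_addr : sender;

	if ( server !in approved_servers )
		NOTICE([$note=Unapproved_Server, $conn=c,
		        $msg=fmt("DHCP reply (xid %d) offering %s from unapproved server %s",
		                 msg$xid, msg$yiaddr, server),
		        $identifier=cat(server)]);

	if ( options?$dns_servers )
		for ( i in options$dns_servers )
			{
			local dns = options$dns_servers[i];
			if ( dns !in approved_dns )
				NOTICE([$note=Suspicious_Options, $conn=c,
				        $msg=fmt("server %s pushes unapproved DNS server %s", server, dns),
				        $identifier=cat(server, dns)]);
			}

	if ( options?$auto_proxy_config )
		NOTICE([$note=Suspicious_Options, $conn=c,
		        $msg=fmt("server %s pushes proxy auto-config URL %s",
		                 server, options$auto_proxy_config),
		        $identifier=cat(server, "wpad")]);
	}
```

Every option field is &optional, so each one is tested with ?$ before use; an attacker's reply frequently carries only the few options needed to redirect name resolution.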

DHCP::SubOpt
Type

record

code: count

value: string

DHCP Relay Agent Information Option (Option 82)

See also: dhcp_message

DHCP::SubOpts
Type

vector of DHCP::SubOpt

DNSStats
Type

record

requests: count

Number of DNS requests made

successful: count

Number of successful DNS replies.

failed: count

Number of DNS reply failures.

pending: count

Current pending queries.

cached_hosts: count

Number of cached hosts.

cached_addresses: count

Number of cached addresses.

cached_texts: count

Number of cached text entries.

cached_total: count

Total number of cached entries.

Statistics related to Zeek’s active use of DNS. These numbers are about Zeek performing DNS queries on its own, not traffic being seen.

See also: get_dns_stats

EncapsulatingConnVector
Type

vector of Tunnel::EncapsulatingConn

A type alias for a vector of encapsulating “connections”, i.e. for when there are tunnels within tunnels.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

EventNameCounter
Type

record

name: string &log

Name of the zeek event.

times_called: count &log

Times it was called, as counted by the event handlers.

Attributes

&log

Statistics about how many times each event name is queued.

See also: get_event_handler_stats

EventNameStats
Type

vector of EventNameCounter

EventStats
Type

record

queued: count

Total number of events queued so far.

dispatched: count

Total number of events dispatched so far.

FileAnalysisStats
Type

record

current: count

Current number of files being analyzed.

max: count

Maximum number of concurrent files so far.

cumulative: count

Cumulative number of files analyzed.

Statistics of file analysis.

See also: get_file_analysis_stats

GapStats
Type

record

ack_events: count

How many ack events could have had gaps.

ack_bytes: count

How many bytes those covered.

gap_events: count

How many of those ack events did have gaps.

gap_bytes: count

How many bytes were missing in the gaps.

Statistics about number of gaps in TCP connections.

See also: get_gap_stats

IPAddrAnonymization
Type

enum

KEEP_ORIG_ADDR
SEQUENTIALLY_NUMBERED
RANDOM_MD5
PREFIX_PRESERVING_A50
PREFIX_PRESERVING_MD5

See also: anonymize_addr

IPAddrAnonymizationClass
Type

enum

ORIG_ADDR
RESP_ADDR
OTHER_ADDR

See also: anonymize_addr

JSON::TimestampFormat
Type

enum

JSON::TS_EPOCH

Timestamps will be formatted as UNIX epoch doubles. This is the format in which Zeek typically writes out timestamps.

JSON::TS_MILLIS

Timestamps will be formatted as unsigned integers that represent the number of milliseconds since the UNIX epoch.

JSON::TS_ISO8601

Timestamps will be formatted in the ISO 8601 DateTime format. Subseconds are also included, which is not actually part of the standard, but most consumers that parse ISO 8601 seem to be able to cope with that.

KRB::AP_Options
Type

record

use_session_key: bool

Indicates that user-to-user-authentication is in use

mutual_required: bool

Mutual authentication is required

AP Options. See RFC 4120.

KRB::Error_Msg
Type

record

pvno: count &optional

Protocol version number (5 for KRB5)

msg_type: count &optional

The message type (30 for ERROR_MSG)

client_time: time &optional

Current time on the client

server_time: time &optional

Current time on the server

error_code: count

The specific error code

client_realm: string &optional

Realm of the ticket

client_name: string &optional

Name on the ticket

service_realm: string &optional

Realm of the service

service_name: string &optional

Name of the service

error_text: string &optional

Additional text to explain the error

pa_data: vector of KRB::Type_Value &optional

Optional pre-authentication data

The data from the ERROR_MSG message. See RFC 4120.

KRB::Host_Address
Type

record

ip: addr &log &optional

IPv4 or IPv6 address

netbios: string &log &optional

NetBIOS address

unknown: KRB::Type_Value &optional

Some other type that we don’t support yet

A Kerberos host address. See RFC 4120.

KRB::Host_Address_Vector
Type

vector of KRB::Host_Address

KRB::KDC_Options
Type

record

forwardable: bool

The ticket to be issued should have its forwardable flag set.

forwarded: bool

A (TGT) request for forwarding.

proxiable: bool

The ticket to be issued should have its proxiable flag set.

proxy: bool

A request for a proxy.

allow_postdate: bool

The ticket to be issued should have its may-postdate flag set.

postdated: bool

A request for a postdated ticket.

renewable: bool

The ticket to be issued should have its renewable flag set.

opt_hardware_auth: bool

Reserved for opt_hardware_auth

disable_transited_check: bool

Request that the KDC not check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT.

renewable_ok: bool

If a ticket with the requested lifetime cannot be issued, a renewable ticket is acceptable

enc_tkt_in_skey: bool

The ticket for the end server is to be encrypted in the session key from the additional TGT provided

renew: bool

The request is for a renewal

validate: bool

The request is to validate a postdated ticket.

KDC Options. See RFC 4120.

KRB::KDC_Request
Type

record

pvno: count

Protocol version number (5 for KRB5)

msg_type: count

The message type (10 for AS_REQ, 12 for TGS_REQ)

pa_data: vector of KRB::Type_Value &optional

Optional pre-authentication data

kdc_options: KRB::KDC_Options &optional

Options specified in the request

client_name: string &optional

Name on the ticket

service_realm: string &optional

Realm of the service

service_name: string &optional

Name of the service

from: time &optional

Time the ticket is good from

till: time &optional

Time the ticket is good till

rtime: time &optional

The requested renew-till time

nonce: count &optional

A random nonce generated by the client

encryption_types: vector of count &optional

The desired encryption algorithms, in order of preference

host_addrs: vector of KRB::Host_Address &optional

Any additional addresses the ticket should be valid for

additional_tickets: vector of KRB::Ticket &optional

Additional tickets may be included for certain transactions

The data from the AS_REQ and TGS_REQ messages. See RFC 4120.

KRB::KDC_Response
Type

record

pvno: count

Protocol version number (5 for KRB5)

msg_type: count

The message type (11 for AS_REP, 13 for TGS_REP)

pa_data: vector of KRB::Type_Value &optional

Optional pre-authentication data

client_realm: string &optional

Client realm on the ticket

client_name: string

Client name on the ticket

ticket: KRB::Ticket

The ticket that was issued

The data from the AS_REP and TGS_REP messages. See RFC 4120.

KRB::SAFE_Msg
Type

record

pvno: count

Protocol version number (5 for KRB5)

msg_type: count

The message type (20 for SAFE_MSG)

data: string

The application-specific data that is being passed from the sender to the receiver

timestamp: time &optional

Current time from the sender of the message

seq: count &optional

Sequence number used to detect replays

sender: KRB::Host_Address &optional

Sender address

recipient: KRB::Host_Address &optional

Recipient address

The data from the SAFE message. See RFC 4120.

KRB::Ticket
Type

record

pvno: count

Protocol version number (5 for KRB5)

realm: string

Realm

service_name: string

Name of the service

cipher: count

Cipher the ticket was encrypted with

ciphertext: string &optional

Cipher text of the ticket

authenticationinfo: string &optional

Authentication info

A Kerberos ticket. See RFC 4120.
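
Example (added here, not part of init-bare.zeek or the KRB base scripts) using KRB::KDC_Request, KRB::KDC_Response, KRB::Ticket and KRB::Error_Msg for Kerberos hygiene checks: a TGS_REQ offering only RC4-HMAC (etype 23) and no AES etype is how Kerberoasting tools request crackable tickets (legacy clients can do it too); a TGS_REP whose ticket is encrypted with etype 23 marks a service account without AES keys; and a burst of KDC_ERR_C_PRINCIPAL_UNKNOWN (6) or KDC_ERR_PREAUTH_FAILED (24) from one host suggests user enumeration or password spraying. The etype and error numbers follow RFC 4120/3961/4757; the threshold and module name are assumptions.

```zeek
# Added example, not Zeek's own code. Threshold and names are assumptions.
@load base/frameworks/notice

module KRBChecks;

export {
	redef enum Notice::Type += {
		## TGS_REQ offering RC4-HMAC but no AES encryption type.
		RC4_Only_Request,
		## Service ticket encrypted with RC4-HMAC.
		RC4_Service_Ticket,
		## Many pre-auth failures or unknown principals from one client.
		Auth_Failure_Burst,
	};

	const rc4_hmac = 23;
	const aes_etypes: set[count] = { 17, 18 };
	const failure_threshold = 20 &redef;
}

# Errors 6 and 24 per client address; the counter is dropped five minutes
# after it was created.
global failures: table[addr] of count &default=0 &create_expire=5min;

event krb_tgs_request(c: connection, msg: KRB::KDC_Request)
	{
	if ( ! msg?$encryption_types )
		return;

	local offers_rc4 = F;
	local offers_aes = F;
	for ( i in msg$encryption_types )
		{
		if ( msg$encryption_types[i] == rc4_hmac )
			offers_rc4 = T;
		if ( msg$encryption_types[i] in aes_etypes )
			offers_aes = T;
		}

	if ( offers_rc4 && ! offers_aes )
		NOTICE([$note=RC4_Only_Request, $conn=c,
		        $msg=fmt("TGS_REQ for %s from %s offers RC4 only",
		                 msg?$service_name ? msg$service_name : "<unknown>", c$id$orig_h),
		        $identifier=cat(c$id$orig_h)]);
	}

event krb_tgs_response(c: connection, msg: KRB::KDC_Response)
	{
	# The ticket's etype is chosen by the KDC from the service account's
	# keys, so RC4 here means the account has no AES keys.
	if ( msg$ticket$cipher == rc4_hmac )
		NOTICE([$note=RC4_Service_Ticket, $conn=c,
		        $msg=fmt("RC4 service ticket for %s@%s issued to %s",
		                 msg$ticket$service_name, msg$ticket$realm, msg$client_name),
		        $identifier=msg$ticket$service_name]);
	}

event krb_error(c: connection, msg: KRB::Error_Msg)
	{
	if ( msg$error_code != 6 && msg$error_code != 24 )
		return;

	local client = c$id$orig_h;
	failures[client] += 1;

	if ( failures[client] == failure_threshold )
		NOTICE([$note=Auth_Failure_Burst, $conn=c,
		        $msg=fmt("%d Kerberos errors 6/24 from %s within five minutes",
		                 failure_threshold, client),
		        $identifier=cat(client)]);
	}
```

error_code is the only non-optional field of KRB::Error_Msg, so it can be read unconditionally; everything else in these records should be guarded with ?$ as shown for encryption_types and service_name.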

KRB::Ticket_Vector
Type

vector of KRB::Ticket

KRB::Type_Value
Type

record

data_type: count

The data type

val: string

The data value

Used in a few places in the Kerberos analyzer for elements that have a type and a string value.

KRB::Type_Value_Vector
Type

vector of KRB::Type_Value

MOUNT3::dirmntargs_t
Type

record

dirname: string

Name of directory to mount

MOUNT mnt arguments.

See also: mount_proc_mnt

MOUNT3::info_t
Type

record

rpc_stat: rpc_status

The RPC status.

mnt_stat: MOUNT3::status_t

The MOUNT status.

req_start: time

The start time of the request.

req_dur: interval

The duration of the request.

req_len: count

The length in bytes of the request.

rep_start: time

The start time of the reply.

rep_dur: interval

The duration of the reply.

rep_len: count

The length in bytes of the reply.

rpc_uid: count

The user id of the reply.

rpc_gid: count

The group id of the reply.

rpc_stamp: count

The stamp of the reply.

rpc_machine_name: string

The machine name of the reply.

rpc_auxgids: index_vec

The auxiliary ids of the reply.

Record summarizing the general results and status of MOUNT3 request/reply pairs.

Note that when rpc_stat or mnt_stat indicates not successful, the reply record passed to the corresponding event will be empty and contain uninitialized fields, so don’t use it. Also note that time and duration values might not be fully accurate. For TCP, we record times when the corresponding chunk of data is delivered to the analyzer. Depending on the reassembler, this might be well after the first packet of the request was received.

MOUNT3::mnt_reply_t
Type

record

dirfh: string &optional

Dir handle

auth_flavors: vector of MOUNT3::auth_flavor_t &optional

Returned authentication flavors

MOUNT mnt reply. If the mount failed, neither field is set. If the mount succeeded, dirfh is always set and auth_flavors lists the authentication flavors the server accepts for the export.

See also: mount_proc_mnt

MQTT::ConnectAckMsg
Type

record

return_code: count

Return code from the connack message

session_present: bool

The Session present flag helps the client establish whether the Client and Server have a consistent view about whether there is already stored Session state.

MQTT::ConnectMsg
Type

record

protocol_name: string

Protocol name

protocol_version: count

Protocol version

client_id: string

Identifies the Client to the Server.

keep_alive: interval

The maximum time interval that is permitted to elapse between the point at which the Client finishes transmitting one Control Packet and the point it starts sending the next.

clean_session: bool

The clean_session flag indicates whether the server should start a clean session or resume existing session state.

will_retain: bool

Specifies if the Will Message is to be retained when it is published.

will_qos: count

Specifies the QoS level to be used when publishing the Will Message.

will_topic: string &optional

Topic to publish the Will message to.

will_msg: string &optional

The actual Will message to publish.

username: string &optional

Username to use for authentication to the server.

password: string &optional

Password to use for authentication to the server.

MQTT::PublishMsg
Type

record

dup: bool

The MQTT DUP flag: set if this PUBLISH may be a re-delivery of an earlier attempt, unset on the first attempt to deliver the message.

qos: count

Indicates what level of QoS is enabled for this message.

retain: bool

Indicates if the server should retain this message so that clients subscribing to the topic in the future will receive this message automatically.

topic: string

Name of the topic the published message is directed into.

payload: string

Payload of the published message.

payload_len: count

The actual length of the payload in the case the payload field’s contents were truncated according to MQTT::max_payload_size.
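
Example (added here, not part of init-bare.zeek or the MQTT base scripts) using MQTT::ConnectMsg and MQTT::PublishMsg. Zeek only parses MQTT that is not wrapped in TLS, so any CONNECT whose password field the analyzer filled in crossed the wire in the clear; clients publishing into the broker's $SYS/ namespace are unusual; and payload_len has to be consulted before trusting a pattern match on payload, because of MQTT::max_payload_size. The module and notice names are assumptions.

```zeek
# Added example, not Zeek's own code. Module and notice names are assumptions.
@load base/frameworks/notice

module MQTTChecks;

export {
	redef enum Notice::Type += {
		## MQTT CONNECT carrying a password in cleartext.
		Cleartext_Credentials,
		## A client published into the broker's $SYS/ topic tree.
		Client_Publish_To_SYS,
	};
}

event mqtt_connect(c: connection, msg: MQTT::ConnectMsg)
	{
	if ( ! msg?$password )
		return;

	NOTICE([$note=Cleartext_Credentials, $conn=c,
	        $msg=fmt("client id %s (user %s) sent a cleartext MQTT password to %s",
	                 msg$client_id, msg?$username ? msg$username : "<none>", c$id$resp_h),
	        $identifier=cat(c$id$orig_h, c$id$resp_h)]);
	}

event mqtt_publish(c: connection, is_orig: bool, msg_id: count, msg: MQTT::PublishMsg)
	{
	# payload is cut at MQTT::max_payload_size bytes while payload_len is
	# the size on the wire. A pattern that would have matched in the tail of
	# a long message cannot be found in a truncated payload.
	if ( msg$payload_len > |msg$payload| )
		Reporter::info(fmt("%s: MQTT payload on %s truncated from %d to %d bytes",
		                   c$uid, msg$topic, msg$payload_len, |msg$payload|));

	# Brokers publish $SYS/ statistics themselves; a client doing so is odd.
	if ( is_orig && /^\$SYS\// in msg$topic )
		NOTICE([$note=Client_Publish_To_SYS, $conn=c,
		        $msg=fmt("client %s published to %s (qos %d, retain %s)",
		                 c$id$orig_h, msg$topic, msg$qos, msg$retain),
		        $identifier=cat(c$id$orig_h, msg$topic)]);
	}
```

Raising MQTT::max_payload_size makes truncation rarer at the cost of memory per PUBLISH; the comparison above tells you when the current setting is too small for the traffic you actually see.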

MatcherStats
Type

record

matchers: count

Number of distinct RE matchers.

nfa_states: count

Number of NFA states across all matchers.

dfa_states: count

Number of DFA states across all matchers.

computed: count

Number of computed DFA state transitions.

mem: count

Number of bytes used by DFA states.

hits: count

Number of cache hits.

misses: count

Number of cache misses.

Statistics of all regular expression matchers.

See also: get_matcher_stats

ModbusCoils
Type

vector of bool

A vector of boolean values that indicate the setting for a range of modbus coils.

ModbusFileRecordRequest
Type

record

ref_type: count

file_num: count

record_num: count

record_len: count

ModbusFileRecordRequests
Type

vector of ModbusFileRecordRequest

ModbusFileRecordResponse
Type

record

file_len: count

ref_type: count

record_data: string

ModbusFileRecordResponses
Type

vector of ModbusFileRecordResponse

ModbusFileReference
Type

record

ref_type: count

file_num: count

record_num: count

record_len: count

record_data: string

ModbusFileReferences
Type

vector of ModbusFileReference

ModbusHeaders
Type

record

tid: count

Transaction identifier

pid: count

Protocol identifier

uid: count

Unit identifier (previously ‘slave address’)

function_code: count

MODBUS function code

len: count

Length of the application PDU following the header plus one byte for the uid field.

ModbusRegisters
Type

vector of count

A vector of count values that represent 16bit modbus register values.
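
Example (added here, not part of init-bare.zeek or the Modbus base scripts): a policy built on ModbusHeaders. Modbus/TCP has no authentication, so the only available control is knowing which hosts are allowed to write; write function codes from any other host, and exception responses from units, are reported. The approved host list, code set and names are assumptions.

```zeek
# Added example, not Zeek's own code. Host list, code set and names are assumptions.
@load base/frameworks/notice

module ModbusPolicy;

export {
	redef enum Notice::Type += {
		## Write function code from a host not approved to write.
		Unapproved_Write,
		## A unit answered with a Modbus exception.
		Exception_Response,
	};

	## Function codes that modify coils or registers: write single coil (5),
	## write single register (6), write multiple coils (15), write multiple
	## registers (16), mask write register (22), read/write multiple (23).
	const write_codes: set[count] = { 5, 6, 15, 16, 22, 23 } &redef;
	const approved_writers: set[addr] = { 192.168.10.5 } &redef;
}

event modbus_message(c: connection, headers: ModbusHeaders, is_orig: bool)
	{
	# Only requests carry the intent to write; responses echo the code.
	if ( ! is_orig )
		return;

	if ( headers$function_code in write_codes && c$id$orig_h !in approved_writers )
		NOTICE([$note=Unapproved_Write, $conn=c,
		        $msg=fmt("function %d to unit %d (tid %d) from unapproved %s",
		                 headers$function_code, headers$uid, headers$tid, c$id$orig_h),
		        $identifier=cat(c$id$orig_h, headers$function_code)]);
	}

event modbus_exception(c: connection, headers: ModbusHeaders, code: count)
	{
	# Exceptions to reads from an unknown host are often reconnaissance
	# (probing unit ids and address ranges); exceptions to writes are
	# failed manipulation attempts.
	NOTICE([$note=Exception_Response, $conn=c,
	        $msg=fmt("unit %d returned exception code %d for function %d (tid %d)",
	                 headers$uid, code, headers$function_code, headers$tid),
	        $identifier=cat(c$id$resp_h, code)]);
	}
```

The tid field lets you pair a request with its response when you extend this to compare the written values against the unit's reply.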

NFS3::delobj_reply_t
Type

record

dir_pre_attr: NFS3::wcc_attr_t &optional

Optional attributes associated w/ dir.

dir_post_attr: NFS3::fattr_t &optional

Optional attributes associated w/ dir.

NFS reply for remove, rmdir. Corresponds to wcc_data in the spec.

See also: nfs_proc_remove, nfs_proc_rmdir

NFS3::direntry_t
Type

record

fileid: count

E.g., inode number.

fname: string

Filename.

cookie: count

Cookie value.

attr: NFS3::fattr_t &optional

readdirplus: the fh attributes for the entry.

fh: string &optional

readdirplus: the fh for the entry

NFS direntry. fh and attr are used for readdirplus. However, even for readdirplus they may not be filled out.

See also: NFS3::direntry_vec_t, NFS3::readdir_reply_t

NFS3::direntry_vec_t
Type

vector of NFS3::direntry_t

Vector of NFS direntry.

See also: NFS3::readdir_reply_t

NFS3::diropargs_t
Type

record

dirfh: string

The file handle of the directory.

fname: string

The name of the file we are interested in.

NFS directory operation arguments: a directory file handle plus a file name within that directory. Used by lookup, remove and rmdir.

See also: nfs_proc_lookup, nfs_proc_remove, nfs_proc_rmdir

NFS3::fattr_t
Type

record

ftype: NFS3::file_type_t

File type.

mode: count

Mode

nlink: count

Number of links.

uid: count

User ID.

gid: count

Group ID.

size: count

Size.

used: count

TODO.

rdev1: count

TODO.

rdev2: count

TODO.

fsid: count

TODO.

fileid: count

TODO.

atime: time

Time of last access.

mtime: time

Time of last modification.

ctime: time

Time of last status change (attribute modification). Despite the name this is not the creation time.

NFS file attributes. Field names are based on RFC 1813.

See also: nfs_proc_getattr

NFS3::fsstat_t
Type

record

attrs: NFS3::fattr_t &optional

Attributes.

tbytes: double

TODO.

fbytes: double

TODO.

abytes: double

TODO.

tfiles: double

TODO.

ffiles: double

TODO.

afiles: double

TODO.

invarsec: interval

TODO.

NFS fsstat.

NFS3::info_t
Type

record

rpc_stat: rpc_status

The RPC status.

nfs_stat: NFS3::status_t

The NFS status.

req_start: time

The start time of the request.

req_dur: interval

The duration of the request.

req_len: count

The length in bytes of the request.

rep_start: time

The start time of the reply.

rep_dur: interval

The duration of the reply.

rep_len: count

The length in bytes of the reply.

rpc_uid: count

The user id of the reply.

rpc_gid: count

The group id of the reply.

rpc_stamp: count

The stamp of the reply.

rpc_machine_name: string

The machine name of the reply.

rpc_auxgids: index_vec

The auxiliary ids of the reply.

Record summarizing the general results and status of NFSv3 request/reply pairs.

Note that when rpc_stat or nfs_stat indicates not successful, the reply record passed to the corresponding event will be empty and contain uninitialized fields, so don’t use it. Also note that time and duration values might not be fully accurate. For TCP, we record times when the corresponding chunk of data is delivered to the analyzer. Depending on the reassembler, this might be well after the first packet of the request was received.

See also: nfs_proc_create, nfs_proc_getattr, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_not_implemented, nfs_proc_null, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rmdir, nfs_proc_write, nfs_reply_status
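
Example (added here, not part of init-bare.zeek or the NFS base scripts): procedure handlers that use NFS3::info_t the way the note above requires. Reply records are read only when both rpc_stat and nfs_stat signal success; NFS3ERR_ACCES replies are counted per client as a permission-probing indicator; and requests whose AUTH_SYS credential claims uid 0 from a host not expected to do so are reported, since AUTH_SYS identities are asserted by the client and trivially forged. Caveat: info_t does not carry the credential flavor, so uid 0 from an AUTH_NULL request looks the same here. The host list, threshold and names are assumptions.

```zeek
# Added example, not Zeek's own code. Host list, threshold and names are assumptions.
@load base/frameworks/notice

module NFSChecks;

export {
	redef enum Notice::Type += {
		## NFS request claiming uid 0 from a host not on the root list.
		Root_Request,
		## Many NFS3ERR_ACCES replies to one client.
		Access_Denied_Burst,
	};

	const root_allowed: set[addr] = { 10.0.0.10 } &redef;
	const acces_threshold = 50 &redef;
}

global denied: table[addr] of count &default=0 &create_expire=10min;

# T only when the reply record passed alongside info may be used.
function reply_usable(info: NFS3::info_t): bool
	{
	return info$rpc_stat == RPC_SUCCESS && info$nfs_stat == NFS3::NFS3ERR_OK;
	}

# Credential and status checks shared by all procedure handlers.
function inspect(c: connection, info: NFS3::info_t, what: string)
	{
	local client = c$id$orig_h;

	if ( info$rpc_uid == 0 && client !in root_allowed )
		NOTICE([$note=Root_Request, $conn=c,
		        $msg=fmt("%s with uid 0 (machine name %s) from %s",
		                 what, info$rpc_machine_name, client),
		        $identifier=cat(client, what)]);

	# nfs_stat is only meaningful when the RPC layer itself succeeded.
	if ( info$rpc_stat == RPC_SUCCESS && info$nfs_stat == NFS3::NFS3ERR_ACCES )
		{
		denied[client] += 1;
		if ( denied[client] == acces_threshold )
			NOTICE([$note=Access_Denied_Burst, $conn=c,
			        $msg=fmt("%d NFS access-denied replies to %s within ten minutes",
			                 acces_threshold, client),
			        $identifier=cat(client)]);
		}
	}

event nfs_proc_lookup(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::lookup_reply_t)
	{
	inspect(c, info, fmt("LOOKUP %s", req$fname));

	# rep is uninitialized on failure and obj_attr is optional even on
	# success, so both are checked before reading the mode bits
	# (bit 0x2 of the POSIX mode is world-writable).
	if ( reply_usable(info) && rep?$obj_attr && (rep$obj_attr$mode & 2) != 0 )
		Reporter::info(fmt("%s: %s is world-writable (mode %d)", c$uid, req$fname, rep$obj_attr$mode));
	}

event nfs_proc_write(c: connection, info: NFS3::info_t, req: NFS3::writeargs_t, rep: NFS3::write_reply_t)
	{
	inspect(c, info, fmt("WRITE %d bytes at offset %d", req$size, req$offset));
	}
```

The same inspect() helper can be called from the other nfs_proc_* handlers listed above; each only differs in the request record it formats.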

Type

record

post_attr: NFS3::fattr_t &optional

Optional post-operation attributes of the file system object identified by file.

preattr: NFS3::wcc_attr_t &optional

Optional attributes associated w/ file.

postattr: NFS3::fattr_t &optional

Optional attributes associated w/ file.

NFS link reply.

See also: nfs_proc_link

NFS3::linkargs_t
Type

record

fh: string

The file handle for the existing file system object.

link: NFS3::diropargs_t

The location of the link to be created.

NFS link arguments.

See also: nfs_proc_link

NFS3::lookup_reply_t
Type

record

fh: string &optional

File handle of object looked up.

obj_attr: NFS3::fattr_t &optional

Optional attributes associated w/ file

dir_attr: NFS3::fattr_t &optional

Optional attributes associated w/ dir.

NFS lookup reply. If the lookup failed, dir_attr may be set. If the lookup succeeded, fh is always set and obj_attr and dir_attr may be set.

See also: nfs_proc_lookup

NFS3::newobj_reply_t
Type

record

fh: string &optional

File handle of object created.

obj_attr: NFS3::fattr_t &optional

Optional attributes associated w/ new object.

dir_pre_attr: NFS3::wcc_attr_t &optional

Optional attributes associated w/ dir.

dir_post_attr: NFS3::fattr_t &optional

Optional attributes associated w/ dir.

NFS reply for create, mkdir, and symlink. If the proc failed, dir_*_attr may be set. If the proc succeeded, fh and the attr’s may be set. Note: no guarantee that fh is set after success.

See also: nfs_proc_create, nfs_proc_mkdir

NFS3::read_reply_t
Type

record

attr: NFS3::fattr_t &optional

Attributes.

size: count &optional

Number of bytes read.

eof: bool &optional

Did the read end at EOF?

data: string &optional

The actual data; not yet implemented.

NFS read reply. If the read fails, attr may be set. If the read succeeds, attr may be set and all other fields are set.

NFS3::readargs_t
Type

record

fh: string

File handle to read from.

offset: count

Offset in file.

size: count

Number of bytes to read.

NFS read arguments.

See also: nfs_proc_read

NFS3::readdir_reply_t
Type

record

isplus: bool

True if the reply for a readdirplus request.

dir_attr: NFS3::fattr_t &optional

Directory attributes.

cookieverf: count &optional

TODO.

entries: NFS3::direntry_vec_t &optional

Returned directory entries.

eof: bool

If true, no more entries in directory.

NFS readdir reply. Used for readdir and readdirplus. If an error is returned, dir_attr might be set. On success, dir_attr may be set and all other fields must be set.

NFS3::readdirargs_t
Type

record

isplus: bool

Is this a readdirplus request?

dirfh: string

The directory filehandle.

cookie: count

Cookie / pos in dir; 0 for first call.

cookieverf: count

The cookie verifier.

dircount: count

“count” field for readdir; maxcount otherwise (in bytes).

maxcount: count &optional

Only used for readdirplus. in bytes.

NFS readdir arguments. Used for both readdir and readdirplus.

See also: nfs_proc_readdir

Type

record

attr: NFS3::fattr_t &optional

Attributes.

nfspath: string &optional

Contents of the symlink; in general a pathname as text.

NFS readlink reply. If the request fails, attr may be set. If the request succeeds, attr may be set and all other fields are set.

See also: nfs_proc_readlink

NFS3::renameobj_reply_t
Type

record

src_dir_pre_attr: NFS3::wcc_attr_t

src_dir_post_attr: NFS3::fattr_t

dst_dir_pre_attr: NFS3::wcc_attr_t

dst_dir_post_attr: NFS3::fattr_t

NFS reply for rename. Corresponds to wcc_data in the spec.

See also: nfs_proc_rename

NFS3::renameopargs_t
Type

record

src_dirfh: string

src_fname: string

dst_dirfh: string

dst_fname: string

NFS rename arguments.

See also: nfs_proc_rename

NFS3::sattr_reply_t
Type

record

dir_pre_attr: NFS3::wcc_attr_t &optional

Optional attributes associated w/ dir.

dir_post_attr: NFS3::fattr_t &optional

Optional attributes associated w/ dir.

NFS sattr reply. If the request fails, pre|post attr may be set. If the request succeeds, pre|post attr are set.

NFS3::sattr_t
Type

record

mode: count &optional

Mode

uid: count &optional

User ID.

gid: count &optional

Group ID.

size: count &optional

Size.

atime: NFS3::time_how_t &optional

Time of last access.

mtime: NFS3::time_how_t &optional

Time of last modification.

NFS file attributes. Field names are based on RFC 1813.

See also: nfs_proc_sattr

NFS3::sattrargs_t
Type

record

fh: string

The file handle for the existing file system object.

new_attributes: NFS3::sattr_t

The new attributes for the file.

NFS sattr arguments.

See also: nfs_proc_sattr

NFS3::symlinkargs_t
Type

record

link: NFS3::diropargs_t

The location of the link to be created.

symlinkdata: NFS3::symlinkdata_t

The symbolic link to be created.

NFS symlink arguments.

See also: nfs_proc_symlink

NFS3::symlinkdata_t
Type

record

symlink_attributes: NFS3::sattr_t

The initial attributes for the symbolic link

nfspath: string &optional

The string containing the symbolic link data.

NFS symlinkdata attributes. Field names are based on RFC 1813

See also: nfs_proc_symlink

NFS3::wcc_attr_t
Type

record

size: count

The size.

atime: time

Access time.

mtime: time

Modification time.

NFS wcc attributes.

See also: NFS3::write_reply_t

NFS3::write_reply_t
Type

record

preattr: NFS3::wcc_attr_t &optional

Pre operation attributes.

postattr: NFS3::fattr_t &optional

Post operation attributes.

size: count &optional

Size.

commited: NFS3::stable_how_t &optional

TODO.

verf: count &optional

Write verifier cookie.

NFS write reply. If the request fails, pre|post attr may be set. If the request succeeds, pre|post attr may be set and all other fields are set.

See also: nfs_proc_write

NFS3::writeargs_t
Type

record

fh: string

File handle to write to.

offset: count

Offset in file.

size: count

Number of bytes to write.

stable: NFS3::stable_how_t

How and when data is committed.

data: string &optional

The actual data; not implemented yet.

NFS write arguments.

See also: nfs_proc_write

NTLM::AVs
Type

record

nb_computer_name: string

The server’s NetBIOS computer name

nb_domain_name: string

The server’s NetBIOS domain name

dns_computer_name: string &optional

The FQDN of the computer

dns_domain_name: string &optional

The FQDN of the domain

dns_tree_name: string &optional

The FQDN of the forest

constrained_auth: bool &optional

Indicates to the client that the account authentication is constrained

timestamp: time &optional

The associated timestamp, if present

single_host_id: count &optional

Indicates that the client is providing a machine ID created at computer startup to identify the calling machine

target_name: string &optional

The SPN of the target server

NTLM::Authenticate
Type

record

flags: NTLM::NegotiateFlags

The negotiate flags

domain_name: string &optional

The domain or computer name hosting the account

user_name: string &optional

The name of the user to be authenticated.

workstation: string &optional

The name of the computer to which the user was logged on.

session_key: string &optional

The session key

version: NTLM::Version &optional

The Windows version information, if supplied

response: string &optional

The client’s response for the challenge

NTLM::Challenge
Type

record

flags: NTLM::NegotiateFlags

The negotiate flags

challenge: count

A 64-bit value that contains the NTLM challenge.

target_name: string &optional

The server authentication realm. If the server is domain-joined, the name of the domain. Otherwise the server name. See flags.target_type_domain and flags.target_type_server

version: NTLM::Version &optional

The Windows version information, if supplied

target_info: NTLM::AVs &optional

Attribute-value pairs specified by the server

NTLM::Negotiate
Type

record

flags: NTLM::NegotiateFlags

The negotiate flags

domain_name: string &optional

The domain name of the client, if known

workstation: string &optional

The machine name of the client, if known

version: NTLM::Version &optional

The Windows version information, if supplied

NTLM::NegotiateFlags
Type

record

negotiate_56: bool

If set, requires 56-bit encryption

negotiate_key_exch: bool

If set, requests an explicit key exchange

negotiate_128: bool

If set, requests 128-bit session key negotiation

negotiate_version: bool

If set, requests the protocol version number

negotiate_target_info: bool

If set, indicates that the TargetInfo fields in the CHALLENGE_MESSAGE are populated

request_non_nt_session_key: bool

If set, requests the usage of the LMOWF function

negotiate_identify: bool

If set, requests an identify level token

negotiate_extended_sessionsecurity: bool

If set, requests usage of NTLM v2 session security. Note: NTLM v2 session security is actually NTLM v1.

target_type_server: bool

If set, TargetName must be a server name

target_type_domain: bool

If set, TargetName must be a domain name

negotiate_always_sign: bool

If set, requests the presence of a signature block on all messages

negotiate_oem_workstation_supplied: bool

If set, the workstation name is provided

negotiate_oem_domain_supplied: bool

If set, the domain name is provided

negotiate_anonymous_connection: bool

If set, the connection should be anonymous

negotiate_ntlm: bool

If set, requests usage of NTLM v1

negotiate_lm_key: bool

If set, requests LAN Manager session key computation

negotiate_datagram: bool

If set, requests connectionless authentication

negotiate_seal: bool

If set, requests session key negotiation for message confidentiality

negotiate_sign: bool

If set, requests session key negotiation for message signatures

request_target: bool

If set, the TargetName field is present

negotiate_oem: bool

If set, requests OEM character set encoding

negotiate_unicode: bool

If set, requests Unicode character set encoding

NTLM::Version
Type

record

major: count

The major version of the Windows operating system in use

minor: count

The minor version of the Windows operating system in use

build: count

The build number of the Windows operating system in use

ntlmssp: count

The current revision of NTLMSSP in use
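The NTLM::Challenge and NTLM::Authenticate records above arrive in separate events, so a script that wants to report which client flags were negotiated against which server has to correlate the two per connection. The following Zeek script is an added example, not code from this page or from the Zeek project: it keeps the server's Challenge on the connection until the client's Authenticate arrives, then raises a notice when the Authenticate flags request NTLM v1 (negotiate_ntlm) without extended session security (negotiate_extended_sessionsecurity), using the target_info or target_name from the Challenge for context. It assumes the event signatures ntlm_challenge(c, challenge) and ntlm_authenticate(c, request) of Zeek's NTLM analyzer; the module name, the notice type and the ntlm_audit_challenge connection field are names chosen for this example.

```zeek
@load base/frameworks/notice
@load base/protocols/ntlm

module NTLMAudit;

export {
    redef enum Notice::Type += {
        ## Client authenticated with NTLM v1 flags and no extended session security.
        Legacy_NTLMv1_Session_Security,
    };
}

# Per-connection scratch: the server's Challenge is kept until the client's
# Authenticate arrives. Hypothetical field name, added only for this example.
redef record connection += {
    ntlm_audit_challenge: NTLM::Challenge &optional;
};

event ntlm_challenge(c: connection, challenge: NTLM::Challenge)
    {
    c$ntlm_audit_challenge = challenge;
    }

event ntlm_authenticate(c: connection, request: NTLM::Authenticate)
    {
    local f = request$flags;

    # negotiate_ntlm requests NTLM v1; negotiate_extended_sessionsecurity
    # upgrades it to "NTLM v2 session security" (still NTLM v1 per the field docs).
    # Only the combination "v1 requested, no extended security" is reported.
    if ( ! f$negotiate_ntlm || f$negotiate_extended_sessionsecurity )
        return;

    # All of these Authenticate fields are &optional, so test presence first.
    local who = request?$user_name ? request$user_name : "<unknown>";
    local dom = request?$domain_name ? request$domain_name : "<unknown>";
    local target = "<no challenge seen>";

    if ( c?$ntlm_audit_challenge )
        {
        local ch = c$ntlm_audit_challenge;
        # Prefer the FQDN from the AV pairs; fall back to the realm in target_name.
        if ( ch?$target_info && ch$target_info?$dns_computer_name )
            target = ch$target_info$dns_computer_name;
        else if ( ch?$target_name )
            target = ch$target_name;
        }

    NOTICE([$note=Legacy_NTLMv1_Session_Security,
            $conn=c,
            $msg=fmt("%s\\%s authenticated to %s with NTLM v1 flags and no extended session security",
                     dom, who, target),
            # Suppress repeats per client/target pair using the notice framework's identifier.
            $identifier=cat(c$id$orig_h, target)]);
    }
```

The flags alone do not tell you whether the client actually sent an NTLMv2 response (that is decided by the response data, not by the negotiate flags), which is why the notice names the flag combination rather than claiming an NTLMv1 hash was exchanged.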

NTP::ControlMessage
Type

record

op_code: count

An integer specifying the command function. Values currently defined:

  • 1 read status command/response

  • 2 read variables command/response

  • 3 write variables command/response

  • 4 read clock variables command/response

  • 5 write clock variables command/response

  • 6 set trap address/port command/response

  • 7 trap response

Other values are reserved.

resp_bit: bool

The response bit. Set to zero for commands, one for responses.

err_bit: bool

The error bit. Set to zero for normal response, one for error response.

more_bit: bool

The more bit. Set to zero for last fragment, one for all others.

sequence: count

The sequence number of the command or response.

status: count

The current status of the system, peer or clock.

association_id: count

A 16-bit integer identifying a valid association.

data: string &optional

Message data for the command or response + Authenticator (optional).

key_id: count &optional

This is an integer identifying the cryptographic key used to generate the message-authentication code.

crypto_checksum: string &optional

This is a crypto-checksum computed by the encryption procedure.

NTP control message as defined in RFC 1119 for mode 6. This record contains the fields used by the NTP protocol for control operations.

NTP::Message
Type

record

version: count

The NTP version number (1, 2, 3, 4).

mode: count

The NTP mode being used. Possible values are:

  • 1 - symmetric active

  • 2 - symmetric passive

  • 3 - client

  • 4 - server

  • 5 - broadcast

  • 6 - NTP control message

  • 7 - reserved for private use

std_msg: NTP::StandardMessage &optional

If mode 1-5, the standard fields for synchronization operations are here. See RFC 5905

control_msg: NTP::ControlMessage &optional

If mode 6, the fields for control operations are here. See RFC 1119

mode7_msg: NTP::Mode7Message &optional

If mode 7, the fields for extra operations are here. Note that this is not defined in any RFC and is implementation dependent; the parser follows the official implementation from the NTP project. A mode 7 packet is used for exchanging data between an NTP server and a client for purposes other than time synchronization, e.g. monitoring, statistics gathering and configuration.

NTP message as defined in RFC 5905. It also includes fields for mode 7, which RFC 5905 reserves for private use but which some implementations use for commands such as “monlist”.

NTP::Mode7Message
Type

record

req_code: count

An implementation-specific code which specifies the operation to be (which has been) performed and/or the format and semantics of the data included in the packet.

auth_bit: bool

The authenticated bit. If set, this packet is authenticated.

sequence: count

For a multipacket response, contains the sequence number of this packet. 0 is the first in the sequence, 127 (or less) is the last. The More Bit must be set in all packets but the last.

implementation: count

The number of the implementation this request code is defined by. An implementation number of zero is used for request codes/data formats which all implementations agree on. Implementation number 255 is reserved (for extensions, in case we run out).

err: count

Must be 0 for a request. For a response, holds an error code relating to the request. If nonzero, the operation requested wasn’t performed.

  • 0 - no error

  • 1 - incompatible implementation number

  • 2 - unimplemented request code

  • 3 - format error (wrong data items, data size, packet size etc.)

  • 4 - no data available (e.g. request for details on unknown peer)

  • 5 - unknown

  • 6 - unknown

  • 7 - authentication failure (i.e. permission denied)

data: string &optional

Rest of data

NTP mode 7 message. Note that this is not defined in any RFC and is implementation dependent; the parser follows the official implementation from the NTP project. A mode 7 packet is used for exchanging data between an NTP server and a client for purposes other than time synchronization, e.g. monitoring, statistics gathering and configuration. For details see the documentation from the NTP official project, code v. ntp-4.2.8p13, in include/ntp_request.h.

NTP::StandardMessage
Type

record

stratum: count

This value mainly identifies the type of server (primary server, secondary server, etc.). Possible values, as in RFC 5905, are:

  • 0 -> unspecified or invalid

  • 1 -> primary server (e.g., equipped with a GPS receiver)

  • 2-15 -> secondary server (via NTP)

  • 16 -> unsynchronized

  • 17-255 -> reserved

For stratum 0, a kiss_code can be given for debugging and monitoring.

poll: interval

The maximum interval between successive messages.

precision: interval

The precision of the system clock.

root_delay: interval

Root delay. The total round-trip delay to the reference clock.

root_disp: interval

Root Dispersion. The total dispersion to the reference clock.

kiss_code: string &optional

For stratum 0, four-character ASCII string used for debugging and monitoring. Values are defined in RFC 1345.

ref_id: string &optional

Reference ID. For stratum 1, this is the ID assigned to the reference clock by IANA. For example: GOES, GPS, GAL, etc. (see RFC 5905)

ref_addr: addr &optional

Above stratum 1, when using IPv4, the IP address of the reference clock. Note that the NTP protocol did not originally specify a large enough field to represent IPv6 addresses, so they use the first four bytes of the MD5 hash of the reference clock’s IPv6 address (i.e. an IPv4 address here is not necessarily IPv4).

ref_time: time

Reference timestamp. Time when the system clock was last set or correct.

org_time: time

Origin timestamp. Time at the client when the request departed for the NTP server.

rec_time: time

Receive timestamp. Time at the server when the request arrived from the NTP client.

xmt_time: time

Transmit timestamp. Time at the server when the response departed

key_id: count &optional

Key used to designate a secret MD5 key.

digest: string &optional

MD5 hash computed over the key followed by the NTP packet header and extension fields.

num_exts: count &default = 0 &optional

Number of extension fields (which are not currently parsed).

NTP standard message as defined in RFC 5905 for modes 1-5. This record contains the standard fields used by the NTP protocol for standard synchronization operations.
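The NTP::Message record above dispatches on mode: modes 1-5 fill std_msg, mode 6 fills control_msg and mode 7 fills mode7_msg. Mode 6 and 7 traffic is management traffic rather than time synchronization, so on most networks a request in either mode is worth a notice, and the sub-record tells you which operation was requested. The script below is an added example, not code from this page or the Zeek project: it handles the ntp_message event (assumed signature ntp_message(c, is_orig, msg) from Zeek's NTP analyzer), ignores the time-sync modes, and reports mode 6 requests with their op_code and mode 7 requests with their implementation number and req_code. The module and notice names are chosen for this example.

```zeek
@load base/frameworks/notice
@load base/protocols/ntp

module NTPAudit;

export {
    redef enum Notice::Type += {
        ## A mode 6 (control) or mode 7 (private, e.g. monlist) NTP request was seen.
        Management_Request,
    };
}

# Mode numbers as listed in the NTP::Message field documentation.
const MODE_CONTROL: count = 6;
const MODE_PRIVATE: count = 7;

event ntp_message(c: connection, is_orig: bool, msg: NTP::Message)
    {
    # For UDP the originator is whoever sent the first datagram of the flow;
    # only that side's messages are treated as requests here.
    if ( ! is_orig )
        return;

    if ( msg$mode != MODE_CONTROL && msg$mode != MODE_PRIVATE )
        return;

    local detail: string;

    # The per-mode sub-records are &optional: check presence before use.
    if ( msg$mode == MODE_CONTROL && msg?$control_msg )
        {
        local cm = msg$control_msg;
        # resp_bit is F for commands, so a request with it set is itself odd.
        detail = fmt("mode 6 op_code=%d seq=%d resp_bit=%s",
                     cm$op_code, cm$sequence, cm$resp_bit);
        }
    else if ( msg$mode == MODE_PRIVATE && msg?$mode7_msg )
        {
        local m7 = msg$mode7_msg;
        # implementation 0 means "all implementations agree"; err must be 0 in a request.
        detail = fmt("mode 7 impl=%d req_code=%d auth=%s err=%d",
                     m7$implementation, m7$req_code, m7$auth_bit, m7$err);
        }
    else
        detail = fmt("mode %d (payload not parsed)", msg$mode);

    NOTICE([$note=Management_Request,
            $conn=c,
            $msg=fmt("NTP management request from %s to %s: %s",
                     c$id$orig_h, c$id$resp_h, detail),
            # One notice per client/server/mode triple.
            $identifier=cat(c$id$orig_h, c$id$resp_h, msg$mode)]);
    }
```

Because mode 7 request codes are implementation specific, the example reports the raw req_code rather than naming it; mapping codes to names (such as the monlist command mentioned above) requires the table from the NTP project's include/ntp_request.h referenced in the NTP::Mode7Message description.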

NetStats
Type

record

pkts_recvd: count &default = 0 &optional

Packets received by Zeek.

pkts_dropped: count &default = 0 &optional

Packets reported dropped by the system.

pkts_link: count &default = 0 &optional

Packets seen on the link. Note that this may differ from pkts_recvd because of a potential capture_filter. See base/frameworks/packet-filter/main.zeek. Depending on the packet capture system, this value may not be available and will then be always set to zero.

bytes_recvd: count &default = 0 &optional

Bytes received by Zeek.

pkts_filtered: count &optional

Packets filtered by the packet source.

Packet capture statistics. All counts are cumulative.

See also: get_net_stats

PE::DOSHeader
Type

record

signature: string

The magic number of a portable executable file (“MZ”).

used_bytes_in_last_page: count

The number of bytes in the last page that are used.

file_in_pages: count

The number of pages in the file that are part of the PE file itself.

num_reloc_items: count

Number of relocation entries stored after the header.

header_in_paragraphs: count

Number of paragraphs in the header.

min_extra_paragraphs: count

Number of paragraphs of additional memory that the program will need.

max_extra_paragraphs: count

Maximum number of paragraphs of additional memory.

init_relative_ss: count

Relative value of the stack segment.

init_sp: count

Initial value of the SP register.

checksum: count

Checksum. The 16-bit sum of all words in the file should be 0. Normally not set.

init_ip: count

Initial value of the IP register.

init_relative_cs: count

Initial value of the CS register (relative to the initial segment).

addr_of_reloc_table: count

Offset of the first relocation table.

overlay_num: count

Overlays allow you to append data to the end of the file. If this is the main program, this will be 0.

oem_id: count

OEM identifier.

oem_info: count

Additional OEM info, specific to oem_id.

addr_of_new_exe_header: count

Address of the new EXE header.

PE::FileHeader
Type

record

machine: count

The target machine that the file was compiled for.

ts: time

The time that the file was created at.

sym_table_ptr: count

Pointer to the symbol table.

num_syms: count

Number of symbols.

optional_header_size: count

The size of the optional header.

characteristics: set [count]

Bit flags that determine if this file is executable, non-relocatable, and/or a DLL.

PE::OptionalHeader
Type

record

magic: count

PE32 or PE32+ indicator.

major_linker_version: count

The major version of the linker used to create the PE.

minor_linker_version: count

The minor version of the linker used to create the PE.

size_of_code: count

Size of the .text section.

size_of_init_data: count

Size of the .data section.

size_of_uninit_data: count

Size of the .bss section.

addr_of_entry_point: count

The relative virtual address (RVA) of the entry point.

base_of_code: count

The relative virtual address (RVA) of the .text section.

base_of_data: count &optional

The relative virtual address (RVA) of the .data section.

image_base: count

Preferred memory location for the image to be based at.

section_alignment: count

The alignment (in bytes) of sections when they’re loaded in memory.

file_alignment: count

The alignment (in bytes) of the raw data of sections.

os_version_major: count

The major version of the required OS.

os_version_minor: count

The minor version of the required OS.

major_image_version: count

The major version of this image.

minor_image_version: count

The minor version of this image.

major_subsys_version: count

The major version of the subsystem required to run this file.

minor_subsys_version: count

The minor version of the subsystem required to run this file.

size_of_image: count

The size (in bytes) of the image as the image is loaded in memory.

size_of_headers: count

The size (in bytes) of the headers, rounded up to file_alignment.

checksum: count

The image file checksum.

subsystem: count

The subsystem that’s required to run this image.

dll_characteristics: set [count]

Bit flags that determine how to execute or load this file.

table_sizes: vector of count

A vector with the sizes of various tables and strings that are defined in the optional header data directories. Examples include the import table, the resource table, and debug information.

PE::SectionHeader
Type

record

name: string

The name of the section

virtual_size: count

The total size of the section when loaded into memory.

virtual_addr: count

The relative virtual address (RVA) of the section.

size_of_raw_data: count

The size of the initialized data for the section, as it is in the file on disk.

ptr_to_raw_data: count

The virtual address of the initialized data for the section, as it is in the file on disk.

ptr_to_relocs: count

The file pointer to the beginning of relocation entries for the section.

ptr_to_line_nums: count

The file pointer to the beginning of line-number entries for the section.

num_of_relocs: count

The number of relocation entries for the section.

num_of_line_nums: count

The number of line-number entries for the section.

characteristics: set [count]

Bit-flags that describe the characteristics of the section.

Record for Portable Executable (PE) section headers.
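The PE::OptionalHeader and PE::SectionHeader records above give the two pieces needed for a basic structural sanity check of an executable: addr_of_entry_point is an RVA, and each section occupies the RVA range [virtual_addr, virtual_addr + virtual_size) once loaded. An entry point that falls inside no section is a malformed or deliberately unusual binary. The script below is an added example, not code from this page or from the Zeek project: it records the entry point when the optional header is parsed, marks it as covered when a section header containing it arrives, and raises a notice at file teardown if no section covered it. It assumes the event signatures pe_optional_header(f, h), pe_section_header(f, h) and file_state_remove(f) from Zeek's PE analyzer and file framework; the module, type and notice names are chosen for this example.

```zeek
@load base/frameworks/notice
@load base/files/pe

module PEAudit;

export {
    redef enum Notice::Type += {
        ## The PE entry point RVA does not fall inside any section header.
        Entry_Point_Outside_Sections,
    };
}

# Per-file bookkeeping keyed by the file analysis id (hypothetical type name):
# the entry point RVA from the optional header and whether a section covered it.
type EntryState: record {
    entry_rva: count;
    covered:   bool &default=F;
};

# Entries expire in case file_state_remove is never seen for a file.
global pe_entries: table[string] of EntryState &create_expire=5min;

event pe_optional_header(f: fa_file, h: PE::OptionalHeader)
    {
    pe_entries[f$id] = EntryState($entry_rva=h$addr_of_entry_point);
    }

event pe_section_header(f: fa_file, h: PE::SectionHeader)
    {
    if ( f$id !in pe_entries )
        return;

    # Records are reference types, so updating st updates the table entry.
    local st = pe_entries[f$id];

    # Section RVA range when loaded: [virtual_addr, virtual_addr + virtual_size).
    if ( st$entry_rva >= h$virtual_addr &&
         st$entry_rva < h$virtual_addr + h$virtual_size )
        st$covered = T;
    }

event file_state_remove(f: fa_file)
    {
    if ( f$id !in pe_entries )
        return;

    local st = pe_entries[f$id];

    # An entry point of 0 is legitimate for images without one (e.g. resource-only
    # DLLs), so only a non-zero, uncovered entry point is reported.
    if ( ! st$covered && st$entry_rva != 0 )
        NOTICE([$note=Entry_Point_Outside_Sections,
                $f=f,
                $msg=fmt("PE entry point RVA 0x%x is not inside any section", st$entry_rva)]);

    delete pe_entries[f$id];
    }
```

The check relies on the section headers being delivered after the optional header, which matches the on-disk order of the headers; if the file is truncated before the section table, no section is seen and the notice will fire, which is itself a useful signal about the sample.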

PacketSource
Type

record

live: bool

Whether the packet source is a live interface or offline pcap file.

path: string

The interface name for a live interface or filesystem path of an offline pcap file.

link_type: int

The data link-layer type of the packet source.

netmask: count

The netmask associated with the source or NETMASK_UNKNOWN.

Properties of an I/O packet source being read by Zeek.

Pcap::Interface
Type

record

name: string

The interface/device name.

description: string &optional

A human-readable description of the device.

addrs: set [addr]

The network addresses associated with the device.

is_loopback: bool

Whether the device is a loopback interface. E.g. addresses of 127.0.0.1 or [::1] are used by loopback interfaces.

is_up: bool &optional

Whether the device is up. Not set when that info is unavailable.

is_running: bool &optional

Whether the device is running. Not set when that info is unavailable.

The definition of a “pcap interface”.

Pcap::Interfaces
Type

set [Pcap::Interface]

Pcap::filter_state
Type

enum

Pcap::ok
Pcap::fatal
Pcap::warning

The state of the compilation for a pcap filter.

PcapFilterID
Type

enum

None
PacketFilter::DefaultPcapFilter

(present if base/frameworks/packet-filter/main.zeek is loaded)

PacketFilter::FilterTester

(present if base/frameworks/packet-filter/main.zeek is loaded)

Enum type identifying dynamic BPF filters. These are used by Pcap::precompile_pcap_filter and Pcap::install_pcap_filter.

ProcStats
Type

record

debug: bool

True if compiled with --enable-debug.

start_time: time

Start time of process.

real_time: interval

Elapsed real time since Zeek started running.

user_time: interval

User CPU seconds.

system_time: interval

System CPU seconds.

mem: count

Maximum memory consumed, in bytes.

minor_faults: count

Page faults not requiring actual I/O.

major_faults: count

Page faults requiring actual I/O.

num_swap: count

Times swapped out.

blocking_input: count

Blocking input operations.

blocking_output: count

Blocking output operations.

num_context: count

Number of involuntary context switches.

Statistics about Zeek’s process.

See also: get_proc_stats

Note

All process-level values refer to Zeek’s main process only, not to the child process it spawns for doing communication.

RADIUS::AttributeList
Type

vector of string

RADIUS::Attributes
Type

table [count] of RADIUS::AttributeList

RADIUS::Message
Type

record

code: count

The type of message (Access-Request, Access-Accept, etc.).

trans_id: count

The transaction ID.

authenticator: string

The “authenticator” string.

attributes: RADIUS::Attributes &optional

Any attributes.

RDP::ClientChannelDef
Type

record

name: string

A unique name for the channel

options: count

Channel Def raw options as count

initialized: bool

Absence of this flag indicates that this channel is a placeholder and that the server MUST NOT set it up.

encrypt_rdp: bool

Unused, must be ignored by the server.

encrypt_sc: bool

Unused, must be ignored by the server.

encrypt_cs: bool

Unused, must be ignored by the server.

pri_high: bool

Channel data must be sent with high MCS priority.

pri_med: bool

Channel data must be sent with medium MCS priority.

pri_low: bool

Channel data must be sent with low MCS priority.

compress_rdp: bool

Virtual channel data must be compressed if RDP data is being compressed.

compress: bool

Virtual channel data must be compressed.

show_protocol: bool

Ignored by the server.

persistent: bool

Channel must be persistent across remote control transactions.

Name and flags for a single channel requested by the client.

RDP::ClientChannelList
Type

vector of RDP::ClientChannelDef

The list of channels requested by the client.

RDP::ClientClusterData
Type

record

flags: count

Cluster information flags.

redir_session_id: count

If the redir_sessionid_field_valid flag is set, this field contains a valid session identifier to which the client requests to connect.

redir_supported: bool

The client can receive server session redirection packets. If this flag is set, the svr_session_redir_version_mask field MUST contain the server session redirection version that the client supports.

svr_session_redir_version_mask: count

The server session redirection version that the client supports.

redir_sessionid_field_valid: bool

Whether the redir_session_id field identifies a session on the server to associate with the connection.

redir_smartcard: bool

The client logged on with a smart card.

The TS_UD_CS_CLUSTER data block is sent by the client to the server either to advertise that it can support the Server Redirection PDUs or to request a connection to a given session identifier.

RDP::ClientCoreData
Type

record

version_major: count

version_minor: count

desktop_width: count

desktop_height: count

color_depth: count

sas_sequence: count

keyboard_layout: count

client_build: count

client_name: string

keyboard_type: count

keyboard_sub: count

keyboard_function_key: count

ime_file_name: string

post_beta2_color_depth: count &optional

client_product_id: count &optional

serial_number: count &optional

high_color_depth: count &optional

supported_color_depths: count &optional

ec_flags: RDP::EarlyCapabilityFlags &optional

dig_product_id: string &optional

RDP::ClientSecurityData
Type

record

encryption_methods: count

Cryptographic encryption methods supported by the client and used in conjunction with Standard RDP Security. Known flags:

  • 0x00000001: support for 40-bit session encryption keys

  • 0x00000002: support for 128-bit session encryption keys

  • 0x00000008: support for 56-bit session encryption keys

  • 0x00000010: support for FIPS compliant encryption and MAC methods

ext_encryption_methods: count

Only used in French locale and designates the encryption method. If non-zero, then encryption_methods should be set to 0.

The TS_UD_CS_SEC data block contains security-related information used to advertise client cryptographic support.

RDP::EarlyCapabilityFlags
Type

record

support_err_info_pdu: bool

want_32bpp_session: bool

support_statusinfo_pdu: bool

strong_asymmetric_keys: bool

support_monitor_layout_pdu: bool

support_netchar_autodetect: bool

support_dynvc_gfx_protocol: bool

support_dynamic_time_zone: bool

support_heartbeat_pdu: bool

ReassemblerStats
Type

record

file_size: count

Byte size of File reassembly tracking.

frag_size: count

Byte size of Fragment reassembly tracking.

tcp_size: count

Byte size of TCP reassembly tracking.

unknown_size: count

Byte size of reassembly tracking for unknown purposes.

Holds statistics for all types of reassembly.

See also: get_reassembler_stats

ReporterStats
Type

record

weirds: count

Number of total weirds encountered, before any rate-limiting.

weirds_by_type: table [string] of count

Number of times each individual weird is encountered, before any rate-limiting is applied.

Statistics about reporter messages and weirds.

See also: get_reporter_stats

SMB1::Find_First2_Request_Args
Type

record

search_attrs: count

File attributes to apply as a constraint to the search

search_count: count

Max search results

flags: count

Misc. flags for how the server should manage the transaction once results are returned

info_level: count

How detailed the information returned in the results should be

search_storage_type: count

Specify whether to search for directories or files

file_name: string

The string to search for (note: may contain wildcards)

SMB1::Find_First2_Response_Args
Type

record

sid: count

The server generated search identifier

search_count: count

Number of results returned by the search

end_of_search: bool

Whether or not the search can be continued using the TRANS2_FIND_NEXT2 transaction

ext_attr_error: string &optional

An extended attribute name that couldn’t be retrieved

SMB1::Header
Type

record

command: count

The command number

status: count

The status code

flags: count

Flag set 1

flags2: count

Flag set 2

tid: count

Tree ID

pid: count

Process ID

uid: count

User ID

mid: count

Multiplex ID

An SMB1 header.

See also: smb1_message, smb1_empty_response, smb1_error, smb1_check_directory_request, smb1_check_directory_response, smb1_close_request, smb1_create_directory_request, smb1_create_directory_response, smb1_echo_request, smb1_echo_response, smb1_negotiate_request, smb1_negotiate_response, smb1_nt_cancel_request, smb1_nt_create_andx_request, smb1_nt_create_andx_response, smb1_query_information_request, smb1_read_andx_request, smb1_read_andx_response, smb1_session_setup_andx_request, smb1_session_setup_andx_response, smb1_transaction_request, smb1_transaction2_request, smb1_trans2_find_first2_request, smb1_trans2_query_path_info_request, smb1_trans2_get_dfs_referral_request, smb1_tree_connect_andx_request, smb1_tree_connect_andx_response, smb1_tree_disconnect, smb1_write_andx_request, smb1_write_andx_response

SMB1::NegotiateCapabilities
Type

record

raw_mode: bool

The server supports SMB_COM_READ_RAW and SMB_COM_WRITE_RAW

mpx_mode: bool

The server supports SMB_COM_READ_MPX and SMB_COM_WRITE_MPX

unicode: bool

The server supports unicode strings

large_files: bool

The server supports large files with 64 bit offsets

nt_smbs: bool

The server supports the SMBs particular to the NT LM 0.12 dialect. Implies nt_find.

rpc_remote_apis: bool

The server supports remote admin API requests via DCE-RPC

status32: bool

The server can respond with 32 bit status codes in Status.Status

level_2_oplocks: bool

The server supports level 2 oplocks

lock_and_read: bool

The server supports SMB_COM_LOCK_AND_READ

nt_find: bool

Reserved

dfs: bool

The server is DFS aware

infolevel_passthru: bool

The server supports NT information level requests passing through

large_readx: bool

The server supports large SMB_COM_READ_ANDX (up to 64k)

large_writex: bool

The server supports large SMB_COM_WRITE_ANDX (up to 64k)

unix: bool

The server supports CIFS Extensions for UNIX

bulk_transfer: bool

The server supports SMB_BULK_READ and SMB_BULK_WRITE. Note: No known implementations support this.

compressed_data: bool

The server supports compressed data transfer. Requires bulk_transfer. Note: No known implementations support this.

extended_security: bool

The server supports extended security exchanges

SMB1::NegotiateRawMode
Type

record

read_raw: bool

Read raw supported

write_raw: bool

Write raw supported

SMB1::NegotiateResponse
Type

record

core: SMB1::NegotiateResponseCore &optional

If the server does not understand any of the dialect strings, or if PC NETWORK PROGRAM 1.0 is the chosen dialect.

lanman: SMB1::NegotiateResponseLANMAN &optional

If the chosen dialect is greater than core up to and including LANMAN 2.1.

ntlm: SMB1::NegotiateResponseNTLM &optional

If the chosen dialect is NT LM 0.12.

SMB1::NegotiateResponseCore
Type

record

dialect_index: count

Index of selected dialect

SMB1::NegotiateResponseLANMAN
Type

record

word_count: count

Count of parameter words (should be 13)

dialect_index: count

Index of selected dialect

security_mode: SMB1::NegotiateResponseSecurity

Security mode

max_buffer_size: count

Max transmit buffer size (>= 1024)

max_mpx_count: count

Max pending multiplexed requests

max_number_vcs: count

Max number of virtual circuits (VCs - transport-layer connections) between client and server

raw_mode: SMB1::NegotiateRawMode

Raw mode

session_key: count

Unique token identifying this session

server_time: time

Current date and time at server

encryption_key: string

The challenge encryption key

primary_domain: string

The server’s primary domain

SMB1::NegotiateResponseNTLM
Type

record

word_count: count

Count of parameter words (should be 17)

dialect_index: count

Index of selected dialect

security_mode: SMB1::NegotiateResponseSecurity

Security mode

max_buffer_size: count

Max transmit buffer size

max_mpx_count: count

Max pending multiplexed requests

max_number_vcs: count

Max number of virtual circuits (VCs - transport-layer connections) between client and server

max_raw_size: count

Max raw buffer size

session_key: count

Unique token identifying this session

capabilities: SMB1::NegotiateCapabilities

Server capabilities

server_time: time

Current date and time at server

encryption_key: string &optional

The challenge encryption key. Present only for non-extended security (i.e. capabilities$extended_security = F)

domain_name: string &optional

The name of the domain. Present only for non-extended security (i.e. capabilities$extended_security = F)

guid: string &optional

A globally unique identifier assigned to the server. Present only for extended security (i.e. capabilities$extended_security = T)

security_blob: string

Opaque security blob associated with the security package if capabilities$extended_security = T. Otherwise, the challenge for challenge/response authentication.

SMB1::NegotiateResponseSecurity
Type

record

user_level: bool

This indicates whether the server, as a whole, is operating under Share Level or User Level security.

challenge_response: bool

This indicates whether or not the server supports Challenge/Response authentication. If the bit is false, then plaintext passwords must be used.

signatures_enabled: bool &optional

This indicates if the server is capable of performing MAC message signing. Note: Requires NT LM 0.12 or later.

signatures_required: bool &optional

This indicates if the server is requiring the use of a MAC in each packet. If false, message signing is optional. Note: Requires NT LM 0.12 or later.
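The SMB1::NegotiateResponse record above carries the server's security mode in whichever dialect sub-record was selected (lanman or ntlm), and SMB1::NegotiateResponseSecurity exposes the two settings a defender most wants to audit: challenge_response (false means plaintext passwords) and signatures_required (false means signing is optional, and the field is only present for NT LM 0.12 or later). The script below is an added example, not code from this page or from the Zeek project: it evaluates the security mode for either dialect and raises one notice per server for each weak setting. It assumes the event signature smb1_negotiate_response(c, hdr, response) listed under SMB1::Header; the module, function and notice names are chosen for this example.

```zeek
@load base/frameworks/notice
@load base/protocols/smb

module SMB1Audit;

export {
    redef enum Notice::Type += {
        ## The server does not support challenge/response, so plaintext passwords are used.
        Plaintext_Auth_Only,
        ## The server can sign messages but does not require signing.
        Signing_Not_Required,
    };
}

# Evaluate one SMB1::NegotiateResponseSecurity block. dialect is only used in the message.
function check_security_mode(c: connection, dialect: string,
                             sec: SMB1::NegotiateResponseSecurity)
    {
    if ( ! sec$challenge_response )
        NOTICE([$note=Plaintext_Auth_Only,
                $conn=c,
                $msg=fmt("server %s negotiated %s without challenge/response authentication",
                         c$id$resp_h, dialect),
                $identifier=cat(c$id$resp_h)]);

    # signatures_enabled / signatures_required are &optional and only present
    # for NT LM 0.12 or later, so test presence before reading them.
    if ( sec?$signatures_enabled && sec$signatures_enabled &&
         sec?$signatures_required && ! sec$signatures_required )
        NOTICE([$note=Signing_Not_Required,
                $conn=c,
                $msg=fmt("server %s (%s) enables SMB signing but does not require it",
                         c$id$resp_h, dialect),
                $identifier=cat(c$id$resp_h)]);
    }

event smb1_negotiate_response(c: connection, hdr: SMB1::Header,
                              response: SMB1::NegotiateResponse)
    {
    # Exactly one of core / lanman / ntlm is expected to be set.
    if ( response?$ntlm )
        check_security_mode(c, "NT LM 0.12", response$ntlm$security_mode);
    else if ( response?$lanman )
        check_security_mode(c, "LANMAN", response$lanman$security_mode);
    # The core dialect response carries only dialect_index: nothing to assess.
    }
```

The $identifier keyed on the server address lets the notice framework suppress repeats, so a file server that answers hundreds of negotiations per hour produces one notice per setting rather than one per connection.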

SMB1::SessionSetupAndXCapabilities
Type

record

unicode: bool

The client can use unicode strings

large_files: bool

The client can deal with files having 64 bit offsets

nt_smbs: bool

The client understands the SMBs introduced with NT LM 0.12. Implies nt_find.

status32: bool

The client can receive 32 bit errors encoded in Status.Status

level_2_oplocks: bool

The client understands Level II oplocks

nt_find: bool

Reserved. Implied by nt_smbs.

SMB1::SessionSetupAndXRequest
Type

record

word_count: count

Count of parameter words:

  • 10 for pre NT LM 0.12

  • 12 for NT LM 0.12 with extended security

  • 13 for NT LM 0.12 without extended security

max_buffer_size: count

Client maximum buffer size

max_mpx_count: count

Actual maximum multiplexed pending request

vc_number: count

Virtual circuit number. First VC == 0

session_key: count

Session key (valid iff vc_number > 0)

native_os: string

Client’s native operating system

native_lanman: string

Client’s native LAN Manager type

account_name: string &optional

Account name. Note: not set for NT LM 0.12 with extended security

account_password: string &optional

If challenge/response auth is not being used, this is the password. Otherwise, it’s the response to the server’s challenge. Note: Only set for pre NT LM 0.12

primary_domain: string &optional

Client’s primary domain, if known. Note: not set for NT LM 0.12 with extended security

case_insensitive_password: string &optional

Case insensitive password. Note: only set for NT LM 0.12 without extended security

case_sensitive_password: string &optional

Case sensitive password. Note: only set for NT LM 0.12 without extended security

security_blob: string &optional

Security blob. Note: only set for NT LM 0.12 with extended security

capabilities: SMB1::SessionSetupAndXCapabilities &optional

Client capabilities. Note: only set for NT LM 0.12

SMB1::SessionSetupAndXResponse
Type

record

word_count: count

Count of parameter words (should be 3 for pre NT LM 0.12 and 4 for NT LM 0.12)

is_guest: bool &optional

Were we logged in as a guest user?

native_os: string &optional

Server’s native operating system

native_lanman: string &optional

Server’s native LAN Manager type

primary_domain: string &optional

Server’s primary domain

security_blob: string &optional

Security blob if NTLM

SMB1::Trans2_Args
Type

record

total_param_count: count

Total parameter count

total_data_count: count

Total data count

max_param_count: count

Max parameter count

max_data_count: count

Max data count

max_setup_count: count

Max setup count

flags: count

Flags

trans_timeout: count

Timeout

param_count: count

Parameter count

param_offset: count

Parameter offset

data_count: count

Data count

data_offset: count

Data offset

setup_count: count

Setup count

SMB1::Trans2_Sec_Args
Type

record

total_param_count: count

Total parameter count

total_data_count: count

Total data count

param_count: count

Parameter count

param_offset: count

Parameter offset

param_displacement: count

Parameter displacement

data_count: count

Data count

data_offset: count

Data offset

data_displacement: count

Data displacement

FID: count

File ID

SMB1::Trans_Sec_Args
Type

record

total_param_count: count

Total parameter count

total_data_count: count

Total data count

param_count: count

Parameter count

param_offset: count

Parameter offset

param_displacement: count

Parameter displacement

data_count: count

Data count

data_offset: count

Data offset

data_displacement: count

Data displacement

SMB2::CloseResponse
Type

record

alloc_size: count

The size, in bytes, of the data that is allocated to the file.

eof: count

The size, in bytes, of the file.

times: SMB::MACTimes

The creation, last access, last write, and change times.

attrs: SMB2::FileAttrs

The attributes of the file.

The response to an SMB2 close request, which is used by the client to close an instance of a file that was opened previously.

For more information, see MS-SMB2:2.2.16

See also: smb2_close_response

SMB2::CompressionCapabilities
Type

record

alg_count: count

The number of algorithms.

algs: vector of count

An array of compression algorithms.

Compression information as defined in SMB v. 3.1.1

For more information, see MS-SMB2:2.3.1.3

SMB2::CreateRequest
Type

record

filename: string

Name of the file

disposition: count

Defines the action the server MUST take if the file that is specified already exists.

create_options: count

Specifies the options to be applied when creating or opening the file.

The request sent by the client to request either creation of or access to a file.

For more information, see MS-SMB2:2.2.13

See also: smb2_create_request

SMB2::CreateResponse
Type

record

file_id: SMB2::GUID

The SMB2 GUID for the file.

size: count

Size of the file.

times: SMB::MACTimes

Timestamps associated with the file in question.

attrs: SMB2::FileAttrs

File attributes.

create_action: count

The action taken in establishing the open.

The response to an SMB2 create request, which is sent by the client to request either creation of or access to a file.

For more information, see MS-SMB2:2.2.14

See also: smb2_create_response

SMB2::EncryptionCapabilities
Type

record

cipher_count: count

The number of ciphers.

ciphers: vector of count

An array of ciphers.

Encryption information as defined in SMB v. 3.1.1

For more information, see MS-SMB2:2.3.1.2

SMB2::FileAttrs
Type

record

read_only: bool

The file is read only. Applications can read the file but cannot write to it or delete it.

hidden: bool

The file is hidden. It is not to be included in an ordinary directory listing.

system: bool

The file is part of or is used exclusively by the operating system.

directory: bool

The file is a directory.

archive: bool

The file has not been archived since it was last modified. Applications use this attribute to mark files for backup or removal.

normal: bool

The file has no other attributes set. This attribute is valid only if used alone.

temporary: bool

The file is temporary. This is a hint to the cache manager that it does not need to flush the file to backing storage.

sparse_file: bool

A file that is a sparse file.

reparse_point: bool

A file or directory that has an associated reparse point.

compressed: bool

The file or directory is compressed. For a file, this means that all of the data in the file is compressed. For a directory, this means that compression is the default for newly created files and subdirectories.

offline: bool

The data in this file is not available immediately. This attribute indicates that the file data is physically moved to offline storage. This attribute is used by Remote Storage, which is hierarchical storage management software.

not_content_indexed: bool

A file or directory that is not indexed by the content indexing service.

encrypted: bool

A file or directory that is encrypted. For a file, all data streams in the file are encrypted. For a directory, encryption is the default for newly created files and subdirectories.

integrity_stream: bool

A file or directory that is configured with integrity support. For a file, all data streams in the file have integrity support. For a directory, integrity support is the default for newly created files and subdirectories, unless the caller specifies otherwise.

no_scrub_data: bool

A file or directory that is configured to be excluded from the data integrity scan.

A series of boolean flags describing basic and extended file attributes for SMB2.

For more information, see MS-CIFS:2.2.1.2.3 and MS-FSCC:2.6

See also: smb2_create_response

SMB2::FileEA
Type

record

ea_name: string

Specifies the extended attribute name

ea_value: string

Contains the extended attribute value

This information class is used to query or set extended attribute (EA) information for a file.

For more information, see MS-SMB2:2.2.39 and MS-FSCC:2.4.15

SMB2::FileEAs
Type

vector of SMB2::FileEA

A vector of extended attribute (EA) information for a file.

For more information, see MS-SMB2:2.2.39 and MS-FSCC:2.4.15

SMB2::Fscontrol
Type

record

free_space_start_filtering: int

minimum amount of free disk space required to begin document filtering

free_space_threshold: int

minimum amount of free disk space required to continue filtering documents and merging word lists

free_space_stop_filtering: int

minimum amount of free disk space required to continue content filtering

delete_quota_threshold: count

default per-user disk quota

default_quota_limit: count

default per-user disk limit

fs_control_flags: count

file systems control flags passed as unsigned int

A series of integer flags used to set quota and content indexing control information for a file system volume in SMB2.

For more information, see MS-SMB2:2.2.39 and MS-FSCC:2.5.2

SMB2::GUID
Type

record

persistent: count

A file handle that remains persistent when reconnected after a disconnect

volatile: count

A file handle that can be changed when reconnected after a disconnect

An SMB2 globally unique identifier which identifies a file.

For more information, see MS-SMB2:2.2.14.1

See also: smb2_close_request, smb2_create_response, smb2_read_request, smb2_file_rename, smb2_file_delete, smb2_write_request

SMB2::Header
Type

record

credit_charge: count

The number of credits that this request consumes

status: count

In a request, this is an indication to the server about the client’s channel change. In a response, this is the status field

command: count

The command code of the packet

credits: count

The number of credits the client is requesting, or the number of credits granted to the client in a response.

flags: count

A flags field, which indicates how to process the operation (e.g. asynchronously)

message_id: count

A value that uniquely identifies the message request/response pair across all messages that are sent on the same transport protocol connection

process_id: count

A value that uniquely identifies the process that generated the event.

tree_id: count

A value that uniquely identifies the tree connect for the command.

session_id: count

A value that uniquely identifies the established session for the command.

signature: string

The 16-byte signature of the message, if SMB2_FLAGS_SIGNED is set in the flags field.

An SMB2 header.

For more information, see MS-SMB2:2.2.1.1 and MS-SMB2:2.2.1.2

See also: smb2_message, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_file_rename, smb2_file_delete, smb2_tree_connect_request, smb2_tree_connect_response, smb2_write_request

SMB2::NegotiateContextValue
Type

record

context_type: count

Specifies the type of context (preauth or encryption).

data_length: count

The length in bytes of the data field.

preauth_info: SMB2::PreAuthIntegrityCapabilities &optional

The preauthentication information.

encryption_info: SMB2::EncryptionCapabilities &optional

The encryption information.

compression_info: SMB2::CompressionCapabilities &optional

The compression information.

netname: string &optional

Indicates the server name the client must connect to.

The context type information as defined in SMB v. 3.1.1

For more information, see MS-SMB2:2.3.1

SMB2::NegotiateContextValues
Type

vector of SMB2::NegotiateContextValue

SMB2::NegotiateResponse
Type

record

dialect_revision: count

The preferred common SMB2 Protocol dialect number from the array that was sent in the SMB2 NEGOTIATE Request.

security_mode: count

The security mode field specifies whether SMB signing is enabled, required at the server, or both.

server_guid: SMB2::GUID

A globally unique identifier generated by the server to uniquely identify the server.

system_time: time

The system time of the SMB2 server when the SMB2 NEGOTIATE Request was processed.

server_start_time: time

The SMB2 server start time.

negotiate_context_count: count

The number of negotiate context values in SMB v. 3.1.1, otherwise reserved to 0.

negotiate_context_values: SMB2::NegotiateContextValues

An array of context values in SMB v. 3.1.1.

The response to an SMB2 negotiate request, which is used by the client to notify the server what dialects of the SMB2 protocol the client understands.

For more information, see MS-SMB2:2.2.4

See also: smb2_negotiate_response

SMB2::PreAuthIntegrityCapabilities
Type

record

hash_alg_count: count

The number of hash algorithms.

salt_length: count

The salt length.

hash_alg: vector of count

An array of hash algorithms (counts).

salt: string

The salt.

Preauthentication information as defined in SMB v. 3.1.1

For more information, see MS-SMB2:2.3.1.1

SMB2::SessionSetupFlags
Type

record

guest: bool

If set, the client has been authenticated as a guest user.

anonymous: bool

If set, the client has been authenticated as an anonymous user.

encrypt: bool

If set, the server requires encryption of messages on this session.

A flags field that indicates additional information about the session that’s sent in the session_setup response.

For more information, see MS-SMB2:2.2.6

See also: smb2_session_setup_response

SMB2::SessionSetupRequest
Type

record

security_mode: count

The security mode field specifies whether SMB signing is enabled or required at the client.

The request sent by the client to request a new authenticated session within a new or existing SMB 2 Protocol transport connection to the server.

For more information, see MS-SMB2:2.2.5

See also: smb2_session_setup_request

SMB2::SessionSetupResponse
Type

record

flags: SMB2::SessionSetupFlags

Additional information about the session

The response to an SMB2 session_setup request, which is sent by the client to request a new authenticated session within a new or existing SMB 2 Protocol transport connection to the server.

For more information, see MS-SMB2:2.2.6

See also: smb2_session_setup_response
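As an added example that is not part of the Zeek documentation above, the following script uses the SMB2::NegotiateResponse security_mode field and the SMB2::SessionSetupFlags record to raise notices for servers that do not require message signing and for sessions accepted as guest or anonymous. The module name SMB2Posture and the two notice names are assumptions; the SIGNING_ENABLED and SIGNING_REQUIRED bit values are the MS-SMB2 2.2.4 definitions rather than values taken from this page.

```zeek
##! Added example: flag weak SMB2 security posture from negotiate and
##! session setup responses. Module and notice names are hypothetical.

@load base/frameworks/notice
@load base/protocols/smb

module SMB2Posture;

export {
	redef enum Notice::Type += {
		## The server does not require message signing for the negotiated dialect.
		Signing_Not_Required,
		## A session was established as a guest or anonymous user.
		Guest_Or_Anonymous_Session,
	};

	## Bit values of SMB2::NegotiateResponse$security_mode (MS-SMB2 2.2.4).
	const SIGNING_ENABLED: count = 0x01;
	const SIGNING_REQUIRED: count = 0x02;

	## STATUS_SUCCESS as carried in SMB2::Header$status of a response.
	const STATUS_SUCCESS: count = 0x00000000;
}

event smb2_negotiate_response(c: connection, hdr: SMB2::Header, response: SMB2::NegotiateResponse)
	{
	# Only a successful negotiate carries a meaningful security_mode.
	if ( hdr$status != STATUS_SUCCESS )
		return;

	if ( (response$security_mode & SIGNING_REQUIRED) == 0 )
		{
		local enabled = (response$security_mode & SIGNING_ENABLED) != 0 ? "enabled" : "disabled";
		NOTICE([$note=Signing_Not_Required,
		        $conn=c,
		        $msg=fmt("SMB2 dialect 0x%x negotiated with signing %s but not required",
		                 response$dialect_revision, enabled),
		        # Suppress repeats per server address rather than per connection.
		        $identifier=cat(c$id$resp_h)]);
		}
	}

event smb2_session_setup_response(c: connection, hdr: SMB2::Header, response: SMB2::SessionSetupResponse)
	{
	# Session setup may take several round trips (e.g. NTLM challenge/response);
	# the flags are only final once the server reports success.
	if ( hdr$status != STATUS_SUCCESS )
		return;

	if ( response$flags$guest || response$flags$anonymous )
		NOTICE([$note=Guest_Or_Anonymous_Session,
		        $conn=c,
		        $msg=fmt("SMB2 session %d accepted as %s", hdr$session_id,
		                 response$flags$guest ? "guest" : "anonymous"),
		        $identifier=cat(c$id$orig_h, c$id$resp_h)]);
	}
```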

SMB2::Transform_header
Type

record

signature: string

The 16-byte signature of the encrypted message, generated by using Session.EncryptionKey.

nonce: string

An implementation specific value assigned for every encrypted message.

orig_msg_size: count

The size, in bytes, of the SMB2 message.

flags: count

A flags field, interpreted in different ways depending on the SMB2 dialect.

session_id: count

A value that uniquely identifies the established session for the command.

An SMB2 transform header (for SMB 3.x dialects with encryption enabled).

For more information, see MS-SMB2:2.2.41

See also: smb2_transform_header, smb2_message, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_file_rename, smb2_file_delete, smb2_tree_connect_request, smb2_tree_connect_response, smb2_write_request

SMB2::TreeConnectResponse
Type

record

share_type: count

The type of share being accessed. Physical disk, named pipe, or printer.

The response to an SMB2 tree_connect request, which is sent by the client to request access to a particular share on the server.

For more information, see MS-SMB2:2.2.9

See also: smb2_tree_connect_response

SMB::MACTimes
Type

record

modified: time &log

The time when data was last written to the file.

modified_raw: count

Same as modified but in SMB’s original FILETIME integer format.

accessed: time &log

The time when the file was last accessed.

accessed_raw: count

Same as accessed but in SMB’s original FILETIME integer format.

created: time &log

The time the file was created.

created_raw: count

Same as created but in SMB’s original FILETIME integer format.

changed: time &log

The time when the file was last modified.

changed_raw: count

Same as changed but in SMB’s original FILETIME integer format.

MAC times for a file.

For more information, see MS-SMB2:2.2.16

See also: smb1_nt_create_andx_response, smb2_create_response

SNMP::Binding
Type

record

oid: string

value: SNMP::ObjectValue

The VarBind data structure from either RFC 1157 or RFC 3416, which maps an Object Identifier to a value.

SNMP::Bindings
Type

vector of SNMP::Binding

A VarBindList data structure from either RFC 1157 or RFC 3416: a sequence of SNMP::Binding, each mapping an OID to a value.

SNMP::BulkPDU
Type

record

request_id: int

non_repeaters: count

max_repetitions: count

bindings: SNMP::Bindings

A BulkPDU data structure from RFC 3416.

SNMP::Header
Type

record

version: count

v1: SNMP::HeaderV1 &optional

Set when version is 0.

v2: SNMP::HeaderV2 &optional

Set when version is 1.

v3: SNMP::HeaderV3 &optional

Set when version is 3.

A generic SNMP header data structure that may include data from any version of SNMP. The value of the version field determines what header field is initialized.

SNMP::HeaderV1
Type

record

community: string

The top-level message data structure of an SNMPv1 datagram, not including the PDU data. See RFC 1157.

SNMP::HeaderV2
Type

record

community: string

The top-level message data structure of an SNMPv2 datagram, not including the PDU data. See RFC 1901.

SNMP::HeaderV3
Type

record

id: count

max_size: count

flags: count

auth_flag: bool

priv_flag: bool

reportable_flag: bool

security_model: count

security_params: string

pdu_context: SNMP::ScopedPDU_Context &optional

The top-level message data structure of an SNMPv3 datagram, not including the PDU data. See RFC 3412.

SNMP::ObjectValue
Type

record

tag: count

oid: string &optional

signed: int &optional

unsigned: count &optional

address: addr &optional

octets: string &optional

A generic SNMP object value that may include any of the valid ObjectSyntax values from RFC 1155 or RFC 3416. The value is decoded whenever possible and assigned to the appropriate field, which can be determined from the value of the tag field. For tags that can’t be mapped to an appropriate type, the octets field holds the BER-encoded ASN.1 content if there is any (though octets may also be used for other tags such as OCTET STRING or Opaque). Null values will only have their corresponding tag value set.

SNMP::PDU
Type

record

request_id: int

error_status: int

error_index: int

bindings: SNMP::Bindings

A PDU data structure from either RFC 1157 or RFC 3416.

SNMP::ScopedPDU_Context
Type

record

engine_id: string

name: string

The ScopedPduData data structure of an SNMPv3 datagram, not including the PDU data (i.e. just the “context” fields). See RFC 3412.

SNMP::TrapPDU
Type

record

enterprise: string

agent: addr

generic_trap: int

specific_trap: int

time_stamp: count

bindings: SNMP::Bindings

A Trap-PDU data structure from RFC 1157.

SOCKS::Address
Type

record

host: addr &optional &log

name: string &optional &log

Attributes

&log

This record is for a SOCKS client or server to provide either a name or an address to represent a desired or established connection.

SSH::Algorithm_Prefs
Type

record

client_to_server: vector of string &optional

The algorithm preferences for client to server communication

server_to_client: vector of string &optional

The algorithm preferences for server to client communication

The client and server each have some preferences for the algorithms used in each direction.

SSH::Capabilities
Type

record

kex_algorithms: string_vec

Key exchange algorithms

server_host_key_algorithms: string_vec

The algorithms supported for the server host key

encryption_algorithms: SSH::Algorithm_Prefs

Symmetric encryption algorithm preferences

mac_algorithms: SSH::Algorithm_Prefs

Symmetric MAC algorithm preferences

compression_algorithms: SSH::Algorithm_Prefs

Compression algorithm preferences

languages: SSH::Algorithm_Prefs &optional

Language preferences

is_server: bool

Are these the capabilities of the server?

This record lists the preferences of an SSH endpoint for algorithm selection. During the initial SSH key exchange, each endpoint lists the algorithms that it supports, in order of preference. See RFC 4253#section-7.1 for details.

SSL::PSKIdentity
Type

record

identity: string

PSK identity

obfuscated_ticket_age: count

SSL::SignatureAndHashAlgorithm
Type

record

HashAlgorithm: count

Hash algorithm number

SignatureAlgorithm: count

Signature algorithm number

SYN_packet
Type

record

is_orig: bool

True if the packet was sent by the connection’s originator.

DF: bool

True if the don’t fragment (DF) flag is set in the IP header.

ttl: count

The IP header’s time-to-live.

size: count

The size of the packet’s payload as specified in the IP header.

win_size: count

The window size from the TCP header.

win_scale: int

The window scale option if present, or -1 if not.

MSS: count

The maximum segment size if present, or 0 if not.

SACK_OK: bool

True if the SACK option is present.

TSval: count &optional

The TCP TS value if present.

TSecr: count &optional

The TCP TS echo reply if present.

Fields of a SYN packet.

See also: connection_SYN_packet

TCP::Option
Type

record

kind: count

The kind number associated with the option. Other optional fields of this record may be set depending on this value.

length: count

The total length of the option in bytes, including the kind byte and length byte (if present).

data: string &optional

This field is set to the raw option bytes if the kind is not otherwise known/parsed. It’s also set for known kinds whose length was invalid.

mss: count &optional

Kind 2: Maximum Segment Size.

window_scale: count &optional

Kind 3: Window scale.

sack: index_vec &optional

Kind 5: Selective ACKnowledgement (SACK). This is a list of 2, 4, 6, or 8 numbers, with each consecutive pair being a 32-bit begin pointer and a 32-bit end pointer.

send_timestamp: count &optional

Kind 8: 4-byte sender timestamp value.

echo_timestamp: count &optional

Kind 8: 4-byte echo reply timestamp value.

rate: count &optional

Kind 27: TCP Quick Start Response value.

ttl_diff: count &optional

qs_nonce: count &optional

A TCP Option field parsed from a TCP header.

TCP::OptionList
Type

vector of TCP::Option

The full list of TCP Option fields parsed from a TCP header.

ThreadStats
Type

record

num_threads: count

Statistics about threads.

See also: get_thread_stats

TimerStats
Type

record

current: count

Current number of pending timers.

max: count

Maximum number of concurrent timers pending so far.

cumulative: count

Cumulative number of timers scheduled.

Statistics of timers.

See also: get_timer_stats

Tunnel::EncapsulatingConn
Type

record

cid: conn_id &log

The 4-tuple of the encapsulating “connection”. In case of an IP-in-IP tunnel the ports will be set to 0. The direction (i.e., orig and resp) is set according to the first tunneled packet seen and not according to the side that established the tunnel.

tunnel_type: Tunnel::Type &log

The type of tunnel.

uid: string &optional &log

A globally unique identifier that, for non-IP-in-IP tunnels, cross-references the uid field of connection.

Attributes

&log

Records the identity of an encapsulating parent of a tunneled connection.

WebSocket::AnalyzerConfig
Type

record

analyzer: Analyzer::Tag &optional

The analyzer to attach for analysis of the WebSocket frame payload. See use_dpd below for the behavior when unset.

use_dpd: bool &default = WebSocket::use_dpd_default &optional

If analyzer is unset, determines whether to attach a PIA_TCP analyzer for dynamic protocol detection with WebSocket payload.

subprotocol: string &optional

The subprotocol as selected by the server, if any.

server_extensions: vector of string &optional

The WebSocket extensions as selected by the server, if any.

Record type that is passed to WebSocket::configure_analyzer.

This record allows the WebSocket analyzer to be configured with parameters collected from HTTP headers.

X509::BasicConstraints
Type

record

ca: bool &log

CA flag set?

path_len: count &optional &log

Maximum path length

Attributes

&log

X509::Certificate
Type

record

version: count &log

Version number.

serial: string &log

Serial number.

subject: string &log

Subject.

issuer: string &log

Issuer.

cn: string &optional

Last (most specific) common name.

not_valid_before: time &log

Timestamp before when certificate is not valid.

not_valid_after: time &log

Timestamp after when certificate is not valid.

key_alg: string &log

Name of the key algorithm

sig_alg: string &log

Name of the signature algorithm

key_type: string &optional &log

Key type, if the key is parseable by OpenSSL (either rsa, dsa or ec)

key_length: count &optional &log

Key length in bits

exponent: string &optional &log

Exponent, if RSA-certificate

curve: string &optional &log

Curve, if EC-certificate

tbs_sig_alg: string

Name of the signature algorithm given inside the tbsCertificate. Should be equivalent to sig_alg.

X509::Extension
Type

record

name: string

Long name of the extension; the OID if the name is not known

short_name: string &optional

Short name of extension if known

oid: string

OID of the extension

critical: bool

True if extension is critical

value: string

Extension content parsed to string for known extensions. Raw data otherwise.

X509::Result
Type

record

result: int

OpenSSL result code

result_string: string

Result as string

chain_certs: vector of opaque of x509 &optional

References to the final certificate chain, if verification was successful. The end-host certificate is first.

Result of an X509 certificate chain verification

X509::SubjectAlternativeName
Type

record

dns: string_vec &optional &log

List of DNS entries in SAN

uri: string_vec &optional &log

List of URI entries in SAN

email: string_vec &optional &log

List of email entries in SAN

ip: addr_vec &optional &log

List of IP entries in SAN

other_fields: bool

True if the certificate contained other name fields that were not recognized or parsed

addr_set
Type

set [addr]

A set of addresses.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

addr_vec
Type

vector of addr

A vector of addresses.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

any_vec
Type

vector of any

A vector of any, used by some builtin functions to store a list of varying types.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

assertion_failure
Type

hook (cond: string, msg: string, bt: Backtrace) : bool

A hook that is invoked when an assert statement fails.

By default, a reporter error message is logged describing the failing assert, similarly to how scripting errors are reported after invoking this hook. Using the break statement in an assertion_failure hook handler suppresses this message.

Param cond

The string representation of the condition.

Param msg

Evaluated message as string given to the assert statement.

Param bt

Backtrace of the assertion error. The top element will contain the location of the assert statement that failed.

See also: assertion_result

assertion_result
Type

hook (result: bool, cond: string, msg: string, bt: Backtrace) : bool

A hook that is invoked with the result of every assert statement.

This is a potentially expensive hook meant to be used by testing frameworks to summarize assert results. In a production setup, this hook is likely detrimental to performance.

Using the break statement within an assertion_failure hook handler suppresses the reporter error message generated for failing assert statements.

Param result

The result of evaluating cond.

Param cond

The string representation of the condition.

Param msg

Evaluated message as string given to the assert statement.

Param bt

Backtrace of the assertion error. The top element will contain the location of the assert statement that failed.

See also: assertion_failure
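As an added example, not taken from the Zeek documentation above, the following script combines both hooks: assertion_result tallies every assert outcome, and assertion_failure replaces the default reporter error with a warning before using break to suppress it. The module name AssertSummary is an assumption, and the BacktraceElement fields file_location and line_location are assumed from Zeek's Backtrace type, which this page does not spell out.

```zeek
##! Added example: summarize assert statements and customize how failures
##! are reported. Module name is hypothetical.

module AssertSummary;

export {
	## Number of assert statements that evaluated to T.
	global passed: count = 0;
	## Number of assert statements that evaluated to F.
	global failed: count = 0;
}

hook assertion_result(result: bool, cond: string, msg: string, bt: Backtrace)
	{
	# Invoked for every assert statement, so keep this handler cheap.
	if ( result )
		++passed;
	else
		++failed;
	}

hook assertion_failure(cond: string, msg: string, bt: Backtrace)
	{
	# bt[0] is the location of the failing assert statement; the location
	# fields are optional, so check before using them.
	local where = "<unknown>";
	if ( |bt| > 0 && bt[0]?$file_location && bt[0]?$line_location )
		where = fmt("%s:%d", bt[0]$file_location, bt[0]$line_location);

	Reporter::warning(fmt("assert '%s' failed at %s: %s", cond, where, msg));

	# break stops hook processing here, so the default reporter error for
	# this assert is not emitted.
	break;
	}

event zeek_done()
	{
	print fmt("assert summary: %d passed, %d failed", passed, failed);
	}

# Constructed checks that exercise the handlers when this script is run
# on its own, e.g. `zeek this-file.zeek`.
event zeek_init()
	{
	assert 1 + 1 == 2, "arithmetic works";
	assert "zeek" in "zeek_init", "substring test works";
	# Deliberately false, placed last: a failing assert ends the current handler.
	assert 1 > 2, "this message is passed to assertion_failure";
	}
```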

bittorrent_benc_dir
Type

table [string] of bittorrent_benc_value

A table of BitTorrent “benc” values.

See also: bt_tracker_response

bittorrent_benc_value
Type

record

i: int &optional

TODO.

s: string &optional

TODO.

d: string &optional

TODO.

l: string &optional

TODO.

BitTorrent “benc” value. Note that “benc” = Bencode (“Bee-Encode”), per http://en.wikipedia.org/wiki/Bencode.

See also: bittorrent_benc_dir

bittorrent_peer
Type

record

h: addr

The peer’s address.

p: port

The peer’s port.

A BitTorrent peer.

See also: bittorrent_peer_set

bittorrent_peer_set
Type

set [bittorrent_peer]

A set of BitTorrent peers.

See also: bt_tracker_response

bt_tracker_headers
Type

table [string] of string

Header table type used by BitTorrent analyzer.

See also: bt_tracker_request, bt_tracker_response, bt_tracker_response_not_ok

call_argument
Type

record

name: string

The name of the parameter.

type_name: string

The name of the parameter’s type.

default_val: any &optional

The value of the &default attribute if defined.

value: any &optional

The value of the parameter as passed into a given call instance. Might be unset in case a &default attribute is defined.

Meta-information about a parameter to a function/event.

See also: call_argument_vector, new_event, backtrace, print_backtrace

call_argument_vector
Type

vector of call_argument

Vector type used to capture parameters of a function/event call.

See also: call_argument, new_event, backtrace, print_backtrace

conn_id
Type

record

orig_h: addr &log

The originator’s IP address.

orig_p: port &log

The originator’s port number.

resp_h: addr &log

The responder’s IP address.

resp_p: port &log

The responder’s port number.

Attributes

&log

A connection’s identifying 4-tuple of endpoints and ports.

Note

It’s actually a 5-tuple: the transport-layer protocol is stored as part of the port values, orig_p and resp_p, and can be extracted from them with get_port_transport_proto.

Note

For explanation of Zeek’s “originator” and “responder” terminology, see the manual’s description of the connection record.

connection
Type

record

id: conn_id

The connection’s identifying 4-tuple.

orig: endpoint

Statistics about originator side.

resp: endpoint

Statistics about responder side.

start_time: time

The timestamp of the connection’s first packet.

duration: interval

The duration of the conversation. Roughly speaking, this is the interval between first and last data packet (low-level TCP details may adjust it somewhat in ambiguous cases).

service: set [string]

The set of services the connection is using as determined by Zeek’s dynamic protocol detection. Each entry is the label of an analyzer that confirmed that it could parse the connection payload. While typically there will be at most one entry for each connection, in principle it is possible that more than one protocol analyzer is able to parse the same data. If so, all will be recorded. Also note that the recorded services are independent of any transport-level protocols.

history: string

State history of connections. See history in Conn::Info.

uid: string

A globally unique connection identifier. For each connection, Zeek creates an ID that is very likely unique across independent Zeek runs. These IDs can thus be used to tag and locate information associated with that connection.

tunnel: EncapsulatingConnVector &optional

If the connection is tunneled, this field contains information about the encapsulating “connection(s)” with the outermost one starting at index zero. It’s also always the first such encapsulation seen for the connection unless the tunnel_changed event is handled and reassigns this field to the new encapsulation.

vlan: int &optional

The outer VLAN, if applicable for this connection.

inner_vlan: int &optional

The inner VLAN, if applicable for this connection.

dpd: DPD::Info &optional

(present if base/frameworks/analyzer/dpd.zeek is loaded)

dpd_state: DPD::State &optional

(present if base/frameworks/analyzer/dpd.zeek is loaded)

service_violation: set [string] &default = {  } &optional

(present if base/frameworks/analyzer/dpd.zeek is loaded)

The set of services (analyzers) for which Zeek has observed a violation after the same service had previously been confirmed.

removal_hooks: set [Conn::RemovalHook] &optional

(present if base/protocols/conn/removal-hooks.zeek is loaded)

conn: Conn::Info &optional

(present if base/protocols/conn/main.zeek is loaded)

extract_orig: bool &default = Conn::default_extract &optional

(present if base/protocols/conn/contents.zeek is loaded)

extract_resp: bool &default = Conn::default_extract &optional

(present if base/protocols/conn/contents.zeek is loaded)

thresholds: ConnThreshold::Thresholds &optional

(present if base/protocols/conn/thresholds.zeek is loaded)

dce_rpc: DCE_RPC::Info &optional

(present if base/protocols/dce-rpc/main.zeek is loaded)

dce_rpc_state: DCE_RPC::State &optional

(present if base/protocols/dce-rpc/main.zeek is loaded)

dce_rpc_backing: table [count] of DCE_RPC::BackingState &optional

(present if base/protocols/dce-rpc/main.zeek is loaded)

dhcp: DHCP::Info &optional

(present if base/protocols/dhcp/main.zeek is loaded)

dnp3: DNP3::Info &optional

(present if base/protocols/dnp3/main.zeek is loaded)

dns: DNS::Info &optional

(present if base/protocols/dns/main.zeek is loaded)

dns_state: DNS::State &optional

(present if base/protocols/dns/main.zeek is loaded)

ftp: FTP::Info &optional

(present if base/protocols/ftp/main.zeek is loaded)

ftp_data_reuse: bool &default = F &optional

(present if base/protocols/ftp/main.zeek is loaded)

ssl: SSL::Info &optional

(present if base/protocols/ssl/main.zeek is loaded)

http: HTTP::Info &optional

(present if base/protocols/http/main.zeek is loaded)

http_state: HTTP::State &optional

(present if base/protocols/http/main.zeek is loaded)

irc: IRC::Info &optional

(present if base/protocols/irc/main.zeek is loaded)

IRC session information.

krb: KRB::Info &optional

(present if base/protocols/krb/main.zeek is loaded)

ldap: LDAP::State &optional

(present if base/protocols/ldap/main.zeek is loaded)

modbus: Modbus::Info &optional

(present if base/protocols/modbus/main.zeek is loaded)

mqtt: MQTT::ConnectInfo &optional

(present if base/protocols/mqtt/main.zeek is loaded)

mqtt_state: MQTT::State &optional

(present if base/protocols/mqtt/main.zeek is loaded)

mysql: MySQL::Info &optional

(present if base/protocols/mysql/main.zeek is loaded)

ntlm: NTLM::Info &optional

(present if base/protocols/ntlm/main.zeek is loaded)

ntp: NTP::Info &optional

(present if base/protocols/ntp/main.zeek is loaded)

quic: QUIC::Info &optional

(present if base/protocols/quic/main.zeek is loaded)

radius: RADIUS::Info &optional

(present if base/protocols/radius/main.zeek is loaded)

rdp: RDP::Info &optional

(present if base/protocols/rdp/main.zeek is loaded)

rfb: RFB::Info &optional

(present if base/protocols/rfb/main.zeek is loaded)

sip: SIP::Info &optional

(present if base/protocols/sip/main.zeek is loaded)

sip_state: SIP::State &optional

(present if base/protocols/sip/main.zeek is loaded)

snmp: SNMP::Info &optional

(present if base/protocols/snmp/main.zeek is loaded)

smb_state: SMB::State &optional

(present if base/protocols/smb/main.zeek is loaded)

smtp: SMTP::Info &optional

(present if base/protocols/smtp/main.zeek is loaded)

smtp_state: SMTP::State &optional

(present if base/protocols/smtp/main.zeek is loaded)

socks: SOCKS::Info &optional

(present if base/protocols/socks/main.zeek is loaded)

ssh: SSH::Info &optional

(present if base/protocols/ssh/main.zeek is loaded)

syslog: Syslog::Info &optional

(present if base/protocols/syslog/main.zeek is loaded)

websocket: WebSocket::Info &optional

(present if base/protocols/websocket/main.zeek is loaded)

known_services_done: bool &default = F &optional

(present if policy/protocols/conn/known-services.zeek is loaded)

speculative_service: set [string] &default = {  } &optional

(present if policy/protocols/conn/speculative-service.zeek is loaded)

A connection. This is Zeek’s basic connection type describing IP- and transport-layer information about the conversation. Note that Zeek uses a liberal interpretation of “connection” and associates instances of this type also with UDP and ICMP flows.

count_set
Type

set [count]

A set of counts.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

dns_answer
Type

record

answer_type: count

Answer type. One of DNS_QUERY, DNS_ANS, DNS_AUTH and DNS_ADDL.

query: string

Query.

qtype: count

Query type.

qclass: count

Query class.

TTL: interval

Time-to-live.

The general part of a DNS reply.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TXT_reply, dns_WKS_reply

dns_binds_rr
Type

record

query: string

Query.

answer_type: count

Answer type.

algorithm: count

Algorithm for Public Key.

key_id: count

Key tag.

removal_flag: count

Removal flag.

complte_flag: string

Complete flag.

is_query: count

Whether the RR is a query or a response.

A Private RR type BINDS record.

See also: dns_BINDS

dns_dnskey_rr
Type

record

query: string

Query.

answer_type: count

Answer type.

flags: count

Flags field.

protocol: count

Protocol; should always be 3 for DNSSEC.

algorithm: count

Algorithm for Public Key.

public_key: string

Public key.

is_query: count

Whether the RR is a query or a response.

A DNSSEC DNSKEY record.

See also: dns_DNSKEY

dns_ds_rr
Type

record

query: string

Query.

answer_type: count

Answer type.

key_tag: count

Flags field.

algorithm: count

Algorithm for Public Key.

digest_type: count

Digest Type.

digest_val: string

Digest Value.

is_query: count

Whether the RR is a query or a response.

A DNSSEC DS record.

See also: dns_DS

dns_edns_additional
Type

record

query: string

Query.

qtype: count

Query type.

t: count

TODO.

payload_size: count

TODO.

extended_rcode: count

Extended return code.

version: count

Version.

z_field: count

TODO.

TTL: interval

Time-to-live.

is_query: count

TODO.

An additional DNS EDNS record.

See also: dns_EDNS_addl

dns_edns_cookie
Type

record

client_cookie: string

Cookie from the client (fixed 8 bytes).

server_cookie: string &default = "" &optional

Cookie from the server (0 bytes if missing, or 8 to 32 bytes).

A DNS EDNS COOKIE record.

See also: dns_EDNS_cookie

dns_edns_ecs
Type

record

family: string

IP family.

source_prefix_len: count

Source Prefix Length.

scope_prefix_len: count

Scope Prefix Length.

address: addr

Client Subnet Address.

A DNS EDNS Client Subnet (ECS) record.

See also: dns_EDNS_ecs

dns_edns_tcp_keepalive
Type

record

keepalive_timeout_omitted: bool

Whether the timeout value is omitted.

keepalive_timeout: count

Timeout value, in units of 100 ms.

A DNS EDNS TCP Keepalive record.

See also: dns_EDNS_tcp_keepalive

dns_loc_rr
Type

record

query: string

Query.

answer_type: count

Answer type.

version: count

Version number of the representation.

size: count

Diameter of a sphere enclosing the entity.

horiz_pre: count

The horizontal precision of the data, in centimeters.

vert_pre: count

The vertical precision of the data, in centimeters.

latitude: count

The latitude of the center of the sphere.

longitude: count

The longitude of the center of the sphere.

altitude: count

The altitude of the center of the sphere.

is_query: count

Whether the RR is a query or a response.

A Private RR type LOC record.

See also: dns_LOC

dns_mapping
Type

record

creation_time: time

The time when the mapping was created, which corresponds to when the DNS query was sent out.

req_host: string

If the mapping is the result of a name lookup, the queried host name; otherwise empty.

req_addr: addr

If the mapping is the result of a pointer lookup, the queried address; otherwise null.

valid: bool

True if the lookup returned success. Only then are the result fields valid.

hostname: string

If the mapping is the result of a pointer lookup, the resolved hostname; otherwise empty.

addrs: addr_set

If the mapping is the result of an address lookup, the resolved address(es); otherwise empty.

dns_msg
Type

record

id: count

Transaction ID.

opcode: count

Operation code.

rcode: count

Return code.

QR: bool

Query response flag.

AA: bool

Authoritative answer flag.

TC: bool

Truncated packet flag.

RD: bool

Recursion desired flag.

RA: bool

Recursion available flag.

Z: count

3-bit field (includes AD and CD).

AD: bool

Authentic data flag.

CD: bool

Checking disabled flag.

num_queries: count

Number of query records.

num_answers: count

Number of answer records.

num_auth: count

Number of authoritative records.

num_addl: count

Number of additional records.

A DNS message.

See also: dns_AAAA_reply, dns_A_reply, dns_CNAME_reply, dns_EDNS_addl, dns_HINFO_reply, dns_MX_reply, dns_NS_reply, dns_PTR_reply, dns_SOA_reply, dns_SRV_reply, dns_TSIG_addl, dns_TXT_reply, dns_WKS_reply, dns_end, dns_message, dns_query_reply, dns_rejected, dns_request
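The wire layout behind the dns_msg fields, as an added Python example (not code from this page or from Zeek): it decodes the fixed 12-byte DNS header into the field names listed above, exposing the 3-bit Z field whole, as Zeek does, while also splitting out its AD and CD bits. The DnsMsg dataclass, the reserved_z_bit_set helper and the two sample headers are this example's own constructions.

```python
import struct
from dataclasses import dataclass


@dataclass
class DnsMsg:
    """Mirror of Zeek's dns_msg record for the fixed DNS header (example type, not Zeek's)."""
    id: int
    opcode: int
    rcode: int
    QR: bool
    AA: bool
    TC: bool
    RD: bool
    RA: bool
    Z: int          # the whole 3-bit field between RA and RCODE: reserved bit, AD, CD
    AD: bool
    CD: bool
    num_queries: int
    num_answers: int
    num_auth: int
    num_addl: int


def parse_dns_header(data: bytes) -> DnsMsg:
    """Decode the 12-byte DNS header (RFC 1035 4.1.1; AD/CD bits from RFC 2535) into dns_msg fields."""
    if len(data) < 12:
        raise ValueError("DNS header needs 12 bytes, got %d" % len(data))
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return DnsMsg(
        id=msg_id,
        opcode=(flags >> 11) & 0xF,
        rcode=flags & 0xF,
        QR=bool((flags >> 15) & 1),
        AA=bool((flags >> 10) & 1),
        TC=bool((flags >> 9) & 1),
        RD=bool((flags >> 8) & 1),
        RA=bool((flags >> 7) & 1),
        Z=(flags >> 4) & 0x7,        # bits 6..4, kept whole as Zeek's Z field does
        AD=bool((flags >> 5) & 1),   # middle bit of Z
        CD=bool((flags >> 4) & 1),   # low bit of Z
        num_queries=qd, num_answers=an, num_auth=ns, num_addl=ar,
    )


def reserved_z_bit_set(msg: DnsMsg) -> bool:
    """The top bit of Z is reserved and must be zero; a set bit is a protocol anomaly worth flagging."""
    return bool((msg.Z >> 2) & 1)


# Constructed sample headers (not captured traffic).
# Response: QR, RD, RA and AD set, one question, two answers, one additional record.
SAMPLE_RESPONSE = bytes.fromhex("1234 81a0 0001 0002 0000 0001".replace(" ", ""))
# Response with RCODE 5 (REFUSED): the kind of reply behind Zeek's dns_rejected event.
SAMPLE_REFUSED = bytes.fromhex("5678 8185 0001 0000 0000 0000".replace(" ", ""))


if __name__ == "__main__":
    for sample in (SAMPLE_RESPONSE, SAMPLE_REFUSED):
        print(parse_dns_header(sample))
```

Because Z is exposed as a whole field, a value of 2 means "AD set, CD clear"; checking the reserved top bit separately keeps that anomaly visible without recomputing the flag word.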

dns_nsec3_rr
Type

record

query: string

Query.

answer_type: count

Answer type.

nsec_flags: count

Flags field.

nsec_hash_algo: count

Hash algorithm.

nsec_iter: count

Iterations.

nsec_salt_len: count

Salt length.

nsec_salt: string

Salt value.

nsec_hlen: count

Hash length.

nsec_hash: string

Hash value.

bitmaps: string_vec

Type Bit Maps.

is_query: count

Whether the RR is a query or a response.

A DNSSEC NSEC3 record.

See also: dns_NSEC3

dns_nsec3param_rr
Type

record

query: string

Query.

answer_type: count

Answer type.

nsec_flags: count

Flags field.

nsec_hash_algo: count

Hash algorithm.

nsec_iter: count

Iterations.

nsec_salt_len: count

Salt length.

nsec_salt: string

Salt value.

is_query: count

Whether the RR is a query or a response.

A DNSSEC NSEC3PARAM record.

See also: dns_NSEC3PARAM

dns_rrsig_rr
Type

record

query: string

Query.

answer_type: count

Answer type.

type_covered: count

Query type covered by the RRSIG RR.

algorithm: count

Algorithm.

labels: count

Labels in the owner’s name.

orig_ttl: interval

Original TTL.

sig_exp: time

Time when signed RR expires.

sig_incep: time

Time when signed.

key_tag: count

Key tag value.

signer_name: string

Signature.

signature: string

Hash of the RRDATA.

is_query: count

Whether the RR is a query or a response.

A DNSSEC RRSIG record.

See also: dns_RRSIG

dns_soa
Type

record

mname: string

Primary source of data for zone.

rname: string

Mailbox for responsible person.

serial: count

Version number of zone.

refresh: interval

Seconds before refreshing.

retry: interval

How long before retrying failed refresh.

expire: interval

Time after which the zone is no longer authoritative.

minimum: interval

Minimum TTL to use when exporting.

A DNS SOA record.

See also: dns_SOA_reply

dns_svcb_rr
Type

record

svc_priority: count

Service priority for the current record. 0 indicates that this record is in AliasMode and cannot carry svc_params; otherwise it is in ServiceMode and may include svc_params.

target_name: string

Target name, the hostname of the service endpoint.

DNS SVCB and HTTPS RRs.

See also: dns_SVCB, dns_HTTPS

dns_tsig_additional
Type

record

query: string

Query.

qtype: count

Query type.

alg_name: string

Algorithm name.

sig: string

Signature.

time_signed: time

Time when signed.

fudge: time

TODO.

orig_id: count

TODO.

rr_error: count

TODO.

is_query: count

TODO.

An additional DNS TSIG record.

See also: dns_TSIG_addl

double_vec
Type

vector of double

A vector of floating point numbers, used by telemetry builtin functions to store histogram bounds.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

endpoint
Type

record

size: count

Logical size of data sent (for TCP: derived from sequence numbers).

state: count

Endpoint state. For a TCP connection, one of the constants TCP_INACTIVE, TCP_SYN_SENT, TCP_SYN_ACK_SENT, TCP_PARTIAL, TCP_ESTABLISHED, TCP_CLOSED, TCP_RESET. For UDP, one of UDP_ACTIVE and UDP_INACTIVE.

num_pkts: count &optional

Number of packets sent. Only set if use_conn_size_analyzer is true.

num_bytes_ip: count &optional

Number of IP-level bytes sent. Only set if use_conn_size_analyzer is true.

flow_label: count

The current IPv6 flow label that the connection endpoint is using. Always 0 if the connection is over IPv4.

l2_addr: string &optional

The link-layer address seen in the first packet (if available).

Statistics about a connection endpoint.

See also: connection

endpoint_stats
Type

record

num_pkts: count

Number of packets.

num_rxmit: count

Number of retransmissions.

num_rxmit_bytes: count

Number of retransmitted bytes.

num_in_order: count

Number of in-order packets.

num_OO: count

Number of out-of-order packets.

num_repl: count

Number of replicated packets (last packet was sent again).

endian_type: count

Endian type used by the endpoint, if it could be determined from the sequence numbers used. This is one of ENDIAN_UNKNOWN, ENDIAN_BIG, ENDIAN_LITTLE, and ENDIAN_CONFUSED.

Statistics about what a TCP endpoint sent.

See also: conn_stats

entropy_test_result
Type

record

entropy: double

Information density.

chi_square: double

Chi-Square value.

mean: double

Arithmetic Mean.

monte_carlo_pi: double

Monte Carlo estimate of pi.

serial_correlation: double

Serial correlation coefficient.

Computed entropy values. The record captures a number of measures that are computed in parallel. See A Pseudorandom Number Sequence Test Program for more information; Zeek uses the same code.

See also: entropy_test_add, entropy_test_finish, entropy_test_init, find_entropy

fa_file
Type

record

id: string

A hash serving as the identifier associated with a single file.

parent_id: string &optional

Identifier associated with a container file from which this one was extracted as part of the file analysis.

source: string

An identification of the source of the file data. It may be, e.g., a network protocol over which the file was transferred, a local file path (including filename) that was read, or some other input source. Examples are: “HTTP”, “SMTP”, “IRC_DATA”, or the filename, or even the full path and filename.

is_orig: bool &optional

If the source of this file is a network connection, this field may be set to indicate the directionality.

conns: table [conn_id] of connection &optional

The set of connections over which the file was transferred.

last_active: time

The time at which the last activity for the file was seen.

seen_bytes: count &default = 0 &optional

Number of bytes provided to the file analysis engine for the file.

total_bytes: count &optional

Total number of bytes that are supposed to comprise the full file.

missing_bytes: count &default = 0 &optional

The number of bytes in the file stream that were completely missed during the process of analysis, e.g. due to dropped packets.

overflow_bytes: count &default = 0 &optional

The number of bytes in the file stream that were not delivered to stream file analyzers. Generally, this consists of bytes that couldn’t be reassembled, either because reassembly simply isn’t enabled, or due to size limitations of the reassembly buffer.

timeout_interval: interval &default = default_file_timeout_interval &optional

The amount of time between receiving new data for this file that the analysis engine will wait before giving up on it.

bof_buffer_size: count &default = default_file_bof_buffer_size &optional

The number of bytes at the beginning of a file to save for later inspection in the bof_buffer field.

bof_buffer: string &optional

The content of the beginning of a file up to bof_buffer_size bytes. This is also the buffer that’s used for file/mime type detection.

info: Files::Info &optional

(present if base/frameworks/files/main.zeek is loaded)

ftp: FTP::Info &optional

(present if base/protocols/ftp/files.zeek is loaded)

http: HTTP::Info &optional

(present if base/protocols/http/entities.zeek is loaded)

irc: IRC::Info &optional

(present if base/protocols/irc/files.zeek is loaded)

pe: PE::Info &optional

(present if base/files/pe/main.zeek is loaded)

Attributes

&redef

File Analysis handle for a file that Zeek is analyzing. This holds information about, but not the content of, a conceptual “file”; essentially any byte stream that is e.g. pulled from a network connection or possibly some other input source. Note that fa_file is also used in cases where there isn’t a filename to be had.

fa_metadata
Type

record

mime_type: string &optional

The strongest matching MIME type if one was discovered.

mime_types: mime_matches &optional

All matching MIME types if any were discovered.

inferred: bool &default = T &optional

Specifies whether the MIME type was inferred using signatures, or provided directly by the protocol the file appeared in.

File Analysis metadata that’s been inferred about a particular file.

files_tag_set
Type

set [Files::Tag]

A set of file analyzer tags.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

flow_id
Type

record

src_h: addr &log

The source IP address.

src_p: port &log

The source port number.

dst_h: addr &log

The destination IP address.

dst_p: port &log

The destination port number.

Attributes

&log

The identifying 4-tuple of a uni-directional flow.

Note

It’s actually a 5-tuple: the transport-layer protocol is stored as part of the port values, src_p and dst_p, and can be extracted from them with get_port_transport_proto.

from_json_result
Type

record

v: any &optional

Parsed value.

valid: bool

True if parsing was successful.

Return type for from_json BIF.

See also: from_json

ftp_port
Type

record

h: addr

The host’s address.

p: port

The host’s port.

valid: bool

True if the format was valid. Only then are h and p valid.

A parsed host/port combination describing the server endpoint for an upcoming data transfer.

See also: fmt_ftp_port, parse_eftp_port, parse_ftp_epsv, parse_ftp_pasv, parse_ftp_port

geo_autonomous_system
Type

record

number: count &optional &log

The autonomous system number.

organization: string &optional &log

Associated organization.

Attributes

&log

GeoIP autonomous system information.

See also: lookup_autonomous_system

geo_location
Type

record

country_code: string &optional &log

The country code.

region: string &optional &log

The region.

city: string &optional &log

The city.

latitude: double &optional &log

Latitude.

longitude: double &optional &log

Longitude.

Attributes

&log

GeoIP location information.

See also: lookup_location

gtp_access_point_name
Type

string

gtp_cause
Type

count

gtp_charging_characteristics
Type

count

gtp_charging_gateway_addr
Type

addr

gtp_charging_id
Type

count

gtp_create_pdp_ctx_request_elements
Type

record

imsi: gtp_imsi &optional

rai: gtp_rai &optional

recovery: gtp_recovery &optional

select_mode: gtp_selection_mode &optional

data1: gtp_teid1

cp: gtp_teid_control_plane &optional

nsapi: gtp_nsapi

linked_nsapi: gtp_nsapi &optional

charge_character: gtp_charging_characteristics &optional

trace_ref: gtp_trace_reference &optional

trace_type: gtp_trace_type &optional

end_user_addr: gtp_end_user_addr &optional

ap_name: gtp_access_point_name &optional

opts: gtp_proto_config_options &optional

signal_addr: gtp_gsn_addr

user_addr: gtp_gsn_addr

msisdn: gtp_msisdn &optional

qos_prof: gtp_qos_profile

tft: gtp_tft &optional

trigger_id: gtp_trigger_id &optional

omc_id: gtp_omc_id &optional

ext: gtp_private_extension &optional

gtp_create_pdp_ctx_response_elements
Type

record

cause: gtp_cause

reorder_req: gtp_reordering_required &optional

recovery: gtp_recovery &optional

data1: gtp_teid1 &optional

cp: gtp_teid_control_plane &optional

charging_id: gtp_charging_id &optional

end_user_addr: gtp_end_user_addr &optional

opts: gtp_proto_config_options &optional

cp_addr: gtp_gsn_addr &optional

user_addr: gtp_gsn_addr &optional

qos_prof: gtp_qos_profile &optional

charge_gateway: gtp_charging_gateway_addr &optional

ext: gtp_private_extension &optional

gtp_delete_pdp_ctx_request_elements
Type

record

teardown_ind: gtp_teardown_ind &optional

nsapi: gtp_nsapi

ext: gtp_private_extension &optional

gtp_delete_pdp_ctx_response_elements
Type

record

cause: gtp_cause

ext: gtp_private_extension &optional

gtp_end_user_addr
Type

record

pdp_type_org: count

pdp_type_num: count

pdp_ip: addr &optional

Set if the End User Address information element is IPv4/IPv6.

pdp_other_addr: string &optional

Set if the End User Address information element isn’t IPv4/IPv6.

gtp_gsn_addr
Type

record

ip: addr &optional

If the GSN Address information element has length 4 or 16, then this field is set to the information element’s value interpreted as an IPv4 or IPv6 address, respectively.

other: string &optional

This field is set if it’s not an IPv4 or IPv6 address.

gtp_imsi
Type

count

gtp_msisdn
Type

string

gtp_nsapi
Type

count

gtp_omc_id
Type

string

gtp_private_extension
Type

record

id: count

value: string

gtp_proto_config_options
Type

string

gtp_qos_profile
Type

record

priority: count

data: string

gtp_rai
Type

record

mcc: count

mnc: count

lac: count

rac: count

gtp_recovery
Type

count

gtp_reordering_required
Type

bool

gtp_selection_mode
Type

count

gtp_teardown_ind
Type

bool

gtp_teid1
Type

count

gtp_teid_control_plane
Type

count

gtp_tft
Type

string

gtp_trace_reference
Type

count

gtp_trace_type
Type

count

gtp_trigger_id
Type

string

gtp_update_pdp_ctx_request_elements
Type

record

imsi: gtp_imsi &optional

rai: gtp_rai &optional

recovery: gtp_recovery &optional

data1: gtp_teid1

cp: gtp_teid_control_plane &optional

nsapi: gtp_nsapi

trace_ref: gtp_trace_reference &optional

trace_type: gtp_trace_type &optional

cp_addr: gtp_gsn_addr

user_addr: gtp_gsn_addr

qos_prof: gtp_qos_profile

tft: gtp_tft &optional

trigger_id: gtp_trigger_id &optional

omc_id: gtp_omc_id &optional

ext: gtp_private_extension &optional

end_user_addr: gtp_end_user_addr &optional

gtp_update_pdp_ctx_response_elements
Type

record

cause: gtp_cause

recovery: gtp_recovery &optional

data1: gtp_teid1 &optional

cp: gtp_teid_control_plane &optional

charging_id: gtp_charging_id &optional

cp_addr: gtp_gsn_addr &optional

user_addr: gtp_gsn_addr &optional

qos_prof: gtp_qos_profile &optional

charge_gateway: gtp_charging_gateway_addr &optional

ext: gtp_private_extension &optional

gtpv1_hdr
Type

record

version: count

The 3-bit version field, which for GTPv1 should be 1.

pt_flag: bool

Protocol Type value differentiates GTP (value 1) from GTP’ (value 0).

rsv: bool

Reserved field, should be 0.

e_flag: bool

Extension Header flag. When 0, the next_type field may or may not be present, but shouldn’t be meaningful. When 1, next_type is present and meaningful.

s_flag: bool

Sequence Number flag. When 0, the seq field may or may not be present, but shouldn’t be meaningful. When 1, seq is present and meaningful.

pn_flag: bool

N-PDU flag. When 0, the n_pdu field may or may not be present, but shouldn’t be meaningful. When 1, n_pdu is present and meaningful.

msg_type: count

Message Type. A value of 255 indicates user-plane data is encapsulated.

length: count

Length of the GTP packet payload (the rest of the packet following the mandatory 8-byte GTP header).

teid: count

Tunnel Endpoint Identifier. Unambiguously identifies a tunnel endpoint in the receiving GTP-U or GTP-C protocol entity.

seq: count &optional

Sequence Number. Set if any e_flag, s_flag, or pn_flag field is set.

n_pdu: count &optional

N-PDU Number. Set if any e_flag, s_flag, or pn_flag field is set.

next_type: count &optional

Next Extension Header Type. Set if any e_flag, s_flag, or pn_flag field is set.

A GTPv1 (GPRS Tunneling Protocol) header.
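The optional-field rule stated for seq, n_pdu and next_type (all three are present as soon as any one of e_flag, s_flag or pn_flag is set) is the part of this header that parsers most often get wrong, so here is an added Python example, not code from this page or from Zeek, that decodes a GTPv1 header into the gtpv1_hdr field names above and checks the length field against the bytes actually present. The Gtpv1Hdr dataclass, the helper names and the two sample headers are this example's own constructions.

```python
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass
class Gtpv1Hdr:
    """Mirror of Zeek's gtpv1_hdr record (example type, not Zeek's)."""
    version: int
    pt_flag: bool
    rsv: bool
    e_flag: bool
    s_flag: bool
    pn_flag: bool
    msg_type: int
    length: int
    teid: int
    seq: Optional[int] = None        # present only when E, S or PN is set
    n_pdu: Optional[int] = None
    next_type: Optional[int] = None


def parse_gtpv1_header(data: bytes) -> Gtpv1Hdr:
    """Decode the mandatory 8-byte GTPv1 header plus the optional 4-byte block when flagged."""
    if len(data) < 8:
        raise ValueError("GTPv1 header needs at least 8 bytes, got %d" % len(data))
    flags, msg_type, length, teid = struct.unpack("!BBHI", data[:8])
    hdr = Gtpv1Hdr(
        version=flags >> 5,               # 3-bit version, 1 for GTPv1
        pt_flag=bool((flags >> 4) & 1),   # 1 = GTP, 0 = GTP'
        rsv=bool((flags >> 3) & 1),       # reserved, should be 0
        e_flag=bool((flags >> 2) & 1),
        s_flag=bool((flags >> 1) & 1),
        pn_flag=bool(flags & 1),
        msg_type=msg_type, length=length, teid=teid,
    )
    if hdr.version != 1:
        raise ValueError("not a GTPv1 header: version %d" % hdr.version)
    if hdr.e_flag or hdr.s_flag or hdr.pn_flag:
        # Any one flag set means all three optional fields are on the wire; the fields
        # whose own flag is 0 are present but not meaningful.
        if len(data) < 12:
            raise ValueError("optional GTPv1 header fields flagged but header truncated")
        hdr.seq, hdr.n_pdu, hdr.next_type = struct.unpack("!HBB", data[8:12])
    return hdr


def header_size(hdr: Gtpv1Hdr) -> int:
    """Bytes consumed by the header as parsed: 8, or 12 when the optional block is present."""
    return 12 if hdr.seq is not None else 8


def length_consistent(hdr: Gtpv1Hdr, data: bytes) -> bool:
    """The length field counts everything after the mandatory 8 bytes, optional block included."""
    return hdr.length == len(data) - 8


# Constructed samples (not captured traffic).
# GTP-C Create PDP Context Request (type 16) with S set: flags 0x32, length 4 covers seq/n_pdu/next_type.
SAMPLE_GTPC = bytes.fromhex("32 10 0004 00000000 0001 00 00".replace(" ", ""))
# GTP-U G-PDU (type 255) with no optional block: flags 0x30, TEID 0x11223344, 4 constructed payload bytes.
SAMPLE_GTPU = bytes.fromhex("30 ff 0004 11223344 deadbeef".replace(" ", ""))


if __name__ == "__main__":
    for sample in (SAMPLE_GTPC, SAMPLE_GTPU):
        h = parse_gtpv1_header(sample)
        print(h, "header bytes:", header_size(h), "length ok:", length_consistent(h, sample))
```

A length field that disagrees with the bytes present is a cheap first check before handing the payload to an inner decoder; a truncated optional block is reported as an error rather than read as zeros.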

http_message_stat
Type

record

start: time

When the request/reply line was complete.

interrupted: bool

Whether the message was interrupted.

finish_msg: string

Reason phrase if interrupted.

body_length: count

Length of body processed (before finished/interrupted).

content_gap_length: count

Total length of gaps within body_length.

header_length: count

Length of headers (including the req/reply line, but not CR/LF’s).

HTTP message statistics.

See also: http_message_done

http_stats_rec
Type

record

num_requests: count

Number of requests.

num_replies: count

Number of replies.

request_version: double

HTTP version of the requests.

reply_version: double

HTTP Version of the replies.

HTTP session statistics.

See also: http_stats

icmp6_nd_option
Type

record

otype: count

8-bit identifier of the type of option.

len: count

8-bit integer representing the length of the option (including the type and length fields) in units of 8 octets.

link_address: string &optional

Source Link-Layer Address (Type 1) or Target Link-Layer Address (Type 2). Byte ordering of this is dependent on the actual link-layer.

prefix: icmp6_nd_prefix_info &optional

Prefix Information (Type 3).

redirect: icmp_context &optional

Redirected header (Type 4). This field contains the context of the original, redirected packet.

mtu: count &optional

Recommended MTU for the link (Type 5).

payload: string &optional

The raw data of the option (everything after type & length fields), useful for unknown option types or when the full option payload is truncated in the captured packet. In those cases, option fields won’t be pre-extracted into the fields above.

Options extracted from ICMPv6 neighbor discovery messages as specified by RFC 4861.

See also: icmp_router_solicitation, icmp_router_advertisement, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_redirect, icmp6_nd_options

icmp6_nd_options
Type

vector of icmp6_nd_option

A type alias for a vector of ICMPv6 neighbor discovery message options.

icmp6_nd_prefix_info
Type

record

prefix_len: count

Number of leading bits of the prefix that are valid.

L_flag: bool

Flag indicating the prefix can be used for on-link determination.

A_flag: bool

Autonomous address-configuration flag.

valid_lifetime: interval

Length of time in seconds that the prefix is valid for purpose of on-link determination (0xffffffff represents infinity).

preferred_lifetime: interval

Length of time in seconds that the addresses generated from the prefix via stateless address autoconfiguration remain preferred (0xffffffff represents infinity).

prefix: addr

An IP address or prefix of an IP address. Use the prefix_len field to convert this into a subnet.

Values extracted from a Prefix Information option in an ICMPv6 neighbor discovery message as specified by RFC 4861.

See also: icmp6_nd_option

icmp_context
Type

record

id: conn_id

The packet’s 4-tuple.

len: count

The length of the IP packet (headers + payload).

proto: count

The packet’s transport-layer protocol.

frag_offset: count

The packet’s fragmentation offset.

bad_hdr_len: bool

True if the packet’s IP header is not fully included in the context or if there is not enough of the transport header to determine source and destination ports. If that is the case, the appropriate fields of this record will be set to null values.

bad_checksum: bool

True if the packet’s IP checksum is not correct.

MF: bool

True if the packet’s more fragments flag is set.

DF: bool

True if the packet’s don’t fragment flag is set.

Packet context part of an ICMP message. The fields of this record reflect the packet that is described by the context.

See also: icmp_time_exceeded, icmp_unreachable

icmp_hdr
Type

record

icmp_type: count

Type of message.

Values extracted from an ICMP header.

See also: pkt_hdr, discarder_check_icmp

icmp_info
Type

record

v6: bool

True if it’s an ICMPv6 packet.

itype: count

The ICMP type of the current packet.

icode: count

The ICMP code of the current packet.

len: count

The length of the ICMP payload.

ttl: count

The encapsulating IP header’s TTL (IPv4) or Hop Limit (IPv6).

Specifics about an ICMP conversation/packet. ICMP events typically pass this in addition to conn_id.

See also: icmp_echo_reply, icmp_echo_request, icmp_redirect, icmp_sent, icmp_time_exceeded, icmp_unreachable

id_table
Type

table [string] of script_id

Table type used to map script-level identifiers to meta-information describing them.

See also: global_ids, script_id

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

index_vec
Type

vector of count

A vector of counts, used by some builtin functions to store a list of indices.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

int_vec
Type

vector of int

A vector of integers, used by telemetry builtin functions to store histogram bounds.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

interval_set
Type

set [interval]

A set of intervals.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

ip4_hdr
Type

record

hl: count

Header length in bytes.

tos: count

Type of service.

len: count

Total length.

id: count

Identification.

DF: bool

True if the packet’s don’t fragment flag is set.

MF: bool

True if the packet’s more fragments flag is set.

offset: count

Fragment offset.

ttl: count

Time to live.

p: count

Protocol.

sum: count

Checksum.

src: addr

Source address.

dst: addr

Destination address.

Values extracted from an IPv4 header.

See also: pkt_hdr, ip6_hdr, discarder_check_ip

ip6_ah
Type

record

nxt: count

Protocol number of the next header (RFC 1700 et seq., IANA assigned number), e.g. IPPROTO_ICMP.

len: count

Length of header in 4-octet units, excluding first two units.

rsv: count

Reserved field.

spi: count

Security Parameter Index.

seq: count &optional

Sequence number, unset in the case that len field is zero.

data: string &optional

Authentication data, unset in the case that len field is zero.

Values extracted from an IPv6 Authentication extension header.

See also: pkt_hdr, ip4_hdr, ip6_hdr, ip6_ext_hdr

ip6_dstopts
Type

record

nxt: count

Protocol number of the next header (RFC 1700 et seq., IANA assigned number), e.g. IPPROTO_ICMP.

len: count

Length of header in 8-octet units, excluding first unit.

options: ip6_options

The TLV-encoded options.

Values extracted from an IPv6 Destination options extension header.

See also: pkt_hdr, ip4_hdr, ip6_hdr, ip6_ext_hdr, ip6_option

ip6_esp
Type

record

spi: count

Security Parameters Index.

seq: count

Sequence number.

Values extracted from an IPv6 ESP extension header.

See also: pkt_hdr, ip4_hdr, ip6_hdr, ip6_ext_hdr

ip6_ext_hdr
Type

record

id: count

The RFC 1700 et seq. IANA assigned number identifying the type of the extension header.

hopopts: ip6_hopopts &optional

Hop-by-hop option extension header.

dstopts: ip6_dstopts &optional

Destination option extension header.

routing: ip6_routing &optional

Routing extension header.

fragment: ip6_fragment &optional

Fragment header.

ah: ip6_ah &optional

Authentication extension header.

esp: ip6_esp &optional

Encapsulating security payload header.

mobility: ip6_mobility_hdr &optional

Mobility header.

A general container for a more specific IPv6 extension header.

See also: pkt_hdr, ip4_hdr, ip6_hopopts, ip6_dstopts, ip6_routing, ip6_fragment, ip6_ah, ip6_esp

ip6_ext_hdr_chain
Type

vector of ip6_ext_hdr

A type alias for a vector of IPv6 extension headers.

ip6_fragment
Type

record

nxt: count

Protocol number of the next header (RFC 1700 et seq., IANA assigned number), e.g. IPPROTO_ICMP.

rsv1: count

8-bit reserved field.

offset: count

Fragmentation offset.

rsv2: count

2-bit reserved field.

more: bool

More fragments.

id: count

Fragment identification.

Values extracted from an IPv6 Fragment extension header.

See also: pkt_hdr, ip4_hdr, ip6_hdr, ip6_ext_hdr

ip6_hdr
Type

record

class: count

Traffic class.

flow: count

Flow label.

len: count

Payload length.

nxt: count

Protocol number of the next header (RFC 1700 et seq., IANA assigned number) e.g. IPPROTO_ICMP.

hlim: count

Hop limit.

src: addr

Source address.

dst: addr

Destination address.

exts: ip6_ext_hdr_chain

Extension header chain.

Values extracted from an IPv6 header.

See also: pkt_hdr, ip4_hdr, ip6_ext_hdr, ip6_hopopts, ip6_dstopts, ip6_routing, ip6_fragment, ip6_ah, ip6_esp

ip6_hopopts
Type

record

nxt: count

Protocol number of the next header (RFC 1700 et seq., IANA assigned number), e.g. IPPROTO_ICMP.

len: count

Length of header in 8-octet units, excluding first unit.

options: ip6_options

The TLV-encoded options.

Values extracted from an IPv6 Hop-by-Hop options extension header.

See also: pkt_hdr, ip4_hdr, ip6_hdr, ip6_ext_hdr, ip6_option
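The length units given for ip6_ah (4-octet units, excluding the first two) and for ip6_hopopts, ip6_dstopts and ip6_mobility_hdr (8-octet units, excluding the first) differ, and ip6_fragment has no length byte at all; mixing them up misplaces every later header in the chain. As an added Python example, not code from this page or from Zeek, this walks the extension-header chain that begins at ip6_hdr.nxt into the shape of ip6_ext_hdr_chain, applying the right unit per header, treating the fragment header as fixed 8 bytes and stopping at ip6_esp, whose contents after spi and seq are encrypted. The Ip6ExtHdr dataclass, the anomaly strings and the sample payloads are this example's own constructions.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IANA protocol numbers for the extension headers Zeek models in ip6_ext_hdr.
IPPROTO_HOPOPTS = 0
IPPROTO_ROUTING = 43
IPPROTO_FRAGMENT = 44
IPPROTO_ESP = 50
IPPROTO_AH = 51
IPPROTO_DSTOPTS = 60
IPPROTO_MOBILITY = 135
EXT_HDRS = {IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_FRAGMENT, IPPROTO_ESP,
            IPPROTO_AH, IPPROTO_DSTOPTS, IPPROTO_MOBILITY}


@dataclass
class Ip6ExtHdr:
    """One element of the chain (example type): header id, the next header it names
    (None for ESP), its offset in the IPv6 payload and its size on the wire in bytes."""
    id: int
    nxt: Optional[int]
    offset: int
    size: int


def walk_ip6_ext_chain(payload: bytes, first_nxt: int) -> Tuple[List[Ip6ExtHdr], Optional[int], int, List[str]]:
    """Walk the chain starting at ip6_hdr.nxt.

    Returns (chain, upper_layer_proto, upper_layer_offset, anomalies); upper_layer_proto
    is None when the chain ends in ESP, since nothing after ESP's SPI/seq is parseable."""
    chain: List[Ip6ExtHdr] = []
    anomalies: List[str] = []
    nxt, off = first_nxt, 0
    while nxt in EXT_HDRS:
        remaining = len(payload) - off
        if nxt == IPPROTO_ESP:
            if remaining < 8:
                raise ValueError("truncated ESP header at offset %d" % off)
            spi, seq = struct.unpack("!II", payload[off:off + 8])   # the only cleartext ESP fields
            chain.append(Ip6ExtHdr(nxt, None, off, remaining))
            return chain, None, len(payload), anomalies
        if remaining < 2:
            raise ValueError("truncated extension header at offset %d" % off)
        hdr_nxt, hdr_len = payload[off], payload[off + 1]
        if nxt == IPPROTO_FRAGMENT:
            size = 8                    # fixed size; the second byte is reserved, not a length
        elif nxt == IPPROTO_AH:
            size = (hdr_len + 2) * 4    # ip6_ah.len: 4-octet units excluding the first two
        else:
            size = (hdr_len + 1) * 8    # hopopts/dstopts/routing/mobility: 8-octet units excluding the first
        if size > remaining:
            raise ValueError("header %d at offset %d claims %d bytes, only %d left" % (nxt, off, size, remaining))
        if nxt == IPPROTO_HOPOPTS and off != 0:
            anomalies.append("hop-by-hop header not first in chain")   # RFC 8200 allows it only first
        chain.append(Ip6ExtHdr(nxt, hdr_nxt, off, size))
        off += size
        nxt = hdr_nxt
    return chain, nxt, off, anomalies


# Constructed IPv6 payload (not captured traffic): Hop-by-Hop -> Fragment -> AH -> ICMPv6 (58).
SAMPLE_CHAIN = (
    b"\x2c\x00" + b"\x01\x04" + b"\x00" * 4                      # hopopts: nxt=44, len=0 (8 bytes), PadN
    + b"\x33\x00" + b"\x00\x01" + b"\x00\x00\xab\xcd"            # fragment: nxt=51, offset 0, M=1, id 0xabcd
    + b"\x3a\x04\x00\x00" + b"\x00\x00\x01\x00" + b"\x00\x00\x00\x07" + b"\x00" * 12  # AH: nxt=58, len=4 -> 24 bytes
    + b"\x80\x00\x00\x00"                                          # ICMPv6 echo request stub
)
# Constructed payload with Hop-by-Hop in second position: Fragment (nxt=0) -> Hop-by-Hop (nxt=58) -> ICMPv6.
SAMPLE_MISORDERED = (
    b"\x00\x00\x00\x00\x00\x00\x00\x01"
    + b"\x3a\x00" + b"\x01\x04" + b"\x00" * 4
    + b"\x80\x00\x00\x00"
)


if __name__ == "__main__":
    print(walk_ip6_ext_chain(SAMPLE_CHAIN, IPPROTO_HOPOPTS))
    print(walk_ip6_ext_chain(SAMPLE_MISORDERED, IPPROTO_FRAGMENT))
```

Applying the 8-octet rule to the AH header in the first sample would yield 40 bytes instead of 24 and run past the end of the payload; the size check turns that into an explicit error instead of a silently wrong upper-layer offset.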

ip6_mobility_back
Type

record

status: count

Status.

k: bool

Key Management Mobility Capability.

seq: count

Sequence number.

life: count

Lifetime.

options: vector of ip6_option

Mobility Options.

Values extracted from an IPv6 Mobility Binding Acknowledgement message.

See also: ip6_mobility_hdr, ip6_hdr, ip6_ext_hdr, ip6_mobility_msg

ip6_mobility_be
Type

record

status: count

Status.

hoa: addr

Home Address.

options: vector of ip6_option

Mobility Options.

Values extracted from an IPv6 Mobility Binding Error message.

See also: ip6_mobility_hdr, ip6_hdr, ip6_ext_hdr, ip6_mobility_msg

ip6_mobility_brr
Type

record

rsv: count

Reserved.

options: vector of ip6_option

Mobility Options.

Values extracted from an IPv6 Mobility Binding Refresh Request message.

See also: ip6_mobility_hdr, ip6_hdr, ip6_ext_hdr, ip6_mobility_msg

ip6_mobility_bu
Type

record

seq: count

Sequence number.

a: bool

Acknowledge bit.

h: bool

Home Registration bit.

l: bool

Link-Local Address Compatibility bit.

k: bool

Key Management Mobility Capability bit.

life: count

Lifetime.

options: vector of ip6_option

Mobility Options.

Values extracted from an IPv6 Mobility Binding Update message.

See also: ip6_mobility_hdr, ip6_hdr, ip6_ext_hdr, ip6_mobility_msg

ip6_mobility_cot
Type

record

nonce_idx: count

Care-of Nonce Index.

cookie: count

Care-of Init Cookie.

token: count

Care-of Keygen Token.

options: vector of ip6_option

Mobility Options.

Values extracted from an IPv6 Mobility Care-of Test message.

See also: ip6_mobility_hdr, ip6_hdr, ip6_ext_hdr, ip6_mobility_msg

ip6_mobility_coti
Type

record

rsv: count

Reserved.

cookie: count

Care-of Init Cookie.

options: vector of ip6_option

Mobility Options.

Values extracted from an IPv6 Mobility Care-of Test Init message.

See also: ip6_mobility_hdr, ip6_hdr, ip6_ext_hdr, ip6_mobility_msg

ip6_mobility_hdr
Type

record

nxt: count

Protocol number of the next header (RFC 1700 et seq., IANA assigned number), e.g. IPPROTO_ICMP.

len: count

Length of header in 8-octet units, excluding first unit.

mh_type: count

Mobility header type used to identify the header’s message.

rsv: count

Reserved field.

chksum: count

Mobility header checksum.

msg: ip6_mobility_msg

Mobility header message.

Values extracted from an IPv6 Mobility header.

See also: pkt_hdr, ip4_hdr, ip6_hdr, ip6_ext_hdr

ip6_mobility_hot
Type

record

nonce_idx: count

Home Nonce Index.

cookie: count

Home Init Cookie.

token: count

Home Keygen Token.

options: vector of ip6_option

Mobility Options.

Values extracted from an IPv6 Mobility Home Test message.

See also: ip6_mobility_hdr, ip6_hdr, ip6_ext_hdr, ip6_mobility_msg

ip6_mobility_hoti
Type

record

rsv: count

Reserved.

cookie: count

Home Init Cookie.

options: vector of ip6_option

Mobility Options.

Values extracted from an IPv6 Mobility Home Test Init message.

See also: ip6_mobility_hdr, ip6_hdr, ip6_ext_hdr, ip6_mobility_msg

ip6_mobility_msg
Type

record

id: count

The type of message from the header’s MH Type field.

brr: ip6_mobility_brr &optional

Binding Refresh Request.

hoti: ip6_mobility_hoti &optional

Home Test Init.

coti: ip6_mobility_coti &optional

Care-of Test Init.

hot: ip6_mobility_hot &optional

Home Test.

cot: ip6_mobility_cot &optional

Care-of Test.

bu: ip6_mobility_bu &optional

Binding Update.

back: ip6_mobility_back &optional

Binding Acknowledgement.

be: ip6_mobility_be &optional

Binding Error.

Values extracted from an IPv6 Mobility header’s message data.

See also: ip6_mobility_hdr, ip6_hdr, ip6_ext_hdr

ip6_option
Type

record

otype: count

Option type.

len: count

Option data length.

data: string

Option data.

Values extracted from an IPv6 extension header’s (e.g. hop-by-hop or destination option headers) option field.

See also: ip6_hdr, ip6_ext_hdr, ip6_hopopts, ip6_dstopts

ip6_options
Type

vector of ip6_option

A type alias for a vector of IPv6 options.

ip6_routing
Type

record

nxt: count

Protocol number of the next header (RFC 1700 et seq., IANA assigned number), e.g. IPPROTO_ICMP.

len: count

Length of header in 8-octet units, excluding first unit.

rtype: count

Routing type.

segleft: count

Segments left.

data: string

Type-specific data.

Values extracted from an IPv6 Routing extension header.

See also: pkt_hdr, ip4_hdr, ip6_hdr, ip6_ext_hdr

irc_join_info
Type

record

nick: string

channel: string

password: string

usermode: string

IRC join information.

See also: irc_join_list

irc_join_list
Type

set [irc_join_info]

Set of IRC join information.

See also: irc_join_message

l2_hdr
Type

record

encap: link_encap

L2 link encapsulation.

len: count

Total frame length on wire.

cap_len: count

Captured length.

src: string &optional

L2 source (if Ethernet).

dst: string &optional

L2 destination (if Ethernet).

vlan: count &optional

Outermost VLAN tag if any (and Ethernet).

inner_vlan: count &optional

Innermost VLAN tag if any (and Ethernet).

eth_type: count &optional

Innermost Ethertype (if Ethernet).

proto: layer3_proto

L3 protocol.

Values extracted from the layer 2 header.

See also: pkt_hdr

mime_header_list
Type

table [count] of mime_header_rec

A list of MIME headers.

See also: mime_header_rec, http_all_headers, mime_all_headers

mime_header_rec
Type

record

original_name: string

The header name (unaltered).

name: string

The header name (converted to all upper-case).

value: string

The header value.

A MIME header key/value pair.

See also: mime_header_list, http_all_headers, mime_all_headers, mime_one_header

mime_match
Type

record

strength: int

How strongly the signature matched. Used for prioritization when multiple file magic signatures match.

mime: string

The MIME type of the file magic signature match.

A structure indicating a MIME type and strength of a match against file magic signatures.

See also: file_magic

mime_matches
Type

vector of mime_match

A vector of file magic signature matches, ordered by strength of the signature, strongest first.

See also: file_magic

pcap_packet
Type

record

ts_sec: count

The non-fractional part of the packet’s timestamp (i.e., full seconds since the epoch).

ts_usec: count

The fractional part of the packet’s timestamp.

caplen: count

The number of bytes captured (<= len).

len: count

The length of the packet in bytes, including link-level header.

data: string

The payload of the packet, including link-level header.

link_type: link_encap

Layer 2 link encapsulation type.

Policy-level representation of a packet passed on by libpcap. The data includes the complete packet as returned by libpcap, including the link-layer header.

See also: dump_packet, get_current_packet

pkt_hdr
Type

record

ip: ip4_hdr &optional

The IPv4 header if an IPv4 packet.

ip6: ip6_hdr &optional

The IPv6 header if an IPv6 packet.

tcp: tcp_hdr &optional

The TCP header if a TCP packet.

udp: udp_hdr &optional

The UDP header if a UDP packet.

icmp: icmp_hdr &optional

The ICMP header if an ICMP packet.

A packet header, consisting of an IP header and transport-layer header.

See also: new_packet

pkt_profile_modes
Type

enum

PKT_PROFILE_MODE_NONE

No output.

PKT_PROFILE_MODE_SECS

Output every pkt_profile_freq seconds.

PKT_PROFILE_MODE_PKTS

Output every pkt_profile_freq packets.

PKT_PROFILE_MODE_BYTES

Output every pkt_profile_freq bytes.

Output modes for packet profiling information.

See also: pkt_profile_mode, pkt_profile_freq, pkt_profile_file

pm_callit_request
Type

record

program: count

The RPC program.

version: count

The program version.

proc: count

The procedure being called.

arg_size: count

The size of the argument.

An RPC portmapper callit request.

See also: pm_attempt_callit, pm_request_callit

pm_mapping
Type

record

program: count

The RPC program.

version: count

The program version.

p: port

The port.

An RPC portmapper mapping.

See also: pm_mappings

pm_mappings
Type

table [count] of pm_mapping

Table of RPC portmapper mappings.

See also: pm_request_dump

pm_port_request
Type

record

program: count

The RPC program.

version: count

The program version.

is_tcp: bool

True if using TCP.

An RPC portmapper request.

See also: pm_attempt_getport, pm_request_getport

psk_identity_vec
Type

vector of SSL::PSKIdentity

raw_pkt_hdr
Type

record

l2: l2_hdr

The layer 2 header.

ip: ip4_hdr &optional

The IPv4 header if an IPv4 packet.

ip6: ip6_hdr &optional

The IPv6 header if an IPv6 packet.

tcp: tcp_hdr &optional

The TCP header if a TCP packet.

udp: udp_hdr &optional

The UDP header if a UDP packet.

icmp: icmp_hdr &optional

The ICMP header if an ICMP packet.

A raw packet header, consisting of the L2 header and everything in pkt_hdr.

See also: raw_packet, pkt_hdr
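As an added example (not code from the Zeek distribution), the following script shows how the l2_hdr, raw_pkt_hdr and tcp_hdr records fit together when handled from the raw_packet event: it counts bare TCP SYNs per outer VLAN tag, which is a cheap way to spot a scan confined to one VLAN in a capture. The module name, the table name and the two flag-bit constants are this example's own; the record fields and the raw_packet event are the ones documented on this page.

```zeek
# Added example, not part of base/init-bare.zeek: count TCP SYNs per outer
# VLAN tag using the raw_packet event. raw_packet fires for every packet,
# so use this on small captures or targeted test traffic, not a busy sensor.

module VlanSyn;

export {
    ## SYN count per outer VLAN tag, printed when Zeek exits.
    global syns_by_vlan: table[count] of count &default=0;
}

# Flag bit positions within tcp_hdr$flags (RFC 793 layout); the names are
# this example's own to avoid clashing with Zeek's built-in TH_* constants.
const SYN_BIT = 0x02;
const ACK_BIT = 0x10;

event raw_packet(p: raw_pkt_hdr)
    {
    # Only Ethernet frames carry VLAN tags; l2_hdr$vlan is &optional.
    if ( ! p$l2?$vlan )
        return;

    # The transport-layer fields of pkt_hdr are &optional too: skip non-TCP.
    if ( ! p?$tcp )
        return;

    local f = p$tcp$flags;

    # SYN set and ACK clear marks a new connection attempt.
    if ( (f & SYN_BIT) != 0 && (f & ACK_BIT) == 0 )
        ++syns_by_vlan[p$l2$vlan];
    }

event zeek_done()
    {
    for ( vlan, n in syns_by_vlan )
        print fmt("vlan %d: %d SYNs", vlan, n);
    }
```

Run it against a trace with `zeek -r capture.pcap vlan_syn.zeek`; the optional-field checks (`?$`) matter because accessing an unset `&optional` field is a runtime error that would abort the handler.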

record_field
Type

record

type_name: string

The name of the field’s type.

log: bool

True if the field is declared with &log attribute.

value: any &optional

The current value of the field in the record instance passed into record_fields (if it has one).

default_val: any &optional

The value of the &default attribute if defined.

optional: bool

True if the field is &optional, else false.

Meta-information about a record field.

See also: record_fields, record_field_table

record_field_table
Type

table [string] of record_field

Table type used to map record field declarations to meta-information describing them.

See also: record_fields, record_field

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

rotate_info
Type

record

old_name: string

Original filename.

new_name: string

File name after rotation.

open: time

Time when opened.

close: time

Time when closed.

See also: rotate_file, rotate_file_by_name

script_id
Type

record

type_name: string

The name of the identifier’s type.

exported: bool

True if the identifier is exported.

constant: bool

True if the identifier is a constant.

enum_constant: bool

True if the identifier is an enum value.

option_value: bool

True if the identifier is an option.

redefinable: bool

True if the identifier is declared with the &redef attribute.

broker_backend: bool

True if the identifier has a Broker backend defined using the &backend attribute.

value: any &optional

The current value of the identifier.

Meta-information about a script-level identifier.

See also: global_ids, id_table

signature_and_hashalgorithm_vec
Type

vector of SSL::SignatureAndHashAlgorithm

A vector of Signature and Hash Algorithms.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

signature_state
Type

record

sig_id: string

ID of the matching signature.

conn: connection

Matching connection.

is_orig: bool

True if matching endpoint is originator.

payload_size: count

Payload size of the first matching packet of current endpoint.

Description of a signature match.

See also: signature_match

string_any_file_hook
Type

hook (f: fa_file, e: any, str: string) : bool

A hook taking a fa_file, an any, and a string. Used by the X509 analyzer as callback.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

string_any_table
Type

table [string] of any

A string-table of any.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

string_array
Type

table [count] of string

An ordered array of strings. The entries are indexed by successive numbers. Note that it depends on the usage whether the first index is zero or one.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

string_mapper
Type

function (s: string) : string

Function mapping a string to a string.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

string_set
Type

set [string]

A set of strings.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

string_vec
Type

vector of string

A vector of strings.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

subnet_set
Type

set [subnet]

A set of subnets.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

subnet_vec
Type

vector of subnet

A vector of subnets.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

sw_align
Type

record

str: string

String a substring is part of.

index: count

Offset substring is located.

Helper type for return value of Smith-Waterman algorithm.

See also: str_smith_waterman, sw_substring_vec, sw_substring, sw_align_vec, sw_params

sw_align_vec
Type

vector of sw_align

Helper type for return value of Smith-Waterman algorithm.

See also: str_smith_waterman, sw_substring_vec, sw_substring, sw_align, sw_params

sw_params
Type

record

min_strlen: count &default = 3 &optional

Minimum size of a substring, minimum “granularity”.

sw_variant: count &default = 0 &optional

Smith-Waterman flavor to use.

Parameters for the Smith-Waterman algorithm.

See also: str_smith_waterman

sw_substring
Type

record

str: string

A substring.

aligns: sw_align_vec

All strings of which it’s a substring.

new: bool

True if start of new alignment.

Helper type for return value of Smith-Waterman algorithm.

See also: str_smith_waterman, sw_substring_vec, sw_align_vec, sw_align, sw_params

sw_substring_vec
Type

vector of sw_substring

Return type for Smith-Waterman algorithm.

See also: str_smith_waterman, sw_substring, sw_align_vec, sw_align, sw_params

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

table_string_of_count
Type

table [string] of count

A table of counts indexed by strings.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

table_string_of_string
Type

table [string] of string

A table of strings indexed by strings.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

tcp_hdr
Type

record

sport: port

Source port.

dport: port

Destination port.

seq: count

Sequence number.

ack: count

Acknowledgement number.

hl: count

Header length (in bytes).

dl: count

Data length (not a field of the wire TCP header).

reserved: count

The “reserved” 4 bits after the “data offset” field.

flags: count

The 8 bits of flags after the “reserved” field.

win: count

Window.

Values extracted from a TCP header.

See also: pkt_hdr, discarder_check_tcp

teredo_auth
Type

record

id: string

Teredo client identifier.

value: string

HMAC-SHA1 over shared secret key between client and server, nonce, confirmation byte, origin indication (if present), and the IPv6 packet.

nonce: count

Nonce chosen by Teredo client to be repeated by Teredo server.

confirm: count

Confirmation byte to be set to 0 by Teredo client and non-zero by server if client needs new key.

A Teredo authentication header. See RFC 4380 for more information about the Teredo protocol.

See also: teredo_bubble, teredo_origin_indication, teredo_authentication, teredo_hdr

teredo_hdr
Type

record

auth: teredo_auth &optional

Teredo authentication header.

origin: teredo_origin &optional

Teredo origin indication header.

hdr: pkt_hdr

IPv6 and transport protocol headers.

A Teredo packet header. See RFC 4380 for more information about the Teredo protocol.

See also: teredo_bubble, teredo_origin_indication, teredo_authentication

teredo_origin
Type

record

p: port

Unobfuscated UDP port of Teredo client.

a: addr

Unobfuscated IPv4 address of Teredo client.

A Teredo origin indication header. See RFC 4380 for more information about the Teredo protocol.

See also: teredo_bubble, teredo_origin_indication, teredo_authentication, teredo_hdr

transport_proto
Type

enum

unknown_transport

An unknown transport-layer protocol.

tcp

TCP.

udp

UDP.

icmp

ICMP.

A connection’s transport-layer protocol. Note that Zeek uses the term “connection” broadly, using flow semantics for ICMP and UDP.

udp_hdr
Type

record

sport: port

Source port.

dport: port

Destination port.

ulen: count

UDP length.

Values extracted from a UDP header.

See also: pkt_hdr, discarder_check_udp

var_sizes
Type

table [string] of count

Table type used to map variable names to their memory allocation.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

x509_opaque_vector
Type

vector of opaque of x509

A vector of x509 opaques.

Todo

We need this type definition only for declaring builtin functions via bifcl. We should extend bifcl to understand composite types directly and then remove this alias.

Functions

add_interface
Type

function (iold: string, inew: string) : string

Internal function.

add_signature_file
Type

function (sold: string, snew: string) : string

Internal function.

discarder_check_icmp
Type

function (p: pkt_hdr) : bool

Function for skipping packets based on their ICMP header. If defined, this function will be called for all ICMP packets before Zeek performs any further analysis. If the function signals to discard a packet, no further processing will be performed on it.

Parameters

p – The IP and ICMP headers of the considered packet.

Returns

True if the packet should not be analyzed any further.

See also: discarder_check_ip, discarder_check_tcp, discarder_check_udp, discarder_maxlen

Note

This is very low-level functionality and potentially expensive. Avoid using it.

discarder_check_ip
Type

function (p: pkt_hdr) : bool

Function for skipping packets based on their IP header. If defined, this function will be called for all IP packets before Zeek performs any further analysis. If the function signals to discard a packet, no further processing will be performed on it.

Parameters

p – The IP header of the considered packet.

Returns

True if the packet should not be analyzed any further.

See also: discarder_check_tcp, discarder_check_udp, discarder_check_icmp, discarder_maxlen

Note

This is very low-level functionality and potentially expensive. Avoid using it.

discarder_check_tcp
Type

function (p: pkt_hdr, d: string) : bool

Function for skipping packets based on their TCP header. If defined, this function will be called for all TCP packets before Zeek performs any further analysis. If the function signals to discard a packet, no further processing will be performed on it.

Parameters
  • p – The IP and TCP headers of the considered packet.

  • d – Up to discarder_maxlen bytes of the TCP payload.

Returns

True if the packet should not be analyzed any further.

See also: discarder_check_ip, discarder_check_udp, discarder_check_icmp, discarder_maxlen

Note

This is very low-level functionality and potentially expensive. Avoid using it.

discarder_check_udp
Type

function (p: pkt_hdr, d: string) : bool

Function for skipping packets based on their UDP header. If defined, this function will be called for all UDP packets before Zeek performs any further analysis. If the function signals to discard a packet, no further processing will be performed on it.

Parameters
  • p – The IP and UDP headers of the considered packet.

  • d – Up to discarder_maxlen bytes of the UDP payload.

Returns

True if the packet should not be analyzed any further.

See also: discarder_check_ip, discarder_check_tcp, discarder_check_icmp, discarder_maxlen

Note

This is very low-level functionality and potentially expensive. Avoid using it.
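The four discarder_check_* functions above share one usage pattern, so a single added example covers them (it is not code from the Zeek distribution): defining the function with the documented signature activates the hook, and returning true drops the packet before any further analysis. This one drops UDP flow-export traffic from a placeholder subnet that would otherwise only generate noise; the subnet, the port and the variable name are constructed for the example.

```zeek
# Added example, not part of base/init-bare.zeek: skip UDP packets exchanged
# with a placeholder "noisy exporter" subnet on a placeholder port before Zeek
# performs any further analysis. All other packets are analyzed as usual.

# Constructed placeholder values; replace with the real source and port.
const noisy_exporters: set[subnet] = { 192.0.2.0/24 } &redef;
const noisy_port = 2055/udp &redef;

# Defining this function is what enables the hook for every UDP packet.
function discarder_check_udp(p: pkt_hdr, d: string): bool
    {
    # udp is &optional in pkt_hdr; only UDP packets reach here, but guard
    # anyway so an unexpected packet cannot trigger a runtime error.
    if ( ! p?$udp )
        return F;

    # Restrict to the exporter port so unrelated UDP traffic is untouched.
    if ( p$udp$dport != noisy_port && p$udp$sport != noisy_port )
        return F;

    local src: addr;
    local dst: addr;

    # Either the IPv4 or the IPv6 header is present, never both.
    if ( p?$ip )
        {
        src = p$ip$src;
        dst = p$ip$dst;
        }
    else if ( p?$ip6 )
        {
        src = p$ip6$src;
        dst = p$ip6$dst;
        }
    else
        return F;

    # True means "do not analyze this packet any further".
    return src in noisy_exporters || dst in noisy_exporters;
    }
```

Because the function runs per packet, keep the body to set lookups and field comparisons as here; anything heavier belongs in an event handler, and the payload argument `d` (at most discarder_maxlen bytes) is left unused on purpose.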

from_json_default_key_mapper
Type

function (s: string) : string

The default JSON key mapper function. Identity function.

max_count
Type

function (a: count, b: count) : count

Returns maximum of two count values.

Parameters
  • a – First value.

  • b – Second value.

Returns

The maximum of a and b.

max_double
Type

function (a: double, b: double) : double

Returns maximum of two double values.

Parameters
  • a – First value.

  • b – Second value.

Returns

The maximum of a and b.

max_interval
Type

function (a: interval, b: interval) : interval

Returns maximum of two interval values.

Parameters
  • a – First value.

  • b – Second value.

Returns

The maximum of a and b.

min_count
Type

function (a: count, b: count) : count

Returns minimum of two count values.

Parameters
  • a – First value.

  • b – Second value.

Returns

The minimum of a and b.

min_double
Type

function (a: double, b: double) : double

Returns minimum of two double values.

Parameters
  • a – First value.

  • b – Second value.

Returns

The minimum of a and b.

min_interval
Type

function (a: interval, b: interval) : interval

Returns minimum of two interval values.

Parameters
  • a – First value.

  • b – Second value.

Returns

The minimum of a and b.