base/bif/zeek.bif.zeek

GLOBAL

A collection of built-in functions that implement a variety of things such as general programming algorithms, string processing, math functions, introspection, type conversion, file/directory manipulation, packet filtering, interprocess communication and controlling protocol analyzer behavior.

You’ll find most of Zeek’s built-in functions that aren’t protocol-specific in this file.

Namespace

GLOBAL

Summary

Functions

__init_secondary_bifs: function

An internal function that helps initialize BIFs.

active_file: function

Checks whether a given file is open.

addr_to_counts: function

Converts an addr to an index_vec.

addr_to_ptr_name: function

Converts an IP address to a reverse pointer name.

addr_to_subnet: function

Converts an addr to a subnet.

all_set: function

Tests whether all elements of a boolean vector (vector of bool) are true.

anonymize_addr: function

Anonymizes an IP address.

any_set: function

Tests whether a boolean vector (vector of bool) has any true element.

backtrace: function

Returns a representation of the call stack as a vector of call stack elements, each containing call location information.

bare_mode: function

Returns whether Zeek was started in bare mode.

bytestring_to_count: function

Converts a string of bytes to a count.

bytestring_to_double: function

Converts a string of bytes representing a double value (in network byte order) to a double.

bytestring_to_float: function

Converts a string of bytes representing a float value (in network byte order) to a double.

bytestring_to_hexstr: function

Converts a string of bytes into its hexadecimal representation.

calc_next_rotate: function

Calculates the duration until the next time a file is to be rotated, based on a given rotate interval.

cat: function

Returns the concatenation of the string representation of its arguments.

cat_sep: function

Concatenates all arguments, with a separator placed between each one.

ceil: function

Computes the smallest integer greater than or equal to the given double value.

check_subnet: function

Checks if a specific subnet is a member of a set/table[subnet].

clear_table: function

Removes all elements from a set or table.

close: function

Closes an open file and flushes any buffered content.

compress_path: function

Compresses a given path by removing ‘..’s and the parent directory it references and also removing dual ‘/’s and extraneous ‘/./’s.

connection_exists: function

Checks whether a connection is (still) active.

continue_processing: function

Resumes Zeek’s packet processing.

convert_for_pattern: function

Escapes a string so that it becomes a valid pattern and can be used with string_to_pattern.

count_to_double: function

Converts a count to a double.

count_to_port: function

Converts a count and transport_proto to a port.

count_to_v4_addr: function

Converts a count to an addr.

counts_to_addr: function

Converts an index_vec to an addr.

current_analyzer: function

Returns the ID of the analyzer which raised the current event.

current_event_time: function

Returns the timestamp of the last raised event.

current_time: function

Returns the current wall-clock time.

decode_base64: function

Decodes a Base64-encoded string.

decode_base64_conn: function

Decodes a Base64-encoded string that was derived from processing a connection.

disable_analyzer: function

Disables the analyzer which raised the current event (if the analyzer belongs to the given connection).

disable_event_group: function

Disables the given event group.

disable_module_events: function

Disable all event handlers and hooks in the given module.

do_profiling: function

Enables detailed collection of profiling statistics.

double_to_count: function

Converts a double to a count.

double_to_int: function

Converts a double to an int.

double_to_interval: function

Converts a double to an interval.

double_to_time: function

Converts a double value to a time.

dump_current_packet: function

Writes the current packet to a file.

dump_packet: function

Writes a given packet to a file.

dump_rule_stats: function

Write rule matcher statistics (DFA states, transitions, memory usage, cache hits/misses) to a file.

enable_event_group: function

Enables the given event group.

enable_module_events: function

Enable all event handlers and hooks in the given module.

enable_raw_output: function

Prevents escaping of non-ASCII characters when writing to a file.

encode_base64: function

Encodes a string as Base64.

entropy_test_add: function

Adds data to an incremental entropy calculation.

entropy_test_finish: function

Finishes an incremental entropy calculation.

entropy_test_init: function

Initializes data structures for incremental entropy calculation.

enum_names: function

Returns all value names associated with an enum type.

enum_to_int: function

Converts an enum to an int.

exit: function

Shuts down the Zeek process immediately.

exp: function

Computes the exponential function.

file_magic: function

Determines the MIME type of a piece of data using Zeek’s file magic signatures.

file_mode: function

Converts UNIX file permissions given by a mode to an ASCII string.

file_size: function

Returns the size of a given file.

filter_subnet_table: function

For a set[subnet]/table[subnet], create a new table that contains all entries that contain a given subnet.

find_entropy: function

Performs an entropy test on the given data.

find_in_zeekpath: function

Determine the path used by a non-relative @load directive.

floor: function

Computes the greatest integer less than the given double value.

flush_all: function

Flushes all open files to disk.

fmt: function

Produces a formatted string à la printf.

fnv1a32: function

Returns 32-bit digest of arbitrary input values using FNV-1a hash algorithm.

from_json: function

A function to convert a JSON string into Zeek values of a given type.

generate_all_events: function

By default, Zeek does not generate (raise) events that are not handled by any scripts.

get_conn_transport_proto: function

Extracts the transport protocol from a connection.

get_current_packet: function

Returns the currently processed PCAP packet.

get_current_packet_header: function

Function to get the raw headers of the currently processed packet.

get_file_name: function

Gets the filename associated with a file handle.

get_port_transport_proto: function

Extracts the transport protocol from a port.

getenv: function

Returns a system environment variable.

gethostname: function

Returns the hostname of the machine Zeek runs on.

getpid: function

Returns Zeek’s process ID.

global_container_footprints: function

Generates a table of the “footprint” of all global container variables.

global_ids: function

Generates a table with information about all global identifiers.

global_options: function

Returns a set giving the names of all global options.

has_event_group: function

Does an attribute event group with this name exist?

has_module_events: function

Does a module event group with this name exist?

have_spicy: function

Returns true if Zeek was built with support for using Spicy analyzers (which

have_spicy_analyzers: function

Returns true if Zeek was built with support for its in-tree Spicy analyzers (which is the default if Spicy support is available).

haversine_distance: function

Calculates distance between two geographic locations using the haversine formula.

hexstr_to_bytestring: function

Converts a hex-string into its binary representation.

hrw_weight: function

Calculates a weight value for use in a Rendezvous Hashing algorithm.

identify_data: function

Determines the MIME type of a piece of data using Zeek’s file magic signatures.

install_dst_addr_filter: function

Installs a filter to drop packets destined to a given IP address with a certain probability if none of a given set of TCP flags are set.

install_dst_net_filter: function

Installs a filter to drop packets destined to a given subnet with a certain probability if none of a given set of TCP flags are set.

install_src_addr_filter: function

Installs a filter to drop packets from a given IP source address with a certain probability if none of a given set of TCP flags are set.

install_src_net_filter: function

Installs a filter to drop packets originating from a given subnet with a certain probability if none of a given set of TCP flags are set.

int_to_count: function

Converts a (positive) int to a count.

int_to_double: function

Converts an int to a double.

interval_to_double: function

Converts an interval to a double.

is_file_analyzer: function

Returns true if the given tag belongs to a file analyzer.

is_icmp_port: function

Checks whether a given port has ICMP as transport protocol.

is_local_interface: function

Checks whether a given IP address belongs to a local interface.

is_packet_analyzer: function

Returns true if the given tag belongs to a packet analyzer.

is_processing_suspended: function

Returns whether or not processing is currently suspended.

is_protocol_analyzer: function

Returns true if the given tag belongs to a protocol analyzer.

is_remote_event: function

Checks whether the last raised event came from a remote peer.

is_tcp_port: function

Checks whether a given port has TCP as transport protocol.

is_udp_port: function

Checks whether a given port has UDP as transport protocol.

is_v4_addr: function

Returns whether an address is IPv4 or not.

is_v4_subnet: function

Returns whether a subnet specification is IPv4 or not.

is_v6_addr: function

Returns whether an address is IPv6 or not.

is_v6_subnet: function

Returns whether a subnet specification is IPv6 or not.

is_valid_ip: function

Checks if a string is a valid IPv4 or IPv6 address.

ln: function

Computes the natural logarithm of a number.

log10: function

Computes the common logarithm of a number.

log2: function

Computes the base 2 logarithm of a number.

lookup_ID: function

Returns the value of a global identifier.

lookup_addr: function

Issues an asynchronous reverse DNS lookup and delays the function result.

lookup_connection: function

Returns the connection record for a given connection identifier.

lookup_connection_analyzer_id: function

Returns the numeric ID of the requested protocol analyzer for the given connection.

lookup_hostname: function

Issues an asynchronous DNS lookup and delays the function result.

lookup_hostname_txt: function

Issues an asynchronous TEXT DNS lookup and delays the function result.

mask_addr: function

Masks an address down to the number of given upper bits.

match_signatures: function

Manually triggers the signature engine for a given connection.

matching_subnets: function

Gets all subnets that contain a given subnet from a set/table[subnet].

md5_hash: function

Computes the MD5 hash value of the provided list of arguments.

md5_hash_finish: function

Returns the final MD5 digest of an incremental hash computation.

md5_hash_init: function

Constructs an MD5 handle to enable incremental hash computation.

md5_hash_update: function

Updates the MD5 value associated with a given index.

md5_hmac: function

Computes an HMAC-MD5 hash value of the provided list of arguments.

mkdir: function

Creates a new directory.

network_time: function

Returns the timestamp of the last packet processed.

open: function

Opens a file for writing.

open_for_append: function

Opens a file for writing or appending.

order: function

Returns the order of the elements in a vector according to some comparison function.

packet_source: function

Returns: the packet source being read by Zeek.

paraglob_equals: function

Compares two paraglobs for equality.

paraglob_init: function

Initializes and returns a new paraglob.

paraglob_match: function

Gets all the patterns inside the handle associated with an input string.

piped_exec: function

Opens a program with popen and writes a given string to the returned stream to send it to the opened process’s stdin.

port_to_count: function

Converts a port to a count.

pow: function

Computes x raised to the power y.

preserve_prefix: function

Preserves the prefix of an IP address in anonymization.

preserve_subnet: function

Preserves the prefix of a subnet in anonymization.

print_raw: function

Renders a sequence of values to a string of bytes and outputs them directly to stdout with no additional escape sequences added.

ptr_name_to_addr: function

Converts a reverse pointer name to an address.

rand: function

Generates a random number.

raw_bytes_to_v4_addr: function

Converts a string of bytes into an IPv4 address.

raw_bytes_to_v6_addr: function

Converts a string of bytes into an IPv6 address.

reading_live_traffic: function

Checks whether Zeek reads traffic from one or more network interfaces (as opposed to from a network trace in a file).

reading_traces: function

Checks whether Zeek reads traffic from a trace file (as opposed to from a network interface).

record_fields: function

Generates metadata about a record’s fields.

record_type_to_vector: function

Converts a record type name to a vector of strings, where each element is the name of a record field.

remask_addr: function

Takes some top bits (such as a subnet address) from one address and the other bits (intra-subnet part) from a second address and merges them to get a new address.

rename: function

Renames a file from src_f to dst_f.

resize: function

Resizes a vector.

rmdir: function

Removes a directory.

rotate_file: function

Rotates a file.

rotate_file_by_name: function

Rotates a file identified by its name.

routing0_data_to_addrs: function

Converts the data field of ip6_routing records that have rtype of 0 into a vector of addresses.

same_object: function

Checks whether two objects reference the same internal object.

set_buf: function

Alters the buffering behavior of a file.

set_inactivity_timeout: function

Sets an individual inactivity timeout for a connection and thus overrides the global inactivity timeout.

set_network_time: function

Sets the timestamp associated with the last packet processed.

set_record_packets: function

Controls whether packet contents belonging to a connection should be recorded (when -w option is provided on the command line).

setenv: function

Sets a system environment variable.

sha1_hash: function

Computes the SHA1 hash value of the provided list of arguments.

sha1_hash_finish: function

Returns the final SHA1 digest of an incremental hash computation.

sha1_hash_init: function

Constructs an SHA1 handle to enable incremental hash computation.

sha1_hash_update: function

Updates the SHA1 value associated with a given index.

sha256_hash: function

Computes the SHA256 hash value of the provided list of arguments.

sha256_hash_finish: function

Returns the final SHA256 digest of an incremental hash computation.

sha256_hash_init: function

Constructs an SHA256 handle to enable incremental hash computation.

sha256_hash_update: function

Updates the SHA256 value associated with a given index.

skip_further_processing: function

Informs Zeek that it should skip any further processing of the contents of a given connection.

sort: function

Sorts a vector in place.

sqrt: function

Computes the square root of a double.

srand: function

Sets the seed for subsequent rand calls.

strftime: function

Formats a given time value according to a format string.

string_to_pattern: function

Converts a string into a pattern.

strptime: function

Parse a textual representation of a date/time value into a time type value.

subnet_to_addr: function

Converts a subnet to an addr by extracting the prefix.

subnet_width: function

Returns the width of a subnet.

suspend_processing: function

Stops Zeek’s packet processing.

syslog: function

Send a string to syslog.

system: function

Invokes a command via the system function of the OS.

system_env: function

Invokes a command via the system function of the OS with a prepared environment.

table_keys: function

Gets all keys from a table.

table_pattern_matcher_stats: function

Return MatcherStats for a table[pattern] or set[pattern] value.

table_values: function

Gets all values from a table.

terminate: function

Gracefully shut down Zeek by terminating outstanding processing.

time_to_double: function

Converts a time value to a double.

to_addr: function

Converts a string to an addr.

to_count: function

Converts a string to a count.

to_double: function

Converts a string to a double.

to_int: function

Converts a string to an int.

to_json: function

A function to convert arbitrary Zeek data into a JSON string.

to_port: function

Converts a string to a port.

to_subnet: function

Converts a string to a subnet.

type_aliases: function

Returns all type name aliases of a value or type.

type_name: function

Returns the type name of an arbitrary Zeek variable.

uninstall_dst_addr_filter: function

Removes a destination address filter.

uninstall_dst_net_filter: function

Removes a destination subnet filter.

uninstall_src_addr_filter: function

Removes a source address filter.

uninstall_src_net_filter: function

Removes a source subnet filter.

unique_id: function

Creates an identifier that is unique with high probability.

unique_id_from: function

Creates an identifier that is unique with high probability.

unlink: function

Removes a file from a directory.

uuid_to_string: function

Converts a bytes representation of a UUID into its string form.

val_footprint: function

Computes a value’s “footprint”: the number of objects the value contains either directly or indirectly.

write_file: function

Writes data to an open file.

zeek_args: function

Returns: list of command-line arguments (argv) used to run Zeek.

zeek_is_terminating: function

Checks if Zeek is terminating.

zeek_version: function

Returns the Zeek version string.

Detailed Interface

Functions

__init_secondary_bifs
Type

function () : bool

An internal function that helps initialize BIFs.

active_file
Type

function (f: file) : bool

Checks whether a given file is open.

Parameters

f – The file to check.

Returns

True if f is an open file.

Todo

Rename to is_open.

addr_to_counts
Type

function (a: addr) : index_vec

Converts an addr to an index_vec.

Parameters

a – The address to convert into a vector of counts.

Returns

A vector containing the host-order address representation, four elements in size for IPv6 addresses, or one element for IPv4.

See also: counts_to_addr

addr_to_ptr_name
Type

function (a: addr) : string

Converts an IP address to a reverse pointer name. For example, 192.168.0.1 to 1.0.168.192.in-addr.arpa.

Parameters

a – The IP address to convert to a reverse pointer name.

Returns

The reverse pointer representation of a.

See also: ptr_name_to_addr, to_addr

addr_to_subnet
Type

function (a: addr) : subnet

Converts an addr to a subnet.

Parameters

a – The address to convert.

Returns

The address as a subnet.

See also: to_subnet

all_set
Type

function (v: any) : bool

Tests whether all elements of a boolean vector (vector of bool) are true.

Parameters

v – The boolean vector instance.

Returns

True iff all elements in v are true or there are no elements.

See also: any_set

Note

Missing elements count as false.

anonymize_addr
Type

function (a: addr, cl: IPAddrAnonymizationClass) : addr

Anonymizes an IP address.

Parameters
  • a – The address to anonymize.

  • cl

    The anonymization class, which can take on three different values:

    • ORIG_ADDR: Tag a as an originator address.

    • RESP_ADDR: Tag a as a responder address.

    • OTHER_ADDR: Tag a as an arbitrary address.

Returns

An anonymized version of a.

See also: preserve_prefix, preserve_subnet

Todo

Currently dysfunctional.

any_set
Type

function (v: any) : bool

Tests whether a boolean vector (vector of bool) has any true element.

Parameters

v – The boolean vector instance.

Returns

True if any element in v is true.

See also: all_set

backtrace
Type

function () : Backtrace

Returns a representation of the call stack as a vector of call stack elements, each containing call location information.

Returns

the call stack information, including function, file, and line location information.

bare_mode
Type

function () : bool

Returns whether Zeek was started in bare mode.

Returns

True if Zeek was started in bare mode, false otherwise.

bytestring_to_count
Type

function (s: string, is_le: bool &default = F &optional) : count

Converts a string of bytes to a count.

Parameters
  • s – A string of bytes containing the binary representation of the value.

  • is_le – If true, s is assumed to be in little endian format, else it’s big endian.

Returns

The value contained in s, or 0 if the conversion failed.

bytestring_to_double
Type

function (s: string) : double

Converts a string of bytes representing a double value (in network byte order) to a double. This is similar to bytestring_to_float but works on 8-byte strings.

Parameters

s – A string of bytes containing the binary representation of a double value.

Returns

The double value contained in s, or 0 if the conversion failed.

See also: bytestring_to_float

bytestring_to_float
Type

function (s: string) : double

Converts a string of bytes representing a float value (in network byte order) to a double. This is similar to bytestring_to_double but works on 4-byte strings.

Parameters

s – A string of bytes containing the binary representation of a float value.

Returns

The float value contained in s, or 0 if the conversion failed.

See also: bytestring_to_double

bytestring_to_hexstr
Type

function (bytestring: string) : string

Converts a string of bytes into its hexadecimal representation. For example, "04" would be converted to "3034".

Parameters

bytestring – The string of bytes.

Returns

The hexadecimal representation of bytestring.

See also: hexdump, hexstr_to_bytestring

calc_next_rotate
Type

function (i: interval) : interval

Calculates the duration until the next time a file is to be rotated, based on a given rotate interval.

Parameters

i – The rotate interval to base the calculation on.

Returns

The duration until the next file rotation time.

See also: rotate_file, rotate_file_by_name

cat
Type

function (…) : string

Returns the concatenation of the string representation of its arguments. The arguments can be of any type. For example, cat("foo", 3, T) returns "foo3T".

Returns

A string concatenation of all arguments.

cat_sep
Type

function (…) : string

Concatenates all arguments, with a separator placed between each one. This function is similar to cat, but places a separator between each given argument. If any of the variable arguments is an empty string it is replaced by the given default string instead.

Parameters
  • sep – The separator to place between each argument.

  • def – The default string to use when an argument is the empty string.

Returns

A concatenation of all arguments with sep between each one and empty strings replaced with def.

See also: cat, string_cat

ceil
Type

function (d: double) : double

Computes the smallest integer greater than or equal to the given double value. For example, ceil(3.14) returns 4.0, and ceil(-3.14) returns -3.0.

Parameters

d – The double to manipulate.

Returns

The smallest integer greater than or equal to d, as a double.

See also: floor, sqrt, exp, ln, log2, log10, pow

check_subnet
Type

function (search: subnet, t: any) : bool

Checks if a specific subnet is a member of a set/table[subnet]. In contrast to the in operator, this performs an exact match, not a longest prefix match.

Parameters
  • search – the subnet to search for.

  • t – the set[subnet] or table[subnet].

Returns

True if the exact subnet is a member, false otherwise.
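The difference between check_subnet and the in operator matters when a set[subnet] acts as an allowlist or exemption list: with in, every narrower prefix inside a listed network also matches. The following script is an added example, not part of the Zeek documentation; the set contents and the classify helper are constructed for illustration, and matching_subnets is the built-in listed in the summary above.

```zeek
# Constructed sample data (documentation address ranges).
global monitored: set[subnet] = { 192.0.2.0/24, 198.51.100.0/25 };

# Hypothetical helper: describe how a candidate prefix relates to the set.
function classify(candidate: subnet): string
	{
	# Exact match: the prefix itself is an element of the set.
	if ( check_subnet(candidate, monitored) )
		return "exact entry";

	# Longest prefix match: some element of the set contains the candidate.
	if ( candidate in monitored )
		return fmt("covered by %s", matching_subnets(candidate, monitored));

	return "not covered";
	}

event zeek_init()
	{
	# A vector keeps the output order stable.
	local candidates = vector(192.0.2.0/24,       # listed as-is
	                          192.0.2.64/26,      # carved out of a listed /24
	                          198.51.100.128/25,  # sibling of a listed /25
	                          203.0.113.0/24);    # unrelated

	for ( i in candidates )
		print fmt("%s: %s", candidates[i], classify(candidates[i]));
	}
```

Use check_subnet when the question is whether a prefix was configured verbatim (for example before adding or removing an entry), and in when the question is whether traffic from that prefix falls under any entry.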

clear_table
Type

function (v: any) : any

Removes all elements from a set or table.

Parameters

v – The set or table.

close
Type

function (f: file) : bool

Closes an open file and flushes any buffered content.

Parameters

f – A file handle to an open file.

Returns

True on success.

See also: active_file, open, open_for_append, write_file, get_file_name, set_buf, flush_all, mkdir, enable_raw_output, rmdir, unlink, rename

compress_path
Type

function (dir: string) : string

Compresses a given path by removing ‘..’s and the parent directory it references and also removing dual ‘/’s and extraneous ‘/./’s.

Parameters

dir – a path string, either relative or absolute.

Returns

a compressed version of the input path.

connection_exists
Type

function (c: conn_id) : bool

Checks whether a connection is (still) active.

Parameters

c – The connection id to check.

Returns

True if the connection identified by c exists.

See also: lookup_connection

continue_processing
Type

function () : any

Resumes Zeek’s packet processing.

See also: suspend_processing, is_processing_suspended

convert_for_pattern
Type

function (s: string) : string

Escapes a string so that it becomes a valid pattern and can be used with string_to_pattern. Any character from the set ^$-:"\/|*+?.(){}[] is prefixed with a \.

Parameters

s – The string to escape.

Returns

An escaped version of s that has the structure of a valid pattern.

See also: string_to_pattern
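When literal strings such as hostnames or URL fragments from an indicator list are turned into patterns, unescaped metacharacters make the pattern match more than the literal. The following script is an added example, not part of the Zeek documentation; the indicator values and the literals_to_pattern helper are constructed for illustration, and it assumes string_to_pattern(s, convert) and join_string_vec from Zeek's string built-ins.

```zeek
# Constructed indicators; '.', '/' and '?' are pattern metacharacters.
const indicators = vector("login.example.com", "cdn.example.net/a?id=1");

# Hypothetical helper: build one alternation pattern that matches each
# literal exactly, escaping every literal before joining with '|'.
function literals_to_pattern(lits: vector of string): pattern
	{
	local escaped: vector of string = vector();

	for ( i in lits )
		escaped += convert_for_pattern(lits[i]);

	# Second argument F: the input is already escaped, do not escape again
	# (that would also escape the '|' separators).
	return string_to_pattern(join_string_vec(escaped, "|"), F);
	}

event zeek_init()
	{
	# Patterns are built here, at startup.
	# Unescaped: each '.' in the hostname matches any single character.
	local loose = string_to_pattern("login.example.com", F);
	local strict = literals_to_pattern(indicators);

	# Constructed test strings: the two literals and one lookalike.
	local samples = vector("login.example.com",
	                       "loginXexample.com",
	                       "cdn.example.net/a?id=1");

	for ( i in samples )
		print fmt("%s loose=%s strict=%s", samples[i],
		          loose == samples[i], strict == samples[i]);
	}
```

The lookalike string matches only the unescaped pattern, which is the kind of false positive that escaping with convert_for_pattern avoids.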

count_to_double
Type

function (c: count) : double

Converts a count to a double.

Parameters

c – The count to convert.

Returns

The count c as double.

See also: int_to_double, double_to_count

count_to_port
Type

function (num: count, proto: transport_proto) : port

Converts a count and transport_proto to a port.

Parameters
  • num – The port number.

  • proto – The transport protocol.

Returns

The count num as port.

See also: port_to_count

count_to_v4_addr
Type

function (ip: count) : addr

Converts a count to an addr.

Parameters

ip – The count to convert.

Returns

The count ip as addr.

See also: raw_bytes_to_v4_addr, to_addr, to_subnet, raw_bytes_to_v6_addr

counts_to_addr
Type

function (v: index_vec) : addr

Converts an index_vec to an addr.

Parameters

v – The vector containing host-order IP address representation, one element for IPv4 addresses, four elements for IPv6 addresses.

Returns

An IP address.

See also: addr_to_counts

current_analyzer
Type

function () : count

Returns the ID of the analyzer which raised the current event.

Returns

The ID of the analyzer which raised the current event, or 0 if none.

current_event_time
Type

function () : time

Returns the timestamp of the last raised event. The timestamp reflects the network time the event was intended to be executed. For scheduled events, this is the time the event was scheduled for. For any other event, this is the time when the event was created.

Returns

The timestamp of the last raised event.

See also: current_time, set_network_time

current_time
Type

function () : time

Returns the current wall-clock time.

In general, you should use network_time instead unless you are using Zeek for non-networking uses (such as general scripting; not particularly recommended), because otherwise your script may behave very differently on live traffic versus played-back traffic from a save file.

Returns

The wall-clock time.

See also: network_time, set_network_time

decode_base64
Type

function (s: string, a: string &default = "" &optional) : string

Decodes a Base64-encoded string.

Parameters
  • s – The Base64-encoded string.

  • a – An optional custom alphabet. The empty string indicates the default alphabet. If given, the string must consist of 64 unique characters.

Returns

The decoded version of s.

See also: decode_base64_conn, encode_base64

decode_base64_conn
Type

function (cid: conn_id, s: string, a: string &default = "" &optional) : string

Decodes a Base64-encoded string that was derived from processing a connection. If an error is encountered decoding the string, that will be logged to weird.log with the associated connection.

Parameters
  • cid – The identifier of the connection that the encoding originates from.

  • s – The Base64-encoded string.

  • a – An optional custom alphabet. The empty string indicates the default alphabet. If given, the string must consist of 64 unique characters.

Returns

The decoded version of s.

See also: decode_base64

disable_analyzer
Type

function (cid: conn_id, aid: count, err_if_no_conn: bool &default = T &optional, prevent: bool &default = F &optional) : bool

Disables the analyzer which raised the current event (if the analyzer belongs to the given connection).

Parameters
  • cid – The connection identifier.

  • aid – The analyzer ID.

  • err_if_no_conn – Emit an error message if the connection does not exist.

  • prevent – Prevent the same analyzer type from being attached in the future. This is useful for preventing the same analyzer from being automatically reattached in the future, e.g. as a result of a DPD signature suddenly matching.

Returns

True if the connection identified by cid exists and has analyzer aid and it is scheduled for removal.

See also: Analyzer::schedule_analyzer, Analyzer::name

disable_event_group
Type

function (group: string) : bool

Disables the given event group.

All event and hook handlers with a matching &group attribute will be disabled if not already disabled through another group.

Parameters

group – The group to disable.

See also: enable_event_group, disable_event_group, has_event_group, enable_module_events, disable_module_events, has_module_events

disable_module_events
Type

function (module_name: string) : bool

Disable all event handlers and hooks in the given module.

All event handlers and hooks defined in the given module will be disabled.

Parameters

module_name – The module to disable.

See also: enable_event_group, disable_event_group, has_event_group, enable_module_events, disable_module_events, has_module_events

do_profiling
Type

function () : any

Enables detailed collection of profiling statistics. Statistics include CPU/memory usage, connections, TCP states/reassembler, DNS lookups, timers, and script-level state. The script variable profiling_file holds the name of the file.

See also: get_conn_stats, get_dns_stats, get_event_stats, get_file_analysis_stats, get_gap_stats, get_matcher_stats, get_net_stats, get_proc_stats, get_reassembler_stats, get_thread_stats, get_timer_stats

double_to_count
Type

function (d: double) : count

Converts a double to a count.

Parameters

d – The double to convert.

Returns

The double d as unsigned integer, or 0 if d < 0.0. The value returned follows typical rounding rules, as implemented by rint().

See also: double_to_time

double_to_int
Type

function (d: double) : int

Converts a double to an int.

Parameters

d – The double to convert.

Returns

The double d as signed integer. The value returned follows typical rounding rules, as implemented by rint().

double_to_interval
Type

function (d: double) : interval

Converts a double to an interval.

Parameters

d – The double to convert.

Returns

The double d as interval.

See also: interval_to_double

double_to_time
Type

function (d: double) : time

Converts a double value to a time.

Parameters

d – The double to convert.

Returns

The double value d as time.

See also: time_to_double, double_to_count

dump_current_packet
Type

function (file_name: string) : bool

Writes the current packet to a file.

Parameters

file_name – The name of the file to write the packet to.

Returns

True on success.

See also: dump_packet, get_current_packet

Note

See get_current_packet for caveats.

dump_packet
Type

function (pkt: pcap_packet, file_name: string) : bool

Writes a given packet to a file.

Parameters
  • pkt – The PCAP packet.

  • file_name – The name of the file to write pkt to.

Returns

True on success.

See also: get_current_packet, dump_current_packet

dump_rule_stats
Type

function (f: file) : bool

Write rule matcher statistics (DFA states, transitions, memory usage, cache hits/misses) to a file.

Parameters

f – The file to write to.

Returns

True (unconditionally).

See also: get_matcher_stats

enable_event_group
Type

function (group: string) : bool

Enables the given event group.

All event and hook handlers with a matching &group attribute will be enabled if this group was the last disabled group of these handlers.

Parameters

group – The group to enable.

See also: enable_event_group, disable_event_group, has_event_group, enable_module_events, disable_module_events, has_module_events

enable_module_events
Type

function (module_name: string) : bool

Enable all event handlers and hooks in the given module.

All event handlers and hooks defined in the given module will be enabled if not disabled otherwise through an event group.

Parameters

module_name – The module to enable.

See also: enable_event_group, disable_event_group, has_event_group, enable_module_events, disable_module_events, has_module_events

enable_raw_output
Type

function (f: file) : any

Prevents escaping of non-ASCII characters when writing to a file. This function is equivalent to &raw_output.

Parameters

f – The file to enable raw output for.

encode_base64
Type

function (s: string, a: string &default = "" &optional) : string

Encodes a string in Base64.

Parameters
  • s – The string to encode.

  • a – An optional custom alphabet. The empty string indicates the default alphabet. If given, the string must consist of 64 unique characters.

Returns

The encoded version of s.

See also: decode_base64

entropy_test_add
Type

function (handle: opaque of entropy, data: string) : bool

Adds data to an incremental entropy calculation.

Parameters
  • handle – The opaque handle representing the entropy calculation state.

  • data – The data to add to the entropy calculation.

Returns

True on success.

See also: find_entropy, entropy_test_add, entropy_test_finish

entropy_test_finish
Type

function (handle: opaque of entropy) : entropy_test_result

Finishes an incremental entropy calculation. Before using this function, one needs to obtain an opaque handle with entropy_test_init and add data to it via entropy_test_add.

Parameters

handle – The opaque handle representing the entropy calculation state.

Returns

The result of the entropy test. See find_entropy for a description of the individual components.

See also: find_entropy, entropy_test_init, entropy_test_add

entropy_test_init
Type

function () : opaque of entropy

Initializes data structures for incremental entropy calculation.

Returns

An opaque handle to be used in subsequent operations.

See also: find_entropy, entropy_test_add, entropy_test_finish

enum_names
Type

function (et: any) : string_set

Returns all value names associated with an enum type.

Parameters

et – An enum type or a string naming one.

Returns

All enum value names associated with enum type et. If et is not an enum type or does not name one, an empty set is returned.

enum_to_int
Type

function (e: any) : int

Converts an enum to an int.

Parameters

e – The enum to convert.

Returns

The int value that corresponds to the enum.

exit
Type

function (code: int) : any

Shuts down the Zeek process immediately.

Parameters

code – The exit code to return with.

See also: terminate

exp
Type

function (d: double) : double

Computes the exponential function.

Parameters

d – The argument to the exponential function.

Returns

e to the power of d.

See also: floor, ceil, sqrt, ln, log2, log10, pow

file_magic
Type

function (data: string) : mime_matches

Determines the MIME type of a piece of data using Zeek’s file magic signatures.

Parameters

data – The data for which to find matching MIME types.

Returns

All matching signatures, in order of strength.

See also: identify_data

file_mode
Type

function (mode: count) : string

Converts UNIX file permissions given by a mode to an ASCII string.

Parameters

mode – The permissions (an octal number like 0644 converted to decimal).

Returns

A string representation of mode in the format rw[xsS]rw[xsS]rw[xtT].

file_size
Type

function (f: string) : double

Returns the size of a given file.

Parameters

f – The name of the file whose size to look up.

Returns

The size of f in bytes.

filter_subnet_table
Type

function (search: subnet, t: any) : any

For a set[subnet]/table[subnet], create a new table that contains all entries that contain a given subnet.

Parameters
  • search – the subnet to search for.

  • t – the set[subnet] or table[subnet].

Returns

A new table that contains all the entries that cover the subnet searched for.

find_entropy
Type

function (data: string) : entropy_test_result

Performs an entropy test on the given data. See http://www.fourmilab.ch/random.

Parameters

data – The data to compute the entropy for.

Returns

The result of the entropy test, which contains the following fields.

  • entropy: The information density expressed as a number of bits per character.

  • chi_square: The chi-square test value expressed as an absolute number and a percentage which indicates how frequently a truly random sequence would exceed the value calculated, i.e., the degree to which the sequence tested is suspected of being non-random.

    If the percentage is greater than 99% or less than 1%, the sequence is almost certainly not random. If the percentage is between 99% and 95% or between 1% and 5%, the sequence is suspect. Percentages between 90% and 95% and 5% and 10% indicate the sequence is “almost suspect.”

  • mean: The arithmetic mean of all the bytes. If the data are close to random, it should be around 127.5.

  • monte_carlo_pi: Each successive sequence of six bytes is used as 24-bit x and y coordinates within a square. If the distance of the randomly-generated point is less than the radius of a circle inscribed within the square, the six-byte sequence is considered a “hit.” The percentage of hits can be used to calculate the value of pi. For very large streams the value will approach the correct value of pi if the sequence is close to random.

  • serial_correlation: This quantity measures the extent to which each byte in the file depends upon the previous byte. For random sequences this value will be close to zero.

See also: entropy_test_init, entropy_test_add, entropy_test_finish
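The following Zeek script is an added example, not part of the Zeek documentation. It feeds two constructed payloads to the incremental API (entropy_test_init, entropy_test_add, entropy_test_finish) chunk by chunk and compares the result with a one-shot find_entropy call. The 7.0 bits-per-byte threshold, the function names and the sample data are assumptions made for illustration.

```zeek
# Assumed threshold for illustration; calibrate it against your own traffic.
const high_entropy_bits = 7.0;

# Feeds a payload to the incremental API one chunk at a time, as a script
# would do when data arrives in segments.
function stream_entropy(chunks: vector of string): entropy_test_result
	{
	local h = entropy_test_init();

	for ( i in chunks )
		entropy_test_add(h, chunks[i]);

	return entropy_test_finish(h);
	}

# Prints the fields most useful for triage, plus a coarse verdict.
function report(name: string, r: entropy_test_result)
	{
	local verdict = r$entropy >= high_entropy_bits ? "high entropy" : "structured";

	print fmt("%-12s entropy=%.3f mean=%.1f serial_corr=%.3f -> %s",
	          name, r$entropy, r$mean, r$serial_correlation, verdict);
	}

event zeek_init()
	{
	# Constructed sample 1: plain-text protocol data split across two chunks.
	local text = vector("GET /index.html HTTP/1.1\r\n",
	                    "Host: www.example.com\r\nAccept: */*\r\n\r\n");

	# Constructed sample 2: 32 chunks of 32 pseudo-random bytes each, derived
	# from SHA-256 digests, standing in for encrypted or compressed content.
	local blob: vector of string = vector();
	local n = 0;

	while ( n < 32 )
		{
		blob[|blob|] = hexstr_to_bytestring(sha256_hash(cat("chunk-", n)));
		++n;
		}

	report("text", stream_entropy(text));
	report("random-like", stream_entropy(blob));

	# One-shot computation over the same bytes as the first sample.
	report("text (1x)", find_entropy(text[0] + text[1]));
	}
```

Short inputs cannot reach high entropy values regardless of content, because n bytes carry at most log2(n) bits per byte, so apply a threshold like this only once enough data has been accumulated.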

find_in_zeekpath
Type

function (p: string) : string

Determine the path used by a non-relative @load directive.

This function is package aware: Passing package will yield the path to package.zeek, package/__load__.zeek or an empty string if neither can be found. Note that passing a relative path or absolute path is an error.

Parameters

p – The filename, package or path to search for in ZEEKPATH.

Returns

Path of script file that would be loaded by an @load directive.

floor
Type

function (d: double) : double

Computes the greatest integer less than the given double value. For example, floor(3.14) returns 3.0, and floor(-3.14) returns -4.0.

Parameters

d – The double to manipulate.

Returns

The next lowest integer of d as double.

See also: ceil, sqrt, exp, ln, log2, log10, pow

flush_all
Type

function () : bool

Flushes all open files to disk.

Returns

True on success.

See also: active_file, open, open_for_append, close, get_file_name, write_file, set_buf, mkdir, enable_raw_output, rmdir, unlink, rename

fmt
Type

function (…) : string

Produces a formatted string à la printf. The first argument is the format string and specifies how subsequent arguments are converted for output. It is composed of zero or more directives: ordinary characters (not %), which are copied unchanged to the output, and conversion specifications, each of which fetches zero or more subsequent arguments. Conversion specifications begin with % and the arguments must properly correspond to the specifier. After the %, the following characters may appear in sequence:

  • %: Literal %

  • -: Left-align field

  • [0-9]+: The field width (< 128)

  • .: Precision of floating point specifiers [efg] (< 128)

  • [DTdxsefg]: Format specifier

    • [DT]: ISO timestamp with microsecond precision

    • d: Signed/Unsigned integer (using C-style %lld/%llu for int/count)

    • x: Unsigned hexadecimal (using C-style %llx); addresses/ports are converted to host-byte order

    • s: String (byte values less than 32 or greater than 126 will be escaped)

    • [efg]: Double

Returns

Returns the formatted string. Given no arguments, fmt returns an empty string. Given no format string or the wrong number of additional arguments for the given format specifier, fmt generates a run-time error.

See also: cat, cat_sep, string_cat

fnv1a32
Type

function (input: any) : count

Returns 32-bit digest of arbitrary input values using FNV-1a hash algorithm. See https://en.wikipedia.org/wiki/Fowler%E2%80%93Noll%E2%80%93Vo_hash_function.

Parameters

input – The desired input value to hash.

Returns

The hashed value.

See also: hrw_weight

from_json
Type

function (s: string, t: any, key_func: string_mapper &default = from_json_default_key_mapper &optional) : from_json_result

A function to convert a JSON string into Zeek values of a given type.

Implicit conversion from JSON to Zeek types is implemented for:

  • bool

  • int, count, real

  • interval from numbers as seconds

  • time from numbers as unix timestamp

  • port from strings in “80/tcp” notation

  • addr, subnet

  • enum

  • sets

  • vectors

  • records (from JSON objects)

Optional or default record fields are allowed to be missing or null in the input.

Parameters
  • s – The JSON string to parse.

  • t – Type of Zeek data.

  • key_func – Optional function to normalize key names in JSON objects. Useful when keys are not valid field identifiers, or represent reserved keywords like port or type.

Returns

A value of type t.

See also: to_json
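The following Zeek script is an added example, not part of the Zeek documentation. It parses constructed JSON from an untrusted feed into a typed record, uses key_func to map keys that are not usable as field names, and checks the result before use. The Indicator record, the function names and the JSON strings are assumptions; the valid and v fields are those of Zeek's from_json_result record.

```zeek
# Hypothetical record describing one entry of a JSON indicator feed.
type Indicator: record {
	ip: addr;
	service_port: port;            # "port" is a reserved word, so the field is renamed
	first_seen: time;
	ttl: interval &default = 1hr;  # may be missing from the input
	note: string &optional;        # may be missing or null in the input
};

# Maps JSON object keys to the field names of Indicator.
function feed_key(k: string): string
	{
	if ( k == "port" )
		return "service_port";

	if ( k == "first-seen" )
		return "first_seen";

	return k;
	}

# Converts one JSON object and only touches the value if conversion succeeded.
function parse_indicator(js: string)
	{
	local r = from_json(js, Indicator, feed_key);

	if ( ! r$valid )
		{
		print fmt("rejected: %s", js);
		return;
		}

	local ind = r$v as Indicator;

	print fmt("accepted: %s %s first_seen=%T ttl=%s",
	          ind$ip, ind$service_port, ind$first_seen, ind$ttl);
	}

event zeek_init()
	{
	# Constructed input: port in "443/tcp" notation, time as a Unix timestamp,
	# ttl and note left out.
	parse_indicator("{\"ip\": \"192.0.2.10\", \"port\": \"443/tcp\", \"first-seen\": 1700000000}");

	# Constructed input: the ip value is not a parsable address.
	parse_indicator("{\"ip\": \"not-an-address\", \"port\": \"443/tcp\", \"first-seen\": 1700000000}");
	}
```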

generate_all_events
Type

function () : bool

By default, Zeek does not generate (raise) events that are not handled by any script. This means that these events will be invisible to a lot of other event handlers and will not raise new_event.

Calling this function will cause all events to be raised. This is likely only useful for debugging, and it reduces performance.

get_conn_transport_proto
Type

function (cid: conn_id) : transport_proto

Extracts the transport protocol from a connection.

Parameters

cid – The connection identifier.

Returns

The transport protocol of the connection identified by cid.

See also: get_port_transport_proto, get_orig_seq, get_resp_seq

get_current_packet
Type

function () : pcap_packet

Returns the currently processed PCAP packet.

Returns

The currently processed packet, which is a record containing the timestamp, snaplen, and packet data.

See also: dump_current_packet, dump_packet

Note

Calling get_current_packet() within events that are not directly raised as a result of processing a specific packet may result in unexpected behavior. For example, out-of-order TCP segments or IP defragmentation may result in such scenarios. Details depend on the involved packet and protocol analyzers. As a rule of thumb, in low-level events, like raw_packet, the behavior is well defined.

The returned packet is directly taken from the packet source and any tunnel or encapsulation layers will be present in the payload. Correctly inspecting the payload using Zeek script is therefore a non-trivial task.

The return value of get_current_packet() further should be considered undefined when called within event handlers raised via event, schedule or by recipient of Broker messages.

get_current_packet_header
Type

function () : raw_pkt_hdr

Function to get the raw headers of the currently processed packet.

Returns

The raw_pkt_hdr record containing the Layer 2, 3 and 4 headers of the currently processed packet.

See also: raw_pkt_hdr, get_current_packet

Note

See get_current_packet for caveats.

get_file_name
Type

function (f: file) : string

Gets the filename associated with a file handle.

Parameters

f – The file handle to inquire the name for.

Returns

The filename associated with f.

See also: open

get_port_transport_proto
Type

function (p: port) : transport_proto

Extracts the transport protocol from a port.

Parameters

p – The port.

Returns

The transport protocol of the port p.

See also: get_conn_transport_proto, get_orig_seq, get_resp_seq

getenv
Type

function (var: string) : string

Returns a system environment variable.

Parameters

var – The name of the variable whose value to request.

Returns

The system environment variable identified by var, or an empty string if it is not defined.

See also: setenv

gethostname
Type

function () : string

Returns the hostname of the machine Zeek runs on.

Returns

The hostname of the machine Zeek runs on.

getpid
Type

function () : count

Returns Zeek’s process ID.

Returns

Zeek’s process ID.

global_container_footprints
Type

function () : var_sizes

Generates a table of the “footprint” of all global container variables. This is (approximately) the number of objects the global contains either directly or indirectly. The number is not meant to be precise, but rather comparable: larger footprint correlates with more memory consumption. The table index is the variable name and the value is the footprint.

Returns

A table that maps variable names to their footprints.

See also: val_footprint

global_ids
Type

function () : id_table

Generates a table with information about all global identifiers. The table value is a record containing the type name of the identifier, whether it is exported, a constant, an enum constant, redefinable, and its value (if it has one).

Module names are included in the returned table as well. The type_name field is set to “module” and their names are prefixed with “module ” to avoid clashing with global identifiers. Note that there is no module type in Zeek.

Returns

A table that maps identifier names to information about them.

global_options
Type

function () : string_set

Returns a set giving the names of all global options.

has_event_group
Type

function (group: string) : bool

Does an attribute event group with this name exist?

Parameters

group – The group name.

See also: enable_event_group, disable_event_group, has_event_group, enable_module_events, disable_module_events, has_module_events

has_module_events
Type

function (group: string) : bool

Does a module event group with this name exist?

Parameters

group – The group name.

See also: enable_event_group, disable_event_group, has_event_group, enable_module_events, disable_module_events, has_module_events

have_spicy
Type

function () : bool

Returns true if Zeek was built with support for using Spicy analyzers (which

have_spicy_analyzers
Type

function () : bool

Returns true if Zeek was built with support for its in-tree Spicy analyzers (which is the default if Spicy support is available).

haversine_distance
Type

function (lat1: double, long1: double, lat2: double, long2: double) : double

Calculates distance between two geographic locations using the haversine formula. Latitudes and longitudes must be given in degrees, where southern hemisphere latitudes are negative and western hemisphere longitudes are negative.

Parameters
  • lat1 – Latitude (in degrees) of location 1.

  • long1 – Longitude (in degrees) of location 1.

  • lat2 – Latitude (in degrees) of location 2.

  • long2 – Longitude (in degrees) of location 2.

Returns

Distance in miles.

See also: haversine_distance_ip

hexstr_to_bytestring
Type

function (hexstr: string) : string

Converts a hex-string into its binary representation. For example, "3034" would be converted to "04".

The input string is assumed to contain an even number of hexadecimal digits (0-9, a-f, or A-F), otherwise behavior is undefined.

Parameters

hexstr – The hexadecimal string representation.

Returns

The binary representation of hexstr.

See also: hexdump, bytestring_to_hexstr

hrw_weight
Type

function (key_digest: count, site_id: count) : count

Calculates a weight value for use in a Rendezvous Hashing algorithm. See https://en.wikipedia.org/wiki/Rendezvous_hashing. The weight function used is the one recommended in the original

Parameters
Returns

The weight value for the key/site pair.

See also: fnv1a32

identify_data
Type

function (data: string, return_mime: bool &default = T &optional) : string

Determines the MIME type of a piece of data using Zeek’s file magic signatures.

Parameters
  • data – The data to find the MIME type for.

  • return_mime – Deprecated argument; does nothing, except emit a warning when false.

Returns

The MIME type of data, or “<unknown>” if there was an error or no match. This is the strongest signature match.

See also: file_magic

install_dst_addr_filter
Type

function (ip: addr, tcp_flags: count, prob: double) : bool

Installs a filter to drop packets destined to a given IP address with a certain probability if none of a given set of TCP flags are set. Note that for IPv6 packets with a routing type header and non-zero segments left, this filters out against the final destination of the packet according to the routing extension header.

Parameters
  • ip – Drop packets to this IP address.

  • tcp_flags – If none of these TCP flags are set, drop packets to ip with probability prob.

  • prob – The probability [0.0, 1.0] used to drop packets to ip.

Returns

True (unconditionally).

See also: Pcap::precompile_pcap_filter, Pcap::install_pcap_filter, install_src_addr_filter, install_src_net_filter, uninstall_src_addr_filter, uninstall_src_net_filter, install_dst_net_filter, uninstall_dst_addr_filter, uninstall_dst_net_filter, Pcap::error

Todo

The return value should be changed to any.

install_dst_net_filter
Type

function (snet: subnet, tcp_flags: count, prob: double) : bool

Installs a filter to drop packets destined to a given subnet with a certain probability if none of a given set of TCP flags are set.

Parameters
  • snet – Drop packets to this subnet.

  • tcp_flags – If none of these TCP flags are set, drop packets to snet with probability prob.

  • prob – The probability [0.0, 1.0] used to drop packets to snet.

Returns

True (unconditionally).

See also: Pcap::precompile_pcap_filter, Pcap::install_pcap_filter, install_src_addr_filter, install_src_net_filter, uninstall_src_addr_filter, uninstall_src_net_filter, install_dst_addr_filter, uninstall_dst_addr_filter, uninstall_dst_net_filter, Pcap::error

Todo

The return value should be changed to any.

install_src_addr_filter
Type

function (ip: addr, tcp_flags: count, prob: double) : bool

Installs a filter to drop packets from a given IP source address with a certain probability if none of a given set of TCP flags are set. Note that for IPv6 packets with a Destination options header that has the Home Address option, this filters out against that home address.

Parameters
  • ip – The IP address to drop.

  • tcp_flags – If none of these TCP flags are set, drop packets from ip with probability prob.

  • prob – The probability [0.0, 1.0] used to drop packets from ip.

Returns

True (unconditionally).

See also: Pcap::precompile_pcap_filter, Pcap::install_pcap_filter, install_src_net_filter, uninstall_src_addr_filter, uninstall_src_net_filter, install_dst_addr_filter, install_dst_net_filter, uninstall_dst_addr_filter, uninstall_dst_net_filter, Pcap::error

Todo

The return value should be changed to any.

install_src_net_filter
Type

function (snet: subnet, tcp_flags: count, prob: double) : bool

Installs a filter to drop packets originating from a given subnet with a certain probability if none of a given set of TCP flags are set.

Parameters
  • snet – The subnet to drop packets from.

  • tcp_flags – If none of these TCP flags are set, drop packets from snet with probability prob.

  • prob – The probability [0.0, 1.0] used to drop packets from snet.

Returns

True (unconditionally).

See also: Pcap::precompile_pcap_filter, Pcap::install_pcap_filter, install_src_addr_filter, uninstall_src_addr_filter, uninstall_src_net_filter, install_dst_addr_filter, install_dst_net_filter, uninstall_dst_addr_filter, uninstall_dst_net_filter, Pcap::error

Todo

The return value should be changed to any.

int_to_count
Type

function (n: int) : count

Converts a (positive) int to a count.

Parameters

n – The int to convert.

Returns

The int n as unsigned integer, or 0 if n < 0.

int_to_double
Type

function (i: int) : double

Converts an int to a double.

Parameters

i – The int to convert.

Returns

The int i as double.

See also: count_to_double, double_to_count

interval_to_double
Type

function (i: interval) : double

Converts an interval to a double.

Parameters

i – The interval to convert.

Returns

The interval i as double.

See also: double_to_interval

is_file_analyzer
Type

function (atype: AllAnalyzers::Tag) : bool

Returns true if the given tag belongs to a file analyzer.

Parameters

atype – The analyzer tag to check.

Returns

true if atype is a tag of a file analyzer, else false.

is_icmp_port
Type

function (p: port) : bool

Checks whether a given port has ICMP as transport protocol.

Parameters

p – The port to check.

Returns

True iff p is an ICMP port.

See also: is_tcp_port, is_udp_port

is_local_interface
Type

function (ip: addr) : bool

Checks whether a given IP address belongs to a local interface.

Parameters

ip – The IP address to check.

Returns

True if ip belongs to a local interface.

is_packet_analyzer
Type

function (atype: AllAnalyzers::Tag) : bool

Returns true if the given tag belongs to a packet analyzer.

Parameters

atype – The analyzer type to check.

Returns

true if atype is a tag of a packet analyzer, else false.

is_processing_suspended
Type

function () : bool

Returns whether or not processing is currently suspended.

See also: suspend_processing, continue_processing

is_protocol_analyzer
Type

function (atype: AllAnalyzers::Tag) : bool

Returns true if the given tag belongs to a protocol analyzer.

Parameters

atype – The analyzer tag to check.

Returns

true if atype is a tag of a protocol analyzer, else false.

is_remote_event
Type

function () : bool

Checks whether the last raised event came from a remote peer.

Returns

True if the last raised event came from a remote peer.

is_tcp_port
Type

function (p: port) : bool

Checks whether a given port has TCP as transport protocol.

Parameters

p – The port to check.

Returns

True iff p is a TCP port.

See also: is_udp_port, is_icmp_port

is_udp_port
Type

function (p: port) : bool

Checks whether a given port has UDP as transport protocol.

Parameters

p – The port to check.

Returns

True iff p is a UDP port.

See also: is_icmp_port, is_tcp_port

is_v4_addr
Type

function (a: addr) : bool

Returns whether an address is IPv4 or not.

Parameters

a – the address to check.

Returns

true if a is an IPv4 address, else false.

is_v4_subnet
Type

function (s: subnet) : bool

Returns whether a subnet specification is IPv4 or not.

Parameters

s – the subnet to check.

Returns

true if s is an IPv4 subnet, else false.

is_v6_addr
Type

function (a: addr) : bool

Returns whether an address is IPv6 or not.

Parameters

a – the address to check.

Returns

true if a is an IPv6 address, else false.

is_v6_subnet
Type

function (s: subnet) : bool

Returns whether a subnet specification is IPv6 or not.

Parameters

s – the subnet to check.

Returns

true if s is an IPv6 subnet, else false.

is_valid_ip
Type

function (ip: string) : bool

Checks if a string is a valid IPv4 or IPv6 address.

Parameters

ip – the string to check for valid IP formatting.

Returns

T if the string is a valid IPv4 or IPv6 address format.

ln
Type

function (d: double) : double

Computes the natural logarithm of a number.

Parameters

d – The argument to the logarithm.

Returns

The natural logarithm of d.

See also: floor, ceil, sqrt, exp, log2, log10, pow

log10
Type

function (d: double) : double

Computes the common logarithm of a number.

Parameters

d – The argument to the logarithm.

Returns

The common logarithm of d.

See also: floor, ceil, sqrt, exp, ln, log2, pow

log2
Type

function (d: double) : double

Computes the base 2 logarithm of a number.

Parameters

d – The argument to the logarithm.

Returns

The base 2 logarithm of d.

See also: floor, ceil, sqrt, exp, ln, log10, pow

lookup_ID
Type

function (id: string) : any

Returns the value of a global identifier.

Parameters

id – The global identifier.

Returns

The value of id. If id does not describe a valid identifier, the string "<unknown id>" or "<no ID value>" is returned.

lookup_addr
Type

function (host: addr) : string

Issues an asynchronous reverse DNS lookup and delays the function result. This function can therefore only be called inside a when condition, e.g., when ( local host = lookup_addr(10.0.0.1) ) { f(host); }.

Parameters

host – The IP address to look up.

Returns

The DNS name of host.

See also: lookup_hostname

lookup_connection
Type

function (cid: conn_id) : connection

Returns the connection record for a given connection identifier.

Parameters

cid – The connection ID.

Returns

The connection record for cid. If cid does not point to an existing connection, the function generates a run-time error and returns a dummy value.

See also: connection_exists

lookup_connection_analyzer_id
Type

function (cid: conn_id, atype: AllAnalyzers::Tag) : count

Returns the numeric ID of the requested protocol analyzer for the given connection.

Parameters
  • cid – The connection identifier.

  • atype – The analyzer tag, such as Analyzer::ANALYZER_HTTP.

Returns

A numeric identifier for the analyzer, valid for the given connection. When no such analyzer exists the function returns 0, which is never a valid analyzer ID value.

See also: disable_analyzer, Analyzer::disabling_analyzer

lookup_hostname
Type

function (host: string) : addr_set

Issues an asynchronous DNS lookup and delays the function result. This function can therefore only be called inside a when condition, e.g., when ( local h = lookup_hostname("www.zeek.org") ) { f(h); }.

Parameters

host – The hostname to look up.

Returns

A set of DNS A and AAAA records associated with host.

See also: lookup_addr

lookup_hostname_txt
Type

function (host: string) : string

Issues an asynchronous TEXT DNS lookup and delays the function result. This function can therefore only be called inside a when condition, e.g., when ( local h = lookup_hostname_txt("www.zeek.org") ) { f(h); }.

Parameters

host – The hostname to look up.

Returns

The DNS TXT record associated with host.

See also: lookup_hostname

mask_addr
Type

function (a: addr, top_bits_to_keep: count) : subnet

Masks an address down to the number of given upper bits. For example, mask_addr(1.2.3.4, 18) returns 1.2.0.0.

Parameters
  • a – The address to mask.

  • top_bits_to_keep – The number of top bits to keep in a; must be greater than 0 and less than 33 for IPv4, or 129 for IPv6.

Returns

The address a masked down to top_bits_to_keep bits.

See also: remask_addr

match_signatures
Type

function (c: connection, pattern_type: int, s: string, bol: bool, eol: bool, from_orig: bool, clear: bool) : bool

Manually triggers the signature engine for a given connection. This is an internal function.

matching_subnets
Type

function (search: subnet, t: any) : subnet_vec

Gets all subnets that contain a given subnet from a set/table[subnet].

Parameters
  • search – the subnet to search for.

  • t – the set[subnet] or table[subnet].

Returns

All the keys of the set or table that cover the subnet searched for.

md5_hash
Type

function (…) : string

Computes the MD5 hash value of the provided list of arguments.

Returns

The MD5 hash value of the concatenated arguments.

See also: md5_hmac, md5_hash_init, md5_hash_update, md5_hash_finish, sha1_hash, sha1_hash_init, sha1_hash_update, sha1_hash_finish, sha256_hash, sha256_hash_init, sha256_hash_update, sha256_hash_finish

Note

This function performs a one-shot computation of its arguments. For incremental hash computation, see md5_hash_init and friends.

md5_hash_finish
Type

function (handle: opaque of md5) : string

Returns the final MD5 digest of an incremental hash computation.

Parameters

handle – The opaque handle associated with this hash computation.

Returns

The hash value associated with the computation of handle.

See also: md5_hmac, md5_hash, md5_hash_init, md5_hash_update, sha1_hash, sha1_hash_init, sha1_hash_update, sha1_hash_finish, sha256_hash, sha256_hash_init, sha256_hash_update, sha256_hash_finish

md5_hash_init
Type

function () : opaque of md5

Constructs an MD5 handle to enable incremental hash computation. You can feed data to the returned opaque value with md5_hash_update and eventually need to call md5_hash_finish to finish the computation and get the hash digest.

For example, when computing incremental MD5 values of transferred files in multiple concurrent HTTP connections, one keeps an optional handle in the HTTP session record. Then, one would call c$http$md5_handle = md5_hash_init() once before invoking md5_hash_update(c$http$md5_handle, some_more_data) in the http_entity_data event handler. When all data has arrived, a call to md5_hash_finish returns the final hash value.

Returns

The opaque handle associated with this hash computation.

See also: md5_hmac, md5_hash, md5_hash_update, md5_hash_finish, sha1_hash, sha1_hash_init, sha1_hash_update, sha1_hash_finish, sha256_hash, sha256_hash_init, sha256_hash_update, sha256_hash_finish
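The HTTP scenario described above, written out as an added example that is not part of the Zeek documentation. The record fields md5_handle and body_md5 are assumptions introduced here; the script hashes response bodies only and finishes the computation when the entity ends.

```zeek
@load base/protocols/http

# Hypothetical extension of the HTTP session record: the handle carries the
# running hash state, body_md5 receives the final digest and is logged.
redef record HTTP::Info += {
	md5_handle: opaque of md5 &optional;
	body_md5: string &optional &log;
};

event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
	{
	# Hash response bodies only; skip if no HTTP state exists yet.
	if ( is_orig || ! c?$http )
		return;

	# Create the handle once, on the first chunk of the entity.
	if ( ! c$http?$md5_handle )
		c$http$md5_handle = md5_hash_init();

	md5_hash_update(c$http$md5_handle, data);
	}

event http_end_entity(c: connection, is_orig: bool)
	{
	if ( is_orig || ! c?$http || ! c$http?$md5_handle )
		return;

	# All data has arrived: obtain the digest and drop the handle so the
	# next entity on this connection starts a fresh computation.
	c$http$body_md5 = md5_hash_finish(c$http$md5_handle);
	delete c$http$md5_handle;
	}
```

Because the handle lives in the per-connection HTTP record, concurrent connections keep independent hash states. For a multipart body each part ends its own entity, so body_md5 holds the digest of the last part seen.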

md5_hash_update
Type

function (handle: opaque of md5, data: string) : bool

Updates the MD5 value associated with a given index. It is required to call md5_hash_init once before calling this function.

Parameters
  • handle – The opaque handle associated with this hash computation.

  • data – The data to add to the hash computation.

Returns

True on success.

See also: md5_hmac, md5_hash, md5_hash_init, md5_hash_finish, sha1_hash, sha1_hash_init, sha1_hash_update, sha1_hash_finish, sha256_hash, sha256_hash_init, sha256_hash_update, sha256_hash_finish

md5_hmac
Type

function (…) : string

Computes an HMAC-MD5 hash value of the provided list of arguments. The HMAC secret key is generated from available entropy when Zeek starts up, or it can be specified for repeatability using the -K command line flag.

Returns

The HMAC-MD5 hash value of the concatenated arguments.

See also: md5_hash, md5_hash_init, md5_hash_update, md5_hash_finish, sha1_hash, sha1_hash_init, sha1_hash_update, sha1_hash_finish, sha256_hash, sha256_hash_init, sha256_hash_update, sha256_hash_finish

mkdir
Type

function (f: string) : bool

Creates a new directory.

Parameters

f – The directory name.

Returns

True if the operation succeeds or if f already exists, and false if the file creation fails.

See also: active_file, open_for_append, close, write_file, get_file_name, set_buf, flush_all, enable_raw_output, rmdir, unlink, rename

network_time
Type

function () : time

Returns the timestamp of the last packet processed. This function returns the timestamp of the most recently read packet, whether read from a live network interface or from a save file.

Returns

The timestamp of the packet processed.

See also: current_time, set_network_time

open
Type

function (f: string) : file

Opens a file for writing. If a file with the same name already exists, this function overwrites it (as opposed to open_for_append).

Parameters

f – The path to the file.

Returns

A file handle for subsequent operations.

See also: active_file, open_for_append, close, write_file, get_file_name, set_buf, flush_all, mkdir, enable_raw_output, rmdir, unlink, rename

open_for_append
Type

function (f: string) : file

Opens a file for writing or appending. If a file with the same name already exists, this function appends to it (as opposed to open).

Parameters

f – The path to the file.

Returns

A file handle for subsequent operations.

See also: active_file, open, close, write_file, get_file_name, set_buf, flush_all, mkdir, enable_raw_output, rmdir, unlink, rename

order
Type

function (…) : index_vec

Returns the order of the elements in a vector according to some comparison function. See sort for details about the comparison function.

Parameters

v – The vector whose order to compute.

Returns

A vector of count with the indices of the ordered elements. For example, the elements of v in order are (assuming o is the vector returned by order): v[o[0]], v[o[1]], etc.

See also: sort

packet_source
Type

function () : PacketSource

Returns

The packet source being read by Zeek.

See also: reading_live_traffic, reading_traces

paraglob_equals
Type

function (p_one: opaque of paraglob, p_two: opaque of paraglob) : bool

Compares two paraglobs for equality.

Parameters
  • p_one – A compiled paraglob.

  • p_two – A compiled paraglob.

Returns

True if both paraglobs contain the same patterns, false otherwise.

See also: paraglob_add, paraglob_match, paraglob_init

paraglob_init
Type

function (v: any) : opaque of paraglob

Initializes and returns a new paraglob.

Parameters

v – Vector of patterns to initialize the paraglob with.

Returns

A new, compiled paraglob with the patterns in v.

paraglob_match
Type

function (handle: opaque of paraglob, match: string) : string_vec

Gets all the patterns inside the handle associated with an input string.

Parameters
  • handle – A compiled paraglob.

  • match – string to match against the paraglob.

Returns

A vector of strings matching the input string.

See also: paraglob_add, paraglob_equals, paraglob_init

piped_exec
Type

function (program: string, to_write: string) : bool

Opens a program with popen and writes a given string to the returned stream to send it to the opened process’s stdin.

Parameters
  • program – The program to execute.

  • to_write – Data to pipe to the opened program’s process via stdin.

Returns

True on success.

See also: system, system_env

port_to_count
Type

function (p: port) : count

Converts a port to a count.

Parameters

p – The port to convert.

Returns

The port p as count.

See also: count_to_port

pow
Type

function (x: double, y: double) : double

Computes x raised to the power y.

Parameters
  • x – The number to be raised to a power.

  • y – The number that specifies a power.

Returns

The number x raised to the power y.

See also: floor, ceil, sqrt, exp, ln, log2, log10

preserve_prefix
Type

function (a: addr, width: count) : any

Preserves the prefix of an IP address in anonymization.

Parameters
  • a – The address to preserve.

  • width – The number of bits from the top that should remain intact.

See also: preserve_subnet, anonymize_addr

Todo

Currently dysfunctional.

preserve_subnet
Type

function (a: subnet) : any

Preserves the prefix of a subnet in anonymization.

Parameters

a – The subnet to preserve.

See also: preserve_prefix, anonymize_addr

Todo

Currently dysfunctional.

print_raw
Type

function (…) : bool

Renders a sequence of values to a string of bytes and outputs them directly to stdout with no additional escape sequences added. No additional newline is added to the end either.

Returns

Always true.

See also: fmt, cat, cat_sep, string_cat, to_json

ptr_name_to_addr
Type

function (s: string) : addr

Converts a reverse pointer name to an address. For example, 1.0.168.192.in-addr.arpa to 192.168.0.1.

Parameters

s – The string with the reverse pointer name.

Returns

The IP address corresponding to s.

See also: addr_to_ptr_name, to_addr

rand
Type

function (max: count) : count

Generates a random number.

Parameters

max – The maximum value of the random number.

Returns

A random positive integer in the interval [0, max).

See also: srand

Note

This function is a wrapper around the function random provided by the OS.

raw_bytes_to_v4_addr
Type

function (b: string) : addr

Converts a string of bytes into an IPv4 address. In particular, this function interprets the first 4 bytes of the string as an IPv4 address in network order.

Parameters

b – The raw bytes (string) to convert.

Returns

The byte string b as addr.

See also: raw_bytes_to_v4_addr, to_addr, to_subnet

raw_bytes_to_v6_addr
Type

function (x: string) : addr

Converts a string of bytes into an IPv6 address. In particular, this function interprets the first 16 bytes of the string as an IPv6 address in network order.

Parameters

x – The raw bytes (string) to convert.

Returns

The byte string x as addr.

See also: raw_bytes_to_v6_addr, to_addr, to_subnet

reading_live_traffic
Type

function () : bool

Checks whether Zeek reads traffic from one or more network interfaces (as opposed to from a network trace in a file). Note that this function returns true even after Zeek has stopped reading network traffic, for example due to receiving a termination signal.

Returns

True if reading traffic from a network interface.

See also: reading_traces, packet_source

reading_traces
Type

function () : bool

Checks whether Zeek reads traffic from a trace file (as opposed to from a network interface).

Returns

True if reading traffic from a network trace.

See also: reading_live_traffic, packet_source

record_fields
Type

function (rec: any) : record_field_table

Generates metadata about a record’s fields. The returned information includes the field name, whether it is logged, its value (if it has one), and its default value (if specified).

Parameters

rec – The record value or type to inspect.

Returns

A table that describes the fields of a record.

record_type_to_vector
Type

function (rt: string) : string_vec

Converts a record type name to a vector of strings, where each element is the name of a record field. Nested records are flattened.

Parameters

rt – The name of the record type.

Returns

A string vector with the field names of rt.

remask_addr
Type

function (a1: addr, a2: addr, top_bits_from_a1: count) : addr

Takes some top bits (such as a subnet address) from one address and the other bits (intra-subnet part) from a second address and merges them to get a new address. This is useful for anonymizing at subnet level while preserving serial scans.

Parameters
  • a1 – The address to mask with top_bits_from_a1.

  • a2 – The address to take the remaining bits from.

  • top_bits_from_a1 – The number of top bits to keep in a1; must be greater than 0 and less than 129. This value is always interpreted relative to the IPv6 bit width (v4-mapped addresses start at bit number 96).

Returns

The address formed from the top top_bits_from_a1 bits of a1 and the remaining bits of a2.

See also: mask_addr

rename
Type

function (src_f: string, dst_f: string) : bool

Renames a file from src_f to dst_f.

Parameters
  • src_f – The name of the file to rename.

  • dst_f – The name of the file after the rename operation.

Returns

True if the rename succeeds and false otherwise.

See also: active_file, open_for_append, close, write_file, get_file_name, set_buf, flush_all, enable_raw_output, mkdir, rmdir, unlink

resize
Type

function (aggr: any, newsize: count) : count

Resizes a vector.

Parameters
  • aggr – The vector instance.

  • newsize – The new size of aggr.

Returns

The old size of aggr, or 0 if aggr is not a vector.

rmdir
Type

function (d: string) : bool

Removes a directory.

Parameters

d – The directory name.

Returns

True if the operation succeeds, and false if the directory delete operation fails.

See also: active_file, open_for_append, close, write_file, get_file_name, set_buf, flush_all, enable_raw_output, mkdir, unlink, rename

rotate_file
Type

function (f: file) : rotate_info

Rotates a file.

Parameters

f – An open file handle.

Returns

Rotation statistics which include the original file name, the name after the rotation, and the time when f was opened/closed.

See also: rotate_file_by_name, calc_next_rotate

rotate_file_by_name
Type

function (f: string) : rotate_info

Rotates a file identified by its name.

Parameters

f – The name of the file to rotate

Returns

Rotation statistics which include the original file name, the name after the rotation, and the time when f was opened/closed.

See also: rotate_file, calc_next_rotate

routing0_data_to_addrs
Type

function (s: string) : addr_vec

Converts the data field of ip6_routing records that have rtype of 0 into a vector of addresses.

Parameters

s – The data field of an ip6_routing record that has an rtype of 0.

Returns

The vector of addresses contained in the routing header data.

same_object
Type

function (o1: any, o2: any) : bool

Checks whether two objects reference the same internal object. This function uses equality comparison of C++ raw pointer values to determine if the two objects are the same.

Parameters
  • o1 – The first object.

  • o2 – The second object.

Returns

True if o1 and o2 are equal.

set_buf
Type

function (f: file, buffered: bool) : any

Alters the buffering behavior of a file.

Parameters
  • f – A file handle to an open file.

  • buffered – When true, f is fully buffered, i.e., bytes are saved in a buffer until the block size has been reached. When false, f is line buffered, i.e., bytes are saved up until a newline occurs.

See also: active_file, open, open_for_append, close, get_file_name, write_file, flush_all, mkdir, enable_raw_output, rmdir, unlink, rename

set_inactivity_timeout
Type

function (cid: conn_id, t: interval) : interval

Sets an individual inactivity timeout for a connection and thus overrides the global inactivity timeout.

Parameters
  • cid – The connection ID.

  • t – The new inactivity timeout for the connection identified by cid.

Returns

The previous timeout interval.

set_network_time
Type

function (nt: time) : bool

Sets the timestamp associated with the last packet processed. Used for event replaying.

Parameters

nt – The time to which to set “network time”.

Returns

The timestamp of the packet processed.

See also: current_time, network_time

set_record_packets
Type

function (cid: conn_id, do_record: bool) : bool

Controls whether packet contents belonging to a connection should be recorded (when the -w option is provided on the command line).

Parameters
  • cid – The connection identifier.

  • do_record – True to enable recording of packet contents, and false to disable it, for the connection identified by cid.

Returns

False if cid does not point to an active connection, and true otherwise.

See also: skip_further_processing

Note

This is independent of whether Zeek processes the packets of this connection, which is controlled separately by skip_further_processing.

See also: get_contents_file, set_contents_file

setenv
Type

function (var: string, val: string) : bool

Sets a system environment variable.

Parameters
  • var – The name of the variable.

  • val – The (new) value of the variable var.

Returns

True on success.

See also: getenv

sha1_hash
Type

function (…) : string

Computes the SHA1 hash value of the provided list of arguments.

Returns

The SHA1 hash value of the concatenated arguments.

See also: md5_hash, md5_hmac, md5_hash_init, md5_hash_update, md5_hash_finish, sha1_hash_init, sha1_hash_update, sha1_hash_finish, sha256_hash, sha256_hash_init, sha256_hash_update, sha256_hash_finish

Note

This function performs a one-shot computation of its arguments. For incremental hash computation, see sha1_hash_init and friends.

sha1_hash_finish
Type

function (handle: opaque of sha1) : string

Returns the final SHA1 digest of an incremental hash computation.

Parameters

handle – The opaque handle associated with this hash computation.

Returns

The hash value associated with the computation of handle.

See also: md5_hmac, md5_hash, md5_hash_init, md5_hash_update, md5_hash_finish, sha1_hash, sha1_hash_init, sha1_hash_update, sha256_hash, sha256_hash_init, sha256_hash_update, sha256_hash_finish

sha1_hash_init
Type

function () : opaque of sha1

Constructs an SHA1 handle to enable incremental hash computation. You can feed data to the returned opaque value with sha1_hash_update and finally need to call sha1_hash_finish to finish the computation and get the hash digest.

For example, when computing incremental SHA1 values of transferred files in multiple concurrent HTTP connections, one keeps an optional handle in the HTTP session record. Then, one would call c$http$sha1_handle = sha1_hash_init() once before invoking sha1_hash_update(c$http$sha1_handle, some_more_data) in the http_entity_data event handler. When all data has arrived, a call to sha1_hash_finish returns the final hash value.

Returns

The opaque handle associated with this hash computation.

See also: md5_hmac, md5_hash, md5_hash_init, md5_hash_update, md5_hash_finish, sha1_hash, sha1_hash_update, sha1_hash_finish, sha256_hash, sha256_hash_init, sha256_hash_update, sha256_hash_finish

sha1_hash_update
Type

function (handle: opaque of sha1, data: string) : bool

Updates the SHA1 value associated with a given handle. It is required to call sha1_hash_init once before calling this function.

Parameters
  • handle – The opaque handle associated with this hash computation.

  • data – The data to add to the hash computation.

Returns

True on success.

See also: md5_hmac, md5_hash, md5_hash_init, md5_hash_update, md5_hash_finish, sha1_hash, sha1_hash_init, sha1_hash_finish, sha256_hash, sha256_hash_init, sha256_hash_update, sha256_hash_finish

sha256_hash
Type

function (…) : string

Computes the SHA256 hash value of the provided list of arguments.

Returns

The SHA256 hash value of the concatenated arguments.

See also: md5_hash, md5_hmac, md5_hash_init, md5_hash_update, md5_hash_finish, sha1_hash, sha1_hash_init, sha1_hash_update, sha1_hash_finish, sha256_hash_init, sha256_hash_update, sha256_hash_finish

Note

This function performs a one-shot computation of its arguments. For incremental hash computation, see sha256_hash_init and friends.

sha256_hash_finish
Type

function (handle: opaque of sha256) : string

Returns the final SHA256 digest of an incremental hash computation.

Parameters

handle – The opaque handle associated with this hash computation.

Returns

The hash value associated with the computation of handle.

See also: md5_hmac, md5_hash, md5_hash_init, md5_hash_update, md5_hash_finish, sha1_hash, sha1_hash_init, sha1_hash_update, sha1_hash_finish, sha256_hash, sha256_hash_init, sha256_hash_update

sha256_hash_init
Type

function () : opaque of sha256

Constructs an SHA256 handle to enable incremental hash computation. You can feed data to the returned opaque value with sha256_hash_update and finally need to call sha256_hash_finish to finish the computation and get the hash digest.

For example, when computing incremental SHA256 values of transferred files in multiple concurrent HTTP connections, one keeps an optional handle in the HTTP session record. Then, one would call c$http$sha256_handle = sha256_hash_init() once before invoking sha256_hash_update(c$http$sha256_handle, some_more_data) in the http_entity_data event handler. When all data has arrived, a call to sha256_hash_finish returns the final hash value.

Returns

The opaque handle associated with this hash computation.

See also: md5_hmac, md5_hash, md5_hash_init, md5_hash_update, md5_hash_finish, sha1_hash, sha1_hash_init, sha1_hash_update, sha1_hash_finish, sha256_hash, sha256_hash_update, sha256_hash_finish
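The incremental pattern described for sha1_hash_init and sha256_hash_init, written out as a Zeek script. This is an added example, not code from the Zeek distribution; it assumes the base HTTP scripts are loaded, takes the sha256_handle field name from the text above, and hashes response bodies only (a choice made for this example).

```zeek
@load base/protocols/http

# Added example: keep one optional hash handle per HTTP session record.
redef record HTTP::Info += {
	sha256_handle: opaque of sha256 &optional;
};

event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
	{
	# Response bodies only, so a request entity and a response entity
	# never feed the same handle.
	if ( is_orig || ! c?$http )
		return;

	# Initialize exactly once per entity, on the first chunk.
	if ( ! c$http?$sha256_handle )
		c$http$sha256_handle = sha256_hash_init();

	sha256_hash_update(c$http$sha256_handle, data);
	}

event http_end_entity(c: connection, is_orig: bool)
	{
	# Entities without body data never created a handle; nothing to finish.
	if ( is_orig || ! c?$http || ! c$http?$sha256_handle )
		return;

	local digest = sha256_hash_finish(c$http$sha256_handle);

	# Drop the finished handle so the next entity on this session
	# starts a fresh computation.
	delete c$http$sha256_handle;

	print fmt("%s %s sha256=%s", c$uid, c$id$resp_h, digest);
	}
```

Each connection carries its own handle, so concurrent transfers do not mix their data. The SHA1 variant is the same script with the sha1_* functions and an opaque of sha1 field.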

sha256_hash_update
Type

function (handle: opaque of sha256, data: string) : bool

Updates the SHA256 value associated with a given handle. It is required to call sha256_hash_init once before calling this function.

Parameters
  • handle – The opaque handle associated with this hash computation.

  • data – The data to add to the hash computation.

Returns

True on success.

See also: md5_hmac, md5_hash, md5_hash_init, md5_hash_update, md5_hash_finish, sha1_hash, sha1_hash_init, sha1_hash_update, sha1_hash_finish, sha256_hash, sha256_hash_init, sha256_hash_finish

skip_further_processing
Type

function (cid: conn_id) : bool

Informs Zeek that it should skip any further processing of the contents of a given connection. In particular, Zeek will refrain from reassembling the TCP byte stream and from generating events relating to any analyzers that have been processing the connection.

Parameters

cid – The connection ID.

Returns

False if cid does not point to an active connection, and true otherwise.

Note

Zeek will still generate connection-oriented events such as connection_finished.

sort
Type

function (…) : any

Sorts a vector in place. The second argument is a comparison function that takes two arguments: if the vector type is vector of T, then the comparison function must be function(a: T, b: T): int, which returns a value less than zero if a < b for some type-specific notion of the less-than operator. The comparison function is optional if the type is a numeric type (int, count, double, time, etc.).

Parameters

v – The vector instance to sort.

Returns

The vector, sorted from minimum to maximum value. If the vector could not be sorted, then the original vector is returned instead.

See also: order

sqrt
Type

function (x: double) : double

Computes the square root of a double.

Parameters

x – The number to compute the square root of.

Returns

The square root of x.

See also: floor, ceil, exp, ln, log2, log10, pow

srand
Type

function (seed: count) : any

Sets the seed for subsequent rand calls.

Parameters

seed – The seed for the PRNG.

See also: rand

Note

This function is a wrapper around the function srandom provided by the OS.

strftime
Type

function (fmt: string, d: time) : string

Formats a given time value according to a format string.

Parameters
  • fmt – The format string. See man strftime for the syntax.

  • d – The time value.

Returns

The time d formatted according to fmt.

string_to_pattern
Type

function (s: string, convert: bool) : pattern

Converts a string into a pattern.

Parameters
  • s – The string to convert.

  • convert – If true, s is first passed through the function convert_for_pattern to escape special characters of patterns.

Returns

s as pattern.

See also: convert_for_pattern

strptime
Type

function (fmt: string, d: string) : time

Parses a textual representation of a date/time value into a time type value.

Parameters
  • fmt – The format string used to parse the following d argument. See man strftime for the syntax.

  • d – The string representing the time.

Returns

The time value calculated from parsing d with fmt.

subnet_to_addr
Type

function (sn: subnet) : addr

Converts a subnet to an addr by extracting the prefix.

Parameters

sn – The subnet to convert.

Returns

The subnet as an addr.

See also: to_subnet

subnet_width
Type

function (sn: subnet) : count

Returns the width of a subnet.

Parameters

sn – The subnet.

Returns

The width of the subnet.

See also: to_subnet

suspend_processing
Type

function () : any

Stops Zeek’s packet processing. This function is used to synchronize distributed trace processing with communication enabled (pseudo-realtime mode).

See also: continue_processing, is_processing_suspended

syslog
Type

function (s: string) : any

Sends a string to syslog.

Parameters

s – The string to log via syslog.

system
Type

function (str: string) : int

Invokes a command via the system function of the OS. The command runs in the background with stdout redirecting to stderr. Here is a usage example: system(fmt("rm %s", safe_shell_quote(sniffed_data)));

Parameters

str – The command to execute.

Returns

The return value from the OS system function.

See also: system_env, safe_shell_quote, piped_exec

Note

Note that this corresponds to the status of backgrounding the given command, not to the exit status of the command itself. A value of 127 corresponds to a failure to execute sh, and -1 to an internal system failure.

system_env
Type

function (str: string, env: table_string_of_string) : int

Invokes a command via the system function of the OS with a prepared environment. The function is essentially the same as system, but changes the environment before invoking the command.

Parameters
  • str – The command to execute.

  • env – A table with the environment variables in the form of key-value pairs. Each specified environment variable name will be automatically prepended with ZEEK_ARG_.

Returns

The return value from the OS system function.

See also: system, safe_shell_quote, piped_exec
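Two ways to keep traffic-derived data from being interpreted by the shell when calling system or system_env, as an added example that is not part of the Zeek distribution. The value of sniffed_data is constructed, and the variable name FILE and the ls command are assumptions chosen for illustration.

```zeek
event zeek_init()
	{
	# Constructed stand-in for a string taken from network traffic. It
	# contains a space and a shell metacharacter on purpose.
	local sniffed_data = "report 2024.txt; echo injected";

	# Option 1: quote the value before it enters the command string, as in
	# the usage example for system. The shell sees one literal argument.
	local rc = system(fmt("ls -l -- %s", safe_shell_quote(sniffed_data)));

	# The return value reports whether the command could be backgrounded,
	# not the exit status of ls itself.
	if ( rc != 0 )
		print fmt("could not start command (status %d)", rc);

	# Option 2: keep the data out of the command string entirely and pass
	# it through the environment. system_env prepends ZEEK_ARG_ to each
	# variable name, so FILE is read as ZEEK_ARG_FILE by the command.
	local env = table(["FILE"] = sniffed_data);
	rc = system_env("ls -l -- \"$ZEEK_ARG_FILE\"", env);

	if ( rc != 0 )
		print fmt("could not start command (status %d)", rc);
	}
```

In the second form the command string is a constant, so the untrusted value is only ever expanded inside double quotes by the shell and never parsed as shell syntax.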

table_keys
Type

function (t: any) : any

Gets all keys from a table.

Parameters

t – The table.

Returns

A set of T of all the keys in t.

See also: table_values

table_pattern_matcher_stats
Type

function (tbl: any) : MatcherStats

Returns MatcherStats for a table[pattern] or set[pattern] value.

This returns a MatcherStats object that can be used for introspection of the DFA used for such a table. Statistics reset whenever elements are added to or removed from the table, as these operations result in the underlying DFA being rebuilt.

This function iterates over all states of the DFA. Calling it at a high frequency is likely detrimental to performance.

Parameters

tbl – The table to get stats for.

Returns

A record with matcher statistics.

table_values
Type

function (t: any) : any_vec

Gets all values from a table.

Parameters

t – The table.

Returns

A vector of T of all the values in t.

See also: table_keys

terminate
Type

function () : bool

Gracefully shuts down Zeek by terminating outstanding processing.

Returns

True after successful termination and false when Zeek is still in the process of shutting down.

See also: exit, zeek_is_terminating

time_to_double
Type

function (t: time) : double

Converts a time value to a double.

Parameters

t – The time to convert.

Returns

The time value t as double.

See also: double_to_time

to_addr
Type

function (ip: string) : addr

Converts a string to an addr.

Parameters

ip – The string to convert.

Returns

The string ip as addr, or the unspecified address :: if the input string does not parse correctly.

See also: to_count, to_int, to_port, count_to_v4_addr, raw_bytes_to_v4_addr, raw_bytes_to_v6_addr, to_subnet

to_count
Type

function (str: string) : count

Converts a string to a count.

Parameters

str – The string to convert.

Returns

The string str as unsigned integer, or 0 if str has an invalid format.

See also: to_addr, to_int, to_port, to_subnet

to_double
Type

function (str: string) : double

Converts a string to a double.

Parameters

str – The string to convert.

Returns

The string str as double, or 0 if str has an invalid format.

to_int
Type

function (str: string) : int

Converts a string to an int.

Parameters

str – The string to convert.

Returns

The string str as int.

See also: to_addr, to_port, to_subnet

to_json
Type

function (val: any, only_loggable: bool &default = F &optional, field_escape_pattern: pattern &default = /^?(^_)$?/ &optional) : string

A function to convert arbitrary Zeek data into a JSON string.

Parameters
  • val – The value to convert to JSON. Typically a record.

  • only_loggable – If val is a record, only fields with the &log attribute are included in the JSON.

  • field_escape_pattern – If val is a record, the given pattern is matched against the field names of its type, and the first match, if any, is stripped from the rendered name. The default pattern strips a leading underscore.

Returns

A JSON-formatted string.

See also: fmt, cat, cat_sep, string_cat, print_raw, from_json

to_port
Type

function (s: string) : port

Converts a string to a port.

Parameters

s – The string to convert.

Returns

A port converted from s.

See also: to_addr, to_count, to_int, to_subnet

to_subnet
Type

function (sn: string) : subnet

Converts a string to a subnet.

Parameters

sn – The subnet to convert.

Returns

The sn string as a subnet, or the unspecified subnet ::/0 if the input string does not parse correctly.

See also: to_count, to_int, to_port, count_to_v4_addr, raw_bytes_to_v4_addr, raw_bytes_to_v6_addr, to_addr

type_aliases
Type

function (x: any) : string_set

Returns all type name aliases of a value or type.

Parameters

x – An arbitrary value or type.

Returns

The set of all type name aliases of x (or the type of x if it’s a value instead of a type). For primitive values and types like string or count, this returns an empty set. For types with user-defined names like record or enum, the returned set contains the original user-defined name for the type along with all aliases. For other compound types, like table, the returned set is empty unless explicitly requesting aliases for a user-defined type alias or a value that was explicitly created using a type alias (as opposed to originating from an “anonymous” constructor or initializer for that compound type).

type_name
Type

function (t: any) : string

Returns the type name of an arbitrary Zeek variable.

Parameters

t – An arbitrary object.

Returns

The type name of t.

uninstall_dst_addr_filter
Type

function (ip: addr) : bool

Removes a destination address filter.

Parameters

ip – The IP address for which a destination filter was previously installed.

Returns

True on success.

See also: Pcap::precompile_pcap_filter, Pcap::install_pcap_filter, install_src_addr_filter, install_src_net_filter, uninstall_src_addr_filter, uninstall_src_net_filter, install_dst_addr_filter, install_dst_net_filter, uninstall_dst_net_filter, Pcap::error

uninstall_dst_net_filter
Type

function (snet: subnet) : bool

Removes a destination subnet filter.

Parameters

snet – The subnet for which a destination filter was previously installed.

Returns

True on success.

See also: Pcap::precompile_pcap_filter, Pcap::install_pcap_filter, install_src_addr_filter, install_src_net_filter, uninstall_src_addr_filter, uninstall_src_net_filter, install_dst_addr_filter, install_dst_net_filter, uninstall_dst_addr_filter, Pcap::error

uninstall_src_addr_filter
Type

function (ip: addr) : bool

Removes a source address filter.

Parameters

ip – The IP address for which a source filter was previously installed.

Returns

True on success.

See also: Pcap::precompile_pcap_filter, Pcap::install_pcap_filter, install_src_addr_filter, install_src_net_filter, uninstall_src_net_filter, install_dst_addr_filter, install_dst_net_filter, uninstall_dst_addr_filter, uninstall_dst_net_filter, Pcap::error

uninstall_src_net_filter
Type

function (snet: subnet) : bool

Removes a source subnet filter.

Parameters

snet – The subnet for which a source filter was previously installed.

Returns

True on success.

See also: Pcap::precompile_pcap_filter, Pcap::install_pcap_filter, install_src_addr_filter, install_src_net_filter, uninstall_src_addr_filter, install_dst_addr_filter, install_dst_net_filter, uninstall_dst_addr_filter, uninstall_dst_net_filter, Pcap::error

unique_id
Type

function (prefix: string) : string

Creates an identifier that is unique with high probability.

Parameters

prefix – A custom string prepended to the result.

Returns

A string identifier that is unique.

See also: unique_id_from

unique_id_from
Type

function (pool: int, prefix: string) : string

Creates an identifier that is unique with high probability.

Parameters
  • pool – A seed for determinism.

  • prefix – A custom string prepended to the result.

Returns

A string identifier that is unique.

See also: unique_id

unlink
Type

function (f: string) : bool

Removes a file from a directory.

Parameters

f – The file to delete.

Returns

True if the operation succeeds and the file was deleted, and false if the deletion fails.

See also: active_file, open_for_append, close, write_file, get_file_name, set_buf, flush_all, enable_raw_output, mkdir, rmdir, rename

uuid_to_string
Type

function (uuid: string) : string

Converts a bytes representation of a UUID into its string form. For example, given a string of 16 bytes, it produces an output string in this format: 550e8400-e29b-41d4-a716-446655440000. See http://en.wikipedia.org/wiki/Universally_unique_identifier.

Parameters

uuid – The 16 bytes of the UUID.

Returns

The string representation of uuid.

val_footprint
Type

function (v: any) : count

Computes a value’s “footprint”: the number of objects the value contains either directly or indirectly. The number is not meant to be precise, but rather comparable: larger footprint correlates with more memory consumption.

Returns

The footprint.

See also: global_container_footprints

write_file
Type

function (f: file, data: string) : bool

Writes data to an open file.

Parameters
  • f – A file handle to an open file.

  • data – The data to write to f.

Returns

True on success.

See also: active_file, open, open_for_append, close, get_file_name, set_buf, flush_all, mkdir, enable_raw_output, rmdir, unlink, rename

zeek_args
Type

function () : string_vec

Returns

List of command-line arguments (argv) used to run Zeek.

zeek_is_terminating
Type

function () : bool

Checks if Zeek is terminating.

Returns

True if Zeek is in the process of shutting down.

See also: terminate

zeek_version
Type

function () : string

Returns the Zeek version string.

Returns

Zeek’s version, e.g., 2.0-beta-47-debug.