base/bif/zeek.bif.zeek
- GLOBAL
A collection of built-in functions that implement a variety of things such as general programming algorithms, string processing, math functions, introspection, type conversion, file/directory manipulation, packet filtering, interprocess communication and controlling protocol analyzer behavior.
You’ll find most of Zeek’s built-in functions that aren’t protocol-specific in this file.
- Namespace
GLOBAL
Summary
Functions
- An internal function that helps initialize BIFs.
- Checks whether a given file is open.
- Converts an IP address to a reverse pointer name.
- Tests whether all elements of a boolean vector (vector of bool) are true.
- Anonymizes an IP address.
- Tests whether a boolean vector (vector of bool) has any true element.
- Returns a representation of the call stack as a vector of call stack elements, each containing call location information.
- Returns whether Zeek was started in bare mode.
- Converts a string of bytes to a count.
- Converts a string of bytes representing a double value (in network byte order) to a double.
- Converts a string of bytes representing a float value (in network byte order) to a double.
- Converts a string of bytes into its hexadecimal representation.
- Calculates the duration until the next time a file is to be rotated, based on a given rotate interval.
- Returns the concatenation of the string representation of its arguments.
- Concatenates all arguments, with a separator placed between each one.
- Computes the smallest integer greater than or equal to the given double value.
- Checks if a specific subnet is a member of a set/table[subnet].
- Removes all elements from a set or table.
- Closes an open file and flushes any buffered content.
- Compresses a given path by removing ‘..’s and the parent directory it references and also removing dual ‘/’s and extraneous ‘/./’s.
- Checks whether a connection is (still) active.
- Resumes Zeek’s packet processing.
- Escapes a string so that it becomes a valid pattern.
- Returns the ID of the analyzer which raised the current event.
- Returns the timestamp of the last raised event.
- Returns the current wall-clock time.
- Decodes a Base64-encoded string.
- Decodes a Base64-encoded string that was derived from processing a connection.
- Disables the analyzer which raised the current event (if the analyzer belongs to the given connection).
- Disables the given event group.
- Disables all event handlers and hooks in the given module.
- Enables detailed collection of profiling statistics.
- Writes the current packet to a file.
- Writes a given packet to a file.
- Writes rule matcher statistics (DFA states, transitions, memory usage, cache hits/misses) to a file.
- Enables the given event group.
- Enables all event handlers and hooks in the given module.
- Prevents escaping of non-ASCII characters when writing to a file.
- Base64-encodes a string.
- Adds data to an incremental entropy calculation.
- Finishes an incremental entropy calculation.
- Initializes data structures for incremental entropy calculation.
- Returns all value names associated with an enum type.
- Shuts down the Zeek process immediately.
- Computes the exponential function.
- Determines the MIME type of a piece of data using Zeek’s file magic signatures.
- Converts UNIX file permissions given by a mode to an ASCII string.
- Returns the size of a given file.
- For a set[subnet]/table[subnet], creates a new table that contains all entries that contain a given subnet.
- Performs an entropy test on the given data.
- Determines the path used by a non-relative @load directive.
- Computes the greatest integer less than or equal to the given double value.
- Flushes all open files to disk.
- Produces a formatted string à la printf.
- Returns a 32-bit digest of arbitrary input values using the FNV-1a hash algorithm.
- Converts a JSON string into Zeek values of a given type.
- By default, Zeek does not generate (raise) events that are not handled by any scripts.
- Extracts the transport protocol from a connection.
- Returns the currently processed PCAP packet.
- Returns the raw headers of the currently processed packet.
- Gets the filename associated with a file handle.
- Extracts the transport protocol from a port.
- Returns a system environment variable.
- Returns the hostname of the machine Zeek runs on.
- Returns Zeek’s process ID.
- Generates a table of the “footprint” of all global container variables.
- Generates a table with information about all global identifiers.
- Returns a set giving the names of all global options.
- Does an attribute event group with this name exist?
- Does a module event group with this name exist?
- Returns true if Zeek was built with support for using Spicy analyzers (which
- Returns true if Zeek was built with support for its in-tree Spicy analyzers (which is the default if Spicy support is available).
- Calculates the distance between two geographic locations using the haversine formula.
- Converts a hex string into its binary representation.
- Calculates a weight value for use in a Rendezvous Hashing algorithm.
- Determines the MIME type of a piece of data using Zeek’s file magic signatures.
- Installs a filter to drop packets destined to a given IP address with a certain probability if none of a given set of TCP flags are set.
- Installs a filter to drop packets destined to a given subnet with a certain probability if none of a given set of TCP flags are set.
- Installs a filter to drop packets from a given IP source address with a certain probability if none of a given set of TCP flags are set.
- Installs a filter to drop packets originating from a given subnet with a certain probability if none of a given set of TCP flags are set.
- Returns true if the given tag belongs to a file analyzer.
- Checks whether a given
- Checks whether a given IP address belongs to a local interface.
- Returns true if the given tag belongs to a packet analyzer.
- Returns whether or not processing is currently suspended.
- Returns true if the given tag belongs to a protocol analyzer.
- Checks whether the last raised event came from a remote peer.
- Checks whether a given
- Checks whether a given
- Returns whether an address is IPv4 or not.
- Returns whether a subnet specification is IPv4 or not.
- Returns whether an address is IPv6 or not.
- Returns whether a subnet specification is IPv6 or not.
- Checks if a string is a valid IPv4 or IPv6 address.
- Computes the natural logarithm of a number.
- Computes the common logarithm of a number.
- Computes the base 2 logarithm of a number.
- Returns the value of a global identifier.
- Issues an asynchronous reverse DNS lookup and delays the function result.
- Returns the
- Returns the numeric ID of the requested protocol analyzer for the given connection.
- Issues an asynchronous DNS lookup and delays the function result.
- Issues an asynchronous TEXT DNS lookup and delays the function result.
- Masks an address down to the number of given upper bits.
- Manually triggers the signature engine for a given connection.
- Gets all subnets that contain a given subnet from a set/table[subnet].
- Computes the MD5 hash value of the provided list of arguments.
- Returns the final MD5 digest of an incremental hash computation.
- Constructs an MD5 handle to enable incremental hash computation.
- Updates the MD5 value associated with a given index.
- Computes an HMAC-MD5 hash value of the provided list of arguments.
- Creates a new directory.
- Returns the timestamp of the last packet processed.
- Opens a file for writing.
- Opens a file for writing or appending.
- Returns the order of the elements in a vector according to some comparison function.
- Returns the packet source being read by Zeek.
- Compares two paraglobs for equality.
- Initializes and returns a new paraglob.
- Gets all the patterns inside the handle associated with an input string.
- Opens a program with
- Computes x raised to the power y.
- Preserves the prefix of an IP address in anonymization.
- Preserves the prefix of a subnet in anonymization.
- Renders a sequence of values to a string of bytes and outputs them directly to
- Converts a reverse pointer name to an address.
- Generates a random number.
- Converts a
- Converts a
- Checks whether Zeek reads traffic from one or more network interfaces (as opposed to from a network trace in a file).
- Checks whether Zeek reads traffic from a trace file (as opposed to from a network interface).
- Generates metadata about a record’s fields.
- Converts a record type name to a vector of strings, where each element is the name of a record field.
- Takes some top bits (such as a subnet address) from one address and the other bits (intra-subnet part) from a second address and merges them to get a new address.
- Renames a file from src_f to dst_f.
- Resizes a vector.
- Removes a directory.
- Rotates a file.
- Rotates a file identified by its name.
- Converts the data field of
- Checks whether two objects reference the same internal object.
- Alters the buffering behavior of a file.
- Sets an individual inactivity timeout for a connection and thus overrides the global inactivity timeout.
- Sets the timestamp associated with the last packet processed.
- Controls whether packet contents belonging to a connection should be recorded (when
- Sets a system environment variable.
- Computes the SHA1 hash value of the provided list of arguments.
- Returns the final SHA1 digest of an incremental hash computation.
- Constructs an SHA1 handle to enable incremental hash computation.
- Updates the SHA1 value associated with a given index.
- Computes the SHA256 hash value of the provided list of arguments.
- Returns the final SHA256 digest of an incremental hash computation.
- Constructs an SHA256 handle to enable incremental hash computation.
- Updates the SHA256 value associated with a given index.
- Informs Zeek that it should skip any further processing of the contents of a given connection.
- Sorts a vector in place.
- Computes the square root of a
- Sets the seed for subsequent
- Formats a given time value according to a format string.
- Parses a textual representation of a date/time value into a
- Returns the width of a
- Stops Zeek’s packet processing.
- Sends a string to syslog.
- Invokes a command via the
- Invokes a command via the
- Gets all keys from a table.
- Returns MatcherStats for a table[pattern] or set[pattern] value.
- Gets all values from a table.
- Gracefully shuts down Zeek by terminating outstanding processing.
- Converts arbitrary Zeek data into a JSON string.
- Returns all type name aliases of a value or type.
- Returns the type name of an arbitrary Zeek variable.
- Removes a destination address filter.
- Removes a destination subnet filter.
- Removes a source address filter.
- Removes a source subnet filter.
- Creates an identifier that is unique with high probability.
- Creates an identifier that is unique with high probability.
- Removes a file from a directory.
- Converts a bytes representation of a UUID into its string form.
- Computes a value’s “footprint”: the number of objects the value contains either directly or indirectly.
- Writes data to an open file.
- Returns a list of command-line arguments (
- Checks if Zeek is terminating.
- Returns the Zeek version string.
Detailed Interface
Functions
- active_file
Checks whether a given file is open.
- Parameters
f – The file to check.
- Returns
True if f is an open file.
Todo: Rename to is_open.
- addr_to_counts
Converts an addr to an index_vec.
- Parameters
a – The address to convert into a vector of counts.
- Returns
A vector containing the host-order address representation, four elements in size for IPv6 addresses, or one element for IPv4.
See also: counts_to_addr
- addr_to_ptr_name
Converts an IP address to a reverse pointer name. For example, 192.168.0.1 to 1.0.168.192.in-addr.arpa.
- Parameters
a – The IP address to convert to a reverse pointer name.
- Returns
The reverse pointer representation of a.
See also: ptr_name_to_addr, to_addr
- addr_to_subnet
- Parameters
a – The address to convert.
- Returns
The address as a subnet.
See also: to_subnet
- all_set
Tests whether all elements of a boolean vector (vector of bool) are true.
- Parameters
v – The boolean vector instance.
- Returns
True iff all elements in v are true or there are no elements.
See also: any_set
Note: Missing elements count as false.
- anonymize_addr
- Type
function(a: addr, cl: IPAddrAnonymizationClass) : addr
Anonymizes an IP address.
- Parameters
a – The address to anonymize.
cl – The anonymization class, which can take on three different values:
ORIG_ADDR: Tag a as an originator address.
RESP_ADDR: Tag a as a responder address.
OTHER_ADDR: Tag a as an arbitrary address.
- Returns
An anonymized version of a.
See also: preserve_prefix, preserve_subnet
Todo: Currently dysfunctional.
- any_set
Tests whether a boolean vector (vector of bool) has any true element.
- Parameters
v – The boolean vector instance.
- Returns
True if any element in v is true.
See also: all_set
- backtrace
-
Returns a representation of the call stack as a vector of call stack elements, each containing call location information.
- Returns
the call stack information, including function, file, and line location information.
- bare_mode
-
Returns whether Zeek was started in bare mode.
- Returns
True if Zeek was started in bare mode, false otherwise.
- bytestring_to_count
Converts a string of bytes to a count.
- Parameters
s – A string of bytes containing the binary representation of the value.
is_le – If true, s is assumed to be in little endian format, else it’s big endian.
- Returns
The value contained in s, or 0 if the conversion failed.
- bytestring_to_double
Converts a string of bytes representing a double value (in network byte order) to a double. This is similar to bytestring_to_float but works on 8-byte strings.
- Parameters
s – A string of bytes containing the binary representation of a double value.
- Returns
The double value contained in s, or 0 if the conversion failed.
See also: bytestring_to_float
- bytestring_to_float
Converts a string of bytes representing a float value (in network byte order) to a double. This is similar to bytestring_to_double but works on 4-byte strings.
- Parameters
s – A string of bytes containing the binary representation of a float value.
- Returns
The float value contained in s, or 0 if the conversion failed.
See also: bytestring_to_double
- bytestring_to_hexstr
Converts a string of bytes into its hexadecimal representation. For example, "04" would be converted to "3034".
- Parameters
bytestring – The string of bytes.
- Returns
The hexadecimal representation of bytestring.
See also: hexdump, hexstr_to_bytestring
- calc_next_rotate
Calculates the duration until the next time a file is to be rotated, based on a given rotate interval.
- Parameters
i – The rotate interval to base the calculation on.
- Returns
The duration until the next file rotation time.
See also: rotate_file, rotate_file_by_name
- cat
Returns the concatenation of the string representation of its arguments. The arguments can be of any type. For example, cat("foo", 3, T) returns "foo3T".
- Returns
A string concatenation of all arguments.
- cat_sep
Concatenates all arguments, with a separator placed between each one. This function is similar to cat, but places a separator between each given argument. If any of the variable arguments is an empty string it is replaced by the given default string instead.
- Parameters
sep – The separator to place between each argument.
def – The default string to use when an argument is the empty string.
- Returns
A concatenation of all arguments with sep between each one and empty strings replaced with def.
See also: cat, string_cat
- ceil
Computes the smallest integer greater than or equal to the given double value. For example, ceil(3.14) returns 4.0, and ceil(-3.14) returns -3.0.
- check_subnet
Checks if a specific subnet is a member of a set/table[subnet]. In contrast to the in operator, this performs an exact match, not a longest prefix match.
- Parameters
search – the subnet to search for.
t – the set[subnet] or table[subnet].
- Returns
True if the exact subnet is a member, false otherwise.
- clear_table
-
Removes all elements from a set or table.
- Parameters
v – The set or table
- close
Closes an open file and flushes any buffered content.
- Parameters
f – A file handle to an open file.
- Returns
True on success.
See also: active_file, open, open_for_append, write_file, get_file_name, set_buf, flush_all, mkdir, enable_raw_output, rmdir, unlink, rename
- compress_path
-
Compresses a given path by removing ‘..’s and the parent directory it references and also removing dual ‘/’s and extraneous ‘/./’s.
- Parameters
dir – a path string, either relative or absolute.
- Returns
a compressed version of the input path.
- connection_exists
-
Checks whether a connection is (still) active.
- Parameters
c – The connection id to check.
- Returns
True if the connection identified by c exists.
See also:
lookup_connection
- continue_processing
Resumes Zeek’s packet processing.
See also: suspend_processing, is_processing_suspended
- convert_for_pattern
Escapes a string so that it becomes a valid pattern and can be used with string_to_pattern. Any character from the set ^$-:"\/|*+?.(){}[] is prefixed with a \.
- Parameters
s – The string to escape.
- Returns
An escaped version of s that has the structure of a valid pattern.
See also: string_to_pattern
- count_to_double
See also: int_to_double, double_to_count
- count_to_port
- Type
function(num: count, proto: transport_proto) : port
Converts a count and transport_proto to a port.
See also: port_to_count
- count_to_v4_addr
See also: raw_bytes_to_v4_addr, to_addr, to_subnet, raw_bytes_to_v6_addr
- counts_to_addr
Converts an index_vec to an addr.
- Parameters
v – The vector containing host-order IP address representation, one element for IPv4 addresses, four elements for IPv6 addresses.
- Returns
An IP address.
See also: addr_to_counts
- current_analyzer
-
Returns the ID of the analyzer which raised the current event.
- Returns
The ID of the analyzer which raised the current event, or 0 if none.
- current_event_time
Returns the timestamp of the last raised event. The timestamp reflects the network time the event was intended to be executed. For scheduled events, this is the time the event was scheduled for. For any other event, this is the time when the event was created.
- Returns
The timestamp of the last raised event.
See also: current_time, set_network_time
- current_time
Returns the current wall-clock time.
In general, you should use network_time instead unless you are using Zeek for non-networking uses (such as general scripting; not particularly recommended), because otherwise your script may behave very differently on live traffic versus played-back traffic from a save file.
- Returns
The wall-clock time.
See also: network_time, set_network_time
- decode_base64
Decodes a Base64-encoded string.
- Parameters
s – The Base64-encoded string.
a – An optional custom alphabet. The empty string indicates the default alphabet. If given, the string must consist of 64 unique characters.
- Returns
The decoded version of s.
See also: decode_base64_conn, encode_base64
- decode_base64_conn
Decodes a Base64-encoded string that was derived from processing a connection. If an error is encountered decoding the string, that will be logged to weird.log with the associated connection.
- Parameters
cid – The identifier of the connection that the encoding originates from.
s – The Base64-encoded string.
a – An optional custom alphabet. The empty string indicates the default alphabet. If given, the string must consist of 64 unique characters.
- Returns
The decoded version of s.
See also: decode_base64
- disable_analyzer
- Type
function(cid: conn_id, aid: count, err_if_no_conn: bool &default=T &optional, prevent: bool &default=F &optional) : bool
Disables the analyzer which raised the current event (if the analyzer belongs to the given connection).
- Parameters
cid – The connection identifier.
aid – The analyzer ID.
err_if_no_conn – Emit an error message if the connection does not exist.
prevent – Prevent the same analyzer type from being attached in the future. This is useful for preventing the same analyzer from being automatically reattached in the future, e.g. as a result of a DPD signature suddenly matching.
- Returns
True if the connection identified by cid exists and has analyzer aid and it is scheduled for removal.
See also: Analyzer::schedule_analyzer, Analyzer::name
- disable_event_group
Disables the given event group.
All event and hook handlers with a matching &group attribute will be disabled if not already disabled through another group.
- Parameters
group – The group to disable.
See also: enable_event_group, disable_event_group, has_event_group, enable_module_events, disable_module_events, has_module_events
- disable_module_events
Disables all event handlers and hooks in the given module.
All event handlers and hooks defined in the given module will be disabled.
- Parameters
module_name – The module to disable.
See also: enable_event_group, disable_event_group, has_event_group, enable_module_events, disable_module_events, has_module_events
- do_profiling
Enables detailed collection of profiling statistics. Statistics include CPU/memory usage, connections, TCP states/reassembler, DNS lookups, timers, and script-level state. The script variable profiling_file holds the name of the file.
See also: get_conn_stats, get_dns_stats, get_event_stats, get_file_analysis_stats, get_gap_stats, get_matcher_stats, get_net_stats, get_proc_stats, get_reassembler_stats, get_thread_stats, get_timer_stats
- double_to_count
- Parameters
d – The double to convert.
- Returns
The double d as signed integer. The value returned follows typical rounding rules, as implemented by rint().
See also: double_to_time
- double_to_int
- double_to_interval
Converts a double to an interval.
See also: interval_to_double
- double_to_time
Converts a double value to a time.
See also: time_to_double, double_to_count
- dump_current_packet
Writes the current packet to a file.
- Parameters
file_name – The name of the file to write the packet to.
- Returns
True on success.
See also: dump_packet, get_current_packet
Note: See get_current_packet for caveats.
- dump_packet
- Type
function(pkt: pcap_packet, file_name: string) : bool
Writes a given packet to a file.
- Parameters
pkt – The PCAP packet.
file_name – The name of the file to write pkt to.
- Returns
True on success.
See also: get_current_packet, dump_current_packet
- dump_rule_stats
-
Write rule matcher statistics (DFA states, transitions, memory usage, cache hits/misses) to a file.
- Parameters
f – The file to write to.
- Returns
True (unconditionally).
See also:
get_matcher_stats
- enable_event_group
Enables the given event group.
All event and hook handlers with a matching &group attribute will be enabled if this group was the last disabled group of these handlers.
- Parameters
group – The group to enable.
See also: enable_event_group, disable_event_group, has_event_group, enable_module_events, disable_module_events, has_module_events
- enable_module_events
Enables all event handlers and hooks in the given module.
All event handlers and hooks defined in the given module will be enabled if not disabled otherwise through an event group.
- Parameters
module_name – The module to enable.
See also: enable_event_group, disable_event_group, has_event_group, enable_module_events, disable_module_events, has_module_events
- enable_raw_output
Prevents escaping of non-ASCII characters when writing to a file. This function is equivalent to &raw_output.
- Parameters
f – The file to disable raw output for.
- encode_base64
Base64-encodes a string.
- Parameters
s – The string to encode.
a – An optional custom alphabet. The empty string indicates the default alphabet. If given, the string must consist of 64 unique characters.
- Returns
The encoded version of s.
See also: decode_base64
- entropy_test_add
Adds data to an incremental entropy calculation.
- Parameters
handle – The opaque handle representing the entropy calculation state.
data – The data to add to the entropy calculation.
- Returns
True on success.
See also: find_entropy, entropy_test_add, entropy_test_finish
- entropy_test_finish
- Type
function(handle: opaque of entropy) : entropy_test_result
Finishes an incremental entropy calculation. Before using this function, one needs to obtain an opaque handle with entropy_test_init and add data to it via entropy_test_add.
- Parameters
handle – The opaque handle representing the entropy calculation state.
- Returns
The result of the entropy test. See find_entropy for a description of the individual components.
See also: find_entropy, entropy_test_init, entropy_test_add
- entropy_test_init
Initializes data structures for incremental entropy calculation.
- Returns
An opaque handle to be used in subsequent operations.
See also: find_entropy, entropy_test_add, entropy_test_finish
- enum_names
- Type
function(et: any) : string_set
Returns all value names associated with an enum type.
- Parameters
et – An enum type or a string naming one.
- Returns
All enum value names associated with enum type et. If et is not an enum type or does not name one, an empty set is returned.
- enum_to_int
- exit
-
Shuts down the Zeek process immediately.
- Parameters
code – The exit code to return with.
See also:
terminate
- exp
-
Computes the exponential function.
- Parameters
d – The argument to the exponential function.
- Returns
e to the power of d.
- file_magic
- Type
function(data: string) : mime_matches
Determines the MIME type of a piece of data using Zeek’s file magic signatures.
- Parameters
data – The data for which to find matching MIME types.
- Returns
All matching signatures, in order of strength.
See also: identify_data
- file_mode
Converts UNIX file permissions given by a mode to an ASCII string.
- Parameters
mode – The permissions (an octal number like 0644 converted to decimal).
- Returns
A string representation of mode in the format rw[xsS]rw[xsS]rw[xtT].
- file_size
-
Returns the size of a given file.
- Parameters
f – The name of the file whose size to lookup.
- Returns
The size of f in bytes.
- filter_subnet_table
-
For a set[subnet]/table[subnet], create a new table that contains all entries that contain a given subnet.
- Parameters
search – the subnet to search for.
t – the set[subnet] or table[subnet].
- Returns
A new table that contains all the entries that cover the subnet searched for.
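The difference between exact membership (check_subnet), longest-prefix membership (the in operator) and the covering entries returned by filter_subnet_table, as an added example that is not part of the Zeek documentation; the blocklist contents and the probe subnet are constructed:

```zeek
# Constructed table: a coarse RFC 1918 entry plus a narrower lab prefix inside it.
global blocklist: table[subnet] of string = {
    [10.0.0.0/8]   = "rfc1918",
    [10.1.0.0/16]  = "lab",
    [192.0.2.0/24] = "doc-net"
};

# Exact match only: true for a prefix that is literally an entry of the table,
# false for a prefix that is merely covered by one (the case `in` would accept).
function is_listed_exactly(s: subnet): bool
    {
    return check_subnet(s, blocklist);
    }

# Longest-prefix match: true as soon as any entry covers the subnet.
function is_covered(s: subnet): bool
    {
    return s in blocklist;
    }

event zeek_init()
    {
    local probe = 10.1.2.0/24;   # constructed; covered by 10.1.0.0/16 and 10.0.0.0/8

    print fmt("%s covered by an entry: %s", probe, is_covered(probe));
    print fmt("%s present as an exact entry: %s", probe, is_listed_exactly(probe));
    print fmt("%s present as an exact entry: %s", 10.1.0.0/16, is_listed_exactly(10.1.0.0/16));

    # filter_subnet_table keeps every entry whose prefix contains the probe,
    # so a policy can see all the labels that apply, not just the longest one.
    local covering: table[subnet] of string = filter_subnet_table(probe, blocklist);
    for ( net, label in covering )
        print fmt("  %s covers %s (%s)", net, probe, label);
    }
```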
- find_entropy
- Type
function(data: string) : entropy_test_result
Performs an entropy test on the given data. See http://www.fourmilab.ch/random.
- Parameters
data – The data to compute the entropy for.
- Returns
The result of the entropy test, which contains the following fields.
entropy: The information density expressed as a number of bits per character.
chi_square: The chi-square test value expressed as an absolute number and a percentage which indicates how frequently a truly random sequence would exceed the value calculated, i.e., the degree to which the sequence tested is suspected of being non-random. If the percentage is greater than 99% or less than 1%, the sequence is almost certainly not random. If the percentage is between 99% and 95% or between 1% and 5%, the sequence is suspect. Percentages between 90% and 95% and 5% and 10% indicate the sequence is “almost suspect.”
mean: The arithmetic mean of all the bytes. If the data are close to random, it should be around 127.5.
monte_carlo_pi: Each successive sequence of six bytes is used as 24-bit x and y coordinates within a square. If the distance of the randomly-generated point is less than the radius of a circle inscribed within the square, the six-byte sequence is considered a “hit.” The percentage of hits can be used to calculate the value of pi. For very large streams the value will approach the correct value of pi if the sequence is close to random.
serial_correlation: This quantity measures the extent to which each byte in the file depends upon the previous byte. For random sequences this value will be close to zero.
See also: entropy_test_init, entropy_test_add, entropy_test_finish
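A worked use of find_entropy and of the incremental entropy_test_init / entropy_test_add / entropy_test_finish trio described above, as an added example that is not part of the Zeek documentation. It flags payloads whose byte entropy is close to the 8 bits/byte maximum, which is the usual first-pass test for encrypted or compressed content; the threshold and both sample inputs are constructed:

```zeek
# Assumption: bits per byte above which a payload is treated as high-entropy.
const high_entropy_threshold: double = 7.0 &redef;

# One-shot test over a complete payload.
function classify_payload(data: string): string
    {
    local r = find_entropy(data);
    if ( r$entropy > high_entropy_threshold )
        return fmt("high-entropy (%.2f bits/byte, chi-square %.1f, mean %.1f)",
                   r$entropy, r$chi_square, r$mean);
    return fmt("low-entropy (%.2f bits/byte)", r$entropy);
    }

# The same test fed chunk by chunk, as a stream or file analyzer would deliver it.
function classify_chunks(chunks: vector of string): entropy_test_result
    {
    local h = entropy_test_init();
    for ( i in chunks )
        entropy_test_add(h, chunks[i]);
    return entropy_test_finish(h);
    }

event zeek_init()
    {
    # Constructed low-entropy sample: the same HTTP request line repeated.
    local text = "";
    local i = 0;
    while ( i < 32 )
        {
        text += "GET /index.html HTTP/1.1\r\n";
        ++i;
        }

    # Constructed high-entropy sample: every byte value 0x00..0xff exactly once,
    # built from a hex string so the block contains no raw binary.
    local hex = "";
    i = 0;
    while ( i < 256 )
        {
        hex += (i < 16 ? "0" : "") + fmt("%x", i);
        ++i;
        }
    local noise = hexstr_to_bytestring(hex);

    print classify_payload(text);
    print classify_payload(noise);

    # Feeding the same bytes in two halves through the incremental API yields
    # the same entropy as the one-shot call on the whole string.
    local r = classify_chunks(vector(sub_bytes(noise, 1, 128), sub_bytes(noise, 129, 128)));
    print fmt("incremental: %.2f bits/byte", r$entropy);
    }
```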
- find_in_zeekpath
-
Determine the path used by a non-relative @load directive.
This function is package aware: Passing package will yield the path to package.zeek, package/__load__.zeek or an empty string if neither can be found. Note that passing a relative path or absolute path is an error.
- Parameters
path – The filename, package or path to search for in ZEEKPATH.
- Returns
Path of script file that would be loaded by an @load directive.
- floor
Computes the greatest integer less than or equal to the given double value. For example, floor(3.14) returns 3.0, and floor(-3.14) returns -4.0.
- flush_all
Flushes all open files to disk.
- Returns
True on success.
See also: active_file, open, open_for_append, close, get_file_name, write_file, set_buf, mkdir, enable_raw_output, rmdir, unlink, rename
- fmt
Produces a formatted string à la printf. The first argument is the format string and specifies how subsequent arguments are converted for output. It is composed of zero or more directives: ordinary characters (not %), which are copied unchanged to the output, and conversion specifications, each of which fetches zero or more subsequent arguments. Conversion specifications begin with % and the arguments must properly correspond to the specifier. After the %, the following characters may appear in sequence:
%: Literal %
-: Left-align field
[0-9]+: The field width (< 128)
.[0-9]+: Precision of floating point specifiers [efg] (< 128)
[DTdxsefg]: Format specifier
[DT]: ISO timestamp with microsecond precision
d: Signed/Unsigned integer (using C-style %lld/%llu for int/count)
x: Unsigned hexadecimal (using C-style %llx); addresses/ports are converted to host-byte order
s: String (byte values less than 32 or greater than 126 will be escaped)
[efg]: Double
- Returns
Returns the formatted string. Given no arguments, fmt returns an empty string. Given no format string or the wrong number of additional arguments for the given format specifier, fmt generates a run-time error.
See also: cat, cat_sep, string_cat
- fnv1a32
Returns a 32-bit digest of arbitrary input values using the FNV-1a hash algorithm. See https://en.wikipedia.org/wiki/Fowler%E2%80%93Noll%E2%80%93Vo_hash_function.
- Parameters
input – The desired input value to hash.
- Returns
The hashed value.
See also: hrw_weight
- from_json
- Type
function(s: string, t: any, key_func: string_mapper &default=from_json_default_key_mapper &optional) : from_json_result
A function to convert a JSON string into Zeek values of a given type.
Implicit conversion from JSON to Zeek types is implemented for:
bool
int, count, real
interval from numbers as seconds
time from numbers as unix timestamp
port from strings in “80/tcp” notation
addr, subnet
enum
sets
vectors
records (from JSON objects)
Optional or default record fields are allowed to be missing or null in the input.
- Parameters
s – The JSON string to parse.
t – Type of Zeek data.
key_func – Optional function to normalize key names in JSON objects. Useful when keys are not valid field identifiers, or represent reserved keywords like port or type.
- Returns
A value of type t.
See also: to_json
- generate_all_events
By default, Zeek does not generate (raise) events that are not handled by any scripts. This means that these events will be invisible to a lot of other event handlers - and will not raise new_event. Calling this function will cause all event handlers to be raised. This is, likely, only useful for debugging and causes reduced performance.
- get_conn_transport_proto
- Type
function(cid: conn_id): transport_proto
Extracts the transport protocol from a connection.
- Parameters
cid – The connection identifier.
- Returns
The transport protocol of the connection identified by cid.
See also:
get_port_transport_proto
,get_orig_seq
,get_resp_seq
- get_current_packet
- Type
function(): pcap_packet
Returns the currently processed PCAP packet.
- Returns
The currently processed packet, which is a record containing the timestamp, snaplen, and packet data.
See also:
dump_current_packet
,dump_packet
Note
Calling get_current_packet() within events that are not directly raised as a result of processing a specific packet may result in unexpected behavior. For example, out-of-order TCP segments or IP defragmentation may result in such scenarios. Details depend on the involved packet and protocol analyzers. As a rule of thumb, in low-level events, like raw_packet, the behavior is well defined.
The returned packet is directly taken from the packet source and any tunnel or encapsulation layers will be present in the payload. Correctly inspecting the payload using Zeek script is therefore a non-trivial task.
The return value of get_current_packet() further should be considered undefined when called within event handlers raised via event, schedule or by the receipt of Broker messages.
- get_current_packet_header
- Type
function(): raw_pkt_hdr
Function to get the raw headers of the currently processed packet.
- Returns
The raw_pkt_hdr record containing the Layer 2, 3 and 4 headers of the currently processed packet.
See also:
raw_pkt_hdr
,get_current_packet
Note
See get_current_packet for caveats.
- get_file_name
-
Gets the filename associated with a file handle.
- Parameters
f – The file handle to inquire the name for.
- Returns
The filename associated with f.
See also:
open
- get_port_transport_proto
- Type
function(p: port): transport_proto
Extracts the transport protocol from a port.
- Parameters
p – The port.
- Returns
The transport protocol of the port p.
See also:
get_conn_transport_proto
,get_orig_seq
,get_resp_seq
- getenv
-
Returns a system environment variable.
- Parameters
var – The name of the variable whose value to request.
- Returns
The system environment variable identified by var, or an empty string if it is not defined.
See also:
setenv
- gethostname
-
Returns the hostname of the machine Zeek runs on.
- Returns
The hostname of the machine Zeek runs on.
- global_container_footprints
-
Generates a table of the “footprint” of all global container variables. This is (approximately) the number of objects the global contains either directly or indirectly. The number is not meant to be precise, but rather comparable: larger footprint correlates with more memory consumption. The table index is the variable name and the value is the footprint.
- Returns
A table that maps variable names to their footprints.
See also:
val_footprint
- global_ids
-
Generates a table with information about all global identifiers. The table value is a record containing the type name of the identifier, whether it is exported, a constant, an enum constant, redefinable, and its value (if it has one).
Module names are included in the returned table as well. The type_name field is set to "module" and their names are prefixed with "module " to avoid clashing with global identifiers. Note that there is no module type in Zeek.
- Returns
A table that maps identifier names to information about them.
- global_options
- Type
function(): string_set
Returns a set giving the names of all global options.
- has_event_group
-
Does an attribute event group with this name exist?
- Parameters
group – The group name.
See also:
enable_event_group
,disable_event_group
,has_event_group
,enable_module_events
,disable_module_events
,has_module_events
- has_module_events
-
Does a module event group with this name exist?
- Parameters
group – The group name.
See also:
enable_event_group
,disable_event_group
,has_event_group
,enable_module_events
,disable_module_events
,has_module_events
- have_spicy
-
Returns true if Zeek was built with support for using Spicy analyzers (which
- have_spicy_analyzers
-
Returns true if Zeek was built with support for its in-tree Spicy analyzers (which is the default if Spicy support is available).
- haversine_distance
-
Calculates distance between two geographic locations using the haversine formula. Latitudes and longitudes must be given in degrees, where southern hemisphere latitudes are negative and western hemisphere longitudes are negative.
- Parameters
lat1 – Latitude (in degrees) of location 1.
long1 – Longitude (in degrees) of location 1.
lat2 – Latitude (in degrees) of location 2.
long2 – Longitude (in degrees) of location 2.
- Returns
Distance in miles.
See also:
haversine_distance_ip
- hexstr_to_bytestring
-
Converts a hex-string into its binary representation. For example, "3034" would be converted to "04". The input string is assumed to contain an even number of hexadecimal digits (0-9, a-f, or A-F), otherwise behavior is undefined.
- Parameters
hexstr – The hexadecimal string representation.
- Returns
The binary representation of hexstr.
See also:
hexdump
,bytestring_to_hexstr
- hrw_weight
-
Calculates a weight value for use in a Rendezvous Hashing algorithm. See https://en.wikipedia.org/wiki/Rendezvous_hashing. The weight function used is the one recommended in the original paper: http://www.eecs.umich.edu/techreports/cse/96/CSE-TR-316-96.pdf.
- Parameters
key_digest – A 32-bit digest of a key. E.g. use fnv1a32 to produce this.
site_id – A 32-bit site/node identifier.
- Returns
The weight value for the key/site pair.
See also:
fnv1a32
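The following is an added example, not code from the Zeek documentation or from Zeek's own cluster scripts: it combines fnv1a32 and hrw_weight into a rendezvous-hashing node selector and shows the property the scheme exists for, namely that removing one node only moves the keys that node owned. The hrw_pick function, the node names and the keys are assumptions of this example.

```zeek
# Added example, not from the Zeek documentation: rendezvous (HRW)
# hashing with fnv1a32() and hrw_weight(). Node names and keys below are
# constructed for this example.

# Return the site in `sites` with the highest weight for `key`. Each site
# is identified by the 32-bit FNV-1a digest of its name.
function hrw_pick(key: string, sites: vector of string): string
    {
    local key_digest = fnv1a32(key);
    local best = "";
    local best_weight = 0;

    for ( i, site in sites )
        {
        local w = hrw_weight(key_digest, fnv1a32(site));
        # Break ties by name so every node computes the same answer.
        if ( best == "" || w > best_weight || (w == best_weight && site < best) )
            {
            best = site;
            best_weight = w;
            }
        }
    return best;
    }

event zeek_init()
    {
    local nodes = vector("worker-1", "worker-2", "worker-3");
    local keys = vector("10.0.0.5", "10.0.0.6", "192.0.2.77",
                        "198.51.100.9", "203.0.113.4", "203.0.113.9");

    # Assignment with all three nodes present ...
    for ( i, k in keys )
        print fmt("%s -> %s", k, hrw_pick(k, nodes));

    # ... and after worker-3 disappears. Only keys that worker-3 owned move;
    # every other key keeps its node, because the per-node weights of the
    # surviving nodes are unchanged.
    local remaining = vector("worker-1", "worker-2");
    for ( i, k in keys )
        if ( hrw_pick(k, nodes) != hrw_pick(k, remaining) )
            print fmt("%s moved from %s to %s", k, hrw_pick(k, nodes), hrw_pick(k, remaining));
    }
```

Because both digests come from a non-cryptographic hash, an adversary who controls the keys (for example source addresses) can steer many keys onto one node; use this for load distribution among trusted nodes, not as a defence against targeted overload.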
- identify_data
-
Determines the MIME type of a piece of data using Zeek’s file magic signatures.
- Parameters
data – The data to find the MIME type for.
return_mime – Deprecated argument; does nothing, except emit a warning when false.
- Returns
The MIME type of data, or “<unknown>” if there was an error or no match. This is the strongest signature match.
See also:
file_magic
- install_dst_addr_filter
-
Installs a filter to drop packets destined to a given IP address with a certain probability if none of a given set of TCP flags are set. Note that for IPv6 packets with a routing type header and non-zero segments left, this filters out against the final destination of the packet according to the routing extension header.
- Parameters
ip – Drop packets to this IP address.
tcp_flags – If none of these TCP flags are set, drop packets to ip with probability prob.
prob – The probability [0.0, 1.0] used to drop packets to ip.
- Returns
True (unconditionally).
See also:
Pcap::precompile_pcap_filter
,Pcap::install_pcap_filter
,install_src_addr_filter
,install_src_net_filter
,uninstall_src_addr_filter
,uninstall_src_net_filter
,install_dst_net_filter
,uninstall_dst_addr_filter
,uninstall_dst_net_filter
,Pcap::error
Todo
The return value should be changed to any.
- install_dst_net_filter
-
Installs a filter to drop packets destined to a given subnet with a certain probability if none of a given set of TCP flags are set.
- Parameters
snet – Drop packets to this subnet.
tcp_flags – If none of these TCP flags are set, drop packets to snet with probability prob.
prob – The probability [0.0, 1.0] used to drop packets to snet.
- Returns
True (unconditionally).
See also:
Pcap::precompile_pcap_filter
,Pcap::install_pcap_filter
,install_src_addr_filter
,install_src_net_filter
,uninstall_src_addr_filter
,uninstall_src_net_filter
,install_dst_addr_filter
,uninstall_dst_addr_filter
,uninstall_dst_net_filter
,Pcap::error
Todo
The return value should be changed to any.
- install_src_addr_filter
-
Installs a filter to drop packets from a given IP source address with a certain probability if none of a given set of TCP flags are set. Note that for IPv6 packets with a Destination options header that has the Home Address option, this filters out against that home address.
- Parameters
ip – The IP address to drop.
tcp_flags – If none of these TCP flags are set, drop packets from ip with probability prob.
prob – The probability [0.0, 1.0] used to drop packets from ip.
- Returns
True (unconditionally).
See also:
Pcap::precompile_pcap_filter
,Pcap::install_pcap_filter
,install_src_net_filter
,uninstall_src_addr_filter
,uninstall_src_net_filter
,install_dst_addr_filter
,install_dst_net_filter
,uninstall_dst_addr_filter
,uninstall_dst_net_filter
,Pcap::error
Todo
The return value should be changed to any.
- install_src_net_filter
-
Installs a filter to drop packets originating from a given subnet with a certain probability if none of a given set of TCP flags are set.
- Parameters
snet – The subnet to drop packets from.
tcp_flags – If none of these TCP flags are set, drop packets from snet with probability prob.
prob – The probability [0.0, 1.0] used to drop packets from snet.
- Returns
True (unconditionally).
See also:
Pcap::precompile_pcap_filter
,Pcap::install_pcap_filter
,install_src_addr_filter
,uninstall_src_addr_filter
,uninstall_src_net_filter
,install_dst_addr_filter
,install_dst_net_filter
,uninstall_dst_addr_filter
,uninstall_dst_net_filter
,Pcap::error
Todo
The return value should be changed to any.
- int_to_count
- int_to_double
-
See also:
count_to_double
,double_to_count
- interval_to_double
-
Converts an interval to a double.
See also:
double_to_interval
- is_file_analyzer
- Type
function(atype: AllAnalyzers::Tag): bool
Returns true if the given tag belongs to a file analyzer.
- Parameters
atype – The analyzer tag to check.
- Returns
true if atype is a tag of a file analyzer, else false.
- is_icmp_port
-
Checks whether a given port has ICMP as transport protocol.
- Parameters
p – The port to check.
- Returns
True iff p is an ICMP port.
See also:
is_tcp_port
,is_udp_port
- is_local_interface
-
Checks whether a given IP address belongs to a local interface.
- Parameters
ip – The IP address to check.
- Returns
True if ip belongs to a local interface.
- is_packet_analyzer
- Type
function(atype: AllAnalyzers::Tag): bool
Returns true if the given tag belongs to a packet analyzer.
- Parameters
atype – The analyzer type to check.
- Returns
true if atype is a tag of a packet analyzer, else false.
- is_processing_suspended
-
Returns whether or not processing is currently suspended.
See also:
suspend_processing
,continue_processing
- is_protocol_analyzer
- Type
function(atype: AllAnalyzers::Tag): bool
Returns true if the given tag belongs to a protocol analyzer.
- Parameters
atype – The analyzer tag to check.
- Returns
true if atype is a tag of a protocol analyzer, else false.
- is_remote_event
-
Checks whether the last raised event came from a remote peer.
- Returns
True if the last raised event came from a remote peer.
- is_tcp_port
-
Checks whether a given port has TCP as transport protocol.
- Parameters
p – The port to check.
- Returns
True iff p is a TCP port.
See also:
is_udp_port
,is_icmp_port
- is_udp_port
-
Checks whether a given port has UDP as transport protocol.
- Parameters
p – The port to check.
- Returns
True iff p is a UDP port.
See also:
is_icmp_port
,is_tcp_port
- is_v4_addr
-
Returns whether an address is IPv4 or not.
- Parameters
a – the address to check.
- Returns
true if a is an IPv4 address, else false.
- is_v4_subnet
-
Returns whether a subnet specification is IPv4 or not.
- Parameters
s – the subnet to check.
- Returns
true if s is an IPv4 subnet, else false.
- is_v6_addr
-
Returns whether an address is IPv6 or not.
- Parameters
a – the address to check.
- Returns
true if a is an IPv6 address, else false.
- is_v6_subnet
-
Returns whether a subnet specification is IPv6 or not.
- Parameters
s – the subnet to check.
- Returns
true if s is an IPv6 subnet, else false.
- is_valid_ip
-
Checks if a string is a valid IPv4 or IPv6 address.
- Parameters
ip – the string to check for valid IP formatting.
- Returns
T if the string is a valid IPv4 or IPv6 address format.
- ln
-
Computes the natural logarithm of a number.
- Parameters
d – The argument to the logarithm.
- Returns
The natural logarithm of d.
- log10
-
Computes the common logarithm of a number.
- Parameters
d – The argument to the logarithm.
- Returns
The common logarithm of d.
- log2
-
Computes the base 2 logarithm of a number.
- Parameters
d – The argument to the logarithm.
- Returns
The base 2 logarithm of d.
- lookup_ID
-
Returns the value of a global identifier.
- Parameters
id – The global identifier.
- Returns
The value of id. If id does not describe a valid identifier, the string "<unknown id>" or "<no ID value>" is returned.
- lookup_addr
-
Issues an asynchronous reverse DNS lookup and delays the function result. This function can therefore only be called inside a when condition, e.g., when ( local host = lookup_addr(10.0.0.1) ) { f(host); }.
- Parameters
host – The IP address to lookup.
- Returns
The DNS name of host.
See also:
lookup_hostname
- lookup_connection
- Type
function(cid: conn_id): connection
Returns the connection record for a given connection identifier.
- Parameters
cid – The connection ID.
- Returns
The connection record for cid. If cid does not point to an existing connection, the function generates a run-time error and returns a dummy value.
See also:
connection_exists
- lookup_connection_analyzer_id
- Type
function(cid: conn_id, atype: AllAnalyzers::Tag): count
Returns the numeric ID of the requested protocol analyzer for the given connection.
- Parameters
cid – The connection identifier.
atype – The analyzer tag, such as Analyzer::ANALYZER_HTTP.
- Returns
a numeric identifier for the analyzer, valid for the given connection. When no such analyzer exists the function returns 0, which is never a valid analyzer ID value.
See also:
disable_analyzer
,Analyzer::disabling_analyzer
- lookup_hostname
-
Issues an asynchronous DNS lookup and delays the function result. This function can therefore only be called inside a when condition, e.g., when ( local h = lookup_hostname("www.zeek.org") ) { f(h); }.
- Parameters
host – The hostname to lookup.
- Returns
A set of DNS A and AAAA records associated with host.
See also:
lookup_addr
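As an added example (not from the Zeek documentation or from any Zeek-shipped script), the script below chains lookup_addr and lookup_hostname into a forward-confirmed reverse DNS check for connection originators: the PTR name of the originator is resolved forward again, and a notice is raised if the address is not among the answers. Both lookups sit in when conditions with timeouts, since each suspends the caller until the resolver answers. The FcrDNS module, its Mismatch notice type, the dns_timeout constant and the functions are assumptions of this example.

```zeek
# Added example, not from the Zeek documentation: forward-confirmed
# reverse DNS (FCrDNS) with the asynchronous lookup_addr() and
# lookup_hostname() BIFs. Module, notice type and constant are
# constructed for this example.
@load base/frameworks/notice
@load base/utils/site

module FcrDNS;

export {
    redef enum Notice::Type += {
        # Hypothetical notice: the originator's PTR name does not resolve
        # back to the originator.
        Mismatch
    };

    # How long to wait for each resolver answer before giving up.
    const dns_timeout = 5sec &redef;
}

# Second step: resolve the PTR name forward and compare. lookup_hostname()
# returns the set of A and AAAA answers, so membership is a plain "in".
function confirm(ip: addr, name: string)
    {
    when [ ip, name ] ( local addrs = lookup_hostname(name) )
        {
        if ( ip !in addrs )
            NOTICE([$note=Mismatch, $src=ip,
                    $msg=fmt("%s has PTR %s, which resolves to %s instead", ip, name, addrs)]);
        }
    timeout dns_timeout
        {
        Reporter::info(fmt("forward lookup of %s timed out", name));
        }
    }

# First step: reverse-resolve the address. The "when" returns immediately;
# its body runs later, on the resolver's answer.
function check(ip: addr)
    {
    when [ ip ] ( local name = lookup_addr(ip) )
        {
        confirm(ip, name);
        }
    timeout dns_timeout
        {
        Reporter::info(fmt("reverse lookup of %s timed out", ip));
        }
    }

event connection_established(c: connection)
    {
    # Only external originators are checked; local hosts are trusted here.
    if ( ! Site::is_local_addr(c$id$orig_h) )
        check(c$id$orig_h);
    }
```

Each when issues a real resolver query, so on a busy sensor gate the call (for example by a table of recently checked addresses) rather than querying on every connection; a resolver under attacker influence can also make both lookups agree, so treat a passing check as a weak signal, not as authentication.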
- lookup_hostname_txt
-
Issues an asynchronous TEXT DNS lookup and delays the function result. This function can therefore only be called inside a when condition, e.g., when ( local h = lookup_hostname_txt("www.zeek.org") ) { f(h); }.
- Parameters
host – The hostname to lookup.
- Returns
The DNS TXT record associated with host.
See also:
lookup_hostname
- mask_addr
-
Masks an address down to the number of given upper bits. For example, mask_addr(1.2.3.4, 18) returns 1.2.0.0.
- Parameters
a – The address to mask.
top_bits_to_keep – The number of top bits to keep in a; must be greater than 0 and less than 33 for IPv4, or 129 for IPv6.
- Returns
The address a masked down to top_bits_to_keep bits.
See also:
remask_addr
- match_signatures
- Type
function(c: connection, pattern_type: int, s: string, bol: bool, eol: bool, from_orig: bool, clear: bool): bool
Manually triggers the signature engine for a given connection. This is an internal function.
- matching_subnets
- Type
function(search: subnet, t: any): subnet_vec
Gets all subnets that contain a given subnet from a set/table[subnet].
- Parameters
search – the subnet to search for.
t – the set[subnet] or table[subnet].
- Returns
All the keys of the set or table that cover the subnet searched for.
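The following added example (not from the Zeek documentation) uses matching_subnets to collect every zone that covers an address from a table[subnet], ordered from least to most specific, and contrasts that with a plain address lookup on the same table, which yields only the longest-prefix match. The zone_tags table and the two functions are assumptions of this example.

```zeek
# Added example, not from the Zeek documentation: all covering subnets of
# an address via matching_subnets(), versus the longest-prefix match a
# direct table lookup gives. Table contents are constructed for this example.
global zone_tags: table[subnet] of string = {
    [0.0.0.0/0]   = "untrusted",
    [10.0.0.0/8]  = "corp",
    [10.1.0.0/16] = "dmz",
    [10.1.5.0/24] = "jump-hosts",
};

# Every tag whose subnet covers `a`, least specific first.
function tags_for(a: addr): vector of string
    {
    local result: vector of string;
    # Wrap the address as a /32 subnet; the keys that contain it are returned.
    local covering = matching_subnets(addr_to_subnet(a), zone_tags);

    # matching_subnets() does not order its result; sort by prefix width so
    # the most specific zone comes last.
    sort(covering, function(s1: subnet, s2: subnet): int
        {
        local w1 = subnet_width(s1);
        local w2 = subnet_width(s2);
        return w1 < w2 ? -1 : (w1 > w2 ? 1 : 0);
        });

    for ( i, s in covering )
        result += zone_tags[s];

    return result;
    }

# Only the most specific zone: indexing a table[subnet] with an address
# already performs a longest-prefix match, so no vector walk is needed.
function zone_of(a: addr): string
    {
    return a in zone_tags ? zone_tags[a] : "untrusted";
    }

event zeek_init()
    {
    print tags_for(10.1.5.7);   # [untrusted, corp, dmz, jump-hosts]
    print zone_of(10.1.5.7);    # jump-hosts
    print tags_for(10.2.0.1);   # [untrusted, corp]
    print zone_of(198.51.100.3); # untrusted
    }
```

Use matching_subnets when every enclosing policy must apply (inherited tags, nested allow/deny rules); use the direct lookup when only the tightest rule matters.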
- md5_hash
-
Computes the MD5 hash value of the provided list of arguments. MD5 is collision-broken; use it only where an existing indicator set or protocol requires it, not to decide integrity.
- Returns
The MD5 hash value of the concatenated arguments.
See also:
md5_hmac
,md5_hash_init
,md5_hash_update
,md5_hash_finish
,sha1_hash
,sha1_hash_init
,sha1_hash_update
,sha1_hash_finish
,sha256_hash
,sha256_hash_init
,sha256_hash_update
,sha256_hash_finish
Note
This function performs a one-shot computation of its arguments. For incremental hash computation, see md5_hash_init and friends.
- md5_hash_finish
-
Returns the final MD5 digest of an incremental hash computation.
- Parameters
handle – The opaque handle associated with this hash computation.
- Returns
The hash value associated with the computation of handle.
See also:
md5_hmac
,md5_hash
,md5_hash_init
,md5_hash_update
,sha1_hash
,sha1_hash_init
,sha1_hash_update
,sha1_hash_finish
,sha256_hash
,sha256_hash_init
,sha256_hash_update
,sha256_hash_finish
- md5_hash_init
-
Constructs an MD5 handle to enable incremental hash computation. You can feed data to the returned opaque value with md5_hash_update and eventually need to call md5_hash_finish to finish the computation and get the hash digest. For example, when computing incremental MD5 values of transferred files in multiple concurrent HTTP connections, one keeps an optional handle in the HTTP session record. Then, one would call c$http$md5_handle = md5_hash_init() once before invoking md5_hash_update(c$http$md5_handle, some_more_data) in the http_entity_data event handler. When all data has arrived, a call to md5_hash_finish returns the final hash value.
- Returns
The opaque handle associated with this hash computation.
See also:
md5_hmac
,md5_hash
,md5_hash_update
,md5_hash_finish
,sha1_hash
,sha1_hash_init
,sha1_hash_update
,sha1_hash_finish
,sha256_hash
,sha256_hash_init
,sha256_hash_update
,sha256_hash_finish
- md5_hash_update
-
Updates the MD5 computation associated with a given handle. It is required to call md5_hash_init once before calling this function.
- Parameters
handle – The opaque handle associated with this hash computation.
data – The data to add to the hash computation.
- Returns
True on success.
See also:
md5_hmac
,md5_hash
,md5_hash_init
,md5_hash_finish
,sha1_hash
,sha1_hash_init
,sha1_hash_update
,sha1_hash_finish
,sha256_hash
,sha256_hash_init
,sha256_hash_update
,sha256_hash_finish
- md5_hmac
-
Computes an HMAC-MD5 hash value of the provided list of arguments. The HMAC secret key is generated from available entropy when Zeek starts up, or it can be specified for repeatability using the -K command line flag.
- Returns
The HMAC-MD5 hash value of the concatenated arguments.
See also:
md5_hash
,md5_hash_init
,md5_hash_update
,md5_hash_finish
,sha1_hash
,sha1_hash_init
,sha1_hash_update
,sha1_hash_finish
,sha256_hash
,sha256_hash_init
,sha256_hash_update
,sha256_hash_finish
- mkdir
-
Creates a new directory.
- Parameters
f – The directory name.
- Returns
True if the operation succeeds or if f already exists, and false if the directory creation fails.
See also:
active_file
,open_for_append
,close
,write_file
,get_file_name
,set_buf
,flush_all
,enable_raw_output
,rmdir
,unlink
,rename
- network_time
-
Returns the timestamp of the last packet processed. This function returns the timestamp of the most recently read packet, whether read from a live network interface or from a save file.
- Returns
The timestamp of the packet processed.
See also:
current_time
,set_network_time
- open
-
Opens a file for writing. If a file with the same name already exists, this function overwrites it (as opposed to open_for_append).
- Parameters
f – The path to the file.
- Returns
A file handle for subsequent operations.
See also:
active_file
,open_for_append
,close
,write_file
,get_file_name
,set_buf
,flush_all
,mkdir
,enable_raw_output
,rmdir
,unlink
,rename
- open_for_append
-
Opens a file for writing or appending. If a file with the same name already exists, this function appends to it (as opposed to open).
- Parameters
f – The path to the file.
- Returns
A file handle for subsequent operations.
See also:
active_file
,open
,close
,write_file
,get_file_name
,set_buf
,flush_all
,mkdir
,enable_raw_output
,rmdir
,unlink
,rename
- order
-
Returns the order of the elements in a vector according to some comparison function. See sort for details about the comparison function.
- Parameters
v – The vector whose order to compute.
- Returns
A vector of count with the indices of the ordered elements. For example, the elements of v in order are (assuming o is the vector returned by order): v[o[0]], v[o[1]], etc.
See also:
sort
- packet_source
- Type
function(): PacketSource
- Returns
the packet source being read by Zeek.
See also:
reading_live_traffic
,reading_traces
- paraglob_equals
-
Compares two paraglobs for equality.
- Parameters
p_one – A compiled paraglob.
p_two – A compiled paraglob.
- Returns
True if both paraglobs contain the same patterns, false otherwise.
See also:
paraglob_add
,paraglob_match
,paraglob_init
- paraglob_init
-
Initializes and returns a new paraglob.
- Parameters
v – Vector of patterns to initialize the paraglob with.
- Returns
A new, compiled, paraglob with the patterns in v
- paraglob_match
- Type
function(handle: opaque of paraglob, match: string): string_vec
Gets all the patterns inside the handle associated with an input string.
- Parameters
handle – A compiled paraglob.
match – string to match against the paraglob.
- Returns
A vector of strings matching the input string.
See also:
paraglob_add
,paraglob_equals
,paraglob_init
- piped_exec
-
Opens a program with popen and writes a given string to the returned stream to send it to the opened process's stdin. Because popen hands program to the shell, the program string must never be assembled from untrusted input such as values extracted from traffic; only to_write may safely carry such data.
- Parameters
program – The program to execute.
to_write – Data to pipe to the opened program's process via stdin.
- Returns
True on success.
See also:
system
,system_env
- port_to_count
-
See also:
count_to_port
- pow
-
Computes the x raised to the power y.
- Parameters
x – The number to be raised to a power.
y – The number that specifies a power.
- Returns
The number x raised to the power y.
- preserve_prefix
-
Preserves the prefix of an IP address in anonymization.
- Parameters
a – The address to preserve.
width – The number of bits from the top that should remain intact.
See also:
preserve_subnet
,anonymize_addr
Todo
Currently dysfunctional.
- preserve_subnet
-
Preserves the prefix of a subnet in anonymization.
- Parameters
a – The subnet to preserve.
See also:
preserve_prefix
,anonymize_addr
Todo
Currently dysfunctional.
- print_raw
-
Renders a sequence of values to a string of bytes and outputs them directly to stdout with no additional escape sequences added. No additional newline is added to the end either.
- Returns
Always true.
See also:
fmt
,cat
,cat_sep
,string_cat
,to_json
- ptr_name_to_addr
-
Converts a reverse pointer name to an address. For example, 1.0.168.192.in-addr.arpa to 192.168.0.1.
- Parameters
s – The string with the reverse pointer name.
- Returns
The IP address corresponding to s.
See also:
addr_to_ptr_name
,to_addr
- rand
-
Generates a random number.
- Parameters
max – The maximum value of the random number.
- Returns
a random non-negative integer in the interval [0, max).
See also:
srand
Note
This function is a wrapper around the random function provided by the OS. It is not a cryptographically secure random source; do not use it to generate keys, tokens or other secrets.
- raw_bytes_to_v4_addr
-
Converts a string of bytes into an IPv4 address. In particular, this function interprets the first 4 bytes of the string as an IPv4 address in network order.
See also:
raw_bytes_to_v6_addr
,to_addr
,to_subnet
- raw_bytes_to_v6_addr
-
Converts a string of bytes into an IPv6 address. In particular, this function interprets the first 16 bytes of the string as an IPv6 address in network order.
See also:
raw_bytes_to_v4_addr
,to_addr
,to_subnet
- reading_live_traffic
-
Checks whether Zeek reads traffic from one or more network interfaces (as opposed to from a network trace in a file). Note that this function returns true even after Zeek has stopped reading network traffic, for example due to receiving a termination signal.
- Returns
True if reading traffic from a network interface.
See also:
reading_traces
,packet_source
- reading_traces
-
Checks whether Zeek reads traffic from a trace file (as opposed to from a network interface).
- Returns
True if reading traffic from a network trace.
See also:
reading_live_traffic
,packet_source
- record_fields
- Type
function(rec: any): record_field_table
Generates metadata about a record’s fields. The returned information includes the field name, whether it is logged, its value (if it has one), and its default value (if specified).
- Parameters
rec – The record value or type to inspect.
- Returns
A table that describes the fields of a record.
- record_type_to_vector
- Type
function(rt: string): string_vec
Converts a record type name to a vector of strings, where each element is the name of a record field. Nested records are flattened.
- Parameters
rt – The name of the record type.
- Returns
A string vector with the field names of rt.
- remask_addr
-
Takes some top bits (such as a subnet address) from one address and the other bits (intra-subnet part) from a second address and merges them to get a new address. This is useful for anonymizing at subnet level while preserving serial scans.
- Parameters
a1 – The address to mask with top_bits_from_a1.
a2 – The address to take the remaining bits from.
top_bits_from_a1 – The number of top bits to keep from a1; must be greater than 0 and less than 129. This value is always interpreted relative to the IPv6 bit width (v4-mapped addresses start at bit number 96).
- Returns
The address formed from the top top_bits_from_a1 bits of a1 and the remaining low-order bits of a2.
See also:
mask_addr
- rename
-
Renames a file from src_f to dst_f.
- Parameters
src_f – the name of the file to rename.
dest_f – the name of the file after the rename operation.
- Returns
True if the rename succeeds and false otherwise.
See also:
active_file
,open_for_append
,close
,write_file
,get_file_name
,set_buf
,flush_all
,enable_raw_output
,mkdir
,rmdir
,unlink
- resize
-
Resizes a vector.
- Parameters
aggr – The vector instance.
newsize – The new size of aggr.
- Returns
The old size of aggr, or 0 if aggr is not a vector.
- rmdir
-
Removes a directory.
- Parameters
d – The directory name.
- Returns
True if the operation succeeds, and false if the directory delete operation fails.
See also:
active_file
,open_for_append
,close
,write_file
,get_file_name
,set_buf
,flush_all
,enable_raw_output
,mkdir
,unlink
,rename
- rotate_file
- Type
function(f: file): rotate_info
Rotates a file.
- Parameters
f – An open file handle.
- Returns
Rotation statistics which include the original file name, the name after the rotation, and the time when f was opened/closed.
See also:
rotate_file_by_name
,calc_next_rotate
- rotate_file_by_name
- Type
function(f: string): rotate_info
Rotates a file identified by its name.
- Parameters
f – The name of the file to rotate
- Returns
Rotation statistics which include the original file name, the name after the rotation, and the time when f was opened/closed.
See also:
rotate_file
,calc_next_rotate
- routing0_data_to_addrs
-
Converts the data field of ip6_routing records that have rtype of 0 into a vector of addresses.
- Parameters
s – The data field of an ip6_routing record that has an rtype of 0.
- Returns
The vector of addresses contained in the routing header data.
- same_object
-
Checks whether two objects reference the same internal object. This function compares the C++ raw pointer values of the two objects, so it tests identity, not value equality: two distinct objects with equal contents yield false.
- Parameters
o1 – The first object.
o2 – The second object.
- Returns
True if o1 and o2 refer to the same internal object.
- set_buf
-
Alters the buffering behavior of a file.
- Parameters
f – A file handle to an open file.
buffered – When true, f is fully buffered, i.e., bytes are saved in a buffer until the block size has been reached. When false, f is line buffered, i.e., bytes are saved up until a newline occurs.
See also:
active_file
,open
,open_for_append
,close
,get_file_name
,write_file
,flush_all
,mkdir
,enable_raw_output
,rmdir
,unlink
,rename
- set_inactivity_timeout
-
Sets an individual inactivity timeout for a connection and thus overrides the global inactivity timeout.
- Parameters
cid – The connection ID.
t – The new inactivity timeout for the connection identified by cid.
- Returns
The previous timeout interval.
- set_network_time
-
Sets the timestamp associated with the last packet processed. Used for event replaying.
- Parameters
nt – The time to which to set “network time”.
- Returns
The timestamp of the packet processed.
See also:
current_time
,network_time
- set_record_packets
-
Controls whether packet contents belonging to a connection should be recorded (when the -w option is provided on the command line).
- Parameters
cid – The connection identifier.
do_record – True to enable packet contents, and false to disable for the connection identified by cid.
- Returns
False if cid does not point to an active connection, and true otherwise.
See also:
skip_further_processing
Note
This is independent of whether Zeek processes the packets of this connection, which is controlled separately by skip_further_processing.
See also:
get_contents_file
,set_contents_file
- setenv
-
Sets a system environment variable.
- Parameters
var – The name of the variable.
val – The (new) value of the variable var.
- Returns
True on success.
See also:
getenv
- sha1_hash
-
Computes the SHA1 hash value of the provided list of arguments. Practical SHA1 collisions exist; prefer sha256_hash unless an external indicator set or protocol requires SHA1.
- Returns
The SHA1 hash value of the concatenated arguments.
See also:
md5_hash
,md5_hmac
,md5_hash_init
,md5_hash_update
,md5_hash_finish
,sha1_hash_init
,sha1_hash_update
,sha1_hash_finish
,sha256_hash
,sha256_hash_init
,sha256_hash_update
,sha256_hash_finish
Note
This function performs a one-shot computation of its arguments. For incremental hash computation, see sha1_hash_init and friends.
- sha1_hash_finish
-
Returns the final SHA1 digest of an incremental hash computation.
- Parameters
handle – The opaque handle associated with this hash computation.
- Returns
The hash value associated with the computation of handle.
See also:
md5_hmac
,md5_hash
,md5_hash_init
,md5_hash_update
,md5_hash_finish
,sha1_hash
,sha1_hash_init
,sha1_hash_update
,sha256_hash
,sha256_hash_init
,sha256_hash_update
,sha256_hash_finish
- sha1_hash_init
-
Constructs an SHA1 handle to enable incremental hash computation. You can feed data to the returned opaque value with sha1_hash_update and finally need to call sha1_hash_finish to finish the computation and get the hash digest. For example, when computing incremental SHA1 values of transferred files in multiple concurrent HTTP connections, one keeps an optional handle in the HTTP session record. Then, one would call c$http$sha1_handle = sha1_hash_init() once before invoking sha1_hash_update(c$http$sha1_handle, some_more_data) in the http_entity_data event handler. When all data has arrived, a call to sha1_hash_finish returns the final hash value.
- Returns
The opaque handle associated with this hash computation.
See also:
md5_hmac
,md5_hash
,md5_hash_init
,md5_hash_update
,md5_hash_finish
,sha1_hash
,sha1_hash_update
,sha1_hash_finish
,sha256_hash
,sha256_hash_init
,sha256_hash_update
,sha256_hash_finish
- sha1_hash_update
-
Updates the SHA1 computation associated with a given handle. It is required to call sha1_hash_init once before calling this function.
- Parameters
handle – The opaque handle associated with this hash computation.
data – The data to add to the hash computation.
- Returns
True on success.
See also:
md5_hmac
,md5_hash
,md5_hash_init
,md5_hash_update
,md5_hash_finish
,sha1_hash
,sha1_hash_init
,sha1_hash_finish
,sha256_hash
,sha256_hash_init
,sha256_hash_update
,sha256_hash_finish
- sha256_hash
-
Computes the SHA256 hash value of the provided list of arguments.
- Returns
The SHA256 hash value of the concatenated arguments.
See also:
md5_hash
,md5_hmac
,md5_hash_init
,md5_hash_update
,md5_hash_finish
,sha1_hash
,sha1_hash_init
,sha1_hash_update
,sha1_hash_finish
,sha256_hash_init
,sha256_hash_update
,sha256_hash_finish
Note
This function performs a one-shot computation of its arguments. For incremental hash computation, see sha256_hash_init and friends.
- sha256_hash_finish
-
Returns the final SHA256 digest of an incremental hash computation.
- Parameters
handle – The opaque handle associated with this hash computation.
- Returns
The hash value associated with the computation of handle.
See also:
md5_hmac
,md5_hash
,md5_hash_init
,md5_hash_update
,md5_hash_finish
,sha1_hash
,sha1_hash_init
,sha1_hash_update
,sha1_hash_finish
,sha256_hash
,sha256_hash_init
,sha256_hash_update
- sha256_hash_init
-
Constructs an SHA256 handle to enable incremental hash computation. You can feed data to the returned opaque value with
sha256_hash_update
and finally need to call sha256_hash_finish
to finish the computation and get the hash digest. For example, when computing incremental SHA256 values of transferred files in multiple concurrent HTTP connections, one keeps an optional handle in the HTTP session record. Then, one would call
c$http$sha256_handle = sha256_hash_init()
once before invoking sha256_hash_update(c$http$sha256_handle, some_more_data)
in the http_entity_data
event handler. When all data has arrived, a call to sha256_hash_finish
returns the final hash value.
- Returns
The opaque handle associated with this hash computation.
See also:
md5_hmac
,md5_hash
,md5_hash_init
,md5_hash_update
,md5_hash_finish
,sha1_hash
,sha1_hash_init
,sha1_hash_update
,sha1_hash_finish
,sha256_hash
,sha256_hash_update
,sha256_hash_finish
- sha256_hash_update
-
Updates the SHA256 value associated with a given index. It is required to call
sha256_hash_init
once before calling this function.
- Parameters
handle – The opaque handle associated with this hash computation.
data – The data to add to the hash computation.
- Returns
True on success.
See also:
md5_hmac
,md5_hash
,md5_hash_init
,md5_hash_update
,md5_hash_finish
,sha1_hash
,sha1_hash_init
,sha1_hash_update
,sha1_hash_finish
,sha256_hash
,sha256_hash_init
,sha256_hash_finish
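The init/update/finish pattern described for sha1_hash_init and sha256_hash_init above, written out as a complete script. This is an added example, not code from zeek.bif.zeek or the Zeek project; the HTTP::Info fields sha256_handle and entity_sha256 are this example's own additions, and it hashes only response bodies (the file a client downloaded).

```zeek
# Added example: incremental SHA256 over HTTP response entity bodies using
# sha256_hash_init / sha256_hash_update / sha256_hash_finish.
# The two record fields below are this example's own (hypothetical) additions
# to the stock HTTP::Info record.

redef record HTTP::Info += {
    ## In-progress hash of the current response entity (example field).
    sha256_handle: opaque of sha256 &optional;
    ## Hex digest of the completed response entity (example field, logged).
    entity_sha256: string &optional &log;
};

event http_begin_entity(c: connection, is_orig: bool)
    {
    # Only hash server responses; requests are skipped in this example.
    if ( is_orig || ! c?$http )
        return;

    # A fresh handle per entity: a handle that was finished must not be reused.
    c$http$sha256_handle = sha256_hash_init();
    }

event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
    {
    if ( is_orig || ! c?$http || ! c$http?$sha256_handle )
        return;

    # Feed each chunk as it arrives; no need to buffer the whole body.
    sha256_hash_update(c$http$sha256_handle, data);
    }

event http_end_entity(c: connection, is_orig: bool)
    {
    if ( is_orig || ! c?$http || ! c$http?$sha256_handle )
        return;

    # _finish consumes the handle and yields the hex digest.
    c$http$entity_sha256 = sha256_hash_finish(c$http$sha256_handle);
    delete c$http$sha256_handle;
    }
```

Guarding on c$http?$sha256_handle in the data and end handlers matters: a connection can be picked up mid-entity (for example after Zeek restarts), in which case http_entity_data arrives without a preceding http_begin_entity and there is no handle to update. For hashing transferred files, Zeek's file analysis framework offers hash analyzers that do this bookkeeping for you; the pattern above is still the right tool for hashing arbitrary script-level data incrementally.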
- skip_further_processing
-
Informs Zeek that it should skip any further processing of the contents of a given connection. In particular, Zeek will refrain from reassembling the TCP byte stream and from generating events relating to any analyzers that have been processing the connection.
- Parameters
cid – The connection ID.
- Returns
False if cid does not point to an active connection, and true otherwise.
Note
Zeek will still generate connection-oriented events such as
connection_finished
.
- sort
-
Sorts a vector in place. The second argument is a comparison function that takes two arguments: if the vector type is
vector of T
, then the comparison function must be function(a: T, b: T): int
, which returns a value less than zero if a < b
for some type-specific notion of the less-than operator. The comparison function is optional if the type is a numeric type (int, count, double, time, etc.).
- Parameters
v – The vector instance to sort.
- Returns
The vector, sorted from minimum to maximum value. If the vector could not be sorted, then the original vector is returned instead.
See also:
order
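An added example (not from zeek.bif.zeek) showing both forms of the sort call: a record vector with a caller-supplied comparator and a numeric vector sorted without one. The Conn record and the sample values are constructed for this example.

```zeek
# Added example: sort() with and without a comparison function.

# Constructed record type for the example.
type Conn: record {
    host: addr;
    bytes: count;
};

# Comparator for "largest transfer first": returns a value less than zero
# when a should come before b, i.e. when a moved more bytes.
function by_bytes_desc(a: Conn, b: Conn): int
    {
    if ( a$bytes > b$bytes )
        return -1;
    if ( a$bytes < b$bytes )
        return 1;
    return 0;
    }

event zeek_init()
    {
    # Constructed sample data.
    local v: vector of Conn = vector(
        Conn($host=10.0.0.1, $bytes=500),
        Conn($host=10.0.0.2, $bytes=12000),
        Conn($host=10.0.0.3, $bytes=30));

    # Records have no built-in ordering, so the comparator is mandatory here.
    sort(v, by_bytes_desc);
    for ( i in v )
        print fmt("%s %d", v[i]$host, v[i]$bytes);

    # Numeric vectors sort ascending with no comparator.
    local sizes: vector of count = vector(5, 1, 3);
    sort(sizes);
    print sizes;
    }
```

sort() modifies the vector in place and returns it, so the return value is only needed when the call is part of a larger expression.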
- sqrt
-
Computes the square root of a
double
.
- Parameters
x – The number to compute the square root of.
- Returns
The square root of x.
- srand
-
Sets the seed for subsequent
rand
calls.
- Parameters
seed – The seed for the PRNG.
See also:
rand
Note
This function is a wrapper around the function
srandom
provided by the OS.
- strftime
-
Formats a given time value according to a format string.
- Parameters
fmt – The format string. See
man strftime
for the syntax.
d – The time value.
- Returns
The time d formatted according to fmt.
- string_to_pattern
-
Converts a
string
into a pattern
.
- Parameters
s – The string to convert.
convert – If true, s is first passed through the function
convert_for_pattern
to escape special characters of patterns.
- Returns
s as
pattern
.
See also:
convert_for_pattern
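An added example (not from zeek.bif.zeek) of why the convert argument matters when the string comes from outside the script: regex metacharacters in the input change what the resulting pattern matches unless they are escaped first. The input string and the test strings are constructed.

```zeek
# Added example: string_to_pattern() with and without escaping.

event zeek_init()
    {
    # Constructed untrusted input, e.g. a value read from a feed, that
    # happens to contain the regex metacharacters '.', '+', '(' and ')'.
    local needle = "bot.v1+ (x)";

    # convert=F: the metacharacters keep their regex meaning.
    local raw = string_to_pattern(needle, F);

    # convert=T: the string goes through convert_for_pattern() first, so the
    # pattern matches the literal text only.
    local lit = string_to_pattern(needle, T);

    # '.' matches '-', '1+' matches "11", '(x)' is a group matching "x".
    print raw in "bot-v11 x";             # T
    print lit in "bot-v11 x";             # F
    print lit in "Mozilla bot.v1+ (x)";   # T
    }
```

When patterns are built from data you do not control, convert=T is the safe default; an unescaped string can match far more than intended and, for pathological inputs, compile into an expensive pattern.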
- strptime
-
Parses a textual representation of a date/time value into a
time
type value.
- Parameters
fmt – The format string used to parse the following d argument. See
man strftime
for the syntax.
d – The string representing the time.
- Returns
The time value calculated from parsing d with fmt.
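An added example (not from zeek.bif.zeek) of the strptime/strftime pair: two constructed timestamps are parsed, their difference is taken as an interval, and one is rendered back in a different layout.

```zeek
# Added example: parsing external timestamps with strptime() and rendering
# time values with strftime(). Both functions follow the C library's
# strftime(3)/strptime(3) conventions.

event zeek_init()
    {
    # Constructed sample timestamps as an external tool might write them.
    local started  = strptime("%Y-%m-%d %H:%M:%S", "2024-03-01 12:34:56");
    local finished = strptime("%Y-%m-%d %H:%M:%S", "2024-03-01 12:35:26");

    # time - time yields an interval (30 seconds here).
    local took: interval = finished - started;
    print fmt("run took %s", took);

    # Render in a different layout, e.g. for a human-readable message.
    print strftime("%d/%b/%Y %H:%M:%S", started);
    }
```

Both functions go through the C library, so the values are interpreted in the Zeek process's local time zone; when the source data is in UTC, make sure the process runs with TZ set accordingly or the parsed times will be offset.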
- subnet_to_addr
-
Converts a
subnet
to an addr
by extracting the prefix.
- Parameters
sn – The subnet to convert.
- Returns
The subnet as an
addr
.
See also:
to_subnet
- subnet_width
-
Returns the width of a
subnet
.
- Parameters
sn – The subnet.
- Returns
The width of the subnet.
See also:
to_subnet
- suspend_processing
-
Stops Zeek’s packet processing. This function is used to synchronize distributed trace processing with communication enabled (pseudo-realtime mode).
See also:
continue_processing
,is_processing_suspended
- syslog
-
Sends a string to syslog.
- Parameters
s – The string to log via syslog.
- system
-
Invokes a command via the
system
function of the OS. The command runs in the background with stdout
redirected to stderr
. Here is a usage example:
system(fmt("rm %s", safe_shell_quote(sniffed_data)));
- Parameters
str – The command to execute.
- Returns
The return value from the OS
system
function.
See also:
system_env
,safe_shell_quote
,piped_exec
Note
Note that this corresponds to the status of backgrounding the given command, not to the exit status of the command itself. A value of 127 corresponds to a failure to execute
sh
, and -1 to an internal system failure.
- system_env
- Type
function(str: string, env: table[string] of string): int
Invokes a command via the
system
function of the OS with a prepared environment. The function is essentially the same as system
, but changes the environment before invoking the command.
- Parameters
str – The command to execute.
env – A
table
with the environment variables in the form of key-value pairs. Each specified environment variable name will be automatically prepended with ZEEK_ARG_
.
- Returns
The return value from the OS
system
function.
See also:
system
,safe_shell_quote
,piped_exec
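An added example (not from zeek.bif.zeek) covering the points made for system and system_env above: quoting wire data with safe_shell_quote before it reaches a shell, interpreting the return value as the backgrounding status rather than the command's exit status, and using system_env to pass a value through the environment instead of the command line. The string sniffed_data and the script path /usr/local/bin/handle_case.sh are constructed for this example.

```zeek
# Added example: system() and system_env() with untrusted input.

event zeek_init()
    {
    # Constructed stand-in for data taken from the wire. It contains a quote
    # and a command separator, exactly what must never reach sh unquoted.
    local sniffed_data = "payload'; echo injected #";

    # safe_shell_quote() makes the whole string a single shell argument, so
    # the embedded characters are delivered to logger as data.
    local rc = system(fmt("logger -t zeek %s", safe_shell_quote(sniffed_data)));

    # rc describes whether the command could be started in the background,
    # not how the command itself finished.
    if ( rc == 127 )
        print "failed to execute sh";
    else if ( rc == -1 )
        print "internal system() failure";

    # system_env(): the key "case_id" becomes ZEEK_ARG_case_id in the child's
    # environment. The value never passes through the shell's parser at all,
    # so no quoting is needed; the script reads $ZEEK_ARG_case_id itself.
    # (/usr/local/bin/handle_case.sh is a hypothetical path for this example.)
    local env: table[string] of string = table(["case_id"] = sniffed_data);
    system_env("/usr/local/bin/handle_case.sh", env);
    }
```

Passing attacker-influenced values via the environment is the more robust of the two approaches: it removes the shell from the data path entirely, whereas safe_shell_quote depends on the quoting being applied at every call site.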
- table_keys
-
Gets all keys from a table.
- Parameters
t – The
table
- Returns
A
set of T
of all the keys in t.
See also:
table_values
- table_pattern_matcher_stats
- Type
function(tbl: any): MatcherStats
Returns MatcherStats for a table[pattern] or set[pattern] value.
This returns a MatcherStats object that can be used for introspection of the DFA used for such a table. Statistics reset whenever elements are added to or removed from the table, as these operations result in the underlying DFA being rebuilt.
This function iterates over all states of the DFA. Calling it at a high frequency is likely detrimental to performance.
- Parameters
tbl – The table to get stats for.
- Returns
A record with matcher statistics.
- table_values
-
Gets all values from a table.
- Parameters
t – The
table
- Returns
A
vector of T
of all the values in t.
See also:
table_keys
- terminate
-
Gracefully shuts down Zeek by terminating outstanding processing.
- Returns
True after successful termination and false when Zeek is still in the process of shutting down.
See also:
exit
,zeek_is_terminating
- time_to_double
-
Converts a
time
value to a double
.
See also:
double_to_time
- to_addr
-
Converts a
string
to an addr
.
- Parameters
ip – The
string
to convert.
- Returns
The
string
ip as addr
, or the unspecified address ::
if the input string does not parse correctly.
See also:
to_count
,to_int
,to_port
,count_to_v4_addr
,raw_bytes_to_v4_addr
,raw_bytes_to_v6_addr
,to_subnet
- to_count
- to_double
- to_int
- to_json
- Type
function(val: any, only_loggable: bool &default=F &optional, field_escape_pattern: pattern &default=/^?(^_)$?/ &optional): string
A function to convert arbitrary Zeek data into a JSON string.
- Parameters
v – The value to convert to JSON. Typically a record.
only_loggable – If the v value is a record this will only cause fields with the &log attribute to be included in the JSON.
field_escape_pattern – If the v value is a record, the given pattern is matched against the field names of its type, and the first match, if any, is stripped from the rendered name. The default pattern strips a leading underscore.
- Returns
A JSON formatted string.
See also:
fmt
,cat
,cat_sep
,string_cat
,print_raw
,from_json
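An added example (not from zeek.bif.zeek) of the two record-specific behaviours of to_json: only_loggable as a way to keep fields that were deliberately left without &log out of exported JSON, and the default field_escape_pattern stripping a leading underscore from a field name. The Session record and its values are constructed.

```zeek
# Added example: to_json() on a record with mixed &log / non-&log fields.

# Constructed record type. `token` is intentionally not marked &log so it
# never reaches the logging framework; `_internal_note` has a leading
# underscore to show the default field_escape_pattern at work.
type Session: record {
    uid: string &log;
    client: addr &log;
    _internal_note: string;
    token: string;
};

event zeek_init()
    {
    # Constructed sample values.
    local s = Session($uid="CHhAvVGS1DHFjwGM9",
                      $client=10.1.2.3,
                      $_internal_note="debug",
                      $token="do-not-export");

    # Default: every field is rendered, including `token`, and
    # "_internal_note" appears as "internal_note".
    print to_json(s);

    # only_loggable=T: only `uid` and `client` are rendered, which is the
    # option to use when the JSON leaves the host (exports, webhooks).
    print to_json(s, T);
    }
```

If a record ever carries secrets or raw payload in non-&log fields, make to_json(v, T) the habit rather than the exception; the default call serialises everything.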
- to_port
- to_subnet
-
Converts a
string
to a subnet
.
- Parameters
sn – The subnet to convert.
- Returns
The sn string as a
subnet
, or the unspecified subnet ::/0
if the input string does not parse correctly.
See also:
to_count
,to_int
,to_port
,count_to_v4_addr
,raw_bytes_to_v4_addr
,raw_bytes_to_v6_addr
,to_addr
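An added example (not from zeek.bif.zeek) that applies the failure convention of to_addr and to_subnet: both signal an unparsable string by returning the unspecified value (:: and ::/0), so any code that builds a block list or filter from external text has to check for that sentinel rather than trusting the result. The feed entries are constructed, and addr_to_subnet is a separate Zeek BIF used here to turn a single address into a host subnet.

```zeek
# Added example: validating externally supplied addresses and subnets.

# Constructed sample input, as lines from an intel feed might look.
# Two entries are malformed on purpose.
const raw_entries = vector("10.0.0.1",
                           "192.168.1.0/24",
                           "not-an-ip",
                           "2001:db8::/32",
                           "10.0.0.256");

global blocked: set[subnet];

# Returns the parsed subnet, or [::]/0 when the entry is not usable.
function parse_entry(e: string): subnet
    {
    if ( "/" in e )
        return to_subnet(e);

    local a = to_addr(e);
    # :: is the failure sentinel of to_addr.
    if ( a == [::] )
        return [::]/0;

    return addr_to_subnet(a);
    }

event zeek_init()
    {
    for ( i in raw_entries )
        {
        local e = raw_entries[i];
        local sn = parse_entry(e);

        # ::/0 is the failure sentinel of to_subnet (and of parse_entry above).
        # A literal "::/0" in the feed is indistinguishable from a parse
        # failure; treating it as one is the safer choice for a block list.
        if ( sn == [::]/0 )
            {
            print fmt("skipping unparsable entry: %s", e);
            next;
            }

        add blocked[sn];
        }

    print blocked;
    print 192.168.1.77 in blocked;   # T
    print 10.0.0.2 in blocked;       # F
    }
```

Checking for the sentinel matters for the reason the comment gives: a malformed entry that silently became ::/0 and was added to a block list would match every address.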
- type_aliases
- Type
function(x: any): string_set
Returns all type name aliases of a value or type.
- Parameters
x – An arbitrary value or type.
- Returns
The set of all type name aliases of x (or the type of x if it’s a value instead of a type). For primitive values and types like
string
or count
, this returns an empty set. For types with user-defined names like record
or enum
, the returned set contains the original user-defined name for the type along with all aliases. For other compound types, like table
, the returned set is empty unless explicitly requesting aliases for a user-defined type alias or a value that was explicitly created using a type alias (as opposed to originating from an “anonymous” constructor or initializer for that compound type).
- type_name
-
Returns the type name of an arbitrary Zeek variable.
- Parameters
t – An arbitrary object.
- Returns
The type name of t.
- uninstall_dst_addr_filter
-
Removes a destination address filter.
- Parameters
ip – The IP address for which a destination filter was previously installed.
- Returns
True on success.
See also:
Pcap::precompile_pcap_filter
,Pcap::install_pcap_filter
,install_src_addr_filter
,install_src_net_filter
,uninstall_src_addr_filter
,uninstall_src_net_filter
,install_dst_addr_filter
,install_dst_net_filter
,uninstall_dst_net_filter
,Pcap::error
- uninstall_dst_net_filter
-
Removes a destination subnet filter.
- Parameters
snet – The subnet for which a destination filter was previously installed.
- Returns
True on success.
See also:
Pcap::precompile_pcap_filter
,Pcap::install_pcap_filter
,install_src_addr_filter
,install_src_net_filter
,uninstall_src_addr_filter
,uninstall_src_net_filter
,install_dst_addr_filter
,install_dst_net_filter
,uninstall_dst_addr_filter
,Pcap::error
- uninstall_src_addr_filter
-
Removes a source address filter.
- Parameters
ip – The IP address for which a source filter was previously installed.
- Returns
True on success.
See also:
Pcap::precompile_pcap_filter
,Pcap::install_pcap_filter
,install_src_addr_filter
,install_src_net_filter
,uninstall_src_net_filter
,install_dst_addr_filter
,install_dst_net_filter
,uninstall_dst_addr_filter
,uninstall_dst_net_filter
,Pcap::error
- uninstall_src_net_filter
-
Removes a source subnet filter.
- Parameters
snet – The subnet for which a source filter was previously installed.
- Returns
True on success.
See also:
Pcap::precompile_pcap_filter
,Pcap::install_pcap_filter
,install_src_addr_filter
,install_src_net_filter
,uninstall_src_addr_filter
,install_dst_addr_filter
,install_dst_net_filter
,uninstall_dst_addr_filter
,uninstall_dst_net_filter
,Pcap::error
- unique_id
-
Creates an identifier that is unique with high probability.
- Parameters
prefix – A custom string prepended to the result.
- Returns
A string identifier that is unique.
See also:
unique_id_from
- unique_id_from
-
Creates an identifier that is unique with high probability.
- Parameters
pool – A seed for determinism.
prefix – A custom string prepended to the result.
- Returns
A string identifier that is unique.
See also:
unique_id
- unlink
-
Removes a file from a directory.
- Parameters
f – The file to delete.
- Returns
True if the operation succeeds and the file was deleted, and false if the deletion fails.
See also:
active_file
,open_for_append
,close
,write_file
,get_file_name
,set_buf
,flush_all
,enable_raw_output
,mkdir
,rmdir
,rename
- uuid_to_string
-
Converts a byte representation of a UUID into its string form. For example, given a string of 16 bytes, it produces an output string in this format:
550e8400-e29b-41d4-a716-446655440000
. See http://en.wikipedia.org/wiki/Universally_unique_identifier.
- Parameters
uuid – The 16 bytes of the UUID.
- Returns
The string representation of uuid.
- val_footprint
-
Computes a value’s “footprint”: the number of objects the value contains either directly or indirectly. The number is not meant to be precise, but rather comparable: larger footprint correlates with more memory consumption.
- Returns
the footprint.
See also:
global_container_footprints
- write_file
-
Writes data to an open file.
- Parameters
f – A
file
handle to an open file.
data – The data to write to f.
- Returns
True on success.
See also:
active_file
,open
,open_for_append
,close
,get_file_name
,set_buf
,flush_all
,mkdir
,enable_raw_output
,rmdir
,unlink
,rename
- zeek_args
- Type
function(): string_vec
- Returns
The list of command-line arguments (
argv
) used to run Zeek.