base/init-bare.zeek
- Analyzer
- BinPAC
- Cluster
- DCE_RPC
- DHCP
- EventMetadata
- FTP
- GLOBAL
- HTTP
- IP
- JSON
- KRB
- Log
- MIME
- MOUNT3
- MQTT
- NCP
- NFS3
- NTLM
- NTP
- PE
- POP3
- Pcap
- RADIUS
- RDP
- Reporter
- SMB
- SMB1
- SMB2
- SMTP
- SNMP
- SOCKS
- SSH
- SSL
- Storage
- TCP
- Telemetry
- Threading
- Tunnel
- UnknownProtocol
- WebSocket
- Weird
- X509
- Namespaces:
Analyzer, BinPAC, Cluster, DCE_RPC, DHCP, EventMetadata, FTP, GLOBAL, HTTP, IP, JSON, KRB, Log, MIME, MOUNT3, MQTT, NCP, NFS3, NTLM, NTP, PE, POP3, Pcap, RADIUS, RDP, Reporter, SMB, SMB1, SMB2, SMTP, SNMP, SOCKS, SSH, SSL, Storage, TCP, Telemetry, Threading, Tunnel, UnknownProtocol, WebSocket, Weird, X509
- Imports:
base/bif/CPP-load.bif.zeek, base/bif/communityid.bif.zeek, base/bif/const.bif.zeek, base/bif/event.bif.zeek, base/bif/mmdb.bif.zeek, base/bif/option.bif.zeek, base/bif/packet_analysis.bif.zeek, base/bif/plugins/Zeek_KRB.types.bif.zeek, base/bif/plugins/Zeek_SNMP.types.bif.zeek, base/bif/reporter.bif.zeek, base/bif/stats.bif.zeek, base/bif/strings.bif.zeek, base/bif/supervisor.bif.zeek, base/bif/telemetry_functions.bif.zeek, base/bif/telemetry_types.bif.zeek, base/bif/types.bif.zeek, base/bif/zeek.bif.zeek, base/frameworks/spicy/init-bare.zeek, base/frameworks/supervisor/api.zeek, base/packet-protocols
Summary
Runtime Options
The maximum payload size to allocate for the purpose of
payload information in |
|
How long a weird of a given type is allowed to keep state/counters in memory. |
|
Rate-limits weird names in the table globally instead of per connection/flow. |
|
The rate-limiting sampling rate. |
|
How many weirds of a given type to tolerate before sampling begins. |
|
Prevents rate-limiting sampling of any weirds named in the table. |
|
Default amount of bytes that file analysis will buffer in order to use for mime type matching. |
|
Default amount of time a file can be inactive before the file analysis gives up and discards any internal state related to the file. |
|
Checksums are ignored for all packets with a src address within this set of networks. |
|
Whether ports given in |
|
Defines UDP ports (source or destination) for which the contents of
either originator or responder streams should be delivered via
|
Redefinable Options
Maximum capacity, in bytes, that the BinPAC flowbuffer is allowed to grow to for use with incremental parsing of a given connection/analyzer. |
|
The initial capacity, in bytes, that will be allocated to the BinPAC flowbuffer of a given connection/analyzer. |
|
The threshold, in bytes, at which the BinPAC flowbuffer of a given
connection/analyzer will have its capacity contracted to
|
|
Cluster backend to use. |
|
|
The event serializer to use by the cluster backend. |
The log serializer to use by the backend. |
|
The maximum number of simultaneous fragmented commands that the DCE_RPC analyzer will tolerate before the it will generate a weird and skip further input. |
|
The maximum number of fragmented bytes that the DCE_RPC analyzer will tolerate on a command before the analyzer will generate a weird and skip further input. |
|
|
By default, remote events without network timestamp metadata will yield a negative zeek:see:current_event_time during processing. |
Add network timestamp metadata to all events. |
|
Limits the size of commands accepted by the FTP analyzer. |
|
Lookup table for Upgrade analyzers. |
|
Mapping from IP protocol identifier values to string names. |
|
Kerberos keytab file name. |
|
Default interval for flushing the write buffers of all enabled log streams. |
|
Default maximum size of the log write buffer per filter/path pair. |
|
Stop analysis of nested multipart MIME entities if this depth is reached. |
|
The maximum number of bytes to allocate when parsing NCP frames. |
|
If true, |
|
If |
|
If |
|
How many commands a POP3 client may have pending before Zeek forcefully removes the oldest. |
|
How many invalid commands a POP3 client may use before Zeek starts raising analyzer violations. |
|
Number of Mbytes to provide as buffer space when capturing from live interfaces. |
|
Number of bytes to use for buffering file read operations when reading from a PCAP file. |
|
Default timeout for packet sources without file descriptors. |
|
Number of bytes per packet to capture from live interfaces. |
|
Tunable for sending reporter error messages to STDERR. |
|
Tunable for sending reporter info messages to STDERR. |
|
Tunable for sending reporter warning messages to STDERR. |
|
Maximum number of DCE-RPC analyzers per connection before discarding them to avoid unbounded state growth. |
|
The maximum number of messages for which to retain state about offsets, fids, or tree ids within the parser. |
|
A set of file names used as named pipes over SMB. |
|
The maximum line length within a BDAT chunk before a forceful linebreak is introduced and a weird is raised. |
|
Maximum number of invalid version errors to report in one DTLS connection. |
|
Number of non-DTLS frames that can occur in a DTLS connection before parsing of the connection is suspended. |
|
Maximum number of Alert messages parsed from an SSL record with content_type alert (21). |
|
The interval used by the storage framework for automatic expiration of elements in all backends that don’t support it natively, or if using expiration while reading pcap files. |
|
Maximum amount of time for CivetWeb HTTP threads to wait for metric callbacks to complete on the IO loop. |
|
Number of CivetWeb threads to use. |
|
The heartbeat interval used by the threading framework. |
|
With this set, the GTP analyzer waits until the most-recent upflow
and downflow packets are a valid GTPv1 encapsulation before
issuing |
|
With this set, the Teredo analyzer waits until it sees both sides
of a connection using a valid Teredo encapsulation before issuing
a |
|
How often to cleanup internal state for inactive IP tunnels (includes GRE tunnels). |
|
The number of tunnel_changed events that will be sent for a connection. |
|
The maximum depth of a tunnel to decapsulate until giving up. |
|
Whether to validate the checksum supplied in the outer UDP header of a VXLAN encapsulation. |
|
The number of bytes to extract from the next header and log in the first bytes field. |
|
How long an analyzer/protocol pair is allowed to keep state/counters in in memory. |
|
The rate-limiting sampling rate. |
|
How many reports for an analyzer/protocol pair will be allowed to raise events before becoming rate-limited. |
|
The WebSocket analyzer consumes and forwards frame payload in chunks to keep memory usage bounded. |
|
Whether to enable DPD on WebSocket frame payload by default. |
|
Whether to use the Spicy WebSocket protocol analyzer. |
|
Whether Zeek will forward network_time to the current time upon observing an idle packet source (or no configured packet source). |
|
Number of bits in UIDs that are generated to identify connections and files. |
|
BPF filter the user has set via the -f command line options. |
|
Whether to attempt to automatically detect SYN/FIN/RST-filtered trace and not report missing segments for such connections. |
|
This salt value is used for several message digests in Zeek. |
|
Time to wait before timing out a DNS request. |
|
Size of per-connection buffer used for dynamic protocol detection. |
|
If true, don’t consider any ports for deciding which protocol analyzer to use. |
|
If true, stops signature matching after a late match. |
|
If true, stops signature matching if |
|
Maximum number of per-connection packets that will be buffered for dynamic protocol detection. |
|
Reassemble the beginning of all TCP connections before doing signature matching. |
|
Flag to prevent Zeek from exiting automatically when input is exhausted. |
|
Multiples of |
|
How long to hold onto fragments for possible reassembly. |
|
Seed for hashes computed internally for probabilistic data structures. |
|
If an ICMP flow is inactive, time it out after this interval. |
|
If true, don’t verify checksums, and accept packets that give a length of zero in the IPv4 header. |
|
Ignore certain TCP retransmissions for |
|
How many rounds to go without checking IO sources with file descriptors for readiness by default. |
|
How often to check IO sources with file descriptors for readiness when monitoring with a live packet source. |
|
Ports which the core considers being likely used by servers. |
|
Base time of log rotations in 24-hour time format ( |
|
The maximum number of analyzer violations the core generates before suppressing them for a given analyzer instance. |
|
Maximum string length allowed for calls to the |
|
The maximum number of expired timers to process after processing each new packet. |
|
Default name of the MaxMind ASN database file: |
|
Default name of the MaxMind City database file: |
|
Default name of the MaxMind Country database file: |
|
The directory containing MaxMind DB (.mmdb) files to use for GeoIP support. |
|
Fallback locations for MaxMind databases. |
|
Sets the interval for MaxMind DB file staleness checks. |
|
The amount of time before a connection created by the netbios analyzer times out and is removed. |
|
If a connection belongs to an application that we don’t analyze, time it out after this interval. |
|
Default mode for Zeek’s user-space dynamic packet filter. |
|
If a packet source does not yield packets for this amount of time, it is considered idle. |
|
If true, instantiate connection state when a partial connection (one missing its initial establishment negotiation) is seen. |
|
Description transmitted to remote communication peers for identification. |
|
Frequency associated with packet profiling. |
|
Output mode for packet profiling information. |
|
Update interval for profiling (0 disables). |
|
If a trace file is given with |
|
Whether we want |
|
Time to wait before timing out an RPC request. |
|
Whether Zeek is being run under test. |
|
Maximum size of regular expression groups for signature matching. |
|
Skip HTTP data for performance considerations. |
|
When expiring table entries, wait this amount of time before checking the next chunk of entries. |
|
Check for expired table entries after this amount of time. |
|
When expiring/serializing table entries, don’t work on more than this many table entries at a time. |
|
If true, instantiate connection state when a SYN/ACK is seen but not the
initial SYN (even if |
|
Check up on the result of an initial SYN after this much time. |
|
Wait this long upon seeing an initial SYN before timing out the connection attempt. |
|
Upon seeing a normal connection close, flush state after this much time. |
|
When checking a closed connection for further activity, consider it inactive if there hasn’t been any for this long. |
|
If true, all TCP originator-side traffic is reported via
|
|
If true, all TCP responder-side traffic is reported via
|
|
Defines destination TCP ports for which the contents of the originator stream
should be delivered via |
|
Defines destination TCP ports for which the contents of the responder stream
should be delivered via |
|
If we’ve seen this much data without any of it being acked, we give up on that connection to avoid memory exhaustion due to buffering all that stuff. |
|
If a TCP connection is inactive, time it out after this interval. |
|
If true, pass any undelivered to the signature engine before flushing the state. |
|
If we’re not seeing our peer’s ACKs, the maximum volume of data above a sequence hole that we’ll tolerate before assuming that there’s been a packet drop and we should give up on tracking a connection. |
|
Maximum amount of data that might plausibly be sent in an initial flight (prior to receiving any acks). |
|
Number of TCP segments to buffer beyond what’s been acknowledged already to detect retransmission inconsistencies. |
|
Generate a |
|
For services without a handler, these sets define originator-side ports that still trigger reassembly. |
|
For services without a handler, these sets define responder-side ports that still trigger reassembly. |
|
Upon seeing a RST, flush state after this much time. |
|
After a connection has closed, wait this long for further activity before checking whether to time out its state. |
|
FINs/RSTs must come with this much time or less between them to be considered a “storm”. |
|
Number of FINs/RSTs in a row that constitute a “storm”. |
|
Maximum length of HTTP URIs passed to events. |
|
If true, all UDP originator-side traffic is reported via
|
|
If true, all UDP responder-side traffic is reported via
|
|
Defines UDP destination ports for which the contents of the originator stream
should be delivered via |
|
Defines UDP destination ports for which the contents of the responder stream
should be delivered via |
|
If a UDP flow is inactive, time it out after this interval. |
|
If a flow with an unknown IP-based protocol is inactive, time it out after this interval. |
|
Whether to use the |
|
Zeek’s watchdog interval. |
Constants
Record both originator and responder contents. |
|
Turn off recording of contents. |
|
Record originator contents. |
|
Record responder contents. |
|
An additional record. |
|
An answer record. |
|
An authoritative record. |
|
A query. |
|
Big endian. |
|
Tried to determine endian, but failed. |
|
Little endian. |
|
Endian not yet determined. |
|
Administratively prohibited. |
|
Host unreachable. |
|
Fragment needed. |
|
Network unreachable. |
|
Port unreachable. |
|
Protocol unreachable. |
|
IPv6 authentication header. |
|
IPv6 destination options header. |
|
IPv6 encapsulating security payload header. |
|
IPv6 fragment header. |
|
IPv6 hop-by-hop-options header. |
|
Control message protocol. |
|
ICMP for IPv6. |
|
Group management protocol. |
|
Dummy for IP. |
|
IP encapsulation in IP. |
|
IPv6 header. |
|
IPv6 mobility header. |
|
IPv6 no next header. |
|
Raw IP packet. |
|
IPv6 routing header. |
|
TCP. |
|
User datagram protocol. |
|
Mapping of numerical RPC status codes to readable messages. |
|
Unsigned 32-bit integer. |
|
Unsigned 64-bit integer. |
|
A NULL value. |
|
Signed 64-bit integer. |
|
An IP address. |
|
A NULL value. |
|
A NULL value. |
|
An octet string. |
|
An Object Identifier. |
|
An octet string. |
|
Unsigned 32-bit integer. |
|
Unsigned 32-bit integer. |
|
A NULL value. |
|
Endpoint has closed connection. |
|
Endpoint has finished initial handshake regularly. |
|
Error string if unsuccessful. |
|
Endpoint has sent data but no initial SYN. |
|
Endpoint has sent RST. |
|
Endpoint has sent SYN/ACK. |
|
Endpoint has sent SYN. |
|
ACK. |
|
FIN. |
|
Mask combining all flags. |
|
PUSH. |
|
RST. |
|
SYN. |
|
URG. |
|
Endpoint has sent something. |
|
Endpoint is still inactive. |
|
Holds the filename of the trace file given with |
|
Arguments given to Zeek from the command line. |
State Variables
Set of BPF capture filters to use for capturing, indexed by a user-definable ID (which must be unique). |
|
TODO. |
|
Maximum length of payload passed to discarder functions. |
|
If a DNS request includes more than this many queries, assume it’s non-DNS traffic and do not process it. |
|
For DNS servers in these sets, omit processing the ADDL records they include in their replies. |
|
If true, all DNS ADDL records are skipped. |
|
If true, all DNS AUTH records are skipped. |
|
For DNS servers in these sets, omit processing the AUTH records they include in their replies. |
|
Maximum number of HTTP entity data delivered to events. |
|
Network interfaces to listen on. |
|
TODO. |
|
TODO. |
|
TODO. |
|
TODO. |
|
TODO. |
|
The length of MIME data segments delivered to handlers of
|
|
The number of bytes of overlap between successive segments passed to
|
|
File where packet profiles are logged. |
|
Write profiling info into this file in regular intervals. |
|
Set of BPF filters to restrict capturing, indexed by a user-definable ID (which must be unique). |
|
Definition of “secondary filters”. |
|
|
Signature files to read. |
TODO. |
Types
A hook taking a connection, analyzer tag and analyzer id that can be used to veto disabling protocol analyzers. |
|
Generic analyzer confirmation info record. |
|
Generic analyzer violation info record. |
|
A representation of a Zeek script’s call stack. |
|
A representation of an element in a Zeek script’s call stack. |
|
Broker statistics for an individual peering. |
|
Statistics about Broker communication. |
|
A pool used for distributing data/work among a set of cluster nodes. |
|
A list of addresses offered by a DHCP server. |
|
DHCP Client FQDN Option information (Option 81) |
|
DHCP Client Identifier (Option 61) |
|
A DHCP message. |
|
DHCP Relay Agent Information Option (Option 82) |
|
Statistics related to Zeek’s active use of DNS. |
|
A type alias for a vector of encapsulating “connections”, i.e. |
|
A event metadata entry. |
|
Enum type for metadata identifiers. |
|
Statistics about how many times each event name is queued. |
|
Statistics of file analysis. |
|
Statistics about number of gaps in TCP connections. |
|
AP Options. |
|
The data from the ERROR_MSG message. |
|
A Kerberos host address See RFC 4120. |
|
KDC Options. |
|
The data from the AS_REQ and TGS_REQ messages. |
|
The data from the AS_REQ and TGS_REQ messages. |
|
The data from the SAFE message. |
|
A Kerberos ticket. |
|
Used in a few places in the Kerberos analyzer for elements that have a type and a string value. |
|
MOUNT mnt arguments. |
|
Record summarizing the general results and status of MOUNT3 request/reply pairs. |
|
MOUNT lookup reply. |
|
Statistics of all regular expression matchers. |
|
A vector of boolean values that indicate the setting for a range of modbus coils. |
|
A vector of count values that represent 16bit modbus register values. |
|
NFS reply for remove, rmdir. |
|
NFS direntry. |
|
Vector of NFS direntry. |
|
NFS readdir arguments. |
|
NFS file attributes. |
|
NFS fsstat. |
|
Record summarizing the general results and status of NFSv3 request/reply pairs. |
|
NFS link reply. |
|
NFS link arguments. |
|
NFS lookup reply. |
|
NFS reply for create, mkdir, and symlink. |
|
NFS read reply. |
|
NFS read arguments. |
|
NFS readdir reply. |
|
NFS readdir arguments. |
|
NFS readline reply. |
|
NFS reply for rename. |
|
NFS rename arguments. |
|
NFS sattr reply. |
|
NFS file attributes. |
|
NFS sattr arguments. |
|
NFS symlink arguments. |
|
NFS symlinkdata attributes. |
|
NFS wcc attributes. |
|
NFS write reply. |
|
NFS write arguments. |
|
NTP control message as defined in RFC 1119 for mode=6 This record contains the fields used by the NTP protocol for control operations. |
|
NTP message as defined in RFC 5905. |
|
NTP mode 7 message. |
|
NTP standard message as defined in RFC 5905 for modes 1-5 This record contains the standard fields used by the NTP protocol for standard synchronization operations. |
|
Packet capture statistics. |
|
Record for Portable Executable (PE) section headers. |
|
Properties of an I/O packet source being read by Zeek. |
|
The definition of a “pcap interface”. |
|
The state of the compilation for a pcap filter. |
|
Enum type identifying dynamic BPF filters. |
|
Statistics about Zeek’s process. |
|
Name and flags for a single channel requested by the client. |
|
The list of channels requested by the client. |
|
The TS_UD_CS_CLUSTER data block is sent by the client to the server either to advertise that it can support the Server Redirection PDUs or to request a connection to a given session identifier. |
|
The TS_UD_CS_SEC data block contains security-related information used to advertise client cryptographic support. |
|
Holds statistics for all types of reassembly. |
|
Statistics about reporter messages and weirds. |
|
An SMB1 header. |
|
The response to an SMB2 close request, which is used by the client to close an instance of a file that was opened previously. |
|
Compression information as defined in SMB v. |
|
The request sent by the client to request either creation of or access to a file. |
|
The response to an SMB2 create_request request, which is sent by the client to request either creation of or access to a file. |
|
Encryption information as defined in SMB v. |
|
A series of boolean flags describing basic and extended file attributes for SMB2. |
|
This information class is used to query or set extended attribute (EA) information for a file. |
|
A vector of extended attribute (EA) information for a file. |
|
A series of integers flags used to set quota and content indexing control information for a file system volume in SMB2. |
|
An SMB2 globally unique identifier which identifies a file. |
|
An SMB2 header. |
|
The context type information as defined in SMB v. |
|
The response to an SMB2 negotiate request, which is used by the client to notify the server what dialects of the SMB2 protocol the client understands. |
|
Preauthentication information as defined in SMB v. |
|
A flags field that indicates additional information about the session that’s sent in the session_setup response. |
|
The request sent by the client to request a new authenticated session within a new or existing SMB 2 Protocol transport connection to the server. |
|
The response to an SMB2 session_setup request, which is sent by the client to request a new authenticated session within a new or existing SMB 2 Protocol transport connection to the server. |
|
An SMB2 transform header (for SMB 3.x dialects with encryption enabled). |
|
The response to an SMB2 tree_connect request, which is sent by the client to request access to a particular share on the server. |
|
MAC times for a file. |
|
The |
|
A |
|
A |
|
A generic SNMP header data structure that may include data from any version of SNMP. |
|
The top-level message data structure of an SNMPv1 datagram, not including the PDU data. |
|
The top-level message data structure of an SNMPv2 datagram, not including the PDU data. |
|
The top-level message data structure of an SNMPv3 datagram, not including the PDU data. |
|
A generic SNMP object value, that may include any of the
valid |
|
The |
|
A |
|
This record is for a SOCKS client or server to provide either a name or an address to represent a desired or established connection. |
|
The client and server each have some preferences for the algorithms used in each direction. |
|
This record lists the preferences of an SSH endpoint for algorithm selection. |
|
Fields of a SYN packet. |
|
Returned as the result of the various storage operations. |
|
Common set of statuses that can be returned by storage operations. |
|
A TCP Option field parsed from a TCP header. |
|
The full list of TCP Option fields parsed from a TCP header. |
|
Histograms returned by the |
|
Metrics returned by the |
|
Type that captures options used to create metrics. |
|
Statistics about threads. |
|
Statistics of timers. |
|
Records the identity of an encapsulating parent of a tunneled connection. |
|
Record type that is passed to |
|
Result of an X509 certificate chain verification |
|
A set of addresses. |
|
A vector of addresses. |
|
A vector of any, used by some builtin functions to store a list of varying types. |
|
A hook that is invoked when an assert statement fails. |
|
A hook that is invoked with the result of every assert statement. |
|
A table of BitTorrent “benc” values. |
|
BitTorrent “benc” value. |
|
A BitTorrent peer. |
|
A set of BitTorrent peers. |
|
Header table type used by BitTorrent analyzer. |
|
Meta-information about a parameter to a function/event. |
|
Vector type used to capture parameters of a function/event call. |
|
A connection’s identifying 4-tuple of endpoints and ports. |
|
A connection. |
|
A set of counts. |
|
The general part of a DNS reply. |
|
A Private RR type BINDS record. |
|
A DNSSEC DNSKEY record. |
|
A DNSSEC DS record. |
|
An additional DNS EDNS record. |
|
An DNS EDNS COOKIE (COOKIE) record. |
|
An DNS EDNS Client Subnet (ECS) record. |
|
An DNS EDNS TCP KEEPALIVE (TCP KEEPALIVE) record. |
|
A Private RR type LOC record. |
|
A DNS message. |
|
A DNSSEC NSEC3 record. |
|
A DNSSEC NSEC3PARAM record. |
|
A DNSSEC RRSIG record. |
|
A DNS SOA record. |
|
DNS SVCB and HTTPS RRs |
|
A DNS TKEY record. |
|
An additional DNS TSIG record. |
|
A vector of floating point numbers, used by telemetry builtin functions to store histogram bounds. |
|
Statistics about a |
|
Statistics about what a TCP endpoint sent. |
|
Computed entropy values. |
|
A type alias for event metadata. |
|
File Analysis handle for a file that Zeek is analyzing. |
|
File Analysis metadata that’s been inferred about a particular file. |
|
A set of file analyzer tags. |
|
The identifying 4-tuple of a uni-directional flow. |
|
Return type for from_json BIF. |
|
A parsed host/port combination describing server endpoint for an upcoming data transfer. |
|
GeoIP autonomous system information. |
|
GeoIP location information. |
|
A GTPv1 (GPRS Tunneling Protocol) header. |
|
HTTP message statistics. |
|
HTTP session statistics. |
|
Options extracted from ICMPv6 neighbor discovery messages as specified by RFC 4861. |
|
A type alias for a vector of ICMPv6 neighbor discovery message options. |
|
Values extracted from a Prefix Information option in an ICMPv6 neighbor discovery message as specified by RFC 4861. |
|
Packet context part of an ICMP message. |
|
Values extracted from an ICMP header. |
|
Specifics about an ICMP conversation/packet. |
|
Table type used to map script-level identifiers to meta-information describing them. |
|
A vector of counts, used by some builtin functions to store a list of indices. |
|
A vector of integers, used by telemetry builtin functions to store histogram bounds. |
|
A set of intervals. |
|
Values extracted from an IPv4 header. |
|
Values extracted from an IPv6 Authentication extension header. |
|
Values extracted from an IPv6 Destination options extension header. |
|
Values extracted from an IPv6 ESP extension header. |
|
A general container for a more specific IPv6 extension header. |
|
A type alias for a vector of IPv6 extension headers. |
|
Values extracted from an IPv6 Fragment extension header. |
|
Values extracted from an IPv6 header. |
|
Values extracted from an IPv6 Hop-by-Hop options extension header. |
|
Values extracted from an IPv6 Mobility Binding Acknowledgement message. |
|
Values extracted from an IPv6 Mobility Binding Error message. |
|
Values extracted from an IPv6 Mobility Binding Refresh Request message. |
|
Values extracted from an IPv6 Mobility Binding Update message. |
|
Values extracted from an IPv6 Mobility Care-of Test message. |
|
Values extracted from an IPv6 Mobility Care-of Test Init message. |
|
Values extracted from an IPv6 Mobility header. |
|
Values extracted from an IPv6 Mobility Home Test message. |
|
Values extracted from an IPv6 Mobility Home Test Init message. |
|
Values extracted from an IPv6 Mobility header’s message data. |
|
Values extracted from an IPv6 extension header’s (e.g. |
|
A type alias for a vector of IPv6 options. |
|
Values extracted from an IPv6 Routing extension header. |
|
IRC join information. |
|
Set of IRC join information. |
|
Values extracted from the layer 2 header. |
|
A list of MIME headers. |
|
A MIME header key/value pair. |
|
A structure indicating a MIME type and strength of a match against file magic signatures. |
|
A vector of file magic signature matches, ordered by strength of the signature, strongest first. |
|
Policy-level representation of a packet passed on by libpcap. |
|
A packet header, consisting of an IP header and transport-layer header. |
|
Output modes for packet profiling information. |
|
An RPC portmapper callit request. |
|
An RPC portmapper mapping. |
|
Table of RPC portmapper mappings. |
|
An RPC portmapper request. |
|
A raw packet header, consisting of L2 header and everything in
|
|
Meta-information about a record field. |
|
Table type used to map record field declarations to meta-information describing them. |
|
Meta-information about a script-level identifier. |
|
A vector of Signature and Hash Algorithms. |
|
Description of a signature match. |
|
A hook taking a fa_file, an any, and a string. |
|
A string-table of any. |
|
An ordered array of strings. |
|
Function mapping a string to a string. |
|
A set of strings. |
|
A vector of strings. |
|
A set of subnets. |
|
A vector of subnets. |
|
Helper type for return value of Smith-Waterman algorithm. |
|
Helper type for return value of Smith-Waterman algorithm. |
|
Parameters for the Smith-Waterman algorithm. |
|
Helper type for return value of Smith-Waterman algorithm. |
|
Return type for Smith-Waterman algorithm. |
|
A table of counts indexed by strings. |
|
A table of strings indexed by strings. |
|
Values extracted from a TCP header. |
|
A Teredo origin indication header. |
|
A Teredo packet header. |
|
A Teredo authentication header. |
|
A connection’s transport-layer protocol. |
|
Values extracted from a UDP header. |
|
Table type used to map variable names to their memory allocation. |
|
A vector of x509 opaques. |
Hooks
Telemetry sync hook. |
Functions
Internal function. |
|
Internal function. |
|
Function for skipping packets based on their ICMP header. |
|
Function for skipping packets based on their IP header. |
|
Function for skipping packets based on their TCP header. |
|
Function for skipping packets based on their UDP header. |
|
The default JSON key mapper function. |
|
Returns maximum of two |
|
Returns maximum of two |
|
Returns maximum of two |
|
Returns minimum of two |
|
Returns minimum of two |
|
Returns minimum of two |
Detailed Interface
Runtime Options
- MQTT::max_payload_size
-
The maximum payload size to allocate for the purpose of payload information in
mqtt_publish
events (and the default MQTT logs generated from that).
- Weird::sampling_duration
-
How long a weird of a given type is allowed to keep state/counters in memory. For “net” weirds an expiration timer starts per weird name when first initializing its counter. For “flow” weirds an expiration timer starts once per src/dst IP pair for the first weird of any name. For “conn” weirds, counters and expiration timers are kept for the duration of the connection for each named weird and reset when necessary. E.g. if a “conn” weird by the name of “foo” is seen more than
Weird::sampling_threshold
times, then an expiration timer begins for “foo” and upon triggering will reset the counter for “foo” and unthrottle its rate-limiting until it once again exceeds the threshold.
- Weird::sampling_global_list
-
Rate-limits weird names in the table globally instead of per connection/flow.
- Weird::sampling_rate
-
The rate-limiting sampling rate. One out of every of this number of rate-limited weirds of a given type will be allowed to raise events for further script-layer handling. Setting the sampling rate to 0 will disable all output of rate-limited weirds.
- Weird::sampling_threshold
-
How many weirds of a given type to tolerate before sampling begins. I.e. this many consecutive weirds of a given type will be allowed to raise events for script-layer handling before being rate-limited.
- Weird::sampling_whitelist
-
Prevents rate-limiting sampling of any weirds named in the table.
- default_file_bof_buffer_size
- Type:
- Attributes:
- Default:
4096
- Redefinition:
from policy/frameworks/signatures/iso-9660.zeek
=
:2048 * (16 + 1)
Default amount of bytes that file analysis will buffer in order to use for mime type matching. File analyzers attached at the time of mime type matching or later, will receive a copy of this buffer.
- default_file_timeout_interval
-
Default amount of time a file can be inactive before the file analysis gives up and discards any internal state related to the file.
- ignore_checksums_nets
-
Checksums are ignored for all packets with a src address within this set of networks. Useful for cases where a host might be seeing packets collected from local hosts before checksums were applied by hardware. This frequently manifests when sniffing a local management interface on a host and Zeek sees packets before the hardware has had a chance to apply the checksums.
- udp_content_delivery_ports_use_resp
-
Whether ports given in
udp_content_delivery_ports_orig
andudp_content_delivery_ports_resp
are in terms of UDP packet’s destination port or the UDP connection’s “responder” port.
- udp_content_ports
-
Defines UDP ports (source or destination) for which the contents of either originator or responder streams should be delivered via
udp_contents
.See also:
tcp_content_delivery_ports_orig
,tcp_content_delivery_ports_resp
,tcp_content_deliver_all_orig
,tcp_content_deliver_all_resp
,udp_content_delivery_ports_orig
,udp_content_deliver_all_orig
,udp_content_deliver_all_resp
,udp_contents
,udp_content_delivery_ports_use_resp
,udp_content_delivery_ports_resp
Redefinable Options
- BinPAC::flowbuffer_capacity_max
-
Maximum capacity, in bytes, that the BinPAC flowbuffer is allowed to grow to for use with incremental parsing of a given connection/analyzer.
- BinPAC::flowbuffer_capacity_min
-
The initial capacity, in bytes, that will be allocated to the BinPAC flowbuffer of a given connection/analyzer. If the buffer is later contracted, its capacity is also reduced to this size.
- BinPAC::flowbuffer_contract_threshold
-
The threshold, in bytes, at which the BinPAC flowbuffer of a given connection/analyzer will have its capacity contracted to
BinPAC::flowbuffer_capacity_min
after parsing a full unit. I.e. this is the maximum capacity to reserve in between the parsing of units. If, after parsing a unit, the flowbuffer capacity is greater than this value, it will be contracted.
- Cluster::backend
- Type:
- Attributes:
- Default:
Cluster::CLUSTER_BACKEND_BROKER
- Redefinition:
from policy/frameworks/cluster/backend/zeromq/main.zeek
=
:Cluster::CLUSTER_BACKEND_ZEROMQ
Cluster backend to use. Default is the broker backend.
- Cluster::event_serializer
- Type:
- Attributes:
- Default:
Cluster::EVENT_SERIALIZER_BROKER_BIN_V1
The event serializer to use by the cluster backend.
This currently has no effect for backend BROKER.
- Cluster::log_serializer
- Type:
- Attributes:
- Default:
Cluster::LOG_SERIALIZER_ZEEK_BIN_V1
The log serializer to use by the backend.
This currently has no effect for backend BROKER.
- DCE_RPC::max_cmd_reassembly
-
The maximum number of simultaneous fragmented commands that the DCE_RPC analyzer will tolerate before the it will generate a weird and skip further input.
- DCE_RPC::max_frag_data
-
The maximum number of fragmented bytes that the DCE_RPC analyzer will tolerate on a command before the analyzer will generate a weird and skip further input.
- EventMetadata::add_missing_remote_network_timestamp
-
By default, remote events without network timestamp metadata will yield a negative zeek:see:current_event_time during processing. To have the receiving Zeek node set the event’s network timestamp metadata with its current local network time, set this option to true.
This setting is only in effect if
EventMetadata::add_network_timestamp
is also set to true.
- EventMetadata::add_network_timestamp
-
Add network timestamp metadata to all events.
Adding network timestamp metadata affects local and remote events. Events scheduled have a network timestamp of when the scheduled timer was supposed to expire, which might be a value before the network_time() when the event was actually dispatched.
- FTP::max_command_length
-
Limits the size of commands accepted by the FTP analyzer. Longer commands raise a FTP_max_command_length_exceeded weird and are discarded.
- HTTP::upgrade_analyzers
- Type:
table
[string
] ofAnalyzer::Tag
- Attributes:
- Default:
{}
- Redefinition:
from base/protocols/websocket/main.zeek
+=
:websocket = Analyzer::ANALYZER_WEBSOCKET
Lookup table for Upgrade analyzers. First, a case sensitive lookup is done using the client’s Upgrade header. If no match is found, the all lower-case value is used. If there’s still no match Zeek uses dynamic protocol detection for the upgraded to protocol instead.
- IP::protocol_names
- Type:
- Attributes:
- Default:
{ [96] = "scc-sp", [73] = "cphb", [39] = "tp++", [46] = "rsvp", [28] = "irtp", [9] = "igp", [68] = "distributed-files", [107] = "a/n", [53] = "swipe", [71] = "ipcu", [127] = "crudp", [52] = "i-nlsp", [41] = "ipv6", [17] = "udp", [105] = "scps", [119] = "srp", [81] = "vmtp", [88] = "eigrp", [111] = "ipx-in-ip", [29] = "iso-tp4", [115] = "l2tp", [133] = "fc", [95] = "micp", [54] = "narp", [90] = "sprite-rpc", [146] = "homa", [86] = "dgp", [1] = "icmp", [116] = "ddx", [35] = "idpr", [102] = "pnni", [135] = "mobility-header", [3] = "ggp", [114] = "zero-hop", [140] = "shim6", [44] = "ipv6-frag", [129] = "iplt", [34] = "3pc", [45] = "idrp", [14] = "emcon", [31] = "mfe-nsp", [82] = "secure-vmtp", [56] = "tlsp", [7] = "cbt", [66] = "rvd", [26] = "leaf-2", [128] = "sccopmce", [47] = "gre", [70] = "visa", [93] = "ax.25", [2] = "igmp", [132] = "sctp", [72] = "cpnx", [24] = "trunk-2", [69] = "sat-on", [99] = "private-encryption", [109] = "snp", [103] = "pim", [126] = "crtp", [104] = "aris", [61] = "host-protocol", [60] = "ipv6-opts", [51] = "ah", [37] = "ddp", [18] = "mux", [0] = "hopopt", [110] = "compaq-peer", [137] = "mpls-in-ip", [94] = "os", [19] = "dcn-meas", [20] = "hmp", [33] = "dccp", [75] = "pvp", [67] = "ippc", [15] = "xnet", [30] = "netblt", [77] = "sun-and", [64] = "sat-expak", [106] = "qnx", [91] = "larp", [97] = "etherip", [55] = "mobile", [21] = "prm", [4] = "ip-in-ip", [12] = "pup", [124] = "is-is-over-ipv4", [130] = "sps", [58] = "ipv6-icmp", [134] = "rsvp-e2e-ignore", [80] = "iso-ip", [76] = "br-sat-mon", [25] = "leaf-1", [142] = "rohc", [16] = "chaos", [59] = "ipv6-nonxt", [38] = "idpr-cmtp", [63] = "local-network", [42] = "sdrp", [57] = "skip", [78] = "wb-mon", [98] = "encap", [11] = "nvp-ii", [113] = "pgm", [108] = "ipcomp", [22] = "xns-idp", [43] = "ipv6-route", [143] = "ethernet", [136] = "udplite", [144] = "aggfrag", [40] = "il", [36] = "xtp", [6] = "tcp", [125] = "fire", [141] = "wesp", [8] = "egp", [23] = "trunk-1", [27] = "rdp", [145] = "nsh", [83] = "vines", [122] = "sm", [92] = "mtp", [10] = "bbc-rcc-mon", [65] = "kryptolan", [13] = "argus", [32] = "merit-inp", [74] = "wsn", [62] = "cftp", [101] = "ifmp", [89] = "ospf", [118] = "stp", [138] = "manet", [139] = "hip", [50] = "esp", [120] = "uti", [79] = "wb-expak", [121] = "smp", [48] = "dsr", [85] = "nsfnet-igp", [49] = "bna", [5] = "st", [112] = "vrrp", [100] = "gtmp", [117] = "iatp", [123] = "ptp", [131] = "pipe", [87] = "tcf", [84] = "ttp or iptm" }
Mapping from IP protocol identifier values to string names.
- KRB::keytab
-
Kerberos keytab file name. Used to decrypt tickets encountered on the wire.
- Log::flush_interval
-
Default interval for flushing the write buffers of all enabled log streams.
In earlier Zeek releases this was governed by
Threading::heartbeat_interval
. For Broker, see alsoBroker::log_batch_interval
.
- Log::write_buffer_size
-
Default maximum size of the log write buffer per filter/path pair. If this many log writes are buffered, the writer frontend flushes its writes to its backend before flush_interval expires.
In earlier Zeek releases this was hard-coded to 1000.
- MIME::max_depth
-
Stop analysis of nested multipart MIME entities if this depth is reached. Setting this value to 0 removes the limit.
- NCP::max_frame_size
-
The maximum number of bytes to allocate when parsing NCP frames.
- NFS3::return_data
-
If true,
nfs_proc_read
andnfs_proc_write
events return the file data that has been read/written.See also:
NFS3::return_data_max
,NFS3::return_data_first_only
- NFS3::return_data_first_only
-
If
NFS3::return_data
is true, whether to only return data if the read or write offset is 0, i.e., only return data for the beginning of the file.
- NFS3::return_data_max
-
If
NFS3::return_data
is true, how much data should be returned at most.
- POP3::max_pending_commands
-
How many commands a POP3 client may have pending before Zeek forcefully removes the oldest.
Setting this value to 0 removes the limit.
- POP3::max_unknown_client_commands
-
How many invalid commands a POP3 client may use before Zeek starts raising analyzer violations.
Setting this value to 0 removes the limit.
- Pcap::bufsize
-
Number of Mbytes to provide as buffer space when capturing from live interfaces.
- Pcap::bufsize_offline_bytes
-
Number of bytes to use for buffering file read operations when reading from a PCAP file. Setting this to 0 uses operating system defaults as chosen by fopen().
- Pcap::non_fd_timeout
-
Default timeout for packet sources without file descriptors.
For libpcap based packet sources that do not provide a usable file descriptor for select(), the timeout provided to the IO loop is either zero if a packet was most recently available or else this value.
Depending on the expected packet rate per-worker and the amount of available packet buffer, raising this value can significantly reduce Zeek’s CPU usage at the cost of a small delay before processing packets. Setting this value too high may cause packet drops due to running out of available buffer space.
Increasing this value to 200usec on low-traffic Myricom based systems (5 kpps per Zeek worker) has shown a 50% reduction in CPU usage.
This is an advanced setting. Do monitor dropped packets and capture loss information when changing it.
Note
Packet sources that override
GetNextTimeout()
method may not respect this value.See also:
io_poll_interval_live
- Pcap::snaplen
-
Number of bytes per packet to capture from live interfaces.
- Reporter::errors_to_stderr
-
Tunable for sending reporter error messages to STDERR. The option to turn it off is presented here in case Zeek is being run by some external harness and shouldn’t output anything to the console.
- Reporter::info_to_stderr
-
Tunable for sending reporter info messages to STDERR. The option to turn it off is presented here in case Zeek is being run by some external harness and shouldn’t output anything to the console.
- Reporter::warnings_to_stderr
-
Tunable for sending reporter warning messages to STDERR. The option to turn it off is presented here in case Zeek is being run by some external harness and shouldn’t output anything to the console.
- SMB::max_dce_rpc_analyzers
-
Maximum number of DCE-RPC analyzers per connection before discarding them to avoid unbounded state growth.
See also:
smb_discarded_dce_rpc_analyzers
- SMB::max_pending_messages
-
The maximum number of messages for which to retain state about offsets, fids, or tree ids within the parser. When the limit is reached, internal parser state is discarded and
smb2_discarded_messages_state
raised.Setting this to zero will disable the functionality.
See also:
smb2_discarded_messages_state
- SMB::pipe_filenames
- Type:
- Attributes:
- Default:
{}
- Redefinition:
from base/protocols/smb/consts.zeek
=
:spoolss, winreg, samr, srvsvc, netdfs, lsarpc, wkssvc, MsFteWds
A set of file names used as named pipes over SMB. This only comes into play as a heuristic to identify named pipes when the drive mapping wasn’t seen by Zeek.
See also:
smb_pipe_connect_heuristic
- SMTP::bdat_max_line_length
-
The maximum line length within a BDAT chunk before a forceful linebreak is introduced and a weird is raised. Conventionally, MIME messages have a maximum line length of 1000 octets when properly encoded.
- SSL::dtls_max_reported_version_errors
-
Maximum number of invalid version errors to report in one DTLS connection.
- SSL::dtls_max_version_errors
-
Number of non-DTLS frames that can occur in a DTLS connection before parsing of the connection is suspended. DTLS does not immediately stop parsing a connection because other protocols might be interleaved in the same UDP “connection”.
- SSL::max_alerts_per_record
-
Maximum number of Alert messages parsed from an SSL record with content_type alert (21). The remaining alerts are discarded. For TLS 1.3 connections, this is implicitly 1 as defined by RFC 8446.
- Storage::expire_interval
-
The interval used by the storage framework for automatic expiration of elements in all backends that don’t support it natively, or if using expiration while reading pcap files.
- Telemetry::callback_timeout
-
Maximum amount of time for CivetWeb HTTP threads to wait for metric callbacks to complete on the IO loop.
- Telemetry::civetweb_threads
-
Number of CivetWeb threads to use.
- Threading::heartbeat_interval
-
The heartbeat interval used by the threading framework. Changing this should usually not be necessary and will break several tests.
- Tunnel::delay_gtp_confirmation
-
With this set, the GTP analyzer waits until the most-recent upflow and downflow packets are a valid GTPv1 encapsulation before issuing
analyzer_confirmation_info
. If it’s false, the first occurrence of a packet with valid GTPv1 encapsulation causes confirmation. Since the same inner connection can be carried differing outer upflow/downflow connections, setting to false may work better.
- Tunnel::delay_teredo_confirmation
-
With this set, the Teredo analyzer waits until it sees both sides of a connection using a valid Teredo encapsulation before issuing a
analyzer_confirmation_info
. If it’s false, the first occurrence of a packet with valid Teredo encapsulation causes a confirmation.
- Tunnel::ip_tunnel_timeout
-
How often to cleanup internal state for inactive IP tunnels (includes GRE tunnels).
- Tunnel::max_changes_per_connection
-
The number of tunnel_changed events that will be sent for a connection. Once this limit is hit, no more of those events will be sent to avoid a large number of events being sent for connections that regularly swap. This can be set to zero to disable this limiting.
- Tunnel::max_depth
-
The maximum depth of a tunnel to decapsulate until giving up. Setting this to zero will disable all types of tunnel decapsulation.
- Tunnel::validate_vxlan_checksums
-
Whether to validate the checksum supplied in the outer UDP header of a VXLAN encapsulation. The spec says the checksum should be transmitted as zero, but if not, then the decapsulating destination may choose whether to perform the validation.
- UnknownProtocol::first_bytes_count
-
The number of bytes to extract from the next header and log in the first bytes field.
- UnknownProtocol::sampling_duration
-
How long an analyzer/protocol pair is allowed to keep state/counters in in memory. Once the threshold has been hit, this is the amount of time before the rate-limiting for a pair expires and is reset.
- UnknownProtocol::sampling_rate
-
The rate-limiting sampling rate. One out of every of this number of rate-limited pairs of a given type will be allowed to raise events for further script-layer handling. Setting the sampling rate to 0 will disable all output of rate-limited pairs.
- UnknownProtocol::sampling_threshold
-
How many reports for an analyzer/protocol pair will be allowed to raise events before becoming rate-limited.
- WebSocket::payload_chunk_size
-
The WebSocket analyzer consumes and forwards frame payload in chunks to keep memory usage bounded. There should not be a reason to change this value except for debugging and testing reasons.
- WebSocket::use_dpd_default
-
Whether to enable DPD on WebSocket frame payload by default.
- WebSocket::use_spicy_analyzer
-
Whether to use the Spicy WebSocket protocol analyzer.
As of now, the BinPac version has better performance, but we may change the default in the future.
- allow_network_time_forward
-
Whether Zeek will forward network_time to the current time upon observing an idle packet source (or no configured packet source).
Only set this to F if you really know what you’re doing. Setting this to F on non-worker systems causes
network_time
to be stuck at 0.0 and timer expiration will be non-functional.The main purpose of this option is to yield control over network time to plugins or scripts via broker or other non-timer events.
See also:
network_time
,set_network_time
,packet_source_inactivity_timeout
- bits_per_uid
-
Number of bits in UIDs that are generated to identify connections and files. The larger the value, the more confidence in UID uniqueness. The maximum is currently 128 bits.
- cmd_line_bpf_filter
-
BPF filter the user has set via the -f command line options. Empty if none.
- detect_filtered_trace
-
Whether to attempt to automatically detect SYN/FIN/RST-filtered trace and not report missing segments for such connections. If this is enabled, then missing data at the end of connections may not be reported via
content_gap
.
- digest_salt
-
This salt value is used for several message digests in Zeek. We use a salt to help mitigate the possibility of an attacker manipulating source data to, e.g., mount complexity attacks or cause ID collisions. This salt is, for example, used by
get_file_handle
to generate installation-unique file IDs (the id field offa_file
).
- dns_session_timeout
-
Time to wait before timing out a DNS request.
- dpd_buffer_size
-
Size of per-connection buffer used for dynamic protocol detection. For each connection, Zeek buffers this initial amount of payload in memory so that complete protocol analysis can start even after the initial packets have already passed through (i.e., when a DPD signature matches only later). However, once the buffer is full, data is deleted and lost to analyzers that are activated afterwards. Then only analyzers that can deal with partial connections will be able to analyze the session.
See also:
dpd_reassemble_first_packets
,dpd_match_only_beginning
,dpd_ignore_ports
,dpd_max_packets
- dpd_ignore_ports
-
If true, don’t consider any ports for deciding which protocol analyzer to use.
See also:
dpd_reassemble_first_packets
,dpd_buffer_size
,dpd_match_only_beginning
- dpd_late_match_stop
- Type:
- Attributes:
- Default:
F
- Redefinition:
from policy/protocols/conn/speculative-service.zeek
=
:T
If true, stops signature matching after a late match. A late match may occur in case the DPD buffer is exhausted but a protocol signature matched. To allow late matching,
dpd_match_only_beginning
must be disabled.See also:
dpd_reassemble_first_packets
,dpd_buffer_size
,dpd_match_only_beginning
Note
Despite the name, this option stops all signature matching, not only signatures used for dynamic protocol detection but is triggered by DPD signatures only.
- dpd_match_only_beginning
- Type:
- Attributes:
- Default:
T
- Redefinition:
from policy/protocols/conn/speculative-service.zeek
=
:F
If true, stops signature matching if
dpd_buffer_size
has been reached.See also:
dpd_reassemble_first_packets
,dpd_buffer_size
,dpd_ignore_ports
Note
Despite the name, this option affects all signature matching, not only signatures used for dynamic protocol detection.
- dpd_max_packets
-
Maximum number of per-connection packets that will be buffered for dynamic protocol detection. For each connection, Zeek buffers up to this amount of packets in memory so that complete protocol analysis can start even after the initial packets have already passed through (i.e., when a DPD signature matches only later). However, once the buffer is full, data is deleted and lost to analyzers that are activated afterwards. Then only analyzers that can deal with partial connections will be able to analyze the session.
See also:
dpd_reassemble_first_packets
,dpd_match_only_beginning
,dpd_ignore_ports
,dpd_buffer_size
- dpd_reassemble_first_packets
-
Reassemble the beginning of all TCP connections before doing signature matching. Enabling this provides more accurate matching at the expense of CPU cycles.
See also:
dpd_buffer_size
,dpd_match_only_beginning
,dpd_ignore_ports
Note
Despite the name, this option affects all signature matching, not only signatures used for dynamic protocol detection.
- exit_only_after_terminate
-
Flag to prevent Zeek from exiting automatically when input is exhausted. Normally Zeek terminates when all packet sources have gone dry and communication isn’t enabled. If this flag is set, Zeek’s main loop will instead keep idling until
terminate
is explicitly called.This is mainly for testing purposes when termination behaviour needs to be controlled for reproducing results.
- expensive_profiling_multiple
- Type:
- Attributes:
- Default:
0
- Redefinition:
from policy/misc/profiling.zeek
=
:20
Multiples of
profiling_interval
at which (more expensive) memory profiling is done (0 disables).See also:
profiling_interval
,profiling_file
- frag_timeout
-
How long to hold onto fragments for possible reassembly. A value of 0.0 means “forever”, which resists evasion, but can lead to state accrual.
- global_hash_seed
-
Seed for hashes computed internally for probabilistic data structures. Using the same value here will make the hashes compatible between independent Zeek instances. If left unset, Zeek will use a temporary local seed.
- icmp_inactivity_timeout
-
If an ICMP flow is inactive, time it out after this interval. If 0 secs, then don’t time it out.
See also:
tcp_inactivity_timeout
,udp_inactivity_timeout
,unknown_ip_inactivity_timeout
,set_inactivity_timeout
- ignore_checksums
-
If true, don’t verify checksums, and accept packets that give a length of zero in the IPv4 header. This is useful when running against traces of local traffic and the NIC checksum offloading feature is enabled. It can also be useful for running on altered trace files, and for saving a few cycles at the risk of analyzing invalid data. With this option, packets that have a value of zero in the total-length field of the IPv4 header are also accepted, and the capture-length is used instead. The total-length field is commonly set to zero when the NIC sequence offloading feature is enabled. Note that the
-C
command-line option overrides the setting of this variable.
- ignore_keep_alive_rexmit
-
Ignore certain TCP retransmissions for
conn_stats
. Some connections (e.g., SSH) retransmit the acknowledged last byte to keep the connection alive. If ignore_keep_alive_rexmit is set to true, such retransmissions will be excluded in the rexmit counter inconn_stats
.See also:
conn_stats
- io_poll_interval_default
-
How many rounds to go without checking IO sources with file descriptors for readiness by default. This is used when reading from traces.
Very roughly, when reading from a pcap, setting this to 100 results in 100 packets being processed without checking FD based IO sources.
Note
This should not be changed outside of development or when debugging problems with the main-loop, or developing features with tight main-loop interaction.
See also:
io_poll_interval_live
- io_poll_interval_live
-
How often to check IO sources with file descriptors for readiness when monitoring with a live packet source.
The poll interval gets defaulted to 100 which is good for cases like reading from pcap files and when there isn’t a packet source, but is a little too infrequent for live sources (especially fast live sources). Set it down a little bit for those sources.
Note
This should not be changed outside of development or when debugging problems with the main-loop, or developing features with tight main-loop interaction.
See also:
io_poll_interval_default
- likely_server_ports
- Type:
- Attributes:
- Default:
{}
- Redefinition:
from base/packet-protocols/ayiya/main.zeek
+=
:PacketAnalyzer::AYIYA::ayiya_ports
- Redefinition:
from base/packet-protocols/geneve/main.zeek
+=
:PacketAnalyzer::Geneve::geneve_ports
- Redefinition:
from base/packet-protocols/vxlan/main.zeek
+=
:PacketAnalyzer::VXLAN::vxlan_ports
- Redefinition:
from base/packet-protocols/teredo/main.zeek
+=
:PacketAnalyzer::TEREDO::teredo_ports
- Redefinition:
from base/packet-protocols/gtpv1/main.zeek
+=
:PacketAnalyzer::GTPV1::gtpv1_ports
- Redefinition:
from base/protocols/dce-rpc/main.zeek
+=
:DCE_RPC::ports
- Redefinition:
from base/protocols/dhcp/main.zeek
+=
:67/udp
- Redefinition:
from base/protocols/dnp3/main.zeek
+=
:DNP3::ports
- Redefinition:
from base/protocols/dns/main.zeek
+=
:DNS::ports
- Redefinition:
from base/protocols/finger/main.zeek
+=
:Finger::ports
- Redefinition:
from base/protocols/ftp/main.zeek
+=
:FTP::ports
- Redefinition:
from base/protocols/ssl/main.zeek
+=
:SSL::ssl_ports, SSL::dtls_ports
- Redefinition:
from base/protocols/http/main.zeek
+=
:HTTP::ports
- Redefinition:
from base/protocols/imap/main.zeek
+=
:IMAP::ports
- Redefinition:
from base/protocols/irc/main.zeek
+=
:IRC::ports
- Redefinition:
from base/protocols/krb/main.zeek
+=
:KRB::tcp_ports, KRB::udp_ports
- Redefinition:
from base/protocols/ldap/main.zeek
+=
:LDAP::ports_tcp, LDAP::ports_udp
- Redefinition:
from base/protocols/modbus/main.zeek
+=
:Modbus::ports
- Redefinition:
from base/protocols/mqtt/main.zeek
+=
:MQTT::ports
- Redefinition:
from base/protocols/ntp/main.zeek
+=
:NTP::ports
- Redefinition:
from base/protocols/postgresql/main.zeek
+=
:PostgreSQL::ports
- Redefinition:
from base/protocols/radius/main.zeek
+=
:RADIUS::ports
- Redefinition:
from base/protocols/rdp/main.zeek
+=
:RDP::rdp_ports, RDP::rdpeudp_ports
- Redefinition:
from base/protocols/redis/main.zeek
+=
:Redis::ports
- Redefinition:
from base/protocols/sip/main.zeek
+=
:SIP::ports
- Redefinition:
from base/protocols/snmp/main.zeek
+=
:SNMP::ports
- Redefinition:
from base/protocols/smb/main.zeek
+=
:SMB::ports
- Redefinition:
from base/protocols/smtp/main.zeek
+=
:SMTP::ports
- Redefinition:
from base/protocols/socks/main.zeek
+=
:SOCKS::ports
- Redefinition:
from base/protocols/ssh/main.zeek
+=
:SSH::ports
- Redefinition:
from base/protocols/syslog/main.zeek
+=
:Syslog::ports
- Redefinition:
from base/protocols/xmpp/main.zeek
+=
:XMPP::ports
Ports which the core considers being likely used by servers. For ports in this set, it may heuristically decide to flip the direction of the connection if it misses the initial handshake.
- log_rotate_base_time
-
Base time of log rotations in 24-hour time format (
%H:%M
), e.g. “12:00”.
- max_analyzer_violations
-
The maximum number of analyzer violations the core generates before suppressing them for a given analyzer instance. A weird providing information about the analyzer and connection is generated once the limit is reached.
An analyzer generating this many violations is unlikely parsing the right protocol or potentially buggy.
- max_find_all_string_length
-
Maximum string length allowed for calls to the
find_all
andfind_all_ordered
BIFs.
- max_timer_expires
-
The maximum number of expired timers to process after processing each new packet. The value trades off spreading out the timer expiration load with possibly having to hold state longer. A value of 0 means “process all expired timers with each new packet”.
- mmdb_asn_db
-
Default name of the MaxMind ASN database file:
- mmdb_city_db
-
Default name of the MaxMind City database file:
- mmdb_country_db
-
Default name of the MaxMind Country database file:
- mmdb_dir_fallbacks
- Type:
- Attributes:
- Default:
["/usr/share/GeoIP", "/var/lib/GeoIP", "/usr/local/share/GeoIP", "/usr/local/var/GeoIP"]
Fallback locations for MaxMind databases. Zeek attempts these when
mmdb_dir
is not set, or it cannot read a DB file from it. For geolocation lookups, Zeek will first attempt to locate the city database in each of the fallback locations, and should this fail, attempt to locate the country one.
- mmdb_stale_check_interval
-
Sets the interval for MaxMind DB file staleness checks. When Zeek detects a change in inode or modification time, the database is re-opened. Setting a negative interval disables staleness checks.
- netbios_ssn_session_timeout
-
The amount of time before a connection created by the netbios analyzer times out and is removed.
- non_analyzed_lifetime
-
If a connection belongs to an application that we don’t analyze, time it out after this interval. If 0 secs, then don’t time it out (but
tcp_inactivity_timeout
,udp_inactivity_timeout
, andicmp_inactivity_timeout
still apply).
- packet_filter_default
-
Default mode for Zeek’s user-space dynamic packet filter. If true, packets that aren’t explicitly allowed through, are dropped from any further processing.
Note
This is not the BPF packet filter but an additional dynamic filter that Zeek optionally applies just before normal processing starts.
See also:
install_dst_addr_filter
,install_dst_net_filter
,install_src_addr_filter
,install_src_net_filter
,uninstall_dst_addr_filter
,uninstall_dst_net_filter
,uninstall_src_addr_filter
,uninstall_src_net_filter
- packet_source_inactivity_timeout
-
If a packet source does not yield packets for this amount of time, it is considered idle. When a packet source is found to be idle, Zeek will update network_time to current time in order for timer expiration to function. A packet source queueing up packets and not yielding them for longer than this interval without yielding any packets will provoke not-very-well-defined timer behavior.
On Zeek workers with low packet rates, timer expiration may be delayed by this many milliseconds after the last packet has been received.
- partial_connection_ok
-
If true, instantiate connection state when a partial connection (one missing its initial establishment negotiation) is seen.
- peer_description
-
Description transmitted to remote communication peers for identification.
- pkt_profile_freq
-
Frequency associated with packet profiling.
See also:
pkt_profile_modes
,pkt_profile_mode
,pkt_profile_file
- pkt_profile_mode
- Type:
- Attributes:
- Default:
PKT_PROFILE_MODE_NONE
Output mode for packet profiling information.
See also:
pkt_profile_modes
,pkt_profile_freq
,pkt_profile_file
- profiling_interval
- Type:
- Attributes:
- Default:
0 secs
- Redefinition:
from policy/misc/profiling.zeek
=
:15.0 secs
Update interval for profiling (0 disables). The easiest way to activate profiling is loading policy/misc/profiling.zeek.
See also:
profiling_file
,expensive_profiling_multiple
- record_all_packets
-
If a trace file is given with
-w
, dump all packets seen by Zeek into it. By default, Zeek applies (very few) heuristics to reduce the volume. A side effect of setting this to true is that we can write the packets out before we actually process them, which can be helpful for debugging in case the analysis triggers a crash.See also:
trace_output_file
- report_gaps_for_partial
-
Whether we want
content_gap
for partial connections. A connection is partial if it is missing a full handshake. Note that gap reports for partial connections might not be reliable.See also:
content_gap
,partial_connection
- rpc_timeout
-
Time to wait before timing out an RPC request.
- running_under_test
-
Whether Zeek is being run under test. This can be used to alter functionality while testing, but should be used sparingly.
- sig_max_group_size
-
Maximum size of regular expression groups for signature matching.
- skip_http_data
-
Skip HTTP data for performance considerations. The skipped portion will not go through TCP reassembly.
See also:
http_entity_data
,skip_http_entity_data
,http_entity_data_delivery_size
- table_expire_delay
-
When expiring table entries, wait this amount of time before checking the next chunk of entries.
See also:
table_expire_interval
,table_incremental_step
- table_expire_interval
- Type:
- Attributes:
- Default:
10.0 secs
- Redefinition:
from policy/frameworks/management/agent/main.zeek
=
:2.0 secs
- Redefinition:
from policy/frameworks/management/controller/main.zeek
=
:2.0 secs
Check for expired table entries after this amount of time.
See also:
table_incremental_step
,table_expire_delay
- table_incremental_step
-
When expiring/serializing table entries, don’t work on more than this many table entries at a time.
See also:
table_expire_interval
,table_expire_delay
- tcp_SYN_ack_ok
-
If true, instantiate connection state when a SYN/ACK is seen but not the initial SYN (even if
partial_connection_ok
is false).
- tcp_SYN_timeout
-
Check up on the result of an initial SYN after this much time.
- tcp_attempt_delay
-
Wait this long upon seeing an initial SYN before timing out the connection attempt.
- tcp_close_delay
-
Upon seeing a normal connection close, flush state after this much time.
- tcp_connection_linger
-
When checking a closed connection for further activity, consider it inactive if there hasn’t been any for this long. Complain if the connection is reused before this much time has elapsed.
- tcp_content_deliver_all_orig
-
If true, all TCP originator-side traffic is reported via
tcp_contents
.See also:
tcp_content_delivery_ports_orig
,tcp_content_delivery_ports_resp
,tcp_content_deliver_all_resp
,udp_content_delivery_ports_orig
,udp_content_delivery_ports_resp
,udp_content_deliver_all_orig
,udp_content_deliver_all_resp
,tcp_contents
- tcp_content_deliver_all_resp
-
If true, all TCP responder-side traffic is reported via
tcp_contents
.See also:
tcp_content_delivery_ports_orig
,tcp_content_delivery_ports_resp
,tcp_content_deliver_all_orig
,udp_content_delivery_ports_orig
,udp_content_delivery_ports_resp
,udp_content_deliver_all_orig
,udp_content_deliver_all_resp
,tcp_contents
- tcp_content_delivery_ports_orig
-
Defines destination TCP ports for which the contents of the originator stream should be delivered via
tcp_contents
.See also:
tcp_content_delivery_ports_resp
,tcp_content_deliver_all_orig
,tcp_content_deliver_all_resp
,udp_content_delivery_ports_orig
,udp_content_delivery_ports_resp
,udp_content_deliver_all_orig
,udp_content_deliver_all_resp
,tcp_contents
- tcp_content_delivery_ports_resp
-
Defines destination TCP ports for which the contents of the responder stream should be delivered via
tcp_contents
.See also:
tcp_content_delivery_ports_orig
,tcp_content_deliver_all_orig
,tcp_content_deliver_all_resp
,udp_content_delivery_ports_orig
,udp_content_delivery_ports_resp
,udp_content_deliver_all_orig
,udp_content_deliver_all_resp
,tcp_contents
- tcp_excessive_data_without_further_acks
-
If we’ve seen this much data without any of it being acked, we give up on that connection to avoid memory exhaustion due to buffering all that stuff. If set to zero, then we don’t ever give up. Ideally, Zeek would track the current window on a connection and use it to infer that data has in fact gone too far, but for now we just make this quite beefy.
See also:
tcp_max_initial_window
,tcp_max_above_hole_without_any_acks
- tcp_inactivity_timeout
-
If a TCP connection is inactive, time it out after this interval. If 0 secs, then don’t time it out.
See also:
udp_inactivity_timeout
,icmp_inactivity_timeout
,unknown_ip_inactivity_timeout
,set_inactivity_timeout
- tcp_match_undelivered
-
If true, pass any undelivered to the signature engine before flushing the state. If a connection state is removed, there may still be some data waiting in the reassembler.
- tcp_max_above_hole_without_any_acks
-
If we’re not seeing our peer’s ACKs, the maximum volume of data above a sequence hole that we’ll tolerate before assuming that there’s been a packet drop and we should give up on tracking a connection. If set to zero, then we don’t ever give up.
See also:
tcp_max_initial_window
,tcp_excessive_data_without_further_acks
- tcp_max_initial_window
-
Maximum amount of data that might plausibly be sent in an initial flight (prior to receiving any acks). Used to determine whether we must not be seeing our peer’s ACKs. Set to zero to turn off this determination.
See also:
tcp_max_above_hole_without_any_acks
,tcp_excessive_data_without_further_acks
- tcp_max_old_segments
-
Number of TCP segments to buffer beyond what’s been acknowledged already to detect retransmission inconsistencies. Zero disables any additional buffering.
- tcp_partial_close_delay
-
Generate a
connection_partial_close
event this much time after one half of a partial connection closes, assuming there has been no subsequent activity.
- tcp_reassembler_ports_orig
- Type:
- Attributes:
&redef
&deprecated
= “Remove in v8.1. Non-functional since v4.1”- Default:
{}
For services without a handler, these sets define originator-side ports that still trigger reassembly.
See also:
tcp_reassembler_ports_resp
- tcp_reassembler_ports_resp
- Type:
- Attributes:
&redef
&deprecated
= “Remove in v8.1. Non-functional since v4.1”- Default:
{}
For services without a handler, these sets define responder-side ports that still trigger reassembly.
See also:
tcp_reassembler_ports_orig
- tcp_reset_delay
-
Upon seeing a RST, flush state after this much time.
- tcp_session_timer
-
After a connection has closed, wait this long for further activity before checking whether to time out its state.
- tcp_storm_interarrival_thresh
-
FINs/RSTs must come with this much time or less between them to be considered a “storm”.
See also:
tcp_storm_thresh
- tcp_storm_thresh
-
Number of FINs/RSTs in a row that constitute a “storm”. Storms are reported as
weird
via the notice framework, and they must also come within intervals of at mosttcp_storm_interarrival_thresh
.See also:
tcp_storm_interarrival_thresh
- truncate_http_URI
-
Maximum length of HTTP URIs passed to events. Longer ones will be truncated to prevent over-long URIs (usually sent by worms) from slowing down event processing. A value of -1 means “do not truncate”.
See also:
http_request
- udp_content_deliver_all_orig
-
If true, all UDP originator-side traffic is reported via
udp_contents
.See also:
tcp_content_delivery_ports_orig
,tcp_content_delivery_ports_resp
,tcp_content_deliver_all_resp
tcp_content_delivery_ports_orig
,udp_content_delivery_ports_orig
,udp_content_delivery_ports_resp
,udp_content_deliver_all_resp
,udp_contents
,udp_content_delivery_ports_use_resp
- udp_content_deliver_all_resp
-
If true, all UDP responder-side traffic is reported via
udp_contents
.See also:
tcp_content_delivery_ports_orig
,tcp_content_delivery_ports_resp
,tcp_content_deliver_all_resp
tcp_content_delivery_ports_orig
,udp_content_delivery_ports_orig
,udp_content_delivery_ports_resp
,udp_content_deliver_all_orig
,udp_contents
,udp_content_delivery_ports_use_resp
- udp_content_delivery_ports_orig
-
Defines UDP destination ports for which the contents of the originator stream should be delivered via
udp_contents
.See also:
tcp_content_delivery_ports_orig
,tcp_content_delivery_ports_resp
,tcp_content_deliver_all_orig
,tcp_content_deliver_all_resp
,udp_content_delivery_ports_resp
,udp_content_deliver_all_orig
,udp_content_deliver_all_resp
,udp_contents
,udp_content_delivery_ports_use_resp
,udp_content_ports
- udp_content_delivery_ports_resp
-
Defines UDP destination ports for which the contents of the responder stream should be delivered via
udp_contents
.See also:
tcp_content_delivery_ports_orig
,tcp_content_delivery_ports_resp
,tcp_content_deliver_all_orig
,tcp_content_deliver_all_resp
,udp_content_delivery_ports_orig
,udp_content_deliver_all_orig
,udp_content_deliver_all_resp
,udp_contents
,udp_content_delivery_ports_use_resp
,udp_content_ports
- udp_inactivity_timeout
-
If a UDP flow is inactive, time it out after this interval. If 0 secs, then don’t time it out.
See also:
tcp_inactivity_timeout
,icmp_inactivity_timeout
,unknown_ip_inactivity_timeout
,set_inactivity_timeout
- unknown_ip_inactivity_timeout
-
If a flow with an unknown IP-based protocol is inactive, time it out after this interval. If 0 secs, then don’t time it out.
See also:
tcp_inactivity_timeout
,udp_inactivity_timeout
,icmp_inactivity_timeout
,set_inactivity_timeout
- use_conn_size_analyzer
-
Whether to use the
ConnSize
analyzer to count the number of packets and IP-level bytes transferred by each endpoint. If true, these values are returned in the connection’sendpoint
record value.
- watchdog_interval
-
Zeek’s watchdog interval.
Constants
- CONTENTS_BOTH
- Type:
- Default:
3
Record both originator and responder contents.
- CONTENTS_NONE
- Type:
- Default:
0
Turn off recording of contents.
- CONTENTS_ORIG
- Type:
- Default:
1
Record originator contents.
- CONTENTS_RESP
- Type:
- Default:
2
Record responder contents.
- ENDIAN_BIG
- Type:
- Default:
2
Big endian.
- ENDIAN_CONFUSED
- Type:
- Default:
3
Tried to determine endian, but failed.
- ENDIAN_LITTLE
- Type:
- Default:
1
Little endian.
- ENDIAN_UNKNOWN
- Type:
- Default:
0
Endian not yet determined.
- ICMP_UNREACH_ADMIN_PROHIB
- Type:
- Default:
13
Administratively prohibited.
- ICMP_UNREACH_HOST
- Type:
- Default:
1
Host unreachable.
- ICMP_UNREACH_NEEDFRAG
- Type:
- Default:
4
Fragment needed.
- ICMP_UNREACH_NET
- Type:
- Default:
0
Network unreachable.
- ICMP_UNREACH_PORT
- Type:
- Default:
3
Port unreachable.
- ICMP_UNREACH_PROTOCOL
- Type:
- Default:
2
Protocol unreachable.
- IPPROTO_AH
- Type:
- Default:
51
IPv6 authentication header.
- IPPROTO_DSTOPTS
- Type:
- Default:
60
IPv6 destination options header.
- IPPROTO_ESP
- Type:
- Default:
50
IPv6 encapsulating security payload header.
- IPPROTO_FRAGMENT
- Type:
- Default:
44
IPv6 fragment header.
- IPPROTO_HOPOPTS
- Type:
- Default:
0
IPv6 hop-by-hop-options header.
- IPPROTO_ICMP
- Type:
- Default:
1
Control message protocol.
- IPPROTO_ICMPV6
- Type:
- Default:
58
ICMP for IPv6.
- IPPROTO_IGMP
- Type:
- Default:
2
Group management protocol.
- IPPROTO_IP
- Type:
- Default:
0
Dummy for IP.
- IPPROTO_IPIP
- Type:
- Default:
4
IP encapsulation in IP.
- IPPROTO_IPV6
- Type:
- Default:
41
IPv6 header.
- IPPROTO_MOBILITY
- Type:
- Default:
135
IPv6 mobility header.
- IPPROTO_NONE
- Type:
- Default:
59
IPv6 no next header.
- IPPROTO_RAW
- Type:
- Default:
255
Raw IP packet.
- IPPROTO_ROUTING
- Type:
- Default:
43
IPv6 routing header.
- IPPROTO_TCP
- Type:
- Default:
6
TCP.
- IPPROTO_UDP
- Type:
- Default:
17
User datagram protocol.
- LOGIN_STATE_AUTHENTICATE
- Type:
- Default:
0
- LOGIN_STATE_CONFUSED
- Type:
- Default:
3
- LOGIN_STATE_LOGGED_IN
- Type:
- Default:
1
- LOGIN_STATE_SKIP
- Type:
- Default:
2
- RPC_status
- Type:
table
[rpc_status
] ofstring
- Default:
{ [RPC_PROG_MISMATCH] = "mismatch", [RPC_AUTH_ERROR] = "auth error", [RPC_SYSTEM_ERR] = "system err", [RPC_PROC_UNAVAIL] = "proc unavail", [RPC_SUCCESS] = "ok", [RPC_UNKNOWN_ERROR] = "unknown", [RPC_TIMEOUT] = "timeout", [RPC_GARBAGE_ARGS] = "garbage args", [RPC_PROG_UNAVAIL] = "prog unavail" }
Mapping of numerical RPC status codes to readable messages.
See also:
pm_attempt_callit
,pm_attempt_dump
,pm_attempt_getport
,pm_attempt_null
,pm_attempt_set
,pm_attempt_unset
,rpc_dialogue
,rpc_reply
- SNMP::OBJ_COUNTER32_TAG
- Type:
- Default:
65
Unsigned 32-bit integer.
- SNMP::OBJ_COUNTER64_TAG
- Type:
- Default:
70
Unsigned 64-bit integer.
- SNMP::OBJ_ENDOFMIBVIEW_TAG
- Type:
- Default:
130
A NULL value.
- SNMP::OBJ_INTEGER_TAG
- Type:
- Default:
2
Signed 64-bit integer.
- SNMP::OBJ_IPADDRESS_TAG
- Type:
- Default:
64
An IP address.
- SNMP::OBJ_NOSUCHINSTANCE_TAG
- Type:
- Default:
129
A NULL value.
- SNMP::OBJ_NOSUCHOBJECT_TAG
- Type:
- Default:
128
A NULL value.
- SNMP::OBJ_OCTETSTRING_TAG
- Type:
- Default:
4
An octet string.
- SNMP::OBJ_OID_TAG
- Type:
- Default:
6
An Object Identifier.
- SNMP::OBJ_OPAQUE_TAG
- Type:
- Default:
68
An octet string.
- SNMP::OBJ_TIMETICKS_TAG
- Type:
- Default:
67
Unsigned 32-bit integer.
- SNMP::OBJ_UNSIGNED32_TAG
- Type:
- Default:
66
Unsigned 32-bit integer.
- SNMP::OBJ_UNSPECIFIED_TAG
- Type:
- Default:
5
A NULL value.
- TCP_CLOSED
- Type:
- Default:
5
Endpoint has closed connection.
- TCP_ESTABLISHED
- Type:
- Default:
4
Endpoint has finished initial handshake regularly.
- TCP_INACTIVE
- Type:
- Default:
0
Error string if unsuccessful. Endpoint is still inactive.
- TCP_PARTIAL
- Type:
- Default:
3
Endpoint has sent data but no initial SYN.
- TCP_SYN_ACK_SENT
- Type:
- Default:
2
Endpoint has sent SYN/ACK.
- TCP_SYN_SENT
- Type:
- Default:
1
Endpoint has sent SYN.
- UDP_ACTIVE
- Type:
- Default:
1
Endpoint has sent something.
- UDP_INACTIVE
- Type:
- Default:
0
Endpoint is still inactive.
- trace_output_file
- Type:
- Default:
""
Holds the filename of the trace file given with
-w
(empty if none).See also:
record_all_packets
- zeek_script_args
-
Arguments given to Zeek from the command line. In order to use this, Zeek must use a
--
command line argument immediately followed by a script file and additional arguments after that. For example:zeek --bare-mode -- myscript.zeek -a -b -c
To use Zeek as an executable interpreter, include a line at the top of a script like the following and make the script executable:
#!/usr/local/zeek/bin/zeek --
State Variables
- capture_filters
-
Set of BPF capture filters to use for capturing, indexed by a user-definable ID (which must be unique). If Zeek is not configured with
PacketFilter::enable_auto_protocol_capture_filters
, all packets matching at least one of the filters in this table (and all inrestrict_filters
) will be analyzed.See also:
PacketFilter
,PacketFilter::enable_auto_protocol_capture_filters
,PacketFilter::unrestricted_filter
,restrict_filters
- direct_login_prompts
-
TODO.
- discarder_maxlen
-
Maximum length of payload passed to discarder functions.
See also:
discarder_check_tcp
,discarder_check_udp
,discarder_check_icmp
,discarder_check_ip
- dns_max_queries
-
If a DNS request includes more than this many queries, assume it’s non-DNS traffic and do not process it. Set to 0 to turn off this functionality.
- dns_skip_addl
-
For DNS servers in these sets, omit processing the ADDL records they include in their replies.
See also:
dns_skip_all_addl
,dns_skip_auth
- dns_skip_all_addl
- Type:
- Attributes:
- Default:
T
- Redefinition:
from policy/protocols/dns/auth-addl.zeek
=
:F
If true, all DNS ADDL records are skipped.
See also:
dns_skip_all_auth
,dns_skip_addl
- dns_skip_all_auth
- Type:
- Attributes:
- Default:
T
- Redefinition:
from policy/protocols/dns/auth-addl.zeek
=
:F
If true, all DNS AUTH records are skipped.
See also:
dns_skip_all_addl
,dns_skip_auth
- dns_skip_auth
-
For DNS servers in these sets, omit processing the AUTH records they include in their replies.
See also:
dns_skip_all_auth
,dns_skip_addl
- done_with_network
- Type:
- Default:
F
- http_entity_data_delivery_size
-
Maximum number of HTTP entity data delivered to events.
See also:
http_entity_data
,skip_http_entity_data
,skip_http_data
- interfaces
- Type:
- Attributes:
- Default:
""
Network interfaces to listen on. Use
redef interfaces += "eth0"
to extend.
- login_failure_msgs
-
TODO.
- login_non_failure_msgs
-
TODO.
- login_prompts
-
TODO.
- login_success_msgs
-
TODO.
- login_timeouts
-
TODO.
- mime_segment_length
-
The length of MIME data segments delivered to handlers of
mime_segment_data
.See also:
mime_segment_data
,mime_segment_overlap_length
- mime_segment_overlap_length
-
The number of bytes of overlap between successive segments passed to
mime_segment_data
.
- pkt_profile_file
-
File where packet profiles are logged.
See also:
pkt_profile_modes
,pkt_profile_freq
,pkt_profile_mode
- profiling_file
- Type:
- Attributes:
- Default:
file "prof.log" of string
- Redefinition:
from policy/misc/profiling.zeek
=
:open(fmt(prof.%s, Profiling::log_suffix()))
Write profiling info into this file in regular intervals. The easiest way to activate profiling is loading policy/misc/profiling.zeek.
See also:
profiling_interval
,expensive_profiling_multiple
- restrict_filters
-
Set of BPF filters to restrict capturing, indexed by a user-definable ID (which must be unique).
See also:
PacketFilter
,PacketFilter::enable_auto_protocol_capture_filters
,PacketFilter::unrestricted_filter
,capture_filters
- secondary_filters
-
Definition of “secondary filters”. A secondary filter is a BPF filter given as index in this table. For each such filter, the corresponding event is raised for all matching packets.
- signature_files
- Type:
- Attributes:
- Default:
""
Signature files to read. Use
redef signature_files += "foo.sig"
to extend. Signature files added this way will be searched relative toZEEKPATH
. Using the@load-sigs
directive instead is preferred since that can search paths relative to the current script.
- skip_authentication
-
TODO.
Types
- Analyzer::disabling_analyzer
- Type:
hook
(c:connection
, atype:AllAnalyzers::Tag
, aid:count
) :bool
- Attributes:
A hook taking a connection, analyzer tag and analyzer id that can be used to veto disabling protocol analyzers. Specifically, an analyzer can be prevented from being disabled by using a
break
statement within the hook. This hook is invoked synchronously during adisable_analyzer
call.Scripts implementing this hook should have other logic that will eventually disable the analyzer for the given connection. That is, if a script vetoes disabling an analyzer, it takes responsibility for a later call to
disable_analyzer
, which may be never.- Param c:
The connection
- Param atype:
The type / tag of the analyzer being disabled.
- Param aid:
The analyzer ID.
- AnalyzerConfirmationInfo
- Type:
- Fields:
-
c:
connection
&optional
The connection related to this confirmation, if any. This field may be set if there’s any connection related information available for this confirmation. For protocol analyzers it is guaranteed to be set, but may also be added by file analyzers as additional contextual information.
-
aid:
count
&optional
Specific analyzer instance that can be used to reference the analyzer when using builtin functions like
disable_analyzer
.
-
c:
Generic analyzer confirmation info record.
See also:
analyzer_confirmation_info
- AnalyzerViolationInfo
- Type:
- Fields:
-
-
c:
connection
&optional
The connection related to this violation, if any. This field may be set if there’s any connection related information available for this violation. For protocol analyzers it is guaranteed to be set, but may also be added by file analyzers as additional contextual information.
-
aid:
count
&optional
Specific analyzer instance that can be used to reference the analyzer when using builtin functions like
disable_analyzer
.
-
c:
Generic analyzer violation info record.
See also:
analyzer_violation_info
- Backtrace
- Type:
A representation of a Zeek script’s call stack.
See also:
backtrace
,print_backtrace
- BacktraceElement
- Type:
- Fields:
-
-
function_args:
call_argument_vector
The arguments passed to the function being called.
-
function_args:
A representation of an element in a Zeek script’s call stack.
See also:
backtrace
,print_backtrace
- BrokerPeeringStats
- Type:
- Fields:
-
-
max_queued_recently:
count
The maximum number of messages queued in the recent
Broker::buffer_stats_reset_interval
time interval.
-
max_queued_recently:
Broker statistics for an individual peering.
- BrokerPeeringStatsTable
- Type:
- BrokerStats
- Type:
- Fields:
Statistics about Broker communication.
See also:
get_broker_stats
- Cluster::Pool
- Type:
- Fields:
-
spec:
Cluster::PoolSpec
(present if base/frameworks/cluster/pools.zeek is loaded)
The specification of the pool that was used when registering it.
-
nodes:
Cluster::PoolNodeTable
&default
={ }
&optional
(present if base/frameworks/cluster/pools.zeek is loaded)
Nodes in the pool, indexed by their name (e.g. “manager”).
-
node_list:
vector
ofCluster::PoolNode
&default
=[]
&optional
(present if base/frameworks/cluster/pools.zeek is loaded)
A list of nodes in the pool in a deterministic order.
-
hrw_pool:
HashHRW::Pool
&default
=[sites={ }]
&optional
(present if base/frameworks/cluster/pools.zeek is loaded)
The Rendezvous hashing structure.
-
rr_key_seq:
Cluster::RoundRobinTable
&default
={ }
&optional
(present if base/frameworks/cluster/pools.zeek is loaded)
Round-Robin table indexed by arbitrary key and storing the next index of node_list that will be eligible to receive work (if it’s alive at the time of next request).
-
alive_count:
count
&default
=0
&optional
(present if base/frameworks/cluster/pools.zeek is loaded)
Number of pool nodes that are currently alive.
-
spec:
A pool used for distributing data/work among a set of cluster nodes.
- DHCP::Addrs
-
A list of addresses offered by a DHCP server. Could be routers, DNS servers, or other.
See also:
dhcp_message
- DHCP::ClientFQDN
- Type:
- Fields:
DHCP Client FQDN Option information (Option 81)
- DHCP::ClientID
-
DHCP Client Identifier (Option 61)
See also:
dhcp_message
- DHCP::Msg
- Type:
- Fields:
A DHCP message.
See also:
dhcp_message
- DHCP::Options
- Type:
- Fields:
-
-
routers:
DHCP::Addrs
&optional
Router addresses (option 3)
-
dns_servers:
DHCP::Addrs
&optional
DNS Server addresses (option 6)
-
vendor:
string
&optional
Vendor specific data. This can frequently be unparsed binary data. (option 43)
-
nbns:
DHCP::Addrs
&optional
NETBIOS name server list (option 44)
-
serv_addr:
addr
&optional
Server address to allow clients to distinguish between lease offers. (option 54)
-
renewal_time:
interval
&optional
This option specifies the time interval from address assignment until the client transitions to the RENEWING state. (option 58)
-
rebinding_time:
interval
&optional
This option specifies the time interval from address assignment until the client transitions to the REBINDING state. (option 59)
-
vendor_class:
string
&optional
This option is used by DHCP clients to optionally identify the vendor type and configuration of a DHCP client. (option 60)
-
client_id:
DHCP::ClientID
&optional
DHCP Client Identifier (Option 61)
-
client_fqdn:
DHCP::ClientFQDN
&optional
DHCP Client FQDN (Option 81)
-
sub_opt:
DHCP::SubOpts
&optional
DHCP Relay Agent Information Option (Option 82)
-
auto_config:
bool
&optional
Auto Config option to let host know if it’s allowed to auto assign an IP address. (Option 116)
-
time_servers:
DHCP::Addrs
&optional
A list of RFC 868 time servers available to the client. (Option 4)
-
name_servers:
DHCP::Addrs
&optional
A list of IEN 116 name servers available to the client. (Option 5)
-
ntp_servers:
DHCP::Addrs
&optional
A list of IP addresses indicating NTP servers available to the client. (Option 42)
-
routers:
- DHCP::SubOpt
-
DHCP Relay Agent Information Option (Option 82)
See also:
dhcp_message
- DHCP::SubOpts
- Type:
- DNSStats
- Type:
- Fields:
Statistics related to Zeek’s active use of DNS. These numbers are about Zeek performing DNS queries on it’s own, not traffic being seen.
See also:
get_dns_stats
- EncapsulatingConnVector
- Type:
A type alias for a vector of encapsulating “connections”, i.e. for when there are tunnels within tunnels.
Todo
We need this type definition only for declaring builtin functions via
bifcl
. We should extendbifcl
to understand composite types directly and then remove this alias.
- EventMetadata::Entry
- Type:
- Fields:
-
id:
EventMetadata::ID
The registered
EventMetadata::ID
value.
-
val:
any
The value. Its type matches what was passed to
EventMetadata::register
.
-
id:
A event metadata entry.
- EventMetadata::ID
-
Enum type for metadata identifiers.
- EventNameCounter
- Type:
- Fields:
- Attributes:
Statistics about how many times each event name is queued.
See also:
get_event_handler_stats
- EventNameStats
- Type:
- FileAnalysisStats
- Type:
- Fields:
Statistics of file analysis.
See also:
get_file_analysis_stats
- GapStats
- Type:
- Fields:
Statistics about number of gaps in TCP connections.
See also:
get_gap_stats
- IPAddrAnonymization
- Type:
-
- KEEP_ORIG_ADDR
- SEQUENTIALLY_NUMBERED
- RANDOM_MD5
- PREFIX_PRESERVING_A50
- PREFIX_PRESERVING_MD5
See also:
anonymize_addr
- IPAddrAnonymizationClass
-
See also:
anonymize_addr
- JSON::TimestampFormat
- Type:
-
- JSON::TS_EPOCH
Timestamps will be formatted as UNIX epoch doubles. This is the format that Zeek typically writes out timestamps.
- JSON::TS_MILLIS
Timestamps will be formatted as signed integers that represent the number of milliseconds since the UNIX epoch. Timestamps before the UNIX epoch are represented as negative values.
- JSON::TS_MILLIS_UNSIGNED
Timestamps will be formatted as unsigned integers that represent the number of milliseconds since the UNIX epoch. Timestamps before the UNIX epoch result in negative values being interpreted as large unsigned integers.
- JSON::TS_ISO8601
Timestamps will be formatted in the ISO8601 DateTime format. Subseconds are also included which isn’t actually part of the standard but most consumers that parse ISO8601 seem to be able to cope with that.
- KRB::AP_Options
- Type:
- Fields:
AP Options. See RFC 4120
- KRB::Error_Msg
- Type:
- Fields:
-
-
pa_data:
vector
ofKRB::Type_Value
&optional
Optional pre-authentication data
-
pa_data:
The data from the ERROR_MSG message. See RFC 4120.
- KRB::Host_Address
- Type:
- Fields:
-
-
unknown:
KRB::Type_Value
&optional
Some other type that we don’t support yet
-
unknown:
A Kerberos host address See RFC 4120.
- KRB::KDC_Options
- Type:
- Fields:
-
-
disable_transited_check:
bool
Request that the KDC not check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT.
-
renewable_ok:
bool
If a ticket with the requested lifetime cannot be issued, a renewable ticket is acceptable
-
disable_transited_check:
KDC Options. See RFC 4120
- KRB::KDC_Request
- Type:
- Fields:
-
-
pa_data:
vector
ofKRB::Type_Value
&optional
Optional pre-authentication data
-
kdc_options:
KRB::KDC_Options
&optional
Options specified in the request
-
encryption_types:
vector
ofcount
&optional
The desired encryption algorithms, in order of preference
-
host_addrs:
vector
ofKRB::Host_Address
&optional
Any additional addresses the ticket should be valid for
-
additional_tickets:
vector
ofKRB::Ticket
&optional
Additional tickets may be included for certain transactions
-
pa_data:
The data from the AS_REQ and TGS_REQ messages. See RFC 4120.
- KRB::KDC_Response
- Type:
- Fields:
-
-
pa_data:
vector
ofKRB::Type_Value
&optional
Optional pre-authentication data
-
ticket:
KRB::Ticket
The ticket that was issued
-
enc_part:
KRB::Encrypted_Data
The encrypted session key for the client
-
pa_data:
The data from the AS_REQ and TGS_REQ messages. See RFC 4120.
- KRB::SAFE_Msg
- Type:
- Fields:
-
-
sender:
KRB::Host_Address
&optional
Sender address
-
recipient:
KRB::Host_Address
&optional
Recipient address
-
sender:
The data from the SAFE message. See RFC 4120.
- KRB::Ticket
- Type:
- Fields:
A Kerberos ticket. See RFC 4120.
- KRB::Ticket_Vector
- Type:
- KRB::Type_Value
-
Used in a few places in the Kerberos analyzer for elements that have a type and a string value.
- KRB::Type_Value_Vector
- Type:
- MOUNT3::dirmntargs_t
-
MOUNT mnt arguments.
See also:
mount_proc_mnt
- MOUNT3::info_t
- Type:
- Fields:
-
rpc_stat:
rpc_status
The RPC status.
-
mnt_stat:
MOUNT3::status_t
The MOUNT status.
-
rpc_stat:
Record summarizing the general results and status of MOUNT3 request/reply pairs.
Note that when rpc_stat or mount_stat indicates not successful, the reply record passed to the corresponding event will be empty and contain uninitialized fields, so don’t use it. Also note that time
- MOUNT3::mnt_reply_t
- Type:
- Fields:
-
-
auth_flavors:
vector
ofMOUNT3::auth_flavor_t
&optional
Returned authentication flavors
-
auth_flavors:
MOUNT lookup reply. If the mount failed, dir_attr may be set. If the mount succeeded, fh is always set.
See also:
mount_proc_mnt
- MQTT::ConnectMsg
- Type:
- Fields:
-
-
keep_alive:
interval
The maximum time interval that is permitted to elapse between the point at which the Client finishes transmitting one Control Packet and the point it starts sending the next.
-
keep_alive:
- MQTT::PublishMsg
- Type:
- Fields:
-
-
retain:
bool
Indicates if the server should retain this message so that clients subscribing to the topic in the future will receive this message automatically.
-
payload_len:
count
The actual length of the payload in the case the payload field’s contents were truncated according to
MQTT::max_payload_size
.
-
retain:
- MatcherStats
- Type:
- Fields:
Statistics of all regular expression matchers.
See also:
get_matcher_stats
- ModbusCoils
-
A vector of boolean values that indicate the setting for a range of modbus coils.
- ModbusRegisters
-
A vector of count values that represent 16bit modbus register values.
- NFS3::delobj_reply_t
- Type:
- Fields:
-
dir_pre_attr:
NFS3::wcc_attr_t
&optional
Optional attributes associated w/ dir.
-
dir_post_attr:
NFS3::fattr_t
&optional
Optional attributes associated w/ dir.
-
dir_pre_attr:
NFS reply for remove, rmdir. Corresponds to wcc_data in the spec.
See also:
nfs_proc_remove
,nfs_proc_rmdir
- NFS3::direntry_t
- Type:
- Fields:
-
-
attr:
NFS3::fattr_t
&optional
readdirplus: the fh attributes for the entry.
-
attr:
NFS direntry. fh and attr are used for readdirplus. However, even for readdirplus they may not be filled out.
See also:
NFS3::direntry_vec_t
,NFS3::readdir_reply_t
- NFS3::direntry_vec_t
- Type:
Vector of NFS direntry.
See also:
NFS3::readdir_reply_t
- NFS3::diropargs_t
- Type:
- Fields:
NFS readdir arguments.
See also:
nfs_proc_readdir
- NFS3::fattr_t
- Type:
- Fields:
-
ftype:
NFS3::file_type_t
File type.
-
ftype:
NFS file attributes. Field names are based on RFC 1813.
See also:
nfs_proc_getattr
- NFS3::fsstat_t
- Type:
- Fields:
-
attrs:
NFS3::fattr_t
&optional
Attributes.
-
attrs:
NFS fsstat.
- NFS3::info_t
- Type:
- Fields:
-
rpc_stat:
rpc_status
The RPC status.
-
nfs_stat:
NFS3::status_t
The NFS status.
-
rpc_stat:
Record summarizing the general results and status of NFSv3 request/reply pairs.
Note that when rpc_stat or nfs_stat indicates not successful, the reply record passed to the corresponding event will be empty and contain uninitialized fields, so don’t use it. Also note that time and duration values might not be fully accurate. For TCP, we record times when the corresponding chunk of data is delivered to the analyzer. Depending on the reassembler, this might be well after the first packet of the request was received.
See also:
nfs_proc_create
,nfs_proc_getattr
,nfs_proc_lookup
,nfs_proc_mkdir
,nfs_proc_not_implemented
,nfs_proc_null
,nfs_proc_read
,nfs_proc_readdir
,nfs_proc_readlink
,nfs_proc_remove
,nfs_proc_rmdir
,nfs_proc_write
,nfs_reply_status
- NFS3::link_reply_t
- Type:
- Fields:
-
post_attr:
NFS3::fattr_t
&optional
Optional post-operation attributes of the file system object identified by file
-
preattr:
NFS3::wcc_attr_t
&optional
Optional attributes associated w/ file.
-
postattr:
NFS3::fattr_t
&optional
Optional attributes associated w/ file.
-
post_attr:
NFS link reply.
See also:
nfs_proc_link
- NFS3::linkargs_t
- Type:
- Fields:
-
-
link:
NFS3::diropargs_t
The location of the link to be created.
-
link:
NFS link arguments.
See also:
nfs_proc_link
- NFS3::lookup_reply_t
- Type:
- Fields:
-
-
obj_attr:
NFS3::fattr_t
&optional
Optional attributes associated w/ file
-
dir_attr:
NFS3::fattr_t
&optional
Optional attributes associated w/ dir.
-
obj_attr:
NFS lookup reply. If the lookup failed, dir_attr may be set. If the lookup succeeded, fh is always set and obj_attr and dir_attr may be set.
See also:
nfs_proc_lookup
- NFS3::newobj_reply_t
- Type:
- Fields:
-
-
obj_attr:
NFS3::fattr_t
&optional
Optional attributes associated w/ new object.
-
dir_pre_attr:
NFS3::wcc_attr_t
&optional
Optional attributes associated w/ dir.
-
dir_post_attr:
NFS3::fattr_t
&optional
Optional attributes associated w/ dir.
-
obj_attr:
NFS reply for create, mkdir, and symlink. If the proc failed, dir_*_attr may be set. If the proc succeeded, fh and the attr’s may be set. Note: no guarantee that fh is set after success.
See also:
nfs_proc_create
,nfs_proc_mkdir
- NFS3::read_reply_t
- Type:
- Fields:
-
attr:
NFS3::fattr_t
&optional
Attributes.
-
attr:
NFS read reply. If the lookup fails, attr may be set. If the lookup succeeds, attr may be set and all other fields are set.
- NFS3::readargs_t
- Type:
- Fields:
NFS read arguments.
See also:
nfs_proc_read
- NFS3::readdir_reply_t
- Type:
- Fields:
-
-
dir_attr:
NFS3::fattr_t
&optional
Directory attributes.
-
entries:
NFS3::direntry_vec_t
&optional
Returned directory entries.
-
dir_attr:
NFS readdir reply. Used for readdir and readdirplus. If an is returned, dir_attr might be set. On success, dir_attr may be set, all others must be set.
- NFS3::readdirargs_t
- Type:
- Fields:
NFS readdir arguments. Used for both readdir and readdirplus.
See also:
nfs_proc_readdir
- NFS3::readlink_reply_t
- Type:
- Fields:
-
attr:
NFS3::fattr_t
&optional
Attributes.
-
attr:
NFS readline reply. If the request fails, attr may be set. If the request succeeds, attr may be set and all other fields are set.
See also:
nfs_proc_readlink
- NFS3::renameobj_reply_t
- Type:
- Fields:
-
src_dir_pre_attr:
NFS3::wcc_attr_t
-
src_dir_post_attr:
NFS3::fattr_t
-
dst_dir_pre_attr:
NFS3::wcc_attr_t
-
dst_dir_post_attr:
NFS3::fattr_t
-
src_dir_pre_attr:
NFS reply for rename. Corresponds to wcc_data in the spec.
See also:
nfs_proc_rename
- NFS3::renameopargs_t
-
NFS rename arguments.
See also:
nfs_proc_rename
- NFS3::sattr_reply_t
- Type:
- Fields:
-
dir_pre_attr:
NFS3::wcc_attr_t
&optional
Optional attributes associated w/ dir.
-
dir_post_attr:
NFS3::fattr_t
&optional
Optional attributes associated w/ dir.
-
dir_pre_attr:
NFS sattr reply. If the request fails, pre|post attr may be set. If the request succeeds, pre|post attr are set.
- NFS3::sattr_t
- Type:
- Fields:
-
-
atime:
NFS3::time_how_t
&optional
Time of last access.
-
mtime:
NFS3::time_how_t
&optional
Time of last modification.
-
atime:
NFS file attributes. Field names are based on RFC 1813.
See also:
nfs_proc_sattr
- NFS3::sattrargs_t
- Type:
- Fields:
-
-
new_attributes:
NFS3::sattr_t
The new attributes for the file.
-
new_attributes:
NFS sattr arguments.
See also:
nfs_proc_sattr
- NFS3::symlinkargs_t
- Type:
- Fields:
-
link:
NFS3::diropargs_t
The location of the link to be created.
-
symlinkdata:
NFS3::symlinkdata_t
The symbolic link to be created.
-
link:
NFS symlink arguments.
See also:
nfs_proc_symlink
- NFS3::symlinkdata_t
- Type:
- Fields:
-
symlink_attributes:
NFS3::sattr_t
The initial attributes for the symbolic link
-
symlink_attributes:
NFS symlinkdata attributes. Field names are based on RFC 1813
See also:
nfs_proc_symlink
- NFS3::wcc_attr_t
- Type:
- Fields:
NFS wcc attributes.
See also:
NFS3::write_reply_t
- NFS3::write_reply_t
- Type:
- Fields:
-
preattr:
NFS3::wcc_attr_t
&optional
Pre operation attributes.
-
postattr:
NFS3::fattr_t
&optional
Post operation attributes.
-
commited:
NFS3::stable_how_t
&optional
TODO.
-
preattr:
NFS write reply. If the request fails, pre|post attr may be set. If the request succeeds, pre|post attr may be set and all other fields are set.
See also:
nfs_proc_write
- NFS3::writeargs_t
- Type:
- Fields:
-
-
stable:
NFS3::stable_how_t
How and when data is committed.
-
stable:
NFS write arguments.
See also:
nfs_proc_write
- NTLM::AVs
- NTLM::Authenticate
- Type:
- Fields:
-
flags:
NTLM::NegotiateFlags
The negotiate flags
-
version:
NTLM::Version
&optional
The Windows version information, if supplied
-
flags:
- NTLM::Challenge
- Type:
- Fields:
-
flags:
NTLM::NegotiateFlags
The negotiate flags
-
target_name:
string
&optional
The server authentication realm. If the server is domain-joined, the name of the domain. Otherwise the server name. See flags.target_type_domain and flags.target_type_server
-
version:
NTLM::Version
&optional
The Windows version information, if supplied
-
flags:
- NTLM::NegotiateFlags
- NTP::ControlMessage
- Type:
- Fields:
-
op_code:
count
An integer specifying the command function. Values currently defined:
1 read status command/response
2 read variables command/response
3 write variables command/response
4 read clock variables command/response
5 write clock variables command/response
6 set trap address/port command/response
7 trap response
Other values are reserved.
-
op_code:
NTP control message as defined in RFC 1119 for mode=6 This record contains the fields used by the NTP protocol for control operations.
- NTP::Message
- Type:
- Fields:
-
-
mode:
count
The NTP mode being used. Possible values are:
1 - symmetric active
2 - symmetric passive
3 - client
4 - server
5 - broadcast
6 - NTP control message
7 - reserved for private use
-
std_msg:
NTP::StandardMessage
&optional
If mode 1-5, the standard fields for synchronization operations are here. See RFC 5905
-
control_msg:
NTP::ControlMessage
&optional
If mode 6, the fields for control operations are here. See RFC 1119
-
mode7_msg:
NTP::Mode7Message
&optional
If mode 7, the fields for extra operations are here. Note that this is not defined in any RFC and is implementation dependent. We used the official implementation from the NTP official project. A mode 7 packet is used exchanging data between an NTP server and a client for purposes other than time synchronization, e.g. monitoring, statistics gathering and configuration.
-
mode:
NTP message as defined in RFC 5905. Does include fields for mode 7, reserved for private use in RFC 5905, but used in some implementation for commands such as “monlist”.
- NTP::Mode7Message
- Type:
- Fields:
-
req_code:
count
An implementation-specific code which specifies the operation to be (which has been) performed and/or the format and semantics of the data included in the packet.
-
sequence:
count
For a multipacket response, contains the sequence number of this packet. 0 is the first in the sequence, 127 (or less) is the last. The More Bit must be set in all packets but the last.
-
implementation:
count
The number of the implementation this request code is defined by. An implementation number of zero is used for request codes/data formats which all implementations agree on. Implementation number 255 is reserved (for extensions, in case we run out).
-
err:
count
Must be 0 for a request. For a response, holds an error code relating to the request. If nonzero, the operation requested wasn’t performed.
0 - no error
1 - incompatible implementation number
2 - unimplemented request code
3 - format error (wrong data items, data size, packet size etc.)
4 - no data available (e.g. request for details on unknown peer)
5 - unknown
6 - unknown
7 - authentication failure (i.e. permission denied)
-
req_code:
NTP mode 7 message. Note that this is not defined in any RFC and is implementation dependent. We used the official implementation from the NTP official project. A mode 7 packet is used exchanging data between an NTP server and a client for purposes other than time synchronization, e.g. monitoring, statistics gathering and configuration. For details see the documentation from the NTP official project, code v. ntp-4.2.8p13, in include/ntp_request.h.
- NTP::StandardMessage
- Type:
- Fields:
-
stratum:
count
This value mainly identifies the type of server (primary server, secondary server, etc.). Possible values, as in RFC 5905, are:
0 -> unspecified or invalid
1 -> primary server (e.g., equipped with a GPS receiver)
2-15 -> secondary server (via NTP)
16 -> unsynchronized
17-255 -> reserved
For stratum 0, a kiss_code can be given for debugging and monitoring.
-
kiss_code:
string
&optional
For stratum 0, four-character ASCII string used for debugging and monitoring. Values are defined in RFC 1345.
-
ref_id:
string
&optional
Reference ID. For stratum 1, this is the ID assigned to the reference clock by IANA. For example: GOES, GPS, GAL, etc. (see RFC 5905)
-
ref_addr:
addr
&optional
Above stratum 1, when using IPv4, the IP address of the reference clock. Note that the NTP protocol did not originally specify a large enough field to represent IPv6 addresses, so they use the first four bytes of the MD5 hash of the reference clock’s IPv6 address (i.e. an IPv4 address here is not necessarily IPv4).
-
stratum:
NTP standard message as defined in RFC 5905 for modes 1-5 This record contains the standard fields used by the NTP protocol for standard synchronization operations.
- NetStats
- Type:
- Fields:
-
-
pkts_link:
count
&default
=0
&optional
Packets seen on the link. Note that this may differ from pkts_recvd because of a potential capture_filter. See base/frameworks/packet-filter/main.zeek. Depending on the packet capture system, this value may not be available and will then be always set to zero.
-
pkts_link:
Packet capture statistics. All counts are cumulative.
See also:
get_net_stats
- PE::DOSHeader
- PE::FileHeader
- Type:
- Fields:
- PE::OptionalHeader
- Type:
- Fields:
- PE::SectionHeader
- Type:
- Fields:
-
-
size_of_raw_data:
count
The size of the initialized data for the section, as it is in the file on disk.
-
size_of_raw_data:
Record for Portable Executable (PE) section headers.
- PacketSource
- Type:
- Fields:
Properties of an I/O packet source being read by Zeek.
- Pcap::Interface
- Type:
- Fields:
The definition of a “pcap interface”.
- Pcap::Interfaces
- Type:
- Pcap::filter_state
-
The state of the compilation for a pcap filter.
- PcapFilterID
- Type:
-
- None
- PacketFilter::DefaultPcapFilter
(present if base/frameworks/packet-filter/main.zeek is loaded)
- PacketFilter::FilterTester
(present if base/frameworks/packet-filter/main.zeek is loaded)
Enum type identifying dynamic BPF filters. These are used by
Pcap::precompile_pcap_filter
andPcap::precompile_pcap_filter
.
- ProcStats
- Type:
- Fields:
Statistics about Zeek’s process.
See also:
get_proc_stats
Note
All process-level values refer to Zeek’s main process only, not to the child process it spawns for doing communication.
- RADIUS::Attributes
- Type:
- RDP::ClientChannelDef
- Type:
- Fields:
Name and flags for a single channel requested by the client.
- RDP::ClientChannelList
- Type:
The list of channels requested by the client.
- RDP::ClientClusterData
- Type:
- Fields:
-
-
redir_session_id:
count
If the redir_sessionid_field_valid flag is set, this field contains a valid session identifier to which the client requests to connect.
-
redir_supported:
bool
The client can receive server session redirection packets. If this flag is set, the svr_session_redir_version_mask field MUST contain the server session redirection version that the client supports.
-
svr_session_redir_version_mask:
count
The server session redirection version that the client supports.
-
redir_session_id:
The TS_UD_CS_CLUSTER data block is sent by the client to the server either to advertise that it can support the Server Redirection PDUs or to request a connection to a given session identifier.
- RDP::ClientCoreData
- Type:
- Fields:
-
-
ec_flags:
RDP::EarlyCapabilityFlags
&optional
-
ec_flags:
- RDP::ClientSecurityData
- Type:
- Fields:
-
encryption_methods:
count
Cryptographic encryption methods supported by the client and used in conjunction with Standard RDP Security. Known flags:
0x00000001: support for 40-bit session encryption keys
0x00000002: support for 128-bit session encryption keys
0x00000008: support for 56-bit session encryption keys
0x00000010: support for FIPS compliant encryption and MAC methods
-
encryption_methods:
The TS_UD_CS_SEC data block contains security-related information used to advertise client cryptographic support.
- ReassemblerStats
- Type:
- Fields:
Holds statistics for all types of reassembly.
See also:
get_reassembler_stats
- ReporterStats
- Type:
- Fields:
Statistics about reporter messages and weirds.
See also:
get_reporter_stats
- SMB1::Find_First2_Request_Args
- SMB1::Find_First2_Response_Args
- SMB1::Header
- Type:
- Fields:
An SMB1 header.
See also:
smb1_message
,smb1_empty_response
,smb1_error
,smb1_check_directory_request
,smb1_check_directory_response
,smb1_close_request
,smb1_create_directory_request
,smb1_create_directory_response
,smb1_echo_request
,smb1_echo_response
,smb1_negotiate_request
,smb1_negotiate_response
,smb1_nt_cancel_request
,smb1_nt_create_andx_request
,smb1_nt_create_andx_response
,smb1_query_information_request
,smb1_read_andx_request
,smb1_read_andx_response
,smb1_session_setup_andx_request
,smb1_session_setup_andx_response
,smb1_transaction_request
,smb1_transaction2_request
,smb1_trans2_find_first2_request
,smb1_trans2_query_path_info_request
,smb1_trans2_get_dfs_referral_request
,smb1_tree_connect_andx_request
,smb1_tree_connect_andx_response
,smb1_tree_disconnect
,smb1_write_andx_request
,smb1_write_andx_response
- SMB1::NegotiateCapabilities
- SMB1::NegotiateResponse
- Type:
- Fields:
-
core:
SMB1::NegotiateResponseCore
&optional
If the server does not understand any of the dialect strings, or if PC NETWORK PROGRAM 1.0 is the chosen dialect.
-
lanman:
SMB1::NegotiateResponseLANMAN
&optional
If the chosen dialect is greater than core up to and including LANMAN 2.1.
-
ntlm:
SMB1::NegotiateResponseNTLM
&optional
If the chosen dialect is NT LM 0.12.
-
core:
- SMB1::NegotiateResponseLANMAN
- Type:
- Fields:
-
-
security_mode:
SMB1::NegotiateResponseSecurity
Security mode
-
max_number_vcs:
count
Max number of virtual circuits (VCs - transport-layer connections) between client and server
-
raw_mode:
SMB1::NegotiateRawMode
Raw mode
-
security_mode:
- SMB1::NegotiateResponseNTLM
- Type:
- Fields:
-
-
security_mode:
SMB1::NegotiateResponseSecurity
Security mode
-
max_number_vcs:
count
Max number of virtual circuits (VCs - transport-layer connections) between client and server
-
capabilities:
SMB1::NegotiateCapabilities
Server capabilities
-
encryption_key:
string
&optional
The challenge encryption key. Present only for non-extended security (i.e. capabilities$extended_security = F)
-
domain_name:
string
&optional
The name of the domain. Present only for non-extended security (i.e. capabilities$extended_security = F)
-
security_mode:
- SMB1::NegotiateResponseSecurity
- Type:
- Fields:
-
user_level:
bool
This indicates whether the server, as a whole, is operating under Share Level or User Level security.
-
challenge_response:
bool
This indicates whether or not the server supports Challenge/Response authentication. If the bit is false, then plaintext passwords must be used.
-
user_level:
- SMB1::SessionSetupAndXCapabilities
- Type:
- Fields:
- SMB1::SessionSetupAndXRequest
- Type:
- Fields:
-
word_count:
count
- Count of parameter words
10 for pre NT LM 0.12
12 for NT LM 0.12 with extended security
13 for NT LM 0.12 without extended security
-
account_password:
string
&optional
If challenge/response auth is not being used, this is the password. Otherwise, it’s the response to the server’s challenge. Note: Only set for pre NT LM 0.12
-
primary_domain:
string
&optional
Client’s primary domain, if known Note: not set for NT LM 0.12 with extended security
-
case_insensitive_password:
string
&optional
Case insensitive password Note: only set for NT LM 0.12 without extended security
-
case_sensitive_password:
string
&optional
Case sensitive password Note: only set for NT LM 0.12 without extended security
-
capabilities:
SMB1::SessionSetupAndXCapabilities
&optional
Client capabilities Note: only set for NT LM 0.12
-
word_count:
- SMB1::SessionSetupAndXResponse
- Type:
- Fields:
- SMB1::Trans2_Args
- Type:
- Fields:
- SMB1::Trans2_Sec_Args
- Type:
- Fields:
- SMB1::Trans_Sec_Args
- Type:
- Fields:
- SMB2::CloseResponse
- Type:
- Fields:
-
-
times:
SMB::MACTimes
The creation, last access, last write, and change times.
-
attrs:
SMB2::FileAttrs
The attributes of the file.
-
times:
The response to an SMB2 close request, which is used by the client to close an instance of a file that was opened previously.
For more information, see MS-SMB2:2.2.16
See also:
smb2_close_response
- SMB2::CompressionCapabilities
- Type:
- Fields:
Compression information as defined in SMB v. 3.1.1
For more information, see MS-SMB2:2.3.1.3
- SMB2::CreateRequest
- Type:
- Fields:
The request sent by the client to request either creation of or access to a file.
For more information, see MS-SMB2:2.2.13
See also:
smb2_create_request
- SMB2::CreateResponse
- Type:
- Fields:
-
file_id:
SMB2::GUID
The SMB2 GUID for the file.
-
times:
SMB::MACTimes
Timestamps associated with the file in question.
-
attrs:
SMB2::FileAttrs
File attributes.
-
file_id:
The response to an SMB2 create_request request, which is sent by the client to request either creation of or access to a file.
For more information, see MS-SMB2:2.2.14
See also:
smb2_create_response
- SMB2::EncryptionCapabilities
- Type:
- Fields:
Encryption information as defined in SMB v. 3.1.1
For more information, see MS-SMB2:2.3.1.2
- SMB2::FileAttrs
- Type:
- Fields:
-
read_only:
bool
The file is read only. Applications can read the file but cannot write to it or delete it.
The file is hidden. It is not to be included in an ordinary directory listing.
-
archive:
bool
The file has not been archived since it was last modified. Applications use this attribute to mark files for backup or removal.
-
temporary:
bool
The file is temporary. This is a hint to the cache manager that it does not need to flush the file to backing storage.
-
compressed:
bool
The file or directory is compressed. For a file, this means that all of the data in the file is compressed. For a directory, this means that compression is the default for newly created files and subdirectories.
-
offline:
bool
The data in this file is not available immediately. This attribute indicates that the file data is physically moved to offline storage. This attribute is used by Remote Storage, which is hierarchical storage management software.
-
encrypted:
bool
A file or directory that is encrypted. For a file, all data streams in the file are encrypted. For a directory, encryption is the default for newly created files and subdirectories.
-
read_only:
A series of boolean flags describing basic and extended file attributes for SMB2.
For more information, see MS-CIFS:2.2.1.2.3 and MS-FSCC:2.6
See also:
smb2_create_response
- SMB2::FileEA
- Type:
- Fields:
This information class is used to query or set extended attribute (EA) information for a file.
For more information, see MS-SMB2:2.2.39 and MS-FSCC:2.4.15
- SMB2::FileEAs
- Type:
A vector of extended attribute (EA) information for a file.
For more information, see MS-SMB2:2.2.39 and MS-FSCC:2.4.15
- SMB2::Fscontrol
- Type:
- Fields:
-
free_space_start_filtering:
int
minimum amount of free disk space required to begin document filtering
-
free_space_threshold:
int
minimum amount of free disk space required to continue filtering documents and merging word lists
-
free_space_start_filtering:
A series of integers flags used to set quota and content indexing control information for a file system volume in SMB2.
For more information, see MS-SMB2:2.2.39 and MS-FSCC:2.5.2
- SMB2::GUID
- Type:
- Fields:
An SMB2 globally unique identifier which identifies a file.
For more information, see MS-SMB2:2.2.14.1
See also:
smb2_close_request
,smb2_create_response
,smb2_read_request
,smb2_file_rename
,smb2_file_delete
,smb2_write_request
- SMB2::Header
- Type:
- Fields:
-
-
status:
count
In a request, this is an indication to the server about the client’s channel change. In a response, this is the status field
-
credits:
count
The number of credits the client is requesting, or the number of credits granted to the client in a response.
-
status:
An SMB2 header.
For more information, see MS-SMB2:2.2.1.1 and MS-SMB2:2.2.1.2
See also:
smb2_message
,smb2_close_request
,smb2_close_response
,smb2_create_request
,smb2_create_response
,smb2_negotiate_request
,smb2_negotiate_response
,smb2_read_request
,smb2_session_setup_request
,smb2_session_setup_response
,smb2_file_rename
,smb2_file_delete
,smb2_tree_connect_request
,smb2_tree_connect_response
,smb2_write_request
- SMB2::NegotiateContextValue
- Type:
- Fields:
-
-
preauth_info:
SMB2::PreAuthIntegrityCapabilities
&optional
The preauthentication information.
-
encryption_info:
SMB2::EncryptionCapabilities
&optional
The encryption information.
-
compression_info:
SMB2::CompressionCapabilities
&optional
The compression information.
-
preauth_info:
The context type information as defined in SMB v. 3.1.1
For more information, see MS-SMB2:2.3.1
- SMB2::NegotiateResponse
- Type:
- Fields:
-
dialect_revision:
count
The preferred common SMB2 Protocol dialect number from the array that was sent in the SMB2 NEGOTIATE Request.
-
security_mode:
count
The security mode field specifies whether SMB signing is enabled, required at the server, or both.
-
server_guid:
SMB2::GUID
A globally unique identifier that is generate by the server to uniquely identify the server.
-
system_time:
time
The system time of the SMB2 server when the SMB2 NEGOTIATE Request was processed.
-
negotiate_context_count:
count
The number of negotiate context values in SMB v. 3.1.1, otherwise reserved to 0.
-
negotiate_context_values:
SMB2::NegotiateContextValues
An array of context values in SMB v. 3.1.1.
-
dialect_revision:
The response to an SMB2 negotiate request, which is used by the client to notify the server what dialects of the SMB2 protocol the client understands.
For more information, see MS-SMB2:2.2.4
See also:
smb2_negotiate_response
- SMB2::PreAuthIntegrityCapabilities
- Type:
- Fields:
Preauthentication information as defined in SMB v. 3.1.1
For more information, see MS-SMB2:2.3.1.1
- SMB2::SessionSetupFlags
- Type:
- Fields:
A flags field that indicates additional information about the session that’s sent in the session_setup response.
For more information, see MS-SMB2:2.2.6
See also:
smb2_session_setup_response
- SMB2::SessionSetupRequest
- Type:
- Fields:
The request sent by the client to request a new authenticated session within a new or existing SMB 2 Protocol transport connection to the server.
For more information, see MS-SMB2:2.2.5
See also:
smb2_session_setup_request
- SMB2::SessionSetupResponse
- Type:
- Fields:
-
flags:
SMB2::SessionSetupFlags
Additional information about the session
-
flags:
The response to an SMB2 session_setup request, which is sent by the client to request a new authenticated session within a new or existing SMB 2 Protocol transport connection to the server.
For more information, see MS-SMB2:2.2.6
See also:
smb2_session_setup_response
- SMB2::Transform_header
- Type:
- Fields:
An SMB2 transform header (for SMB 3.x dialects with encryption enabled).
For more information, see MS-SMB2:2.2.41
See also:
smb2_transform_header
,smb2_message
,smb2_close_request
,smb2_close_response
,smb2_create_request
,smb2_create_response
,smb2_negotiate_request
,smb2_negotiate_response
,smb2_read_request
,smb2_session_setup_request
,smb2_session_setup_response
,smb2_file_rename
,smb2_file_delete
,smb2_tree_connect_request
,smb2_tree_connect_response
,smb2_write_request
- SMB2::TreeConnectResponse
- Type:
- Fields:
The type of share being accessed. Physical disk, named pipe, or printer.
The response to an SMB2 tree_connect request, which is sent by the client to request access to a particular share on the server.
For more information, see MS-SMB2:2.2.9
See also:
smb2_tree_connect_response
- SMB::MACTimes
- Type:
- Fields:
MAC times for a file.
For more information, see MS-SMB2:2.2.16
See also:
smb1_nt_create_andx_response
,smb2_create_response
- SNMP::Binding
- Type:
- Fields:
-
-
value:
SNMP::ObjectValue
-
value:
The
VarBind
data structure from either RFC 1157 or RFC 3416, which maps an Object Identifier to a value.
- SNMP::Bindings
- Type:
A
VarBindList
data structure from either RFC 1157 or RFC 3416. A sequences ofSNMP::Binding
, which maps an OIDs to values.
- SNMP::BulkPDU
- Type:
- Fields:
-
-
bindings:
SNMP::Bindings
-
bindings:
A
BulkPDU
data structure from RFC 3416.
- SNMP::Header
- Type:
- Fields:
-
-
v1:
SNMP::HeaderV1
&optional
Set when
version
is 0.
-
v2:
SNMP::HeaderV2
&optional
Set when
version
is 1.
-
v3:
SNMP::HeaderV3
&optional
Set when
version
is 3.
-
v1:
A generic SNMP header data structure that may include data from any version of SNMP. The value of the
version
field determines what header field is initialized.
- SNMP::HeaderV1
-
The top-level message data structure of an SNMPv1 datagram, not including the PDU data. See RFC 1157.
- SNMP::HeaderV2
-
The top-level message data structure of an SNMPv2 datagram, not including the PDU data. See RFC 1901.
- SNMP::HeaderV3
- Type:
- Fields:
-
-
pdu_context:
SNMP::ScopedPDU_Context
&optional
-
pdu_context:
The top-level message data structure of an SNMPv3 datagram, not including the PDU data. See RFC 3412.
- SNMP::ObjectValue
- Type:
- Fields:
A generic SNMP object value, that may include any of the valid
ObjectSyntax
values from RFC 1155 or RFC 3416. The value is decoded whenever possible and assigned to the appropriate field, which can be determined from the value of thetag
field. For tags that can’t be mapped to an appropriate type, theoctets
field holds the BER encoded ASN.1 content if there is any (though,octets
is may also be used for other tags such as OCTET STRINGS or Opaque). Null values will only have their corresponding tag value set.
- SNMP::PDU
- Type:
- Fields:
-
-
bindings:
SNMP::Bindings
-
bindings:
- SNMP::ScopedPDU_Context
-
The
ScopedPduData
data structure of an SNMPv3 datagram, not including the PDU data (i.e. just the “context” fields). See RFC 3412.
- SNMP::TrapPDU
- Type:
- Fields:
-
-
bindings:
SNMP::Bindings
-
bindings:
A
Trap-PDU
data structure from RFC 1157.
- SOCKS::Address
-
- Attributes:
This record is for a SOCKS client or server to provide either a name or an address to represent a desired or established connection.
- SSH::Algorithm_Prefs
- Type:
- Fields:
The client and server each have some preferences for the algorithms used in each direction.
- SSH::Capabilities
- Type:
- Fields:
-
kex_algorithms:
string_vec
Key exchange algorithms
-
server_host_key_algorithms:
string_vec
The algorithms supported for the server host key
-
encryption_algorithms:
SSH::Algorithm_Prefs
Symmetric encryption algorithm preferences
-
mac_algorithms:
SSH::Algorithm_Prefs
Symmetric MAC algorithm preferences
-
compression_algorithms:
SSH::Algorithm_Prefs
Compression algorithm preferences
-
languages:
SSH::Algorithm_Prefs
&optional
Language preferences
-
kex_algorithms:
This record lists the preferences of an SSH endpoint for algorithm selection. During the initial SSH key exchange, each endpoint lists the algorithms that it supports, in order of preference. See RFC 4253#section-7.1 for details.
- SYN_packet
- Type:
- Fields:
Fields of a SYN packet.
See also:
connection_SYN_packet
- Storage::OperationResult
- Type:
- Fields:
-
code:
Storage::ReturnCode
One of a set of backend-redefinable return codes.
-
code:
Returned as the result of the various storage operations.
- Storage::ReturnCode
- Type:
-
- Storage::SUCCESS
Operation succeeded.
- Storage::VAL_TYPE_MISMATCH
Type of value passed to operation does not match type of value passed when opening backend.
- Storage::KEY_TYPE_MISMATCH
Type of key passed to operation does not match type of key passed when opening backend.
- Storage::NOT_CONNECTED
Backend is not connected.
- Storage::TIMEOUT
Operation timed out.
- Storage::CONNECTION_LOST
Connection to backed was lost unexpectedly.
- Storage::OPERATION_FAILED
Generic operation failure.
- Storage::KEY_NOT_FOUND
Key requested was not found in backend.
- Storage::KEY_EXISTS
Key requested for overwrite already exists.
- Storage::CONNECTION_FAILED
Generic connection-setup failure. This is not if the connection was lost, but if it failed to be setup in the first place.
- Storage::DISCONNECTION_FAILED
Generic disconnection failure.
- Storage::INITIALIZATION_FAILED
Generic initialization failure.
- Storage::IN_PROGRESS
Returned from async operations when the backend is waiting for a result.
- Attributes:
Common set of statuses that can be returned by storage operations. Backend plugins can add to this enum if custom values are needed.
- TCP::Option
- Type:
- Fields:
-
kind:
count
The kind number associated with the option. Other optional fields of this record may be set depending on this value.
-
length:
count
The total length of the option in bytes, including the kind byte and length byte (if present).
-
data:
string
&optional
This field is set to the raw option bytes if the kind is not otherwise known/parsed. It’s also set for known kinds whose length was invalid.
-
kind:
A TCP Option field parsed from a TCP header.
- TCP::OptionList
- Type:
The full list of TCP Option fields parsed from a TCP header.
- Telemetry::HistogramMetric
- Type:
- Fields:
-
opts:
Telemetry::MetricOpts
A
Telemetry::MetricOpts
record describing this histogram.
-
label_names:
vector
ofstring
&default
=[]
&optional
The label names (also called dimensions) of the metric. When instantiating or working with concrete metrics, corresponding label values have to be provided. Examples of a label might be the protocol a general observation applies to, the directionality in a traffic flow, or protocol-specific context like a particular message type.
-
opts:
Histograms returned by the
Telemetry::collect_histogram_metrics
function.
- Telemetry::Metric
- Type:
- Fields:
-
opts:
Telemetry::MetricOpts
A
Telemetry::MetricOpts
record describing this metric.
-
label_names:
vector
ofstring
&default
=[]
&optional
The label names (also called dimensions) of the metric. When instantiating or working with concrete metrics, corresponding label values have to be provided. Examples of a label might be the protocol a general observation applies to, the directionality in a traffic flow, or protocol-specific context like a particular message type.
-
opts:
Metrics returned by the
Telemetry::collect_metrics
function.
- Telemetry::MetricOpts
- Type:
- Fields:
-
prefix:
string
The prefix (namespace) of the metric. Zeek uses the
zeek
prefix for any internal metrics and theprocess
prefix for any metrics involving process state (CPU, memory, etc).
-
name:
string
The human-readable name of the metric. This is set to the full prefixed name including the unit when returned from
Telemetry::collect_metrics
orTelemetry::collect_histogram_metrics
.
-
unit:
string
&optional
The unit of the metric. Leave this unset for a unit-less metric. Will be unset when returned from
Telemetry::collect_metrics
orTelemetry::collect_histogram_metrics
.
-
label_names:
vector
ofstring
&default
=[]
&optional
The label names (also called dimensions) of the metric. When instantiating or working with concrete metrics, corresponding label values have to be provided. Examples of a label might be the protocol a general observation applies to, the directionality in a traffic flow, or protocol-specific context like a particular message type. This field is only used in the construction of new metrics and will not be filled in when returned from
Telemetry::collect_metrics
orTelemetry::collect_histogram_metrics
,
-
is_total:
bool
&optional
Whether the metric represents something that is accumulating. Defaults to
T
for counters andF
for gauges and histograms.
-
bounds:
vector
ofdouble
&optional
When creating a
Telemetry::HistogramFamily
, describes the number and bounds of the individual buckets.
-
metric_type:
Telemetry::MetricType
&optional
Describes the underlying metric type. Only set in the return value of
Telemetry::collect_metrics
orTelemetry::collect_histogram_metrics
, otherwise ignored.
-
prefix:
Type that captures options used to create metrics.
- ThreadStats
-
Statistics about threads.
See also:
get_thread_stats
- TimerStats
- Type:
- Fields:
Statistics of timers.
See also:
get_timer_stats
- Tunnel::EncapsulatingConn
- Type:
- Fields:
-
cid:
conn_id
&log
The 4-tuple of the encapsulating “connection”. In case of an IP-in-IP tunnel the ports will be set to 0. The direction (i.e., orig and resp) are set according to the first tunneled packet seen and not according to the side that established the tunnel.
-
tunnel_type:
Tunnel::Type
&log
The type of tunnel.
-
uid:
string
&optional
&log
A globally unique identifier that, for non-IP-in-IP tunnels, cross-references the uid field of
connection
.
-
cid:
- Attributes:
Records the identity of an encapsulating parent of a tunneled connection.
- WebSocket::AnalyzerConfig
- Type:
- Fields:
-
analyzer:
Analyzer::Tag
&optional
The analyzer to attach for analysis of the WebSocket frame payload. See use_dpd below for the behavior when unset.
-
use_dpd:
bool
&default
=WebSocket::use_dpd_default
&optional
If analyzer is unset, determines whether to attach a PIA_TCP analyzer for dynamic protocol detection with WebSocket payload.
-
analyzer:
Record type that is passed to
WebSocket::configure_analyzer
.This record allows to configure the WebSocket analyzer given parameters collected from HTTP headers.
- X509::BasicConstraints
- Type:
- Fields:
- Attributes:
- X509::Certificate
- Type:
- Fields:
- X509::Extension
- Type:
- Fields:
- X509::Result
- Type:
- Fields:
Result of an X509 certificate chain verification
- X509::SubjectAlternativeName
- Type:
- Fields:
-
dns:
string_vec
&optional
&log
List of DNS entries in SAN
-
uri:
string_vec
&optional
&log
List of URI entries in SAN
-
email:
string_vec
&optional
&log
List of email entries in SAN
-
dns:
- addr_set
-
A set of addresses.
Todo
We need this type definition only for declaring builtin functions via
bifcl
. We should extendbifcl
to understand composite types directly and then remove this alias.
- addr_vec
-
A vector of addresses.
Todo
We need this type definition only for declaring builtin functions via
bifcl
. We should extendbifcl
to understand composite types directly and then remove this alias.
- any_vec
-
A vector of any, used by some builtin functions to store a list of varying types.
Todo
We need this type definition only for declaring builtin functions via
bifcl
. We should extendbifcl
to understand composite types directly and then remove this alias.
- assertion_failure
-
A hook that is invoked when an assert statement fails.
By default, a reporter error message is logged describing the failing assert similarly to how scripting errors are reported after invoking this hook. Using the
break
statement in an assertion_failure hook handler allows to suppress this message.- Param cond:
The string representation of the condition.
- Param msg:
Evaluated message as string given to the assert statement.
- Param bt:
Backtrace of the assertion error. The top element will contain the location of the assert statement that failed.
See also:
assertion_result
- assertion_result
-
A hook that is invoked with the result of every assert statement.
This is a potentially expensive hook meant to be used by testing frameworks to summarize assert results. In a production setup, this hook is likely detrimental to performance.
Using the
break
statement within an assertion_failure hook handler allows to suppress the reporter error message generated for failing assert statements.- Param result:
The result of evaluating cond.
- Param cond:
The string representation of the condition.
- Param msg:
Evaluated message as string given to the assert statement.
- Param bt:
Backtrace of the assertion error. The top element will contain the location of the assert statement that failed.
See also:
assertion_failure
- bittorrent_benc_dir
- Type:
A table of BitTorrent “benc” values.
See also:
bt_tracker_response
- bittorrent_benc_value
- Type:
- Fields:
BitTorrent “benc” value. Note that “benc” = Bencode (“Bee-Encode”), per http://en.wikipedia.org/wiki/Bencode.
See also:
bittorrent_benc_dir
- bittorrent_peer
-
A BitTorrent peer.
See also:
bittorrent_peer_set
- bittorrent_peer_set
- Type:
A set of BitTorrent peers.
See also:
bt_tracker_response
- bt_tracker_headers
-
Header table type used by BitTorrent analyzer.
See also:
bt_tracker_request
,bt_tracker_response
,bt_tracker_response_not_ok
- call_argument
- Type:
- Fields:
Meta-information about a parameter to a function/event.
See also:
call_argument_vector
,new_event
,backtrace
,print_backtrace
- call_argument_vector
- Type:
Vector type used to capture parameters of a function/event call.
See also:
call_argument
,new_event
,backtrace
,print_backtrace
- conn_id
- Type:
- Fields:
A connection’s identifying 4-tuple of endpoints and ports.
Note
It’s actually a 5-tuple: the transport-layer protocol is stored as part of the port values, orig_p and resp_p, and can be extracted from them with
get_port_transport_proto
.Note
For explanation of Zeek’s “originator” and “responder” terminology, see the manual’s description of the connection record.
- connection
- Type:
- Fields:
-
-
duration:
interval
The duration of the conversation. Roughly speaking, this is the interval between first and last data packet (low-level TCP details may adjust it somewhat in ambiguous cases).
-
service:
set
[string
]&ordered
The set of services the connection is using as determined by Zeek’s dynamic protocol detection. Each entry is the label of an analyzer that confirmed that it could parse the connection payload. While typically, there will be at most one entry for each connection, in principle it is possible that more than one protocol analyzer is able to parse the same data. If so, all will be recorded. Also note that the recorded services are independent of any transport-level protocols.
-
history:
string
State history of connections. See history in
Conn::Info
.
-
uid:
string
A globally unique connection identifier. For each connection, Zeek creates an ID that is very likely unique across independent Zeek runs. These IDs can thus be used to tag and locate information associated with that connection.
-
tunnel:
EncapsulatingConnVector
&optional
If the connection is tunneled, this field contains information about the encapsulating “connection(s)” with the outermost one starting at index zero. It’s also always the first such encapsulation seen for the connection unless the
tunnel_changed
event is handled and reassigns this field to the new encapsulation.
-
removal_hooks:
set
[Conn::RemovalHook
]&optional
(present if base/protocols/conn/removal-hooks.zeek is loaded)
-
service_violation:
set
[string
]&default
={ }
&optional
(present if base/frameworks/analyzer/dpd.zeek is loaded)
The set of services (analyzers) for which Zeek has observed a violation after the same service had previously been confirmed.
-
failed_analyzers:
set
[string
]&default
={ }
&optional
(present if base/frameworks/analyzer/dpd.zeek is loaded)
The set of prototol analyzers that were removed due to a protocol violation after the same analyzer had previously been confirmed.
-
conn:
Conn::Info
&optional
(present if base/protocols/conn/main.zeek is loaded)
-
extract_orig:
bool
&default
=Conn::default_extract
&optional
(present if base/protocols/conn/contents.zeek is loaded)
-
extract_resp:
bool
&default
=Conn::default_extract
&optional
(present if base/protocols/conn/contents.zeek is loaded)
-
thresholds:
ConnThreshold::Thresholds
&optional
(present if base/protocols/conn/thresholds.zeek is loaded)
-
dce_rpc:
DCE_RPC::Info
&optional
(present if base/protocols/dce-rpc/main.zeek is loaded)
-
dce_rpc_state:
DCE_RPC::State
&optional
(present if base/protocols/dce-rpc/main.zeek is loaded)
-
dce_rpc_backing:
table
[count
] ofDCE_RPC::BackingState
&optional
(present if base/protocols/dce-rpc/main.zeek is loaded)
-
dhcp:
DHCP::Info
&optional
(present if base/protocols/dhcp/main.zeek is loaded)
-
dnp3:
DNP3::Info
&optional
(present if base/protocols/dnp3/main.zeek is loaded)
-
dns:
DNS::Info
&optional
(present if base/protocols/dns/main.zeek is loaded)
-
dns_state:
DNS::State
&optional
(present if base/protocols/dns/main.zeek is loaded)
-
ftp:
FTP::Info
&optional
(present if base/protocols/ftp/main.zeek is loaded)
-
ftp_data_reuse:
bool
&default
=F
&optional
(present if base/protocols/ftp/main.zeek is loaded)
-
ssl:
SSL::Info
&optional
(present if base/protocols/ssl/main.zeek is loaded)
-
http:
HTTP::Info
&optional
(present if base/protocols/http/main.zeek is loaded)
-
http_state:
HTTP::State
&optional
(present if base/protocols/http/main.zeek is loaded)
-
irc:
IRC::Info
&optional
(present if base/protocols/irc/main.zeek is loaded)
IRC session information.
-
krb:
KRB::Info
&optional
(present if base/protocols/krb/main.zeek is loaded)
-
ldap:
LDAP::State
&optional
(present if base/protocols/ldap/main.zeek is loaded)
-
modbus:
Modbus::Info
&optional
(present if base/protocols/modbus/main.zeek is loaded)
-
mqtt:
MQTT::ConnectInfo
&optional
(present if base/protocols/mqtt/main.zeek is loaded)
-
mqtt_state:
MQTT::State
&optional
(present if base/protocols/mqtt/main.zeek is loaded)
-
mysql:
MySQL::Info
&optional
(present if base/protocols/mysql/main.zeek is loaded)
-
ntlm:
NTLM::Info
&optional
(present if base/protocols/ntlm/main.zeek is loaded)
-
ntp:
NTP::Info
&optional
(present if base/protocols/ntp/main.zeek is loaded)
-
postgresql:
PostgreSQL::Info
&optional
(present if base/protocols/postgresql/main.zeek is loaded)
-
postgresql_state:
PostgreSQL::State
&optional
(present if base/protocols/postgresql/main.zeek is loaded)
-
quic:
QUIC::Info
&optional
(present if base/protocols/quic/main.zeek is loaded)
-
radius:
RADIUS::Info
&optional
(present if base/protocols/radius/main.zeek is loaded)
-
rdp:
RDP::Info
&optional
(present if base/protocols/rdp/main.zeek is loaded)
-
redis:
Redis::Info
&optional
(present if base/protocols/redis/main.zeek is loaded)
-
redis_state:
Redis::State
&optional
(present if base/protocols/redis/main.zeek is loaded)
-
rfb:
RFB::Info
&optional
(present if base/protocols/rfb/main.zeek is loaded)
-
sip:
SIP::Info
&optional
(present if base/protocols/sip/main.zeek is loaded)
-
sip_state:
SIP::State
&optional
(present if base/protocols/sip/main.zeek is loaded)
-
snmp:
SNMP::Info
&optional
(present if base/protocols/snmp/main.zeek is loaded)
-
smb_state:
SMB::State
&optional
(present if base/protocols/smb/main.zeek is loaded)
-
smtp:
SMTP::Info
&optional
(present if base/protocols/smtp/main.zeek is loaded)
-
smtp_state:
SMTP::State
&optional
(present if base/protocols/smtp/main.zeek is loaded)
-
socks:
SOCKS::Info
&optional
(present if base/protocols/socks/main.zeek is loaded)
-
ssh:
SSH::Info
&optional
(present if base/protocols/ssh/main.zeek is loaded)
-
syslog:
Syslog::Info
&optional
(present if base/protocols/syslog/main.zeek is loaded)
-
websocket:
WebSocket::Info
&optional
(present if base/protocols/websocket/main.zeek is loaded)
-
packet_segment:
string
&optional
&log
(present if policy/frameworks/analyzer/packet-segment-logging.zeek is loaded)
A chunk of the payload that most likely resulted in a analyzer violation.
-
known_services_done:
bool
&default
=F
&optional
(present if policy/protocols/conn/known-services.zeek is loaded)
-
dpd:
DPD::Info
&optional
(present if policy/frameworks/analyzer/deprecated-dpd-log.zeek is loaded)
-
duration:
A connection. This is Zeek’s basic connection type describing IP- and transport-layer information about the conversation. Note that Zeek uses a liberal interpretation of “connection” and associates instances of this type also with UDP and ICMP flows.
- count_set
-
A set of counts.
Todo
We need this type definition only for declaring builtin functions via
bifcl
. We should extendbifcl
to understand composite types directly and then remove this alias.
- dns_answer
- Type:
- Fields:
The general part of a DNS reply.
See also:
dns_AAAA_reply
,dns_A_reply
,dns_CNAME_reply
,dns_HINFO_reply
,dns_MX_reply
,dns_NS_reply
,dns_PTR_reply
,dns_SOA_reply
,dns_SRV_reply
,dns_TXT_reply
,dns_WKS_reply
- dns_binds_rr
- Type:
- Fields:
-
-
complte_flag:
string
&deprecated
= ... complete flag.
-
complte_flag:
A Private RR type BINDS record.
See also:
dns_BINDS
- dns_dnskey_rr
- Type:
- Fields:
A DNSSEC DNSKEY record.
See also:
dns_DNSKEY
- dns_edns_additional
- Type:
- Fields:
An additional DNS EDNS record.
See also:
dns_EDNS_addl
- dns_edns_cookie
- Type:
- Fields:
An DNS EDNS COOKIE (COOKIE) record.
See also:
dns_EDNS_cookie
- dns_edns_ecs
- Type:
- Fields:
An DNS EDNS Client Subnet (ECS) record.
See also:
dns_EDNS_ecs
- dns_edns_tcp_keepalive
- Type:
- Fields:
An DNS EDNS TCP KEEPALIVE (TCP KEEPALIVE) record.
See also:
dns_EDNS_tcp_keepalive
- dns_loc_rr
- Type:
- Fields:
A Private RR type LOC record.
See also:
dns_LOC
- dns_mapping
- Type:
- Fields:
-
creation_time:
time
The time when the mapping was created, which corresponds to when the DNS query was sent out.
-
req_host:
string
If the mapping is the result of a name lookup, the queried host name; otherwise empty.
-
req_addr:
addr
If the mapping is the result of a pointer lookup, the queried address; otherwise null.
-
creation_time:
- dns_msg
- Type:
- Fields:
A DNS message.
See also:
dns_AAAA_reply
,dns_A_reply
,dns_CNAME_reply
,dns_EDNS_addl
,dns_HINFO_reply
,dns_MX_reply
,dns_NS_reply
,dns_PTR_reply
,dns_SOA_reply
,dns_SRV_reply
,dns_TSIG_addl
,dns_TXT_reply
,dns_WKS_reply
,dns_end
,dns_message
,dns_query_reply
,dns_rejected
,dns_request
- dns_nsec3_rr
- Type:
- Fields:
-
-
bitmaps:
string_vec
Type Bit Maps.
-
bitmaps:
A DNSSEC NSEC3 record.
See also:
dns_NSEC3
- dns_nsec3param_rr
- Type:
- Fields:
A DNSSEC NSEC3PARAM record.
See also:
dns_NSEC3PARAM
- dns_rrsig_rr
- Type:
- Fields:
A DNSSEC RRSIG record.
See also:
dns_RRSIG
- dns_soa
- Type:
- Fields:
A DNS SOA record.
See also:
dns_SOA_reply
- dns_svcb_rr
- Type:
- Fields:
DNS SVCB and HTTPS RRs
- dns_tsig_additional
- Type:
- Fields:
An additional DNS TSIG record.
See also:
dns_TSIG_addl
- double_vec
-
A vector of floating point numbers, used by telemetry builtin functions to store histogram bounds.
Todo
We need this type definition only for declaring builtin functions via
bifcl
. We should extendbifcl
to understand composite types directly and then remove this alias.
- endpoint
- Type:
- Fields:
-
-
state:
count
Endpoint state. For a TCP connection, one of the constants:
TCP_INACTIVE
TCP_SYN_SENT
TCP_SYN_ACK_SENT
TCP_PARTIAL
TCP_ESTABLISHED
TCP_CLOSED
TCP_RESET
. For UDP, one ofUDP_ACTIVE
andUDP_INACTIVE
.
-
num_pkts:
count
&optional
Number of packets sent. Only set if
use_conn_size_analyzer
is true.
-
num_bytes_ip:
count
&optional
Number of IP-level bytes sent. Only set if
use_conn_size_analyzer
is true.
-
state:
Statistics about a
connection
endpoint.See also:
connection
- endpoint_stats
- Type:
- Fields:
-
-
endian_type:
count
Endian type used by the endpoint, if it could be determined from the sequence numbers used. This is one of
ENDIAN_UNKNOWN
,ENDIAN_BIG
,ENDIAN_LITTLE
, andENDIAN_CONFUSED
.
-
endian_type:
Statistics about what a TCP endpoint sent.
See also:
conn_stats
- entropy_test_result
- Type:
- Fields:
Computed entropy values. The record captures a number of measures that are computed in parallel. See A Pseudorandom Number Sequence Test Program for more information, Zeek uses the same code.
See also:
entropy_test_add
,entropy_test_finish
,entropy_test_init
,find_entropy
- event_metadata_vec
- Type:
A type alias for event metadata.
- fa_file
- Type:
- Fields:
-
-
parent_id:
string
&optional
Identifier associated with a container file from which this one was extracted as part of the file analysis.
-
source:
string
An identification of the source of the file data. E.g. it may be a network protocol over which it was transferred, or a local file path including filename which was read, or some other input source. Examples are: “HTTP”, “SMTP”, “IRC_DATA”, or the filename, or even the full path and filename.
-
is_orig:
bool
&optional
If the source of this file is a network connection, this field may be set to indicate the directionality.
-
conns:
table
[conn_id
] ofconnection
&optional
The set of connections over which the file was transferred.
-
seen_bytes:
count
&default
=0
&optional
Number of bytes provided to the file analysis engine for the file.
-
missing_bytes:
count
&default
=0
&optional
The number of bytes in the file stream that were completely missed during the process of analysis e.g. due to dropped packets.
-
overflow_bytes:
count
&default
=0
&optional
The number of bytes in the file stream that were not delivered to stream file analyzers. Generally, this consists of bytes that couldn’t be reassembled, either because reassembly simply isn’t enabled, or due to size limitations of the reassembly buffer.
-
timeout_interval:
interval
&default
=default_file_timeout_interval
&optional
The amount of time between receiving new data for this file that the analysis engine will wait before giving up on it.
-
bof_buffer_size:
count
&default
=default_file_bof_buffer_size
&optional
The number of bytes at the beginning of a file to save for later inspection in the bof_buffer field.
-
bof_buffer:
string
&optional
The content of the beginning of a file up to bof_buffer_size bytes. This is also the buffer that’s used for file/mime type detection.
-
info:
Files::Info
&optional
(present if base/frameworks/files/main.zeek is loaded)
-
ftp:
FTP::Info
&optional
(present if base/protocols/ftp/files.zeek is loaded)
-
http:
HTTP::Info
&optional
(present if base/protocols/http/entities.zeek is loaded)
-
irc:
IRC::Info
&optional
(present if base/protocols/irc/files.zeek is loaded)
-
pe:
PE::Info
&optional
(present if base/files/pe/main.zeek is loaded)
-
parent_id:
- Attributes:
File Analysis handle for a file that Zeek is analyzing. This holds information about, but not the content of, a conceptual “file”; essentially any byte stream that is e.g. pulled from a network connection or possibly some other input source. Note that fa_file is also used in cases where there isn’t a filename to be had.
- fa_metadata
- Type:
- Fields:
-
-
mime_types:
mime_matches
&optional
All matching MIME types if any were discovered.
-
mime_types:
File Analysis metadata that’s been inferred about a particular file.
- files_tag_set
- Type:
A set of file analyzer tags.
Todo
We need this type definition only for declaring builtin functions via
bifcl
. We should extendbifcl
to understand composite types directly and then remove this alias.
- flow_id
- Type:
- Fields:
- Attributes:
The identifying 4-tuple of a uni-directional flow.
Note
It’s actually a 5-tuple: the transport-layer protocol is stored as part of the port values, src_p and dst_p, and can be extracted from them with
get_port_transport_proto
.
- from_json_result
- Type:
- Fields:
Return type for from_json BIF.
See also:
from_json
- ftp_port
- Type:
- Fields:
A parsed host/port combination describing server endpoint for an upcoming data transfer.
See also:
fmt_ftp_port
,parse_eftp_port
,parse_ftp_epsv
,parse_ftp_pasv
,parse_ftp_port
- geo_autonomous_system
- Type:
- Fields:
- Attributes:
GeoIP autonomous system information.
See also:
lookup_autonomous_system
- geo_location
- Type:
- Fields:
- Attributes:
GeoIP location information.
See also:
lookup_location
- gtp_access_point_name
- Type:
- gtp_charging_id
- Type:
- gtp_create_pdp_ctx_request_elements
- Type:
- Fields:
-
-
recovery:
gtp_recovery
&optional
-
select_mode:
gtp_selection_mode
&optional
-
charge_character:
gtp_charging_characteristics
&optional
-
trace_ref:
gtp_trace_reference
&optional
-
trace_type:
gtp_trace_type
&optional
-
end_user_addr:
gtp_end_user_addr
&optional
-
ap_name:
gtp_access_point_name
&optional
-
signal_addr:
gtp_gsn_addr
-
user_addr:
gtp_gsn_addr
-
msisdn:
gtp_msisdn
&optional
-
qos_prof:
gtp_qos_profile
-
trigger_id:
gtp_trigger_id
&optional
-
omc_id:
gtp_omc_id
&optional
-
recovery:
- gtp_create_pdp_ctx_response_elements
- Type:
- Fields:
-
-
reorder_req:
gtp_reordering_required
&optional
-
recovery:
gtp_recovery
&optional
-
charging_id:
gtp_charging_id
&optional
-
end_user_addr:
gtp_end_user_addr
&optional
-
cp_addr:
gtp_gsn_addr
&optional
-
user_addr:
gtp_gsn_addr
&optional
-
qos_prof:
gtp_qos_profile
&optional
-
charge_gateway:
gtp_charging_gateway_addr
&optional
-
reorder_req:
- gtp_delete_pdp_ctx_request_elements
- Type:
- Fields:
-
teardown_ind:
gtp_teardown_ind
&optional
-
teardown_ind:
- gtp_msisdn
- Type:
- gtp_omc_id
- Type:
- gtp_recovery
- Type:
- gtp_reordering_required
- Type:
- gtp_selection_mode
- Type:
- gtp_teardown_ind
- Type:
- gtp_teid_control_plane
- Type:
- gtp_trace_reference
- Type:
- gtp_trace_type
- Type:
- gtp_trigger_id
- Type:
- gtp_update_pdp_ctx_request_elements
- Type:
- Fields:
-
-
recovery:
gtp_recovery
&optional
-
trace_ref:
gtp_trace_reference
&optional
-
trace_type:
gtp_trace_type
&optional
-
cp_addr:
gtp_gsn_addr
-
user_addr:
gtp_gsn_addr
-
qos_prof:
gtp_qos_profile
-
trigger_id:
gtp_trigger_id
&optional
-
omc_id:
gtp_omc_id
&optional
-
end_user_addr:
gtp_end_user_addr
&optional
-
recovery:
- gtp_update_pdp_ctx_response_elements
- Type:
- Fields:
-
-
recovery:
gtp_recovery
&optional
-
charging_id:
gtp_charging_id
&optional
-
cp_addr:
gtp_gsn_addr
&optional
-
user_addr:
gtp_gsn_addr
&optional
-
qos_prof:
gtp_qos_profile
&optional
-
charge_gateway:
gtp_charging_gateway_addr
&optional
-
recovery:
- gtpv1_hdr
- Type:
- Fields:
-
-
e_flag:
bool
Extension Header flag. When 0, the next_type field may or may not be present, but shouldn’t be meaningful. When 1, next_type is present and meaningful.
-
s_flag:
bool
Sequence Number flag. When 0, the seq field may or may not be present, but shouldn’t be meaningful. When 1, seq is present and meaningful.
-
pn_flag:
bool
N-PDU flag. When 0, the n_pdu field may or may not be present, but shouldn’t be meaningful. When 1, n_pdu is present and meaningful.
-
length:
count
Length of the GTP packet payload (the rest of the packet following the mandatory 8-byte GTP header).
-
e_flag:
A GTPv1 (GPRS Tunneling Protocol) header.
- http_message_stat
- Type:
- Fields:
HTTP message statistics.
See also:
http_message_done
- http_stats_rec
- Type:
- Fields:
HTTP session statistics.
See also:
http_stats
- icmp6_nd_option
- Type:
- Fields:
-
-
len:
count
8-bit integer representing the length of the option (including the type and length fields) in units of 8 octets.
-
link_address:
string
&optional
Source Link-Layer Address (Type 1) or Target Link-Layer Address (Type 2). Byte ordering of this is dependent on the actual link-layer.
-
prefix:
icmp6_nd_prefix_info
&optional
Prefix Information (Type 3).
-
redirect:
icmp_context
&optional
Redirected header (Type 4). This field contains the context of the original, redirected packet.
-
len:
Options extracted from ICMPv6 neighbor discovery messages as specified by RFC 4861.
See also:
icmp_router_solicitation
,icmp_router_advertisement
,icmp_neighbor_advertisement
,icmp_neighbor_solicitation
,icmp_redirect
,icmp6_nd_options
- icmp6_nd_options
- Type:
A type alias for a vector of ICMPv6 neighbor discovery message options.
- icmp6_nd_prefix_info
- Type:
- Fields:
-
-
valid_lifetime:
interval
Length of time in seconds that the prefix is valid for purpose of on-link determination (0xffffffff represents infinity).
-
valid_lifetime:
Values extracted from a Prefix Information option in an ICMPv6 neighbor discovery message as specified by RFC 4861.
See also:
icmp6_nd_option
- icmp_context
- Type:
- Fields:
Packet context part of an ICMP message. The fields of this record reflect the packet that is described by the context.
See also:
icmp_time_exceeded
,icmp_unreachable
- icmp_hdr
-
Values extracted from an ICMP header.
See also:
pkt_hdr
,discarder_check_icmp
- icmp_info
- Type:
- Fields:
Specifics about an ICMP conversation/packet. ICMP events typically pass this in addition to
conn_id
.See also:
icmp_echo_reply
,icmp_echo_request
,icmp_redirect
,icmp_sent
,icmp_time_exceeded
,icmp_unreachable
- id_table
-
Table type used to map script-level identifiers to meta-information describing them.
See also:
global_ids
,script_id
Todo
We need this type definition only for declaring builtin functions via
bifcl
. We should extendbifcl
to understand composite types directly and then remove this alias.
- index_vec
-
A vector of counts, used by some builtin functions to store a list of indices.
Todo
We need this type definition only for declaring builtin functions via
bifcl
. We should extendbifcl
to understand composite types directly and then remove this alias.
- int_vec
-
A vector of integers, used by telemetry builtin functions to store histogram bounds.
Todo
We need this type definition only for declaring builtin functions via
bifcl
. We should extendbifcl
to understand composite types directly and then remove this alias.
- interval_set
-
A set of intervals.
Todo
We need this type definition only for declaring builtin functions via
bifcl
. We should extendbifcl
to understand composite types directly and then remove this alias.
- ip4_hdr
- Type:
- Fields:
Values extracted from an IPv4 header.
See also:
pkt_hdr
,ip6_hdr
,discarder_check_ip
- ip6_ah
- Type:
- Fields:
-
nxt:
count
Protocol number of the next header (RFC 1700 et seq., IANA assigned number), e.g.
IPPROTO_ICMP
.
-
nxt:
Values extracted from an IPv6 Authentication extension header.
See also:
pkt_hdr
,ip4_hdr
,ip6_hdr
,ip6_ext_hdr
- ip6_dstopts
- Type:
- Fields:
-
nxt:
count
Protocol number of the next header (RFC 1700 et seq., IANA assigned number), e.g.
IPPROTO_ICMP
.
-
options:
ip6_options
The TLV encoded options;
-
nxt:
Values extracted from an IPv6 Destination options extension header.
See also:
pkt_hdr
,ip4_hdr
,ip6_hdr
,ip6_ext_hdr
,ip6_option
- ip6_esp
-
Values extracted from an IPv6 ESP extension header.
See also:
pkt_hdr
,ip4_hdr
,ip6_hdr
,ip6_ext_hdr
- ip6_ext_hdr
- Type:
- Fields:
-
-
hopopts:
ip6_hopopts
&optional
Hop-by-hop option extension header.
-
dstopts:
ip6_dstopts
&optional
Destination option extension header.
-
routing:
ip6_routing
&optional
Routing extension header.
-
fragment:
ip6_fragment
&optional
Fragment header.
-
mobility:
ip6_mobility_hdr
&optional
Mobility header.
-
hopopts:
A general container for a more specific IPv6 extension header.
See also:
pkt_hdr
,ip4_hdr
,ip6_hopopts
,ip6_dstopts
,ip6_routing
,ip6_fragment
,ip6_ah
,ip6_esp
- ip6_ext_hdr_chain
- Type:
A type alias for a vector of IPv6 extension headers.
- ip6_fragment
- Type:
- Fields:
-
nxt:
count
Protocol number of the next header (RFC 1700 et seq., IANA assigned number), e.g.
IPPROTO_ICMP
.
-
nxt:
Values extracted from an IPv6 Fragment extension header.
See also:
pkt_hdr
,ip4_hdr
,ip6_hdr
,ip6_ext_hdr
- ip6_hdr
- Type:
- Fields:
-
-
nxt:
count
Protocol number of the next header (RFC 1700 et seq., IANA assigned number) e.g.
IPPROTO_ICMP
.
-
exts:
ip6_ext_hdr_chain
Extension header chain.
-
nxt:
Values extracted from an IPv6 header.
See also:
pkt_hdr
,ip4_hdr
,ip6_ext_hdr
,ip6_hopopts
,ip6_dstopts
,ip6_routing
,ip6_fragment
,ip6_ah
,ip6_esp
- ip6_hopopts
- Type:
- Fields:
-
nxt:
count
Protocol number of the next header (RFC 1700 et seq., IANA assigned number), e.g.
IPPROTO_ICMP
.
-
options:
ip6_options
The TLV encoded options;
-
nxt:
Values extracted from an IPv6 Hop-by-Hop options extension header.
See also:
pkt_hdr
,ip4_hdr
,ip6_hdr
,ip6_ext_hdr
,ip6_option
- ip6_mobility_back
- Type:
- Fields:
-
-
options:
vector
ofip6_option
Mobility Options.
-
options:
Values extracted from an IPv6 Mobility Binding Acknowledgement message.
See also:
ip6_mobility_hdr
,ip6_hdr
,ip6_ext_hdr
,ip6_mobility_msg
- ip6_mobility_be
- Type:
- Fields:
-
-
options:
vector
ofip6_option
Mobility Options.
-
options:
Values extracted from an IPv6 Mobility Binding Error message.
See also:
ip6_mobility_hdr
,ip6_hdr
,ip6_ext_hdr
,ip6_mobility_msg
- ip6_mobility_brr
-
Values extracted from an IPv6 Mobility Binding Refresh Request message.
See also:
ip6_mobility_hdr
,ip6_hdr
,ip6_ext_hdr
,ip6_mobility_msg
- ip6_mobility_bu
- Type:
- Fields:
-
-
options:
vector
ofip6_option
Mobility Options.
-
options:
Values extracted from an IPv6 Mobility Binding Update message.
See also:
ip6_mobility_hdr
,ip6_hdr
,ip6_ext_hdr
,ip6_mobility_msg
- ip6_mobility_cot
- Type:
- Fields:
-
-
options:
vector
ofip6_option
Mobility Options.
-
options:
Values extracted from an IPv6 Mobility Care-of Test message.
See also:
ip6_mobility_hdr
,ip6_hdr
,ip6_ext_hdr
,ip6_mobility_msg
- ip6_mobility_coti
- Type:
- Fields:
-
-
options:
vector
ofip6_option
Mobility Options.
-
options:
Values extracted from an IPv6 Mobility Care-of Test Init message.
See also:
ip6_mobility_hdr
,ip6_hdr
,ip6_ext_hdr
,ip6_mobility_msg
- ip6_mobility_hdr
- Type:
- Fields:
-
nxt:
count
Protocol number of the next header (RFC 1700 et seq., IANA assigned number), e.g.
IPPROTO_ICMP
.
-
msg:
ip6_mobility_msg
Mobility header message
-
nxt:
Values extracted from an IPv6 Mobility header.
See also:
pkt_hdr
,ip4_hdr
,ip6_hdr
,ip6_ext_hdr
- ip6_mobility_hot
- Type:
- Fields:
-
-
options:
vector
ofip6_option
Mobility Options.
-
options:
Values extracted from an IPv6 Mobility Home Test message.
See also:
ip6_mobility_hdr
,ip6_hdr
,ip6_ext_hdr
,ip6_mobility_msg
- ip6_mobility_hoti
- Type:
- Fields:
-
-
options:
vector
ofip6_option
Mobility Options.
-
options:
Values extracted from an IPv6 Mobility Home Test Init message.
See also:
ip6_mobility_hdr
,ip6_hdr
,ip6_ext_hdr
,ip6_mobility_msg
- ip6_mobility_msg
- Type:
- Fields:
-
-
brr:
ip6_mobility_brr
&optional
Binding Refresh Request.
-
hoti:
ip6_mobility_hoti
&optional
Home Test Init.
-
coti:
ip6_mobility_coti
&optional
Care-of Test Init.
-
hot:
ip6_mobility_hot
&optional
Home Test.
-
cot:
ip6_mobility_cot
&optional
Care-of Test.
-
bu:
ip6_mobility_bu
&optional
Binding Update.
-
back:
ip6_mobility_back
&optional
Binding Acknowledgement.
-
be:
ip6_mobility_be
&optional
Binding Error.
-
brr:
Values extracted from an IPv6 Mobility header’s message data.
See also:
ip6_mobility_hdr
,ip6_hdr
,ip6_ext_hdr
- ip6_option
- Type:
- Fields:
Values extracted from an IPv6 extension header’s (e.g. hop-by-hop or destination option headers) option field.
See also:
ip6_hdr
,ip6_ext_hdr
,ip6_hopopts
,ip6_dstopts
- ip6_options
- Type:
vector
ofip6_option
A type alias for a vector of IPv6 options.
- ip6_routing
- Type:
- Fields:
-
nxt:
count
Protocol number of the next header (RFC 1700 et seq., IANA assigned number), e.g.
IPPROTO_ICMP
.
-
nxt:
Values extracted from an IPv6 Routing extension header.
See also:
pkt_hdr
,ip4_hdr
,ip6_hdr
,ip6_ext_hdr
- irc_join_info
-
IRC join information.
See also:
irc_join_list
- irc_join_list
- Type:
Set of IRC join information.
See also:
irc_join_message
- l2_hdr
- Type:
- Fields:
-
encap:
link_encap
L2 link encapsulation.
-
proto:
layer3_proto
L3 protocol.
-
encap:
Values extracted from the layer 2 header.
See also:
pkt_hdr
- mime_header_list
- Type:
table
[count
] ofmime_header_rec
A list of MIME headers.
See also:
mime_header_rec
,http_all_headers
,mime_all_headers
- mime_header_rec
- Type:
- Fields:
A MIME header key/value pair.
See also:
mime_header_list
,http_all_headers
,mime_all_headers
,mime_one_header
- mime_match
- Type:
- Fields:
A structure indicating a MIME type and strength of a match against file magic signatures.
- mime_matches
- Type:
vector
ofmime_match
A vector of file magic signature matches, ordered by strength of the signature, strongest first.
- pcap_packet
- Type:
- Fields:
-
ts_sec:
count
The non-fractional part of the packet’s timestamp (i.e., full seconds since the epoch).
-
link_type:
link_encap
Layer 2 link encapsulation type.
-
ts_sec:
Policy-level representation of a packet passed on by libpcap. The data includes the complete packet as returned by libpcap, including the link-layer header.
See also:
dump_packet
,get_current_packet
- pkt_hdr
- Type:
- Fields:
A packet header, consisting of an IP header and transport-layer header.
See also:
new_packet
- pkt_profile_modes
- Type:
-
- PKT_PROFILE_MODE_NONE
No output.
- PKT_PROFILE_MODE_SECS
Output every
pkt_profile_freq
seconds.
- PKT_PROFILE_MODE_PKTS
Output every
pkt_profile_freq
packets.
- PKT_PROFILE_MODE_BYTES
Output every
pkt_profile_freq
bytes.
Output modes for packet profiling information.
See also:
pkt_profile_mode
,pkt_profile_freq
,pkt_profile_file
- pm_callit_request
- Type:
- Fields:
An RPC portmapper callit request.
See also:
pm_attempt_callit
,pm_request_callit
- pm_mapping
- Type:
- Fields:
An RPC portmapper mapping.
See also:
pm_mappings
- pm_mappings
- Type:
table
[count
] ofpm_mapping
Table of RPC portmapper mappings.
See also:
pm_request_dump
- pm_port_request
- Type:
- Fields:
An RPC portmapper request.
See also:
pm_attempt_getport
,pm_request_getport
- psk_identity_vec
- Type:
- raw_pkt_hdr
- Type:
- Fields:
A raw packet header, consisting of L2 header and everything in
pkt_hdr
. .See also:
raw_packet
,pkt_hdr
- record_field
- Type:
- Fields:
-
-
value:
any
&optional
The current value of the field in the record instance passed into
record_fields
(if it has one).
-
value:
Meta-information about a record field.
See also:
record_fields
,record_field_table
- record_field_table
- Type:
table
[string
] ofrecord_field
Table type used to map record field declarations to meta-information describing them.
See also:
record_fields
,record_field
Todo
We need this type definition only for declaring builtin functions via
bifcl
. We should extendbifcl
to understand composite types directly and then remove this alias.
- rotate_info
- Type:
- Fields:
See also:
rotate_file
,rotate_file_by_name
- script_id
- Type:
- Fields:
Meta-information about a script-level identifier.
See also:
global_ids
,id_table
- signature_and_hashalgorithm_vec
- Type:
A vector of Signature and Hash Algorithms.
Todo
We need this type definition only for declaring builtin functions via
bifcl
. We should extendbifcl
to understand composite types directly and then remove this alias.
- signature_state
- Type:
- Fields:
-
-
conn:
connection
Matching connection.
-
conn:
Description of a signature match.
See also:
signature_match
- string_any_file_hook
-
A hook taking a fa_file, an any, and a string. Used by the X509 analyzer as callback.
Todo
We need this type definition only for declaring builtin functions via
bifcl
. We should extendbifcl
to understand composite types directly and then remove this alias.
- string_any_table
-
A string-table of any.
Todo
We need this type definition only for declaring builtin functions via
bifcl
. We should extendbifcl
to understand composite types directly and then remove this alias.
- string_array
-
An ordered array of strings. The entries are indexed by successive numbers. Note that it depends on the usage whether the first index is zero or one.
Todo
We need this type definition only for declaring builtin functions via
bifcl
. We should extendbifcl
to understand composite types directly and then remove this alias.
- string_mapper
-
Function mapping a string to a string.
Todo
We need this type definition only for declaring builtin functions via
bifcl
. We should extendbifcl
to understand composite types directly and then remove this alias.
- string_set
-
A set of strings.
Todo
We need this type definition only for declaring builtin functions via
bifcl
. We should extendbifcl
to understand composite types directly and then remove this alias.
- string_vec
-
A vector of strings.
Todo
We need this type definition only for declaring builtin functions via
bifcl
. We should extendbifcl
to understand composite types directly and then remove this alias.
- subnet_set
-
A set of subnets.
Todo
We need this type definition only for declaring builtin functions via
bifcl
. We should extendbifcl
to understand composite types directly and then remove this alias.
- subnet_vec
-
A vector of subnets.
Todo
We need this type definition only for declaring builtin functions via
bifcl
. We should extendbifcl
to understand composite types directly and then remove this alias.
- sw_align
- Type:
- Fields:
Helper type for return value of Smith-Waterman algorithm.
See also:
str_smith_waterman
,sw_substring_vec
,sw_substring
,sw_align_vec
,sw_params
- sw_align_vec
-
Helper type for return value of Smith-Waterman algorithm.
See also:
str_smith_waterman
,sw_substring_vec
,sw_substring
,sw_align
,sw_params
- sw_params
- Type:
- Fields:
Parameters for the Smith-Waterman algorithm.
See also:
str_smith_waterman
- sw_substring
- Type:
- Fields:
-
-
aligns:
sw_align_vec
All strings of which it’s a substring.
-
aligns:
Helper type for return value of Smith-Waterman algorithm.
See also:
str_smith_waterman
,sw_substring_vec
,sw_align_vec
,sw_align
,sw_params
- sw_substring_vec
- Type:
Return type for Smith-Waterman algorithm.
See also:
str_smith_waterman
,sw_substring
,sw_align_vec
,sw_align
,sw_params
Todo
We need this type definition only for declaring builtin functions via
bifcl
. We should extendbifcl
to understand composite types directly and then remove this alias.
- table_string_of_count
-
A table of counts indexed by strings.
Todo
We need this type definition only for declaring builtin functions via
bifcl
. We should extendbifcl
to understand composite types directly and then remove this alias.
- table_string_of_string
-
A table of strings indexed by strings.
Todo
We need this type definition only for declaring builtin functions via
bifcl
. We should extendbifcl
to understand composite types directly and then remove this alias.
- tcp_hdr
- Type:
- Fields:
Values extracted from a TCP header.
See also:
pkt_hdr
,discarder_check_tcp
- teredo_auth
- Type:
- Fields:
A Teredo origin indication header. See RFC 4380 for more information about the Teredo protocol.
See also:
teredo_bubble
,teredo_origin_indication
,teredo_authentication
,teredo_hdr
- teredo_hdr
- Type:
- Fields:
-
auth:
teredo_auth
&optional
Teredo authentication header.
-
origin:
teredo_origin
&optional
Teredo origin indication header.
-
auth:
A Teredo packet header. See RFC 4380 for more information about the Teredo protocol.
See also:
teredo_bubble
,teredo_origin_indication
,teredo_authentication
- teredo_origin
- Type:
- Fields:
A Teredo authentication header. See RFC 4380 for more information about the Teredo protocol.
See also:
teredo_bubble
,teredo_origin_indication
,teredo_authentication
,teredo_hdr
- transport_proto
-
A connection’s transport-layer protocol. Note that Zeek uses the term “connection” broadly, using flow semantics for ICMP and UDP.
- udp_hdr
-
Values extracted from a UDP header.
See also:
pkt_hdr
,discarder_check_udp
- var_sizes
-
Table type used to map variable names to their memory allocation.
Todo
We need this type definition only for declaring builtin functions via
bifcl
. We should extendbifcl
to understand composite types directly and then remove this alias.
- x509_opaque_vector
-
A vector of x509 opaques.
Todo
We need this type definition only for declaring builtin functions via
bifcl
. We should extendbifcl
to understand composite types directly and then remove this alias.
Hooks
- Telemetry::sync
-
Telemetry sync hook.
This hook is invoked when metrics are requested via functions
Telemetry::collect_metrics
andTelemetry::collect_histogram_metrics
, or just before Zeek collects metrics when being scraped through its Prometheus endpoint. Script writers can use it to synchronize (or mirror) metrics with the telemetry subsystem. For example, when tracking table or value footprints with gauges, the value in question can be set on an actualTelemetry::Gauge
instance during execution of this hook.Implementations should be lightweight, this hook may be called multiple times per minute.
Functions
- discarder_check_icmp
-
Function for skipping packets based on their ICMP header. If defined, this function will be called for all ICMP packets before Zeek performs any further analysis. If the function signals to discard a packet, no further processing will be performed on it.
- Parameters:
p – The IP and ICMP headers of the considered packet.
- Returns:
True if the packet should not be analyzed any further.
See also:
discarder_check_ip
,discarder_check_tcp
,discarder_check_udp
,discarder_maxlen
Note
This is very low-level functionality and potentially expensive. Avoid using it.
- discarder_check_ip
-
Function for skipping packets based on their IP header. If defined, this function will be called for all IP packets before Zeek performs any further analysis. If the function signals to discard a packet, no further processing will be performed on it.
- Parameters:
p – The IP header of the considered packet.
- Returns:
True if the packet should not be analyzed any further.
See also:
discarder_check_tcp
,discarder_check_udp
,discarder_check_icmp
,discarder_maxlen
Note
This is very low-level functionality and potentially expensive. Avoid using it.
- discarder_check_tcp
-
Function for skipping packets based on their TCP header. If defined, this function will be called for all TCP packets before Zeek performs any further analysis. If the function signals to discard a packet, no further processing will be performed on it.
- Parameters:
p – The IP and TCP headers of the considered packet.
d – Up to
discarder_maxlen
bytes of the TCP payload.
- Returns:
True if the packet should not be analyzed any further.
See also:
discarder_check_ip
,discarder_check_udp
,discarder_check_icmp
,discarder_maxlen
Note
This is very low-level functionality and potentially expensive. Avoid using it.
- discarder_check_udp
-
Function for skipping packets based on their UDP header. If defined, this function will be called for all UDP packets before Zeek performs any further analysis. If the function signals to discard a packet, no further processing will be performed on it.
- Parameters:
p – The IP and UDP headers of the considered packet.
d – Up to
discarder_maxlen
bytes of the UDP payload.
- Returns:
True if the packet should not be analyzed any further.
See also:
discarder_check_ip
,discarder_check_tcp
,discarder_check_icmp
,discarder_maxlen
Note
This is very low-level functionality and potentially expensive. Avoid using it.
- from_json_default_key_mapper
-
The default JSON key mapper function. Identity function.
- max_count
-
Returns maximum of two
count
values.- Parameters:
a – First value.
b – Second value.
- Returns:
The maximum of a and b.
- max_double
-
Returns maximum of two
double
values.- Parameters:
a – First value.
b – Second value.
- Returns:
The maximum of a and b.
- max_interval
-
Returns maximum of two
interval
values.- Parameters:
a – First value.
b – Second value.
- Returns:
The maximum of a and b.
- min_count
-
Returns minimum of two
count
values.- Parameters:
a – First value.
b – Second value.
- Returns:
The minimum of a and b.
- min_double
-
Returns minimum of two
double
values.- Parameters:
a – First value.
b – Second value.
- Returns:
The minimum of a and b.