base/init-bare.zeek¶
-
BinPAC¶
-
Cluster¶
-
DCE_RPC¶
-
DHCP¶
-
GLOBAL¶
-
JSON¶
-
KRB¶
-
MOUNT3¶
-
MQTT¶
-
NCP¶
-
NFS3¶
-
NTLM¶
-
NTP¶
-
PE¶
-
Pcap¶
-
RADIUS¶
-
RDP¶
-
Reporter¶
-
SMB¶
-
SMB1¶
-
SMB2¶
-
SNMP¶
-
SOCKS¶
-
SSH¶
-
SSL¶
-
TCP¶
-
Threading¶
-
Tunnel¶
-
Unified2¶
-
UnknownProtocol¶
-
Weird¶
-
X509¶
- Namespaces
BinPAC, Cluster, DCE_RPC, DHCP, GLOBAL, JSON, KRB, MOUNT3, MQTT, NCP, NFS3, NTLM, NTP, PE, Pcap, RADIUS, RDP, Reporter, SMB, SMB1, SMB2, SNMP, SOCKS, SSH, SSL, TCP, Threading, Tunnel, Unified2, UnknownProtocol, Weird, X509
- Imports
base/bif/CPP-load.bif.zeek, base/bif/const.bif.zeek, base/bif/event.bif.zeek, base/bif/option.bif.zeek, base/bif/packet_analysis.bif.zeek, base/bif/plugins/Zeek_KRB.types.bif.zeek, base/bif/plugins/Zeek_SNMP.types.bif.zeek, base/bif/reporter.bif.zeek, base/bif/stats.bif.zeek, base/bif/strings.bif.zeek, base/bif/supervisor.bif.zeek, base/bif/types.bif.zeek, base/bif/zeek.bif.zeek, base/frameworks/supervisor/api.zeek, base/packet-protocols
Summary¶
Runtime Options¶
The maximum payload size to allocate for the purpose of
payload information in |
|
How long a weird of a given type is allowed to keep state/counters in memory. |
|
Rate-limits weird names in the table globally instead of per connection/flow. |
|
The rate-limiting sampling rate. |
|
How many weirds of a given type to tolerate before sampling begins. |
|
Prevents rate-limiting sampling of any weirds named in the table. |
|
Default amount of bytes that file analysis will buffer in order to use for mime type matching. |
|
Default amount of time a file can be inactive before the file analysis gives up and discards any internal state related to the file. |
|
Checksums are ignored for all packets with a src address within this set of networks. |
|
Whether ports given in |
|
Defines UDP ports (source or destination) for which the contents of
either originator or responder streams should be delivered via
|
Redefinable Options¶
Maximum capacity, in bytes, that the BinPAC flowbuffer is allowed to grow to for use with incremental parsing of a given connection/analyzer. |
|
The initial capacity, in bytes, that will be allocated to the BinPAC flowbuffer of a given connection/analyzer. |
|
The threshold, in bytes, at which the BinPAC flowbuffer of a given
connection/analyzer will have its capacity contracted to
|
|
The maximum number of simultaneous fragmented commands that the DCE_RPC analyzer will tolerate before the it will generate a weird and skip further input. |
|
The maximum number of fragmented bytes that the DCE_RPC analyzer will tolerate on a command before the analyzer will generate a weird and skip further input. |
|
Kerberos keytab file name. |
|
The maximum number of bytes to allocate when parsing NCP frames. |
|
If true, |
|
If |
|
If |
|
Number of Mbytes to provide as buffer space when capturing from live interfaces. |
|
Number of bytes per packet to capture from live interfaces. |
|
Tunable for sending reporter error messages to STDERR. |
|
Tunable for sending reporter info messages to STDERR. |
|
Tunable for sending reporter warning messages to STDERR. |
|
A set of file names used as named pipes over SMB. |
|
Maximum number of invalid version errors to report in one DTLS connection. |
|
Number of non-DTLS frames that can occur in a DTLS connection before parsing of the connection is suspended. |
|
The heartbeat interval used by the threading framework. |
|
With this set, the GTP analyzer waits until the most-recent upflow
and downflow packets are a valid GTPv1 encapsulation before
issuing |
|
With this set, the Teredo analyzer waits until it sees both sides
of a connection using a valid Teredo encapsulation before issuing
a |
|
Toggle whether to do IPv{4,6}-in-AYIYA decapsulation. |
|
Toggle whether to do GRE decapsulation. |
|
Toggle whether to do GTPv1 decapsulation. |
|
Toggle whether to do IPv{4,6}-in-IPv{4,6} decapsulation. |
|
Toggle whether to do IPv6-in-Teredo decapsulation. |
|
The set of UDP ports used for Geneve traffic. |
|
How often to cleanup internal state for inactive IP tunnels (includes GRE tunnels). |
|
The maximum depth of a tunnel to decapsulate until giving up. |
|
Whether to validate the checksum supplied in the outer UDP header of a VXLAN encapsulation. |
|
The set of UDP ports used for VXLAN traffic. |
|
The number of bytes to extract from the next header and log in the first bytes field. |
|
How long an analyzer/protocol pair is allowed to keep state/counters in in memory. |
|
The rate-limiting sampling rate. |
|
How many reports for an analyzer/protocol pair will be allowed to raise events before becoming rate-limited. |
|
Number of bits in UIDs that are generated to identify connections and files. |
|
If true, warns about unused event handlers at startup. |
|
BPF filter the user has set via the -f command line options. |
|
Whether to attempt to automatically detect SYN/FIN/RST-filtered trace and not report missing segments for such connections. |
|
This salt value is used for several message digests in Zeek. |
|
Time to wait before timing out a DNS request. |
|
Size of per-connection buffer used for dynamic protocol detection. |
|
If true, don’t consider any ports for deciding which protocol analyzer to use. |
|
If true, stops signature matching after a late match. |
|
If true, stops signature matching if |
|
Reassemble the beginning of all TCP connections before doing signature matching. |
|
Flag to prevent Zeek from exiting automatically when input is exhausted. |
|
Multiples of |
|
How long to hold onto fragments for possible reassembly. |
|
Seed for hashes computed internally for probabilistic data structures. |
|
If an ICMP flow is inactive, time it out after this interval. |
|
If true, don’t verify checksums. |
|
Ignore certain TCP retransmissions for |
|
Ports which the core considers being likely used by servers. |
|
Base time of log rotations in 24-hour time format ( |
|
The maximum number of timers to expire after processing each new packet. |
|
The directory containing MaxMind DB (.mmdb) files to use for GeoIP support. |
|
If a connection belongs to an application that we don’t analyze, time it out after this interval. |
|
Default mode for Zeek’s user-space dynamic packet filter. |
|
If true, instantiate connection state when a partial connection (one missing its initial establishment negotiation) is seen. |
|
Description transmitted to remote communication peers for identification. |
|
Frequency associated with packet profiling. |
|
Output mode for packet profiling information. |
|
Update interval for profiling (0 disables). |
|
If a trace file is given with |
|
Whether we want |
|
Time to wait before timing out an RPC request. |
|
If true, then write segment profiling information (very high volume!) in addition to profiling statistics. |
|
Maximum size of regular expression groups for signature matching. |
|
Skip HTTP data for performance considerations. |
|
Internal to the stepping stone detector. |
|
Internal to the stepping stone detector. |
|
When expiring table entries, wait this amount of time before checking the next chunk of entries. |
|
Check for expired table entries after this amount of time. |
|
When expiring/serializing table entries, don’t work on more than this many table entries at a time. |
|
If true, instantiate connection state when a SYN/ACK is seen but not the
initial SYN (even if |
|
Check up on the result of an initial SYN after this much time. |
|
Wait this long upon seeing an initial SYN before timing out the connection attempt. |
|
Upon seeing a normal connection close, flush state after this much time. |
|
When checking a closed connection for further activity, consider it inactive if there hasn’t been any for this long. |
|
If true, all TCP originator-side traffic is reported via
|
|
If true, all TCP responder-side traffic is reported via
|
|
Defines destination TCP ports for which the contents of the originator stream
should be delivered via |
|
Defines destination TCP ports for which the contents of the responder stream
should be delivered via |
|
If we’ve seen this much data without any of it being acked, we give up on that connection to avoid memory exhaustion due to buffering all that stuff. |
|
If a TCP connection is inactive, time it out after this interval. |
|
If true, pass any undelivered to the signature engine before flushing the state. |
|
If we’re not seeing our peer’s ACKs, the maximum volume of data above a sequence hole that we’ll tolerate before assuming that there’s been a packet drop and we should give up on tracking a connection. |
|
Maximum amount of data that might plausibly be sent in an initial flight (prior to receiving any acks). |
|
Number of TCP segments to buffer beyond what’s been acknowledged already to detect retransmission inconsistencies. |
|
Generate a |
|
For services without a handler, these sets define originator-side ports that still trigger reassembly. |
|
For services without a handler, these sets define responder-side ports that still trigger reassembly. |
|
Upon seeing a RST, flush state after this much time. |
|
After a connection has closed, wait this long for further activity before checking whether to time out its state. |
|
FINs/RSTs must come with this much time or less between them to be considered a “storm”. |
|
Number of FINs/RSTs in a row that constitute a “storm”. |
|
If true, output profiling for Time-Machine queries. |
|
Per-incident timer managers are drained after this amount of inactivity. |
|
Maximum length of HTTP URIs passed to events. |
|
If true, all UDP originator-side traffic is reported via
|
|
If true, all UDP responder-side traffic is reported via
|
|
Defines UDP destination ports for which the contents of the originator stream
should be delivered via |
|
Defines UDP destination ports for which the contents of the responder stream
should be delivered via |
|
If a UDP flow is inactive, time it out after this interval. |
|
Whether to use the |
|
Zeek’s watchdog interval. |
Constants¶
Record both originator and responder contents. |
|
Turn off recording of contents. |
|
Record originator contents. |
|
Record responder contents. |
|
An additional record. |
|
An answer record. |
|
An authoritative record. |
|
A query. |
|
Big endian. |
|
Tried to determine endian, but failed. |
|
Little endian. |
|
Endian not yet determined. |
|
Administratively prohibited. |
|
Host unreachable. |
|
Fragment needed. |
|
Network unreachable. |
|
Port unreachable. |
|
Protocol unreachable. |
|
IPv6 authentication header. |
|
IPv6 destination options header. |
|
IPv6 encapsulating security payload header. |
|
IPv6 fragment header. |
|
IPv6 hop-by-hop-options header. |
|
Control message protocol. |
|
ICMP for IPv6. |
|
Group management protocol. |
|
Dummy for IP. |
|
IP encapsulation in IP. |
|
IPv6 header. |
|
IPv6 mobility header. |
|
IPv6 no next header. |
|
Raw IP packet. |
|
IPv6 routing header. |
|
TCP. |
|
User datagram protocol. |
|
Mapping of numerical RPC status codes to readable messages. |
|
Unsigned 32-bit integer. |
|
Unsigned 64-bit integer. |
|
A NULL value. |
|
Signed 64-bit integer. |
|
An IP address. |
|
A NULL value. |
|
A NULL value. |
|
An octet string. |
|
An Object Identifier. |
|
An octet string. |
|
Unsigned 32-bit integer. |
|
Unsigned 32-bit integer. |
|
A NULL value. |
|
Endpoint has closed connection. |
|
Endpoint has finished initial handshake regularly. |
|
Endpoint is still inactive. |
|
Endpoint has sent data but no initial SYN. |
|
Endpoint has sent RST. |
|
Endpoint has sent SYN/ACK. |
|
Endpoint has sent SYN. |
|
ACK. |
|
FIN. |
|
Mask combining all flags. |
|
PUSH. |
|
RST. |
|
SYN. |
|
URG. |
|
Endpoint has sent something. |
|
Endpoint is still inactive. |
|
Holds the filename of the trace file given with |
|
Arguments given to Zeek from the command line. |
State Variables¶
Set of BPF capture filters to use for capturing, indexed by a user-definable ID (which must be unique). |
|
TODO. |
|
Maximum length of payload passed to discarder functions. |
|
If a DNS request includes more than this many queries, assume it’s non-DNS traffic and do not process it. |
|
For DNS servers in these sets, omit processing the ADDL records they include in their replies. |
|
If true, all DNS ADDL records are skipped. |
|
If true, all DNS AUTH records are skipped. |
|
For DNS servers in these sets, omit processing the AUTH records they include in their replies. |
|
Maximum number of HTTP entity data delivered to events. |
|
Network interfaces to listen on. |
|
Rate at which to generate |
|
TODO. |
|
TODO. |
|
TODO. |
|
TODO. |
|
TODO. |
|
The length of MIME data segments delivered to handlers of
|
|
The number of bytes of overlap between successive segments passed to
|
|
File where packet profiles are logged. |
|
Write profiling info into this file in regular intervals. |
|
Set of BPF filters to restrict capturing, indexed by a user-definable ID (which must be unique). |
|
Definition of “secondary filters”. |
|
|
Signature files to read. |
TODO. |
|
Internal to the stepping stone detector. |
Types¶
A representation of a Zeek script’s call stack. |
|
A representation of an element in a Zeek script’s call stack. |
|
Statistics about Broker communication. |
|
A pool used for distributing data/work among a set of cluster nodes. |
|
A list of addresses offered by a DHCP server. |
|
DHCP Client FQDN Option information (Option 81) |
|
DHCP Client Identifier (Option 61) .. |
|
A DHCP message. |
|
DHCP Relay Agent Information Option (Option 82) .. |
|
Statistics related to Zeek’s active use of DNS. |
|
A type alias for a vector of encapsulating “connections”, i.e. |
|
Statistics of file analysis. |
|
Statistics about number of gaps in TCP connections. |
|
AP Options. |
|
The data from the ERROR_MSG message. |
|
A Kerberos host address See RFC 4120. |
|
KDC Options. |
|
The data from the AS_REQ and TGS_REQ messages. |
|
The data from the AS_REQ and TGS_REQ messages. |
|
The data from the SAFE message. |
|
A Kerberos ticket. |
|
Used in a few places in the Kerberos analyzer for elements that have a type and a string value. |
|
MOUNT mnt arguments. |
|
Record summarizing the general results and status of MOUNT3 request/reply pairs. |
|
MOUNT lookup reply. |
|
Statistics of all regular expression matchers. |
|
A vector of boolean values that indicate the setting for a range of modbus coils. |
|
A vector of count values that represent 16bit modbus register values. |
|
NFS reply for remove, rmdir. |
|
NFS direntry. |
|
Vector of NFS direntry. |
|
NFS readdir arguments. |
|
NFS file attributes. |
|
NFS fsstat. |
|
Record summarizing the general results and status of NFSv3 request/reply pairs. |
|
NFS link reply. |
|
NFS link arguments. |
|
NFS lookup reply. |
|
NFS reply for create, mkdir, and symlink. |
|
NFS read reply. |
|
NFS read arguments. |
|
NFS readdir reply. |
|
NFS readdir arguments. |
|
NFS readline reply. |
|
NFS reply for rename. |
|
NFS rename arguments. |
|
NFS sattr reply. |
|
NFS file attributes. |
|
NFS sattr arguments. |
|
NFS symlink arguments. |
|
NFS symlinkdata attributes. |
|
NFS wcc attributes. |
|
NFS write reply. |
|
NFS write arguments. |
|
NTP control message as defined in RFC 1119 for mode=6 This record contains the fields used by the NTP protocol for control operations. |
|
NTP message as defined in RFC 5905. |
|
NTP mode 7 message. |
|
NTP standard message as defined in RFC 5905 for modes 1-5 This record contains the standard fields used by the NTP protocol for standard syncronization operations. |
|
Packet capture statistics. |
|
Record for Portable Executable (PE) section headers. |
|
Properties of an I/O packet source being read by Zeek. |
|
The definition of a “pcap interface”. |
|
Enum type identifying dynamic BPF filters. |
|
Statistics about Zeek’s process. |
|
Name and flags for a single channel requested by the client. |
|
The list of channels requested by the client. |
|
The TS_UD_CS_CLUSTER data block is sent by the client to the server either to advertise that it can support the Server Redirection PDUs or to request a connection to a given session identifier. |
|
The TS_UD_CS_SEC data block contains security-related information used to advertise client cryptographic support. |
|
Holds statistics for all types of reassembly. |
|
Statistics about reporter messages and weirds. |
|
An SMB1 header. |
|
The response to an SMB2 close request, which is used by the client to close an instance of a file that was opened previously. |
|
Compression information as defined in SMB v. |
|
The request sent by the client to request either creation of or access to a file. |
|
The response to an SMB2 create_request request, which is sent by the client to request either creation of or access to a file. |
|
Encryption information as defined in SMB v. |
|
A series of boolean flags describing basic and extended file attributes for SMB2. |
|
This information class is used to query or set extended attribute (EA) information for a file. |
|
A vector of extended attribute (EA) information for a file. |
|
A series of integers flags used to set quota and content indexing control information for a file system volume in SMB2. |
|
An SMB2 globally unique identifier which identifies a file. |
|
An SMB2 header. |
|
The context type information as defined in SMB v. |
|
The response to an SMB2 negotiate request, which is used by tghe client to notify the server what dialects of the SMB2 protocol the client understands. |
|
Preauthentication information as defined in SMB v. |
|
A flags field that indicates additional information about the session that’s sent in the session_setup response. |
|
The request sent by the client to request a new authenticated session within a new or existing SMB 2 Protocol transport connection to the server. |
|
The response to an SMB2 session_setup request, which is sent by the client to request a new authenticated session within a new or existing SMB 2 Protocol transport connection to the server. |
|
An SMB2 transform header (for SMB 3.x dialects with encryption enabled). |
|
The response to an SMB2 tree_connect request, which is sent by the client to request access to a particular share on the server. |
|
MAC times for a file. |
|
The |
|
A |
|
A |
|
A generic SNMP header data structure that may include data from any version of SNMP. |
|
The top-level message data structure of an SNMPv1 datagram, not including the PDU data. |
|
The top-level message data structure of an SNMPv2 datagram, not including the PDU data. |
|
The top-level message data structure of an SNMPv3 datagram, not including the PDU data. |
|
A generic SNMP object value, that may include any of the
valid |
|
The |
|
A |
|
This record is for a SOCKS client or server to provide either a name or an address to represent a desired or established connection. |
|
The client and server each have some preferences for the algorithms used in each direction. |
|
This record lists the preferences of an SSH endpoint for algorithm selection. |
|
Fields of a SYN packet. |
|
A TCP Option field parsed from a TCP header. |
|
The full list of TCP Option fields parsed from a TCP header. |
|
Statistics about threads. |
|
Statistics of timers. |
|
Records the identity of an encapsulating parent of a tunneled connection. |
|
Result of an X509 certificate chain verification |
|
A set of addresses. |
|
A vector of addresses. |
|
A vector of any, used by some builtin functions to store a list of varying types. |
|
A table of BitTorrent “benc” values. |
|
BitTorrent “benc” value. |
|
A BitTorrent peer. |
|
A set of BitTorrent peers. |
|
Header table type used by BitTorrent analyzer. |
|
Meta-information about a parameter to a function/event. |
|
Vector type used to capture parameters of a function/event call. |
|
A connection’s identifying 4-tuple of endpoints and ports. |
|
A connection. |
|
A set of counts. |
|
The general part of a DNS reply. |
|
A Private RR type BINDS record. |
|
A DNSSEC DNSKEY record. |
|
A DNSSEC DS record. |
|
An additional DNS EDNS record. |
|
An DNS EDNS COOKIE (COOKIE) record. |
|
An DNS EDNS Client Subnet (ECS) record. |
|
An DNS EDNS TCP KEEPALIVE (TCP KEEPALIVE) record. |
|
A Private RR type LOC record. |
|
A DNS message. |
|
A DNSSEC NSEC3 record. |
|
A DNSSEC NSEC3PARAM record. |
|
A DNSSEC RRSIG record. |
|
A DNS SOA record. |
|
An additional DNS TSIG record. |
|
A vector of floating point numbers, used by telemetry builtin functions to store histogram bounds. |
|
Statistics about a |
|
Statistics about what a TCP endpoint sent. |
|
Computed entropy values. |
|
File Analysis handle for a file that Zeek is analyzing. |
|
File Analysis metadata that’s been inferred about a particular file. |
|
A set of file analyzer tags. |
|
The identifying 4-tuple of a uni-directional flow. |
|
A parsed host/port combination describing server endpoint for an upcoming data transfer. |
|
GeoIP location information. |
|
A GTPv1 (GPRS Tunneling Protocol) header. |
|
HTTP message statistics. |
|
HTTP session statistics. |
|
Options extracted from ICMPv6 neighbor discovery messages as specified by RFC 4861. |
|
A type alias for a vector of ICMPv6 neighbor discovery message options. |
|
Values extracted from a Prefix Information option in an ICMPv6 neighbor discovery message as specified by RFC 4861. |
|
Specifics about an ICMP conversation. |
|
Packet context part of an ICMP message. |
|
Values extracted from an ICMP header. |
|
Specifics about an ICMP conversation/packet. |
|
Table type used to map script-level identifiers to meta-information describing them. |
|
A vector of counts, used by some builtin functions to store a list of indices. |
|
A vector of integers, used by telemetry builtin functions to store histogram bounds. |
|
A set of intervals. |
|
Values extracted from an IPv4 header. |
|
Values extracted from an IPv6 Authentication extension header. |
|
Values extracted from an IPv6 Destination options extension header. |
|
Values extracted from an IPv6 ESP extension header. |
|
A general container for a more specific IPv6 extension header. |
|
A type alias for a vector of IPv6 extension headers. |
|
Values extracted from an IPv6 Fragment extension header. |
|
Values extracted from an IPv6 header. |
|
Values extracted from an IPv6 Hop-by-Hop options extension header. |
|
Values extracted from an IPv6 Mobility Binding Acknowledgement message. |
|
Values extracted from an IPv6 Mobility Binding Error message. |
|
Values extracted from an IPv6 Mobility Binding Refresh Request message. |
|
Values extracted from an IPv6 Mobility Binding Update message. |
|
Values extracted from an IPv6 Mobility Care-of Test message. |
|
Values extracted from an IPv6 Mobility Care-of Test Init message. |
|
Values extracted from an IPv6 Mobility header. |
|
Values extracted from an IPv6 Mobility Home Test message. |
|
Values extracted from an IPv6 Mobility Home Test Init message. |
|
Values extracted from an IPv6 Mobility header’s message data. |
|
Values extracted from an IPv6 extension header’s (e.g. |
|
A type alias for a vector of IPv6 options. |
|
Values extracted from an IPv6 Routing extension header. |
|
IRC join information. |
|
Set of IRC join information. |
|
Values extracted from the layer 2 header. |
|
A list of MIME headers. |
|
A MIME header key/value pair. |
|
A structure indicating a MIME type and strength of a match against file magic signatures. |
|
A vector of file magic signature matches, ordered by strength of the signature, strongest first. |
|
Policy-level representation of a packet passed on by libpcap. |
|
A packet header, consisting of an IP header and transport-layer header. |
|
Output modes for packet profiling information. |
|
An RPC portmapper callit request. |
|
An RPC portmapper mapping. |
|
Table of RPC portmapper mappings. |
|
An RPC portmapper request. |
|
A raw packet header, consisting of L2 header and everything in
|
|
Meta-information about a record field. |
|
Table type used to map record field declarations to meta-information describing them. |
|
Meta-information about a script-level identifier. |
|
A vector of Signature and Hash Algorithms. |
|
Description of a signature match. |
|
A hook taking a fa_file, an any, and a string. |
|
A string-table of any. |
|
An ordered array of strings. |
|
A set of strings. |
|
A vector of strings. |
|
A vector of subnets. |
|
Helper type for return value of Smith-Waterman algorithm. |
|
Helper type for return value of Smith-Waterman algorithm. |
|
Parameters for the Smith-Waterman algorithm. |
|
Helper type for return value of Smith-Waterman algorithm. |
|
Return type for Smith-Waterman algorithm. |
|
A table of counts indexed by strings. |
|
A table of strings indexed by strings. |
|
Values extracted from a TCP header. |
|
A Teredo origin indication header. |
|
A Teredo packet header. |
|
A Teredo authentication header. |
|
A connection’s transport-layer protocol. |
|
Values extracted from a UDP header. |
|
Table type used to map variable names to their memory allocation. |
|
A vector of x509 opaques. |
Functions¶
Internal function. |
|
Internal function. |
|
Function for skipping packets based on their ICMP header. |
|
Function for skipping packets based on their IP header. |
|
Function for skipping packets based on their TCP header. |
|
Function for skipping packets based on their UDP header. |
|
Returns maximum of two |
|
Returns maximum of two |
|
Returns maximum of two |
|
Returns minimum of two |
|
Returns minimum of two |
|
Returns minimum of two |
Detailed Interface¶
Runtime Options¶
- MQTT::max_payload_size¶
-
The maximum payload size to allocate for the purpose of payload information in
mqtt_publishevents (and the default MQTT logs generated from that).
- Weird::sampling_duration¶
-
How long a weird of a given type is allowed to keep state/counters in memory. For “net” weirds an expiration timer starts per weird name when first initializing its counter. For “flow” weirds an expiration timer starts once per src/dst IP pair for the first weird of any name. For “conn” weirds, counters and expiration timers are kept for the duration of the connection for each named weird and reset when necessary. E.g. if a “conn” weird by the name of “foo” is seen more than
Weird::sampling_thresholdtimes, then an expiration timer begins for “foo” and upon triggering will reset the counter for “foo” and unthrottle its rate-limiting until it once again exceeds the threshold.
- Weird::sampling_global_list¶
-
Rate-limits weird names in the table globally instead of per connection/flow.
- Weird::sampling_rate¶
-
The rate-limiting sampling rate. One out of every of this number of rate-limited weirds of a given type will be allowed to raise events for further script-layer handling. Setting the sampling rate to 0 will disable all output of rate-limited weirds.
- Weird::sampling_threshold¶
-
How many weirds of a given type to tolerate before sampling begins. I.e. this many consecutive weirds of a given type will be allowed to raise events for script-layer handling before being rate-limited.
- Weird::sampling_whitelist¶
-
Prevents rate-limiting sampling of any weirds named in the table.
- default_file_bof_buffer_size¶
-
Default amount of bytes that file analysis will buffer in order to use for mime type matching. File analyzers attached at the time of mime type matching or later, will receive a copy of this buffer.
- default_file_timeout_interval¶
-
Default amount of time a file can be inactive before the file analysis gives up and discards any internal state related to the file.
- ignore_checksums_nets¶
-
Checksums are ignored for all packets with a src address within this set of networks. Useful for cases where a host might be seeing packets collected from local hosts before checksums were applied by hardware. This frequently manifests when sniffing a local management interface on a host and Zeek sees packets before the hardware has had a chance to apply the checksums.
- udp_content_delivery_ports_use_resp¶
-
Whether ports given in
udp_content_delivery_ports_origandudp_content_delivery_ports_respare in terms of UDP packet’s destination port or the UDP connection’s “responder” port.
- udp_content_ports¶
-
Defines UDP ports (source or destination) for which the contents of either originator or responder streams should be delivered via
udp_contents.See also:
tcp_content_delivery_ports_orig,tcp_content_delivery_ports_resp,tcp_content_deliver_all_orig,tcp_content_deliver_all_resp,udp_content_delivery_ports_orig,udp_content_deliver_all_orig,udp_content_deliver_all_resp,udp_contents,udp_content_delivery_ports_use_resp,udp_content_delivery_ports_resp
Redefinable Options¶
- BinPAC::flowbuffer_capacity_max¶
-
Maximum capacity, in bytes, that the BinPAC flowbuffer is allowed to grow to for use with incremental parsing of a given connection/analyzer.
- BinPAC::flowbuffer_capacity_min¶
-
The initial capacity, in bytes, that will be allocated to the BinPAC flowbuffer of a given connection/analyzer. If the buffer buffer is later contracted, its capacity is also reduced to this size.
- BinPAC::flowbuffer_contract_threshold¶
-
The threshold, in bytes, at which the BinPAC flowbuffer of a given connection/analyzer will have its capacity contracted to
BinPAC::flowbuffer_capacity_minafter parsing a full unit. I.e. this is the maximum capacity to reserve in between the parsing of units. If, after parsing a unit, the flowbuffer capacity is greater than this value, it will be contracted.
- DCE_RPC::max_cmd_reassembly¶
-
The maximum number of simultaneous fragmented commands that the DCE_RPC analyzer will tolerate before the it will generate a weird and skip further input.
- DCE_RPC::max_frag_data¶
-
The maximum number of fragmented bytes that the DCE_RPC analyzer will tolerate on a command before the analyzer will generate a weird and skip further input.
- KRB::keytab¶
-
Kerberos keytab file name. Used to decrypt tickets encountered on the wire.
- NCP::max_frame_size¶
-
The maximum number of bytes to allocate when parsing NCP frames.
- NFS3::return_data¶
-
If true,
nfs_proc_readandnfs_proc_writeevents return the file data that has been read/written.See also:
NFS3::return_data_max,NFS3::return_data_first_only
- NFS3::return_data_first_only¶
-
If
NFS3::return_datais true, whether to only return data if the read or write offset is 0, i.e., only return data for the beginning of the file.
- NFS3::return_data_max¶
-
If
NFS3::return_datais true, how much data should be returned at most.
- Pcap::bufsize¶
-
Number of Mbytes to provide as buffer space when capturing from live interfaces.
- Pcap::snaplen¶
-
Number of bytes per packet to capture from live interfaces.
- Reporter::errors_to_stderr¶
-
Tunable for sending reporter error messages to STDERR. The option to turn it off is presented here in case Zeek is being run by some external harness and shouldn’t output anything to the console.
- Reporter::info_to_stderr¶
-
Tunable for sending reporter info messages to STDERR. The option to turn it off is presented here in case Zeek is being run by some external harness and shouldn’t output anything to the console.
- Reporter::warnings_to_stderr¶
-
Tunable for sending reporter warning messages to STDERR. The option to turn it off is presented here in case Zeek is being run by some external harness and shouldn’t output anything to the console.
- SMB::pipe_filenames¶
- Type
- Attributes
- Default
{}- Redefinition
from base/protocols/smb/consts.zeek
=:spoolss, winreg, samr, srvsvc, netdfs, lsarpc, wkssvc, MsFteWds
A set of file names used as named pipes over SMB. This only comes into play as a heuristic to identify named pipes when the drive mapping wasn’t seen by Zeek.
See also:
smb_pipe_connect_heuristic
- SSL::dtls_max_reported_version_errors¶
-
Maximum number of invalid version errors to report in one DTLS connection.
- SSL::dtls_max_version_errors¶
-
Number of non-DTLS frames that can occur in a DTLS connection before parsing of the connection is suspended. DTLS does not immediately stop parsing a connection because other protocols might be interleaved in the same UDP “connection”.
- Threading::heartbeat_interval¶
-
The heartbeat interval used by the threading framework. Changing this should usually not be necessary and will break several tests.
- Tunnel::delay_gtp_confirmation¶
-
With this set, the GTP analyzer waits until the most-recent upflow and downflow packets are a valid GTPv1 encapsulation before issuing
protocol_confirmation. If it’s false, the first occurrence of a packet with valid GTPv1 encapsulation causes confirmation. Since the same inner connection can be carried differing outer upflow/downflow connections, setting to false may work better.
- Tunnel::delay_teredo_confirmation¶
-
With this set, the Teredo analyzer waits until it sees both sides of a connection using a valid Teredo encapsulation before issuing a
protocol_confirmation. If it’s false, the first occurrence of a packet with valid Teredo encapsulation causes a confirmation.
- Tunnel::enable_ayiya¶
-
Toggle whether to do IPv{4,6}-in-AYIYA decapsulation.
- Tunnel::enable_gre¶
-
Toggle whether to do GRE decapsulation.
- Tunnel::enable_gtpv1¶
-
Toggle whether to do GTPv1 decapsulation.
- Tunnel::enable_ip¶
-
Toggle whether to do IPv{4,6}-in-IPv{4,6} decapsulation.
- Tunnel::enable_teredo¶
-
Toggle whether to do IPv6-in-Teredo decapsulation.
- Tunnel::geneve_ports¶
-
The set of UDP ports used for Geneve traffic. Traffic using this UDP destination port will attempt to be decapsulated. Note that if if you customize this, you may still want to manually ensure that
likely_server_portsalso gets populated accordingly.
- Tunnel::ip_tunnel_timeout¶
-
How often to cleanup internal state for inactive IP tunnels (includes GRE tunnels).
- Tunnel::max_depth¶
-
The maximum depth of a tunnel to decapsulate until giving up. Setting this to zero will disable all types of tunnel decapsulation.
- Tunnel::validate_vxlan_checksums¶
-
Whether to validate the checksum supplied in the outer UDP header of a VXLAN encapsulation. The spec says the checksum should be transmitted as zero, but if not, then the decapsulating destination may choose whether to perform the validation.
- Tunnel::vxlan_ports¶
-
The set of UDP ports used for VXLAN traffic. Traffic using this UDP destination port will attempt to be decapsulated. Note that if if you customize this, you may still want to manually ensure that
likely_server_portsalso gets populated accordingly.
- UnknownProtocol::first_bytes_count¶
-
The number of bytes to extract from the next header and log in the first bytes field.
- UnknownProtocol::sampling_duration¶
-
How long an analyzer/protocol pair is allowed to keep state/counters in in memory. Once the threshold has been hit, this is the amount of time before the rate-limiting for a pair expires and is reset.
- UnknownProtocol::sampling_rate¶
-
The rate-limiting sampling rate. One out of every of this number of rate-limited pairs of a given type will be allowed to raise events for further script-layer handling. Setting the sampling rate to 0 will disable all output of rate-limited pairs.
- UnknownProtocol::sampling_threshold¶
-
How many reports for an analyzer/protocol pair will be allowed to raise events before becoming rate-limited.
- bits_per_uid¶
-
Number of bits in UIDs that are generated to identify connections and files. The larger the value, the more confidence in UID uniqueness. The maximum is currently 128 bits.
- check_for_unused_event_handlers¶
-
If true, warns about unused event handlers at startup.
- cmd_line_bpf_filter¶
-
BPF filter the user has set via the -f command line options. Empty if none.
- detect_filtered_trace¶
-
Whether to attempt to automatically detect SYN/FIN/RST-filtered trace and not report missing segments for such connections. If this is enabled, then missing data at the end of connections may not be reported via
content_gap.
- digest_salt¶
-
This salt value is used for several message digests in Zeek. We use a salt to help mitigate the possibility of an attacker manipulating source data to, e.g., mount complexity attacks or cause ID collisions. This salt is, for example, used by
get_file_handleto generate installation-unique file IDs (the id field offa_file).
- dns_session_timeout¶
-
Time to wait before timing out a DNS request.
- dpd_buffer_size¶
-
Size of per-connection buffer used for dynamic protocol detection. For each connection, Zeek buffers this initial amount of payload in memory so that complete protocol analysis can start even after the initial packets have already passed through (i.e., when a DPD signature matches only later). However, once the buffer is full, data is deleted and lost to analyzers that are activated afterwards. Then only analyzers that can deal with partial connections will be able to analyze the session.
See also:
dpd_reassemble_first_packets,dpd_match_only_beginning,dpd_ignore_ports
- dpd_ignore_ports¶
-
If true, don’t consider any ports for deciding which protocol analyzer to use.
See also:
dpd_reassemble_first_packets,dpd_buffer_size,dpd_match_only_beginning
- dpd_late_match_stop¶
- Type
- Attributes
- Default
F- Redefinition
from policy/protocols/conn/speculative-service.zeek
=:T
If true, stops signature matching after a late match. A late match may occur in case the DPD buffer is exhausted but a protocol signature matched. To allow late matching,
dpd_match_only_beginningmust be disabled.See also:
dpd_reassemble_first_packets,dpd_buffer_size,dpd_match_only_beginningNote
Despite the name, this option stops all signature matching, not only signatures used for dynamic protocol detection but is triggered by DPD signatures only.
- dpd_match_only_beginning¶
- Type
- Attributes
- Default
T- Redefinition
from policy/protocols/conn/speculative-service.zeek
=:F
If true, stops signature matching if
dpd_buffer_sizehas been reached.See also:
dpd_reassemble_first_packets,dpd_buffer_size,dpd_ignore_portsNote
Despite the name, this option affects all signature matching, not only signatures used for dynamic protocol detection.
- dpd_reassemble_first_packets¶
-
Reassemble the beginning of all TCP connections before doing signature matching. Enabling this provides more accurate matching at the expense of CPU cycles.
See also:
dpd_buffer_size,dpd_match_only_beginning,dpd_ignore_portsNote
Despite the name, this option affects all signature matching, not only signatures used for dynamic protocol detection.
- exit_only_after_terminate¶
-
Flag to prevent Zeek from exiting automatically when input is exhausted. Normally Zeek terminates when all packet sources have gone dry and communication isn’t enabled. If this flag is set, Zeek’s main loop will instead keep idling until
terminateis explicitly called.This is mainly for testing purposes when termination behaviour needs to be controlled for reproducing results.
- expensive_profiling_multiple¶
- Type
- Attributes
- Default
0- Redefinition
from policy/misc/profiling.zeek
=:20
Multiples of
profiling_intervalat which (more expensive) memory profiling is done (0 disables).See also:
profiling_interval,profiling_file,segment_profiling
- frag_timeout¶
- Type
- Attributes
- Default
0 secs- Redefinition
from policy/tuning/defaults/packet-fragments.zeek
=:5.0 mins
How long to hold onto fragments for possible reassembly. A value of 0.0 means “forever”, which resists evasion, but can lead to state accrual.
- global_hash_seed¶
-
Seed for hashes computed internally for probabilistic data structures. Using the same value here will make the hashes compatible between independent Zeek instances. If left unset, Zeek will use a temporary local seed.
- icmp_inactivity_timeout¶
-
If an ICMP flow is inactive, time it out after this interval. If 0 secs, then don’t time it out.
See also:
tcp_inactivity_timeout,udp_inactivity_timeout,set_inactivity_timeout
- ignore_checksums¶
-
If true, don’t verify checksums. Useful for running on altered trace files, and for saving a few cycles, but at the risk of analyzing invalid data. Note that the
-Ccommand-line option overrides the setting of this variable.
- ignore_keep_alive_rexmit¶
-
Ignore certain TCP retransmissions for
conn_stats. Some connections (e.g., SSH) retransmit the acknowledged last byte to keep the connection alive. If ignore_keep_alive_rexmit is set to true, such retransmissions will be excluded in the rexmit counter inconn_stats.See also:
conn_stats
- likely_server_ports¶
- Type
- Attributes
- Default
{}- Redefinition
from base/frameworks/tunnels/main.zeek
+=:Tunnel::ayiya_ports, Tunnel::teredo_ports, Tunnel::gtpv1_ports, Tunnel::vxlan_ports, Tunnel::geneve_ports
- Redefinition
from base/protocols/dce-rpc/main.zeek
+=:DCE_RPC::ports
- Redefinition
from base/protocols/dhcp/main.zeek
+=:67/udp
- Redefinition
from base/protocols/dnp3/main.zeek
+=:DNP3::ports
- Redefinition
from base/protocols/dns/main.zeek
+=:DNS::ports
- Redefinition
from base/protocols/ftp/main.zeek
+=:FTP::ports
- Redefinition
from base/protocols/ssl/main.zeek
+=:SSL::ssl_ports, SSL::dtls_ports
- Redefinition
from base/protocols/http/main.zeek
+=:HTTP::ports
- Redefinition
from base/protocols/imap/main.zeek
+=:IMAP::ports
- Redefinition
from base/protocols/irc/main.zeek
+=:IRC::ports
- Redefinition
from base/protocols/krb/main.zeek
+=:KRB::tcp_ports, KRB::udp_ports
- Redefinition
from base/protocols/modbus/main.zeek
+=:Modbus::ports
- Redefinition
from base/protocols/ntp/main.zeek
+=:NTP::ports
- Redefinition
from base/protocols/radius/main.zeek
+=:RADIUS::ports
- Redefinition
from base/protocols/rdp/main.zeek
+=:RDP::rdp_ports, RDP::rdpeudp_ports
- Redefinition
from base/protocols/sip/main.zeek
+=:SIP::ports
- Redefinition
from base/protocols/snmp/main.zeek
+=:SNMP::ports
- Redefinition
from base/protocols/smb/main.zeek
+=:SMB::ports
- Redefinition
from base/protocols/smtp/main.zeek
+=:SMTP::ports
- Redefinition
from base/protocols/socks/main.zeek
+=:SOCKS::ports
- Redefinition
from base/protocols/ssh/main.zeek
+=:SSH::ports
- Redefinition
from base/protocols/syslog/main.zeek
+=:Syslog::ports
- Redefinition
from base/protocols/xmpp/main.zeek
+=:XMPP::ports
- Redefinition
from policy/protocols/mqtt/main.zeek
+=:MQTT::ports
Ports which the core considers being likely used by servers. For ports in this set, it may heuristically decide to flip the direction of the connection if it misses the initial handshake.
- log_rotate_base_time¶
-
Base time of log rotations in 24-hour time format (
%H:%M), e.g. “12:00”.
- max_timer_expires¶
-
The maximum number of timers to expire after processing each new packet. The value trades off spreading out the timer expiration load with possibly having to hold state longer. A value of 0 means “process all expired timers with each new packet”.
- non_analyzed_lifetime¶
-
If a connection belongs to an application that we don’t analyze, time it out after this interval. If 0 secs, then don’t time it out (but
tcp_inactivity_timeout,udp_inactivity_timeout, andicmp_inactivity_timeoutstill apply).
- packet_filter_default¶
-
Default mode for Zeek’s user-space dynamic packet filter. If true, packets that aren’t explicitly allowed through, are dropped from any further processing.
Note
This is not the BPF packet filter but an additional dynamic filter that Zeek optionally applies just before normal processing starts.
See also:
install_dst_addr_filter,install_dst_net_filter,install_src_addr_filter,install_src_net_filter,uninstall_dst_addr_filter,uninstall_dst_net_filter,uninstall_src_addr_filter,uninstall_src_net_filter
- partial_connection_ok¶
-
If true, instantiate connection state when a partial connection (one missing its initial establishment negotiation) is seen.
- peer_description¶
-
Description transmitted to remote communication peers for identification.
- pkt_profile_freq¶
-
Frequency associated with packet profiling.
See also:
pkt_profile_modes,pkt_profile_mode,pkt_profile_file
- pkt_profile_mode¶
- Type
- Attributes
- Default
PKT_PROFILE_MODE_NONE
Output mode for packet profiling information.
See also:
pkt_profile_modes,pkt_profile_freq,pkt_profile_file
- profiling_interval¶
- Type
- Attributes
- Default
0 secs- Redefinition
from policy/misc/profiling.zeek
=:15.0 secs
Update interval for profiling (0 disables). The easiest way to activate profiling is loading policy/misc/profiling.zeek.
See also:
profiling_file,expensive_profiling_multiple,segment_profiling
- record_all_packets¶
-
If a trace file is given with
-w, dump all packets seen by Zeek into it. By default, Zeek applies (very few) heuristics to reduce the volume. A side effect of setting this to true is that we can write the packets out before we actually process them, which can be helpful for debugging in case the analysis triggers a crash.See also:
trace_output_file
- report_gaps_for_partial¶
-
Whether we want
content_gapfor partial connections. A connection is partial if it is missing a full handshake. Note that gap reports for partial connections might not be reliable.See also:
content_gap,partial_connection
- rpc_timeout¶
-
Time to wait before timing out an RPC request.
- segment_profiling¶
-
If true, then write segment profiling information (very high volume!) in addition to profiling statistics.
See also:
profiling_interval,expensive_profiling_multiple,profiling_file
- sig_max_group_size¶
-
Maximum size of regular expression groups for signature matching.
- skip_http_data¶
-
Skip HTTP data for performance considerations. The skipped portion will not go through TCP reassembly.
See also:
http_entity_data,skip_http_entity_data,http_entity_data_delivery_size
- stp_idle_min¶
-
Internal to the stepping stone detector.
- table_expire_delay¶
-
When expiring table entries, wait this amount of time before checking the next chunk of entries.
See also:
table_expire_interval,table_incremental_step
- table_expire_interval¶
-
Check for expired table entries after this amount of time.
See also:
table_incremental_step,table_expire_delay
- table_incremental_step¶
-
When expiring/serializing table entries, don’t work on more than this many table entries at a time.
See also:
table_expire_interval,table_expire_delay
- tcp_SYN_ack_ok¶
-
If true, instantiate connection state when a SYN/ACK is seen but not the initial SYN (even if
partial_connection_okis false).
- tcp_SYN_timeout¶
-
Check up on the result of an initial SYN after this much time.
- tcp_attempt_delay¶
-
Wait this long upon seeing an initial SYN before timing out the connection attempt.
- tcp_close_delay¶
-
Upon seeing a normal connection close, flush state after this much time.
- tcp_connection_linger¶
-
When checking a closed connection for further activity, consider it inactive if there hasn’t been any for this long. Complain if the connection is reused before this much time has elapsed.
- tcp_content_deliver_all_orig¶
-
If true, all TCP originator-side traffic is reported via
tcp_contents.See also:
tcp_content_delivery_ports_orig,tcp_content_delivery_ports_resp,tcp_content_deliver_all_resp,udp_content_delivery_ports_orig,udp_content_delivery_ports_resp,udp_content_deliver_all_orig,udp_content_deliver_all_resp,tcp_contents
- tcp_content_deliver_all_resp¶
-
If true, all TCP responder-side traffic is reported via
tcp_contents.See also:
tcp_content_delivery_ports_orig,tcp_content_delivery_ports_resp,tcp_content_deliver_all_orig,udp_content_delivery_ports_orig,udp_content_delivery_ports_resp,udp_content_deliver_all_orig,udp_content_deliver_all_resp,tcp_contents
- tcp_content_delivery_ports_orig¶
-
Defines destination TCP ports for which the contents of the originator stream should be delivered via
tcp_contents.See also:
tcp_content_delivery_ports_resp,tcp_content_deliver_all_orig,tcp_content_deliver_all_resp,udp_content_delivery_ports_orig,udp_content_delivery_ports_resp,udp_content_deliver_all_orig,udp_content_deliver_all_resp,tcp_contents
- tcp_content_delivery_ports_resp¶
-
Defines destination TCP ports for which the contents of the responder stream should be delivered via
tcp_contents.See also:
tcp_content_delivery_ports_orig,tcp_content_deliver_all_orig,tcp_content_deliver_all_resp,udp_content_delivery_ports_orig,udp_content_delivery_ports_resp,udp_content_deliver_all_orig,udp_content_deliver_all_resp,tcp_contents
- tcp_excessive_data_without_further_acks¶
-
If we’ve seen this much data without any of it being acked, we give up on that connection to avoid memory exhaustion due to buffering all that stuff. If set to zero, then we don’t ever give up. Ideally, Zeek would track the current window on a connection and use it to infer that data has in fact gone too far, but for now we just make this quite beefy.
See also:
tcp_max_initial_window,tcp_max_above_hole_without_any_acks
- tcp_inactivity_timeout¶
-
If a TCP connection is inactive, time it out after this interval. If 0 secs, then don’t time it out.
See also:
udp_inactivity_timeout,icmp_inactivity_timeout,set_inactivity_timeout
- tcp_match_undelivered¶
-
If true, pass any undelivered to the signature engine before flushing the state. If a connection state is removed, there may still be some data waiting in the reassembler.
- tcp_max_above_hole_without_any_acks¶
-
If we’re not seeing our peer’s ACKs, the maximum volume of data above a sequence hole that we’ll tolerate before assuming that there’s been a packet drop and we should give up on tracking a connection. If set to zero, then we don’t ever give up.
See also:
tcp_max_initial_window,tcp_excessive_data_without_further_acks
- tcp_max_initial_window¶
-
Maximum amount of data that might plausibly be sent in an initial flight (prior to receiving any acks). Used to determine whether we must not be seeing our peer’s ACKs. Set to zero to turn off this determination.
See also:
tcp_max_above_hole_without_any_acks,tcp_excessive_data_without_further_acks
- tcp_max_old_segments¶
-
Number of TCP segments to buffer beyond what’s been acknowledged already to detect retransmission inconsistencies. Zero disables any additonal buffering.
- tcp_partial_close_delay¶
-
Generate a
connection_partial_closeevent this much time after one half of a partial connection closes, assuming there has been no subsequent activity.
- tcp_reassembler_ports_orig¶
-
For services without a handler, these sets define originator-side ports that still trigger reassembly.
See also:
tcp_reassembler_ports_resp
- tcp_reassembler_ports_resp¶
-
For services without a handler, these sets define responder-side ports that still trigger reassembly.
See also:
tcp_reassembler_ports_orig
- tcp_reset_delay¶
-
Upon seeing a RST, flush state after this much time.
- tcp_session_timer¶
-
After a connection has closed, wait this long for further activity before checking whether to time out its state.
- tcp_storm_interarrival_thresh¶
-
FINs/RSTs must come with this much time or less between them to be considered a “storm”.
See also:
tcp_storm_thresh
- tcp_storm_thresh¶
-
Number of FINs/RSTs in a row that constitute a “storm”. Storms are reported as
weirdvia the notice framework, and they must also come within intervals of at mosttcp_storm_interarrival_thresh.See also:
tcp_storm_interarrival_thresh
- time_machine_profiling¶
-
If true, output profiling for Time-Machine queries.
- timer_mgr_inactivity_timeout¶
-
Per-incident timer managers are drained after this amount of inactivity.
- truncate_http_URI¶
-
Maximum length of HTTP URIs passed to events. Longer ones will be truncated to prevent over-long URIs (usually sent by worms) from slowing down event processing. A value of -1 means “do not truncate”.
See also:
http_request
- udp_content_deliver_all_orig¶
-
If true, all UDP originator-side traffic is reported via
udp_contents.See also:
tcp_content_delivery_ports_orig,tcp_content_delivery_ports_resp,tcp_content_deliver_all_resptcp_content_delivery_ports_orig,udp_content_delivery_ports_orig,udp_content_delivery_ports_resp,udp_content_deliver_all_resp,udp_contents,udp_content_delivery_ports_use_resp
- udp_content_deliver_all_resp¶
-
If true, all UDP responder-side traffic is reported via
udp_contents.See also:
tcp_content_delivery_ports_orig,tcp_content_delivery_ports_resp,tcp_content_deliver_all_resptcp_content_delivery_ports_orig,udp_content_delivery_ports_orig,udp_content_delivery_ports_resp,udp_content_deliver_all_orig,udp_contents,udp_content_delivery_ports_use_resp
- udp_content_delivery_ports_orig¶
-
Defines UDP destination ports for which the contents of the originator stream should be delivered via
udp_contents.See also:
tcp_content_delivery_ports_orig,tcp_content_delivery_ports_resp,tcp_content_deliver_all_orig,tcp_content_deliver_all_resp,udp_content_delivery_ports_resp,udp_content_deliver_all_orig,udp_content_deliver_all_resp,udp_contents,udp_content_delivery_ports_use_resp,udp_content_ports
- udp_content_delivery_ports_resp¶
-
Defines UDP destination ports for which the contents of the responder stream should be delivered via
udp_contents.See also:
tcp_content_delivery_ports_orig,tcp_content_delivery_ports_resp,tcp_content_deliver_all_orig,tcp_content_deliver_all_resp,udp_content_delivery_ports_orig,udp_content_deliver_all_orig,udp_content_deliver_all_resp,udp_contents,udp_content_delivery_ports_use_resp,udp_content_ports
- udp_inactivity_timeout¶
-
If a UDP flow is inactive, time it out after this interval. If 0 secs, then don’t time it out.
See also:
tcp_inactivity_timeout,icmp_inactivity_timeout,set_inactivity_timeout
- use_conn_size_analyzer¶
-
Whether to use the
ConnSizeanalyzer to count the number of packets and IP-level bytes transferred by each endpoint. If true, these values are returned in the connection’sendpointrecord value.
- watchdog_interval¶
-
Zeek’s watchdog interval.
Constants¶
- CONTENTS_BOTH¶
- Type
- Default
3
Record both originator and responder contents.
- CONTENTS_NONE¶
- Type
- Default
0
Turn off recording of contents.
- CONTENTS_ORIG¶
- Type
- Default
1
Record originator contents.
- CONTENTS_RESP¶
- Type
- Default
2
Record responder contents.
- ENDIAN_BIG¶
- Type
- Default
2
Big endian.
- ENDIAN_CONFUSED¶
- Type
- Default
3
Tried to determine endian, but failed.
- ENDIAN_LITTLE¶
- Type
- Default
1
Little endian.
- ENDIAN_UNKNOWN¶
- Type
- Default
0
Endian not yet determined.
- ICMP_UNREACH_ADMIN_PROHIB¶
- Type
- Default
13
Administratively prohibited.
- ICMP_UNREACH_HOST¶
- Type
- Default
1
Host unreachable.
- ICMP_UNREACH_NEEDFRAG¶
- Type
- Default
4
Fragment needed.
- ICMP_UNREACH_NET¶
- Type
- Default
0
Network unreachable.
- ICMP_UNREACH_PORT¶
- Type
- Default
3
Port unreachable.
- ICMP_UNREACH_PROTOCOL¶
- Type
- Default
2
Protocol unreachable.
- IPPROTO_AH¶
- Type
- Default
51
IPv6 authentication header.
- IPPROTO_DSTOPTS¶
- Type
- Default
60
IPv6 destination options header.
- IPPROTO_ESP¶
- Type
- Default
50
IPv6 encapsulating security payload header.
- IPPROTO_FRAGMENT¶
- Type
- Default
44
IPv6 fragment header.
- IPPROTO_HOPOPTS¶
- Type
- Default
0
IPv6 hop-by-hop-options header.
- IPPROTO_ICMP¶
- Type
- Default
1
Control message protocol.
- IPPROTO_ICMPV6¶
- Type
- Default
58
ICMP for IPv6.
- IPPROTO_IGMP¶
- Type
- Default
2
Group management protocol.
- IPPROTO_IP¶
- Type
- Default
0
Dummy for IP.
- IPPROTO_IPIP¶
- Type
- Default
4
IP encapsulation in IP.
- IPPROTO_IPV6¶
- Type
- Default
41
IPv6 header.
- IPPROTO_MOBILITY¶
- Type
- Default
135
IPv6 mobility header.
- IPPROTO_NONE¶
- Type
- Default
59
IPv6 no next header.
- IPPROTO_RAW¶
- Type
- Default
255
Raw IP packet.
- IPPROTO_ROUTING¶
- Type
- Default
43
IPv6 routing header.
- IPPROTO_TCP¶
- Type
- Default
6
TCP.
- IPPROTO_UDP¶
- Type
- Default
17
User datagram protocol.
- LOGIN_STATE_AUTHENTICATE¶
- Type
- Default
0
- LOGIN_STATE_CONFUSED¶
- Type
- Default
3
- LOGIN_STATE_LOGGED_IN¶
- Type
- Default
1
- LOGIN_STATE_SKIP¶
- Type
- Default
2
- RPC_status¶
- Type
table[rpc_status] ofstring- Default
{ [RPC_PROG_MISMATCH] = "mismatch", [RPC_AUTH_ERROR] = "auth error", [RPC_SYSTEM_ERR] = "system err", [RPC_PROC_UNAVAIL] = "proc unavail", [RPC_SUCCESS] = "ok", [RPC_UNKNOWN_ERROR] = "unknown", [RPC_TIMEOUT] = "timeout", [RPC_GARBAGE_ARGS] = "garbage args", [RPC_PROG_UNAVAIL] = "prog unavail" }
Mapping of numerical RPC status codes to readable messages.
See also:
pm_attempt_callit,pm_attempt_dump,pm_attempt_getport,pm_attempt_null,pm_attempt_set,pm_attempt_unset,rpc_dialogue,rpc_reply
- SNMP::OBJ_COUNTER32_TAG¶
- Type
- Default
65
Unsigned 32-bit integer.
- SNMP::OBJ_COUNTER64_TAG¶
- Type
- Default
70
Unsigned 64-bit integer.
- SNMP::OBJ_ENDOFMIBVIEW_TAG¶
- Type
- Default
130
A NULL value.
- SNMP::OBJ_INTEGER_TAG¶
- Type
- Default
2
Signed 64-bit integer.
- SNMP::OBJ_IPADDRESS_TAG¶
- Type
- Default
64
An IP address.
- SNMP::OBJ_NOSUCHINSTANCE_TAG¶
- Type
- Default
129
A NULL value.
- SNMP::OBJ_NOSUCHOBJECT_TAG¶
- Type
- Default
128
A NULL value.
- SNMP::OBJ_OCTETSTRING_TAG¶
- Type
- Default
4
An octet string.
- SNMP::OBJ_OID_TAG¶
- Type
- Default
6
An Object Identifier.
- SNMP::OBJ_OPAQUE_TAG¶
- Type
- Default
68
An octet string.
- SNMP::OBJ_TIMETICKS_TAG¶
- Type
- Default
67
Unsigned 32-bit integer.
- SNMP::OBJ_UNSIGNED32_TAG¶
- Type
- Default
66
Unsigned 32-bit integer.
- SNMP::OBJ_UNSPECIFIED_TAG¶
- Type
- Default
5
A NULL value.
- TCP_CLOSED¶
- Type
- Default
5
Endpoint has closed connection.
- TCP_ESTABLISHED¶
- Type
- Default
4
Endpoint has finished initial handshake regularly.
- TCP_INACTIVE¶
- Type
- Default
0
Endpoint is still inactive.
- TCP_PARTIAL¶
- Type
- Default
3
Endpoint has sent data but no initial SYN.
- TCP_SYN_ACK_SENT¶
- Type
- Default
2
Endpoint has sent SYN/ACK.
- TCP_SYN_SENT¶
- Type
- Default
1
Endpoint has sent SYN.
- UDP_ACTIVE¶
- Type
- Default
1
Endpoint has sent something.
- UDP_INACTIVE¶
- Type
- Default
0
Endpoint is still inactive.
- trace_output_file¶
- Type
- Default
""
Holds the filename of the trace file given with
-w(empty if none).See also:
record_all_packets
- zeek_script_args¶
-
Arguments given to Zeek from the command line. In order to use this, Zeek must use a
--command line argument immediately followed by a script file and additional arguments after that. For example:zeek --bare-mode -- myscript.zeek -a -b -c
To use Zeek as an executable interpreter, include a line at the top of a script like the following and make the script executable:
#!/usr/local/zeek/bin/zeek --
State Variables¶
- capture_filters¶
-
Set of BPF capture filters to use for capturing, indexed by a user-definable ID (which must be unique). If Zeek is not configured with
PacketFilter::enable_auto_protocol_capture_filters, all packets matching at least one of the filters in this table (and all inrestrict_filters) will be analyzed.See also:
PacketFilter,PacketFilter::enable_auto_protocol_capture_filters,PacketFilter::unrestricted_filter,restrict_filters
- direct_login_prompts¶
-
TODO.
- discarder_maxlen¶
-
Maximum length of payload passed to discarder functions.
See also:
discarder_check_tcp,discarder_check_udp,discarder_check_icmp,discarder_check_ip
- dns_max_queries¶
-
If a DNS request includes more than this many queries, assume it’s non-DNS traffic and do not process it. Set to 0 to turn off this functionality.
- dns_skip_addl¶
-
For DNS servers in these sets, omit processing the ADDL records they include in their replies.
See also:
dns_skip_all_addl,dns_skip_auth
- dns_skip_all_addl¶
- Type
- Attributes
- Default
T- Redefinition
from policy/protocols/dns/auth-addl.zeek
=:F
If true, all DNS ADDL records are skipped.
See also:
dns_skip_all_auth,dns_skip_addl
- dns_skip_all_auth¶
- Type
- Attributes
- Default
T- Redefinition
from policy/protocols/dns/auth-addl.zeek
=:F
If true, all DNS AUTH records are skipped.
See also:
dns_skip_all_addl,dns_skip_auth
- dns_skip_auth¶
-
For DNS servers in these sets, omit processing the AUTH records they include in their replies.
See also:
dns_skip_all_auth,dns_skip_addl
- done_with_network¶
- Type
- Default
F
- http_entity_data_delivery_size¶
-
Maximum number of HTTP entity data delivered to events.
See also:
http_entity_data,skip_http_entity_data,skip_http_data
- interfaces¶
- Type
- Attributes
- Default
""
Network interfaces to listen on. Use
redef interfaces += "eth0"to extend.
- load_sample_freq¶
-
Rate at which to generate
load_sampleevents. As all events, the event is only generated if you’ve also defined aload_samplehandler. Units are inverse number of packets; e.g., a value of 20 means “roughly one in every 20 packets”.See also:
load_sample
- login_failure_msgs¶
-
TODO.
- login_non_failure_msgs¶
-
TODO.
- login_prompts¶
-
TODO.
- login_success_msgs¶
-
TODO.
- login_timeouts¶
-
TODO.
- mime_segment_length¶
-
The length of MIME data segments delivered to handlers of
mime_segment_data.See also:
mime_segment_data,mime_segment_overlap_length
- mime_segment_overlap_length¶
-
The number of bytes of overlap between successive segments passed to
mime_segment_data.
- pkt_profile_file¶
-
File where packet profiles are logged.
See also:
pkt_profile_modes,pkt_profile_freq,pkt_profile_mode
- profiling_file¶
- Type
- Attributes
- Default
file "prof.log" of string
- Redefinition
from policy/misc/profiling.zeek
=:open(fmt(prof.%s, Profiling::log_suffix()))
Write profiling info into this file in regular intervals. The easiest way to activate profiling is loading policy/misc/profiling.zeek.
See also:
profiling_interval,expensive_profiling_multiple,segment_profiling
- restrict_filters¶
-
Set of BPF filters to restrict capturing, indexed by a user-definable ID (which must be unique).
See also:
PacketFilter,PacketFilter::enable_auto_protocol_capture_filters,PacketFilter::unrestricted_filter,capture_filters
- secondary_filters¶
-
Definition of “secondary filters”. A secondary filter is a BPF filter given as index in this table. For each such filter, the corresponding event is raised for all matching packets.
- signature_files¶
- Type
- Attributes
- Default
""
Signature files to read. Use
redef signature_files += "foo.sig"to extend. Signature files added this way will be searched relative toZEEKPATH. Using the@load-sigsdirective instead is preferred since that can search paths relative to the current script.
- skip_authentication¶
-
TODO.
- stp_skip_src¶
-
Internal to the stepping stone detector.
Types¶
- Backtrace¶
- Type
A representation of a Zeek script’s call stack.
See also:
backtrace,print_backtrace
- BacktraceElement¶
- Type
-
- function_name:
string The name of the function being called at this point in the call stack.
- function_args:
call_argument_vector The arguments passed to the function being called.
- file_location:
string&optional The file in which the function call is being made.
- line_location:
count&optional The line number at which the function call is being made.
- function_name:
A representation of an element in a Zeek script’s call stack.
See also:
backtrace,print_backtrace
- BrokerStats¶
- Type
-
num_peers:
count- num_stores:
count Number of active data stores.
- num_pending_queries:
count Number of pending data store queries.
- num_events_incoming:
count Number of total log messages received.
- num_events_outgoing:
count Number of total log messages sent.
- num_logs_incoming:
count Number of total log records received.
- num_logs_outgoing:
count Number of total log records sent.
- num_ids_incoming:
count Number of total identifiers received.
- num_ids_outgoing:
count Number of total identifiers sent.
- num_stores:
Statistics about Broker communication.
See also:
get_broker_stats
- Cluster::Pool¶
- Type
-
- spec:
Cluster::PoolSpec&default= [topic=, node_type=Cluster::PROXY, max_nodes=<uninitialized>, exclusive=F]&optional (present if base/frameworks/cluster/pools.zeek is loaded)
The specification of the pool that was used when registering it.
- nodes:
Cluster::PoolNodeTable&default={ }&optional (present if base/frameworks/cluster/pools.zeek is loaded)
Nodes in the pool, indexed by their name (e.g. “manager”).
- node_list:
vectorofCluster::PoolNode&default=[]&optional (present if base/frameworks/cluster/pools.zeek is loaded)
A list of nodes in the pool in a deterministic order.
- hrw_pool:
HashHRW::Pool&default=[sites={ }]&optional (present if base/frameworks/cluster/pools.zeek is loaded)
The Rendezvous hashing structure.
- rr_key_seq:
Cluster::RoundRobinTable&default={ }&optional (present if base/frameworks/cluster/pools.zeek is loaded)
Round-Robin table indexed by arbitrary key and storing the next index of node_list that will be eligible to receive work (if it’s alive at the time of next request).
- alive_count:
count&default=0&optional (present if base/frameworks/cluster/pools.zeek is loaded)
Number of pool nodes that are currently alive.
- spec:
A pool used for distributing data/work among a set of cluster nodes.
- ConnStats¶
- Type
-
total_conns:
countcurrent_conns:
countsess_current_conns:
countnum_packets:
countnum_fragments:
countmax_fragments:
count- num_tcp_conns:
count Current number of TCP connections in memory.
- max_tcp_conns:
count Maximum number of concurrent TCP connections so far.
- cumulative_tcp_conns:
count Total number of TCP connections so far.
- num_udp_conns:
count Current number of UDP flows in memory.
- max_udp_conns:
count Maximum number of concurrent UDP flows so far.
- cumulative_udp_conns:
count Total number of UDP flows so far.
- num_icmp_conns:
count Current number of ICMP flows in memory.
- max_icmp_conns:
count Maximum number of concurrent ICMP flows so far.
- cumulative_icmp_conns:
count Total number of ICMP flows so far.
killed_by_inactivity:
count - num_tcp_conns:
- DHCP::Addrs¶
-
A list of addresses offered by a DHCP server. Could be routers, DNS servers, or other.
See also:
dhcp_message
- DHCP::ClientFQDN¶
- Type
DHCP Client FQDN Option information (Option 81)
- DHCP::ClientID¶
-
DHCP Client Identifier (Option 61) .. zeek:see:: dhcp_message
- DHCP::Msg¶
- Type
-
- op:
count Message OP code. 1 = BOOTREQUEST, 2 = BOOTREPLY
- m_type:
count The type of DHCP message.
- xid:
count Transaction ID of a DHCP session.
- secs:
interval Number of seconds since client began address acquisition or renewal process
flags:
count- ciaddr:
addr Original IP address of the client.
- yiaddr:
addr IP address assigned to the client.
- siaddr:
addr IP address of the server.
- giaddr:
addr IP address of the relaying gateway.
- chaddr:
string Client hardware address.
- sname:
string&default=""&optional Server host name.
- file_n:
string&default=""&optional Boot file name.
- op:
A DHCP message. .. zeek:see:: dhcp_message
- DHCP::Options¶
- Type
-
- options:
index_vec&optional The ordered list of all DHCP option numbers.
- subnet_mask:
addr&optional Subnet Mask Value (option 1)
- routers:
DHCP::Addrs&optional Router addresses (option 3)
- dns_servers:
DHCP::Addrs&optional DNS Server addresses (option 6)
- host_name:
string&optional The Hostname of the client (option 12)
- domain_name:
string&optional The DNS domain name of the client (option 15)
- forwarding:
bool&optional Enable/Disable IP Forwarding (option 19)
- broadcast:
addr&optional Broadcast Address (option 28)
- vendor:
string&optional Vendor specific data. This can frequently be unparsed binary data. (option 43)
- nbns:
DHCP::Addrs&optional NETBIOS name server list (option 44)
- addr_request:
addr&optional Address requested by the client (option 50)
- lease:
interval&optional Lease time offered by the server. (option 51)
- serv_addr:
addr&optional Server address to allow clients to distinguish between lease offers. (option 54)
- param_list:
index_vec&optional DHCP Parameter Request list (option 55)
- message:
string&optional Textual error message (option 56)
- max_msg_size:
count&optional Maximum Message Size (option 57)
- renewal_time:
interval&optional This option specifies the time interval from address assignment until the client transitions to the RENEWING state. (option 58)
- rebinding_time:
interval&optional This option specifies the time interval from address assignment until the client transitions to the REBINDING state. (option 59)
- vendor_class:
string&optional This option is used by DHCP clients to optionally identify the vendor type and configuration of a DHCP client. (option 60)
- client_id:
DHCP::ClientID&optional DHCP Client Identifier (Option 61)
- user_class:
string&optional User Class opaque value (Option 77)
- client_fqdn:
DHCP::ClientFQDN&optional DHCP Client FQDN (Option 81)
- sub_opt:
DHCP::SubOpts&optional DHCP Relay Agent Information Option (Option 82)
- auto_config:
bool&optional Auto Config option to let host know if it’s allowed to auto assign an IP address. (Option 116)
- auto_proxy_config:
string&optional URL to find a proxy.pac for auto proxy config (Option 252)
- time_offset:
int&optional The offset of the client’s subnet in seconds from UTC. (Option 2)
- time_servers:
DHCP::Addrs&optional A list of RFC 868 time servers available to the client. (Option 4)
- name_servers:
DHCP::Addrs&optional A list of IEN 116 name servers available to the client. (Option 5)
- ntp_servers:
DHCP::Addrs&optional A list of IP addresses indicating NTP servers available to the client. (Option 42)
- options:
- DHCP::SubOpt¶
-
DHCP Relay Agent Information Option (Option 82) .. zeek:see:: dhcp_message
- DHCP::SubOpts¶
- Type
- DNSStats¶
- Type
Statistics related to Zeek’s active use of DNS. These numbers are about Zeek performing DNS queries on it’s own, not traffic being seen.
See also:
get_dns_stats
- EncapsulatingConnVector¶
- Type
A type alias for a vector of encapsulating “connections”, i.e. for when there are tunnels within tunnels.
Todo
We need this type definition only for declaring builtin functions via
bifcl. We should extendbifclto understand composite types directly and then remove this alias.
- FileAnalysisStats¶
- Type
Statistics of file analysis.
See also:
get_file_analysis_stats
- GapStats¶
- Type
Statistics about number of gaps in TCP connections.
See also:
get_gap_stats
- IPAddrAnonymization¶
- Type
-
-
KEEP_ORIG_ADDR¶
-
SEQUENTIALLY_NUMBERED¶
-
RANDOM_MD5¶
-
PREFIX_PRESERVING_A50¶
-
PREFIX_PRESERVING_MD5¶
-
See also:
anonymize_addr
- IPAddrAnonymizationClass¶
-
See also:
anonymize_addr
- JSON::TimestampFormat¶
- Type
-
-
JSON::TS_EPOCH¶ Timestamps will be formatted as UNIX epoch doubles. This is the format that Zeek typically writes out timestamps.
-
JSON::TS_MILLIS¶ Timestamps will be formatted as unsigned integers that represent the number of milliseconds since the UNIX epoch.
-
JSON::TS_ISO8601¶ Timestamps will be formatted in the ISO8601 DateTime format. Subseconds are also included which isn’t actually part of the standard but most consumers that parse ISO8601 seem to be able to cope with that.
-
- KRB::AP_Options¶
- Type
AP Options. See RFC 4120
- KRB::Error_Msg¶
- Type
-
- pvno:
count&optional Protocol version number (5 for KRB5)
- msg_type:
count&optional The message type (30 for ERROR_MSG)
- client_time:
time&optional Current time on the client
- server_time:
time&optional Current time on the server
- error_code:
count The specific error code
- client_realm:
string&optional Realm of the ticket
- client_name:
string&optional Name on the ticket
- service_realm:
string&optional Realm of the service
- service_name:
string&optional Name of the service
- error_text:
string&optional Additional text to explain the error
- pa_data:
vectorofKRB::Type_Value&optional Optional pre-authentication data
- pvno:
The data from the ERROR_MSG message. See RFC 4120.
- KRB::Host_Address¶
- Type
A Kerberos host address See RFC 4120.
- KRB::KDC_Options¶
- Type
-
- forwardable:
bool The ticket to be issued should have its forwardable flag set.
- forwarded:
bool A (TGT) request for forwarding.
- proxiable:
bool The ticket to be issued should have its proxiable flag set.
- proxy:
bool A request for a proxy.
- allow_postdate:
bool The ticket to be issued should have its may-postdate flag set.
- postdated:
bool A request for a postdated ticket.
- renewable:
bool The ticket to be issued should have its renewable flag set.
- opt_hardware_auth:
bool Reserved for opt_hardware_auth
- disable_transited_check:
bool Request that the KDC not check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT.
- renewable_ok:
bool If a ticket with the requested lifetime cannot be issued, a renewable ticket is acceptable
- enc_tkt_in_skey:
bool The ticket for the end server is to be encrypted in the session key from the additional TGT provided
- renew:
bool The request is for a renewal
- validate:
bool The request is to validate a postdated ticket.
- forwardable:
KDC Options. See RFC 4120
- KRB::KDC_Request¶
- Type
-
- pvno:
count Protocol version number (5 for KRB5)
- msg_type:
count The message type (10 for AS_REQ, 12 for TGS_REQ)
- pa_data:
vectorofKRB::Type_Value&optional Optional pre-authentication data
- kdc_options:
KRB::KDC_Options&optional Options specified in the request
- client_name:
string&optional Name on the ticket
- service_realm:
string&optional Realm of the service
- service_name:
string&optional Name of the service
- from:
time&optional Time the ticket is good from
- till:
time&optional Time the ticket is good till
- rtime:
time&optional The requested renew-till time
- nonce:
count&optional A random nonce generated by the client
- encryption_types:
vectorofcount&optional The desired encryption algorithms, in order of preference
- host_addrs:
vectorofKRB::Host_Address&optional Any additional addresses the ticket should be valid for
- additional_tickets:
vectorofKRB::Ticket&optional Additional tickets may be included for certain transactions
- pvno:
The data from the AS_REQ and TGS_REQ messages. See RFC 4120.
- KRB::KDC_Response¶
- Type
-
- pvno:
count Protocol version number (5 for KRB5)
- msg_type:
count The message type (11 for AS_REP, 13 for TGS_REP)
- pa_data:
vectorofKRB::Type_Value&optional Optional pre-authentication data
- client_realm:
string&optional Realm on the ticket
- client_name:
string Name on the service
- ticket:
KRB::Ticket The ticket that was issued
- pvno:
The data from the AS_REQ and TGS_REQ messages. See RFC 4120.
- KRB::SAFE_Msg¶
- Type
-
- pvno:
count Protocol version number (5 for KRB5)
- msg_type:
count The message type (20 for SAFE_MSG)
- data:
string The application-specific data that is being passed from the sender to the reciever
- timestamp:
time&optional Current time from the sender of the message
- seq:
count&optional Sequence number used to detect replays
- sender:
KRB::Host_Address&optional Sender address
- recipient:
KRB::Host_Address&optional Recipient address
- pvno:
The data from the SAFE message. See RFC 4120.
- KRB::Ticket¶
- Type
A Kerberos ticket. See RFC 4120.
- KRB::Ticket_Vector¶
- Type
- KRB::Type_Value¶
-
Used in a few places in the Kerberos analyzer for elements that have a type and a string value.
- MOUNT3::dirmntargs_t¶
-
MOUNT mnt arguments.
See also:
mount_proc_mnt
- MOUNT3::info_t¶
- Type
-
- rpc_stat:
rpc_status The RPC status.
- mnt_stat:
MOUNT3::status_t The MOUNT status.
- req_start:
time The start time of the request.
- req_dur:
interval The duration of the request.
- req_len:
count The length in bytes of the request.
- rep_start:
time The start time of the reply.
- rep_dur:
interval The duration of the reply.
- rep_len:
count The length in bytes of the reply.
- rpc_uid:
count The user id of the reply.
- rpc_gid:
count The group id of the reply.
- rpc_stamp:
count The stamp of the reply.
- rpc_machine_name:
string The machine name of the reply.
- rpc_auxgids:
index_vec The auxiliary ids of the reply.
- rpc_stat:
Record summarizing the general results and status of MOUNT3 request/reply pairs.
Note that when rpc_stat or mount_stat indicates not successful, the reply record passed to the corresponding event will be empty and contain uninitialized fields, so don’t use it. Also note that time
- MOUNT3::mnt_reply_t¶
- Type
-
- dirfh:
string&optional Dir handle
- auth_flavors:
vectorofMOUNT3::auth_flavor_t&optional Returned authentication flavors
- dirfh:
MOUNT lookup reply. If the mount failed, dir_attr may be set. If the mount succeeded, fh is always set.
See also:
mount_proc_mnt
- MQTT::ConnectMsg¶
- Type
-
- protocol_name:
string Protocol name
- protocol_version:
count Protocol version
- client_id:
string Identifies the Client to the Server.
- keep_alive:
interval The maximum time interval that is permitted to elapse between the point at which the Client finishes transmitting one Control Packet and the point it starts sending the next.
- clean_session:
bool The clean_session flag indicates if the server should or shouldn’t use a clean session or use existing previous session state.
- will_retain:
bool Specifies if the Will Message is to be retained when it is published.
- will_qos:
count Specifies the QoS level to be used when publishing the Will Message.
- will_topic:
string&optional Topic to publish the Will message to.
- will_msg:
string&optional The actual Will message to publish.
- username:
string&optional Username to use for authentication to the server.
- password:
string&optional Pass to use for authentication to the server.
- protocol_name:
- MQTT::PublishMsg¶
- Type
-
- dup:
bool Indicates if this is the first attempt at publishing the message.
- qos:
count Indicates what level of QoS is enabled for this message.
- retain:
bool Indicates if the server should retain this message so that clients subscribing to the topic in the future will receive this message automatically.
- topic:
string Name of the topic the published message is directed into.
- payload:
string Payload of the published message.
- payload_len:
count The actual length of the payload in the case the payload field’s contents were truncated according to
MQTT::max_payload_size.
- dup:
- MatcherStats¶
- Type
-
- matchers:
count Number of distinct RE matchers.
- nfa_states:
count Number of NFA states across all matchers.
- dfa_states:
count Number of DFA states across all matchers.
- computed:
count Number of computed DFA state transitions.
- mem:
count Number of bytes used by DFA states.
- hits:
count Number of cache hits.
- misses:
count Number of cache misses.
- matchers:
Statistics of all regular expression matchers.
See also:
get_matcher_stats
- ModbusCoils¶
-
A vector of boolean values that indicate the setting for a range of modbus coils.
- ModbusRegisters¶
-
A vector of count values that represent 16bit modbus register values.
- NFS3::delobj_reply_t¶
- Type
-
- dir_pre_attr:
NFS3::wcc_attr_t&optional Optional attributes associated w/ dir.
- dir_post_attr:
NFS3::fattr_t&optional Optional attributes associated w/ dir.
- dir_pre_attr:
NFS reply for remove, rmdir. Corresponds to wcc_data in the spec.
See also:
nfs_proc_remove,nfs_proc_rmdir
- NFS3::direntry_t¶
- Type
NFS direntry. fh and attr are used for readdirplus. However, even for readdirplus they may not be filled out.
See also:
NFS3::direntry_vec_t,NFS3::readdir_reply_t
- NFS3::direntry_vec_t¶
- Type
Vector of NFS direntry.
See also:
NFS3::readdir_reply_t
- NFS3::diropargs_t¶
- Type
NFS readdir arguments.
See also:
nfs_proc_readdir
- NFS3::fattr_t¶
- Type
-
- ftype:
NFS3::file_type_t File type.
- mode:
count Mode
- nlink:
count Number of links.
- uid:
count User ID.
- gid:
count Group ID.
- size:
count Size.
- used:
count TODO.
- rdev1:
count TODO.
- rdev2:
count TODO.
- fsid:
count TODO.
- fileid:
count TODO.
- atime:
time Time of last access.
- mtime:
time Time of last modification.
- ctime:
time Time of creation.
- ftype:
NFS file attributes. Field names are based on RFC 1813.
See also:
nfs_proc_getattr
- NFS3::fsstat_t¶
- Type
NFS fsstat.
- NFS3::info_t¶
- Type
-
- rpc_stat:
rpc_status The RPC status.
- nfs_stat:
NFS3::status_t The NFS status.
- req_start:
time The start time of the request.
- req_dur:
interval The duration of the request.
- req_len:
count The length in bytes of the request.
- rep_start:
time The start time of the reply.
- rep_dur:
interval The duration of the reply.
- rep_len:
count The length in bytes of the reply.
- rpc_uid:
count The user id of the reply.
- rpc_gid:
count The group id of the reply.
- rpc_stamp:
count The stamp of the reply.
- rpc_machine_name:
string The machine name of the reply.
- rpc_auxgids:
index_vec The auxiliary ids of the reply.
- rpc_stat:
Record summarizing the general results and status of NFSv3 request/reply pairs.
Note that when rpc_stat or nfs_stat indicates not successful, the reply record passed to the corresponding event will be empty and contain uninitialized fields, so don’t use it. Also note that time and duration values might not be fully accurate. For TCP, we record times when the corresponding chunk of data is delivered to the analyzer. Depending on the reassembler, this might be well after the first packet of the request was received.
See also:
nfs_proc_create,nfs_proc_getattr,nfs_proc_lookup,nfs_proc_mkdir,nfs_proc_not_implemented,nfs_proc_null,nfs_proc_read,nfs_proc_readdir,nfs_proc_readlink,nfs_proc_remove,nfs_proc_rmdir,nfs_proc_write,nfs_reply_status
- NFS3::link_reply_t¶
- Type
-
- post_attr:
NFS3::fattr_t&optional Optional post-operation attributes of the file system object identified by file
- preattr:
NFS3::wcc_attr_t&optional Optional attributes associated w/ file.
- postattr:
NFS3::fattr_t&optional Optional attributes associated w/ file.
- post_attr:
NFS link reply.
See also:
nfs_proc_link
- NFS3::linkargs_t¶
- Type
-
- fh:
string The file handle for the existing file system object.
- link:
NFS3::diropargs_t The location of the link to be created.
- fh:
NFS link arguments.
See also:
nfs_proc_link
- NFS3::lookup_reply_t¶
- Type
-
- fh:
string&optional File handle of object looked up.
- obj_attr:
NFS3::fattr_t&optional Optional attributes associated w/ file
- dir_attr:
NFS3::fattr_t&optional Optional attributes associated w/ dir.
- fh:
NFS lookup reply. If the lookup failed, dir_attr may be set. If the lookup succeeded, fh is always set and obj_attr and dir_attr may be set.
See also:
nfs_proc_lookup
- NFS3::newobj_reply_t¶
- Type
-
- fh:
string&optional File handle of object created.
- obj_attr:
NFS3::fattr_t&optional Optional attributes associated w/ new object.
- dir_pre_attr:
NFS3::wcc_attr_t&optional Optional attributes associated w/ dir.
- dir_post_attr:
NFS3::fattr_t&optional Optional attributes associated w/ dir.
- fh:
NFS reply for create, mkdir, and symlink. If the proc failed, dir_*_attr may be set. If the proc succeeded, fh and the attr’s may be set. Note: no guarantee that fh is set after success.
See also:
nfs_proc_create,nfs_proc_mkdir
- NFS3::read_reply_t¶
- Type
NFS read reply. If the lookup fails, attr may be set. If the lookup succeeds, attr may be set and all other fields are set.
- NFS3::readargs_t¶
- Type
NFS read arguments.
See also:
nfs_proc_read
- NFS3::readdir_reply_t¶
- Type
-
- isplus:
bool True if the reply for a readdirplus request.
- dir_attr:
NFS3::fattr_t&optional Directory attributes.
- cookieverf:
count&optional TODO.
- entries:
NFS3::direntry_vec_t&optional Returned directory entries.
- eof:
bool If true, no more entries in directory.
- isplus:
NFS readdir reply. Used for readdir and readdirplus. If an is returned, dir_attr might be set. On success, dir_attr may be set, all others must be set.
- NFS3::readdirargs_t¶
- Type
-
- isplus:
bool Is this a readdirplus request?
- dirfh:
string The directory filehandle.
- cookie:
count Cookie / pos in dir; 0 for first call.
- cookieverf:
count The cookie verifier.
- dircount:
count “count” field for readdir; maxcount otherwise (in bytes).
- maxcount:
count&optional Only used for readdirplus. in bytes.
- isplus:
NFS readdir arguments. Used for both readdir and readdirplus.
See also:
nfs_proc_readdir
- NFS3::readlink_reply_t¶
- Type
-
- attr:
NFS3::fattr_t&optional Attributes.
- nfspath:
string&optional Contents of the symlink; in general a pathname as text.
- attr:
NFS readline reply. If the request fails, attr may be set. If the request succeeds, attr may be set and all other fields are set.
See also:
nfs_proc_readlink
- NFS3::renameobj_reply_t¶
- Type
-
src_dir_pre_attr:
NFS3::wcc_attr_tsrc_dir_post_attr:
NFS3::fattr_tdst_dir_pre_attr:
NFS3::wcc_attr_tdst_dir_post_attr:
NFS3::fattr_t
NFS reply for rename. Corresponds to wcc_data in the spec.
See also:
nfs_proc_rename
- NFS3::renameopargs_t¶
-
NFS rename arguments.
See also:
nfs_proc_rename
- NFS3::sattr_reply_t¶
- Type
-
- dir_pre_attr:
NFS3::wcc_attr_t&optional Optional attributes associated w/ dir.
- dir_post_attr:
NFS3::fattr_t&optional Optional attributes associated w/ dir.
- dir_pre_attr:
NFS sattr reply. If the request fails, pre|post attr may be set. If the request succeeds, pre|post attr are set.
- NFS3::sattr_t¶
- Type
NFS file attributes. Field names are based on RFC 1813.
See also:
nfs_proc_sattr
- NFS3::sattrargs_t¶
- Type
-
- fh:
string The file handle for the existing file system object.
- new_attributes:
NFS3::sattr_t The new attributes for the file.
- fh:
NFS sattr arguments.
See also:
nfs_proc_sattr
- NFS3::symlinkargs_t¶
- Type
-
- link:
NFS3::diropargs_t The location of the link to be created.
- symlinkdata:
NFS3::symlinkdata_t The symbolic link to be created.
- link:
NFS symlink arguments.
See also:
nfs_proc_symlink
- NFS3::symlinkdata_t¶
- Type
-
- symlink_attributes:
NFS3::sattr_t The initial attributes for the symbolic link
- nfspath:
string&optional The string containing the symbolic link data.
- symlink_attributes:
NFS symlinkdata attributes. Field names are based on RFC 1813
See also:
nfs_proc_symlink
- NFS3::wcc_attr_t¶
-
NFS wcc attributes.
See also:
NFS3::write_reply_t
- NFS3::write_reply_t¶
- Type
-
- preattr:
NFS3::wcc_attr_t&optional Pre operation attributes.
- postattr:
NFS3::fattr_t&optional Post operation attributes.
- size:
count&optional Size.
- commited:
NFS3::stable_how_t&optional TODO.
- verf:
count&optional Write verifier cookie.
- preattr:
NFS write reply. If the request fails, pre|post attr may be set. If the request succeeds, pre|post attr may be set and all other fields are set.
See also:
nfs_proc_write
- NFS3::writeargs_t¶
- Type
NFS write arguments.
See also:
nfs_proc_write
- NTLM::AVs¶
- Type
-
- nb_computer_name:
string The server’s NetBIOS computer name
- nb_domain_name:
string The server’s NetBIOS domain name
- dns_computer_name:
string&optional The FQDN of the computer
- dns_domain_name:
string&optional The FQDN of the domain
- dns_tree_name:
string&optional The FQDN of the forest
- constrained_auth:
bool&optional Indicates to the client that the account authentication is constrained
- timestamp:
time&optional The associated timestamp, if present
- single_host_id:
count&optional Indicates that the client is providing a machine ID created at computer startup to identify the calling machine
- target_name:
string&optional The SPN of the target server
- nb_computer_name:
- NTLM::Authenticate¶
- Type
-
- flags:
NTLM::NegotiateFlags The negotiate flags
- domain_name:
string&optional The domain or computer name hosting the account
- user_name:
string&optional The name of the user to be authenticated.
- workstation:
string&optional The name of the computer to which the user was logged on.
- session_key:
string&optional The session key
- version:
NTLM::Version&optional The Windows version information, if supplied
- flags:
- NTLM::Challenge¶
- Type
-
- flags:
NTLM::NegotiateFlags The negotiate flags
- target_name:
string&optional The server authentication realm. If the server is domain-joined, the name of the domain. Otherwise the server name. See flags.target_type_domain and flags.target_type_server
- version:
NTLM::Version&optional The Windows version information, if supplied
- target_info:
NTLM::AVs&optional Attribute-value pairs specified by the server
- flags:
- NTLM::Negotiate¶
- Type
-
- flags:
NTLM::NegotiateFlags The negotiate flags
- domain_name:
string&optional The domain name of the client, if known
- workstation:
string&optional The machine name of the client, if known
- version:
NTLM::Version&optional The Windows version information, if supplied
- flags:
- NTLM::NegotiateFlags¶
- Type
-
- negotiate_56:
bool If set, requires 56-bit encryption
- negotiate_key_exch:
bool If set, requests an explicit key exchange
- negotiate_128:
bool If set, requests 128-bit session key negotiation
- negotiate_version:
bool If set, requests the protocol version number
- negotiate_target_info:
bool If set, indicates that the TargetInfo fields in the CHALLENGE_MESSAGE are populated
- request_non_nt_session_key:
bool If set, requests the usage of the LMOWF function
- negotiate_identify:
bool If set, requests and identify level token
- negotiate_extended_sessionsecurity:
bool If set, requests usage of NTLM v2 session security Note: NTML v2 session security is actually NTLM v1
- target_type_server:
bool If set, TargetName must be a server name
- target_type_domain:
bool If set, TargetName must be a domain name
- negotiate_always_sign:
bool If set, requests the presence of a signature block on all messages
- negotiate_oem_workstation_supplied:
bool If set, the workstation name is provided
- negotiate_oem_domain_supplied:
bool If set, the domain name is provided
- negotiate_anonymous_connection:
bool If set, the connection should be anonymous
- negotiate_ntlm:
bool If set, requests usage of NTLM v1
- negotiate_lm_key:
bool If set, requests LAN Manager session key computation
- negotiate_datagram:
bool If set, requests connectionless authentication
- negotiate_seal:
bool If set, requests session key negotiation for message confidentiality
- negotiate_sign:
bool If set, requests session key negotiation for message signatures
- request_target:
bool If set, the TargetName field is present
- negotiate_oem:
bool If set, requests OEM character set encoding
- negotiate_unicode:
bool If set, requests Unicode character set encoding
- negotiate_56:
- NTP::ControlMessage¶
- Type
-
- op_code:
count An integer specifying the command function. Values currently defined:
1 read status command/response
2 read variables command/response
3 write variables command/response
4 read clock variables command/response
5 write clock variables command/response
6 set trap address/port command/response
7 trap response
Other values are reserved.
- resp_bit:
bool The response bit. Set to zero for commands, one for responses.
- err_bit:
bool The error bit. Set to zero for normal response, one for error response.
- more_bit:
bool The more bit. Set to zero for last fragment, one for all others.
- sequence:
count The sequence number of the command or response.
- status:
count The current status of the system, peer or clock.
- association_id:
count A 16-bit integer identifying a valid association.
- data:
string&optional Message data for the command or response + Authenticator (optional).
- key_id:
count&optional This is an integer identifying the cryptographic key used to generate the message-authentication code.
- crypto_checksum:
string&optional This is a crypto-checksum computed by the encryption procedure.
- op_code:
NTP control message as defined in RFC 1119 for mode=6 This record contains the fields used by the NTP protocol for control operations.
- NTP::Message¶
- Type
-
- version:
count The NTP version number (1, 2, 3, 4).
- mode:
count The NTP mode being used. Possible values are:
1 - symmetric active
2 - symmetric passive
3 - client
4 - server
5 - broadcast
6 - NTP control message
7 - reserved for private use
- std_msg:
NTP::StandardMessage&optional If mode 1-5, the standard fields for syncronization operations are here. See RFC 5905
- control_msg:
NTP::ControlMessage&optional If mode 6, the fields for control operations are here. See RFC 1119
- mode7_msg:
NTP::Mode7Message&optional If mode 7, the fields for extra operations are here. Note that this is not defined in any RFC and is implementation dependent. We used the official implementation from the NTP official project. A mode 7 packet is used exchanging data between an NTP server and a client for purposes other than time synchronization, e.g. monitoring, statistics gathering and configuration.
- version:
NTP message as defined in RFC 5905. Does include fields for mode 7, reserved for private use in RFC 5905, but used in some implementation for commands such as “monlist”.
- NTP::Mode7Message¶
- Type
-
- req_code:
count An implementation-specific code which specifies the operation to be (which has been) performed and/or the format and semantics of the data included in the packet.
- auth_bit:
bool The authenticated bit. If set, this packet is authenticated.
- sequence:
count For a multipacket response, contains the sequence number of this packet. 0 is the first in the sequence, 127 (or less) is the last. The More Bit must be set in all packets but the last.
- implementation:
count The number of the implementation this request code is defined by. An implementation number of zero is used for requst codes/data formats which all implementations agree on. Implementation number 255 is reserved (for extensions, in case we run out).
- err:
count Must be 0 for a request. For a response, holds an error code relating to the request. If nonzero, the operation requested wasn’t performed.
0 - no error
1 - incompatible implementation number
2 - unimplemented request code
3 - format error (wrong data items, data size, packet size etc.)
4 - no data available (e.g. request for details on unknown peer)
5 - unknown
6 - unknown
7 - authentication failure (i.e. permission denied)
- data:
string&optional Rest of data
- req_code:
NTP mode 7 message. Note that this is not defined in any RFC and is implementation dependent. We used the official implementation from the NTP official project. A mode 7 packet is used exchanging data between an NTP server and a client for purposes other than time synchronization, e.g. monitoring, statistics gathering and configuration. For details see the documentation from the NTP official project, code v. ntp-4.2.8p13, in include/ntp_request.h.
- NTP::StandardMessage¶
- Type
-
- stratum:
count This value mainly identifies the type of server (primary server, secondary server, etc.). Possible values, as in RFC 5905, are:
0 -> unspecified or invalid
1 -> primary server (e.g., equipped with a GPS receiver)
2-15 -> secondary server (via NTP)
16 -> unsynchronized
17-255 -> reserved
For stratum 0, a kiss_code can be given for debugging and monitoring.
- poll:
interval The maximum interval between successive messages.
- precision:
interval The precision of the system clock.
- root_delay:
interval Root delay. The total round-trip delay to the reference clock.
- root_disp:
interval Root Dispersion. The total dispersion to the reference clock.
- kiss_code:
string&optional For stratum 0, four-character ASCII string used for debugging and monitoring. Values are defined in RFC 1345.
- ref_id:
string&optional Reference ID. For stratum 1, this is the ID assigned to the reference clock by IANA. For example: GOES, GPS, GAL, etc. (see RFC 5905)
- ref_addr:
addr&optional Above stratum 1, when using IPv4, the IP address of the reference clock. Note that the NTP protocol did not originally specify a large enough field to represent IPv6 addresses, so they use the first four bytes of the MD5 hash of the reference clock’s IPv6 address (i.e. an IPv4 address here is not necessarily IPv4).
- ref_time:
time Reference timestamp. Time when the system clock was last set or correct.
- org_time:
time Origin timestamp. Time at the client when the request departed for the NTP server.
- rec_time:
time Receive timestamp. Time at the server when the request arrived from the NTP client.
- xmt_time:
time Transmit timestamp. Time at the server when the response departed
- key_id:
count&optional Key used to designate a secret MD5 key.
- digest:
string&optional MD5 hash computed over the key followed by the NTP packet header and extension fields.
- num_exts:
count&default=0&optional Number of extension fields (which are not currently parsed).
- stratum:
NTP standard message as defined in RFC 5905 for modes 1-5 This record contains the standard fields used by the NTP protocol for standard syncronization operations.
- NetStats¶
- Type
-
- pkts_recvd:
count&default=0&optional Packets received by Zeek.
- pkts_dropped:
count&default=0&optional Packets reported dropped by the system.
- pkts_link:
count&default=0&optional Packets seen on the link. Note that this may differ from pkts_recvd because of a potential capture_filter. See base/frameworks/packet-filter/main.zeek. Depending on the packet capture system, this value may not be available and will then be always set to zero.
- bytes_recvd:
count&default=0&optional Bytes received by Zeek.
- pkts_recvd:
Packet capture statistics. All counts are cumulative.
See also:
get_net_stats
- PE::DOSHeader¶
- Type
-
- signature:
string The magic number of a portable executable file (“MZ”).
- used_bytes_in_last_page:
count The number of bytes in the last page that are used.
- file_in_pages:
count The number of pages in the file that are part of the PE file itself.
- num_reloc_items:
count Number of relocation entries stored after the header.
- header_in_paragraphs:
count Number of paragraphs in the header.
- min_extra_paragraphs:
count Number of paragraps of additional memory that the program will need.
- max_extra_paragraphs:
count Maximum number of paragraphs of additional memory.
- init_relative_ss:
count Relative value of the stack segment.
- init_sp:
count Initial value of the SP register.
- checksum:
count Checksum. The 16-bit sum of all words in the file should be 0. Normally not set.
- init_ip:
count Initial value of the IP register.
- init_relative_cs:
count Initial value of the CS register (relative to the initial segment).
- addr_of_reloc_table:
count Offset of the first relocation table.
- overlay_num:
count Overlays allow you to append data to the end of the file. If this is the main program, this will be 0.
- oem_id:
count OEM identifier.
- oem_info:
count Additional OEM info, specific to oem_id.
- addr_of_new_exe_header:
count Address of the new EXE header.
- signature:
- PE::FileHeader¶
- Type
-
- machine:
count The target machine that the file was compiled for.
- ts:
time The time that the file was created at.
- sym_table_ptr:
count Pointer to the symbol table.
- num_syms:
count Number of symbols.
- optional_header_size:
count The size of the optional header.
- characteristics:
set[count] Bit flags that determine if this file is executable, non-relocatable, and/or a DLL.
- machine:
- PE::OptionalHeader¶
- Type
-
- magic:
count PE32 or PE32+ indicator.
- major_linker_version:
count The major version of the linker used to create the PE.
- minor_linker_version:
count The minor version of the linker used to create the PE.
- size_of_code:
count Size of the .text section.
- size_of_init_data:
count Size of the .data section.
- size_of_uninit_data:
count Size of the .bss section.
- addr_of_entry_point:
count The relative virtual address (RVA) of the entry point.
- base_of_code:
count The relative virtual address (RVA) of the .text section.
- base_of_data:
count&optional The relative virtual address (RVA) of the .data section.
- image_base:
count Preferred memory location for the image to be based at.
- section_alignment:
count The alignment (in bytes) of sections when they’re loaded in memory.
- file_alignment:
count The alignment (in bytes) of the raw data of sections.
- os_version_major:
count The major version of the required OS.
- os_version_minor:
count The minor version of the required OS.
- major_image_version:
count The major version of this image.
- minor_image_version:
count The minor version of this image.
- major_subsys_version:
count The major version of the subsystem required to run this file.
- minor_subsys_version:
count The minor version of the subsystem required to run this file.
- size_of_image:
count The size (in bytes) of the iamge as the image is loaded in memory.
- size_of_headers:
count The size (in bytes) of the headers, rounded up to file_alignment.
- checksum:
count The image file checksum.
- subsystem:
count The subsystem that’s required to run this image.
- dll_characteristics:
set[count] Bit flags that determine how to execute or load this file.
- table_sizes:
vectorofcount A vector with the sizes of various tables and strings that are defined in the optional header data directories. Examples include the import table, the resource table, and debug information.
- magic:
- PE::SectionHeader¶
- Type
-
- name:
string The name of the section
- virtual_size:
count The total size of the section when loaded into memory.
- virtual_addr:
count The relative virtual address (RVA) of the section.
- size_of_raw_data:
count The size of the initialized data for the section, as it is in the file on disk.
- ptr_to_raw_data:
count The virtual address of the initialized dat for the section, as it is in the file on disk.
- ptr_to_relocs:
count The file pointer to the beginning of relocation entries for the section.
- ptr_to_line_nums:
count The file pointer to the beginning of line-number entries for the section.
- num_of_relocs:
count The number of relocation entries for the section.
- num_of_line_nums:
count The number of line-number entrie for the section.
- characteristics:
set[count] Bit-flags that describe the characteristics of the section.
- name:
Record for Portable Executable (PE) section headers.
- PacketSource¶
- Type
-
- live:
bool Whether the packet source is a live interface or offline pcap file.
- path:
string The interface name for a live interface or filesystem path of an offline pcap file.
- link_type:
int The data link-layer type of the packet source.
- netmask:
count The netmask assoicated with the source or
NETMASK_UNKNOWN.
- live:
Properties of an I/O packet source being read by Zeek.
- Pcap::Interface¶
- Type
-
- name:
string The interface/device name.
- description:
string&optional A human-readable description of the device.
- addrs:
set[addr] The network addresses associated with the device.
- is_loopback:
bool Whether the device is a loopback interface. E.g. addresses of
127.0.0.1or[::1]are used by loopback interfaces.- is_up:
bool&optional Whether the device is up. Not set when that info is unavailable.
- is_running:
bool&optional Whether the device is running. Not set when that info is unavailable.
- name:
The definition of a “pcap interface”.
- Pcap::Interfaces¶
- Type
- PcapFilterID¶
- Type
-
-
None¶
-
PacketFilter::DefaultPcapFilter¶ (present if base/frameworks/packet-filter/main.zeek is loaded)
-
PacketFilter::FilterTester¶ (present if base/frameworks/packet-filter/main.zeek is loaded)
-
Enum type identifying dynamic BPF filters. These are used by
Pcap::precompile_pcap_filterandPcap::precompile_pcap_filter.
- ProcStats¶
- Type
-
- debug:
bool True if compiled with –enable-debug.
- start_time:
time Start time of process.
- real_time:
interval Elapsed real time since Zeek started running.
- user_time:
interval User CPU seconds.
- system_time:
interval System CPU seconds.
- mem:
count Maximum memory consumed, in KB.
- minor_faults:
count Page faults not requiring actual I/O.
- major_faults:
count Page faults requiring actual I/O.
- num_swap:
count Times swapped out.
- blocking_input:
count Blocking input operations.
- blocking_output:
count Blocking output operations.
- num_context:
count Number of involuntary context switches.
- debug:
Statistics about Zeek’s process.
See also:
get_proc_statsNote
All process-level values refer to Zeek’s main process only, not to the child process it spawns for doing communication.
- RADIUS::Attributes¶
- Type
- RDP::ClientChannelDef¶
- Type
-
- name:
string A unique name for the channel
- options:
count Channel Def raw options as count
- initialized:
bool Absence of this flag indicates that this channel is a placeholder and that the server MUST NOT set it up.
- encrypt_rdp:
bool Unused, must be ignored by the server.
- encrypt_sc:
bool Unused, must be ignored by the server.
- encrypt_cs:
bool Unused, must be ignored by the server.
- pri_high:
bool Channel data must be sent with high MCS priority.
- pri_med:
bool Channel data must be sent with medium MCS priority.
- pri_low:
bool Channel data must be sent with low MCS priority.
- compress_rdp:
bool Virtual channel data must be compressed if RDP data is being compressed.
- compress:
bool Virtual channel data must be compressed.
- show_protocol:
bool Ignored by the server.
- persistent:
bool Channel must be persistent across remote control transactions.
- name:
Name and flags for a single channel requested by the client.
- RDP::ClientChannelList¶
- Type
The list of channels requested by the client.
- RDP::ClientClusterData¶
- Type
-
- flags:
count Cluster information flags.
- redir_session_id:
count If the redir_sessionid_field_valid flag is set, this field contains a valid session identifier to which the client requests to connect.
- redir_supported:
bool The client can receive server session redirection packets. If this flag is set, the svr_session_redir_version_mask field MUST contain the server session redirection version that the client supports.
- svr_session_redir_version_mask:
count The server session redirection version that the client supports.
- redir_sessionid_field_valid:
bool Whether the redir_session_id field identifies a session on the server to associate with the connection.
- redir_smartcard:
bool The client logged on with a smart card.
- flags:
The TS_UD_CS_CLUSTER data block is sent by the client to the server either to advertise that it can support the Server Redirection PDUs or to request a connection to a given session identifier.
- RDP::ClientCoreData¶
- Type
-
version_major:
countversion_minor:
countdesktop_width:
countdesktop_height:
countcolor_depth:
countsas_sequence:
countkeyboard_layout:
countclient_build:
countclient_name:
stringkeyboard_type:
countkeyboard_sub:
countkeyboard_function_key:
countime_file_name:
stringpost_beta2_color_depth:
count&optionalclient_product_id:
count&optionalserial_number:
count&optionalhigh_color_depth:
count&optionalsupported_color_depths:
count&optionalec_flags:
RDP::EarlyCapabilityFlags&optional
- RDP::ClientSecurityData¶
- Type
-
- encryption_methods:
count Cryptographic encryption methods supported by the client and used in conjunction with Standard RDP Security. Known flags:
0x00000001: support for 40-bit session encryption keys
0x00000002: support for 128-bit session encryption keys
0x00000008: support for 56-bit session encryption keys
0x00000010: support for FIPS compliant encryption and MAC methods
- ext_encryption_methods:
count Only used in French locale and designates the encryption method. If non-zero, then encryption_methods should be set to 0.
- encryption_methods:
The TS_UD_CS_SEC data block contains security-related information used to advertise client cryptographic support.
- ReassemblerStats¶
- Type
Holds statistics for all types of reassembly.
See also:
get_reassembler_stats
- ReporterStats¶
- Type
Statistics about reporter messages and weirds.
See also:
get_reporter_stats
- SMB1::Find_First2_Request_Args¶
- Type
-
- search_attrs:
count File attributes to apply as a constraint to the search
- search_count:
count Max search results
- flags:
count Misc. flags for how the server should manage the transaction once results are returned
- info_level:
count How detailed the information returned in the results should be
- search_storage_type:
count Specify whether to search for directories or files
- file_name:
string The string to serch for (note: may contain wildcards)
- search_attrs:
- SMB1::Header¶
- Type
An SMB1 header.
See also:
smb1_message,smb1_empty_response,smb1_error,smb1_check_directory_request,smb1_check_directory_response,smb1_close_request,smb1_create_directory_request,smb1_create_directory_response,smb1_echo_request,smb1_echo_response,smb1_negotiate_request,smb1_negotiate_response,smb1_nt_cancel_request,smb1_nt_create_andx_request,smb1_nt_create_andx_response,smb1_query_information_request,smb1_read_andx_request,smb1_read_andx_response,smb1_session_setup_andx_request,smb1_session_setup_andx_response,smb1_transaction_request,smb1_transaction2_request,smb1_trans2_find_first2_request,smb1_trans2_query_path_info_request,smb1_trans2_get_dfs_referral_request,smb1_tree_connect_andx_request,