base/init-bare.zeek

Namespaces

Analyzer, BinPAC, Cluster, DCE_RPC, DHCP, FTP, GLOBAL, HTTP, JSON, KRB, MIME, MOUNT3, MQTT, NCP, NFS3, NTLM, NTP, PE, Pcap, RADIUS, RDP, Reporter, SMB, SMB1, SMB2, SMTP, SNMP, SOCKS, SSH, SSL, TCP, Telemetry, Threading, Tunnel, UnknownProtocol, WebSocket, Weird, X509

Imports

base/bif/CPP-load.bif.zeek, base/bif/communityid.bif.zeek, base/bif/const.bif.zeek, base/bif/event.bif.zeek, base/bif/mmdb.bif.zeek, base/bif/option.bif.zeek, base/bif/packet_analysis.bif.zeek, base/bif/plugins/Zeek_KRB.types.bif.zeek, base/bif/plugins/Zeek_SNMP.types.bif.zeek, base/bif/reporter.bif.zeek, base/bif/stats.bif.zeek, base/bif/strings.bif.zeek, base/bif/supervisor.bif.zeek, base/bif/types.bif.zeek, base/bif/zeek.bif.zeek, base/frameworks/spicy/init-bare.zeek, base/frameworks/supervisor/api.zeek, base/packet-protocols

Summary

Runtime Options

MQTT::max_payload_size: count &redef

The maximum payload size to allocate for the purpose of payload information in mqtt_publish events (and the default MQTT logs generated from that).

Weird::sampling_duration: interval &redef

How long a weird of a given type is allowed to keep state/counters in memory.

Weird::sampling_global_list: set &redef

Rate-limits weird names in the table globally instead of per connection/flow.

Weird::sampling_rate: count &redef

The rate-limiting sampling rate.

Weird::sampling_threshold: count &redef

How many weirds of a given type to tolerate before sampling begins.

Weird::sampling_whitelist: set &redef

Prevents rate-limiting sampling of any weirds named in the table.

default_file_bof_buffer_size: count &redef

Default amount of bytes that file analysis will buffer in order to use for mime type matching.

default_file_timeout_interval: interval &redef

Default amount of time a file can be inactive before the file analysis gives up and discards any internal state related to the file.

ignore_checksums_nets: set &redef

Checksums are ignored for all packets with a src address within this set of networks.

udp_content_delivery_ports_use_resp: bool &redef

Whether ports given in udp_content_delivery_ports_orig and udp_content_delivery_ports_resp are in terms of UDP packet’s destination port or the UDP connection’s “responder” port.

udp_content_ports: set &redef

Defines UDP ports (source or destination) for which the contents of either originator or responder streams should be delivered via udp_contents.

Redefinable Options

BinPAC::flowbuffer_capacity_max: count &redef

Maximum capacity, in bytes, that the BinPAC flowbuffer is allowed to grow to for use with incremental parsing of a given connection/analyzer.

BinPAC::flowbuffer_capacity_min: count &redef

The initial capacity, in bytes, that will be allocated to the BinPAC flowbuffer of a given connection/analyzer.

BinPAC::flowbuffer_contract_threshold: count &redef

The threshold, in bytes, at which the BinPAC flowbuffer of a given connection/analyzer will have its capacity contracted to BinPAC::flowbuffer_capacity_min after parsing a full unit.

DCE_RPC::max_cmd_reassembly: count &redef

The maximum number of simultaneous fragmented commands that the DCE_RPC analyzer will tolerate before it will generate a weird and skip further input.

DCE_RPC::max_frag_data: count &redef

The maximum number of fragmented bytes that the DCE_RPC analyzer will tolerate on a command before the analyzer will generate a weird and skip further input.

HTTP::upgrade_analyzers: table &redef

Lookup table for Upgrade analyzers.

KRB::keytab: string &redef

Kerberos keytab file name.

MIME::max_depth: count &redef

Stop analysis of nested multipart MIME entities if this depth is reached.

NCP::max_frame_size: count &redef

The maximum number of bytes to allocate when parsing NCP frames.

NFS3::return_data: bool &redef

If true, nfs_proc_read and nfs_proc_write events return the file data that has been read/written.

NFS3::return_data_first_only: bool &redef

If NFS3::return_data is true, whether to only return data if the read or write offset is 0, i.e., only return data for the beginning of the file.

NFS3::return_data_max: count &redef

If NFS3::return_data is true, how much data should be returned at most.

Pcap::bufsize: count &redef

Number of Mbytes to provide as buffer space when capturing from live interfaces.

Pcap::bufsize_offline_bytes: count &redef

Number of bytes to use for buffering file read operations when reading from a PCAP file.

Pcap::non_fd_timeout: interval &redef

Default timeout for packet sources without file descriptors.

Pcap::snaplen: count &redef

Number of bytes per packet to capture from live interfaces.

Reporter::errors_to_stderr: bool &redef

Tunable for sending reporter error messages to STDERR.

Reporter::info_to_stderr: bool &redef

Tunable for sending reporter info messages to STDERR.

Reporter::warnings_to_stderr: bool &redef

Tunable for sending reporter warning messages to STDERR.

SMB::max_dce_rpc_analyzers: count &redef

Maximum number of DCE-RPC analyzers per connection before discarding them to avoid unbounded state growth.

SMB::max_pending_messages: count &redef

The maximum number of messages for which to retain state about offsets, fids, or tree ids within the parser.

SMB::pipe_filenames: set &redef

A set of file names used as named pipes over SMB.

SSL::dtls_max_reported_version_errors: count &redef

Maximum number of invalid version errors to report in one DTLS connection.

SSL::dtls_max_version_errors: count &redef

Number of non-DTLS frames that can occur in a DTLS connection before parsing of the connection is suspended.

SSL::max_alerts_per_record: count &redef

Maximum number of Alert messages parsed from an SSL record with content_type alert (21).

Threading::heartbeat_interval: interval &redef

The heartbeat interval used by the threading framework.

Tunnel::delay_gtp_confirmation: bool &redef

With this set, the GTP analyzer waits until the most-recent upflow and downflow packets are a valid GTPv1 encapsulation before issuing analyzer_confirmation_info.

Tunnel::delay_teredo_confirmation: bool &redef

With this set, the Teredo analyzer waits until it sees both sides of a connection using a valid Teredo encapsulation before issuing an analyzer_confirmation_info.

Tunnel::ip_tunnel_timeout: interval &redef

How often to cleanup internal state for inactive IP tunnels (includes GRE tunnels).

Tunnel::max_changes_per_connection: count &redef

The number of tunnel_changed events that will be sent for a connection.

Tunnel::max_depth: count &redef

The maximum depth of a tunnel to decapsulate until giving up.

Tunnel::validate_vxlan_checksums: bool &redef

Whether to validate the checksum supplied in the outer UDP header of a VXLAN encapsulation.

UnknownProtocol::first_bytes_count: count &redef

The number of bytes to extract from the next header and log in the first bytes field.

UnknownProtocol::sampling_duration: interval &redef

How long an analyzer/protocol pair is allowed to keep state/counters in memory.

UnknownProtocol::sampling_rate: count &redef

The rate-limiting sampling rate.

UnknownProtocol::sampling_threshold: count &redef

How many reports for an analyzer/protocol pair will be allowed to raise events before becoming rate-limited.

WebSocket::payload_chunk_size: count &redef

The WebSocket analyzer consumes and forwards frame payload in chunks to keep memory usage bounded.

WebSocket::use_dpd_default: bool &redef

Whether to enable DPD on WebSocket frame payload by default.

WebSocket::use_spicy_analyzer: bool &redef

Whether to use the Spicy WebSocket protocol analyzer.

allow_network_time_forward: bool &redef

Whether Zeek will forward network_time to the current time upon observing an idle packet source (or no configured packet source).

bits_per_uid: count &redef

Number of bits in UIDs that are generated to identify connections and files.

check_for_unused_event_handlers: bool &redef &deprecated =

If true, warns about unused event handlers at startup.

cmd_line_bpf_filter: string &redef

BPF filter the user has set via the -f command line options.

detect_filtered_trace: bool &redef

Whether to attempt to automatically detect SYN/FIN/RST-filtered trace and not report missing segments for such connections.

digest_salt: string &redef

This salt value is used for several message digests in Zeek.

dns_session_timeout: interval &redef

Time to wait before timing out a DNS request.

dpd_buffer_size: count &redef

Size of per-connection buffer used for dynamic protocol detection.

dpd_ignore_ports: bool &redef

If true, don’t consider any ports for deciding which protocol analyzer to use.

dpd_late_match_stop: bool &redef

If true, stops signature matching after a late match.

dpd_match_only_beginning: bool &redef

If true, stops signature matching if dpd_buffer_size has been reached.

dpd_max_packets: count &redef

Maximum number of per-connection packets that will be buffered for dynamic protocol detection.

dpd_reassemble_first_packets: bool &redef

Reassemble the beginning of all TCP connections before doing signature matching.

exit_only_after_terminate: bool &redef

Flag to prevent Zeek from exiting automatically when input is exhausted.

expensive_profiling_multiple: count &redef

Multiples of profiling_interval at which (more expensive) memory profiling is done (0 disables).

frag_timeout: interval &redef

How long to hold onto fragments for possible reassembly.

global_hash_seed: string &redef

Seed for hashes computed internally for probabilistic data structures.

icmp_inactivity_timeout: interval &redef

If an ICMP flow is inactive, time it out after this interval.

ignore_checksums: bool &redef

If true, don’t verify checksums, and accept packets that give a length of zero in the IPv4 header.

ignore_keep_alive_rexmit: bool &redef

Ignore certain TCP retransmissions for conn_stats.

io_poll_interval_default: count &redef

How many rounds to go without checking IO sources with file descriptors for readiness by default.

io_poll_interval_live: count &redef

How often to check IO sources with file descriptors for readiness when monitoring with a live packet source.

likely_server_ports: set &redef

Ports which the core considers being likely used by servers.

log_rotate_base_time: string &redef

Base time of log rotations in 24-hour time format (%H:%M), e.g.

max_analyzer_violations: count &redef

The maximum number of analyzer violations the core generates before suppressing them for a given analyzer instance.

max_find_all_string_length: int &redef

Maximum string length allowed for calls to the find_all and find_all_ordered BIFs.

max_timer_expires: count &redef

The maximum number of expired timers to process after processing each new packet.

mmdb_asn_db: string &redef

Default name of the MaxMind ASN database file:

mmdb_city_db: string &redef

Default name of the MaxMind City database file:

mmdb_country_db: string &redef

Default name of the MaxMind Country database file:

mmdb_dir: string &redef

The directory containing MaxMind DB (.mmdb) files to use for GeoIP support.

mmdb_dir_fallbacks: vector &redef

Fallback locations for MaxMind databases.

mmdb_stale_check_interval: interval &redef

Sets the interval for MaxMind DB file staleness checks.

non_analyzed_lifetime: interval &redef

If a connection belongs to an application that we don’t analyze, time it out after this interval.

packet_filter_default: bool &redef

Default mode for Zeek’s user-space dynamic packet filter.

packet_source_inactivity_timeout: interval &redef

If a packet source does not yield packets for this amount of time, it is considered idle.

partial_connection_ok: bool &redef

If true, instantiate connection state when a partial connection (one missing its initial establishment negotiation) is seen.

peer_description: string &redef

Description transmitted to remote communication peers for identification.

pkt_profile_freq: double &redef

Frequency associated with packet profiling.

pkt_profile_mode: pkt_profile_modes &redef

Output mode for packet profiling information.

profiling_interval: interval &redef

Update interval for profiling (0 disables).

record_all_packets: bool &redef

If a trace file is given with -w, dump all packets seen by Zeek into it.

report_gaps_for_partial: bool &redef

Whether we want content_gap for partial connections.

rpc_timeout: interval &redef

Time to wait before timing out an RPC request.

running_under_test: bool &redef

Whether Zeek is being run under test.

sig_max_group_size: count &redef

Maximum size of regular expression groups for signature matching.

skip_http_data: bool &redef

Skip HTTP data for performance considerations.

table_expire_delay: interval &redef

When expiring table entries, wait this amount of time before checking the next chunk of entries.

table_expire_interval: interval &redef

Check for expired table entries after this amount of time.

table_incremental_step: count &redef

When expiring/serializing table entries, don’t work on more than this many table entries at a time.

tcp_SYN_ack_ok: bool &redef

If true, instantiate connection state when a SYN/ACK is seen but not the initial SYN (even if partial_connection_ok is false).

tcp_SYN_timeout: interval &redef

Check up on the result of an initial SYN after this much time.

tcp_attempt_delay: interval &redef

Wait this long upon seeing an initial SYN before timing out the connection attempt.

tcp_close_delay: interval &redef

Upon seeing a normal connection close, flush state after this much time.

tcp_connection_linger: interval &redef

When checking a closed connection for further activity, consider it inactive if there hasn’t been any for this long.

tcp_content_deliver_all_orig: bool &redef

If true, all TCP originator-side traffic is reported via tcp_contents.

tcp_content_deliver_all_resp: bool &redef

If true, all TCP responder-side traffic is reported via tcp_contents.

tcp_content_delivery_ports_orig: table &redef

Defines destination TCP ports for which the contents of the originator stream should be delivered via tcp_contents.

tcp_content_delivery_ports_resp: table &redef

Defines destination TCP ports for which the contents of the responder stream should be delivered via tcp_contents.

tcp_excessive_data_without_further_acks: count &redef

If we’ve seen this much data without any of it being acked, we give up on that connection to avoid memory exhaustion due to buffering all that stuff.

tcp_inactivity_timeout: interval &redef

If a TCP connection is inactive, time it out after this interval.

tcp_match_undelivered: bool &redef

If true, pass any undelivered data to the signature engine before flushing the state.

tcp_max_above_hole_without_any_acks: count &redef

If we’re not seeing our peer’s ACKs, the maximum volume of data above a sequence hole that we’ll tolerate before assuming that there’s been a packet drop and we should give up on tracking a connection.

tcp_max_initial_window: count &redef

Maximum amount of data that might plausibly be sent in an initial flight (prior to receiving any acks).

tcp_max_old_segments: count &redef

Number of TCP segments to buffer beyond what’s been acknowledged already to detect retransmission inconsistencies.

tcp_partial_close_delay: interval &redef

Generate a connection_partial_close event this much time after one half of a partial connection closes, assuming there has been no subsequent activity.

tcp_reassembler_ports_orig: set &redef

For services without a handler, these sets define originator-side ports that still trigger reassembly.

tcp_reassembler_ports_resp: set &redef

For services without a handler, these sets define responder-side ports that still trigger reassembly.

tcp_reset_delay: interval &redef

Upon seeing a RST, flush state after this much time.

tcp_session_timer: interval &redef

After a connection has closed, wait this long for further activity before checking whether to time out its state.

tcp_storm_interarrival_thresh: interval &redef

FINs/RSTs must come with this much time or less between them to be considered a “storm”.

tcp_storm_thresh: count &redef

Number of FINs/RSTs in a row that constitute a “storm”.

time_machine_profiling: bool &redef &deprecated = "Remove in v7.1. Unused."

If true, output profiling for Time-Machine queries.

truncate_http_URI: int &redef

Maximum length of HTTP URIs passed to events.

udp_content_deliver_all_orig: bool &redef

If true, all UDP originator-side traffic is reported via udp_contents.

udp_content_deliver_all_resp: bool &redef

If true, all UDP responder-side traffic is reported via udp_contents.

udp_content_delivery_ports_orig: table &redef

Defines UDP destination ports for which the contents of the originator stream should be delivered via udp_contents.

udp_content_delivery_ports_resp: table &redef

Defines UDP destination ports for which the contents of the responder stream should be delivered via udp_contents.

udp_inactivity_timeout: interval &redef

If a UDP flow is inactive, time it out after this interval.

use_conn_size_analyzer: bool &redef

Whether to use the ConnSize analyzer to count the number of packets and IP-level bytes transferred by each endpoint.

watchdog_interval: interval &redef

Zeek’s watchdog interval.

Constants

CONTENTS_BOTH: count

Record both originator and responder contents.

CONTENTS_NONE: count

Turn off recording of contents.

CONTENTS_ORIG: count

Record originator contents.

CONTENTS_RESP: count

Record responder contents.

DNS_ADDL: count

An additional record.

DNS_ANS: count

An answer record.

DNS_AUTH: count

An authoritative record.

DNS_QUERY: count

A query.

ENDIAN_BIG: count

Big endian.

ENDIAN_CONFUSED: count

Tried to determine endian, but failed.

ENDIAN_LITTLE: count

Little endian.

ENDIAN_UNKNOWN: count

Endian not yet determined.

ICMP_UNREACH_ADMIN_PROHIB: count

Administratively prohibited.

ICMP_UNREACH_HOST: count

Host unreachable.

ICMP_UNREACH_NEEDFRAG: count

Fragment needed.

ICMP_UNREACH_NET: count

Network unreachable.

ICMP_UNREACH_PORT: count

Port unreachable.

ICMP_UNREACH_PROTOCOL: count

Protocol unreachable.

IPPROTO_AH: count

IPv6 authentication header.

IPPROTO_DSTOPTS: count

IPv6 destination options header.

IPPROTO_ESP: count

IPv6 encapsulating security payload header.

IPPROTO_FRAGMENT: count

IPv6 fragment header.

IPPROTO_HOPOPTS: count

IPv6 hop-by-hop-options header.

IPPROTO_ICMP: count

Control message protocol.

IPPROTO_ICMPV6: count

ICMP for IPv6.

IPPROTO_IGMP: count

Group management protocol.

IPPROTO_IP: count

Dummy for IP.

IPPROTO_IPIP: count

IP encapsulation in IP.

IPPROTO_IPV6: count

IPv6 header.

IPPROTO_MOBILITY: count

IPv6 mobility header.

IPPROTO_NONE: count

IPv6 no next header.

IPPROTO_RAW: count

Raw IP packet.

IPPROTO_ROUTING: count

IPv6 routing header.

IPPROTO_TCP: count

TCP.

IPPROTO_UDP: count

User datagram protocol.

LOGIN_STATE_AUTHENTICATE: count

LOGIN_STATE_CONFUSED: count

LOGIN_STATE_LOGGED_IN: count

LOGIN_STATE_SKIP: count

RPC_status: table

Mapping of numerical RPC status codes to readable messages.

SNMP::OBJ_COUNTER32_TAG: count

Unsigned 32-bit integer.

SNMP::OBJ_COUNTER64_TAG: count

Unsigned 64-bit integer.

SNMP::OBJ_ENDOFMIBVIEW_TAG: count

A NULL value.

SNMP::OBJ_INTEGER_TAG: count

Signed 64-bit integer.

SNMP::OBJ_IPADDRESS_TAG: count

An IP address.

SNMP::OBJ_NOSUCHINSTANCE_TAG: count

A NULL value.

SNMP::OBJ_NOSUCHOBJECT_TAG: count

A NULL value.

SNMP::OBJ_OCTETSTRING_TAG: count

An octet string.

SNMP::OBJ_OID_TAG: count

An Object Identifier.

SNMP::OBJ_OPAQUE_TAG: count

An octet string.

SNMP::OBJ_TIMETICKS_TAG: count

Unsigned 32-bit integer.

SNMP::OBJ_UNSIGNED32_TAG: count

Unsigned 32-bit integer.

SNMP::OBJ_UNSPECIFIED_TAG: count

A NULL value.

TCP_CLOSED: count

Endpoint has closed connection.

TCP_ESTABLISHED: count

Endpoint has finished initial handshake regularly.

TCP_INACTIVE: count

Endpoint is still inactive.

TCP_PARTIAL: count

Endpoint has sent data but no initial SYN.

TCP_RESET: count

Endpoint has sent RST.

TCP_SYN_ACK_SENT: count

Endpoint has sent SYN/ACK.

TCP_SYN_SENT: count

Endpoint has sent SYN.

TH_ACK: count

ACK.

TH_FIN: count

FIN.

TH_FLAGS: count

Mask combining all flags.

TH_PUSH: count

PUSH.

TH_RST: count

RST.

TH_SYN: count

SYN.

TH_URG: count

URG.

UDP_ACTIVE: count

Endpoint has sent something.

UDP_INACTIVE: count

Endpoint is still inactive.

trace_output_file: string

Holds the filename of the trace file given with -w (empty if none).

zeek_script_args: vector

Arguments given to Zeek from the command line.

State Variables

capture_filters: table &redef

Set of BPF capture filters to use for capturing, indexed by a user-definable ID (which must be unique).

direct_login_prompts: set &redef

TODO.

discarder_maxlen: count &redef

Maximum length of payload passed to discarder functions.

dns_max_queries: count &redef

If a DNS request includes more than this many queries, assume it’s non-DNS traffic and do not process it.

dns_skip_addl: set &redef

For DNS servers in these sets, omit processing the ADDL records they include in their replies.

dns_skip_all_addl: bool &redef

If true, all DNS ADDL records are skipped.

dns_skip_all_auth: bool &redef

If true, all DNS AUTH records are skipped.

dns_skip_auth: set &redef

For DNS servers in these sets, omit processing the AUTH records they include in their replies.

done_with_network: bool

http_entity_data_delivery_size: count &redef

Maximum amount of HTTP entity data delivered to events.

interfaces: string &add_func = add_interface &redef

Network interfaces to listen on.

login_failure_msgs: set &redef

TODO.

login_non_failure_msgs: set &redef

TODO.

login_prompts: set &redef

TODO.

login_success_msgs: set &redef

TODO.

login_timeouts: set &redef

TODO.

mime_segment_length: count &redef

The length of MIME data segments delivered to handlers of mime_segment_data.

mime_segment_overlap_length: count &redef

The number of bytes of overlap between successive segments passed to mime_segment_data.

pkt_profile_file: file &redef

File where packet profiles are logged.

profiling_file: file &redef

Write profiling info into this file in regular intervals.

restrict_filters: table &redef

Set of BPF filters to restrict capturing, indexed by a user-definable ID (which must be unique).

secondary_filters: table &redef

Definition of “secondary filters”.

signature_files: string &add_func = add_signature_file &redef

Signature files to read.

skip_authentication: set &redef

TODO.

Types

Analyzer::disabling_analyzer: hook &redef

A hook taking a connection, analyzer tag and analyzer id that can be used to veto disabling protocol analyzers.

AnalyzerConfirmationInfo: record

Generic analyzer confirmation info record.

AnalyzerViolationInfo: record

Generic analyzer violation info record.

Backtrace: vector

A representation of a Zeek script’s call stack.

BacktraceElement: record

A representation of an element in a Zeek script’s call stack.

BrokerStats: record

Statistics about Broker communication.

Cluster::Pool: record

A pool used for distributing data/work among a set of cluster nodes.

ConnStats: record

DHCP::Addrs: vector

A list of addresses offered by a DHCP server.

DHCP::ClientFQDN: record

DHCP Client FQDN Option information (Option 81)

DHCP::ClientID: record

DHCP Client Identifier (Option 61) ..

DHCP::Msg: record

A DHCP message.

DHCP::Options: record

DHCP::SubOpt: record

DHCP Relay Agent Information Option (Option 82) ..

DHCP::SubOpts: vector

DNSStats: record

Statistics related to Zeek’s active use of DNS.

EncapsulatingConnVector: vector

A type alias for a vector of encapsulating “connections”, i.e.

EventNameCounter: record &log

Statistics about how many times each event name is queued.

EventNameStats: vector

EventStats: record

FileAnalysisStats: record

Statistics of file analysis.

GapStats: record

Statistics about number of gaps in TCP connections.

IPAddrAnonymization: enum

IPAddrAnonymizationClass: enum

JSON::TimestampFormat: enum

KRB::AP_Options: record

AP Options.

KRB::Error_Msg: record

The data from the ERROR_MSG message.

KRB::Host_Address: record

A Kerberos host address. See RFC 4120.

KRB::Host_Address_Vector: vector

KRB::KDC_Options: record

KDC Options.

KRB::KDC_Request: record

The data from the AS_REQ and TGS_REQ messages.

KRB::KDC_Response: record

The data from the AS_REQ and TGS_REQ messages.

KRB::SAFE_Msg: record

The data from the SAFE message.

KRB::Ticket: record

A Kerberos ticket.

KRB::Ticket_Vector: vector

KRB::Type_Value: record

Used in a few places in the Kerberos analyzer for elements that have a type and a string value.

KRB::Type_Value_Vector: vector

MOUNT3::dirmntargs_t: record

MOUNT mnt arguments.

MOUNT3::info_t: record

Record summarizing the general results and status of MOUNT3 request/reply pairs.

MOUNT3::mnt_reply_t: record

MOUNT lookup reply.

MQTT::ConnectAckMsg: record

MQTT::ConnectMsg: record

MQTT::PublishMsg: record

MatcherStats: record

Statistics of all regular expression matchers.

ModbusCoils: vector

A vector of boolean values that indicate the setting for a range of modbus coils.

ModbusFileRecordRequest: record

ModbusFileRecordRequests: vector

ModbusFileRecordResponse: record

ModbusFileRecordResponses: vector

ModbusFileReference: record

ModbusFileReferences: vector

ModbusHeaders: record

ModbusRegisters: vector

A vector of count values that represent 16-bit modbus register values.

NFS3::delobj_reply_t: record

NFS reply for remove, rmdir.

NFS3::direntry_t: record

NFS direntry.

NFS3::direntry_vec_t: vector

Vector of NFS direntry.

NFS3::diropargs_t: record

NFS readdir arguments.

NFS3::fattr_t: record

NFS file attributes.

NFS3::fsstat_t: record

NFS fsstat.

NFS3::info_t: record

Record summarizing the general results and status of NFSv3 request/reply pairs.

NFS3::link_reply_t: record

NFS link reply.

NFS3::linkargs_t: record

NFS link arguments.

NFS3::lookup_reply_t: record

NFS lookup reply.

NFS3::newobj_reply_t: record

NFS reply for create, mkdir, and symlink.

NFS3::read_reply_t: record

NFS read reply.

NFS3::readargs_t: record

NFS read arguments.

NFS3::readdir_reply_t: record

NFS readdir reply.

NFS3::readdirargs_t: record

NFS readdir arguments.

NFS3::readlink_reply_t: record

NFS readlink reply.

NFS3::renameobj_reply_t: record

NFS reply for rename.

NFS3::renameopargs_t: record

NFS rename arguments.

NFS3::sattr_reply_t: record

NFS sattr reply.

NFS3::sattr_t: record

NFS file attributes.

NFS3::sattrargs_t: record

NFS sattr arguments.

NFS3::symlinkargs_t: record

NFS symlink arguments.

NFS3::symlinkdata_t: record

NFS symlinkdata attributes.

NFS3::wcc_attr_t: record

NFS wcc attributes.

NFS3::write_reply_t: record

NFS write reply.

NFS3::writeargs_t: record

NFS write arguments.

NTLM::AVs: record

NTLM::Authenticate: record

NTLM::Challenge: record

NTLM::Negotiate: record

NTLM::NegotiateFlags: record

NTLM::Version: record

NTP::ControlMessage: record

NTP control message as defined in RFC 1119 for mode=6. This record contains the fields used by the NTP protocol for control operations.

NTP::Message: record

NTP message as defined in RFC 5905.

NTP::Mode7Message: record

NTP mode 7 message.

NTP::StandardMessage: record

NTP standard message as defined in RFC 5905 for modes 1-5. This record contains the standard fields used by the NTP protocol for standard synchronization operations.

NetStats: record

Packet capture statistics.

PE::DOSHeader: record

PE::FileHeader: record

PE::OptionalHeader: record

PE::SectionHeader: record

Record for Portable Executable (PE) section headers.

PacketSource: record

Properties of an I/O packet source being read by Zeek.

Pcap::Interface: record

The definition of a “pcap interface”.

Pcap::Interfaces: set

Pcap::filter_state: enum

The state of the compilation for a pcap filter.

PcapFilterID: enum

Enum type identifying dynamic BPF filters.

ProcStats: record

Statistics about Zeek’s process.

RADIUS::AttributeList: vector

RADIUS::Attributes: table

RADIUS::Message: record

RDP::ClientChannelDef: record

Name and flags for a single channel requested by the client.

RDP::ClientChannelList: vector

The list of channels requested by the client.

RDP::ClientClusterData: record

The TS_UD_CS_CLUSTER data block is sent by the client to the server either to advertise that it can support the Server Redirection PDUs or to request a connection to a given session identifier.

RDP::ClientCoreData: record

RDP::ClientSecurityData: record

The TS_UD_CS_SEC data block contains security-related information used to advertise client cryptographic support.

RDP::EarlyCapabilityFlags: record

ReassemblerStats: record

Holds statistics for all types of reassembly.

ReporterStats: record

Statistics about reporter messages and weirds.

SMB1::Find_First2_Request_Args: record

SMB1::Find_First2_Response_Args: record

SMB1::Header: record

An SMB1 header.

SMB1::NegotiateCapabilities: record

SMB1::NegotiateRawMode: record

SMB1::NegotiateResponse: record

SMB1::NegotiateResponseCore: record

SMB1::NegotiateResponseLANMAN: record

SMB1::NegotiateResponseNTLM: record

SMB1::NegotiateResponseSecurity: record

SMB1::SessionSetupAndXCapabilities: record

SMB1::SessionSetupAndXRequest: record

SMB1::SessionSetupAndXResponse: record

SMB1::Trans2_Args: record

SMB1::Trans2_Sec_Args: record

SMB1::Trans_Sec_Args: record

SMB2::CloseResponse: record

The response to an SMB2 close request, which is used by the client to close an instance of a file that was opened previously.

SMB2::CompressionCapabilities: record

Compression information as defined in SMB v.

SMB2::CreateRequest: record

The request sent by the client to request either creation of or access to a file.

SMB2::CreateResponse: record

The response to an SMB2 create_request request, which is sent by the client to request either creation of or access to a file.

SMB2::EncryptionCapabilities: record

Encryption information as defined in SMB v.

SMB2::FileAttrs: record

A series of boolean flags describing basic and extended file attributes for SMB2.

SMB2::FileEA: record

This information class is used to query or set extended attribute (EA) information for a file.

SMB2::FileEAs: vector

A vector of extended attribute (EA) information for a file.

SMB2::Fscontrol: record

A series of integer flags used to set quota and content indexing control information for a file system volume in SMB2.

SMB2::GUID: record

An SMB2 globally unique identifier which identifies a file.

SMB2::Header: record

An SMB2 header.

SMB2::NegotiateContextValue: record

The context type information as defined in SMB v.

SMB2::NegotiateContextValues: vector

SMB2::NegotiateResponse: record

The response to an SMB2 negotiate request, which is used by the client to notify the server what dialects of the SMB2 protocol the client understands.

SMB2::PreAuthIntegrityCapabilities: record

Preauthentication information as defined in SMB v.

SMB2::SessionSetupFlags: record

A flags field that indicates additional information about the session that’s sent in the session_setup response.

SMB2::SessionSetupRequest: record

The request sent by the client to request a new authenticated session within a new or existing SMB 2 Protocol transport connection to the server.

SMB2::SessionSetupResponse: record

The response to an SMB2 session_setup request, which is sent by the client to request a new authenticated session within a new or existing SMB 2 Protocol transport connection to the server.

SMB2::Transform_header: record

An SMB2 transform header (for SMB 3.x dialects with encryption enabled).

SMB2::TreeConnectResponse: record

The response to an SMB2 tree_connect request, which is sent by the client to request access to a particular share on the server.

SMB::MACTimes: record

MAC times for a file.

SNMP::Binding: record

The VarBind data structure from either RFC 1157 or RFC 3416, which maps an Object Identifier to a value.

SNMP::Bindings: vector

A VarBindList data structure from either RFC 1157 or RFC 3416.

SNMP::BulkPDU: record

A BulkPDU data structure from RFC 3416.

SNMP::Header: record

A generic SNMP header data structure that may include data from any version of SNMP.

SNMP::HeaderV1: record

The top-level message data structure of an SNMPv1 datagram, not including the PDU data.

SNMP::HeaderV2: record

The top-level message data structure of an SNMPv2 datagram, not including the PDU data.

SNMP::HeaderV3: record

The top-level message data structure of an SNMPv3 datagram, not including the PDU data.

SNMP::ObjectValue: record

A generic SNMP object value, that may include any of the valid ObjectSyntax values from RFC 1155 or RFC 3416.

SNMP::PDU: record

A PDU data structure from either RFC 1157 or RFC 3416.

SNMP::ScopedPDU_Context: record

The ScopedPduData data structure of an SNMPv3 datagram, not including the PDU data (i.e.

SNMP::TrapPDU: record

A Trap-PDU data structure from RFC 1157.

SOCKS::Address: record &log

This record is for a SOCKS client or server to provide either a name or an address to represent a desired or established connection.

SSH::Algorithm_Prefs: record

The client and server each have some preferences for the algorithms used in each direction.

SSH::Capabilities: record

This record lists the preferences of an SSH endpoint for algorithm selection.

SSL::PSKIdentity: record

SSL::SignatureAndHashAlgorithm: record

SYN_packet: record

Fields of a SYN packet.

TCP::Option: record

A TCP Option field parsed from a TCP header.

TCP::OptionList: vector

The full list of TCP Option fields parsed from a TCP header.

Telemetry::HistogramMetric: record

Histograms returned by the Telemetry::collect_histogram_metrics function.

Telemetry::HistogramMetricVector: vector

Telemetry::Metric: record

Metrics returned by the Telemetry::collect_metrics function.

Telemetry::MetricOpts: record

Type that captures options used to create metrics.

Telemetry::MetricType: enum

Telemetry::MetricVector: vector

ThreadStats: record

Statistics about threads.

TimerStats: record

Statistics of timers.

Tunnel::EncapsulatingConn: record &log

Records the identity of an encapsulating parent of a tunneled connection.

WebSocket::AnalyzerConfig: record

Record type that is passed to WebSocket::configure_analyzer.

X509::BasicConstraints: record &log

X509::Certificate: record

X509::Extension: record

X509::Result: record

Result of an X509 certificate chain verification.

X509::SubjectAlternativeName: record

addr_set: set

A set of addresses.

addr_vec: vector

A vector of addresses.

any_vec: vector

A vector of any, used by some builtin functions to store a list of varying types.

assertion_failure: hook

A hook that is invoked when an assert statement fails.

assertion_result: hook

A hook that is invoked with the result of every assert statement.

bittorrent_benc_dir: table

A table of BitTorrent “benc” values.

bittorrent_benc_value: record

BitTorrent “benc” value.

bittorrent_peer: record

A BitTorrent peer.

bittorrent_peer_set: set

A set of BitTorrent peers.

bt_tracker_headers: table

Header table type used by the BitTorrent analyzer.

call_argument: record

Meta-information about a parameter to a function/event.

call_argument_vector: vector

Vector type used to capture parameters of a function/event call.

conn_id: record &log

A connection’s identifying 4-tuple of endpoints and ports.

connection: record

A connection.

count_set: set

A set of counts.

dns_answer: record

The general part of a DNS reply.

dns_binds_rr: record

A Private RR type BINDS record.

dns_dnskey_rr: record

A DNSSEC DNSKEY record.

dns_ds_rr: record

A DNSSEC DS record.

dns_edns_additional: record

An additional DNS EDNS record.

dns_edns_cookie: record

A DNS EDNS COOKIE (COOKIE) record.

dns_edns_ecs: record

A DNS EDNS Client Subnet (ECS) record.

dns_edns_tcp_keepalive: record

A DNS EDNS TCP KEEPALIVE (TCP KEEPALIVE) record.

dns_loc_rr: record

A Private RR type LOC record.

dns_mapping: record

dns_msg: record

A DNS message.

dns_nsec3_rr: record

A DNSSEC NSEC3 record.

dns_nsec3param_rr: record

A DNSSEC NSEC3PARAM record.

dns_rrsig_rr: record

A DNSSEC RRSIG record.

dns_soa: record

A DNS SOA record.

dns_svcb_rr: record

DNS SVCB and HTTPS RRs.

dns_tsig_additional: record

An additional DNS TSIG record.

double_vec: vector

A vector of floating point numbers, used by telemetry builtin functions to store histogram bounds.

endpoint: record

Statistics about a connection endpoint.

endpoint_stats: record

Statistics about what a TCP endpoint sent.

entropy_test_result: record

Computed entropy values.

fa_file: record &redef

File Analysis handle for a file that Zeek is analyzing.

fa_metadata: record

File Analysis metadata that’s been inferred about a particular file.

files_tag_set: set

A set of file analyzer tags.

flow_id: record &log

The identifying 4-tuple of a uni-directional flow.

from_json_result: record

Return type for from_json BIF.

ftp_port: record

A parsed host/port combination describing the server endpoint for an upcoming data transfer.

geo_autonomous_system: record &log

GeoIP autonomous system information.

geo_location: record &log

GeoIP location information.

gtp_access_point_name: string

gtp_cause: count

gtp_charging_characteristics: count

gtp_charging_gateway_addr: addr

gtp_charging_id: count

gtp_create_pdp_ctx_request_elements: record

gtp_create_pdp_ctx_response_elements: record

gtp_delete_pdp_ctx_request_elements: record

gtp_delete_pdp_ctx_response_elements: record

gtp_end_user_addr: record

gtp_gsn_addr: record

gtp_imsi: count

gtp_msisdn: string

gtp_nsapi: count

gtp_omc_id: string

gtp_private_extension: record

gtp_proto_config_options: string

gtp_qos_profile: record

gtp_rai: record

gtp_recovery: count

gtp_reordering_required: bool

gtp_selection_mode: count

gtp_teardown_ind: bool

gtp_teid1: count

gtp_teid_control_plane: count

gtp_tft: string

gtp_trace_reference: count

gtp_trace_type: count

gtp_trigger_id: string

gtp_update_pdp_ctx_request_elements: record

gtp_update_pdp_ctx_response_elements: record

gtpv1_hdr: record

A GTPv1 (GPRS Tunneling Protocol) header.

http_message_stat: record

HTTP message statistics.

http_stats_rec: record

HTTP session statistics.

icmp6_nd_option: record

Options extracted from ICMPv6 neighbor discovery messages as specified by RFC 4861.

icmp6_nd_options: vector

A type alias for a vector of ICMPv6 neighbor discovery message options.

icmp6_nd_prefix_info: record

Values extracted from a Prefix Information option in an ICMPv6 neighbor discovery message as specified by RFC 4861.

icmp_context: record

Packet context part of an ICMP message.

icmp_hdr: record

Values extracted from an ICMP header.

icmp_info: record

Specifics about an ICMP conversation/packet.

id_table: table

Table type used to map script-level identifiers to meta-information describing them.

index_vec: vector

A vector of counts, used by some builtin functions to store a list of indices.

int_vec: vector

A vector of integers, used by telemetry builtin functions to store histogram bounds.

interval_set: set

A set of intervals.

ip4_hdr: record

Values extracted from an IPv4 header.

ip6_ah: record

Values extracted from an IPv6 Authentication extension header.

ip6_dstopts: record

Values extracted from an IPv6 Destination options extension header.

ip6_esp: record

Values extracted from an IPv6 ESP extension header.

ip6_ext_hdr: record

A general container for a more specific IPv6 extension header.

ip6_ext_hdr_chain: vector

A type alias for a vector of IPv6 extension headers.

ip6_fragment: record

Values extracted from an IPv6 Fragment extension header.

ip6_hdr: record

Values extracted from an IPv6 header.

ip6_hopopts: record

Values extracted from an IPv6 Hop-by-Hop options extension header.

ip6_mobility_back: record

Values extracted from an IPv6 Mobility Binding Acknowledgement message.

ip6_mobility_be: record

Values extracted from an IPv6 Mobility Binding Error message.

ip6_mobility_brr: record

Values extracted from an IPv6 Mobility Binding Refresh Request message.

ip6_mobility_bu: record

Values extracted from an IPv6 Mobility Binding Update message.

ip6_mobility_cot: record

Values extracted from an IPv6 Mobility Care-of Test message.

ip6_mobility_coti: record

Values extracted from an IPv6 Mobility Care-of Test Init message.

ip6_mobility_hdr: record

Values extracted from an IPv6 Mobility header.

ip6_mobility_hot: record

Values extracted from an IPv6 Mobility Home Test message.

ip6_mobility_hoti: record

Values extracted from an IPv6 Mobility Home Test Init message.

ip6_mobility_msg: record

Values extracted from an IPv6 Mobility header’s message data.

ip6_option: record

Values extracted from an IPv6 extension header’s (e.g.

ip6_options: vector

A type alias for a vector of IPv6 options.

ip6_routing: record

Values extracted from an IPv6 Routing extension header.

irc_join_info: record

IRC join information.

irc_join_list: set

Set of IRC join information.

l2_hdr: record

Values extracted from the layer 2 header.

mime_header_list: table

A list of MIME headers.

mime_header_rec: record

A MIME header key/value pair.

mime_match: record

A structure indicating a MIME type and strength of a match against file magic signatures.

mime_matches: vector

A vector of file magic signature matches, ordered by strength of the signature, strongest first.

pcap_packet: record

Policy-level representation of a packet passed on by libpcap.

pkt_hdr: record

A packet header, consisting of an IP header and transport-layer header.

pkt_profile_modes: enum

Output modes for packet profiling information.

pm_callit_request: record

An RPC portmapper callit request.

pm_mapping: record

An RPC portmapper mapping.

pm_mappings: table

Table of RPC portmapper mappings.

pm_port_request: record

An RPC portmapper request.

psk_identity_vec: vector

raw_pkt_hdr: record

A raw packet header, consisting of L2 header and everything in pkt_hdr.

record_field: record

Meta-information about a record field.

record_field_table: table

Table type used to map record field declarations to meta-information describing them.

rotate_info: record

script_id: record

Meta-information about a script-level identifier.

signature_and_hashalgorithm_vec: vector

A vector of Signature and Hash Algorithms.

signature_state: record

Description of a signature match.

string_any_file_hook: hook

A hook taking a fa_file, an any, and a string.

string_any_table: table

A string-table of any.

string_array: table

An ordered array of strings.

string_mapper: function

Function mapping a string to a string.

string_set: set

A set of strings.

string_vec: vector

A vector of strings.

subnet_set: set

A set of subnets.

subnet_vec: vector

A vector of subnets.

sw_align: record

Helper type for return value of Smith-Waterman algorithm.

sw_align_vec: vector

Helper type for return value of Smith-Waterman algorithm.

sw_params: record

Parameters for the Smith-Waterman algorithm.

sw_substring: record

Helper type for return value of Smith-Waterman algorithm.

sw_substring_vec: vector

Return type for Smith-Waterman algorithm.

table_string_of_count: table

A table of counts indexed by strings.

table_string_of_string: table

A table of strings indexed by strings.

tcp_hdr: record

Values extracted from a TCP header.

teredo_auth: record

A Teredo origin indication header.

teredo_hdr: record

A Teredo packet header.

teredo_origin: record

A Teredo authentication header.

transport_proto: enum

A connection’s transport-layer protocol.

udp_hdr: record

Values extracted from a UDP header.

var_sizes: table

Table type used to map variable names to their memory allocation.

x509_opaque_vector: vector

A vector of x509 opaques.

Functions

add_interface: function

Internal function.

add_signature_file: function

Internal function.

discarder_check_icmp: function

Function for skipping packets based on their ICMP header.

discarder_check_ip: function

Function for skipping packets based on their IP header.

discarder_check_tcp: function

Function for skipping packets based on their TCP header.

discarder_check_udp: function

Function for skipping packets based on their UDP header.

from_json_default_key_mapper: function

The default JSON key mapper function.

max_count: function

Returns maximum of two count values.

max_double: function

Returns maximum of two double values.

max_interval: function

Returns maximum of two interval values.

min_count: function

Returns minimum of two count values.

min_double: function

Returns minimum of two double values.

min_interval: function

Returns minimum of two interval values.

Detailed Interface

Runtime Options

MQTT::max_payload_size
Type

count

Attributes

&redef

Default

100

The maximum payload size to allocate for the purpose of payload information in mqtt_publish events (and the default MQTT logs generated from that).

Weird::sampling_duration
Type

interval

Attributes

&redef

Default

10.0 mins

How long a weird of a given type is allowed to keep state/counters in memory. For “net” weirds an expiration timer starts per weird name when first initializing its counter. For “flow” weirds an expiration timer starts once per src/dst IP pair for the first weird of any name. For “conn” weirds, counters and expiration timers are kept for the duration of the connection for each named weird and reset when necessary. E.g. if a “conn” weird by the name of “foo” is seen more than Weird::sampling_threshold times, then an expiration timer begins for “foo” and upon triggering will reset the counter for “foo” and unthrottle its rate-limiting until it once again exceeds the threshold.

Weird::sampling_global_list
Type

set [string]

Attributes

&redef

Default

{}

Rate-limits weird names in the table globally instead of per connection/flow.

Weird::sampling_rate
Type

count

Attributes

&redef

Default

1000

The rate-limiting sampling rate. Once a weird type is rate-limited, only one out of every this many weirds of that type will be allowed to raise events for further script-layer handling. Setting the sampling rate to 0 will disable all output of rate-limited weirds.

Weird::sampling_threshold
Type

count

Attributes

&redef

Default

25

How many weirds of a given type to tolerate before sampling begins. I.e. this many consecutive weirds of a given type will be allowed to raise events for script-layer handling before being rate-limited.

Weird::sampling_whitelist
Type

set [string]

Attributes

&redef

Default

{}

Prevents rate-limiting sampling of any weirds named in the table.
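The Weird::sampling_* options above act together: the threshold decides when throttling of a weird name starts, the rate decides how many throttled weirds still reach the script layer, the duration decides when counters are reset, and the whitelist and global list exempt or widen the scope of individual names. The following site-local script, an added example that is not part of base/init-bare.zeek, shows how the five knobs are redefined as a unit; the weird names in it are constructed placeholders, not names Zeek emits.

```zeek
# Added example (not part of base/init-bare.zeek): tuning weird rate-limiting
# from a site script such as local.zeek. Weird names are placeholders.

# Let the first 25 weirds of a given name through unthrottled (the default).
redef Weird::sampling_threshold = 25;

# Past the threshold, let 1 in 1000 rate-limited weirds of that name still
# raise events; 0 would silence rate-limited weirds entirely.
redef Weird::sampling_rate = 1000;

# Drop per-name counters (and with them the throttling) after 10 minutes,
# so a name that exceeded the threshold is reported again later.
redef Weird::sampling_duration = 10 min;

# Never rate-limit these names: every occurrence reaches the script layer.
# Use this for weirds a detection depends on, since sampling would otherwise
# drop most of them once the threshold is exceeded.
redef Weird::sampling_whitelist += { "EXAMPLE_weird_always_report" };

# Count these names once across all connections instead of per connection
# or flow, so a noisy weird spread over many flows is throttled as a whole.
redef Weird::sampling_global_list += { "EXAMPLE_weird_count_globally" };
```

The trade-off is visibility against event volume: whitelisting a name restores every occurrence at the cost of unbounded event rate, while the global list is the right tool when one weird is spread thinly over many flows and would otherwise never reach the per-flow threshold.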

default_file_bof_buffer_size
Type

count

Attributes

&redef

Default

4096

Redefinition

from policy/frameworks/signatures/iso-9660.zeek

=:

2048 * (16 + 1)

Default number of bytes that file analysis will buffer in order to use for mime type matching. File analyzers attached at the time of mime type matching or later will receive a copy of this buffer.

default_file_timeout_interval
Type

interval

Attributes

&redef

Default

2.0 mins

Default amount of time a file can be inactive before the file analysis gives up and discards any internal state related to the file.

ignore_checksums_nets
Type

set [subnet]

Attributes

&redef

Default

{}

Checksums are ignored for all packets with a src address within this set of networks. Useful for cases where a host might be seeing packets collected from local hosts before checksums were applied by hardware. This frequently manifests when sniffing a local management interface on a host and Zeek sees packets before the hardware has had a chance to apply the checksums.

udp_content_delivery_ports_use_resp
Type

bool

Attributes

&redef

Default

F

Whether ports given in udp_content_delivery_ports_orig and udp_content_delivery_ports_resp are in terms of the UDP packet’s destination port or the UDP connection’s “responder” port.

udp_content_ports
Type

set [port]

Attributes

&redef

Default

{}

Defines UDP ports (source or destination) for which the contents of either originator or responder streams should be delivered via udp_contents.

See also: tcp_content_delivery_ports_orig, tcp_content_delivery_ports_resp, tcp_content_deliver_all_orig, tcp_content_deliver_all_resp, udp_content_delivery_ports_orig, udp_content_deliver_all_orig, udp_content_deliver_all_resp, udp_contents, udp_content_delivery_ports_use_resp, udp_content_delivery_ports_resp

Redefinable Options

BinPAC::flowbuffer_capacity_max
Type

count

Attributes

&redef

Default

10485760

Maximum capacity, in bytes, that the BinPAC flowbuffer is allowed to grow to for use with incremental parsing of a given connection/analyzer.

BinPAC::flowbuffer_capacity_min
Type

count

Attributes

&redef

Default

512

The initial capacity, in bytes, that will be allocated to the BinPAC flowbuffer of a given connection/analyzer. If the buffer is later contracted, its capacity is also reduced to this size.

BinPAC::flowbuffer_contract_threshold
Type

count

Attributes

&redef

Default

2097152

The threshold, in bytes, at which the BinPAC flowbuffer of a given connection/analyzer will have its capacity contracted to BinPAC::flowbuffer_capacity_min after parsing a full unit. I.e. this is the maximum capacity to reserve in between the parsing of units. If, after parsing a unit, the flowbuffer capacity is greater than this value, it will be contracted.

DCE_RPC::max_cmd_reassembly
Type

count

Attributes

&redef

Default

20

The maximum number of simultaneous fragmented commands that the DCE_RPC analyzer will tolerate before it generates a weird and skips further input.

DCE_RPC::max_frag_data
Type

count

Attributes

&redef

Default

30000

The maximum number of fragmented bytes that the DCE_RPC analyzer will tolerate on a command before the analyzer will generate a weird and skip further input.

HTTP::upgrade_analyzers
Type

table [string] of Analyzer::Tag

Attributes

&redef

Default

{}

Redefinition

from base/protocols/websocket/main.zeek

+=:

websocket = Analyzer::ANALYZER_WEBSOCKET

Lookup table for Upgrade analyzers. First, a case-sensitive lookup is done using the client’s Upgrade header. If no match is found, the all lower-case value is used. If there’s still no match, Zeek uses dynamic protocol detection for the upgraded-to protocol instead.

KRB::keytab
Type

string

Attributes

&redef

Default

""

Kerberos keytab file name. Used to decrypt tickets encountered on the wire.

MIME::max_depth
Type

count

Attributes

&redef

Default

100

Stop analysis of nested multipart MIME entities if this depth is reached. Setting this value to 0 removes the limit.

NCP::max_frame_size
Type

count

Attributes

&redef

Default

65536

The maximum number of bytes to allocate when parsing NCP frames.

NFS3::return_data
Type

bool

Attributes

&redef

Default

F

If true, nfs_proc_read and nfs_proc_write events return the file data that has been read/written.

See also: NFS3::return_data_max, NFS3::return_data_first_only

NFS3::return_data_first_only
Type

bool

Attributes

&redef

Default

T

If NFS3::return_data is true, whether to only return data if the read or write offset is 0, i.e., only return data for the beginning of the file.

NFS3::return_data_max
Type

count

Attributes

&redef

Default

512

If NFS3::return_data is true, how much data should be returned at most.

Pcap::bufsize
Type

count

Attributes

&redef

Default

128

Number of Mbytes to provide as buffer space when capturing from live interfaces.

Pcap::bufsize_offline_bytes
Type

count

Attributes

&redef

Default

131072

Number of bytes to use for buffering file read operations when reading from a PCAP file. Setting this to 0 uses operating system defaults as chosen by fopen().

Pcap::non_fd_timeout
Type

interval

Attributes

&redef

Default

20.0 usecs

Default timeout for packet sources without file descriptors.

For libpcap based packet sources that do not provide a usable file descriptor for select(), the timeout provided to the IO loop is either zero if a packet was most recently available or else this value.

Depending on the expected packet rate per-worker and the amount of available packet buffer, raising this value can significantly reduce Zeek’s CPU usage at the cost of a small delay before processing packets. Setting this value too high may cause packet drops due to running out of available buffer space.

Increasing this value to 200usec on low-traffic Myricom based systems (5 kpps per Zeek worker) has shown a 50% reduction in CPU usage.

This is an advanced setting. Do monitor dropped packets and capture loss information when changing it.

Note

Packet sources that override GetNextTimeout() method may not respect this value.

See also: io_poll_interval_live

Pcap::snaplen
Type

count

Attributes

&redef

Default

9216

Number of bytes per packet to capture from live interfaces.

Reporter::errors_to_stderr
Type

bool

Attributes

&redef

Default

T

Tunable for sending reporter error messages to STDERR. The option to turn it off is presented here in case Zeek is being run by some external harness and shouldn’t output anything to the console.

Reporter::info_to_stderr
Type

bool

Attributes

&redef

Default

T

Tunable for sending reporter info messages to STDERR. The option to turn it off is presented here in case Zeek is being run by some external harness and shouldn’t output anything to the console.

Reporter::warnings_to_stderr
Type

bool

Attributes

&redef

Default

T

Tunable for sending reporter warning messages to STDERR. The option to turn it off is presented here in case Zeek is being run by some external harness and shouldn’t output anything to the console.

SMB::max_dce_rpc_analyzers
Type

count

Attributes

&redef

Default

1000

Maximum number of DCE-RPC analyzers per connection before discarding them to avoid unbounded state growth.

See also: smb_discarded_dce_rpc_analyzers

SMB::max_pending_messages
Type

count

Attributes

&redef

Default

1000

The maximum number of messages for which to retain state about offsets, fids, or tree ids within the parser. When the limit is reached, internal parser state is discarded and smb2_discarded_messages_state is raised.

Setting this to zero will disable the functionality.

See also: smb2_discarded_messages_state

SMB::pipe_filenames
Type

set [string]

Attributes

&redef

Default

{}

Redefinition

from base/protocols/smb/consts.zeek

=:

spoolss, winreg, samr, srvsvc, netdfs, lsarpc, wkssvc, MsFteWds

A set of file names used as named pipes over SMB. This only comes into play as a heuristic to identify named pipes when the drive mapping wasn’t seen by Zeek.

See also: smb_pipe_connect_heuristic

SSL::dtls_max_reported_version_errors
Type

count

Attributes

&redef

Default

1

Maximum number of invalid version errors to report in one DTLS connection.

SSL::dtls_max_version_errors
Type

count

Attributes

&redef

Default

10

Number of non-DTLS frames that can occur in a DTLS connection before parsing of the connection is suspended. DTLS does not immediately stop parsing a connection because other protocols might be interleaved in the same UDP “connection”.

SSL::max_alerts_per_record
Type

count

Attributes

&redef

Default

10

Maximum number of Alert messages parsed from an SSL record with content_type alert (21). The remaining alerts are discarded. For TLS 1.3 connections, this is implicitly 1 as defined by RFC 8446.

Threading::heartbeat_interval
Type

interval

Attributes

&redef

Default

1.0 sec

The heartbeat interval used by the threading framework. Changing this should usually not be necessary and will break several tests.

Tunnel::delay_gtp_confirmation
Type

bool

Attributes

&redef

Default

F

With this set, the GTP analyzer waits until the most-recent upflow and downflow packets are a valid GTPv1 encapsulation before issuing analyzer_confirmation_info. If it’s false, the first occurrence of a packet with valid GTPv1 encapsulation causes confirmation. Since the same inner connection can be carried by differing outer upflow/downflow connections, setting this to false may work better.

Tunnel::delay_teredo_confirmation
Type

bool

Attributes

&redef

Default

T

With this set, the Teredo analyzer waits until it sees both sides of a connection using a valid Teredo encapsulation before issuing an analyzer_confirmation_info. If it’s false, the first occurrence of a packet with valid Teredo encapsulation causes a confirmation.

Tunnel::ip_tunnel_timeout
Type

interval

Attributes

&redef

Default

1.0 day

How often to cleanup internal state for inactive IP tunnels (includes GRE tunnels).

Tunnel::max_changes_per_connection
Type

count

Attributes

&redef

Default

5

The number of tunnel_changed events that will be sent for a connection. Once this limit is hit, no more of those events will be sent to avoid a large number of events being sent for connections that regularly swap. This can be set to zero to disable this limiting.

Tunnel::max_depth
Type

count

Attributes

&redef

Default

4

The maximum depth of a tunnel to decapsulate until giving up. Setting this to zero will disable all types of tunnel decapsulation.

Tunnel::validate_vxlan_checksums
Type

bool

Attributes

&redef

Default

T

Whether to validate the checksum supplied in the outer UDP header of a VXLAN encapsulation. The spec says the checksum should be transmitted as zero, but if not, then the decapsulating destination may choose whether to perform the validation.

UnknownProtocol::first_bytes_count
Type

count

Attributes

&redef

Default

10

The number of bytes to extract from the next header and log in the first bytes field.

UnknownProtocol::sampling_duration
Type

interval

Attributes

&redef

Default

1.0 hr

How long an analyzer/protocol pair is allowed to keep state/counters in memory. Once the threshold has been hit, this is the amount of time before the rate-limiting for a pair expires and is reset.

UnknownProtocol::sampling_rate
Type

count

Attributes

&redef

Default

100000

The rate-limiting sampling rate. Once an analyzer/protocol pair is rate-limited, only one out of every this many reports for that pair will be allowed to raise events for further script-layer handling. Setting the sampling rate to 0 will disable all output of rate-limited pairs.

UnknownProtocol::sampling_threshold
Type

count

Attributes

&redef

Default

3

How many reports for an analyzer/protocol pair will be allowed to raise events before becoming rate-limited.

WebSocket::payload_chunk_size
Type

count

Attributes

&redef

Default

8192

The WebSocket analyzer consumes and forwards frame payload in chunks to keep memory usage bounded. There should not be a reason to change this value except for debugging and testing reasons.

WebSocket::use_dpd_default
Type

bool

Attributes

&redef

Default

T

Whether to enable DPD on WebSocket frame payload by default.

WebSocket::use_spicy_analyzer
Type

bool

Attributes

&redef

Default

F

Whether to use the Spicy WebSocket protocol analyzer.

As of now, the BinPac version has better performance, but we may change the default in the future.

allow_network_time_forward
Type

bool

Attributes

&redef

Default

T

Whether Zeek will forward network_time to the current time upon observing an idle packet source (or no configured packet source).

Only set this to F if you really know what you’re doing. Setting this to F on non-worker systems causes network_time to be stuck at 0.0 and timer expiration will be non-functional.

The main purpose of this option is to yield control over network time to plugins or scripts via broker or other non-timer events.

See also: network_time, set_network_time, packet_source_inactivity_timeout

bits_per_uid
Type

count

Attributes

&redef

Default

96

Number of bits in UIDs that are generated to identify connections and files. The larger the value, the more confidence in UID uniqueness. The maximum is currently 128 bits.

check_for_unused_event_handlers
Type

bool

Attributes

&redef &deprecated = "Remove in v7.1. This has been replaced by usage analyzer functionality."

Default

F

If true, warns about unused event handlers at startup.

cmd_line_bpf_filter
Type

string

Attributes

&redef

Default

""

BPF filter the user has set via the -f command line option. Empty if none.

detect_filtered_trace
Type

bool

Attributes

&redef

Default

F

Whether to attempt to automatically detect SYN/FIN/RST-filtered trace and not report missing segments for such connections. If this is enabled, then missing data at the end of connections may not be reported via content_gap.

digest_salt
Type

string

Attributes

&redef

Default

"Please change this value."

This salt value is used for several message digests in Zeek. We use a salt to help mitigate the possibility of an attacker manipulating source data to, e.g., mount complexity attacks or cause ID collisions. This salt is, for example, used by get_file_handle to generate installation-unique file IDs (the id field of fa_file).

dns_session_timeout
Type

interval

Attributes

&redef

Default

10.0 secs

Time to wait before timing out a DNS request.

dpd_buffer_size
Type

count

Attributes

&redef

Default

1024

Size of per-connection buffer used for dynamic protocol detection. For each connection, Zeek buffers this initial amount of payload in memory so that complete protocol analysis can start even after the initial packets have already passed through (i.e., when a DPD signature matches only later). However, once the buffer is full, data is deleted and lost to analyzers that are activated afterwards. Then only analyzers that can deal with partial connections will be able to analyze the session.

See also: dpd_reassemble_first_packets, dpd_match_only_beginning, dpd_ignore_ports, dpd_max_packets

dpd_ignore_ports
Type

bool

Attributes

&redef

Default

F

If true, don’t consider any ports for deciding which protocol analyzer to use.

See also: dpd_reassemble_first_packets, dpd_buffer_size, dpd_match_only_beginning

dpd_late_match_stop
Type

bool

Attributes

&redef

Default

F

Redefinition

from policy/protocols/conn/speculative-service.zeek

=:

T

If true, stops signature matching after a late match. A late match may occur in case the DPD buffer is exhausted but a protocol signature matched. To allow late matching, dpd_match_only_beginning must be disabled.

See also: dpd_reassemble_first_packets, dpd_buffer_size, dpd_match_only_beginning

Note

Despite the name, this option stops all signature matching, not only signatures used for dynamic protocol detection; it is, however, triggered by DPD signatures only.

dpd_match_only_beginning
Type

bool

Attributes

&redef

Default

T

Redefinition

from policy/protocols/conn/speculative-service.zeek

=:

F

If true, stops signature matching if dpd_buffer_size has been reached.

See also: dpd_reassemble_first_packets, dpd_buffer_size, dpd_ignore_ports

Note

Despite the name, this option affects all signature matching, not only signatures used for dynamic protocol detection.

dpd_max_packets
Type

count

Attributes

&redef

Default

100

Maximum number of per-connection packets that will be buffered for dynamic protocol detection. For each connection, Zeek buffers up to this amount of packets in memory so that complete protocol analysis can start even after the initial packets have already passed through (i.e., when a DPD signature matches only later). However, once the buffer is full, data is deleted and lost to analyzers that are activated afterwards. Then only analyzers that can deal with partial connections will be able to analyze the session.

See also: dpd_reassemble_first_packets, dpd_match_only_beginning, dpd_ignore_ports, dpd_buffer_size

dpd_reassemble_first_packets
Type

bool

Attributes

&redef

Default

T

Reassemble the beginning of all TCP connections before doing signature matching. Enabling this provides more accurate matching at the expense of CPU cycles.

See also: dpd_buffer_size, dpd_match_only_beginning, dpd_ignore_ports

Note

Despite the name, this option affects all signature matching, not only signatures used for dynamic protocol detection.
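The DPD options above determine how much early payload is still available to an analyzer that attaches late. The following script is an added example, not part of init-bare.zeek or any Zeek package: it allows late matches and raises a notice when an analyzer is confirmed only after more bytes than dpd_buffer_size have passed, since the analyzer can then no longer see the beginning of the session. It assumes Zeek 6 or later (the analyzer_confirmation_info event); the notice type, the buffer values and the module name are constructed for this example.

```zeek
# Added example: flag analyzers that attached after the DPD buffer could have
# been exhausted. Notice type and tuning values are constructed, not Zeek defaults.
module LateDPD;

export {
    redef enum Notice::Type += {
        ## An analyzer was confirmed after more payload than dpd_buffer_size
        ## had already passed; it may have missed the start of the session.
        Late_Match,
    };
}

# Allow signature matching to continue past the buffered beginning so that
# late matches can still attach analyzers, and keep a few more packets around.
# (Values chosen for this example, not Zeek's defaults.)
redef dpd_match_only_beginning = F;
redef dpd_late_match_stop = F;
redef dpd_buffer_size = 4096;
redef dpd_max_packets = 200;

event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo)
    {
    # Only connection-level analyzers carry a connection here.
    if ( ! info?$c )
        return;

    local c = info$c;
    # Bytes seen from both endpoints so far. Once this exceeds the buffer,
    # payload that arrived before the match may already have been discarded.
    local seen = c$orig$size + c$resp$size;
    if ( seen <= dpd_buffer_size )
        return;

    NOTICE([$note=Late_Match,
            $conn=c,
            $msg=fmt("%s confirmed after %d bytes (dpd_buffer_size=%d); early payload may be unavailable to it",
                     Analyzer::name(atype), seen, dpd_buffer_size),
            $identifier=cat(c$id)]);
    }
```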

exit_only_after_terminate
Type

bool

Attributes

&redef

Default

F

Flag to prevent Zeek from exiting automatically when input is exhausted. Normally Zeek terminates when all packet sources have gone dry and communication isn’t enabled. If this flag is set, Zeek’s main loop will instead keep idling until terminate is explicitly called.

This is mainly for testing purposes when termination behaviour needs to be controlled for reproducing results.

expensive_profiling_multiple
Type

count

Attributes

&redef

Default

0

Redefinition

from policy/misc/profiling.zeek

=:

20

Multiples of profiling_interval at which (more expensive) memory profiling is done (0 disables).

See also: profiling_interval, profiling_file

frag_timeout
Type

interval

Attributes

&redef

Default

5.0 mins

How long to hold onto fragments for possible reassembly. A value of 0.0 means “forever”, which resists evasion, but can lead to state accrual.

global_hash_seed
Type

string

Attributes

&redef

Default

""

Seed for hashes computed internally for probabilistic data structures. Using the same value here will make the hashes compatible between independent Zeek instances. If left unset, Zeek will use a temporary local seed.

icmp_inactivity_timeout
Type

interval

Attributes

&redef

Default

1.0 min

If an ICMP flow is inactive, time it out after this interval. If 0 secs, then don’t time it out.

See also: tcp_inactivity_timeout, udp_inactivity_timeout, set_inactivity_timeout

ignore_checksums
Type

bool

Attributes

&redef

Default

F

If true, don’t verify checksums, and accept packets that give a length of zero in the IPv4 header. This is useful when running against traces of local traffic and the NIC checksum offloading feature is enabled. It can also be useful for running on altered trace files, and for saving a few cycles at the risk of analyzing invalid data. With this option, packets that have a value of zero in the total-length field of the IPv4 header are also accepted, and the capture-length is used instead. The total-length field is commonly set to zero when the NIC sequence offloading feature is enabled. Note that the -C command-line option overrides the setting of this variable.

ignore_keep_alive_rexmit
Type

bool

Attributes

&redef

Default

F

Ignore certain TCP retransmissions for conn_stats. Some connections (e.g., SSH) retransmit the acknowledged last byte to keep the connection alive. If ignore_keep_alive_rexmit is set to true, such retransmissions will be excluded in the rexmit counter in conn_stats.

See also: conn_stats

io_poll_interval_default
Type

count

Attributes

&redef

Default

100

How many rounds to go without checking IO sources with file descriptors for readiness by default. This is used when reading from traces.

Very roughly, when reading from a pcap, setting this to 100 results in 100 packets being processed without checking FD based IO sources.

Note

This should not be changed outside of development or when debugging problems with the main-loop, or developing features with tight main-loop interaction.

See also: io_poll_interval_live

io_poll_interval_live
Type

count

Attributes

&redef

Default

10

How often to check IO sources with file descriptors for readiness when monitoring with a live packet source.

The poll interval defaults to 100, which is good for cases like reading from pcap files and when there isn’t a packet source, but is a little too infrequent for live sources (especially fast ones). Set it lower for those sources.

Note

This should not be changed outside of development or when debugging problems with the main-loop, or developing features with tight main-loop interaction.

See also: io_poll_interval_default

likely_server_ports
Type

set [port]

Attributes

&redef

Default

{}

Redefinition

from base/packet-protocols/ayiya/main.zeek

+=:

PacketAnalyzer::AYIYA::ayiya_ports
Redefinition

from base/packet-protocols/geneve/main.zeek

+=:

PacketAnalyzer::Geneve::geneve_ports
Redefinition

from base/packet-protocols/vxlan/main.zeek

+=:

PacketAnalyzer::VXLAN::vxlan_ports
Redefinition

from base/packet-protocols/teredo/main.zeek

+=:

PacketAnalyzer::TEREDO::teredo_ports
Redefinition

from base/packet-protocols/gtpv1/main.zeek

+=:

PacketAnalyzer::GTPV1::gtpv1_ports
Redefinition

from base/protocols/dce-rpc/main.zeek

+=:

DCE_RPC::ports
Redefinition

from base/protocols/dhcp/main.zeek

+=:

67/udp
Redefinition

from base/protocols/dnp3/main.zeek

+=:

DNP3::ports
Redefinition

from base/protocols/dns/main.zeek

+=:

DNS::ports
Redefinition

from base/protocols/finger/main.zeek

+=:

Finger::ports
Redefinition

from base/protocols/ftp/main.zeek

+=:

FTP::ports
Redefinition

from base/protocols/ssl/main.zeek

+=:

SSL::ssl_ports, SSL::dtls_ports
Redefinition

from base/protocols/http/main.zeek

+=:

HTTP::ports
Redefinition

from base/protocols/imap/main.zeek

+=:

IMAP::ports
Redefinition

from base/protocols/irc/main.zeek

+=:

IRC::ports
Redefinition

from base/protocols/krb/main.zeek

+=:

KRB::tcp_ports, KRB::udp_ports
Redefinition

from base/protocols/ldap/main.zeek

+=:

LDAP::ports_tcp, LDAP::ports_udp
Redefinition

from base/protocols/modbus/main.zeek

+=:

Modbus::ports
Redefinition

from base/protocols/mqtt/main.zeek

+=:

MQTT::ports
Redefinition

from base/protocols/ntp/main.zeek

+=:

NTP::ports
Redefinition

from base/protocols/radius/main.zeek

+=:

RADIUS::ports
Redefinition

from base/protocols/rdp/main.zeek

+=:

RDP::rdp_ports, RDP::rdpeudp_ports
Redefinition

from base/protocols/sip/main.zeek

+=:

SIP::ports
Redefinition

from base/protocols/snmp/main.zeek

+=:

SNMP::ports
Redefinition

from base/protocols/smb/main.zeek

+=:

SMB::ports
Redefinition

from base/protocols/smtp/main.zeek

+=:

SMTP::ports
Redefinition

from base/protocols/socks/main.zeek

+=:

SOCKS::ports
Redefinition

from base/protocols/ssh/main.zeek

+=:

SSH::ports
Redefinition

from base/protocols/syslog/main.zeek

+=:

Syslog::ports
Redefinition

from base/protocols/xmpp/main.zeek

+=:

XMPP::ports

Ports which the core considers likely to be used by servers. For ports in this set, it may heuristically decide to flip the direction of the connection if it misses the initial handshake.

log_rotate_base_time
Type

string

Attributes

&redef

Default

"0:00"

Base time of log rotations in 24-hour time format (%H:%M), e.g. “12:00”.

max_analyzer_violations
Type

count

Attributes

&redef

Default

1000

The maximum number of analyzer violations the core generates before suppressing them for a given analyzer instance. A weird providing information about the analyzer and connection is generated once the limit is reached.

An analyzer generating this many violations is unlikely to be parsing the right protocol, or is potentially buggy.

See also DPD::max_violations, which controls disabling analyzers through script logic after a certain number of violations has been observed.

max_find_all_string_length
Type

int

Attributes

&redef

Default

10000

Maximum string length allowed for calls to the find_all and find_all_ordered BIFs.

max_timer_expires
Type

count

Attributes

&redef

Default

300

The maximum number of expired timers to process after processing each new packet. The value trades off spreading out the timer expiration load with possibly having to hold state longer. A value of 0 means “process all expired timers with each new packet”.

mmdb_asn_db
Type

string

Attributes

&redef

Default

"GeoLite2-ASN.mmdb"

Default name of the MaxMind ASN database file.

mmdb_city_db
Type

string

Attributes

&redef

Default

"GeoLite2-City.mmdb"

Default name of the MaxMind City database file.

mmdb_country_db
Type

string

Attributes

&redef

Default

"GeoLite2-Country.mmdb"

Default name of the MaxMind Country database file.

mmdb_dir
Type

string

Attributes

&redef

Default

""

The directory containing MaxMind DB (.mmdb) files to use for GeoIP support.

mmdb_dir_fallbacks
Type

vector of string

Attributes

&redef

Default

["/usr/share/GeoIP", "/var/lib/GeoIP", "/usr/local/share/GeoIP", "/usr/local/var/GeoIP"]

Fallback locations for MaxMind databases. Zeek attempts these when mmdb_dir is not set, or it cannot read a DB file from it. For geolocation lookups, Zeek will first attempt to locate the city database in each of the fallback locations, and should this fail, attempt to locate the country one.

mmdb_stale_check_interval
Type

interval

Attributes

&redef

Default

5.0 mins

Sets the interval for MaxMind DB file staleness checks. When Zeek detects a change in inode or modification time, the database is re-opened. Setting a negative interval disables staleness checks.

non_analyzed_lifetime
Type

interval

Attributes

&redef

Default

0 secs

If a connection belongs to an application that we don’t analyze, time it out after this interval. If 0 secs, then don’t time it out (but tcp_inactivity_timeout, udp_inactivity_timeout, and icmp_inactivity_timeout still apply).

packet_filter_default
Type

bool

Attributes

&redef

Default

F

Default mode for Zeek’s user-space dynamic packet filter. If true, packets that aren’t explicitly allowed through, are dropped from any further processing.

Note

This is not the BPF packet filter but an additional dynamic filter that Zeek optionally applies just before normal processing starts.

See also: install_dst_addr_filter, install_dst_net_filter, install_src_addr_filter, install_src_net_filter, uninstall_dst_addr_filter, uninstall_dst_net_filter, uninstall_src_addr_filter, uninstall_src_net_filter

packet_source_inactivity_timeout
Type

interval

Attributes

&redef

Default

100.0 msecs

If a packet source does not yield packets for this amount of time, it is considered idle. When a packet source is found to be idle, Zeek will update network_time to the current time so that timer expiration keeps functioning. A packet source that queues up packets and does not yield any of them for longer than this interval will provoke not-very-well-defined timer behavior.

On Zeek workers with low packet rates, timer expiration may be delayed by this many milliseconds after the last packet has been received.

partial_connection_ok
Type

bool

Attributes

&redef

Default

T

If true, instantiate connection state when a partial connection (one missing its initial establishment negotiation) is seen.

peer_description
Type

string

Attributes

&redef

Default

"zeek"

Description transmitted to remote communication peers for identification.

pkt_profile_freq
Type

double

Attributes

&redef

Default

0.0

Frequency associated with packet profiling.

See also: pkt_profile_modes, pkt_profile_mode, pkt_profile_file

pkt_profile_mode
Type

pkt_profile_modes

Attributes

&redef

Default

PKT_PROFILE_MODE_NONE

Output mode for packet profiling information.

See also: pkt_profile_modes, pkt_profile_freq, pkt_profile_file

profiling_interval
Type

interval

Attributes

&redef

Default

0 secs

Redefinition

from policy/misc/profiling.zeek

=:

15.0 secs

Update interval for profiling (0 disables). The easiest way to activate profiling is loading policy/misc/profiling.zeek.

See also: profiling_file, expensive_profiling_multiple

record_all_packets
Type

bool

Attributes

&redef

Default

F

If a trace file is given with -w, dump all packets seen by Zeek into it. By default, Zeek applies (very few) heuristics to reduce the volume. A side effect of setting this to true is that we can write the packets out before we actually process them, which can be helpful for debugging in case the analysis triggers a crash.

See also: trace_output_file

report_gaps_for_partial
Type

bool

Attributes

&redef

Default

F

Whether to generate content_gap events for partial connections. A connection is partial if it is missing a full handshake. Note that gap reports for partial connections might not be reliable.

See also: content_gap, partial_connection

rpc_timeout
Type

interval

Attributes

&redef

Default

24.0 secs

Time to wait before timing out an RPC request.

running_under_test
Type

bool

Attributes

&redef

Default

F

Whether Zeek is being run under test. This can be used to alter functionality while testing, but should be used sparingly.

sig_max_group_size
Type

count

Attributes

&redef

Default

50

Maximum size of regular expression groups for signature matching.

skip_http_data
Type

bool

Attributes

&redef

Default

F

Skip HTTP data for performance considerations. The skipped portion will not go through TCP reassembly.

See also: http_entity_data, skip_http_entity_data, http_entity_data_delivery_size

table_expire_delay
Type

interval

Attributes

&redef

Default

10.0 msecs

When expiring table entries, wait this amount of time before checking the next chunk of entries.

See also: table_expire_interval, table_incremental_step

table_expire_interval
Type

interval

Attributes

&redef

Default

10.0 secs

Redefinition

from policy/frameworks/management/agent/main.zeek

=:

2.0 secs
Redefinition

from policy/frameworks/management/controller/main.zeek

=:

2.0 secs

Check for expired table entries after this amount of time.

See also: table_incremental_step, table_expire_delay

table_incremental_step
Type

count

Attributes

&redef

Default

5000

When expiring/serializing table entries, don’t work on more than this many table entries at a time.

See also: table_expire_interval, table_expire_delay

tcp_SYN_ack_ok
Type

bool

Attributes

&redef

Default

T

If true, instantiate connection state when a SYN/ACK is seen but not the initial SYN (even if partial_connection_ok is false).

tcp_SYN_timeout
Type

interval

Attributes

&redef

Default

5.0 secs

Check up on the result of an initial SYN after this much time.

tcp_attempt_delay
Type

interval

Attributes

&redef

Default

5.0 secs

Wait this long upon seeing an initial SYN before timing out the connection attempt.

tcp_close_delay
Type

interval

Attributes

&redef

Default

5.0 secs

Upon seeing a normal connection close, flush state after this much time.

tcp_connection_linger
Type

interval

Attributes

&redef

Default

5.0 secs

When checking a closed connection for further activity, consider it inactive if there hasn’t been any for this long. Complain if the connection is reused before this much time has elapsed.

tcp_content_deliver_all_orig
Type

bool

Attributes

&redef

Default

F

If true, all TCP originator-side traffic is reported via tcp_contents.

See also: tcp_content_delivery_ports_orig, tcp_content_delivery_ports_resp, tcp_content_deliver_all_resp, udp_content_delivery_ports_orig, udp_content_delivery_ports_resp, udp_content_deliver_all_orig, udp_content_deliver_all_resp, tcp_contents

tcp_content_deliver_all_resp
Type

bool

Attributes

&redef

Default

F

If true, all TCP responder-side traffic is reported via tcp_contents.

See also: tcp_content_delivery_ports_orig, tcp_content_delivery_ports_resp, tcp_content_deliver_all_orig, udp_content_delivery_ports_orig, udp_content_delivery_ports_resp, udp_content_deliver_all_orig, udp_content_deliver_all_resp, tcp_contents

tcp_content_delivery_ports_orig
Type

table [port] of bool

Attributes

&redef

Default

{}

Defines destination TCP ports for which the contents of the originator stream should be delivered via tcp_contents.

See also: tcp_content_delivery_ports_resp, tcp_content_deliver_all_orig, tcp_content_deliver_all_resp, udp_content_delivery_ports_orig, udp_content_delivery_ports_resp, udp_content_deliver_all_orig, udp_content_deliver_all_resp, tcp_contents

tcp_content_delivery_ports_resp
Type

table [port] of bool

Attributes

&redef

Default

{}

Defines destination TCP ports for which the contents of the responder stream should be delivered via tcp_contents.

See also: tcp_content_delivery_ports_orig, tcp_content_deliver_all_orig, tcp_content_deliver_all_resp, udp_content_delivery_ports_orig, udp_content_delivery_ports_resp, udp_content_deliver_all_orig, udp_content_deliver_all_resp, tcp_contents
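The four tcp_content_* options above only enable delivery; the data arrives through the tcp_contents event, one reassembled chunk at a time. The following script is an added example, not part of init-bare.zeek or any Zeek package: it enables responder-side delivery for one port and uses the seq argument of consecutive chunks to report when the delivered stream is not contiguous. The port 8000/tcp and the module name are constructed for this example.

```zeek
# Added example: deliver the responder stream of one service and report
# non-contiguous chunks. Port and module name are constructed, not Zeek defaults.
module ContentsGap;

# Enable delivery only for the responder side of connections to 8000/tcp.
# tcp_content_deliver_all_resp = T would do the same for every responder stream.
redef tcp_content_delivery_ports_resp += { [8000/tcp] = T };

# Sequence number expected for the next chunk, per connection and direction.
global next_seq: table[string, bool] of count;

event tcp_contents(c: connection, is_orig: bool, seq: count, contents: string)
    {
    local side = is_orig ? "orig" : "resp";

    # A chunk whose sequence number differs from the end of the previous one
    # means the reassembler skipped bytes (a gap) or redelivered data.
    if ( [c$uid, is_orig] in next_seq && next_seq[c$uid, is_orig] != seq )
        print fmt("%s %s: expected seq %d, delivered chunk starts at %d",
                  c$uid, side, next_seq[c$uid, is_orig], seq);

    next_seq[c$uid, is_orig] = seq + |contents|;
    }

# Drop the per-connection bookkeeping once Zeek discards the connection state.
event connection_state_remove(c: connection)
    {
    delete next_seq[c$uid, T];
    delete next_seq[c$uid, F];
    }
```

The same pattern applies to udp_contents with the udp_content_* options, except that UDP has no reassembly and therefore no sequence numbers to compare.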

tcp_excessive_data_without_further_acks
Type

count

Attributes

&redef

Default

10485760

If we’ve seen this much data without any of it being acked, we give up on that connection to avoid memory exhaustion due to buffering all that stuff. If set to zero, then we don’t ever give up. Ideally, Zeek would track the current window on a connection and use it to infer that data has in fact gone too far, but for now we just make this quite beefy.

See also: tcp_max_initial_window, tcp_max_above_hole_without_any_acks

tcp_inactivity_timeout
Type

interval

Attributes

&redef

Default

5.0 mins

If a TCP connection is inactive, time it out after this interval. If 0 secs, then don’t time it out.

See also: udp_inactivity_timeout, icmp_inactivity_timeout, set_inactivity_timeout

tcp_match_undelivered
Type

bool

Attributes

&redef

Default

T

If true, pass any undelivered data to the signature engine before flushing the state. If a connection state is removed, there may still be some data waiting in the reassembler.

tcp_max_above_hole_without_any_acks
Type

count

Attributes

&redef

Default

16384

If we’re not seeing our peer’s ACKs, the maximum volume of data above a sequence hole that we’ll tolerate before assuming that there’s been a packet drop and we should give up on tracking a connection. If set to zero, then we don’t ever give up.

See also: tcp_max_initial_window, tcp_excessive_data_without_further_acks

tcp_max_initial_window
Type

count

Attributes

&redef

Default

16384

Maximum amount of data that might plausibly be sent in an initial flight (prior to receiving any acks). Used to determine whether we must not be seeing our peer’s ACKs. Set to zero to turn off this determination.

See also: tcp_max_above_hole_without_any_acks, tcp_excessive_data_without_further_acks

tcp_max_old_segments
Type

count

Attributes

&redef

Default

0

Number of TCP segments to buffer beyond what’s been acknowledged already to detect retransmission inconsistencies. Zero disables any additional buffering.

tcp_partial_close_delay
Type

interval

Attributes

&redef

Default

3.0 secs

Generate a connection_partial_close event this much time after one half of a partial connection closes, assuming there has been no subsequent activity.

tcp_reassembler_ports_orig
Type

set [port]

Attributes

&redef

Default

{}

For services without a handler, these sets define originator-side ports that still trigger reassembly.

See also: tcp_reassembler_ports_resp

tcp_reassembler_ports_resp
Type

set [port]

Attributes

&redef

Default

{}

For services without a handler, these sets define responder-side ports that still trigger reassembly.

See also: tcp_reassembler_ports_orig

tcp_reset_delay
Type

interval

Attributes

&redef

Default

5.0 secs

Upon seeing a RST, flush state after this much time.

tcp_session_timer
Type

interval

Attributes

&redef

Default

6.0 secs

After a connection has closed, wait this long for further activity before checking whether to time out its state.

tcp_storm_interarrival_thresh
Type

interval

Attributes

&redef

Default

1.0 sec

FINs/RSTs must come with this much time or less between them to be considered a “storm”.

See also: tcp_storm_thresh

tcp_storm_thresh
Type

count

Attributes

&redef

Default

1000

Number of FINs/RSTs in a row that constitute a “storm”. Storms are reported as weird via the notice framework, and they must also come within intervals of at most tcp_storm_interarrival_thresh.

See also: tcp_storm_interarrival_thresh

time_machine_profiling
Type

bool

Attributes

&redef &deprecated = "Remove in v7.1. Unused."

Default

F

If true, output profiling for Time-Machine queries.

truncate_http_URI
Type

int

Attributes

&redef

Default

-1

Maximum length of HTTP URIs passed to events. Longer ones will be truncated to prevent over-long URIs (usually sent by worms) from slowing down event processing. A value of -1 means “do not truncate”.

See also: http_request

udp_content_deliver_all_orig
Type

bool

Attributes

&redef

Default

F

If true, all UDP originator-side traffic is reported via udp_contents.

See also: tcp_content_delivery_ports_orig, tcp_content_delivery_ports_resp, tcp_content_deliver_all_resp, tcp_content_delivery_ports_orig, udp_content_delivery_ports_orig, udp_content_delivery_ports_resp, udp_content_deliver_all_resp, udp_contents, udp_content_delivery_ports_use_resp

udp_content_deliver_all_resp
Type

bool

Attributes

&redef

Default

F

If true, all UDP responder-side traffic is reported via udp_contents.

See also: tcp_content_delivery_ports_orig, tcp_content_delivery_ports_resp, tcp_content_deliver_all_resp, tcp_content_delivery_ports_orig, udp_content_delivery_ports_orig, udp_content_delivery_ports_resp, udp_content_deliver_all_orig, udp_contents, udp_content_delivery_ports_use_resp

udp_content_delivery_ports_orig
Type

table [port] of bool

Attributes

&redef

Default

{}

Defines UDP destination ports for which the contents of the originator stream should be delivered via udp_contents.

See also: tcp_content_delivery_ports_orig, tcp_content_delivery_ports_resp, tcp_content_deliver_all_orig, tcp_content_deliver_all_resp, udp_content_delivery_ports_resp, udp_content_deliver_all_orig, udp_content_deliver_all_resp, udp_contents, udp_content_delivery_ports_use_resp, udp_content_ports

udp_content_delivery_ports_resp
Type

table [port] of bool

Attributes

&redef

Default

{}

Defines UDP destination ports for which the contents of the responder stream should be delivered via udp_contents.

See also: tcp_content_delivery_ports_orig, tcp_content_delivery_ports_resp, tcp_content_deliver_all_orig, tcp_content_deliver_all_resp, udp_content_delivery_ports_orig, udp_content_deliver_all_orig, udp_content_deliver_all_resp, udp_contents, udp_content_delivery_ports_use_resp, udp_content_ports

udp_inactivity_timeout
Type

interval

Attributes

&redef

Default

1.0 min

If a UDP flow is inactive, time it out after this interval. If 0 secs, then don’t time it out.

See also: tcp_inactivity_timeout, icmp_inactivity_timeout, set_inactivity_timeout

use_conn_size_analyzer
Type

bool

Attributes

&redef

Default

T

Whether to use the ConnSize analyzer to count the number of packets and IP-level bytes transferred by each endpoint. If true, these values are returned in the connection’s endpoint record value.

watchdog_interval
Type

interval

Attributes

&redef

Default

10.0 secs

Zeek’s watchdog interval.

Constants

CONTENTS_BOTH
Type

count

Default

3

Record both originator and responder contents.

CONTENTS_NONE
Type

count

Default

0

Turn off recording of contents.

CONTENTS_ORIG
Type

count

Default

1

Record originator contents.

CONTENTS_RESP
Type

count

Default

2

Record responder contents.

DNS_ADDL
Type

count

Default

3

An additional record.

DNS_ANS
Type

count

Default

1

An answer record.

DNS_AUTH
Type

count

Default

2

An authoritative record.

DNS_QUERY
Type

count

Default

0

A query. This shouldn’t occur; it is included just for completeness.

ENDIAN_BIG
Type

count

Default

2

Big endian.

ENDIAN_CONFUSED
Type

count

Default

3

Tried to determine endian, but failed.

ENDIAN_LITTLE
Type

count

Default

1

Little endian.

ENDIAN_UNKNOWN
Type

count

Default

0

Endian not yet determined.

ICMP_UNREACH_ADMIN_PROHIB
Type

count

Default

13

Administratively prohibited.

ICMP_UNREACH_HOST
Type

count

Default

1

Host unreachable.

ICMP_UNREACH_NEEDFRAG
Type

count

Default

4

Fragment needed.

ICMP_UNREACH_NET
Type

count

Default

0

Network unreachable.

ICMP_UNREACH_PORT
Type

count

Default

3

Port unreachable.

ICMP_UNREACH_PROTOCOL
Type

count

Default

2

Protocol unreachable.

IPPROTO_AH
Type

count

Default

51

IPv6 authentication header.

IPPROTO_DSTOPTS
Type

count

Default

60

IPv6 destination options header.

IPPROTO_ESP
Type

count

Default

50

IPv6 encapsulating security payload header.

IPPROTO_FRAGMENT
Type

count

Default

44

IPv6 fragment header.

IPPROTO_HOPOPTS
Type

count

Default

0

IPv6 hop-by-hop-options header.

IPPROTO_ICMP
Type

count

Default

1

Control message protocol.

IPPROTO_ICMPV6
Type

count

Default

58

ICMP for IPv6.

IPPROTO_IGMP
Type

count

Default

2

Group management protocol.

IPPROTO_IP
Type

count

Default

0

Dummy for IP.

IPPROTO_IPIP
Type

count

Default

4

IP encapsulation in IP.

IPPROTO_IPV6
Type

count

Default

41

IPv6 header.

IPPROTO_MOBILITY
Type

count

Default

135

IPv6 mobility header.

IPPROTO_NONE
Type

count

Default

59

IPv6 no next header.

IPPROTO_RAW
Type

count

Default

255

Raw IP packet.

IPPROTO_ROUTING
Type

count

Default

43

IPv6 routing header.

IPPROTO_TCP
Type

count

Default

6

TCP.

IPPROTO_UDP
Type

count

Default

17

User datagram protocol.

LOGIN_STATE_AUTHENTICATE
Type

count

Default

0

LOGIN_STATE_CONFUSED
Type

count

Default

3

LOGIN_STATE_LOGGED_IN