base/utils/site.zeek

Site

Definitions describing a site - which networks and DNS zones are “local” and “neighbors”, and servers running particular services.

Namespace

Site

Imports

base/utils/patterns.zeek

Summary

Runtime Options

Site::local_admins: table &redef

If local network administrators are known and they have responsibility for defined address space, then a mapping can be defined here between networks for which they have responsibility and a set of email addresses.

Site::local_nets: set &redef

Networks that are considered “local”.

Site::local_zones: set &redef

DNS zones that are considered “local”.

Site::neighbor_nets: set &redef

Networks that are considered “neighbors”.

Site::neighbor_zones: set &redef

DNS zones that are considered “neighbors”.

Site::private_address_space: set &redef

A list of subnets that are considered private address space.

State Variables

Site::local_nets_table: table

This is used for retrieving the subnet when using multiple entries in Site::local_nets.

Functions

Site::get_emails: function

Function that returns a comma-separated list of email addresses that are considered administrators for the IP address provided as an argument.

Site::is_local_addr: function

Function that returns true if an address corresponds to one of the local networks, false if not.

Site::is_local_name: function

Function that returns true if a host name is within a local DNS zone.

Site::is_neighbor_addr: function

Function that returns true if an address corresponds to one of the neighbor networks, false if not.

Site::is_neighbor_name: function

Function that returns true if a host name is within a neighbor DNS zone.

Site::is_private_addr: function

Function that returns true if an address corresponds to one of the private/unrouted networks, false if not.

Detailed Interface

Runtime Options

Site::local_admins
Type

table [subnet] of set [string]

Attributes

&redef

Default

{}

If local network administrators are known and they have responsibility for defined address space, then a mapping can be defined here between networks for which they have responsibility and a set of email addresses.

Site::local_nets
Type

set [subnet]

Attributes

&redef

Default

{}

Networks that are considered “local”. Note that ZeekControl sets this automatically.

Site::local_zones
Type

set [string]

Attributes

&redef

Default

{}

DNS zones that are considered “local”.

Site::neighbor_nets
Type

set [subnet]

Attributes

&redef

Default

{}

Networks that are considered “neighbors”.

Site::neighbor_zones
Type

set [string]

Attributes

&redef

Default

{}

DNS zones that are considered “neighbors”.

Site::private_address_space
Type

set [subnet]

Attributes

&redef

Default
{
   64:ff9b:1::/48,
   198.18.0.0/15,
   fc00::/7,
   100.64.0.0/10,
   ::/128,
   2002:ffff:ffff::/48,
   ::1/128,
   2002:cb00:7100::/40,
   240.0.0.0/4,
   2002:c633:6400::/40,
   2002:a00::/24,
   100::/64,
   255.255.255.255/32,
   192.0.0.0/24,
   0.0.0.0/8,
   2001:2::/48,
   2002:c000:200::/40,
   172.16.0.0/12,
   2002:f000::/20,
   2002:7f00::/24,
   2001::/23,
   2002:6440::/26,
   2002:c000::/40,
   10.0.0.0/8,
   127.0.0.0/8,
   192.0.2.0/24,
   2002:a9fe::/32,
   192.168.0.0/16,
   2002:ac10::/28,
   169.254.0.0/16,
   2002:c612::/31,
   2002::/24,
   fe80::/10,
   0.0.0.0/0,
   2001:db8::/32,
   203.0.113.0/24,
   2002:c0a8::/32,
   198.51.100.0/24
}

A list of subnets that are considered private address space.

By default, it has address blocks defined by IANA as not being routable over the Internet.

See the IPv4 Special-Purpose Address Registry and the IPv6 Special-Purpose Address Registry

State Variables

Site::local_nets_table
Type

table [subnet] of subnet

Default

{}

This is used for retrieving the subnet when using multiple entries in Site::local_nets. It’s populated automatically from there. A membership query can be done with an addr and the table will yield the subnet it was found within.

Functions

Site::get_emails
Type

function (a: addr) : string

Function that returns a comma-separated list of email addresses that are considered administrators for the IP address provided as an argument. The function inspects Site::local_admins.

Site::is_local_addr
Type

function (a: addr) : bool

Function that returns true if an address corresponds to one of the local networks, false if not. The function inspects Site::local_nets.

Site::is_local_name
Type

function (name: string) : bool

Function that returns true if a host name is within a local DNS zone. The function inspects Site::local_zones.

Site::is_neighbor_addr
Type

function (a: addr) : bool

Function that returns true if an address corresponds to one of the neighbor networks, false if not. The function inspects Site::neighbor_nets.

Site::is_neighbor_name
Type

function (name: string) : bool

Function that returns true if a host name is within a neighbor DNS zone. The function inspects Site::neighbor_zones.

Site::is_private_addr
Type

function (a: addr) : bool

Function that returns true if an address corresponds to one of the private/unrouted networks, false if not. The function inspects Site::private_address_space.