site.zeek

Site

Definitions describing a site - which networks and DNS zones are “local” and “neighbors”, and servers running particular services.

Namespace: Site
Imports: base/utils/patterns.zeek

Summary

Runtime Options

`Site::local_admins`: `table` `&redef`	If local network administrators are known and they have responsibility for defined address space, then a mapping can be defined here between networks for which they have responsibility and a set of email addresses.
`Site::local_nets`: `set` `&redef`	Networks that are considered “local”.
`Site::local_zones`: `set` `&redef`	DNS zones that are considered “local”.
`Site::neighbor_nets`: `set` `&redef`	Networks that are considered “neighbors”.
`Site::neighbor_zones`: `set` `&redef`	DNS zones that are considered “neighbors”.
`Site::private_address_space`: `set` `&redef`	A list of subnets that are considered private address space.

Redefinable Options

Site::private_address_space_is_local: bool &redef

Whether Zeek should automatically consider private address ranges “local”.

State Variables

Site::local_nets_table: table

This is used for retrieving the subnet when using multiple entries in Site::local_nets.

Functions

`Site::get_emails`: `function`	Function that returns a comma-separated list of email addresses that are considered administrators for the IP address provided as an argument.
`Site::is_local_addr`: `function`	Function that returns true if an address corresponds to one of the local networks, false if not.
`Site::is_local_name`: `function`	Function that returns true if a host name is within a local DNS zone.
`Site::is_neighbor_addr`: `function`	Function that returns true if an address corresponds to one of the neighbor networks, false if not.
`Site::is_neighbor_name`: `function`	Function that returns true if a host name is within a neighbor DNS zone.
`Site::is_private_addr`: `function`	Function that returns true if an address corresponds to one of the private/unrouted networks, false if not.

Detailed Interface

Runtime Options

Site::local_admins 

Type: table [subnet] of set [string]
Attributes: &redef
Default: {}

If local network administrators are known and they have responsibility for defined address space, then a mapping can be defined here between networks for which they have responsibility and a set of email addresses.

Site::local_nets 

Type: set [subnet]
Attributes: &redef
Default: {}

Networks that are considered “local”. Note that ZeekControl sets this automatically.

Site::local_zones 

Type: set [string]
Attributes: &redef
Default: {}

DNS zones that are considered “local”.

Site::neighbor_nets 

Type: set [subnet]
Attributes: &redef
Default: {}

Networks that are considered “neighbors”.

Site::neighbor_zones 

Type: set [string]
Attributes: &redef
Default: {}

DNS zones that are considered “neighbors”.

Site::private_address_space 

Type

set [subnet]

Attributes

&redef

Default

{
ff9b:1::/48,
18.0.0/15,
   fc00::/7,
64.0.0/10,
   ::/128,
ffff:ffff::/48,
   ::1/128,
cb00:7100::/40,
0.0.0/4,
c633:6400::/40,
a00::/24,
:/64,
255.255.255/32,
0.0.0/24,
0.0.0/8,
2::/48,
c000:200::/40,
16.0.0/12,
f000::/20,
7f00::/24,
:/23,
6440::/26,
c000::/40,
0.0.0/8,
0.0.0/8,
0.2.0/24,
168.0.0/16,
ac10::/28,
a9fe::/32,
c612::/31,
254.0.0/16,
:/24,
   fe80::/10,
db8::/32,
0.113.0/24,
c0a8::/32,
51.100.0/24
}

A list of subnets that are considered private address space.

By default, it has address blocks defined by IANA as not being routable over the Internet.

See the IPv4 Special-Purpose Address Registry and the IPv6 Special-Purpose Address Registry

Redefinable Options

Site::private_address_space_is_local 

Type: bool
Attributes: &redef
Default: T

Whether Zeek should automatically consider private address ranges “local”. On by default, this setting ensures that the initial value of Site::private_address_space as well as any later updates to it get copied over into Site::local_nets.

State Variables

Site::local_nets_table 

Type: table [subnet] of subnet
Default: {}

This is used for retrieving the subnet when using multiple entries in Site::local_nets. It’s populated automatically from there. A membership query can be done with an addr and the table will yield the subnet it was found within.

Functions

Site::get_emails 

Type: function (a: addr) : string

Function that returns a comma-separated list of email addresses that are considered administrators for the IP address provided as an argument. The function inspects Site::local_admins.

Site::is_local_addr 

Type: function (a: addr) : bool

Function that returns true if an address corresponds to one of the local networks, false if not. The function inspects Site::local_nets.

Site::is_local_name 

Type: function (name: string) : bool

Function that returns true if a host name is within a local DNS zone. The function inspects Site::local_zones.

Site::is_neighbor_addr 

Type: function (a: addr) : bool

Function that returns true if an address corresponds to one of the neighbor networks, false if not. The function inspects Site::neighbor_nets.

Site::is_neighbor_name 

Type: function (name: string) : bool

Function that returns true if a host name is within a neighbor DNS zone. The function inspects Site::neighbor_zones.

Site::is_private_addr 

Type: function (a: addr) : bool

Function that returns true if an address corresponds to one of the private/unrouted networks, false if not. The function inspects Site::private_address_space.