base/utils/site.zeek
- Site
Definitions describing a site - which networks and DNS zones are “local” and “neighbors”, and servers running particular services.
- Namespace: Site
- Imports:
Summary
Runtime Options
- Site::local_admins: If local network administrators are known and they have responsibility for defined address space, then a mapping can be defined here between networks for which they have responsibility and a set of email addresses.
- Site::local_nets: Networks that are considered “local”.
- Site::local_zones: DNS zones that are considered “local”.
- Site::neighbor_nets: Networks that are considered “neighbors”.
- Site::neighbor_zones: DNS zones that are considered “neighbors”.
- Site::private_address_space: A list of subnets that are considered private address space.
Redefinable Options
- Site::private_address_space_is_local: Whether Zeek should automatically consider private address ranges “local”.
State Variables
- Site::local_nets_table: This is used for retrieving the subnet when using multiple entries in Site::local_nets.
Functions
- Site::get_emails: Function that returns a comma-separated list of email addresses that are considered administrators for the IP address provided as an argument.
- Site::is_local_addr: Function that returns true if an address corresponds to one of the local networks, false if not.
- Site::is_local_name: Function that returns true if a host name is within a local DNS zone.
- Site::is_neighbor_addr: Function that returns true if an address corresponds to one of the neighbor networks, false if not.
- Site::is_neighbor_name: Function that returns true if a host name is within a neighbor DNS zone.
- Site::is_private_addr: Function that returns true if an address corresponds to one of the private/unrouted networks, false if not.
Detailed Interface
Runtime Options
- Site::local_admins
-
If local network administrators are known and they have responsibility for defined address space, then a mapping can be defined here between networks for which they have responsibility and a set of email addresses.
- Site::local_nets
-
Networks that are considered “local”. Note that ZeekControl sets this automatically.
- Site::local_zones
-
DNS zones that are considered “local”.
- Site::neighbor_nets
-
Networks that are considered “neighbors”.
- Site::neighbor_zones
-
DNS zones that are considered “neighbors”.
- Site::private_address_space
- Type:
- Attributes:
- Default:
{ 64:ff9b:1::/48, 198.18.0.0/15, fc00::/7, 100.64.0.0/10, ::/128, 2002:ffff:ffff::/48, ::1/128, fec0::/10, 2002:cb00:7100::/40, 2002:c633:6400::/40, 240.0.0.0/4, 2002:a00::/24, 100::/64, 255.255.255.255/32, 192.0.0.0/24, 0.0.0.0/8, 239.0.0.0/8, 2001:2::/48, 172.16.0.0/12, 2002:c000:200::/40, 2002:f000::/20, 2002:7f00::/24, 2001::/23, 2002:6440::/26, 2002:c000::/40, 10.0.0.0/8, 127.0.0.0/8, 224.0.0.0/24, 192.0.2.0/24, 192.168.0.0/16, 2002:ac10::/28, 2002:a9fe::/32, 169.254.0.0/16, 2002:c612::/31, 2002::/24, fe80::/10, 2001:db8::/32, 2002:ef00::/24, 203.0.113.0/24, 2002:e000::/40, 2002:c0a8::/32, 198.51.100.0/24 }
A list of subnets that are considered private address space.
By default, it has address blocks defined by IANA as not being routable over the Internet. Some address blocks are reserved for purposes inconsistent with the address architecture (such as 5f00::/16), making them neither clearly private nor routable. We do not include such blocks in this list.
See the IPv4 Special-Purpose Address Registry and the IPv6 Special-Purpose Address Registry.
Redefinable Options
- Site::private_address_space_is_local
-
Whether Zeek should automatically consider private address ranges “local”. On by default, this setting ensures that the initial value of Site::private_address_space as well as any later updates to it get copied over into Site::local_nets.
State Variables
- Site::local_nets_table
-
This is used for retrieving the subnet when using multiple entries in Site::local_nets. It’s populated automatically from there. A membership query can be done with an addr and the table will yield the subnet it was found within.
Functions
- Site::get_emails
-
Function that returns a comma-separated list of email addresses that are considered administrators for the IP address provided as an argument. The function inspects Site::local_admins.
- Site::is_local_addr
-
Function that returns true if an address corresponds to one of the local networks, false if not. The function inspects Site::local_nets.
- Site::is_local_name
-
Function that returns true if a host name is within a local DNS zone. The function inspects Site::local_zones.
- Site::is_neighbor_addr
-
Function that returns true if an address corresponds to one of the neighbor networks, false if not. The function inspects Site::neighbor_nets.
- Site::is_neighbor_name
-
Function that returns true if a host name is within a neighbor DNS zone. The function inspects Site::neighbor_zones.
- Site::is_private_addr
-
Function that returns true if an address corresponds to one of the private/unrouted networks, false if not. The function inspects Site::private_address_space.
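The following script is an added example, not part of the Zeek distribution, showing how the options and functions above combine when a detection script needs to decide whether a host is local. The subnet 10.20.30.0/24, the zone corp.example, the mailbox noc@corp.example and the probed addresses are constructed sample values.

```zeek
# Added example, not from the Zeek distribution. Networks, zone and mailbox
# are constructed sample values; 8.8.8.8 stands in for an external host.
redef Site::local_nets += { 10.20.30.0/24 };
redef Site::local_zones += { "corp.example" };
redef Site::local_admins += { [10.20.30.0/24] = set("noc@corp.example") };

# Summarise how the Site helpers classify one address.
function describe(a: addr): string
	{
	local out = fmt("%s local=%s private=%s", a,
	                Site::is_local_addr(a), Site::is_private_addr(a));

	# Indexing the table with an addr yields the enclosing local subnet.
	if ( a in Site::local_nets_table )
		out = out + fmt(" subnet=%s", Site::local_nets_table[a]);

	# Empty string when no Site::local_admins entry covers the address.
	local admins = Site::get_emails(a);
	if ( admins != "" )
		out = out + fmt(" admins=%s", admins);

	return out;
	}

event zeek_init()
	{
	print fmt("private_address_space_is_local=%s",
	          Site::private_address_space_is_local);

	# 10.20.30.5 is in the redef'd local net; 192.168.1.10 is only in
	# Site::private_address_space; 8.8.8.8 is in neither.
	local hosts = vector(10.20.30.5, 192.168.1.10, 8.8.8.8);
	for ( i in hosts )
		print describe(hosts[i]);

	print fmt("www.corp.example local=%s", Site::is_local_name("www.corp.example"));
	print fmt("www.example.net local=%s", Site::is_local_name("www.example.net"));
	}
```

Scripts that gate alerts on Site::is_local_addr inherit the private-range behaviour of Site::private_address_space_is_local, so compare the 192.168.1.10 line with that option left at its default and with it redefined to F.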