base/utils/directions-and-hosts.zeek

Imports:base/utils/site.zeek

Summary

Types

Direction: enum
Host: enum

Functions

addr_matches_host: function	Checks whether a given host (IP address) matches a given host type.
id_matches_direction: function	Checks whether a given connection is of a given direction with respect to the locally-monitored network.

Detailed Interface

Types

Direction

Type:

enum

INBOUND

The connection originator is not within the locally-monitored network, but the other endpoint is.

OUTBOUND

The connection originator is within the locally-monitored network, but the other endpoint is not.

BIDIRECTIONAL

Only one endpoint is within the locally-monitored network, meaning the connection is either outbound or inbound.

NO_DIRECTION

This value doesn’t match any connection.

Host

Type:

enum

LOCAL_HOSTS

A host within the locally-monitored network.

REMOTE_HOSTS

A host not within the locally-monitored network.

ALL_HOSTS

Any host.

NO_HOSTS

This value doesn’t match any host.

Functions

addr_matches_host

Type:function (ip: addr, h: Host) : bool

Checks whether a given host (IP address) matches a given host type.

Ip:address of a host. H:a host type. Returns:T if the given host matches the given type, else F.

id_matches_direction

Type:function (id: conn_id, d: Direction) : bool

Checks whether a given connection is of a given direction with respect to the locally-monitored network.

Id:a connection record containing the originator/responder hosts. D:a direction with respect to the locally-monitored network. Returns:T if the two connection endpoints match the given direction, else F.