site.zeek¶

Site¶

Definitions describing a site - which networks and DNS zones are “local” and “neighbors”, and servers running particular services.

Namespace:	Site
Imports:	base/utils/patterns.zeek

Summary¶

Runtime Options¶

`Site::local_admins`: `table` `&redef`	If local network administrators are known and they have responsibility for defined address space, then a mapping can be defined here between networks for which they have responsibility and a set of email addresses.
`Site::local_nets`: `set` `&redef`	Networks that are considered “local”.
`Site::local_zones`: `set` `&redef`	DNS zones that are considered “local”.
`Site::neighbor_nets`: `set` `&redef`	Networks that are considered “neighbors”.
`Site::neighbor_zones`: `set` `&redef`	DNS zones that are considered “neighbors”.
`Site::private_address_space`: `set` `&redef`	Address space that is considered private and unrouted.

State Variables¶

Site::local_nets_table: table This is used for retrieving the subnet when using multiple entries in Site::local_nets.

Functions¶

`Site::get_emails`: `function`	Function that returns a comma-separated list of email addresses that are considered administrators for the IP address provided as an argument.
`Site::is_local_addr`: `function`	Function that returns true if an address corresponds to one of the local networks, false if not.
`Site::is_local_name`: `function`	Function that returns true if a host name is within a local DNS zone.
`Site::is_neighbor_addr`: `function`	Function that returns true if an address corresponds to one of the neighbor networks, false if not.
`Site::is_neighbor_name`: `function`	Function that returns true if a host name is within a neighbor DNS zone.
`Site::is_private_addr`: `function`	Function that returns true if an address corresponds to one of the private/unrouted networks, false if not.

Detailed Interface¶

Runtime Options¶

Site::local_admins¶

Type:	`table` [`subnet`] of `set` [`string`]
Attributes:	`&redef`
Default:	`{}`

If local network administrators are known and they have responsibility for defined address space, then a mapping can be defined here between networks for which they have responsibility and a set of email addresses.

Site::local_nets¶

Type:	`set` [`subnet`]
Attributes:	`&redef`
Default:	`{}`

Networks that are considered “local”. Note that ZeekControl sets this automatically.

Site::local_zones¶

Type:	`set` [`string`]
Attributes:	`&redef`
Default:	`{}`

DNS zones that are considered “local”.

Site::neighbor_nets¶

Type:	`set` [`subnet`]
Attributes:	`&redef`
Default:	`{}`

Networks that are considered “neighbors”.

Site::neighbor_zones¶

Type:	`set` [`string`]
Attributes:	`&redef`
Default:	`{}`

DNS zones that are considered “neighbors”.

Site::private_address_space¶

Type:	`set` [`subnet`]
Attributes:	`&redef`
Default:	{ 192.168.0.0/16, 127.0.0.0/8, ::1/128, 172.16.0.0/12, 10.0.0.0/8, fe80::/10, 100.64.0.0/10 }

Address space that is considered private and unrouted. By default it has RFC defined non-routable IPv4 address space.

State Variables¶

Site::local_nets_table¶

Type:	`table` [`subnet`] of `subnet`
Default:	`{}`

This is used for retrieving the subnet when using multiple entries in Site::local_nets. It’s populated automatically from there. A membership query can be done with an addr and the table will yield the subnet it was found within.

Functions¶

Site::get_emails¶

Type:	`function` (a: `addr`) : `string`

Function that returns a comma-separated list of email addresses that are considered administrators for the IP address provided as an argument. The function inspects Site::local_admins.

Site::is_local_addr¶

Type:	`function` (a: `addr`) : `bool`

Function that returns true if an address corresponds to one of the local networks, false if not. The function inspects Site::local_nets.

Site::is_local_name¶

Type:	`function` (name: `string`) : `bool`

Function that returns true if a host name is within a local DNS zone. The function inspects Site::local_zones.

Site::is_neighbor_addr¶

Type:	`function` (a: `addr`) : `bool`

Function that returns true if an address corresponds to one of the neighbor networks, false if not. The function inspects Site::neighbor_nets.

Site::is_neighbor_name¶

Type:	`function` (name: `string`) : `bool`

Function that returns true if a host name is within a neighbor DNS zone. The function inspects Site::neighbor_zones.

Site::is_private_addr¶

Type:	`function` (a: `addr`) : `bool`

Function that returns true if an address corresponds to one of the private/unrouted networks, false if not. The function inspects Site::private_address_space.