site.zeek¶

Site¶

Definitions describing a site - which networks and DNS zones are “local” and “neighbors”, and servers running particular services.

Namespace: Site
Imports: base/utils/patterns.zeek

Summary¶

Runtime Options¶

`Site::local_admins`: `table` `&redef`	If local network administrators are known and they have responsibility for defined address space, then a mapping can be defined here between networks for which they have responsibility and a set of email addresses.
`Site::local_nets`: `set` `&redef`	Networks that are considered “local”.
`Site::local_zones`: `set` `&redef`	DNS zones that are considered “local”.
`Site::neighbor_nets`: `set` `&redef`	Networks that are considered “neighbors”.
`Site::neighbor_zones`: `set` `&redef`	DNS zones that are considered “neighbors”.
`Site::private_address_space`: `set` `&redef`	Address space that is considered private and unrouted.

State Variables¶

Site::local_nets_table: table

This is used for retrieving the subnet when using multiple entries in Site::local_nets.

Functions¶

`Site::get_emails`: `function`	Function that returns a comma-separated list of email addresses that are considered administrators for the IP address provided as an argument.
`Site::is_local_addr`: `function`	Function that returns true if an address corresponds to one of the local networks, false if not.
`Site::is_local_name`: `function`	Function that returns true if a host name is within a local DNS zone.
`Site::is_neighbor_addr`: `function`	Function that returns true if an address corresponds to one of the neighbor networks, false if not.
`Site::is_neighbor_name`: `function`	Function that returns true if a host name is within a neighbor DNS zone.
`Site::is_private_addr`: `function`	Function that returns true if an address corresponds to one of the private/unrouted networks, false if not.

Detailed Interface¶

Runtime Options¶

Site::local_admins¶

Type: table [subnet] of set [string]
Attributes: &redef
Default: {}

If local network administrators are known and they have responsibility for defined address space, then a mapping can be defined here between networks for which they have responsibility and a set of email addresses.

Site::local_nets¶

Type: set [subnet]
Attributes: &redef
Default: {}

Networks that are considered “local”. Note that ZeekControl sets this automatically.

Site::local_zones¶

Type: set [string]
Attributes: &redef
Default: {}

DNS zones that are considered “local”.

Site::neighbor_nets¶

Type: set [subnet]
Attributes: &redef
Default: {}

Networks that are considered “neighbors”.

Site::neighbor_zones¶

Type: set [string]
Attributes: &redef
Default: {}

DNS zones that are considered “neighbors”.

Site::private_address_space¶

Type

set [subnet]

Attributes

&redef

Default

{
   ::1/128,
   fe80::/10,
   192.168.0.0/16,
   172.16.0.0/12,
   10.0.0.0/8,
   127.0.0.0/8,
   100.64.0.0/10
}

Address space that is considered private and unrouted. By default it has RFC defined non-routable IPv4 address space.

State Variables¶

Site::local_nets_table¶

Type: table [subnet] of subnet
Default: {}

This is used for retrieving the subnet when using multiple entries in Site::local_nets. It’s populated automatically from there. A membership query can be done with an addr and the table will yield the subnet it was found within.

Functions¶

Site::get_emails¶

Type: function (a: addr) : string

Function that returns a comma-separated list of email addresses that are considered administrators for the IP address provided as an argument. The function inspects Site::local_admins.

Site::is_local_addr¶

Type: function (a: addr) : bool

Function that returns true if an address corresponds to one of the local networks, false if not. The function inspects Site::local_nets.

Site::is_local_name¶

Type: function (name: string) : bool

Function that returns true if a host name is within a local DNS zone. The function inspects Site::local_zones.

Site::is_neighbor_addr¶

Type: function (a: addr) : bool

Function that returns true if an address corresponds to one of the neighbor networks, false if not. The function inspects Site::neighbor_nets.

Site::is_neighbor_name¶

Type: function (name: string) : bool

Function that returns true if a host name is within a neighbor DNS zone. The function inspects Site::neighbor_zones.

Site::is_private_addr¶

Type: function (a: addr) : bool

Function that returns true if an address corresponds to one of the private/unrouted networks, false if not. The function inspects Site::private_address_space.