policy/files/unified2/main.zeek

Namespace: Unified2

Imports: base/utils/dir.zeek, base/utils/paths.zeek

Summary

Redefinable Options

Unified2::classification_config: string &redef

The classification.config file you would like to use for your alerts.

Unified2::gen_msg: string &redef

The gen-msg.map file you would like to use for your alerts.

Unified2::sid_msg: string &redef

The sid-msg.map file you would like to use for your alerts.

Unified2::watch_dir: string &redef

Directory to watch for Unified2 records.

Unified2::watch_file: string &redef

Single Unified2 file to watch.

Redefinitions

Log::ID: enum

fa_file: record &redef

New Fields

fa_file

u2_events: table [count] of Unified2::IDSEvent &optional &create_expire = 5.0 secs &expire_func = function

Recently received IDS events.

Events

Unified2::alert: event

Reconstructed “alert” which combines related events and packets.

Unified2::log_unified2: event

The event for accessing logged records.

Detailed Interface

Redefinable Options

Unified2::classification_config
Type: string
Attributes: &redef
Default: ""

The classification.config file you would like to use for your alerts.

Unified2::gen_msg
Type: string
Attributes: &redef
Default: ""

The gen-msg.map file you would like to use for your alerts.

Unified2::sid_msg
Type: string
Attributes: &redef
Default: ""

The sid-msg.map file you would like to use for your alerts.

Unified2::watch_dir
Type: string
Attributes: &redef
Default: ""

Directory to watch for Unified2 records.

Unified2::watch_file
Type: string
Attributes: &redef
Default: ""

Single Unified2 file to watch.

Types

Unified2::Info
Type: record

ts: time &log

Timestamp attached to the alert.

id: Unified2::PacketID &log

Addresses and ports for the connection.

sensor_id: count &log

Sensor that originated this event.

signature_id: count &log

Signature ID for this generator.

signature: string &optional &log

A string representation of the signature_id field if a sid_msg.map file was loaded.

generator_id: count &log

Which generator generated the alert?

generator: string &optional &log

A string representation of the generator_id field if a gen_msg.map file was loaded.

signature_revision: count &log

Signature revision for this ID.

classification_id: count &log

Event classification.

classification: string &optional &log

Descriptive classification string.

priority_id: count &log

Event priority.

event_id: count &log

Event ID.

packet: string &optional &log

Some of the packet data.

Attributes: &log

Unified2::PacketID
Type: record

src_ip: addr &log

src_p: port &log

dst_ip: addr &log

dst_p: port &log

Attributes: &log

Events

Unified2::alert
Type: event (f: fa_file, ev: Unified2::IDSEvent, pkt: Unified2::Packet)

Reconstructed “alert” which combines related events and packets.

Unified2::log_unified2
Type: event (rec: Unified2::Info)

The event for accessing logged records.

Hooks

Unified2::log_policy
Type: Log::PolicyHook
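The following script ties the pieces of this interface together: it points the module at a spool directory and the three mapping files via the redefinable options, handles the reconstructed Unified2::alert event, and uses the Unified2::log_policy hook to keep selected signature IDs out of the log. It is an added example written for this page, not code from the Zeek project or from main.zeek itself. The file paths and the set of suppressed signature IDs are placeholders, and the IDSEvent field names used in the handler (sensor_id, signature_id, priority_id, src_ip, dst_ip) are assumed from Zeek's record definition rather than taken from this page; the Unified2::Info fields used in the hook are the ones documented above.

```zeek
@load policy/files/unified2/main

# Placeholder paths: point these at the IDS spool directory and the
# mapping files that turn numeric IDs into names. Leaving watch_dir and
# watch_file at their default "" means nothing is monitored.
redef Unified2::watch_dir = "/var/log/snort";
redef Unified2::classification_config = "/etc/snort/classification.config";
redef Unified2::gen_msg = "/etc/snort/gen-msg.map";
redef Unified2::sid_msg = "/etc/snort/sid-msg.map";

# Signature IDs that should not be written to unified2.log (placeholder
# values; redef this set to suit the deployment).
const suppressed_sids: set[count] = { 1000001, 1000002 } &redef;

# Each reconstructed alert arrives once the module has paired the event
# record with its packet. The IDSEvent field names below are assumptions
# based on Zeek's record definition, not values from this page.
event Unified2::alert(f: fa_file, ev: Unified2::IDSEvent, pkt: Unified2::Packet)
	{
	# Priority 1 is the most urgent class in Snort-style priority maps.
	if ( ev$priority_id == 1 )
		Reporter::warning(fmt("high-priority IDS alert sid=%d from sensor %d (%s -> %s)",
		                      ev$signature_id, ev$sensor_id, ev$src_ip, ev$dst_ip));
	}

# Log::PolicyHook handlers run before a record is written; "break" vetoes
# the write, so the record never reaches unified2.log.
hook Unified2::log_policy(rec: Unified2::Info, id: Log::ID, filter: Log::Filter)
	{
	if ( rec$signature_id in suppressed_sids )
		break;
	}
```

Run it as part of a normal Zeek invocation (for example `zeek -i <iface> this-script.zeek` or from local.zeek); the module picks up new Unified2 files dropped into the watched directory. Vetoing in the policy hook only affects what is logged; the Unified2::alert handler still sees every alert, which is the place to raise notices for the ones that matter.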