├── .github
└── workflows
│ ├── generate-docs.yml
│ └── pre-commit.yml
├── .gitignore
├── .pre-commit-config.yaml
├── .readthedocs.yml
├── .typos.toml
├── LICENSE
├── Makefile
├── README
├── README.rst
├── _static
└── theme_overrides.css
├── _templates
├── breadcrumbs.html
└── layout.html
├── about.rst
├── acknowledgements.rst
├── building-from-source.rst
├── cluster-setup.rst
├── cluster
└── pf_ring.rst
├── components
└── index.rst
├── conf.py
├── customizations.rst
├── devel
├── cluster-backend-zeromq.rst
├── contributors.rst
├── index.rst
├── maintainers.rst
├── plugins.rst
└── spicy
│ ├── autogen-spicy-docs
│ ├── autogen
│ ├── init-bare.zeek
│ ├── init-framework.zeek
│ ├── tftp-no-accept.spicy
│ ├── tftp.evt
│ ├── tftp.spicy
│ ├── tftp.zeek
│ └── zeek-functions.spicy
│ ├── examples
│ ├── my-http.evt
│ ├── my-http.spicy
│ ├── my-http.zeek
│ ├── request-line.pcap
│ ├── tftp-schedule-analyzer.zeek
│ ├── tftp-single-request-more-args.evt
│ ├── tftp-single-request-more-args.zeek
│ ├── tftp-single-request.evt
│ ├── tftp-single-request.zeek
│ └── tftp-two-requests.zeek
│ ├── faq.rst
│ ├── getting-started.rst
│ ├── index.rst
│ ├── installation.rst
│ ├── reference.rst
│ └── tutorial.rst
├── ext
├── literal-emph.py
├── spicy-pygments.py
├── zeek.py
└── zeek_pygments.py
├── frameworks
├── broker.rst
├── broker
│ ├── cluster-layout.png
│ ├── cluster-layout.xml
│ ├── connecting-connector.zeek
│ ├── connecting-listener.zeek
│ ├── events-connector.zeek
│ ├── events-listener.zeek
│ ├── logs-connector.zeek
│ ├── logs-listener.zeek
│ ├── store-sqlite-tuning.zeek
│ ├── stores-connector.zeek
│ ├── stores-listener.zeek
│ └── testlog.zeek
├── cluster.rst
├── configuration.rst
├── denylist.jsonl
├── file-analysis.rst
├── file_analysis_01.zeek
├── file_analysis_02.zeek
├── file_analysis_03.zeek
├── index.rst
├── input.rst
├── input_json_1.zeek
├── intel.rst
├── logging-input-sqlite.rst
├── logging.rst
├── logging
│ └── delay1.zeek
├── management.rst
├── management
│ ├── full-config.ini
│ ├── get-id-value-complex.console
│ ├── get-id-value-simple.console
│ ├── mini-config-with-error.ini
│ ├── mini-config.ini
│ ├── mini-deployment-error.console
│ ├── mini-deployment-get-config-deployed.console
│ ├── mini-deployment-get-config-staged-json.console
│ ├── mini-deployment-get-config-staged.console
│ ├── mini-deployment-get-nodes.console
│ ├── mini-deployment.console
│ ├── zeek-client-help.console
│ └── zeek-client-show-settings.console
├── netcontrol-1-drop-with-debug.zeek
├── netcontrol-10-use-skeleton.zeek
├── netcontrol-2-ssh-guesser.zeek
├── netcontrol-3-ssh-guesser.zeek
├── netcontrol-4-drop.zeek
├── netcontrol-5-hook.zeek
├── netcontrol-6-find.zeek
├── netcontrol-7-catch-release.zeek
├── netcontrol-8-multiple.zeek
├── netcontrol-9-skeleton.zeek
├── netcontrol-architecture.graffle
├── netcontrol-architecture.png
├── netcontrol-openflow.graffle
├── netcontrol-openflow.png
├── netcontrol-rules.png
├── netcontrol.rst
├── notice.rst
├── notice_ssh_guesser.zeek
├── packet-analysis-1-ethernet.zeek
├── packet-analysis-2-llc.cc
├── packet-analysis-pdu.svg
├── packet-analysis.rst
├── signatures.rst
├── sqlite-conn-filter.zeek
├── sqlite-read-events.zeek
├── sqlite-read-table.zeek
├── storage.rst
├── sumstats-countconns.zeek
├── sumstats-toy-scan.zeek
├── sumstats.rst
├── supervisor.rst
├── supervisor
│ ├── cluster-supervisor.zeek
│ ├── simple-supervisor.zeek
│ ├── supervisor-control.zeek
│ └── zeek-supervisor-architecture.png
├── telemetry.rst
├── telemetry
│ ├── connection-durations.zeek
│ ├── global-http-counter.zeek
│ ├── log-writes-cached.zeek
│ ├── log-writes-immediate.zeek
│ ├── log-writes-sync.zeek
│ ├── table-size-tracking.zeek
│ └── version.zeek
├── tls-decryption.rst
└── tls_decryption-1-suspend-processing.zeek
├── get-started.rst
├── images
├── architecture.png
├── cluster-diagram.png
├── cluster
│ ├── Makefile
│ ├── README.md
│ ├── zeromq-cluster.mermaid
│ ├── zeromq-cluster.png
│ ├── zeromq-logging.mermaid
│ ├── zeromq-logging.png
│ ├── zeromq-pubsub.mermaid
│ └── zeromq-pubsub.png
├── collection-figure1.png
├── collection-figure2.png
├── collection-figure3.png
├── deployment.png
├── intel-architecture.png
├── management-all-in-one-two-zeeks.png
├── management-all-in-one-two-zeeks.svgz
├── management-all-in-one.png
├── management-all-in-one.svgz
├── management.png
├── management.svgz
├── troubleshooting
│ ├── flamegraph.png
│ └── http-fake-state-growth.gif
├── zeek-favicon.ico
├── zeek-logo-sidebar.png
├── zeek-logo-text.png
└── zeek-logo.png
├── index.rst
├── install.rst
├── log-formats.rst
├── logs
├── capture-loss-and-reporter.rst
├── conn.rst
├── dhcp.rst
├── dns.rst
├── dpd.rst
├── files.rst
├── ftp.rst
├── http.rst
├── index.rst
├── irc.rst
├── known-and-software.rst
├── ldap.rst
├── ntp.rst
├── pe.rst
├── postgresql.rst
├── quic.rst
├── rdp.rst
├── smb.rst
├── smtp.rst
├── ssh.rst
├── ssl.rst
├── traceroute.rst
├── tunnel.rst
├── weird-and-notice.rst
└── x509.rst
├── monitoring.rst
├── quickstart.rst
├── redirects.yml
├── requirements.txt
├── ruff.toml
├── script-reference
├── assert_1.zeek
├── attributes.rst
├── autogenerated-file-analyzer-index.rst
├── autogenerated-package-index.rst
├── autogenerated-packet-analyzer-index.rst
├── autogenerated-protocol-analyzer-index.rst
├── autogenerated-script-index.rst
├── directives.rst
├── file-analyzers.rst
├── index.rst
├── log-files.rst
├── notices.rst
├── operators.rst
├── packages.rst
├── packet-analyzers.rst
├── proto-analyzers.rst
├── scripts.rst
├── statements.rst
└── types.rst
├── scripting
├── basics.rst
├── connection_record_01.zeek
├── connection_record_02.zeek
├── data_struct_record_01.zeek
├── data_struct_record_02.zeek
├── data_struct_set_declaration.zeek
├── data_struct_table_complex.zeek
├── data_struct_table_complex_blank_value.zeek
├── data_struct_table_declaration.zeek
├── data_struct_vector.zeek
├── data_struct_vector_declaration.zeek
├── data_struct_vector_iter.zeek
├── data_struct_vector_iter_value.zeek
├── data_type_const.zeek
├── data_type_const_simple.zeek
├── data_type_declaration.zeek
├── data_type_interval.zeek
├── data_type_local.zeek
├── data_type_pattern_01.zeek
├── data_type_pattern_02.zeek
├── data_type_record.zeek
├── data_type_subnets.zeek
├── data_type_time.zeek
├── event-groups.rst
├── event_groups_attr_01.zeek
├── event_groups_attr_02.zeek
├── event_groups_module_01.zeek
├── framework_logging_factorial_01.zeek
├── framework_logging_factorial_02.zeek
├── framework_logging_factorial_03.zeek
├── framework_logging_factorial_04.zeek
├── framework_notice_hook_01.zeek
├── framework_notice_hook_suppression_01.zeek
├── framework_notice_shortcuts_01.zeek
├── framework_notice_shortcuts_02.zeek
├── http_main.zeek
├── index.rst
├── javascript.rst
├── js
│ ├── api.js
│ ├── api.zeek
│ ├── connection-service.js
│ ├── global-vars.js
│ ├── hello.js
│ ├── intel-insert.js
│ └── zeek-as.js
├── optimization.rst
├── tracing-events.rst
└── usage.rst
├── scripts
├── base
│ ├── bif
│ │ ├── CPP-load.bif.zeek.rst
│ │ ├── __load__.zeek.rst
│ │ ├── analyzer.bif.zeek.rst
│ │ ├── bloom-filter.bif.zeek.rst
│ │ ├── cardinality-counter.bif.zeek.rst
│ │ ├── cluster.bif.zeek.rst
│ │ ├── comm.bif.zeek.rst
│ │ ├── communityid.bif.zeek.rst
│ │ ├── const.bif.zeek.rst
│ │ ├── data.bif.zeek.rst
│ │ ├── event.bif.zeek.rst
│ │ ├── file_analysis.bif.zeek.rst
│ │ ├── index.rst
│ │ ├── input.bif.zeek.rst
│ │ ├── logging.bif.zeek.rst
│ │ ├── messaging.bif.zeek.rst
│ │ ├── mmdb.bif.zeek.rst
│ │ ├── option.bif.zeek.rst
│ │ ├── packet_analysis.bif.zeek.rst
│ │ ├── pcap.bif.zeek.rst
│ │ ├── plugins
│ │ │ ├── Zeek_AF_Packet.af_packet.bif.zeek.rst
│ │ │ ├── Zeek_ARP.events.bif.zeek.rst
│ │ │ ├── Zeek_AsciiReader.ascii.bif.zeek.rst
│ │ │ ├── Zeek_AsciiWriter.ascii.bif.zeek.rst
│ │ │ ├── Zeek_BenchmarkReader.benchmark.bif.zeek.rst
│ │ │ ├── Zeek_BinaryReader.binary.bif.zeek.rst
│ │ │ ├── Zeek_BitTorrent.events.bif.zeek.rst
│ │ │ ├── Zeek_Cluster_Backend_ZeroMQ.cluster_backend_zeromq.bif.zeek.rst
│ │ │ ├── Zeek_Cluster_WebSocket.events.bif.zeek.rst
│ │ │ ├── Zeek_ConfigReader.config.bif.zeek.rst
│ │ │ ├── Zeek_ConnSize.events.bif.zeek.rst
│ │ │ ├── Zeek_ConnSize.functions.bif.zeek.rst
│ │ │ ├── Zeek_DCE_RPC.consts.bif.zeek.rst
│ │ │ ├── Zeek_DCE_RPC.events.bif.zeek.rst
│ │ │ ├── Zeek_DCE_RPC.types.bif.zeek.rst
│ │ │ ├── Zeek_DHCP.events.bif.zeek.rst
│ │ │ ├── Zeek_DHCP.types.bif.zeek.rst
│ │ │ ├── Zeek_DNP3.events.bif.zeek.rst
│ │ │ ├── Zeek_DNS.events.bif.zeek.rst
│ │ │ ├── Zeek_FTP.events.bif.zeek.rst
│ │ │ ├── Zeek_FTP.functions.bif.zeek.rst
│ │ │ ├── Zeek_File.events.bif.zeek.rst
│ │ │ ├── Zeek_FileEntropy.events.bif.zeek.rst
│ │ │ ├── Zeek_FileExtract.events.bif.zeek.rst
│ │ │ ├── Zeek_FileExtract.functions.bif.zeek.rst
│ │ │ ├── Zeek_FileHash.events.bif.zeek.rst
│ │ │ ├── Zeek_GSSAPI.events.bif.zeek.rst
│ │ │ ├── Zeek_GTPv1.events.bif.zeek.rst
│ │ │ ├── Zeek_GTPv1.functions.bif.zeek.rst
│ │ │ ├── Zeek_Geneve.events.bif.zeek.rst
│ │ │ ├── Zeek_Geneve.functions.bif.zeek.rst
│ │ │ ├── Zeek_Gnutella.events.bif.zeek.rst
│ │ │ ├── Zeek_HTTP.events.bif.zeek.rst
│ │ │ ├── Zeek_HTTP.functions.bif.zeek.rst
│ │ │ ├── Zeek_ICMP.events.bif.zeek.rst
│ │ │ ├── Zeek_IMAP.events.bif.zeek.rst
│ │ │ ├── Zeek_IRC.events.bif.zeek.rst
│ │ │ ├── Zeek_Ident.events.bif.zeek.rst
│ │ │ ├── Zeek_JavaScript.zeekjs.bif.zeek.rst
│ │ │ ├── Zeek_KRB.events.bif.zeek.rst
│ │ │ ├── Zeek_KRB.types.bif.zeek.rst
│ │ │ ├── Zeek_Login.events.bif.zeek.rst
│ │ │ ├── Zeek_Login.functions.bif.zeek.rst
│ │ │ ├── Zeek_MIME.consts.bif.zeek.rst
│ │ │ ├── Zeek_MIME.events.bif.zeek.rst
│ │ │ ├── Zeek_MQTT.events.bif.zeek.rst
│ │ │ ├── Zeek_MQTT.types.bif.zeek.rst
│ │ │ ├── Zeek_Modbus.events.bif.zeek.rst
│ │ │ ├── Zeek_MySQL.events.bif.zeek.rst
│ │ │ ├── Zeek_NCP.consts.bif.zeek.rst
│ │ │ ├── Zeek_NCP.events.bif.zeek.rst
│ │ │ ├── Zeek_NTLM.events.bif.zeek.rst
│ │ │ ├── Zeek_NTLM.types.bif.zeek.rst
│ │ │ ├── Zeek_NTP.events.bif.zeek.rst
│ │ │ ├── Zeek_NTP.types.bif.zeek.rst
│ │ │ ├── Zeek_NetBIOS.events.bif.zeek.rst
│ │ │ ├── Zeek_NetBIOS.functions.bif.zeek.rst
│ │ │ ├── Zeek_NoneWriter.none.bif.zeek.rst
│ │ │ ├── Zeek_PE.events.bif.zeek.rst
│ │ │ ├── Zeek_POP3.consts.bif.zeek.rst
│ │ │ ├── Zeek_POP3.events.bif.zeek.rst
│ │ │ ├── Zeek_RADIUS.events.bif.zeek.rst
│ │ │ ├── Zeek_RDP.events.bif.zeek.rst
│ │ │ ├── Zeek_RDP.types.bif.zeek.rst
│ │ │ ├── Zeek_RFB.events.bif.zeek.rst
│ │ │ ├── Zeek_RPC.events.bif.zeek.rst
│ │ │ ├── Zeek_RawReader.raw.bif.zeek.rst
│ │ │ ├── Zeek_SIP.events.bif.zeek.rst
│ │ │ ├── Zeek_SMB.consts.bif.zeek.rst
│ │ │ ├── Zeek_SMB.events.bif.zeek.rst
│ │ │ ├── Zeek_SMB.smb1_com_check_directory.bif.zeek.rst
│ │ │ ├── Zeek_SMB.smb1_com_close.bif.zeek.rst
│ │ │ ├── Zeek_SMB.smb1_com_create_directory.bif.zeek.rst
│ │ │ ├── Zeek_SMB.smb1_com_echo.bif.zeek.rst
│ │ │ ├── Zeek_SMB.smb1_com_logoff_andx.bif.zeek.rst
│ │ │ ├── Zeek_SMB.smb1_com_negotiate.bif.zeek.rst
│ │ │ ├── Zeek_SMB.smb1_com_nt_cancel.bif.zeek.rst
│ │ │ ├── Zeek_SMB.smb1_com_nt_create_andx.bif.zeek.rst
│ │ │ ├── Zeek_SMB.smb1_com_query_information.bif.zeek.rst
│ │ │ ├── Zeek_SMB.smb1_com_read_andx.bif.zeek.rst
│ │ │ ├── Zeek_SMB.smb1_com_session_setup_andx.bif.zeek.rst
│ │ │ ├── Zeek_SMB.smb1_com_transaction.bif.zeek.rst
│ │ │ ├── Zeek_SMB.smb1_com_transaction2.bif.zeek.rst
│ │ │ ├── Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek.rst
│ │ │ ├── Zeek_SMB.smb1_com_transaction_secondary.bif.zeek.rst
│ │ │ ├── Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek.rst
│ │ │ ├── Zeek_SMB.smb1_com_tree_disconnect.bif.zeek.rst
│ │ │ ├── Zeek_SMB.smb1_com_write_andx.bif.zeek.rst
│ │ │ ├── Zeek_SMB.smb1_events.bif.zeek.rst
│ │ │ ├── Zeek_SMB.smb2_com_close.bif.zeek.rst
│ │ │ ├── Zeek_SMB.smb2_com_create.bif.zeek.rst
│ │ │ ├── Zeek_SMB.smb2_com_negotiate.bif.zeek.rst
│ │ │ ├── Zeek_SMB.smb2_com_read.bif.zeek.rst
│ │ │ ├── Zeek_SMB.smb2_com_session_setup.bif.zeek.rst
│ │ │ ├── Zeek_SMB.smb2_com_set_info.bif.zeek.rst
│ │ │ ├── Zeek_SMB.smb2_com_transform_header.bif.zeek.rst
│ │ │ ├── Zeek_SMB.smb2_com_tree_connect.bif.zeek.rst
│ │ │ ├── Zeek_SMB.smb2_com_tree_disconnect.bif.zeek.rst
│ │ │ ├── Zeek_SMB.smb2_com_write.bif.zeek.rst
│ │ │ ├── Zeek_SMB.smb2_events.bif.zeek.rst
│ │ │ ├── Zeek_SMB.types.bif.zeek.rst
│ │ │ ├── Zeek_SMTP.consts.bif.zeek.rst
│ │ │ ├── Zeek_SMTP.events.bif.zeek.rst
│ │ │ ├── Zeek_SMTP.functions.bif.zeek.rst
│ │ │ ├── Zeek_SNMP.events.bif.zeek.rst
│ │ │ ├── Zeek_SNMP.types.bif.zeek.rst
│ │ │ ├── Zeek_SOCKS.events.bif.zeek.rst
│ │ │ ├── Zeek_SQLiteReader.sqlite.bif.zeek.rst
│ │ │ ├── Zeek_SQLiteWriter.sqlite.bif.zeek.rst
│ │ │ ├── Zeek_SSH.events.bif.zeek.rst
│ │ │ ├── Zeek_SSH.types.bif.zeek.rst
│ │ │ ├── Zeek_SSL.consts.bif.zeek.rst
│ │ │ ├── Zeek_SSL.events.bif.zeek.rst
│ │ │ ├── Zeek_SSL.functions.bif.zeek.rst
│ │ │ ├── Zeek_SSL.types.bif.zeek.rst
│ │ │ ├── Zeek_StreamEvent.events.bif.zeek.rst
│ │ │ ├── Zeek_TCP.events.bif.zeek.rst
│ │ │ ├── Zeek_TCP.functions.bif.zeek.rst
│ │ │ ├── Zeek_TCP.types.bif.zeek.rst
│ │ │ ├── Zeek_Teredo.events.bif.zeek.rst
│ │ │ ├── Zeek_Teredo.functions.bif.zeek.rst
│ │ │ ├── Zeek_UDP.events.bif.zeek.rst
│ │ │ ├── Zeek_VXLAN.events.bif.zeek.rst
│ │ │ ├── Zeek_WebSocket.consts.bif.zeek.rst
│ │ │ ├── Zeek_WebSocket.events.bif.zeek.rst
│ │ │ ├── Zeek_WebSocket.functions.bif.zeek.rst
│ │ │ ├── Zeek_WebSocket.types.bif.zeek.rst
│ │ │ ├── Zeek_X509.events.bif.zeek.rst
│ │ │ ├── Zeek_X509.functions.bif.zeek.rst
│ │ │ ├── Zeek_X509.ocsp_events.bif.zeek.rst
│ │ │ ├── Zeek_X509.types.bif.zeek.rst
│ │ │ ├── Zeek_XMPP.events.bif.zeek.rst
│ │ │ ├── __load__.zeek.rst
│ │ │ └── index.rst
│ │ ├── reporter.bif.zeek.rst
│ │ ├── spicy.bif.zeek.rst
│ │ ├── stats.bif.zeek.rst
│ │ ├── storage-async.bif.zeek.rst
│ │ ├── storage-events.bif.zeek.rst
│ │ ├── storage-sync.bif.zeek.rst
│ │ ├── storage.bif.zeek.rst
│ │ ├── store.bif.zeek.rst
│ │ ├── strings.bif.zeek.rst
│ │ ├── supervisor.bif.zeek.rst
│ │ ├── telemetry_consts.bif.zeek.rst
│ │ ├── telemetry_functions.bif.zeek.rst
│ │ ├── telemetry_types.bif.zeek.rst
│ │ ├── top-k.bif.zeek.rst
│ │ ├── types.bif.zeek.rst
│ │ ├── zeek.bif.zeek.rst
│ │ └── zeekygen.bif.zeek.rst
│ ├── files
│ │ ├── extract
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── hash
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── pe
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── consts.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ └── x509
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── certificate-event-cache.zeek.rst
│ │ │ ├── index.rst
│ │ │ ├── log-ocsp.zeek.rst
│ │ │ └── main.zeek.rst
│ ├── frameworks
│ │ ├── analyzer
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── dpd.zeek.rst
│ │ │ ├── index.rst
│ │ │ ├── logging.zeek.rst
│ │ │ └── main.zeek.rst
│ │ ├── broker
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── backpressure.zeek.rst
│ │ │ ├── index.rst
│ │ │ ├── log.zeek.rst
│ │ │ ├── main.zeek.rst
│ │ │ └── store.zeek.rst
│ │ ├── cluster
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ ├── main.zeek.rst
│ │ │ └── pools.zeek.rst
│ │ ├── config
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ ├── input.zeek.rst
│ │ │ ├── main.zeek.rst
│ │ │ └── weird.zeek.rst
│ │ ├── control
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── files
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ ├── magic
│ │ │ │ ├── __load__.zeek.rst
│ │ │ │ └── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── input
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ ├── main.zeek.rst
│ │ │ └── readers
│ │ │ │ ├── ascii.zeek.rst
│ │ │ │ ├── benchmark.zeek.rst
│ │ │ │ ├── binary.zeek.rst
│ │ │ │ ├── config.zeek.rst
│ │ │ │ ├── raw.zeek.rst
│ │ │ │ └── sqlite.zeek.rst
│ │ ├── intel
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── files.zeek.rst
│ │ │ ├── index.rst
│ │ │ ├── input.zeek.rst
│ │ │ └── main.zeek.rst
│ │ ├── logging
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ ├── main.zeek.rst
│ │ │ ├── postprocessors
│ │ │ │ ├── __load__.zeek.rst
│ │ │ │ ├── index.rst
│ │ │ │ ├── scp.zeek.rst
│ │ │ │ └── sftp.zeek.rst
│ │ │ └── writers
│ │ │ │ ├── ascii.zeek.rst
│ │ │ │ ├── none.zeek.rst
│ │ │ │ └── sqlite.zeek.rst
│ │ ├── netcontrol
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── drop.zeek.rst
│ │ │ ├── index.rst
│ │ │ ├── main.zeek.rst
│ │ │ ├── non-cluster.zeek.rst
│ │ │ ├── plugin.zeek.rst
│ │ │ ├── plugins
│ │ │ │ ├── __load__.zeek.rst
│ │ │ │ ├── acld.zeek.rst
│ │ │ │ ├── broker.zeek.rst
│ │ │ │ ├── debug.zeek.rst
│ │ │ │ ├── index.rst
│ │ │ │ ├── openflow.zeek.rst
│ │ │ │ └── packetfilter.zeek.rst
│ │ │ ├── shunt.zeek.rst
│ │ │ └── types.zeek.rst
│ │ ├── notice
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── actions
│ │ │ │ ├── add-geodata.zeek.rst
│ │ │ │ ├── email_admin.zeek.rst
│ │ │ │ ├── page.zeek.rst
│ │ │ │ └── pp-alarms.zeek.rst
│ │ │ ├── index.rst
│ │ │ ├── main.zeek.rst
│ │ │ └── weird.zeek.rst
│ │ ├── openflow
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── consts.zeek.rst
│ │ │ ├── index.rst
│ │ │ ├── main.zeek.rst
│ │ │ ├── non-cluster.zeek.rst
│ │ │ ├── plugins
│ │ │ │ ├── __load__.zeek.rst
│ │ │ │ ├── broker.zeek.rst
│ │ │ │ ├── index.rst
│ │ │ │ ├── log.zeek.rst
│ │ │ │ └── ryu.zeek.rst
│ │ │ └── types.zeek.rst
│ │ ├── packet-filter
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ ├── main.zeek.rst
│ │ │ ├── netstats.zeek.rst
│ │ │ └── utils.zeek.rst
│ │ ├── reporter
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── signatures
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── software
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── spicy
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ ├── init-bare.zeek.rst
│ │ │ ├── init-framework.zeek.rst
│ │ │ └── main.zeek.rst
│ │ ├── storage
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── async.zeek.rst
│ │ │ ├── index.rst
│ │ │ ├── main.zeek.rst
│ │ │ └── sync.zeek.rst
│ │ ├── sumstats
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ ├── main.zeek.rst
│ │ │ ├── non-cluster.zeek.rst
│ │ │ └── plugins
│ │ │ │ ├── __load__.zeek.rst
│ │ │ │ ├── average.zeek.rst
│ │ │ │ ├── hll_unique.zeek.rst
│ │ │ │ ├── index.rst
│ │ │ │ ├── last.zeek.rst
│ │ │ │ ├── max.zeek.rst
│ │ │ │ ├── min.zeek.rst
│ │ │ │ ├── sample.zeek.rst
│ │ │ │ ├── std-dev.zeek.rst
│ │ │ │ ├── sum.zeek.rst
│ │ │ │ ├── topk.zeek.rst
│ │ │ │ ├── unique.zeek.rst
│ │ │ │ └── variance.zeek.rst
│ │ ├── supervisor
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── api.zeek.rst
│ │ │ ├── control.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── telemetry
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ ├── main.zeek.rst
│ │ │ └── options.zeek.rst
│ │ └── tunnels
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ ├── init-bare.zeek.rst
│ ├── init-default.zeek.rst
│ ├── init-frameworks-and-bifs.zeek.rst
│ ├── misc
│ │ ├── find-checksum-offloading.zeek.rst
│ │ ├── find-filtered-trace.zeek.rst
│ │ ├── installation.zeek.rst
│ │ └── version.zeek.rst
│ ├── packet-protocols
│ │ ├── __load__.zeek.rst
│ │ ├── ayiya
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── ethernet
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── fddi
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── geneve
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── gre
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── gtpv1
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── icmp
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── ieee802_11
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── ieee802_11_radio
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── index.rst
│ │ ├── ip
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── iptunnel
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── linux_sll
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── linux_sll2
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── llc
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── main.zeek.rst
│ │ ├── mpls
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── nflog
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── novell_802_3
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── null
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── pbb
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── ppp
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── ppp_serial
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── pppoe
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── root
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── skip
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── snap
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── tcp
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── teredo
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── udp
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── vlan
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── vntag
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ └── vxlan
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ ├── protocols
│ │ ├── conn
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── contents.zeek.rst
│ │ │ ├── inactivity.zeek.rst
│ │ │ ├── index.rst
│ │ │ ├── main.zeek.rst
│ │ │ ├── polling.zeek.rst
│ │ │ ├── removal-hooks.zeek.rst
│ │ │ └── thresholds.zeek.rst
│ │ ├── dce-rpc
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── consts.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── dhcp
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── consts.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── dnp3
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── consts.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── dns
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── check-event-handlers.zeek.rst
│ │ │ ├── consts.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── finger
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ ├── main.zeek.rst
│ │ │ └── spicy-events.zeek.rst
│ │ ├── ftp
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── files.zeek.rst
│ │ │ ├── gridftp.zeek.rst
│ │ │ ├── index.rst
│ │ │ ├── info.zeek.rst
│ │ │ ├── main.zeek.rst
│ │ │ ├── utils-commands.zeek.rst
│ │ │ └── utils.zeek.rst
│ │ ├── http
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── entities.zeek.rst
│ │ │ ├── files.zeek.rst
│ │ │ ├── index.rst
│ │ │ ├── main.zeek.rst
│ │ │ └── utils.zeek.rst
│ │ ├── imap
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── irc
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── dcc-send.zeek.rst
│ │ │ ├── files.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── krb
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── consts.zeek.rst
│ │ │ ├── files.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── ldap
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── consts.zeek.rst
│ │ │ ├── index.rst
│ │ │ ├── main.zeek.rst
│ │ │ └── spicy-events.zeek.rst
│ │ ├── modbus
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── consts.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── mqtt
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── consts.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── mysql
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── consts.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── ntlm
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── ntp
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── consts.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── pop3
│ │ │ ├── __load__.zeek.rst
│ │ │ └── index.rst
│ │ ├── postgresql
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── consts.zeek.rst
│ │ │ ├── index.rst
│ │ │ ├── main.zeek.rst
│ │ │ └── spicy-events.zeek.rst
│ │ ├── quic
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── consts.zeek.rst
│ │ │ ├── index.rst
│ │ │ ├── main.zeek.rst
│ │ │ └── spicy-events.zeek.rst
│ │ ├── radius
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── consts.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── rdp
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── consts.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── redis
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ ├── main.zeek.rst
│ │ │ └── spicy-events.zeek.rst
│ │ ├── rfb
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── sip
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── smb
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── const-dos-error.zeek.rst
│ │ │ ├── const-nt-status.zeek.rst
│ │ │ ├── consts.zeek.rst
│ │ │ ├── files.zeek.rst
│ │ │ ├── index.rst
│ │ │ ├── main.zeek.rst
│ │ │ ├── smb1-main.zeek.rst
│ │ │ └── smb2-main.zeek.rst
│ │ ├── smtp
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── entities.zeek.rst
│ │ │ ├── files.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── snmp
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── socks
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── consts.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── ssh
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── ssl
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── consts.zeek.rst
│ │ │ ├── ct-list.zeek.rst
│ │ │ ├── files.zeek.rst
│ │ │ ├── index.rst
│ │ │ ├── main.zeek.rst
│ │ │ └── mozilla-ca-list.zeek.rst
│ │ ├── syslog
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── consts.zeek.rst
│ │ │ ├── index.rst
│ │ │ ├── main.zeek.rst
│ │ │ └── spicy-events.zeek.rst
│ │ ├── tunnels
│ │ │ ├── __load__.zeek.rst
│ │ │ └── index.rst
│ │ ├── websocket
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── consts.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ └── xmpp
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ └── utils
│ │ ├── active-http.zeek.rst
│ │ ├── addrs.zeek.rst
│ │ ├── backtrace.zeek.rst
│ │ ├── conn-ids.zeek.rst
│ │ ├── dir.zeek.rst
│ │ ├── directions-and-hosts.zeek.rst
│ │ ├── email.zeek.rst
│ │ ├── exec.zeek.rst
│ │ ├── files.zeek.rst
│ │ ├── geoip-distance.zeek.rst
│ │ ├── hash_hrw.zeek.rst
│ │ ├── numbers.zeek.rst
│ │ ├── packages.zeek.rst
│ │ ├── paths.zeek.rst
│ │ ├── patterns.zeek.rst
│ │ ├── queue.zeek.rst
│ │ ├── site.zeek.rst
│ │ ├── strings.zeek.rst
│ │ ├── thresholds.zeek.rst
│ │ ├── time.zeek.rst
│ │ └── urls.zeek.rst
├── builtin-plugins
│ ├── Zeek_AF_Packet
│ │ ├── __load__.zeek.rst
│ │ ├── index.rst
│ │ └── init.zeek.rst
│ ├── Zeek_JavaScript
│ │ ├── __load__.zeek.rst
│ │ └── index.rst
│ ├── __load__.zeek.rst
│ ├── __preload__.zeek.rst
│ └── index.rst
├── policy
│ ├── files
│ │ └── x509
│ │ │ └── disable-certificate-events-known-certs.zeek.rst
│ ├── frameworks
│ │ ├── analyzer
│ │ │ ├── debug-logging.zeek.rst
│ │ │ ├── deprecated-dpd-log.zeek.rst
│ │ │ ├── detect-protocols.zeek.rst
│ │ │ └── packet-segment-logging.zeek.rst
│ │ ├── cluster
│ │ │ ├── backend
│ │ │ │ └── zeromq
│ │ │ │ │ ├── __load__.zeek.rst
│ │ │ │ │ ├── connect.zeek.rst
│ │ │ │ │ ├── index.rst
│ │ │ │ │ └── main.zeek.rst
│ │ │ ├── experimental.zeek.rst
│ │ │ └── nodes-experimental
│ │ │ │ └── manager.zeek.rst
│ │ ├── control
│ │ │ ├── controllee.zeek.rst
│ │ │ └── controller.zeek.rst
│ │ ├── dpd
│ │ │ ├── detect-protocols.zeek.rst
│ │ │ └── packet-segment-logging.zeek.rst
│ │ ├── files
│ │ │ ├── detect-MHR.zeek.rst
│ │ │ ├── entropy-test-all-files.zeek.rst
│ │ │ ├── extract-all-files.zeek.rst
│ │ │ └── hash-all-files.zeek.rst
│ │ ├── intel
│ │ │ ├── do_expire.zeek.rst
│ │ │ ├── do_notice.zeek.rst
│ │ │ ├── removal.zeek.rst
│ │ │ ├── seen
│ │ │ │ ├── __load__.zeek.rst
│ │ │ │ ├── conn-established.zeek.rst
│ │ │ │ ├── dns.zeek.rst
│ │ │ │ ├── file-hashes.zeek.rst
│ │ │ │ ├── file-names.zeek.rst
│ │ │ │ ├── http-headers.zeek.rst
│ │ │ │ ├── http-url.zeek.rst
│ │ │ │ ├── index.rst
│ │ │ │ ├── manage-event-groups.zeek.rst
│ │ │ │ ├── pubkey-hashes.zeek.rst
│ │ │ │ ├── smb-filenames.zeek.rst
│ │ │ │ ├── smtp-url-extraction.zeek.rst
│ │ │ │ ├── smtp.zeek.rst
│ │ │ │ ├── ssl.zeek.rst
│ │ │ │ ├── where-locations.zeek.rst
│ │ │ │ └── x509.zeek.rst
│ │ │ └── whitelist.zeek.rst
│ │ ├── management
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── agent
│ │ │ │ ├── __load__.zeek.rst
│ │ │ │ ├── api.zeek.rst
│ │ │ │ ├── boot.zeek.rst
│ │ │ │ ├── config.zeek.rst
│ │ │ │ ├── index.rst
│ │ │ │ └── main.zeek.rst
│ │ │ ├── config.zeek.rst
│ │ │ ├── controller
│ │ │ │ ├── __load__.zeek.rst
│ │ │ │ ├── api.zeek.rst
│ │ │ │ ├── boot.zeek.rst
│ │ │ │ ├── config.zeek.rst
│ │ │ │ ├── index.rst
│ │ │ │ └── main.zeek.rst
│ │ │ ├── index.rst
│ │ │ ├── log.zeek.rst
│ │ │ ├── node
│ │ │ │ ├── __load__.zeek.rst
│ │ │ │ ├── api.zeek.rst
│ │ │ │ ├── config.zeek.rst
│ │ │ │ ├── index.rst
│ │ │ │ └── main.zeek.rst
│ │ │ ├── persistence.zeek.rst
│ │ │ ├── request.zeek.rst
│ │ │ ├── supervisor
│ │ │ │ ├── __load__.zeek.rst
│ │ │ │ ├── api.zeek.rst
│ │ │ │ ├── config.zeek.rst
│ │ │ │ ├── index.rst
│ │ │ │ └── main.zeek.rst
│ │ │ ├── types.zeek.rst
│ │ │ └── util.zeek.rst
│ │ ├── netcontrol
│ │ │ └── catch-and-release.zeek.rst
│ │ ├── notice
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── actions
│ │ │ │ └── drop.zeek.rst
│ │ │ ├── community-id.zeek.rst
│ │ │ ├── extend-email
│ │ │ │ └── hostnames.zeek.rst
│ │ │ └── index.rst
│ │ ├── packet-filter
│ │ │ └── shunt.zeek.rst
│ │ ├── signatures
│ │ │ └── iso-9660.zeek.rst
│ │ ├── software
│ │ │ ├── version-changes.zeek.rst
│ │ │ ├── vulnerable.zeek.rst
│ │ │ └── windows-version-detection.zeek.rst
│ │ ├── spicy
│ │ │ └── resource-usage.zeek.rst
│ │ ├── storage
│ │ │ └── backend
│ │ │ │ ├── redis
│ │ │ │ ├── __load__.zeek.rst
│ │ │ │ ├── index.rst
│ │ │ │ └── main.zeek.rst
│ │ │ │ └── sqlite
│ │ │ │ ├── __load__.zeek.rst
│ │ │ │ ├── index.rst
│ │ │ │ └── main.zeek.rst
│ │ └── telemetry
│ │ │ └── log.zeek.rst
│ ├── integration
│ │ └── collective-intel
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ ├── misc
│ │ ├── capture-loss.zeek.rst
│ │ ├── detect-traceroute
│ │ │ ├── __load__.zeek.rst
│ │ │ ├── index.rst
│ │ │ └── main.zeek.rst
│ │ ├── dump-events.zeek.rst
│ │ ├── loaded-scripts.zeek.rst
│ │ ├── profiling.zeek.rst
│ │ ├── stats.zeek.rst
│ │ ├── trim-trace-file.zeek.rst
│ │ ├── unknown-protocols.zeek.rst
│ │ └── weird-stats.zeek.rst
│ ├── protocols
│ │ ├── conn
│ │ │ ├── community-id-logging.zeek.rst
│ │ │ ├── disable-unknown-ip-proto-support.zeek.rst
│ │ │ ├── failed-service-logging.zeek.rst
│ │ │ ├── ip-proto-name-logging.zeek.rst
│ │ │ ├── known-hosts.zeek.rst
│ │ │ ├── known-services.zeek.rst
│ │ │ ├── mac-logging.zeek.rst
│ │ │ ├── speculative-service.zeek.rst
│ │ │ ├── vlan-logging.zeek.rst
│ │ │ └── weirds.zeek.rst
│ │ ├── dhcp
│ │ │ ├── msg-orig.zeek.rst
│ │ │ ├── software.zeek.rst
│ │ │ └── sub-opts.zeek.rst
│ │ ├── dns
│ │ │ ├── auth-addl.zeek.rst
│ │ │ ├── detect-external-names.zeek.rst
│ │ │ └── log-original-query-case.zeek.rst
│ │ ├── ftp
│ │ │ ├── detect-bruteforcing.zeek.rst
│ │ │ ├── detect.zeek.rst
│ │ │ └── software.zeek.rst
│ │ ├── http
│ │ │ ├── detect-sql-injection.zeek.rst
│ │ │ ├── detect-webapps.zeek.rst
│ │ │ ├── header-names.zeek.rst
│ │ │ ├── software-browser-plugins.zeek.rst
│ │ │ ├── software.zeek.rst
│ │ │ ├── var-extraction-cookies.zeek.rst
│ │ │ └── var-extraction-uri.zeek.rst
│ │ ├── krb
│ │ │ └── ticket-logging.zeek.rst
│ │ ├── modbus
│ │ │ ├── known-masters-slaves.zeek.rst
│ │ │ └── track-memmap.zeek.rst
│ │ ├── mysql
│ │ │ └── software.zeek.rst
│ │ ├── rdp
│ │ │ └── indicate_ssl.zeek.rst
│ │ ├── smb
│ │ │ └── log-cmds.zeek.rst
│ │ ├── smtp
│ │ │ ├── blocklists.zeek.rst
│ │ │ ├── detect-suspicious-orig.zeek.rst
│ │ │ ├── entities-excerpt.zeek.rst
│ │ │ └── software.zeek.rst
│ │ ├── ssh
│ │ │ ├── detect-bruteforcing.zeek.rst
│ │ │ ├── geo-data.zeek.rst
│ │ │ ├── interesting-hostnames.zeek.rst
│ │ │ └── software.zeek.rst
│ │ └── ssl
│ │ │ ├── certificate-request-info.zeek.rst
│ │ │ ├── decryption.zeek.rst
│ │ │ ├── expiring-certs.zeek.rst
│ │ │ ├── heartbleed.zeek.rst
│ │ │ ├── known-certs.zeek.rst
│ │ │ ├── log-certs-base64.zeek.rst
│ │ │ ├── log-hostcerts-only.zeek.rst
│ │ │ ├── ssl-log-ext.zeek.rst
│ │ │ ├── validate-certs.zeek.rst
│ │ │ ├── validate-ocsp.zeek.rst
│ │ │ ├── validate-sct.zeek.rst
│ │ │ └── weak-keys.zeek.rst
│ └── tuning
│ │ ├── json-logs.zeek.rst
│ │ └── track-all-assets.zeek.rst
├── test-all-policy.zeek.rst
└── zeekygen
│ ├── __load__.zeek.rst
│ ├── example.zeek.rst
│ └── index.rst
├── traces
├── 20171220_smb_at_schedule.pcap
├── README
├── get.trace
└── quickstart.pcap
└── troubleshooting.rst
/.github/workflows/generate-docs.yml:
--------------------------------------------------------------------------------
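name: Generate Documentation

# Runs on every pull request, so the job builds content supplied by the
# pull-request author.
on:
  pull_request

# The build only needs to read the repository. Keeping the workflow token
# read-only means nothing executed by pip or make can write back through it.
permissions:
  contents: read

jobs:
  generate:
    if: github.repository == 'zeek/zeek-docs'
    strategy:
      fail-fast: false
      matrix:
        os:
          - 'ubuntu-latest'
          - 'macos-latest'
        python-version:
          - '3.9'
          - '3.10'
          - '3.11'
          - '3.12'
          - '3.13'
    runs-on: ${{ matrix.os }}
    steps:
      # NOTE(review): both actions are referenced by a mutable tag. Pinning
      # each to a full commit SHA removes the reliance on the tag never moving.
      - uses: actions/checkout@v4
        with:
          # No later step pushes or fetches, so do not leave the token in the
          # checked-out repository's git configuration.
          persist-credentials: false
      - uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}
      # NOTE(review): requirements.txt is not part of this listing; whether its
      # entries are version- or hash-pinned should be checked there.
      - name: Fetch Dependencies
        run: pip3 install -r requirements.txt
      # -W turns Sphinx warnings into errors; --keep-going still reports all of them.
      - name: Generate Docs
        run: make SPHINXOPTS="-W --keep-going"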
31 |
--------------------------------------------------------------------------------
/.github/workflows/pre-commit.yml:
--------------------------------------------------------------------------------
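name: pre-commit

# Runs for pull requests and for pushes to master.
on:
  pull_request:
  push:
    branches: [master]

# The hooks only inspect the checked-out tree, so the workflow token is kept
# read-only rather than inheriting the repository default.
permissions:
  contents: read

jobs:
  pre-commit:
    runs-on: ubuntu-22.04
    steps:
      # NOTE(review): the three actions below are referenced by mutable tags,
      # including one from outside the actions/ organisation. Pinning them to
      # full commit SHAs makes the executed code independent of tag changes.
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
      - uses: pre-commit/action@v3.0.1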
15 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | build
2 | *.pyc
3 |
--------------------------------------------------------------------------------
/.pre-commit-config.yaml:
--------------------------------------------------------------------------------
# See https://pre-commit.com for more information
# See https://pre-commit.com/hooks.html for more hooks
#
# Each hook repository below is fetched from GitHub and executed on the
# machine that runs pre-commit (developer workstations and the CI job).
# NOTE(review): every rev is a tag; `pre-commit autoupdate --freeze` records
# commit hashes instead, if pinning to immutable revisions is wanted.
repos:
  # Python formatting and linting; --fix lets ruff rewrite files in place.
  - repo: https://github.com/astral-sh/ruff-pre-commit
    rev: v0.8.1
    hooks:
      - id: ruff-format
      - id: ruff
        args: [--fix]

  # reStructuredText markup checks, run at the pre-commit stage only.
  - repo: https://github.com/pre-commit/pygrep-hooks
    rev: v1.10.0
    hooks:
      - id: rst-directive-colons
        stages: ["pre-commit"]
      - id: rst-backticks
        stages: ["pre-commit"]
        exclude: 'scripts/builtin-plugins/Zeek_JavaScript/__load__.zeek.rst'

  # Spell checking.
  - repo: https://github.com/crate-ci/typos
    rev: v1.30.1
    hooks:
      - id: typos
24 |
--------------------------------------------------------------------------------
/.readthedocs.yml:
--------------------------------------------------------------------------------
1 | version: 2
2 |
3 | formats:
4 | - htmlzip
5 |
6 | build:
7 | os: ubuntu-22.04
8 | tools:
9 | python: "3.11"
10 |
11 | python:
12 | install:
13 | - requirements: requirements.txt
14 |
15 | sphinx:
16 | configuration: conf.py
17 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | This work is licensed under the Creative Commons
2 | Attribution 4.0 International License. To view a copy of this
3 | license, visit https://creativecommons.org/licenses/by/4.0/ or send
4 | a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain
5 | View, California, 94041, USA.
6 |
--------------------------------------------------------------------------------
/README.rst:
--------------------------------------------------------------------------------
1 | README
--------------------------------------------------------------------------------
/_static/theme_overrides.css:
--------------------------------------------------------------------------------
1 | /* override table width restrictions */
2 | @media screen and (min-width: 767px) {
3 |
4 | .wy-table-responsive table td {
5 | /* !important prevents the common CSS stylesheets from overriding
6 | this as on RTD they are loaded after this stylesheet */
7 | white-space: normal !important;
8 | }
9 |
10 | .wy-table-responsive {
11 | overflow: visible !important;
12 | }
13 | }
14 |
15 | h1, h2, h3, h4, h5, h6 {
16 | color: #294488;
17 | font-family: 'Open Sans',Helvetica,Arial,Lucida,sans-serif!important;
18 | }
19 |
20 | a {
21 | color: #2ea3f2;
22 | }
23 |
24 | body {
25 | font-family: "Open Sans",Arial,sans-serif;
26 | color: #666;
27 | }
28 |
29 | div.highlight pre strong {
30 | font-weight: 800;
31 | background-color: #ffffcc;
32 | }
33 |
--------------------------------------------------------------------------------
/_templates/breadcrumbs.html:
--------------------------------------------------------------------------------
1 | {% extends "!breadcrumbs.html" %}
2 |
3 | {% block breadcrumbs_aside %}
4 |
5 | {% if pagename != "search" %}
6 | {% if display_github %}
7 | {% if github_version == "master" %}
8 | {{ _('Edit on GitHub') }}
9 | {% endif %}
10 | {% elif show_source and has_source and sourcename %}
11 | {{ _('View page source') }}
12 | {% endif %}
13 | {% endif %}
14 |
15 | {% endblock %}
16 |
--------------------------------------------------------------------------------
/_templates/layout.html:
--------------------------------------------------------------------------------
1 | {% extends "!layout.html" %}
2 |
3 | {% if READTHEDOCS and current_version %}
4 | {% if current_version == "latest" or current_version == "stable"
5 | or current_version == "master" or current_version == "current"
6 | or current_version == "lts" or current_version == "LTS" %}
7 | {% set current_version = current_version ~ " (" ~ version ~ ")" %}
8 | {% endif %}
9 | {% endif %}
10 |
11 | {% block menu %}
12 | {{ super() }}
13 | Index
14 | {% endblock %}
15 |
--------------------------------------------------------------------------------
/acknowledgements.rst:
--------------------------------------------------------------------------------
1 | ================
2 | Acknowledgements
3 | ================
4 |
5 | Thanks to everyone who contributed to Zeek's documentation
6 | (alphabetically):
7 |
8 | * Johanna Amann
9 | * Richard Bejtlich
10 | * Michael Dopheide
11 | * Amber Graner
12 | * Jan Grashöfer
13 | * Christian Kreibich
14 | * Terry Leach
15 | * Aashish Sharma
16 | * Jon Siwek
17 | * Stephen Smoot
18 | * Robin Sommer
19 | * Aaron Soto
20 | * Nick Turley
21 | * Fatema Bannat Wala
22 | * Tim Wojtulewicz
23 |
--------------------------------------------------------------------------------
/devel/index.rst:
--------------------------------------------------------------------------------
1 |
2 | ================
3 | Developer Guides
4 | ================
5 |
6 | In addition to documentation found or mentioned below, some developer-oriented
7 | content is maintained directly in the `Zeek wiki
8 | <https://github.com/zeek/zeek/wiki>`_ due to the nature of
9 | the content (e.g. the author finds it to be more dynamic, informal, meta,
10 | transient, etc. compared to other documentation).
11 |
12 | .. toctree::
13 | :maxdepth: 2
14 |
15 | plugins
16 | spicy/index
17 | Documentation Guide
18 | contributors
19 | maintainers
20 | cluster-backend-zeromq
21 |
--------------------------------------------------------------------------------
/devel/maintainers.rst:
--------------------------------------------------------------------------------
1 |
2 | ==================
3 | Maintainer's Guide
4 | ==================
5 |
6 | Some notable guidelines for maintainers are linked below for convenience, but
7 | they are generally maintained directly in the `Zeek wiki
8 | <https://github.com/zeek/zeek/wiki>`_.
9 |
10 | Release Process
11 | ===============
12 |
13 | See https://github.com/zeek/zeek/wiki/Release-Process
14 |
--------------------------------------------------------------------------------
/devel/spicy/autogen/tftp.evt:
--------------------------------------------------------------------------------
# Copyright (c) 2021 by the Zeek Project. See LICENSE for details.
# Maps the units parsed by the TFTP grammar to tftp::* events on the Zeek side.
# Note: When line numbers change in this file, update the documentation that pulls it in.

protocol analyzer spicy::TFTP over UDP:
    parse with TFTP::Packet,
    port 69/udp;

import TFTP;

on TFTP::Request if ( is_read ) -> event tftp::read_request($conn, $is_orig, self.filename, self.mode);
on TFTP::Request if ( ! is_read ) -> event tftp::write_request($conn, $is_orig, self.filename, self.mode);

on TFTP::Data -> event tftp::data($conn, $is_orig, self.num, self.data);
on TFTP::Acknowledgement -> event tftp::ack($conn, $is_orig, self.num);
on TFTP::Error -> event tftp::error($conn, $is_orig, self.code, self.msg);
17 |
--------------------------------------------------------------------------------
/devel/spicy/examples/my-http.evt:
--------------------------------------------------------------------------------
# Registers the example analyzer for TCP port 12345. Only the originator side
# of a connection is parsed, starting at MyHTTP::RequestLine.
protocol analyzer spicy::MyHTTP over TCP:
    parse originator with MyHTTP::RequestLine,
    port 12345/tcp;

# Every parsed request line is passed to Zeek as MyHTTP::request_line with the
# connection, method, URI and version number.
on MyHTTP::RequestLine -> event MyHTTP::request_line($conn, self.method, self.uri, self.version.number);
6 |
--------------------------------------------------------------------------------
/devel/spicy/examples/my-http.spicy:
--------------------------------------------------------------------------------
# @TEST-EXEC: echo "GET /index.html HTTP/1.0" | spicy-driver %INPUT >output
# @TEST-EXEC: btest-diff output

# Minimal grammar for the first line of an HTTP request.
module MyHTTP;

# A token is any run of bytes up to the next space, tab, CR or LF. The pattern
# has no upper length, so the size of a token is limited only by the input.
# NOTE(review): a grammar meant for live traffic would normally bound this.
const Token = /[^ \t\r\n]+/;
const WhiteSpace = /[ \t]+/;
const NewLine = /\r?\n/;

# Matches the literal "HTTP/" and captures the numeric version after it.
type Version = unit {
    : /HTTP\//;
    number: /[0-9]+\.[0-9]+/;
};

# method, uri and version separated by blanks and ended by a newline.
public type RequestLine = unit {
    method: Token;
    : WhiteSpace;
    uri: Token;
    : WhiteSpace;
    version: Version;
    : NewLine;

    # Runs once the whole unit has been parsed.
    on %done {
        print self.method, self.uri, self.version.number;
    }
};
27 |
--------------------------------------------------------------------------------
/devel/spicy/examples/my-http.zeek:
--------------------------------------------------------------------------------
# Prints one line per request line reported by the MyHTTP analyzer, prefixed
# with the originator address of the connection. method, uri and version are
# taken from the traffic as parsed.
event MyHTTP::request_line(c: connection, method: string, uri: string, version: string)
    {
    local originator = c$id$orig_h;
    print fmt("Zeek saw from %s: %s %s %s", originator, method, uri, version);
    }
5 |
--------------------------------------------------------------------------------
/devel/spicy/examples/request-line.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zeek/zeek-docs/229fde87920f68d9afee557144b7776438b8bc40/devel/spicy/examples/request-line.pcap
--------------------------------------------------------------------------------
/devel/spicy/examples/tftp-single-request-more-args.evt:
--------------------------------------------------------------------------------
# Registers the TFTP analyzer for UDP port 69, parsing with TFTP::Packet.
protocol analyzer spicy::TFTP over UDP:
    parse with TFTP::Packet,
    port 69/udp;

import TFTP;

# Every request unit raises tftp::request with the connection, the direction
# flag, and the filename and mode fields of the request.
on TFTP::Request -> event tftp::request($conn, $is_orig, self.filename, self.mode);
8 |
--------------------------------------------------------------------------------
/devel/spicy/examples/tftp-single-request-more-args.zeek:
--------------------------------------------------------------------------------
# Prints the connection 4-tuple, the direction flag, and the filename and
# transfer mode carried in the request. Both strings come from the sender of
# the packet.
event tftp::request(c: connection, is_orig: bool, filename: string, mode: string)
    {
    local endpoints = c$id;
    print "TFTP request", endpoints, is_orig, filename, mode;
    }
5 |
--------------------------------------------------------------------------------
/devel/spicy/examples/tftp-single-request.evt:
--------------------------------------------------------------------------------
# Registers the TFTP analyzer for UDP port 69, parsing with TFTP::Packet.
protocol analyzer spicy::TFTP over UDP:
    parse with TFTP::Packet,
    port 69/udp;

import TFTP;

# Every request unit raises tftp::request carrying only the connection.
on TFTP::Request -> event tftp::request($conn);
8 |
--------------------------------------------------------------------------------
/devel/spicy/examples/tftp-single-request.zeek:
--------------------------------------------------------------------------------
# Prints the connection 4-tuple for each TFTP request event.
event tftp::request(c: connection)
    {
    local endpoints = c$id;
    print "TFTP request", endpoints;
    }
5 |
--------------------------------------------------------------------------------
/devel/spicy/examples/tftp-two-requests.zeek:
--------------------------------------------------------------------------------
# Read and write requests arrive as separate events. Each handler prints the
# connection 4-tuple, the direction flag, and the filename and mode taken from
# the request.

event tftp::read_request(c: connection, is_orig: bool, filename: string, mode: string)
    {
    local endpoints = c$id;
    print "TFTP read request", endpoints, is_orig, filename, mode;
    }

event tftp::write_request(c: connection, is_orig: bool, filename: string, mode: string)
    {
    local endpoints = c$id;
    print "TFTP write request", endpoints, is_orig, filename, mode;
    }
10 |
--------------------------------------------------------------------------------
/devel/spicy/installation.rst:
--------------------------------------------------------------------------------
1 |
2 | .. _spicy_installation:
3 |
4 | Installation
5 | ============
6 |
7 | Since Zeek version 5.0, support for Spicy is built right into Zeek by
8 | default. To confirm that Spicy is indeed available, you can inspect
9 | the output of ``zeek -N``::
10 |
11 | # zeek -N Zeek::Spicy
12 | Zeek::Spicy - Support for Spicy parsers (*.hlto) (built-in)
13 |
14 | It remains possible to build Zeek against an external Spicy
15 | installation through Zeek's ``configure`` option
16 | ``--with-spicy=PATH``, where ``PATH`` points to the Spicy installation
17 | directory. In that case, you also need to ensure that the Spicy tools
18 | (e.g., ``spicyc``, ``spicy-config``) are available in ``PATH``.
19 |
--------------------------------------------------------------------------------
/frameworks/broker/cluster-layout.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zeek/zeek-docs/229fde87920f68d9afee557144b7776438b8bc40/frameworks/broker/cluster-layout.png
--------------------------------------------------------------------------------
/frameworks/broker/connecting-connector.zeek:
--------------------------------------------------------------------------------
# Keep running until terminate() is called.
redef exit_only_after_terminate = T;

# Start a Broker peering with an endpoint on the loopback address.
event zeek_init()
    {
    local remote = "127.0.0.1";
    Broker::peer(remote);
    }

# Report the new peer, then shut this process down.
event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
    {
    print "peer added", endpoint;
    terminate();
    }
13 |
--------------------------------------------------------------------------------
/frameworks/broker/connecting-listener.zeek:
--------------------------------------------------------------------------------
# Keep running until terminate() is called.
redef exit_only_after_terminate = T;

# Accept Broker peerings on the loopback address only, so the endpoint is not
# reachable from other hosts.
# NOTE(review): when listening on a routable address, check how Broker's TLS
# options are configured before exposing the port.
event zeek_init()
    {
    local bind_address = "127.0.0.1";
    Broker::listen(bind_address);
    }

event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
    {
    print "peer added", endpoint;
    }

# The listener exits as soon as its peer goes away.
event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
    {
    print "peer lost", endpoint;
    terminate();
    }
18 |
--------------------------------------------------------------------------------
/frameworks/broker/events-connector.zeek:
--------------------------------------------------------------------------------
# Keep running until terminate() is called.
redef exit_only_after_terminate = T;

# Declared so the event can be published below and handled in this script.
global my_event: event(msg: string, c: count);

event zeek_init()
    {
    Broker::peer("127.0.0.1");
    }

# After peering, publish three my_event instances on one topic: two by passing
# the arguments directly, one by building the event value first.
event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
    {
    local topic = "zeek/event/my_event";

    print "peer added", endpoint;
    Broker::publish(topic, my_event, "hi", 0);
    Broker::publish(topic, my_event, "...", 1);

    local farewell = Broker::make_event(my_event, "bye", 2);
    Broker::publish(topic, farewell);
    }

# Exit once the peer is gone.
event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
    {
    terminate();
    }

event my_event(msg: string, c: count)
    {
    print "got my_event", msg, c;
    }
27 |
--------------------------------------------------------------------------------
/frameworks/broker/events-listener.zeek:
--------------------------------------------------------------------------------
# Keep running until terminate() is called.
redef exit_only_after_terminate = T;

# Number of my_event instances handled so far.
global msg_count = 0;
global my_event: event(msg: string, c: count);
# NOTE(review): my_auto_event is declared but not used anywhere in this script.
global my_auto_event: event(msg: string, c: count);

# Subscribe to every topic under "zeek/event/" and accept peerings on the
# loopback address. Any event a peer publishes under that prefix is raised
# here if a handler for it exists, so the prefix defines what a peer may
# trigger in this process.
event zeek_init()
    {
    Broker::subscribe("zeek/event/");
    Broker::listen("127.0.0.1");
    }

event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
    {
    print "peer added", endpoint;
    }

# Print each received event and exit after the fifth.
# NOTE(review): confirm the sending script publishes five events; otherwise
# this process never reaches terminate().
event my_event(msg: string, c: count)
    {
    ++msg_count;
    print "got my_event", msg, c;

    if ( msg_count != 5 )
        return;

    terminate();
    }
25 |
--------------------------------------------------------------------------------
/frameworks/broker/logs-connector.zeek:
--------------------------------------------------------------------------------
@load ./testlog

# Keep running until terminate() is called.
redef exit_only_after_terminate = T;

# Number of log records written so far.
global n = 0;

event zeek_init()
    {
    Broker::peer("127.0.0.1");
    }

# Writes one record to Test::LOG and re-raises itself until six records
# (num 0 through 5) have been written.
event do_write()
    {
    if ( n != 6 )
        {
        Log::write(Test::LOG, [$msg = "ping", $num = n]);
        ++n;
        event do_write();
        }
    }

# Start writing once the peering is up.
event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
    {
    print "peer added", endpoint;
    event do_write();
    }

event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
    {
    terminate();
    }

# Raised for each record written to the stream; forwards the record to peers
# on a topic under "zeek/logs".
event Test::log_test(rec: Test::Info)
    {
    local forward_topic = "zeek/logs/forward/test";

    print "wrote log", rec;
    Broker::publish(forward_topic, Test::log_test, rec);
    }
37 |
--------------------------------------------------------------------------------
/frameworks/broker/logs-listener.zeek:
--------------------------------------------------------------------------------
@load ./testlog

# Keep running until terminate() is called.
redef exit_only_after_terminate = T;

# Receive everything published under "zeek/logs" and accept peerings on the
# loopback address only.
event zeek_init()
    {
    Broker::subscribe("zeek/logs");
    Broker::listen("127.0.0.1");
    }

event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
    {
    print "peer added", endpoint;
    }

# Print each forwarded record and exit on the one whose num field is 5.
event Test::log_test(rec: Test::Info)
    {
    print "got log event", rec;

    if ( rec$num != 5 )
        return;

    terminate();
    }
23 |
--------------------------------------------------------------------------------
/frameworks/broker/store-sqlite-tuning.zeek:
--------------------------------------------------------------------------------
# Handle of the master store created in zeek_init().
global h: opaque of Broker::Store;

# Creates a SQLite-backed master store named "persistent-store" and fills it
# with 1000 entries keyed "1000" down to "1", each holding a random count.
event zeek_init()
    {
    # Use WAL mode. With synchronous set to NORMAL, SQLite syncs less often,
    # which trades some durability on power loss for write speed.
    local tuning = Broker::SQLiteOptions(
        $synchronous=Broker::SQLITE_SYNCHRONOUS_NORMAL,
        $journal_mode=Broker::SQLITE_JOURNAL_MODE_WAL
    );
    local backend = Broker::BackendOptions($sqlite=tuning);
    h = Broker::create_master("persistent-store", Broker::SQLITE, backend);

    local remaining = 1000;
    while ( remaining > 0 )
        {
        Broker::put(h, cat(remaining), rand(10000));
        --remaining;
        }
    }
20 |
--------------------------------------------------------------------------------
/frameworks/broker/testlog.zeek:
--------------------------------------------------------------------------------
# Defines the Test::LOG stream used by the Broker logging examples.
module Test;

export {
    # Identifier of the new log stream.
    redef enum Log::ID += { LOG };

    # One log record: a message and a counter, both written to the log.
    type Info: record {
        msg: string &log;
        num: count &log;
    };

    # Raised for every record written to the stream.
    global log_test: event(rec: Test::Info);
}

# Create the stream with priority 5; records go to the "test" log path.
event zeek_init() &priority=5
    {
    Log::create_stream(Test::LOG, [$columns=Test::Info, $ev=log_test, $path="test"]);
    }
18 |
--------------------------------------------------------------------------------
/frameworks/denylist.jsonl:
--------------------------------------------------------------------------------
1 | {"ip": "192.168.17.1", "timestamp": 1333252748, "reason": "Malware host"}
2 | {"ip": "192.168.27.2", "timestamp": 1330235733, "reason": "Botnet server"}
3 | {"ip": "192.168.250.3", "timestamp": 1333145108, "reason": "Virus detected"}
4 |
--------------------------------------------------------------------------------
/frameworks/file_analysis_01.zeek:
--------------------------------------------------------------------------------
# Prints the UID, the 4-tuple and every service label of a connection that is
# being removed.
event connection_state_remove(c: connection)
    {
    print "connection_state_remove";
    print c$uid;
    print c$id;

    for ( label in c$service )
        print label;
    }

# Prints the file ID, then for each connection the file was seen on its UID
# and 4-tuple, and finally the file's source.
event file_state_remove(f: fa_file)
    {
    print "file_state_remove";
    print f$id;

    for ( cid, conn in f$conns )
        {
        print conn$uid;
        print cid;
        }

    print f$source;
    }
21 |
--------------------------------------------------------------------------------
/frameworks/file_analysis_02.zeek:
--------------------------------------------------------------------------------
# Announces every file for which a MIME type was detected and attaches the MD5
# analyzer to those detected as text/plain.
# NOTE(review): MD5 is not collision resistant. Where hashes are matched
# against indicators, Files::ANALYZER_SHA256 is the usual choice.
event file_sniff(f: fa_file, meta: fa_metadata)
    {
    if ( meta?$mime_type )
        {
        print "new file", f$id;

        if ( meta$mime_type == "text/plain" )
            Files::add_analyzer(f, Files::ANALYZER_MD5);
        }
    }

# Prints the hash kind and value once a hash analyzer has finished.
event file_hash(f: fa_file, kind: string, hash: string)
    {
    print "file_hash", f$id, kind, hash;
    }
13 |
--------------------------------------------------------------------------------
/frameworks/file_analysis_03.zeek:
--------------------------------------------------------------------------------
# Keep running until terminate() is called.
redef exit_only_after_terminate = T;

# Feed the local file "./myfile" into file analysis through the input
# framework. The path doubles as the name of the input stream.
event zeek_init()
    {
    local path = "./myfile";
    Input::add_analysis([$source=path, $name=path]);
    }

# Attach the MD5 analyzer to every new file.
# NOTE(review): MD5 is not collision resistant. Where hashes are matched
# against indicators, Files::ANALYZER_SHA256 is the usual choice.
event file_new(f: fa_file)
    {
    print "new file", f$id;
    Files::add_analyzer(f, Files::ANALYZER_MD5);
    }

event file_hash(f: fa_file, kind: string, hash: string)
    {
    print "file_hash", f$id, kind, hash;
    }

# When the file is done, remove the input stream named after its source and
# exit.
event file_state_remove(f: fa_file)
    {
    print "file_state_remove";
    Input::remove(f$source);
    terminate();
    }
26 |
--------------------------------------------------------------------------------
/frameworks/logging-input-sqlite.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | ====================
4 | SQLite Input/Logging
5 | ====================
6 |
7 | * :ref:`SQLite Input Reader `
8 | * :ref:`SQLite Log Writer `
9 |
--------------------------------------------------------------------------------
/frameworks/management/get-id-value-simple.console:
--------------------------------------------------------------------------------
1 | $ zeek-client get-id-value LogAscii::use_json
2 | {
3 | "errors": [],
4 | "results": {
5 | "logger": false,
6 | "manager": false,
7 | "worker-01": false,
8 | "worker-02": false
9 | }
10 | }
11 |
--------------------------------------------------------------------------------
/frameworks/management/mini-config-with-error.ini:
--------------------------------------------------------------------------------
1 | [manager]
2 | role = manager
3 |
4 | [logger]
5 | role = logger
6 |
7 | [worker-01]
8 | role = worker
9 | interface = lo
10 |
11 | [worker-02]
12 | role = worker
13 | interface = not-a-valid-interface
14 |
--------------------------------------------------------------------------------
/frameworks/management/mini-config.ini:
--------------------------------------------------------------------------------
1 | [manager]
2 | role = manager
3 |
4 | [logger]
5 | role = logger
6 |
7 | [worker-01]
8 | role = worker
9 | interface = lo
10 |
11 | [worker-02]
12 | role = worker
13 | interface = eth0
14 |
--------------------------------------------------------------------------------
/frameworks/management/mini-deployment-get-config-deployed.console:
--------------------------------------------------------------------------------
1 | $ zeek-client get-config --deployed
2 | [instances]
3 | agent-testbox
4 |
5 | [logger]
6 | instance = agent-testbox
7 | role = LOGGER
8 | port = 2201
9 |
10 | [manager]
11 | instance = agent-testbox
12 | role = MANAGER
13 | port = 2200
14 |
15 | [worker-01]
16 | instance = agent-testbox
17 | role = WORKER
18 | interface = lo
19 |
20 | [worker-02]
21 | instance = agent-testbox
22 | role = WORKER
23 | interface = eth0
24 |
--------------------------------------------------------------------------------
/frameworks/management/mini-deployment-get-config-staged.console:
--------------------------------------------------------------------------------
1 | $ zeek-client get-config
2 | [instances]
3 | agent-testbox
4 |
5 | [logger]
6 | instance = agent-testbox
7 | role = LOGGER
8 |
9 | [manager]
10 | instance = agent-testbox
11 | role = MANAGER
12 |
13 | [worker-01]
14 | instance = agent-testbox
15 | role = WORKER
16 | interface = lo
17 |
18 | [worker-02]
19 | instance = agent-testbox
20 | role = WORKER
21 | interface = eth0
22 |
--------------------------------------------------------------------------------
/frameworks/management/mini-deployment.console:
--------------------------------------------------------------------------------
1 | $ zeek-client deploy-config cluster.cfg
2 | {
3 | "errors": [],
4 | "results": {
5 | "id": "9befc56c-f7e8-11ec-8626-7c10c94416bb",
6 | "nodes": {
7 | "logger": {
8 | "instance": "agent-testbox",
9 | "success": true
10 | },
11 | "manager": {
12 | "instance": "agent-testbox",
13 | "success": true
14 | },
15 | "worker-01": {
16 | "instance": "agent-testbox",
17 | "success": true
18 | },
19 | "worker-02": {
20 | "instance": "agent-testbox",
21 | "success": true
22 | }
23 | }
24 | }
25 | }
26 |
--------------------------------------------------------------------------------
/frameworks/management/zeek-client-show-settings.console:
--------------------------------------------------------------------------------
1 | $ zeek-client show-settings
2 | [client]
3 | request_timeout_secs = 20
4 | peer_retry_secs = 1
5 | peering_status_attempts = 10
6 | peering_status_retry_delay_secs = 0.5
7 | rich_logging_format = False
8 | pretty_json = True
9 | verbosity = 0
10 |
11 | [controller]
12 | host = 127.0.0.1
13 | port = 2150
14 |
15 |
--------------------------------------------------------------------------------
/frameworks/netcontrol-1-drop-with-debug.zeek:
--------------------------------------------------------------------------------
# Activate the debug backend with priority 0.
event NetControl::init()
    {
    NetControl::activate(NetControl::create_debug(T), 0);
    }

# Requests a 20-second drop for every connection that becomes established.
# NOTE(review): with a backend that installs rules on a device this would
# block all such traffic. The debug plugin presumably only reports the rule;
# confirm before reusing this handler with a real backend.
event connection_established(c: connection)
    {
    local lifetime = 20 secs;
    NetControl::drop_connection(c$id, lifetime);
    }
11 |
--------------------------------------------------------------------------------
/frameworks/netcontrol-10-use-skeleton.zeek:
--------------------------------------------------------------------------------
# Activate the skeleton backend, created with an empty argument, with
# priority 0.
event NetControl::init()
    {
    NetControl::activate(NetControl::create_skeleton(""), 0);
    }

# Requests a 20-second drop for every connection that becomes established.
# NOTE(review): what the skeleton plugin does with the rule is not visible
# here; a backend that enforces rules would block all such traffic.
event connection_established(c: connection)
    {
    local lifetime = 20 secs;
    NetControl::drop_connection(c$id, lifetime);
    }
11 |
--------------------------------------------------------------------------------
/frameworks/netcontrol-2-ssh-guesser.zeek:
--------------------------------------------------------------------------------
1 |
@load protocols/ssh/detect-bruteforcing

# Number of guesses after which the detection script raises its notice.
redef SSH::password_guesses_limit=10;

event NetControl::init()
    {
    NetControl::activate(NetControl::create_debug(T), 0);
    }

# Blocks the source address of every SSH password-guessing notice for one hour.
# NOTE(review): the block is keyed on the address alone, so hosts that must
# never be blocked (scanners, jump hosts, NAT gateways) need an exemption,
# for example through a NetControl::rule_policy hook.
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note != SSH::Password_Guessing )
        return;

    NetControl::drop_address(n$src, 60min);
    }
17 |
--------------------------------------------------------------------------------
/frameworks/netcontrol-3-ssh-guesser.zeek:
--------------------------------------------------------------------------------
1 |
@load protocols/ssh/detect-bruteforcing

# Number of guesses after which the detection script raises its notice.
redef SSH::password_guesses_limit=10;

event NetControl::init()
    {
    NetControl::activate(NetControl::create_debug(T), 0);
    }

# Tags SSH password-guessing notices with the drop action instead of calling
# NetControl directly.
# NOTE(review): presumably the notice framework then blocks the notice's
# source address; the duration and target are decided there, not here.
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note != SSH::Password_Guessing )
        return;

    add n$actions[Notice::ACTION_DROP];
    }
17 |
--------------------------------------------------------------------------------
/frameworks/netcontrol-4-drop.zeek:
--------------------------------------------------------------------------------
# Builds and installs a drop rule for one connection by hand.
#
# c: 4-tuple of the connection to block.
# t: lifetime of the rule.
#
# Prints an error when add_rule returns an empty rule ID.
function our_drop_connection(c: conn_id, t: interval)
    {
    # The entity names what is blocked: this one connection.
    local target = NetControl::Entity($ty=NetControl::CONNECTION, $conn=c);

    # The rule drops that entity in the forward path and expires after t.
    local rule = NetControl::Rule($ty=NetControl::DROP,
                                  $target=NetControl::FORWARD,
                                  $entity=target, $expire=t);

    local rule_id = NetControl::add_rule(rule);

    if ( rule_id == "" )
        print "Error while dropping";
    }

event NetControl::init()
    {
    NetControl::activate(NetControl::create_debug(T), 0);
    }

# Requests a 20-second drop for every connection that becomes established.
event connection_established(c: connection)
    {
    our_drop_connection(c$id, 20 secs);
    }
26 |
27 |
--------------------------------------------------------------------------------
/frameworks/netcontrol-5-hook.zeek:
--------------------------------------------------------------------------------
# Vetoes connection drop rules whose originator is inside 192.168.0.0/16.
# Leaving the hook with break is what rejects the rule; a plain return lets
# it through.
# NOTE(review): an exemption this broad also covers internal hosts that are
# themselves misbehaving; a narrower list of addresses is usually safer.
hook NetControl::rule_policy(r: NetControl::Rule)
    {
    if ( r$ty != NetControl::DROP )
        return;

    if ( r$entity$ty != NetControl::CONNECTION )
        return;

    local originator = r$entity$conn$orig_h;

    if ( originator !in 192.168.0.0/16 )
        return;

    print "Ignored connection from", originator;
    break;
    }

event NetControl::init()
    {
    NetControl::activate(NetControl::create_debug(T), 0);
    }

# Requests a 20-second drop for every connection that becomes established.
event connection_established(c: connection)
    {
    NetControl::drop_connection(c$id, 20 secs);
    }
22 |
23 |
--------------------------------------------------------------------------------
/frameworks/netcontrol-6-find.zeek:
--------------------------------------------------------------------------------
event NetControl::init()
    {
    NetControl::activate(NetControl::create_debug(T), 0);
    }

# Requests a 20-second drop for an established connection unless a rule
# for the originator address is already present.
event connection_established(c: connection)
    {
    local existing = NetControl::find_rules_addr(c$id$orig_h);

    if ( |existing| == 0 )
        {
        NetControl::drop_connection(c$id, 20 secs);
        print "Rule added";
        }
    else
        print "Rule already exists";
    }
18 |
--------------------------------------------------------------------------------
/frameworks/netcontrol-7-catch-release.zeek:
--------------------------------------------------------------------------------
event NetControl::init()
    {
    NetControl::activate(NetControl::create_debug(T), 0);
    }

# Hands the originator of every established connection to the
# catch-and-release variant of the address drop.
# NOTE(review): block durations are chosen by the catch-and-release logic,
# not by this call; check its settings before relying on a specific timeout.
event connection_established(c: connection)
    {
    local originator = c$id$orig_h;
    NetControl::drop_address_catch_release(originator);
    }
11 |
--------------------------------------------------------------------------------
/frameworks/netcontrol-architecture.graffle:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zeek/zeek-docs/229fde87920f68d9afee557144b7776438b8bc40/frameworks/netcontrol-architecture.graffle
--------------------------------------------------------------------------------
/frameworks/netcontrol-architecture.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zeek/zeek-docs/229fde87920f68d9afee557144b7776438b8bc40/frameworks/netcontrol-architecture.png
--------------------------------------------------------------------------------
/frameworks/netcontrol-openflow.graffle:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zeek/zeek-docs/229fde87920f68d9afee557144b7776438b8bc40/frameworks/netcontrol-openflow.graffle
--------------------------------------------------------------------------------
/frameworks/netcontrol-openflow.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zeek/zeek-docs/229fde87920f68d9afee557144b7776438b8bc40/frameworks/netcontrol-openflow.png
--------------------------------------------------------------------------------
/frameworks/netcontrol-rules.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zeek/zeek-docs/229fde87920f68d9afee557144b7776438b8bc40/frameworks/netcontrol-rules.png
--------------------------------------------------------------------------------
/frameworks/notice_ssh_guesser.zeek:
--------------------------------------------------------------------------------
1 |
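@load protocols/ssh/detect-bruteforcing

# Threshold used by the brute-forcing detection loaded above.
redef SSH::password_guesses_limit=10;

# Escalate SSH password-guessing notices to e-mail when the notice's
# sub-message mentions 192.168.56.103.
hook Notice::policy(n: Notice::Info)
	{
	# n$sub is an optional field of Notice::Info, so test for its presence
	# before matching; a notice without a sub-message then falls through
	# instead of raising a runtime error.
	# The pattern is an unanchored substring match on free text, not an
	# address comparison.
	if ( n$note == SSH::Password_Guessing && n?$sub &&
	     /192\.168\.56\.103/ in n$sub )
		add n$actions[Notice::ACTION_EMAIL];
	}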
--------------------------------------------------------------------------------
/frameworks/packet-analysis-2-llc.cc:
--------------------------------------------------------------------------------
// Demo packet-analyzer step: reads the three 802.2 LLC header bytes from the
// frame and enqueues the llc_demo_message event with them.
//
// Returns false, after reporting a "truncated_llc_header" weird, when the
// frame is too short; returns true in every other case.
bool LLCDemo::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
	{
	// Rudimentary parsing of 802.2 LLC.
	// The length is validated before any byte of `data` is read. The reads
	// below touch offsets 14..16; this check requires at least 18 bytes, one
	// more than those reads strictly need.
	if ( len <= 17 )
		{
		packet->Weird("truncated_llc_header");
		return false;
		}

	// Only extract the fields when llc_demo_message evaluates true
	// (presumably: a handler for the event exists).
	if ( llc_demo_message )
		{
		auto dsap = data[14];
		auto ssap = data[15];
		auto control = data[16];

		event_mgr.Enqueue(llc_demo_message,
		                  val_mgr->Count(dsap),
		                  val_mgr->Count(ssap),
		                  val_mgr->Count(control));
		}

	return true;
	}
--------------------------------------------------------------------------------
/frameworks/sqlite-conn-filter.zeek:
--------------------------------------------------------------------------------
# Attach an additional filter to the connection log stream that sends its
# entries to the SQLite writer.
# NOTE(review): the resulting database holds the same connection metadata as
# conn.log; give the file at $path the same access restrictions as the logs.
event zeek_init()
	{
	# Writer-specific options: the table that receives the entries.
	local writer_config = table(["tablename"] = "conn");

	local sqlite_filter = Log::Filter($name="sqlite",
	                                  $path="/var/db/conn",
	                                  $config=writer_config,
	                                  $writer=Log::WRITER_SQLITE);

	Log::add_filter(Conn::LOG, sqlite_filter);
	}
--------------------------------------------------------------------------------
/frameworks/supervisor/simple-supervisor.zeek:
--------------------------------------------------------------------------------
# In the supervisor process: create one supervised node named "foo" on
# interface "en0" and report the outcome. In a supervised node: print the
# node's own name.
event zeek_init()
	{
	if ( ! Supervisor::is_supervisor() )
		{
		print fmt("supervised node '%s' zeek_init()", Supervisor::node()$name);
		return;
		}

	local node_cfg = Supervisor::NodeConfig($name="foo", $interface="en0");

	# Supervisor::create returns an empty string on success, else a message.
	local err = Supervisor::create(node_cfg);

	if ( err != "" )
		print "supervisor failed to create node", err;
	else
		print "supervisor created a new node";
	}

# Report shutdown, distinguishing the supervisor from a supervised node.
event zeek_done()
	{
	if ( ! Supervisor::is_supervised() )
		{
		print "supervisor zeek_done()";
		return;
		}

	print fmt("supervised node '%s' zeek_done()", Supervisor::node()$name);
	}
--------------------------------------------------------------------------------
/frameworks/supervisor/supervisor-control.zeek:
--------------------------------------------------------------------------------
# Client for the supervisor control interface: peer with a Broker endpoint on
# the loopback address, publish a restart request once the peering is up,
# print the answer and exit.
# NOTE(review): nothing in this script authenticates the request. Presumably
# any process able to peer with the endpoint on 9999/tcp can publish the same
# event, so keep that listener on loopback or otherwise restricted.
event zeek_init()
	{
	local retry_interval = 1sec;
	Broker::peer("127.0.0.1", 9999/tcp, retry_interval);
	}

event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
	{
	# Both string arguments are left empty (presumably request id and node
	# name; confirm against the SupervisorControl API).
	Broker::publish(SupervisorControl::topic_prefix,
	                SupervisorControl::restart_request, "", "");
	}

event SupervisorControl::restart_response(reqid: string, result: bool)
	{
	print fmt("got result of supervisor restart request: %s", result);
	terminate();
	}
--------------------------------------------------------------------------------
/frameworks/supervisor/zeek-supervisor-architecture.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zeek/zeek-docs/229fde87920f68d9afee557144b7776438b8bc40/frameworks/supervisor/zeek-supervisor-architecture.png
--------------------------------------------------------------------------------
/frameworks/telemetry/connection-durations.zeek:
--------------------------------------------------------------------------------
# Histogram family for connection durations, labelled by transport protocol
# and service; $bounds lists the bucket boundaries in the declared unit
# (seconds).
global conn_durations_hf = Telemetry::register_histogram_family([
	$prefix="zeek",
	$name="monitored_connection_duration",
	$unit="seconds",
	$help_text="Duration of monitored connections",
	$bounds=vector(0.1, 1.0, 10.0, 30.0, 60.0),
	$label_names=vector("proto", "service")
]);

# Record the duration of each removed connection once per service seen on
# it, or once under the service label "unknown" when c$service is empty.
event connection_state_remove(c: connection)
	{
	local proto_label = cat(c$conn$proto);
	local services: set[string] = {"unknown"};

	if ( |c$service| > 0 )
		services = c$service;

	local duration_secs = interval_to_double(c$duration);

	for ( svc in services )
		{
		local hist = Telemetry::histogram_with(conn_durations_hf,
		                                       vector(proto_label, to_lower(svc)));
		Telemetry::histogram_observe(hist, duration_secs);
		}
	}
--------------------------------------------------------------------------------
/frameworks/telemetry/global-http-counter.zeek:
--------------------------------------------------------------------------------
# Counter family without labels, counting observed HTTP requests.
global http_counter_cf = Telemetry::register_counter_family([
	$prefix="zeek",
	$name="monitored_http_requests",
	$unit="1",
	$help_text="Number of http requests observed"
]);

# The family has no label names, so a single counter instance is obtained
# once at load time and reused by the event handler.
global http_counter = Telemetry::counter_with(http_counter_cf);

# Increment the counter by one for every HTTP request event.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
	{
	Telemetry::counter_inc(http_counter);
	}
--------------------------------------------------------------------------------
/frameworks/telemetry/log-writes-cached.zeek:
--------------------------------------------------------------------------------
# Counter family counting log writes, with one label naming the log stream.
global log_writes_cf = Telemetry::register_counter_family([
	$prefix="zeek",
	$name="log_writes",
	$unit="1",
	$help_text="Number of log writes per stream",
	$label_names=vector("log_id")
]);

# Cache for the Telemetry::Counter instances, keyed by log stream ID.
global log_write_counters: table[Log::ID] of Telemetry::Counter;

# Runs for every log write: look up the stream's counter, creating and
# caching it the first time the stream is seen, then increment it.
hook Log::log_stream_policy(rec: any, id: Log::ID)
	{
	if ( id !in log_write_counters )
		{
		# Label value: the stream ID as text, runs of ':' replaced by '_',
		# lower-cased.
		local label = to_lower(gsub(cat(id), /:+/, "_"));
		log_write_counters[id] = Telemetry::counter_with(log_writes_cf,
		                                                 vector(label));
		}

	local ctr = log_write_counters[id];
	Telemetry::counter_inc(ctr);
	}
--------------------------------------------------------------------------------
/frameworks/telemetry/log-writes-immediate.zeek:
--------------------------------------------------------------------------------
# Counter family counting log writes, with one label naming the log stream.
global log_writes_cf = Telemetry::register_counter_family([
	$prefix="zeek",
	$name="log_writes",
	$unit="1",
	$help_text="Number of log writes per stream",
	$label_names=vector("log_id")
]);

# Runs for every log write: increment the family member for this stream
# directly, without keeping a counter handle around. The label value is the
# stream ID as text, with runs of ':' replaced by '_' and lower-cased.
hook Log::log_stream_policy(rec: any, id: Log::ID)
	{
	local label_values = vector(to_lower(gsub(cat(id), /:+/, "_")));
	Telemetry::counter_family_inc(log_writes_cf, label_values);
	}
--------------------------------------------------------------------------------
/frameworks/telemetry/log-writes-sync.zeek:
--------------------------------------------------------------------------------
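# Counter family counting log writes, with one label naming the log stream.
global log_writes_cf = Telemetry::register_counter_family([
	$prefix="zeek",
	$name="log_writes",
	$unit="1",
	$help_text="Number of log writes per stream",
	$label_names=vector("log_id")
]);

# Writes per stream accumulated since the last Telemetry::sync.
global log_writes: table[Log::ID] of count &default=0;

# Runs for every log write: only bump the cheap script-level tally.
hook Log::log_stream_policy(rec: any, id: Log::ID)
	{
	++log_writes[id];
	}

# Fold the accumulated tallies into the telemetry counters.
hook Telemetry::sync()
	{
	for ( id, v in log_writes )
		{
		local log_id = to_lower(gsub(cat(id), /:+/, "_"));

		# Add the number of writes seen, not a fixed 1; otherwise the
		# metric would count sync rounds instead of log writes.
		Telemetry::counter_family_inc(log_writes_cf, vector(log_id),
		                              count_to_double(v));
		}

	# Start the next interval from zero so that no write is added twice.
	clear_table(log_writes);
	}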
--------------------------------------------------------------------------------
/frameworks/telemetry/version.zeek:
--------------------------------------------------------------------------------
# Gauge family that exposes the Zeek version as label values.
global version_gf = Telemetry::register_gauge_family([
	$prefix="zeek",
	$name="version_info",
	$unit="1",
	$help_text="The Zeek version",
	$label_names=vector("version_number", "major", "minor", "patch", "commit", "beta", "debug","version_string")
]);

# Set the gauge to 1.0 once at startup; the information is carried by the
# labels, which are given in the same order as $label_names above.
event zeek_init()
	{
	local info = Version::info;
	local is_beta = info$beta ? "true" : "false";
	local is_debug = info$debug ? "true" : "false";

	local label_values = vector(cat(info$version_number),
	                            cat(info$major), cat(info$minor), cat(info$patch),
	                            cat(info$commit),
	                            is_beta,
	                            is_debug,
	                            info$version_string);

	Telemetry::gauge_family_set(version_gf, label_values, 1.0);
	}
--------------------------------------------------------------------------------
/frameworks/tls_decryption-1-suspend-processing.zeek:
--------------------------------------------------------------------------------
@load protocols/ssl/decryption
@load base/protocols/http

# Pause packet processing at startup so that no traffic is analyzed before
# the input named "tls-keylog-file" has been read completely.
# NOTE(review): presumably that input is the TLS key log consumed by the
# decryption script loaded above. Such a file holds session secrets, so
# restrict read access to it like any other key material.
event zeek_init()
	{
	suspend_processing();
	}

# Resume packet processing once the "tls-keylog-file" input reports the end
# of its data; end-of-data events of other inputs are ignored.
event Input::end_of_data(name: string, source: string)
	{
	if ( name != "tls-keylog-file" )
		return;

	continue_processing();
	}
--------------------------------------------------------------------------------
/get-started.rst:
--------------------------------------------------------------------------------
1 | ===========
2 | Get Started
3 | ===========
4 |
5 | .. toctree::
6 | :maxdepth: 2
7 |
8 | install
9 | quickstart
10 | cluster-setup
11 | building-from-source
12 |
--------------------------------------------------------------------------------
/images/architecture.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zeek/zeek-docs/229fde87920f68d9afee557144b7776438b8bc40/images/architecture.png
--------------------------------------------------------------------------------
/images/cluster-diagram.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zeek/zeek-docs/229fde87920f68d9afee557144b7776438b8bc40/images/cluster-diagram.png
--------------------------------------------------------------------------------
/images/cluster/Makefile:
--------------------------------------------------------------------------------
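# Path to the mmdc (Mermaid CLI) binary; may be overridden from the
# environment or the make command line.
MMDC?=./node_modules/.bin/mmdc

# Render a PNG from the Mermaid source with the same base name.
%.png : %.mermaid
	$(MMDC) -i $< -e png -o $@

# `all` names no file; declaring it phony keeps a stray file called "all"
# from making the target look up to date.
.PHONY: all
all: zeromq-cluster.png zeromq-pubsub.png zeromq-logging.png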
--------------------------------------------------------------------------------
/images/cluster/zeromq-cluster.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zeek/zeek-docs/229fde87920f68d9afee557144b7776438b8bc40/images/cluster/zeromq-cluster.png
--------------------------------------------------------------------------------
/images/cluster/zeromq-logging.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zeek/zeek-docs/229fde87920f68d9afee557144b7776438b8bc40/images/cluster/zeromq-logging.png
--------------------------------------------------------------------------------
/images/cluster/zeromq-pubsub.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zeek/zeek-docs/229fde87920f68d9afee557144b7776438b8bc40/images/cluster/zeromq-pubsub.png
--------------------------------------------------------------------------------
/images/collection-figure1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zeek/zeek-docs/229fde87920f68d9afee557144b7776438b8bc40/images/collection-figure1.png
--------------------------------------------------------------------------------
/images/collection-figure2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zeek/zeek-docs/229fde87920f68d9afee557144b7776438b8bc40/images/collection-figure2.png
--------------------------------------------------------------------------------
/images/collection-figure3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zeek/zeek-docs/229fde87920f68d9afee557144b7776438b8bc40/images/collection-figure3.png
--------------------------------------------------------------------------------
/images/deployment.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zeek/zeek-docs/229fde87920f68d9afee557144b7776438b8bc40/images/deployment.png
--------------------------------------------------------------------------------
/images/intel-architecture.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zeek/zeek-docs/229fde87920f68d9afee557144b7776438b8bc40/images/intel-architecture.png
--------------------------------------------------------------------------------
/images/management-all-in-one-two-zeeks.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zeek/zeek-docs/229fde87920f68d9afee557144b7776438b8bc40/images/management-all-in-one-two-zeeks.png
--------------------------------------------------------------------------------
/images/management-all-in-one-two-zeeks.svgz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zeek/zeek-docs/229fde87920f68d9afee557144b7776438b8bc40/images/management-all-in-one-two-zeeks.svgz
--------------------------------------------------------------------------------
/images/management-all-in-one.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zeek/zeek-docs/229fde87920f68d9afee557144b7776438b8bc40/images/management-all-in-one.png
--------------------------------------------------------------------------------
/images/management-all-in-one.svgz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zeek/zeek-docs/229fde87920f68d9afee557144b7776438b8bc40/images/management-all-in-one.svgz
--------------------------------------------------------------------------------
/images/management.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zeek/zeek-docs/229fde87920f68d9afee557144b7776438b8bc40/images/management.png
--------------------------------------------------------------------------------
/images/management.svgz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zeek/zeek-docs/229fde87920f68d9afee557144b7776438b8bc40/images/management.svgz
--------------------------------------------------------------------------------
/images/troubleshooting/flamegraph.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zeek/zeek-docs/229fde87920f68d9afee557144b7776438b8bc40/images/troubleshooting/flamegraph.png
--------------------------------------------------------------------------------
/images/troubleshooting/http-fake-state-growth.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zeek/zeek-docs/229fde87920f68d9afee557144b7776438b8bc40/images/troubleshooting/http-fake-state-growth.gif
--------------------------------------------------------------------------------
/images/zeek-favicon.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zeek/zeek-docs/229fde87920f68d9afee557144b7776438b8bc40/images/zeek-favicon.ico
--------------------------------------------------------------------------------
/images/zeek-logo-sidebar.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zeek/zeek-docs/229fde87920f68d9afee557144b7776438b8bc40/images/zeek-logo-sidebar.png
--------------------------------------------------------------------------------
/images/zeek-logo-text.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zeek/zeek-docs/229fde87920f68d9afee557144b7776438b8bc40/images/zeek-logo-text.png
--------------------------------------------------------------------------------
/images/zeek-logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zeek/zeek-docs/229fde87920f68d9afee557144b7776438b8bc40/images/zeek-logo.png
--------------------------------------------------------------------------------
/logs/index.rst:
--------------------------------------------------------------------------------
1 | =========
2 | Zeek Logs
3 | =========
4 |
5 | .. toctree::
6 | :maxdepth: 1
7 |
8 | conn
9 | dns
10 | http
11 | files
12 | ftp
13 | ssl
14 | x509
15 | smtp
16 | ssh
17 | pe
18 | dhcp
19 | ntp
20 | smb
21 | irc
22 | ldap
23 | postgresql
24 | quic
25 | rdp
26 | traceroute
27 | tunnel
28 | dpd
29 | known-and-software
30 | weird-and-notice
31 | capture-loss-and-reporter
32 |
--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
1 | Jinja2==3.1.6
2 | Pygments==2.17.2
3 | docutils==0.18.1
4 | sphinx_rtd_theme==2.0.0
5 | Sphinx==6.2.0
6 | GitPython==3.1.41
7 |
--------------------------------------------------------------------------------
/ruff.toml:
--------------------------------------------------------------------------------
1 | target-version = "py39"
2 |
3 | [lint]
4 | select = ["C4", "F", "I", "ISC", "UP"]
--------------------------------------------------------------------------------
/script-reference/assert_1.zeek:
--------------------------------------------------------------------------------
# Assertion without a message: the first assert holds, the second fails
# (37 is not greater than 40), so the print after it is not reached.
event test_1()
	{
	assert 3 == 3;
	local x = 37;
	assert x > 40;
	print "not reached";
	}

# Same failing assertion, this time with a custom message built with fmt().
event test_2()
	{
	assert 2 == 2;
	local x = 37;
	assert x > 40, fmt("%s is not greater than 40", x);
	print "not reached";
	}

# Schedule both test events shortly after startup, test_1 before test_2.
event zeek_init()
	{
	schedule 0.01sec { test_1() };
	schedule 0.02sec { test_2() };
	}
--------------------------------------------------------------------------------
/script-reference/file-analyzers.rst:
--------------------------------------------------------------------------------
1 | .. include:: autogenerated-file-analyzer-index.rst
2 |
--------------------------------------------------------------------------------
/script-reference/index.rst:
--------------------------------------------------------------------------------
1 | ================
2 | Script Reference
3 | ================
4 |
5 | .. toctree::
6 | :maxdepth: 1
7 |
8 | operators
9 | types
10 | attributes
11 | statements
12 | directives
13 | log-files
14 | notices
15 | packet-analyzers
16 | proto-analyzers
17 | file-analyzers
18 | packages
19 | scripts
20 | Zeekygen Example Script
21 |
--------------------------------------------------------------------------------
/script-reference/notices.rst:
--------------------------------------------------------------------------------
1 |
2 | .. Not ideal, but I haven't found a way to link to the notice index
3 | .. directly from the upper level TOC tree.
4 |
5 | Notices
6 | =======
7 |
8 | See the `Zeek Notice Index <../zeek-noticeindex.html>`_.
9 |
--------------------------------------------------------------------------------
/script-reference/packages.rst:
--------------------------------------------------------------------------------
1 | .. _script-packages:
2 |
3 | Zeek Package Index
4 | ==================
5 |
6 | Zeek has the following script packages (i.e. collections of related scripts in
7 | a common directory). If the package directory contains a ``__load__.zeek``
8 | script, the whole directory can be loaded at once for convenience.
9 |
10 | Packages/scripts in the ``base/`` directory are all loaded by default, while
11 | ones in ``policy/`` provide functionality and customization options that are
12 | more appropriate for users to decide whether they'd like to load them or not.
13 |
14 | .. include:: autogenerated-package-index.rst
15 |
--------------------------------------------------------------------------------
/script-reference/packet-analyzers.rst:
--------------------------------------------------------------------------------
1 | .. include:: autogenerated-packet-analyzer-index.rst
2 |
--------------------------------------------------------------------------------
/script-reference/proto-analyzers.rst:
--------------------------------------------------------------------------------
1 | .. include:: autogenerated-protocol-analyzer-index.rst
2 |
--------------------------------------------------------------------------------
/script-reference/scripts.rst:
--------------------------------------------------------------------------------
1 | =================
2 | Zeek Script Index
3 | =================
4 |
5 | .. include:: autogenerated-script-index.rst
6 |
--------------------------------------------------------------------------------
/scripting/connection_record_01.zeek:
--------------------------------------------------------------------------------
@load base/protocols/conn

# Print the complete connection record when Zeek is about to remove the
# connection's state.
event connection_state_remove(c: connection)
	{
	print c;
	}
--------------------------------------------------------------------------------
/scripting/connection_record_02.zeek:
--------------------------------------------------------------------------------
@load base/protocols/conn
@load base/protocols/http

# Print the complete connection record when Zeek is about to remove the
# connection's state. Compared with the conn-only variant, the HTTP scripts
# are loaded as well.
event connection_state_remove(c: connection)
	{
	print c;
	}
--------------------------------------------------------------------------------
/scripting/data_struct_record_01.zeek:
--------------------------------------------------------------------------------
# A network service: its name, the ports it uses and the RFC describing it.
type Service: record {
	name: string;
	ports: set[port];
	rfc: count;
};

# Print the service's name and RFC number, then one line per port.
function print_service(serv: Service)
	{
	print fmt("Service: %s(RFC%d)",serv$name, serv$rfc);

	for ( svc_port in serv$ports )
		print fmt(" port: %s", svc_port);
	}

# Build two Service records and print them, DNS first.
event zeek_init()
	{
	local dns_svc = Service($name="dns", $ports=set(53/udp, 53/tcp), $rfc=1035);
	local http_svc = Service($name="http", $ports=set(80/tcp, 8080/tcp), $rfc=2616);

	print_service(dns_svc);
	print_service(http_svc);
	}
--------------------------------------------------------------------------------
/scripting/data_struct_set_declaration.zeek:
--------------------------------------------------------------------------------
# Declares one set empty and one with initial members, adds ports to the
# first, and prints both.
# NOTE(review): despite the set's name, 22/tcp (SSH) does not run over
# SSL/TLS, and 587/tcp is the mail submission port while SMTPS is
# conventionally 465/tcp. The values are kept exactly as in the example.
event zeek_init()
	{
	local ssl_ports: set[port];
	local non_ssl_ports = set( 23/tcp, 80/tcp, 143/tcp, 25/tcp );

	add ssl_ports[22/tcp];   # SSH
	add ssl_ports[443/tcp];  # HTTPS
	add ssl_ports[993/tcp];  # IMAPS

	# Check for SMTPS: add the port only if it is not a member yet.
	if ( 587/tcp !in ssl_ports )
		add ssl_ports[587/tcp];

	for ( p in ssl_ports )
		print fmt("SSL Port: %s", p);

	for ( p in non_ssl_ports )
		print fmt("Non-SSL Port: %s", p);
	}
--------------------------------------------------------------------------------
/scripting/data_struct_table_complex.zeek:
--------------------------------------------------------------------------------
# A table indexed by a four-part key (director, studio, year, lead actor)
# that yields the film title; prints one sentence per entry.
event zeek_init()
	{
	local samurai_flicks: table[string, string, count, string] of string;

	samurai_flicks["Kihachi Okamoto", "Toho", 1968, "Tatsuya Nakadai"] = "Kiru";
	samurai_flicks["Hideo Gosha", "Fuji", 1969, "Tatsuya Nakadai"] = "Goyokin";
	samurai_flicks["Masaki Kobayashi", "Shochiku Eiga", 1962, "Tatsuya Nakadai" ] = "Harakiri";
	samurai_flicks["Yoji Yamada", "Eisei Gekijo", 2002, "Hiroyuki Sanada" ] = "Tasogare Seibei";

	# Destructure the composite key into its four parts while iterating.
	for ( [director, studio, year, actor] in samurai_flicks )
		{
		local title = samurai_flicks[director, studio, year, actor];
		print fmt("%s was released in %d by %s studios, directed by %s and starring %s", title, year, studio, director, actor);
		}
	}
--------------------------------------------------------------------------------
/scripting/data_struct_table_complex_blank_value.zeek:
--------------------------------------------------------------------------------
# Iterating with the blank identifier "_" for the parts that are not needed.
# The table declaration is elided in this excerpt.
event zeek_init()
	{
	# local samurai_flicks: ...

	# Keep only the first key component and the value.
	for ( [director, _, _, _], title in samurai_flicks )
		print fmt("%s was directed by %s", title, director);

	# Ignore the key altogether and use only the value.
	for ( _, title in samurai_flicks )
		print fmt("%s is a movie", title);
	}
--------------------------------------------------------------------------------
/scripting/data_struct_table_declaration.zeek:
--------------------------------------------------------------------------------
# Declare, initialize, extend and iterate a table mapping service names to
# ports.
# NOTE(review): the port values are the example's own; 587/tcp is the mail
# submission port, whereas SMTPS is conventionally 465/tcp.
event zeek_init()
	{
	# Declaration of the table.
	local ssl_services: table[string] of port;

	# Initialize the table.
	ssl_services = table(["SSH"] = 22/tcp, ["HTTPS"] = 443/tcp);

	# Insert one key-value pair into the table.
	ssl_services["IMAPS"] = 993/tcp;

	# Add "SMTPS" only when that key is not in the table yet.
	if ( "SMTPS" !in ssl_services )
		ssl_services["SMTPS"] = 587/tcp;

	# Iterate over each key in the table and look up its value.
	for ( svc_name in ssl_services )
		{
		local svc_port = ssl_services[svc_name];
		print fmt("Service Name: %s - Common Port: %s", svc_name, svc_port);
		}
	}
--------------------------------------------------------------------------------
/scripting/data_struct_vector.zeek:
--------------------------------------------------------------------------------
# Two ways to create the same vector: with an explicit type annotation (v)
# and with the type inferred from the constructor (w). Both are printed.
event zeek_init()
	{
	local v: vector of count = vector(1, 2, 3, 4);
	local w = vector(1, 2, 3, 4);

	print v;
	print w;
	}
--------------------------------------------------------------------------------
/scripting/data_struct_vector_declaration.zeek:
--------------------------------------------------------------------------------
# v1 starts empty and is filled by appending with +=; v2 is built with the
# vector constructor. Contents and length of both are printed.
event zeek_init()
	{
	local v1: vector of count;
	local v2 = vector(1, 2, 3, 4);

	# Each += appends one element at the end of v1.
	v1 += 1;
	v1 += 2;
	v1 += 3;
	v1 += 4;

	# |v| yields the number of elements.
	print fmt("contents of v1: %s", v1);
	print fmt("length of v1: %d", |v1|);
	print fmt("contents of v2: %s", v2);
	print fmt("length of v2: %d", |v2|);
	}
--------------------------------------------------------------------------------
/scripting/data_struct_vector_iter.zeek:
--------------------------------------------------------------------------------
# Index-based iteration: the loop variable is the position in the vector and
# the element is fetched explicitly. Each address is printed masked to /18.
event zeek_init()
	{
	local addr_vector: vector of addr = vector(1.2.3.4, 2.3.4.5, 3.4.5.6);

	for ( idx in addr_vector )
		{
		local masked = mask_addr(addr_vector[idx], 18);
		print masked;
		}
	}
--------------------------------------------------------------------------------
/scripting/data_struct_vector_iter_value.zeek:
--------------------------------------------------------------------------------
# Value-based iteration: the index is discarded with "_" and the element is
# bound directly. Each address is printed masked to /18.
event zeek_init()
	{
	local addr_vector: vector of addr = vector(1.2.3.4, 2.3.4.5, 3.4.5.6);

	for ( _, host in addr_vector )
		{
		local masked = mask_addr(host, 18);
		print masked;
		}
	}
--------------------------------------------------------------------------------
/scripting/data_type_const.zeek:
--------------------------------------------------------------------------------
# A constant table that other scripts may extend at parse time because it
# carries the &redef attribute.
const port_list: table[port] of string &redef;

# Add two entries; each redef extends the table rather than replacing it.
redef port_list += { [6666/tcp] = "IRC" };
redef port_list += { [80/tcp] = "WWW" };

# Print the table with both entries in place.
event zeek_init()
	{
	print port_list;
	}
--------------------------------------------------------------------------------
/scripting/data_type_const_simple.zeek:
--------------------------------------------------------------------------------
@load base/protocols/http

# Turn on capture of HTTP Basic authentication passwords.
# NOTE(review): with this option enabled the observed passwords end up in
# Zeek's HTTP log in clear text. Treat those logs as credential material:
# restrict read access, retention and forwarding accordingly.
redef HTTP::default_capture_password = T;
--------------------------------------------------------------------------------
/scripting/data_type_declaration.zeek:
--------------------------------------------------------------------------------
# Two ways to introduce a local: declare with a type and assign later (a),
# or declare and initialize with the type inferred (b).
event zeek_init()
	{
	local a: int;
	local b = 10;

	a = 10;

	if ( a == b )
		print fmt("A: %d, B: %d", a, b);
	}
--------------------------------------------------------------------------------
/scripting/data_type_interval.zeek:
--------------------------------------------------------------------------------
# Network time at which the previous connection was established.
global last_connection_time: time;

# Whether a previous connection has been seen; last_connection_time is only
# meaningful once this is T.
global connection_seen: bool = F;

# Print a timestamped line for each established connection and, from the
# second connection on, the interval since the previous one.
event connection_established(c: connection)
	{
	local now: time = network_time();
	local stamp = strftime("%Y/%m/%d %H:%M:%S", now);

	print fmt("%s: New connection established from %s to %s", stamp, c$id$orig_h, c$id$resp_h);

	# Subtracting two time values yields an interval.
	if ( connection_seen )
		print fmt(" Time since last connection: %s", now - last_connection_time);

	last_connection_time = now;
	connection_seen = T;
	}
--------------------------------------------------------------------------------
/scripting/data_type_local.zeek:
--------------------------------------------------------------------------------
# Return i + 2 and print the result; the intermediate value lives in a
# local that is visible only inside this function.
function add_two(i: count): count
	{
	local sum = i + 2;
	print fmt("i + 2 = %d", sum);
	return sum;
	}

# Call add_two once at startup; the returned value is stored but not used.
event zeek_init()
	{
	local test = add_two(10);
	}
--------------------------------------------------------------------------------
/scripting/data_type_pattern_01.zeek:
--------------------------------------------------------------------------------
# Split a sentence at every match of a pattern and print the first three
# pieces, but only when the pattern occurs in the sentence at all.
event zeek_init()
	{
	local sentence = "The quick brown fox jumps over the lazy dog.";
	local separator = /quick|lazy/;

	# "pattern in string" is true when the pattern matches anywhere.
	if ( separator !in sentence )
		return;

	local pieces = split_string(sentence, separator);
	print pieces[0];
	print pieces[1];
	print pieces[2];
	}
--------------------------------------------------------------------------------
/scripting/data_type_pattern_02.zeek:
--------------------------------------------------------------------------------
# "pattern == string" tests whether the pattern matches the entire string,
# unlike "in", which accepts a match anywhere. The same string is compared
# with two patterns and the outcome printed each time.
event zeek_init()
	{
	local test_string = "equality";

	local test_pattern = /equal/;
	local verdict = test_pattern == test_string ? "are" : "are not";
	print fmt("%s and %s %s equal", test_string, test_pattern, verdict);

	test_pattern = /equality/;
	verdict = test_pattern == test_string ? "are" : "are not";
	print fmt("%s and %s %s equal", test_string, test_pattern, verdict);
	}
--------------------------------------------------------------------------------
/scripting/data_type_subnets.zeek:
--------------------------------------------------------------------------------
# Test every address against every subnet and print each containment found.
# Both IPv4 and IPv6 values are used; IPv6 literals are written in brackets.
event zeek_init()
	{
	local subnets = vector(172.16.0.0/20, 172.16.16.0/20, 172.16.32.0/20, [2001:db8:b120::]/64);
	local addresses = vector(172.16.4.56, 172.16.47.254, 172.16.1.1, [2001:db8:b120::1]);

	for ( ai in addresses )
		{
		local host = addresses[ai];

		for ( si in subnets )
			{
			local net = subnets[si];

			# "addr in subnet" is the containment test.
			if ( host in net )
				print fmt("%s belongs to subnet %s", host, net);
			}
		}
	}
--------------------------------------------------------------------------------
/scripting/data_type_time.zeek:
--------------------------------------------------------------------------------
# Print a line with the formatted network time and both endpoint addresses
# for each established connection.
event connection_established(c: connection)
	{
	local stamp = strftime("%Y/%m/%d %H:%M:%S", network_time());
	print fmt("%s: New connection established from %s to %s\n", stamp, c$id$orig_h, c$id$resp_h);
	}
--------------------------------------------------------------------------------
/scripting/framework_logging_factorial_01.zeek:
--------------------------------------------------------------------------------
1 | module Factor;
2 |
# Recursively compute n! for a count.
function factorial(n: count): count
    {
    # 0! is 1; this is also where the recursion stops.
    if ( n == 0 )
        return 1;

    return n * factorial(n - 1);
    }
10 |
# Print the factorial of each number from 1 through 10, one per line.
event zeek_init()
    {
    local inputs: vector of count = vector(1, 2, 3, 4, 5, 6, 7, 8, 9, 10);

    # The loop variable is the vector index, not the element.
    for ( idx in inputs )
        {
        local value = factorial(inputs[idx]);
        print fmt("%d", value);
        }
    }
18 |
19 |
20 |
--------------------------------------------------------------------------------
/scripting/framework_notice_hook_01.zeek:
--------------------------------------------------------------------------------
1 | @load policy/protocols/ssh/interesting-hostnames.zeek
2 |
# Notice policy hook: request the email action for SSH logins that the
# interesting-hostnames policy script flags.
hook Notice::policy(n: Notice::Info)
    {
    # Leaving this body with `return` does not stop other policy hooks.
    if ( n$note != SSH::Interesting_Hostname_Login )
        return;

    # NOTE(review): email is only sent where a destination such as
    # Notice::mail_dest is configured; verify it for the deployment.
    add n$actions[Notice::ACTION_EMAIL];
    }
8 |
--------------------------------------------------------------------------------
/scripting/framework_notice_hook_suppression_01.zeek:
--------------------------------------------------------------------------------
1 | @load policy/protocols/ssl/expiring-certs.zeek
2 |
# Notice policy hook: set a 12-hour suppression interval on
# certificate-expiry notices.
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note != SSL::Certificate_Expires_Soon )
        return;

    # Repeats of this notice within the interval are suppressed, so pick a
    # value that still fits the alerting cadence you need.
    n$suppress_for = 12hrs;
    }
8 |
--------------------------------------------------------------------------------
/scripting/framework_notice_shortcuts_01.zeek:
--------------------------------------------------------------------------------
1 | @load policy/protocols/ssh/interesting-hostnames.zeek
2 | @load base/protocols/ssh/
3 |
# Shortcut for a policy hook: add the SSH interesting-hostname notice to the
# set of notice types that are emailed.
redef Notice::emailed_types += { SSH::Interesting_Hostname_Login };
7 |
8 |
--------------------------------------------------------------------------------
/scripting/framework_notice_shortcuts_02.zeek:
--------------------------------------------------------------------------------
1 | @load policy/protocols/ssh/interesting-hostnames.zeek
2 | @load base/protocols/ssh/
3 |
# Shortcut for a policy hook: give the SSH interesting-hostname notice a
# suppression interval of one day.
redef Notice::type_suppression_intervals += { [SSH::Interesting_Hostname_Login] = 1day };
7 |
--------------------------------------------------------------------------------
/scripting/http_main.zeek:
--------------------------------------------------------------------------------
1 | module HTTP;
2 |
export {
    ## Controls whether passwords sent with HTTP Basic-Auth are captured.
    ## Off (F) by default and redefinable. Basic-Auth credentials are only
    ## encoded, not encrypted, so anything captured with this enabled is a
    ## cleartext secret and its destination needs matching access control
    ## and retention handling.
    const default_capture_password: bool = F &redef;
}
8 |
--------------------------------------------------------------------------------
/scripting/index.rst:
--------------------------------------------------------------------------------
1 |
2 | =========================
3 | Introduction to Scripting
4 | =========================
5 |
6 | .. toctree::
7 | :maxdepth: 2
8 |
9 | basics
10 | usage
11 | event-groups
12 | tracing-events
13 | optimization
14 | javascript
15 |
--------------------------------------------------------------------------------
/scripting/js/api.zeek:
--------------------------------------------------------------------------------
1 | ## api.zeek
2 | ##
3 | ## Sample events to be invoked by api.js
4 | module MyAPI;
5 |
export {
    # Event meant to be invoked from api.js. When the caller leaves out ts,
    # it defaults to the current network time.
    global print_msg: event(msg: string, ts: time &default=network_time());
}

# Handler for MyAPI::print_msg: prints a "ZEEK" tag, the event name, the
# timestamp and the message.
event MyAPI::print_msg(msg: string, ts: time)
    {
    print "ZEEK", "print_msg", ts, msg;
    }
13 |
14 | @load ./api.js
15 |
--------------------------------------------------------------------------------
/scripting/js/connection-service.js:
--------------------------------------------------------------------------------
// connection-service.js
//
// Adds a service entry to each connection when its state is removed, then
// prints the service list seen by the Conn log policy hook.

/** Append 'service-from-js' to the connection's service list. */
function tagService(c) {
  // Assign a new array back to the record field. Calling
  // c.service.push('service-from-js') only modifies the JavaScript array.
  c.service = c.service.concat('service-from-js');
}

/** Print the service field of the record passed to the log policy hook. */
function logService(rec, id, filter) {
  console.log(rec.service);
}

zeek.on('connection_state_remove', { priority: 10 }, tagService);
zeek.hook('Conn::log_policy', logService);
10 |
--------------------------------------------------------------------------------
/scripting/js/global-vars.js:
--------------------------------------------------------------------------------
// global-vars.js
//
// Reads a Zeek global from JavaScript, changes one entry, and prints the
// table once Zeek has initialized.
const timeouts = zeek.global_vars['Conn::analyzer_inactivity_timeouts'];

// Similar to a redef on the Zeek side: sets the entry for the SSH analyzer.
timeouts['AllAnalyzers::ANALYZER_ANALYZER_SSH'] = 42.0;

/** Print the timeout table, tagged 'js'. */
function reportTimeouts() {
  console.log('js', timeouts);
}

zeek.on('zeek_init', reportTimeouts);
10 |
--------------------------------------------------------------------------------
/scripting/js/hello.js:
--------------------------------------------------------------------------------
// hello.js
//
// Prints a greeting containing the Zeek version when Zeek initializes.

/** Call the zeek_version function through zeek.invoke and print its result. */
function greet() {
  const version = zeek.invoke('zeek_version');
  console.log(`Hello, Zeek ${version}!`);
}

zeek.on('zeek_init', greet);
6 |
--------------------------------------------------------------------------------
/scripting/js/intel-insert.js:
--------------------------------------------------------------------------------
// intel-insert.js
//
// Inserts one sample address indicator into the Intel framework at startup.

/** Build the sample intel item and pass it to Intel::insert. */
function seedIntel() {
  const source = 'some intel source';

  // The object carries the indicator, its type and the metadata naming
  // where the indicator came from.
  zeek.invoke('Intel::insert', [
    {
      indicator: '192.168.0.1',
      indicator_type: 'Intel::ADDR',
      meta: { source },
    },
  ]);
}

zeek.on('zeek_init', seedIntel);
11 |
--------------------------------------------------------------------------------
/scripting/js/zeek-as.js:
--------------------------------------------------------------------------------
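// zeek-as.js
//
// Shows that a plain JavaScript string cannot be passed where a Zeek function
// takes an `any` parameter, and that zeek.as() supplies the Zeek type.
zeek.on('zeek_init', () => {
  try {
    // This throws because type_name takes an any parameter
    zeek.invoke('type_name', ['192.168.0.0/16']);
  } catch (e) {
    // The failure is reported rather than swallowed, so it shows up on stderr.
    console.error(`error: ${e}`);
  }

  // Explicit conversion of the string to the subnet type.
  const type_string = zeek.invoke('type_name', [zeek.as('subnet', '192.168.0.0/16')]);
  console.log(`good: type_name is ${type_string}`);
});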
14 |
--------------------------------------------------------------------------------
/scripts/base/bif/const.bif.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/bif/const.bif.zeek
4 | =======================
5 | .. zeek:namespace:: GLOBAL
6 |
7 | Declaration of various scripting-layer constants that the Zeek core uses
8 | internally. Documentation and default values for the scripting-layer
9 | variables themselves are found in :doc:`/scripts/base/init-bare.zeek`.
10 |
11 | :Namespace: GLOBAL
12 |
13 | Summary
14 | ~~~~~~~
15 |
16 | Detailed Interface
17 | ~~~~~~~~~~~~~~~~~~
18 |
19 |
--------------------------------------------------------------------------------
/scripts/base/bif/plugins/Zeek_AsciiReader.ascii.bif.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/bif/plugins/Zeek_AsciiReader.ascii.bif.zeek
4 | ================================================
5 | .. zeek:namespace:: GLOBAL
6 | .. zeek:namespace:: InputAscii
7 |
8 |
9 | :Namespaces: GLOBAL, InputAscii
10 |
11 | Summary
12 | ~~~~~~~
13 |
14 | Detailed Interface
15 | ~~~~~~~~~~~~~~~~~~
16 |
17 |
--------------------------------------------------------------------------------
/scripts/base/bif/plugins/Zeek_AsciiWriter.ascii.bif.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/bif/plugins/Zeek_AsciiWriter.ascii.bif.zeek
4 | ================================================
5 | .. zeek:namespace:: GLOBAL
6 | .. zeek:namespace:: LogAscii
7 |
8 |
9 | :Namespaces: GLOBAL, LogAscii
10 |
11 | Summary
12 | ~~~~~~~
13 |
14 | Detailed Interface
15 | ~~~~~~~~~~~~~~~~~~
16 |
17 |
--------------------------------------------------------------------------------
/scripts/base/bif/plugins/Zeek_BenchmarkReader.benchmark.bif.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/bif/plugins/Zeek_BenchmarkReader.benchmark.bif.zeek
4 | ========================================================
5 | .. zeek:namespace:: GLOBAL
6 | .. zeek:namespace:: InputBenchmark
7 |
8 |
9 | :Namespaces: GLOBAL, InputBenchmark
10 |
11 | Summary
12 | ~~~~~~~
13 |
14 | Detailed Interface
15 | ~~~~~~~~~~~~~~~~~~
16 |
17 |
--------------------------------------------------------------------------------
/scripts/base/bif/plugins/Zeek_BinaryReader.binary.bif.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/bif/plugins/Zeek_BinaryReader.binary.bif.zeek
4 | ==================================================
5 | .. zeek:namespace:: GLOBAL
6 | .. zeek:namespace:: InputBinary
7 |
8 |
9 | :Namespaces: GLOBAL, InputBinary
10 |
11 | Summary
12 | ~~~~~~~
13 |
14 | Detailed Interface
15 | ~~~~~~~~~~~~~~~~~~
16 |
17 |
--------------------------------------------------------------------------------
/scripts/base/bif/plugins/Zeek_ConfigReader.config.bif.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/bif/plugins/Zeek_ConfigReader.config.bif.zeek
4 | ==================================================
5 | .. zeek:namespace:: GLOBAL
6 | .. zeek:namespace:: InputConfig
7 |
8 |
9 | :Namespaces: GLOBAL, InputConfig
10 |
11 | Summary
12 | ~~~~~~~
13 |
14 | Detailed Interface
15 | ~~~~~~~~~~~~~~~~~~
16 |
17 |
--------------------------------------------------------------------------------
/scripts/base/bif/plugins/Zeek_DCE_RPC.consts.bif.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/bif/plugins/Zeek_DCE_RPC.consts.bif.zeek
4 | =============================================
5 | .. zeek:namespace:: GLOBAL
6 |
7 |
8 | :Namespace: GLOBAL
9 |
10 | Summary
11 | ~~~~~~~
12 |
13 | Detailed Interface
14 | ~~~~~~~~~~~~~~~~~~
15 |
16 |
--------------------------------------------------------------------------------
/scripts/base/bif/plugins/Zeek_DHCP.types.bif.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/bif/plugins/Zeek_DHCP.types.bif.zeek
4 | =========================================
5 | .. zeek:namespace:: DHCP
6 | .. zeek:namespace:: GLOBAL
7 |
8 |
9 | :Namespaces: DHCP, GLOBAL
10 |
11 | Summary
12 | ~~~~~~~
13 |
14 | Detailed Interface
15 | ~~~~~~~~~~~~~~~~~~
16 |
17 |
--------------------------------------------------------------------------------
/scripts/base/bif/plugins/Zeek_JavaScript.zeekjs.bif.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/bif/plugins/Zeek_JavaScript.zeekjs.bif.zeek
4 | ================================================
5 | .. zeek:namespace:: GLOBAL
6 |
7 |
8 | :Namespace: GLOBAL
9 |
10 | Summary
11 | ~~~~~~~
12 |
13 | Detailed Interface
14 | ~~~~~~~~~~~~~~~~~~
15 |
16 |
--------------------------------------------------------------------------------
/scripts/base/bif/plugins/Zeek_KRB.types.bif.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/bif/plugins/Zeek_KRB.types.bif.zeek
4 | ========================================
5 | .. zeek:namespace:: GLOBAL
6 | .. zeek:namespace:: KRB
7 |
8 |
9 | :Namespaces: GLOBAL, KRB
10 |
11 | Summary
12 | ~~~~~~~
13 |
14 | Detailed Interface
15 | ~~~~~~~~~~~~~~~~~~
16 |
17 |
--------------------------------------------------------------------------------
/scripts/base/bif/plugins/Zeek_MIME.consts.bif.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/bif/plugins/Zeek_MIME.consts.bif.zeek
4 | ==========================================
5 | .. zeek:namespace:: GLOBAL
6 |
7 |
8 | :Namespace: GLOBAL
9 |
10 | Summary
11 | ~~~~~~~
12 |
13 | Detailed Interface
14 | ~~~~~~~~~~~~~~~~~~
15 |
16 |
--------------------------------------------------------------------------------
/scripts/base/bif/plugins/Zeek_MQTT.types.bif.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/bif/plugins/Zeek_MQTT.types.bif.zeek
4 | =========================================
5 | .. zeek:namespace:: GLOBAL
6 |
7 |
8 | :Namespace: GLOBAL
9 |
10 | Summary
11 | ~~~~~~~
12 |
13 | Detailed Interface
14 | ~~~~~~~~~~~~~~~~~~
15 |
16 |
--------------------------------------------------------------------------------
/scripts/base/bif/plugins/Zeek_NCP.consts.bif.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/bif/plugins/Zeek_NCP.consts.bif.zeek
4 | =========================================
5 | .. zeek:namespace:: GLOBAL
6 |
7 |
8 | :Namespace: GLOBAL
9 |
10 | Summary
11 | ~~~~~~~
12 |
13 | Detailed Interface
14 | ~~~~~~~~~~~~~~~~~~
15 |
16 |
--------------------------------------------------------------------------------
/scripts/base/bif/plugins/Zeek_NTLM.types.bif.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/bif/plugins/Zeek_NTLM.types.bif.zeek
4 | =========================================
5 | .. zeek:namespace:: GLOBAL
6 | .. zeek:namespace:: NTLM
7 |
8 |
9 | :Namespaces: GLOBAL, NTLM
10 |
11 | Summary
12 | ~~~~~~~
13 |
14 | Detailed Interface
15 | ~~~~~~~~~~~~~~~~~~
16 |
17 |
--------------------------------------------------------------------------------
/scripts/base/bif/plugins/Zeek_NTP.types.bif.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/bif/plugins/Zeek_NTP.types.bif.zeek
4 | ========================================
5 | .. zeek:namespace:: GLOBAL
6 | .. zeek:namespace:: NTP
7 |
8 |
9 | :Namespaces: GLOBAL, NTP
10 |
11 | Summary
12 | ~~~~~~~
13 |
14 | Detailed Interface
15 | ~~~~~~~~~~~~~~~~~~
16 |
17 |
--------------------------------------------------------------------------------
/scripts/base/bif/plugins/Zeek_NoneWriter.none.bif.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/bif/plugins/Zeek_NoneWriter.none.bif.zeek
4 | ==============================================
5 | .. zeek:namespace:: GLOBAL
6 | .. zeek:namespace:: LogNone
7 |
8 |
9 | :Namespaces: GLOBAL, LogNone
10 |
11 | Summary
12 | ~~~~~~~
13 |
14 | Detailed Interface
15 | ~~~~~~~~~~~~~~~~~~
16 |
17 |
--------------------------------------------------------------------------------
/scripts/base/bif/plugins/Zeek_POP3.consts.bif.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/bif/plugins/Zeek_POP3.consts.bif.zeek
4 | ==========================================
5 | .. zeek:namespace:: GLOBAL
6 |
7 |
8 | :Namespace: GLOBAL
9 |
10 | Summary
11 | ~~~~~~~
12 |
13 | Detailed Interface
14 | ~~~~~~~~~~~~~~~~~~
15 |
16 |
--------------------------------------------------------------------------------
/scripts/base/bif/plugins/Zeek_RDP.types.bif.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/bif/plugins/Zeek_RDP.types.bif.zeek
4 | ========================================
5 | .. zeek:namespace:: GLOBAL
6 | .. zeek:namespace:: RDP
7 |
8 |
9 | :Namespaces: GLOBAL, RDP
10 |
11 | Summary
12 | ~~~~~~~
13 |
14 | Detailed Interface
15 | ~~~~~~~~~~~~~~~~~~
16 |
17 |
--------------------------------------------------------------------------------
/scripts/base/bif/plugins/Zeek_RawReader.raw.bif.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/bif/plugins/Zeek_RawReader.raw.bif.zeek
4 | ============================================
5 | .. zeek:namespace:: GLOBAL
6 | .. zeek:namespace:: InputRaw
7 |
8 |
9 | :Namespaces: GLOBAL, InputRaw
10 |
11 | Summary
12 | ~~~~~~~
13 |
14 | Detailed Interface
15 | ~~~~~~~~~~~~~~~~~~
16 |
17 |
--------------------------------------------------------------------------------
/scripts/base/bif/plugins/Zeek_SMB.consts.bif.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/bif/plugins/Zeek_SMB.consts.bif.zeek
4 | =========================================
5 | .. zeek:namespace:: GLOBAL
6 |
7 |
8 | :Namespace: GLOBAL
9 |
10 | Summary
11 | ~~~~~~~
12 |
13 | Detailed Interface
14 | ~~~~~~~~~~~~~~~~~~
15 |
16 |
--------------------------------------------------------------------------------
/scripts/base/bif/plugins/Zeek_SMB.types.bif.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/bif/plugins/Zeek_SMB.types.bif.zeek
4 | ========================================
5 | .. zeek:namespace:: GLOBAL
6 |
7 |
8 | :Namespace: GLOBAL
9 |
10 | Summary
11 | ~~~~~~~
12 |
13 | Detailed Interface
14 | ~~~~~~~~~~~~~~~~~~
15 |
16 |
--------------------------------------------------------------------------------
/scripts/base/bif/plugins/Zeek_SMTP.consts.bif.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/bif/plugins/Zeek_SMTP.consts.bif.zeek
4 | ==========================================
5 | .. zeek:namespace:: GLOBAL
6 |
7 |
8 | :Namespace: GLOBAL
9 |
10 | Summary
11 | ~~~~~~~
12 |
13 | Detailed Interface
14 | ~~~~~~~~~~~~~~~~~~
15 |
16 |
--------------------------------------------------------------------------------
/scripts/base/bif/plugins/Zeek_SNMP.types.bif.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/bif/plugins/Zeek_SNMP.types.bif.zeek
4 | =========================================
5 | .. zeek:namespace:: GLOBAL
6 | .. zeek:namespace:: SNMP
7 |
8 |
9 | :Namespaces: GLOBAL, SNMP
10 |
11 | Summary
12 | ~~~~~~~
13 |
14 | Detailed Interface
15 | ~~~~~~~~~~~~~~~~~~
16 |
17 |
--------------------------------------------------------------------------------
/scripts/base/bif/plugins/Zeek_SQLiteReader.sqlite.bif.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/bif/plugins/Zeek_SQLiteReader.sqlite.bif.zeek
4 | ==================================================
5 | .. zeek:namespace:: GLOBAL
6 | .. zeek:namespace:: InputSQLite
7 |
8 |
9 | :Namespaces: GLOBAL, InputSQLite
10 |
11 | Summary
12 | ~~~~~~~
13 |
14 | Detailed Interface
15 | ~~~~~~~~~~~~~~~~~~
16 |
17 |
--------------------------------------------------------------------------------
/scripts/base/bif/plugins/Zeek_SQLiteWriter.sqlite.bif.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/bif/plugins/Zeek_SQLiteWriter.sqlite.bif.zeek
4 | ==================================================
5 | .. zeek:namespace:: GLOBAL
6 | .. zeek:namespace:: LogSQLite
7 |
8 |
9 | :Namespaces: GLOBAL, LogSQLite
10 |
11 | Summary
12 | ~~~~~~~
13 |
14 | Detailed Interface
15 | ~~~~~~~~~~~~~~~~~~
16 |
17 |
--------------------------------------------------------------------------------
/scripts/base/bif/plugins/Zeek_SSH.types.bif.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/bif/plugins/Zeek_SSH.types.bif.zeek
4 | ========================================
5 | .. zeek:namespace:: GLOBAL
6 | .. zeek:namespace:: SSH
7 |
8 |
9 | :Namespaces: GLOBAL, SSH
10 |
11 | Summary
12 | ~~~~~~~
13 |
14 | Detailed Interface
15 | ~~~~~~~~~~~~~~~~~~
16 |
17 |
--------------------------------------------------------------------------------
/scripts/base/bif/plugins/Zeek_SSL.consts.bif.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/bif/plugins/Zeek_SSL.consts.bif.zeek
4 | =========================================
5 | .. zeek:namespace:: GLOBAL
6 |
7 |
8 | :Namespace: GLOBAL
9 |
10 | Summary
11 | ~~~~~~~
12 |
13 | Detailed Interface
14 | ~~~~~~~~~~~~~~~~~~
15 |
16 |
--------------------------------------------------------------------------------
/scripts/base/bif/plugins/Zeek_SSL.types.bif.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/bif/plugins/Zeek_SSL.types.bif.zeek
4 | ========================================
5 | .. zeek:namespace:: GLOBAL
6 | .. zeek:namespace:: SSL
7 |
8 |
9 | :Namespaces: GLOBAL, SSL
10 |
11 | Summary
12 | ~~~~~~~
13 |
14 | Detailed Interface
15 | ~~~~~~~~~~~~~~~~~~
16 |
17 |
--------------------------------------------------------------------------------
/scripts/base/bif/plugins/Zeek_TCP.types.bif.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/bif/plugins/Zeek_TCP.types.bif.zeek
4 | ========================================
5 | .. zeek:namespace:: GLOBAL
6 |
7 |
8 | :Namespace: GLOBAL
9 |
10 | Summary
11 | ~~~~~~~
12 |
13 | Detailed Interface
14 | ~~~~~~~~~~~~~~~~~~
15 |
16 |
--------------------------------------------------------------------------------
/scripts/base/bif/plugins/Zeek_WebSocket.consts.bif.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/bif/plugins/Zeek_WebSocket.consts.bif.zeek
4 | ===============================================
5 | .. zeek:namespace:: GLOBAL
6 |
7 |
8 | :Namespace: GLOBAL
9 |
10 | Summary
11 | ~~~~~~~
12 |
13 | Detailed Interface
14 | ~~~~~~~~~~~~~~~~~~
15 |
16 |
--------------------------------------------------------------------------------
/scripts/base/bif/plugins/Zeek_WebSocket.types.bif.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/bif/plugins/Zeek_WebSocket.types.bif.zeek
4 | ==============================================
5 | .. zeek:namespace:: GLOBAL
6 | .. zeek:namespace:: WebSocket
7 |
8 |
9 | :Namespaces: GLOBAL, WebSocket
10 |
11 | Summary
12 | ~~~~~~~
13 |
14 | Detailed Interface
15 | ~~~~~~~~~~~~~~~~~~
16 |
17 |
--------------------------------------------------------------------------------
/scripts/base/bif/plugins/Zeek_X509.types.bif.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/bif/plugins/Zeek_X509.types.bif.zeek
4 | =========================================
5 | .. zeek:namespace:: GLOBAL
6 |
7 |
8 | :Namespace: GLOBAL
9 |
10 | Summary
11 | ~~~~~~~
12 |
13 | Detailed Interface
14 | ~~~~~~~~~~~~~~~~~~
15 |
16 |
--------------------------------------------------------------------------------
/scripts/base/bif/telemetry_consts.bif.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/bif/telemetry_consts.bif.zeek
4 | ==================================
5 | .. zeek:namespace:: GLOBAL
6 |
7 |
8 | :Namespace: GLOBAL
9 |
10 | Summary
11 | ~~~~~~~
12 |
13 | Detailed Interface
14 | ~~~~~~~~~~~~~~~~~~
15 |
16 |
--------------------------------------------------------------------------------
/scripts/base/files/extract/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/files/extract/__load__.zeek
4 | ================================
5 |
6 |
7 | :Imports: :doc:`base/files/extract/main.zeek </scripts/base/files/extract/main.zeek>`
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/files/extract/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/files/extract
4 | ===========================
5 |
6 | Support for extracting files with the file analysis framework.
7 |
8 | :doc:`/scripts/base/files/extract/__load__.zeek`
9 |
10 |
11 | :doc:`/scripts/base/files/extract/main.zeek`
12 |
13 |
14 |
--------------------------------------------------------------------------------
/scripts/base/files/hash/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/files/hash/__load__.zeek
4 | =============================
5 |
6 |
7 | :Imports: :doc:`base/files/hash/main.zeek </scripts/base/files/hash/main.zeek>`
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/files/hash/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/files/hash
4 | ========================
5 |
6 | Support for file hashes with the file analysis framework.
7 |
8 | :doc:`/scripts/base/files/hash/__load__.zeek`
9 |
10 |
11 | :doc:`/scripts/base/files/hash/main.zeek`
12 |
13 |
14 |
--------------------------------------------------------------------------------
/scripts/base/files/pe/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/files/pe/__load__.zeek
4 | ===========================
5 |
6 |
7 | :Imports: :doc:`base/files/pe/consts.zeek </scripts/base/files/pe/consts.zeek>`, :doc:`base/files/pe/main.zeek </scripts/base/files/pe/main.zeek>`
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/files/pe/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/files/pe
4 | ======================
5 |
6 | Support for Portable Executable (PE) file analysis.
7 |
8 | :doc:`/scripts/base/files/pe/__load__.zeek`
9 |
10 |
11 | :doc:`/scripts/base/files/pe/consts.zeek`
12 |
13 |
14 | :doc:`/scripts/base/files/pe/main.zeek`
15 |
16 |
17 |
--------------------------------------------------------------------------------
/scripts/base/files/x509/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/files/x509/__load__.zeek
4 | =============================
5 |
6 |
7 | :Imports: :doc:`base/files/x509/certificate-event-cache.zeek `, :doc:`base/files/x509/log-ocsp.zeek `, :doc:`base/files/x509/main.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/frameworks/analyzer/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/frameworks/analyzer/__load__.zeek
4 | ======================================
5 |
6 |
7 | :Imports: :doc:`base/frameworks/analyzer/dpd.zeek `, :doc:`base/frameworks/analyzer/logging.zeek `, :doc:`base/frameworks/analyzer/main.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/frameworks/broker/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/frameworks/broker/__load__.zeek
4 | ====================================
5 |
6 |
7 | :Imports: :doc:`base/frameworks/broker/backpressure.zeek `, :doc:`base/frameworks/broker/log.zeek `, :doc:`base/frameworks/broker/main.zeek `, :doc:`base/frameworks/broker/store.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/frameworks/broker/backpressure.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/frameworks/broker/backpressure.zeek
4 | ========================================
5 |
6 | This script handles Broker peers that fall so far behind in processing the
7 | messages this node sends them that the local Broker endpoint decides to unpeer them.
8 | Zeek captures this as follows:
9 |
10 | - In broker.log, with a regular "peer-removed" entry indicating CAF's reason.
11 | - Via eventing through :zeek:see:`Broker::peer_removed` as done in this script.
12 |
13 | The cluster framework additionally captures the unpeering as follows:
14 |
15 | - In cluster.log, with a higher-level message indicating the node names involved.
16 | - Via telemetry, using a labeled counter.
17 |
18 |
19 | Summary
20 | ~~~~~~~
21 |
22 | Detailed Interface
23 | ~~~~~~~~~~~~~~~~~~
24 |
25 |
--------------------------------------------------------------------------------
/scripts/base/frameworks/cluster/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/frameworks/cluster/__load__.zeek
4 | =====================================
5 |
6 |
7 | :Imports: :doc:`base/frameworks/cluster/main.zeek `, :doc:`base/frameworks/cluster/pools.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/frameworks/config/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/frameworks/config/__load__.zeek
4 | ====================================
5 |
6 |
7 | :Imports: :doc:`base/frameworks/config/input.zeek `, :doc:`base/frameworks/config/main.zeek `, :doc:`base/frameworks/config/weird.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/frameworks/config/weird.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/frameworks/config/weird.zeek
4 | =================================
5 | .. zeek:namespace:: Config
6 |
7 | This script sets up the config framework change handlers for weirds.
8 |
9 | :Namespace: Config
10 | :Imports: :doc:`base/frameworks/config/main.zeek `
11 |
12 | Summary
13 | ~~~~~~~
14 |
15 | Detailed Interface
16 | ~~~~~~~~~~~~~~~~~~
17 |
18 |
--------------------------------------------------------------------------------
/scripts/base/frameworks/control/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/frameworks/control/__load__.zeek
4 | =====================================
5 |
6 |
7 | :Imports: :doc:`base/frameworks/control/main.zeek </scripts/base/frameworks/control/main.zeek>`
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/frameworks/control/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/frameworks/control
4 | ================================
5 |
6 | The control framework provides the foundation for "commands" that can be
7 | issued remotely at runtime to modify a running Zeek instance or to
8 | collect information from it.
9 |
10 | :doc:`/scripts/base/frameworks/control/__load__.zeek`
11 |
12 |
13 | :doc:`/scripts/base/frameworks/control/main.zeek`
14 |
15 | The control framework provides the foundation for "commands" that can be
16 | issued remotely at runtime to modify a running Zeek instance or to
17 | collect information from it.
18 |
19 |
--------------------------------------------------------------------------------
/scripts/base/frameworks/files/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/frameworks/files/__load__.zeek
4 | ===================================
5 |
6 |
7 | :Imports: :doc:`base/frameworks/files/magic `, :doc:`base/frameworks/files/main.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/frameworks/files/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/frameworks/files
4 | ==============================
5 |
6 | The file analysis framework provides an interface for driving the analysis
7 | of files, possibly independent of any network protocol over which they're
8 | transported.
9 |
10 | :doc:`/scripts/base/frameworks/files/__load__.zeek`
11 |
12 |
13 | :doc:`/scripts/base/frameworks/files/main.zeek`
14 |
15 | An interface for driving the analysis of files, possibly independent of
16 | any network protocol over which they're transported.
17 |
18 | :doc:`/scripts/base/frameworks/files/magic/__load__.zeek`
19 |
20 |
21 |
--------------------------------------------------------------------------------
/scripts/base/frameworks/files/magic/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/frameworks/files/magic/__load__.zeek
4 | =========================================
5 |
6 |
7 |
8 | Summary
9 | ~~~~~~~
10 |
11 | Detailed Interface
12 | ~~~~~~~~~~~~~~~~~~
13 |
14 |
--------------------------------------------------------------------------------
/scripts/base/frameworks/files/magic/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/frameworks/files/magic
4 | ====================================
5 |
6 |
7 | :doc:`/scripts/base/frameworks/files/magic/__load__.zeek`
8 |
9 |
10 |
--------------------------------------------------------------------------------
/scripts/base/frameworks/intel/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/frameworks/intel/__load__.zeek
4 | ===================================
5 |
6 |
7 | :Imports: :doc:`base/frameworks/cluster `, :doc:`base/frameworks/intel/files.zeek `, :doc:`base/frameworks/intel/input.zeek `, :doc:`base/frameworks/intel/main.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/frameworks/logging/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/frameworks/logging/__load__.zeek
4 | =====================================
5 |
6 |
7 | :Imports: :doc:`base/frameworks/logging/main.zeek `, :doc:`base/frameworks/logging/postprocessors `, :doc:`base/frameworks/logging/writers/ascii.zeek `, :doc:`base/frameworks/logging/writers/none.zeek `, :doc:`base/frameworks/logging/writers/sqlite.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/frameworks/logging/postprocessors/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/frameworks/logging/postprocessors/__load__.zeek
4 | ====================================================
5 |
6 |
7 | :Imports: :doc:`base/frameworks/logging/postprocessors/scp.zeek `, :doc:`base/frameworks/logging/postprocessors/sftp.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/frameworks/netcontrol/non-cluster.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/frameworks/netcontrol/non-cluster.zeek
4 | ===========================================
5 | .. zeek:namespace:: NetControl
6 |
7 |
8 | :Namespace: NetControl
9 | :Imports: :doc:`base/frameworks/netcontrol/main.zeek `
10 |
11 | Summary
12 | ~~~~~~~
13 |
14 | Detailed Interface
15 | ~~~~~~~~~~~~~~~~~~
16 |
17 |
--------------------------------------------------------------------------------
/scripts/base/frameworks/openflow/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/frameworks/openflow/__load__.zeek
4 | ======================================
5 |
6 |
7 | :Imports: :doc:`base/frameworks/cluster `, :doc:`base/frameworks/openflow/consts.zeek `, :doc:`base/frameworks/openflow/main.zeek `, :doc:`base/frameworks/openflow/non-cluster.zeek `, :doc:`base/frameworks/openflow/plugins `, :doc:`base/frameworks/openflow/types.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/frameworks/openflow/non-cluster.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/frameworks/openflow/non-cluster.zeek
4 | =========================================
5 | .. zeek:namespace:: OpenFlow
6 |
7 |
8 | :Namespace: OpenFlow
9 | :Imports: :doc:`base/frameworks/openflow/main.zeek `
10 |
11 | Summary
12 | ~~~~~~~
13 |
14 | Detailed Interface
15 | ~~~~~~~~~~~~~~~~~~
16 |
17 |
--------------------------------------------------------------------------------
/scripts/base/frameworks/openflow/plugins/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/frameworks/openflow/plugins/__load__.zeek
4 | ==============================================
5 |
6 |
7 | :Imports: :doc:`base/frameworks/openflow/plugins/broker.zeek `, :doc:`base/frameworks/openflow/plugins/log.zeek `, :doc:`base/frameworks/openflow/plugins/ryu.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/frameworks/openflow/plugins/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/frameworks/openflow/plugins
4 | =========================================
5 |
6 | Plugins for the OpenFlow framework.
7 |
8 | :doc:`/scripts/base/frameworks/openflow/plugins/__load__.zeek`
9 |
10 |
11 | :doc:`/scripts/base/frameworks/openflow/plugins/ryu.zeek`
12 |
13 | OpenFlow plugin for the Ryu controller.
14 |
15 | :doc:`/scripts/base/frameworks/openflow/plugins/log.zeek`
16 |
17 | OpenFlow plugin that outputs flow-modification commands
18 | to a Zeek log file.
19 |
20 | :doc:`/scripts/base/frameworks/openflow/plugins/broker.zeek`
21 |
22 | OpenFlow plugin for interfacing to controllers via Broker.
23 |
24 |
--------------------------------------------------------------------------------
/scripts/base/frameworks/packet-filter/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/frameworks/packet-filter/__load__.zeek
4 | ===========================================
5 |
6 |
7 | :Imports: :doc:`base/frameworks/cluster `, :doc:`base/frameworks/packet-filter/main.zeek `, :doc:`base/frameworks/packet-filter/netstats.zeek `, :doc:`base/frameworks/packet-filter/utils.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/frameworks/reporter/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/frameworks/reporter/__load__.zeek
4 | ======================================
5 |
6 |
7 | :Imports: :doc:`base/frameworks/reporter/main.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/frameworks/signatures/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/frameworks/signatures/__load__.zeek
4 | ========================================
5 |
6 |
7 | :Imports: :doc:`base/frameworks/signatures/main.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/frameworks/signatures/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/frameworks/signatures
4 | ===================================
5 |
6 | The signature framework provides low-level pattern matching. While
7 | signatures are not Zeek's preferred detection tool, they sometimes come in
8 | handy and are closer to what many people are familiar with from using
9 | other NIDS.
10 |
11 | :doc:`/scripts/base/frameworks/signatures/__load__.zeek`
12 |
13 |
14 | :doc:`/scripts/base/frameworks/signatures/main.zeek`
15 |
16 | Script level signature support. See the
17 | :doc:`signature documentation ` for more
18 | information about Zeek's signature engine.
19 |
20 |
--------------------------------------------------------------------------------
/scripts/base/frameworks/software/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/frameworks/software/__load__.zeek
4 | ======================================
5 |
6 |
7 | :Imports: :doc:`base/frameworks/software/main.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/frameworks/spicy/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/frameworks/spicy/__load__.zeek
4 | ===================================
5 |
6 |
7 | :Imports: :doc:`base/frameworks/spicy/main.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/frameworks/spicy/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/frameworks/spicy
4 | ==============================
5 |
6 |
7 | :doc:`/scripts/base/frameworks/spicy/init-bare.zeek`
8 |
9 |
10 | :doc:`/scripts/base/frameworks/spicy/init-framework.zeek`
11 |
12 |
13 | :doc:`/scripts/base/frameworks/spicy/__load__.zeek`
14 |
15 |
16 | :doc:`/scripts/base/frameworks/spicy/main.zeek`
17 |
18 |
19 |
--------------------------------------------------------------------------------
/scripts/base/frameworks/spicy/main.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/frameworks/spicy/main.zeek
4 | ===============================
5 | .. zeek:namespace:: Spicy
6 |
7 |
8 | :Namespace: Spicy
9 | :Imports: :doc:`base/frameworks/notice `
10 |
11 | Summary
12 | ~~~~~~~
13 | Redefinitions
14 | #############
15 | ============================================ ===================================================
16 | :zeek:type:`Notice::Type`: :zeek:type:`enum`
17 |
18 | * :zeek:enum:`Spicy::Spicy_Max_File_Depth_Exceeded`
19 | ============================================ ===================================================
20 |
21 |
22 | Detailed Interface
23 | ~~~~~~~~~~~~~~~~~~
24 |
25 |
--------------------------------------------------------------------------------
/scripts/base/frameworks/storage/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/frameworks/storage/__load__.zeek
4 | =====================================
5 |
6 |
7 | :Imports: :doc:`base/frameworks/storage/async.zeek `, :doc:`base/frameworks/storage/main.zeek `, :doc:`base/frameworks/storage/sync.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/frameworks/storage/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/frameworks/storage
4 | ================================
5 |
6 |
7 | :doc:`/scripts/base/frameworks/storage/__load__.zeek`
8 |
9 |
10 | :doc:`/scripts/base/frameworks/storage/async.zeek`
11 |
12 | Asynchronous operation methods for the storage framework.
13 |
14 | :doc:`/scripts/base/frameworks/storage/main.zeek`
15 |
16 | The storage framework provides a way to store long-term data to disk.
17 |
18 | :doc:`/scripts/base/frameworks/storage/sync.zeek`
19 |
20 | Synchronous operation methods for the storage framework.
21 |
22 |
--------------------------------------------------------------------------------
/scripts/base/frameworks/sumstats/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/frameworks/sumstats/__load__.zeek
4 | ======================================
5 |
6 |
7 | :Imports: :doc:`base/frameworks/cluster `, :doc:`base/frameworks/sumstats/main.zeek `, :doc:`base/frameworks/sumstats/non-cluster.zeek `, :doc:`base/frameworks/sumstats/plugins `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/frameworks/sumstats/non-cluster.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/frameworks/sumstats/non-cluster.zeek
4 | =========================================
5 | .. zeek:namespace:: SumStats
6 |
7 |
8 | :Namespace: SumStats
9 | :Imports: :doc:`base/frameworks/sumstats/main.zeek `
10 |
11 | Summary
12 | ~~~~~~~
13 |
14 | Detailed Interface
15 | ~~~~~~~~~~~~~~~~~~
16 |
17 |
--------------------------------------------------------------------------------
/scripts/base/frameworks/supervisor/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/frameworks/supervisor/__load__.zeek
4 | ========================================
5 |
6 |
7 | :Imports: :doc:`base/frameworks/supervisor/api.zeek `, :doc:`base/frameworks/supervisor/control.zeek `, :doc:`base/frameworks/supervisor/main.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/frameworks/supervisor/main.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/frameworks/supervisor/main.zeek
4 | ====================================
5 |
6 | Implements the Zeek process supervision API and the default behavior for its
7 | associated (remote) control events.
8 |
9 | :Imports: :doc:`base/frameworks/supervisor/api.zeek `, :doc:`base/frameworks/supervisor/control.zeek `
10 |
11 | Summary
12 | ~~~~~~~
13 |
14 | Detailed Interface
15 | ~~~~~~~~~~~~~~~~~~
16 |
17 |
--------------------------------------------------------------------------------
/scripts/base/frameworks/telemetry/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/frameworks/telemetry/__load__.zeek
4 | =======================================
5 |
6 |
7 | :Imports: :doc:`base/frameworks/telemetry/main.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/frameworks/tunnels/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/frameworks/tunnels/__load__.zeek
4 | =====================================
5 |
6 |
7 | :Imports: :doc:`base/frameworks/tunnels/main.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/frameworks/tunnels/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/frameworks/tunnels
4 | ================================
5 |
6 | The tunnels framework handles the tracking/logging of tunnels (e.g. Teredo,
7 | AYIYA, or IP-in-IP such as 6to4 where "IP" is either IPv4 or IPv6).
8 |
9 | :doc:`/scripts/base/frameworks/tunnels/__load__.zeek`
10 |
11 |
12 | :doc:`/scripts/base/frameworks/tunnels/main.zeek`
13 |
14 | This script handles the tracking/logging of tunnels (e.g. Teredo,
15 | AYIYA, or IP-in-IP such as 6to4 where "IP" is either IPv4 or IPv6).
16 |
17 | For any connection that occurs over a tunnel, information about its
18 | encapsulating tunnels is also found in the *tunnel* field of
19 | :zeek:type:`connection`.
20 |
21 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/ayiya/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/packet-protocols/ayiya/__load__.zeek
4 | =========================================
5 |
6 |
7 | :Imports: :doc:`base/packet-protocols/ayiya/main.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/ayiya/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/packet-protocols/ayiya
4 | ====================================
5 |
6 |
7 | :doc:`/scripts/base/packet-protocols/ayiya/__load__.zeek`
8 |
9 |
10 | :doc:`/scripts/base/packet-protocols/ayiya/main.zeek`
11 |
12 |
13 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/ayiya/main.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/packet-protocols/ayiya/main.zeek
4 | =====================================
5 | .. zeek:namespace:: PacketAnalyzer::AYIYA
6 |
7 |
8 | :Namespace: PacketAnalyzer::AYIYA
9 | :Imports: :doc:`base/frameworks/analyzer/main.zeek `
10 |
11 | Summary
12 | ~~~~~~~
13 | Redefinitions
14 | #############
15 | ==================================================================== =
16 | :zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef`
17 | ==================================================================== =
18 |
19 |
20 | Detailed Interface
21 | ~~~~~~~~~~~~~~~~~~
22 |
23 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/ethernet/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/packet-protocols/ethernet/__load__.zeek
4 | ============================================
5 |
6 |
7 | :Imports: :doc:`base/packet-protocols/ethernet/main.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/ethernet/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/packet-protocols/ethernet
4 | =======================================
5 |
6 |
7 | :doc:`/scripts/base/packet-protocols/ethernet/__load__.zeek`
8 |
9 |
10 | :doc:`/scripts/base/packet-protocols/ethernet/main.zeek`
11 |
12 |
13 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/fddi/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/packet-protocols/fddi/__load__.zeek
4 | ========================================
5 |
6 |
7 | :Imports: :doc:`base/packet-protocols/fddi/main.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/fddi/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/packet-protocols/fddi
4 | ===================================
5 |
6 |
7 | :doc:`/scripts/base/packet-protocols/fddi/__load__.zeek`
8 |
9 |
10 | :doc:`/scripts/base/packet-protocols/fddi/main.zeek`
11 |
12 |
13 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/geneve/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/packet-protocols/geneve/__load__.zeek
4 | ==========================================
5 |
6 |
7 | :Imports: :doc:`base/packet-protocols/geneve/main.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/geneve/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/packet-protocols/geneve
4 | =====================================
5 |
6 |
7 | :doc:`/scripts/base/packet-protocols/geneve/__load__.zeek`
8 |
9 |
10 | :doc:`/scripts/base/packet-protocols/geneve/main.zeek`
11 |
12 |
13 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/gre/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/packet-protocols/gre/__load__.zeek
4 | =======================================
5 |
6 |
7 | :Imports: :doc:`base/packet-protocols/gre/main.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/gre/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/packet-protocols/gre
4 | ==================================
5 |
6 |
7 | :doc:`/scripts/base/packet-protocols/gre/__load__.zeek`
8 |
9 |
10 | :doc:`/scripts/base/packet-protocols/gre/main.zeek`
11 |
12 |
13 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/gtpv1/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/packet-protocols/gtpv1/__load__.zeek
4 | =========================================
5 |
6 |
7 | :Imports: :doc:`base/packet-protocols/gtpv1/main.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/gtpv1/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/packet-protocols/gtpv1
4 | ====================================
5 |
6 |
7 | :doc:`/scripts/base/packet-protocols/gtpv1/__load__.zeek`
8 |
9 |
10 | :doc:`/scripts/base/packet-protocols/gtpv1/main.zeek`
11 |
12 |
13 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/icmp/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/packet-protocols/icmp/__load__.zeek
4 | ========================================
5 |
6 |
7 | :Imports: :doc:`base/packet-protocols/icmp/main.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/icmp/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/packet-protocols/icmp
4 | ===================================
5 |
6 |
7 | :doc:`/scripts/base/packet-protocols/icmp/__load__.zeek`
8 |
9 |
10 | :doc:`/scripts/base/packet-protocols/icmp/main.zeek`
11 |
12 |
13 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/icmp/main.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/packet-protocols/icmp/main.zeek
4 | ====================================
5 | .. zeek:namespace:: PacketAnalyzer::ICMP
6 |
7 |
8 | :Namespace: PacketAnalyzer::ICMP
9 |
10 | Summary
11 | ~~~~~~~
12 |
13 | Detailed Interface
14 | ~~~~~~~~~~~~~~~~~~
15 |
16 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/ieee802_11/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/packet-protocols/ieee802_11/__load__.zeek
4 | ==============================================
5 |
6 |
7 | :Imports: :doc:`base/packet-protocols/ieee802_11/main.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/ieee802_11/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/packet-protocols/ieee802_11
4 | =========================================
5 |
6 |
7 | :doc:`/scripts/base/packet-protocols/ieee802_11/__load__.zeek`
8 |
9 |
10 | :doc:`/scripts/base/packet-protocols/ieee802_11/main.zeek`
11 |
12 |
13 | :doc:`/scripts/base/packet-protocols/ieee802_11_radio/__load__.zeek`
14 |
15 |
16 | :doc:`/scripts/base/packet-protocols/ieee802_11_radio/main.zeek`
17 |
18 |
19 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/ieee802_11/main.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/packet-protocols/ieee802_11/main.zeek
4 | ==========================================
5 | .. zeek:namespace:: PacketAnalyzer::IEEE802_11
6 |
7 |
8 | :Namespace: PacketAnalyzer::IEEE802_11
9 |
10 | Summary
11 | ~~~~~~~
12 |
13 | Detailed Interface
14 | ~~~~~~~~~~~~~~~~~~
15 |
16 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/ieee802_11_radio/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/packet-protocols/ieee802_11_radio/__load__.zeek
4 | ====================================================
5 |
6 |
7 | :Imports: :doc:`base/packet-protocols/ieee802_11_radio/main.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/ieee802_11_radio/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/packet-protocols/ieee802_11_radio
4 | ===============================================
5 |
6 |
7 | :doc:`/scripts/base/packet-protocols/ieee802_11_radio/__load__.zeek`
8 |
9 |
10 | :doc:`/scripts/base/packet-protocols/ieee802_11_radio/main.zeek`
11 |
12 |
13 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/ieee802_11_radio/main.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/packet-protocols/ieee802_11_radio/main.zeek
4 | ================================================
5 | .. zeek:namespace:: PacketAnalyzer::IEEE802_11_RADIO
6 |
7 |
8 | :Namespace: PacketAnalyzer::IEEE802_11_RADIO
9 |
10 | Summary
11 | ~~~~~~~
12 |
13 | Detailed Interface
14 | ~~~~~~~~~~~~~~~~~~
15 |
16 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/ip/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/packet-protocols/ip/__load__.zeek
4 | ======================================
5 |
6 |
7 | :Imports: :doc:`base/packet-protocols/ip/main.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/ip/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/packet-protocols/ip
4 | =================================
5 |
6 |
7 | :doc:`/scripts/base/packet-protocols/ip/__load__.zeek`
8 |
9 |
10 | :doc:`/scripts/base/packet-protocols/ip/main.zeek`
11 |
12 |
13 | :doc:`/scripts/base/packet-protocols/iptunnel/__load__.zeek`
14 |
15 |
16 | :doc:`/scripts/base/packet-protocols/iptunnel/main.zeek`
17 |
18 |
19 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/iptunnel/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/packet-protocols/iptunnel/__load__.zeek
4 | ============================================
5 |
6 |
7 | :Imports: :doc:`base/packet-protocols/iptunnel/main.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/iptunnel/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/packet-protocols/iptunnel
4 | =======================================
5 |
6 |
7 | :doc:`/scripts/base/packet-protocols/iptunnel/__load__.zeek`
8 |
9 |
10 | :doc:`/scripts/base/packet-protocols/iptunnel/main.zeek`
11 |
12 |
13 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/linux_sll/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/packet-protocols/linux_sll/__load__.zeek
4 | =============================================
5 |
6 |
7 | :Imports: :doc:`base/packet-protocols/linux_sll/main.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/linux_sll/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/packet-protocols/linux_sll
4 | ========================================
5 |
6 |
7 | :doc:`/scripts/base/packet-protocols/linux_sll/__load__.zeek`
8 |
9 |
10 | :doc:`/scripts/base/packet-protocols/linux_sll/main.zeek`
11 |
12 |
13 | :doc:`/scripts/base/packet-protocols/linux_sll2/__load__.zeek`
14 |
15 |
16 | :doc:`/scripts/base/packet-protocols/linux_sll2/main.zeek`
17 |
18 |
19 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/linux_sll/main.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/packet-protocols/linux_sll/main.zeek
4 | =========================================
5 | .. zeek:namespace:: PacketAnalyzer::LINUXSLL
6 |
7 |
8 | :Namespace: PacketAnalyzer::LINUXSLL
9 |
10 | Summary
11 | ~~~~~~~
12 |
13 | Detailed Interface
14 | ~~~~~~~~~~~~~~~~~~
15 |
16 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/linux_sll2/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/packet-protocols/linux_sll2/__load__.zeek
4 | ==============================================
5 |
6 |
7 | :Imports: :doc:`base/packet-protocols/linux_sll2/main.zeek </scripts/base/packet-protocols/linux_sll2/main.zeek>`
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/linux_sll2/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/packet-protocols/linux_sll2
4 | =========================================
5 |
6 |
7 | :doc:`/scripts/base/packet-protocols/linux_sll2/__load__.zeek`
8 |
9 |
10 | :doc:`/scripts/base/packet-protocols/linux_sll2/main.zeek`
11 |
12 |
13 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/linux_sll2/main.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/packet-protocols/linux_sll2/main.zeek
4 | ==========================================
5 | .. zeek:namespace:: PacketAnalyzer::LINUXSLL2
6 |
7 |
8 | :Namespace: PacketAnalyzer::LINUXSLL2
9 |
10 | Summary
11 | ~~~~~~~
12 |
13 | Detailed Interface
14 | ~~~~~~~~~~~~~~~~~~
15 |
16 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/llc/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/packet-protocols/llc/__load__.zeek
4 | =======================================
5 |
6 |
7 | :Imports: :doc:`base/packet-protocols/llc/main.zeek </scripts/base/packet-protocols/llc/main.zeek>`
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/llc/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/packet-protocols/llc
4 | ==================================
5 |
6 |
7 | :doc:`/scripts/base/packet-protocols/llc/__load__.zeek`
8 |
9 |
10 | :doc:`/scripts/base/packet-protocols/llc/main.zeek`
11 |
12 |
13 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/llc/main.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/packet-protocols/llc/main.zeek
4 | ===================================
5 | .. zeek:namespace:: PacketAnalyzer::LLC
6 |
7 |
8 | :Namespace: PacketAnalyzer::LLC
9 |
10 | Summary
11 | ~~~~~~~
12 |
13 | Detailed Interface
14 | ~~~~~~~~~~~~~~~~~~
15 |
16 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/mpls/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/packet-protocols/mpls/__load__.zeek
4 | ========================================
5 |
6 |
7 | :Imports: :doc:`base/packet-protocols/mpls/main.zeek </scripts/base/packet-protocols/mpls/main.zeek>`
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/mpls/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/packet-protocols/mpls
4 | ===================================
5 |
6 |
7 | :doc:`/scripts/base/packet-protocols/mpls/__load__.zeek`
8 |
9 |
10 | :doc:`/scripts/base/packet-protocols/mpls/main.zeek`
11 |
12 |
13 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/nflog/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/packet-protocols/nflog/__load__.zeek
4 | =========================================
5 |
6 |
7 | :Imports: :doc:`base/packet-protocols/nflog/main.zeek </scripts/base/packet-protocols/nflog/main.zeek>`
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/nflog/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/packet-protocols/nflog
4 | ====================================
5 |
6 |
7 | :doc:`/scripts/base/packet-protocols/nflog/__load__.zeek`
8 |
9 |
10 | :doc:`/scripts/base/packet-protocols/nflog/main.zeek`
11 |
12 |
13 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/nflog/main.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/packet-protocols/nflog/main.zeek
4 | =====================================
5 | .. zeek:namespace:: PacketAnalyzer::NFLOG
6 |
7 |
8 | :Namespace: PacketAnalyzer::NFLOG
9 |
10 | Summary
11 | ~~~~~~~
12 |
13 | Detailed Interface
14 | ~~~~~~~~~~~~~~~~~~
15 |
16 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/novell_802_3/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/packet-protocols/novell_802_3/__load__.zeek
4 | ================================================
5 |
6 |
7 | :Imports: :doc:`base/packet-protocols/novell_802_3/main.zeek </scripts/base/packet-protocols/novell_802_3/main.zeek>`
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/novell_802_3/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/packet-protocols/novell_802_3
4 | ===========================================
5 |
6 |
7 | :doc:`/scripts/base/packet-protocols/novell_802_3/__load__.zeek`
8 |
9 |
10 | :doc:`/scripts/base/packet-protocols/novell_802_3/main.zeek`
11 |
12 |
13 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/novell_802_3/main.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/packet-protocols/novell_802_3/main.zeek
4 | ============================================
5 | .. zeek:namespace:: PacketAnalyzer::NOVELL_802_3
6 |
7 |
8 | :Namespace: PacketAnalyzer::NOVELL_802_3
9 |
10 | Summary
11 | ~~~~~~~
12 |
13 | Detailed Interface
14 | ~~~~~~~~~~~~~~~~~~
15 |
16 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/null/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/packet-protocols/null/__load__.zeek
4 | ========================================
5 |
6 |
7 | :Imports: :doc:`base/packet-protocols/null/main.zeek </scripts/base/packet-protocols/null/main.zeek>`
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/null/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/packet-protocols/null
4 | ===================================
5 |
6 |
7 | :doc:`/scripts/base/packet-protocols/null/__load__.zeek`
8 |
9 |
10 | :doc:`/scripts/base/packet-protocols/null/main.zeek`
11 |
12 |
13 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/null/main.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/packet-protocols/null/main.zeek
4 | ====================================
5 | .. zeek:namespace:: PacketAnalyzer::NULL
6 |
7 |
8 | :Namespace: PacketAnalyzer::NULL
9 |
10 | Summary
11 | ~~~~~~~
12 |
13 | Detailed Interface
14 | ~~~~~~~~~~~~~~~~~~
15 |
16 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/pbb/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/packet-protocols/pbb/__load__.zeek
4 | =======================================
5 |
6 |
7 | :Imports: :doc:`base/packet-protocols/pbb/main.zeek </scripts/base/packet-protocols/pbb/main.zeek>`
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/pbb/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/packet-protocols/pbb
4 | ==================================
5 |
6 |
7 | :doc:`/scripts/base/packet-protocols/pbb/__load__.zeek`
8 |
9 |
10 | :doc:`/scripts/base/packet-protocols/pbb/main.zeek`
11 |
12 |
13 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/ppp/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/packet-protocols/ppp/__load__.zeek
4 | =======================================
5 |
6 |
7 | :Imports: :doc:`base/packet-protocols/ppp/main.zeek </scripts/base/packet-protocols/ppp/main.zeek>`
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/ppp/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/packet-protocols/ppp
4 | ==================================
5 |
6 |
7 | :doc:`/scripts/base/packet-protocols/ppp/__load__.zeek`
8 |
9 |
10 | :doc:`/scripts/base/packet-protocols/ppp/main.zeek`
11 |
12 |
13 | :doc:`/scripts/base/packet-protocols/ppp_serial/__load__.zeek`
14 |
15 |
16 | :doc:`/scripts/base/packet-protocols/ppp_serial/main.zeek`
17 |
18 |
19 | :doc:`/scripts/base/packet-protocols/pppoe/__load__.zeek`
20 |
21 |
22 | :doc:`/scripts/base/packet-protocols/pppoe/main.zeek`
23 |
24 |
25 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/ppp/main.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/packet-protocols/ppp/main.zeek
4 | ===================================
5 | .. zeek:namespace:: PacketAnalyzer::PPP
6 |
7 |
8 | :Namespace: PacketAnalyzer::PPP
9 |
10 | Summary
11 | ~~~~~~~
12 |
13 | Detailed Interface
14 | ~~~~~~~~~~~~~~~~~~
15 |
16 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/ppp_serial/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/packet-protocols/ppp_serial/__load__.zeek
4 | ==============================================
5 |
6 |
7 | :Imports: :doc:`base/packet-protocols/ppp_serial/main.zeek </scripts/base/packet-protocols/ppp_serial/main.zeek>`
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/ppp_serial/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/packet-protocols/ppp_serial
4 | =========================================
5 |
6 |
7 | :doc:`/scripts/base/packet-protocols/ppp_serial/__load__.zeek`
8 |
9 |
10 | :doc:`/scripts/base/packet-protocols/ppp_serial/main.zeek`
11 |
12 |
13 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/ppp_serial/main.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/packet-protocols/ppp_serial/main.zeek
4 | ==========================================
5 | .. zeek:namespace:: PacketAnalyzer::PPP_SERIAL
6 |
7 |
8 | :Namespace: PacketAnalyzer::PPP_SERIAL
9 |
10 | Summary
11 | ~~~~~~~
12 |
13 | Detailed Interface
14 | ~~~~~~~~~~~~~~~~~~
15 |
16 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/pppoe/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/packet-protocols/pppoe/__load__.zeek
4 | =========================================
5 |
6 |
7 | :Imports: :doc:`base/packet-protocols/pppoe/main.zeek </scripts/base/packet-protocols/pppoe/main.zeek>`
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/pppoe/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/packet-protocols/pppoe
4 | ====================================
5 |
6 |
7 | :doc:`/scripts/base/packet-protocols/pppoe/__load__.zeek`
8 |
9 |
10 | :doc:`/scripts/base/packet-protocols/pppoe/main.zeek`
11 |
12 |
13 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/pppoe/main.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/packet-protocols/pppoe/main.zeek
4 | =====================================
5 | .. zeek:namespace:: PacketAnalyzer::PPPOE
6 |
7 |
8 | :Namespace: PacketAnalyzer::PPPOE
9 |
10 | Summary
11 | ~~~~~~~
12 |
13 | Detailed Interface
14 | ~~~~~~~~~~~~~~~~~~
15 |
16 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/root/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/packet-protocols/root/__load__.zeek
4 | ========================================
5 |
6 |
7 | :Imports: :doc:`base/packet-protocols/root/main.zeek </scripts/base/packet-protocols/root/main.zeek>`
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/root/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/packet-protocols/root
4 | ===================================
5 |
6 |
7 | :doc:`/scripts/base/packet-protocols/root/__load__.zeek`
8 |
9 |
10 | :doc:`/scripts/base/packet-protocols/root/main.zeek`
11 |
12 |
13 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/skip/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/packet-protocols/skip/__load__.zeek
4 | ========================================
5 |
6 |
7 | :Imports: :doc:`base/packet-protocols/skip/main.zeek </scripts/base/packet-protocols/skip/main.zeek>`
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/skip/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/packet-protocols/skip
4 | ===================================
5 |
6 |
7 | :doc:`/scripts/base/packet-protocols/skip/__load__.zeek`
8 |
9 |
10 | :doc:`/scripts/base/packet-protocols/skip/main.zeek`
11 |
12 |
13 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/snap/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/packet-protocols/snap/__load__.zeek
4 | ========================================
5 |
6 |
7 | :Imports: :doc:`base/packet-protocols/snap/main.zeek </scripts/base/packet-protocols/snap/main.zeek>`
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/snap/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/packet-protocols/snap
4 | ===================================
5 |
6 |
7 | :doc:`/scripts/base/packet-protocols/snap/__load__.zeek`
8 |
9 |
10 | :doc:`/scripts/base/packet-protocols/snap/main.zeek`
11 |
12 |
13 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/snap/main.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/packet-protocols/snap/main.zeek
4 | ====================================
5 | .. zeek:namespace:: PacketAnalyzer::SNAP
6 |
7 |
8 | :Namespace: PacketAnalyzer::SNAP
9 |
10 | Summary
11 | ~~~~~~~
12 |
13 | Detailed Interface
14 | ~~~~~~~~~~~~~~~~~~
15 |
16 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/tcp/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/packet-protocols/tcp/__load__.zeek
4 | =======================================
5 |
6 |
7 | :Imports: :doc:`base/packet-protocols/tcp/main.zeek </scripts/base/packet-protocols/tcp/main.zeek>`
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/tcp/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/packet-protocols/tcp
4 | ==================================
5 |
6 |
7 | :doc:`/scripts/base/packet-protocols/tcp/__load__.zeek`
8 |
9 |
10 | :doc:`/scripts/base/packet-protocols/tcp/main.zeek`
11 |
12 |
13 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/tcp/main.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/packet-protocols/tcp/main.zeek
4 | ===================================
5 | .. zeek:namespace:: PacketAnalyzer::TCP
6 |
7 |
8 | :Namespace: PacketAnalyzer::TCP
9 |
10 | Summary
11 | ~~~~~~~
12 |
13 | Detailed Interface
14 | ~~~~~~~~~~~~~~~~~~
15 |
16 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/teredo/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/packet-protocols/teredo/__load__.zeek
4 | ==========================================
5 |
6 |
7 | :Imports: :doc:`base/packet-protocols/teredo/main.zeek </scripts/base/packet-protocols/teredo/main.zeek>`
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/teredo/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/packet-protocols/teredo
4 | =====================================
5 |
6 |
7 | :doc:`/scripts/base/packet-protocols/teredo/__load__.zeek`
8 |
9 |
10 | :doc:`/scripts/base/packet-protocols/teredo/main.zeek`
11 |
12 |
13 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/udp/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/packet-protocols/udp/__load__.zeek
4 | =======================================
5 |
6 |
7 | :Imports: :doc:`base/packet-protocols/udp/main.zeek </scripts/base/packet-protocols/udp/main.zeek>`
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/udp/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/packet-protocols/udp
4 | ==================================
5 |
6 |
7 | :doc:`/scripts/base/packet-protocols/udp/__load__.zeek`
8 |
9 |
10 | :doc:`/scripts/base/packet-protocols/udp/main.zeek`
11 |
12 |
13 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/udp/main.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/packet-protocols/udp/main.zeek
4 | ===================================
5 | .. zeek:namespace:: PacketAnalyzer::UDP
6 |
7 |
8 | :Namespace: PacketAnalyzer::UDP
9 |
10 | Summary
11 | ~~~~~~~
12 |
13 | Detailed Interface
14 | ~~~~~~~~~~~~~~~~~~
15 |
16 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/vlan/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/packet-protocols/vlan/__load__.zeek
4 | ========================================
5 |
6 |
7 | :Imports: :doc:`base/packet-protocols/vlan/main.zeek </scripts/base/packet-protocols/vlan/main.zeek>`
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/vlan/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/packet-protocols/vlan
4 | ===================================
5 |
6 |
7 | :doc:`/scripts/base/packet-protocols/vlan/__load__.zeek`
8 |
9 |
10 | :doc:`/scripts/base/packet-protocols/vlan/main.zeek`
11 |
12 |
13 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/vntag/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/packet-protocols/vntag/__load__.zeek
4 | =========================================
5 |
6 |
7 | :Imports: :doc:`base/packet-protocols/vntag/main.zeek </scripts/base/packet-protocols/vntag/main.zeek>`
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/vntag/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/packet-protocols/vntag
4 | ====================================
5 |
6 |
7 | :doc:`/scripts/base/packet-protocols/vntag/__load__.zeek`
8 |
9 |
10 | :doc:`/scripts/base/packet-protocols/vntag/main.zeek`
11 |
12 |
13 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/vntag/main.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/packet-protocols/vntag/main.zeek
4 | =====================================
5 | .. zeek:namespace:: PacketAnalyzer::VNTAG
6 |
7 |
8 | :Namespace: PacketAnalyzer::VNTAG
9 |
10 | Summary
11 | ~~~~~~~
12 |
13 | Detailed Interface
14 | ~~~~~~~~~~~~~~~~~~
15 |
16 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/vxlan/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/packet-protocols/vxlan/__load__.zeek
4 | =========================================
5 |
6 |
7 | :Imports: :doc:`base/packet-protocols/vxlan/main.zeek </scripts/base/packet-protocols/vxlan/main.zeek>`
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/packet-protocols/vxlan/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/packet-protocols/vxlan
4 | ====================================
5 |
6 |
7 | :doc:`/scripts/base/packet-protocols/vxlan/__load__.zeek`
8 |
9 |
10 | :doc:`/scripts/base/packet-protocols/vxlan/main.zeek`
11 |
12 |
13 |
--------------------------------------------------------------------------------
/scripts/base/protocols/conn/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/protocols/conn/__load__.zeek
4 | =================================
5 |
6 |
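7 | :Imports: :doc:`base/protocols/conn/contents.zeek </scripts/base/protocols/conn/contents.zeek>`, :doc:`base/protocols/conn/inactivity.zeek </scripts/base/protocols/conn/inactivity.zeek>`, :doc:`base/protocols/conn/main.zeek </scripts/base/protocols/conn/main.zeek>`, :doc:`base/protocols/conn/polling.zeek </scripts/base/protocols/conn/polling.zeek>`, :doc:`base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>`, :doc:`base/protocols/conn/thresholds.zeek </scripts/base/protocols/conn/thresholds.zeek>`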
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/protocols/dce-rpc/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/protocols/dce-rpc/__load__.zeek
4 | ====================================
5 |
6 |
7 | :Imports: :doc:`base/protocols/dce-rpc/consts.zeek </scripts/base/protocols/dce-rpc/consts.zeek>`, :doc:`base/protocols/dce-rpc/main.zeek </scripts/base/protocols/dce-rpc/main.zeek>`
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/protocols/dce-rpc/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/protocols/dce-rpc
4 | ===============================
5 |
6 | Support for DCE/RPC (Distributed Computing Environment/Remote Procedure
7 | Calls) protocol analysis.
8 |
9 | :doc:`/scripts/base/protocols/dce-rpc/__load__.zeek`
10 |
11 |
12 | :doc:`/scripts/base/protocols/dce-rpc/consts.zeek`
13 |
14 |
15 | :doc:`/scripts/base/protocols/dce-rpc/main.zeek`
16 |
17 |
18 |
--------------------------------------------------------------------------------
/scripts/base/protocols/dhcp/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/protocols/dhcp/__load__.zeek
4 | =================================
5 |
6 |
7 | :Imports: :doc:`base/protocols/dhcp/consts.zeek </scripts/base/protocols/dhcp/consts.zeek>`, :doc:`base/protocols/dhcp/main.zeek </scripts/base/protocols/dhcp/main.zeek>`
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/protocols/dhcp/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/protocols/dhcp
4 | ============================
5 |
6 | Support for Dynamic Host Configuration Protocol (DHCP) analysis.
7 |
8 | :doc:`/scripts/base/protocols/dhcp/__load__.zeek`
9 |
10 |
11 | :doc:`/scripts/base/protocols/dhcp/consts.zeek`
12 |
13 | Types, errors, and fields for analyzing DHCP data. A helper file
14 | for DHCP analysis scripts.
15 |
16 | :doc:`/scripts/base/protocols/dhcp/main.zeek`
17 |
18 | Analyze DHCP traffic and provide a log that is organized around
19 | the idea of a DHCP "conversation" defined by messages exchanged within
20 | a relatively short period of time using the same transaction ID.
21 | The log will have information from clients and servers to give a more
22 | complete picture of what happened.
23 |
24 |
--------------------------------------------------------------------------------
/scripts/base/protocols/dnp3/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/protocols/dnp3/__load__.zeek
4 | =================================
5 |
6 |
7 | :Imports: :doc:`base/protocols/dnp3/main.zeek </scripts/base/protocols/dnp3/main.zeek>`
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/protocols/dnp3/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/protocols/dnp3
4 | ============================
5 |
6 | Support for Distributed Network Protocol (DNP3) analysis.
7 |
8 | :doc:`/scripts/base/protocols/dnp3/__load__.zeek`
9 |
10 |
11 | :doc:`/scripts/base/protocols/dnp3/main.zeek`
12 |
13 | A very basic DNP3 analysis script that just logs requests and replies.
14 |
15 | :doc:`/scripts/base/protocols/dnp3/consts.zeek`
16 |
17 |
18 |
--------------------------------------------------------------------------------
/scripts/base/protocols/dns/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/protocols/dns/__load__.zeek
4 | ================================
5 |
6 |
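7 | :Imports: :doc:`base/protocols/dns/check-event-handlers.zeek </scripts/base/protocols/dns/check-event-handlers.zeek>`, :doc:`base/protocols/dns/consts.zeek </scripts/base/protocols/dns/consts.zeek>`, :doc:`base/protocols/dns/main.zeek </scripts/base/protocols/dns/main.zeek>`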
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/protocols/dns/check-event-handlers.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/protocols/dns/check-event-handlers.zeek
4 | ============================================
5 | .. zeek:namespace:: DNS
6 |
7 | This script checks if DNS event handlers that will not be raised
8 | are used and raises a warning in those cases.
9 |
10 | :Namespace: DNS
11 |
12 | Summary
13 | ~~~~~~~
14 |
15 | Detailed Interface
16 | ~~~~~~~~~~~~~~~~~~
17 |
18 |
--------------------------------------------------------------------------------
/scripts/base/protocols/dns/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/protocols/dns
4 | ===========================
5 |
6 | Support for Domain Name System (DNS) protocol analysis.
7 |
8 | :doc:`/scripts/base/protocols/dns/__load__.zeek`
9 |
10 |
11 | :doc:`/scripts/base/protocols/dns/consts.zeek`
12 |
13 | Types, errors, and fields for analyzing DNS data. A helper file
14 | for DNS analysis scripts.
15 |
16 | :doc:`/scripts/base/protocols/dns/main.zeek`
17 |
18 | Base DNS analysis script which tracks and logs DNS queries along with
19 | their responses.
20 |
21 | :doc:`/scripts/base/protocols/dns/check-event-handlers.zeek`
22 |
23 | This script checks if DNS event handlers that will not be raised
24 | are used and raises a warning in those cases.
25 |
26 |
--------------------------------------------------------------------------------
/scripts/base/protocols/finger/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/protocols/finger/__load__.zeek
4 | ===================================
5 |
6 |
7 | :Imports: :doc:`base/protocols/finger/main.zeek </scripts/base/protocols/finger/main.zeek>`, :doc:`base/protocols/finger/spicy-events.zeek </scripts/base/protocols/finger/spicy-events.zeek>`
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/protocols/finger/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/protocols/finger
4 | ==============================
5 |
6 |
7 | :doc:`/scripts/base/protocols/finger/__load__.zeek`
8 |
9 |
10 | :doc:`/scripts/base/protocols/finger/spicy-events.zeek`
11 |
12 | Events generated by the Finger analyzer.
13 |
14 | :doc:`/scripts/base/protocols/finger/main.zeek`
15 |
16 | Implements base functionality for Finger analysis. We currently do not generate
17 | a log file, but just configure the analyzer.
18 |
19 |
--------------------------------------------------------------------------------
/scripts/base/protocols/ftp/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/protocols/ftp/__load__.zeek
4 | ================================
5 |
6 |
7 | :Imports: :doc:`base/protocols/ftp/files.zeek `, :doc:`base/protocols/ftp/gridftp.zeek `, :doc:`base/protocols/ftp/info.zeek `, :doc:`base/protocols/ftp/main.zeek `, :doc:`base/protocols/ftp/utils-commands.zeek `, :doc:`base/protocols/ftp/utils.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/protocols/http/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/protocols/http/__load__.zeek
4 | =================================
5 |
6 |
7 | :Imports: :doc:`base/protocols/http/entities.zeek `, :doc:`base/protocols/http/files.zeek `, :doc:`base/protocols/http/main.zeek `, :doc:`base/protocols/http/utils.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/protocols/http/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/protocols/http
4 | ============================
5 |
6 | Support for Hypertext Transfer Protocol (HTTP) analysis.
7 |
8 | :doc:`/scripts/base/protocols/http/__load__.zeek`
9 |
10 |
11 | :doc:`/scripts/base/protocols/http/main.zeek`
12 |
13 | Implements base functionality for HTTP analysis. The logging model is
14 | to log request/response pairs and all relevant metadata together in
15 | a single record.
16 |
17 | :doc:`/scripts/base/protocols/http/entities.zeek`
18 |
19 | Analysis and logging for MIME entities found in HTTP sessions.
20 |
21 | :doc:`/scripts/base/protocols/http/utils.zeek`
22 |
23 | Utilities specific to HTTP processing.
24 |
25 | :doc:`/scripts/base/protocols/http/files.zeek`
26 |
27 |
28 |
--------------------------------------------------------------------------------
/scripts/base/protocols/imap/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/protocols/imap/__load__.zeek
4 | =================================
5 |
6 |
7 | :Imports: :doc:`base/protocols/imap/main.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/protocols/imap/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/protocols/imap
4 | ============================
5 |
6 | Support for the Internet Message Access Protocol (IMAP).
7 |
8 | Note that the IMAP analyzer currently only analyzes IMAP sessions up to the
9 | point at which they either switch to TLS using StartTLS or continue without
10 | it. Hence, we do not get mails from IMAP sessions, only X509 certificates.
11 |
12 | :doc:`/scripts/base/protocols/imap/__load__.zeek`
13 |
14 |
15 | :doc:`/scripts/base/protocols/imap/main.zeek`
16 |
17 |
18 |
--------------------------------------------------------------------------------
/scripts/base/protocols/imap/main.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/protocols/imap/main.zeek
4 | =============================
5 | .. zeek:namespace:: IMAP
6 |
7 |
8 | :Namespace: IMAP
9 |
10 | Summary
11 | ~~~~~~~
12 | Redefinitions
13 | #############
14 | ==================================================================== =
15 | :zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef`
16 | ==================================================================== =
17 |
18 |
19 | Detailed Interface
20 | ~~~~~~~~~~~~~~~~~~
21 |
22 |
--------------------------------------------------------------------------------
/scripts/base/protocols/irc/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/protocols/irc/__load__.zeek
4 | ================================
5 |
6 |
7 | :Imports: :doc:`base/protocols/irc/dcc-send.zeek `, :doc:`base/protocols/irc/files.zeek `, :doc:`base/protocols/irc/main.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/protocols/krb/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/protocols/krb/__load__.zeek
4 | ================================
5 |
6 |
7 | :Imports: :doc:`base/protocols/krb/files.zeek `, :doc:`base/protocols/krb/main.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/protocols/krb/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/protocols/krb
4 | ===========================
5 |
6 | Support for Kerberos protocol analysis.
7 |
8 | :doc:`/scripts/base/protocols/krb/__load__.zeek`
9 |
10 |
11 | :doc:`/scripts/base/protocols/krb/main.zeek`
12 |
13 | Implements base functionality for KRB analysis. Generates the kerberos.log
14 | file.
15 |
16 | :doc:`/scripts/base/protocols/krb/consts.zeek`
17 |
18 |
19 | :doc:`/scripts/base/protocols/krb/files.zeek`
20 |
21 |
22 |
--------------------------------------------------------------------------------
/scripts/base/protocols/ldap/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/protocols/ldap/__load__.zeek
4 | =================================
5 |
6 |
7 | :Imports: :doc:`base/protocols/ldap/consts.zeek `, :doc:`base/protocols/ldap/main.zeek `, :doc:`base/protocols/ldap/spicy-events.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/protocols/ldap/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/protocols/ldap
4 | ============================
5 |
6 |
7 | :doc:`/scripts/base/protocols/ldap/__load__.zeek`
8 |
9 |
10 | :doc:`/scripts/base/protocols/ldap/spicy-events.zeek`
11 |
12 | Events generated by the LDAP analyzer.
13 |
14 | See `RFC4511 <https://www.rfc-editor.org/rfc/rfc4511>`__.
15 |
16 | :doc:`/scripts/base/protocols/ldap/consts.zeek`
17 |
18 |
19 | :doc:`/scripts/base/protocols/ldap/main.zeek`
20 |
21 |
22 |
--------------------------------------------------------------------------------
/scripts/base/protocols/modbus/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/protocols/modbus/__load__.zeek
4 | ===================================
5 |
6 |
7 | :Imports: :doc:`base/protocols/modbus/consts.zeek `, :doc:`base/protocols/modbus/main.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/protocols/modbus/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/protocols/modbus
4 | ==============================
5 |
6 | Support for Modbus protocol analysis.
7 |
8 | :doc:`/scripts/base/protocols/modbus/__load__.zeek`
9 |
10 |
11 | :doc:`/scripts/base/protocols/modbus/consts.zeek`
12 |
13 |
14 | :doc:`/scripts/base/protocols/modbus/main.zeek`
15 |
16 | Base Modbus analysis script.
17 |
18 |
--------------------------------------------------------------------------------
/scripts/base/protocols/mqtt/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/protocols/mqtt/__load__.zeek
4 | =================================
5 |
6 |
7 | :Imports: :doc:`base/protocols/mqtt/consts.zeek `, :doc:`base/protocols/mqtt/main.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/protocols/mqtt/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/protocols/mqtt
4 | ============================
5 |
6 | Support for MQTT protocol analysis.
7 |
8 | :doc:`/scripts/base/protocols/mqtt/__load__.zeek`
9 |
10 |
11 | :doc:`/scripts/base/protocols/mqtt/consts.zeek`
12 |
13 | Constant definitions for MQTT.
14 |
15 | :doc:`/scripts/base/protocols/mqtt/main.zeek`
16 |
17 | Implements base functionality for MQTT (v3.1.1) analysis.
18 | Generates the mqtt.log file.
19 |
20 |
--------------------------------------------------------------------------------
/scripts/base/protocols/mysql/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/protocols/mysql/__load__.zeek
4 | ==================================
5 |
6 |
7 | :Imports: :doc:`base/protocols/mysql/main.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/protocols/mysql/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/protocols/mysql
4 | =============================
5 |
6 | Support for MySQL protocol analysis.
7 |
8 | :doc:`/scripts/base/protocols/mysql/__load__.zeek`
9 |
10 |
11 | :doc:`/scripts/base/protocols/mysql/main.zeek`
12 |
13 | Implements base functionality for MySQL analysis. Generates the mysql.log file.
14 |
15 | :doc:`/scripts/base/protocols/mysql/consts.zeek`
16 |
17 |
18 |
--------------------------------------------------------------------------------
/scripts/base/protocols/ntlm/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/protocols/ntlm/__load__.zeek
4 | =================================
5 |
6 |
7 | :Imports: :doc:`base/protocols/ntlm/main.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/protocols/ntlm/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/protocols/ntlm
4 | ============================
5 |
6 | Support for NT LAN Manager (NTLM) protocol analysis.
7 |
8 | :doc:`/scripts/base/protocols/ntlm/__load__.zeek`
9 |
10 |
11 | :doc:`/scripts/base/protocols/ntlm/main.zeek`
12 |
13 |
14 |
--------------------------------------------------------------------------------
/scripts/base/protocols/ntp/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/protocols/ntp/__load__.zeek
4 | ================================
5 |
6 |
7 | :Imports: :doc:`base/protocols/ntp/consts.zeek `, :doc:`base/protocols/ntp/main.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/protocols/ntp/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/protocols/ntp
4 | ===========================
5 |
6 |
7 | :doc:`/scripts/base/protocols/ntp/__load__.zeek`
8 |
9 |
10 | :doc:`/scripts/base/protocols/ntp/main.zeek`
11 |
12 |
13 | :doc:`/scripts/base/protocols/ntp/consts.zeek`
14 |
15 |
16 |
--------------------------------------------------------------------------------
/scripts/base/protocols/pop3/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/protocols/pop3/__load__.zeek
4 | =================================
5 |
6 |
7 |
8 | Summary
9 | ~~~~~~~
10 |
11 | Detailed Interface
12 | ~~~~~~~~~~~~~~~~~~
13 |
14 |
--------------------------------------------------------------------------------
/scripts/base/protocols/pop3/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/protocols/pop3
4 | ============================
5 |
6 | Support for POP3 (Post Office Protocol) analysis.
7 |
8 | :doc:`/scripts/base/protocols/pop3/__load__.zeek`
9 |
10 |
11 |
--------------------------------------------------------------------------------
/scripts/base/protocols/postgresql/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/protocols/postgresql/__load__.zeek
4 | =======================================
5 |
6 |
7 | :Imports: :doc:`base/protocols/postgresql/consts.zeek `, :doc:`base/protocols/postgresql/main.zeek `, :doc:`base/protocols/postgresql/spicy-events.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/protocols/postgresql/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/protocols/postgresql
4 | ==================================
5 |
6 |
7 | :doc:`/scripts/base/protocols/postgresql/__load__.zeek`
8 |
9 |
10 | :doc:`/scripts/base/protocols/postgresql/consts.zeek`
11 |
12 |
13 | :doc:`/scripts/base/protocols/postgresql/spicy-events.zeek`
14 |
15 | Events generated by the PostgreSQL analyzer.
16 |
17 | :doc:`/scripts/base/protocols/postgresql/main.zeek`
18 |
19 | Implements base functionality for PostgreSQL analysis.
20 |
21 |
--------------------------------------------------------------------------------
/scripts/base/protocols/quic/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/protocols/quic/__load__.zeek
4 | =================================
5 |
6 |
7 | :Imports: :doc:`base/protocols/quic/consts.zeek `, :doc:`base/protocols/quic/main.zeek `, :doc:`base/protocols/quic/spicy-events.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/protocols/quic/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/protocols/quic
4 | ============================
5 |
6 |
7 | :doc:`/scripts/base/protocols/quic/__load__.zeek`
8 |
9 |
10 | :doc:`/scripts/base/protocols/quic/spicy-events.zeek`
11 |
12 | Events generated by the QUIC analyzer.
13 |
14 | See `RFC9000 <https://www.rfc-editor.org/rfc/rfc9000>`__.
15 |
16 | :doc:`/scripts/base/protocols/quic/consts.zeek`
17 |
18 |
19 | :doc:`/scripts/base/protocols/quic/main.zeek`
20 |
21 | Implements base functionality for QUIC analysis. Generates quic.log.
22 |
23 |
--------------------------------------------------------------------------------
/scripts/base/protocols/radius/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/protocols/radius/__load__.zeek
4 | ===================================
5 |
6 |
7 | :Imports: :doc:`base/protocols/radius/main.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/protocols/radius/consts.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/protocols/radius/consts.zeek
4 | =================================
5 | .. zeek:namespace:: RADIUS
6 |
7 |
8 | :Namespace: RADIUS
9 |
10 | Summary
11 | ~~~~~~~
12 |
13 | Detailed Interface
14 | ~~~~~~~~~~~~~~~~~~
15 |
16 |
--------------------------------------------------------------------------------
/scripts/base/protocols/radius/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/protocols/radius
4 | ==============================
5 |
6 | Support for RADIUS protocol analysis.
7 |
8 | :doc:`/scripts/base/protocols/radius/__load__.zeek`
9 |
10 |
11 | :doc:`/scripts/base/protocols/radius/main.zeek`
12 |
13 | Implements base functionality for RADIUS analysis. Generates the radius.log file.
14 |
15 | :doc:`/scripts/base/protocols/radius/consts.zeek`
16 |
17 |
18 |
--------------------------------------------------------------------------------
/scripts/base/protocols/rdp/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/protocols/rdp/__load__.zeek
4 | ================================
5 |
6 |
7 | :Imports: :doc:`base/protocols/rdp/consts.zeek `, :doc:`base/protocols/rdp/main.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/protocols/rdp/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/protocols/rdp
4 | ===========================
5 |
6 | Support for Remote Desktop Protocol (RDP) analysis.
7 |
8 | :doc:`/scripts/base/protocols/rdp/__load__.zeek`
9 |
10 |
11 | :doc:`/scripts/base/protocols/rdp/consts.zeek`
12 |
13 |
14 | :doc:`/scripts/base/protocols/rdp/main.zeek`
15 |
16 | Implements base functionality for RDP analysis. Generates the rdp.log file.
17 |
18 |
--------------------------------------------------------------------------------
/scripts/base/protocols/redis/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/protocols/redis/__load__.zeek
4 | ==================================
5 |
6 |
7 | :Imports: :doc:`base/protocols/redis/main.zeek `, :doc:`base/protocols/redis/spicy-events.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/protocols/redis/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/protocols/redis
4 | =============================
5 |
6 |
7 | :doc:`/scripts/base/protocols/redis/__load__.zeek`
8 |
9 |
10 | :doc:`/scripts/base/protocols/redis/spicy-events.zeek`
11 |
12 | Events and records generated by the Redis analyzer.
13 |
14 | :doc:`/scripts/base/protocols/redis/main.zeek`
15 |
16 |
17 |
--------------------------------------------------------------------------------
/scripts/base/protocols/rfb/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/protocols/rfb/__load__.zeek
4 | ================================
5 |
6 |
7 | :Imports: :doc:`base/protocols/rfb/main.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/protocols/rfb/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/protocols/rfb
4 | ===========================
5 |
6 | Support for Remote FrameBuffer analysis. This includes all VNC servers.
7 |
8 | :doc:`/scripts/base/protocols/rfb/__load__.zeek`
9 |
10 |
11 | :doc:`/scripts/base/protocols/rfb/main.zeek`
12 |
13 |
14 |
--------------------------------------------------------------------------------
/scripts/base/protocols/sip/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/protocols/sip/__load__.zeek
4 | ================================
5 |
6 |
7 | :Imports: :doc:`base/protocols/sip/main.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/protocols/sip/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/protocols/sip
4 | ===========================
5 |
6 | Support for Session Initiation Protocol (SIP) analysis.
7 |
8 | :doc:`/scripts/base/protocols/sip/__load__.zeek`
9 |
10 |
11 | :doc:`/scripts/base/protocols/sip/main.zeek`
12 |
13 | Implements base functionality for SIP analysis. The logging model is
14 | to log request/response pairs and all relevant metadata together in
15 | a single record.
16 |
17 |
--------------------------------------------------------------------------------
/scripts/base/protocols/smb/const-dos-error.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/protocols/smb/const-dos-error.zeek
4 | =======================================
5 | .. zeek:namespace:: SMB
6 |
7 |
8 | :Namespace: SMB
9 | :Imports: :doc:`base/protocols/smb/consts.zeek `
10 |
11 | Summary
12 | ~~~~~~~
13 | Redefinitions
14 | #############
15 | ============================================================================================================== =
16 | :zeek:id:`SMB::statuses`: :zeek:type:`table` :zeek:attr:`&redef` :zeek:attr:`&default` = :zeek:type:`function`
17 | ============================================================================================================== =
18 |
19 |
20 | Detailed Interface
21 | ~~~~~~~~~~~~~~~~~~
22 |
23 |
--------------------------------------------------------------------------------
/scripts/base/protocols/smb/const-nt-status.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/protocols/smb/const-nt-status.zeek
4 | =======================================
5 | .. zeek:namespace:: SMB
6 |
7 |
8 | :Namespace: SMB
9 | :Imports: :doc:`base/protocols/smb/consts.zeek `
10 |
11 | Summary
12 | ~~~~~~~
13 | Redefinitions
14 | #############
15 | ============================================================================================================== =
16 | :zeek:id:`SMB::statuses`: :zeek:type:`table` :zeek:attr:`&redef` :zeek:attr:`&default` = :zeek:type:`function`
17 | ============================================================================================================== =
18 |
19 |
20 | Detailed Interface
21 | ~~~~~~~~~~~~~~~~~~
22 |
23 |
--------------------------------------------------------------------------------
/scripts/base/protocols/smb/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/protocols/smb
4 | ===========================
5 |
6 | Support for SMB protocol analysis.
7 |
8 | :doc:`/scripts/base/protocols/smb/__load__.zeek`
9 |
10 |
11 | :doc:`/scripts/base/protocols/smb/consts.zeek`
12 |
13 |
14 | :doc:`/scripts/base/protocols/smb/const-dos-error.zeek`
15 |
16 |
17 | :doc:`/scripts/base/protocols/smb/const-nt-status.zeek`
18 |
19 |
20 | :doc:`/scripts/base/protocols/smb/main.zeek`
21 |
22 |
23 | :doc:`/scripts/base/protocols/smb/smb1-main.zeek`
24 |
25 |
26 | :doc:`/scripts/base/protocols/smb/smb2-main.zeek`
27 |
28 |
29 | :doc:`/scripts/base/protocols/smb/files.zeek`
30 |
31 |
32 |
--------------------------------------------------------------------------------
/scripts/base/protocols/smtp/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/protocols/smtp/__load__.zeek
4 | =================================
5 |
6 |
7 | :Imports: :doc:`base/protocols/smtp/entities.zeek `, :doc:`base/protocols/smtp/files.zeek `, :doc:`base/protocols/smtp/main.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/protocols/smtp/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/protocols/smtp
4 | ============================
5 |
6 | Support for Simple Mail Transfer Protocol (SMTP) analysis.
7 |
8 | :doc:`/scripts/base/protocols/smtp/__load__.zeek`
9 |
10 |
11 | :doc:`/scripts/base/protocols/smtp/main.zeek`
12 |
13 |
14 | :doc:`/scripts/base/protocols/smtp/entities.zeek`
15 |
16 | Analysis and logging for MIME entities found in SMTP sessions.
17 |
18 | :doc:`/scripts/base/protocols/smtp/files.zeek`
19 |
20 |
21 |
--------------------------------------------------------------------------------
/scripts/base/protocols/snmp/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/protocols/snmp/__load__.zeek
4 | =================================
5 |
6 |
7 | :Imports: :doc:`base/protocols/snmp/main.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/protocols/snmp/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/protocols/snmp
4 | ============================
5 |
6 | Support for Simple Network Management Protocol (SNMP) analysis.
7 |
8 | :doc:`/scripts/base/protocols/snmp/__load__.zeek`
9 |
10 |
11 | :doc:`/scripts/base/protocols/snmp/main.zeek`
12 |
13 | Enables analysis and logging of SNMP datagrams.
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/protocols/socks/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/protocols/socks/__load__.zeek
4 | ==================================
5 |
6 |
7 | :Imports: :doc:`base/protocols/socks/consts.zeek `, :doc:`base/protocols/socks/main.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/protocols/socks/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/protocols/socks
4 | =============================
5 |
6 | Support for Socket Secure (SOCKS) protocol analysis.
7 |
8 | :doc:`/scripts/base/protocols/socks/__load__.zeek`
9 |
10 |
11 | :doc:`/scripts/base/protocols/socks/consts.zeek`
12 |
13 |
14 | :doc:`/scripts/base/protocols/socks/main.zeek`
15 |
16 |
17 |
--------------------------------------------------------------------------------
/scripts/base/protocols/ssh/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/protocols/ssh/__load__.zeek
4 | ================================
5 |
6 |
7 | :Imports: :doc:`base/protocols/ssh/main.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/protocols/ssh/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/protocols/ssh
4 | ===========================
5 |
6 | Support for SSH protocol analysis.
7 |
8 | :doc:`/scripts/base/protocols/ssh/__load__.zeek`
9 |
10 |
11 | :doc:`/scripts/base/protocols/ssh/main.zeek`
12 |
13 | Implements base functionality for SSH analysis. Generates the ssh.log file.
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/protocols/ssl/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/protocols/ssl/__load__.zeek
4 | ================================
5 |
6 |
7 | :Imports: :doc:`base/protocols/ssl/consts.zeek `, :doc:`base/protocols/ssl/ct-list.zeek `, :doc:`base/protocols/ssl/files.zeek `, :doc:`base/protocols/ssl/main.zeek `, :doc:`base/protocols/ssl/mozilla-ca-list.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/protocols/ssl/ct-list.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/protocols/ssl/ct-list.zeek
4 | ===============================
5 | .. zeek:namespace:: SSL
6 |
7 |
8 | :Namespace: SSL
9 | :Imports: :doc:`base/protocols/ssl `
10 |
11 | Summary
12 | ~~~~~~~
13 | Redefinitions
14 | #############
15 | =============================================================== =
16 | :zeek:id:`SSL::ct_logs`: :zeek:type:`table` :zeek:attr:`&redef`
17 | =============================================================== =
18 |
19 |
20 | Detailed Interface
21 | ~~~~~~~~~~~~~~~~~~
22 |
23 |
--------------------------------------------------------------------------------
/scripts/base/protocols/ssl/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/protocols/ssl
4 | ===========================
5 |
6 | Support for Secure Sockets Layer (SSL)/Transport Layer Security (TLS) protocol analysis.
7 |
8 | :doc:`/scripts/base/protocols/ssl/__load__.zeek`
9 |
10 |
11 | :doc:`/scripts/base/protocols/ssl/consts.zeek`
12 |
13 |
14 | :doc:`/scripts/base/protocols/ssl/main.zeek`
15 |
16 | Base SSL analysis script. This script logs information about the SSL/TLS
17 | handshaking and encryption establishment process.
18 |
19 | :doc:`/scripts/base/protocols/ssl/mozilla-ca-list.zeek`
20 |
21 |
22 | :doc:`/scripts/base/protocols/ssl/ct-list.zeek`
23 |
24 |
25 | :doc:`/scripts/base/protocols/ssl/files.zeek`
26 |
27 |
28 |
--------------------------------------------------------------------------------
/scripts/base/protocols/ssl/mozilla-ca-list.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/protocols/ssl/mozilla-ca-list.zeek
4 | =======================================
5 | .. zeek:namespace:: SSL
6 |
7 |
8 | :Namespace: SSL
9 | :Imports: :doc:`base/protocols/ssl `
10 |
11 | Summary
12 | ~~~~~~~
13 | Redefinitions
14 | #############
15 | ================================================================== =
16 | :zeek:id:`SSL::root_certs`: :zeek:type:`table` :zeek:attr:`&redef`
17 | ================================================================== =
18 |
19 |
20 | Detailed Interface
21 | ~~~~~~~~~~~~~~~~~~
22 |
23 |
--------------------------------------------------------------------------------
/scripts/base/protocols/syslog/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/protocols/syslog/__load__.zeek
4 | ===================================
5 |
6 |
7 | :Imports: :doc:`base/protocols/syslog/consts.zeek `, :doc:`base/protocols/syslog/main.zeek `, :doc:`base/protocols/syslog/spicy-events.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/protocols/syslog/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/protocols/syslog
4 | ==============================
5 |
6 | Support for Syslog protocol analysis.
7 |
8 | :doc:`/scripts/base/protocols/syslog/__load__.zeek`
9 |
10 |
11 | :doc:`/scripts/base/protocols/syslog/spicy-events.zeek`
12 |
13 | Events generated by the Syslog analyzer.
14 |
15 | :doc:`/scripts/base/protocols/syslog/consts.zeek`
16 |
17 | Constants definitions for syslog.
18 |
19 | :doc:`/scripts/base/protocols/syslog/main.zeek`
20 |
21 | Core script support for logging syslog messages. This script represents
22 | one syslog message as one logged record.
23 |
24 |
--------------------------------------------------------------------------------
/scripts/base/protocols/tunnels/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/protocols/tunnels/__load__.zeek
4 | ====================================
5 |
6 |
7 |
8 | Summary
9 | ~~~~~~~
10 |
11 | Detailed Interface
12 | ~~~~~~~~~~~~~~~~~~
13 |
14 |
--------------------------------------------------------------------------------
/scripts/base/protocols/tunnels/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/protocols/tunnels
4 | ===============================
5 |
6 | Provides dynamic protocol detection (DPD) signatures for tunneling
7 | protocols that otherwise wouldn't be detected at all.
8 |
9 | :doc:`/scripts/base/protocols/tunnels/__load__.zeek`
10 |
11 |
12 |
--------------------------------------------------------------------------------
/scripts/base/protocols/websocket/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/protocols/websocket/__load__.zeek
4 | ======================================
5 |
6 |
7 | :Imports: :doc:`base/protocols/websocket/consts.zeek `, :doc:`base/protocols/websocket/main.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/protocols/websocket/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/protocols/websocket
4 | =================================
5 |
6 |
7 | :doc:`/scripts/base/protocols/websocket/__load__.zeek`
8 |
9 |
10 | :doc:`/scripts/base/protocols/websocket/consts.zeek`
11 |
12 | WebSocket constants.
13 |
14 | :doc:`/scripts/base/protocols/websocket/main.zeek`
15 |
16 | Implements base functionality for WebSocket analysis.
17 |
18 | Upon a websocket_established() event, logs all gathered information into
19 | websocket.log and configures the WebSocket analyzer with the headers
20 | collected via http events.
21 |
22 |
--------------------------------------------------------------------------------
/scripts/base/protocols/xmpp/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/protocols/xmpp/__load__.zeek
4 | =================================
5 |
6 |
7 | :Imports: :doc:`base/protocols/xmpp/main.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/base/protocols/xmpp/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: base/protocols/xmpp
4 | ============================
5 |
6 | Support for the Extensible Messaging and Presence Protocol (XMPP).
7 |
8 | Note that the XMPP analyzer currently only analyzes XMPP sessions up to the
9 | point where they either switch to TLS using StartTLS or continue without it.
10 | Hence, we do not get actual chat information from XMPP sessions, only X509 certificates.
11 |
12 | :doc:`/scripts/base/protocols/xmpp/__load__.zeek`
13 |
14 |
15 | :doc:`/scripts/base/protocols/xmpp/main.zeek`
16 |
17 |
18 |
--------------------------------------------------------------------------------
/scripts/base/protocols/xmpp/main.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | base/protocols/xmpp/main.zeek
4 | =============================
5 | .. zeek:namespace:: XMPP
6 |
7 |
8 | :Namespace: XMPP
9 |
10 | Summary
11 | ~~~~~~~
12 | Redefinitions
13 | #############
14 | ==================================================================== =
15 | :zeek:id:`likely_server_ports`: :zeek:type:`set` :zeek:attr:`&redef`
16 | ==================================================================== =
17 |
18 |
19 | Detailed Interface
20 | ~~~~~~~~~~~~~~~~~~
21 |
22 |
--------------------------------------------------------------------------------
/scripts/builtin-plugins/Zeek_AF_Packet/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | builtin-plugins/Zeek_AF_Packet/__load__.zeek
4 | ============================================
5 |
6 |
7 | :Imports: :doc:`builtin-plugins/Zeek_AF_Packet/init.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/builtin-plugins/Zeek_AF_Packet/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: builtin-plugins/Zeek_AF_Packet
4 | =======================================
5 |
6 |
7 | :doc:`/scripts/builtin-plugins/Zeek_AF_Packet/__load__.zeek`
8 |
9 |
10 | :doc:`/scripts/builtin-plugins/Zeek_AF_Packet/init.zeek`
11 |
12 | Packet source using AF_Packet.
13 |
14 | Note: This module is in testing and is not yet considered stable!
15 |
16 |
--------------------------------------------------------------------------------
/scripts/builtin-plugins/Zeek_JavaScript/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: builtin-plugins/Zeek_JavaScript
4 | ========================================
5 |
6 |
7 | :doc:`/scripts/builtin-plugins/Zeek_JavaScript/__load__.zeek`
8 |
9 |
10 |
--------------------------------------------------------------------------------
/scripts/builtin-plugins/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | builtin-plugins/__load__.zeek
4 | =============================
5 |
6 |
7 | :Imports: :doc:`builtin-plugins/Zeek_AF_Packet/__load__.zeek `, :doc:`builtin-plugins/Zeek_JavaScript/__load__.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/builtin-plugins/__preload__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | builtin-plugins/__preload__.zeek
4 | ================================
5 |
6 |
7 |
8 | Summary
9 | ~~~~~~~
10 |
11 | Detailed Interface
12 | ~~~~~~~~~~~~~~~~~~
13 |
14 |
--------------------------------------------------------------------------------
/scripts/builtin-plugins/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: builtin-plugins
4 | ========================
5 |
6 |
7 | :doc:`/scripts/builtin-plugins/__preload__.zeek`
8 |
9 |
10 | :doc:`/scripts/builtin-plugins/__load__.zeek`
11 |
12 |
13 | :doc:`/scripts/builtin-plugins/Zeek_AF_Packet/__load__.zeek`
14 |
15 |
16 | :doc:`/scripts/builtin-plugins/Zeek_AF_Packet/init.zeek`
17 |
18 | Packet source using AF_Packet.
19 |
20 | Note: This module is in testing and is not yet considered stable!
21 |
22 | :doc:`/scripts/builtin-plugins/Zeek_JavaScript/__load__.zeek`
23 |
24 |
25 |
--------------------------------------------------------------------------------
/scripts/policy/frameworks/cluster/backend/zeromq/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | policy/frameworks/cluster/backend/zeromq/__load__.zeek
4 | ======================================================
5 |
6 |
7 | :Imports: :doc:`policy/frameworks/cluster/backend/zeromq/main.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/policy/frameworks/cluster/backend/zeromq/connect.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | policy/frameworks/cluster/backend/zeromq/connect.zeek
4 | =====================================================
5 | .. zeek:namespace:: Cluster::Backend::ZeroMQ
6 |
7 | Establish ZeroMQ connectivity with the broker.
8 |
9 | :Namespace: Cluster::Backend::ZeroMQ
10 | :Imports: :doc:`policy/frameworks/cluster/backend/zeromq/main.zeek `
11 |
12 | Summary
13 | ~~~~~~~
14 |
15 | Detailed Interface
16 | ~~~~~~~~~~~~~~~~~~
17 |
18 |
--------------------------------------------------------------------------------
/scripts/policy/frameworks/cluster/nodes-experimental/manager.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | policy/frameworks/cluster/nodes-experimental/manager.zeek
4 | =========================================================
5 | .. zeek:namespace:: Cluster::Experimental
6 |
7 | This script is loaded on the cluster manager to cover manager-related
8 | parts of experimental features.
9 |
10 | :Namespace: Cluster::Experimental
11 | :Imports: :doc:`base/frameworks/cluster `, :doc:`policy/frameworks/cluster/experimental.zeek `
12 |
13 | Summary
14 | ~~~~~~~
15 |
16 | Detailed Interface
17 | ~~~~~~~~~~~~~~~~~~
18 |
19 |
--------------------------------------------------------------------------------
/scripts/policy/frameworks/dpd/detect-protocols.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | policy/frameworks/dpd/detect-protocols.zeek
4 | ===========================================
5 |
6 |
7 | :Imports: :doc:`policy/frameworks/analyzer/detect-protocols.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/policy/frameworks/files/extract-all-files.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | policy/frameworks/files/extract-all-files.zeek
4 | ==============================================
5 |
6 | Extract all files to disk.
7 |
8 | :Imports: :doc:`base/files/extract `
9 |
10 | Summary
11 | ~~~~~~~
12 |
13 | Detailed Interface
14 | ~~~~~~~~~~~~~~~~~~
15 |
16 |
--------------------------------------------------------------------------------
/scripts/policy/frameworks/files/hash-all-files.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | policy/frameworks/files/hash-all-files.zeek
4 | ===========================================
5 |
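6 | Perform MD5 and SHA1 hashing on all files. Both algorithms are vulnerable to collisions, so treat these hashes as identifiers for lookup and correlation rather than as proof of file integrity.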
7 |
8 | :Imports: :doc:`base/files/hash `
9 |
10 | Summary
11 | ~~~~~~~
12 |
13 | Detailed Interface
14 | ~~~~~~~~~~~~~~~~~~
15 |
16 |
--------------------------------------------------------------------------------
/scripts/policy/frameworks/intel/do_expire.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | policy/frameworks/intel/do_expire.zeek
4 | ======================================
5 | .. zeek:namespace:: Intel
6 |
7 | This script enables expiration for intelligence items.
8 |
9 | :Namespace: Intel
10 | :Imports: :doc:`base/frameworks/intel `
11 |
12 | Summary
13 | ~~~~~~~
14 | Redefinitions
15 | #############
16 | ============================================================================ =
17 | :zeek:id:`Intel::item_expiration`: :zeek:type:`interval` :zeek:attr:`&redef`
18 | ============================================================================ =
19 |
20 |
21 | Detailed Interface
22 | ~~~~~~~~~~~~~~~~~~
23 |
24 |
--------------------------------------------------------------------------------
/scripts/policy/frameworks/intel/seen/conn-established.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | policy/frameworks/intel/seen/conn-established.zeek
4 | ==================================================
5 |
6 |
7 | :Imports: :doc:`base/frameworks/intel `, :doc:`policy/frameworks/intel/seen/where-locations.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/policy/frameworks/intel/seen/dns.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | policy/frameworks/intel/seen/dns.zeek
4 | =====================================
5 |
6 |
7 | :Imports: :doc:`base/frameworks/intel `, :doc:`policy/frameworks/intel/seen/where-locations.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/policy/frameworks/intel/seen/file-hashes.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | policy/frameworks/intel/seen/file-hashes.zeek
4 | =============================================
5 |
6 |
7 | :Imports: :doc:`base/frameworks/intel `, :doc:`policy/frameworks/intel/seen/where-locations.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/policy/frameworks/intel/seen/file-names.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | policy/frameworks/intel/seen/file-names.zeek
4 | ============================================
5 |
6 |
7 | :Imports: :doc:`base/frameworks/intel `, :doc:`policy/frameworks/intel/seen/where-locations.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/policy/frameworks/intel/seen/http-headers.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | policy/frameworks/intel/seen/http-headers.zeek
4 | ==============================================
5 |
6 |
7 | :Imports: :doc:`base/frameworks/intel `, :doc:`base/utils/addrs.zeek `, :doc:`policy/frameworks/intel/seen/where-locations.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/policy/frameworks/intel/seen/http-url.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | policy/frameworks/intel/seen/http-url.zeek
4 | ==========================================
5 |
6 |
7 | :Imports: :doc:`base/frameworks/intel `, :doc:`base/protocols/http/utils.zeek `, :doc:`policy/frameworks/intel/seen/where-locations.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/policy/frameworks/intel/seen/pubkey-hashes.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | policy/frameworks/intel/seen/pubkey-hashes.zeek
4 | ===============================================
5 |
6 |
7 | :Imports: :doc:`base/frameworks/intel `, :doc:`base/protocols/ssh `, :doc:`policy/frameworks/intel/seen/where-locations.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/policy/frameworks/intel/seen/smb-filenames.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | policy/frameworks/intel/seen/smb-filenames.zeek
4 | ===============================================
5 |
6 |
7 | :Imports: :doc:`base/frameworks/intel `, :doc:`base/protocols/smb `, :doc:`policy/frameworks/intel/seen/where-locations.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/policy/frameworks/intel/seen/smtp-url-extraction.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | policy/frameworks/intel/seen/smtp-url-extraction.zeek
4 | =====================================================
5 |
6 |
7 | :Imports: :doc:`base/frameworks/intel `, :doc:`base/protocols/smtp `, :doc:`base/utils/urls.zeek `, :doc:`policy/frameworks/intel/seen/where-locations.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/policy/frameworks/intel/seen/smtp.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | policy/frameworks/intel/seen/smtp.zeek
4 | ======================================
5 |
6 |
7 | :Imports: :doc:`base/frameworks/intel `, :doc:`base/protocols/smtp `, :doc:`base/utils/email.zeek `, :doc:`policy/frameworks/intel/seen/where-locations.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/policy/frameworks/intel/seen/ssl.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | policy/frameworks/intel/seen/ssl.zeek
4 | =====================================
5 |
6 |
7 | :Imports: :doc:`base/frameworks/intel `, :doc:`base/protocols/ssl `, :doc:`policy/frameworks/intel/seen/where-locations.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/policy/frameworks/management/agent/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | policy/frameworks/management/agent/__load__.zeek
4 | ================================================
5 |
6 | The entry point for the Management framework's cluster agent. It runs
7 | bootstrap logic for launching an agent process via Zeek's Supervisor.
8 |
9 |
10 | Summary
11 | ~~~~~~~
12 |
13 | Detailed Interface
14 | ~~~~~~~~~~~~~~~~~~
15 |
16 |
--------------------------------------------------------------------------------
/scripts/policy/frameworks/management/controller/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | policy/frameworks/management/controller/__load__.zeek
4 | =====================================================
5 |
6 | The entry point for the Management framework's cluster controller. It runs
7 | bootstrap logic for launching a controller process via Zeek's Supervisor.
8 |
9 |
10 | Summary
11 | ~~~~~~~
12 |
13 | Detailed Interface
14 | ~~~~~~~~~~~~~~~~~~
15 |
16 |
--------------------------------------------------------------------------------
/scripts/policy/frameworks/management/controller/boot.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | policy/frameworks/management/controller/boot.zeek
4 | =================================================
5 |
6 | The cluster controller's boot logic runs in Zeek's supervisor and instructs
7 | it to launch the Management controller process. The controller's main logic
8 | resides in main.zeek, similarly to other frameworks. The new process will
9 | execute that script.
10 |
11 | If the current process is not the Zeek supervisor, this does nothing.
12 |
13 | :Imports: :doc:`base/utils/paths.zeek `, :doc:`policy/frameworks/management/controller/config.zeek `
14 |
15 | Summary
16 | ~~~~~~~
17 |
18 | Detailed Interface
19 | ~~~~~~~~~~~~~~~~~~
20 |
21 |
--------------------------------------------------------------------------------
/scripts/policy/frameworks/management/node/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | policy/frameworks/management/node/__load__.zeek
4 | ===============================================
5 |
6 |
7 | :Imports: :doc:`policy/frameworks/management/node/main.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/policy/frameworks/management/supervisor/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | policy/frameworks/management/supervisor/__load__.zeek
4 | =====================================================
5 |
6 |
7 | :Imports: :doc:`policy/frameworks/management/supervisor/main.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/policy/frameworks/management/supervisor/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: policy/frameworks/management/supervisor
4 | ================================================
5 |
6 |
7 | :doc:`/scripts/policy/frameworks/management/supervisor/__load__.zeek`
8 |
9 |
10 | :doc:`/scripts/policy/frameworks/management/supervisor/main.zeek`
11 |
12 | This module provides functionality the Management framework places directly
13 | in the Supervisor.
14 |
15 | :doc:`/scripts/policy/frameworks/management/supervisor/api.zeek`
16 |
17 |
18 | :doc:`/scripts/policy/frameworks/management/supervisor/config.zeek`
19 |
20 | Configuration settings for the Management framework's supervisor extension.
21 |
22 |
--------------------------------------------------------------------------------
/scripts/policy/frameworks/notice/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | policy/frameworks/notice/__load__.zeek
4 | ======================================
5 |
6 |
7 | :Imports: :doc:`policy/frameworks/notice/extend-email/hostnames.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/policy/frameworks/notice/extend-email/hostnames.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | policy/frameworks/notice/extend-email/hostnames.zeek
4 | ====================================================
5 | .. zeek:namespace:: Notice
6 |
7 | Loading this script extends the :zeek:enum:`Notice::ACTION_EMAIL` action
8 | by appending to the email the hostnames associated with
9 | :zeek:type:`Notice::Info`'s *src* and *dst* fields as determined by a
10 | DNS lookup.
11 |
12 | :Namespace: Notice
13 | :Imports: :doc:`base/frameworks/notice/main.zeek `
14 |
15 | Summary
16 | ~~~~~~~
17 |
18 | Detailed Interface
19 | ~~~~~~~~~~~~~~~~~~
20 |
21 |
--------------------------------------------------------------------------------
/scripts/policy/frameworks/notice/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: policy/frameworks/notice
4 | =================================
5 |
6 |
7 | :doc:`/scripts/policy/frameworks/notice/__load__.zeek`
8 |
9 |
10 | :doc:`/scripts/policy/frameworks/notice/extend-email/hostnames.zeek`
11 |
12 | Loading this script extends the :zeek:enum:`Notice::ACTION_EMAIL` action
13 | by appending to the email the hostnames associated with
14 | :zeek:type:`Notice::Info`'s *src* and *dst* fields as determined by a
15 | DNS lookup.
16 |
17 | :doc:`/scripts/policy/frameworks/notice/actions/drop.zeek`
18 |
19 | This script extends the built-in notice code to implement the IP address
20 | dropping functionality.
21 |
22 | :doc:`/scripts/policy/frameworks/notice/community-id.zeek`
23 |
24 |
25 |
--------------------------------------------------------------------------------
/scripts/policy/frameworks/signatures/iso-9660.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | policy/frameworks/signatures/iso-9660.zeek
4 | ==========================================
5 |
6 | Load the signature for ISO 9660 disk images and increase
7 | default_file_bof_buffer_size to make it functional.
8 |
9 |
10 | Summary
11 | ~~~~~~~
12 | Redefinitions
13 | #############
14 | =============================================================================== =
15 | :zeek:id:`default_file_bof_buffer_size`: :zeek:type:`count` :zeek:attr:`&redef`
16 | =============================================================================== =
17 |
18 |
19 | Detailed Interface
20 | ~~~~~~~~~~~~~~~~~~
21 |
22 |
--------------------------------------------------------------------------------
/scripts/policy/frameworks/spicy/resource-usage.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | policy/frameworks/spicy/resource-usage.zeek
4 | ===========================================
5 | .. zeek:namespace:: Spicy
6 |
7 | Logs Spicy-related resource usage continuously for debugging purposes.
8 |
9 | :Namespace: Spicy
10 |
11 | Summary
12 | ~~~~~~~
13 |
14 | Detailed Interface
15 | ~~~~~~~~~~~~~~~~~~
16 |
17 |
--------------------------------------------------------------------------------
/scripts/policy/frameworks/storage/backend/redis/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | policy/frameworks/storage/backend/redis/__load__.zeek
4 | =====================================================
5 |
6 |
7 | :Imports: :doc:`policy/frameworks/storage/backend/redis/main.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/policy/frameworks/storage/backend/redis/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: policy/frameworks/storage/backend/redis
4 | ================================================
5 |
6 |
7 | :doc:`/scripts/policy/frameworks/storage/backend/redis/__load__.zeek`
8 |
9 |
10 | :doc:`/scripts/policy/frameworks/storage/backend/redis/main.zeek`
11 |
12 | Redis storage backend support
13 |
14 |
--------------------------------------------------------------------------------
/scripts/policy/frameworks/storage/backend/sqlite/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | policy/frameworks/storage/backend/sqlite/__load__.zeek
4 | ======================================================
5 |
6 |
7 | :Imports: :doc:`policy/frameworks/storage/backend/sqlite/main.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/policy/frameworks/storage/backend/sqlite/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: policy/frameworks/storage/backend/sqlite
4 | =================================================
5 |
6 |
7 | :doc:`/scripts/policy/frameworks/storage/backend/sqlite/__load__.zeek`
8 |
9 |
10 | :doc:`/scripts/policy/frameworks/storage/backend/sqlite/main.zeek`
11 |
12 | SQLite storage backend support
13 |
14 |
--------------------------------------------------------------------------------
/scripts/policy/integration/collective-intel/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | policy/integration/collective-intel/__load__.zeek
4 | =================================================
5 |
6 |
7 | :Imports: :doc:`policy/integration/collective-intel/main.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/policy/integration/collective-intel/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: policy/integration/collective-intel
4 | ============================================
5 |
6 | The scripts in this module are for deeper integration with the
7 | Collective Intelligence Framework (CIF) since Zeek's Intel framework
8 | doesn't natively behave the same as CIF, nor does it store and maintain
9 | the same data in all cases.
10 |
11 | :doc:`/scripts/policy/integration/collective-intel/__load__.zeek`
12 |
13 |
14 | :doc:`/scripts/policy/integration/collective-intel/main.zeek`
15 |
16 |
17 |
--------------------------------------------------------------------------------
/scripts/policy/misc/detect-traceroute/__load__.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | policy/misc/detect-traceroute/__load__.zeek
4 | ===========================================
5 |
6 |
7 | :Imports: :doc:`policy/misc/detect-traceroute/main.zeek `
8 |
9 | Summary
10 | ~~~~~~~
11 |
12 | Detailed Interface
13 | ~~~~~~~~~~~~~~~~~~
14 |
15 |
--------------------------------------------------------------------------------
/scripts/policy/misc/detect-traceroute/index.rst:
--------------------------------------------------------------------------------
1 | :orphan:
2 |
3 | Package: policy/misc/detect-traceroute
4 | ======================================
5 |
6 | Detect hosts that are running traceroute.
7 |
8 | :doc:`/scripts/policy/misc/detect-traceroute/__load__.zeek`
9 |
10 |
11 | :doc:`/scripts/policy/misc/detect-traceroute/main.zeek`
12 |
13 | This script detects a large number of ICMP Time Exceeded messages heading
14 | toward hosts that have sent low TTL packets. It generates a notice when the
15 | number of ICMP Time Exceeded messages for a source-destination pair exceeds
16 | a threshold.
17 |
18 |
--------------------------------------------------------------------------------
/scripts/policy/protocols/conn/disable-unknown-ip-proto-support.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | policy/protocols/conn/disable-unknown-ip-proto-support.zeek
4 | ===========================================================
5 |
6 | This script filters the ip_proto field out of the conn.log and disables
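7 | logging of connections with unknown IP protocols. Traffic using such protocols is then not logged, so detections or hunts that rely on those records lose visibility into it.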
8 |
9 | :Imports: :doc:`base/frameworks/analyzer/main.zeek `, :doc:`base/protocols/conn `
10 |
11 | Summary
12 | ~~~~~~~
13 | Redefinitions
14 | #############
15 | ============================================ =
16 | :zeek:type:`Conn::Info`: :zeek:type:`record`
17 | ============================================ =
18 |
19 |
20 | Detailed Interface
21 | ~~~~~~~~~~~~~~~~~~
22 |
23 |
--------------------------------------------------------------------------------
/scripts/policy/protocols/ssl/log-hostcerts-only.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | policy/protocols/ssl/log-hostcerts-only.zeek
4 | ============================================
5 | .. zeek:namespace:: X509
6 |
7 | When this script is loaded, only the host certificates (client and server)
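8 | will be logged to x509.log. Logging of all other certificates will be suppressed, so the other certificates of a presented chain (such as intermediate and CA certificates) cannot be reviewed from x509.log afterwards.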
9 |
10 | :Namespace: X509
11 | :Imports: :doc:`base/files/x509 `, :doc:`base/protocols/ssl `
12 |
13 | Summary
14 | ~~~~~~~
15 |
16 | Detailed Interface
17 | ~~~~~~~~~~~~~~~~~~
18 |
19 |
--------------------------------------------------------------------------------
/scripts/policy/tuning/json-logs.zeek.rst:
--------------------------------------------------------------------------------
1 | :tocdepth: 3
2 |
3 | policy/tuning/json-logs.zeek
4 | ============================
5 |
6 | Loading this script will cause all logs to be written
7 | out as JSON by default.
8 |
9 |
10 | Summary
11 | ~~~~~~~
12 | Redefinitions
13 | #############
14 | ==================================================================== =
15 | :zeek:id:`LogAscii::use_json`: :zeek:type:`bool` :zeek:attr:`&redef`
16 | ==================================================================== =
17 |
18 |
19 | Detailed Interface
20 | ~~~~~~~~~~~~~~~~~~
21 |
22 |
--------------------------------------------------------------------------------
/traces/20171220_smb_at_schedule.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zeek/zeek-docs/229fde87920f68d9afee557144b7776438b8bc40/traces/20171220_smb_at_schedule.pcap
--------------------------------------------------------------------------------
/traces/README:
--------------------------------------------------------------------------------
1 | Traces used in the examples of the docs.
2 |
3 | * tm1t.pcap
4 |
5 | ? (the origin of this trace is not recorded here)
6 |
7 | * 20171220_smb_at_schedule.pcap
8 |
9 | References:
10 |
11 | https://redmine.openinfosecfoundation.org/issues/3109
12 | https://github.com/tianyulab/Hunting_lateral_movement/blob/master/20171220_smb_at_schedule.pcap
13 |
14 | SHA1 of the pcap (compare against the downloaded copy before use):
15 |
16 | b5c5329536c7add1267cbbc50ac1436387c0b773
17 |
18 | * get.trace
19 |
20 | That's the zeek/testing/btest/Traces/http/get.trace one.
21 |
22 | * quickstart.pcap
23 |
24 | From curl commands:
25 |
26 | curl -X GET http://zeek.org
27 | curl -X WEIRD http://zeek.org
28 |
--------------------------------------------------------------------------------
/traces/get.trace:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zeek/zeek-docs/229fde87920f68d9afee557144b7776438b8bc40/traces/get.trace
--------------------------------------------------------------------------------
/traces/quickstart.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zeek/zeek-docs/229fde87920f68d9afee557144b7776438b8bc40/traces/quickstart.pcap
--------------------------------------------------------------------------------