base/init-bare.bro

DCE_RPC

GLOBAL

JSON

KRB

NCP

NFS3

NTLM

PE

Pcap

RADIUS

RDP

Reporter

SMB

SMB1

SMB2

SNMP

SOCKS

SSH

SSL

Threading

Tunnel

Unified2

Weird

X509

Namespaces:	DCE_RPC, GLOBAL, JSON, KRB, NCP, NFS3, NTLM, PE, Pcap, RADIUS, RDP, Reporter, SMB, SMB1, SMB2, SNMP, SOCKS, SSH, SSL, Threading, Tunnel, Unified2, Weird, X509
Imports:	base/bif, base/bif/bro.bif.bro, base/bif/const.bif.bro, base/bif/event.bif.bro, base/bif/plugins, base/bif/plugins/Bro_KRB.types.bif.bro, base/bif/plugins/Bro_SNMP.types.bif.bro, base/bif/reporter.bif.bro, base/bif/strings.bif.bro, base/bif/types.bif.bro, base/frameworks/analyzer, base/frameworks/broker, base/frameworks/files, base/frameworks/input, base/frameworks/logging
Source File:	`/scripts/base/init-bare.bro`

Summary

Options

`DCE_RPC::max_cmd_reassembly`: `count` `&redef`	The maximum number of simultaneous fragmented commands that the DCE_RPC analyzer will tolerate before the it will generate a weird and skip further input.
`DCE_RPC::max_frag_data`: `count` `&redef`	The maximum number of fragmented bytes that the DCE_RPC analyzer will tolerate on a command before the analyzer will generate a weird and skip further input.
`NCP::max_frame_size`: `count` `&redef`	The maximum number of bytes to allocate when parsing NCP frames.
`NFS3::return_data`: `bool` `&redef`	If true, `nfs_proc_read` and `nfs_proc_write` events return the file data that has been read/written.
`NFS3::return_data_first_only`: `bool` `&redef`	If `NFS3::return_data` is true, whether to only return data if the read or write offset is 0, i.e., only return data for the beginning of the file.
`NFS3::return_data_max`: `count` `&redef`	If `NFS3::return_data` is true, how much data should be returned at most.
`Pcap::bufsize`: `count` `&redef`	Number of Mbytes to provide as buffer space when capturing from live interfaces.
`Pcap::snaplen`: `count` `&redef`	Number of bytes per packet to capture from live interfaces.
`Reporter::errors_to_stderr`: `bool` `&redef`	Tunable for sending reporter error messages to STDERR.
`Reporter::info_to_stderr`: `bool` `&redef`	Tunable for sending reporter info messages to STDERR.
`Reporter::warnings_to_stderr`: `bool` `&redef`	Tunable for sending reporter warning messages to STDERR.
`SMB::pipe_filenames`: `set` `&redef`	A set of file names used as named pipes over SMB.
`Threading::heartbeat_interval`: `interval` `&redef`	The heartbeat interval used by the threading framework.
`Tunnel::delay_gtp_confirmation`: `bool` `&redef`	With this set, the GTP analyzer waits until the most-recent upflow and downflow packets are a valid GTPv1 encapsulation before issuing `protocol_confirmation`.
`Tunnel::delay_teredo_confirmation`: `bool` `&redef`	With this set, the Teredo analyzer waits until it sees both sides of a connection using a valid Teredo encapsulation before issuing a `protocol_confirmation`.
`Tunnel::enable_ayiya`: `bool` `&redef`	Toggle whether to do IPv{4,6}-in-AYIYA decapsulation.
`Tunnel::enable_gre`: `bool` `&redef`	Toggle whether to do GRE decapsulation.
`Tunnel::enable_gtpv1`: `bool` `&redef`	Toggle whether to do GTPv1 decapsulation.
`Tunnel::enable_ip`: `bool` `&redef`	Toggle whether to do IPv{4,6}-in-IPv{4,6} decapsulation.
`Tunnel::enable_teredo`: `bool` `&redef`	Toggle whether to do IPv6-in-Teredo decapsulation.
`Tunnel::ip_tunnel_timeout`: `interval` `&redef`	How often to cleanup internal state for inactive IP tunnels (includes GRE tunnels).
`Tunnel::max_depth`: `count` `&redef`	The maximum depth of a tunnel to decapsulate until giving up.
`Weird::sampling_duration`: `interval` `&redef`	How long a weird of a given type is allowed to keep state/counters in memory.
`Weird::sampling_rate`: `count` `&redef`	The rate-limiting sampling rate.
`Weird::sampling_threshold`: `count` `&redef`	How many weirds of a given type to tolerate before sampling begins.
`Weird::sampling_whitelist`: `set` `&redef`	Prevents rate-limiting sampling of any weirds named in the table.
`backdoor_stat_backoff`: `double` `&redef`	Deprecated.
`backdoor_stat_period`: `interval` `&redef`	Deprecated.
`bits_per_uid`: `count` `&redef`	Number of bits in UIDs that are generated to identify connections and files.
`check_for_unused_event_handlers`: `bool` `&redef`	If true, warns about unused event handlers at startup.
`chunked_io_buffer_soft_cap`: `count` `&redef`	The number of IO chunks allowed to be buffered between the child and parent process of remote communication before Bro starts dropping connections to remote peers in an attempt to catch up.
`cmd_line_bpf_filter`: `string` `&redef`	BPF filter the user has set via the -f command line options.
`default_file_bof_buffer_size`: `count` `&redef`	Default amount of bytes that file analysis will buffer in order to use for mime type matching.
`default_file_timeout_interval`: `interval` `&redef`	Default amount of time a file can be inactive before the file analysis gives up and discards any internal state related to the file.
`detect_filtered_trace`: `bool` `&redef`	Whether to attempt to automatically detect SYN/FIN/RST-filtered trace and not report missing segments for such connections.
`dns_session_timeout`: `interval` `&redef`	Time to wait before timing out a DNS request.
`dpd_buffer_size`: `count` `&redef`	Size of per-connection buffer used for dynamic protocol detection.
`dpd_ignore_ports`: `bool` `&redef`	If true, don’t consider any ports for deciding which protocol analyzer to use.
`dpd_match_only_beginning`: `bool` `&redef`	If true, stops signature matching if `dpd_buffer_size` has been reached.
`dpd_reassemble_first_packets`: `bool` `&redef`	Reassemble the beginning of all TCP connections before doing signature matching.
`enable_syslog`: `bool` `&redef`	Deprecated.
`encap_hdr_size`: `count` `&redef`	If positive, indicates the encapsulation header size that should be skipped.
`exit_only_after_terminate`: `bool` `&redef`	Flag to prevent Bro from exiting automatically when input is exhausted.
`expensive_profiling_multiple`: `count` `&redef`	Multiples of `profiling_interval` at which (more expensive) memory profiling is done (0 disables).
`forward_remote_events`: `bool` `&redef`	If true, broadcast events received from one peer to all other peers.
`forward_remote_state_changes`: `bool` `&redef`	If true, broadcast state updates received from one peer to all other peers.
`frag_timeout`: `interval` `&redef`	How long to hold onto fragments for possible reassembly.
`global_hash_seed`: `string` `&redef`	Seed for hashes computed internally for probabilistic data structures.
`icmp_inactivity_timeout`: `interval` `&redef`	If an ICMP flow is inactive, time it out after this interval.
`ignore_checksums`: `bool` `&redef`	If true, don’t verify checksums.
`ignore_keep_alive_rexmit`: `bool` `&redef`	Ignore certain TCP retransmissions for `conn_stats`.
`interconn_default_pkt_size`: `count` `&redef`	Deprecated.
`interconn_max_interarrival`: `interval` `&redef`	Deprecated.
`interconn_max_keystroke_pkt_size`: `count` `&redef`	Deprecated.
`interconn_min_interarrival`: `interval` `&redef`	Deprecated.
`interconn_stat_backoff`: `double` `&redef`	Deprecated.
`interconn_stat_period`: `interval` `&redef`	Deprecated.
`likely_server_ports`: `set` `&redef`	Ports which the core considers being likely used by servers.
`log_encryption_key`: `string` `&redef`	Deprecated.
`log_max_size`: `double` `&redef`	Deprecated.
`log_rotate_base_time`: `string` `&redef`	Deprecated.
`log_rotate_interval`: `interval` `&redef`	Deprecated.
`max_files_in_cache`: `count` `&redef`	The maximum number of open files to keep cached at a given time.
`max_remote_events_processed`: `count` `&redef`	With a similar trade-off, this gives the number of remote events to process in a batch before interleaving other activity.
`max_timer_expires`: `count` `&redef`	The maximum number of timers to expire after processing each new packet.
`non_analyzed_lifetime`: `interval` `&redef`	If a connection belongs to an application that we don’t analyze, time it out after this interval.
`ntp_session_timeout`: `interval` `&redef`	Time to wait before timing out an NTP request.
`packet_filter_default`: `bool` `&redef`	Default mode for Bro’s user-space dynamic packet filter.
`partial_connection_ok`: `bool` `&redef`	If true, instantiate connection state when a partial connection (one missing its initial establishment negotiation) is seen.
`passive_fingerprint_file`: `string` `&redef`	`p0f` fingerprint file to use.
`peer_description`: `string` `&redef`	Description transmitted to remote communication peers for identification.
`pkt_profile_freq`: `double` `&redef`	Frequency associated with packet profiling.
`pkt_profile_mode`: `pkt_profile_modes` `&redef`	Output mode for packet profiling information.
`profiling_interval`: `interval` `&redef`	Update interval for profiling (0 disables).
`record_all_packets`: `bool` `&redef`	If a trace file is given with `-w`, dump all packets seen by Bro into it.
`remote_check_sync_consistency`: `bool` `&redef`	Whether for `&synchronized` state to send the old value as a consistency check.
`remote_trace_sync_interval`: `interval` `&redef`	Synchronize trace processing at a regular basis in pseudo-realtime mode.
`remote_trace_sync_peers`: `count` `&redef`	Number of peers across which to synchronize trace processing in pseudo-realtime mode.
`report_gaps_for_partial`: `bool` `&redef`	Whether we want `content_gap` for partial connections.
`rpc_timeout`: `interval` `&redef`	Time to wait before timing out an RPC request.
`segment_profiling`: `bool` `&redef`	If true, then write segment profiling information (very high volume!) in addition to profiling statistics.
`sig_max_group_size`: `count` `&redef`	Maximum size of regular expression groups for signature matching.
`skip_http_data`: `bool` `&redef`	Skip HTTP data for performance considerations.
`ssl_ca_certificate`: `string` `&redef`	The CA certificate file to authorize remote Bros/Broccolis.
`ssl_passphrase`: `string` `&redef`	The passphrase for our private key.
`ssl_private_key`: `string` `&redef`	File containing our private key and our certificate.
`state_dir`: `string` `&redef`	Specifies a directory for Bro to store its persistent state.
`state_write_delay`: `interval` `&redef`	Length of the delays inserted when storing state incrementally.
`stp_delta`: `interval` `&redef`	Internal to the stepping stone detector.
`stp_idle_min`: `interval` `&redef`	Internal to the stepping stone detector.
`suppress_local_output`: `bool` `&redef`	Deprecated.
`table_expire_delay`: `interval` `&redef`	When expiring table entries, wait this amount of time before checking the next chunk of entries.
`table_expire_interval`: `interval` `&redef`	Check for expired table entries after this amount of time.
`table_incremental_step`: `count` `&redef`	When expiring/serializing table entries, don’t work on more than this many table entries at a time.
`tcp_SYN_ack_ok`: `bool` `&redef`	If true, instantiate connection state when a SYN/ACK is seen but not the initial SYN (even if `partial_connection_ok` is false).
`tcp_SYN_timeout`: `interval` `&redef`	Check up on the result of an initial SYN after this much time.
`tcp_attempt_delay`: `interval` `&redef`	Wait this long upon seeing an initial SYN before timing out the connection attempt.
`tcp_close_delay`: `interval` `&redef`	Upon seeing a normal connection close, flush state after this much time.
`tcp_connection_linger`: `interval` `&redef`	When checking a closed connection for further activity, consider it inactive if there hasn’t been any for this long.
`tcp_content_deliver_all_orig`: `bool` `&redef`	If true, all TCP originator-side traffic is reported via `tcp_contents`.
`tcp_content_deliver_all_resp`: `bool` `&redef`	If true, all TCP responder-side traffic is reported via `tcp_contents`.
`tcp_content_delivery_ports_orig`: `table` `&redef`	Defines destination TCP ports for which the contents of the originator stream should be delivered via `tcp_contents`.
`tcp_content_delivery_ports_resp`: `table` `&redef`	Defines destination TCP ports for which the contents of the responder stream should be delivered via `tcp_contents`.
`tcp_excessive_data_without_further_acks`: `count` `&redef`	If we’ve seen this much data without any of it being acked, we give up on that connection to avoid memory exhaustion due to buffering all that stuff.
`tcp_inactivity_timeout`: `interval` `&redef`	If a TCP connection is inactive, time it out after this interval.
`tcp_match_undelivered`: `bool` `&redef`	If true, pass any undelivered to the signature engine before flushing the state.
`tcp_max_above_hole_without_any_acks`: `count` `&redef`	If we’re not seeing our peer’s ACKs, the maximum volume of data above a sequence hole that we’ll tolerate before assuming that there’s been a packet drop and we should give up on tracking a connection.
`tcp_max_initial_window`: `count` `&redef`	Maximum amount of data that might plausibly be sent in an initial flight (prior to receiving any acks).
`tcp_max_old_segments`: `count` `&redef`	Number of TCP segments to buffer beyond what’s been acknowledged already to detect retransmission inconsistencies.
`tcp_partial_close_delay`: `interval` `&redef`	Generate a `connection_partial_close` event this much time after one half of a partial connection closes, assuming there has been no subsequent activity.
`tcp_reassembler_ports_orig`: `set` `&redef`	For services without a handler, these sets define originator-side ports that still trigger reassembly.
`tcp_reassembler_ports_resp`: `set` `&redef`	For services without a handler, these sets define responder-side ports that still trigger reassembly.
`tcp_reset_delay`: `interval` `&redef`	Upon seeing a RST, flush state after this much time.
`tcp_session_timer`: `interval` `&redef`	After a connection has closed, wait this long for further activity before checking whether to time out its state.
`tcp_storm_interarrival_thresh`: `interval` `&redef`	FINs/RSTs must come with this much time or less between them to be considered a “storm”.
`tcp_storm_thresh`: `count` `&redef`	Number of FINs/RSTs in a row that constitute a “storm”.
`time_machine_profiling`: `bool` `&redef`	If true, output profiling for Time-Machine queries.
`timer_mgr_inactivity_timeout`: `interval` `&redef`	Per-incident timer managers are drained after this amount of inactivity.
`truncate_http_URI`: `int` `&redef`	Maximum length of HTTP URIs passed to events.
`udp_content_deliver_all_orig`: `bool` `&redef`	If true, all UDP originator-side traffic is reported via `udp_contents`.
`udp_content_deliver_all_resp`: `bool` `&redef`	If true, all UDP responder-side traffic is reported via `udp_contents`.
`udp_content_delivery_ports_orig`: `table` `&redef`	Defines UDP destination ports for which the contents of the originator stream should be delivered via `udp_contents`.
`udp_content_delivery_ports_resp`: `table` `&redef`	Defines UDP destination ports for which the contents of the responder stream should be delivered via `udp_contents`.
`udp_inactivity_timeout`: `interval` `&redef`	If a UDP flow is inactive, time it out after this interval.
`use_conn_size_analyzer`: `bool` `&redef`	Whether to use the `ConnSize` analyzer to count the number of packets and IP-level bytes transferred by each endpoint.
`watchdog_interval`: `interval` `&redef`	Bro’s watchdog interval.

Constants

`CONTENTS_BOTH`: `count`	Record both originator and responder contents.
`CONTENTS_NONE`: `count`	Turn off recording of contents.
`CONTENTS_ORIG`: `count`	Record originator contents.
`CONTENTS_RESP`: `count`	Record responder contents.
`DNS_ADDL`: `count`	An additional record.
`DNS_ANS`: `count`	An answer record.
`DNS_AUTH`: `count`	An authoritative record.
`DNS_QUERY`: `count`	A query.
`ENDIAN_BIG`: `count`	Big endian.
`ENDIAN_CONFUSED`: `count`	Tried to determine endian, but failed.
`ENDIAN_LITTLE`: `count`	Little endian.
`ENDIAN_UNKNOWN`: `count`	Endian not yet determined.
`ICMP_UNREACH_ADMIN_PROHIB`: `count`	Administratively prohibited.
`ICMP_UNREACH_HOST`: `count`	Host unreachable.
`ICMP_UNREACH_NEEDFRAG`: `count`	Fragment needed.
`ICMP_UNREACH_NET`: `count`	Network unreachable.
`ICMP_UNREACH_PORT`: `count`	Port unreachable.
`ICMP_UNREACH_PROTOCOL`: `count`	Protocol unreachable.
`IPPROTO_AH`: `count`	IPv6 authentication header.
`IPPROTO_DSTOPTS`: `count`	IPv6 destination options header.
`IPPROTO_ESP`: `count`	IPv6 encapsulating security payload header.
`IPPROTO_FRAGMENT`: `count`	IPv6 fragment header.
`IPPROTO_HOPOPTS`: `count`	IPv6 hop-by-hop-options header.
`IPPROTO_ICMP`: `count`	Control message protocol.
`IPPROTO_ICMPV6`: `count`	ICMP for IPv6.
`IPPROTO_IGMP`: `count`	Group management protocol.
`IPPROTO_IP`: `count`	Dummy for IP.
`IPPROTO_IPIP`: `count`	IP encapsulation in IP.
`IPPROTO_IPV6`: `count`	IPv6 header.
`IPPROTO_MOBILITY`: `count`	IPv6 mobility header.
`IPPROTO_NONE`: `count`	IPv6 no next header.
`IPPROTO_RAW`: `count`	Raw IP packet.
`IPPROTO_ROUTING`: `count`	IPv6 routing header.
`IPPROTO_TCP`: `count`	TCP.
`IPPROTO_UDP`: `count`	User datagram protocol.
`LOGIN_STATE_AUTHENTICATE`: `count`
`LOGIN_STATE_CONFUSED`: `count`
`LOGIN_STATE_LOGGED_IN`: `count`
`LOGIN_STATE_SKIP`: `count`
`PEER_ID_NONE`: `count`	Place-holder constant indicating “no peer”.
`REMOTE_LOG_ERROR`: `count`	Deprecated.
`REMOTE_LOG_INFO`: `count`	Deprecated.
`REMOTE_SRC_CHILD`: `count`	Message from the child process.
`REMOTE_SRC_PARENT`: `count`	Message from the parent process.
`REMOTE_SRC_SCRIPT`: `count`	Message from a policy script.
`RPC_status`: `table`	Mapping of numerical RPC status codes to readable messages.
`SNMP::OBJ_COUNTER32_TAG`: `count`	Unsigned 32-bit integer.
`SNMP::OBJ_COUNTER64_TAG`: `count`	Unsigned 64-bit integer.
`SNMP::OBJ_ENDOFMIBVIEW_TAG`: `count`	A NULL value.
`SNMP::OBJ_INTEGER_TAG`: `count`	Signed 64-bit integer.
`SNMP::OBJ_IPADDRESS_TAG`: `count`	An IP address.
`SNMP::OBJ_NOSUCHINSTANCE_TAG`: `count`	A NULL value.
`SNMP::OBJ_NOSUCHOBJECT_TAG`: `count`	A NULL value.
`SNMP::OBJ_OCTETSTRING_TAG`: `count`	An octet string.
`SNMP::OBJ_OID_TAG`: `count`	An Object Identifier.
`SNMP::OBJ_OPAQUE_TAG`: `count`	An octet string.
`SNMP::OBJ_TIMETICKS_TAG`: `count`	Unsigned 32-bit integer.
`SNMP::OBJ_UNSIGNED32_TAG`: `count`	Unsigned 32-bit integer.
`SNMP::OBJ_UNSPECIFIED_TAG`: `count`	A NULL value.
`TCP_CLOSED`: `count`	Endpoint has closed connection.
`TCP_ESTABLISHED`: `count`	Endpoint has finished initial handshake regularly.
`TCP_INACTIVE`: `count`	Endpoint is still inactive.
`TCP_PARTIAL`: `count`	Endpoint has sent data but no initial SYN.
`TCP_RESET`: `count`	Endpoint has sent RST.
`TCP_SYN_ACK_SENT`: `count`	Endpoint has sent SYN/ACK.
`TCP_SYN_SENT`: `count`	Endpoint has sent SYN.
`TH_ACK`: `count`	ACK.
`TH_FIN`: `count`	FIN.
`TH_FLAGS`: `count`	Mask combining all flags.
`TH_PUSH`: `count`	PUSH.
`TH_RST`: `count`	RST.
`TH_SYN`: `count`	SYN.
`TH_URG`: `count`	URG.
`UDP_ACTIVE`: `count`	Endpoint has sent something.
`UDP_INACTIVE`: `count`	Endpoint is still inactive.
`trace_output_file`: `string`	Holds the filename of the trace file given with `-w` (empty if none).

State Variables

`capture_filters`: `table` `&redef`	Set of BPF capture filters to use for capturing, indexed by a user-definable ID (which must be unique).
`direct_login_prompts`: `set` `&redef`	TODO.
`discarder_maxlen`: `count` `&redef`	Maximum length of payload passed to discarder functions.
`dns_max_queries`: `count` `&redef`	If a DNS request includes more than this many queries, assume it’s non-DNS traffic and do not process it.
`dns_skip_addl`: `set` `&redef`	For DNS servers in these sets, omit processing the ADDL records they include in their replies.
`dns_skip_all_addl`: `bool` `&redef`	If true, all DNS ADDL records are skipped.
`dns_skip_all_auth`: `bool` `&redef`	If true, all DNS AUTH records are skipped.
`dns_skip_auth`: `set` `&redef`	For DNS servers in these sets, omit processing the AUTH records they include in their replies.
`done_with_network`: `bool`
`generate_OS_version_event`: `set` `&redef`	Defines for which subnets we should do passive fingerprinting.
`http_entity_data_delivery_size`: `count` `&redef`	Maximum number of HTTP entity data delivered to events.
`interfaces`: `string` `&add_func` = `add_interface` `&redef`	Network interfaces to listen on.
`irc_servers`: `set` `&redef`	Deprecated.
`load_sample_freq`: `count` `&redef`	Rate at which to generate `load_sample` events.
`login_failure_msgs`: `set` `&redef`	TODO.
`login_non_failure_msgs`: `set` `&redef`	TODO.
`login_prompts`: `set` `&redef`	TODO.
`login_success_msgs`: `set` `&redef`	TODO.
`login_timeouts`: `set` `&redef`	TODO.
`mime_segment_length`: `count` `&redef`	The length of MIME data segments delivered to handlers of `mime_segment_data`.
`mime_segment_overlap_length`: `count` `&redef`	The number of bytes of overlap between successive segments passed to `mime_segment_data`.
`pkt_profile_file`: `file` `&redef`	File where packet profiles are logged.
`profiling_file`: `file` `&redef`	Write profiling info into this file in regular intervals.
`restrict_filters`: `table` `&redef`	Set of BPF filters to restrict capturing, indexed by a user-definable ID (which must be unique).
`secondary_filters`: `table` `&redef`	Definition of “secondary filters”.
`signature_files`: `string` `&add_func` = `add_signature_file` `&redef`	Signature files to read.
`skip_authentication`: `set` `&redef`	TODO.
`stp_skip_src`: `set` `&redef`	Internal to the stepping stone detector.

Types

`ConnStats`: `record`
`DNSStats`: `record`	Statistics related to Bro’s active use of DNS.
`EncapsulatingConnVector`: `vector`	A type alias for a vector of encapsulating “connections”, i.e.
`EventStats`: `record`
`FileAnalysisStats`: `record`	Statistics of file analysis.
`GapStats`: `record`	Statistics about number of gaps in TCP connections.
`IPAddrAnonymization`: `enum`	Deprecated.
`IPAddrAnonymizationClass`: `enum`	Deprecated.
`JSON::TimestampFormat`: `enum`
`KRB::AP_Options`: `record`	AP Options.
`KRB::Error_Msg`: `record`	The data from the ERROR_MSG message.
`KRB::Host_Address`: `record`	A Kerberos host address See RFC 4120.
`KRB::Host_Address_Vector`: `vector`
`KRB::KDC_Options`: `record`	KDC Options.
`KRB::KDC_Request`: `record`	The data from the AS_REQ and TGS_REQ messages.
`KRB::KDC_Response`: `record`	The data from the AS_REQ and TGS_REQ messages.
`KRB::SAFE_Msg`: `record`	The data from the SAFE message.
`KRB::Ticket`: `record`	A Kerberos ticket.
`KRB::Ticket_Vector`: `vector`
`KRB::Type_Value`: `record`	Used in a few places in the Kerberos analyzer for elements that have a type and a string value.
`KRB::Type_Value_Vector`: `vector`
`MatcherStats`: `record`	Statistics of all regular expression matchers.
`ModbusCoils`: `vector`	A vector of boolean values that indicate the setting for a range of modbus coils.
`ModbusHeaders`: `record`
`ModbusRegisters`: `vector`	A vector of count values that represent 16bit modbus register values.
`NFS3::delobj_reply_t`: `record`	NFS reply for remove, rmdir.
`NFS3::direntry_t`: `record`	NFS direntry.
`NFS3::direntry_vec_t`: `vector`	Vector of NFS direntry.
`NFS3::diropargs_t`: `record`	NFS readdir arguments.
`NFS3::fattr_t`: `record`	NFS file attributes.
`NFS3::fsstat_t`: `record`	NFS fsstat.
`NFS3::info_t`: `record`	Record summarizing the general results and status of NFSv3 request/reply pairs.
`NFS3::lookup_reply_t`: `record`	NFS lookup reply.
`NFS3::newobj_reply_t`: `record`	NFS reply for create, mkdir, and symlink.
`NFS3::read_reply_t`: `record`	NFS read reply.
`NFS3::readargs_t`: `record`	NFS read arguments.
`NFS3::readdir_reply_t`: `record`	NFS readdir reply.
`NFS3::readdirargs_t`: `record`	NFS readdir arguments.
`NFS3::readlink_reply_t`: `record`	NFS readline reply.
`NFS3::wcc_attr_t`: `record`	NFS wcc attributes.
`NFS3::write_reply_t`: `record`	NFS write reply.
`NFS3::writeargs_t`: `record`	NFS write arguments.
`NTLM::AVs`: `record`
`NTLM::Authenticate`: `record`
`NTLM::Challenge`: `record`
`NTLM::Negotiate`: `record`
`NTLM::NegotiateFlags`: `record`
`NTLM::Version`: `record`
`NetStats`: `record`	Packet capture statistics.
`OS_version`: `record`	Passive fingerprinting match.
`OS_version_inference`: `enum`	Quality of passive fingerprinting matches.
`PE::DOSHeader`: `record`
`PE::FileHeader`: `record`
`PE::OptionalHeader`: `record`
`PE::SectionHeader`: `record`	Record for Portable Executable (PE) section headers.
`PcapFilterID`: `enum`	Enum type identifying dynamic BPF filters.
`ProcStats`: `record`	Statistics about Bro’s process.
`RADIUS::AttributeList`: `vector`
`RADIUS::Attributes`: `table`
`RADIUS::Message`: `record`
`RDP::ClientCoreData`: `record`
`RDP::EarlyCapabilityFlags`: `record`
`ReassemblerStats`: `record`	Summary statistics of all regular expression matchers.
`ReporterStats`: `record`	Statistics about reporter messages and weirds.
`SMB1::Find_First2_Request_Args`: `record`
`SMB1::Find_First2_Response_Args`: `record`
`SMB1::Header`: `record`	An SMB1 header.
`SMB1::NegotiateCapabilities`: `record`
`SMB1::NegotiateRawMode`: `record`
`SMB1::NegotiateResponse`: `record`
`SMB1::NegotiateResponseCore`: `record`
`SMB1::NegotiateResponseLANMAN`: `record`
`SMB1::NegotiateResponseNTLM`: `record`
`SMB1::NegotiateResponseSecurity`: `record`
`SMB1::SessionSetupAndXCapabilities`: `record`
`SMB1::SessionSetupAndXRequest`: `record`
`SMB1::SessionSetupAndXResponse`: `record`
`SMB2::CloseResponse`: `record`	The response to an SMB2 close request, which is used by the client to close an instance of a file that was opened previously.
`SMB2::FileAttrs`: `record`	A series of boolean flags describing basic and extended file attributes for SMB2.
`SMB2::GUID`: `record`	An SMB2 globally unique identifier which identifies a file.
`SMB2::Header`: `record`	An SMB2 header.
`SMB2::NegotiateResponse`: `record`	The response to an SMB2 negotiate request, which is used by tghe client to notify the server what dialects of the SMB2 protocol the client understands.
`SMB2::SessionSetupFlags`: `record`	A flags field that indicates additional information about the session that’s sent in the session_setup response.
`SMB2::SessionSetupRequest`: `record`	The request sent by the client to request a new authenticated session within a new or existing SMB 2 Protocol transport connection to the server.
`SMB2::SessionSetupResponse`: `record`	The response to an SMB2 session_setup request, which is sent by the client to request a new authenticated session within a new or existing SMB 2 Protocol transport connection to the server.
`SMB2::TreeConnectResponse`: `record`	The response to an SMB2 tree_connect request, which is sent by the client to request access to a particular share on the server.
`SMB::MACTimes`: `record` `&log`	MAC times for a file.
`SNMP::Binding`: `record`	The `VarBind` data structure from either RFC 1157 or RFC 3416, which maps an Object Identifier to a value.
`SNMP::Bindings`: `vector`	A `VarBindList` data structure from either RFC 1157 or RFC 3416.
`SNMP::BulkPDU`: `record`	A `BulkPDU` data structure from RFC 3416.
`SNMP::Header`: `record`	A generic SNMP header data structure that may include data from any version of SNMP.
`SNMP::HeaderV1`: `record`	The top-level message data structure of an SNMPv1 datagram, not including the PDU data.
`SNMP::HeaderV2`: `record`	The top-level message data structure of an SNMPv2 datagram, not including the PDU data.
`SNMP::HeaderV3`: `record`	The top-level message data structure of an SNMPv3 datagram, not including the PDU data.
`SNMP::ObjectValue`: `record`	A generic SNMP object value, that may include any of the valid `ObjectSyntax` values from RFC 1155 or RFC 3416.
`SNMP::PDU`: `record`	A `PDU` data structure from either RFC 1157 or RFC 3416.
`SNMP::ScopedPDU_Context`: `record`	The `ScopedPduData` data structure of an SNMPv3 datagram, not including the PDU data (i.e.
`SNMP::TrapPDU`: `record`	A `Trap-PDU` data structure from RFC 1157.
`SOCKS::Address`: `record` `&log`	This record is for a SOCKS client or server to provide either a name or an address to represent a desired or established connection.
`SSH::Algorithm_Prefs`: `record`	The client and server each have some preferences for the algorithms used in each direction.
`SSH::Capabilities`: `record`	This record lists the preferences of an SSH endpoint for algorithm selection.
`SSL::SignatureAndHashAlgorithm`: `record`
`SYN_packet`: `record`	Fields of a SYN packet.
`ThreadStats`: `record`	Statistics about threads.
`TimerStats`: `record`	Statistics of timers.
`Tunnel::EncapsulatingConn`: `record` `&log`	Records the identity of an encapsulating parent of a tunneled connection.
`Unified2::IDSEvent`: `record`
`Unified2::Packet`: `record`
`X509::BasicConstraints`: `record` `&log`
`X509::Certificate`: `record`
`X509::Extension`: `record`
`X509::Result`: `record`	Result of an X509 certificate chain verification
`X509::SubjectAlternativeName`: `record`
`addr_set`: `set`	A set of addresses.
`addr_vec`: `vector`	A vector of addresses.
`any_vec`: `vector`	A vector of any, used by some builtin functions to store a list of varying types.
`backdoor_endp_stats`: `record`	Deprecated.
`bittorrent_benc_dir`: `table`	A table of BitTorrent “benc” values.
`bittorrent_benc_value`: `record`	BitTorrent “benc” value.
`bittorrent_peer`: `record`	A BitTorrent peer.
`bittorrent_peer_set`: `set`	A set of BitTorrent peers.
`bt_tracker_headers`: `table`	Header table type used by BitTorrent analyzer.
`call_argument`: `record`	Meta-information about a parameter to a function/event.
`call_argument_vector`: `vector`	Vector type used to capture parameters of a function/event call.
`conn_id`: `record` `&log`	A connection’s identifying 4-tuple of endpoints and ports.
`connection`: `record`	A connection.
`count_set`: `set`	A set of counts.
`dhcp_msg`: `record`	A DHCP message.
`dhcp_router_list`: `table`	A list of router addresses offered by a DHCP server.
`dns_answer`: `record`	The general part of a DNS reply.
`dns_edns_additional`: `record`	An additional DNS EDNS record.
`dns_mapping`: `record`
`dns_msg`: `record`	A DNS message.
`dns_soa`: `record`	A DNS SOA record.
`dns_tsig_additional`: `record`	An additional DNS TSIG record.
`endpoint`: `record`	Statistics about a `connection` endpoint.
`endpoint_stats`: `record`	Statistics about what a TCP endpoint sent.
`entropy_test_result`: `record`	Computed entropy values.
`event_peer`: `record`	A communication peer.
`fa_file`: `record` `&redef`	A file that Bro is analyzing.
`fa_metadata`: `record`	Metadata that’s been inferred about a particular file.
`files_tag_set`: `set`	A set of file analyzer tags.
`flow_id`: `record` `&log`	The identifying 4-tuple of a uni-directional flow.
`ftp_port`: `record`	A parsed host/port combination describing server endpoint for an upcoming data transfer.
`geo_location`: `record` `&log`	GeoIP location information.
`gtp_access_point_name`: `string`
`gtp_cause`: `count`
`gtp_charging_characteristics`: `count`
`gtp_charging_gateway_addr`: `addr`
`gtp_charging_id`: `count`
`gtp_create_pdp_ctx_request_elements`: `record`
`gtp_create_pdp_ctx_response_elements`: `record`
`gtp_delete_pdp_ctx_request_elements`: `record`
`gtp_delete_pdp_ctx_response_elements`: `record`
`gtp_end_user_addr`: `record`
`gtp_gsn_addr`: `record`
`gtp_imsi`: `count`
`gtp_msisdn`: `string`
`gtp_nsapi`: `count`
`gtp_omc_id`: `string`
`gtp_private_extension`: `record`
`gtp_proto_config_options`: `string`
`gtp_qos_profile`: `record`
`gtp_rai`: `record`
`gtp_recovery`: `count`
`gtp_reordering_required`: `bool`
`gtp_selection_mode`: `count`
`gtp_teardown_ind`: `bool`
`gtp_teid1`: `count`
`gtp_teid_control_plane`: `count`
`gtp_tft`: `string`
`gtp_trace_reference`: `count`
`gtp_trace_type`: `count`
`gtp_trigger_id`: `string`
`gtp_update_pdp_ctx_request_elements`: `record`
`gtp_update_pdp_ctx_response_elements`: `record`
`gtpv1_hdr`: `record`	A GTPv1 (GPRS Tunneling Protocol) header.
`http_message_stat`: `record`	HTTP message statistics.
`http_stats_rec`: `record`	HTTP session statistics.
`icmp6_nd_option`: `record`	Options extracted from ICMPv6 neighbor discovery messages as specified by RFC 4861.
`icmp6_nd_options`: `vector`	A type alias for a vector of ICMPv6 neighbor discovery message options.
`icmp6_nd_prefix_info`: `record`	Values extracted from a Prefix Information option in an ICMPv6 neighbor discovery message as specified by RFC 4861.
`icmp_conn`: `record`	Specifics about an ICMP conversation.
`icmp_context`: `record`	Packet context part of an ICMP message.
`icmp_hdr`: `record`	Values extracted from an ICMP header.
`id_table`: `table`	Table type used to map script-level identifiers to meta-information describing them.
`index_vec`: `vector`	A vector of counts, used by some builtin functions to store a list of indices.
`interconn_endp_stats`: `record`	Deprecated.
`ip4_hdr`: `record`	Values extracted from an IPv4 header.
`ip6_ah`: `record`	Values extracted from an IPv6 Authentication extension header.
`ip6_dstopts`: `record`	Values extracted from an IPv6 Destination options extension header.
`ip6_esp`: `record`	Values extracted from an IPv6 ESP extension header.
`ip6_ext_hdr`: `record`	A general container for a more specific IPv6 extension header.
`ip6_ext_hdr_chain`: `vector`	A type alias for a vector of IPv6 extension headers.
`ip6_fragment`: `record`	Values extracted from an IPv6 Fragment extension header.
`ip6_hdr`: `record`	Values extracted from an IPv6 header.
`ip6_hopopts`: `record`	Values extracted from an IPv6 Hop-by-Hop options extension header.
`ip6_mobility_back`: `record`	Values extracted from an IPv6 Mobility Binding Acknowledgement message.
`ip6_mobility_be`: `record`	Values extracted from an IPv6 Mobility Binding Error message.
`ip6_mobility_brr`: `record`	Values extracted from an IPv6 Mobility Binding Refresh Request message.
`ip6_mobility_bu`: `record`	Values extracted from an IPv6 Mobility Binding Update message.
`ip6_mobility_cot`: `record`	Values extracted from an IPv6 Mobility Care-of Test message.
`ip6_mobility_coti`: `record`	Values extracted from an IPv6 Mobility Care-of Test Init message.
`ip6_mobility_hdr`: `record`	Values extracted from an IPv6 Mobility header.
`ip6_mobility_hot`: `record`	Values extracted from an IPv6 Mobility Home Test message.
`ip6_mobility_hoti`: `record`	Values extracted from an IPv6 Mobility Home Test Init message.
`ip6_mobility_msg`: `record`	Values extracted from an IPv6 Mobility header’s message data.
`ip6_option`: `record`	Values extracted from an IPv6 extension header’s (e.g.
`ip6_options`: `vector`	A type alias for a vector of IPv6 options.
`ip6_routing`: `record`	Values extracted from an IPv6 Routing extension header.
`irc_join_info`: `record`	IRC join information.
`irc_join_list`: `set`	Set of IRC join information.
`l2_hdr`: `record`	Values extracted from the layer 2 header.
`load_sample_info`: `set`
`mime_header_list`: `table`	A list of MIME headers.
`mime_header_rec`: `record`	A MIME header key/value pair.
`mime_match`: `record`	A structure indicating a MIME type and strength of a match against file magic signatures.
`mime_matches`: `vector`	A vector of file magic signature matches, ordered by strength of the signature, strongest first.
`ntp_msg`: `record`	An NTP message.
`packet`: `record`	Deprecated.
`pcap_packet`: `record`	Policy-level representation of a packet passed on by libpcap.
`peer_id`: `count`	A locally unique ID identifying a communication peer.
`pkt_hdr`: `record`	A packet header, consisting of an IP header and transport-layer header.
`pkt_profile_modes`: `enum`	Output modes for packet profiling information.
`pm_callit_request`: `record`	An RPC portmapper callit request.
`pm_mapping`: `record`	An RPC portmapper mapping.
`pm_mappings`: `table`	Table of RPC portmapper mappings.
`pm_port_request`: `record`	An RPC portmapper request.
`raw_pkt_hdr`: `record`	A raw packet header, consisting of L2 header and everything in `pkt_hdr`.
`record_field`: `record`	Meta-information about a record field.
`record_field_table`: `table`	Table type used to map record field declarations to meta-information describing them.
`rotate_info`: `record`	Deprecated.
`script_id`: `record`	Meta-information about a script-level identifier.
`signature_and_hashalgorithm_vec`: `vector`	A vector of Signature and Hash Algorithms.
`signature_state`: `record`	Description of a signature match.
`software`: `record`
`software_version`: `record`
`string_array`: `table`	An ordered array of strings.
`string_set`: `set`	A set of strings.
`string_vec`: `vector`	A vector of strings.
`subnet_vec`: `vector`	A vector of subnets.
`sw_align`: `record`	Helper type for return value of Smith-Waterman algorithm.
`sw_align_vec`: `vector`	Helper type for return value of Smith-Waterman algorithm.
`sw_params`: `record`	Parameters for the Smith-Waterman algorithm.
`sw_substring`: `record`	Helper type for return value of Smith-Waterman algorithm.
`sw_substring_vec`: `vector`	Return type for Smith-Waterman algorithm.
`table_string_of_count`: `table`	A table of counts indexed by strings.
`table_string_of_string`: `table`	A table of strings indexed by strings.
`tcp_hdr`: `record`	Values extracted from a TCP header.
`teredo_auth`: `record`	A Teredo origin indication header.
`teredo_hdr`: `record`	A Teredo packet header.
`teredo_origin`: `record`	A Teredo authentication header.
`transport_proto`: `enum`	A connection’s transport-layer protocol.
`udp_hdr`: `record`	Values extracted from a UDP header.
`var_sizes`: `table`	Table type used to map variable names to their memory allocation.
`x509_opaque_vector`: `vector`	A vector of x509 opaques.

Functions

`add_interface`: `function`	Internal function.
`add_signature_file`: `function`	Internal function.
`discarder_check_icmp`: `function`	Function for skipping packets based on their ICMP header.
`discarder_check_ip`: `function`	Function for skipping packets based on their IP header.
`discarder_check_tcp`: `function`	Function for skipping packets based on their TCP header.
`discarder_check_udp`: `function`	Function for skipping packets based on their UDP header.
`log_file_name`: `function` `&redef`	Deprecated.
`max_count`: `function`	Returns maximum of two `count` values.
`max_double`: `function`	Returns maximum of two `double` values.
`max_interval`: `function`	Returns maximum of two `interval` values.
`min_count`: `function`	Returns minimum of two `count` values.
`min_double`: `function`	Returns minimum of two `double` values.
`min_interval`: `function`	Returns minimum of two `interval` values.
`open_log_file`: `function` `&redef`	Deprecated.

Detailed Interface

Options

DCE_RPC::max_cmd_reassembly

Type:	`count`
Attributes:	`&redef`
Default:	`20`

The maximum number of simultaneous fragmented commands that the DCE_RPC analyzer will tolerate before the it will generate a weird and skip further input.

DCE_RPC::max_frag_data

Type:	`count`
Attributes:	`&redef`
Default:	`30000`

The maximum number of fragmented bytes that the DCE_RPC analyzer will tolerate on a command before the analyzer will generate a weird and skip further input.

NCP::max_frame_size

Type:	`count`
Attributes:	`&redef`
Default:	`65536`

The maximum number of bytes to allocate when parsing NCP frames.

NFS3::return_data

Type:	`bool`
Attributes:	`&redef`
Default:	`F`

If true, nfs_proc_read and nfs_proc_write events return the file data that has been read/written.

NFS3::return_data_first_only

Type:	`bool`
Attributes:	`&redef`
Default:	`T`

If NFS3::return_data is true, whether to only return data if the read or write offset is 0, i.e., only return data for the beginning of the file.

NFS3::return_data_max

Type:	`count`
Attributes:	`&redef`
Default:	`512`

If NFS3::return_data is true, how much data should be returned at most.

Pcap::bufsize

Type:	`count`
Attributes:	`&redef`
Default:	`128`

Number of Mbytes to provide as buffer space when capturing from live interfaces.

Pcap::snaplen

Type:	`count`
Attributes:	`&redef`
Default:	`8192`

Number of bytes per packet to capture from live interfaces.

Reporter::errors_to_stderr

Type:	`bool`
Attributes:	`&redef`
Default:	`T`

Tunable for sending reporter error messages to STDERR. The option to turn it off is presented here in case Bro is being run by some external harness and shouldn’t output anything to the console.

Reporter::info_to_stderr

Type:	`bool`
Attributes:	`&redef`
Default:	`T`

Tunable for sending reporter info messages to STDERR. The option to turn it off is presented here in case Bro is being run by some external harness and shouldn’t output anything to the console.

Reporter::warnings_to_stderr

Type:	`bool`
Attributes:	`&redef`
Default:	`T`

Tunable for sending reporter warning messages to STDERR. The option to turn it off is presented here in case Bro is being run by some external harness and shouldn’t output anything to the console.

SMB::pipe_filenames

Type:	`set` [`string`]
Attributes:	`&redef`
Default:

{
   "wkssvc",
   "winreg",
   "samr",
   "spoolss",
   "netdfs",
   "MsFteWds",
   "srvsvc",
   "lsarpc"
}

A set of file names used as named pipes over SMB. This only comes into play as a heuristic to identify named pipes when the drive mapping wasn’t seen by Bro.

Type:	`interval`
Attributes:	`&redef`
Default:	`1.0 sec`

Type:	`interval`
Attributes:	`&redef`
Default:	`1.0 day`

Type:	`interval`
Attributes:	`&redef`
Default:	`10.0 mins`

Type:	`double`
Attributes:	`&redef`

Type:	`interval`
Attributes:	`&redef`

Type:	`interval`
Attributes:	`&redef`
Default:	`2.0 mins`

Type:	`interval`
Attributes:	`&redef`
Default:	`10.0 secs`

Constants

CONTENTS_BOTH

Type:	`count`
Default:	`3`

Record both originator and responder contents.

CONTENTS_NONE

Type:	`count`
Default:	`0`

Turn off recording of contents.

CONTENTS_ORIG

Type:	`count`
Default:	`1`

Record originator contents.

CONTENTS_RESP

Type:	`count`
Default:	`2`

Record responder contents.

DNS_ADDL

Type:	`count`
Default:	`3`

An additional record.

DNS_ANS

Type:	`count`
Default:	`1`

An answer record.

DNS_AUTH

Type:	`count`
Default:	`2`

An authoritative record.

DNS_QUERY

Type:	`count`
Default:	`0`

A query. This shouldn’t occur, just for completeness.

ENDIAN_BIG

Type:	`count`
Default:	`2`

Big endian.

ENDIAN_CONFUSED

Type:	`count`
Default:	`3`

Tried to determine endian, but failed.

ENDIAN_LITTLE

Type:	`count`
Default:	`1`

Little endian.

ENDIAN_UNKNOWN

Type:	`count`
Default:	`0`

Endian not yet determined.

ICMP_UNREACH_ADMIN_PROHIB

Type:	`count`
Default:	`13`

Administratively prohibited.

ICMP_UNREACH_HOST

Type:	`count`
Default:	`1`

Host unreachable.

ICMP_UNREACH_NEEDFRAG

Type:	`count`
Default:	`4`

Fragment needed.

ICMP_UNREACH_NET

Type:	`count`
Default:	`0`

Network unreachable.

ICMP_UNREACH_PORT

Type:	`count`
Default:	`3`

Port unreachable.

ICMP_UNREACH_PROTOCOL

Type:	`count`
Default:	`2`

Protocol unreachable.

IPPROTO_AH

Type:	`count`
Default:	`51`

IPv6 authentication header.

IPPROTO_DSTOPTS

Type:	`count`
Default:	`60`

IPv6 destination options header.

IPPROTO_ESP

Type:	`count`
Default:	`50`

IPv6 encapsulating security payload header.

IPPROTO_FRAGMENT

Type:	`count`
Default:	`44`

IPv6 fragment header.

IPPROTO_HOPOPTS

Type:	`count`
Default:	`0`

IPv6 hop-by-hop-options header.

IPPROTO_ICMP

Type:	`count`
Default:	`1`

Control message protocol.

IPPROTO_ICMPV6

Type:	`count`
Default:	`58`

ICMP for IPv6.

IPPROTO_IGMP

Type:	`count`
Default:	`2`

Group management protocol.

IPPROTO_IP

Type:	`count`
Default:	`0`

Dummy for IP.

IPPROTO_IPIP

Type:	`count`
Default:	`4`

IP encapsulation in IP.

IPPROTO_IPV6

Type:	`count`
Default:	`41`

IPv6 header.

IPPROTO_MOBILITY

Type:	`count`
Default:	`135`

IPv6 mobility header.

IPPROTO_NONE

Type:	`count`
Default:	`59`

IPv6 no next header.

IPPROTO_RAW

Type:	`count`
Default:	`255`

Raw IP packet.

IPPROTO_ROUTING

Type:	`count`
Default:	`43`

IPv6 routing header.

IPPROTO_TCP

Type:	`count`
Default:	`6`

TCP.

IPPROTO_UDP

Type:	`count`
Default:	`17`

User datagram protocol.

LOGIN_STATE_AUTHENTICATE

Type:	`count`
Default:	`0`

LOGIN_STATE_CONFUSED

Type:	`count`
Default:	`3`

LOGIN_STATE_LOGGED_IN

Type:	`count`
Default:	`1`

LOGIN_STATE_SKIP

Type:	`count`
Default:	`2`

PEER_ID_NONE

Type:	`count`
Default:	`0`

Place-holder constant indicating “no peer”.

REMOTE_LOG_ERROR

Type:	`count`
Default:	`2`

Deprecated.

REMOTE_LOG_INFO

Type:	`count`
Default:	`1`

Deprecated.

REMOTE_SRC_CHILD

Type:	`count`
Default:	`1`

Message from the child process.

REMOTE_SRC_PARENT

Type:	`count`
Default:	`2`

Message from the parent process.

REMOTE_SRC_SCRIPT

Type:	`count`
Default:	`3`

Message from a policy script.

RPC_status

Type:	`table` [`rpc_status`] of `string`
Default:

{
   [RPC_SYSTEM_ERR] = "system err",
   [RPC_UNKNOWN_ERROR] = "unknown",
   [RPC_PROG_MISMATCH] = "mismatch",
   [RPC_TIMEOUT] = "timeout",
   [RPC_PROG_UNAVAIL] = "prog unavail",
   [RPC_PROC_UNAVAIL] = "proc unavail",
   [RPC_GARBAGE_ARGS] = "garbage args",
   [RPC_SUCCESS] = "ok",
   [RPC_AUTH_ERROR] = "auth error"
}

Mapping of numerical RPC status codes to readable messages.

SNMP::OBJ_COUNTER32_TAG

Type:	`count`
Default:	`65`

Unsigned 32-bit integer.

SNMP::OBJ_COUNTER64_TAG

Type:	`count`
Default:	`70`

Unsigned 64-bit integer.

SNMP::OBJ_ENDOFMIBVIEW_TAG

Type:	`count`
Default:	`130`

A NULL value.

SNMP::OBJ_INTEGER_TAG

Type:	`count`
Default:	`2`

Signed 64-bit integer.

SNMP::OBJ_IPADDRESS_TAG

Type:	`count`
Default:	`64`

An IP address.

SNMP::OBJ_NOSUCHINSTANCE_TAG

Type:	`count`
Default:	`129`

A NULL value.

SNMP::OBJ_NOSUCHOBJECT_TAG

Type:	`count`
Default:	`128`

A NULL value.

SNMP::OBJ_OCTETSTRING_TAG

Type:	`count`
Default:	`4`

An octet string.

SNMP::OBJ_OID_TAG

Type:	`count`
Default:	`6`

An Object Identifier.

SNMP::OBJ_OPAQUE_TAG

Type:	`count`
Default:	`68`

An octet string.

SNMP::OBJ_TIMETICKS_TAG

Type:	`count`
Default:	`67`

Unsigned 32-bit integer.

SNMP::OBJ_UNSIGNED32_TAG

Type:	`count`
Default:	`66`

Unsigned 32-bit integer.

SNMP::OBJ_UNSPECIFIED_TAG

Type:	`count`
Default:	`5`

A NULL value.

TCP_CLOSED

Type:	`count`
Default:	`5`

Endpoint has closed connection.

TCP_ESTABLISHED

Type:	`count`
Default:	`4`

Endpoint has finished initial handshake regularly.

TCP_INACTIVE

Type:	`count`
Default:	`0`

Endpoint is still inactive.

TCP_PARTIAL

Type:	`count`
Default:	`3`

Endpoint has sent data but no initial SYN.

TCP_RESET

Type:	`count`
Default:	`6`

Endpoint has sent RST.

TCP_SYN_ACK_SENT

Type:	`count`
Default:	`2`

Endpoint has sent SYN/ACK.

TCP_SYN_SENT

Type:	`count`
Default:	`1`

Endpoint has sent SYN.

TH_ACK

Type:	`count`
Default:	`16`

ACK.

TH_FIN

Type:	`count`
Default:	`1`

FIN.

TH_FLAGS

Type:	`count`
Default:	`63`

Mask combining all flags.

TH_PUSH

Type:	`count`
Default:	`8`

PUSH.

TH_RST

Type:	`count`
Default:	`4`

RST.

TH_SYN

Type:	`count`
Default:	`2`

SYN.

TH_URG

Type:	`count`
Default:	`32`

URG.

UDP_ACTIVE

Type:	`count`
Default:	`1`

Endpoint has sent something.

UDP_INACTIVE

Type:	`count`
Default:	`0`

Endpoint is still inactive.

trace_output_file

Type:	`string`
Default:	`""`

Holds the filename of the trace file given with -w (empty if none).

State Variables

capture_filters

Type:	`table` [`string`] of `string`
Attributes:	`&redef`
Default:	`{}`

Set of BPF capture filters to use for capturing, indexed by a user-definable ID (which must be unique). If Bro is not configured with PacketFilter::enable_auto_protocol_capture_filters, all packets matching at least one of the filters in this table (and all in restrict_filters) will be analyzed.

direct_login_prompts

Type:	`set` [`string`]
Attributes:	`&redef`
Default:	`{}`

TODO.

discarder_maxlen

Type:	`count`
Attributes:	`&redef`
Default:	`128`

Maximum length of payload passed to discarder functions.

dns_max_queries

Type:	`count`
Attributes:	`&redef`
Default:	`25`

If a DNS request includes more than this many queries, assume it’s non-DNS traffic and do not process it. Set to 0 to turn off this functionality.

dns_skip_addl

Type:	`set` [`addr`]
Attributes:	`&redef`
Default:	`{}`

For DNS servers in these sets, omit processing the ADDL records they include in their replies.

dns_skip_all_addl

Type:	`bool`
Attributes:	`&redef`
Default:	`F`

If true, all DNS ADDL records are skipped.

dns_skip_all_auth

Type:	`bool`
Attributes:	`&redef`
Default:	`F`

If true, all DNS AUTH records are skipped.

dns_skip_auth

Type:	`set` [`addr`]
Attributes:	`&redef`
Default:	`{}`

For DNS servers in these sets, omit processing the AUTH records they include in their replies.

done_with_network

Type:	`bool`
Default:	`F`

generate_OS_version_event

Type:	`set` [`subnet`]
Attributes:	`&redef`
Default:	`{}`

Defines for which subnets we should do passive fingerprinting.

Types

ConnStats

Type:

record

total_conns: count

current_conns: count

current_conns_extern: count

sess_current_conns: count

num_packets: count

num_fragments: count

max_fragments: count

num_tcp_conns: count: Current number of TCP connections in memory.
max_tcp_conns: count: Maximum number of concurrent TCP connections so far.
cumulative_tcp_conns: count: Total number of TCP connections so far.
num_udp_conns: count: Current number of UDP flows in memory.
max_udp_conns: count: Maximum number of concurrent UDP flows so far.
cumulative_udp_conns: count: Total number of UDP flows so far.
num_icmp_conns: count: Current number of ICMP flows in memory.
max_icmp_conns: count: Maximum number of concurrent ICMP flows so far.
cumulative_icmp_conns: count: Total number of ICMP flows so far.

killed_by_inactivity: count

DNSStats

Type:

record

requests: count: Number of DNS requests made
successful: count: Number of successful DNS replies.
failed: count: Number of DNS reply failures.
pending: count: Current pending queries.
cached_hosts: count: Number of cached hosts.
cached_addresses: count: Number of cached addresses.

Statistics related to Bro’s active use of DNS. These numbers are about Bro performing DNS queries on it’s own, not traffic being seen.

Functions

add_interface

Type:	`function` (iold: `string`, inew: `string`) : `string`

Internal function.

add_signature_file

Type:	`function` (sold: `string`, snew: `string`) : `string`

Internal function.

discarder_check_icmp

Type:	`function` (p: `pkt_hdr`) : `bool`

Function for skipping packets based on their ICMP header. If defined, this function will be called for all ICMP packets before Bro performs any further analysis. If the function signals to discard a packet, no further processing will be performed on it.

P:	The IP and ICMP headers of the considered packet.
Returns:	True if the packet should not be analyzed any further.

Note

This is very low-level functionality and potentially expensive. Avoid using it.

discarder_check_ip

Type:	`function` (p: `pkt_hdr`) : `bool`

Function for skipping packets based on their IP header. If defined, this function will be called for all IP packets before Bro performs any further analysis. If the function signals to discard a packet, no further processing will be performed on it.

P:	The IP header of the considered packet.
Returns:	True if the packet should not be analyzed any further.

Note

This is very low-level functionality and potentially expensive. Avoid using it.

discarder_check_tcp

Type:	`function` (p: `pkt_hdr`, d: `string`) : `bool`

Function for skipping packets based on their TCP header. If defined, this function will be called for all TCP packets before Bro performs any further analysis. If the function signals to discard a packet, no further processing will be performed on it.

P:	The IP and TCP headers of the considered packet.
D:	Up to `discarder_maxlen` bytes of the TCP payload.
Returns:	True if the packet should not be analyzed any further.

Note

This is very low-level functionality and potentially expensive. Avoid using it.

discarder_check_udp

Type:	`function` (p: `pkt_hdr`, d: `string`) : `bool`

Function for skipping packets based on their UDP header. If defined, this function will be called for all UDP packets before Bro performs any further analysis. If the function signals to discard a packet, no further processing will be performed on it.

P:	The IP and UDP headers of the considered packet.
D:	Up to `discarder_maxlen` bytes of the UDP payload.
Returns:	True if the packet should not be analyzed any further.

Note

This is very low-level functionality and potentially expensive. Avoid using it.

log_file_name

Type:	`function` (tag: `string`) : `string`
Attributes:	`&redef`

Deprecated. This is superseded by the new logging framework.

max_count

Type:	`function` (a: `count`, b: `count`) : `count`

Returns maximum of two count values.

A:	First value.
B:	Second value.
Returns:	The maximum of a and b.

max_double

Type:	`function` (a: `double`, b: `double`) : `double`

Returns maximum of two double values.

A:	First value.
B:	Second value.
Returns:	The maximum of a and b.

max_interval

Type:	`function` (a: `interval`, b: `interval`) : `interval`

Returns maximum of two interval values.

A:	First value.
B:	Second value.
Returns:	The maximum of a and b.

min_count

Type:	`function` (a: `count`, b: `count`) : `count`

Returns minimum of two count values.

A:	First value.
B:	Second value.
Returns:	The minimum of a and b.

min_double

Type:	`function` (a: `double`, b: `double`) : `double`

Returns minimum of two double values.

A:	First value.
B:	Second value.
Returns:	The minimum of a and b.

min_interval

Type:	`function` (a: `interval`, b: `interval`) : `interval`

Returns minimum of two interval values.

A:	First value.
B:	Second value.
Returns:	The minimum of a and b.

open_log_file

Type:	`function` (tag: `string`) : `file`
Attributes:	`&redef`

Deprecated. This is superseded by the new logging framework.

base/init-bare.bro

Summary

Options

Constants

State Variables

Types

Functions

Detailed Interface

Options

Constants

State Variables

Types

Functions

Table of Contents

Next Page

Previous Page

Type:	`pkt_profile_modes`
Attributes:	`&redef`
Default:	`PKT_PROFILE_MODE_NONE`

Type:	`table` [`port`] of `bool`
Attributes:	`&redef`
Default:	`{}`

Type:	`table` [`string`] of `event` (filter: `string`, pkt: `pkt_hdr`)
Attributes:	`&redef`
Default:	`{}`

base/init-bare.bro

Summary

Options

Constants

State Variables

Types

Functions

Detailed Interface

Options

Constants

State Variables

Types

Functions

Table of Contents

Next Page

Previous Page

Search