policy/protocols/conn/known-services.bro

Known

This script logs and tracks services. In the case of this script, a service is defined as an IP address and port which has responded to and fully completed a TCP handshake with another host. If a protocol is detected during the session, the protocol will also be logged.

Namespace:	Known
Imports:	base/utils/directions-and-hosts.bro
Source File:	`/scripts/policy/protocols/conn/known-services.bro`

Summary

Options

Known::service_tracking: Host &redef The hosts whose services should be tracked and logged.

State Variables

Known::known_services: set &create_expire = 1.0 day &synchronized Tracks the set of daily-detected services for preventing the logging of duplicates, but can also be inspected by other scripts for different purposes.

Types

Known::ServicesInfo: record The record type which contains the column fields of the known-services log.

Redefinitions

`Log::ID`: `enum`	The known-services logging stream identifier.
`connection`: `record`

Events

Known::log_known_services: event Event that can be handled to access the Known::ServicesInfo record as it is sent on to the logging framework.

Detailed Interface

Options

Known::service_tracking

Type:	`Host`
Attributes:	`&redef`
Default:	`ALL_HOSTS`

The hosts whose services should be tracked and logged. See Host for possible choices.

State Variables

Known::known_services

Type:	`set` [`addr`, `port`]
Attributes:	`&create_expire` = `1.0 day` `&synchronized`
Default:	`{}`

Tracks the set of daily-detected services for preventing the logging of duplicates, but can also be inspected by other scripts for different purposes.

Types

Known::ServicesInfo

Type:

Type:	`record` ts: `time` `&log` The time at which the service was detected. host: `addr` `&log` The host address on which the service is running. port_num: `port` `&log` The port number on which the service is running. port_proto: `transport_proto` `&log` The transport-layer protocol which the service uses. service: `set` [`string`] `&log` A set of protocols that match the service’s connection payloads.

record

ts: time &log: The time at which the service was detected.
host: addr &log: The host address on which the service is running.
port_num: port &log: The port number on which the service is running.
port_proto: transport_proto &log: The transport-layer protocol which the service uses.
service: set [string] &log: A set of protocols that match the service’s connection payloads.

The record type which contains the column fields of the known-services log.

Events

Known::log_known_services

Type:	`event` (rec: `Known::ServicesInfo`)

Event that can be handled to access the Known::ServicesInfo record as it is sent on to the logging framework.

policy/protocols/conn/known-services.bro

Summary

Options

State Variables

Types

Redefinitions

Events

Detailed Interface

Options

State Variables

Types

Events

Table of Contents

Next Page

Previous Page

policy/protocols/conn/known-services.bro

Summary

Options

State Variables

Types

Redefinitions

Events

Detailed Interface

Options

State Variables

Types

Events

Table of Contents

Next Page

Previous Page

Search