Cluster
¶DCE_RPC
¶DHCP
¶GLOBAL
¶JSON
¶KRB
¶MOUNT3
¶NCP
¶NFS3
¶NTLM
¶PE
¶Pcap
¶RADIUS
¶RDP
¶Reporter
¶SMB
¶SMB1
¶SMB2
¶SNMP
¶SOCKS
¶SSH
¶SSL
¶Threading
¶Tunnel
¶Unified2
¶Weird
¶X509
¶Namespaces: | Cluster, DCE_RPC, DHCP, GLOBAL, JSON, KRB, MOUNT3, NCP, NFS3, NTLM, PE, Pcap, RADIUS, RDP, Reporter, SMB, SMB1, SMB2, SNMP, SOCKS, SSH, SSL, Threading, Tunnel, Unified2, Weird, X509 |
---|---|
Imports: | base/bif/bro.bif.bro, base/bif/const.bif.bro, base/bif/event.bif.bro, base/bif/option.bif.bro, base/bif/plugins/Bro_KRB.types.bif.bro, base/bif/plugins/Bro_SNMP.types.bif.bro, base/bif/reporter.bif.bro, base/bif/stats.bif.bro, base/bif/strings.bif.bro, base/bif/types.bif.bro |
Source File: | /scripts/base/init-bare.bro |
Weird::sampling_duration : interval &redef |
How long a weird of a given type is allowed to keep state/counters in memory. |
Weird::sampling_rate : count &redef |
The rate-limiting sampling rate. |
Weird::sampling_threshold : count &redef |
How many weirds of a given type to tolerate before sampling begins. |
Weird::sampling_whitelist : set &redef |
Prevents rate-limiting sampling of any weirds named in the table. |
default_file_bof_buffer_size : count &redef |
Default amount of bytes that file analysis will buffer in order to use for mime type matching. |
default_file_timeout_interval : interval &redef |
Default amount of time a file can be inactive before the file analysis gives up and discards any internal state related to the file. |
DCE_RPC::max_cmd_reassembly : count &redef |
The maximum number of simultaneous fragmented commands that the DCE_RPC analyzer will tolerate before the it will generate a weird and skip further input. |
DCE_RPC::max_frag_data : count &redef |
The maximum number of fragmented bytes that the DCE_RPC analyzer will tolerate on a command before the analyzer will generate a weird and skip further input. |
KRB::keytab : string &redef |
Kerberos keytab file name. |
NCP::max_frame_size : count &redef |
The maximum number of bytes to allocate when parsing NCP frames. |
NFS3::return_data : bool &redef |
If true, nfs_proc_read and nfs_proc_write
events return the file data that has been read/written. |
NFS3::return_data_first_only : bool &redef |
If NFS3::return_data is true, whether to only return data
if the read or write offset is 0, i.e., only return data for the
beginning of the file. |
NFS3::return_data_max : count &redef |
If NFS3::return_data is true, how much data should be
returned at most. |
Pcap::bufsize : count &redef |
Number of Mbytes to provide as buffer space when capturing from live interfaces. |
Pcap::snaplen : count &redef |
Number of bytes per packet to capture from live interfaces. |
Reporter::errors_to_stderr : bool &redef |
Tunable for sending reporter error messages to STDERR. |
Reporter::info_to_stderr : bool &redef |
Tunable for sending reporter info messages to STDERR. |
Reporter::warnings_to_stderr : bool &redef |
Tunable for sending reporter warning messages to STDERR. |
SMB::pipe_filenames : set &redef |
A set of file names used as named pipes over SMB. |
Threading::heartbeat_interval : interval &redef |
The heartbeat interval used by the threading framework. |
Tunnel::delay_gtp_confirmation : bool &redef |
With this set, the GTP analyzer waits until the most-recent upflow
and downflow packets are a valid GTPv1 encapsulation before
issuing protocol_confirmation . |
Tunnel::delay_teredo_confirmation : bool &redef |
With this set, the Teredo analyzer waits until it sees both sides
of a connection using a valid Teredo encapsulation before issuing
a protocol_confirmation . |
Tunnel::enable_ayiya : bool &redef |
Toggle whether to do IPv{4,6}-in-AYIYA decapsulation. |
Tunnel::enable_gre : bool &redef |
Toggle whether to do GRE decapsulation. |
Tunnel::enable_gtpv1 : bool &redef |
Toggle whether to do GTPv1 decapsulation. |
Tunnel::enable_ip : bool &redef |
Toggle whether to do IPv{4,6}-in-IPv{4,6} decapsulation. |
Tunnel::enable_teredo : bool &redef |
Toggle whether to do IPv6-in-Teredo decapsulation. |
Tunnel::ip_tunnel_timeout : interval &redef |
How often to cleanup internal state for inactive IP tunnels (includes GRE tunnels). |
Tunnel::max_depth : count &redef |
The maximum depth of a tunnel to decapsulate until giving up. |
backdoor_stat_backoff : double &redef |
Deprecated. |
backdoor_stat_period : interval &redef |
Deprecated. |
bits_per_uid : count &redef |
Number of bits in UIDs that are generated to identify connections and files. |
check_for_unused_event_handlers : bool &redef |
If true, warns about unused event handlers at startup. |
chunked_io_buffer_soft_cap : count &redef |
The number of IO chunks allowed to be buffered between the child and parent process of remote communication before Bro starts dropping connections to remote peers in an attempt to catch up. |
cmd_line_bpf_filter : string &redef |
BPF filter the user has set via the -f command line options. |
detect_filtered_trace : bool &redef |
Whether to attempt to automatically detect SYN/FIN/RST-filtered trace and not report missing segments for such connections. |
dns_resolver : addr &redef |
The address of the DNS resolver to use. |
dns_session_timeout : interval &redef |
Time to wait before timing out a DNS request. |
dpd_buffer_size : count &redef |
Size of per-connection buffer used for dynamic protocol detection. |
dpd_ignore_ports : bool &redef |
If true, don’t consider any ports for deciding which protocol analyzer to use. |
dpd_match_only_beginning : bool &redef |
If true, stops signature matching if dpd_buffer_size has been
reached. |
dpd_reassemble_first_packets : bool &redef |
Reassemble the beginning of all TCP connections before doing signature matching. |
enable_syslog : bool &redef |
Deprecated. |
encap_hdr_size : count &redef |
If positive, indicates the encapsulation header size that should be skipped. |
exit_only_after_terminate : bool &redef |
Flag to prevent Bro from exiting automatically when input is exhausted. |
expensive_profiling_multiple : count &redef |
Multiples of profiling_interval at which (more expensive) memory
profiling is done (0 disables). |
forward_remote_events : bool &redef |
If true, broadcast events received from one peer to all other peers. |
forward_remote_state_changes : bool &redef |
If true, broadcast state updates received from one peer to all other peers. |
frag_timeout : interval &redef |
How long to hold onto fragments for possible reassembly. |
global_hash_seed : string &redef |
Seed for hashes computed internally for probabilistic data structures. |
icmp_inactivity_timeout : interval &redef |
If an ICMP flow is inactive, time it out after this interval. |
ignore_checksums : bool &redef |
If true, don’t verify checksums. |
ignore_keep_alive_rexmit : bool &redef |
Ignore certain TCP retransmissions for conn_stats . |
interconn_default_pkt_size : count &redef |
Deprecated. |
interconn_max_interarrival : interval &redef |
Deprecated. |
interconn_max_keystroke_pkt_size : count &redef |
Deprecated. |
interconn_min_interarrival : interval &redef |
Deprecated. |
interconn_stat_backoff : double &redef |
Deprecated. |
interconn_stat_period : interval &redef |
Deprecated. |
likely_server_ports : set &redef |
Ports which the core considers being likely used by servers. |
log_encryption_key : string &redef |
Deprecated. |
log_max_size : double &redef |
Deprecated. |
log_rotate_base_time : string &redef |
Deprecated. |
log_rotate_interval : interval &redef |
Deprecated. |
max_files_in_cache : count &redef |
The maximum number of open files to keep cached at a given time. |
max_remote_events_processed : count &redef |
With a similar trade-off, this gives the number of remote events to process in a batch before interleaving other activity. |
max_timer_expires : count &redef |
The maximum number of timers to expire after processing each new packet. |
mmdb_dir : string &redef |
The directory containing MaxMind DB (.mmdb) files to use for GeoIP support. |
non_analyzed_lifetime : interval &redef |
If a connection belongs to an application that we don’t analyze, time it out after this interval. |
ntp_session_timeout : interval &redef |
Time to wait before timing out an NTP request. |
old_comm_usage_is_ok : bool &redef |
Whether usage of the old communication system is considered an error or not. |
packet_filter_default : bool &redef |
Default mode for Bro’s user-space dynamic packet filter. |
partial_connection_ok : bool &redef |
If true, instantiate connection state when a partial connection (one missing its initial establishment negotiation) is seen. |
passive_fingerprint_file : string &redef |
p0f fingerprint file to use. |
peer_description : string &redef |
Description transmitted to remote communication peers for identification. |
pkt_profile_freq : double &redef |
Frequency associated with packet profiling. |
pkt_profile_mode : pkt_profile_modes &redef |
Output mode for packet profiling information. |
profiling_interval : interval &redef |
Update interval for profiling (0 disables). |
record_all_packets : bool &redef |
If a trace file is given with -w , dump all packets seen by Bro into it. |
remote_check_sync_consistency : bool &redef |
Whether for &synchronized state to send the old value as a
consistency check. |
remote_trace_sync_interval : interval &redef |
Synchronize trace processing at a regular basis in pseudo-realtime mode. |
remote_trace_sync_peers : count &redef |
Number of peers across which to synchronize trace processing in pseudo-realtime mode. |
report_gaps_for_partial : bool &redef |
Whether we want content_gap for partial
connections. |
rpc_timeout : interval &redef |
Time to wait before timing out an RPC request. |
segment_profiling : bool &redef |
If true, then write segment profiling information (very high volume!) in addition to profiling statistics. |
sig_max_group_size : count &redef |
Maximum size of regular expression groups for signature matching. |
skip_http_data : bool &redef |
Skip HTTP data for performance considerations. |
ssl_ca_certificate : string &redef |
The CA certificate file to authorize remote Bros/Broccolis. |
ssl_passphrase : string &redef |
The passphrase for our private key. |
ssl_private_key : string &redef |
File containing our private key and our certificate. |
state_dir : string &redef |
Specifies a directory for Bro to store its persistent state. |
state_write_delay : interval &redef |
Length of the delays inserted when storing state incrementally. |
stp_delta : interval &redef |
Internal to the stepping stone detector. |
stp_idle_min : interval &redef |
Internal to the stepping stone detector. |
suppress_local_output : bool &redef |
Deprecated. |
table_expire_delay : interval &redef |
When expiring table entries, wait this amount of time before checking the next chunk of entries. |
table_expire_interval : interval &redef |
Check for expired table entries after this amount of time. |
table_incremental_step : count &redef |
When expiring/serializing table entries, don’t work on more than this many table entries at a time. |
tcp_SYN_ack_ok : bool &redef |
If true, instantiate connection state when a SYN/ACK is seen but not the
initial SYN (even if partial_connection_ok is false). |
tcp_SYN_timeout : interval &redef |
Check up on the result of an initial SYN after this much time. |
tcp_attempt_delay : interval &redef |
Wait this long upon seeing an initial SYN before timing out the connection attempt. |
tcp_close_delay : interval &redef |
Upon seeing a normal connection close, flush state after this much time. |
tcp_connection_linger : interval &redef |
When checking a closed connection for further activity, consider it inactive if there hasn’t been any for this long. |
tcp_content_deliver_all_orig : bool &redef |
If true, all TCP originator-side traffic is reported via
tcp_contents . |
tcp_content_deliver_all_resp : bool &redef |
If true, all TCP responder-side traffic is reported via
tcp_contents . |
tcp_content_delivery_ports_orig : table &redef |
Defines destination TCP ports for which the contents of the originator stream
should be delivered via tcp_contents . |
tcp_content_delivery_ports_resp : table &redef |
Defines destination TCP ports for which the contents of the responder stream
should be delivered via tcp_contents . |
tcp_excessive_data_without_further_acks : count &redef |
If we’ve seen this much data without any of it being acked, we give up on that connection to avoid memory exhaustion due to buffering all that stuff. |
tcp_inactivity_timeout : interval &redef |
If a TCP connection is inactive, time it out after this interval. |
tcp_match_undelivered : bool &redef |
If true, pass any undelivered to the signature engine before flushing the state. |
tcp_max_above_hole_without_any_acks : count &redef |
If we’re not seeing our peer’s ACKs, the maximum volume of data above a sequence hole that we’ll tolerate before assuming that there’s been a packet drop and we should give up on tracking a connection. |
tcp_max_initial_window : count &redef |
Maximum amount of data that might plausibly be sent in an initial flight (prior to receiving any acks). |
tcp_max_old_segments : count &redef |
Number of TCP segments to buffer beyond what’s been acknowledged already to detect retransmission inconsistencies. |
tcp_partial_close_delay : interval &redef |
Generate a connection_partial_close event this much time after one
half of a partial connection closes, assuming there has been no subsequent
activity. |
tcp_reassembler_ports_orig : set &redef |
For services without a handler, these sets define originator-side ports that still trigger reassembly. |
tcp_reassembler_ports_resp : set &redef |
For services without a handler, these sets define responder-side ports that still trigger reassembly. |
tcp_reset_delay : interval &redef |
Upon seeing a RST, flush state after this much time. |
tcp_session_timer : interval &redef |
After a connection has closed, wait this long for further activity before checking whether to time out its state. |
tcp_storm_interarrival_thresh : interval &redef |
FINs/RSTs must come with this much time or less between them to be considered a “storm”. |
tcp_storm_thresh : count &redef |
Number of FINs/RSTs in a row that constitute a “storm”. |
time_machine_profiling : bool &redef |
If true, output profiling for Time-Machine queries. |
timer_mgr_inactivity_timeout : interval &redef |
Per-incident timer managers are drained after this amount of inactivity. |
truncate_http_URI : int &redef |
Maximum length of HTTP URIs passed to events. |
udp_content_deliver_all_orig : bool &redef |
If true, all UDP originator-side traffic is reported via
udp_contents . |
udp_content_deliver_all_resp : bool &redef |
If true, all UDP responder-side traffic is reported via
udp_contents . |
udp_content_delivery_ports_orig : table &redef |
Defines UDP destination ports for which the contents of the originator stream
should be delivered via udp_contents . |
udp_content_delivery_ports_resp : table &redef |
Defines UDP destination ports for which the contents of the responder stream
should be delivered via udp_contents . |
udp_inactivity_timeout : interval &redef |
If a UDP flow is inactive, time it out after this interval. |
use_conn_size_analyzer : bool &redef |
Whether to use the ConnSize analyzer to count the number of packets and
IP-level bytes transferred by each endpoint. |
watchdog_interval : interval &redef |
Bro’s watchdog interval. |
CONTENTS_BOTH : count |
Record both originator and responder contents. |
CONTENTS_NONE : count |
Turn off recording of contents. |
CONTENTS_ORIG : count |
Record originator contents. |
CONTENTS_RESP : count |
Record responder contents. |
DNS_ADDL : count |
An additional record. |
DNS_ANS : count |
An answer record. |
DNS_AUTH : count |
An authoritative record. |
DNS_QUERY : count |
A query. |
ENDIAN_BIG : count |
Big endian. |
ENDIAN_CONFUSED : count |
Tried to determine endian, but failed. |
ENDIAN_LITTLE : count |
Little endian. |
ENDIAN_UNKNOWN : count |
Endian not yet determined. |
ICMP_UNREACH_ADMIN_PROHIB : count |
Administratively prohibited. |
ICMP_UNREACH_HOST : count |
Host unreachable. |
ICMP_UNREACH_NEEDFRAG : count |
Fragment needed. |
ICMP_UNREACH_NET : count |
Network unreachable. |
ICMP_UNREACH_PORT : count |
Port unreachable. |
ICMP_UNREACH_PROTOCOL : count |
Protocol unreachable. |
IPPROTO_AH : count |
IPv6 authentication header. |
IPPROTO_DSTOPTS : count |
IPv6 destination options header. |
IPPROTO_ESP : count |
IPv6 encapsulating security payload header. |
IPPROTO_FRAGMENT : count |
IPv6 fragment header. |
IPPROTO_HOPOPTS : count |
IPv6 hop-by-hop-options header. |
IPPROTO_ICMP : count |
Control message protocol. |
IPPROTO_ICMPV6 : count |
ICMP for IPv6. |
IPPROTO_IGMP : count |
Group management protocol. |
IPPROTO_IP : count |
Dummy for IP. |
IPPROTO_IPIP : count |
IP encapsulation in IP. |
IPPROTO_IPV6 : count |
IPv6 header. |
IPPROTO_MOBILITY : count |
IPv6 mobility header. |
IPPROTO_NONE : count |
IPv6 no next header. |
IPPROTO_RAW : count |
Raw IP packet. |
IPPROTO_ROUTING : count |
IPv6 routing header. |
IPPROTO_TCP : count |
TCP. |
IPPROTO_UDP : count |
User datagram protocol. |
LOGIN_STATE_AUTHENTICATE : count |
|
LOGIN_STATE_CONFUSED : count |
|
LOGIN_STATE_LOGGED_IN : count |
|
LOGIN_STATE_SKIP : count |
|
PEER_ID_NONE : count |
Place-holder constant indicating “no peer”. |
REMOTE_LOG_ERROR : count |
Deprecated. |
REMOTE_LOG_INFO : count |
Deprecated. |
REMOTE_SRC_CHILD : count |
Message from the child process. |
REMOTE_SRC_PARENT : count |
Message from the parent process. |
REMOTE_SRC_SCRIPT : count |
Message from a policy script. |
RPC_status : table |
Mapping of numerical RPC status codes to readable messages. |
SNMP::OBJ_COUNTER32_TAG : count |
Unsigned 32-bit integer. |
SNMP::OBJ_COUNTER64_TAG : count |
Unsigned 64-bit integer. |
SNMP::OBJ_ENDOFMIBVIEW_TAG : count |
A NULL value. |
SNMP::OBJ_INTEGER_TAG : count |
Signed 64-bit integer. |
SNMP::OBJ_IPADDRESS_TAG : count |
An IP address. |
SNMP::OBJ_NOSUCHINSTANCE_TAG : count |
A NULL value. |
SNMP::OBJ_NOSUCHOBJECT_TAG : count |
A NULL value. |
SNMP::OBJ_OCTETSTRING_TAG : count |
An octet string. |
SNMP::OBJ_OID_TAG : count |
An Object Identifier. |
SNMP::OBJ_OPAQUE_TAG : count |
An octet string. |
SNMP::OBJ_TIMETICKS_TAG : count |
Unsigned 32-bit integer. |
SNMP::OBJ_UNSIGNED32_TAG : count |
Unsigned 32-bit integer. |
SNMP::OBJ_UNSPECIFIED_TAG : count |
A NULL value. |
TCP_CLOSED : count |
Endpoint has closed connection. |
TCP_ESTABLISHED : count |
Endpoint has finished initial handshake regularly. |
TCP_INACTIVE : count |
Endpoint is still inactive. |
TCP_PARTIAL : count |
Endpoint has sent data but no initial SYN. |
TCP_RESET : count |
Endpoint has sent RST. |
TCP_SYN_ACK_SENT : count |
Endpoint has sent SYN/ACK. |
TCP_SYN_SENT : count |
Endpoint has sent SYN. |
TH_ACK : count |
ACK. |
TH_FIN : count |
FIN. |
TH_FLAGS : count |
Mask combining all flags. |
TH_PUSH : count |
PUSH. |
TH_RST : count |
RST. |
TH_SYN : count |
SYN. |
TH_URG : count |
URG. |
UDP_ACTIVE : count |
Endpoint has sent something. |
UDP_INACTIVE : count |
Endpoint is still inactive. |
trace_output_file : string |
Holds the filename of the trace file given with -w (empty if none). |
capture_filters : table &redef |
Set of BPF capture filters to use for capturing, indexed by a user-definable ID (which must be unique). |
direct_login_prompts : set &redef |
TODO. |
discarder_maxlen : count &redef |
Maximum length of payload passed to discarder functions. |
dns_max_queries : count &redef |
If a DNS request includes more than this many queries, assume it’s non-DNS traffic and do not process it. |
dns_skip_addl : set &redef |
For DNS servers in these sets, omit processing the ADDL records they include in their replies. |
dns_skip_all_addl : bool &redef |
If true, all DNS ADDL records are skipped. |
dns_skip_all_auth : bool &redef |
If true, all DNS AUTH records are skipped. |
dns_skip_auth : set &redef |
For DNS servers in these sets, omit processing the AUTH records they include in their replies. |
done_with_network : bool |
|
generate_OS_version_event : set &redef |
Defines for which subnets we should do passive fingerprinting. |
http_entity_data_delivery_size : count &redef |
Maximum number of HTTP entity data delivered to events. |
interfaces : string &add_func = add_interface &redef |
Network interfaces to listen on. |
irc_servers : set &redef |
Deprecated. |
load_sample_freq : count &redef |
Rate at which to generate load_sample events. |
login_failure_msgs : set &redef |
TODO. |
login_non_failure_msgs : set &redef |
TODO. |
login_prompts : set &redef |
TODO. |
login_success_msgs : set &redef |
TODO. |
login_timeouts : set &redef |
TODO. |
mime_segment_length : count &redef |
The length of MIME data segments delivered to handlers of
mime_segment_data . |
mime_segment_overlap_length : count &redef |
The number of bytes of overlap between successive segments passed to
mime_segment_data . |
pkt_profile_file : file &redef |
File where packet profiles are logged. |
profiling_file : file &redef |
Write profiling info into this file in regular intervals. |
restrict_filters : table &redef |
Set of BPF filters to restrict capturing, indexed by a user-definable ID (which must be unique). |
secondary_filters : table &redef |
Definition of “secondary filters”. |
signature_files : string &add_func = add_signature_file &redef |
Signature files to read. |
skip_authentication : set &redef |
TODO. |
stp_skip_src : set &redef |
Internal to the stepping stone detector. |
BrokerStats : record |
Statistics about Broker communication. |
Cluster::Pool : record |
A pool used for distributing data/work among a set of cluster nodes. |
ConnStats : record |
|
DHCP::Addrs : vector |
A list of addresses offered by a DHCP server. |
DHCP::ClientFQDN : record |
DHCP Client FQDN Option information (Option 81) |
DHCP::ClientID : record |
DHCP Client Identifier (Option 61) .. |
DHCP::Msg : record |
A DHCP message. |
DHCP::Options : record |
|
DHCP::SubOpt : record |
DHCP Relay Agent Information Option (Option 82) .. |
DHCP::SubOpts : vector |
|
DNSStats : record |
Statistics related to Bro’s active use of DNS. |
EncapsulatingConnVector : vector |
A type alias for a vector of encapsulating “connections”, i.e. |
EventStats : record |
|
FileAnalysisStats : record |
Statistics of file analysis. |
GapStats : record |
Statistics about number of gaps in TCP connections. |
IPAddrAnonymization : enum |
Deprecated. |
IPAddrAnonymizationClass : enum |
Deprecated. |
JSON::TimestampFormat : enum |
|
KRB::AP_Options : record |
AP Options. |
KRB::Error_Msg : record |
The data from the ERROR_MSG message. |
KRB::Host_Address : record |
A Kerberos host address See RFC 4120. |
KRB::Host_Address_Vector : vector |
|
KRB::KDC_Options : record |
KDC Options. |
KRB::KDC_Request : record |
The data from the AS_REQ and TGS_REQ messages. |
KRB::KDC_Response : record |
The data from the AS_REQ and TGS_REQ messages. |
KRB::SAFE_Msg : record |
The data from the SAFE message. |
KRB::Ticket : record |
A Kerberos ticket. |
KRB::Ticket_Vector : vector |
|
KRB::Type_Value : record |
Used in a few places in the Kerberos analyzer for elements that have a type and a string value. |
KRB::Type_Value_Vector : vector |
|
MOUNT3::dirmntargs_t : record |
MOUNT mnt arguments. |
MOUNT3::info_t : record |
Record summarizing the general results and status of MOUNT3 request/reply pairs. |
MOUNT3::mnt_reply_t : record |
MOUNT lookup reply. |
MatcherStats : record |
Statistics of all regular expression matchers. |
ModbusCoils : vector |
A vector of boolean values that indicate the setting for a range of modbus coils. |
ModbusHeaders : record |
|
ModbusRegisters : vector |
A vector of count values that represent 16bit modbus register values. |
NFS3::delobj_reply_t : record |
NFS reply for remove, rmdir. |
NFS3::direntry_t : record |
NFS direntry. |
NFS3::direntry_vec_t : vector |
Vector of NFS direntry. |
NFS3::diropargs_t : record |
NFS readdir arguments. |
NFS3::fattr_t : record |
NFS file attributes. |
NFS3::fsstat_t : record |
NFS fsstat. |
NFS3::info_t : record |
Record summarizing the general results and status of NFSv3 request/reply pairs. |
NFS3::link_reply_t : record |
NFS link reply. |
NFS3::linkargs_t : record |
NFS link arguments. |
NFS3::lookup_reply_t : record |
NFS lookup reply. |
NFS3::newobj_reply_t : record |
NFS reply for create, mkdir, and symlink. |
NFS3::read_reply_t : record |
NFS read reply. |
NFS3::readargs_t : record |
NFS read arguments. |
NFS3::readdir_reply_t : record |
NFS readdir reply. |
NFS3::readdirargs_t : record |
NFS readdir arguments. |
NFS3::readlink_reply_t : record |
NFS readline reply. |
NFS3::renameobj_reply_t : record |
NFS reply for rename. |
NFS3::renameopargs_t : record |
NFS rename arguments. |
NFS3::sattr_reply_t : record |
NFS sattr reply. |
NFS3::sattr_t : record |
NFS file attributes. |
NFS3::sattrargs_t : record |
NFS sattr arguments. |
NFS3::symlinkargs_t : record |
NFS symlink arguments. |
NFS3::symlinkdata_t : record |
NFS symlinkdata attributes. |
NFS3::wcc_attr_t : record |
NFS wcc attributes. |
NFS3::write_reply_t : record |
NFS write reply. |
NFS3::writeargs_t : record |
NFS write arguments. |
NTLM::AVs : record |
|
NTLM::Authenticate : record |
|
NTLM::Challenge : record |
|
NTLM::Negotiate : record |
|
NTLM::NegotiateFlags : record |
|
NTLM::Version : record |
|
NetStats : record |
Packet capture statistics. |
OS_version : record |
Passive fingerprinting match. |
OS_version_inference : enum |
Quality of passive fingerprinting matches. |
PE::DOSHeader : record |
|
PE::FileHeader : record |
|
PE::OptionalHeader : record |
|
PE::SectionHeader : record |
Record for Portable Executable (PE) section headers. |
PcapFilterID : enum |
Enum type identifying dynamic BPF filters. |
ProcStats : record |
Statistics about Bro’s process. |
RADIUS::AttributeList : vector |
|
RADIUS::Attributes : table |
|
RADIUS::Message : record |
|
RDP::ClientCoreData : record |
|
RDP::EarlyCapabilityFlags : record |
|
ReassemblerStats : record |
Holds statistics for all types of reassembly. |
ReporterStats : record |
Statistics about reporter messages and weirds. |
SMB1::Find_First2_Request_Args : record |
|
SMB1::Find_First2_Response_Args : record |
|
SMB1::Header : record |
An SMB1 header. |
SMB1::NegotiateCapabilities : record |
|
SMB1::NegotiateRawMode : record |
|
SMB1::NegotiateResponse : record |
|
SMB1::NegotiateResponseCore : record |
|
SMB1::NegotiateResponseLANMAN : record |
|
SMB1::NegotiateResponseNTLM : record |
|
SMB1::NegotiateResponseSecurity : record |
|
SMB1::SessionSetupAndXCapabilities : record |
|
SMB1::SessionSetupAndXRequest : record |
|
SMB1::SessionSetupAndXResponse : record |
|
SMB1::Trans2_Args : record |
|
SMB1::Trans2_Sec_Args : record |
|
SMB1::Trans_Sec_Args : record |
|
SMB2::CloseResponse : record |
The response to an SMB2 close request, which is used by the client to close an instance of a file that was opened previously. |
SMB2::CreateRequest : record |
The request sent by the client to request either creation of or access to a file. |
SMB2::CreateResponse : record |
The response to an SMB2 create_request request, which is sent by the client to request either creation of or access to a file. |
SMB2::FileAttrs : record |
A series of boolean flags describing basic and extended file attributes for SMB2. |
SMB2::GUID : record |
An SMB2 globally unique identifier which identifies a file. |
SMB2::Header : record |
An SMB2 header. |
SMB2::NegotiateResponse : record |
The response to an SMB2 negotiate request, which is used by tghe client to notify the server what dialects of the SMB2 protocol the client understands. |
SMB2::SessionSetupFlags : record |
A flags field that indicates additional information about the session that’s sent in the session_setup response. |
SMB2::SessionSetupRequest : record |
The request sent by the client to request a new authenticated session within a new or existing SMB 2 Protocol transport connection to the server. |
SMB2::SessionSetupResponse : record |
The response to an SMB2 session_setup request, which is sent by the client to request a new authenticated session within a new or existing SMB 2 Protocol transport connection to the server. |
SMB2::TreeConnectResponse : record |
The response to an SMB2 tree_connect request, which is sent by the client to request access to a particular share on the server. |
SMB::MACTimes : record &log |
MAC times for a file. |
SNMP::Binding : record |
The VarBind data structure from either RFC 1157 or
RFC 3416, which maps an Object Identifier to a value. |
SNMP::Bindings : vector |
A VarBindList data structure from either RFC 1157 or RFC 3416. |
SNMP::BulkPDU : record |
A BulkPDU data structure from RFC 3416. |
SNMP::Header : record |
A generic SNMP header data structure that may include data from any version of SNMP. |
SNMP::HeaderV1 : record |
The top-level message data structure of an SNMPv1 datagram, not including the PDU data. |
SNMP::HeaderV2 : record |
The top-level message data structure of an SNMPv2 datagram, not including the PDU data. |
SNMP::HeaderV3 : record |
The top-level message data structure of an SNMPv3 datagram, not including the PDU data. |
SNMP::ObjectValue : record |
A generic SNMP object value, that may include any of the
valid ObjectSyntax values from RFC 1155 or RFC 3416. |
SNMP::PDU : record |
A PDU data structure from either RFC 1157 or RFC 3416. |
SNMP::ScopedPDU_Context : record |
The ScopedPduData data structure of an SNMPv3 datagram, not
including the PDU data (i.e. |
SNMP::TrapPDU : record |
A Trap-PDU data structure from RFC 1157. |
SOCKS::Address : record &log |
This record is for a SOCKS client or server to provide either a name or an address to represent a desired or established connection. |
SSH::Algorithm_Prefs : record |
The client and server each have some preferences for the algorithms used in each direction. |
SSH::Capabilities : record |
This record lists the preferences of an SSH endpoint for algorithm selection. |
SSL::SignatureAndHashAlgorithm : record |
|
SYN_packet : record |
Fields of a SYN packet. |
ThreadStats : record |
Statistics about threads. |
TimerStats : record |
Statistics of timers. |
Tunnel::EncapsulatingConn : record &log |
Records the identity of an encapsulating parent of a tunneled connection. |
Unified2::IDSEvent : record |
|
Unified2::Packet : record |
|
X509::BasicConstraints : record &log |
|
X509::Certificate : record |
|
X509::Extension : record |
|
X509::Result : record |
Result of an X509 certificate chain verification |
X509::SubjectAlternativeName : record |
|
addr_set : set |
A set of addresses. |
addr_vec : vector |
A vector of addresses. |
any_vec : vector |
A vector of any, used by some builtin functions to store a list of varying types. |
backdoor_endp_stats : record |
Deprecated. |
bittorrent_benc_dir : table |
A table of BitTorrent “benc” values. |
bittorrent_benc_value : record |
BitTorrent “benc” value. |
bittorrent_peer : record |
A BitTorrent peer. |
bittorrent_peer_set : set |
A set of BitTorrent peers. |
bt_tracker_headers : table |
Header table type used by BitTorrent analyzer. |
call_argument : record |
Meta-information about a parameter to a function/event. |
call_argument_vector : vector |
Vector type used to capture parameters of a function/event call. |
conn_id : record &log |
A connection’s identifying 4-tuple of endpoints and ports. |
connection : record |
A connection. |
count_set : set |
A set of counts. |
dns_answer : record |
The general part of a DNS reply. |
dns_dnskey_rr : record |
A DNSSEC DNSKEY record. |
dns_ds_rr : record |
A DNSSEC DS record. |
dns_edns_additional : record |
An additional DNS EDNS record. |
dns_mapping : record |
|
dns_msg : record |
A DNS message. |
dns_nsec3_rr : record |
A DNSSEC NSEC3 record. |
dns_rrsig_rr : record |
A DNSSEC RRSIG record. |
dns_soa : record |
A DNS SOA record. |
dns_tsig_additional : record |
An additional DNS TSIG record. |
endpoint : record |
Statistics about a connection endpoint. |
endpoint_stats : record |
Statistics about what a TCP endpoint sent. |
entropy_test_result : record |
Computed entropy values. |
event_peer : record |
A communication peer. |
fa_file : record &redef |
A file that Bro is analyzing. |
fa_metadata : record |
Metadata that’s been inferred about a particular file. |
files_tag_set : set |
A set of file analyzer tags. |
flow_id : record &log |
The identifying 4-tuple of a uni-directional flow. |
ftp_port : record |
A parsed host/port combination describing server endpoint for an upcoming data transfer. |
geo_location : record &log |
GeoIP location information. |
gtp_access_point_name : string |
|
gtp_cause : count |
|
gtp_charging_characteristics : count |
|
gtp_charging_gateway_addr : addr |
|
gtp_charging_id : count |
|
gtp_create_pdp_ctx_request_elements : record |
|
gtp_create_pdp_ctx_response_elements : record |
|
gtp_delete_pdp_ctx_request_elements : record |
|
gtp_delete_pdp_ctx_response_elements : record |
|
gtp_end_user_addr : record |
|
gtp_gsn_addr : record |
|
gtp_imsi : count |
|
gtp_msisdn : string |
|
gtp_nsapi : count |
|
gtp_omc_id : string |
|
gtp_private_extension : record |
|
gtp_proto_config_options : string |
|
gtp_qos_profile : record |
|
gtp_rai : record |
|
gtp_recovery : count |
|
gtp_reordering_required : bool |
|
gtp_selection_mode : count |
|
gtp_teardown_ind : bool |
|
gtp_teid1 : count |
|
gtp_teid_control_plane : count |
|
gtp_tft : string |
|
gtp_trace_reference : count |
|
gtp_trace_type : count |
|
gtp_trigger_id : string |
|
gtp_update_pdp_ctx_request_elements : record |
|
gtp_update_pdp_ctx_response_elements : record |
|
gtpv1_hdr : record |
A GTPv1 (GPRS Tunneling Protocol) header. |
http_message_stat : record |
HTTP message statistics. |
http_stats_rec : record |
HTTP session statistics. |
icmp6_nd_option : record |
Options extracted from ICMPv6 neighbor discovery messages as specified by RFC 4861. |
icmp6_nd_options : vector |
A type alias for a vector of ICMPv6 neighbor discovery message options. |
icmp6_nd_prefix_info : record |
Values extracted from a Prefix Information option in an ICMPv6 neighbor discovery message as specified by RFC 4861. |
icmp_conn : record |
Specifics about an ICMP conversation. |
icmp_context : record |
Packet context part of an ICMP message. |
icmp_hdr : record |
Values extracted from an ICMP header. |
id_table : table |
Table type used to map script-level identifiers to meta-information describing them. |
index_vec : vector |
A vector of counts, used by some builtin functions to store a list of indices. |
interconn_endp_stats : record |
Deprecated. |
ip4_hdr : record |
Values extracted from an IPv4 header. |
ip6_ah : record |
Values extracted from an IPv6 Authentication extension header. |
ip6_dstopts : record |
Values extracted from an IPv6 Destination options extension header. |
ip6_esp : record |
Values extracted from an IPv6 ESP extension header. |
ip6_ext_hdr : record |
A general container for a more specific IPv6 extension header. |
ip6_ext_hdr_chain : vector |
A type alias for a vector of IPv6 extension headers. |
ip6_fragment : record |
Values extracted from an IPv6 Fragment extension header. |
ip6_hdr : record |
Values extracted from an IPv6 header. |
ip6_hopopts : record |
Values extracted from an IPv6 Hop-by-Hop options extension header. |
ip6_mobility_back : record |
Values extracted from an IPv6 Mobility Binding Acknowledgement message. |
ip6_mobility_be : record |
Values extracted from an IPv6 Mobility Binding Error message. |
ip6_mobility_brr : record |
Values extracted from an IPv6 Mobility Binding Refresh Request message. |
ip6_mobility_bu : record |
Values extracted from an IPv6 Mobility Binding Update message. |
ip6_mobility_cot : record |
Values extracted from an IPv6 Mobility Care-of Test message. |
ip6_mobility_coti : record |
Values extracted from an IPv6 Mobility Care-of Test Init message. |
ip6_mobility_hdr : record |
Values extracted from an IPv6 Mobility header. |
ip6_mobility_hot : record |
Values extracted from an IPv6 Mobility Home Test message. |
ip6_mobility_hoti : record |
Values extracted from an IPv6 Mobility Home Test Init message. |
ip6_mobility_msg : record |
Values extracted from an IPv6 Mobility header’s message data. |
ip6_option : record |
Values extracted from an IPv6 extension header’s (e.g. |
ip6_options : vector |
A type alias for a vector of IPv6 options. |
ip6_routing : record |
Values extracted from an IPv6 Routing extension header. |
irc_join_info : record |
IRC join information. |
irc_join_list : set |
Set of IRC join information. |
l2_hdr : record |
Values extracted from the layer 2 header. |
load_sample_info : set |
|
mime_header_list : table |
A list of MIME headers. |
mime_header_rec : record |
A MIME header key/value pair. |
mime_match : record |
A structure indicating a MIME type and strength of a match against file magic signatures. |
mime_matches : vector |
A vector of file magic signature matches, ordered by strength of the signature, strongest first. |
ntp_msg : record |
An NTP message. |
packet : record |
Deprecated. |
pcap_packet : record |
Policy-level representation of a packet passed on by libpcap. |
peer_id : count |
A locally unique ID identifying a communication peer. |
pkt_hdr : record |
A packet header, consisting of an IP header and transport-layer header. |
pkt_profile_modes : enum |
Output modes for packet profiling information. |
pm_callit_request : record |
An RPC portmapper callit request. |
pm_mapping : record |
An RPC portmapper mapping. |
pm_mappings : table |
Table of RPC portmapper mappings. |
pm_port_request : record |
An RPC portmapper request. |
raw_pkt_hdr : record |
A raw packet header, consisting of L2 header and everything in
pkt_hdr . |
record_field : record |
Meta-information about a record field. |
record_field_table : table |
Table type used to map record field declarations to meta-information describing them. |
rotate_info : record |
Deprecated. |
script_id : record |
Meta-information about a script-level identifier. |
signature_and_hashalgorithm_vec : vector |
A vector of Signature and Hash Algorithms. |
signature_state : record |
Description of a signature match. |
software : record |
|
software_version : record |
|
string_array : table |
An ordered array of strings. |
string_set : set |
A set of strings. |
string_vec : vector |
A vector of strings. |
subnet_vec : vector |
A vector of subnets. |
sw_align : record |
Helper type for return value of Smith-Waterman algorithm. |
sw_align_vec : vector |
Helper type for return value of Smith-Waterman algorithm. |
sw_params : record |
Parameters for the Smith-Waterman algorithm. |
sw_substring : record |
Helper type for return value of Smith-Waterman algorithm. |
sw_substring_vec : vector |
Return type for Smith-Waterman algorithm. |
table_string_of_count : table |
A table of counts indexed by strings. |
table_string_of_string : table |
A table of strings indexed by strings. |
tcp_hdr : record |
Values extracted from a TCP header. |
teredo_auth : record |
A Teredo origin indication header. |
teredo_hdr : record |
A Teredo packet header. |
teredo_origin : record |
A Teredo authentication header. |
transport_proto : enum |
A connection’s transport-layer protocol. |
udp_hdr : record |
Values extracted from a UDP header. |
var_sizes : table |
Table type used to map variable names to their memory allocation. |
x509_opaque_vector : vector |
A vector of x509 opaques. |
add_interface : function |
Internal function. |
add_signature_file : function |
Internal function. |
discarder_check_icmp : function |
Function for skipping packets based on their ICMP header. |
discarder_check_ip : function |
Function for skipping packets based on their IP header. |
discarder_check_tcp : function |
Function for skipping packets based on their TCP header. |
discarder_check_udp : function |
Function for skipping packets based on their UDP header. |
log_file_name : function &redef |
Deprecated. |
max_count : function |
Returns maximum of two count values. |
max_double : function |
Returns maximum of two double values. |
max_interval : function |
Returns maximum of two interval values. |
min_count : function |
Returns minimum of two count values. |
min_double : function |
Returns minimum of two double values. |
min_interval : function |
Returns minimum of two interval values. |
open_log_file : function &redef |
Deprecated. |
Weird::sampling_duration
¶Type: | interval |
---|---|
Attributes: | &redef |
Default: | 10.0 mins |
How long a weird of a given type is allowed to keep state/counters in
memory. For “net” weirds an expiration timer starts per weird name when
first initializing its counter. For “flow” weirds an expiration timer
starts once per src/dst IP pair for the first weird of any name. For
“conn” weirds, counters and expiration timers are kept for the duration
of the connection for each named weird and reset when necessary. E.g.
if a “conn” weird by the name of “foo” is seen more than
Weird::sampling_threshold
times, then an expiration timer
begins for “foo” and upon triggering will reset the counter for “foo”
and unthrottle its rate-limiting until it once again exceeds the
threshold.
Weird::sampling_rate
¶Type: | count |
---|---|
Attributes: | &redef |
Default: | 1000 |
The rate-limiting sampling rate. One out of every of this number of rate-limited weirds of a given type will be allowed to raise events for further script-layer handling. Setting the sampling rate to 0 will disable all output of rate-limited weirds.
Weird::sampling_threshold
¶Type: | count |
---|---|
Attributes: | &redef |
Default: | 25 |
How many weirds of a given type to tolerate before sampling begins. I.e. this many consecutive weirds of a given type will be allowed to raise events for script-layer handling before being rate-limited.
Weird::sampling_whitelist
¶Type: | set [string ] |
---|---|
Attributes: | &redef |
Default: | {} |
Prevents rate-limiting sampling of any weirds named in the table.
DCE_RPC::max_cmd_reassembly
¶Type: | count |
---|---|
Attributes: | &redef |
Default: | 20 |
The maximum number of simultaneous fragmented commands that the DCE_RPC analyzer will tolerate before the it will generate a weird and skip further input.
DCE_RPC::max_frag_data
¶Type: | count |
---|---|
Attributes: | &redef |
Default: | 30000 |
The maximum number of fragmented bytes that the DCE_RPC analyzer will tolerate on a command before the analyzer will generate a weird and skip further input.
KRB::keytab
¶Type: | string |
---|---|
Attributes: | &redef |
Default: | "" |
Kerberos keytab file name. Used to decrypt tickets encountered on the wire.
NCP::max_frame_size
¶Type: | count |
---|---|
Attributes: | &redef |
Default: | 65536 |
The maximum number of bytes to allocate when parsing NCP frames.
NFS3::return_data
¶Type: | bool |
---|---|
Attributes: | &redef |
Default: | F |
If true, nfs_proc_read
and nfs_proc_write
events return the file data that has been read/written.
See also: NFS3::return_data_max
, NFS3::return_data_first_only
NFS3::return_data_first_only
¶Type: | bool |
---|---|
Attributes: | &redef |
Default: | T |
If NFS3::return_data
is true, whether to only return data
if the read or write offset is 0, i.e., only return data for the
beginning of the file.
NFS3::return_data_max
¶Type: | count |
---|---|
Attributes: | &redef |
Default: | 512 |
If NFS3::return_data
is true, how much data should be
returned at most.
Pcap::bufsize
¶Type: | count |
---|---|
Attributes: | &redef |
Default: | 128 |
Number of Mbytes to provide as buffer space when capturing from live interfaces.
Pcap::snaplen
¶Type: | count |
---|---|
Attributes: | &redef |
Default: | 9216 |
Number of bytes per packet to capture from live interfaces.
Reporter::errors_to_stderr
¶Type: | bool |
---|---|
Attributes: | &redef |
Default: | T |
Tunable for sending reporter error messages to STDERR. The option to turn it off is presented here in case Bro is being run by some external harness and shouldn’t output anything to the console.
Reporter::info_to_stderr
¶Type: | bool |
---|---|
Attributes: | &redef |
Default: | T |
Tunable for sending reporter info messages to STDERR. The option to turn it off is presented here in case Bro is being run by some external harness and shouldn’t output anything to the console.
Reporter::warnings_to_stderr
¶Type: | bool |
---|---|
Attributes: | &redef |
Default: | T |
Tunable for sending reporter warning messages to STDERR. The option to turn it off is presented here in case Bro is being run by some external harness and shouldn’t output anything to the console.
SMB::pipe_filenames
¶Type: | set [string ] |
---|---|
Attributes: | &redef |
Default: |
{
"lsarpc",
"wkssvc",
"srvsvc",
"MsFteWds",
"samr",
"netdfs",
"spoolss",
"winreg"
}
A set of file names used as named pipes over SMB. This only comes into play as a heuristic to identify named pipes when the drive mapping wasn’t seen by Bro.
See also: smb_pipe_connect_heuristic
Threading::heartbeat_interval
¶Type: | interval |
---|---|
Attributes: | &redef |
Default: | 1.0 sec |
The heartbeat interval used by the threading framework. Changing this should usually not be necessary and will break several tests.
Tunnel::delay_gtp_confirmation
¶Type: | bool |
---|---|
Attributes: | &redef |
Default: | F |
With this set, the GTP analyzer waits until the most-recent upflow
and downflow packets are a valid GTPv1 encapsulation before
issuing protocol_confirmation
. If it’s false, the
first occurrence of a packet with valid GTPv1 encapsulation causes
confirmation. Since the same inner connection can be carried
differing outer upflow/downflow connections, setting to false
may work better.
Tunnel::delay_teredo_confirmation
¶Type: | bool |
---|---|
Attributes: | &redef |
Default: | T |
With this set, the Teredo analyzer waits until it sees both sides
of a connection using a valid Teredo encapsulation before issuing
a protocol_confirmation
. If it’s false, the first
occurrence of a packet with valid Teredo encapsulation causes a
confirmation.
Tunnel::enable_ayiya
¶Type: | bool |
---|---|
Attributes: | &redef |
Default: | T |
Toggle whether to do IPv{4,6}-in-AYIYA decapsulation.
Tunnel::enable_gtpv1
¶Type: | bool |
---|---|
Attributes: | &redef |
Default: | T |
Toggle whether to do GTPv1 decapsulation.
Tunnel::enable_ip
¶Type: | bool |
---|---|
Attributes: | &redef |
Default: | T |
Toggle whether to do IPv{4,6}-in-IPv{4,6} decapsulation.
Tunnel::enable_teredo
¶Type: | bool |
---|---|
Attributes: | &redef |
Default: | T |
Toggle whether to do IPv6-in-Teredo decapsulation.
Tunnel::ip_tunnel_timeout
¶Type: | interval |
---|---|
Attributes: | &redef |
Default: | 1.0 day |
How often to cleanup internal state for inactive IP tunnels (includes GRE tunnels).
Tunnel::max_depth
¶Type: | count |
---|---|
Attributes: | &redef |
Default: | 2 |
The maximum depth of a tunnel to decapsulate until giving up. Setting this to zero will disable all types of tunnel decapsulation.
bits_per_uid
¶Type: | count |
---|---|
Attributes: | &redef |
Default: | 96 |
Number of bits in UIDs that are generated to identify connections and files. The larger the value, the more confidence in UID uniqueness. The maximum is currently 128 bits.
check_for_unused_event_handlers
¶Type: | bool |
---|---|
Attributes: | &redef |
Default: | F |
If true, warns about unused event handlers at startup.
chunked_io_buffer_soft_cap
¶Type: | count |
---|---|
Attributes: | &redef |
Default: | 800000 |
The number of IO chunks allowed to be buffered between the child and parent process of remote communication before Bro starts dropping connections to remote peers in an attempt to catch up.
cmd_line_bpf_filter
¶Type: | string |
---|---|
Attributes: | &redef |
Default: | "" |
BPF filter the user has set via the -f command line options. Empty if none.
detect_filtered_trace
¶Type: | bool |
---|---|
Attributes: | &redef |
Default: | F |
Whether to attempt to automatically detect SYN/FIN/RST-filtered trace
and not report missing segments for such connections.
If this is enabled, then missing data at the end of connections may not
be reported via content_gap
.
dns_resolver
¶Type: | addr |
---|---|
Attributes: | &redef |
Default: | :: |
The address of the DNS resolver to use. If not changed from the
unspecified address, [::]
, the first nameserver from /etc/resolv.conf
gets used (IPv6 is currently only supported if set via this option, not
when parsed from the file).
dns_session_timeout
¶Type: | interval |
---|---|
Attributes: | &redef |
Default: | 10.0 secs |
Time to wait before timing out a DNS request.
dpd_buffer_size
¶Type: | count |
---|---|
Attributes: | &redef |
Default: | 1024 |
Size of per-connection buffer used for dynamic protocol detection. For each connection, Bro buffers this initial amount of payload in memory so that complete protocol analysis can start even after the initial packets have already passed through (i.e., when a DPD signature matches only later). However, once the buffer is full, data is deleted and lost to analyzers that are activated afterwards. Then only analyzers that can deal with partial connections will be able to analyze the session.
See also: dpd_reassemble_first_packets
, dpd_match_only_beginning
, dpd_ignore_ports
dpd_ignore_ports
¶Type: | bool |
---|---|
Attributes: | &redef |
Default: | F |
If true, don’t consider any ports for deciding which protocol analyzer to use.
See also: dpd_reassemble_first_packets
, dpd_buffer_size
, dpd_match_only_beginning
dpd_match_only_beginning
¶Type: | bool |
---|---|
Attributes: | &redef |
Default: | T |
If true, stops signature matching if dpd_buffer_size
has been
reached.
See also: dpd_reassemble_first_packets
, dpd_buffer_size
, dpd_ignore_ports
Note
Despite the name, this option affects all signature matching, not only signatures used for dynamic protocol detection.
dpd_reassemble_first_packets
¶Type: | bool |
---|---|
Attributes: | &redef |
Default: | T |
Reassemble the beginning of all TCP connections before doing signature matching. Enabling this provides more accurate matching at the expense of CPU cycles.
See also: dpd_buffer_size
, dpd_match_only_beginning
, dpd_ignore_ports
Note
Despite the name, this option affects all signature matching, not only signatures used for dynamic protocol detection.
encap_hdr_size
¶Type: | count |
---|---|
Attributes: | &redef |
Default: | 0 |
If positive, indicates the encapsulation header size that should be skipped. This applies to all packets.
exit_only_after_terminate
¶Type: | bool |
---|---|
Attributes: | &redef |
Default: | F |
Flag to prevent Bro from exiting automatically when input is exhausted.
Normally Bro terminates when all packet sources have gone dry
and communication isn’t enabled. If this flag is set, Bro’s main loop will
instead keep idling until terminate
is explicitly called.
This is mainly for testing purposes when termination behaviour needs to be controlled for reproducing results.
expensive_profiling_multiple
¶Type: | count |
---|---|
Attributes: | &redef |
Default: | 20 |
Multiples of profiling_interval
at which (more expensive) memory
profiling is done (0 disables).
See also: profiling_interval
, profiling_file
, segment_profiling
forward_remote_events
¶Type: | bool |
---|---|
Attributes: | &redef |
Default: | F |
If true, broadcast events received from one peer to all other peers.
See also: forward_remote_state_changes
Note
This option is only temporary and will disappear once we get a more sophisticated script-level communication framework.
forward_remote_state_changes
¶Type: | bool |
---|---|
Attributes: | &redef |
Default: | F |
If true, broadcast state updates received from one peer to all other peers.
See also: forward_remote_events
Note
This option is only temporary and will disappear once we get a more sophisticated script-level communication framework.
frag_timeout
¶Type: | interval |
---|---|
Attributes: | &redef |
Default: | 5.0 mins |
How long to hold onto fragments for possible reassembly. A value of 0.0 means “forever”, which resists evasion, but can lead to state accrual.
global_hash_seed
¶Type: | string |
---|---|
Attributes: | &redef |
Default: | "" |
Seed for hashes computed internally for probabilistic data structures. Using the same value here will make the hashes compatible between independent Bro instances. If left unset, Bro will use a temporary local seed.
icmp_inactivity_timeout
¶Type: | interval |
---|---|
Attributes: | &redef |
Default: | 1.0 min |
If an ICMP flow is inactive, time it out after this interval. If 0 secs, then don’t time it out.
See also: tcp_inactivity_timeout
, udp_inactivity_timeout
, set_inactivity_timeout
ignore_checksums
¶Type: | bool |
---|---|
Attributes: | &redef |
Default: | F |
If true, don’t verify checksums. Useful for running on altered trace
files, and for saving a few cycles, but at the risk of analyzing invalid
data. Note that the -C
command-line option overrides the setting of this
variable.
ignore_keep_alive_rexmit
¶Type: | bool |
---|---|
Attributes: | &redef |
Default: | F |
Ignore certain TCP retransmissions for conn_stats
. Some
connections (e.g., SSH) retransmit the acknowledged last byte to keep the
connection alive. If ignore_keep_alive_rexmit is set to true, such
retransmissions will be excluded in the rexmit counter in
conn_stats
.
See also: conn_stats
likely_server_ports
¶Type: | set [port ] |
---|---|
Attributes: | &redef |
Default: |
{
88/udp,
8000/tcp,
631/tcp,
81/tcp,
992/tcp,
585/tcp,
21/tcp,
8888/tcp,
20000/udp,
6669/tcp,
25/tcp,
3389/tcp,
20000/tcp,
53/tcp,
514/udp,
6668/tcp,
563/tcp,
53/udp,
67/udp,
614/tcp,
5223/tcp,
2811/tcp,
587/tcp,
137/udp,
5269/tcp,
993/tcp,
8080/tcp,
80/tcp,
5355/udp,
5353/udp,
6666/tcp,
5060/udp,
143/tcp,
990/tcp,
22/tcp,
139/tcp,
443/udp,
636/tcp,
135/tcp,
445/tcp,
3544/udp,
2152/udp,
2123/udp,
88/tcp,
6667/tcp,
1812/udp,
162/udp,
5222/tcp,
3128/tcp,
995/tcp,
1080/tcp,
989/tcp,
443/tcp,
161/udp,
5072/udp,
502/tcp
}
Ports which the core considers being likely used by servers. For ports in this set, it may heuristically decide to flip the direction of the connection if it misses the initial handshake.
max_files_in_cache
¶Type: | count |
---|---|
Attributes: | &redef |
Default: | 0 |
The maximum number of open files to keep cached at a given time. If set to zero, this is automatically determined by inspecting the current/maximum limit on open files for the process.
max_remote_events_processed
¶Type: | count |
---|---|
Attributes: | &redef |
Default: | 10 |
With a similar trade-off, this gives the number of remote events to process in a batch before interleaving other activity.
max_timer_expires
¶Type: | count |
---|---|
Attributes: | &redef |
Default: | 300 |
The maximum number of timers to expire after processing each new packet. The value trades off spreading out the timer expiration load with possibly having to hold state longer. A value of 0 means “process all expired timers with each new packet”.
mmdb_dir
¶Type: | string |
---|---|
Attributes: | &redef |
Default: | "" |
The directory containing MaxMind DB (.mmdb) files to use for GeoIP support.
non_analyzed_lifetime
¶Type: | interval |
---|---|
Attributes: | &redef |
Default: | 0 secs |
If a connection belongs to an application that we don’t analyze,
time it out after this interval. If 0 secs, then don’t time it out (but
tcp_inactivity_timeout
, udp_inactivity_timeout
, and
icmp_inactivity_timeout
still apply).
ntp_session_timeout
¶Type: | interval |
---|---|
Attributes: | &redef |
Default: | 5.0 mins |
Time to wait before timing out an NTP request.
old_comm_usage_is_ok
¶Type: | bool |
---|---|
Attributes: | &redef |
Default: | F |
Whether usage of the old communication system is considered an error or not. The default Bro configuration no longer works with the non-Broker communication system unless you have manually taken action to initialize and set up the old comm. system. Deprecation warnings are still emitted when setting this flag, but they will not result in a fatal error.
packet_filter_default
¶Type: | bool |
---|---|
Attributes: | &redef |
Default: | F |
Default mode for Bro’s user-space dynamic packet filter. If true, packets that aren’t explicitly allowed through, are dropped from any further processing.
Note
This is not the BPF packet filter but an additional dynamic filter that Bro optionally applies just before normal processing starts.
See also: install_dst_addr_filter
, install_dst_net_filter
, install_src_addr_filter
, install_src_net_filter
, uninstall_dst_addr_filter
, uninstall_dst_net_filter
, uninstall_src_addr_filter
, uninstall_src_net_filter
partial_connection_ok
¶Type: | bool |
---|---|
Attributes: | &redef |
Default: | T |
If true, instantiate connection state when a partial connection (one missing its initial establishment negotiation) is seen.
passive_fingerprint_file
¶Type: | string |
---|---|
Attributes: | &redef |
Default: | "base/misc/p0f.fp" |
p0f
fingerprint file to use. Will be searched relative to BROPATH
.
peer_description
¶Type: | string |
---|---|
Attributes: | &redef |
Default: | "bro" |
Description transmitted to remote communication peers for identification.
pkt_profile_freq
¶Type: | double |
---|---|
Attributes: | &redef |
Default: | 0.0 |
Frequency associated with packet profiling.
See also: pkt_profile_modes
, pkt_profile_mode
, pkt_profile_file
pkt_profile_mode
¶Type: | pkt_profile_modes |
---|---|
Attributes: | &redef |
Default: | PKT_PROFILE_MODE_NONE |
Output mode for packet profiling information.
See also: pkt_profile_modes
, pkt_profile_freq
, pkt_profile_file
profiling_interval
¶Type: | interval |
---|---|
Attributes: | &redef |
Default: | 15.0 secs |
Update interval for profiling (0 disables). The easiest way to activate profiling is loading policy/misc/profiling.bro.
See also: profiling_file
, expensive_profiling_multiple
, segment_profiling
record_all_packets
¶Type: | bool |
---|---|
Attributes: | &redef |
Default: | F |
If a trace file is given with -w
, dump all packets seen by Bro into it.
By default, Bro applies (very few) heuristics to reduce the volume. A side
effect of setting this to true is that we can write the packets out before we
actually process them, which can be helpful for debugging in case the
analysis triggers a crash.
See also: trace_output_file
remote_check_sync_consistency
¶Type: | bool |
---|---|
Attributes: | &redef |
Default: | F |
Whether for &synchronized
state to send the old value as a
consistency check.
remote_trace_sync_interval
¶Type: | interval |
---|---|
Attributes: | &redef |
Default: | 0 secs |
Synchronize trace processing at a regular basis in pseudo-realtime mode.
See also: remote_trace_sync_peers
remote_trace_sync_peers
¶Type: | count |
---|---|
Attributes: | &redef |
Default: | 0 |
Number of peers across which to synchronize trace processing in pseudo-realtime mode.
See also: remote_trace_sync_interval
report_gaps_for_partial
¶Type: | bool |
---|---|
Attributes: | &redef |
Default: | F |
Whether we want content_gap
for partial
connections. A connection is partial if it is missing a full handshake. Note
that gap reports for partial connections might not be reliable.
See also: content_gap
, partial_connection
rpc_timeout
¶Type: | interval |
---|---|
Attributes: | &redef |
Default: | 24.0 secs |
Time to wait before timing out an RPC request.
segment_profiling
¶Type: | bool |
---|---|
Attributes: | &redef |
Default: | F |
If true, then write segment profiling information (very high volume!) in addition to profiling statistics.
See also: profiling_interval
, expensive_profiling_multiple
, profiling_file
sig_max_group_size
¶Type: | count |
---|---|
Attributes: | &redef |
Default: | 50 |
Maximum size of regular expression groups for signature matching.
skip_http_data
¶Type: | bool |
---|---|
Attributes: | &redef |
Default: | F |
Skip HTTP data for performance considerations. The skipped portion will not go through TCP reassembly.
See also: http_entity_data
, skip_http_entity_data
, http_entity_data_delivery_size
ssl_ca_certificate
¶Type: | string |
---|---|
Attributes: | &redef |
Default: | "<undefined>" |
The CA certificate file to authorize remote Bros/Broccolis.
See also: ssl_private_key
, ssl_passphrase
ssl_passphrase
¶Type: | string |
---|---|
Attributes: | &redef |
Default: | "<undefined>" |
The passphrase for our private key. Keeping this undefined causes Bro to prompt for the passphrase.
See also: ssl_private_key
, ssl_ca_certificate
ssl_private_key
¶Type: | string |
---|---|
Attributes: | &redef |
Default: | "<undefined>" |
File containing our private key and our certificate.
See also: ssl_ca_certificate
, ssl_passphrase
state_dir
¶Type: | string |
---|---|
Attributes: | &redef |
Default: | ".state" |
Specifies a directory for Bro to store its persistent state. All globals can
be declared persistent via the &persistent
attribute.
state_write_delay
¶Type: | interval |
---|---|
Attributes: | &redef |
Default: | 10.0 msecs |
Length of the delays inserted when storing state incrementally. To avoid dropping packets when serializing larger volumes of persistent state to disk, Bro interleaves the operation with continued packet processing.
table_expire_delay
¶Type: | interval |
---|---|
Attributes: | &redef |
Default: | 10.0 msecs |
When expiring table entries, wait this amount of time before checking the next chunk of entries.
See also: table_expire_interval
, table_incremental_step
table_expire_interval
¶Type: | interval |
---|---|
Attributes: | &redef |
Default: | 10.0 secs |
Check for expired table entries after this amount of time.
See also: table_incremental_step
, table_expire_delay
table_incremental_step
¶Type: | count |
---|---|
Attributes: | &redef |
Default: | 5000 |
When expiring/serializing table entries, don’t work on more than this many table entries at a time.
See also: table_expire_interval
, table_expire_delay
tcp_SYN_ack_ok
¶Type: | bool |
---|---|
Attributes: | &redef |
Default: | T |
If true, instantiate connection state when a SYN/ACK is seen but not the
initial SYN (even if partial_connection_ok
is false).
tcp_SYN_timeout
¶Type: | interval |
---|---|
Attributes: | &redef |
Default: | 5.0 secs |
Check up on the result of an initial SYN after this much time.
tcp_attempt_delay
¶Type: | interval |
---|---|
Attributes: | &redef |
Default: | 5.0 secs |
Wait this long upon seeing an initial SYN before timing out the connection attempt.
tcp_close_delay
¶Type: | interval |
---|---|
Attributes: | &redef |
Default: | 5.0 secs |
Upon seeing a normal connection close, flush state after this much time.
tcp_connection_linger
¶Type: | interval |
---|---|
Attributes: | &redef |
Default: | 5.0 secs |
When checking a closed connection for further activity, consider it inactive if there hasn’t been any for this long. Complain if the connection is reused before this much time has elapsed.
tcp_content_deliver_all_orig
¶Type: | bool |
---|---|
Attributes: | &redef |
Default: | F |
If true, all TCP originator-side traffic is reported via
tcp_contents
.
See also: tcp_content_delivery_ports_orig
, tcp_content_delivery_ports_resp
, tcp_content_deliver_all_resp
, udp_content_delivery_ports_orig
, udp_content_delivery_ports_resp
, udp_content_deliver_all_orig
, udp_content_deliver_all_resp
, tcp_contents
tcp_content_deliver_all_resp
¶Type: | bool |
---|---|
Attributes: | &redef |
Default: | F |
If true, all TCP responder-side traffic is reported via
tcp_contents
.
See also: tcp_content_delivery_ports_orig
, tcp_content_delivery_ports_resp
, tcp_content_deliver_all_orig
, udp_content_delivery_ports_orig
, udp_content_delivery_ports_resp
, udp_content_deliver_all_orig
, udp_content_deliver_all_resp
, tcp_contents
tcp_content_delivery_ports_orig
¶Type: | table [port ] of bool |
---|---|
Attributes: | &redef |
Default: | {} |
Defines destination TCP ports for which the contents of the originator stream
should be delivered via tcp_contents
.
See also: tcp_content_delivery_ports_resp
, tcp_content_deliver_all_orig
, tcp_content_deliver_all_resp
, udp_content_delivery_ports_orig
, udp_content_delivery_ports_resp
, udp_content_deliver_all_orig
, udp_content_deliver_all_resp
, tcp_contents
tcp_content_delivery_ports_resp
¶Type: | table [port ] of bool |
---|---|
Attributes: | &redef |
Default: | {} |
Defines destination TCP ports for which the contents of the responder stream
should be delivered via tcp_contents
.
See also: tcp_content_delivery_ports_orig
, tcp_content_deliver_all_orig
, tcp_content_deliver_all_resp
, udp_content_delivery_ports_orig
, udp_content_delivery_ports_resp
, udp_content_deliver_all_orig
, udp_content_deliver_all_resp
, tcp_contents
tcp_excessive_data_without_further_acks
¶Type: | count |
---|---|
Attributes: | &redef |
Default: | 10485760 |
If we’ve seen this much data without any of it being acked, we give up on that connection to avoid memory exhaustion due to buffering all that stuff. If set to zero, then we don’t ever give up. Ideally, Bro would track the current window on a connection and use it to infer that data has in fact gone too far, but for now we just make this quite beefy.
See also: tcp_max_initial_window
, tcp_max_above_hole_without_any_acks
tcp_inactivity_timeout
¶Type: | interval |
---|---|
Attributes: | &redef |
Default: | 5.0 mins |
If a TCP connection is inactive, time it out after this interval. If 0 secs, then don’t time it out.
See also: udp_inactivity_timeout
, icmp_inactivity_timeout
, set_inactivity_timeout
tcp_match_undelivered
¶Type: | bool |
---|---|
Attributes: | &redef |
Default: | T |
If true, pass any undelivered to the signature engine before flushing the state. If a connection state is removed, there may still be some data waiting in the reassembler.
tcp_max_above_hole_without_any_acks
¶Type: | count |
---|---|
Attributes: | &redef |
Default: | 16384 |
If we’re not seeing our peer’s ACKs, the maximum volume of data above a sequence hole that we’ll tolerate before assuming that there’s been a packet drop and we should give up on tracking a connection. If set to zero, then we don’t ever give up.
See also: tcp_max_initial_window
, tcp_excessive_data_without_further_acks
tcp_max_initial_window
¶Type: | count |
---|---|
Attributes: | &redef |
Default: | 16384 |
Maximum amount of data that might plausibly be sent in an initial flight (prior to receiving any acks). Used to determine whether we must not be seeing our peer’s ACKs. Set to zero to turn off this determination.
See also: tcp_max_above_hole_without_any_acks
, tcp_excessive_data_without_further_acks
tcp_max_old_segments
¶Type: | count |
---|---|
Attributes: | &redef |
Default: | 0 |
Number of TCP segments to buffer beyond what’s been acknowledged already to detect retransmission inconsistencies. Zero disables any additonal buffering.
tcp_partial_close_delay
¶Type: | interval |
---|---|
Attributes: | &redef |
Default: | 3.0 secs |
Generate a connection_partial_close
event this much time after one
half of a partial connection closes, assuming there has been no subsequent
activity.
tcp_reassembler_ports_orig
¶Type: | set [port ] |
---|---|
Attributes: | &redef |
Default: | {} |
For services without a handler, these sets define originator-side ports that still trigger reassembly.
See also: tcp_reassembler_ports_resp
tcp_reassembler_ports_resp
¶Type: | set [port ] |
---|---|
Attributes: | &redef |
Default: | {} |
For services without a handler, these sets define responder-side ports that still trigger reassembly.
See also: tcp_reassembler_ports_orig
tcp_reset_delay
¶Type: | interval |
---|---|
Attributes: | &redef |
Default: | 5.0 secs |
Upon seeing a RST, flush state after this much time.
tcp_session_timer
¶Type: | interval |
---|---|
Attributes: | &redef |
Default: | 6.0 secs |
After a connection has closed, wait this long for further activity before checking whether to time out its state.
tcp_storm_interarrival_thresh
¶Type: | interval |
---|---|
Attributes: | &redef |
Default: | 1.0 sec |
FINs/RSTs must come with this much time or less between them to be considered a “storm”.
See also: tcp_storm_thresh
tcp_storm_thresh
¶Type: | count |
---|---|
Attributes: | &redef |
Default: | 1000 |
Number of FINs/RSTs in a row that constitute a “storm”. Storms are reported
as weird
via the notice framework, and they must also come within
intervals of at most tcp_storm_interarrival_thresh
.
See also: tcp_storm_interarrival_thresh
time_machine_profiling
¶Type: | bool |
---|---|
Attributes: | &redef |
Default: | F |
If true, output profiling for Time-Machine queries.
timer_mgr_inactivity_timeout
¶Type: | interval |
---|---|
Attributes: | &redef |
Default: | 1.0 min |
Per-incident timer managers are drained after this amount of inactivity.
truncate_http_URI
¶Type: | int |
---|---|
Attributes: | &redef |
Default: | -1 |
Maximum length of HTTP URIs passed to events. Longer ones will be truncated to prevent over-long URIs (usually sent by worms) from slowing down event processing. A value of -1 means “do not truncate”.
See also: http_request
udp_content_deliver_all_orig
¶Type: | bool |
---|---|
Attributes: | &redef |
Default: | F |
If true, all UDP originator-side traffic is reported via
udp_contents
.
See also: tcp_content_delivery_ports_orig
, tcp_content_delivery_ports_resp
, tcp_content_deliver_all_resp
tcp_content_delivery_ports_orig
, udp_content_delivery_ports_orig
, udp_content_delivery_ports_resp
, udp_content_deliver_all_resp
, udp_contents
udp_content_deliver_all_resp
¶Type: | bool |
---|---|
Attributes: | &redef |
Default: | F |
If true, all UDP responder-side traffic is reported via
udp_contents
.
See also: tcp_content_delivery_ports_orig
, tcp_content_delivery_ports_resp
, tcp_content_deliver_all_resp
tcp_content_delivery_ports_orig
, udp_content_delivery_ports_orig
, udp_content_delivery_ports_resp
, udp_content_deliver_all_orig
, udp_contents
udp_content_delivery_ports_orig
¶Type: | table [port ] of bool |
---|---|
Attributes: | &redef |
Default: | {} |
Defines UDP destination ports for which the contents of the originator stream
should be delivered via udp_contents
.
See also: tcp_content_delivery_ports_orig
, tcp_content_delivery_ports_resp
, tcp_content_deliver_all_orig
, tcp_content_deliver_all_resp
, udp_content_delivery_ports_resp
, udp_content_deliver_all_orig
, udp_content_deliver_all_resp
, udp_contents
udp_content_delivery_ports_resp
¶Type: | table [port ] of bool |
---|---|
Attributes: | &redef |
Default: | {} |
Defines UDP destination ports for which the contents of the responder stream
should be delivered via udp_contents
.
See also: tcp_content_delivery_ports_orig
, tcp_content_delivery_ports_resp
, tcp_content_deliver_all_orig
, tcp_content_deliver_all_resp
, udp_content_delivery_ports_orig
, udp_content_deliver_all_orig
, udp_content_deliver_all_resp
, udp_contents
udp_inactivity_timeout
¶Type: | interval |
---|---|
Attributes: | &redef |
Default: | 1.0 min |
If a UDP flow is inactive, time it out after this interval. If 0 secs, then don’t time it out.
See also: tcp_inactivity_timeout
, icmp_inactivity_timeout
, set_inactivity_timeout
RPC_status
¶Type: | table [rpc_status ] of string |
---|---|
Default: |
{
[RPC_PROC_UNAVAIL] = "proc unavail",
[RPC_AUTH_ERROR] = "auth error",
[RPC_PROG_UNAVAIL] = "prog unavail",
[RPC_PROG_MISMATCH] = "mismatch",
[RPC_GARBAGE_ARGS] = "garbage args",
[RPC_TIMEOUT] = "timeout",
[RPC_UNKNOWN_ERROR] = "unknown",
[RPC_SUCCESS] = "ok",
[RPC_SYSTEM_ERR] = "system err"
}
Mapping of numerical RPC status codes to readable messages.
See also: pm_attempt_callit
, pm_attempt_dump
, pm_attempt_getport
, pm_attempt_null
, pm_attempt_set
, pm_attempt_unset
, rpc_dialogue
, rpc_reply
trace_output_file
¶Type: | string |
---|---|
Default: | "" |
Holds the filename of the trace file given with -w
(empty if none).
See also: record_all_packets
capture_filters
¶Type: | table [string ] of string |
---|---|
Attributes: | &redef |
Default: | {} |
Set of BPF capture filters to use for capturing, indexed by a user-definable
ID (which must be unique). If Bro is not configured with
PacketFilter::enable_auto_protocol_capture_filters
,
all packets matching at least one of the filters in this table (and all in
restrict_filters
) will be analyzed.
See also: PacketFilter
, PacketFilter::enable_auto_protocol_capture_filters
, PacketFilter::unrestricted_filter
, restrict_filters
discarder_maxlen
¶Type: | count |
---|---|
Attributes: | &redef |
Default: | 128 |
Maximum length of payload passed to discarder functions.
See also: discarder_check_tcp
, discarder_check_udp
, discarder_check_icmp
, discarder_check_ip
dns_max_queries
¶Type: | count |
---|---|
Attributes: | &redef |
Default: | 25 |
If a DNS request includes more than this many queries, assume it’s non-DNS traffic and do not process it. Set to 0 to turn off this functionality.
dns_skip_addl
¶Type: | set [addr ] |
---|---|
Attributes: | &redef |
Default: | {} |
For DNS servers in these sets, omit processing the ADDL records they include in their replies.
See also: dns_skip_all_addl
, dns_skip_auth
dns_skip_all_addl
¶Type: | bool |
---|---|
Attributes: | &redef |
Default: | F |
If true, all DNS ADDL records are skipped.
See also: dns_skip_all_auth
, dns_skip_addl
dns_skip_all_auth
¶Type: | bool |
---|---|
Attributes: | &redef |
Default: | F |
If true, all DNS AUTH records are skipped.
See also: dns_skip_all_addl
, dns_skip_auth
dns_skip_auth
¶Type: | set [addr ] |
---|---|
Attributes: | &redef |
Default: | {} |
For DNS servers in these sets, omit processing the AUTH records they include in their replies.
See also: dns_skip_all_auth
, dns_skip_addl
generate_OS_version_event
¶Type: | set [subnet ] |
---|---|
Attributes: | &redef |
Default: | {} |
Defines for which subnets we should do passive fingerprinting.
See also: OS_version_found
http_entity_data_delivery_size
¶Type: | count |
---|---|
Attributes: | &redef |
Default: | 1500 |
Maximum number of HTTP entity data delivered to events.
See also: http_entity_data
, skip_http_entity_data
, skip_http_data
interfaces
¶Type: | string |
---|---|
Attributes: | &add_func = add_interface &redef |
Default: | "" |
Network interfaces to listen on. Use redef interfaces += "eth0"
to
extend.
irc_servers
¶Type: | set [addr ] |
---|---|
Attributes: | &redef |
Default: | {} |
Deprecated.
Todo
Remove. It’s still declared internally but doesn’t seem used anywhere else.
load_sample_freq
¶Type: | count |
---|---|
Attributes: | &redef |
Default: | 20 |
Rate at which to generate load_sample
events. As all
events, the event is only generated if you’ve also defined a
load_sample
handler. Units are inverse number of packets; e.g.,
a value of 20 means “roughly one in every 20 packets”.
See also: load_sample
mime_segment_length
¶Type: | count |
---|---|
Attributes: | &redef |
Default: | 1024 |
The length of MIME data segments delivered to handlers of
mime_segment_data
.
See also: mime_segment_data
, mime_segment_overlap_length
mime_segment_overlap_length
¶Type: | count |
---|---|
Attributes: | &redef |
Default: | 0 |
The number of bytes of overlap between successive segments passed to
mime_segment_data
.
pkt_profile_file
¶Type: | file |
---|---|
Attributes: | &redef |
File where packet profiles are logged.
See also: pkt_profile_modes
, pkt_profile_freq
, pkt_profile_mode
profiling_file
¶Type: | file |
---|---|
Attributes: | &redef |
Default: |
file "prof.log" of string
Write profiling info into this file in regular intervals. The easiest way to activate profiling is loading policy/misc/profiling.bro.
See also: profiling_interval
, expensive_profiling_multiple
, segment_profiling
restrict_filters
¶Type: | table [string ] of string |
---|---|
Attributes: | &redef |
Default: | {} |
Set of BPF filters to restrict capturing, indexed by a user-definable ID (which must be unique).
See also: PacketFilter
, PacketFilter::enable_auto_protocol_capture_filters
, PacketFilter::unrestricted_filter
, capture_filters
secondary_filters
¶Type: | table [string ] of event (filter: string , pkt: pkt_hdr ) |
---|---|
Attributes: | &redef |
Default: | {} |
Definition of “secondary filters”. A secondary filter is a BPF filter given as index in this table. For each such filter, the corresponding event is raised for all matching packets.
signature_files
¶Type: | string |
---|---|
Attributes: | &add_func = add_signature_file &redef |
Default: | "" |
Signature files to read. Use redef signature_files += "foo.sig"
to
extend. Signature files added this way will be searched relative to
BROPATH
. Using the @load-sigs
directive instead is preferred
since that can search paths relative to the current script.
BrokerStats
¶Type: |
num_peers:
|
---|
Statistics about Broker communication.
See also: get_broker_stats
Cluster::Pool
¶Type: |
|
---|
A pool used for distributing data/work among a set of cluster nodes.
ConnStats
¶Type: |
total_conns: current_conns: current_conns_extern: sess_current_conns: num_packets: num_fragments: max_fragments:
killed_by_inactivity: |
---|
DHCP::Addrs
¶Type: | vector of addr |
---|
A list of addresses offered by a DHCP server. Could be routers, DNS servers, or other.
See also: dhcp_message
DHCP::ClientFQDN
¶Type: |
---|
DHCP Client FQDN Option information (Option 81)
DHCP::ClientID
¶Type: |
hwtype: hwaddr: |
---|
DHCP Client Identifier (Option 61) .. bro:see:: dhcp_message
DHCP::Msg
¶Type: |
flags:
|
---|
A DHCP message. .. bro:see:: dhcp_message
DHCP::Options
¶Type: |
|
---|
DHCP::SubOpt
¶Type: |
code: value: |
---|
DHCP Relay Agent Information Option (Option 82) .. bro:see:: dhcp_message
DHCP::SubOpts
¶Type: | vector of DHCP::SubOpt |
---|
DNSStats
¶Type: |
---|
Statistics related to Bro’s active use of DNS. These numbers are about Bro performing DNS queries on it’s own, not traffic being seen.
See also: get_dns_stats
EncapsulatingConnVector
¶Type: | vector of Tunnel::EncapsulatingConn |
---|
A type alias for a vector of encapsulating “connections”, i.e. for when there are tunnels within tunnels.
Todo
We need this type definition only for declaring builtin functions
via bifcl
. We should extend bifcl
to understand composite types
directly and then remove this alias.
EventStats
¶Type: |
---|
FileAnalysisStats
¶Type: |
---|
Statistics of file analysis.
See also: get_file_analysis_stats
GapStats
¶Type: |
---|
Statistics about number of gaps in TCP connections.
See also: get_gap_stats
IPAddrAnonymization
¶Type: |
|
---|
Deprecated.
See also: anonymize_addr
IPAddrAnonymizationClass
¶Type: |
|
---|
Deprecated.
See also: anonymize_addr
JSON::TimestampFormat
¶Type: |
|
---|
KRB::Error_Msg
¶Type: |
|
---|
The data from the ERROR_MSG message. See RFC 4120.
KRB::Host_Address_Vector
¶Type: | vector of KRB::Host_Address |
---|
KRB::KDC_Options
¶Type: |
|
---|
KDC Options. See RFC 4120
KRB::KDC_Request
¶Type: |
|
---|
The data from the AS_REQ and TGS_REQ messages. See RFC 4120.
KRB::KDC_Response
¶Type: |
|
---|
The data from the AS_REQ and TGS_REQ messages. See RFC 4120.
KRB::SAFE_Msg
¶Type: |
|
---|
The data from the SAFE message. See RFC 4120.
KRB::Ticket_Vector
¶Type: | vector of KRB::Ticket |
---|
KRB::Type_Value
¶Type: |
---|
Used in a few places in the Kerberos analyzer for elements that have a type and a string value.
KRB::Type_Value_Vector
¶Type: | vector of KRB::Type_Value |
---|
MOUNT3::dirmntargs_t
¶Type: |
|
---|
MOUNT mnt arguments.
See also: mount_proc_mnt
MOUNT3::info_t
¶Type: |
|
---|
Record summarizing the general results and status of MOUNT3 request/reply pairs.
Note that when rpc_stat or mount_stat indicates not successful, the reply record passed to the corresponding event will be empty and contain uninitialized fields, so don’t use it. Also note that time
MOUNT3::mnt_reply_t
¶Type: |
|
---|
MOUNT lookup reply. If the mount failed, dir_attr may be set. If the mount succeeded, fh is always set.
See also: mount_proc_mnt
MatcherStats
¶Type: |
|
---|
Statistics of all regular expression matchers.
See also: get_matcher_stats
ModbusCoils
¶Type: | vector of bool |
---|
A vector of boolean values that indicate the setting for a range of modbus coils.
ModbusHeaders
¶Type: |
---|
ModbusRegisters
¶Type: | vector of count |
---|
A vector of count values that represent 16bit modbus register values.
NFS3::delobj_reply_t
¶Type: |
|
---|
NFS reply for remove, rmdir. Corresponds to wcc_data in the spec.
See also: nfs_proc_remove
, nfs_proc_rmdir
NFS3::direntry_t
¶Type: |
---|
NFS direntry. fh and attr are used for readdirplus. However, even for readdirplus they may not be filled out.
See also: NFS3::direntry_vec_t
, NFS3::readdir_reply_t
NFS3::direntry_vec_t
¶Type: | vector of NFS3::direntry_t |
---|
Vector of NFS direntry.
See also: NFS3::readdir_reply_t
NFS3::diropargs_t
¶Type: |
---|
NFS readdir arguments.
See also: nfs_proc_readdir
NFS3::fattr_t
¶Type: |
|
---|
NFS file attributes. Field names are based on RFC 1813.
See also: nfs_proc_getattr
NFS3::fsstat_t
¶Type: |
---|
NFS fsstat.
NFS3::info_t
¶Type: |
|
---|
Record summarizing the general results and status of NFSv3 request/reply pairs.
Note that when rpc_stat or nfs_stat indicates not successful, the reply record passed to the corresponding event will be empty and contain uninitialized fields, so don’t use it. Also note that time and duration values might not be fully accurate. For TCP, we record times when the corresponding chunk of data is delivered to the analyzer. Depending on the reassembler, this might be well after the first packet of the request was received.
See also: nfs_proc_create
, nfs_proc_getattr
, nfs_proc_lookup
, nfs_proc_mkdir
, nfs_proc_not_implemented
, nfs_proc_null
, nfs_proc_read
, nfs_proc_readdir
, nfs_proc_readlink
, nfs_proc_remove
, nfs_proc_rmdir
, nfs_proc_write
, nfs_reply_status
NFS3::link_reply_t
¶Type: |
|
---|
NFS link reply.
See also: nfs_proc_link
NFS3::linkargs_t
¶Type: |
|
---|
NFS link arguments.
See also: nfs_proc_link
NFS3::lookup_reply_t
¶Type: |
|
---|
NFS lookup reply. If the lookup failed, dir_attr may be set. If the lookup succeeded, fh is always set and obj_attr and dir_attr may be set.
See also: nfs_proc_lookup
NFS3::newobj_reply_t
¶Type: |
|
---|
NFS reply for create, mkdir, and symlink. If the proc failed, dir_*_attr may be set. If the proc succeeded, fh and the attr’s may be set. Note: no guarantee that fh is set after success.
See also: nfs_proc_create
, nfs_proc_mkdir
NFS3::read_reply_t
¶Type: |
---|
NFS read reply. If the lookup fails, attr may be set. If the lookup succeeds, attr may be set and all other fields are set.
NFS3::readargs_t
¶Type: |
---|
NFS read arguments.
See also: nfs_proc_read
NFS3::readdir_reply_t
¶Type: |
|
---|
NFS readdir reply. Used for readdir and readdirplus. If an is returned, dir_attr might be set. On success, dir_attr may be set, all others must be set.
NFS3::readdirargs_t
¶Type: |
|
---|
NFS readdir arguments. Used for both readdir and readdirplus.
See also: nfs_proc_readdir
NFS3::readlink_reply_t
¶Type: |
|
---|
NFS readline reply. If the request fails, attr may be set. If the request succeeds, attr may be set and all other fields are set.
See also: nfs_proc_readlink
NFS3::renameobj_reply_t
¶Type: |
src_dir_pre_attr: src_dir_post_attr: dst_dir_pre_attr: dst_dir_post_attr: |
---|
NFS reply for rename. Corresponds to wcc_data in the spec.
See also: nfs_proc_rename
NFS3::renameopargs_t
¶Type: |
src_dirfh: src_fname: dst_dirfh: dst_fname: |
---|
NFS rename arguments.
See also: nfs_proc_rename
NFS3::sattr_reply_t
¶Type: |
|
---|
NFS sattr reply. If the request fails, pre|post attr may be set. If the request succeeds, pre|post attr are set.
NFS3::sattr_t
¶Type: |
---|
NFS file attributes. Field names are based on RFC 1813.
See also: nfs_proc_sattr
NFS3::sattrargs_t
¶Type: |
|
---|
NFS sattr arguments.
See also: nfs_proc_sattr
NFS3::symlinkargs_t
¶Type: |
|
---|
NFS symlink arguments.
See also: nfs_proc_symlink
NFS3::symlinkdata_t
¶Type: |
|
---|
NFS symlinkdata attributes. Field names are based on RFC 1813
See also: nfs_proc_symlink
NFS3::wcc_attr_t
¶Type: |
---|
NFS wcc attributes.
See also: NFS3::write_reply_t
NFS3::write_reply_t
¶Type: |
|
---|
NFS write reply. If the request fails, pre|post attr may be set. If the request succeeds, pre|post attr may be set and all other fields are set.
See also: nfs_proc_write
NFS3::writeargs_t
¶Type: |
---|
NFS write arguments.
See also: nfs_proc_write
NTLM::AVs
¶Type: |
|
---|
NTLM::Authenticate
¶Type: |
|
---|
NTLM::Challenge
¶Type: |
|
---|
NTLM::Negotiate
¶Type: |
|
---|
NTLM::NegotiateFlags
¶Type: |
|
---|
NTLM::Version
¶Type: |
---|
NetStats
¶Type: |
|
---|
Packet capture statistics. All counts are cumulative.
See also: get_net_stats
OS_version
¶Type: |
|
---|
Passive fingerprinting match.
See also: OS_version_found
OS_version_inference
¶Type: |
|
---|
Quality of passive fingerprinting matches.
See also: OS_version
PE::DOSHeader
¶Type: |
|
---|
PE::FileHeader
¶Type: |
|
---|
PE::OptionalHeader
¶Type: |
|
---|
PE::SectionHeader
¶Type: |
|
---|
Record for Portable Executable (PE) section headers.
PcapFilterID
¶Type: |
|
---|
Enum type identifying dynamic BPF filters. These are used by
Pcap::precompile_pcap_filter
and Pcap::precompile_pcap_filter
.
ProcStats
¶Type: |
|
---|
Statistics about Bro’s process.
See also: get_proc_stats
Note
All process-level values refer to Bro’s main process only, not to the child process it spawns for doing communication.
RADIUS::Attributes
¶Type: | table [count ] of RADIUS::AttributeList |
---|
RADIUS::Message
¶Type: |
|
---|
RDP::ClientCoreData
¶Type: |
version_major: version_minor: desktop_width: desktop_height: color_depth: sas_sequence: keyboard_layout: client_build: client_name: keyboard_type: keyboard_sub: keyboard_function_key: ime_file_name: post_beta2_color_depth: client_product_id: serial_number: high_color_depth: supported_color_depths: ec_flags: |
---|
RDP::EarlyCapabilityFlags
¶Type: |
support_err_info_pdu: want_32bpp_session: support_statusinfo_pdu: strong_asymmetric_keys: support_monitor_layout_pdu: support_netchar_autodetect: support_dynvc_gfx_protocol: support_dynamic_time_zone: support_heartbeat_pdu: |
---|
ReassemblerStats
¶Type: |
---|
Holds statistics for all types of reassembly.
See also: get_reassembler_stats
ReporterStats
¶Type: |
---|
Statistics about reporter messages and weirds.
See also: get_reporter_stats
SMB1::Find_First2_Request_Args
¶Type: |
|
---|
SMB1::Find_First2_Response_Args
¶Type: |
|
---|
SMB1::Header
¶Type: |
---|
An SMB1 header.
See also: smb1_message
, smb1_empty_response
, smb1_error
, smb1_check_directory_request
, smb1_check_directory_response
, smb1_close_request
, smb1_create_directory_request
, smb1_create_directory_response
, smb1_echo_request
, smb1_echo_response
, smb1_negotiate_request
, smb1_negotiate_response
, smb1_nt_cancel_request
, smb1_nt_create_andx_request
, smb1_nt_create_andx_response
, smb1_query_information_request
, smb1_read_andx_request
, smb1_read_andx_response
, smb1_session_setup_andx_request
, smb1_session_setup_andx_response
, smb1_transaction_request
, smb1_transaction2_request
, smb1_trans2_find_first2_request
, smb1_trans2_query_path_info_request
, smb1_trans2_get_dfs_referral_request
, smb1_tree_connect_andx_request
, smb1_tree_connect_andx_response
, smb1_tree_disconnect
, smb1_write_andx_request
, smb1_write_andx_response
SMB1::NegotiateCapabilities
¶Type: |
|
---|
SMB1::NegotiateRawMode
¶Type: |
---|
SMB1::NegotiateResponse
¶Type: |
|
---|
SMB1::NegotiateResponseLANMAN
¶Type: |
|
---|
SMB1::NegotiateResponseNTLM
¶Type: |
|
---|
SMB1::NegotiateResponseSecurity
¶Type: |
|
---|
SMB1::SessionSetupAndXCapabilities
¶Type: |
|
---|
SMB1::SessionSetupAndXRequest
¶Type: |
|
---|
SMB1::SessionSetupAndXResponse
¶Type: |
|
---|
SMB1::Trans2_Args
¶Type: |
|
---|
SMB1::Trans2_Sec_Args
¶Type: |
|
---|
SMB1::Trans_Sec_Args
¶Type: |
|
---|
SMB2::CloseResponse
¶Type: |
|
---|
The response to an SMB2 close request, which is used by the client to close an instance of a file that was opened previously.
For more information, see MS-SMB2:2.2.16
See also: smb2_close_response
SMB2::CreateRequest
¶Type: |
---|
The request sent by the client to request either creation of or access to a file.
For more information, see MS-SMB2:2.2.13
See also: smb2_create_request
SMB2::CreateResponse
¶Type: |
|
---|
The response to an SMB2 create_request request, which is sent by the client to request either creation of or access to a file.
For more information, see MS-SMB2:2.2.14
See also: smb2_create_response
SMB2::FileAttrs
¶Type: |
|
---|
A series of boolean flags describing basic and extended file attributes for SMB2.
For more information, see MS-CIFS:2.2.1.2.3 and MS-FSCC:2.6
See also: smb2_create_response
SMB2::GUID
¶Type: |
---|
An SMB2 globally unique identifier which identifies a file.
For more information, see MS-SMB2:2.2.14.1
See also: smb2_close_request
, smb2_create_response
, smb2_read_request
, smb2_file_rename
, smb2_file_delete
, smb2_write_request
SMB2::Header
¶Type: |
|
---|
An SMB2 header.
For more information, see MS-SMB2:2.2.1.1 and MS-SMB2:2.2.1.2
See also: smb2_message
, smb2_close_request
, smb2_close_response
, smb2_create_request
, smb2_create_response
, smb2_negotiate_request
, smb2_negotiate_response
, smb2_read_request
, smb2_session_setup_request
, smb2_session_setup_response
, smb2_file_rename
, smb2_file_delete
, smb2_tree_connect_request
, smb2_tree_connect_response
, smb2_write_request
SMB2::NegotiateResponse
¶Type: |
|
---|
The response to an SMB2 negotiate request, which is used by tghe client to notify the server what dialects of the SMB2 protocol the client understands.
For more information, see MS-SMB2:2.2.4
See also: smb2_negotiate_response
SMB2::SessionSetupFlags
¶Type: |
---|
A flags field that indicates additional information about the session that’s sent in the session_setup response.
For more information, see MS-SMB2:2.2.6
See also: smb2_session_setup_response
SMB2::SessionSetupRequest
¶Type: |
|
---|
The request sent by the client to request a new authenticated session within a new or existing SMB 2 Protocol transport connection to the server.
For more information, see MS-SMB2:2.2.5
See also: smb2_session_setup_request
SMB2::SessionSetupResponse
¶Type: |
|
---|
The response to an SMB2 session_setup request, which is sent by the client to request a new authenticated session within a new or existing SMB 2 Protocol transport connection to the server.
For more information, see MS-SMB2:2.2.6
See also: smb2_session_setup_response
SMB2::TreeConnectResponse
¶Type: |
|
---|
The response to an SMB2 tree_connect request, which is sent by the client to request access to a particular share on the server.
For more information, see MS-SMB2:2.2.9
See also: smb2_tree_connect_response
SMB::MACTimes
¶Type: | |
---|---|
Attributes: |
MAC times for a file.
For more information, see MS-SMB2:2.2.16
See also: smb1_nt_create_andx_response
, smb2_create_response
SNMP::Binding
¶Type: |
oid: value: |
---|
The VarBind
data structure from either RFC 1157 or
RFC 3416, which maps an Object Identifier to a value.
SNMP::Bindings
¶Type: | vector of SNMP::Binding |
---|
A VarBindList
data structure from either RFC 1157 or RFC 3416.
A sequences of SNMP::Binding
, which maps an OIDs to values.
SNMP::BulkPDU
¶Type: |
request_id: non_repeaters: max_repititions: bindings: |
---|
A BulkPDU
data structure from RFC 3416.
SNMP::Header
¶Type: |
version:
|
---|
A generic SNMP header data structure that may include data from
any version of SNMP. The value of the version
field
determines what header field is initialized.
SNMP::HeaderV1
¶Type: |
community: |
---|
The top-level message data structure of an SNMPv1 datagram, not including the PDU data. See RFC 1157.
SNMP::HeaderV2
¶Type: |
community: |
---|
The top-level message data structure of an SNMPv2 datagram, not including the PDU data. See RFC 1901.
SNMP::HeaderV3
¶Type: |
id: max_size: flags: auth_flag: priv_flag: reportable_flag: security_model: security_params: pdu_context: |
---|
The top-level message data structure of an SNMPv3 datagram, not including the PDU data. See RFC 3412.
SNMP::ObjectValue
¶Type: |
tag: |
---|
A generic SNMP object value, that may include any of the
valid ObjectSyntax
values from RFC 1155 or RFC 3416.
The value is decoded whenever possible and assigned to
the appropriate field, which can be determined from the value
of the tag
field. For tags that can’t be mapped to an
appropriate type, the octets
field holds the BER encoded
ASN.1 content if there is any (though, octets
is may also
be used for other tags such as OCTET STRINGS or Opaque). Null
values will only have their corresponding tag value set.
SNMP::PDU
¶Type: |
request_id: error_status: error_index: bindings: |
---|
SNMP::ScopedPDU_Context
¶Type: |
engine_id: name: |
---|
The ScopedPduData
data structure of an SNMPv3 datagram, not
including the PDU data (i.e. just the “context” fields).
See RFC 3412.
SNMP::TrapPDU
¶Type: |
enterprise: agent: generic_trap: specific_trap: time_stamp: bindings: |
---|
A Trap-PDU
data structure from RFC 1157.
SOCKS::Address
¶Type: | |
---|---|
Attributes: |
This record is for a SOCKS client or server to provide either a name or an address to represent a desired or established connection.
SSH::Algorithm_Prefs
¶Type: |
---|
The client and server each have some preferences for the algorithms used in each direction.
SSH::Capabilities
¶Type: |
|
---|
This record lists the preferences of an SSH endpoint for algorithm selection. During the initial SSH key exchange, each endpoint lists the algorithms that it supports, in order of preference. See RFC 4253#section-7.1 for details.
SSL::SignatureAndHashAlgorithm
¶Type: |
---|
SYN_packet
¶Type: |
|
---|
Fields of a SYN packet.
See also: connection_SYN_packet
ThreadStats
¶Type: |
num_threads: |
---|
Statistics about threads.
See also: get_thread_stats
TimerStats
¶Type: |
---|
Statistics of timers.
See also: get_timer_stats
Tunnel::EncapsulatingConn
¶Type: |
|
---|---|
Attributes: |
Records the identity of an encapsulating parent of a tunneled connection.
Unified2::IDSEvent
¶Type: |
sensor_id: event_id: ts: signature_id: generator_id: signature_revision: classification_id: priority_id: src_ip: dst_ip: src_p: dst_p: impact_flag: impact: blocked: |
---|
Unified2::Packet
¶Type: |
sensor_id: event_id: event_second: packet_ts: link_type: data: |
---|
X509::BasicConstraints
¶Type: | |
---|---|
Attributes: |
X509::Certificate
¶Type: |
|
---|
X509::Extension
¶Type: |
---|
X509::Result
¶Type: |
---|
Result of an X509 certificate chain verification
X509::SubjectAlternativeName
¶Type: |
|
---|
addr_set
¶Type: | set [addr ] |
---|
A set of addresses.
Todo
We need this type definition only for declaring builtin functions
via bifcl
. We should extend bifcl
to understand composite types
directly and then remove this alias.
addr_vec
¶Type: | vector of addr |
---|
A vector of addresses.
Todo
We need this type definition only for declaring builtin functions
via bifcl
. We should extend bifcl
to understand composite types
directly and then remove this alias.
any_vec
¶Type: | vector of any |
---|
A vector of any, used by some builtin functions to store a list of varying types.
Todo
We need this type definition only for declaring builtin functions
via bifcl
. We should extend bifcl
to understand composite types
directly and then remove this alias.
backdoor_endp_stats
¶Type: |
is_partial: num_pkts: num_8k0_pkts: num_8k4_pkts: num_lines: num_normal_lines: num_bytes: num_7bit_ascii: |
---|
Deprecated.
bittorrent_benc_dir
¶Type: | table [string ] of bittorrent_benc_value |
---|
A table of BitTorrent “benc” values.
See also: bt_tracker_response
bittorrent_benc_value
¶Type: |
---|
BitTorrent “benc” value. Note that “benc” = Bencode (“Bee-Encode”), per http://en.wikipedia.org/wiki/Bencode.
See also: bittorrent_benc_dir
bittorrent_peer
¶Type: |
---|
A BitTorrent peer.
See also: bittorrent_peer_set
bittorrent_peer_set
¶Type: | set [bittorrent_peer ] |
---|
A set of BitTorrent peers.
See also: bt_tracker_response
bt_tracker_headers
¶Type: | table [string ] of string |
---|
Header table type used by BitTorrent analyzer.
See also: bt_tracker_request
, bt_tracker_response
, bt_tracker_response_not_ok
call_argument
¶Type: |
|
---|
Meta-information about a parameter to a function/event.
See also: call_argument_vector
, new_event
call_argument_vector
¶Type: | vector of call_argument |
---|
Vector type used to capture parameters of a function/event call.
See also: call_argument
, new_event
conn_id
¶Type: | |
---|---|
Attributes: |
A connection’s identifying 4-tuple of endpoints and ports.
Note
It’s actually a 5-tuple: the transport-layer protocol is stored as
part of the port values, orig_p and resp_p, and can be extracted from
them with get_port_transport_proto
.
connection
¶Type: |
|
---|
A connection. This is Bro’s basic connection type describing IP- and transport-layer information about the conversation. Note that Bro uses a liberal interpretation of “connection” and associates instances of this type also with UDP and ICMP flows.
count_set
¶Type: | set [count ] |
---|
A set of counts.
Todo
We need this type definition only for declaring builtin functions
via bifcl
. We should extend bifcl
to understand composite types
directly and then remove this alias.
dns_answer
¶Type: |
---|
The general part of a DNS reply.
See also: dns_AAAA_reply
, dns_A_reply
, dns_CNAME_reply
, dns_HINFO_reply
, dns_MX_reply
, dns_NS_reply
, dns_PTR_reply
, dns_SOA_reply
, dns_SRV_reply
, dns_TXT_reply
, dns_WKS_reply
dns_dnskey_rr
¶Type: |
---|
A DNSSEC DNSKEY record.
See also: dns_DNSKEY
dns_edns_additional
¶Type: |
---|
An additional DNS EDNS record.
See also: dns_EDNS_addl
dns_mapping
¶Type: |
|
---|
dns_msg
¶Type: |
|
---|
A DNS message.
See also: dns_AAAA_reply
, dns_A_reply
, dns_CNAME_reply
, dns_EDNS_addl
, dns_HINFO_reply
, dns_MX_reply
, dns_NS_reply
, dns_PTR_reply
, dns_SOA_reply
, dns_SRV_reply
, dns_TSIG_addl
, dns_TXT_reply
, dns_WKS_reply
, dns_end
, dns_message
, dns_query_reply
, dns_rejected
, dns_request
dns_nsec3_rr
¶Type: |
|
---|
A DNSSEC NSEC3 record.
See also: dns_NSEC3
dns_rrsig_rr
¶Type: |
|
---|
A DNSSEC RRSIG record.
See also: dns_RRSIG
dns_soa
¶Type: |
|
---|
A DNS SOA record.
See also: dns_SOA_reply
dns_tsig_additional
¶Type: |
---|
An additional DNS TSIG record.
See also: dns_TSIG_addl
endpoint
¶Type: |
|
---|
Statistics about a connection
endpoint.
See also: connection
endpoint_stats
¶Type: |
|
---|
Statistics about what a TCP endpoint sent.
See also: conn_stats
entropy_test_result
¶Type: |
---|
Computed entropy values. The record captures a number of measures that are computed in parallel. See A Pseudorandom Number Sequence Test Program for more information, Bro uses the same code.
See also: entropy_test_add
, entropy_test_finish
, entropy_test_init
, find_entropy
event_peer
¶Type: |
|
---|
A communication peer.
See also: complete_handshake
, disconnect
, finished_send_state
, get_event_peer
, get_local_event_peer
, remote_capture_filter
, remote_connection_closed
, remote_connection_error
, remote_connection_established
, remote_connection_handshake_done
, remote_event_registered
, remote_log_peer
, remote_pong
, request_remote_events
, request_remote_logs
, request_remote_sync
, send_capture_filter
, send_current_packet
, send_id
, send_ping
, send_state
, set_accept_state
, set_compression_level
fa_file
¶Type: |
|
---|---|
Attributes: |
A file that Bro is analyzing. This is Bro’s type for describing the basic internal metadata collected about a “file”, which is essentially just a byte stream that is e.g. pulled from a network connection or possibly some other input source.
fa_metadata
¶Type: |
|
---|
Metadata that’s been inferred about a particular file.
files_tag_set
¶Type: | set [Files::Tag ] |
---|
A set of file analyzer tags.
Todo
We need this type definition only for declaring builtin functions
via bifcl
. We should extend bifcl
to understand composite types
directly and then remove this alias.
flow_id
¶Type: | |
---|---|
Attributes: |
The identifying 4-tuple of a uni-directional flow.
Note
It’s actually a 5-tuple: the transport-layer protocol is stored as
part of the port values, src_p and dst_p, and can be extracted from
them with get_port_transport_proto
.
ftp_port
¶Type: |
---|
A parsed host/port combination describing server endpoint for an upcoming data transfer.
See also: fmt_ftp_port
, parse_eftp_port
, parse_ftp_epsv
, parse_ftp_pasv
, parse_ftp_port
geo_location
¶Type: | |
---|---|
Attributes: |
GeoIP location information.
See also: lookup_location
gtp_create_pdp_ctx_request_elements
¶Type: |
recovery: select_mode: data1: cp: nsapi: linked_nsapi: charge_character: trace_ref: trace_type: end_user_addr: ap_name: opts: signal_addr: user_addr: msisdn: qos_prof: trigger_id: omc_id: |
---|
gtp_create_pdp_ctx_response_elements
¶Type: |
cause: reorder_req: recovery: cp: charging_id: end_user_addr: opts: cp_addr: user_addr: qos_prof: charge_gateway: |
---|
gtp_delete_pdp_ctx_request_elements
¶Type: |
teardown_ind: nsapi: |
---|
gtp_gsn_addr
¶Type: |
---|
gtp_update_pdp_ctx_request_elements
¶Type: |
recovery: data1: cp: nsapi: trace_ref: trace_type: cp_addr: user_addr: qos_prof: trigger_id: omc_id: ext: end_user_addr: |
---|
gtp_update_pdp_ctx_response_elements
¶Type: |
cause: recovery: cp: charging_id: cp_addr: user_addr: qos_prof: charge_gateway: |
---|
gtpv1_hdr
¶Type: |
|
---|
A GTPv1 (GPRS Tunneling Protocol) header.
http_message_stat
¶Type: |
|
---|
HTTP message statistics.
See also: http_message_done
http_stats_rec
¶Type: |
---|
HTTP session statistics.
See also: http_stats
icmp6_nd_option
¶Type: |
|
---|
Options extracted from ICMPv6 neighbor discovery messages as specified by RFC 4861.
See also: icmp_router_solicitation
, icmp_router_advertisement
, icmp_neighbor_advertisement
, icmp_neighbor_solicitation
, icmp_redirect
, icmp6_nd_options
icmp6_nd_options
¶Type: | vector of icmp6_nd_option |
---|
A type alias for a vector of ICMPv6 neighbor discovery message options.
icmp6_nd_prefix_info
¶Type: |
|
---|
Values extracted from a Prefix Information option in an ICMPv6 neighbor discovery message as specified by RFC 4861.
See also: icmp6_nd_option
icmp_conn
¶Type: |
|
---|
Specifics about an ICMP conversation. ICMP events typically pass this in
addition to conn_id
.
See also: icmp_echo_reply
, icmp_echo_request
, icmp_redirect
, icmp_sent
, icmp_time_exceeded
, icmp_unreachable
icmp_context
¶Type: |
|
---|
Packet context part of an ICMP message. The fields of this record reflect the packet that is described by the context.
See also: icmp_time_exceeded
, icmp_unreachable
icmp_hdr
¶Type: |
|
---|
Values extracted from an ICMP header.
See also: pkt_hdr
, discarder_check_icmp
id_table
¶Type: | table [string ] of script_id |
---|
Table type used to map script-level identifiers to meta-information describing them.
See also: global_ids
, script_id
Todo
We need this type definition only for declaring builtin functions
via bifcl
. We should extend bifcl
to understand composite types
directly and then remove this alias.
index_vec
¶Type: | vector of count |
---|
A vector of counts, used by some builtin functions to store a list of indices.
Todo
We need this type definition only for declaring builtin functions
via bifcl
. We should extend bifcl
to understand composite types
directly and then remove this alias.
interconn_endp_stats
¶Type: |
num_pkts: num_keystrokes_two_in_row: num_normal_interarrivals: num_8k0_pkts: num_8k4_pkts: is_partial: num_bytes: num_7bit_ascii: num_lines: num_normal_lines: |
---|
Deprecated.
ip4_hdr
¶Type: |
---|
Values extracted from an IPv4 header.
See also: pkt_hdr
, ip6_hdr
, discarder_check_ip
ip6_ah
¶Type: |
|
---|
Values extracted from an IPv6 Authentication extension header.
See also: pkt_hdr
, ip4_hdr
, ip6_hdr
, ip6_ext_hdr
ip6_dstopts
¶Type: |
|
---|
Values extracted from an IPv6 Destination options extension header.
See also: pkt_hdr
, ip4_hdr
, ip6_hdr
, ip6_ext_hdr
, ip6_option
ip6_esp
¶Type: |
---|
Values extracted from an IPv6 ESP extension header.
See also: pkt_hdr
, ip4_hdr
, ip6_hdr
, ip6_ext_hdr
ip6_ext_hdr
¶Type: |
|
---|
A general container for a more specific IPv6 extension header.
See also: pkt_hdr
, ip4_hdr
, ip6_hopopts
, ip6_dstopts
, ip6_routing
, ip6_fragment
, ip6_ah
, ip6_esp
ip6_ext_hdr_chain
¶Type: | vector of ip6_ext_hdr |
---|
A type alias for a vector of IPv6 extension headers.
ip6_fragment
¶Type: |
---|
Values extracted from an IPv6 Fragment extension header.
See also: pkt_hdr
, ip4_hdr
, ip6_hdr
, ip6_ext_hdr
ip6_hdr
¶Type: |
|
---|
Values extracted from an IPv6 header.
See also: pkt_hdr
, ip4_hdr
, ip6_ext_hdr
, ip6_hopopts
, ip6_dstopts
, ip6_routing
, ip6_fragment
, ip6_ah
, ip6_esp
ip6_hopopts
¶Type: |
|
---|
Values extracted from an IPv6 Hop-by-Hop options extension header.
See also: pkt_hdr
, ip4_hdr
, ip6_hdr
, ip6_ext_hdr
, ip6_option
ip6_mobility_back
¶Type: |
---|
Values extracted from an IPv6 Mobility Binding Acknowledgement message.
See also: ip6_mobility_hdr
, ip6_hdr
, ip6_ext_hdr
, ip6_mobility_msg
ip6_mobility_be
¶Type: |
|
---|
Values extracted from an IPv6 Mobility Binding Error message.
See also: ip6_mobility_hdr
, ip6_hdr
, ip6_ext_hdr
, ip6_mobility_msg
ip6_mobility_brr
¶Type: |
|
---|
Values extracted from an IPv6 Mobility Binding Refresh Request message.
See also: ip6_mobility_hdr
, ip6_hdr
, ip6_ext_hdr
, ip6_mobility_msg
ip6_mobility_bu
¶Type: |
---|
Values extracted from an IPv6 Mobility Binding Update message.
See also: ip6_mobility_hdr
, ip6_hdr
, ip6_ext_hdr
, ip6_mobility_msg
ip6_mobility_cot
¶Type: |
|
---|
Values extracted from an IPv6 Mobility Care-of Test message.
See also: ip6_mobility_hdr
, ip6_hdr
, ip6_ext_hdr
, ip6_mobility_msg
ip6_mobility_coti
¶Type: |
|
---|
Values extracted from an IPv6 Mobility Care-of Test Init message.
See also: ip6_mobility_hdr
, ip6_hdr
, ip6_ext_hdr
, ip6_mobility_msg
ip6_mobility_hdr
¶Type: |
|
---|
Values extracted from an IPv6 Mobility header.
See also: pkt_hdr
, ip4_hdr
, ip6_hdr
, ip6_ext_hdr
ip6_mobility_hot
¶Type: |
|
---|
Values extracted from an IPv6 Mobility Home Test message.
See also: ip6_mobility_hdr
, ip6_hdr
, ip6_ext_hdr
, ip6_mobility_msg
ip6_mobility_hoti
¶Type: |
|
---|
Values extracted from an IPv6 Mobility Home Test Init message.
See also: ip6_mobility_hdr
, ip6_hdr
, ip6_ext_hdr
, ip6_mobility_msg
ip6_mobility_msg
¶Type: |
|
---|
Values extracted from an IPv6 Mobility header’s message data.
See also: ip6_mobility_hdr
, ip6_hdr
, ip6_ext_hdr
ip6_option
¶Type: |
---|
Values extracted from an IPv6 extension header’s (e.g. hop-by-hop or destination option headers) option field.
See also: ip6_hdr
, ip6_ext_hdr
, ip6_hopopts
, ip6_dstopts
ip6_options
¶Type: | vector of ip6_option |
---|
A type alias for a vector of IPv6 options.
ip6_routing
¶Type: |
---|
Values extracted from an IPv6 Routing extension header.
See also: pkt_hdr
, ip4_hdr
, ip6_hdr
, ip6_ext_hdr
irc_join_info
¶Type: |
nick: channel: password: usermode: |
---|
IRC join information.
See also: irc_join_list
irc_join_list
¶Type: | set [irc_join_info ] |
---|
Set of IRC join information.
See also: irc_join_message
l2_hdr
¶Type: |
|
---|
Values extracted from the layer 2 header.
See also: pkt_hdr
mime_header_list
¶Type: | table [count ] of mime_header_rec |
---|
A list of MIME headers.
See also: mime_header_rec
, http_all_headers
, mime_all_headers
mime_header_rec
¶Type: |
---|
A MIME header key/value pair.
See also: mime_header_list
, http_all_headers
, mime_all_headers
, mime_one_header
mime_match
¶Type: |
---|
A structure indicating a MIME type and strength of a match against file magic signatures.
mime_matches
¶Type: | vector of mime_match |
---|
A vector of file magic signature matches, ordered by strength of the signature, strongest first.
ntp_msg
¶Type: |
---|
An NTP message.
See also: ntp_message
packet
¶Type: |
conn: is_orig:
timestamp: |
---|
Deprecated.
Todo
Remove. It’s still declared internally but doesn’t seem used anywhere else.
pcap_packet
¶Type: |
|
---|
Policy-level representation of a packet passed on by libpcap. The data includes the complete packet as returned by libpcap, including the link-layer header.
See also: dump_packet
, get_current_packet
peer_id
¶Type: | count |
---|
A locally unique ID identifying a communication peer. The ID is returned by
connect
.
See also: connect
pkt_hdr
¶Type: |
---|
A packet header, consisting of an IP header and transport-layer header.
See also: new_packet
pkt_profile_modes
¶Type: |
|
---|
Output modes for packet profiling information.
See also: pkt_profile_mode
, pkt_profile_freq
, pkt_profile_file
pm_callit_request
¶Type: |
---|
An RPC portmapper callit request.
See also: pm_attempt_callit
, pm_request_callit
pm_mapping
¶Type: |
---|
An RPC portmapper mapping.
See also: pm_mappings
pm_mappings
¶Type: | table [count ] of pm_mapping |
---|
Table of RPC portmapper mappings.
See also: pm_request_dump
pm_port_request
¶Type: |
---|
An RPC portmapper request.
See also: pm_attempt_getport
, pm_request_getport
raw_pkt_hdr
¶Type: |
|
---|
A raw packet header, consisting of L2 header and everything in
pkt_hdr
. .
See also: raw_packet
, pkt_hdr
record_field
¶Type: |
|
---|
Meta-information about a record field.
See also: record_fields
, record_field_table
record_field_table
¶Type: | table [string ] of record_field |
---|
Table type used to map record field declarations to meta-information describing them.
See also: record_fields
, record_field
Todo
We need this type definition only for declaring builtin functions
via bifcl
. We should extend bifcl
to understand composite types
directly and then remove this alias.
rotate_info
¶Type: |
---|
Deprecated.
See also: rotate_file
, rotate_file_by_name
, rotate_interval
script_id
¶Type: |
|
---|
Meta-information about a script-level identifier.
See also: global_ids
, id_table
signature_and_hashalgorithm_vec
¶Type: | vector of SSL::SignatureAndHashAlgorithm |
---|
A vector of Signature and Hash Algorithms.
Todo
We need this type definition only for declaring builtin functions
via bifcl
. We should extend bifcl
to understand composite types
directly and then remove this alias.
signature_state
¶Type: |
|
---|
Description of a signature match.
See also: signature_match
software
¶Type: |
name: version: |
---|
string_array
¶Type: | table [count ] of string |
---|
An ordered array of strings. The entries are indexed by successive numbers. Note that it depends on the usage whether the first index is zero or one.
Todo
We need this type definition only for declaring builtin functions
via bifcl
. We should extend bifcl
to understand composite types
directly and then remove this alias.
string_set
¶Type: | set [string ] |
---|
A set of strings.
Todo
We need this type definition only for declaring builtin functions
via bifcl
. We should extend bifcl
to understand composite types
directly and then remove this alias.
string_vec
¶Type: | vector of string |
---|
A vector of strings.
Todo
We need this type definition only for declaring builtin functions
via bifcl
. We should extend bifcl
to understand composite types
directly and then remove this alias.
subnet_vec
¶Type: | vector of subnet |
---|
A vector of subnets.
Todo
We need this type definition only for declaring builtin functions
via bifcl
. We should extend bifcl
to understand composite types
directly and then remove this alias.
sw_align
¶Type: |
---|
Helper type for return value of Smith-Waterman algorithm.
See also: str_smith_waterman
, sw_substring_vec
, sw_substring
, sw_align_vec
, sw_params
sw_align_vec
¶Type: | vector of sw_align |
---|
Helper type for return value of Smith-Waterman algorithm.
See also: str_smith_waterman
, sw_substring_vec
, sw_substring
, sw_align
, sw_params
sw_params
¶Type: |
---|
Parameters for the Smith-Waterman algorithm.
See also: str_smith_waterman
sw_substring
¶Type: |
|
---|
Helper type for return value of Smith-Waterman algorithm.
See also: str_smith_waterman
, sw_substring_vec
, sw_align_vec
, sw_align
, sw_params
sw_substring_vec
¶Type: | vector of sw_substring |
---|
Return type for Smith-Waterman algorithm.
See also: str_smith_waterman
, sw_substring
, sw_align_vec
, sw_align
, sw_params
Todo
We need this type definition only for declaring builtin functions
via bifcl
. We should extend bifcl
to understand composite types
directly and then remove this alias.
table_string_of_count
¶Type: | table [string ] of count |
---|
A table of counts indexed by strings.
Todo
We need this type definition only for declaring builtin functions
via bifcl
. We should extend bifcl
to understand composite types
directly and then remove this alias.
table_string_of_string
¶Type: | table [string ] of string |
---|
A table of strings indexed by strings.
Todo
We need this type definition only for declaring builtin functions
via bifcl
. We should extend bifcl
to understand composite types
directly and then remove this alias.
tcp_hdr
¶Type: |
---|
Values extracted from a TCP header.
See also: pkt_hdr
, discarder_check_tcp
teredo_auth
¶Type: |
|
---|
A Teredo origin indication header. See RFC 4380 for more information about the Teredo protocol.
See also: teredo_bubble
, teredo_origin_indication
, teredo_authentication
, teredo_hdr
teredo_hdr
¶Type: |
|
---|
A Teredo packet header. See RFC 4380 for more information about the Teredo protocol.
See also: teredo_bubble
, teredo_origin_indication
, teredo_authentication
teredo_origin
¶Type: |
---|
A Teredo authentication header. See RFC 4380 for more information about the Teredo protocol.
See also: teredo_bubble
, teredo_origin_indication
, teredo_authentication
, teredo_hdr
transport_proto
¶Type: |
|
---|
A connection’s transport-layer protocol. Note that Bro uses the term “connection” broadly, using flow semantics for ICMP and UDP.
udp_hdr
¶Type: |
---|
Values extracted from a UDP header.
See also: pkt_hdr
, discarder_check_udp
var_sizes
¶Type: | table [string ] of count |
---|
Table type used to map variable names to their memory allocation.
See also: global_sizes
Todo
We need this type definition only for declaring builtin functions
via bifcl
. We should extend bifcl
to understand composite types
directly and then remove this alias.
discarder_check_icmp
¶Type: | function (p: pkt_hdr ) : bool |
---|
Function for skipping packets based on their ICMP header. If defined, this function will be called for all ICMP packets before Bro performs any further analysis. If the function signals to discard a packet, no further processing will be performed on it.
P: | The IP and ICMP headers of the considered packet. |
---|---|
Returns: | True if the packet should not be analyzed any further. |
See also: discarder_check_ip
, discarder_check_tcp
, discarder_check_udp
, discarder_maxlen
Note
This is very low-level functionality and potentially expensive. Avoid using it.
discarder_check_ip
¶Type: | function (p: pkt_hdr ) : bool |
---|
Function for skipping packets based on their IP header. If defined, this function will be called for all IP packets before Bro performs any further analysis. If the function signals to discard a packet, no further processing will be performed on it.
P: | The IP header of the considered packet. |
---|---|
Returns: | True if the packet should not be analyzed any further. |
See also: discarder_check_tcp
, discarder_check_udp
, discarder_check_icmp
, discarder_maxlen
Note
This is very low-level functionality and potentially expensive. Avoid using it.
discarder_check_tcp
¶Type: | function (p: pkt_hdr , d: string ) : bool |
---|
Function for skipping packets based on their TCP header. If defined, this function will be called for all TCP packets before Bro performs any further analysis. If the function signals to discard a packet, no further processing will be performed on it.
P: | The IP and TCP headers of the considered packet. |
---|---|
D: | Up to discarder_maxlen bytes of the TCP payload. |
Returns: | True if the packet should not be analyzed any further. |
See also: discarder_check_ip
, discarder_check_udp
, discarder_check_icmp
, discarder_maxlen
Note
This is very low-level functionality and potentially expensive. Avoid using it.
discarder_check_udp
¶Type: | function (p: pkt_hdr , d: string ) : bool |
---|
Function for skipping packets based on their UDP header. If defined, this function will be called for all UDP packets before Bro performs any further analysis. If the function signals to discard a packet, no further processing will be performed on it.
P: | The IP and UDP headers of the considered packet. |
---|---|
D: | Up to discarder_maxlen bytes of the UDP payload. |
Returns: | True if the packet should not be analyzed any further. |
See also: discarder_check_ip
, discarder_check_tcp
, discarder_check_icmp
, discarder_maxlen
Note
This is very low-level functionality and potentially expensive. Avoid using it.
log_file_name
¶Type: | function (tag: string ) : string |
---|---|
Attributes: | &redef |
Deprecated. This is superseded by the new logging framework.
max_count
¶Type: | function (a: count , b: count ) : count |
---|
Returns maximum of two count
values.
A: | First value. |
---|---|
B: | Second value. |
Returns: | The maximum of a and b. |
max_double
¶Type: | function (a: double , b: double ) : double |
---|
Returns maximum of two double
values.
A: | First value. |
---|---|
B: | Second value. |
Returns: | The maximum of a and b. |
max_interval
¶Type: | function (a: interval , b: interval ) : interval |
---|
Returns maximum of two interval
values.
A: | First value. |
---|---|
B: | Second value. |
Returns: | The maximum of a and b. |
min_count
¶Type: | function (a: count , b: count ) : count |
---|
Returns minimum of two count
values.
A: | First value. |
---|---|
B: | Second value. |
Returns: | The minimum of a and b. |
min_double
¶Type: | function (a: double , b: double ) : double |
---|
Returns minimum of two double
values.
A: | First value. |
---|---|
B: | Second value. |
Returns: | The minimum of a and b. |